Category: Cyber Security

LastPass Suffers Second Data Breach in 5 Months

Password management app LastPass has announced that hackers have breached its cloud storage containing customer data.

This is the second time the company has been targeted in five months, after a similar breach in August.

Cyber attackers gained access to the company’s developer environment using a hacked developer account, stealing source code and technical information that allowed them to access customer data in the most recent breach.

LastPass still maintains that passwords remain safe after both attacks.

“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo,” LastPass chief executive officer Karim Toubba said.

“We have determined that an unauthorised party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.”

With over 33 million users and 100,000 businesses, the company says it is one of the most popular password management systems on the market.

LastPass announced that it immediately launched an investigation, alerted law enforcement and engaged leading security firm Mandiant.

If LastPass changes its position or releases further information on the matter, we will share it here.

If you have any questions or wish to know more about this incident, please contact us below.




    Google Bypasses Privacy, Puts Users’ Data on the Map

    Google’s handling of user data has long been a subject of concern for data privacy enthusiasts. While the tech giant has suffered a comparatively low number of data breaches in recent history, its hold over the Android platform allows it to harvest an unprecedented amount of data.

    Now, Google is taking more steps to ensure the collection of user data across non-mobile devices as well. Recently, Google changed its domain structure to include all its services under one parent domain. This means that any permissions given by the user for one Google service, such as Google Maps, extend to all Google services under the domain.

    The discovery was made by an alert user when they noticed Google had switched from a subdomain to a subdirectory.

    This means any pop-up that appears when the website tries to access a user’s camera, microphone or location only needs to be accepted once to be applied across the vast range of Google’s services.

    Subdomains are considered children of the parent domain, existing outside the main domain within a disparate partition. Subdirectories, by contrast, are treated as part of the main domain, as they are nothing but a page under the domain.

    Google had previously used a subdomain for Google Maps, with the URL ‘maps.google.com’, but has now changed to a subdirectory with the URL ‘google.com/maps’.

    For example, the user’s mic can be accessed from the Google search page, with camera permissions being granted from Google Meet. Location access allowed through Google Maps may be used to track users’ location in the search engine without specific permissions being granted.

    Users wanting to use Google Maps for a short period of time will be asked to give permission to access their location. Under the new domain structure, Google can now access this data at any time, allowing it to geo-track the user whenever they have a Google website open.

    Do you know what apps are tracking your location? Do you know the security score of apps you are using? Are you aware of the permissions you have granted?

    Acurus helps companies start to build Cyber Security resilience by aligning to the ACSC Essential 8 as a starting point. We then help companies build out sophisticated and mature IT security capabilities and standards. 

    Contact us below to speak with our cyber security experts and start the journey to protect your company today.




      Government Passes Bill Increasing Data Breach Penalties to $50m

      The Australian Government has passed a bill that will significantly increase the penalty for businesses that suffer repeated or major data breaches.

      The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the civil penalty from $2.2 million to whichever of the following bears the most financial weight:

      • $50 million
      • 30 per cent of adjusted turnover for the period or
      • three times the financial gain from the misuse of data in the case of outstandingly shocking breaches.

      The bill passed through the Senate and then the lower house on Monday after it was slightly reworded to target organisations that suffer “serious” or “repeated” breaches.

      Concerns have been raised over the lack of definition of “serious” and “repeated” incidents, and that small to medium businesses may be hit by the same penalties as large organisations.

      “Reforms to clarify key definitions in the Privacy Act, develop a tiered penalty regime, provide greater clarity on the applications of penalties and enhance security guidelines are being considered through the Privacy Act review,” said Labor Senator and Agriculture Minister Murray Watt.

      The increase in penalties is a direct response to recent major data breaches in Australia, with the government aiming to send a clear message to large companies: they must do better to protect the data they collect.

      Do you know your Cyber Security capabilities, and your level of risk? Do you have a clear plan on how to improve your capabilities? Would you know what to do if you had a cyber security incident?

      If you are concerned about these new penalties and don’t understand what your level of risk is, request a free assessment below to start your journey on protecting your company, employees and customers.




        Medibank hacker releases more private health information

        The culprits behind the recent Medibank data breach have released more private health information on the Dark Web.

        After several days of silence online, the hackers released their largest batch of data to date, with up to 1469 records being exposed.

        9News has chosen to keep the names of the files and the health conditions they relate to confidential, but says that the conditions were deeply personal areas of healthcare.

        Currently, over 2700 records have been released, with over 2500 Australians affected by the data breach.

        Medibank has continued to reach out to the customers affected, while the AFP also continues to investigate the incident.

        Medibank is sticking by its decision not to pay the hackers’ ransom; however, the Cyber Security community believes the next step may be a direct consumer attack.

        Individual threats for ransom or extortion have not yet been circulated, but customers are still being warned to remain on high alert for potential scams.

        Would you know what to do if your personal information was leaked in a data breach? Would you know how to identify a phishing scam via phone, post or email? Do you know where your data lives and what protects access to it?




          Researchers show techniques for malware persistence on F5 and Citrix load balancers

          Over the past several years, hackers have targeted public-facing network devices such as routers, VPN concentrators, and load balancers to gain a foothold into corporate networks.

          While finding remote code execution vulnerabilities in such devices is not uncommon, incidents where attackers were able to deploy malware on them that can survive restarts or firmware upgrades have been rare and generally attributed to sophisticated APT groups.

          Because of this, researchers from firmware security firm Eclypsium recently investigated the persistence opportunities attackers would have on such devices.

          “Can the malware be resilient enough to persist across reboots and even upgrades? Is it possible to infect the device so deeply that a clean wipe and reinstall isn’t sufficient?”

          To investigate, researchers looked into the configuration backup functionality available through the administration interface, which can be used to generate an archive containing all the configs and settings that can later be deployed on a fresh install.

          After scouring the documentation and config files, the team had three different ways to store and start scripts after a reboot, across F5 and Citrix devices, that would even survive a reinstall because they would be included in the config backups.

          “Gone are the days of proprietary, purpose-built firmware used by routers & switches, instead replaced with firmware which is a fully functional operating system. This evolution introduces the commodity-server level risk on devices that have historically been out of reach for all but the most skilled attackers.”

          With the introduction of these sorts of new advanced and persistent vulnerabilities, detection and response capabilities are more important than ever.

          Security isn’t about being either secure or insecure; it’s about how fast you can move.

          If you don’t have a detection and response strategy in place today, ask us how we can help.




            Russia behind Medibank breach: AFP

            The Australian Federal Police have claimed the hackers behind Medibank’s data breach are located in Russia.

            The culprits are responsible for millions of customers’ data being exposed on the dark web.

            The commissioner of the Australian Federal Police, Reece Kershaw, announced at a media conference that authorities had flagged a group of “loosely affiliated” cyber criminals as being responsible for the breach.

            He said the agency believes it knows the identities of those behind the breach but would not name them, with some affiliates suspected to be in other countries.

            The AFP said they will be speaking with Russian law enforcement about the individuals and the incident.

            Kershaw directed a warning to the criminals: “We know who you are, and moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system,” he said.

            The federal government is looking to introduce new legislation to increase fines for companies that suffer serious or repeated privacy breaches.

            The updated law would see the maximum fine for data breaches rise from $2.2 million to $50 million.

            Would you know what to do if your personal information was leaked in a data breach? Do you know the security score of your key service providers? How safe is the data your organisation collects from its customers?
