Category: security breach

  • Sourcegraph Falls Victim to Security Breach Through Exposed Admin Token

    Security breach
    Security Breach Through Exposed Admin Token

    This week, Sourcegraph, the AI-driven coding platform, disclosed a security breach incident involving unauthorized access to their website. On August 28th, an attacker exploited an admin access token mistakenly made public on July 14th. By utilizing the exposed token, the individual successfully established a new admin account and accessed Sourcegraph.com’s administrative dashboard two days following the intrusion.

    Discovery of the Security Breach

    The alarm bells went off the same day as Sourcegraph’s security experts noticed an unusual uptick in API activity, characterized as “anomalous and unnatural.” It didn’t take long for them to trace the origin of this activity back to the recently created rogue admin account.

    Sourcegraph’s Response on Security Breach

    Diego Comas, Sourcegraph’s Head of Security, provided insights into the incident. He confirmed that the exposed admin token had originally slipped through the cracks in a code commit dated July 14th. “The attacker leveraged this token to masquerade as a user and gain unfettered access to our system’s administrative console,” said Comas.

    (Read more about: Security breach costs in India)

    Subsequent Malicious Activities

    Once inside, the perpetrator shifted the illicit account’s permissions several times, effectively probing the internal systems of Sourcegraph. Moreover, a proxy application was set up, directing users to directly interact with Sourcegraph’s APIs. “Users were guided to establish free accounts on Sourcegraph.com, produce access tokens, and then seek an unwarranted elevation of their rate limits from the attacker,” according to Sourcegraph’s official statement.

    Data Impact and Customer Notification on Security Breach

    Although the intruder managed to access some customer data like license keys, names, and email addresses, more sensitive information remained unscathed. No passwords, usernames, or other types of personally identifiable information were compromised. “Your personal data was neither altered nor copied, but it could have been viewed by the attacker,” Comas clarified in an email dispatched to potentially affected customers.

    Ensuring Future Security

    Importantly, private code and customer credentials were not accessible during this ordeal, as they are stored in segregated environments. After identifying the breach, Sourcegraph took immediate steps to neutralize the threat. They disabled the unauthorized admin account. They provisionally scaled back API rate limits for all free-tier users, and changed potentially vulnerable license keys.

    With a burgeoning user base of over 1.8 million software engineers and partnerships with industry giants such as Uber, F5, Dropbox, Lyft, and Yelp, Sourcegraph is taking this security incident very seriously. Comprehensive measures are being taken to ensure such vulnerabilities do not pose a risk in the future.

    As the platform moves forward, it is committed to improving its security protocols to safeguard user data more effectively. They will also restore the confidence of its global clientele.

  • Maximus Security Breach Affects Millions

    Security Breach
    Maximus Security Breach

    In a recent cyberattack, US government service contractor Maximus fell victim, revealing a data breach that has exposed personal details of an estimated 8 to 11 million individuals. The breach was made possible through the MOVEit Transfer data-theft attacks that have been plaguing various high-profile companies around the world.

    An Overview of Maximus and Its Operations

    Maximus is a known contractor that oversees US government-backed programs. It specializes in managing healthcare programs at both the federal and local level and handles student loan servicing. The company boasts a workforce of approximately 34,300 and generates annual revenue of roughly $4.25 billion. Its operations span across the U.S., Canada, Australia, and the UK.

    The Nature of the Maximus Security Breach and the Disclosure

    Maximus announced the data theft in an 8-K form submitted to the Securities and Exchange Commission (SEC). The theft utilized a zero-day vulnerability (CVE-2023-34362) in the MOVEit file transfer application. The notorious Clop ransomware group has exploited this flaw extensively to infiltrate hundreds of global companies.

    In its probe into the breach, Maximus found no evidence to suggest that the hackers ventured beyond the MOVEit environment. This was swiftly segregated from the rest of the corporate network.

    Extent of the Maximus Data Breach

    Although the hackers’ access appeared limited, it was substantial enough to compromise the personal information of millions. The company is in the process of issuing data breach notifications to the affected individuals.

    The SEC 8-K filing disclosed: “Based on the review of impacted files to date, [Maximus] believes those files contain personal information, including social security numbers, protected health information and/or other personal information, of at least 8 to 11 million individuals to whom the company anticipates providing notice of the incident.”

    As a response to the incident, Maximus is planning to allocate approximately $15 million for the quarter ending June 30, 2023. This expense is to cover the cost of investigations and remediation activities linked to the incident.

    The Role of the Clop Ransomware Gang in Maximus Security Breach

    The Clop ransomware gang added Maximus to its dark web data leak site, listing it among 70 new victims, all of whom fell prey to the MOVEit zero-day flaw.

    According to the entry on Clop’s site, they reportedly pilfered 169GB of data. It is during the attack on Maximus’ MOVEit Transfer server. However, no data leaks have got limelights so far, indicating that the extortion process is ongoing.

    As the list of victims of the MOVEit zero-day flaw expands, the Clop ransomware gang is resorting to more hostile extortion strategies. They have begun launching clearweb sites to leak specific companies’ stolen data. This tactic enhances the pressure on victims as it makes the data readily accessible to a larger audience.

  • Critical Security Bug in WordPress WooCommerce Payments Plugin Under Siege by Hackers

    WordPress
    WordPress WooCommerce Payments Plugin Under Siege by Hackers

    A severe vulnerability in the widely-used WooCommerce Payments plugin is under rampant attack by cybercriminals. They are exploiting this security loophole to gain access rights of all users, notably administrators, on WordPress sites that are susceptible to this exploitation.

    About WooCommerce Payments Plugin

    The WooCommerce Payments plugin is an exceptionally popular tool within the WordPress ecosystem. Its prime function is to facilitate websites in accepting debit and credit card payments within WooCommerce-based online stores. The plugin boasts a substantial user base. The current users stands at 600,000 installations, as per WordPress.

    Critical Bug Identified and Patched

    On March 23, 2023, the critical vulnerability, tagged as CVE-2023-28121, caught the attention of the developers. Subsequently, they launched version 5.6.2, aiming to rectify this critical 9.8-rated bug. The flaw influences WooCommerce Payment plugin versions 4.8.0 and above, and the remedy is available in versions 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, and subsequent ones.

    The vulnerability opens a backdoor for any remote user to mask as an administrator, subsequently gaining complete control over the WordPress site. To mitigate this risk, Automattic, the company behind WordPress, enforced a security update on all WordPress installations using this plugin.

    At that point, WooCommerce claims that the vulnerability had not been put for wrong use. However, they cautioned that active exploitation was a future possibility due to the severity of the bug.

    The Flaw is Now Being Actively Exploited

    Fast-forward to the present month, cybersecurity analysts at RCE Security dissected the bug, delivering a comprehensive technical blog concerning the vulnerability and its potential exploitation methods. Attackers can merely introduce an ‘X-WCPAY-PLATFORM-CHECKOUT-USER’ request header and assign it to the user ID of the account they aim to mimic.

    When WooCommerce Payments identifies this header, it treats the request as originating from the stated user ID, inheriting all of the user’s privileges. RCE Security, as part of their blog post, exposed a proof-of-concept exploit. This exploit leverages the flaw to introduce a new admin user on vulnerable WordPress sites. Consequently, threat actors can wholly overrun the site.

    According to Wordfence, a WordPress security firm, a massive campaign has been launched exploiting this vulnerability, targeting over 157,000 sites as of Saturday. They warned that threat actors are using the exploit to create administrator accounts or install the WP Console plugin on targeted devices.

    Impact of the WooCommerce Payments Plugin Exploitation

    On servers where WP Console gets installation, the threat actors execute PHP code. This code is to set up a file uploader on the server, acting as a backdoor that could be helpful. Wordfence has also reported instances where threat actors created admin accounts with random passwords using the exploit.

    The threat actors conduct a vulnerability scan by attempting to access the ‘/wp-content/plugins/woocommerce-payments/readme.txt’ file. If the file is located, they exploit the flaw. Cybersecurity researchers have identified seven IP addresses responsible for these attacks, with one IP address alone probing 213,212 sites.

    Remedial Measures and Caution Against WooCommerce Payments Plugin Bug

    Given the ease of exploiting the CVE-2023-28121 vulnerability, it is of importance for all WordPress sites using WooCommerce Payment plugin. It is to update their installations. For sites that haven’t been got update, site admins should scan for unusual PHP files and dubious administrator accounts. Then they should and promptly eliminate any they discover.

  • IT Security Breach Reported at Shree Cement

    IT Security Breach Reported at Shree Cement
    IT Security Breach Reported at Shree Cement

    Shree Cement, one of the leading cement manufacturing companies in India, reported an IT security breach on Tuesday. The company has confirmed that its IT security team took immediate action to address the incident.

    The security breach Incident

    In a statement issued on Wednesday, Shree Cement confirmed that it detected an IT security incident on Tuesday on its IT assets. The company stated that its IT team, as well as management, took all necessary precautions and measures to address the incident.

    While the production facilities have not been affected by the breach, dispatches faced some difficulty, which has now been normalized, according to the company.

    Shree Cement is still assessing whether there has been any other impact due to the incident. At present, the company has confirmed that the incident does not qualify as “material” in terms of Regulation 30 of the LODR (Listing Obligations and Disclosure Requirement).

    The response

    Shree Cement’s IT security team and management have taken immediate action to address the incident. The company has stated that the situation is under control, and its production facilities are functioning as usual.

    The IT security team is still investigating the incident to determine the scope and impact of the breach. The company has stated that it will take all necessary measures to prevent any future incidents and ensure the security of its IT assets.

    Recap

    Shree Cement has confirmed that it experienced an IT security incident on Tuesday. The company’s IT security team and management took immediate action to address the incident, and the situation is now under control.

    While the production facilities were not affected by the breach, dispatches faced some difficulty, which has since been resolved. The company is still assessing whether there has been any other impact due to the incident.

    Shree Cement has assured its stakeholders that it will take all necessary measures to prevent any future incidents and ensure the security of its IT assets.