
The Week in Breach News: 06/05/24 – 06/11/24

June 12, 2024

This week: Another big data breach has something in common with other recent large breaches, nation-state hacking in Germany, seven reasons why IT professionals choose Datto EDR and the top three findings from over 10k penetration tests.


What challenges will IT pros face in the second half of 2024? Find out in the Mid-Year Cyber Risk Report. GET IT>>



Palomar Health Medical Group

https://www.sandiegouniontribune.com/news/health/story/2024-05-24/suspected-cyber-attack-continues-to-hobble-operations-at-palomar-health-medical-group

Exploit: Hacking

Palomar Health Medical Group: Healthcare Provider


Risk to Business: 2.201 = Severe

Palomar Health Medical Group continues to operate without fully functional systems after a cyberattack knocked it offline. The medical group’s hospitals in Escondido and Poway are not affected, but representatives said in a statement that the attack hit its outpatient facilities, including its Graybill medical offices, limiting their operations. The attack was discovered on May 5, 2024. There is no anticipated timeline for the resumption of full operations.

How It Could Affect Your Customers’ Business: Healthcare centers must be careful to implement robust security because they are frequent targets for cybercriminal activity, creating public health risk.

Kaseya to the Rescue: Learn about the growing list of cybersecurity challenges that organizations face in the Kaseya Security Survey Report 2023. DOWNLOAD IT>>


Datto EDR’s Ransomware Rollback rolls data and systems back to their pre-attack state in minutes SEE HOW IT WORKS>>



Germany – Christian Democratic Union (CDU) 

https://therecord.media/germany-opposition-party-cyberattack-europe

Exploit: Hacking (Nation-State)

Christian Democratic Union (CDU): Political Party 


Risk to Business: 1.856 = Severe

Germany’s major opposition party, the Christian Democratic Union (CDU), announced that it has experienced a large-scale cyberattack, and it suspects that Russia-aligned threat actors are involved. The attack led the party to take down and isolate parts of its IT infrastructure as a precaution. Officials said that law enforcement is investigating. This incident, occurring just before the European Parliament elections, follows a similar attack on the SPD attributed to Russian state-controlled hackers.

How It Could Affect Your Customers’ Business: Governments and government agencies have seen an increasing tide of pressure from bad actors that is expected to continue.

Kaseya to the Rescue: Learn how to protect businesses from dark web danger and mitigate cyberattack risk with the insight we share in The IT Professional’s Guide to Dark Web Defense. DOWNLOAD IT>>


France – Decathlon

https://cybersecuritynews.com/threats-claimimg-breach/

Exploit: Ransomware

Decathlon: Sporting Goods Retailer


Risk to Business: 1.721 = Moderate

The threat actor group 888 claims to have stolen a database linked to France-based sporting goods retailer Decathlon. The company confirmed a data security incident involving email addresses of its Spanish employees, discovered on May 27 by its cybersecurity team in Spain. The data originated from a third-party application, and no passwords or customer data were affected.

How It Could Affect Your Customers’ Business: It’s critical that every organization conduct regular phishing simulations to mitigate its risk for often email-based cyberattacks like ransomware.

Kaseya to the Rescue: Learn about the factors that have shaped cybersecurity in 2024 and be ready for what’s next with the knowledge you’ll gain from our Midyear Cyber-risk Report 2024. GET REPORT>>


Every business faces insider risk, from employee mistakes to malicious acts. Learn how to mitigate it. DOWNLOAD EBOOK>>


The Netherlands – Heineken

https://www.cyberdaily.au/security/10659-over-8-000-heineken-employees-affected-in-alleged-cyber-attack

Exploit: Hacking

Heineken: Brewer


Risk to Business: 2.803 = Moderate

Cybercrime group 888 claims to have exfiltrated the data of 8,174 Heineken employees. The group said that the data belongs to employees across a number of countries and includes identification scans, full names, email addresses, company roles and more. The threat actors posted a sample of the data, which shows the details of 10 users from countries including Brazil, Nigeria, Indonesia and the UK.

How It Could Affect Your Customers’ Business: A company’s employee data is just as valuable and attractive to cybercriminals as its customer data may be.

Kaseya to the Rescue: An endpoint detection and response solution can help businesses stop the spread of cyberattacks fast. This checklist helps you find the right one. DOWNLOAD IT>>


UK – LivaNova

https://cybernews.com/news/livanova-ransomware-attack

Exploit: Ransomware

LivaNova: Medical Device Maker


Risk to Business: 1.712 = Severe

UK-based medical device manufacturer LivaNova has informed affected individuals that it fell victim to a ransomware attack that led to the exposure of the personal data of current and former employees. Data exposed in the attack includes an employee’s name, telephone number, email, address, Social Security or national identification number, date of birth, financial account information, health insurance information, online credentials and work-related information, such as employee ID, compensation, disability status and evaluations.

How It Could Affect Your Customers’ Business: This treasure trove of information contains details like identification numbers that help facilitate identity theft.

Kaseya to the Rescue: Our infographic walks you through exactly how security awareness training prevents the biggest cyber threats that businesses face today. DOWNLOAD IT>>



Get Vonahi’s exclusive report on the top findings of thousands of penetration tests. GET THE REPORT>>



Vietnam – Vietnam Post

https://e.vnexpress.net/news/news/vietnam-s-national-postal-service-attacked-by-ransomware-4754280.html

Exploit: Ransomware

Vietnam Post: Postal Service


Risk to Business: 2.376 = Severe

Vietnam Post said its IT systems have been taken down by a ransomware attack. Officials say the attack happened at around 3 a.m. on June 6, directly impacting activities related to postal delivery. Vietnam Post’s website and application were inaccessible starting Tuesday morning. Officials stressed that postal finance, public administration and goods distribution services are still operating normally. Vietnam Post said it is working with authorities and its partners to resolve the issues as soon as possible.

How It Could Affect Your Customers’ Business: Disrupting a country’s postal service with a cyberattack could cause a widespread ripple effect that impacts many businesses.

Kaseya to the Rescue: Our Penetration Testing Buyer’s Guide walks you through the pentesting process to help you find the right pentesting solution for your needs. GET THE GUIDE>>



See the path from a cyberattack to a defensive success with managed SOC in this infographic. GET IT>>



Australia – Ticketek Australia

https://www.sbs.com.au/news/article/fresh-warning-after-ticketek-customers-personal-details-stolen-in-cybersecurity-incident/c1prvrxar

Exploit: Supply Chain Data Breach

Ticketek Australia: Ticket Seller


Risk to Business: 2.866 = Moderate

Ticketek Australia has informed customers that sensitive data stored on a cloud-based platform by a global third-party supplier was exposed in a data breach at a third-party data storage provider. The company said that customer names, dates of birth and email addresses may have been exposed in the incident. This breach, along with the recent Ticketmaster and Santander Bank breaches, appears to be related to the cloud data platform Snowflake. However, the platform claims that the breach was caused by its customers’ poor security procedures. The story is still developing.

How It Could Affect Your Customers’ Business: Supply chain and third-party risk is a constant menace for organizations that they must take seriously.

Kaseya to the Rescue: There is a bewildering array of acronyms used for cybersecurity technologies. This infographic breaks down six of them. DOWNLOAD IT>>


New Zealand – Smith & Caughey’s

https://www.nzherald.co.nz/nz/smith-caugheys-set-to-close-department-store-falls-victim-to-cyber-attack-on-day-of-proposal-to-close-for-good/G25KF73IOFCX5C7CV32RS3LEPE

Exploit: Ransomware

Smith & Caughey’s: Retailer


Risk to Business: 2.602 = Moderate

Auckland department store Smith & Caughey’s has fallen victim to a cyberattack on the same day it announced a proposal to close in early 2025, after 144 years in business. A store executive said that the store’s server and retail operations systems have been crypto-locked, likely the result of a ransomware infection. The official stated that the attack has impacted the store’s ability to communicate with staff, customers, suppliers and other critical stakeholders.

How It Could Affect Your Customers’ Business: A ransomware attack can be enough to knock a teetering business out, making prevention mission-critical.

Kaseya to the Rescue: This infographic includes 10 handy tips to help you get the most out of your security awareness training solution and run an effective program. GET INFOGRAPHIC>>



1 – 1.5 = Extreme Risk

1.51 – 2.49 = Severe Risk

2.5 – 3 = Moderate Risk

Risk scores for The Week in Breach are calculated using a formula that considers a range of factors for each incident.



Find out about five of today’s biggest dark web threats to businesses in this infographic. DOWNLOAD IT>>



Spruce up your training with these two refreshed training modules


We’ve refreshed two of our most popular training modules in BullPhish ID to ensure that they deliver training that covers the latest cyber threats.

  • What is an insider threat? Learn about the danger of threats that come from within an organization.
  • What is account takeover (ATO)? Learn how to prevent intruders from stealing your credentials and taking over your accounts.

Learn more about these training modules and other innovations in the BullPhish ID Release Notes. LEARN MORE>>


How much is data really worth on the dark web? Find out in The IT Professionals Guide to the Dark Web! GET EBOOK>>



New infographic: 7 Reasons Why Partners Rely on Datto EDR


Endpoint detection and response (EDR) is crucial for business security. Take a look at the seven biggest reasons why IT professionals and businesses rely on Datto EDR and learn more about how it can benefit you. Learn why features like continuous monitoring and automated threat response combined with ransomware rollback make Datto EDR the clear winning choice for endpoint security.

DOWNLOAD IT NOW>>

Did you miss…Vonahi’s Top 10 Critical Pentest Findings for 2024 report? DOWNLOAD IT>>



Explore the nuts and bolts of ransomware and see how a business falls victim to an attack. GET EBOOK>>




One of the most effective ways for information technology (IT) professionals to uncover a company’s weaknesses before the bad guys do is penetration testing. By simulating real-world cyberattacks, penetration tests, sometimes called pentests, provide invaluable insights into an organization’s security posture, revealing weaknesses that could potentially lead to data breaches or other security incidents. Vonahi Security, the creators of the revolutionary vPenTest automated penetration testing platform, recently released the 2024 version of their annual Top 10 Critical Pentest Findings report, detailing the vulnerabilities they uncovered through more than 10,000 automated network pentests in 2023. Here are the top three findings and recommendations for preventing exploitation.


Excerpted in part from Vonahi Security’s Top 10 Critical Pentest Findings


Source: Vonahi Security



See why choosing a smarter SOC is a smart business decision. DOWNLOAD AN EBOOK>>



Multicast DNS (mDNS) is a protocol used within small networks to resolve a domain name system (DNS) name when a local DNS server does not exist.  

When a system attempts to resolve a DNS name, the system proceeds with the following steps:  

  1. The system checks its local host file to determine if an entry exists to match the DNS name in question with an IP address.  
  2. On small networks where no DNS Server is configured, the system then uses mDNS to send an IP multicast query message to the systems on the local subnet that asks the host having that name to identify itself. Attackers can take advantage of this by answering this request and impersonating a system on the network. 

Recommendations  

The most effective method for preventing exploitation is to disable mDNS altogether if it is not being used. Depending on the implementation, this can be achieved by disabling the Apple Bonjour or Avahi-daemon service. 

Reproduction steps  

On a system configured with mDNS, attempt to interact with a DNS name that is known to be invalid (e.g. test123.local). On another system, use a network packet analyzer, such as Wireshark, to inspect the mDNS traffic on the internal network environment by filtering for UDP queries over port 5353. 

Security impact  

Rating (CVSS 3.1): 9.8

Since the mDNS queries are sent to systems on the local subnet, any system can respond to these queries with the IP address of the DNS name in question. This can be abused by malicious attackers since an attacker can respond to all of these queries with the IP address of the attacker’s system. Depending on the service that the victim was attempting to communicate with (e.g. SMB, MSSQL, HTTP, etc.), an attacker may be able to capture sensitive cleartext and/or hashed account credentials. Hashed credentials can often be recovered in a matter of time using modern-day computing power and brute-force techniques.


See how security awareness training stops the biggest security threats! GET INFOGRAPHIC>>



NetBIOS Name Service (NBNS) is a protocol used amongst workstations within an internal network environment to resolve a domain name system (DNS) name when a DNS server doesn’t exist or can’t be helpful.  

When a system attempts to resolve a DNS name, the system proceeds with the following steps: 

  1. The system checks its local host file to determine if an entry exists to match the DNS name in question with an IP address.  
  2. If the system does not have an entry in its local hosts file, the system then sends a DNS query to its configured DNS server(s) to attempt retrieving an IP address that matches the DNS name in question.  
  3. If the configured DNS server(s) cannot resolve the DNS name to an IP address, the system then sends an NBNS broadcast packet on the local network to seek assistance from other systems. 

Recommendations  

The following are some strategies for preventing the use of NBNS in a Windows environment or reducing the impact of NBNS Spoofing attacks:   

  • Configure the UseDnsOnlyForNameResolutions registry key in order to prevent systems from using NBNS queries (NetBIOS over TCP/IP Configuration Parameters). Set the registry DWORD to 1.  
  • Disable the NetBIOS service for all Windows hosts in the internal network. This can be done via DHCP options, network adapter settings or a registry key. 

Reproduction steps  

On a system configured with NBNS, attempt to interact with a DNS name that is known to be invalid (e.g. test123.local). On another system, use a network packet analyzer, such as Wireshark, to inspect the broadcasted traffic on the internal network environment. 

Security impact 

Rating (CVSS 3.1): 9.8

Since the NBNS queries are broadcast across the network, any system can respond to these queries with the IP address of the DNS name in question. This can be abused by malicious attackers since an attacker can respond to all of these queries with the IP address of the attacker’s system. Depending on the service that the victim was attempting to communicate with (e.g. SMB, MSSQL, HTTP, etc.), an attacker may be able to capture sensitive cleartext and/or hashed account credentials. Hashed credentials can often be recovered in a matter of time using modern-day computing power and brute-force techniques.


Learn to defend against today’s sophisticated email-based cyberattacks DOWNLOAD EBOOK>>



Link-Local Multicast Name Resolution (LLMNR) is a protocol used amongst workstations within an internal network environment to resolve a domain name system (DNS) name when a DNS server does not exist or cannot be helpful.  

When a system attempts to resolve a DNS name, the system proceeds with the following steps:  

  1. The system checks its local host file to determine if an entry exists to match the DNS name in question with an IP address.  
  2. If the system does not have an entry in its local hosts file, the system then sends a DNS query to its configured DNS server(s) to attempt retrieving an IP address that matches the DNS name in question.  
  3. If the configured DNS server(s) cannot resolve the DNS name to an IP address, the system then sends an LLMNR broadcast packet on the local network to seek assistance from other systems. 

Recommendations  

The most effective method for preventing exploitation is to configure the Multicast Name Resolution registry key in order to prevent systems from using LLMNR queries. 

  • Using Group Policy: Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast Name Resolution = Enabled (To administer a Windows 2003 DC, use the Remote Server Administration Tools for Windows 7)
  • Using the Registry for Windows Vista/7/10 Home Edition only: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast

Reproduction steps  

On a system configured with LLMNR, attempt to interact with a DNS name that is known to be invalid (e.g. test123.local). On another system, use a network packet analyzer, such as Wireshark, to inspect the broadcasted traffic on the internal network environment. 

Security impact  

Rating (CVSS 3.1): 9.8

Since the LLMNR queries are broadcast across the network, any system can respond to these queries with the IP address of the DNS name in question. This can be abused by malicious attackers since an attacker can respond to all of these queries with the IP address of the attacker’s system. Depending on the service that the victim was attempting to communicate with (e.g. SMB, MSSQL, HTTP, etc.), an attacker may be able to capture sensitive cleartext and/or hashed account credentials. Hashed credentials can often be recovered in a matter of time using modern-day computing power and brute-force techniques.
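All three findings above (mDNS, NBNS and LLMNR) share one weakness: any host on the segment may answer a name query, so a spoofing host shows up in a capture as one source answering for many different names, while a legitimate host answers only for its own. The Python below is an added example, not code from the Vonahi report or this newsletter: it parses the DNS-shaped payloads captured on UDP 5353/5355/137 (including the NBNS first-level name encoding) and flags any source that answered for several distinct names. All hostnames, IP addresses and packet bytes are constructed for the example.

```python
import struct
from collections import defaultdict

NBNS_PORT = 137  # LLMNR uses UDP 5355, mDNS 5353; all three share the DNS header layout

def decode_name(data, off):
    """Decode DNS labels at off, following one compression pointer (RFC 1035 4.1.4)."""
    labels = []
    while True:
        ln, off = data[off], off + 1
        if ln == 0:
            return ".".join(labels), off
        if ln & 0xC0:  # pointer: 14-bit offset into the packet
            tail, _ = decode_name(data, ((ln & 0x3F) << 8) | data[off])
            return ".".join(labels + [tail]), off + 1
        labels.append(data[off:off + ln].decode("ascii", "replace"))
        off += ln

def decode_nbns_name(label):
    """Undo NBNS first-level encoding (each nibble + 'A'); drop the 16th suffix byte."""
    raw = bytes(((ord(label[i]) - 65) << 4) | (ord(label[i + 1]) - 65) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii", "replace")

def parse_packet(port, payload):
    """Return (transaction_id, is_response, queried_name, answered_ipv4_or_None)."""
    tid, flags, qdcount, ancount = struct.unpack("!HHHH", payload[:8])
    off, name, answered = 12, None, None
    for _ in range(qdcount):
        name, off = decode_name(payload, off)
        off += 4  # skip QTYPE and QCLASS
    if ancount:  # the first answer's owner name is the name being "resolved"
        name, off = decode_name(payload, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:        # A record (LLMNR, mDNS)
            answered = ".".join(map(str, payload[off:off + 4]))
        elif rtype == 0x20 and rdlen == 6:   # NBNS NB record: 2 flag bytes + IPv4
            answered = ".".join(map(str, payload[off + 2:off + 6]))
    if port == NBNS_PORT and name:
        name = decode_nbns_name(name.split(".")[0])
    return tid, bool(flags & 0x8000), name, answered

def find_poisoners(packets, min_names=3):
    """packets: (src_ip, dst_port, payload) tuples. Returns {src_ip: names} for every
    source that answered queries for at least min_names distinct names."""
    answered = defaultdict(set)
    for src, port, payload in packets:
        _, is_resp, name, ip = parse_packet(port, payload)
        if is_resp and name and ip:
            answered[src].add(name.lower())
    return {s: sorted(n) for s, n in answered.items() if len(n) >= min_names}

def build_packet(tid, name, ip=None, nbns=False):
    """Constructed sample traffic: a query, or a response carrying an A / NB record."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    if ip is None:
        return struct.pack("!HHHHHH", tid, 0, 1, 0, 0, 0) + wire + struct.pack("!HH", 1, 1)
    rdata = (b"\0\0" if nbns else b"") + bytes(map(int, ip.split(".")))
    rr = struct.pack("!HHIH", 0x20 if nbns else 1, 1, 30, len(rdata)) + rdata
    return struct.pack("!HHHHHH", tid, 0x8400, 0, 1, 0, 0) + wire + rr

# "SQLSRV-OLD" padded to 15 chars plus the 0x00 workstation suffix, first-level encoded
NBNS_SQLSRV_OLD = "FDFBEMFDFCFGCNEPEMEECACACACACAAA"

# Constructed capture: 10.0.0.66 answers three unrelated mistyped names (poisoner
# behaviour); 10.0.0.7 answers once, for its own hostname (normal behaviour).
SAMPLE = [
    ("10.0.0.20", 5355, build_packet(1, "fileshre01")),  # the victim's LLMNR query
    ("10.0.0.66", 5355, build_packet(1, "fileshre01", "10.0.0.66")),
    ("10.0.0.66", 5353, build_packet(2, "printr.local", "10.0.0.66")),
    ("10.0.0.66", 137, build_packet(3, NBNS_SQLSRV_OLD, "10.0.0.66", nbns=True)),
    ("10.0.0.7", 5355, build_packet(4, "ws-accounting", "10.0.0.7")),
]
```

Feed it the UDP payloads from the Wireshark filter in the reproduction steps; `find_poisoners(SAMPLE)` on the constructed capture returns only 10.0.0.66 with the three names it answered for.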


Affordable, automated penetration testing is a game-changer. Learn about it in our buyer’s guide! GET GUIDE>>



vPenTest is the premier, fully automated network penetration testing platform designed to proactively minimize security risks and breaches across your organization’s IT environment. By eliminating the need to source qualified network penetration testers, vPenTest delivers high-quality results that clearly outline identified vulnerabilities, assess their risks, and provide strategic and technical remediation guidance. Additionally, it enhances your compliance management capabilities effortlessly. The benefits of vPenTest are unbeatable:

  • Comprehensive assessments made easy: With vPenTest, conduct both internal and external network penetration tests seamlessly, ensuring every potential entry point in your network infrastructure is meticulously examined.  
  • Real-world simulation: Experience real-world cyber threat simulations with vPenTest, gaining invaluable insights into your security posture and preparedness against malicious actors.  
  • Timely and actionable reporting: Post-testing, vPenTest provides detailed, yet easy-to-understand reports, highlighting vulnerabilities, their potential impacts, and recommended mitigation actions, ensuring you’re always a step ahead.  
  • Ongoing penetration testing: Stay proactive with vPenTest’s affordable monthly testing intervals, maintaining a robust security posture that swiftly adapts to emerging threats.  
  • Efficient incident response: By identifying vulnerabilities proactively, vPenTest ensures you’re better prepared to respond to potential security incidents efficiently and effectively.  
  • Compliance alignment: vPenTest aligns seamlessly with regulatory compliance requirements such as SOC2, PCI DSS, HIPAA, ISO 27001, and cyber insurance mandates, simplifying your compliance management process.  

Transform your security approach with vPenTest—your trusted partner in automated network penetration testing. Ensure comprehensive, real-time protection and compliance, all while streamlining your security operations. BOOK A DEMO NOW>> 


See why EDR is the perfect investment to make in your future right now in our buyer’s guide. DOWNLOAD IT>>



June 19, 2024 | 1 PM ET / 10 AM PT

In 2023, cyberattacks surged by 35%, costing businesses over $4.2 billion. As threats continue to evolve, understanding these trends is imperative. In this informative session, host Miles Walker will guide you through the top cyberthreats businesses face right now. You’ll learn:

  • The most dangerous of emerging cyberthreats.
  • Effective cybersecurity strategies.
  • Lessons from recent high-profile attacks.

Save your spot and stay up-to-date on the top cyberattack trends! REGISTER NOW>>

June 19: The Top Cyberattack Trends of 2024 REGISTER NOW>>

June 18: Kaseya+Datto Connect Local Toronto (Security and Compliance Series) REGISTER NOW>>

October 28 – 30: Kaseya DattoCon (Miami) REGISTER NOW>>

November 12 – 14: Kaseya DattoCon APAC (Sydney) REGISTER NOW>>



Read case studies of MSPs and businesses that have conquered challenges using Kaseya’s Security Suite. SEE CASE STUDIES>>


Do you have comments? Requests? News tips? Complaints (or compliments)? We love to hear from our readers! Send a message to the editor.

Partners: Feel free to reuse this content. When you get a chance, email [email protected] to let us know how our content works for you!



Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!

LEARN MORE>>


Check out an on-demand video demo of BullPhish ID or Dark Web ID WATCH NOW>>

See Graphus in action in an on-demand video demo WATCH NOW>>


Book your demo of Dark Web ID, BullPhish ID, RocketCyber or Graphus now!

SCHEDULE IT NOW>>