Breach Roundup: MongoDB Blames Phishing Email for Breach – Source: www.databreachtoday.com

Update on Security Incident at MongoDB

Database management system maker MongoDB on Saturday announced a probe into a security incident involving unauthorized access to specific corporate systems, leading to the exposure of customer account metadata and contact details.

See Also: OnDemand | Understanding Human Behavior: Tackling Retail’s ATO & Fraud Prevention Challenge

The company said it had promptly initiated the incident response process after detecting unauthorized access on corporate systems on Dec. 13. The intrusion has “been going on for some period of time before discovery,” the company said. The incident exposed customer account metadata and contact information.

The company has repeatedly said it had not found evidence of unauthorized access to MongoDB Atlas clusters or the Atlas cluster authentication system. On Wednesday, it said the hacker had used a phishing attack to gain access to its corporate environment.

Hacking Incident Disrupts Shipping for North Face, Other Brands

Canvas shoe and outdoor wear maker VF Corp. disclosed Monday that a hacking incident had disrupted its ability to fulfill holiday shopping orders.

The Colorado maker of apparel and footwear brands including Vans, Supreme, The North Face and Timberland told U.S. federal regulators on Friday that on Dec. 13 it had detected an intruder on its digital systems. The hacker had been able to encrypt some IT systems and had stolen data, including personal data, the company said.

Company retail stores are operating normally, and consumers can place online orders for most of the company’s brands, it said. “However, the company’s ability to fulfill orders is currently impacted.”

A spokesperson did not say whether the corporation received a ransomware demand. News of the filing sent the share price sharply down in the first hours of trading this week, ending Monday with shares down 7%, although the share price recovered somewhat by midweek.

The company announced the incident the same day as a mandate took effect from the U.S. Securities and Exchange Commission for large and medium-sized publicly traded companies to disclose “material cybersecurity incidents” within four business days of determining materiality. Small businesses have an additional 180 days before they must comply with the rule (see: SEC Votes to Require Material Incident Disclosure in 4 Days).

The Denver-based company earned $11.6 billion in revenue last year and owns 12 brands, including JanSport backpacks and Dickies rugged wear.

Britain’s National Grid Drops Chinese Supplier

Britain electrical grid operator National Grid has started to remove components supplied by a U.K. subsidiary of China’s Nari Technology Co. from the transmission network, the Financial Times reported.

The decision, made in April after National Grid had consulted the National Cyber Security Center, was motivated by cybersecurity concerns – underscoring growing Western trepidation about Chinese technology’s involvement in critical infrastructure vulnerabilities.

The newspaper said the U.K. government in 2022 twice invoked new powers allowing it to limit foreign direct investment by intervening to restrict Chinese companies’ involvement in Britain’s electricity grid.

The United Kingdom in 2020 banned equipment from Chinese manufacturer Huawei after pressure from the United States, which has placed the Shenzhen-based telecom equipment maker on a national security blacklist (see: FCC Upholds Ruling That Huawei Poses National Security Threat).

Darknet Site Kingdom Market Has Shuttered

Germany’s Federal Criminal Police Office and Frankfurt Public Prosecutor’s Office dismantled darknet marketplace Kingdom Market. German authorities said Wednesday that more than 42,000 products had been offered for sale on the criminal bazaar.

The English-language illicit hub, operational since March 2021, was a clearinghouse for narcotics, malicious software and forged documents. Tens of thousands of customers and several hundred seller accounts were registered on the marketplace.

U.S. federal prosecutors arrested a Slovak national named Alan Bill – also known as “Vend0r,” and “Kingdom Official” – and accused him of helping found and administer Kingdom Market. A redacted indictment unsealed Wednesday charges Bill on 10 criminal counts including distribution of controlled substances, identity theft and money laundering conspiracy. Prosecutors on Thursday asked a federal judge not to release Bill ahead of a trial, calling the Bratislava resident a flight risk.

Tens of thousands of customers and hundreds of sellers engaged in transactions using cryptocurrencies such as Bitcoin, Litecoin, Monero and Zcash. The operators received a 3% commission for processing sales of illegal goods on the platform.

German authorities said they had cooperated with counterparts from the United States, Switzerland, the Republic of Moldova and Ukraine in dismantling the site.

Play Ransomware Actors Targeted Around 300 Entities

Threat actors behind the Play ransomware, also known as Playcrypt, have targeted around 300 entities across North America, South America and Europe, according to a Monday advisory from U.S. and Australian law enforcement and cyber agencies.

Operating as a closed group, Playcrypt’s tactics include abuse of valid accounts to obtain initial access and a double-extortion model, in which victims are coerced to contact the threat actors via email, adding a psychological dimension to the onslaught.

The Play ransomware group is responsible for cyberattacks against the city of Oakland, an attack on the Judiciary of Córdoba in Argentina and the German chain H-Hotels. TrendMicro said the group’s activities closely resemble those of ransomware groups Hive and Nokoyawa, suggesting a potential affiliation.

The group also exploits vulnerabilities in public-facing applications such as known weaknesses in FortiOS tracked as CVE-2018-13379 and CVE-2020-12812. It has also used a Microsoft Exchange vulnerability known as ProxyNotShell, tracked as CVE-2022-41040 and CVE-2022-41082.

The group’s sophisticated methods extend to discovery and detection evasion, leveraging tools such as AdFind and Grixba for Active Directory queries and network enumeration.

Playcrypt actors use a range of tools such as GMER and IObit to disable antivirus software and remove log files and show a preference for PowerShell scripts targeting Microsoft Defender.

Interpol-Led Operation Haechi IV

Law enforcement agencies from 34 countries joined forces for Operation Haechi IV, resulting in 3,500 arrests and the seizure of $300 million in stolen funds. The six-month-long operation targeted seven cyberthreats, including “voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise fraud, and e-commerce fraud.”

A collaboration between Filipino and Korean authorities led to the arrest of a high-profile online gambling criminal in Manila after a two-year manhunt. Interpol states that the operation blocked 82,112 suspicious bank accounts, leading to the confiscation of $199 million in hard currency and $101 million in virtual assets.

Interpol worked alongside various virtual asset service providers that assisted in identifying 367 virtual asset accounts linked to transnational organized crime. Investigations are underway as law enforcement agencies globally freeze these assets.

With reporting by Information Security Media Group’s Mihir Bagwe in Mumbai, India.