Constella Intelligence

Analyzing Ticketmaster Sample Data Breach: Key Insights and Implications

As noted in our previous blog, The Resurgence of Major Data Breaches?, a potential data breach involving Ticketmaster surfaced on deep and dark web forums in May 2024, and here we analyze it as a sample data breach. The original listing, shown in the accompanying image below, was posted by a user named ShinyHunters on May 28, 2024. It claims data on 560 million customers, 1.3 TB in total, including full names, addresses, emails, phone numbers, ticket sales, event information, order details, credit card details, customer fraud details, and more. The data was offered for sale for $500,000 USD.


Understanding the Breach

More recently, another user named Sp1d3r has taken a more prominent role on the forum, with the ShinyHunters account apparently stepping back. Sp1d3r advertised the data as covering 680 million customers at a price of $100,000 USD and, in addition to selling the full 680M data set, released a sample of the first million records to all forum users.


Constella Intelligence obtained the 1 million record sample offered on the forum and analyzed it, which gives a glimpse of the scale and severity of the incident. The sample dataset includes:

  • Personal Information: Names, email addresses, phone numbers, physical addresses.
  • Financial Data: Credit card details, payment methods, and transaction information.
  • Web Sessions and Cookies: Session details, IP addresses, browser identifiers.
  • Transaction Details: Purchase history, patron IDs, party lookup IDs.

Key Statistics from the Sample

The sample yields several statistics that illustrate the scope of the potential breach and give a quantitative view of the exposure. Note that these figures describe the sample only; a consistent sample does not by itself confirm the 560M or 680M headline count.

  • Total Records: 999,998 entries
  • Total Fields: 53 fields encompassing various data types
  • Email Statistics: 999,985 total email addresses, 761,041 unique email addresses
  • Top Email Domains: Gmail.com (620,985), Yahoo.com (57,796), Hotmail.com (45,490)
  • Geographical Distribution: USA (800,414 records), Mexico (99,910), Canada (64,011)
  • Payment Methods: VISA (429,279 records), MasterCard (304,484), American Express (64,369), PayPal (59,747)
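
To show how figures like the ones above are derived from a raw dump, here is an added example (not Constella's tooling) that triages a CSV sample: it normalizes e-mail addresses before counting unique ones, tabulates the top domains, countries and payment methods, and checks whether any addresses fall under a domain you are responsible for. The column names and the rows in SAMPLE_CSV are constructed for the example; real dumps use different schemas.

```python
"""Triage a leaked CSV sample the way the statistics above were derived.

Added example, not Constella's own tooling. The column names (email,
country, payment_method, ...) and the rows in SAMPLE_CSV are assumptions
constructed for this example; real dumps use different schemas.
"""
import csv
import io
from collections import Counter

# Constructed stand-in for the 1M-record sample (not real breach data).
SAMPLE_CSV = """name,email,phone,country,payment_method,card_last4
Ana Ruiz,ana.ruiz@gmail.com,+52 55 0000 0001,MX,VISA,4242
John Doe,JOHN.DOE@Gmail.com ,+1 212 000 0001,US,MasterCard,5100
John Doe,john.doe@gmail.com,+1 212 000 0001,US,VISA,4000
Mary Lee,mary@yahoo.com,+1 415 000 0002,US,American Express,3400
Luc Tremblay,luc@hotmail.com,+1 514 000 0003,CA,PayPal,
Sam Park,,+1 650 000 0004,US,VISA,4111
Eve Adams,eve@example.org,+1 312 000 0005,US,MasterCard,5200
"""


def normalize_email(raw):
    """Lower-case and trim so case/whitespace variants collapse to one
    address; return None for blanks or junk so they are not counted."""
    email = (raw or "").strip().lower()
    return email if "@" in email else None


def load_rows(csv_text):
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    return rows, list(reader.fieldnames or [])


def triage(csv_text, top_n=3):
    """Headline statistics for a dump: record/field counts, e-mail totals and
    uniqueness, and the top domains, countries and payment methods."""
    rows, fields = load_rows(csv_text)
    emails = [e for e in (normalize_email(r.get("email")) for r in rows) if e]
    domains = Counter(e.rsplit("@", 1)[1] for e in emails)
    countries = Counter(
        r["country"].strip().upper() for r in rows if (r.get("country") or "").strip()
    )
    payments = Counter(
        r["payment_method"].strip() for r in rows if (r.get("payment_method") or "").strip()
    )
    return {
        "total_records": len(rows),
        "total_fields": len(fields),
        "total_emails": len(emails),
        # unique < total means several records (orders) per customer, not more victims
        "unique_emails": len(set(emails)),
        "top_domains": domains.most_common(top_n),
        "countries": countries.most_common(top_n),
        "payment_methods": payments.most_common(),
    }


def exposed_addresses(csv_text, watch_domain):
    """Addresses in the dump under a domain you are responsible for (e.g. your
    company's), deduplicated and sorted, for notification or forced resets."""
    rows, _ = load_rows(csv_text)
    suffix = "@" + watch_domain.lower()
    hits = {
        e for e in (normalize_email(r.get("email")) for r in rows)
        if e and e.endswith(suffix)
    }
    return sorted(hits)


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CSV).items():
        print(f"{key}: {value}")
    print("watch-list hits:", exposed_addresses(SAMPLE_CSV, "example.org"))
```

The unique-versus-total e-mail ratio is the first thing to look at: in the constructed sample one customer appears twice with differently cased addresses, and without normalization the dump would appear to contain more victims than it does. The watch-list check is how a security team turns a third-party breach into an action list of its own users.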

AI-Driven Scams: What You Need to Know


The exposure of such detailed and sensitive information poses significant risks to the affected individuals. In Constella's experience, spear phishing attacks increasingly use payment method and card details taken from breaches as inputs to AI models that generate realistic, targeted lures.

Spear phishing is a targeted attack that aims to steal sensitive information from a specific individual by posing as a trusted entity. Unlike mass phishing, it is highly personalized, tailored with details taken from breaches such as this one.

With access to names, email addresses, financial information, payment methods, web session cookies and transaction histories, threat actors can craft convincing emails that appear legitimate using current AI tooling (LLM-based services marketed as WormGPT, HackerGPT or DarkBERT, or jailbreak prompts against commercial LLMs).

For example, an email might reference a recent purchase or quote the last four digits of the card on file to make the message more believable. AI increases both the realism and the volume of these scams, making fraudulent emails harder to distinguish from legitimate ones.

Protecting Exposed Data

If the information published by “Sp1d3r” is accurate, Constella recommends taking the following actions:

  1. Clear cookies and log out of active sessions: Clearing your browser cookies and cache removes the local copy of your session data, but it does not invalidate a copy that has already been stolen. Use the service's "sign out of all devices" option where available so that the session is revoked on the server side.
  2. Reset the password for your account and any other accounts sharing it: Ticketmaster states that no passwords were compromised and that banking data is encrypted; resetting your Ticketmaster password, and any other account using the same password, is still prudent. Use strong, unique passwords for each account, and use a password manager to generate and store them.
  3. Stay alert for spear-phishing campaigns, as described above: Be suspicious of emails that reference Ticketmaster or recent transactions, avoid clicking links or opening attachments from unknown senders, and verify any request for personal information through the official site rather than through the email.

By following these specific recommendations, individuals can better protect their personal information and mitigate the impact of data breaches like the one potentially experienced by Ticketmaster.

Infostealers on the Rise: A New Wave of Major Data Breaches?

This blog continues our previous article, The Resurgence of Major Data Breaches, where we discussed the alarming increase in data breaches attributed to the notorious ShinyHunters group. Here we look at the role of infostealers in these breaches and how they feed the rising wave of attacks.

Why Are We Seeing More Major Breaches?

Lately we have seen an alarming increase in major data breaches, with millions of records exposed and shared on dark web forums. This resurgence has been driven in large part by the spread of infostealers: malware designed to quietly harvest sensitive information from infected devices without the victim's awareness. Together with the reappearance of the names of former hacking groups and users, it raises the question of whether we are entering another "golden age" of mass leaks like the one a few years ago.

A likely driver of these breaches is the mass leakage of credentials from infostealer infections. Infostealers arrive through phishing emails, malicious downloads, or compromised websites and extract usernames, passwords, session cookies, and other personal information. Once collected, the data is sold or shared on dark web forums, giving other criminals the access they need to conduct further attacks.

Analysis of Notorious Infostealers

Infostealers typically operate as malware-as-a-service: certain threat actors develop and host the stealer and its infrastructure, and other actors pay for access so they can harvest victims' data with little effort of their own. Some of the most active families:

  • RedLine Stealer is known for its effectiveness at stealing credentials from browsers, FTP clients, and cryptocurrency wallets. Distributed through phishing campaigns and malicious downloads, RedLine quickly extracts and transmits the data to its operators. Its widespread use has tied it to numerous breaches.
  • Raccoon Stealer focuses on information from browsers, email clients, and other software. Its user-friendly panel makes it accessible to novice cybercriminals, and its ease of use and effectiveness have cemented its place in many criminals' toolkits and contributed significantly to the volume of stolen credentials.
  • Meta Stealer targets a broad range of applications and platforms, including browsers, gaming accounts, and VPN credentials. Its adaptability and reach make it a potent tool for harvesting a wide array of sensitive information.
  • Lumma Stealer is particularly known for its ability to restore expired session cookies, which lets an attacker replay them and skip both the login and multi-factor authentication entirely. This capability has made Lumma a component of several high-profile breaches in which stolen session tokens were used to gain unauthorized access, and it poses a serious risk to both individuals and organizations.
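
Because a restored or stolen cookie is indistinguishable from the genuine one at the cookie level, the defensive check has to happen on the server, by comparing each request against the login that minted the session. The following is an added example, not code from Constella or from any of the products mentioned, that runs two such checks over constructed JSON access-log lines: a session used past its assumed 24-hour lifetime or with no login on record (the replayed-cookie case), and a mid-session change of user agent or source IPv4 /16. The field names, the lifetime and the log lines are assumptions.

```python
"""Flag replayed or stolen session cookies from web access logs.

Added example, not Constella's code or any vendor's product. SAMPLE_LOG is
constructed JSON lines; the field names (ts, event, session, ip, ua) and the
24-hour lifetime are assumptions. Two signals are checked for every request
carrying a session cookie:
  1. the session is older than the server's own lifetime, or no login that
     minted it is on record (a restored/stolen cookie being replayed);
  2. the client fingerprint (user agent, IPv4 /16) changed since login.
"""
import ipaddress
import json
from datetime import datetime, timedelta

MAX_SESSION_LIFETIME = timedelta(hours=24)  # assumed server-side expiry

# Constructed log: s1 is a legitimate login whose cookie is later replayed
# from another machine and again after expiry; s9 has no login at all.
SAMPLE_LOG = """\
{"ts":"2024-05-28T10:00:00Z","event":"login","session":"s1","ip":"203.0.113.10","ua":"Chrome/124 Windows"}
{"ts":"2024-05-28T10:05:00Z","event":"request","session":"s1","ip":"203.0.113.12","ua":"Chrome/124 Windows"}
{"ts":"2024-05-28T11:00:00Z","event":"request","session":"s1","ip":"198.51.100.7","ua":"Chrome/124 Linux"}
{"ts":"2024-05-30T09:00:00Z","event":"request","session":"s1","ip":"203.0.113.10","ua":"Chrome/124 Windows"}
{"ts":"2024-05-28T12:00:00Z","event":"request","session":"s9","ip":"192.0.2.44","ua":"Chrome/124 Windows"}
"""


def parse_ts(value):
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def net16(ip):
    """Coarse network identity: the /16 containing an IPv4 address. Roaming
    inside one provider usually stays within it; a new machine rarely does."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def detect_session_replay(log_text, max_lifetime=MAX_SESSION_LIFETIME):
    """Return (line_no, session_id, reason) for each suspicious request."""
    logins = {}     # session id -> the login record that minted the cookie
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        sid = rec["session"]
        if rec["event"] == "login":
            logins[sid] = rec
            continue
        origin = logins.get(sid)
        if origin is None:
            # A cookie this server never issued in the window: replayed from a stealer log.
            findings.append((line_no, sid, "UNKNOWN_SESSION"))
        elif rec["ts"] - origin["ts"] > max_lifetime:
            # Valid-looking cookie presented after it should have died server-side.
            findings.append((line_no, sid, "EXPIRED_REUSE"))
        elif rec["ua"] != origin["ua"] or net16(rec["ip"]) != net16(origin["ip"]):
            findings.append((line_no, sid, "FINGERPRINT_CHANGE"))
    return findings


if __name__ == "__main__":
    for finding in detect_session_replay(SAMPLE_LOG):
        print(finding)
```

Treat each finding as a trigger for step-up authentication or a forced re-login rather than a hard block: users do change networks and browsers get updated, so the fingerprint rule alone produces false positives, whereas a request on a session that is past its lifetime or that was never minted is strong evidence of a cookie lifted from an infected machine.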

Potential for More Major Breaches

A recent Constella analysis detected thousands, and in some cases millions, of credentials belonging to companies whose employees appear to be infected by these infostealers. The compromised data includes not only personal information but also credentials for corporate networks and cloud services, which greatly increases the risk of large-scale breaches like those seen in recent weeks.

Certain cloud service providers have between 100k and more than 1M credentials exposed through infostealer infections. That range underscores how pervasive the threat is across cloud services: both employees and customers are being exposed daily, and these credentials are increasingly available for threat actors to use.

Protecting Against Infostealer Threats

Given the current landscape, it is crucial for individuals and employees to take specific measures to protect against infostealer infections and subsequent data breaches:

  1. Use Browser Extensions Cautiously: Avoid installing unnecessary extensions; a malicious extension can itself act as an infostealer, capturing credentials and session data.
  2. Monitor for Unusual Browser Behavior: Unexpected redirects, pop-ups, or login prompts can indicate an infostealer infection. Disconnect from the network and begin remediation.
  3. Regularly Clear Cookies and Cache: Periodically clearing cookies, and logging out instead of just closing the tab, limits how long a stolen cookie remains usable, since a copied cookie only dies when the server invalidates the session.
  4. Enable Security Features: Disable browser autofill and password saving, enable warnings for untrusted websites, and keep credentials in a dedicated password manager rather than the browser store, which infostealers target directly.
  5. Protect Against Infostealers: Because infostealers rely on user behaviour and unpatched vulnerabilities to get in, avoid downloading files, opening attachments, or clicking links from untrusted or unknown sources without first checking the sender.

By following these targeted recommendations, users and employees can better protect their personal and corporate information from infostealer infections. The fight against these threats is ongoing, but with the right precautions, we can mitigate their impact and safeguard our data and privacy.

The Resurgence of Major Data Breaches?

In the past few weeks, we have noticed an alarming increase in major data breaches, with millions of records being exposed and shared on dark web forums. This resurgence has been largely driven by a user who appears to be using the name ShinyHunters, a notorious hacking group. This wave of cyberattacks, along with the resurgence of the names of these former hacking groups/users, raises the question of whether we are entering another “golden age” of mass leaks, similar to what we experienced a few years ago.

The Golden Age of Major Data Breaches

Between 2019 and 2021, the cybersecurity community witnessed what many refer to as the "golden age" of massive data breaches. During this period, numerous hacker groups, including ShinyHunters, conducted large-scale attacks that compromised the data of millions of users. This stolen data was shared and sold on the dark web, creating a highly lucrative black market for personal and business information.

ShinyHunters stood out during this period for their attacks on companies such as Tokopedia, Unacademy, and Zoosk, leaking large volumes of sensitive data, including names, email addresses, passwords, and more. In 2020 and 2021, ShinyHunters conducted a series of hacks on prominent entities, including clothing retailer Bonobos, photo app Pixlr, and Microsoft's GitHub account. They also claimed to have information on 70 million AT&T accounts, although AT&T denied the leak.

Recently, a user named ShinyHunters allegedly reopened BreachForums, a deep web forum for sharing stolen data breaches, and became its "owner" after the original forum was taken down. The resurgence of BreachForums under ShinyHunters has coincided with new leaks impacting large companies, along with the appearance of other users registered under the names of formerly well-known hackers and database sharers. This raises the question of whether a new "golden age" of breaches is beginning. However, given the major problems the group was facing, including recent arrests, it is also possible that we are witnessing identity impersonation intended to lend credibility to the shared breaches.

Recent Breaches

In the last week of May 2024, ShinyHunters was allegedly responsible for two significant breaches. While it cannot be confirmed that ShinyHunters is behind them, the following incidents have been reported:

Santander Bank Breach

  • Countries Affected: Spain, Chile, Uruguay
  • Date Published: May 30, 2024
  • Data Compromised:
    • 30 million customer records
    • 6 million account numbers and balances
    • 28 million credit card numbers
    • HR employee lists
    • Consumer citizenship information
    • And much more
  • Price: $2 million USD

Ticketmaster Breach

  • Date Published: May 28, 2024
  • Data Compromised:
    • Full details of 560 million customers (name, address, email, phone)
    • Ticket sales, event information, order details
    • Credit card details, last 4 digits of the card, expiration date
    • Customer fraud details
    • And much more
  • Price: $500,000 USD

Recommendations if Impacted By Major Data Breaches

To be protected from the repercussions of these breaches, users should consider the following measures:

  1. Be Cautious with Phishing Emails: Avoid clicking on links or downloading attachments from unknown or suspicious emails.
  2. Use a Password Manager: A password manager can help securely generate and store complex passwords.
  3. Stay Informed: Keep up to date with the latest news on cybersecurity threats and breaches.

By staying vigilant and taking these proactive steps, users can better protect their personal information from being compromised in future data breaches.

Growing Cyber Threats Amid Israel-Palestine Tensions

Growing Cyber Threats Focus on Ransomware, Infostealers, and Defacements

This blog continues our geopolitical series, highlighting the growing cyber threats during the ongoing Israel-Palestine tensions. Recent months have seen a significant increase in cyberattacks targeting Israeli institutions, with a particular focus on ransomware, infostealers, and defacements. This blog delves into the most recent incidents, primarily orchestrated by the Handala group.

Escalation of Tensions in Israel

As mentioned in our previous blog, the escalating tensions between Israel and Palestine are mirrored in cyberspace by increased activity from the Handala Hack Group. Active since 2011, this pro-Palestinian hacker collective has intensified its cyber offensives against Israeli targets, employing defacements and ransomware attacks to disrupt operations and steal sensitive information. These attacks not only aim to cause financial and operational damage but also to broadcast their political message and gain support against Israel.

Recent Ransomware Attacks by Handala

Handala has potentially conducted numerous ransomware attacks, targeting the technology, education, and healthcare sectors. Here are some of the most recent incidents:

  • On May 27, 2024, Zionist Information Technology was potentially attacked.
    • The affected entities include Cello (formerly Cellopark), MER Group, ForSight Robotics, Magnet Accelerator, Citizen Café Tel Aviv, Toks, Barak Finance, EasyUP, Sirius Electronics, Israel Archaeological Services, and Shai Nursing Company.
    • This attack spanned multiple sectors, including technology, healthcare, and academic services, exposing significant gaps in the affected organizations' defenses.
  • Ramat Gan Academic College faced a possible attack on May 25, 2024, affecting its educational infrastructure and data.
  • Harmony Pharm, the largest pharmacy in Tel Aviv, was attacked on May 22, 2024, disrupting the pharmaceutical supply chain.
  • Amigour Company, a major housing and community development company, was hacked on May 16, 2024. The attack led to 522 GB of data being dumped and wiped.
  • High Group, a key settlement development source, was attacked on May 2, 2024, resulting in 84 GB of data being dumped.

Defacement Attacks: Exposing the Faces of Cyber Warfare

A defacement attack involves altering the visual appearance of a website, often to display a political or social message. Handala Group and other hacktivist groups have been actively engaging in defacement attacks to criticize and expose Israeli entities publicly.

Here are some notable recent defacements:

  • Handala Group: Two defacements recorded on makombelev.org.il and hadct.co.il
  • Cyb3r_Drag0nz_Team: Defaced www.infodent.co.il and www.argal.co.il
  • Mr.Rm19: Targeted gedera.gogeek.co.il
  • adem:): Defaced maxlock.co.il
  • jokeir 07x: Targeted tudiotb.co.il and ugarit.co.il
  • P1Y4D3: Defaced multiple pages under ugaritgroup.co.il
  • TOMODACHI: Defaced call.ugarit.co.il and mishkan-store.co.il
  • ./r0cky_n00bz: Targeted horoot.co.il
  • Cyber Ghost: Defaced hadpeami.co.il, korki-net.co.il, and shoo-fee.org.il
  • DragonForceMalaysia: Defaced bridgesalon.co.il
  • Hacktivist Indonesia: Targeted isr.org.il
  • JH-TEAM H: Multiple defacements including www.nsc.org.il and maccabi.co.il
  • the key40: Targeted maccabi.co.il
  • systemadminbd: Defaced www.ite-cat.co.il

Infostealer Infections: A Growing Concern

Infostealer infections have also been observed at several Israeli entities, some of which appear in the ransomware listings above. Infostealers are malware designed to gather sensitive information from infected systems, such as login credentials and personal data. Affected entities include:

  • Smart College
  • 99 Digital
  • Ramat Gan Academic College
  • Barak Finance

These infections could have provided the initial access behind some of the ransomware attacks above or, worse, could be used to extend the damage of the existing ones.

Conclusions and Recommendations

The recent surge in cyber attacks amid the Israel-Palestine conflict underscores the evolving nature of digital warfare. Ransomware, infostealers, and defacements are being utilized to disrupt, expose, and damage critical sectors in Israel. Understanding these threats is crucial for mitigating the impact of these malicious activities.

Recommendations:

  • Be Careful with Emails: Avoid clicking links or downloading attachments from unknown or unsolicited emails. Phishing is a common method hackers use to access personal information.
  • Use Two-Factor Authentication (2FA): Enable 2FA on all accounts to add an extra layer of security.
  • Regularly Update Systems: Keep all software and systems up to date with the latest security patches to prevent exploitation of known vulnerabilities.

By adopting these practices, individuals can significantly reduce their risk of falling victim to cyberattacks and ensure a robust defense against the ever-evolving threat landscape.


How to Address the FBI Warning on Synthetic Identities: The North Korean Infiltration of Fake Employees

With fake and synthetic identities emerging as a potent tool for nefarious actors, the threat of cyber deception looms large. Recent revelations shed light on the sophisticated tactics employed by individuals seeking to infiltrate organizations using fraudulent personas. This blog explores the evolving landscape of synthetic identities, the imperative for businesses to bolster their defenses, and Constella’s innovative response with its Advanced Know Your Employee (KYE) solution.

Unveiling the Elaborate Ruse

Across industries and borders, malicious actors are employing elaborate strategies to deceive organizations and gain unauthorized access. Through fake names, counterfeit documents, and meticulously crafted online profiles, these actors seek to exploit vulnerabilities and compromise sensitive information. Constella’s advanced capabilities, leveraging the world’s largest data lake of more than 1 trillion assets collected from the surface, deep, and dark web, can reveal the widespread presence of synthetic identities across freelancing platforms, online communities, and even within existing organizations, underscoring the pervasive nature of this threat.

The Mechanics of Synthetic Identities

Synthetic identities are not merely a collection of false information but carefully constructed personas designed to evade traditional verification processes. Fraudsters combine real and fabricated data to create these identities, making them harder to detect. This sophisticated approach allows them to open bank accounts, apply for credit, and gain employment under assumed identities.

According to a TransUnion report, synthetic identity fraud reached record levels in 2023, with U.S. lender exposure to synthetic identities reaching a staggering $2.9 billion.

Warning on a Global Scale: A Call to Vigilance

Late last year, Reuters broke a startling revelation: The North Korean government had been orchestrating a covert operation using synthetic identities to infiltrate Western companies, aiding its weapons programs.

In this high-stakes investigation, Constella’s solution helped to sift through millions of data points to identify anomalies and potential threats. This capability is invaluable in helping organizations in uncovering synthetic identities—fake personas constructed using a combination of real and fabricated information. By cross-referencing data from various sources, Constella is able to pinpoint inconsistencies that flag potential synthetic identities used by operatives or other malicious actors.

On May 16, 2024, the FBI issued an advisory to help companies recognize and counter threats related to fake IT workers entering the U.S. workforce. Stressing the importance of rigorous identity verification, the advisory outlined red flags and specific measures, including comprehensive background checks and video interviews. The imperative for businesses to strengthen their identity verification processes and fortify their defenses against cyber deception has never been clearer. That same day, the DOJ announced multiple arrests linked to the scheme, targeting individuals who facilitated it using stolen identities. Among those arrested was Christina Marie Chapman from Arizona, who ran "laptop farms" to help North Korean IT workers remotely access company networks under false pretenses. These actions are part of a broader strategy to dismantle the network and hold those who enable such fraud accountable.

Constella’s Groundbreaking Response: Advanced KYE Solution

Constella Intelligence introduced its Advanced Know Your Employee (KYE) solution in response to the escalating threat landscape. Leveraging our proprietary AI profiling engine and the world’s largest data lake comprising more than one trillion assets, this innovative solution empowers organizations to uncover synthetic identities and manage internal identity risks with unparalleled precision. From continuous monitoring to enhanced identity verification, Constella is revolutionizing internal risk management in an era marked by sophisticated cybercrime and fraud.

Empowering Organizations with Proactive Risk Mitigation

Constella’s Advanced KYE solution equips organizations with unrivaled capabilities for proactive risk mitigation:

Insider Monitoring

Identify and address potential threats through continuous scanning and comprehensive analysis. The solution offers insights into employee activities, helping organizations detect and mitigate risks before they escalate.

Contractor and Portfolio Monitoring

Safeguard investments and supply chain integrity with ongoing insights into contractor activities. This feature is particularly crucial for businesses that rely on third-party vendors and freelancers.

Fraudulent Employee Provisioning

Enhance traditional background checks by uncovering potential risk factors inaccessible through conventional means. This includes deep web searches and cross-referencing multiple data sources to verify employee identities.

A Paradigm Shift in Internal Identity Risk Management

As AI technology continues to evolve, its applications in fraud prevention will expand. Advanced KYE is just the beginning. Future innovations will incorporate more sophisticated approaches and broader applications, further enhancing an organization’s ability to detect and prevent synthetic identity fraud and threats.

A Collective Call to Action

As businesses navigate the complexities of the digital landscape, the threat of synthetic identities and internal risks loom. Constella’s Advanced KYE solution offers hope, enabling organizations to uncover and mitigate internal identity risks with unprecedented accuracy. Are you ready to fortify your organization against cyber deception? Discover how Constella’s Advanced KYE solution can empower your business. Schedule a free demo today and embark on a journey towards enhanced cybersecurity resilience.

Recent Data Breach at Ayesa: A Ransomware Case Study

Strengthening Defenses Against Ransomware Attacks

In recent years, ransomware attacks, in which criminals encrypt a victim's data and demand payment to restore it, have become a serious threat to organizations worldwide. These attacks hit many sectors, including healthcare and finance, and the goal is often not just to make money but also to cause disruption and chaos. One group known for these aggressive tactics is Black Basta. They use double extortion: they not only encrypt the victim's data but also threaten to publish stolen sensitive information unless they are paid. As these cybercriminals continue to refine their methods, it is increasingly important for organizations to strengthen their defenses.

The Ayesa Data Breach

Ayesa, a leading Spanish company providing technology and engineering services, seems to have recently fallen victim to a potential ransomware attack by Black Basta. With over 12,500 employees and a presence in 23 countries, the possible breach at Ayesa highlights the extensive reach of these cyber criminals. The attack, which was made public on May 13, 2024, potentially resulted in the theft of about 4.5 terabytes of sensitive data, including:

  • Company data (treasury, human resources, administration, general management, security, audits, etc.)
  • Employees’ data
  • Projects and CAD files

The Threat of Detailed Profiling

The kinds of data potentially stolen from Ayesa, such as employees' personal details and internal company information, are highly valuable to criminals. With them, threat actors can build synthetic identities to impersonate employees, which can then be used to commit fraud, purchase illicit items, or access company systems by posing as legitimate staff. These identities can be enriched further with information from data brokers, who collect and sell large amounts of personal data gathered from public sources such as social media profiles, past employment history, and other public records, and with records cross-referenced from previous breaches.


For example, if a cybercriminal obtains an employee’s name, job title, and contact information from Ayesa, they can look up additional details such as social media profiles, past employment history, and other personal records from data brokers. This enriched profile can then be used to craft highly targeted phishing emails or impersonation attempts, making the attacks more convincing and increasing the likelihood of success.


The Ease of Exploiting Leaked Data

Generative AI tools, especially those without ethical restrictions like WormGPT or FraudGPT, enable cybercriminals to automate and carry out more realistic and sophisticated fraudulent attacks.

These tools can be used to produce malware, convincing phishing pages, and spear-phishing emails that appear to come from trusted sources within an organization. Because they exploit human psychology at scale, they significantly increase the likelihood of a successful attack.

Potential Attack Vectors

With the kind of data a cybercriminal can obtain from these data breaches, several attack vectors can be exploited:

  1. Identity Theft: Personal data such as ID card photos and employee information can be used to commit identity theft, leading to financial loss and reputational damage.
  2. Phishing and Social Engineering: Detailed personal and company data can help attackers craft convincing phishing emails, increasing the success rate of these attacks.
  3. Intellectual Property Theft: Projects and CAD files contain valuable intellectual property that malicious actors could exploit.
  4. Credential Stuffing: Access to employee credentials could allow attackers to gain unauthorized access to other systems where the same credentials might be used.

Cybersecurity Recommendations

In addition to the classical tips we have provided in previous blogs, such as enabling MFA, it is important to take additional steps to secure your devices and networks.

  • Secure Your Devices: Ensure that any device used to access sensitive information is secured with updated antivirus software and a firewall. Regularly update your operating system and software to protect against vulnerabilities.
  • Use Secure Networks: Avoid using public Wi-Fi to access or transmit sensitive information. Instead, use a secured or virtual private network (VPN) to enhance online privacy.
  • Remove Unused Accounts: Review and delete any accounts for unused services regularly. Ensuring your information is not stored unnecessarily reduces the risk of being exposed to a breach.
  • Be Cautious of Phishing and Scams: Always be wary of unsolicited emails, messages, or phone calls asking for personal information. Verify the authenticity of the source before responding, and avoid clicking on links or downloading attachments from unknown senders. Recognizing and avoiding phishing attempts can significantly reduce the risk of falling victim to scams.

By following these steps, individuals can better protect their personal information from cyber threats and mitigate the impact of potential data breaches. In an increasingly digital world, staying informed and proactive is essential to maintaining security and trust.

Recent Healthcare Ransomware Attacks

The healthcare sector is a prime target for ransomware because of the sensitivity of its data. In recent weeks, several attacks and data breaches have been identified that show how consistently ransomware groups pursue healthcare organizations for data exfiltration. The following cases illustrate the severity and scope of these attacks.

New Boston Dental Care Healthcare Ransomware Attacks

New Boston Dental Care fell victim to a ransomware attack by the 8BASE group that was disclosed on May 13, 2024. Unlike the NHS Scotland incident described below, the attackers have already published a download link for the stolen data, as the period for the company to pay the ransom has expired. The compromised files include:

  • Invoices
  • Receipts
  • Accounting records
  • Certificates
  • Employment contracts
  • Confidential information

The publication of these files indicates that the negotiation period has ended without a resolution, leading to the public release of sensitive information.

NHS Scotland Healthcare Ransomware Attacks

NHS Scotland, the publicly funded healthcare system in Scotland and part of the UK’s National Health Service, was attacked by the INC Ransom group. The attack was publicized on May 11, 2024. The threat actor behind this attack appears to have attempted negotiations with NHS Scotland, but as of now, they have not received a response. Consequently, the data has not yet been leaked.

The compromised data includes:

  • 3 terabytes of data
  • More than 100 internal files

Currently, no full data has been published as the ransom group seems to be in ongoing contact with NHS Scotland.

Covid19MOVE Breach

At Constella, we have identified several breaches in the healthcare sector over recent weeks, one of the most significant being the Covid19MOVE breach. Detected on April 29, 2024, this breach exposed approximately 12 million records related to Covid-19 patients in Russia. The types of exposed data include:

  • Emails
  • Dates
  • Phone numbers
  • Other user-related information

The data from this breach has not been attributed to a specific company, suggesting it could be a compilation of Covid-19 related data from various sources.

Saudi Ministry of Health Data Breach

Additionally, at Constella we have analyzed various Dark Web sources and detected that a database containing information from the Saudi Ministry of Health (500 GB, according to the threat actor) has recently been put up for sale by a user known as verifiedBpp. The data spans from 2020 to 2024 and includes:

  • Full names, addresses, telephone numbers, blood types, patient records, staff internal messages, and emails
  • Access to admin, staff, and patient pages, with capabilities to remove users and change permissions
  • Internal systems data, including Covid-19 system, my health system, and Seha (the largest healthcare network in the UAE)
  • Details such as infections, tests, recoveries, deaths, and other data
  • Specific information like name, ID number, age, nationality, gender, place of diagnosis, residence, mobile phone number, and more

The post's author claims that the Ministry of Health's servers were hacked, with access gained on January 3, 2021, and maintained through March 21, 2024. The total amount of data stolen is estimated at 500 GB. The author also stated that they could leak 100 GB of this sensitive data at will.

Cybersecurity Recommendations for Patient Data Management and Software

Given the recent surge in healthcare ransomware attacks, it’s crucial to take proactive steps to protect our health information. Here are some tips to help safeguard your personal health data against such cyber threats:

  • Be Vigilant with Emails: Avoid clicking on links or downloading attachments from unknown or unsolicited emails. Phishing is a common method used by hackers to gain access to personal information.
  • Enable Two-Factor Authentication (2FA): Whenever available, activate two-factor authentication on your online healthcare accounts. This adds an extra layer of security by requiring a second form of verification.
  • Educate Yourself on Your Rights: Familiarize yourself with your rights under health information privacy laws, such as HIPAA in the U.S., which can help you understand how your data should be handled and what to do if you suspect it’s being misused.
  • Secure Your Devices: Ensure that any device you use to access healthcare information is secured with updated antivirus software and a firewall. This can help block malicious attacks before they reach your data.
  • Use Secure Networks: Avoid using public Wi-Fi to access or transmit your health information. Instead, use a secured, private network or a virtual private network (VPN) to enhance your online privacy.
  • Remove Unused Accounts: Regularly review and delete any accounts for healthcare services you no longer use. Ensuring that your health information is not stored unnecessarily reduces the risk of it being exposed in a breach.

By taking these steps, you can help protect your sensitive health information from cyber threats and mitigate the impact of any potential data breaches in the healthcare sector. For more information about how to protect your organization and your patients, contact Constella.

Unveiling the Underworld of Bank Breaches: Navigating the Digital Frontlines of Financial Cybersecurity

Bank breaches and the banking world are now a front line in cybersecurity, where hidden networks thrive in the shadows of the dark web and encrypted chats. As technology advances, the dangers of bank hacks grow, transforming old-school bank robbers into modern cyber thieves who operate from behind screens worldwide.

Social media, especially platforms like TikTok, Instagram, and Twitter, play pivotal roles in this shift. Hashtags like #CCCard, #CardCloning, and #CloningCards aren’t just trendy—they’re where cybercriminals mingle, share hacking tips, and flaunt their crimes.

These platforms, along with encrypted apps like Telegram and dark web marketplaces, form a kind of cybercriminal university. Here, new hackers can learn everything from cloning cards to cracking bank security, all shared openly in tutorials and forums. This easy access to criminal resources marks a stark evolution from the masked, gun-toting bank robbers of the past to today’s sophisticated digital thieves.

Below, you’ll find screenshots that capture these exchanges, highlighting how these digital platforms have reinvented the concept of bank robbery, giving it a vast, tech-savvy reach.

Navigating the digital frontier, it’s evident that traditional security measures no longer suffice against the advanced tactics of today’s cybercriminals. This shifting landscape demands more robust and adaptive security strategies to protect sensitive information.

At Constella, we have compiled a concise summary that reflects our ongoing focus on the latest data breaches we’ve uncovered on the Dark Web. Below, we detail these findings.

Bank Breach – HSBC & Barclays

On May 8, "IntelBroker", a moderator of the breach forum and a well-known threat actor, together with another member named "Sanggiero", published several CSV files. Adding up the records across all the documents gives more than 2 million records, with valuable information on users of two of the most internationally known banks. The files specifically contain:

  • Database files
  • Certificate files
  • Source code
  • SQL files
  • JSON config files
  • Compiled JAR files

Bank Breach – Argentina Central Bank

On May 2nd, a significant banking breach was reported by a user known as ‘303’, who has a solid reputation on the forum. Although the exact date the breach occurred wasn’t specified, the user noted that the data is from 2024. This breach impacted over 49,000 customers, exposing sensitive information including:

  • Customers’ full names
  • ID numbers
  • Home addresses
  • Cities

Bank Breach – Kernel Finance

On April 26th, a threat actor named 'netnsher' potentially targeted Kernel Finance, self-described as 'India's Simplest GST Billing Solution', leading to a data breach that exposed over 7,000 bank account numbers and related sensitive information. The exposed records contain the following fields:

  • Id.
  • Created_at.
  • Updated_at.
  • Deleted_at.
  • Created_for_account.
  • Document_type.
  • Reminder_period_type.
  • Reminder_receiver_type.
  • Trigger_period_days.
  • Is_enabled.
  • Resource_type.
  • Additional_fields.
  • Created_by_user.

Bank Breach – M&T Bank

The same day, April 26th, the same threat actor, "netnsher", exposed over 600 rows of access tokens and related files belonging to Trustnota, the law firm banking platform by M&T Bank. The tokens may still be active: the threat actor claimed that anyone with access to the accounts could withdraw significant sums. The information includes:

  • Bank account details
  • Residential locations
  • Other personal data (National ID, Age, Status, etc…)
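The artifacts in these posts (source code, SQL and JSON config files in the HSBC/Barclays leak, access tokens in the M&T Bank leak) matter because credentials embedded in such dumps are frequently still valid when the leak appears. As an added example, not code from the page or from Constella, this Python script shows how a response team can triage a dump for live-looking secrets to decide what to rotate first. The file contents are constructed (an AWS key from the documentation range, a fake JWT, a made-up database password) and the pattern set is a starting point, not a complete scanner.

```python
"""Triage a leaked dump for embedded secrets so the owner knows what to rotate.

Added example; the file contents are constructed and the patterns are a
starting set (assumption), not a complete secret scanner.
"""
import math
import re
from collections import Counter

# Constructed excerpts standing in for a leaked JSON config and a source file.
LEAKED_FILES = {
    "config/prod.json": (
        "{\n"
        '  "db_url": "postgres://app:Tr0ub4dor&3@db.internal:5432/core",\n'
        '  "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",\n'
        '  "log_level": "info"\n'
        "}\n"
    ),
    "src/PaymentClient.java": (
        'static final String API_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9'
        '.eyJzdWIiOiJmYWtlLXVzZXIifQ.FAKEsignatureFAKEsignature0000";\n'
        'static final String VERSION = "1.0.0";\n'
    ),
}

# Ordered from most to least specific so a value is classified by the tightest match.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\b"),
    "url_with_password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^:/\s]+:([^@\s]+)@"),
    # Generic '<...>token/secret/password/api_key = "value"' assignment (noisy).
    "assignment": re.compile(r'(?i)(token|secret|password|api_key)\w*"?\s*[:=]\s*"([^"]{8,})"'),
}


def shannon_entropy(s):
    """Bits of entropy per character; random-looking secrets score high, words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_secrets(files, min_entropy=3.0):
    """Return one finding per (file, line, value) with its kind, entropy and secret."""
    findings, seen = [], set()
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, pat in PATTERNS.items():
                for m in pat.finditer(line):
                    # Capturing group holds the secret; otherwise the whole match is it.
                    value = m.group(m.lastindex) if m.lastindex else m.group(0)
                    ent = shannon_entropy(value)
                    # The generic pattern is noisy; only keep random-looking values.
                    if kind == "assignment" and ent < min_entropy:
                        continue
                    key = (path, lineno, value)
                    if key in seen:      # already classified by a tighter pattern
                        continue
                    seen.add(key)
                    findings.append({"path": path, "line": lineno, "kind": kind,
                                     "entropy": round(ent, 2), "secret": value})
    return findings


def redact(secret):
    """Show only a short prefix so findings can be shared without re-leaking them."""
    return secret[:4] + "..." + "*" * max(0, len(secret) - 4)


if __name__ == "__main__":
    for f in find_secrets(LEAKED_FILES):
        print(f'{f["path"]}:{f["line"]} {f["kind"]} entropy={f["entropy"]} '
              f'value={redact(f["secret"])}')
```

Specific patterns run before the generic assignment pattern so that each value is reported once under its most precise label; the entropy gate keeps the generic pattern from flagging placeholder strings. In a real incident the output feeds the rotation list, with database credentials and cloud keys at the top.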

The breaches we’ve discussed here are just a few examples of what’s been happening on the Dark Web over the last few weeks. These incidents highlight the ongoing and very real threats that exist online, especially in hidden corners of the internet. To help protect yourself, here are some straightforward tips:

  • Be Cautious with Personal Information: It’s crucial not to share sensitive details like your social security number or bank account information with people you don’t know. This can help prevent identity theft and fraud.
  • Use Virtual Cards for Online Purchases: If possible, opt for virtual credit or debit cards when shopping online. These provide an extra layer of security by masking your real card details and keeping your primary accounts safer.
  • Subscribe to an Identity Monitoring Service: Consider using a service that monitors your identity. These services can alert you if your personal information is being used without your permission, helping you respond quickly to potential threats.

Taking these steps can enhance your defenses against the types of cyber threats that are becoming more common in our increasingly digital world.

Leveraging Deep OSINT to Enhance Financial Institution Fraud Prevention

The ongoing need for financial institution fraud prevention presents continuous challenges that can have far-reaching impacts on trust and financial stability. Open-Source Intelligence (OSINT) is increasingly recognized as a crucial element in the strategic toolkit for fraud prevention within financial institutions. In fact, fraud scams and bank fraud schemes resulted in $485.6 billion in losses globally last year, according to Nasdaq's 2024 Global Financial Crime Report released last month.

The Critical Role of Deep OSINT in Financial Service Fraud Prevention

Classic OSINT involves the collection and analysis of information from publicly accessible sources to identify potential threats or fraudulent behavior before it causes harm. In the financial sector, this means leveraging a variety of data points from websites, internet forums, and social media. Constella has expanded classic OSINT into Deep OSINT, which also covers the Deep & Dark Web, a much larger body of information in which 1 trillion identity assets can be found.

Constella’s Hunter: A Beacon for Financial Fraud Prevention

Constella Hunter exemplifies the application of Deep OSINT in the financial sector. Hunter’s capabilities enable financial institutions to delve deep into the digital realm to uncover and attribute fraudulent activities to real-world identities. By analyzing data across multiple layers of the internet—including the obscure corners of the dark web—Hunter provides unparalleled visibility into potential threats.

Operational Benefits of Deep OSINT in Financial Institutions

Using OSINT tools like Hunter, financial institutions can streamline their fraud detection processes. This includes:

  • Cyber Attribution: Quickly linking suspicious activities to real identities, thereby reducing the time from detection to response.
  • Risk Assessment: Incident response teams can assess risk and prioritize depending on who the attacker is. An apparently minor event should be taken very seriously if the attacker turns out to be a significant adversary.
  • Enhanced KYC Compliance: Supporting Know Your Customer (KYC) efforts by providing detailed background checks and identity verification to prevent fraud.
  • Know Your Employee & Insider Threat Detection: Identifying unusual or unauthorized activities that could suggest internal fraud.
  • AML and Sanction Lists compliance: Financial institutions use Deep OSINT to investigate money laundering and can detect engagement with a sanctioned entity.

The Strategic and Competitive Advantage of Deep OSINT

For financial institutions, the integration of Deep OSINT into their cybersecurity and fraud prevention strategies provides a competitive edge. It allows for a more comprehensive understanding of the threat landscape, better risk management, and more effective protection of customer assets and information. By deploying Constella’s Deep OSINT solutions, financial organizations can not only defend against fraud but also enhance their operational efficiency and maintain regulatory compliance.

As financial institutions navigate the complexities of the modern threat landscape, Deep OSINT provides a powerful tool for enhancing fraud prevention strategies. Constella Intelligence’s Deep OSINT solutions offer the depth, breadth, and analytical capabilities necessary to safeguard against the evolving tactics of cybercriminals and fraudsters in the financial sector.

For financial leaders interested in strengthening their fraud prevention systems, exploring Constella Intelligence’s Deep OSINT capabilities can be a significant step toward securing their operations in the digital age. Schedule a demo today to get started.

Recent Breaches in Israel and Iran: A Closer Look at Cybersecurity Vulnerabilities

In recent times, Israel and Iran have been caught up in a series of conflicts and tensions, both on the geopolitical stage and in cyberspace. These tensions pose significant challenges to regional stability and have also made both nations targets of cyberattacks. As tensions intensify, so does the risk of attacks aimed at critical infrastructure, government institutions, and individual citizens.

Cybersecurity Vulnerabilities are Rising after Hamas Assault

At Constella, we’ve observed the escalating cyberwar between Israel and Iran manifesting through a series of high-profile data breaches. This ongoing cyber conflict not only reflects the heightened geopolitical tensions but also reveals a disturbing trend of sensitive data being weaponized. Our analysis shows that these breaches affect not only government institutions and key organizations but also impact millions of individual citizens, emphasizing the far-reaching consequences of cyber warfare.

1. Israel insured information

On April 3rd, a threat actor named “MakhlabalNasr” claimed to have accessed data for 8 million Israelis insured with the Israel National Insurance Institute. The information includes bank account details, residential locations, and other personal data. This sensitive data is being shared in a Telegram group associated with the hacking group Makhlab_al_Nasr.

2. Israel Department of Defense

Later that week, on April 7th, a different threat actor claimed on the same breach forum to have access to sensitive information from the Israel Department of Defense. Although much of this data appears to have been previously exposed in 2023, the resurfaced breach added thousands of records containing the following information:

  • National ID
  • First Name
  • Last Name
  • Project
  • Group
  • Phone Number
  • Email Address
  • Date of Birth
  • Age
  • Hebrew Birth Date
  • City
  • Address
  • Gender
  • Status
  • Father’s Name
  • Country of Origin
  • Level of Support
  • General
  • Injuries

3. Israel Election Campaign

In a separate incident, another breach potentially from an election app that was utilized by the Likud Party and other political affiliations exposed over 6.5 million records containing voter registration data and personal details of Israeli citizens. The compromised information included:

  • Full names
  • Phone numbers
  • Identity card numbers
  • Residential addresses
  • Gender
  • Age
  • Political preferences

4. Israel Post

Earlier this week, on May 7th, a breach originally published in November 2021 resurfaced, with the threat actor group claiming it originated from Israel Post. This breach reportedly compromised 900K unique email addresses, along with associated personal information.

These are just a few examples of the many breaches we’ve observed over the last few days. The total number of Israel-related breaches has risen by 80% in recent months, reflecting the escalating cyberwar.

Similarly, Iran has not been immune to the dangers of cyber warfare. Collaborative efforts between Russia and Iran, as evidenced by the Crescent of Anon leak, have revealed a troubling alliance in cyberspace. The leak exposes not only email addresses, IP addresses, and domain names but also documents and agreements between Russia and Iran. These documents shed light on the depth of cooperation between the two nations in the realm of warfare, raising questions about their collective goals and potential targets.

In addition, the leak includes mentions of drone-related issues, suggesting discussions or plans for malicious operations beyond the traditional spheres of conflict.

Tips for Preventing Cybersecurity Vulnerabilities

Regardless of whether or not you are a citizen of countries embroiled in the ongoing cyberwar, as a member of the digital world, it’s crucial to protect yourself against the rising tide of cyber threats.

Follow these tips:

  • Monitor Your Accounts Closely: Regularly check your bank statements, credit card statements, and any online accounts for unauthorized transactions or suspicious activity. Early detection can prevent further damage.
  • Set Up Alerts: Many financial institutions offer free alert services that notify you of any unusual activity in your accounts. Enabling these alerts can provide you with immediate updates on any potential unauthorized transactions.
  • Change Compromised Passwords Immediately: If your data has been exposed, change the affected passwords right away, starting with any other account where the same password was reused. Use strong, unique passwords for each of your accounts and consider using a password manager to keep track of them.
  • Be Wary of Phishing Attempts: Be cautious with emails, phone calls, or messages that ask for personal information or direct you to a website where you need to input personal data. Verify the authenticity of the request by contacting the organization directly using a trusted number or website.