SecureFact - Cyber Security News - Week of March 03, 2025
Data Breaches
1. 24,041 Americans Affected As Billion-Dollar Bank Suffers Data Breach
Reading Cooperative Bank (RCB), a billion-dollar bank based in Massachusetts, recently reported a data breach affecting 24,041 customers. The breach, which occurred between August 8th, 2024, and January 31st, 2025, was the result of an employee clicking on a phishing email. The incident may have exposed customers' personally identifiable information. RCB is taking steps to enhance its cybersecurity and suggests concerned customers place security freezes and fraud alerts on their credit files.
2. Toronto Zoo says patrons' transaction data leaked on dark web in 2024 cyberattack
The Toronto Zoo announced that transaction data of guests and members was stolen in a January 2024 cyberattack and subsequently leaked on the dark web. The compromised data includes information of those who paid for general admission and membership purchases between 2000 and April 2023, including names, addresses, phone numbers, email addresses, and the last four digits of credit card numbers with expiration dates. While the leaked data is currently difficult to access, the zoo advises vigilance and monitoring of financial accounts. The zoo reported the breach on January 17, 2024, and initially believed only staff and a small number of volunteers were affected. The zoo has since taken steps to improve its IT security.
3. US drug testing firm DISA says data breach impacts 3.3 million people
DISA Global Solutions, a US-based drug testing firm, has reported a data breach affecting 3.3 million individuals. The breach, which occurred between February 9, 2024, and April 22, 2024, potentially exposed sensitive data including names, Social Security numbers, driver's license numbers, financial account information, and more. While the specific type of cyberattack remains undisclosed, DISA reportedly paid a ransom to prevent the public release of the stolen data. The company is offering affected individuals 12 months of free credit monitoring and identity theft protection services through Experian.
4. Orange Group confirms breach after hacker leaks company documents
Orange Group, a French telecommunications company, has confirmed a data breach after a hacker using the alias Rey from the HellCat ransomware group leaked company documents on a hacker forum. The hacker claims to have stolen thousands of internal documents, including user records and employee data, primarily from Orange Romania. Orange confirmed the breach occurred on a non-critical application and that they are investigating the incident. The stolen data includes 380,000 unique email addresses, source code, invoices, contracts, and customer and employee information.
5. Australian IVF giant Genea breached by Termite ransomware gang
Australian fertility services provider Genea, which accounts for over 80% of the industry's total revenue in the country, has confirmed a data breach after a "cyber incident" in which attackers stole data from its systems. The Termite ransomware gang has claimed responsibility, stating they stole roughly 700GB of data. The breach occurred via a Citrix server on January 31, 2025, with data exfiltration happening on February 14. Exposed data includes names, contact information, Medicare numbers, health insurance details, medical history, diagnoses, treatments, and more. Genea has obtained a court order to prevent further sharing of the leaked data and is working with the Australian Cyber Security Centre. Termite is a ransomware operation that emerged in mid-October and is known to use a version of the Babuk encryptor.
6. Nearly 12,000 API keys and passwords found in AI training dataset
Security researchers from Truffle Security have made a significant discovery in the Common Crawl dataset, which is used for training large language models (LLMs) like DeepSeek. The dataset, comprising 400 terabytes of web data from millions of pages, was found to contain nearly 12,000 live API keys and passwords. These sensitive credentials include AWS root keys, MailChimp API keys, and Slack webhooks, which were inadvertently embedded in the dataset due to developers hardcoding them into front-end code such as HTML and JavaScript. The exposed secrets pose substantial risks, including potential phishing campaigns, brand impersonation, and insecure coding practices in AI-generated code. To mitigate these risks, it is recommended that exposed keys be rotated, secret scanning be enhanced for public datasets, developers be educated on secure coding practices, and stricter safeguards be implemented in AI training processes.
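The item above recommends secret scanning for public datasets and front-end code. The following is an added example, not code from Truffle Security or the original article, of a minimal scanner over an HTML/JavaScript page for the three credential types the report names. The regular expressions are assumptions about the common public formats of AWS access key IDs, Slack incoming-webhook URLs and MailChimp API keys, and the sample page with its embedded tokens is constructed for the demonstration (the AWS value is the placeholder key used in AWS documentation, not a live credential).

```python
import re
from typing import Dict, List, Tuple

# Assumed public formats for the credential types named in the report.
# These are illustrative patterns, not an authoritative or complete ruleset.
SECRET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # AWS long-term (AKIA) and temporary (ASIA) access key IDs: prefix + 16 chars
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Slack incoming webhook URL: team id, bot id, then a token
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"
    ),
    # MailChimp API key: 32 hex characters followed by a data-center suffix
    "mailchimp_api_key": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
}


def redact(token: str) -> str:
    """Keep the first and last four characters so a finding can be triaged
    (and the key rotated) without re-exposing the full secret."""
    if len(token) <= 8:
        return "*" * len(token)
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, secret type, redacted token) for each match."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, name, redact(match.group(0))))
    return findings


def summarize(text: str) -> Dict[str, int]:
    """Count findings per secret type, the view a dataset-wide scan reports."""
    counts: Dict[str, int] = {}
    for _, name, _ in scan_text(text):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample page with hardcoded front-end secrets; values are
# placeholders (the AWS key is the AWS documentation example), not live keys.
SAMPLE_PAGE = """<html><head>
<script>
  // constructed sample values, not real credentials
  const awsKey = "AKIAIOSFODNN7EXAMPLE";
  const hook = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX";
  fetch("https://us1.api.mailchimp.com/3.0/lists", {headers: {Authorization: "apikey 0123456789abcdef0123456789abcdef-us1"}});
</script>
</head></html>"""


if __name__ == "__main__":
    for lineno, name, shown in scan_text(SAMPLE_PAGE):
        print(f"line {lineno}: {name}: {shown}")
    print(summarize(SAMPLE_PAGE))
```

Findings are emitted redacted on purpose: a scanner that writes full tokens into its own report just creates another copy of the secret. In practice a hit like these is treated as compromised and rotated rather than merely deleted from the page, since the page may already have been crawled.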
Malware and Vulnerabilities
1. VSCode extensions with 9 million installs pulled over security risks
Microsoft has removed two popular VSCode extensions, 'Material Theme – Free' and 'Material Theme Icons – Free,' with nearly 9 million combined downloads, due to potentially malicious code. Cybersecurity researchers discovered suspicious code, leading Microsoft to ban the developer, Mattia Astorino (aka equinusocio), and remove all of their extensions. The suspected malicious code was found in an update, potentially indicating a supply chain attack or a compromised developer account. The developer claims an outdated Sanity.io dependency was compromised and that Microsoft didn't contact them before removing the extensions. Microsoft will release further details on the VSMarketplace GitHub repository. It's recommended to remove the listed extensions from all projects until the situation is resolved. The developer created a new extension named "Fanny Themes" which was also removed by Microsoft.
2. CISA Warns of Actively Exploited Adobe ColdFusion and Oracle Agile PLM Vulnerabilities
CISA has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2017-3066, affecting Adobe ColdFusion, and CVE-2024-20953, affecting Oracle Agile PLM. Both are deserialization vulnerabilities that can allow attackers to execute arbitrary code and compromise systems. CVE-2017-3066 involves a Java deserialization flaw in older ColdFusion versions, while CVE-2024-20953 impacts Agile PLM version 9.3.6 and can lead to a complete system takeover. Adobe and Oracle have released patches to address these vulnerabilities, urging users to update their systems. The article emphasizes the importance of prioritizing security best practices, such as applying security patches, monitoring network traffic, educating staff, and implementing strong access controls.