The top 9 cyber security incidents in September 2023

Here, Cyber Security Hub takes a look at the top cyber attacks, data breaches and cyber security incidents across the globe that happened in September, 2023. 

Contents:

1. Ransomware gang steals 1.3TB of data from Sabre
2. X-based NFT phishing attack causes losses of over $691,000
3. Ransomware gang steals 6.8TB of data from Save The Children
4. MGM Resorts operations halted by cyber attack
5. CoinEx loses $70 million in cyber attack
6. Microsoft SAS misconfiguration causes 38TB data leak
7. Personal customer information exposed in T-Mobile system glitch
8. Multiple hackers claim responsibility for Sony data breach
9. More than 3.8 billion records exposed in DarkBeams data breach

Ransomware gang steals 1.3TB of data from Sabre

On September 6, ransomware gang Dunghill Leak claimed that it had launched a cyber attack against travel booking company Sabre.

In a post on its dark web data leaks site, Dunghill said it had stolen 1.3 terabytes of data from Sabre. According to the malicious actors, this data included corporate financial information, passenger turnover and ticket sales data and personal employee information.

To validate its claims, the ransomware gang shared a portion of the stolen data with the promise that the rest of it would be “available soon”. The data shared showed that the employee information allegedly stolen included employee email addresses, work locations, names, nationalities, passport and visa numbers and even certain employee’s US I-9 forms. 

In response, Sabre said it was investigating the group’s claims of a cyber attack. 

Learn more about the ransomware gang here.

X-based NFT phishing attack causes losses of over $691,000

A phishing attack launched from the compromised X (formerly Twitter) account co-founder of decentralized blockchain Ethereum and cryptocurrency Ether, Vitalik Buterin, led to the loss of over US$691,000.

Suspicious activity on Buterin’s account on September 9 led to the discovery of the compromise and phishing scheme. Using Buterin’s influence in the cryptocurrency community, the hackers attempted to steal cryptocurrency and NFTs from his followers by making a post which offered a free commemorative NFT to “celebrate Proto-Danksharding coming to Ethereum”.

In actuality, the post contained a phishing link that required victims to link their blockchain wallets to the phishing site before receiving the NFT. This allowed the malicious actors to drain victim’s wallets.

Discover public response to the phishing attack here.

Ransomware gang steals 6.8TB of data from Save The Children

On September 11, ransomware gang BianLian claimed to have stolen 6.8TB from nonprofit Save The Children International.

The claim was made by the ransomware gang via a post on its dark web leaks site. While the charity was not directly named in the post, BianLian did say that the victim of its cyber attack was “the world's leading nonprofit”, that it makes US$2.8 billion in revenue and that it operates in 116 countries. Using this information, it was deduced that Save The Children was the unnamed victim of the cyber attack.

According to the ransomware gang, the stolen data encompasses both business and personal data, including 800GB of financial records, as well as email messages, international HR files and personal data including medical and health data.

Discover Save The Children’s response to the cyber attack here.

MGM Resorts operations halted by cyber attack

Also on September 11, entertainment company MGM Resorts suffered a cyber attack that severely impacted its business operations.

The cyber attack was made public via a post on the company’s X, where it was explained that a “cyber security incident” was impacting some it its systems.

Following this, a number of issues related to the cyber attack were reported by customers. Issues ranged from slot machines not being operational to the online booking systems not allowing customers to check in, make card payments to book rooms or cancel their reservations. Staff were also reportedly giving physical keys to guests as the digital keys for their hotel rooms were not working.

Sources close to the cyber attack said that hacking group Scattered Spider, who have been linked to ransomware gang ALPHV (also known as BlackCat), were responsible for the cyber attack.

Read a full timeline of the cyber attack here.

CoinEx loses $70 million in cyber attack

Hong Kong-based cryptocurrency exchange platform, CoinEx, saw the loss of US$70 million in cryptocurrency following a cyber attack launched against it on September 12.

The company shared news of the cyber attack via a post on its X account. In it, the company explained that the cyber attack was discovered after its risk control system “detected anomalous withdrawals from several hot wallet addresses used to store CoinEx's exchange assets”. 

The cryptocurrency exchange platform directly contacted the malicious actors regarding the cyber attack also via a post on X in an attempt to negotiate with them.

Read CoinEx’s response to the malicious actors here.

Microsoft SAS misconfiguration causes 38TB data leak

On September 18, technology company Microsoft revealed via a blog post that it suffered a data leak in July 2020 which exposed 38 terabytes of private employee data. 

In the blog post, Microsoft explained that the leak was caused by a software misconfiguration uncovered in June 2023 by IT security company Wiz. In its investigation, the company discovered that “a researcher at Microsoft inadvertently included [a] SAS token in a blob store URL while contributing to open-source AI learning models and provided the URL in a public GitHub repository”. 

This misconfiguration meant that external parties (including security researchers at Wiz) were able to use the token to access the internal storage account and its data. This data included the workstation profile backups of two former employees as well as the internal Microsoft Teams messages the former employees sent to their colleagues.

Learn more about the data leaked by the software misconfiguration here.

Personal customer information exposed in T-Mobile system glitch

Between September 20-22, telecommunications company T-Mobile was accused of two data breaches. One was reportedly caused by a “system glitch” and the other was allegedly the result of a cyber attack.

The “system glitch” was recognized by customers on September 20, who noticed that, upon logging into the T-Mobile app, that other customers’ information was being displayed instead of their own. This meant that personally identifying information including address, credit card information and purchase history was exposed. 

The second cyber security incident was made public on September 22. vx underground, “the largest collection of malware source code, samples and papers on the internet”, posted allegations that 90GB worth of T-Mobile employee data was stolen during a data breach in April 2023. It was later clarified, however, that the data breach impacted an independently owned authorized T-Mobile retailer, Connectivity Source.

Learn more about the cyber security incidents here.

Multiple hackers claim responsibility for Sony data breach

Multiple malicious actors attempted to take responsibility for a data breach seen by multinational technology company Sony. 

Responsibility for the cyber attack was initially claimed by extortion group RansomedVC. The group made a post regarding the data breach on notorious dark web hacking forum BreachForums, where it claimed that they had “successfully compromissed [sic] all of Sony systems”. The ransomware gang also shared a 2MB compressed data sample containing, among other assets, some Java source code files, Eclipse IDE screenshots and a PowerPoint presentation. RansomedVC additionally said they would not ransom the data and instead would be selling it “due to Sony not wanting to pay”. 

The gang also told cyber security news site BleepingComputer that they had stolen 260GB during a cyber attack against Sony, and that they were attempting to sell the data for $2.5 million.

RansomedVC’s claims were refuted, however, on September 26 by a malicious actor using the alias ‘MajorNelson’. MajorNelson posted to BreachForums, saying: “You journalists believe the ransomware crew for lies. Far too gullible, you should be ashamed.”

MajorNelson also called RansomedVCs “scammers who are just trying to scam you and chase influence”. They then “leaked for free” a sample of the data via a 2.4GB compressed archive containing 3.14GB of Sony’s data.

Discover more about the alleged hackers here.

More than 3.8 billion records exposed in DarkBeams data leak

More than 3.8 billion records were exposed after digital protection firm DarkBeam left an interface containing the exposed records unprotected.

The leak was discovered on September 18 by CEO of cyber security news site SecurityDiscovery, Bob Diachenko, who alerted DarkBeam to the leak. After being made aware of the leak the digital protection firm immediately addressed the vulnerability and closed it.

The data had been collected by DarkBeam in case of a data breach, so it could alert its customers. This means that the data exposed was already leaked in prior cyber attacks. Of the data leaked, there were 16 collections named ‘email 0-9' and ‘email A-F' which represented 239,635,000 pairs of login credentials.

Discover more about the data leak here.