CyberSecurity news

FlagThis - #supplychainsecurity

Dissent@DataBreaches.Net //
Luxury brand Cartier has confirmed a data breach impacting its customers. The breach stemmed from a security incident affecting one of its third-party service providers. This incident has exposed sensitive customer information, including names, contact details, and dates of birth. Cartier has notified affected clients and is taking steps to address the breach and reinforce its security measures.

This incident highlights the growing concern around supply chain security and the vulnerabilities introduced by third-party vendors. Even prestigious brands like Cartier are susceptible to data breaches if their partners' security defences are not robust, and the breach is a reminder for organizations to carefully assess and manage the security risks associated with their external service providers. Supply chain security is not a theoretical risk: even the most prestigious brand can find its reputation tarnished if a partner's defences aren't watertight.

While details remain limited, this breach comes amid a series of recent cyberattacks targeting high-end brands in both Europe and the U.S. According to SecurityWeek, Cartier emphasized that no passwords, credit card numbers, or banking information were involved in the breach. It is not yet known whether these attacks are related or the work of a single group. Cartier is owned by Richemont, and the company is working to determine the full scope of the incident and implement measures to prevent future occurrences.

Recommended read:
References :
  • bsky.app: Cartier suffered a data breach that exposed customer personal information after its systems were compromised.
  • DataBreaches.Net: Cartier Data Breach: Luxury Retailer Warns Customers that Personal Data Was Exposed
  • malware.news: Cartier Data Breach: Luxury Retailer Warns Customers that Personal Data Was Exposed
  • Graham Cluley: Cartier has confirmed a data breach that exposed customers' personal information, following a security incident at a third-party service provider.
  • BleepingComputer: Luxury fashion brand Cartier is warning customers it suffered a data breach that exposed customers' personal information after its systems were compromised.
  • www.techradar.com: Luxury retailer Cartier experienced a data breach exposing customer personal information, including names, emails, and countries.
  • cyberinsider.com: Cartier Alerts Customers of Data Breach Exposing Personal Information
  • Davey Winder: Warning As Cartier Hacked — What You Need To Know
  • www.scworld.com: Data compromise confirmed by Cartier
  • securityaffairs.com: Luxury-goods conglomerate Cartier disclosed a data breach that exposed customer information after a cyberattack.
  • hackread.com: Cyberattacks Hit Top Retailers: Cartier, North Face Among Latest Victims
  • www.itpro.com: North Face, Cartier among latest retail cyber attack victims – here’s what we know so far

The Hacker News //
A cyber espionage group known as Earth Ammit, believed to be linked to Chinese APT groups, has been actively targeting organizations in Taiwan and South Korea through coordinated multi-wave attacks. These campaigns, dubbed VENOM and TIDRONE, were conducted from 2023 to 2024 and aimed to disrupt the drone supply chain by compromising trusted networks. Victims spanned various sectors, including military, satellite, heavy industry, media, technology, software services, and healthcare, highlighting the group's broad targeting scope. The attacks demonstrate Earth Ammit's long-term goal to compromise trusted networks via supply chain attacks, allowing them to target high-value entities downstream and amplify their reach, potentially leading to data theft and exfiltration of credentials.

The VENOM campaign focused on penetrating the upstream segment of the drone supply chain. Attackers exploited web server vulnerabilities to deploy web shells and used open-source tools like REVSOCK and Sliver in an attempt to avoid attribution. The only custom malware observed in VENOM was VENFRPC, a customized version of FRPC, the client component of the open-source fast reverse proxy (frp) tool. The goal was to harvest credentials and use them as a stepping stone for the TIDRONE campaign, which targeted downstream customers.

The TIDRONE campaign involved multiple stages, mirroring the VENOM campaign by targeting service providers to inject malicious code and distribute malware to downstream customers. Custom-built tools like CXCLNT and CLNTEND backdoors were used for cyber espionage purposes. Post-exploitation activities included establishing persistence, escalating privileges, disabling antivirus software, and installing screenshot capturing tools. Trend Micro researchers have provided detections and blocking mechanisms via Trend Vision One™ and offer hunting queries and threat intelligence reports to help organizations defend against Earth Ammit's tactics.

Recommended read:
References :
  • Virus Bulletin: Trend Micro's Pierre Lee, Vickie Su & Philip Chen discuss the evolving tradecraft of threat actor Earth Ammit, proven by the advanced toolset used in its TIDRONE and VENOM campaigns that targeted the drone supply chain.
  • www.trendmicro.com: Trend™ Research discusses the evolving tradecraft of threat actor Earth Ammit, proven by the advanced toolset used in its TIDRONE and VENOM campaigns that targeted the drone supply chain.
  • The Hacker News: A cyber espionage group known as Earth Ammit has been linked to two related but distinct campaigns from 2023 to 2024 targeting various entities in Taiwan and South Korea, including military, satellite, heavy industry, media, technology, software services, and healthcare sectors.
  • Industrial Cyber: Earth Ammit espionage campaign targets government, critical infrastructure with novel tools
  • industrialcyber.co: Earth Ammit espionage campaign targets government, critical infrastructure with novel tools

@socket.dev //
A malicious Python package named 'discordpydebug' has been discovered on the Python Package Index (PyPI) repository, posing a significant threat to Discord developers. The package, disguised as a simple utility for debugging Discord bots, actually contains a remote access trojan (RAT). This RAT allows attackers to execute commands and exfiltrate data from infected systems via a covert command-and-control (C2) channel. The 'discordpydebug' package was uploaded on March 21, 2022, and has since been downloaded over 11,000 times, putting numerous developer systems at risk.

The 'discordpydebug' package targets developers who build or maintain Discord bots. The attackers took advantage of the fact that PyPI doesn't enforce strict security audits, misleading developers with a legitimate-sounding name and copying code from popular projects to appear trustworthy. The package establishes communication with an attacker-controlled server at "backstabprotection.jamesx123.repl[.]co", and includes features to read and write arbitrary files based on commands received from the server, along with the ability to run shell commands.

The simplicity of the RAT is what makes it effective. The package avoids inbound connections, instead opting for outbound HTTP polling to bypass firewalls and security monitoring tools, especially in less controlled development environments. This discovery highlights the increasing danger of software supply chain attacks and the importance of vigilance when installing packages from open-source repositories. The Socket Research Team urges developers to be cautious and scrutinize any third-party tools or code snippets shared within the Discord developer community.
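A defender-side hunt for the outbound polling pattern described above, as an added example that is not code from Socket or the original report: it parses constructed proxy log lines (the log format, the client address and the pypi.org entries are assumptions), refangs the defanged C2 indicator quoted above so it can be matched, and flags any client/host pair whose request gaps are nearly constant, which is how a beacon loop looks next to ordinary package installs.

```python
# Hunt for outbound HTTP polling in proxy logs: flag hits on the defanged C2
# indicator from the write-up and any client/host pair polled at a steady rate.
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

KNOWN_C2 = {"backstabprotection.jamesx123.repl[.]co"}  # as published, defanged
# Constructed sample lines: "<iso-time> <client-ip> <method> <url> <status>".
SAMPLE_LOG = """\
2025-05-06T10:00:00Z 10.0.0.5 GET http://backstabprotection.jamesx123.repl.co/ 200
2025-05-06T10:00:05Z 10.0.0.5 GET https://pypi.org/simple/discord-py/ 200
2025-05-06T10:00:07Z 10.0.0.5 GET https://pypi.org/simple/aiohttp/ 200
2025-05-06T10:00:30Z 10.0.0.5 GET http://backstabprotection.jamesx123.repl.co/ 200
2025-05-06T10:00:40Z 10.0.0.5 GET https://pypi.org/simple/requests/ 200
2025-05-06T10:01:00Z 10.0.0.5 GET http://backstabprotection.jamesx123.repl.co/ 200
2025-05-06T10:01:30Z 10.0.0.5 GET http://backstabprotection.jamesx123.repl.co/ 200
2025-05-06T10:09:13Z 10.0.0.5 GET https://pypi.org/simple/yarl/ 200
"""

def refang(indicator):
    """Turn a published, defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

def parse_line(line):
    """Return (timestamp, client, host) for one proxy log line."""
    ts, client, _method, url, _status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, urlsplit(url).hostname

def find_beacons(log_text, min_hits=4, max_cv=0.2):
    """Report known C2 hits and low-jitter polling per (client, host). max_cv
    bounds stdev/mean of request gaps: a polling loop has near-equal gaps."""
    c2_hosts = {refang(i) for i in KNOWN_C2}
    seen = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        when, client, host = parse_line(line)
        seen[(client, host)].append(when)
    findings = []
    for (client, host), times in seen.items():
        times.sort()
        reasons = ["known_c2"] if host in c2_hosts else []
        if len(times) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
                reasons.append(f"periodic every {mean:.0f}s")
        if reasons:
            findings.append({"client": client, "host": host,
                             "hits": len(times), "reasons": reasons})
    return findings
```

The pypi.org requests in the sample are never flagged even though they are as numerous as the C2 hits, because their gaps are bursty; lowering max_cv or raising min_hits trades missed short-lived beacons for fewer false positives.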

Recommended read:
References :
  • socket.dev: Malicious PyPI Package Targets Discord Developers with Remote Access Trojan
  • The Hacker News: Researchers Uncover Malware in Fake Discord PyPI Package Downloaded 11,500+ Times
  • www.scworld.com: RAT-laced PyPI package sets sights on Discord developers
  • thecyberexpress.com: Article highlighting the malicious discord developer package and its purpose
  • Security Risk Advisors: Malicious PyPI package "discordpydebug" targets Discord developers with remote access trojan. Over 11K downloads enables arbitrary command execution and data theft.
  • www.bleepingcomputer.com: Malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years.

Ross Kelly@Latest from ITPro //
Hertz Corporation has announced a data breach affecting customers of its Hertz, Thrifty, and Dollar car rental brands. The breach stems from the exploitation of Cleo zero-day vulnerabilities in late 2024. Customer data, including personal information and driver's licenses, was stolen. The company confirmed the breach on February 10, 2025, stating that an unauthorized third party acquired Hertz data by exploiting vulnerabilities within Cleo's platform in October and December 2024.

The stolen data varies depending on the region, but generally includes customer names, dates of birth, contact information, driver's licenses, payment card information, and workers' compensation claims. In some instances, Social Security numbers and other government-issued identification numbers were also compromised. Notices about the breach have been posted on Hertz websites for customers in Australia, Canada, the European Union, New Zealand, the United Kingdom, and several U.S. states, including California, Maine, and Texas. Hertz has disclosed that at least 3,400 customers in Maine and some 96,665 customers in Texas were affected.

The company attributed the breach to vulnerabilities in Cleo's software, which was targeted by the Clop ransomware gang in 2024. This breach highlights the significant cybersecurity risks associated with third-party vendors and the potential for mass data theft. It is another example of the widespread consequences that can occur from zero-day exploits in widely used enterprise file transfer products. Those affected have been advised to take precautions to protect their personal and financial information.

Recommended read:
References :
  • securityaffairs.com: Hertz disclosed a data breach following 2024 Cleo zero-day attack
  • techcrunch.com: Hertz says customers’ personal data and driver’s licenses stolen in data breach
  • The DefendOps Diaries: Hertz Data Breach: Lessons in Cybersecurity and Vendor Management
  • www.bleepingcomputer.com: Hertz confirms customer info, drivers' licenses stolen in data breach
  • Zack Whittaker: New by me: Car rental giant Hertz has confirmed a data breach affecting customers' personal information, driver's licenses, and payment card data. Customers worldwide are being notified.
  • BleepingComputer: Car rental giant Hertz Corporation warns it suffered a data breach after customer data for its Hertz, Thrifty, and Dollar brands was stolen in the Cleo zero-day data theft attacks.
  • www.itpro.com: Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the last
  • Malwarebytes: Hertz data breach caused by CL0P ransomware attack on vendor Cleo
  • PCMag UK security: Hackers Stole Credit Card, Driver's License Info in Hertz Data Breach
  • Zack Whittaker: Hertz won't say how many are affected by its breach, but continues to notify U.S. states, giving a little indication of the numbers. Per its filing in Texas today, Hertz said 96,665 Texas residents are affected. Plus 3,400 people in Maine and that's already 100,000+ people in two states alone.
  • www.cybersecuritydive.com: Hertz says personal data breached in connection with Cleo file-transfer flaws
  • ComputerWeekly.com: Hertz warns UK customers of Cleo-linked data breach
  • The Register - Security: Where it Hertz: Customer data driven off in Cleo attacks
  • cyberinsider.com: Hertz Confirms Data Breach Following Clop Ransomware Leaks
  • cyberinsider.com: Analysis of how the Clop ransomware group exploited zero-day vulnerabilities to compromise Hertz's systems
  • Help Net Security: Car rental company Hertz suffers a data breach from exploitation of vulnerabilities in third-party software.
  • hackread.com: Hertz Confirms Data Breach After Hackers Stole Customer PII