GUARD - Week 1
2024-08-18

200,000 students impacted in data breach at East Valley Institute of Technology

January 9, 2024 was quite a day for East Valley Institute of Technology. It brought no technology breakthrough and no student achievement, but students were involved nonetheless…

As we can read in EVIT’s notice here, there was a cyber incident that involved unauthorized access to the network. Even though it had limited impact on their operations, we can’t say the same about students’, parents’, staff’s and faculty’s data.

Impacted PIIs

Unfortunately, it’s not just student IDs and parent names but over 40 categories of personal information. CyberNews lists the categories below:

  • Class lists
  • Student ID numbers
  • Dates of birth
  • Race/ethnicities
  • Grades
  • Course schedules
  • Home phone numbers
  • Email addresses
  • Home addresses
  • Parent/guardian names
  • Transcripts
  • Individualized education plans (IEP) or 504 plans (developed for students with disabilities)
  • Social Security numbers
  • Driver’s licenses or State IDs
  • Financial aid information
  • Class ranks
  • Places of birth
  • Taxpayer identification numbers
  • Tribal IDs
  • Account numbers
  • Routing numbers
  • Health insurance information
  • Account types
  • Disciplinary files
  • Medical information
  • Absence reasons
  • Financial aid account numbers
  • Health/allergy information
  • Diagnosis
  • Patient ID numbers
  • Institution name
  • Health insurance policy numbers, subscriber numbers, or policy numbers
  • US alien registration numbers
  • Medical record numbers
  • Treatment locations
  • Payment card numbers
  • Mental or physical condition treatment types
  • Prescription information
  • Passport numbers
  • Treatment information
  • Username with password pins or login information
  • Patient account numbers
  • Biometric data
  • Mental or physical diagnosis codes
  • Payment card type
  • Military ID number

Steps taken

The good news is that, for most individuals, not all of this data was potentially compromised. EVIT responded calmly: as the Notice states, they have already notified the appropriate authorities and sent email notifications to all current and former students, staff, faculty, and parents. EVIT also stated that they began investigating the cyber event, reported the incident to law enforcement, and worked to contain and remediate the threat. Given the number of potentially impacted files, this investigation concluded on June 4. EVIT said that it had not observed the publication of any of the personally identifiable information.

Remedy

Furthermore, impacted individuals can receive identity theft protection through IDX, which includes 12 months of CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services.

Sources:



La casa de datos - half of Chile’s population exposed due to data leak

What happened?

In a spectacular display of cybersecurity negligence, Caja Los Andes, Chile’s largest pension and social security fund, has managed to expose the sensitive data of over 10 million Chileans. To put that in perspective, that’s more than half of the country’s entire population. The breach was discovered by Cybernews researchers on July 4th, and it’s safe to say that this wasn’t the kind of fireworks Chileans were hoping for.

Founded back in 1953, Caja Los Andes is the big shot in Chile’s social security landscape, managing everything from health insurance to pension funds. With a workforce of nearly 3,000 and equity worth around $1 billion, you’d think they could afford to secure their data. But, alas, their Apache Cassandra database was left wide open without authentication, essentially handing the keys to the kingdom over to anyone with an internet connection.
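The failure mode described above (a Cassandra node reachable without credentials) is easy to audit for in `cassandra.yaml`. This is an added example, not code from Caja Los Andes or the Cassandra project; the keys checked are real `cassandra.yaml` settings, while both sample configurations are constructed, one reproducing the weak setup and one hardened.

```python
import re

# Constructed sample: the weak setup (Cassandra's shipped defaults for
# authenticator/authorizer, plus the CQL listener bound to every interface)
WEAK_YAML = """\
cluster_name: 'Production'
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
rpc_address: 0.0.0.0
broadcast_rpc_address: 203.0.113.10
native_transport_port: 9042
"""

# Constructed sample: credentials required, role-based authorization, private bind
HARDENED_YAML = """\
cluster_name: 'Production'
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
rpc_address: 10.0.5.12
native_transport_port: 9042
client_encryption_options:
    enabled: true
"""


def parse_top_level(text):
    """Minimal parser for the flat top-level `key: value` lines we care about."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]+):\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings


def audit(text):
    """Return a list of findings; an empty list means no exposure pattern found."""
    s = parse_top_level(text)
    findings = []
    # Absent keys fall back to Cassandra's real defaults, which are the weak values.
    if s.get("authenticator", "AllowAllAuthenticator") == "AllowAllAuthenticator":
        findings.append("no client authentication (AllowAllAuthenticator)")
    if s.get("authorizer", "AllowAllAuthorizer") == "AllowAllAuthorizer":
        findings.append("no authorization (AllowAllAuthorizer)")
    if s.get("rpc_address", "localhost") in ("0.0.0.0", "::"):
        findings.append("CQL listener bound to all interfaces")
    return findings
```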

What was exposed?

Just the usual: names, home addresses, birth dates, phone numbers, credit details—basically everything someone would need to ruin your day (or life). And while the fund claims to have just over four million members, the leaked data suspiciously covers more than double that. This suggests the breach also scooped up information on family members, former clients, and even those who have passed away. It’s like a data buffet, and unfortunately, everyone’s invited.

The risks are as serious as they are varied. With personal information like this floating around, identity theft, fraud, and targeted scams are virtually guaranteed. Cybernews even warns of more sinister possibilities like targeted robberies or physical threats—because nothing says “secure retirement” like worrying about someone breaking into your home.

Now pay!

Adding insult to injury, this massive breach could also land Caja Los Andes in hot water with Chile’s data protection authorities. If found guilty, they could face fines up to 4% of their annual income, along with an avalanche of lawsuits from disgruntled victims.

While the leak has now been sealed, the damage is done. Caja Los Andes is not alone in its cybersecurity failings; earlier in 2024, Brazil faced a similar catastrophe when the personal data of its entire population was exposed due to an unprotected cloud server. It seems that in South America, the phrase “better safe than sorry” might need to be reintroduced—preferably before the next breach.

Resource:



Grok. Wants. Data.

X is once again making headlines for all the wrong reasons. Recently, the company decided to feed the personal data of over 60 million EU/EEA users into its AI projects, like “Grok,” without their consent. This blatant disregard for privacy didn’t sit well with the Irish Data Protection Commission (DPC), which took Twitter to court to halt the illegal processing. But instead of going for the jugular, the DPC focused on minor issues, like whether Twitter had followed “mitigation” steps during a consultation period, leaving the bigger questions unresolved.

Max Schrems, the chairman of the privacy watchdog noyb, isn’t thrilled. While the DPC’s court action led to a temporary pause on AI training with EU data, noyb filed nine complaints across Europe, pushing for a full investigation into Twitter’s actions. Schrems argues that Twitter’s claim of having a “legitimate interest” in using personal data, without user consent, is dubious at best. He points out that even something as simple as a yes/no prompt could solve the issue, but Twitter, much like its tech giant cousin Meta, seems allergic to asking for permission.

The DPC’s partial enforcement has left many wondering if business interests are overriding users’ fundamental rights. Meanwhile, users learned about Twitter’s data grab not through official channels, but via a viral post from another user—talk about transparency!

In short, Twitter’s AI ambitions are running into serious GDPR roadblocks, with noyb leading the charge to ensure that EU data protection laws are fully enforced. Whether Twitter will comply remains to be seen, but the ongoing legal battles are sure to keep the spotlight on this issue.

Resource:



APT42 - influence on US presidential campaign

Google’s recent report sheds light on the persistent and increasingly aggressive tactics of APT42, an Iranian government-backed cyber threat group, notorious for its sophisticated phishing campaigns. This group has a clear agenda: to compromise high-profile individuals linked to key geopolitical players like the U.S. and Israel, aligning with Iran’s broader political and military objectives.

The Scope of APT42’s Phishing Campaigns

APT42 has set its sights on some of the most sensitive and influential targets, including current and former government officials, diplomats, military personnel, and individuals involved in political campaigns. The group’s operations are not just a random scattergun approach; they are highly targeted and calculated, reflecting a deep understanding of their targets’ roles and the broader geopolitical context. In particular, the group has zeroed in on the U.S. presidential election, attempting to breach the personal email accounts of individuals associated with both President Biden and former President Trump.

Tactical Sophistication

What makes APT42 particularly dangerous is the sophistication of its tactics. The group is adept at using social engineering, creating fake websites, and leveraging legitimate platforms like Google Sites and Gmail to carry out their phishing attacks. For example, they recently created a fake petition on a Google Sites page that appeared to be from the Jewish Agency for Israel, complete with a redirect URL to a phishing page. These phishing attempts are often accompanied by personalized emails that appear to come from trusted sources, such as well-known think tanks or NGOs, making them even more convincing.

APT42’s use of “typosquat” domains—web addresses that closely resemble legitimate ones—is another tactic that enhances their credibility and increases the likelihood of success. For instance, they created domains like “understandingthewar[.]org” to impersonate the Institute for the Study of War and targeted U.S. military members.
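A defender can catch lookalike domains of this kind by comparing the registrable label of each observed domain against a watch list of brands worth protecting. This is an added example, not part of the original post or Google’s report; the watch list and candidate domains are constructed, and “understandingwar.org” is assumed here to be the legitimate domain the typosquat imitates.

```python
def refang(domain):
    """Normalise defanged notation such as understandingthewar[.]org."""
    return domain.lower().strip().replace("[.]", ".").replace("(.)", ".")


def registrable_label(domain):
    """Second-level label: 'understandingthewar' from 'www.understandingthewar.org'."""
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Edit distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(candidates, watchlist, max_distance=3):
    """Return (candidate, watched, reason) for every candidate that imitates a watched domain."""
    hits = []
    for cand in candidates:
        for watched in watchlist:
            if refang(cand) == refang(watched):
                continue  # the genuine domain itself is not a lookalike
            c, w = registrable_label(cand), registrable_label(watched)
            if c == w:
                hits.append((cand, watched, "tld-swap"))
                continue
            dist = levenshtein(c, w)
            if 0 < dist <= max_distance and dist < len(w):
                hits.append((cand, watched, "edit distance %d" % dist))
    return hits


# Constructed inputs: brands to protect and domains seen in mail or DNS logs
WATCHLIST = ["understandingwar.org", "gmail.com"]
CANDIDATES = ["understandingthewar[.]org", "understandingwar.org",
              "gmai1.com", "example.com", "understandingwar.net"]

if __name__ == "__main__":
    for cand, watched, reason in find_lookalikes(CANDIDATES, WATCHLIST):
        print("%s looks like %s (%s)" % (cand, watched, reason))
```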

Targeting Israeli Interests

In the past few months, APT42 has intensified its focus on Israel, a country that already faces significant cyber threats. The group’s phishing campaigns in Israel have targeted former senior military officials, aerospace executives, diplomats, academics, and NGOs. These attacks often begin with benign-looking emails, designed to build trust before the group attempts to compromise the target’s credentials.

One notable campaign involved sending emails that appeared to come from a journalist seeking commentary on recent airstrikes. While these initial emails didn’t contain malicious content, they were likely part of a broader strategy to engage the target before launching more direct attacks.

Phishing Kits and Tailored Attacks

APT42’s success in credential phishing is largely due to their use of advanced phishing kits that target specific platforms like Google, Hotmail, and Yahoo. These kits are designed to mimic the sign-on pages of these services, complete with multi-factor authentication support, making them highly effective. The group also conducts extensive reconnaissance on their targets, using open-source tools to identify personal email addresses that might not have robust security measures in place.

Once APT42 gains access to an account, they don’t just stop there. They implement additional mechanisms to maintain access, such as changing recovery email addresses or exploiting features that bypass multi-factor authentication.

Implications and Ongoing Threats

APT42’s activities are a stark reminder of the ongoing cyber threats posed by state-sponsored actors, particularly as geopolitical tensions remain high. Their focus on U.S. and Israeli targets reflects Iran’s strategic priorities, and their evolving tactics suggest that these attacks will likely continue and become even more sophisticated.

As hostilities between Iran and Israel continue, and with the U.S. presidential election approaching, the need for enhanced security measures is more critical than ever. Google’s Advanced Protection Program (APP) is one such measure, offering targeted users an extra layer of security against these kinds of attacks. This program, along with heightened awareness and vigilance, can help mitigate the risks posed by groups like APT42.

In conclusion, APT42’s campaigns are not just a series of isolated incidents but part of a broader, coordinated effort to undermine key individuals and institutions in the U.S. and Israel. As these cyber threats grow in complexity and scope, so too must our collective response.

Resources:

GUARD - Week 1
https://typetherapy.blog/posts/guard/guard_18_08_2024/
Author
Type Therapy Blog
Published at
2024-08-18
License
CC BY-NC-SA 4.0