Today’s Topics:
- Nearly 3 Billion Individuals’ PII Leaked from National Public Data Breach
- Inside the Polymorphic Trojan: How Browser Extensions are Exploited for Cyber Attacks
- How can Netizen help?
Nearly 3 Billion Individuals’ PII Leaked from National Public Data Breach
In a recent cybersecurity breach involving National Public Data, a background checking company, approximately 2.7 billion records containing sensitive personal information of U.S. citizens were leaked on a hacking forum, leading to a significant class-action lawsuit. The breach has exposed names, Social Security numbers, physical addresses, and possible aliases of individuals across the United States. None of this information was encrypted in any fashion.
The lawsuit was filed by the plaintiff against National Public Data and centers on the company’s failure to safeguard the personally identifiable information (PII) of its users. According to the complaint, National Public Data had a legal duty to protect the plaintiff’s PII and an ethical duty to protect class members. This duty arises from several sources, including the Federal Trade Commission (FTC) Act, contractual obligations, industry standards, and representations made to customers. The complaint argues that National Public Data did not adopt reasonable measures to protect the PII from unauthorized access and disclosure.
The plaintiff claims that National Public Data derived substantial economic benefits from collecting and using the PII of its customers. The lawsuit alleges that without the submission of this sensitive information, the company could not have provided its services. National Public Data needed this information to operate. National Public Data assumed legal and fair duties by obtaining, collecting, and using the PII. It failed to protect this information from disclosure.
The exact details of how and when the breach occurred are not fully disclosed. The lawsuit provides information suggesting that a cybercriminal group known as “USDoD” gained access to National Public Data’s network before April 2024. The cybercriminals were able to exfiltrate billions of unencrypted PII records stored on the company’s network.
On April 8, 2024, USDoD posted a database titled “National Public Data” on the Dark Web hacker forum “Breached.” They claimed that the database contained 2.9 billion records of U.S. citizens and offered it for sale at $3.5 million. According to reports from VX-Underground, a malware repository, the database contained extensive details. These details were about individuals who had not used data opt-out services. These details included:
- First and last names
- Current and historical addresses spanning over three decades
- Social Security numbers
- Information about family members, including parents, deceased relatives, and siblings
Malware repository VX-Underground confirmed the authenticity of the data after reviewing the 277.1 GB uncompressed file. The report highlighted that individuals who had used data opt-out services were not present in the database. Those who had not opted out were immediately found.
Following the first sale attempt by USDoD, portions of the stolen data were released by other threat actors. On August 6, 2024, a hacker named “Fenice” leaked the most complete version of the stolen records. The records were posted for free on the Breached forum. Fenice clarified that the breach was actually carried out by another hacker named “SXUL.”
The leaked data consisted of two text files totaling 277GB and containing approximately 2.7 billion plaintext records. While it is unknown whether the leak included data for every individual in the U.S., many individuals have verified that their and their family members’ information was included, even for deceased relatives.
The breach has led to multiple class-action lawsuits against Jerico Pictures, the entity believed to be operating as National Public Data, for failing to protect people’s information adequately.
Questions You Might Have
- 1. What legal obligations did National Public Data have to protect my information?
The lawsuit argues that National Public Data had obligations under the FTC Act, contractual agreements, industry standards, and representations made to customers. These obligations required the company to keep your PII confidential and protect it from unauthorized access.
- 2. How does the lawsuit claim National Public Data benefited from my information?
The lawsuit alleges that National Public Data derived substantial economic benefits from collecting and using your PII. The company could not provide its services without requiring customers to submit this sensitive information.
- 3. What should I do if I suspect my information was part of the breach?
If you believe your information was compromised in this breach, it is crucial to monitor your credit report for fraudulent activity. You should also be vigilant against phishing attempts and scams that may try to exploit your compromised data.
This data breach has exposed the personal information of millions of people, leading to serious legal and security concerns. As the aforementioned lawsuit progresses, it will likely provide more insights into the breach’s causes and the potential consequences for National Public Data and those affected.
Inside the Polymorphic Trojan: How Browser Extensions are Exploited for Cyber Attacks
Web browser extensions have evolved from niche tools into essential components of the Internet ecosystem, enabling various functionalities and enhancements for users. Many users rely on extensions that are central to their browsing experience, like uBlock Origin for ad blocking or Honey for discounts. Naturally, with this rise in utility comes an increased risk, as bad actors exploit these tools as a new vector for malware distribution. The ReasonLabs Research Team has recently identified a large-scale polymorphic malware campaign that targets web browsers by forcefully installing malicious extensions. These extensions range from simple adware to complex scripts designed to steal sensitive information and execute unauthorized commands.
The malware, active since 2021, proliferates through imitation download websites, particularly those part of online games and video streaming. These sites deceive users into downloading seemingly legitimate software while actually delivering a trojan that installs harmful extensions. This campaign has affected at least 300,000 users across Google Chrome and Microsoft Edge. Unfortunately, most antivirus engines have yet to detect the installer and the extensions, leaving countless users vulnerable.
The initial phase of the attack begins with imitation websites. These websites promise popular software like Roblox FPS Unlocker, YouTube, VLC, or KeePass. Users who download software from these lookalike sites unwittingly get a trojan instead. The trojan typically registers a scheduled task using a pseudonym that mimics legitimate system processes, such as Updater_PrivacyBlocker_PR1, MicrosoftWindowsOptimizerUpdateTask_PR1, and NvOptimizerTaskUpdater_V2. These tasks are configured to run PowerShell scripts stored in critical system directories, such as C:/Windows/System32/NvWinSearchOptimizer.ps1. This script then downloads additional malicious payloads from a remote server and executes them on the affected machine.
The malicious PowerShell script contains several functions, each critical to the success of the malware:
- Registry Manipulation: The script adds specific registry keys to force the installation of the malicious extensions on Chrome and Edge. These keys ensure the extensions remain active, hijacking search queries and redirecting them to adversary-controlled search engines. Moreover, these extensions cannot be disabled by the user, even with Developer Mode enabled. This manipulation results in the browser displaying the message, “Your browser is managed by your organization,” further complicating detection.
- Tampering with Browser Shortcuts: The script modifies browser shortcut files (.lnk) to include parameters that load the local extension dropped by the malware. This local extension focuses on stealing search queries and communicating with a command-and-control (C2) server, making it difficult for users to detect or remove.
- Communication with C2 Servers: The script frequently contacts a C2 server to report the malware’s status and receive instructions for further actions. These instructions often involve tampering with browser DLL files, such as msedge.dll, to override default settings like the search engine. The C2 domain used for these communications is relatively new, and few security systems currently recognize it as malicious.
The PowerShell script used in this malware campaign is carefully engineered to carry out multiple stages of the attack. Below is a breakdown of the script’s key components:
- addRegKeys Function: This function is responsible for adding necessary registry paths to ensure the extensions are force-installed. It checks if the relevant registry keys exist and creates them if they do not. The script then uses these keys to install the malicious extensions on Chrome and Edge.
- addRegVal Function: After establishing the registry paths, the script contacts the C2 server to receive specific instructions, including which extensions to install. The C2 response contains variables that dictate the installation parameters, such as the extension IDs and registry paths. The script then applies these values, ensuring the extensions are installed and active.
- removeUpdates Function: To maintain persistence, the script disables all updates for Chrome and Edge. Browser updates often reset settings to their default state, which would disrupt the malware’s activities. By disabling updates, the script ensures that its modifications remain intact.
- Main Function: The final stage of the script involves modifying browser shortcuts and downloading additional files from the C2 server. The script checks the current version of the extension installed and, if necessary, downloads and installs the latest version from the C2. It then traverses all .lnk files on the system, injecting parameters to load the malicious extension. These parameters include disabling Chrome’s outdated build detector and removing protections for Chrome’s sensitive pages.
- Command Execution: The script also has a mechanism for executing more commands received from the C2 server. These commands often involve downloading and executing new scripts, ensuring the malware can adapt and evolve over time.
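The persistence mechanisms described above (named scheduled tasks, a dropped script under System32, force-install policy keys, disabled browser updates, and tampered .lnk files) are all things a defender can check for from the host itself. The read-only audit script below is an added example written for this bulletin; it is not code from ReasonLabs or from the malware. The task names and script path are the ones quoted in the write-up. The ExtensionInstallForcelist paths are the standard Chrome and Edge enterprise-policy locations, and the UpdateDefault values under the Google Update and Edge Update policy keys are assumed here to be the way updates get disabled, since the write-up does not say which keys the removeUpdates function touches; the --load-extension and --disable-features switches are likewise assumed, so the script prints every argument string it finds for an analyst to review.

```powershell
# Added example (not from the bulletin or the ReasonLabs report): read-only audit of a
# Windows host for the persistence artifacts of the campaign described above.
# Run from an elevated PowerShell session so that all scheduled tasks are visible.

# Task names and script path as quoted in the write-up (the write-up spells the path
# with forward slashes; Windows accepts either form).
$TaskNames  = @('Updater_PrivacyBlocker_PR1', 'MicrosoftWindowsOptimizerUpdateTask_PR1', 'NvOptimizerTaskUpdater_V2')
$ScriptPath = 'C:\Windows\System32\NvWinSearchOptimizer.ps1'

# Standard Chrome/Edge policy locations for force-installed extensions (assumption: the
# write-up does not name the exact keys the malware writes).
$ForcelistKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
# Update policy keys; UpdateDefault = 0 disables automatic updates (assumption, see lead-in).
$UpdatePolicyKeys = @('HKLM:\SOFTWARE\Policies\Google\Update', 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate')

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Category, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Scheduled tasks using the pseudonyms from the campaign.
foreach ($name in $TaskNames) {
    $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $actions"
    }
}

# 2. The dropped PowerShell script itself; hash it so the finding can be shared.
if (Test-Path -LiteralPath $ScriptPath) {
    $hash = (Get-FileHash -LiteralPath $ScriptPath -Algorithm SHA256).Hash
    Add-Finding 'DroppedScript' "$ScriptPath (SHA256 $hash)"
}

# 3. Extensions force-installed through policy. Legitimate enterprise management also
#    uses these keys, so compare each entry against the organization's known policy.
foreach ($key in $ForcelistKeys) {
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^PS') { Add-Finding 'ForceInstalledExtension' "$key\$($p.Name) = $($p.Value)" }
        }
    }
}

# 4. Browser updates disabled by policy (the removeUpdates stage).
foreach ($key in $UpdatePolicyKeys) {
    if (Test-Path -LiteralPath $key) {
        $val = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).UpdateDefault
        if ($val -eq 0) { Add-Finding 'UpdatesDisabled' "$key\UpdateDefault = 0" }
    }
}

# 5. Browser shortcuts carrying extra command-line switches (the .lnk tampering stage).
$shell = New-Object -ComObject WScript.Shell
$shortcutRoots = @(
    "$env:PUBLIC\Desktop", "$env:USERPROFILE\Desktop",
    "$env:ProgramData\Microsoft\Windows\Start Menu", "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
)
foreach ($root in $shortcutRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
        $lnk = $shell.CreateShortcut($file.FullName)
        if ($lnk.TargetPath -match '(chrome|msedge)\.exe$' -and $lnk.Arguments -match '--load-extension|--disable-features') {
            Add-Finding 'TamperedShortcut' "$($file.FullName) -> $($lnk.TargetPath) $($lnk.Arguments)"
        }
    }
}

if ($Findings.Count -eq 0) { Write-Output 'No indicators from this campaign were found on this host.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

The checks are deliberately independent: a host where the browser shows “Your browser is managed by your organization” but no scheduled task is present still surfaces the policy entries, and a shortcut that has been rewritten surfaces even if the extension itself was since removed. Force-install and update-policy hits are only suspicious when the machine is not under legitimate enterprise management, which is why the script reports the raw values rather than deciding on its own.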
The widespread nature of this malware campaign highlights the significant threat posed by malicious browser extensions. By leveraging PowerShell scripts and C2 communication, the attackers have created a highly persistent and adaptable form of malware. The impact on affected users is severe: stolen search queries, unauthorized command execution, and the potential for further data exfiltration.
To mitigate this threat, it is crucial to stay vigilant when downloading software, especially from unverified sources. Users should also regularly review their browser extensions and system processes for any signs of unusual activity. Organizations should consider implementing more security measures, like endpoint protection solutions, to detect and block such attacks.
How Can Netizen Help?
Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.