At a glance.

  • More on the apparent Shanghai National Police data breach.
  • Supply chain attack on NPM package manager.
  • Marriott confirms data breach of hotel guest and employee data.

More on the apparent Shanghai National Police data breach.

As we noted yesterday, in what experts say could be the largest data leak in China’s history (indeed, the biggest in anyone’s history), an anonymous hacker going by the handles “HackerDan” and “ChinaDan” is claiming to have stolen the data of a billion Chinese residents. As CNN reports, HackerDan says a database belonging to the Shanghai National Police was left exposed via an unsecured backdoor link for over a year before he posted the data for sale on an underground hacker forum. Binance CEO Changpeng Zhao wrote a post on Twitter explaining the exposure was “likely due to a bug in an Elastic Search [sic] deployment by a gov agency.” The Register reports that Wall Street Journal reporter Karen Hao verified the data provided in a sample from HackerDan. Hao tweeted, “I was truly stunned when the first person picked up—I really believed the whole thing to be fake. By the third, I was shaking—both from the nerves of trying to explain why I had their extremely private information and the weight of realizing what this leak could mean for so many.”

Meanwhile, the Chinese government has been tight-lipped about the incident and has not yet released any official statement. Gizmodo adds that posts on the popular social media platforms Weibo and WeChat discussing the possible breach have been removed, and that the authorities have reportedly asked at least one poster to come in for questioning. The New York Times notes that the alleged leak demonstrates how Beijing’s rampant collection of mass surveillance data leaves the door open to exposure. Indeed, as ZDNet warns, if the data is in fact real, Chinese businesses should expect a rise in identity theft through smishing attacks, phone swapping, and other cybercrime.

Moshe Zioni, VP of Security Research at Apiiro, drew some lessons about supply chains from the incident:

“The recent breach of the Shanghai Police database is another proof point of the critical implications of inept security in the software supply chain. Secrets in code are one of the most serious threats to organizations today, as they are easily plucked from code and utilized by adversaries without the hassle of breaking into an organization the “old-way.” Factor in the ease of access to cloud services where secrets are typically stored, and you have a very good ROI for attackers with minimum effort and low complexity.

“Proper developer training is absolutely essential to mitigate future attacks. From Apiiro’s own research, we know that developers committing code to enterprise internal repositories are 8X more likely to include secrets in their code that can be immediately used by malicious actors than when dealing with public repositories. CISOs must take developer security education on that matter more seriously when dealing with internal repositories.

“Globally, organizations need to adapt and understand this inequality of powers. Educating developers on the dangers of using hard-coded secrets in code and the grand implications of such an event is critical, as well as practicing secure secret utilization in code that employs safe techniques to use, audit, and rotate those secrets in real-time.

“Secrets must be monitored and proactively scanned by security teams in organizations throughout the development lifecycle to catch those mistakes early on, as well as employ tripwires and audit trails in case of breaching that standard.”
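Zioni’s last point, that secrets should be scanned for throughout the development lifecycle so mistakes are caught before they reach a repository, is the kind of check a pre-commit hook can perform. The following is an added example written for this digest; it is not Apiiro’s tooling or code from any project mentioned here. It scans only the added lines of a diff with three constructed rules (a known credential format, a secret-looking variable name assigned a quoted literal, and a long high-entropy literal); the sample diff, the rule set and the entropy threshold are all assumptions chosen for illustration.

```python
"""Minimal pre-commit style secret scanner over the added lines of a diff.

Added example for illustration; not Apiiro's tooling or code from the article.
The rules, thresholds and the sample diff below are constructed.
"""
import math
import re

# Constructed sample of the added lines of a diff, as a pre-commit hook would see them.
# The values are invented (the AKIA key is Amazon's documented example id, not a live key).
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+db_password = "hunter2"
+api_token = "ghp_" + os.environ["GH_TOKEN"]
+LOG_FORMAT = "%(asctime)s %(message)s"
+signing_key = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
"""

# Rule 1: a known credential format (AWS access key ids are "AKIA" followed by 16 chars).
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Rule 2: a secret-looking variable name assigned a quoted literal of at least 6 chars.
KEYWORD_RE = re.compile(
    r"(?i)(password|passwd|secret|token|key)\w*\s*=\s*[\"']([^\"']{6,})[\"']"
)
# Rule 3: any quoted literal of 32+ chars whose character distribution looks random.
LITERAL_RE = re.compile(r"[\"']([^\"']{32,})[\"']")
ENTROPY_THRESHOLD = 3.5  # bits per char (assumed); hex tops out at 4.0, prose sits near 3


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text: str) -> list:
    """Return findings (dicts with line, rule, snippet) for the added lines of a diff."""
    findings = []
    for lineno, raw in enumerate(diff_text.splitlines(), start=1):
        # Only newly added lines can introduce a new secret; skip context, removals and headers.
        if not raw.startswith("+") or raw.startswith("+++"):
            continue
        line = raw[1:]
        for m in AWS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "rule": "aws_access_key_id", "snippet": m.group(0)})
        for m in KEYWORD_RE.finditer(line):
            findings.append({"line": lineno, "rule": "secret_keyword_literal", "snippet": m.group(2)})
        for m in LITERAL_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "rule": "high_entropy_literal", "snippet": m.group(1)})
    return findings


def should_block(findings: list) -> bool:
    """A hook would reject the commit when any rule fired; the audit trail is the findings list."""
    return len(findings) > 0


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"line {f['line']}: {f['rule']}: {f['snippet'][:12]}...")
    print("block commit:", should_block(scan_diff(SAMPLE_DIFF)))
```

Run against the sample, lines 1, 2 and 5 are flagged and line 3, which reads the token from the environment rather than embedding it, is not. The entropy rule is what catches secrets that carry no telling variable name, at the cost of occasional false positives on long hashes or encoded blobs, which is why a real deployment pairs it with an allow-list and, as Zioni suggests, with rotation of any secret that does slip through.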

Gil Dabah, co-founder and CEO of Piiano, commented simply, “Only in China could a breach of this scale happen, but the lesson learned for every organization worldwide is PII (Personal Identifiable Information) data vaults must be prioritized as part of their IT security tech stack.” 

Supply chain attack on NPM package manager.

Researchers at ReversingLabs detail the discovery of a widespread supply chain attack that aims to install malicious JavaScript packages delivered via the NPM package manager. The attack, which has been targeting NPM since at least last December, is designed to harvest sensitive data from forms embedded in mobile applications and websites. Though the exact scope of the attack is not yet certain, researchers say the packages are potentially used by thousands of mobile and desktop applications and websites, and in one instance a malicious package had been downloaded over 17,000 times. The operation relies on typo-squatting, an approach in which hackers impersonate high-traffic sites by using names closely resembling the spellings of the legitimate ones. The Hacker News notes that a majority of the NPM modules are still available for download from the repository.
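Because typo-squatting depends on a name being one or two keystrokes away from the one a developer meant to type, a dependency manifest can be checked for lookalikes before it is installed. The following is an added example written for this digest, not ReversingLabs’ tooling or code from the campaign described above: it reads a package.json, compares each dependency name against a list of packages the team knows it uses, and flags any name within a small edit distance (counting an adjacent transposition as one edit) of a known one. The known-package list, the sample manifest and the two lookalike names in it are constructed for the example.

```python
"""Lookalike-dependency check for a package.json manifest.

Added example for illustration; not ReversingLabs' tooling. The known-package
list, the sample manifest and the lookalike names it contains are constructed.
"""
import json

# Constructed allow-list: packages the team actually intends to depend on.
KNOWN_PACKAGES = ["react", "lodash", "express", "axios", "moment", "webpack"]

# Constructed manifest; "lodahs" and "expres" are invented lookalikes for the example.
SAMPLE_PACKAGE_JSON = """
{
  "dependencies": {
    "react": "^18.2.0",
    "lodahs": "^4.17.21",
    "expres": "^4.18.0",
    "left-pad": "^1.3.0"
  }
}
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Transposition of two adjacent characters ("lodahs" vs "lodash") costs one edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def find_lookalikes(package_json_text: str, known=KNOWN_PACKAGES, max_distance=2) -> dict:
    """Map each suspicious dependency name to the known package it resembles."""
    manifest = json.loads(package_json_text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))
    suspicious = {}
    for name in deps:
        if name in known:
            continue  # exact match with an intended package is fine
        for candidate in known:
            dist = osa_distance(name, candidate)
            if 0 < dist <= max_distance:
                suspicious[name] = candidate
                break
    return suspicious


if __name__ == "__main__":
    for name, looks_like in find_lookalikes(SAMPLE_PACKAGE_JSON).items():
        print(f"{name!r} resembles known package {looks_like!r}; verify before installing")
```

The check deliberately errs toward false positives: a legitimate package whose name happens to sit within two edits of a popular one will be flagged too, so the output is a review list rather than an automatic block. It also says nothing about a lookalike that the team has never heard of, which is why such a check complements, rather than replaces, the behavioural monitoring of installed packages the article goes on to discuss.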

Uriel Maimon, VP of Emerging Products at PerimeterX, commented on the discovery and its implications: “This NPM incident is a further reminder of software supply chain risks. We strongly advise organizations to ask themselves whether they have the tools and capabilities to notice and take action on changes, potential risks and anomalies in their supply chain, and analyze the behavior of users on their website. Using a multi-tiered approach that looks at the entire attack lifecycle from data theft and harvesting, through validation and then account fraud, can provide indications of account takeover activity, and prevent it regardless of the method the attacker used to get in.”

Marriott confirms data breach of hotel guest and employee data.

DataBreaches.net reported yesterday that it was contacted by an unnamed international hacking group it is calling GNN (Group with No Name), which claims to have successfully breached the networks of hotel giant Marriott International. GNN says it infiltrated Marriott about a month ago and exfiltrated 20GB of data, including credit card information and other confidential data belonging to hotel guests and employees. CyberScoop reports that the hospitality company has confirmed the breach, with a spokesperson stating that Marriott “is aware of a threat actor who used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer.” The associate in question reportedly works at the BWI Airport Marriott, located in the US state of Maryland, and Marriott says the intruder had access to its systems only for a short period of time on one day. After Marriott began investigating the incident, the attacker contacted the company with a ransom demand, which Marriott did not pay. The hotelier says the exfiltrated data consisted of “non-sensitive internal business files regarding the operation of the property,” while GNN’s screenshots show reservation logs for airline crew members from January 2022 and credit card authorization forms. It’s worth noting that this is at least Marriott’s third recent serious data breach: in November 2018 hackers stole the personal data of around 500 million guests from the reservation system of one of the company’s subsidiary brands, and a March 2020 breach resulted in the theft of the data of 5.2 million guests.

Roger Grimes, data-driven defense evangelist at KnowBe4, commented on the role social engineering played in this incident, as it has in others:

“The most common method by hackers for breaching data is social engineering, just like what happened in this instance. The particular method, where an employee is contacted and tricked into providing access to a hacker, which then accesses data files has happened many times in the past. Organizations need to ensure that all employees are frequently educated about this type of social engineering, receiving training at least once a month followed by simulated phishing tests, to see how well employees understood and deployed the training. Employees found to be susceptible to this particular type of phishing attack should be required to take more and longer training until they have developed a natural instinct to put these types of attacks.”