[Security Weekly] Microsoft Power Apps Misconfiguration Exposes 38 Million Personal Records
4th Week of August 2021
1. Microsoft Power Apps misconfiguration exposes 38 million personal records
A highly common misconfiguration in Microsoft Power Apps was found to have exposed 38 million personal records, including data such as COVID-19 vaccination status and social security numbers (SSNs). Microsoft Power Apps is an online platform that provides tools for developing low-code apps and websites that share data with the cloud.
Affected organizations included Microsoft’s own Global Payroll Services Portal, American Airlines, J.B. Hunt Transport Services, Ford, Indiana Department of Health, and New York City public schools. Among the exposed data were the names, phone numbers, job titles, and email addresses of 332,000 Microsoft employees and contractors, along with another 400,000 from American Airlines.
First discovered by researchers at UpGuard, the exposure was not caused by a software vulnerability. It stemmed from a design flaw in how Power Apps uses the Open Data Protocol (OData) by default: the Power Apps API serves application data over OData, and that data is public by default. To restrict access to private data, developers must proactively configure table permissions, which many had not done.
Even so, Microsoft quickly released a tool that Power Apps users can run to check whether their own data is exposed.
Sources: UpGuard, Threatpost, Nasdaq
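Because the exposure comes from anonymous reads of the portal's OData feed rather than from a bug, the practical defender's check is to ask your own portal, unauthenticated, whether each table still answers. The script below is an added example written for this digest; it is not code from the article, from UpGuard, or from Microsoft's checking tool. It assumes the portal serves its OData feed under `/_odata/<entity set>` (the standard location for Power Apps portal feeds) and uses the OData `$top=1` option so the audit never pulls a whole table. The host name `portal.example.invalid`, the entity set names, and the `sample_fetch` responses are constructed placeholders so the code runs offline; point `audit_portal` at your own portal with your own table names when using it for real.

```python
# Added example (not from the article, UpGuard, or Microsoft): an offline-testable
# self-audit that checks whether entity sets on your own Power Apps portal answer
# anonymous OData requests. Host and entity set names are placeholders.
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Tuple

Fetcher = Callable[[str], Tuple[int, bytes]]


@dataclass
class ExposureResult:
    entity_set: str
    status: int
    record_count: int

    @property
    def exposed(self) -> bool:
        # A denied request (401/403) or a 200 with an empty "value" array both
        # mean table permissions are filtering the anonymous caller; only a 200
        # that actually hands back records counts as exposed.
        return self.status == 200 and self.record_count > 0


def anonymous_fetch(url: str) -> Tuple[int, bytes]:
    """Unauthenticated GET with no cookies or tokens, returning (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def count_records(body: bytes) -> int:
    """Number of entries in an OData JSON response's "value" array (0 if none)."""
    try:
        doc = json.loads(body.decode("utf-8") or "{}")
    except (ValueError, UnicodeDecodeError):
        return 0
    value = doc.get("value") if isinstance(doc, dict) else None
    return len(value) if isinstance(value, list) else 0


def audit_portal(portal_host: str, entity_sets: List[str],
                 fetch: Fetcher = anonymous_fetch) -> List[ExposureResult]:
    """Probe each entity set anonymously, asking for a single record ($top=1)."""
    results = []
    for name in entity_sets:
        # Portal OData feeds live under /_odata/<entity set>; $top=1 keeps the
        # audit from downloading a whole table just to learn it is readable.
        url = f"https://{portal_host}/_odata/{name}?$top=1"
        status, body = fetch(url)
        results.append(ExposureResult(name, status, count_records(body)))
    return results


def exposed_sets(results: List[ExposureResult]) -> List[str]:
    """Names of the entity sets that returned records to an anonymous caller."""
    return [r.entity_set for r in results if r.exposed]


# Constructed responses standing in for a live portal so the audit runs offline:
# "contacts" has no table permission and leaks a record, "accounts" is filtered
# down to nothing, and "cases" is denied outright.
def sample_fetch(url: str) -> Tuple[int, bytes]:
    if "/_odata/contacts?" in url:
        return 200, (b'{"value":[{"contactid":"00000000-0000-0000-0000-000000000001",'
                     b'"emailaddress1":"user@example.invalid"}]}')
    if "/_odata/accounts?" in url:
        return 200, b'{"value":[]}'
    return 403, b'{"error":{"message":"Forbidden"}}'


if __name__ == "__main__":
    findings = audit_portal("portal.example.invalid",
                            ["contacts", "accounts", "cases"], fetch=sample_fetch)
    for r in findings:
        print(f"{r.entity_set:10} HTTP {r.status} records={r.record_count} "
              f"{'EXPOSED' if r.exposed else 'ok'}")
```

Any entity set reported as EXPOSED is one whose table permissions have not been configured, which is exactly the gap the article describes; the fix is to enable table permissions for that table and re-run the audit until the anonymous request is denied or comes back empty. Running this against any portal other than your own is not what it is for.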
2. SAC Wireless reveals data breach after Conti ransomware attack
SAC Wireless, a wholly owned Nokia subsidiary based in Chicago, was attacked by the Conti ransomware gang, who successfully stole 250 GB of data before encrypting the company’s systems. SAC Wireless is a cellular infrastructure builder that works with US carriers and tower operators.
SAC Wireless detected the attack only on June 16, by which time the attackers had already gained access to its network, corrupted its cloud storage, and stolen its files before encrypting its systems.
After two months of investigation, the company confirmed a data breach on August 13, indicating that the personal information of its current and former employees had been compromised. The stolen files included names, dates of birth, contact details, driver’s licence numbers, social security numbers (SSNs), health insurance information (of dependents), and tax return information.
Affected individuals are being contacted directly. The Conti ransomware gang claimed responsibility for stealing the 250 GB of data and threatened to release it unless a ransom was paid.
Sources: Bleeping Computer
3. FBI issues warning on Hive ransomware after Memorial Health System paralyzed
On August 25, the FBI issued an alert regarding the recently active Hive ransomware gang, shortly after the gang took down Florida-based Memorial Health System on August 15.
According to the report, Hive ransomware became active in June 2021 and has taken down at least 28 organizations so far; healthcare providers are especially at risk. Operating on a ransomware-as-a-service (RaaS) model, Hive affiliates are known for double extortion attacks. Before deploying the ransomware, the attackers typically try to disable backups, antivirus programs, and file copying features, which makes recovery very difficult.
The attack on Memorial Health System paralyzed all three hospitals and 64 clinics the system operates. Urgent surgeries and exams were canceled on August 16, and emergency patients were redirected to nearby hospitals. CEO Scott Cantley acknowledged that the organization had to pay the ransom to receive the decryptor.
Sources: FBI, ZDNet, Infosecurity
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: ISign+
Car, Energy, Factory, City Solutions: Penta IoT Security