Cyber Round-up for 6th November

Cyber Round-up

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Marriott International Fined £18.4 Million for Data Leak

In 2014, 339 Million Guest Records were stolen in a cyber-attack on Starwood Hotels and Resorts Worldwide Inc. The attack remained undiscovered until four years later, at which point the company had been taken over by Marriott International. As the new owners of the company, Marriott are now facing a fine of £18.4 million for failing to keep their customer’s personal data secure. The stolen data reportedly included names, email addresses, phone numbers, passport numbers and arrival/departure information.

More details on the attack here.


UK Cyber-Threat Agency Reviews COVID-19 Attacks

The National Cyber Security Centre (NCSC) produces annual reports on cyber incidents in the UK. Their most recent review addresses everything from September 2019 to August 2020; during this period, the NCSC responded to 723 incidents, with 194 of them being Covid-related. Some of the most prominent attacks seen during this period include ransomware attacks and cyber-espionage attempting to steal vaccine-related information. As well as these attacks, it was found that 15,354 phishing campaigns used COVID-19 themed content to lure in victims.


Ransomware Gangs Don’t Always Delete Data After Ransom Is Paid

The Maze Ransomware group created a new tactic called double-extortion back in 2019; this involves the data being stolen, and then potentially being published online if a ransom is not paid. This was later adopted by many other ransomware groups as it typically encouraged the victims to pay. However, recent research has found that many groups do not keep their promise to delete the stolen data, meaning your information could still be published after paying the ransom. This is yet another reason cyber experts encourage companies not to pay ransomware groups.


AMP Graphic 2809


Hacker Selling 34 Million Stolen User Records Online

An unknown cybercriminal is selling account databases online, which reportedly contain 34 million user records from 17 different companies. On October 28th, a new topic was spotted on a hacker forum regarding the stolen databases and BleepingComputer have been in contact with the broker; in this conversation, it was revealed that they were not responsible for stealing the company data, and is simply acting as a seller. The largest of the stolen databases belongs to, with 8.1 million records being exposed.

The list of stolen databases can be found here.


23,600 Databases Leaked from Data Breach Index Site

Data breach index site,, is known for collecting hacked databases and providing records to hackers for a subscription fee. More than 23,000 of these hacked databases were made available for download on a number of hacking forums; analysis from threat experts suggests that this is the biggest leak of its kind in recent history. The databases were only available for a few hours however, before being reported and taken down. ZDNet managed to download a portion of the dataset but was not able to retrieve it all. The leaked data includes usernames, emails, addresses and even cleartext passwords.


AT&T Phish Uses Google Forms to Steal Credentials

Researchers have found a new phishing campaign that uses Google Forms as a landing page that collects the credentials of customers from more than 25 companies, brands and government agencies, with over 70% appearing to come from AT&T; Other popular brands include Citibank and Capital One. The most popular form being used appears to request the victim’s username and passwords; this phish is sometimes difficult to spot due to Google Forms providing a valid SSL certificate. Despite showing a secure certificate, users can tell If the form is a scam by the final button. After inputting credentials, the final button says ‘Submit’, rather than ‘Login’ which is not common in login pages. As always, keep an eye out for phishing attempts and be careful when providing details.


SkyKick Banner

Vulnerabilities & Updates

Emergency WordPress Patch 5.5.3

Just one day after the release of version 5.5.2, WordPress were forced to release an emergency 5.5.3 patch to address a newly discovered issue. This flaw made it impossible to install WordPress on a new website without configuring a database connection beforehand. While preparations were being made for the emergency patch, another issue arose that automatically updated sites to version 5.5.3-alpha. WordPress site users should update to 5.5.3 as soon as possible if they are not doing so automatically to avoid encountering any of the new issues.

Security release details can be found here.


And that is it for this week’s round-up, please don’t forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #116 – 6th November 2020

Why not follow us on social media:

Ironshare – Security Simplified