Cyber Risk News
Researchers have discovered a vulnerability in TikTok which could have allowed attackers to harvest users’ phone numbers and personal profile details.
Check Point revealed today that the flaw, which has now been fixed by the popular social network, was found in the app’s “Find Friends” feature.
The problem stems from the fact that TikTok allows users to sync their phone contacts with the app, thus connecting user profiles with phone numbers.
If exploited, the flaw could have allowed attackers to bypass the app’s HTTP message signing to login, and then sync contacts to discover the profiles of all the TikTok users in the victim’s phone book.
Worse still, the SMS log-in process from a mobile device involved TikTok servers generating a token and session cookies, but these did not expire for 60 days, meaning an attacker could use the same cookies to login for weeks.
Among the profile details exposed by the vulnerability are TikTok nickname, profile and avatar pictures, unique user IDs and settings including whether a user is a follower or if a user’s profile is hidden.
Check Point head of products vulnerabilities research, Oded Vanunu, said his team was curious to see if the TikTok platform could be used to gain access to private user data.
“We were able to bypass multiple protection mechanisms of TikTok, that led to privacy violation. The vulnerability could have allowed an attacker to build a database of user details and their respective phone numbers,” he explained.
“An attacker with that degree of sensitive information could perform a range of malicious activities, such as spear phishing or other criminal actions. Our message to TikTok users is to share the bare minimum, when it comes to your personal data, and to update your phone’s operating system and applications to the latest versions.”
A TikTok statement recognized the work of “trusted partners” like Check Point in making the platform safer for users.
“We continue to strengthen our defenses, both by constantly upgrading our internal capabilities such as investing in automation defenses, and also by working with third parties,” it added.
Over 320,000 court records belonging to the second most populous county in the US have been discovered sitting on a misconfigured online database.
Security researcher Jeremiah Fowler and a team from Website Planet soon found that the data was all from Cook County, Illinois, which is home to America’s third-largest city, Chicago.
“There have been several high-profile data exposures of private companies that affected Cook County residents in the past few years including a large hospital data breach. However, this appears to be the largest breach of Cook County internal records to date,” noted Fowler.
“We hope our discovery and notification helped protect and secure this sensitive data before it could be stolen, encrypted with ransomware, or wiped out by an automated bot script. Companies, organizations and even governments must do more to protect the data they collect and store.”
He said that the highly sensitive data appears to have come from an internal records management system, with virtually all exposed records containing some form of personal info including: full names, home addresses, email addresses, case numbers and private case notes.
Dating back nine years, the cases were marked up to signify that they related to immigration, family or criminal court proceedings.
Immigration case notes are particularly lucrative for fraudsters because they can lend legitimacy to social engineering scams.
“In this exposure there was a treasure trove of contacts and data that could have potentially been exploited for a wide range of nefarious purposes,” argued Fowler. “Immigrants are in a vulnerable position and these are real threats against people who can rarely protect themselves or fight back for their rights due to lack of resources, including financial resources.”
Family court records are also particularly sensitive as they can include details of children involved in domestic violence, custody and other cases, he added.
In many cases, the victims were not only exposed to phishing and possible identity theft attempts but also blackmail.
The exposed database was discovered on a Saturday and secured promptly two days later on the Monday. However, there’s no clue as to how long it was left online, available to access by “anyone with an internet connection.”
Tens of thousands of users have had their personal details exposed after a popular online gaming site misconfigured the Elasticsearch server they were sitting on.
A research team at WizCase found the wide-open server, with zero encryption and no password protection, through a simple search. It was traced back to VIPGames.com, a popular free-to-play card and board game platform with 100,000 Google Play downloads and roughly 20,000 active daily players globally.
The site features games such as Hearts, Crazy Eights, Euchre, Rummy, Dominoes, Backgammon, Ludo and Yatzy. Its Bulgarian developer, Casualino JSC, runs multiple similar gaming platforms including VIPSpades.com, VIPBelote.fr, Belot.bg, VIPJalsat.com and VIPBaloot.com.
Over 30GB of data was leaked in the privacy snafu, including 23 million records. In this trove, the researchers picked out 66,000 user profiles including: usernames, emails, device details, IP addresses, hashed passwords, Facebook, Twitter and Google IDs, in-game transaction details, bets and details regarding banned players.
The passwords were hashed with the Bcrypt algorithm using 10 rounds which, while time-consuming, is not impossible for a determined attacker to crack, WizCase argued. Cracked passwords could then be used to try to access other sites and accounts used by the same gamers.
The firm warned that if a threat actor had found the exposed data, they could have crafted convincing phishing attacks by email or phone, using the extensive personal information in these profiles.
There was even an opportunity for blackmail of certain banned users of the site, it claimed.
“A hacker could obtain a banned user’s email address and social media IDs then use the reason given for the ban for extortion or revenge. For instance, a player who was banned for possible pedophile behavior could be tricked into a physical meeting with vigilantes,” WizCase continued.
“If a user was banned for exhibitionism, someone who knows their email address or social media accounts could threaten to expose them. Also, given bans are ultimately at the moderators’ discretion, a banned player’s personal reputation may be ruined if the accusation was without merit.”
Users were advised not to reuse passwords and to use a password manager, to be cautious of unsolicited phone calls and not reply to unsolicited emails.
A man from Texas has been convicted of operating a website dedicated to publishing stories detailing the sexual abuse of children.
Brewster County resident Thomas Alan Arthur was convicted by a federal jury on January 21 following a trial that lasted three days.
According to trial evidence, the 64-year-old started operating a website called Mr. Double in 1996. The website was devoted to publishing writings that described the sexual abuse of children, including the rape, torture, and murder of infants and toddlers.
The website, which Arthur administered from his home, proved popular, and in 1998 he began charging a membership fee.
According to NewsWest9, Arthur stated in an interview with the FBI that his site had over 800 subscribers who paid up to $90 a year to access content.
Arthur invited members to submit material for publication on the site in return for a discounted membership fee. All of the submitted material was reviewed and approved by Arthur personally prior to being uploaded to the website.
The evidence at trial showed that along with text, some of the author pages on the website contained drawings depicting children engaged in sexually explicit behavior.
Arthur made enough income from the Mr. Double website for it to be his sole source of income for more than 20 years.
The site remained online until November 2019, when the FBI executed a search warrant at Arthur's residence near Terlingua. Additional evidence about Arthur's illegal activities was obtained from a server in the Netherlands where the Mr. Double site was hosted.
The FBI said that the site contained several disclaimers stating that none of the stories were based on real events. However, among the site's subscribers were a significant number of people with prior convictions for child sexual abuse and possession of child sexual abuse material.
Arthur was found guilty of three counts of trafficking in obscene visual representations of the sexual abuse of a child, five counts of trafficking in obscene text stories about the sexual abuse of children, and one count of engaging in the business of selling obscene matters involving the sexual abuse of children.
Sentencing is scheduled for April 19, 2021.
A San Francisco law firm has launched an investigation into a data breach that took place at a subsidiary of Petco Health and Wellness Company.
The breach, which occurred over a six-month period last year, resulted in the exposure of the payment card information of tens of thousands of customers of PupBox, Inc.
PupBox, which appeared on the entrepreneurial-themed reality TV show Shark Tank, sells customized puppy subscription boxes containing toys, treats, chews, and accessories handpicked according to the animal's age and physical characteristics.
On October 2, 2020, PupBox announced that its website, PupBox.com, had been the target of a prolonged data breach affecting more than 30,000 of its subscribers.
Threat actors installed an unauthorized website plug-in that allowed personal information to be captured and shared with a third-party server between February 11, 2020, and August 9, 2020.
Data potentially exposed in the breach includes subscribers' names, addresses, email addresses, passwords, credit card numbers, credit card expiration dates, and credit card CVV codes.
According to a security notification letter dated October 2 and signed by PupBox's Ben Zvaifler, the company learned of the breach in September. A month later, it found out that, as a result of the incident, PupBox customers may have become the victims of fraudsters.
"We are writing to inform you that on September 2, 2020, PupBox (a business unit of Petco Animal Supplies Stores, Inc.) became aware of a security incident which affected the PupBox website and may have resulted in a breach of your personal information," reads the letter.
"On August 7, 2020, we received a notification that fraudulent activities may have occurred on credit cards that were used on the PupBox website between February 26, 2020 and July 21, 2020."
The incident is now under investigation by class-action lawyers at Schubert Jonckheer & Kolbe LLP, who noted that PupBox waited at least a month before notifying victims after learning the full extent of the breach.
"The Schubert Firm is investigating the conduct and cybersecurity practices of PupBox and Petco in relation to the breach. Of particular concern, the malicious plug-in was active on the PupBox website for nearly six months between February 11 and August 9, 2020," said a spokesperson for the firm.
Founded in 2011 as a cybersecurity training company with a vision of delivering military-grade technology to the private sector, Root9B provides advanced cyber-threat-hunting services and solutions. The company also offers defense forensics and incident response, tech-enabled vulnerability assessment and penetration testing, and defensive security and hunt operator training.
R9B is headquartered in Colorado Springs, Colorado, and maintains dedicated security operations centers there and in San Antonio, Texas.
“Deloitte continually works to provide outstanding value to our clients,” said John Peirson, Deloitte Risk & Financial Advisory CEO.
“Adding R9B’s business to our existing cyber practice is just one more way we’re accelerating meaningful investments into the innovative approaches we offer our clients as they work to manage emerging threats.”
Deloitte said the deal will bolster its existing Detect and Respond cyber client offering with the addition of R9B’s experienced cyber-operations professionals and award-winning threat-hunting and risk-assessment solutions.
“Commercial and government entities contend with cyber adversaries who use incredibly sophisticated technology to penetrate legacy defenses and take advantage of expanding attack surfaces,” said Deborah Golden, Deloitte Risk & Financial Advisory Cyber and Strategic Risk leader and principal.
“The addition of R9B’s business will expand our complement of skilled cyber professionals and leading technologies, while also offering our clients an advantage against adversaries. Our newly combined powerful and innovative solutions for preventing, detecting and mitigating cyber threats are unlike anything we’ve seen available in today’s market.”
R9B founder and CEO Eric Hipkins described the acquisition as "a logical next step" for the company that is known around the world for its threat-hunting platform ORION.
“Our shared commitment to our clients’ missions and recognition of the importance of combining exceptional technology, people and processes to solve the most challenging security problems of our day makes joining Deloitte a logical next step in our story,” said Hipkins.
"At Deloitte, we’ll be able to accelerate scaling and development of offerings we consider vital to proactive cyber threat hunting and remediation.”
The Russian government has issued cybersecurity guidance to businesses in the country after claiming they are at risk of US reprisals for the recent SolarWinds attacks.
The alert came late last week from the National Coordination Center for Computer Incidents (NKTsKI), an agency created in 2018 by KGB successor the Federal Security Service (FSB).
It claimed the Biden administration had threatened to carry out retaliatory attacks on Russian critical infrastructure following the large-scale cyber-espionage campaign experts say the Kremlin has waged on US government and other organizations over the past year.
In fact, Biden’s press secretary had done little but repeat previous statements that the US reserves the right to “respond at a time and manner of our choosing to any cyber-attack.”
The 15-point plan issued by NKTsKI features some pretty basic advice including updating incident response plans, correctly configuring security tools, training users how to spot phishing, avoiding third-party DNS servers and using multi-factor authentication.
Also on there are: application controls, firewalls, updated passwords, email security and prompt patching.
The US finally blamed Russia for the SolarWinds attacks earlier this month, after it emerged that Kremlin-sponsored operatives had performed a major spying operation on government departments including the Department of Justice, the State Department and the Treasury.
President Biden now has the tricky geopolitical task of seeking cooperation with Russia over arms treaties while also finding a way to punish the Kremlin for this cyber-attack and other pressing issues.
Reports suggest he has tasked the intelligence community with investigating four key areas: the SolarWinds attack, possible interference in the 2020 election, efforts to muzzle Russian opposition leader Alexei Navalny, and a bounty program to pay Taliban fighters in Afghanistan for killing US troops.
Intel was forced to issue its financial results earlier than expected last week after an internal error made public some of the information before it was due to be released, the firm has confirmed.
Originally, Intel CFO George Davis claimed a “hacker” had got hold of an infographic detailing the earnings, which was waiting to be published on the firm’s PR Newsroom site.
An Intel spokesperson told the Financial Times at the time: “We were notified that our infographic was circulating outside the company. I do not believe it was published. We are continuing to investigate this matter.”
However, the chip giant has since admitted that it was to blame.
“The URL of our earnings infographic was inadvertently made publicly accessible before publication of our earnings and accessed by third parties,” noted a new statement. “Once we became aware of the situation we promptly issued our earnings announcement. Intel’s network was not compromised and we have adjusted our process to prevent this in the future.”
In the end, the chip giant published its financials only minutes before they were due to go live anyway, although it meant traders had six minutes before the markets closed to act on the report.
The strong financials showed Intel beating Wall Street estimates, thanks to a 33% boost in the volume of PC chips it sold over the previous quarter, due to soaring lockdown demand from home workers and students.
Intel ended the day with its share price up over 6%, although it subsequently tumbled more than 9% the following day.
Immersive Labs’ chief cyber officer, Max Vetter, argued that this may have been linked to the earnings incident, and the uncertainty created over its origins.
“The negative impact on Intel’s finances is, unfortunately, a sign of why data security has become a boardroom issue,” he argued.
Incident response plans and organizational processes must always be primed to deal with any breaking threat, Vetter added.
“The ones who will respond best are the teams that have been drilling for such events far in advance to ensure that, if the worst does happen, they have the muscle memory to respond quickly and the agility to react when the unexpected hits,” he concluded.
Security vendor SonicWall has warned its customers that threat actors may have found zero-day vulnerabilities in some of its remote access products.
An initial post on the vendor’s knowledgebase pages on Friday claimed that the NetExtender VPN client version 10.x and the SMB-focused SMA 100 series were at risk.
However, an update over the weekend clarified that impacted products were confined to its Secure Mobile Access (SMA) version 10.x offering running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance.
These provide customer employees with secure remote access to internal resources — capabilities in high demand during the pandemic. As such, there’s an obvious advantage to attackers in finding bugs to exploit in such tools.
“We believe it is extremely important to be transparent with our customers, our partners and the broader cybersecurity community about the ongoing attacks on global business and government,” SonicWall said in the alert.
“Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products.”
There’s no more info for now on what the attackers were after and how they performed the intrusion.
However, SonicWall also clarified that its firewall products, SonicWave APs and SMA 1000 Series product line are unaffected.
“Current SMA 100 Series customers may continue to use NetExtender for remote access with the SMA 100 series. We have determined that this use case is not susceptible to exploitation,” it added. “We advise SMA 100 series administrators to create specific access rules or disable Virtual Office and HTTPS administrative access from the internet while we continue to investigate the vulnerability.”
Since the start of the COVID-19 crisis, security and infrastructure providers have come under increasing scrutiny as attackers look for holes in products which could provide them with large-scale access to customer environments.
Back in April, it emerged that sophisticated ransomware groups were exploiting flaws in VPN products to attack hospitals, while in October, the US warned that APT groups were chaining VPN exploits with the Zerologon flaw to target public and private sector organizations.
Products from Fortinet (CVE-2018-13379), MobileIron (CVE-2020-15505), Juniper (CVE-2020-1631), Pulse Secure (CVE-2019-11510), Citrix NetScaler (CVE-2019-19781) and Palo Alto Networks (CVE-2020-2021) were all highlighted as at risk.
The European Data Protection Board has issued new advice to hospitals regarding what action to take in the event of a cyber-attack.
Currently released in draft form, the new set of recommendations urges healthcare providers hit with ransomware to report the attack even if no patient data is accessed or exfiltrated.
The guidelines state: "The internal documentation of a breach is an obligation independent of the risks pertaining to the breach and must be performed in each and every case."
A series of attack scenarios are described in the recommendations along with appropriate prior measures, risk assessment, mitigation, and obligations.
"The fact that a ransomware attack could have taken place is usually a sign of one or more vulnerabilities in the [data] controller's system," state the guidelines.
In example case number three, a hospital suffers a ransomware attack in which data was encrypted but not exfiltrated and backups of the data are available in an electronic form. Such an attack could have a large impact on patients, according to the EDPB.
"The quantity of breached data and the number of affected data subjects are high, because hospitals usually process large quantities of data," state the guidelines.
"The unavailability of the data has a high impact on a substantial part of the data subjects. Moreover, there is a residual risk of high severity to the confidentiality of the patient data."
Despite data restoration being possible in this circumstance, the EDPB said such an attack still posed a big risk to patient data.
"The type of the breach, nature, sensitivity, and volume of personal data affected in the breach are important," state the guidelines.
"Even though a backup for the data existed and it could be restored in a few days, a high risk still exists due to the severity of consequences for the data subjects resulting from the lack of availability of the data at the moment of the attack and the following days."
The guidelines go on to say that patients who experience major delays in care as a result of a ransomware attack should be informed directly of the attack by the data controller.
“It might be a step too far, to require a communication like this,” commented Dirk Schrader, global vice president at New Net Technologies (NNT).
“The formulated requirement to communicate a data breach to patients affected with the delays caused by it can create another path for extortion by attackers.”
A former home security technician has admitted habitually hacking into customers' home surveillance cameras to spy on people without their consent.
Telesforo Aviles accessed the accounts of around 200 customers more than 9,600 times over a period of four and a half years while employed by security company ADT.
The 35-year-old carried out the cyber-intrusions for his own sexual gratification. He made a note of which camera feeds were linked to the homes of women he deemed attractive, then logged into these feeds repeatedly.
Aviles admitted watching numerous videos of naked women and couples engaging in sexual activity inside their homes.
"Mr. Aviles admits that contrary to company policy, he routinely added his personal email address to customers' 'ADT Pulse' accounts, giving himself real-time access to the video feeds from their homes," said the Department of Justice in a statement. "In some instances, he claimed he needed to add himself temporarily in order to 'test' the system; in other instances, he added himself without their knowledge."
Aviles pleaded guilty yesterday in federal court to charges of computer fraud, according to the US Attorney's Office for the Northern District of Texas. He now faces a maximum sentence of five years in prison.
ADT officials told the Dallas Morning News that it "deeply regrets" the incidents and that affected customers have been informed of the intrusion on their most private moments.
Brandon Hoffman, chief information security officer at Netenrich, said that Aviles' criminal activity highlighted the continued growth of privacy concerns among consumers.
“With the rising exposure of privacy intrusions by basic connected devices, such as Alexa and Google, home devices buyers should beware systems like this that have active intrusion capability," Hoffman told Infosecurity magazine.
"While designed for the intent of security or providing additional services, it's important to understand the detail of access these systems provide and measure the benefits versus the risk of privacy invasion.
"Additionally, there is a glaring lack of discussion and availability on protective measures against intrusion from these systems that are common or basic enough to be understood and used by non-deeply technical users.”
A woman from Pennsylvania will appear before a federal court on Monday to face charges in connection with the theft of a laptop belonging to Speaker of the United States House of Representatives Nancy Pelosi.
The computer was stolen from Pelosi's office earlier this month when a crowd of people who had been attending a political protest forced their way into the US Capitol building and disrupted the certification of then President-elect Joe Biden's electoral victory.
Harrisburg resident Riley June Williams was arrested by federal authorities on January 18 following a tip to the FBI from the 22-year-old's former romantic partner. The ex said that Williams appeared in a video of the Capitol invasion and had said that she intended to sell Pelosi's stolen computer to Russian intelligence.
Williams, who has no prior criminal record, was charged with trespassing, obstruction, theft, violent entry, and conducting herself in a disorderly way on Capitol grounds.
Video of the chaotic scenes that unfolded at the Capitol on January 6 shows a woman matching Williams' description saying “upstairs, upstairs, upstairs” to people who were trespassing in the building.
An affidavit submitted to the court by an FBI agent based in Virginia stated that Williams had been seen on closed-circuit security camera footage entering and exiting the office of the speaker.
The agent said a video showing a man's gloved hand picking up an HP laptop from a table and captioned with the words “they got the laptop” may have been shot on a cellphone belonging to Williams.
After three nights in jail, Williams was released into the custody of her mother yesterday by Federal Judge Martin Carlson and placed under travel restrictions.
Carlson ordered Williams to appear in federal court in Washington on Monday to continue her case.
“The gravity of these offenses is great,” he told Williams. “It cannot be overstated.”
Lori Ulrich, defending Williams, said the FBI's tipster was an abusive ex-boyfriend of Williams whose accusations "are overstated."
The effectiveness of offensive capabilities in deterring nation state actors was discussed by a panel during the recent ‘RSAC 365 Innovation Showcase: Cyber Deterrence’ webinar.
Chair of the session, Jonathan Luff, co-founder at Cylon, observed that now is the ideal time to be asking if and when offensive strikes should be used following the Russian state-backed SolarWinds attacks at the end of last year, as well as the inauguration of newly-elected President Joe Biden this week. Luff noted: “The new administration has already made clear it intends to make cyber a huge priority.”
Ciaran Martin, former CEO at the National Cyber Security Centre (NCSC) in the UK, began by arguing that while offensive cyber-actions can be useful against certain types of enemies, they will not deter incidents like SolarWinds. He highlighted the UK’s successful cyber-strikes against the Islamic State back in 2018, which hindered its operations and made it harder for it to radicalize people online. However, he does not believe it would have such a positive effect in preventing cyber-attacks emanating from countries such as Russia and China. “If you knock off the six o’clock news in Moscow who’s that going to deter?” he asked.
He added that the nature of the threat China poses to the West is different to that of Russia, with its bid for technological supremacy an “existential” danger. This means there is now a clash between societies with free and open technologies and those that are authoritarian. Martin commented: “You certainly don’t counter that with cyber-attacks or by Trumpian sanctions; you counter it by innovation.”
Sian John, EMEA director, cybersecurity policy at Microsoft, said that the tech giant’s main priority in dealing with the cyber-threats posed is innovating around threat, detection and response capabilities. “We’re definitely on the defense side of that approach,” she added. More broadly, to keep the free and open internet secure, she highlighted the importance of tech companies collaborating more closely “to try and get ahead of the threat.”
The panel agreed that the role of cybersecurity startups will be vital in the development of more innovative defensive solutions going forward. Itxaso del Palacio, partner at investment firm Norton Capital, believes the challenges posed to organizations by the rapid shift to home working and adoption of the cloud have increased the importance of startups in this space. This has, in turn, already led to more innovative solutions becoming available. “That has accelerated the need to manage and monitor these multi-cloud solutions,” she stated.
Concluding the discussion, the panellists offered reasons for positivity in relation to making the open internet more secure over the coming decade. These include an increased focus by security companies on tackling the evolving ransomware threat and the use of automation to detect dangers quickly. More generally, John said she is “really excited by the move to build privacy and security in by design rather than it being a bolt on.”
A leading rights group has asked the UK’s data protection regulator to urgently investigate the role of a shadowy political consultancy over claims that it helped the Conservative Party to general election victory in 2019.
CT Group is a global lobbying and consulting firm founded by long-time Tory collaborator Lynton Crosby. Its CT Partners Limited business accounted for nearly 40% of the Conservative Party’s £4.5m spend on “Market Research/Canvassing” at the last election, far more than any other business, according to Privacy International.
However, the rights group said it has been consistently stonewalled by the firm after trying to find out exactly what services it offered in the run-up to the general election.
Regulator the Information Commissioner’s Office (ICO) is conducting an ongoing investigation into the use of personal information and data analytics for political purposes. It was sparked by revelations over the work of Cambridge Analytica, which is said to have used data harvested illegally from Facebook users and their friends to target voters in the 2016 US Presidential election.
The hiring of companies like Cambridge Analytica and CT Partners is increasingly common in modern politics, and in itself is perfectly legal.
However, there are growing concerns over how voters’ personal data is used to profile them in political campaigns, especially in opaque online “micro-targeting,” which allows parties to say different things to different people in the hope of securing their vote.
COVID-19 has accelerated the trend for this kind of virtual campaigning, which relies on the processing of vast volumes of personal data on individuals who often have no idea they’re being profiled in this way, noted Privacy International.
The non-profit’s policy director, Lucy Purdon, argued that this “invisible processing” of personal data is at the heart of its concerns about CT Partners, and could have major GDPR compliance implications.
“Most people will have no direct relationship with these companies, and are mostly unaware they are being profiled for political purposes,” she said. “It is vital that the democratic process is not undermined by these secret and opaque methods. Voters deserve better.”
Publicly reported global breach volumes dropped 48% last year compared to 2019, but the number of exposed records soared 141% to top 37 billion, according to new data from Risk Based Security.
The security vendor uses automated tools to crawl the internet for info on breaches, which are then manually verified by human researchers, who also obtain data from Freedom of Information requests.
The resulting 2020 Year End Report revealed a total of 3932 breaches last year, although it explained that around 5% to 10% more from 2020 may end up being disclosed over the coming months. That would apparently put the year roughly in line with 2015 and 2016 in terms of breach volumes.
The soaring number of breached records also includes those that have been exposed through cloud misconfigurations but may not actually have been compromised by attackers.
In fact, 30.4 billion (82%) of the breached records listed in the report came from just five incidents, all of which were down to misconfigured databases or services. The vendor admitted “there is scant evidence the data has been used for malicious purposes.”
External actors accounted for 77% of breaches, and of those caused by insiders, the vast majority (69%) were down to human error or oversight. The use of stolen credentials was the number one confirmed method of entry for attackers.
In a sign of the growing popularity of “double extortion” attacks, 676 breaches (17%) included ransomware as an element, an increase of 100% on 2019.
“We do not believe fewer breaches are happening,” argued Risk Based Security executive vice-president, Inga Goddijn.
“Disruptions at certain governmental sources, delayed reporting and declining news coverage have all contributed to fewer breaches coming to light in 2020, but that is only a part of the story. More complex and damaging attacks have also contributed to lengthy and complex investigations.”
Security experts have warned that more nasty surprises may be in store for recipients of a Department for Education (DfE) laptop scheme, after malware was found on some machines.
Malicious files were found on some laptops that were sent to a Bradford school as part of the government’s attempt to support remote learning for vulnerable children, the BBC reported yesterday.
They’re said to be infected with the legacy Gamarue.I worm, which Microsoft claims could seek to download additional malware to the endpoint. This could theoretically expose users to ransomware or theft of personal and financial information.
The report claimed that the infected laptops have been observed attempting to contact Russian servers.
The government is said to have shipped over 800,000 laptops to schools around the country, although a DfE spokesperson claimed only a “small number” were affected.
Tanium’s EMEA chief architect, Oliver Cronk, said action must be taken quickly to ensure any infected laptops aren’t used by children or their families.
“It’s clear these machines have not been wiped or updated properly and this raises concern around what else might be present on them, as well as how long these vulnerable children will now be left without devices if they’ve been compromised and need to be cleaned up,” he argued.
“Schools should work with authorities to identify how many of the 800,000 devices that have been given out contain the malware. Then they must also assess if it’s just pupils’ devices that have been compromised or teachers too, as this would cause further problems.”
Redscan head of threat intelligence, George Glass, also cautioned that there may be further trouble ahead for the government scheme.
“The Gamarue worm is not a new malware strain, it was first discovered in 2011 and is just one example of hundreds of such threats that may reside on old, unchecked devices,” he explained.
“If such an old worm was discovered on these machines it may not be the only nasty surprise. It’s certainly possible that newer and more severe malware strains are present on devices too.”
Sam Curry, chief security officer at Cybereason, argued that the laptops are likely to have been refurbished, which increases the risk of infection if they’re not properly treated before redistribution.
“The safest way to ensure students received a bug-free laptop would have been to wipe the hard drives, essentially starting from scratch by removing existing files and doing a complete reinstall on every machine. However, this requires time, money and patience,” he added.
“To reduce the overall risk to students the Department for Education should be putting security parameters in place to prevent them from downloading games, other apps and other unnecessary programs that could come from untrustworthy websites and sources and be laced with viruses or malware.”
Medical records belonging to truck drivers and rail workers may have been exposed following an alleged cyber-attack on an occupational healthcare provider in Virginia.
Data apparently belonging to employees of the United Parcel Service (UPS) and Norfolk Southern Railroad was published online to a leak site by the gang behind Conti ransomware. The cyber-criminals claimed to have obtained the data during a December cyber-attack on Taylor Made Diagnostics (TMD).
The HIPAA Journal reported that the leaked data includes full names, Social Security numbers, details of medical examinations, drug and alcohol testing reports, and scans of driver’s licenses.
With locations in Chesapeake and Newport News, TMD is an operator of occupational health clinics used by transportation companies and government agencies. The company provides services including drug testing, CPR training, fit-for-duty evaluations, vaccinations, and respirator fit testing.
According to its website, TMD clients include the US military, the US Secret Service, the Navy Special Warfare Development Group, BAE Systems, Old Dominion University, the Social Security Administration, and the Virginia Department of Military Affairs.
While TMD has not verified the alleged attack, FreightWaves reported that among the more than 3,000 TMD files leaked on January 8 were multiple health records for employees at both UPS and Norfolk Southern dated as recently as December 2020.
In addition, the trucking news source spotted records belonging to employees of US government agencies, defense contractors, and multiple smaller trucking companies.
Norfolk Southern Railroad, which employs nearly 25,000 people in 22 states, said that it was investigating the veracity of the cyber-criminals' claims.
“The security of our employees’ data is a priority for Norfolk Southern and a requirement for our vendors,” Norfolk Southern spokesperson Jeff DeGraff wrote in an email to FreightWaves.
“Norfolk Southern is looking into the issue but has no further comment at this time.”
UPS, which employs 362,000 people in the US and an additional 82,000 internationally, said it was also looking into the possible data breach.
According to the US Department of Health and Human Services, in December alone, 37 US healthcare providers reported hacking or unspecified information technology incidents that compromised nearly 1.5 million patients.
Fourteen people have been arrested in France as part of a nationwide sweep to combat the sexual exploitation of children online.
The arrests were made by the French Gendarmerie (Gendarmerie nationale) with the support of Europol as part of an operation that was code-named Horus. All suspects were taken into custody between November 16 and November 20, 2020.
In a statement released yesterday, Europol said: "The alleged suspects used social media networks to approach minors aged between 12 and 13 and lured them into sharing intimate images and videos."
It is not believed that there were any links between the 14 arrested suspects, three of whom have already been convicted and sentenced.
Operation Horus, which is still ongoing, has so far contributed to the identification of eight potential victims who are minors and resulted in the seizure of 1,058 illicit images.
Over 50 cyber-investigators were brought in to work on the operation to track the online activities of a large volume of users. The investigators' efforts were coordinated by the French Gendarmerie’s cybercrime center, C3N.
Support provided by Europol included operational analysis and real-time database cross-checks to enable the identification of potential suspects and victims.
Europol said that the investigation was made more complex by the suspects’ frequent swapping of their online pseudonyms.
Statistics published by Europol in June showed that the exchanging of child sexual abuse material (CSAM) had increased sharply during the COVID-19 pandemic.
"With both children and sexual offenders confined at home, law enforcement authorities have seen in the past few months the amount of child sexual exploitation material shared online increasing globally," said Europol.
"Sex offenders have increased their criminal activities in social media, via peer-to-peer networks and on the darkweb. Attempts to access websites featuring child sexual abuse material, calls to helplines and activities in dark net and surface web chats sharing child abuse material have all increased during the confinement period."
Europol reported that the amount of webcam footage depicting CSAM had increased considerably in forums accessed by offenders.
"This includes videos depicting forced or coerced children, videos produced by children for peers or for social media attention or others which were captured without their knowledge."
A team of enterprise resource planning security experts in Massachusetts has identified a publicly available, functional exploit affecting SAP.
The exploit was discovered by Onapsis Research Labs on code-hosting platform GitHub, where it had been published by Russian researcher Dmitry Chastuhin on January 14. Researchers said the exploit can be used against SAP SolMan, the administrative system used in every SAP environment, which plays a role similar to that of Active Directory in Windows.
The fully functional exploit targets CVE-2020-6207, listed in the United States’ National Vulnerability Database: a Missing Authentication Check in which SAP Solution Manager (User Experience Monitoring), version 7.2, does not perform any authentication for a service. This vulnerability results in the complete compromise of all SMDAgents connected to the Solution Manager.
A successful attack exploiting this vulnerability could impact an organization’s cybersecurity and regulatory compliance by placing its mission-critical data, SAP applications, and business processes at risk.
"While exploits are released regularly online, this hasn't been the case for SAP vulnerabilities, for which publicly available exploits have been limited," wrote Onapsis researchers.
"The release of a public exploit significantly increases the chance of an attack attempt since it also expands potential attackers not only to SAP-experts or professionals, but also to script-kiddies or less-experienced attackers that can now leverage public tools instead of creating their own."
Because it was created to centralize the management of all SAP and non-SAP systems, SolMan has trusted connections with multiple systems. An attacker that could gain access to SolMan could potentially compromise any business system connected to it.
"Unfortunately, since it doesn't hold any business information, SAP SolMan is often overlooked in terms of security; in some companies, it does not follow the same patching policy as other systems," noted researchers.
An attacker with SAP SolMan control could shut down systems, access sensitive data, delete data, cause IT control deficiencies, and assign superuser privileges to any new or existing user.
“It is not possible to list everything that can potentially be done in the systems if exploited, since having admin privileged control in the systems or running OS commands basically makes it limitless for an attacker,” wrote researchers.
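The CVE described above belongs to the “missing authentication check” class: a service endpoint that acts on privileged requests without establishing who is calling. The following is an added, constructed illustration of that pattern and its fix; it is not SAP, SolMan or Onapsis code, and the service, the `assign_role` operation, the `X-Session-Token` header and the in-memory session store are all hypothetical. It pairs a dispatcher that performs no authentication with one that first resolves a session token to a caller and then enforces an authorization rule before granting a role.

```python
"""Illustration of the "missing authentication check" defect class.

Constructed example, not SAP or Onapsis code: a toy management service with
two request handlers for a hypothetical "assign_role" operation. The first
never establishes who is calling; the second requires a valid session token
and then checks the caller's role before acting.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory session store: token -> (username, role).
# A real service would back this with its authentication subsystem.
_SESSIONS: Dict[str, Tuple[str, str]] = {}


def issue_session(username: str, role: str) -> str:
    """Create a session for a user who has already logged in elsewhere and
    return its random bearer token."""
    token = secrets.token_hex(16)
    _SESSIONS[token] = (username, role)
    return token


def _caller(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Resolve the presented session token to (username, role), or None.
    Tokens are compared in constant time so a wrong guess does not leak
    how many leading characters matched."""
    presented = headers.get("X-Session-Token", "")
    for token, identity in _SESSIONS.items():
        if hmac.compare_digest(token, presented):
            return identity
    return None


def handle_request_vulnerable(method: str, headers: Dict[str, str],
                              body: Dict[str, str]) -> Dict[str, object]:
    """Dispatcher with the defect: it never looks at who is calling, so any
    client that can reach the service can assign roles."""
    if method == "assign_role":
        return {"status": 200, "actor": "anonymous",
                "granted": f"{body['role']} to {body['user']}"}
    return {"status": 404}


def handle_request_fixed(method: str, headers: Dict[str, str],
                         body: Dict[str, str]) -> Dict[str, object]:
    """Hardened dispatcher: authenticate first, then authorize, then act."""
    identity = _caller(headers)
    if identity is None:
        # No valid session: refuse before looking at the requested operation.
        return {"status": 401, "error": "authentication required"}
    user, role = identity
    if method == "assign_role":
        if role != "ADMIN":
            # Authenticated but not permitted to change privileges.
            return {"status": 403, "error": "admin role required"}
        return {"status": 200, "actor": user,
                "granted": f"{body['role']} to {body['user']}"}
    return {"status": 404}


if __name__ == "__main__":
    req = {"user": "bob", "role": "SUPERUSER"}
    print("vulnerable, no token:", handle_request_vulnerable("assign_role", {}, req))
    print("fixed, no token:     ", handle_request_fixed("assign_role", {}, req))
    admin = issue_session("alice", "ADMIN")
    print("fixed, admin token:  ",
          handle_request_fixed("assign_role", {"X-Session-Token": admin}, req))
```

The point of the contrast is ordering: the fixed handler rejects an unauthenticated request before it dispatches on the requested operation, so adding new operations later cannot silently reintroduce an unauthenticated path. When reviewing a management service, an auditor would look for exactly that structure, a single authentication gate ahead of the dispatcher, rather than per-operation checks that are easy to omit.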
IoT and OT security firm Nozomi Networks has announced that enterprise security leader Barmak Meftah has joined its board of directors.
Meftah brings more than 25 years of experience in building market-leading enterprise SaaS and cybersecurity companies to Nozomi Networks and most recently served as president of AT&T Cybersecurity where he established its cybersecurity division and grew revenue by double digits.
In addition to his independent board position with Nozomi Networks, Meftah also serves on various other boards of directors, is an advisor and coach to multiple CEOs and is an independent investor as well as a limited partner to a number of VC funds.
Commenting on the announcement, Nozomi Networks CEO Edgard Capdevielle, said: “Barmak’s impressive track record of success in Silicon Valley has gained him international respect as a pillar in enterprise security. His keen business instincts and depth of knowledge in security software and SaaS will be invaluable as we add cloud-based solutions to our product portfolio and accelerate market expansion and growth. We are ecstatic to welcome him to the board.”
Meftah added: “Nozomi Networks is leading the charge to ensure a secure future for critical infrastructure and industrial networks. IT/OT convergence and a growing reliance on AI-powered processes and IoT devices has created a flaming hot market for advanced security solutions that can help CISOs effectively span mixed networks, physical systems and IoT devices.
“I look forward to helping Nozomi Networks take its business to the next level.”