This posting is here to collect cyber security news in May 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in May 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
318 Comments
Tomi Engdahl says:
Wizard spider is a current ransomware group
The cartel, made up of five Russian-speaking cyber gangs, was formed last year and dominates ransomware attacks across the globe.
Wizard Spider profile: Suspected gang behind HSE attack is part of world’s first cyber-cartel
https://www.irishtimes.com/news/crime-and-law/wizard-spider-profile-suspected-gang-behind-hse-attack-is-part-of-world-s-first-cyber-cartel-1.4568806?mode=amp
Health service attack regarded as a for-profit crime rather than any proxy attack by Russia
The Russian-speaking cybercrime gang, Wizard Spider, suspected of launching an attack on the HSE and Department of Health, is the biggest and most advanced gang in the world’s first cyber-cartel. That cartel, made up of five Russian-speaking cyber gangs, was formed last year and dominates ransomware attacks across the globe.
At least some members of Wizard Spider are believed to be based in Russia, where their activities are tolerated by the state as long as they do not attack Russian targets. The code they use in their malware or ransomware is programmed to uninstall itself if it locks onto a Russian language system or any systems featuring internet protocol (IP) address in former Soviet states.
It is widely suspected across the international community that Russia tolerates Wizard Spider as long as they attack targets in the West. They are also suspected of working on behalf of Russian authorities, lending their infrastructure and expertise to carry out state-backed attacks on Russia’s enemies. However, the attack on the HSE is regarded as a for-profit crime intended to extract a ransom from the HSE, rather than any proxy attack by Russia on the Republic.
while healthcare facilities in the US and some in Europe had been targeted in ransomware attacks, he knew of no attack on the same scale as that on the HSE.
“The deliberate targeting of a State-run health care system is without parallel in my experience,” he said. While the NHS had been hit by the WannaCry ransomware attack four years ago, it had been accidentally infected during an effort by North Korea to rob Asian banks rather than being the target.
Those members of Wizard Spider who are based in Russia rarely, if ever, leave that country for fear of being arrested. However, security sources said it was highly likely the people who make up Wizard Spider – who have never been identified – are also based in other countries, mainly Ukraine.
Espionage Malware
Wizard Spider previously used Ryuk ransomware though, of late, has been using Conti, which is the ransomware deployed against the HSE. Uniquely among cybergangs, evidence has been found of ransoms from simultaneous Ryuk and Conti attacks being transferred into Bitcoin wallets controlled by Wizard Spider. This means the gang is conducting several attacks using different methods at the same time.
That is seen by the cyber-security industry as strong evidence that Wizard Spider is a much bigger than the other gangs in the Ransom Cartel, also known as the Maze Cartel, and is split into several teams. Wizard Spider is also unique in global cybercrime in another sense; evidence now beginning to emerge it is the first cyber-gang in the world to have espionage malware. The espionage malware it is using, Sido, seeks to capture information only, there is no financial component.
All of the groups in the Ransom Cartel, or Maze Cartel, that officially joined forces last summer – Twister Spider, Wizard Spider, Viking Spider, Lockbit gang, SunCrypt gang – engage in the same activities as those now underway against the HSE.
They break into a target’s computer systems with malicious software – malware or ransomware – and encrypt and copy files and other data. They then seek a ransom, to be paid in untraceable Bitcoin, in exchange for unlocking the files they have encrypted. If they are not paid they leak the data they have stolen, often personal or commercially sensitive information, on special ‘leak sites’.
Wall of shame
On its leak site, Wizard Spider issues press releases designed to humiliate the companies they have attacked and are trying to extort; using tactics to publicly embarrass them. This includes a “wall of shame” on which companies are nominated for the “hole of the month” or “clown of the month” and during which they are generally taunted with insults and name-calling.
“Beyond their experience alone, Wizard Spider has more tools, malware, and sophisticated capabilities than any other cartel gangs,” DiMaggio’s report says.
Tomi Engdahl says:
Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom
Joseph Blount says he needed to quickly restore service after cyberattack threatened East Coast supply
https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636
The operator of the Colonial Pipeline learned it was in trouble at daybreak on May 7, when an employee found a ransom note from hackers on a control-room computer. By that night, the company’s chief executive officer came to a difficult conclusion: He had to pay.
Joseph Blount, CEO of Colonial Pipeline Co., told The Wall Street Journal that he authorized the ransom payment of $4.4 million because executives were unsure how badly the cyberattack had breached its systems, and consequently, how long it would take to bring the pipeline back.
Tomi Engdahl says:
Found a paper just now of general interest, on using graphics processors (CUDA) to rapidly scan files in parallel on a system for malware. Might be fast enough to run during boot up. https://www.techrepublic.com/article/new-intel-tool-uses-gpu-to-scan-for-viruses-saving-time-and-compute-resources/ but the recent paper was from 2019.
Tomi Engdahl says:
Eufycam Wi-Fi security cameras streamed video feeds from other people’s homes
Plus: Biden’s order on security, US govt acquiring data on citizens, and more
https://www.theregister.com/2021/05/17/in_brief_security/
Unlucky owners of Eufycam security cameras were horrified earlier today when they opened their app for the equipment and saw video streams from strangers’ homes instead of their own.
A software bug was blamed for the fault, which has been corrected, we’re told.
These 1080p Wi-Fi-connected devices are made by Anker, and are designed to be used indoors and outdoors. They can record to microSD cards and/or the cloud, and viewable via a mobile app. On Monday, some users found themselves staring at feeds from other people’s homes – even those in other countries – and feared they were being watched, too.
“I use Eufy to monitor my baby daughter’s room,” said one Redditor. “Tonight I logged into the app and instead have complete access to the security systems of someone in a different country. I can view streams from all of their cameras, turn lights on and off, and have access to the HomeBase settings. Their contact details including email addresses appear in my app.
“This is a terrible security and privacy breach. If I’m able to view other people’s cameras, anyone could be looking in on my daughter. I have unplugged the camera in her room for now, but I imagine this is seriously bad news for Eufy. I will certainly be contacting a lawyer in the morning.”
A spokesperson for Anker told us just a small number of customers were affected
Tomi Engdahl says:
And they only want 10years experience and a masters.
U.S. has almost 500,000 job openings in cybersecurity
https://www.cbsnews.com/news/cybersecurity-job-openings-500k/
Help wanted: thousands and thousands of people interested in a career in cybersecurity.
There are about 465,000 open positions in cybersecurity nationwide as of May 2021, according to Cyber Seek — a tech job-tracking database from the U.S. Commerce Department — and the trade group CompTIA.
The need for more web watchmen spans from private businesses to government agencies, experts say, and most of the job openings are in California, Florida, Texas and Virginia. That means for anyone looking to switch careers and considering a job in cybersecurity, there’s no greater time than now to find work, the job trackers said.
Tomi Engdahl says:
Toyota rear-ended by twin cyber attacks that left ransomware-shaped dents >
Toyota rear-ended by twin cyber attacks that left ransomware-shaped dents
Oh what a feeling, and in the same week as automaker announced new production pauses
https://www.theregister.com/2021/05/21/toyota_cyber_attacks/
Toyota has admitted to a pair of cyber-attacks.
The first hit the European operations of its subsidiary Daihatsu Diesel Company, a Toyota-owned company entity that designs engines. In a statement [PDF] dated May 16th, Daihatsu said it “experienced a problem in accessing its file server in the internal system on 14 May 2021.”
“After a brief investigation, a cyber-attack by an unauthorised access from a third party was confirmed as a cause of this issue,” the statement adds. Daihatsu stopped whatever it was spreading to other offices, kicked off an investigation and promised an update. None has been forthcoming at the time of writing.
Tomi Engdahl says:
Mobile app developers misconfiguration of third party services leave personal data of over 100 million exposed https://research.checkpoint.com/2021/mobile-app-developers-misconfiguration-of-third-party-services-leave-personal-data-of-over-100-million-exposed/
Real-time database allows application developers to store data on the cloud, making sure it is synched in real-time to every connected client. This service solves one of the most encountered problems in application development, while making sure that the database is supported for all client platforms. But what happens if the developer behind the app does not configure their real-time database with . one of the most basic features authentication?
Tomi Engdahl says:
Craig Federighi says the Mac has an unacceptable malware problem https://9to5mac.com/2021/05/19/craig-federighi-mac-malware-problem/
As detailed earlier this afternoon, Craig Federighi is currently testifying during the Apple vs. Epic lawsuit. While facing questioning from Apples lawyers, Federighi made some interesting comments about security, particularly noting that the Mac currently has a level of malware that Apple does not find acceptable.
Apple macOS SMB server signature verification information disclosure vulnerability
https://talosintelligence.com/vulnerability_reports/TALOS-2021-1237
[Analysis of a patched vuln] An information disclosure vulnerability exists in the SMB Server Apple macOS 11.1. A specially crafted SMB packet can trigger an integer overflow, leading to information disclosure, cryptographic check bypass and denial of service. This vulnerability can be triggered by sending a malicious packet to the vulnerable server.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/spammers-flood-pypi-with-pirated-movie-links-and-bogus-packages/
PyPI is being flooded with spam packages named after popular movies in a style commonly associated with torrent or “warez” sites that provide pirated downloads:
watch-(movie-name)-2021-full-online-movie-free-hd-…. In recent months, the attacks on open-source ecosystems like npm, RubyGems, and PyPI have escalated.
Tomi Engdahl says:
Conti ransomware gives HSE Ireland free decryptor, still selling data https://www.bleepingcomputer.com/news/security/conti-ransomware-gives-hse-ireland-free-decryptor-still-selling-data/
Today, the ransomware gang posted a link to a free decryptor in their negotiation chat page for the HSE that can be used use to recover encrypted files for free.. However, the threat actors warn that they will still be selling or publishing the stolen private data if a ransom of $19,999,000 is not paid.
Tomi Engdahl says:
A doctor reveals the human cost of the HSE ransomware attack https://blog.malwarebytes.com/ransomware/2021/05/a-doctor-reveals-the-human-cost-of-the-hse-ransomware-attack/
Daniel (not his real name) sat with Malwarebytes Labs on condition of anonymity, to explain how this cyberattack is continuing to affect the lives of vulnerable patients, and the people trying to treat them.
Since May 14, Ireland’s Health Service Executive (HSE) has been paralysed by a cyberattack. In the very early hours of Friday morning, a criminal gang activated Conti ransomware inside HSE’s computer systems, sparking a devastating shutdown.
Government officials were quick to reassure people that emergency services remained open and the country’s vaccine program was unaffected. The story echoed around the world, and then, outside of Ireland at least, the news moved on. Just as it had moved on from the Colonial Pipeline attack that preceded HSE, and the attack on AXA insurance that followed it.
But the HSE attack isn’t over.
A 21st century health system runs on computers, but the computers in Daniel’s hospital have notes on them saying they cannot be used, and should not be restarted. While those computers are dormant, simple things become difficult; everything takes longer; complex surgeries have to be cancelled.
Daniel told us that before the attack he would go through a system linked to HSE for each of his appointments, looking for GP referrals by email, checking blood results, accessing scans, reading notes linked to each patient. That is gone now.
“Before surgery I review [each patient’s] scans. Or even during the surgery. Legally I have to look at the scans.”
“I can’t even check my hospital mail. Our communication with everyone has been affected… They can’t ring me. The whole thing is just breaking apart.” The GDPR, which is designed to protect patients’ data, prevents him from using his personal email or other messaging systems for hospital business. A generation of staff raised on computers are back to pen and paper. “You don’t know who’s looking for who, who wants to see who.”
I ask him how he first learned about the attack and he tells me about coming to work on Friday totally unprepared for what he’d encounter. The only nurse he sees asks “did you hear?”. He had not. The systems he relies on to stay informed aren’t working. “I didn’t get a heads up. All computers are not allowed to be touched. Do not restart.”
He describes how uncertainty hung over them, until at midday he let a patient who had been waiting for surgery since 7 am know that the day is cancelled. “She’s been fasting. With her stress up I had to tell her to go home.”
The staff are in the dark. “We were optimistic it would get done over the weekend. We thought it might get done the same day. Then we thought maybe Monday.” It has been this way since Friday and he is not optimistic that it will be sorted any time soon. “There is no official timeline but we’re thinking it will take at least a week or so. We are not optimistic about it.”
I ask him about the impact on patients.
“I have to tell patients, sorry I can’t operate on you. You’ve been fasting, you came a long distance, you rescheduled things to make time for me, maybe you have had to come off work. After all this I have to say sorry, I can’t see you.”
“I’m dealing with patients lives here. It’s not something you can take lightly. You either do it right or you do it wrong, and if you do it wrong you’re harming somebody.”
But not harming people requires access to information he no longer has. Delays can be life threatening. “If I reschedule a patient and they come back a few weeks or a few months later with a tumour that I couldn’t asses from the paperwork…”, he stops there.
And it’s obvious from my conversation with Daniel that it isn’t only the patients who are being put at risk. There are grinding, corrosive effects on the hospital staff too. Everything takes longer, which requires more work, and nobody knows when it will be over.
It is a wicked burden for a medical profession that has spent the last year grappling with a once-in-a-century pandemic. “Our backlog just became tremendous”, Daniel says, before explaining that over the last few months he and his colleagues have performed surgeries at nighttime and weekends to work through the backlog of operations and appointments delayed by the response to COVID.
And now there is another reason to work late.
Because of the ransomware attack, he must put in hours of extra effort after his day’s work is done just to determine which of tomorrow’s appointments he will have to cancel for lack of information. And then he must deal with those anguished, sometimes angry patients, telling them their appointment cannot go ahead.
“Imagine the scenario,” he says. “Patients will wait literally two years to see us. After two years they get a call saying ‘I’m sorry I can’t see you and I have to reschedule you and I can’t say when, because of the ransomware’. They know it’s not my fault but they are upset and very annoyed.” Daniel’s understatement kicks in. “They teach us ways to speak to angry patients, but it’s not nice.”
Tomi Engdahl says:
Google: Four Recently Patched Android Vulnerabilities Exploited in Attacks
https://www.securityweek.com/google-four-recently-patched-android-vulnerabilities-exploited-attacks
Tomi Engdahl says:
Israel Says Its Fighter Jets Bombed Buildings Used by Hamas Cyber Unit
https://www.securityweek.com/israel-says-its-fighter-jets-bombed-buildings-used-hamas-cyber-unit
The Israeli Air Force has claimed that in the past week its fighter jets bombed two buildings allegedly used by the cyber unit of Hamas, the Palestinian militant group that runs Gaza.
The first announcement was made on May 14, when Israel announced a strike on what it described as a “cyber-equipment storage site of the Hamas terror organization cyber unit.” The Air Force said the building was located in the northern Gaza Strip and it belonged to Hamas military intelligence.
Tomi Engdahl says:
Hackers Targeted SolarWinds Earlier Than Previously Known
https://www.securityweek.com/hackers-targeted-solarwinds-earlier-previously-known
Tomi Engdahl says:
The hackers who carried out the massive SolarWinds intrusion were in the software company’s system as early as January 2019, months earlier than previously known, the company’s top official said Wednesday.
https://www.securityweek.com/hackers-targeted-solarwinds-earlier-previously-known
Tomi Engdahl says:
Scans for Vulnerable Exchange Servers Started 5 Minutes After Disclosure of Flaws
https://www.securityweek.com/scans-vulnerable-exchange-servers-started-5-minutes-after-disclosure-flaws
Adversaries are typically quick to take advantage of newly disclosed vulnerabilities, and they started scanning for vulnerable Microsoft Exchange Servers within five minutes after Microsoft’s announcement, Palo Alto Networks reveals in a new report.
Between January and March, threat actors started scanning for vulnerable systems roughly 15 minutes after new security holes were publicly disclosed, and they were three times faster when Microsoft disclosed four new bugs in Exchange Server on March 2.
For comparison, global enterprises need roughly 12 hours to identify vulnerable systems within their environments, provided that they are aware of all of their assets, Palo Alto Networks explains in their 2021 Cortex Xpanse Attack Surface Threat Report.
Tomi Engdahl says:
https://www.securityweek.com/alaska-health-department-website-targeted-malware-attack
Tomi Engdahl says:
CVE-2021-21551- DELL dbutil_2_3.sys driver Write What Where to Local Privilege Escalation. Reverse Engineering, Root Cause Analysis and Exploit code
Reverse Engineering & Exploiting Dell CVE-2021-21551
https://voidsec.com/reverse-engineering-and-exploiting-dell-cve-2021-21551/
Tomi Engdahl says:
https://cointelegraph.com/news/pancakebunny-tanks-96-following-200m-flash-loan-exploit/amp
Tomi Engdahl says:
U.S. has almost 500,000 job openings in cybersecurity
https://www.cbsnews.com/news/cybersecurity-job-openings-united-states/?utm_source=facebook&utm_medium=news_tab&utm_content=algorithm
Help wanted: thousands and thousands of people interested in a career in cybersecurity.
There are about 465,000 open positions in cybersecurity nationwide as of May 2021, according to Cyber Seek — a tech job-tracking database from the U.S. Commerce Department — and the trade group CompTIA.
The need for more web watchmen spans from private businesses to government agencies, experts say, and most of the job openings are in California, Florida, Texas and Virginia.
Tomi Engdahl says:
Hear ye, DarkSide! This honorable ransomware court is now in session
Colonial Pipeline hackers have cashed in spectacularly. Now, they’re feeling the heat.
https://arstechnica.com/gadgets/2021/05/darkside-ransomware-makers-accused-of-skipping-town-without-paying-affiliates/
A crime forum is holding a quasi-judicial proceeding against the makers of DarkSide, the ransomware that shut down Colonial Pipeline two weeks ago, to hear claims from former affiliates who say the makers skipped town without paying. Or at least that’s what members of crime forum XSS.is want us all to believe.
A Russian-speaking person using the handle “darksupp” took to XSS.is in November to recruit affiliates for DarkSide, researchers at security firm FireEye said recently. At the time, DarkSide was the new ransomware-as-a-service on the block, and it was in search of business partners.
Since then, DarkSide has cashed in spectacularly. According to newly released figures from cryptocurrency tracking firm Chainalysis, DarkSide netted at least $60 million in its first seven months, with $46 million of it coming in the first three months of this year.
DarkSide made another $10 million this month, with $5 million coming from Colonial Pipeline and $4.4 million from Chemical distribution company Brenntag. Last week, DarkSide suddenly went dark. A post attributed to darksupp said his group had lost control of infrastructure and its considerable holding of bitcoin.
“At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked,” the post stated.
DarkSide hasn’t been heard from since.
Under the terms of the deal struck on XSS, DarkSide pays affiliates 75 percent of ransoms that are less than $500,000. The cut rises to 90 percent for ransoms higher than $5 million.
But according to multiple DarkSide affiliates on XSS, the RaaS provider has absconded without honoring its commitments. The affiliates have been asking to be reimbursed from a deposit, balance about $900,000, that DarkSide was required to make with XSS.
Tomi Engdahl says:
‘Did weak wi-fi password lead the police to our door?’
https://www-bbc-co-uk.cdn.ampproject.org/v/s/www.bbc.co.uk/news/technology-57156799.amp?amp_js_v=a6&_gsa=1&usqp=mq331AQFKAGwASA%3D#aoh=16218060964983&csi=0&referrer=https%3A%2F%2Fwww.google.com&_tf=From%20%251%24s
After a year of lockdowns, home schooling and a bout of Covid, Kate and Matthew (not their real names) were hoping for better times as 2021 dawned.
Instead, one January morning, there came a knock on the door from the police who were investigating a very serious crime, involving images of child abuse being posted online.
The couple insisted they had nothing to do with it.
But the next few months were “utter hell” as they attempted to clear their names.
And it was only when the case was dropped in March, with no further action, that they realised the most likely explanation for the false accusation was their wi-fi router – and its factory-set password.
“They took everything: our desktop computer, both our laptops, our mobile phones, a laptop I had borrowed, even old mobile phones that were lying around in drawers,” said Kate.
Their children, aged five and seven, were allowed to keep their tablets.
“It was months of hell. And during it, we both had suicidal thoughts.”
In February, a conversation with a friend who worked in cyber-security alerted them to the possibility that their router, supplied by their broadband provider Vodafone, might hold clues to what had happened.
They had not changed the default passwords for either the router itself or the admin webpage, leaving it susceptible to brute force attacks.
“We think of ourselves as competent users but we are not IT experts,” said Matthew. “No-one told us to change the password and the setting up of the router didn’t require us to go on to the admin menu, so we didn’t.”
“First, a hacker would need to ‘crack’ the wi-fi password – and if that hasn’t been changed from the one written on a sticker on the side of the router, and the router is more than a year or two old – then it would take a matter of minutes to crack it,” he said
That would allow the hacker on to a private individual’s home network – although they would have to be within about 20 metres of the house.
“Second, to do anything particularly sinister on the home network, the hacker will need to change the router configuration. That needs the router admin password,” explained Mr Munro
Industry problem
In March, when the couple’s devices were returned and the case closed, the police officer assigned to liaise with them seemed to corroborate that unauthorised use of their wi-fi was to blame.
But it couldn’t be proved.
The router was several years old. The HHG2500 model in question has been highlighted as having a weak default password in a recent report by Which? into security issues around older routers.
The problem is industry-wide, points out Mr Munro.
“Internet service providers have started to improve matters to make these attacks harder, by putting unique passwords on each router. However, it will take years for all of the offending routers to be replaced,” he said.
Doing so costs money – which could be another reason it has taken so long, he adds.
The government plans to ban default passwords being pre-set on devices, as part of upcoming legislation covering smart devices.
Tomi Engdahl says:
Näin huijarit VÄÄRENTÄVÄT! VARO TÄTÄ YLEISTYVÄÄ HUIJAUSTA!
https://www.youtube.com/watch?v=1z8o_E_eWRg
Tällä videolla näytän käytännössä miten huijarit tällä hetkellä huijaavat! Kuittiväärennöksiä ja silmänkääntötemppuja verkkopankissa. Näitä on mahdoton huomata!
Tomi Engdahl says:
Growing Mystery of Suspected Energy Attacks Draws US Concern
https://www.securityweek.com/growing-mystery-suspected-energy-attacks-draws-us-concern
The Biden administration is facing new pressure to resolve a mystery that has vexed its predecessors: Is an adversary using a microwave or radio wave weapon to attack the brains of U.S. diplomats, spies and military personnel?
The number of reported cases of possible attack is sharply growing and lawmakers from both parties, as well as those believed to be affected, are demanding answers. But scientists and government officials aren’t yet certain about who might have been behind any attacks, if the symptoms could have been caused inadvertently by surveillance equipment — or if the incidents were actually attacks.
Whatever an official review concludes could have enormous consequences. Confirmation that a U.S. adversary has been conducting damaging attacks against U.S. personnel would unleash calls for a forceful response by the United States.
Tomi Engdahl says:
ICS Vendors Assessing Impact of New OPC UA Vulnerabilities
https://www.securityweek.com/ics-vendors-assessing-impact-new-opc-ua-vulnerabilities
Multiple companies that develop industrial systems are assessing the impact of two new OPC UA vulnerabilities on their products, and German automation technology firm Beckhoff is the first to release a security advisory.
Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released advisories to describe two OPC UA vulnerabilities discovered by Eran Jacob of OTORIO, an Israel-based company that specializes in operational technology (OT) security and digital risk management solutions.
Developed by the OPC Foundation, OPC UA (Unified Architecture) is a machine-to-machine communication protocol that is widely used in industrial automation and other fields.
Jacob, who is the security research team lead at OTORIO, analyzed OPC UA and uncovered a couple of vulnerabilities that have been assigned a high severity rating.
One of the flaws is tracked as CVE-2021-27432 and it has been described as an uncontrolled recursion issue that can be exploited to trigger a stack overflow. This vulnerability has been found to impact OPC UA .NET Standard and Legacy.
The second vulnerability is CVE-2021-27434, which has been described as a sensitive information disclosure issue that impacts the Unified Automation .NET based OPC UA client/server SDK.
The OPC Foundation released a patch in March. The flaw affecting Unified Automation software is related to the use of vulnerable versions of the .NET framework. According to CISA, CVE-2021-27434 is related to a .NET vulnerability patched by Microsoft in 2015 (CVE-2015-6096). CISA said Unified Automation has addressed the issue with an update.
Tomi Engdahl says:
India’s National Carrier Says Hack Leaked Passengers’ Data
https://www.securityweek.com/indias-national-carrier-says-hack-leaked-passengers-data
Personal data of an unspecified number of travelers has been compromised after a company that serves India’s national carrier was hacked, Air India said.
The hackers were able to access 10 years’ worth of data including names, passport and credit card details from the Atlanta-based SITA Passenger Service System, Air India said in a statement Friday.
It disclosed the scale of the breach nearly three months after it was first informed by the IT provider.
The breach that happened in late February had compromised the data of some major global airlines, too. SITA at that time had said that Singapore Airlines, New Zealand Air and Lufthansa were among those affected.
Tomi Engdahl says:
Tulsa Cybersecurity Attack Similar to Pipeline Attack
https://www.securityweek.com/tulsa-cybersecurity-attack-similar-pipeline-attack
A cybersecurity attack on the city of Tulsa’s computer system was similar to an attack on the Colonial Pipeline and that the hacker is known, officials said Thursday.
“I can’t share anything other than we know who did it,” Mayor G.T. Bynum said, adding that the city did not pay the hackers. “They wanted to talk with us about what (a ransom) would be for them not to announce (the attack) and we never engaged them.”
Bynum said Tulsa’s computer security system identified the attack and shut down the system before it was infiltrated.
The attack, discovered earlier this month, was similar to the ransomware attack that shut down the Colonial Pipeline for days, according to Tulsa Chief Information Officer Michael Dellinger.
Colonial Pipeline eventually paid a $4.4 million ransom, the Georgia-based company said.
Tomi Engdahl says:
RSA Conference 2021 – Summary of Vendor Announcements
https://www.securityweek.com/rsa-conference-2021-summary-vendor-announcements
The 2021 edition of the RSA Conference — a fully virtual event this year — took place May 17-20 and several companies used the opportunity to announce new products, services, initiatives, and other resources.
To help cut through the clutter, the SecurityWeek team is providing a summary of the announcements made at RSA Conference 2021.
Tomi Engdahl says:
Insurance company paid $40 million in ransom after march cyberattack https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack
CNA Financial paid $40 million in late March to regain control of its network after a ransomware attack. The payment is bigger than any previously disclosed payments to hackers.
Tomi Engdahl says:
Microsoft Warns of Data Stealing Malware StrRAT That Pretends to Be Ransomware https://threatpost.com/email-campaign-fake-ransomware-rat/166378/
On Thursday Microsoft warned of a massive email campaign that’s pushing malware to steal confidential data from infected systems while disguising itself as a ransomware infection. See also:
https://twitter.com/MsftSecIntel/status/1395138347601854465
Tomi Engdahl says:
UK Recruitment Firm Leaked Sensitive Applicant Data https://www.websiteplanet.com/blog/fasttrack-breach-report/
Researchers found 21000 exposed files containing applicant data, including passports, citizen ID cards, driver’s licenses on an open AWS S3 bucked owned by FastTrack Reflex Recruitment (now Team Resourcing Ltd). Directly identifiable data contained names, email addresses, phone numbers and home addresses.
How to Tell a Job Offer from an ID Theft Trap https://krebsonsecurity.com/2021/05/how-to-tell-a-job-offer-from-an-id-theft-trap/
One of the oldest scams around the fake job interview that seeks only to harvest your personal and financial data is on the rise, the FBI warns.
Tomi Engdahl says:
Foreign cyber mercenaries breached Russian federal agencies https://therecord.media/fsb-nktski-foreign-cyber-mercenaries-breached-russian-federal-agencies/
Hackers have breached and stolen information from Russian federal executive bodies, the Russian government said. To breach Russian federal agencies, Rostelecom and NKTsKI said the attackers used a broad set of entry vectors that included spear-phishing, exploiting vulnerabilities in web applications, and hacking the IT infrastructure of government contractors.
Tomi Engdahl says:
Air India Hack Exposes Credit Card and Passport Info of 4.5 Million Passengers https://www.bleepingcomputer.com/news/security/air-india-data-breach-impacts-45-million-customers/
Air India has disclosed a data breach affecting 4.5 million of its customers over a period stretching nearly 10 years after SITA fell victim to a cyber attack earlier this year. The breach involves personal data registered during a span of 10 years and includes names, dates of birth, contact information, passport information and other personal information.
Tomi Engdahl says:
Nuoret hakkerit löysivät tietoturva-aukkoja Abitti-ohjelmasta
https://yle.fi/uutiset/3-11939828
Poikakolmikko löysi laajoja tietoturva-aukkoja lukioiden käyttämästä Abitti-ohjelmasta, jonka kautta järjestetään muun muassa yo-kokeet. He ovat saaneet löydöksen jälkeen lukuisia työtarjouksia.
Tomi Engdahl says:
Bizarro banking malware targets 70 banks in Europe and South America https://www.bleepingcomputer.com/news/security/bizarro-banking-malware-targets-70-banks-in-europe-and-south-america/
The malware spreads through phishing emails that are typically disguised as official tax-related messages informing of outstanding obligations. The malware can terminate online banking sessions and force the user to re-enter the account credentials, while also transferring those credentials to the attackers. There are also an extensive set of commands the backdoor functionality has, including key logging, displaying fake pop-up messages and control of mouse and keyboard.
Tomi Engdahl says:
It took over 80 different developers to review and fix mess made by students who sneaked bad code into Linux https://www.theregister.com/2021/05/21/linux_5_13_patches/
Earlier, computer scientist at the University of Minnesota sneaked bad code into Linux as an experiment. Greg Kroah-Hartman, leading Linux kernel maintainer, has been posting extensively about the fallout of the experiment and the size of the cleanup effort.
Tomi Engdahl says:
Microsoft Exchange admin portal blocked by expired SSL certificate https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-admin-portal-blocked-by-expired-ssl-certificate/
The Exchange admin portal is was inaccessible after Microsoft forgot to renew the SSL certificate. For Google Chrome users the site couldn’t be accessed at all and for Firefox users a warning was displayed about the insecure connection.
Tomi Engdahl says:
Indonesian govt blocks access to RaidForums hacking forum after data leak https://www.bleepingcomputer.com/news/security/indonesian-govt-blocks-access-to-raidforums-hacking-forum-after-data-leak/
The Indonesian government is blocking access to the RaidForums hacking forum after the alleged personal information of Indonesian citizens was posted online. On Friday, a newly registered forum member posted what they claim is a database containing 200 million records of personal information for Indonesian people.
Tomi Engdahl says:
Key Takeaway from the Colonial Pipeline Attack https://blogs.cisco.com/security/key-takeaway-from-the-colonial-pipeline-attack
In the Cisco Blog Vikram Sharma describes the colonial pipeline attack and some measures that could have helped prevent the attack
Tomi Engdahl says:
Bluetooth flaws allow attackers to impersonate legitimate devices
https://kb.cert.org/vuls/id/799380
Attackers could abuse vulnerabilities discovered in the Bluetooth Core and Mesh Profile specifications to impersonate legitimate devices during the pairing process and launch man-in-the-middle (MitM) attacks.
Tomi Engdahl says:
Apple fixes three zero-days, one abused by XCSSET macOS malware https://www.bleepingcomputer.com/news/security/apple-fixes-three-zero-days-one-abused-by-xcsset-macos-malware/
Apple has released security updates to patch three macOS and tvOS zero-day vulnerabilities attackers exploited in the wild, with the former being abused by the XCSSET malware to bypass macOS privacy protections.
Tomi Engdahl says:
Tulsa Computer System Hacks Stopped by Security Shutdown
https://www.securityweek.com/tulsa-computer-system-hacks-stopped-security-shutdown
Most residents of Tulsa are being prevented from paying their water bills after the city shut down its computer network as a security measure following an attempted ransomware attack, a city official said Friday.
The attempted breach was stopped before any personal data was accessed, city spokesman Carson Colvin said. Tulsa detected malware in its network May 6 and immediately started shutting it down to prevent hackers from accessing anything sensitive.
“It didn’t get far enough into the system to get personal data,” Colvin said.
The primary effect of the shutdown — which could last from several more days to about a month — is payment for city water services, either online or in person, because the city cannot process credit or debit cards with computers inoperable.
Residents will have five days after online payments are again possible to pay their bills without penalty, Colvin said.
Tomi Engdahl says:
Russian to be Deported After Failed Tesla Ransomware Plot
https://www.securityweek.com/russian-be-deported-after-failed-tesla-ransomware-plot
A Russian man was sentenced Monday to what amounted to time already served and will be deported after pleading guilty to trying to pay a Tesla employee $500,000 to install computer malware at the company’s Nevada electric battery plant in a bid to steal company secrets for ransom.
Egor Igorevich Kriuchkov, appearing by videoconference from jail, apologized after U.S. District Judge Miranda Du in Reno acknowledged the attempted hack was not successful and the company network was not compromised.
“I’m sorry for my decision. I regret it,” the 27-year-old Kriuchkov said through a Russian-language court interpreter.
Chris Frey, his court-appointed attorney, said Kriuchkov speaks fluent English, but the judge provided the interpreter anyway.
Tomi Engdahl says:
Trend Micro Patches Vulnerabilities in Home Network Security Devices
https://www.securityweek.com/trend-micro-patches-vulnerabilities-home-network-security-devices
Vulnerabilities identified by security researchers with Cisco’s Talos unit in Trend Micro Home Network Security devices could be exploited to elevate privileges or achieve arbitrary authentication.
The Home Network Security station provides users with monitoring and protection capabilities, including vulnerability scanning, intrusion prevention, threat protection, and device-based access control.
A total of three security holes were identified in these devices, namely two stack buffer overflows with CVSS scores of 7.8 (CVE-2021-32457 and CVE-2021-32458) and one hardcoded password issue, with a CVSS score of 4.9 (CVE-2021-32459).
The first two bugs are related to ioctl stack-based buffer overflows that an attacker could exploit through specially crafted ioctl requests. Both issues lead to privilege escalation but require for the attacker to first be able to execute low-privileged code on the device.
Tomi Engdahl says:
Cyber Insurance Firms Start Tapping Out as Ransomware Continues to Rise
https://www.darkreading.com/risk/cyber-insurance-firms-start-tapping-out-as-ransomware-continues-to-rise/d/d-id/1341109
A global insurance carrier refuses to write new ransomware policies in France, while insurers rewrite policies. Are we heading toward a day when ransomware incidents become uninsurable?
In early May, global insurer AXA made a landmark policy decision: The company would stop reimbursing French companies for ransomware payments to cybercriminals.
The decision, which reportedly came after French authorities questioned whether the practice had fueled the current epidemic in ransomware attacks, may be just the beginning of a general retreat that will force companies to reconsider their attempts to outsource cyber-risk to insurance firms. Already, the massive damages from one damaging crypto worm, NotPetya, caused multiple lawsuits when insurers refused to pay out on cyber-insurance claims.
AXA’s decision could signal the insurance industry agreeing that ransomware payments spur greater ransomware activity, forcing companies to deal with the direct damages of cyberattacks
“On one side, this decision will likely hinder flourishing ransomware business and indirectly incentivize would-be victims to implement better cybersecurity and enhance their cyber-resilience,” he said. “On the other side, the categorical ban will unfairly discriminate against enterprises who adequately care about their cyber defense but nonetheless fall victims to sophisticated attacks or because of their careless suppliers.”
Tomi Engdahl says:
Matt Stroud / The Verge:
Chicago PD constantly surveilled a man after its predictive policing system said he’d be involved in a shooting, but not whether he’d be the shooter or victim — ROBERT MCDANIEL’S TROUBLES — began with a knock on the door. It was a weekday in mid-2013, as he made lunch …
Heat Listed
https://www.theverge.com/22444020/chicago-pd-predictive-policing-heat-list?scrolla=5eb6d68b7fedc32c19ef33b4
Chicago’s predictive policing program told a man he would be involved with a shooting.
But it couldn’t determine which side of the gun he would be on.
Instead, it made him the victim of a violent crime — twice
Tomi Engdahl says:
Mara Hvistendahl / The Intercept:
A look at Oracle’s effort to sell Endeca software to Chinese authorities beginning in 2012, and how Oracle touted its use in Chicago for predictive policing
Oracle Boasted That Its Software Was Used Against U.S. Protesters. Then It Took the Tech to China.
https://theintercept.com/2021/05/25/oracle-social-media-surveillance-protests-endeca/
To sell the CIA-backed Endeca software for use by Chinese authorities, Oracle touted its use in Chicago for predictive policing.
Tomi Engdahl says:
After Colonial Pipeline Hack, U.S. to Require Operators to Report Cyberattacks
The action, expected this week, also will require companies to designate cybersecurity point person
https://www.wsj.com/articles/tsa-to-require-pipeline-operators-to-notify-it-of-cyberattacks-11621960244
Tomi Engdahl says:
From Wiper to Ransomware – The Evolution of Agrius https://labs.sentinelone.com/from-wiper-to-ransomware-the-evolution-of-agrius/
Researchers say they’ve uncovered a new disk-wiping malware (wiper) that’s disguising itself as ransomware as it unleashes destructive attacks on Israeli targets. Full report as PDF:
https://assets.sentinelone.com/sentinellabs/evol-agrius
Tomi Engdahl says:
Audio maker Bose discloses data breach after ransomware attack https://www.bleepingcomputer.com/news/security/audio-maker-bose-discloses-data-breach-after-ransomware-attack/
Bose systems were breached in March. Bose recovered and secured the systems with third-party cybersecurity experts. No ransom was paid.
https://www.securityweek.com/bose-says-personal-information-compromised-ransomware-attack