At a glance.
- City pays DoppelPaymer ransom.
- Babylon Healthcare sustains a data exposure.
- Bogus contact-tracing apps carry a spyware payload.
- Thanos ransomware described.
- Doxing during unrest.
Florence pays up.
DoppelPaymer ransomware hit the US city of Florence, Alabama, on June 5th. The extortionists demanded 38 bitcoin, about $378,000. As is now almost always the case, they accompanied their encryption of the victims' files with a threat to publish or sell the city's data if they weren't paid, Infosecurity Magazine reports. An unnamed security firm Florence hired to help with recovery was able to negotiate the ransom down to 30 bitcoin, about $291,000, which is better than the original ask, but it's still more than a quarter of a million. Note that Florence is paying in the hope that its data won't be released. That's the gang's promise, but it remains to be seen whether the criminals will have enough enlightened self-interest to resist the strong temptation of selling the stolen information anyway. There's a large after-market for other people's data.
Babylon Health regrets.
UK healthcare provider Babylon Healthcare Services sustained a data breach this week in its remote consultation app. SiliconAngle says the issue came to light Tuesday, when a user tweeted that he'd been able to access some fifty video consultations belonging to other patients. Telehealth has seen greater usage during the current pandemic emergency (the Verdict reports that Babylon's app has 2.3 million registered users, including Health Secretary Matt Hancock), and, according to the Telegraph, Babylon Healthcare has drawn criticism and calls for investigation from both privacy experts and Members of Parliament. The incident was a data exposure caused by a software error, not an attack.
The start-up has apologized. The Telegraph quotes their statement: "On the afternoon of Tuesday June 9 we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient's consultation recording. Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients' consultations through a subsection of the user's profile within the Babylon app. This was the result of a software error rather than a malicious attack. The problem was identified and resolved quickly. Of course we take any security issue, however small, very seriously and have contacted the patients affected to update, apologise to and support where required."
Bogus contact-tracing apps are distributing spyware.
The COVID-19 pandemic is still furnishing occasions for criminal activity. Anomali yesterday released its findings that bogus contact-tracing apps were in fact carrying spyware payloads, mostly SpyNote and the banking Trojan Anubis. Contact-tracing programs are being spoofed for Armenia, Brazil, Colombia, India, Indonesia, Iran, Italy, Kyrgyzstan, Russia, and Singapore. The geographic reach of the operations, the kind of information being collected, and the opportunistic approach are suggestive of a sophisticated criminal enterprise.
Ransomware-as-a-service gets a newly enhanced offering.
Researchers at Recorded Future describe the growing popularity of Thanos in the ransomware affiliate program criminal market. Thanos is a ransomware builder, believed to be the first to feature the RIPlace technique that’s designed to facilitate rapid weaponization of proof-of-concept exploits. RIPlace works, basically, by “leveraging symbolic links through an MS-DOS device name to copy an encrypted version of the file to the original file location.”
It’s been well-received in the criminal-to-criminal customer reviews. Thanos “works flawlessly,” say the happy affiliates, and they ask the vendor (nom-de-hack “Nosophoros”) to “keep the updates coming.” Recorded Future sees two strengthening trends in ransomware. First, the ransomware-as-a-service market can be expected to grow. And, second, the gap between the high-end operators and the skids will persist: as they put it, “there will be a continuing separation between the ransomware ‘haves’ and ‘have-nots’.” And, of course, all ransomware threatens the privacy of the data it affects.
Doxing in times of unrest.
Police officers in major US cities (including Washington, Atlanta, Boston and New York) are being subjected to doxing, their home addresses and other personal information being shared on social media, the AP reports. The source is an unclassified intelligence memorandum from the Department of Homeland Security, which warns that the information could be used by “violent opportunists or domestic violent extremists.” It’s not illegal to post this sort of information, although most platforms at least fitfully discourage doing so, but it’s difficult to ignore the implicit threat in this and other doxing incidents. Since there’s a possibility that at least some of the information came from compromised email accounts, DHS advises police officers to take steps to secure their online presence.