At a glance.
- Data exposure at an e-learning platform.
- Report: Connecticut law firm sustains ransomware attack.
- Lion brewery resumes operation after REvil attack.
- University of California decides to pay ransomware extortion.
E-learning platform leaves unsecured database in the AWS cloud.
vpnMentor has discovered an exposed AWS database belonging to OneClass, a Toronto-based e-learning platform widely used in Canada and the US. vpnMentor says the database held "27 GB of data, totaling 8.9 million records, and exposed over 1 million individual OneClass users." OneClass, which secured the database upon notification, says the data were on a test server, bore no relation to actual individuals, and thus that no personal information was actually exposed. vpnMentor, to the contrary, believes the database did indeed hold information on students and lecturers. The researchers checked some of that data against various open sources and think they have sufficient evidence to call what they found a breach. The data are said to include full names, email addresses ("some masked, many viewable"), schools and universities attended, phone numbers, course enrollment details, and OneClass account details. vpnMentor points out that such data are valuable in conducting phishing attacks.
Report: Coles, Baldwin, Kaiser & Creager hit with Sekhmet ransomware.
ITWire reports that the major Connecticut law firm Coles, Baldwin, Kaiser & Creager has been attacked with the Sekhmet Windows ransomware. The firm represents many large and prominent US corporations.
Beer may be back, but the threat to data hasn't gone away.
Australia's Lion brewery has resumed operations and is supplying customers in Australia and New Zealand again. Gizmodo says the beverage firm (Lion also does juice and milk in addition to beer) has restored operations after the ransomware attack it sustained earlier this month. Some of the better-known brands the company produces include XXXX, Tooheys, Little Creatures and James Squire. Lion is a subsidiary of Japan’s well-known Kirin.
The attack Lion suffered was from the REvil gang, which usually steals information as well as rendering it unavailable. Lion said, in an update on the incident it issued late last week, that it didn’t think it had lost any data, but it was properly cautious: “To date, we still do not have evidence of any data being removed. As we indicated last week, it remains a real possibility that data held on our systems may be disclosed in the future. Unfortunately, this is consistent with these types of ransomware attacks.”
REvil has threatened, according to Security Affairs, to release stolen data. Pay up, they told Lion, “otherwise all your financial, personal information your clients and other important confidential documents will be published or put up for auction.”
University of California San Francisco pays ransomware extortionists.
The University of California has decided to pay a gang that infected “a limited number of servers” at its University of California San Francisco unit with Netwalker ransomware, Computer Business Review reports. The university said the encrypted data were “important to some of the academic work we pursue as a university serving the public good. We therefore made the difficult decision to pay… for a tool to unlock the encrypted data and the return of the data they obtained.” The “public good” claim appeared to suggest that COVID-19 research was impeded, but Bloomberg, which put the amount of ransom paid at $1.4 million, says the university maintains its work on the virus was unimpeded. The BBC has an account of the negotiations between UCSF and the gang in which the extortionists explicitly threaten to release stolen student information.
Ilia Kolochenko, founder & CEO of web security company ImmuniWeb, sent comments on the incident, which he sees as a symptom of under-investment in cybersecurity on the part of public institutions.
“Public schools frequently save money on cybersecurity, trying to invest budgets into apparently more appealing areas to deliver more value for students and society. Unfortunately, the road to hell is paved with good intentions, and unscrupulous attackers readily exploit any inadequate resilience and unpreparedness to extort money. Covid-19 largely exacerbates the situation with the surge of shadow IT, abandoned servers and unprotected applications serving as an easy entry point into disrupted organizations. Crypto currencies turn cyber extortion and racketeering into a highly profitable and riskless business given that in most cases the attackers are technically untraceable and thus enjoy impunity. We will likely see a steady growth of ransomware hacking campaigns targeting the public sector in 2020.”
He also suggests that, if you were to bet on form, you would guess that the attackers got in by taking advantage of lax digital hygiene. “The disclosed technical details of the attack are obscure and insufficient to derive definitive conclusions about the origins and nature of this exorbitant incident. In light of the well-known malware reportedly used in the attack, we may, however, assume that the attack exploited a lack of IT asset visibility, improperly implemented security monitoring or patch management.