At a glance.
- EARN-IT Act now being debated in Congress.
- Taurus info-stealer being hawked in criminal markets.
- Extortionists shuffle through exposed MongoDB databases.
EARN-IT Act now being debated in Congress.
The US Congress is taking up the EARN-IT Act in earnest today: “encryption fireworks,” as the Washington Post calls the discussion. The measure represents an anti-encryption shot in the Crypto Wars. We’ll know more about how debate proceeded after Independence Day weekend. The bill's sponsors see it as an indispensable measure against child abuse and terrorism. The bill's opponents see it as a pervasive threat to privacy and security.
Taurus, the info-stealer, not the astrological sign.
Researchers at security firm Zscaler describe an information stealer, "Taurus," currently sold in criminal-to-criminal souks. It’s offered by the tastelessly self-named "Predator the Thief," and it’s carefully coded not to execute in twelve former Soviet Republics. That’s understandable, since accommodation to the Organs has long been the better part of criminal valor. Taurus concentrates on system information, passwords, cookies, browser history, autofill values, and cryptocurrency wallets. The payload is delivered by phishing. If you’re keeping score at home, the countries where Taurus is programmed to tread lightly are Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan, and Ukraine. Predator the Thief’s criminal clients can keep track of where their phishbait is being swallowed on a swell dashboard featuring a heatmap of the whole world.
Scanning and scraping MongoDB.
Hackers have been using an automated script to scan for unsecured MongoDB databases, and they’ve found some 22,900, which by ZDNet’s count amounts to about 47% of all such databases accessible online. Once an unprotected database is found, two things happen. First, the criminal backs up the data, and, second, they wipe the original. That deletion was in some initial cases fumbled or overlooked, but the hoods seem now to have fixed their problem and become more adept at deleting information from their victims.
Then they leave a ransom note. The ransom isn’t particularly high, coming in at just fifteen-thousandths of a Bitcoin, about a hundred-forty dollars. It is interesting, however, to see the extortionists use both a carrot and a stick to induce compliance with their chicken-feed demand. The carrot is the promise that the wiped data will be restored from the crooks’ own backup. The stick is that the stolen data will be referred to European authorities to get the victim prosecuted under GDPR. There’s also a deadline: the victim has forty-eight hours to decide, at which point it’s goodbye data and hello Information Commissioner.
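The exposure the scanners are finding is a configuration problem, so an added example follows (it is not code from the original briefing, ZDNet, or MongoDB): a small Python audit that reads a mongod.conf, reports whether the listener is reachable from the network and whether authorization is on, and flags the combination that lets any connecting client dump and drop databases. It assumes mongod 3.6+ defaults (bindIp defaults to localhost, authorization defaults to disabled), parses only the indentation-nested key: value subset that mongod.conf uses, and the two sample configurations are constructed for the demonstration.

```python
# Added example, not from the original briefing or from MongoDB's own tooling.
# Audits a mongod.conf for the pattern behind the wipe-and-ransom campaign:
# a listener reachable from the network with authorization disabled.
# Assumption: mongod 3.6+ defaults (bindIp -> localhost, authorization -> disabled).

LOOPBACK_PREFIXES = ("127.", "localhost", "::1")
WILDCARD_ADDRESSES = {"0.0.0.0", "::", "*"}


def parse_simple_yaml(text):
    """Parse the indentation-nested 'key: value' subset used by mongod.conf.

    Assumption: no YAML lists, anchors or multi-line scalars; text after '#'
    is a comment. Nested mappings become nested dicts, scalars stay strings.
    """
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip().strip("\"'")
        # Climb back out to the mapping that owns this indentation level.
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def lookup(cfg, dotted, default):
    """Fetch a dotted key such as 'net.bindIp', falling back to mongod's default."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_mongod_conf(text):
    """Return the exposure verdict plus readable findings for one config file."""
    cfg = parse_simple_yaml(text)
    findings = []

    bind_all = lookup(cfg, "net.bindIpAll", "false").lower() == "true"
    addrs = [a.strip() for a in lookup(cfg, "net.bindIp", "127.0.0.1").split(",")]
    public = [a for a in addrs
              if a in WILDCARD_ADDRESSES or not a.startswith(LOOPBACK_PREFIXES)]
    network_exposed = bind_all or bool(public)
    if network_exposed:
        findings.append("listener reachable from the network: "
                        + ("bindIpAll=true" if bind_all
                           else "net.bindIp includes " + ", ".join(public)))

    auth_enabled = lookup(cfg, "security.authorization", "disabled").lower() == "enabled"
    if not auth_enabled:
        findings.append("security.authorization is not 'enabled': any client that "
                        "can connect can dump and drop every database")

    unauthenticated_network_access = network_exposed and not auth_enabled
    if unauthenticated_network_access:
        findings.append("CRITICAL: unauthenticated access from the network; "
                        "this is the scan, dump, wipe, ransom-note pattern")

    return {
        "network_exposed": network_exposed,
        "auth_enabled": auth_enabled,
        "unauthenticated_network_access": unauthenticated_network_access,
        "findings": findings,
    }


# Constructed sample configurations (not taken from any real deployment).
EXPOSED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface
# no 'security' section: authorization defaults to disabled
"""

HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1      # loopback only; reach it over a VPN or SSH tunnel
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        report = audit_mongod_conf(conf)
        print(name, "->", "no findings" if not report["findings"] else "")
        for finding in report["findings"]:
            print("  -", finding)
```

The audit reports the two conditions separately on purpose: a server bound to all interfaces with authorization enabled is still worth a finding (it is one credential leak away from the same outcome), but only the combination of network reachability and disabled authorization is what the scanning script in the campaign above needs.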
We received some comment on this campaign from Ilia Kolochenko, founder & CEO of web security company Immuniweb. He remarked in an emailed statement:
“Perhaps it sounds cynical, but this large-scale extortion campaign may bring a powerful boost to cybersecurity awareness. Many organizations carelessly expose terabytes of confidential and sensitive data online in unprotected cloud or databases. Frequently the data is silently stolen and then (re)sold on the Dark Web without triggering any alert. Unless the attackers clearly indicate the source of the compromised data, it may be technically challenging, if not impossible, to attribute the leak to an organization. Virtually, this creates a toxic ambiance of impunity and collective irresponsibility, aggressively exploited by cyber gangs to make huge profits, while victims have no viable means of legal recourse, as it is oftentimes unfeasible or just too expensive to reliably attribute the source of a data breach and file a complaint or civil lawsuit seeking damages.
“I think governments should mandate special agencies or law enforcement teams to crawl and monitor the Internet for such leaks affecting their jurisdictions. Once detected, legal action should be taken against the company behind the leak and all costs of the monitoring and investigation should likewise be imposed on the guilty company.
“Organizations, on their side, should urgently implement continuous attack surface monitoring and implement a well-thought-out third-party risk management program. Today, many disastrous incidents and data exposures stem from negligent suppliers or vendors that have privileged access to the data of their clients and fail to properly secure it. Paper-based questionnaires won’t help, and more proactive monitoring of the attack surface and the Dark Web for the data stolen from your suppliers is a requisite in 2020. Otherwise, we will certainly see a steady surge of such leaks.”
A note to our readers.
We'll be observing Independence Day this week, and so won't be publishing on either Friday or Saturday. We'll be back with a new episode of Career Notes this coming Sunday, and as usual we'll return to our normal publication schedule Monday. In the meantime, enjoy the Fourth.