At a glance.
- Some free VPN apps expose user data.
- Court rules for NSO Group after closed testimony by Israel's Ministry of Defence.
- Collabera hit with PII-stealing ransomware.
- More on MGM breach.
Data exposure incident hits seven apparently related free VPNs.
Researchers at Comparitech report that Hong Kong-based VPN provider UFO VPN left a database of user logs and API access records exposed online, with no password or any other form of authentication protecting it.
vpnMentor reports that the exposure was more extensive than that. It wasn't just UFO VPN, but six other brands as well: FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN, all of which appear to share a common developer. The exposed data vpnMentor describes include PII of some twenty million users, among it "email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details." All seven apps advertised themselves as both free and "no-log," the latter meaning that they collected no personal information about their users. The contents of the database suggest otherwise: a service that holds cleartext passwords and per-user IP addresses is logging, whatever its marketing says.
The seven apps are connected in a number of ways. The branding of three of them is similar, for one thing. vpnMentor thinks they’re all white-labelled versions of the same product. In any case they use the same Elasticsearch server, they’re hosted on the same assets, and they use “a single recipient for payments,” Dreamfii HK Limited.
vpnMentor concludes that, “there are a lot of excellent free VPNs” out there, but in the case of these seven, you apparently get what you pay for.
Court rules for NSO Group in Amnesty suit.
An Israeli court ruled against Amnesty International in a suit that sought the revocation of NSO Group's export license on the grounds that the company's tools were provided to regimes that used them for illicit, or at least questionable, surveillance. The Jerusalem Post reports that the judge did not explain the reasons for his ruling, but that the Defence Ministry testified in a closed session concerning its oversight of NSO Group's international sales.
Among the recent high-profile cases involving NSO Group's Pegasus intercept tool was its apparent use against a pro-independence Catalan legislator. The Guardian reports that the Spanish government is suspected of political espionage in the case.
PII-stealing ransomware hits IT consultancy Collabera.
Hackers infected New Jersey-based IT and staffing consultancy Collabera with ransomware and stole employees' personal information, the Register reports. The data exposed to compromise include "names, addresses, contact and social security numbers, dates of birth, employment benefits, and passport and immigration visa details."
Collabera says it detected an apparent ransomware attack on June 8th, restored access to its files from backup, and began an investigation. On the 10th the company determined that an unauthorized party had accessed data. It's unclear who's responsible for the incident, although the Maze group last month claimed to have hit Collabera. It is another illustration that a ransomware attack, now that operators routinely exfiltrate data before encrypting it, should be treated as a data breach and not merely as an availability problem that backups resolve.
Ilia Kolochenko, founder & CEO of web security company ImmuniWeb, offered these comments on the incident:
"This incident would be just another drop in the borderless ocean of fairly trivial data breaches during 2020, BUT the business of the allegedly breached company makes the incident particularly dangerous for would-be victims, who are mostly Collabera clients.
"Sophisticated spear-phishing campaigns and well-thought-out BEC (business email compromise) campaigns are becoming both proficient and widespread these days. Given that many organizations blindly trust their IT employees - including those who no longer work for them, but have failed to properly inform their colleagues about their departure - identity theft may be particularly fruitful under the circumstances.
"Even a well-trained employee is highly susceptible to unwittingly or thoughtlessly sharing confidential data if the request comes from someone previously employed in the cybersecurity or IT team. The current pandemic bolsters the risks given that many organizations and enterprises are still tremendously disrupted by the work from home set-ups.
"Unless further technical details about the incident are released by Collabera it would, however, be premature to make any conclusions about the origins and potential causes of the incident. Though, one thing is clear: Collabera clients and their employees should be particularly vigilant during the next few months of incoming emails, messages and even phone calls.”
More comment on the growing MGM Resorts data breach.
According to Matt Keil, Director of Product Marketing at Cequence Security, the data lost by MGM pose a threat mostly because of people's propensity to reuse passwords across sites, which leaves the accounts they hold elsewhere open to credential stuffing, the automated replay of a leaked email-and-password list against other services:
"It's not uncommon to see attacks increase across a range of industries due to the discouraged and poor security practice of re-using passwords. This means that MGM, and many other organizations, will be the victims of increased account takeover activity as a result of the Data Viper credentials theft.
"Interestingly, Data Viper, a purported security company, lost its database as a result of poor API secure coding practices – the developer left their credentials exposed in an API usage document. The scope of the breach and the technique used, highlight two areas of weak security practices. The first weakness is the fact that many of the databases collected by Data Viper were the result of poor cloud-based implementations – they had little or no access control and authentication configured, or the API keys were left exposed – so the data was freely accessible to anyone on the web. The second weakness is the developer error of leaving API credentials exposed, an all too common error made by many organizations that are moving (rapidly) to an API-based development methodology."
The breach has been connected with an incident at Data Viper. ZDNet is following developments in that story.
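The account-takeover risk Keil describes is, from the defender's side, a detectable pattern: one source replaying a leaked credential list fails logins for many different usernames in a short window, which looks nothing like a user mistyping one password. The following detector is an added example written for this digest, not code from MGM, Data Viper or Cequence; the log format and the sample lines are constructed, and the window and distinct-user threshold are assumptions to be tuned against real traffic.

```python
"""
Credential-stuffing detector run over constructed authentication log lines.

A source IP that fails logins for many DISTINCT usernames within a short
window is flagged; a source that hammers one account (classic brute force)
is deliberately not, since that is a different signal with a different
response. Log format, sample data, window and threshold are all assumptions
made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real MGM or Data Viper data).
# 203.0.113.7 replays a leaked list: six different users, one of whom hits.
# 198.51.100.9 brute-forces a single account: many failures, one user.
SAMPLE_LOG = """\
2020-07-20T10:00:01Z auth=FAIL ip=203.0.113.7 user=alice@example.com
2020-07-20T10:00:02Z auth=FAIL ip=203.0.113.7 user=bob@example.com
2020-07-20T10:00:02Z auth=FAIL ip=203.0.113.7 user=carol@example.com
2020-07-20T10:00:03Z auth=OK   ip=203.0.113.7 user=dave@example.com
2020-07-20T10:00:04Z auth=FAIL ip=203.0.113.7 user=erin@example.com
2020-07-20T10:00:05Z auth=FAIL ip=203.0.113.7 user=frank@example.com
2020-07-20T10:00:06Z auth=FAIL ip=203.0.113.7 user=grace@example.com
2020-07-20T10:00:10Z auth=FAIL ip=198.51.100.9 user=heidi@example.com
2020-07-20T10:00:15Z auth=FAIL ip=198.51.100.9 user=heidi@example.com
2020-07-20T10:00:20Z auth=FAIL ip=198.51.100.9 user=heidi@example.com
2020-07-20T10:00:25Z auth=FAIL ip=198.51.100.9 user=heidi@example.com
2020-07-20T10:00:30Z auth=FAIL ip=198.51.100.9 user=heidi@example.com
2020-07-20T10:00:35Z auth=FAIL ip=198.51.100.9 user=heidi@example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL)\s+ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "ip": m["ip"], "user": m["user"]}


def detect_stuffing(log_text, window_seconds=300, min_distinct_users=5):
    """Return {ip: sorted list of usernames that failed from it} for every IP
    that failed logins for at least min_distinct_users different accounts
    within any sliding window of window_seconds."""
    fails = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "FAIL":
            fails[ev["ip"]].append((ev["ts"], ev["user"]))

    flagged = {}
    for ip, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            in_window = {user for _, user in events[start:end + 1]}
            if len(in_window) >= min_distinct_users:
                flagged[ip] = sorted({user for _, user in events})
                break
    return flagged


def successful_logins_from_flagged(log_text, flagged):
    """Accounts that logged in successfully from a flagged source. A success
    in the middle of a stuffing run means that user's reused password was in
    the leaked list, so these are the accounts to force a reset on."""
    hits = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "OK" and ev["ip"] in flagged:
            hits.add(ev["user"])
    return sorted(hits)


if __name__ == "__main__":
    suspects = detect_stuffing(SAMPLE_LOG)
    for ip, users in suspects.items():
        print(f"stuffing from {ip}: {len(users)} distinct users tried")
    print("force password reset for:", successful_logins_from_flagged(SAMPLE_LOG, suspects))
```

The two knobs matter: a threshold on distinct usernames (rather than on raw failures) is what separates list replay from a single-account brute force, and the sliding window keeps a slow, low-rate replay from being masked by summing over a whole day. In production the same logic would be fed from the identity provider's sign-in events and the "force reset" list would also feed a breached-credential check at login time.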