At a glance.
- REvil ransomware hits Spanish rail infrastructure manager ADIF.
- Garmin sustains a cyber incident.
- Blackbaud hack extends to more organizations.
- Over a thousand people at Twitter could have changed account settings.
- A OnePlus research email exposes many email addresses.
- DJI drone Android app's privacy issues.
Ransomware hits Spanish railway infrastructure manager.
ADIF (Administrador de Infraestructuras Ferroviarias), the state-owned railroad infrastructure manager, was hit by REvil ransomware, Security Affairs reports. The International Railway Journal writes that 800GB of data, including correspondence and contracts, were taken. Apparently the incident is more a threat to privacy than it is to operations, which have gone largely unaffected. “The infrastructure has not been affected at any time, and the correct functioning of all its services has been guaranteed,” ADIF said.
Garmin sustains an outage (the word in social media is that it was ransomware).
Garmin, of Schaffhausen, Switzerland, and Olathe, Kansas, the maker of widely used wearables, smart watches, and especially GPS devices, took its servers offline yesterday for a multiday period of maintenance. The company called it an “outage” that affected GarminConnect and its customer call centers, but ZDNet reports that Garmin employees who’ve tweeted about the incident are calling it a ransomware attack.
Services are being restored, with aviation GPS services said to have been the first to get back online, but disruptions continue. It’s not known whether customer data are at risk, but that’s nowadays a strong possibility with ransomware attacks. That is, if this is in fact a ransomware attack, which, remember, remains unconfirmed.
Effects of the Blackbaud hack spread.
The consequences of the Blackbaud hack have spread to more universities and not-for-profits in the UK, Canada, and the US. The BBC gives the following list of known victims: the University of York, Oxford Brookes University, Loughborough University, the University of Leeds, the University of London, the University of Reading, University College (Oxford), Ambrose University in Alberta (Canada), Human Rights Watch, Young Minds, the Rhode Island School of Design in the US and the University of Exeter.
Blackbaud stressed to the BBC that not all of its users have been affected, and indeed the BBC confirmed that University College London, Queen's University Belfast, the University of the West of Scotland, Islamic Relief, and Prevent Breast Cancer were not affected. The company has also sought to reassure its customers that it believed the data taken in the incident wouldn't be misused, but that seems to have been of small comfort to most of those who've heard the reassurance.
Blackbaud has been criticized for paying ransom in exchange for the attackers’ assurance that they’ll destroy the stolen information. An apparently unverifiable promise on the part of criminals seems to many to be grounds more for despair than it is for hope.
A lot of Twitter employees and contractors had access to the tools used to reassign accounts.
Last week's Twitter hack continues to look like a case of successful social engineering in the service of making an illicit buck selling prestige handles. How many Twitter employees and contractors had access to internal tools that would enable them to change account settings and give control of those accounts over to someone other than the owner? Reuters writes that it was more than a thousand, which is a lot of points of human failure.
Twitter CEO Jack Dorsey said in an earnings call yesterday that everyone at Twitter feels “terrible” about last week’s hack. “We fell behind,” the Washington Post quotes him as saying, “both in our protections against social engineering of our employees and restrictions on our internal tools.” It seems that Twitter didn’t see it coming, and the question investors and others will ask is, should they have?
It could've happened to anyone (but in this case it happened to OnePlus).
We don't want to cast the first stone, but others have already tossed it in so we don't have to. Android Authority calls it, with harsh justice, a "rookie mistake": Shenzhen-based smartphone manufacturer OnePlus sent out a research email blast with all the addressees shown in the "To" field, not, as is usually done, blind-copying them to obscure the recipients from one another. An email address by itself is, relatively speaking, a fairly innocuous piece of information, but it could be used to spam, to phish, or as one-half of the common email address and password credential. It's also, unfortunately, part of a poor security track record, as Android Police mentions.
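The OnePlus mistake is worth spelling out in code, because it is easy to make twice: once by listing every addressee in the visible "To" header, and again by setting a "Bcc" header and then sending the raw message with `smtplib.SMTP.sendmail()`, which transmits that header verbatim (only `send_message()` strips it). The following is an added example, not code from the original article or from OnePlus; the sender and recipient addresses are constructed sample data, and the function names are illustrative. It builds the leaky and the safe form of a bulk notification and checks what other recipients would be able to see.

```python
"""Added example (not from the original article): build a bulk notification
so recipients cannot see one another's addresses, and check the result.

Pitfall 1: every addressee in the visible To header (the OnePlus mailing).
Pitfall 2: a Bcc header that is serialized and sent with sendmail(), which
transmits headers as given; only smtplib.send_message() drops Bcc.
Fix: keep recipients out of the headers entirely and pass the list to the
SMTP envelope (the to_addrs argument of sendmail) separately.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SENDER = "research@example.com"  # constructed sample sender

# constructed sample recipient list
SAMPLE_RECIPIENTS = ["alice@example.org", "bob@example.net", "carol@example.com"]


def build_leaky_message(recipients, subject, body):
    """The mistake: every addressee lands in the visible To header."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bcc_header_message(recipients, subject, body):
    """Looks safe, but the Bcc header is part of the serialized message.

    smtplib.send_message() removes it before transmission; a raw
    sendmail(from, to, msg.as_bytes()) call does not.
    """
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_safe_message(recipients, subject, body):
    """The fix: headers carry only the sender; recipients go on the envelope.

    Returns (message, envelope_recipients). To is set to the sender's own
    address, a common convention for notifications, so no recipient appears
    in any header, and there is no Bcc header to leak through sendmail().
    Send with: smtp.sendmail(SENDER, envelope_recipients, message.as_bytes())
    """
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def header_exposed_addresses(raw_bytes, recipients):
    """Return the recipients whose address appears in any header of the
    serialized message, i.e. what every other recipient would be able to see."""
    parsed = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    header_text = "\n".join(f"{name}: {value}" for name, value in parsed.items())
    header_text = header_text.lower()
    return sorted(r for r in recipients if r.lower() in header_text)


def demo():
    """Compare the three variants on the constructed recipient list."""
    subject, body = "Survey", "Please take our survey."
    leaky = build_leaky_message(SAMPLE_RECIPIENTS, subject, body)
    bcc = build_bcc_header_message(SAMPLE_RECIPIENTS, subject, body)
    safe, envelope = build_safe_message(SAMPLE_RECIPIENTS, subject, body)
    return {
        "leaky": header_exposed_addresses(leaky.as_bytes(), SAMPLE_RECIPIENTS),
        "bcc_header": header_exposed_addresses(bcc.as_bytes(), SAMPLE_RECIPIENTS),
        "safe": header_exposed_addresses(safe.as_bytes(), SAMPLE_RECIPIENTS),
        "envelope": envelope,
    }


if __name__ == "__main__":
    for variant, exposed in demo().items():
        print(f"{variant}: {exposed}")
```

The check in `header_exposed_addresses` is the useful part for a mailing pipeline: run it over the serialized bytes immediately before handing them to the SMTP client, and refuse to send when any envelope recipient shows up in a header. That catches both pitfalls regardless of which library call eventually does the sending.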
DJI drone privacy issues.
Concerns mount over the risk of data exposure through Chinese-manufactured DJI drones, CyberScoop and others write. The concern is that DJI’s smartphone interface could capture data from users’ Android devices and transfer them to Chinese intelligence and security services. Researchers at GRIMM summarize the privacy issues as follows:
- "The application contains a self-update feature that bypasses the Google Play store.
- "The application contains the ability to download and install arbitrary applications (with user approval) via the Weibo SDK. During this process, the Weibo SDK also collects the user's private information and transmits it to Weibo.
- "Prior to version 4.3.36, the application contained the Mob SDK, which collects the user’s private information and transmits it to MobTech, a Chinese analytics company.
- "The application restarts itself when closed via the Android swipe closed gesture. Thus, users may be tricked into thinking the application is closed, but it could be running in the background while sending Telemetry requests."
Synacktiv observes darkly the DJI app's lack of transparency: "DJI GO 4 application makes use of the similar anti-analysis techniques as malware, such as anti-debug, obfuscation, packing and dynamic encryption."