At a glance.
- Call of Duty uncompromised?
- BlueLeaks hacktivism versus RCMP, other Canadian police agencies.
- NCAA referee information exposed in ArbiterSports breach.
- LokiBot rising.
Call of MFA.
Activision maintains that Call of Duty accounts have not been “compromised,” contrary to pervasive rumors, but Computer Weekly says “it is clear that some kind of incident has taken place, most likely a credential stuffing attack.” Recreational accounts are especially prone to credential stuffing, a type of cyberattack that plugs login information pinched from one database into another to try for a match. Edgescan engineer David Kennefick says Activision seems to have dropped the ball on guarding against this form of incursion, having not allowed multi-factor authentication (MFA), passwords over twenty characters, and passwords with special characters. The Twitter account that first drew attention to the alleged breach has been suspended.
BlueLeaks hacktivists potentially dox Mounties.
CBC reports that thirty-eight Canadian police agencies, including the Royal Canadian Mounted Police, were caught up in the June BlueLeaks breach leveled at US law enforcement. Anonymous purportedly ran the strike, and Distributed Denial of Secrets published the plunder. Though the RCMP says only “training, administration and unclassified material” was released, cybersecurity expert Steve Waterhouse warns that bureaucratic information can be damaging too: "It could be emails or phone numbers of police officers in that stash of information, and they can sell it or use it to physically harm or harass police officers' families.”
ArbiterSports foul.
A ransomware attack on NCAA software vendor ArbiterSports extracted the account information, contact details, and social security numbers of 540 thousand referees and officials, HOTforSecurity and Express report. Unknown hackers failed to encrypt ArbiterSports’ files, but succeeded in decrypting delicate information from a backup database. ArbiterSports paid a ransom in exchange for “confirmation” that the exfiltrated data was deleted, and offered casualties a free identity protection subscription. Victim and data engineer Keith Mukai claims the vendor “failed to adhere to the most basic security best practices established 30+ years ago” such as proper password hashing and careful social security number encryption, saying, “there is no such thing as proof of deletion,” and worrying that “our sensitive personal info is forever vulnerable out in the wild now.”
We heard from Warren Poschman, of data security specialists comforte AG, who sees the incident as an example of the difficulties surrounding secure key management:
“One of the biggest problems when encrypting data is secure key management - when hackers gain access to encryption keys they start looking for data to decrypt because they know it has some value. The age-old adage rings true with the breach at ArbiterSports – encryption is easy, key management is hard. Keeping encryption keys accessible but secure is challenging when encrypting sensitive data in backup files, databases, cloud repositories, and other areas.
"The best strategy is to avoid sole reliance on key-based data protection - deploying tokenization drastically reduces the chances of sensitive data being revealed because the data is replaced with meaningless, de-identified data and there is no key for an attacker to obtain. Tokenization is a highly secure, format-preserving data protection approach which does not require the generation, distribution, management, or rotation of encryption keys file to protect data.
"In other high-profile data breaches, attackers were able to also decrypt data but were unable to access data that was tokenized. In the case with ArbiterSports, if tokenization had been utilized and the attackers were able to access and decrypt the stolen backup, the tokenized data would have remained secure.”
LokiBot on the loose.
LokiBot is on the rise in recent months, per a Cybersecurity and Infrastructure Security Agency (CISA) alert. The infostealer Trojan usually enters Android and Windows systems through malignant webpages, emails, or messages, then installs keyloggers and backdoors. Threat actors have variously used the malware to swipe data and deploy ransomware. CISA recommends the following preventive measures: keeping software current, deactivating sharing functionalities, activating firewalls, requiring robust passwords and multi-factor authentication, blocking unwanted sites and applications, scrutinizing attachments and removable drives, and staying informed about new threats. ZDNet calls LokiBot “one of today's most dangerous and widespread malware strains.” First discovered in the 2010’s, it’s now the go-to tool of inexpert hackers.