Stranded travelers' data exposed. BEC crimewave. Legal platforms and privacy. Telework advice. Further Blackbaud disclosure.

Summary

By the CyberWire staff

At a glance.

Australian travelers' data exposed.
BEC crimewave.
Legal research platforms and privacy concerns.
Telework advice for small businesses.
Blackbaud discloses exposure of sensitive information during ransomware incident.

Dfat exposes email addresses of stranded Australian citizens.

The Australian Department of Foreign Affairs and Trade (Dfat) accidentally disclosed the email addresses of thousands of Australian citizens stranded overseas due to COVID-19 travel restrictions, reports the Guardian. The addresses were unintentionally included in the header of an email message sent by Dfat’s COVID-19 consular operations section to notify the travelers about interest-free loans available to cover travel costs. Dfat, after realizing their mistake, recalled the emails and sent a follow-up email apologizing for the error and asking the recipients to delete the original, but nearly 3,000 individuals were affected.

Global Business Email Compromise steals millions.

Cybersecurity incident response company Mitiga reports they are working with the US Federal Bureau of Investigations (FBI) and secret service to respond to a large-scale Business Email Compromise (BEC) campaign that may have affected over 150 organizations globally. The threat actors have been intercepting sensitive emails by using imposter Office 365 email accounts to impersonate senior executives involved in high-level financial transactions. Once the attackers acquire the necessary wire transfer information, they redirect the funds to rogue bank accounts, stealing about $15 million so far. Mitiga has not yet identified the companies that were impacted.

NYCLU questions privacy of legal research platforms.

The New York Civil Liberties Union (NYCLU) has published a report questioning how user data in legal research platforms is handled and employed, reports Legaltech News. Sharing user data with a third party is not only a privacy concern, but could also bias legal proceedings. While the author of the report, Media Democracy Fund technology fellow Jonathan Stribling-Uss singled out prominent platforms Westlaw and LexisNexis, he has no evidence that they have been sharing user data. A representative from Westlaw told Legaltech News, “We’ve implemented systems and protocols designed to safeguard users’ confidential search histories on Westlaw from unauthorized access,” but did not state whether the platform is currently sharing user data.

US Cyber Readiness Institute offers telework advice to small businesses.

The US Cyber Readiness Institute (CRI) announced that it has released a cybersecurity toolkit designed to help smaller businesses protect their data as they shift to remote work amidst the pandemic. CRI was created to provide small and medium-sized enterprises (SMEs) with free cybersecurity resources. Now, working in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA), CRI has developed the Telework Essentials Toolkit, a series of guides to help these businesses adapt their cybersecurity protocols to the distinctive needs of telework environments.

Blackbaud tells the SEC that sensitive financial information was compromised.

The ransomware attack against Blackbaud and its widely used donor-relations-management platform is now known to be more serious than had been hoped. Blackbaud has determined that the attackers accessed financially sensitive information. A Form 8-K the company filed with the US Securities and Exchange Commission says:

“As previously reported in our Quarterly Report on Form 10-Q for the quarter ended June 30, 2020, on July 16, 2020, we contacted certain customers to inform them about a recent security incident (the “Security Incident”). This information disclosed that in May 2020 we discovered and stopped a ransomware attack. Our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted (private cloud) environment.

“After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords. In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who were involved in the Security Incident. Customers who we believe are using these fields for such information are being contacted the week of September 27, 2020 and are being provided with additional support. We expect our Security Incident investigation and security enhancements to continue for the foreseeable future. We intend to continue to inform our customers, stockholders and other stakeholders of any such additional information or developments as appropriate.”

Selected Reading

More than 12 Data Points are Publicly Available on 60% of Internet... (HOTforSecurity) With more than half the world now using social media and internet traffic increased 30%, new digital behaviors adopted during the coronavirus lockdown continue to reshape the digital landscape. Consumers worldwide shifted to online... #bitdefenderdigitalidentityprotection #cybercrime #databreach

Selecting Security and Privacy Controls: Choosing the Right Approach (NIST) Recently, NIST published a significant update to its flagship security and privacy controls catalog,

CISA and MS-ISAC Release Ransomware Guide (CISA) The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have released a joint Ransomware Guide that details practices that organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats.

Ransomware Guide, September 2020 (CISA) Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.

The Cybersecurity 202: Americans are as insecure as ever on the 17th annual Cybersecurity Awareness month (Washington Post) Seventeen years after October became National Cybersecurity Awareness Month, Americans are undoubtedly far more aware of digital threats. But they're as insecure online as ever.

Breaking down morality and forum dynamics on cybercriminal forums (Security Magazine) Digital Shadows explored four main themes via which threat actors’ personalities or real-life identities are expressed on cybercriminal forums, providing examples they've observed over the years. This first blog looked at gender and nationality, while the second in the series examined morality and forum dynamics.

Cache Creek Casino Closed Due To Cyber Attack (CBS Sacramento) Cache Creek Casino and Resort is not taking any gambles. The casino is closed for business after an apparent cyber-attack on its system.

Cisco Patches Actively Exploited Flaws in Carrier-Grade Routers (SecurityWeek) Cisco this week released patches for two high-severity vulnerabilities in IOS XR software that have been actively exploited in attacks for over a month

Are There Data, Privacy Risks With Legal Research Platforms? (Legaltech News) A recent paper is calling for legal research platforms to become more transparent in how they prioritize results and share user data. But legal research companies say protecting data is fundamental to their business, even as they expand beyond their core offering.

Evasive URLs in Spam: Part 2 (Trustwave) A URL can be completely valid, yet still misleading. In this blog, we will present another technique with URLs that we observed in a recent malicious spam campaign. This is the continuation of an earlier blog that discussed how valid URL formats can be used in evading detection.

QNAP warns customers of recent wave of ransomware attacks (BleepingComputer) QNAP has issued an advisory about a recent wave of ransomware attacks targeting its NAS storage devices and encrypting files.

Data breach: Dfat reveals email addresses of vulnerable Australians stranded overseas (the Guardian) The email addresses belonging to hundreds of Australian citizens were accidentally disclosed in a message about interest-free loans

Mitiga is Cooperating with the FBI & Secret Service on a Global Business Email Compromise (BEC)… (Medium) Mitiga has uncovered a widespread and well-executed Business Email Compromise (BEC) campaign in which cybercriminals are impersonating…

TA2552 Uses OAuth Access Token Phishing to Exploit Read-Only Risks (Proofpoint) Since January 2020, Proofpoint researchers have tracked an actor abusing Microsoft Office 365 (O365) third-party application (3PA) access, with suspected activity dating back to August 2019.

This spyware poses as a fake Android WhatsApp update app (SonicWall) SonicWall Capture Labs threats researchers observed an interesting Android sample that passes itself as a WhatsApp Updater app.

Linkury adware caught distributing full-blown malware (ZDNet) Linkury (SafeFinder) installations linked to infections with the Socelars and Kpot infostealer trojans.

Blackbaud: Ransomware gang had access to banking info and passwords (BleepingComputer) Blackbaud, a leading cloud software provider, confirmed that the threat actors behind the May 2020 ransomware attack had access to unencrypted banking and login information, as well as social security numbers.

Blackbaud admits hackers stole banking details, passwords (ComputerWeekly) Software firm paid off a ransomware gang, believed its hackers when they said they had destroyed the data, and has now discovered the cyber criminals accessed even more sensitive information than it thought.

Blackbaud ransomware hackers could access unencrypted banking data and login credentials (Computing) Blackboard had originally claimed such data was protected

Mounting Ransomware Attacks Morph Into a Deadly Concern (Wall Street Journal) Hackers are launching more brazen attacks aimed at locking down entire networks, not just a few workstations, and increasingly target health-care companies, putting lives at risk as they demand higher bounties.

Threat Spotlight: New InterPlanetary Storm variant (Journey Notes) The cybercriminal organization behind InterPlanetary Storm malware has released a new variant into the wild, now targeting Mac and Android devices.