Privacy and (alleged) monopoly. Notes on the FireEye breach. Stealthy skimmer software. Cloud host compromised.

Summary

By the CyberWire staff

At a glance.

Privacy dimensions of the Facebook anti-trust suit.
WhatsApp challenges Apple's privacy labels.
Notes on the FireEye breach.
Skimmer software hides in compromised e-commerce sites.
Netgain takes services offline after ransomware incident.

Facebook faces antitrust lawsuit.

Social media giant Facebook is being sued by a bipartisan coalition of US attorneys general from forty-six states, the District of Columbia, and the US territory Guam for anti-competitive practices and endangerment of user privacy, reports the New York Law Journal. The lawsuit claims that Facebook’s dominance of the social media market, heightened by the acquisition of platforms WhatsApp and Instagram, is bordering on monopoly and gives Facebook too much control over how user data are collected and shared. According to Letitia James, New York Attorney General and spokesperson for the suit, “No company should have this much unchecked power over our personal information and our social interactions.” As the Washington Post reports, when Facebook first purchased WhatsApp in 2014 they claimed they would maintain the messaging app’s privacy protections, but Facebook later reversed its stance. In the end the deal served to remove a more privacy-focused competitor, leaving users who desired more data protection with no alternative. Facebook’s stance is that the lawsuit is “revisionist history,” pointing out that federal regulators had the opportunity to prevent the acquisitions and are now essentially punishing Facebook for its success.

WhatsApp challenges Apple privacy nutrition labels.

Perhaps substantiating the aforementioned lawsuit’s claims, Axios reports that the Facebook-owned messaging platform WhatsApp is contesting Apple’s requirement that all apps in its App Store disclose user data privacy policies in the form of “nutrition labels.” The regulation is the result of Apple’s effort to improve user privacy after its September system update to iOS 14. WhatsApp claims that the rule is anti-competitive, as Apple’s messaging app, Messages, doesn't display a label because it is automatically included on Apple devices and therefore not sold in the App Store. Though WhatsApp did in fact deliver its label info on Monday as required, a spokesperson argued “we believe it’s important people can compare these 'privacy nutrition' labels from apps they download with apps that come pre-installed." It’s important to note, however, that apps like Messages do, in fact, publish privacy policies, not in the store, but on the Apple website.

FireEye breach: Who watches the watchmen?

Other watchmen do, of course.

Cybersecurity company FireEye announced they’ve experienced a data breach in which state-sponsored threat actors stole hacking tools that could be used against the very community FireEye works to protect, reports Reuters. These “red team” tools -- scripts, scanners, and techniques that are designed by cybersecurity researchers to test a client’s ability to defend itself against attackers could become dangerous if in the wrong hands. The sophistication of the breach indicates that it was likely backed by a nation state, and Russia is a possible suspect. In an effort to help organizations protect themselves, FireEye is releasing a set of countermeasures to detect and defend against the tools. The US Federal Bureau of Investigation is investigating the attack.

While the stolen red-teaming tools could show up in commodity-level attacks, it would be unwise to exaggerate the risks, particularly the risks to privacy. FireEye has shared details on the stolen tools in its GitHub repository that should help organizations secure themselves against misuse.

Hiding in the CSS files.

BleepingComputer reports that new criminal skimming software is now concealing itself in the CSS files of compromised online stores. We received some notes from Ameet Naik, security evangelist at PerimeterX, who sees the evasiveness as standing in a long tradition that includes such deceptive techniques as steganography:

“Digital skimming attackers have developed innovative ways to evade detection by obfuscating the code or hiding the malicious code in images (steganography), social media buttons and favicons. Traditional application security approaches like static code analysis are ineffective in finding and stopping such attacks. Runtime analysis using client-side application security solutions can catch the malicious script in the act by observing behavioral signals and flagging anomalies.

"Businesses need to be vigilant about increasingly sophisticated digital skimming and Magecart attacks that could strike during the busy holiday shopping season. Consumers need to be careful with online payments and use alternative payment methods where available that don’t require them to type in credit card numbers.”

Cloud provider down after ransomware attack.

BleepingComputer reports that hosting service Netgain is sustaining outages as it copes with an unspecified ransomware attack. Little is known about the incident except that it's believed to have begun on November 24th, with outages continuing into this week. We heard from Trevor Morgan, comforte AG product manager, who sees the attack as a lesson to users of cloud services: they remain responsible for protecting their own data.

“The ransomware attack affecting the cloud hosting service provider Netgain must be of concern to its customers. All indications show that Netgain has been working very proactively to isolate and mitigate the situation while keeping the customer base fully informed. This response is appropriate and admirable given the situation. In the wake of these types of data security incidents, the best-case scenario is that the service disruptions are a nuisance but that sensitive data remains protected.

"All enterprises should take away from this incident a very simple lesson. If your business relies on cloud services for data handling, processing, and storing, you are responsible for the protection of sensitive data. If regulations are broken, your business must answer for the way that you handle and protect peoples’ sensitive data in the cloud. This should not inspire fear but rather should encourage you to reassess how you are protecting your customers’ most sensitive, private information no matter where that data is. Are you relying on more traditional perimeter- and access-focused methods of data protection, or are you taking a more data-centric approach that protects the data itself? If incidents like this can cause you to rethink your strategy and ask yourself questions like this, then that is a good outcome for your business.”

Selected Reading

Ransomware Attacks on MySQL Databases: PLEASE_READ_ME Campaign (Guardicore Labs) Guardicore Labs uncovers an opportunistic Ransomware campaign which targets internet-facing MySQL servers. The attackers use Double Extortion, and publish the data to pressure victims into paying the ransom.

Spammers Get Better at Impersonating Banking Services, Use Lingo and Legit Layouts to Con Victims (HOTforSecurity) E-mail-based attacks mimicking well-known financial institutions and online payment services have surged over the Halloween and Black Friday season, as cybercriminals continue to leverage restrictions brought on by the pandemic. Although coronavirus-related email... #ANZBank #bankofamerica #covid19

Stalkerware, the latest privacy threat groups vow to fight (ZME Science) Malwares keep security trackers and news sites busy enough, but a hellish offshoot is causing concern, too. It's called stalkware.

U.S. Retailers: How a Grinch Will Steal Your Holiday This Year (CyberPion) On top of a challenging economic year, retailers, e-tailers, and their customers face a growing threat this holiday season: the rise in cyber-attacks. While businesses have lived with this threat ever since the birth of online sales, this season will be different for several reasons. Our cursory scans of the Top 30 U.S. Retailer’s online […]

How to stay cyber secure while online shopping (WAND-TV) With the ongoing pandemic, more people than ever are relying on online shopping for the holidays. That is why it is more important than ever to

Adobe to block Flash content from running on January 12, 2021 (ZDNet) Adobe releases final Flash update with stronger language asking users to uninstall the app before its EOL.

December 2020 Android Updates Patch 46 Vulnerabilities (SecurityWeek) A total of 46 vulnerabilities patched with the release of the December 2020 security updates for Android.

Apple responds to WhatsApp's criticism on privacy labels (ETCIO.com) The latest chapter in Facebook-Apple rivalry is about privacy labels on apps.

Data leaks surge by 1,453% in 5 years to a record 36 billion cases in 2020 alone (Atlas VPN) With a global pandemic, devastating wildfires, racial tension, and political divide, it is not surprising that 2020 was named the most challenging year in the past decades. The year has been grim for data privacy as well, with leaked personal data records reaching numbers the world has never seen before.

Misery of Ransomware Hits Hospitals the Hardest (Threatpost) Ransomware attacks targeting hospitals have exacted a human cost as well as financial.

They're Here! COVID-19 Vaccine Phishes Finally Arrive (KnowBe4) COVID-19 vaccine phishing emails and templates

From romance scams to phantom PPE, banks battle coronavirus crimewave (Reuters) Fraud risk analyst Rajendran Raj was used to the odd out-of-hours alert from authorities, but a call one Saturday in March heralded a new era, of tackling criminals seeking to cash in on coronavirus.

Hackers are selling more than 85,000 SQL databases on a dark web portal (ZDNet) Hackers break into databases, steal their content, hold it for ransom for 9 days, and then sell to the highest bidder if the DB owner doesn't want to pay the ransom demand.

D-Link Routers at Risk for Remote Takeover from Zero-Day Flaw (Threatpost) Critical vulnerabilities discovered by Digital Defense can allow attackers to gain root access and take over devices running same firmware.

Game over? Vulnerabilities on Valve's Steam put hundreds of thousands gamers at risk (Check Point Software) Highlights: CP<R> found four major vulnerabilities in the popular Valve games networking library. All vulnerabilities were acknowledged and received

Vermont Hospital Cyberattack Cost Estimated at $1.5M a Day (SecurityWeek) A late October cyberattack on the computer systems of the University of Vermont Medical Center is costing the hospital about $1.5 million a day in lost revenue and recovery costs, its CEO said.

Iranian-Linked Android Spyware Sneaks Into Private Chats (GovInfo Security) A hacking group behind an Android spyware variant has recently added fresh capabilities that include the ability to snoop on private chats on Skype, Instagram and

Rana Android Malware (ReversingLabs) Your past catches up, sooner or later...

Ransomware forces hosting provider Netgain to take down data centers (BleepingComputer) Cloud hosting and IT services provider Netgain was forced to take some of their data centers offline after suffering a ransomware attack in late November.

Impersonator Syndrome: Supply chain lures and COVID-19 cures (Digital Shadows) It’s been a tough few months for the healthcare industry (and for all of us in general). While we’ve reported on recent Q3 ransomware campaigns targeting the healthcare industry, a new campaign targeting COVID-19 vaccine supply chain partners has emerged.