At a glance.
- Ransomware at Northern Rail.
- Geolocation as threat to privacy.
- Successful phishing attack responsible for medical center's data breach.
- HiveNightmare and privacy.
- Misconfigured AWS S3 buckets.
- Bypassing facial recognition.
- PII of some who bought tickets to the Olympics compromised.
Northern Rail ransomware attack: targeted or untargeted?
The UK’s Northern Rail railway system has experienced a ransomware attack on its self-service ticketing machines, forcing the operator to take all machines offline. Given that Northern Rail is owned by the British government and the machines were purchased with government funds, attackers would know there’s little to no chance of a ransom being paid, making Northern Rail an unusual target. As Security Week reasons, this indicates the incident was likely a spray-and-pray attack in which the actors attempted to hit random entities to determine which were vulnerable. A representative from ticketing machine provider Flowbird Transport Intelligence stated no personal payment data had been compromised, which also suggests the attack was commodity-level and not targeted. Andy Norton, European cyber risk officer at Armis, stated, “Rail networks are considered critical infrastructure under the [Networks & Information Systems] legislation and so, a risk assessment of the new Ticketing system should have been undertaken and this risk assessment should have included the risk of cyberattack with mitigating controls.”
Clergyman’s exposed phone activity leads to resignation.
US Monsignor and General Secretary of the United States Conference of Catholic Bishops Jeffrey Burrill has resigned after his mobile phone location and app activity data were exposed, Gizmodo reports. The app signal data, which show Burrill frequented locales and websites frowned upon by the Church, were released by The Pillar, a small, Church-focused media outlet that obtained the data from an unnamed data vendor. It’s worth noting that Burrill’s data show he regularly accessed Grindr, a dating app that has been embroiled in a string of user privacy issues over the past few years.
UVM Medical Center attack caused by phishing email.
VTDigger reports that US hospital system University of Vermont (UVM) Medical Center’s October ransomware attack, which cost the center $40 million to $50 million in lost revenue, stemmed from a phishing scam on an employee’s machine. The employee, who was using his work laptop while on vacation, opened a legitimate email from his homeowner’s association, not knowing the association had been hacked and that the message was part of a phishing operation. When the employee subsequently connected the device to the UVM network, the hackers deployed a large-scale malware attack on the medical center’s system. In an effort to prevent future incidents, UVM is staging simulated phishing attack drills and has blocked access to personal email on all machines.
Don’t get stung by HiveNightmare.
Naked Security details a Windows vulnerability, dubbed HiveNightmare, that allows unauthorized access to registry data stored in the Windows registry's hive files. Hive files, which contain sensitive data like passwords and security tokens, are normally readable only by an administrator, but the bug allows an intruder to bypass that protection by taking advantage of over-permissive access control settings on the live hive files and of the copies of those files preserved in volume shadow copies. Microsoft recommends users protect against exploitation of the vulnerability by resetting access control lists on the live registry hive files and deleting all existing shadow copies.
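As an added example (not code from the article, from Naked Security or from Microsoft), the following PowerShell audits whether non-administrative groups can read the live hive files and, with an assumed `-Remediate` switch, applies the two-step workaround the article describes; the `icacls` and `vssadmin` commands are Microsoft's published workaround commands, and the group names checked are an assumption about which principals matter.

```powershell
# Added example, not from the article. Audits whether non-administrative groups
# can read the live registry hive files and optionally applies the workaround
# the article describes: reset ACL inheritance, then delete shadow copies.
# Run from an elevated PowerShell prompt. -Remediate is an assumed switch name.
param([switch]$Remediate)

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $configDir $_ }
$readBit   = [int][System.Security.AccessControl.FileSystemRights]::ReadData
# Assumption: these are the principals that should never hold read access here.
$lowPriv   = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'

$exposed = foreach ($hive in $hives) {
    # Get-Acl reads only the security descriptor, so it works even though the
    # kernel keeps the hive file itself open exclusively.
    $acl = Get-Acl -LiteralPath $hive
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -in $lowPriv -and
            (([int]$_.FileSystemRights -band $readBit) -ne 0)   # ReadData bit set
        } |
        ForEach-Object { [pscustomobject]@{ Hive = $hive; Principal = $_.IdentityReference.Value } }
}

if (-not $exposed) {
    Write-Host 'Hive ACLs look correct: no read access for non-administrative groups.'
    return
}

$exposed | Format-Table -AutoSize
# Each existing shadow copy still holds a readable copy of the hives.
$shadows = (vssadmin list shadows | Select-String 'Shadow Copy ID').Count
Write-Warning "$($exposed.Count) over-permissive ACL entries found; $shadows shadow copies present."

if ($Remediate) {
    # Step 1: re-enable inheritance so the hive files take the administrators-only
    # permissions of the config directory.
    icacls (Join-Path $configDir '*.*') /inheritance:e
    # Step 2: delete existing shadow copies. This also removes the system restore
    # points those shadow copies back, so confirm backups exist first.
    vssadmin delete shadows /for=$env:SystemDrive /Quiet
}
```

Run it without `-Remediate` first to see which entries and how many shadow copies would be affected on a given host.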
Misconfigured AWS S3 buckets provided by third-party vendor expose towns' data.
Researchers at WizCase found that some eighty US municipalities saw databases holding citizens' information exposed through misconfigured AWS S3 buckets provided by a third-party vendor. All the affected towns and cities used mapsonline.net, provided by PeopleGIS. WizCase notified PeopleGIS, and the buckets have now been secured.
Trevor Morgan, product manager with comforte AG, sees the incident as unfortunate confirmation of the commonplace that many incidents are traceable to human error and oversight, not to aggressive and sophisticated attacks:
“The report that dozens of U.S. municipalities suffered from an expansive data breach related to mapsonline.net points once again to some very common knowledge: a large number of incidents and breaches can be traced back not to aggressive attacks but rather to human error, especially where cloud-service configurations are concerned. In this incident, misconfigured S3 buckets ultimately led to 86 exposed S3 buckets with no password protection or associated data encryption.
“Enterprises should take heed of this very common situation and start building a culture of data privacy and security within their organizations which places a premium on employees at all levels embracing quality of processes over speedy execution. Often, in their desire to be hyper-agile, organizations can overlook very basic and common-sense defensive measures. A culture of data privacy and security also puts investments behind the most complete data security toolkits, including data-centric security like tokenization and format-preserving encryption that go well beyond classic encryption and password protection. Tokenization replaces sensitive data elements with representational tokens that, even if in the wrong hands, cannot be leveraged by hackers and other threat actors. Sensitive data that has been tokenized is meaningless and thus worthless on the black market.
“This isn’t the first S3 bucket misconfiguration we’ve seen that leads to a data breach, but unfortunately it won’t be the last, either.”
Alicia Townsend, technology evangelist with OneLogin, points out the imperative for organizations to achieve and maintain a clear understanding of where and how their data are stored and secured:
“Organizations today need to have a clear understanding of where and how they are storing user data. Not only do these organizations need to ensure this data is protected where it lives today, they need to ensure that their employees are educated about the importance of protecting user data going forward. When everyone understands how crucial it is to protect user data and what that means then it is harder for incidents like this to slip through the cracks.”
Bypassing facial recognition.
Various biometric modalities are being pursued as alternatives to traditional passwords. Ars Technica reports that researchers have demonstrated ways of bypassing Microsoft's Windows Hello. CyberArk this month described a proof-of-concept by which Hello's facial recognition could be defeated.
Chris Clements, Vice President of Solutions Architecture at Cerberus Sentinel, wrote that the issue is a matter for concern, but that the risk shouldn't be overestimated, either:
“If you are being directly targeted, I can see this type of attack being concerning, but I don’t believe it is a critical issue for Windows users generally. The need for physical access to the device and a high enough quality infrared picture of the user is a fairly high bar for cybercriminals to use at scale. Contrast this with the risk of widespread compromise from the recent PrintNightmare vulnerabilities that can compromise Windows systems completely remotely with no user interaction at all. For any individuals that may be at high risk of direct targeting, however, the best advice is to disable the Windows Hello Face Authentication facial recognition login feature.”
Personal information of Olympic ticket-buyers leaked online.
Kyodo News has reported that login credentials of fans who've purchased tickets to the Tokyo Olympics have been leaked online.
Exabeam's president, Ralph Pisani, wrote about the attraction major events hold for cybercriminals:
“Cybercriminals often capitalize on major world events, due to the breadth of information they can gather as well as the opportunity to increase their own notoriety, so it is no surprise we have already seen a credential leak from the summer Olympics.
“There are not many details on the cause of the leak yet, but it’s likely that it is a result of the ticketing site (point of collection) being compromised or someone with administrative rights being targeted and compromised. A credential stuffing campaign, where bad actors mine login information from previous data breaches of other organizations to break into user accounts, isn't out of the question either.
“This is particularly dangerous for individuals and organizations because these credentials could be used to access corporate accounts then move laterally through the network to cause deeper damage.
“End users should establish different passwords for all of their accounts, immediately change their passwords on sites that have been breached and use multi-factor authentication wherever it is available.
“To remediate incidents involving user credentials and respond to adversaries, organizations must move fast and consider an approach that is closely aligned with monitoring user behavior, to provide the necessary visibility needed to restore trust, and react in real time, to protect user accounts. This should include the ability to detect, using behavioral characteristics, when abnormal events have occurred.”
Alexa Slinger, Identity Management Expert at OneLogin, traces the history of attacks on these Games. This latest incident has had its precursors:
“Cybersecurity threats against the Olympics are not without precedent; however, the Tokyo Olympics continue to be targeted repeatedly by bad actors. The attacks started with a series of phishing attempts in late 2020 when hackers attempted to lure users by impersonating Olympic staff. This was followed by a data breach in May 2021 when the Tokyo Olympics were victims in the Fujitsu hack, enabling cyber criminals to infiltrate their systems and leak information of about 170 people involved in security management. This most recent breach, impacting the login IDs and passwords of ticket holders, is especially troubling as it comes just days before the start of the event.
“As ransomware and cyber crime continued to rise during the global COVID-19 pandemic, so did tensions between countries. The Cyber Threat Alliance (CTA) released a report warning various countries may attack in the months leading up to the Games. In addition, cyber criminals may also see this as an opportunity to retrieve quick ransomware payments if they are able to successfully disrupt the live event, as the Olympic organization will have little to no tolerance for downtime.
“With multiple entry points for hackers to exploit, from athletes, spectators, operations, logistics, sponsors to other associated businesses, the Olympic Games must remain vigilant in their attempt to thwart additional breaches. They should begin with standard best security practices such as monitoring identity and access to their network, ensuring all systems are up to date and patches are deployed, as well as enabling multi-factor authentication across all of their corporate applications and resources. In addition, the Olympics must communicate to all parties involved in the Games to keep a security-first mindset and understand how to identify and respond to threats.”
The credential leak isn't the only cyber risk the Olympics face. The FBI this week released a Private Industry Notification outlining the threats posed by both criminals and nation-state threat actors.