At a glance.
- IP camera firmware bugs.
- Hancitor malware is in circulation.
- Reflections on the first three years of GDPR.
- Estonian ID photos compromised by a hacker.
- Northern Ireland's COVID-19 vaccine certification system breached.
- Risks to prisoners with exposure of their medical information.
- Third-party data exposure affects healthcare system's data.
Bugs discovered in IP camera firmware.
Researchers at RandoriSec have detected vulnerabilities in IP camera firmware provided by South Korean company UDP Technology, Security Week reports. The bugs, which include eleven remote code execution flaws and one authentication bypass issue, could be exploited by an intruder to take over the cameras directly from the internet. The firmware is found in cameras offered by around a dozen vendors including Geutebrück, Ganz, Visualint, and THRIVE Intelligence. The US Cybersecurity and Infrastructure Security Agency has published an advisory warning users about the security issues, and UDP has developed a patch, which has been made available to at least one vendor.
A look at Hancitor malware.
BlackBerry offers an overview of Hancitor, also known as Chanitor, a malware that depends on social engineering techniques to trick victims into executing its malicious macro code. The operators send targets a phony email mimicking a legitimate service (a fraudulent DocuSign invoice, for example) in order to convince them to click on a malicious link leading to a Trojanized Microsoft Word or Excel document. Once the document is downloaded and a connection is established with the hackers’ command-and-control infrastructure, Hancitor can download additional malicious software, such as Ficker malware (or FickerStealer) or a Cobalt Strike beacon payload, onto the victim’s device.
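Because Hancitor's first stage is a macro-bearing Word or Excel document, a useful defensive control is to triage such attachments before a user ever opens them. The script below is an added example, not code from BlackBerry's report or from any vendor: it looks inside an Office Open XML container for an embedded VBA project (a vbaProject.bin part, or the VBA content type declared in [Content_Types].xml) and returns a quarantine decision. The function names (inspect_ooxml, build_sample, should_quarantine) are hypothetical, and the sample packages are constructed in memory so the script runs offline; they are minimal test fixtures, not files produced by Office. In production you would hand flagged files to a dedicated analyser such as oletools' olevba or a sandbox, but this check shows where the signal lives.

```python
"""Triage an Office Open XML attachment for embedded VBA before a user opens it.

Added example, not from the BlackBerry report. Sample documents are
constructed in memory (test fixtures), so the script runs offline.
"""
import io
import zipfile
from typing import Dict, List

# Content type Office writes into [Content_Types].xml for an embedded VBA project.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_ooxml(data: bytes) -> Dict[str, object]:
    """Return {'is_ooxml', 'has_vba', 'vba_members', 'reasons'} for one file's bytes."""
    reasons: List[str] = []
    vba_members: List[str] = []
    is_ooxml = False
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        reasons.append("not a zip container; not OOXML")
        return {"is_ooxml": False, "has_vba": False, "vba_members": [], "reasons": reasons}

    names = archive.namelist()
    if "[Content_Types].xml" in names:
        is_ooxml = True
        # Signal 1: a vbaProject.bin part anywhere in the package (word/, xl/, ppt/).
        vba_members = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba_members:
            reasons.append("VBA project part present: " + ", ".join(vba_members))
        # Signal 2: the package declares the VBA content type, even if the part was renamed.
        content_types = archive.read("[Content_Types].xml").decode("utf-8", "replace")
        if VBA_CONTENT_TYPE in content_types:
            reasons.append("[Content_Types].xml declares a vbaProject content type")
    else:
        reasons.append("zip without [Content_Types].xml; not OOXML")

    return {
        "is_ooxml": is_ooxml,
        "has_vba": is_ooxml and bool(vba_members or VBA_CONTENT_TYPE in content_types),
        "vba_members": vba_members,
        "reasons": reasons,
    }


def should_quarantine(data: bytes) -> bool:
    """Policy hook: hold macro-bearing attachments for sandbox detonation or review."""
    return bool(inspect_ooxml(data)["has_vba"])


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped Word package (constructed fixture, not Office output)."""
    overrides = ""
    if with_macro:
        overrides = ('<Override PartName="/word/vbaProject.bin" '
                     'ContentType="' + VBA_CONTENT_TYPE + '"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + overrides + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for the OLE-structured VBA project.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("clean", build_sample(False)),
               ("macro", build_sample(True)),
               ("junk", b"not a zip"))
    for label, blob in samples:
        verdict = inspect_ooxml(blob)
        action = "quarantine" if should_quarantine(blob) else "pass"
        print(label, action, verdict["reasons"])
```

Checking both the part name and the declared content type matters because either alone can be evaded by a document that has been hand-edited; a mismatch between the two is itself worth flagging for review.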
Reflecting on the first three years of the GDPR.
In honor of the third anniversary of the General Data Protection Regulation (GDPR), Cooley is offering a webinar covering the top ten developments in the legislation’s implementation, cyber/data/privacy insights reports. Topics covered include the evolution of enforcement, the importance of user consent, a look at regulator guidance, and the challenges of data transfers for global enterprises. The webinar also explores how the GDPR has inspired countries around the globe to establish similar laws, like the US’s California Consumer Privacy Act and Brazil’s General Law for the Protection of Personal Data, and predictions for privacy legislation in 2022.
Estonian ID photos accessed by intruder.
The Record by Recorded Future reports that an Estonian hacker stole nearly 300,000 government ID photos by exploiting a vulnerability in a database belonging to the Information System Authority (RIA), the government agency that oversees Estonia’s IT systems. The threat actor, a resident of Tallinn, first obtained names and ID codes of Estonian citizens from the web, then used them to access the database and retrieve the images. The police have arrested the suspect and confiscated the stolen photos, and authorities are investigating whether the images were sent to another party. The security flaw has been patched and impacted individuals are being notified. ERR adds that head of the RIA Margus Noormaa believes the incident was arbitrary: "The [hacked] photos were random; there was no purpose here other than to get them." Still, IT and foreign trade minister Andres Sutt said the attack has compelled the government to update their data systems and seek funding to improve cybersecurity measures.
Northern Ireland COVID-19 vaccine certification system breach.
Northern Ireland's Department of Health (DoH) has experienced a data exposure resulting in the temporary shutdown of its COVIDCert NI system, a COVID-19 vaccine digital certification service. Bleeping Computer reports that the data of a limited number of COVIDCert NI users were exposed to other users. The DoH has reported the issue to the UK's Information Commissioner's Office and published a notice yesterday: "Immediate action has also been taken to temporarily remove a part of the service that manages identity."
Canadian prisoners filing lawsuit for medical data exposure.
Fifty federal prisoners in British Columbia, Canada are suing the Attorney General of Canada for violation of privacy rights, reports North Shore News. The plaintiffs say their drug prescription information, which was regularly displayed in public areas for reference by nutritional and medical staff, was also visible to other inmates, putting the plaintiffs at risk of violence at the hands of other prisoners who sought to obtain the drugs for themselves. Correctional Service of Canada (CSC) sent a letter of apology stating, “We acknowledge that CSC has a responsibility to protect personal information from unauthorized disclosure and will ensure appropriate measures are taken to prevent a reoccurrence,” but the victims still say the mishandling of the data is evidence of negligence.
MassHealth affected by third-party data exposure.
Standard Modern, a vendor that provides mailing services to MassHealth on behalf of the Massachusetts Executive Office of Health and Human Services, has disclosed a data exposure issue:
"On May 24, 2021, SMC was notified that some MassHealth members received notices that were mailed between May 10, 2021, and May 18, 2021, that contained personal information about other members. Upon learning of the incident, SMC immediately stopped mailing to MassHealth members and began an internal investigation to determine the root cause of the incident. The investigation identified that an internal program error caused the printing of incorrect addresses on a limited number of notices. SMC suspended use of this internal program and implemented additional safeguards and procedures to prevent the issue from reoccurring. SMC has since mailed the correct information to affected MassHealth members."
Health IT Security reports that the personal health information of about two-thousand MassHealth patients was affected. Demi Ben-Ari, Co-Founder and CTO at Panorays, commented on some now familiar lessons of third-party risk:
"Especially in regulated industries where data privacy and security are paramount, companies and government agencies cannot be too careful in evaluating their third parties that handle that data. This evaluation should include not just a full assessment of the security of the vendor's digital footprint to ensure they are in alignment with the organization's regulations, security controls and risk appetite, but also a full understanding of the human factor. This includes whether the vendor conducts regular security awareness training of its employees, the presence of a security team, and other indicators of a strong security posture."