Trends in ransomware. Account hijacking reported at cellular service. Data breaches.

Summary

By the CyberWire staff

At a glance.

Ransomware trends.
Cellular accounts hijacked.
COVID-19 data compromised.
Albanian voters' data leaked.
Acer India customer data offered for sale.

Trends in global ransomware activity.

For their first Ransomware Activity Report, the researchers at VirusTotal examined 80 million ransomware samples submitted by one hundred forty countries over the past eighteen months. Highlights include:

The largest number of samples came from Israel, followed by South Korea, Vietnam, and China.
The first half of 2020 showed surges in activity, and a peak in July 2021 was the result of increased action from the Babuk ransomware family.
One hundred thirty ransomware families were detected, with GandCrab the most active, and Babuk, Cerber, Matsnu not far behind.

Ransomware is now routinely accompanied by theft of sensitive data.

Hackers get to Visible accounts.

Visible, the mobile virtual network operator owned by Verizon, has confirmed that hackers have taken over multiple user accounts, 9to5Mac reports. According to users' posts on Reddit and Twitter, the attackers are locking the user out then purchasing phones on the user’s tab. The company claims there has been no breach of their internal systems, but that the intruder obtained account login credentials through a credential stuffing operation. However, according to Android Police, some victims say their login info was unique to their Visible accounts, making credential stuffing an unlikely explanation. FierceWireless notes that at least one user says Visible does not offer two-step authentication, which could have made the accounts more difficult to crack.

Saryu Nayyar, CEO of Gurucul, thinks companies undergoing incidents like this should come clean as soon as they responsibly can: “Customer transparency into attacks is really the only honest way a company can respond to its users. It’s not clear yet whether user accounts have been hacked, but Verizon has to take customers’ claims seriously. This means that Verizon has to investigate whether accounts were changed and get back to affected customers immediately on remediation efforts, as well as cancelling any orders or reimbursing customers for fraudulent orders.”

Bill Lawrence, CISO of SecurityGate, observes that utilities (and cell service can be usefully thought of in this way) often require payment methods to be associated with customers' accounts.

“This scenario sounds like the attackers could change account access and treat themselves to new iPhones with the victim’s credit. When setting up these types of accounts, first and foremost, look for multi-factor authentication options and enable them. Also, be wary of linking bank accounts directly, and if you’re using a card, credit cards have better fraud protection than debit cards. Never click the box shopping websites have to offer to save credit card information to “make the next purchase easier”. That puts your information out there to be lost in each company’s future breach. Use a password manager or your browser instead. And regularly keep an eye out for other fraudulent activity in your accounts.”

Belgian COVID-19 data compromised.

Belgium has disclosed its CovidScan app, used to verify COVID vaccinations, experienced a leak potentially exposing the data of 39,000 individuals, Bloomberg reports. The timing is less than ideal, as Brussels planned to start requiring proof of vaccination in restaurants, bars, sports clubs, and hospitals as of this coming Friday.

Albanian voter data leak.

US Ambassador to Albania Yuri Kim has requested an investigation into the exposure of a database allegedly used by Albania’s ruling Socialist party to keep track of citizens’ voting preferences. EURACTIV details that the database contained info on over 910,000 citizens including names, phone numbers, employer, and voting preferences, as well as a party member assigned to keep tabs on the individual’s political leanings. On twitter, Kim echoed the sentiments of the OSCE-ODIHR election monitoring mission: “Albania should ensure the security of citizens’ personal data. Relevant institutions should thoroughly investigate and sanction any breach which impacts public confidence in the electoral process.”

Hacker offers 60GB of Acer data for sale.

After criminals on an underground forum attempted to sell 60GB of data stolen from Acer, the electronics company has confirmed it experienced a data breach, its second attack this year. Acer told the Record by Recorded Future, “We have recently detected an isolated attack on our local after-sales service system in India. Upon detection, we immediately initiated our security protocols and conducted a full scan of our systems.” The data, which was leaked by hacking group Desorden, allegedly includes customer info and login credentials for over three thousand Indian retailers and distributors. The Hindustan Times adds that the threat actors promised that “More data will be published.” Though Acer has not yet verified the authenticity of the data, researchers at Privacy Affairs say it appears to be “accurate and genuine.”

Selected Reading

We analyzed 80 million ransomware samples – here’s what we learned (Google) Leaders at organizations across the globe are witnessing the alarming rise of ransomware threats, leaving them with the sobering thought that an attack on their business may be not a matter of if, but when.The stakes are becoming higher. Hackers aren’t just demanding money, they’re threatening to reveal sensitive or valuable information if companies don’t pay up or if they contact law enforcement authorities.

Heads up: Verizon's Visible MVNO accounts are getting hacked left and right (AndroidPolice) Users are reporting account hijacks, address changes, and unauthorized purchases

Verizon’s Visible confirms accounts were breached – report (FierceWireless) Some customer accounts for the Verizon-backed all-digital prepaid brand Visible were breached after bad actors obtained password and login information from “outside sources,” the company confirmed on social media Wednesday.

Apparent Verizon Visible hack was credential stuffing attack, says carrier [U] (9to5Mac) Multiple reports of an apparent Verizon Visible hack, with attackers changing shipping addresses, then ordering phones that are charged ...

Romance scams with a cryptocurrency twist – new research from SophosLabs (Naked Security) Romance scams and dating site treachery with a new twist – “there’s an app for that!”

Acer India servers breached? Hackers claim over 60GB data accessed (Hindustan Times) In what could be a second data breach at technology company Acer this year, a hacker group has claimed it has accessed over 60GB of data from its India servers

US diplomat asks Albanian prosecutors to investigate mass citizen data breach (www.euractiv.com) US Ambassador to Albania Yuri Kim has called on prosecutors to investigate any breach of citizens’ privacy following the mass publication of personal data before April’s general elections.

Belgium’s Covid App Reports Data Breach Days Before Pass Rollout (Bloomberg) Watchdog says the leak exposes data of 39,000 people. Brussels is due to roll out Covid pass mandate for restaurants.

Facebook Can Process Data Without Consent: Irish Watchdog (Law360) Facebook does not need to get consent to process European users' data if the users agree to terms of service, Ireland's Data Protection Commissioner has said in a draft ruling that an activist claims endorses a "legal trick" that "undermines" EU privacy laws.

NJ Fertility Clinic Inks Deal To Settle AG's Data Breach Probe (Law360) A New Jersey fertility clinic has agreed to pay $425,000 and strengthen its data security to resolve claims that it failed to put adequate measures in place to protect health information that was swept up in a data breach that affected nearly 15,000 patients, the state attorney general said Tuesday.

Judge rules neighbour's Ring doorbell cameras breached privacy (Mail Online) Jon Woodard, 45, may have to pay Dr Mary Fairhurst more than £100,000 in damages after a judge found his use of the cameras broke data laws.