At a glance.
- LightBasin activity cluster looks like telco-compromising SIGINT.
- Ireland's DPC draft decision would permit Facebook to obtain user consent by contract.
- UPMC hacker gets seven years for conspiracy to defraud the US Government and aggravated identity theft.
- Ransomware disrupts production at Ferrara Candy.
LightBasin espionage operation threatens telecom sector.
Researchers at CrowdStrike have discovered a surveillance activity cluster, dubbed LightBasin (China-linked but not formally attributed), that has been infiltrating the global telecommunications industry since 2016. The operation exhibits impressive knowledge of the industry, emulating telecom protocols in order to develop customized infiltration techniques for gathering subscriber information and call metadata, intelligence that would likely be of interest to signals intelligence organizations. While the researchers don’t directly attribute the operation to China, clues within the tools’ code indicate that the group has knowledge of the Chinese language. CyberScoop notes that the report comes on the heels of the US Central Intelligence Agency’s push to concentrate on China’s capabilities in light of mounting geopolitical competition. CrowdStrike’s senior vice president of intelligence, Adam Meyers, underscores how this operation could render traditional malware attacks unnecessary: “They don’t need to deploy the malware onto your phone if they’re owning the network that your phone is riding on.”
Facebook given permission to bypass user consent.
The Irish data protection commissioner (DPC) has drafted a decision that allows Facebook to effectively bypass the General Data Protection Regulation (GDPR) by permitting the social media giant to process EU user data without obtaining user consent. It’s well known that consent is a central requirement of the GDPR, but Security Week discusses how Facebook uses its Terms of Service statement to circumvent this stipulation. By adding data processing specifications to its general terms and conditions, which every user must accept in order to use the platform, Facebook is effectively entering into a contract with every user. The Terms of Service statement details a list of “core data uses,” including “to transfer, transmit, store, or process your data outside the EEA, including to within the United States and other countries.” In other words, by allowing this, the Irish data protection authority is implying that Facebook does not have to adhere to the GDPR’s definition of user consent or to the European Court’s Schrems II ruling, which states that the transfer of European PII to the US is illegal under the Privacy Shield.
UPMC tax fraud hacker sentenced.
Justin Sean Johnson, the hacker responsible for stealing the private data of over 65,000 employees of University of Pittsburgh Medical Center (UPMC), located in the state of Pennsylvania, has been sentenced to seven years in prison for conspiracy to defraud the United States and aggravated identity theft. As Security Week explains, the breach fueled a tax fraud operation in which cybercriminals, customers of Mr. Johnson, claimed hundreds of thousands of dollars in illicit refunds. Johnson (also known as TheDearthStar or Dearthy Star) is also responsible for the theft of around 90,000 additional sets of tax data from other sources that yielded nearly $2 million in fraudulent tax return claims.
More trick than treat.
Is candy corn, universally considered the worst of all Halloween candies, unappealing enough to inspire a cybercrime operation just to halt its production? DarkReading reports that candy corn maker Ferrara Candy Co. suffered a ransomware attack earlier this month that resulted in the shutdown of some of its systems and interrupted manufacturing at select plants. However, fans of the waxy, tri-colored confection need not worry about All Hallows’ Day: since most shipments were completed in advance of the attack, Ferrara says the attack shouldn’t affect the Halloween candy supply. The disruption appears to have affected production only; there are no reports of personal data being lost.
As it is, the effects of a ransomware attack are worth some reflection. Alex Pezold, CEO of TokenEx, wrote:
"Being locked out of your systems by ransomware can have immediate and dire consequences for all organizations. Whether that’s disrupting supply chain management or preventing you from processing transactions, every second that your systems are down costs you money.
"It is clear that ransomware attacks and other attempts to breach data stores are growing more frequent than ever, so every organization must have a plan for what data to protect and how to protect it. As experts continue to investigate and we learn more about the specific attack methods the hackers used, we need to also consider more effective defenses. Specifically, we should work to build resilience into company systems and implement proper disaster-recovery protocols so those systems can be 'rebooted,' if needed."
Danny Lopez, CEO of Glasswall, perceives the seasonal angle:
"It's likely no coincidence that attackers are hitting a candy company's supply chain just before Halloween -- knowing full well the urgency and demand at this time of year will increase the likelihood they'll get the payment desired. Ferrara, however, is not alone. Ransomware attacks across industries are on the rise.
"Organisations need to adopt robust processes for onboarding and offboarding employees and affiliates that may receive access to key information systems. It's vital to control privileged access and to monitor those that enjoy that administrator privilege. Ensuring that multi-factor authentication is enforced wherever possible is a vital defence where user credentials find their way into the public domain. This will help to limit the blast radius, and in most cases, defeat the data breach.
"Even if all procedures and policies are well executed, there's no escaping the fact that adversaries are constantly looking to probe vulnerabilities and to insert malware into the environment, often using everyday business documents which we all use. It's vital that critical infrastructure organisations invest in cyber protection services that stay ahead of attackers by eliminating the threats while still allowing employees to do their vital work.
"Attacks like these demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers it is crucial to strengthen all processes relating to access verification. Without a zero trust approach organisations run the risk of attackers having free rein across a network once they are inside."
And, finally, Egnyte's Cybersecurity Evangelist, Neil Jones, thinks the latest incident should lend some urgency to preparation against ransomware:
"The recent Ferrara Candy ransomware attack -- along with the JBS and Colonial Pipeline cyber attacks that preceded it -- demonstrates that your organization needs to make cybersecurity a Boardroom priority, if you haven't done so already. For years, cybercriminals have attacked targets for financial gain, but now we're seeing an alarming pattern of debilitating attacks on our food, critical infrastructure, and IP supply chain, which can have a crippling impact across the US economy. While advocating support from your executive team, you need to implement proactive data hygiene and protective behaviors, such as patching your CVEs and hardening your databases now. It could be a real lifesaver."