At a glance.
- Call center data leak.
- Gun owner database possibly exposed.
- Healthcare data breaches.
- FBI warns of evolved Mamba ransomware
- CNA shuts down its network after a ransomware attack.
- Android malware pretends to be a system update app.
- Patient data saved to removable devices.
- Criminal-on-criminal crossfire.
- Update on the Fat Face breach.
Robocall data leak reveals security risks.
Website Planet explains that a recent data exposure from a robocall center sheds light on the practice of autodialing. Last October, researchers at Website Planet discovered an unsecured database of phone call records from 200 Networks, LLC, a robocall service provider based in the US state of Nevada. Once notified, the company secured the database quickly, but in just the twenty-four hours the researchers had access, nearly 1.5 million calls were made, exposing outgoing and incoming call data. The service places calls from all over the world using voice over internet protocol (VoIP), with call setup handled by the Session Initiation Protocol (SIP). SIP is a text-based protocol similar in form to HTTP, and its signaling is readable by anyone who can observe or obtain it, exposing data about the caller’s device. Researchers also found evidence that *67 caller ID blocking did not protect a recipient’s phone number from being exposed.
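The following example, added here and not part of Website Planet's report, shows concretely what "text-based" means for SIP: it parses a constructed INVITE (the IP addresses, numbers and User-Agent string are invented for illustration) and lists the caller metadata that anyone holding the message, or a database of such records, can read directly. It also goes one step beyond the report to show why a privacy request inside the protocol is not protection by itself: per RFC 3325, "Privacy: id" only instructs a proxy at the edge of the provider's trust domain to strip the asserted identity before forwarding, so the number remains in every copy of the message kept before that point. That is the same shape of problem the *67 finding describes.

```python
"""SIP is plain text: parse a request and list what it reveals in the clear."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample INVITE, not a captured message. The IPs (RFC 5737
# documentation range), numbers and User-Agent string are invented.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+15551234567@pbx.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 203.0.113.45:5060;branch=z9hG4bK776asdhds",
    "Max-Forwards: 70",
    'From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=1928301774',
    "To: <sip:+15551234567@pbx.example.net>",
    "P-Asserted-Identity: <sip:+17025550100@dialer.example.net>",
    "Privacy: id",
    "Call-ID: a84b4c76e66710@203.0.113.45",
    "CSeq: 314159 INVITE",
    "Contact: <sip:dialer@203.0.113.45:5060>",
    "User-Agent: ExampleDialer/4.2 (Linux; x86_64)",
    "Content-Length: 0",
    "",
    "",
])

_URI_USER = re.compile(r"sips?:([^@;>\s]+)@")          # user part of a SIP URI
_VIA_HOST = re.compile(r"SIP/2\.0/\w+\s+([^;:\s]+)")  # sent-by host in a Via header


@dataclass
class SipMessage:
    start_line: str
    # Header names are case-insensitive in SIP; store them lower-cased, and keep a
    # list per name because some headers (Via, Record-Route) legitimately repeat.
    headers: dict = field(default_factory=dict)

    def first(self, name: str) -> Optional[str]:
        values = self.headers.get(name.lower())
        return values[0] if values else None


def parse_sip(raw: str) -> SipMessage:
    """Split a SIP message into its start line and headers (any body is ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    msg = SipMessage(start_line=lines[0])
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")  # split on the first colon only
        msg.headers.setdefault(name.strip().lower(), []).append(value.strip())
    return msg


def exposed_metadata(msg: SipMessage) -> dict:
    """Everything a reader of this message (on the wire or in a leaked record) learns."""
    identity = msg.first("P-Asserted-Identity") or msg.first("From") or ""
    caller = _URI_USER.search(identity)
    callee = _URI_USER.search(msg.first("To") or "")
    via = _VIA_HOST.search(msg.first("Via") or "")
    privacy_tokens = (msg.first("Privacy") or "").lower().split(";")
    return {
        "caller_number": caller.group(1) if caller else None,
        "callee_number": callee.group(1) if callee else None,
        "caller_ip": via.group(1) if via else None,  # first hop: the dialer's own host
        "user_agent": msg.first("User-Agent"),       # software and OS of the caller's device
        "privacy_requested": "id" in privacy_tokens or "header" in privacy_tokens,
    }


def strip_for_untrusted(msg: SipMessage) -> SipMessage:
    """What an edge proxy must do when Privacy: id is set (RFC 3325): drop the asserted
    identity before the message leaves the trust domain. Until a proxy does this, the
    number is still present in the message and in any log or database that stored it."""
    out = SipMessage(start_line=msg.start_line,
                     headers={k: list(v) for k, v in msg.headers.items()})
    if exposed_metadata(msg)["privacy_requested"]:
        out.headers.pop("p-asserted-identity", None)
        out.headers.pop("p-preferred-identity", None)
    return out


if __name__ == "__main__":
    inside = parse_sip(SAMPLE_INVITE)
    print("as stored by the provider:", exposed_metadata(inside))
    print("after edge proxy honours Privacy: id:", exposed_metadata(strip_for_untrusted(inside)))
```

Running it shows the asserted number, the dialer's IP and its User-Agent string all readable in the stored form, and only the number disappearing once the trust-boundary proxy acts; the caller's IP and software fingerprint survive even then, because Privacy: id never covered them.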
Could data dump be breach smoking gun?
An anonymous hacker has leaked a large cache of files that he alleges were stolen from online firearm peddler Guns.com, Gizmodo reports. Published on popular underground website Raid Forums, the data included customer login credentials, full names, email addresses, phone numbers, and most notably, full physical addresses. The dump also revealed details about the types of guns sold and purchased, as well as back-end code for a Laravel-powered version of the website. The hacker promises there’s more ammunition where that came from, and that he’s willing to unload it all for free. Guns.com experienced a data breach in January, but at the time the company claimed they’d dodged a bullet, as the attack’s apparent intention was merely to disrupt business operations, not steal data. While there’s no evidence that the exposed data are linked to the recent attack, the timing of the leak would imply the company jumped the gun in assuming no data were compromised.
Threat actors release stolen data from healthcare entities.
In further evidence that cybercriminals will continue to target the healthcare sector this year, the threat groups Conti, Babuk, and Avaddon have published data allegedly stolen from five US and UK healthcare institutions, HealthITSecurity reports. Avaddon leaked approximately 2.09GB of data they claim belongs to Bridgeway Senior Healthcare, and has promised to release more data if their ransom demands are not met. Conti also posted data allegedly from UK medical technology company Livanova, and Babuk published data supposedly from Cardiva Medical, a California medical device company.
FBI warns of Mamba ransomware attacks.
The US Federal Bureau of Investigation (FBI) has released a statement warning US organizations of increased attacks from the Mamba ransomware group, The Record by Recorded Future reports. First detected in 2016, Mamba ransomware is notorious for its ability to first encrypt data, then rewrite the system’s Master Boot Record (MBR), which prevents the computer from booting normally and instead presents a ransom request on a pre-OS-boot screen. The FBI warned on Tuesday that the ransomware “has been deployed against local governments, public transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses.” However, the FBI has found a potential weakness in Mamba’s encryption component, the open-source disk encryption tool DiskCryptor, that could allow the victim to recover its files if the attack is caught in its early stages: “The encryption key and the shutdown time variable are saved to the configuration file (myConf.txt) and is readable until the second restart about two hours later.”
Cyberattack shuts down CNA Financial’s network.
Information Security Magazine reports that US insurance giant CNA Financial, one of the country's largest commercial property and casualty insurance companies, was the victim of a cyberattack that has forced the company to completely shut down its network. CNA’s official statement called the attack “sophisticated” and revealed that corporate email was among the systems disrupted. At this point there is no evidence that customer data has been compromised, but if data exposure becomes evident, CNA has pledged to notify all impacted parties. Though CNA hasn’t confirmed the nature of the attack, Security Week notes that the complete network shutdown could indicate a ransomware attack, as a proactive lockdown can prevent further data encryption. BleepingComputer has reported that the incident was an attack with Phoenix CryptoLocker ransomware. Law enforcement has been notified and an investigation is underway.
Android malware masquerades as a "system update."
Zimperium reports finding a new strain of Android malware circulating in the wild. It pretends to be a system update app, and it carries with it an impressive array of privacy-compromising capabilities:
- "Stealing instant messenger messages;
- "Stealing instant messenger database files (if root is available);
- "Inspecting the default browser’s bookmarks and searches;
- "Inspecting the bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser;
- "Searching for files with specific extensions (including .pdf, .doc, .docx, and .xls, .xlsx);
- "Inspecting the clipboard data;
- "Inspecting the content of the notifications;
- "Recording audio;
- "Recording phone calls;
- "Periodically take pictures (either through the front or back cameras);
- "Listing of the installed applications;
- "Stealing images and videos;
- "Monitoring the GPS location;
- "Stealing SMS messages;
- "Stealing phone contacts;
- "Stealing call logs;
- "Exfiltrating device information (e.g., installed applications, device name, storage stats); and
- "Concealing its presence by hiding the icon from the device’s drawer/menu."
Zimperium includes a useful set of indicators of compromise.
Medical device stored sensitive patient information in removable media.
CISA warned yesterday of a vulnerability in the Philips Gemini PET/CT family of devices, whose software saves patient data to removable media. CISA cites Philips's guidance and mitigations:
- Users should operate all Philips deployed and supported Gemini PET/CT systems within Philips authorized specifications, including Philips approved software, software configuration, system services, and security configuration.
- Philips also recommends users implement a comprehensive, multi-layered strategy to protect systems from internal and external security threats, including restricting physical access of the scanner and removable media to only authorized personnel to reduce the risk of physical access by an unauthorized user.
- Patient health related information recorded on removable media may become accessible to unauthorized individuals despite the application of the anonymize function, which could create a security risk.
Matias Katz, CEO of Byos, emailed us comments on the risks removable storage devices present to medical systems:
“Removable storage without proper access control is yet another example of the increasing number of vulnerabilities found in medical devices. These vulnerabilities highlight the need to rethink how we secure medical devices using zero trust principles. Healthcare Delivery Organizations rely on OEMs and 3rd party integrators to manage, patch, update, monitor and troubleshoot these medical devices inside of their networks - but they don't trust them. Security through endpoint micro-segmentation gives network owners the ability to isolate and manage medical devices without establishing implicit trust or configuring the network to allow external access. Granular control and visibility of sprawling medical device inventories will help HDOs move toward a more preventative approach to securing their networks.”
Civilians caught in criminal-on-criminal cyber crossfire.
Criminal-on-criminal crime hit the Carding Mafia, an underworld forum in which paycard data are sold, shared, and traded, Vice reports. According to Have I Been Pwned, the stolen records included email addresses, IP addresses, usernames, and hashed passwords for nearly 300,000 people.
We received comment on the incident from ImmuniWeb's Ilia Kolochenko, who sees a difficult investigation ahead for the police:
“Most of the compromised accounts have fake data and IPs from anonymous VPNs or proxies that are not likely to bring much actionable evidence to law enforcement agencies for investigation. Moreover, even the Western law enforcement agencies are currently underequipped to investigate and prosecute cybercrime on a large scale, and will probably not initiate investigatory operations after the leak.
"On the other hand, private messages – if also stolen – can be a treasure trove: many beginners carelessly expose sensitive technical, personal and other details there. Even a simple analysis of the unencrypted messages can paint a broad picture of the underground marketplace and shed light on the true identities of wrongdoers and their clients. Cybercriminals will probably not exploit the stolen information in an aggressive manner except for some rival gangs aiming to stiff competition.
"It would be interesting to learn about the origins of the hack, but mostly it will have stemmed from a 0day in forum web software, compromised admin’s machine or maybe even a password reuse attack. We will probably not get a forensic report and may just observe how the situation develops.”
Update on the Fat Face affair.
We described the Fat Face breach yesterday, and the company's unusual request (unusual even for a lifestyle retailer) that those affected by the breach keep it quiet. Saryu Nayyar, CEO of Gurucul, also found this aspect of the response odd:
“The breach of UK clothing retailer Fat Face is interesting more for their response than the incident itself. While the data stolen was limited, it would still be useful to attackers. Their response to customers included an advisory to keep the incident in confidence. That is unusual and would seem to fly in the face of the UK's data protection laws. While a business might suffer a hit to their reputation after a breach, it is guaranteed to suffer a greater hit if they try to conceal one. Customers and the general public appreciate transparency and it goes a long way to restoring trust after a cybersecurity incident."
Transparency has often proved to be good business.