At a glance.
- Cheerscrypt described.
- Twitter settles with FTC over data privacy.
- Update on SpiceJet's ransomware incident.
Three (Bronx) cheers for Cheerscrypt.
The researchers at Trend Micro offer details on Cheerscrypt, a recently observed Linux-based ransomware family targeting VMware ESXi servers. ESXi is a bare-metal hypervisor for creating and running several virtual machines (VMs) that share the same hard drive storage, which makes it an efficient vector for infecting many computers at once, and ESXi servers have been targeted by the LockBit, Hive, and RansomEXX ransomware operations in the past. To ensure that it can successfully encrypt VMware-related files, Cheerscrypt implements a command to terminate VM processes. Based on ransom notes discovered after encryption, Cheerscrypt uses double-extortion tactics to pressure the victim into meeting the threat actors’ ransom demands. To defend against Cheerscrypt, organizations are advised to follow the security frameworks established by the Center for Internet Security and the National Institute of Standards and Technology.
Twitter reaches settlement for misuse of private user data.
The US Justice Department and the Federal Trade Commission (FTC) report that Twitter Inc has agreed to a $150 million settlement over allegations the social media platform misrepresented how it would use private data supplied by users. According to court documents, between May 2013 and September 2019, Twitter allegedly violated the FTC Act and a 2011 settlement with the agency by telling users their telephone numbers and email addresses would be used for security purposes, when in fact they were used for targeted advertising. FTC Chair Lina Khan said in a statement, “Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads. This practice affected more than 140 million Twitter users, while boosting Twitter's primary source of revenue.” Reuters reports that in addition to the settlement payment, Twitter will also be required to improve its compliance practices. It’s worth noting that businessman Elon Musk, who is in the process of purchasing Twitter and has previously criticized the platform for its targeted advertising practices, tweeted in response to the settlement, “If Twitter was not truthful here, what else is not true? This is very concerning news.”
SpiceJet ransomware attack leaves passengers grounded.
Indian budget airline SpiceJet has disclosed it suffered an attempted ransomware attack that disrupted operations, delaying flights on Wednesday and leaving many passengers stranded. BBC News reports the airline tweeted last night, “Certain SpiceJet systems faced an attempted ransomware attack last night that impacted and slowed down morning flight departures today. Our IT team has contained and rectified the situation and flights are operating normally now.” Following the tweet, however, many passengers reported they were still stranded in airports after hours of waiting, and with the customer service phone lines and online booking systems down, they had little information about when their flights would take off. Bleeping Computer confirmed that as of this morning, only the SpiceJet homepage was working, while most other webpages failed to load, and flight status updates indicated delays of up to five hours. When asked for comment, a SpiceJet spokesperson explained, “While our IT team has to a large extent contained and rectified the situation, this has had a cascading effect on our flights leading to delays. Some flights to airports where there are restrictions on night operations have been cancelled. SpiceJet is in touch with experts and cyber crime authorities on the issue.”
Stephan Chenette, Co-Founder and CTO at AttackIQ, comments on the costs of even a partially successful response to an attack:
"Although SpiceJet Airline was able to contain the recent ransomware attack, the airline is still suffering from flight delays, unavailable booking systems, and no way for customers to contact customer service. As evidenced by this and many other recent ransomware attacks, it’s no longer an issue of just whether or not to pay the ransom – it is likely that the organization will suffer reputational damage, legal consequences, and loss of data and business.
"To best defend against ransomware, it’s important to understand the common tactics, techniques, and procedures used by the adversary. In doing so, companies can build more resilient security detection, prevention, and response programs mapped specifically to those known behaviors. It’s also crucial for organizations to validate their security controls and configurations and adopt a proactive and threat-informed approach to security strategy that allows the company to know it can thwart ransomware attacks.”
Josh Rickard, Security Automation Architect at Swimlane, also noted the consequences of even a largely thwarted attempt:
"Although SpiceJet was able to curb this attack before it was able to take over fully, most of the time organizations faced with similar cyberattacks aren’t so lucky, and even so, consequences still stand. In this case, customers of the second largest airline in India have taken to social media to express concerns over severely delayed flights and other online access issues. SpiceJet is fortunate that these are the extent of their problems – had systems been fully breached, they could be facing more severe ramifications consisting of exposed data, system-wide outages and reputation damage. It’s worth noting that SpiceJet also experienced a data breach in January 2020 that resulted in the personal information of over one million customers being exposed. This, in addition to this latest incident, is a highly concerning pattern.
"To ensure that organizations are prepared to defend against similar cyber incidents, and requisite day-to-day operations are able to occur without disruption, it is essential that security and IT teams have full visibility into their environments. Leveraging low-code security automation allows these teams to respond to threats in real time to limit the consequences of these attacks, as well as minimize the chance of human error within IT processes by centralizing and automating detection, response and investigation protocols into a single platform.”