At a glance.
- OpenSubtitles discloses cyberattack.
- Third-party data breach at the International Red Cross.
- US Olympic Committee tells winter athletes to use burner phones.
- Conti ransomware compromises data at RR Donnelly.
Subtitle repository data breach exposes user data.
Leading online subtitle repository OpenSubtitles has disclosed it experienced a cyberattack last August that exposed the personal data of 7 million subscribers. TorrentFreak reports that email and IP addresses, usernames, and passwords were among the stolen data, which a hacker posted online this week. According to an administrator post on the OpenSubtitles forum, the hacker demonstrated how he had infiltrated the system by obtaining the security password of a SuperAdmin, gaining access to an unsecured script that allowed him to perform SQL injections to extract the data. The attacker also requested a bitcoin ransom, which OpenSubtitles did not pay as it was “not a low amount of money,” but it wasn’t until this month that one of the original hacker’s collaborators decided to publish the stolen data. Subscribers are being urged to change their passwords. It’s worth noting that OpenSubtitles is considered a pirate service and blocked by ISPs in many countries including Australia, Greece, and Norway.
Third-party Red Cross data breach impacts highly vulnerable populations.
SecurityWeek reports that the International Committee of the Red Cross (ICRC), a humanitarian organization, suffered a third-party data breach that resulted in the theft of the data of over 515,000 “highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention,” a statement from the organization explains. Headquartered in Geneva, ICRC does not know who carried out the attack, but the attackers targeted a Switzerland-based firm that the Red Cross uses for data storage. Though there is no indication that the data has been published, ICRC director-general Robert Mardini stated, “An attack on the data of people who are missing makes the anguish and suffering for families even more difficult to endure.” As a result of the breach, ICRC was forced to shut down the systems supporting its Restoring Family Links program. Red Cross spokesperson Elizabeth Shaw told CNN, “As a first step, we will work with most concerned ICRC delegations and Red Cross and Red Crescent societies on the ground to find ways to inform individuals and families whose data may have been compromised, what measures are being taken to protect their data and the risks they may possibly face.”
Olympian efforts to protect athlete data.
As Olympic athletes prepare for next month’s Winter Games being held in Beijing, the US Olympic and Paralympic Committee is recommending that travelers not bring their personal phones into China, but instead use burner phones and rental computers in order to protect their data. They also suggest that the devices be wiped and destroyed upon return. A notice from the committee states, “No guarantees of data privacy or security should be made regardless of the security technology utilized. Assume that every device and every communication, transaction, and online activity will be monitored. Devices may also be compromised with malicious software designed to compromise the device and its future use.” As SecurityWeek notes, the guidance comes on the heels of the detection of a vulnerability in the MY2022 COVID monitoring app being used by athletes, journalists, and other attendees of the Beijing games that could expose the app’s data to leaks.
Conti ransomware group confirms data theft from RR Donnelley.
Marketing firm RR Donnelley (RRD) has disclosed that the cyberattack it experienced in December was the work of the Conti ransomware group. The attack led to the shutdown of RRD’s systems and disruptions for clients awaiting documents required for vendor payments, disbursement checks, and motor vehicle documentation. Bleeping Computer explains that although RRD initially stated it did not believe any client data had been exfiltrated, on January 15 Conti began to publish 2.5GB of data allegedly obtained in the attack. According to Bleeping Computer, Conti soon took the data down, presumably because RRD began negotiation proceedings with the threat group. In light of the new developments, RRD released a new 8-K filing with the US Securities and Exchange Commission stating “the Company has become aware that certain of its corporate data was accessed and exfiltrated, the nature of which is being actively examined. Based on information known to date, the Company believes the access and exfiltration was in connection with the previously disclosed systems intrusion and not a new incident.”
Tim Erlin, VP of strategy at Tripwire, wrote to remind us that ransomware is now typically of the double-extortion variety, threatening doxing as well as denial:
“Ransomware isn’t just about encrypting your data any longer. It’s now about exfiltrating your data and holding it hostage. The strategy of taking a copy of data to ransom means that simply having backups from which you can restore isn’t really a sufficient ransomware strategy.
“In most incidents, the initial discovery and report rarely provide a complete picture. The fact is, it takes time for organizations to discover what really happened. Additional information is bound to come out after the initial report. A rigorous change detection and configuration management program can not only help prevent breaches, it can also help organizations figure out what happened faster.
“As usual, the reporting and the regulatory filing focus on the ransomware and the data, but don’t really explain how the attacker was able to succeed. Information about how the attack occurred, the initial vector and subsequent steps, can really help other organizations organize their defensive measures. Successful ransomware attacks aren’t inevitable. Implementing strong security controls can prevent these types of attacks, but more information makes for better defensive decisions.”