At a glance.
- Hackers demand hefty ransom for Dominican Republic government agency data.
- Lockdown Mode might not be as safe as it seems.
- Leaked documents shed light on the commercial spyware market.
- College student wins lawsuit claiming remote room scan was a violation of privacy rights.
- Security incident at LastPass exposes development environment.
- Update on the Twilio hack.
Hackers demand hefty ransom for Dominican Republic government agency data.
The Dominican Republic's Instituto Agrario Dominicano (IAD), the agency responsible for the country's agrarian reform programs, was hit last week with a ransomware attack by the Quantum group, a rebrand of the MountLocker operation now associated with former members of the Conti ransomware operation. Bleeping Computer reports that the attackers disrupted operations by encrypting multiple services and workstations, and that they claim to have stolen over 1TB of data, which they've threatened to release if IAD does not pay. IAD Director of Technology Walixson Amaury Nuñez stated, "They ask for more than 600 thousand dollars. We were affected by four physical servers and eight virtual servers; virtually all servers." The National Cybersecurity Center (CNCS), which is assisting with recovery, says the attackers used IP addresses geolocated to the US and Russia. The IAD has no dedicated security department and no sophisticated security tooling, and it is unlikely the agency could afford the ransom even if it wanted to pay.
Stephan Chenette, Co-Founder and CTO, AttackIQ, wrote to explain why governments, like healthcare organizations, are attractive targets for ransomware:
“Just last month Quantum ransomware group was responsible for a data breach that affected over 650 healthcare providers. Now, the Dominican Republic's Instituto Agrario Dominicano has suffered a ransomware attack by Quantum. Personally identifiable information, which includes names, email addresses, databases, and applications, was hacked. This data can now be bought and sold for top dollar on the dark web, further exposing victims to future fraud or phishing attacks. Additionally, this attack has disrupted the agency’s operations until a ransom of $600,000 has been paid to Quantum.
"Government organizations are an attractive target for cybercriminals because of the wealth of sensitive information they hold. It is critical for all organizations that manage sensitive information to adopt a threat-informed cyber-defense strategy. This approach should be tailored to focus on the adversaries most likely to impact their operations to maximize their ability to protect sensitive information. This should include mapping organizational capabilities and security controls to specific attack scenarios to measure their preparedness to detect, prevent and respond to these threats. They should also employ continuous evaluation of their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses.
"To best defend against ransomware attacks, it is also important to understand the common tactics, techniques, and procedures used by the adversary. Using the MITRE ATT&CK framework, government organizations can test their cyberdefenses against known threats and ensure that their defenses function as they should. This gives organizations a ready-made, adaptive means to plan for threats."
Lockdown Mode might not be as safe as it seems.
Starting next month, Apple iPhone and iPad users will be able to activate a new, “extreme” privacy setting called Lockdown Mode. Intended for journalists, activists, and anyone else who fears their devices may be targeted by sophisticated spyware (Pegasus, anyone?), Lockdown Mode disables certain features that attackers have used to compromise and track Apple devices in the past. However, John Ozbay, CEO of privacy-focused encryption company Cryptee, says users in Lockdown Mode will be trading privacy for security, because the setting makes them easier to single out. Ozbay explained to Vice, “Let's say you're in China, and you're using Lockdown Mode. Now, any website that you visit could effectively detect you are using Lockdown Mode, they have your IP address as well. So they will actually be able to identify that the user with this IP address is using Lockdown Mode.” Ozbay built a proof-of-concept website that detects whether a visitor is using Lockdown Mode, and other researchers say the trade-off may be unavoidable. Ryan Stortz, an independent iOS researcher, stated, “As for fingerprinting, it’s sadly a trade off we always have to deal with. The same is true of Tor and the Tor Browser—they go to huge lengths to reduce any fingerprinting ability but you end up standing out because you’re the one with less traceable fingerprints.”
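To make the detection concrete, here is an added example, written for this page and not taken from Ozbay's proof of concept or from Apple. Apple's own Lockdown Mode documentation says web fonts may not be displayed, so a page can try to load a web font and treat a load failure as a (noisy) signal that the visitor has Lockdown Mode enabled. The `env` parameter, the fake browser, the font URL and the user fractions below are constructed for the example so it can run outside a browser; the `identifyingBits` helper quantifies Stortz's point that a rare setting makes its users stand out.

```javascript
// Added example: a web-font probe of the kind a site can run against a visitor,
// plus a measure of how identifying a rare setting is. Not Ozbay's code.
// Apple documents that Lockdown Mode may not display web fonts, so a FontFace
// that fails to load is a signal (shared with font blockers and network errors).

// `env` is injected so the probe can be exercised with a fake browser below;
// in a real page call probeWebFontBlocked('/probe.woff2') and let it default.
async function probeWebFontBlocked(fontUrl, env = globalThis) {
  if (typeof env.FontFace !== 'function' || !env.document || !env.document.fonts) {
    return null; // no CSS Font Loading API here (e.g. Node): cannot probe
  }
  const face = new env.FontFace('LockdownProbe', `url(${fontUrl})`); // hypothetical family name
  try {
    await face.load();            // rejects when the font is blocked or unreachable
    env.document.fonts.add(face);
    return false;                 // web fonts load: not Lockdown Mode
  } catch (_err) {
    return true;                  // blocked: Lockdown Mode, a font blocker, or a fetch error
  }
}

// A boolean shared by a fraction p of the visitor population contributes
// -log2(p) bits toward a unique fingerprint: the rarer the setting, the more it
// narrows down who you are when combined with an IP address.
function identifyingBits(fraction) {
  if (!(fraction > 0 && fraction <= 1)) throw new RangeError('fraction must be in (0, 1]');
  return -Math.log2(fraction);
}

// Fake browser environment, constructed for this example, standing in for the DOM.
function fakeBrowser({ fontLoads }) {
  class FontFace {
    constructor(family, source) { this.family = family; this.source = source; }
    load() { return fontLoads ? Promise.resolve(this) : Promise.reject(new Error('font blocked')); }
  }
  const loaded = new Set();
  return { FontFace, document: { fonts: { add: (f) => loaded.add(f), loaded } } };
}

// Demo run: a normal browser, a Lockdown-like browser, and a non-browser.
(async () => {
  console.log('normal browser  :', await probeWebFontBlocked('/probe.woff2', fakeBrowser({ fontLoads: true })));
  console.log('lockdown-like   :', await probeWebFontBlocked('/probe.woff2', fakeBrowser({ fontLoads: false })));
  console.log('no DOM (Node)   :', await probeWebFontBlocked('/probe.woff2'));
  console.log('1 in 1000 users :', identifyingBits(0.001).toFixed(2), 'bits');
})();
```

The probe returns true for anyone whose browser refuses the font, so a real detector would combine it with other Lockdown Mode side effects (such as JIT being disabled) before drawing conclusions; the point is that any deviation from the default configuration is observable by the sites you visit.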
Leaked documents shed light on the commercial spyware market.
Malware research collective Vx-underground has published leaked confidential documents indicating that spyware vendor Intellexa is offering a surveillance package that includes Android and iOS device exploits for an €8 million price tag. SecurityWeek notes that Intellexa is fairly new to the spyware scene, and the company’s website says its products are intended to help law enforcement and intelligence agencies fight crime. According to screenshots shared on Twitter by Vx-underground, Intellexa offers services that allow data extraction from Android and iOS devices through remote, one-click browser-based exploits. The documents say the exploits work on iOS 15.4.1 and the latest Android 12 update, implying that the offer was made recently, and Vx-underground says it found the documents on the Russian-language hacker forum XSS in July. It’s worth noting that three security updates have been released since iOS 15.4.1, so it is possible that Apple has already patched the vulnerabilities Intellexa claims to exploit.
College student wins lawsuit claiming remote room scan was a violation of privacy rights.
A federal judge in Ohio has ruled that remote test-taking software scanning a test-taker’s room is an invasion of privacy and a violation of the Fourth Amendment’s protection against unreasonable searches of the home. With the pandemic forcing many students to complete their schoolwork remotely, scanning a student’s surroundings for signs of cheating has become commonplace. Wired reports that Cleveland State University student Aaron Ogletree sued the school for violating his Fourth Amendment rights after he agreed to a room scan before a chemistry exam. He says sensitive tax documents were visible in the room and that the images were shared with other students. The school defended the practice by arguing that such scans are not “unreasonable” and that Ogletree knew about and agreed to the surveillance. Judge J. Philip Calabrese disagreed, stating, “Though schools may routinely employ remote technology to peer into houses without objection from some, most, or nearly all students, it does not follow that others might not object to the virtual intrusion into their homes or that the routine use of a practice such as room scans does not violate a privacy interest that society recognizes as reasonable, both factually and legally.” The decision could set a precedent for other students who object to the practice.
Security incident at LastPass exposes development environment.
LastPass, whose password manager is widely used by both individuals and organizations, disclosed yesterday that an unauthorized party accessed a portion of the company's development environment. The intruder gained access through a compromised developer account and was able to take "portions of source code and some proprietary LastPass technical information." LastPass says its customers' accounts remain secure, and that its services are operating normally. The company says it's contained the incident, is working on mitigation, and will keep its customers apprised of developments.
David Lindner, CISO at Contrast Security, pointed out that LastPass is an especially attractive target for attack: “LastPass has been a prime target for malicious actors over the past few years. This makes sense as LastPass holds the keys to the kingdom for millions of websites and applications. In this case of stolen source code, I would worry less about what’s in the code and more about where the malicious actor may have been or still is in my environment.”
Tom Kellermann, Senior Vice President of Cyber Strategy, also at Contrast Security, uses the occasion of the incident to draw attention to the consequences of underinvestment in security: “Cybersecurity companies are being targeted to facilitate island hopping. After the FireEye breach, the industry should have woken up. In 2022 cybersecurity companies must practice what they preach. Many still underinvest in their own cybersecurity. Expect to be hit and prepare to respond.”
Update on the Twilio hack.
Okta has since described the campaign behind the Twilio compromise, and it tracks the threat actor as Scatter Swine. Okta has seen Scatter Swine before: "Scatter Swine has directly targeted Okta via phishing campaigns on several occasions, but was unable to access accounts due to the strong authentication policies that protect access to our applications." Okta's account includes a lengthy discussion of the tactics, techniques, and procedures Scatter Swine used, and these are interesting for what they reveal about how a social engineering attack is run: well-chosen phishbait and convincing voice impersonation, combined with commodity phishing kits, are enough to harvest user credentials and the one-time codes that go with them.
Roger Grimes, data-driven defense evangelist at KnowBe4, focused on what the incident has to teach organizations about the risks of social engineering:
"This is yet another phishing attack showing how easy it is for adversaries to bypass supposedly secure multifactor authentication. Many cybersecurity leaders and organizations are touting the fake fact that MFA stops 99% of all hacking attacks. It doesn't. It never will. All organizations and users considering using MFA should use phishing-resistant forms. What is phishing-resistant MFA? I keep a list of it here: https://www.linkedin.com/pulse/my-list-good-strong-mfa-roger-grimes. It simply does no good to move users from easily phishable passwords to easily phishable MFA. It's a lot of hard work, resources, time, and money, not to get any benefit. Whatever MFA someone uses, the user should be taught about the common types of attacks that are committed against their form of MFA, how to recognize those attacks, and how to respond. We do the same when we tell users to pick passwords but don't when we tell them to use supposedly more secure MFA."