At a glance.
- Google Chrome extension found to be tracking users’ internet activity.
- More on the Twitter whistleblower scandal.
- Updates in the commercial spyware industry.
- Perhaps threat actors simply don’t want to pay late fees.
- Cleaning up the NHS data breach.
Google Chrome extension found to be tracking users’ internet activity.
Five Google Chrome extensions collectively downloaded over 1.4 million times have been monitoring users’ browser histories in order to track when users visit an e-commerce site and modify the visitor's cookie to appear as if they came through a referrer link. In return, BleepingComputer explains, the authors of the malicious extensions receive an affiliate fee for any purchases made at the e-commerce site. Detected by McAfee threat analysts, the extensions in question are Netflix Party, Netflix Party 2, Full Page Screenshot Capture, FlipShope Price Tracker Extension, and AutoBuy Flash Sales. The two Netflix Party extensions have been removed from the Chrome Web Store, but the other three are still available, and removal will not delete the extensions from web browsers; users must uninstall them themselves.
Uriel Maimon, Head of Emerging Products at Human Security, says he sees a systemic problem with browser extensions. “Browser extensions are the Wild Wild West of the Internet," he wrote. "There are approximately 200,000 extensions available on the Chrome store alone. What most users don’t realize is that extensions have full access to all of the data on a page including your email, banking information and credit card numbers. While many extensions provide value added services, there’s little to stop them from collecting and abusing user data.”
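The behaviour described above (watching navigation and rewriting cookies on shopping sites) requires an extension to hold cookie access together with broad host permissions. The following audit script is an added example, not code from McAfee, BleepingComputer or the extensions named above; it reads each extension's manifest.json from a Chrome profile directory and flags that permission combination. The two embedded manifests are constructed samples with hypothetical names.

```python
"""Flag Chrome extensions whose manifest grants the permissions needed to
monitor browsing and rewrite cookies. Added example, not from the page;
the sample manifests are constructed and the extension names hypothetical."""
import json
import os

# Permissions that let an extension observe navigation or touch cookies.
SENSITIVE = {"cookies", "tabs", "webNavigation", "webRequest", "history"}
# Host patterns that put every site in scope.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return the risky permissions found in one manifest (MV2 or MV3 layout)."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # MV2 lists host match patterns inside "permissions"; split them out.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    return {
        "name": manifest.get("name", "?"),
        "sensitive": sorted(perms & SENSITIVE),
        "broad_hosts": sorted(hosts & BROAD_HOSTS),
        # Cookie access plus all-sites scope is the combination to review first.
        "flag": "cookies" in perms and bool(hosts & BROAD_HOSTS),
    }


def audit_profile(extensions_dir: str) -> list:
    """Walk a Chrome profile's Extensions directory and audit every manifest.json."""
    results = []
    for root, _dirs, files in os.walk(extensions_dir):
        if "manifest.json" in files:
            with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
                results.append(audit_manifest(json.load(fh)))
    return results


# Constructed sample manifests (hypothetical extension names, not real ones).
SAMPLE_MANIFESTS = [
    {"name": "Sample Screenshot Tool", "manifest_version": 3,
     "permissions": ["cookies", "tabs", "storage"], "host_permissions": ["<all_urls>"]},
    {"name": "Sample Notes", "manifest_version": 2,
     "permissions": ["storage", "https://notes.example/*"]},
]

if __name__ == "__main__":
    for r in (audit_manifest(m) for m in SAMPLE_MANIFESTS):
        print(("REVIEW " if r["flag"] else "ok     ") + r["name"], r["sensitive"], r["broad_hosts"])
```

To check a real profile, call audit_profile() on the Extensions folder (on Linux typically ~/.config/google-chrome/Default/Extensions); a flag is a prompt to review the extension, not proof of abuse, since legitimate tools also request these permissions.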
More on the Twitter whistleblower scandal.
Last week’s revelations from Twitter whistleblower Peiter “Mudge” Zatko – alleging that the social media giant has been misleading regulators about its weak cybersecurity defenses and allowing bot accounts to spread disinformation – continue to send shock waves through the privacy community. Zatko claimed that Twitter allowed the Indian government to put agents on the company’s staff, giving them “direct unsupervised access to the company’s systems and user data.” Prateek Waghre, policy director at Indian digital rights organization the Internet Freedom Foundation, told Security Week, “We tend to look at these companies as large, well-resourced entities who know what they’re doing — but you realize that a lot of their actions are ad hoc and reactive, driven by crises.”
Last October, a Saudi humanitarian aid worker was arrested for allegedly creating an anonymous, satirical Twitter account, and it’s possible he was uncovered by spies allegedly working for the social media giant. Bethany Al-Haidari, who works at US-based human rights group the Freedom Initiative, says it’s likely Twitter’s cybersecurity issues could allow hackers or governments to reveal dissidents’ identities. “Given what we know about how social media is used around the world, that is incredibly problematic,” Al-Haidari stated. Tony Anscombe, Chief Cyber Threat Officer at Slovakia-based cybersecurity software provider ESET, weighs in: "If the allegations are true, yes, there's probably an increased risk," he told Yahoo Finance. However, Anscombe does see a silver lining for Twitter users. "If the allegations are unfounded, then the company's probably running an audit anyway to make sure that they haven't got any weaknesses and, if they are founded, they're running around fixing those things. So, actually, the end result is a good thing."
Updates in the commercial spyware industry.
As we noted last week, it was discovered that Tykelab, a subsidiary of Italian software company RCS, has been using a system of unsecured phone networks to send “tracking packets” used to surveil individuals in southeast Asia, Africa, Latin America, and the EU. Cybernews notes that despite being discovered eight years ago, the security loophole has gone unpatched, the result of a telecom industry practice of leasing out network access points to other parties. In this case, the apple doesn’t fall far from the tree, as Cy4Gate reported in December that the surveillance products of Tykelab’s parent company RCS include a phone-hacking tool that can be used to record calls and remotely access other sensitive data, and that web pages spoofing Apple and Facebook were used to lure targets into downloading the software.
Meanwhile, Gearrice reports that NSO Group, the company at the center of last year’s Pegasus spyware scandal, is reorganizing. The revelation that Pegasus was being used to spy on journalists and activists across the globe left NSO with a pile of blacklistings, sanctions, and lawsuits, and as a result one hundred of the company’s employees have been let go, and CEO Shalev Hulio has resigned. In a recent press release, NSO said it plans to shift its focus to supporting NATO countries – a smart choice given the impact of the war in Ukraine – and that it still hopes to become “one of the largest cybertech companies in the world.”
Perhaps threat actors simply don’t want to pay late fees.
Leading US library supplier Baker & Taylor suffered a ransomware attack last week, and the company is struggling to bring its systems back online, the Record by Recorded Future reports. Baker & Taylor confirmed the attack on its website Monday, stating, “Our IT team and outside experts are working nonstop to restore our systems.” The company stated that several of its systems and applications, including its internal phone network, had been impacted. Established nearly two hundred years ago, Baker & Taylor offers library tech solutions as well as physical and digital content including books, ebooks, audio books, music, and videos. It’s unclear who might be behind the attack or if any ransom demands have been made. The publishing industry has been having a rough time recently, as American publishing powerhouse Macmillan was hit with a ransomware attack last month, and the LockBit ransomware group attacked German library service Onleihe in April.
Cleaning up the NHS data breach.
Itay Bochner, Director of Malware Analysis Solutions at OPSWAT, wrote about the problems the NHS breach continues to cause:
“The UK NHS ransomware attack is turning into one of the biggest cyberattacks ever to happen in healthcare. 20+ days have passed since the health services' cloud provider Advanced was attacked by ransomware. Since then, providers and patients have had no access to medical records – causing chaos and broader societal impact. Patients can't get their medicine, physiatrists can't add reports to the system and provide their professional opinion in court, and only last week was the emergency dispatch number 111 restored.
"Advanced estimated it could take a few more weeks before they see a full restoration of services, leaving many questions about why recovery is taking so long and what could’ve been in place prior to the attack to reduce recovery time.
"While we can only speculate at this time, the lengthy recovery time could be due to Advanced’s production environment and the last backup not being up to date. More likely, it could be because the backup is also infected with the malware, and recovering it will not help, forcing them to go way back or build it again. Another possibility is that they backed everything up but never tried to recover it, and now in a time of need it simply doesn't work. If this is the case, doing routine backups and recovery could have helped in a situation like this and restored these critical services faster.
"While we’ve seen so many attacks on critical infrastructure, this may be an example of how the effects of cyberattacks on healthcare systems could be potentially more dangerous (and deadly) than on any other critical industry." Added 9.1.22: "The UK NHS isn’t the only one battling this problem - just last week, the Center Hospital Sud Francilien, a French hospital outside of Paris, was hit with LockBit ransomware with a demand to pay $10 million, forcing them to send patients elsewhere for medical health services.
"Monetization of the attack is more likely given that human lives are at stake and the general population relies on healthcare and emergency services on a daily basis.”