At a glance.
- ICO interested in Meta's Oculus.
- Government data leak in Ghana.
- Data breach at fertility clinic.
- Online pharmacy sustains prescription information data breach.
- BadUSB campaign arrives in either official or festive wrapping.
- FinalSite restores services.
ICO raises questions about Meta’s Oculus headset and child safety.
Computing reports that Meta is facing scrutiny for concerns that the Oculus Quest 2 virtual reality headset might violate child safety rules. The UK's Information Commissioner's Office (ICO) is questioning whether the headset’s parental control features comply with the Children’s Code, the data protection code (written into law with the 2018 Data Protection Act) regarding age appropriate design for online services likely to be accessed by children. Child safety advocates have voiced concerns about the device’s lack of parental controls, and campaign group Center for Countering Digital Hate found evidence of abuse on VRChat, a forum frequented by Oculus users. If Meta is found to be in violation, officials could issue a warning, impose a penalty of £17.5 million, or issue a fine up to four per cent of the company’s global turnover. A Meta spokesperson says the company is confident the tech meets the Code's requirements, pointing out that children under the age of 13 are not permitted to use its products (though there are concerns that little is being done to uphold this policy), and the company is launching a $50 million initiative devoted to ensuring compliance.
Ghana's National Service Secretariat inadvertently leaks citizen data.
The data of hundreds of thousands of Ghanaian citizens were potentially exposed in an unprotected Amazon Web Services storage bucket. vpnMentor found the database, which contained unencrypted data connected to Ghana's National Service Secretariat (NSS), the body that oversees a mandatory public services program for Ghanaian graduates, and determined that a portion of the files were neither encrypted nor password-protected. The compromised data includes images of ID cards, employment records, payment receipts, and internal NSS correspondence files. When asked for a response, Ghana’s Computer Emergency Response Team (GH-CERT) told the Daily Swig it could not comment on the issue as it is currently under investigation.
US fertility clinic hit by cyberattack.
Fertility Centers of Illinois (FCI), which operates fertility services providers across the US state, suffered a cyberattack resulting in a data breach that potentially impacted nearly 80,000 former and current patients as well as a number of employees. Infosecurity Magazine explains that FCI detected suspicious activity last February, at which point they enlisted the services of third-party computer forensic specialists. Though FCI’s cybersecurity measures protected the company’s electronic medical record system, the intruder was able to infiltrate administrative records containing a plethora of patient data including names, Social Security numbers, financial account information, treatment information, billing/claims information, health insurance info, and account login information. The attack is just the latest in a series of incidents impacting fertility centers, with American fertility giant US Fertility hit in September 2020, and UK clinic Lister Fertility compromised in a November 2021 ransomware attack on their medical record scanning company.
Online pharmacy platform suffers prescription data breach.
Ravkoo, a US online pharmacy service, also experienced a data breach as the result of a cyberattack, this one discovered this past September. Security Week explains that the attackers targeted Ravkoo’s prescription fulfillment portal, which is hosted on Amazon Web Services, and as a result prescription and health data, as well as names, email addresses, and phone numbers were potentially compromised. In a patient notification letter, the company stated, “At this time, Ravkoo does not have any evidence to indicate that any of your personal information has been or will be misused as a result of this incident.” According to Ravkoo’s notification to the Maine Attorney General’s Office, 105,000 individuals were impacted.
BadUSB campaign by FIN7 hits US companies.
The Record reports that the FBI has warned that FIN7, the criminal gang well known for operating DarkSide and BlackMatter ransomware, has undertaken a BadUSB campaign against US organizations in the transportation, insurance, and defense sectors.
The physical USBs, which carry malware, are being sent by the US Postal Service or by the United Parcel Service, and what could be more innocent-looking than those two? Some represent themselves as packages arriving from the US Department of Health and Human Services that carry important COVID-19 information. Others pose as holiday packages from Amazon, complete with festive wrapping, a thank-you note, a bogus gift card, and, of course, the malicious USB drive. The payloads observed include "Metasploit, Cobalt Strike, PowerShell scripts, Carbanak, GRIFFON, DICELOADER, and TIRION" as well as "BlackMatter and REvil" ransomware.
Purandar Das, Co-founder and CEO of Sotero, notes that more sophisticated isn't always better:
“This seems like a step back in terms of attack sophistication. In a time when attacks are being executed leveraging third-party and open-source software components this seems like a step back into a bygone era where the attack depended on a human failure or event to start. It may have been an attempt to capitalize on lowered guards when everyone is focused on talking about the more sophisticated attacks. Regardless, this demonstrated that the attackers will leave no avenue unexploited. It also demonstrates the potential for payoffs that the attackers are willing to invest in USB drives and physical mailing costs.”
The crooks are interested in cash, not art. Technical sophistication for its own sake is of no interest to them.
FinalSite restores its services.
FinalSite, the widely used provider of school websites and related solutions, has restored its services following the ransomware attack that cascaded through school systems in many countries.
Danny Lopez, CEO of Glasswall, commented on the effects ransomware of this kind can have on schools:
"Reports of the education sector being the victim of cyber attacks have become increasingly common over the last two years. News like this regarding FinalSite is concerning considering the extensive damage that can be caused in terms of lost data – for both students and staff – and access to vital educational services.
"Educational institutions should adopt a ‘defence-in-depth’ approach to cybersecurity, as advised by the NCSC. This means using multiple layers of defence with several mitigations, which creates more opportunities to detect malware and prevent it from doing widespread harm to the institution.
"But even when all procedures and policies are well-executed, there's no escaping the fact that adversaries are constantly looking to probe vulnerabilities. Often this is as simple as inserting malware using documents and files shared in their hundreds every day in an educational environment. It's vital these organisations invest in cyber protection services that stay ahead of attackers by eliminating the threats while still allowing all users to do their vital work.
"Attacks like these demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers, it is crucial to strengthen all processes relating to access verification. Without a zero-trust approach, organisations run the risk of attackers having a free rein across a network once they are inside."