At a glance.
- Apple and Meta leak user data to hackers posing as police.
- Update on TransUnion ransomware attack.
- Wyze security cameras not so secure.
- California healthcare group likely hit by Hive ransomware.
Apple and Meta leak user data to hackers posing as police.
Bloomberg reports that tech giants Apple and Meta fell prey to a phishing operation that tricked employees into handing over customer data to cybercriminals posing as law enforcement. In 2021, the hackers sent fake “emergency data requests” to the companies demanding customer info including street addresses, IP addresses, and phone numbers. Sources say the perpetrators are believed to be affiliated with “Recursion Team,” a now-defunct hacking group that is said to have spawned members of the infamous Lapsus$ ransomware gang, responsible for recent attacks on Microsoft, Samsung, and Nvidia. The hackers went to great lengths to make the fake requests appear legitimate, including forged signatures of police officers and possibly even using real legal requests as templates. Allison Nixon, chief research officer at cyber firm Unit 221B, commented, “In every instance where these companies messed up, at the core of it there was a person trying to do the right thing. I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user.” Meta issued a statement in which spokesperson Andy Stone explained, “We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse. We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”
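One way a provider's trust-and-safety queue could triage inbound requests so that a forged "emergency data request" fails even when it looks authentic, as an added example that is not part of the original briefing and not Apple's or Meta's actual process: the sending domain is checked against a vetted agency directory (with lookalike detection), accounts already flagged as compromised are refused, letterhead and signatures are recorded but never treated as proof, and an emergency request is released only after staff confirm it by calling a number taken from the directory rather than from the request. The agency directory, domains, phone numbers, account list and emergency field scope are constructed placeholders.

```python
"""Triage for inbound law-enforcement data requests (illustrative; constructed data throughout)."""
from dataclasses import dataclass, field
from typing import Optional
import re

# Constructed directory of agencies the provider has vetted, keyed by sending domain.
# Callback numbers come from this directory, never from the request being checked.
AGENCY_DIRECTORY = {
    "example-pd.gov": {"agency": "Example City Police (constructed)", "callback": "+1-555-0100"},
    "example-sheriff.gov": {"agency": "Example County Sheriff (constructed)", "callback": "+1-555-0101"},
}

# Constructed list of agency accounts previously reported as taken over.
COMPROMISED_ACCOUNTS = {"taken.over@example-pd.gov"}

# Fields an emergency request may legitimately need; anything beyond this is not fast-tracked.
EMERGENCY_FIELD_SCOPE = {"street_address", "phone_number", "ip_address"}


@dataclass
class DataRequest:
    requester_email: str
    legal_basis: str                  # "emergency", "subpoena" or "warrant"
    fields: set
    signed_letterhead: bool           # easily forged; recorded but never trusted
    callback_confirmed: bool = False  # set by staff only after phoning the directory number


@dataclass
class Decision:
    action: str                       # "release", "verify_callback", "legal_review" or "reject"
    reasons: list = field(default_factory=list)


def _normalize(domain: str) -> str:
    """Collapse separators so 'example-pd.gov' and 'examplepd.gov' compare equal."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())


def lookalike_of(domain: str) -> Optional[str]:
    """Return the directory domain this sender domain imitates, if any."""
    for known in AGENCY_DIRECTORY:
        if known != domain.lower() and _normalize(known) == _normalize(domain):
            return known
    return None


def triage_request(req: DataRequest) -> Decision:
    reasons = []
    domain = req.requester_email.rsplit("@", 1)[-1].lower()

    # Identity of the sender is established from the directory, not from the letter.
    if domain not in AGENCY_DIRECTORY:
        mimic = lookalike_of(domain)
        note = f" (possible lookalike of {mimic})" if mimic else ""
        return Decision("reject", [f"sender domain {domain} not in agency directory{note}"])
    if req.requester_email.lower() in COMPROMISED_ACCOUNTS:
        return Decision("reject", ["requester account flagged as compromised"])

    # Forged signatures and copied templates are exactly what the attackers used,
    # so letterhead contributes nothing to the decision.
    if req.signed_letterhead:
        reasons.append("letterhead/signature noted but not treated as proof")

    if req.legal_basis == "emergency":
        excess = req.fields - EMERGENCY_FIELD_SCOPE
        if excess:
            return Decision("legal_review", reasons + [f"fields outside emergency scope: {sorted(excess)}"])
        if not req.callback_confirmed:
            number = AGENCY_DIRECTORY[domain]["callback"]
            return Decision("verify_callback", reasons + [f"confirm by calling {number} from the directory"])
        return Decision("release", reasons + ["emergency verified by out-of-band callback"])

    if req.legal_basis in {"subpoena", "warrant"}:
        return Decision("legal_review", reasons + ["legal process attached; standard review queue"])

    return Decision("reject", reasons + [f"unrecognized legal basis: {req.legal_basis}"])


if __name__ == "__main__":
    forged = DataRequest("det.jones@examplepd.gov", "emergency", {"street_address", "ip_address"}, True)
    print(triage_request(forged))
    genuine = DataRequest("det.jones@example-pd.gov", "emergency", {"street_address"}, True)
    print(triage_request(genuine))
```

The design point is that nothing in the request body can move it to "release": only a directory lookup plus a callback made on a number the provider already holds can. A lookalike domain that mimics a real agency is rejected with the imitated domain named, which is the detail an analyst would want in the rejection log.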
Update on TransUnion ransomware attack.
As we previously noted, credit bureau TransUnion South Africa suffered a ransomware attack earlier this month at the hands of the N4aughtysecTU threat group that exposed 54 million personal records. 702 reports that TransUnion refused to pay the R220 million ransom demanded by last Friday, and in retaliation the hackers are now threatening to publish stolen information about high-profile individuals including South African President Cyril Ramaphosa.
World Wide Worx data analyst Bryan Turner commented, “At the moment those details were released in a private chat with journalists to show that they can do it but it hasn't been released just yet. Journalists have verified that those details are correct and it's not just the president's details.”
Wyze security cameras not so secure.
Bitdefender has released a report on three vulnerabilities its researchers found in popular, budget-friendly Wyze Cam security cameras. As The Record by Recorded Future reports, the flaws include an authentication bypass vulnerability, a remote control execution vulnerability caused by a stack-based buffer overflow, and a bug allowing unauthenticated access to the contents of an SD card. As Forbes explains, the researchers were able to reposition cameras, enable or disable recording, and turn the devices off and on without ever entering a password. Bitdefender’s report says Wyze was first notified of the flaws in 2019, and although the vendor released patches to remedy the issues over the course of two years, no fix is available for its first-generation cameras. Android Police notes that Bitdefender intended to publicize its findings ninety days after disclosure, the standard waiting period to allow a vendor to patch reported vulnerabilities, but after three years not enough progress had been made. Bitdefender explained, “While most of our reports get answered and patched, this one ends differently. We advise users to stop using this version of hardware as soon as possible.”
California healthcare group likely hit by Hive ransomware.
The Hive ransomware group claims to have exfiltrated 850,000 personal records from US healthcare coverage provider Partnership HealthPlan of California. The organization’s website is currently down, redirecting visitors to a message explaining that suspicious activity was detected on certain computer systems. “We are working diligently with third-party forensic specialists to investigate this disruption, safely restore full functionality to affected systems, and determine whether any information may have been potentially accessible as a result of the situation,” it reads. VentureBeat adds that Partnership HealthPlan’s phone systems are down as well, and the organization has provided email addresses for patients and providers to contact about the incident. The issues were reportedly first detected on March 24, and on Tuesday Hive, notorious for attacking healthcare entities, posted a message on its HiveLeaks site declaring they’d stolen 400GB of data including names, Social Security numbers, and street addresses. The US Federal Bureau of Investigation has previously warned the public about Hive’s activities, explaining the group “likely operates as an affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation.”
Brian Higgins, security specialist with Comparitech, noted the significance of the incident:
“Hive ransomware group has posted on its darkweb site that it has stolen 850,000 personally identifiable information (PII) records from the Partnership HealthPlan of California. Based on Comparitech data this is the largest attack in 2022 so far and the 8th largest of all time in the healthcare industry.
“Attacks on the healthcare sector have long been popular with cyber criminals as they provide an extra layer of leverage to any extortion or ransom request. Not only are the target company’s day-to-day business activities, revenue, and reputation put at risk to force payment but with a customer community of vulnerable patients or clients worried that their most intimate and private medical information may be made public, the pressure on a victim organization to pay up quickly and resolve the incident is dramatically increased. Couple this with an ongoing global pandemic and it’s no surprise that the healthcare sector has emerged as one of the most lucrative and attractive for cyber criminals.”