Kubernetes API servers exposed on the web. Real estate firm settles data breach suit for $1.2 million. Google AI subsidiary accused of sharing patient data without consent. Commercial spyware vendor's product exploited zero-days.

Summary

By the CyberWire staff

At a glance.

Kubernetes API servers exposed on the web.
Real estate firm settles data breach suit for $1.2 million.
Google AI subsidiary accused of sharing patient data without consent.
Commercial spyware vendor's product exploited zero-days.

Majority of Kubernetes API servers exposed on the web.

Researchers at the nonprofit cybersecurity organization the Shadowserver Foundation have determined that over 380,000 Kubernetes API servers, or 84% of all global Kubernetes API instances observable online, are exposed on the internet. Security Week reports that Shadowserver has been conducting daily scans across IPv4 infrastructure using HTTP GET requests, looking for IP addresses that respond with an HTTP 200 OK status, which indicates that the request has succeeded. Shadowserver’s report reads, “While this does not mean that these instances are fully open or vulnerable to an attack, it is likely that this level of access was not intended, and these instances are an unnecessarily exposed attack surface. They also allow for information leakage on version and builds.” Over half of the exposed instances are located in the US, with many also found in Western Europe, Southeast Asia, and Australia. Dark Reading notes that the findings support recent research indicating that many organizations are not protected against potential API attacks. According to Salt Security’s recent "State of API Security 2022" report, approximately 34% of organizations have no API security strategy in place, and an additional 27% say they have just a basic strategy requiring minimal scanning and no management over API security status.

Real estate firm settles data breach suit for $1.2 million.

Weichert Co, a residential and commercial real estate franchise based in the US state of New Jersey, reached a $1.2 million settlement this week over three data breaches that compromised the personal data of nearly 11,000 consumers and employees. Weichert faced allegations that the company misrepresented security practices to consumers, and that the company’s inadequate cybersecurity safeguards allowed unauthorized access to its network, violating the New Jersey Consumer Fraud Act, the Identity Theft Protection Act, and the Gramm-Leach-Bliley Act. NJBIZ explains that an intruder allegedly gained unauthorized access to Weichert’s network on multiple occasions between July 2016 and July 2018, exposing personal data including Social Security numbers, credit card information, passport numbers, financial accounts, and driver’s license details. Weichert disputes the claims but has agreed to the settlement, which also requires the company to retain an independent third party to assess the information security program and prepare an annual report of findings to confirm compliance with the provisions of this Consent Order. When announcing the settlement, Acting Attorney General Matthew Platkin stated, “Taking appropriate measures to safeguard clients’ personal information is not just part of a good business model, it is the law. This settlement should send a clear message to companies that skimp on data security as a cost-saving measure.”

Google AI subsidiary accused of sharing patient data without consent.

On Tuesday a sole claimant filed a representative action suit in the High Court of Justice of England and Wales against Google and DeepMind Technologies, a British artificial intelligence subsidiary of Alphabet Inc, for misuse of private patient data. Jurist explains that the case involves a 2015 collaboration between DeepMind and the Royal Free London National Health Service (NHS) Foundation Trust for developing Streams, an app designed to support doctors and nurses in the prognosis of acute kidney injury. The data sharing agreement gave DeepMind access to five years’ worth of confidential data of over 1.6 million patients covered by the NHS. However, in 2017 the UK Information Commissioner’s Office (ICO) found the agreement, which did not allow patients to opt out, breached the Data Protection Act, leading the ICO to sanction the NHS. The ICO’s investigation determined that DeepMind’s use of patient data for testing the clinical safety of Streams differed from patients’ reasonable expectations and was not “necessary and proportionate” for app testing. Google was able to avoid legal responsibility as the NHS was technically at fault for sharing the patient data, and last August decided to decommission Streams. Mishcon de Reya, the law firm representing the present claimant Andrew Prismall, says they brought the suit to achieve fair closure for the compromised patients and provide clarity regarding tech companies’ use of patient data.

Google assesses a commercial spyware threat “with high confidence.”

Recent discussions (and investigations) of commercial spyware and its alleged abuse by governments and other actors have focused on NSO Group and its Pegasus product. But NSO isn’t the only player in the field.

Google’s Threat Analysis Group yesterday outlined five zero-days–CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, and CVE-2021-38003 in Chrome and CVE-2021-1048 in Android–that have been employed against Android users. Google thinks the North Macedonian lawful intercept vendor Cytros is responsible for creating the tools used to exploit the vulnerabilities.

“We assess with high confidence that these exploits were packaged by a single commercial surveillance company, Cytrox, and sold to different government-backed actors who used them in at least the three campaigns discussed below,” Google’s Threat Analysis Group writes. “Consistent with findings from CitizenLab,” they add, “we assess government-backed actors purchasing these exploits are located (at least) in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia.”

Companies like Cytrox deploy capabilities formerly achievable only by governments, but then if you look at the customer list, effectively they’re functioning as contractors. “Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits.”

Google thoroughly disapproves of the way this sector is doing business. “Tackling the harmful practices of the commercial surveillance industry will require a robust, comprehensive approach that includes cooperation among threat intelligence teams, network defenders, academic researchers and technology platforms,” they conclude. “We look forward to continuing our work in this space and advancing the safety and security of our users around the world.”

Selected Reading

Spyware Vendors Target Android With Zero-Day Exploits (Wired) New research from Google's Threat Analysis Group outlines the risks Android users face from the surveillance-for-hire industry.

Protecting Android users from 0-Day attacks (Google) To protect our users, Google’s Threat Analysis Group (TAG) routinely hunts for 0-day vulnerabilities exploited in-the-wild. In 2021, we reported nine 0-days affecting Chrome, Android, Apple and Microsoft, leading to patches to protect users from these attacks.This blog is a follow up to our July 2021 post on four 0-day vulnerabilities we discovered in 2021, and details campaigns targeting Android users with five distinct 0-day vulnerabilities:CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003 in ChromeCVE-2021-1048 in Android. We assess with high confidence that these exploits were packaged by a single commercial surveillance company, Cytrox, and sold to different government-backed actors who used them in at least the three campaigns discussed below.

Deadbolt ransomware group targeting QNAP network storage devices (SC Magazine) QNAP advises customers to update their devices immediately and to not expose their NAS systems to the internet since discovering the Deadbolt ransomware.

Anonymous Server Leaks Millions of Loan Applicants’ Data (SafetyDetectives) Led by Anurag Sen, the SafetyDetectives security team discovered a misconfigured server belonging to an unknown entity that leaked data for potentially millions

What is ARP Spoofing? How to Prevent an ARP Attack (CrowdStrike) Address Resolution Protocol (ARP) spoofing or ARP poisoning is a form of spoofing attack that hackers use to intercept data.

Majority of Kubernetes API Servers Exposed to the Public Internet (Dark Reading) Shadowserver Foundation researchers find 380,000 open Kubernetes API servers.

Ransomware Attack Vectors: RDP and Phishing Still Dominate (GovInfo Security) Attackers who successfully infect targets with ransomware primarily first gain access by exploiting poorly secured remote desktop protocol or VPN connections or by

Pegasus row: Supreme Court says probe panel can submit report by June 20 (Hindustan Times) Pegasus row: There are allegations that Pegasus was used for snooping against opposition leaders among others. 

Google faces UK lawsuit for NHS patient data breach (Jurist) A sole claimant Tuesday filed a representative action suit against Google and its artificial intelligence (AI) subsidiary DeepMind Technologies in the High Court of Justice of England and Wales for mi...

Texas Says Google's 'Incognito' Mode Stealth Tracks Data (Law360) Texas on Thursday expanded its deceptive trade practices lawsuit against Google LLC, adding claims that the search engine's "Incognito" mode misleads users to believe the company cannot track their search history or location when using the privacy setting.