The Taliban's access to data.
The Taliban's seizure of HIIDE (Handheld Interagency Identity Detection Equipment) biometric registration and identification devices aroused concern when it was first reported, but the risks of that loss, while real, seem likely to be limited. MIT Technology Review argues that a more serious matter is the insurgent government's acquisition of APPS, the Afghan Personnel and Pay System used by the deposed government's Ministries of Defense and the Interior. APPS data were unprotected by retention or deletion policies and were presumably seized intact.
Phorpiex botnet shuts down.
The Record reports that the Phorpiex botnet has shut down, and researchers at Cyjax have found that the botnet's proprietors are offering the source code for sale. If you're in the market, not that you would be, know that Phorpiex has a mixed reputation in the underworld. It's been profitable, with its spam module and ability to hijack cryptocurrency clipboards being consistent moneymakers. Phorpiex has also hired its botnet out for use by ransomware operators, among them Avaddon, a gang that's recently gone into occultation. On the other hand Phorpiex's own security has tended toward the slipshod, with other criminals able to either uninstall it or substitute their own payloads for those the proprietors intended.
Bangkok Airways discloses data breach.
Bangkok Airways disclosed that it's been the victim of an attack that compromised passengers' personal information, including name, "nationality, gender, phone number, email, address, contact information, passport information, historical travel information, partial credit card information, and special meal information." ZDNet reports that the LockBit ransomware gang has claimed responsibility and threatened to release information if their ransom demands aren't met. That data dump, the Register wrote Tuesday, has begun, as Bangkok Airways refused to pay the ransom. The size of the data dump is assessed variously as between 103GB and more than 200GB.
BleepingComputer reports that the gang also claims to have used credentials stolen from Accenture to access and encrypt files at an unnamed airport. That last brag, however, seems not to be true. As Accenture commented to Threatpost, "We have completed a thorough forensic review of documents on the attacked Accenture systems. This claim is false. As we have stated, there was no impact on Accenture’s operations, or on our client’s systems. As soon as we detected the presence of this threat actor, we isolated the affected servers.”
FBI and CISA urge vigilance during Labor Day weekend.
The FBI and CISA warned, as the US Labor Day holiday approaches this weekend, that holidays have commonly been occasions for heightened rates of cyberattack. BleepingComputer offers a rundown of such correlations. The FBI and CISA offered the following observations about recent holidays:
- "In May 2021, leading into Mother's Day weekend, malicious cyber actors deployed DarkSide ransomware against the IT network of a U.S.-based critical infrastructure entity in the Energy Sector, resulting in a week-long suspension of operations. After DarkSide actors gained access to the victim's network, they deployed ransomware to encrypt victim data and—as a secondary form of extortion—exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.
- "In May 2021, over the Memorial Day weekend, a critical infrastructure entity in the Food and Agricultural Sector suffered a Sodinokibi/REvil ransomware attack affecting US and Australian meat production facilities, resulting in a complete production stoppage.
- "In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked a U.S.-based critical infrastructure entity in the IT Sector and implementations of their remote monitoring and management tool, affecting hundreds of organizations—including multiple managed service providers and their customers."
The White House at its regular press conference this past Thursday reinforced the warning from the FBI and CISA, stressing that the nation should be on heightened alert for cyberattacks, especially ransomware attacks, over the Labor Day long weekend. The US Government here seems to be betting on form as opposed to basing its warning on specific intelligence. Deputy National Security Adviser Neuberger said that while there were no specific indications of attacks, criminals in particular have a track record of taking advantage of the reduced staffing and relaxed vigilance that often accompany holidays.
Home security system vulnerabilities.
Rapid7 on Tuesday disclosed that multiple vulnerabilities affect the Fortress S03 WiFi Home Security System. Rapid7 disclosed the vulnerabilities three months after reporting them to Fortress, during which time Rapid7 says it received no acknowledgement from Fortress. Lawyers representing Fortress told TechCrunch that Rapid7's claims were "false, purposely misleading and defamatory," but they've so far been short on details; the story is developing.
BEC actors outsource talent.
Intel 471 has issued an account of the way in which underworld criminal markets have commodified business email compromise attacks, now adapted for and available to even the meanest criminal understanding. The researchers state, "In February, an actor on a popular Russian-language cybercrime forum announced he was searching for a team of native English speakers for the social engineering elements of BEC attacks after they had obtained access to custom Microsoft Office 365 domains. Additionally, another actor on a different forum asked for the same thing in June, posting help wanted ads that essentially outsourced the social engineering work behind BEC, while the actor would take care of the related technical aspects."
Another DeFi compromise.
Another DeFi cryptocurrency platform, Cream Finance, has suffered the theft of $29 million. Cream suspended "supply and borrow" in the affected AMP market shortly after blockchain security firm PeckShield detected activity that looked like a re-entrancy attack.
Re-entrancy can occur when a procedure can be initiated, interrupted before it has finished updating its own state, initiated again in a second instance, and both instances then run to completion without error, the second acting on state the first has not yet updated. PeckShield tweeted how the robbery worked. “The hack is made possible due to a reentrancy bug introduced by $AMP, which is an ERC777-like token and exploited to re-borrow assets during its transfer before updating the first borrow…. Specifically [in this case], the hacker makes a flashloan of 500 [Ethereum] and deposit[s] the funds as collateral. Then the hacker borrows 19M [in AMP tokens] and makes use of the reentrancy bug to re-borrow 355 [Ethereum] inside [the AMP token transfer]. Then the hacker self-liquidates the borrow.” And then, of course, Bob’s your uncle. Or rather the thieves’ uncle.
Cream tweeted a summary account of the incident yesterday: “C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract. We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.”
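The pattern PeckShield describes, modelled as an added example that is not Cream Finance's or AMP's code: a constructed ERC777-like token whose transfer runs a hook on the recipient, and a constructed lending pool in which the vulnerable ordering (transfer, then record the debt) lets that hook borrow a second time against the same collateral, beside the checks-effects-interactions ordering that blocks it. Token, pool, amounts and the 75% loan-to-value limit are all assumptions.

```python
class HookToken:
    def __init__(self):
        self.balances = {}

    def transfer(self, sender, recipient, amount):
        # ERC777-like: update balances, then notify the recipient before returning
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "tokens_received", None)
        if hook:
            hook(amount)  # control leaves the pool here, mid-borrow

class Pool:
    def __init__(self, token, ltv=0.75, safe=True):
        self.token, self.ltv, self.safe = token, ltv, safe
        self.collateral, self.borrows = {}, {}

    def borrow(self, user, amount):
        new_debt = self.borrows.get(user, 0) + amount
        if new_debt > self.collateral.get(user, 0) * self.ltv:
            raise ValueError("borrow exceeds collateral limit")
        if self.safe:  # checks-effects-interactions: record debt, then transfer
            self.borrows[user] = new_debt
            self.token.transfer(self, user, amount)
        else:          # vulnerable order: transfer (and its hook) first, debt last
            self.token.transfer(self, user, amount)
            self.borrows[user] = new_debt

class ReentrantBorrower:
    """Its transfer hook re-enters borrow() once while the first borrow is in flight."""
    def __init__(self, pool):
        self.pool, self.reentered = pool, False

    def tokens_received(self, amount):
        if not self.reentered:
            self.reentered = True
            self.pool.borrow(self, amount)

def run(safe):
    """Returns (re-borrow blocked?, tokens received, debt the pool recorded)."""
    token = HookToken()
    pool = Pool(token, safe=safe)
    token.balances[pool] = 1_000        # pool liquidity (constructed)
    borrower = ReentrantBorrower(pool)
    pool.collateral[borrower] = 100     # collateral 100 -> borrow limit 75
    try:
        pool.borrow(borrower, 75)
        blocked = False
    except ValueError:                  # on-chain, the revert also undoes the transfer
        blocked = True
    return blocked, token.balances.get(borrower, 0), pool.borrows.get(borrower, 0)
```

With the vulnerable ordering the borrower walks away with 150 tokens while the pool records only 75 of debt, which is the "before updating the first borrow" condition in PeckShield's account; with the debt recorded first, the re-entrant call fails the collateral check.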
The possible threat of hardware backdoors in electrical power systems.
Control Global points out the potential threat of hardware backdoors in transformers and other power generation, transmission, and distribution equipment. The essay also notes the limitations of software bills of materials in addressing this risk. The threat may illustrate the familiar maxim that lowest cost doesn't always equate to best value.
Québec seeks to reassure citizens over safety of QR codes in tracking apps.
Le Devoir reports that Québec's Ministry of Health is assuring citizens of the province that the QR codes used in its vaccine-tracking system are safe. The reassurance comes after Crypto.Québec reported that QR codes associated with prominent political figures had been compromised, with attendant exposure of personal data.
Ghostwriter seems bigger than previously suspected.
UNC1151, a Russian threat group whose activities are tracked as "Ghostwriter," has been determined to have a much larger infrastructure and more extensive operations than previously believed. Prevailion, who announced its findings on Wednesday, says that it's unclear whether UNC1151 is a single organization, but that its infrastructure and the Ghostwriter campaign appear to have "an overarching theme and direction." Prevailion found eighty-one malicious domains "clustered with the activity" that had hitherto gone unremarked, which would make UNC1151's infrastructure about three times as large as earlier reports had reckoned it.
BrakTooth, a Bluetooth vulnerability, is described.
Researchers at the Singapore University of Technology and Design described a set of Bluetooth Classic protocol vulnerabilities collectively known as BrakTooth. The affected firmware is thought, the Record says, to be found in more than fourteen-hundred chipsets. The Register reports that BrakTooth's impact and severity vary considerably across different devices.
Food and agriculture sector targeted by ransomware.
The US FBI on Wednesday issued a private industry notification warning the food and agriculture sector that it's under active attack by ransomware gangs. There's nothing particularly distinctive about the criminals' approach to organizations in this sector; the tactics and techniques they employ are familiar. But it's a sector not accustomed to thinking of itself as a high-priority criminal target. The Record elaborates on one of the cases mentioned in the FBI's warning: a US farm lost $9 million when a ransomware attack disrupted its operations.
The Bureau stated, "The Food and Agriculture sector is among the critical infrastructure sectors increasingly targeted by cyber attacks. As the sector moves to adopt more smart technologies and internet of things (IoT) processes the attack surface increases. Larger businesses are targeted based on their perceived ability to pay higher ransom demands, while smaller entities may be seen as soft targets, particularly those in the earlier stages of digitizing their processes, according to a private industry report."
Low and slow (and in your in-box).
KrebsOnSecurity notes the "low and slow," and lucrative, approach one criminal gang has taken to fraud, compromising about a hundred-thousand email inboxes daily. They're selective in their take, scanning for emails related to gift cards and customer loyalty programs, both of which have a useful resale value in criminal markets.
“The fraudsters aren’t downloading all of their victims’ emails,” KrebsOnSecurity writes. “That would quickly add up to a monstrous amount of data. Rather, they’re using automated systems to log in to each inbox and search for a variety of domains and other terms related to companies that maintain loyalty and points programs, and/or issue gift cards and handle their fulfillment.”
Crime and punishment.
A Brooklyn woman, Juliana Barile, has pleaded guilty to one count of computer intrusion after she deleted sensitive information belonging to her former employer, a New York credit union. The Justice Department stated, "According to court filings, Barile was fired from her position as a part-time employee with the Credit Union on May 19, 2021. Two days later, on May 21, 2021, Barile remotely accessed the Credit Union’s file server and deleted more than 20,000 files and almost 3,500 directories, totaling approximately 21.3 gigabytes of data. The deleted data included files related to mortgage loan applications and the Credit Union’s anti-ransomware protection software. Barile also opened confidential files. After she accessed the computer server without authorization and destroyed files, Barile sent text messages to a friend explaining that “I deleted their shared network documents,” referring to the Credit Union’s share drive. To date, the Credit Union has spent approximately $10,000 in remediating Barile’s unauthorized intrusion and destruction of data."
Flashpoint looks at Russian sources who've been talking to the LockBit gang. Among other things, LockBit dismisses reports that they're under law enforcement pressure, stating, "The pressure of the security forces can be felt only when they have already come to you with a warrant and jumped into your window. It is impossible to put pressure on us with other methods." The group noted that they operate from former USSR countries, which offers them shelter from Western law enforcement efforts.
Courts and torts.
Ireland's Data Privacy Commissioner (DPC) has fined WhatsApp €225 million, Reuters reports. The DPC stated, "The DPC’s investigation commenced on 10 December 2018 and it examined whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies. On 28 July 2021, the European Data Protection Board (EDPB) adopted a binding decision and this decision was notified to the DPC. This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB's decision and following this reassessment the DPC has imposed a fine of €225 million on WhatsApp." Reuters quotes a WhatsApp spokesperson as saying, "We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate." The company plans to appeal the decision.
The US Federal Trade Commission (FTC) has banned the company Support King, maker of stalkerware app SpyFone, and its CEO Scott Zuckerman from operating any surveillance platform. The FTC stated, "The company’s apps sold real-time access to their secret surveillance, allowing stalkers and domestic abusers to stealthily track the potential targets of their violence. SpyFone’s lack of basic security also exposed device owners to hackers, identity thieves, and other cyber threats. In addition to imposing the surveillance-business ban, the FTC’s order requires SpyFone to delete the illegally harvested information and notify device owners that the app had been secretly installed."
The FTC added, "The stalkerware app company not only illegally harvested and shared people’s private information, it also failed to keep it secure. The FTC alleges that SpyFone did not put in place basic security measures despite promising that it took “reasonable precautions to safeguard” the information it illegally harvested. The stalkerware apps’ security deficiencies include not encrypting personal information it stored, including photos and text messages; failing to ensure that only authorized users could access personal information; and transmitting purchasers’ passwords in plain text."
Policies, procurements, and agency equities.
Israeli Foreign Minister Yair Lapid has promised closer investigation of NSO Group's intercept tool exports, the Associated Press reports. Lapid stated, "We are going to look at this again. We’re going to make sure, or try to make sure to the extent of what is doable and what is not, that nobody is misusing anything that we sell."
Bloomberg has an account of an upsurge in cyberattacks against Australian targets, largely government agencies and universities. Their conclusions point to China, and see the precipitating event as Prime Minister Morrison's call, in April of 2020, for an international investigation into the origins of the coronavirus. The call was not to Beijing's pleasure, and the response was delivered in cyberspace.
Australian Federal Police have received extraordinary authorities for the enforcement of laws against cybercrime in the form of three new warrants covering network activity, data disruption, and account takeover. The authorities extend beyond investigation to disruption of criminal activity; ITNews says that the standard for issuing the warrants is that they be "reasonably necessary, and proportionate."
POLITICO reports that US national cyber director Inglis will approach fostering cyber resilience as an exercise in soft power.
The US Cybersecurity and Infrastructure Security Agency (CISA) has opened registration for the President’s Cup Cybersecurity Competition. Individuals can register through October 4th; teams have until September 20th to sign up.