Info Security


Texan Admits Data Center Bomb Plot

Fri, 06/18/2021 - 17:29

A man from Texas could be facing up to 20 years in prison after pleading guilty to plotting to blow up a data center in Virginia.

Seth Aaron Pendley, of Wichita Falls, was arrested in April after trying to purchase what he believed to be an explosive device from an undercover FBI employee in Fort Worth.

The 28-year-old admitted that he had planned to use the device to destroy servers in an Amazon-owned data center located on Smith Switch Road in Ashburn, Virginia. 

According to his plea documents, Pendley shared the details of his plot with a source via an encrypted messaging app last February. 

When the source offered to help the would-be bomber obtain C4 plastic explosives, Pendley responded with the message: “F*** yeah.”

Pendley sent the source a list of data center addresses and said he hoped a successful attack would “kill off 70% of the internet.”

Pendley then showed the source a hand-drawn map of a data center in Ashburn that included details of how he intended to enter and exit the site. The source also heard how Pendley planned to disguise his car to escape detection by law enforcement.

In March, the source introduced the unsuspecting Pendley to an undercover FBI employee posing as an explosives supplier. Pendley was recorded telling that FBI employee that he wanted to blow up Amazon web servers. 

Pendley said he thought that the servers in the data center benefited the FBI, CIA and other federal agencies. By destroying the servers, Pendley hoped to prevent the United States from being taken over by a tyrannical Marxist government.

On April 8, Pendley was arrested after meeting with the FBI employee to collect inert devices that Pendley believed to be real explosives. At his residence, cops found an AR-15 receiver with a sawed-off barrel, a pistol painted to look like a toy gun, masks, wigs, and notes and flashcards related to the planned attack.

On June 9, Pendley pleaded guilty to a malicious attempt to destroy a building with an explosive. He is due to be sentenced on October 1. 

Federal authorities said Pendley was apolitical until he lost his job and began researching politics on the internet.

Categories: Cyber Risk News

New Jersey Councilor Charged with Cyber-harassment

Fri, 06/18/2021 - 16:25

A councilor from New Jersey has been arrested and charged with waging a campaign of cyber-harassment against a former girlfriend. 

Detectives from the Cape May County Prosecutor's Office, with the assistance of detectives from the Middle Township Police Department, launched an investigation into the activities of 43-year-old realtor and Cape May councilman Christopher Bezaire in May 2021 after allegations of cyber-abuse were made. 

Bezaire, who is the president of the Cape May County Board of Realtors, was taken into custody on Wednesday afternoon. Law enforcement officers then exercised search warrants at the realtor's home address and at his workplace. 

Law enforcement officers have not released any comments on what, if any, evidence was discovered during the searches. 

Following the investigation, Bezaire was charged with invasion of privacy in the third degree, cyber-harassment in the fourth degree, and stalking in the fourth degree. He was also charged with contempt of court in the fourth degree. 

After being notified of the charges against him, Bezaire was placed at the Cape May County Correctional Facility to await court proceedings. 

News of Bezaire's arrest was announced on June 16 by Cape May County prosecutor Jeffrey Sutherland and Chief Paul Skill of the Cape May County Prosecutor's Office.

According to Sutherland, individuals convicted of third-degree crimes can receive a sentence of three to five years in New Jersey State Prison. Fourth-degree crimes can carry a sentence of up to eighteen months in state prison.

The prosecutor urged anyone who has any information relating to this investigation to contact the Cape May County Prosecutor’s Office, High Technology Crimes Unit.

Allegations of harassment and stalking have been made against Bezaire on social media, with posts on Facebook and under the heading “Impeach Chris Bezaire of Cape May.”

Bezaire was elected to the council in 2020. Mayor Zack Mullock told the Press of Atlantic City that the city would not take any action to remove Councilman Bezaire from office unless he is convicted.

“All parties involved are entitled to due process, and that process still has to play itself out," said Mullock.

Categories: Cyber Risk News

Colorado Passes New Privacy Act

Fri, 06/18/2021 - 15:49

The Centennial State has unanimously passed a new data privacy act to safeguard Coloradoans' personal information.

On June 8, the state Senate approved the Colorado Privacy Act after a series of revisions were made. The Act is due to take effect on July 1, 2023, and now awaits the signature of state governor Jared Polis. 

Should the Act become law, Colorado will follow California and Virginia by enacting comprehensive privacy legislation.

The Act gives consumers who reside in Colorado five key rights over their personal data. Firstly, they have the right to opt out of the sale of their personal data, the processing of personal data for targeted advertising purposes, and automated profiling in furtherance of decisions that produce legal or similarly significant effects.

They also have the right to access their personal data held by a data controller and the right to make corrections to their personal data if inaccuracies are identified.

Finally, they have the right to be provided with their data in a portable and ready to use format, and the right to have their personal data erased.

The new Act will apply to all data controllers operating businesses in Colorado that process or control the personal data of 100,000 or more Colorado resident consumers in a calendar year or derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado resident consumers.

Under the new law, entities will have specific responsibilities pertaining to how they collect and process data.  Consumers must be informed about why their personal data is being collected and must be notified if their data is sold or used for targeted advertising.

Data controllers must limit their data collection, only gathering the information they need to serve their stated purpose. And the data they collect must be secured to prevent unauthorized access.

Sensitive information, such as data on ethnic origin, religious beliefs, mental or physical health, sexual orientation, citizenship status, genetic/biometric data, and the personal data of minors, cannot be collected and processed unless consumers provide their consent through an opt-in process.

Categories: Cyber Risk News

Google Spices Up Supply Chain Security with SLSA Framework

Fri, 06/18/2021 - 09:32

Google has proposed a new framework to mitigate the growing risks posed by attacks on the software supply chain.

The Supply Chain Levels for Software Artifacts (SLSA, pronounced “salsa”) is designed to ensure the integrity of software artifacts across the entire supply chain.

It’s based on Google’s own Binary Authorization for Borg framework, which the tech giant has been using as standard for all its production workloads for over eight years.

“The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats,” Google explained. “With SLSA, consumers can make informed choices about the security posture of the software they consume.”

A typical software supply chain features multiple weak points and dependencies where attackers could strike — from the source repository and control platforms to the build and package phases.

The SolarWinds attackers that managed to compromise nine US government agencies compromised the build platform and installed an implant that injected malicious behavior during each build, for example.

In another recent supply chain attack affecting US firm Codecov, attackers used leaked credentials to upload a malicious artifact that was not built by the company’s CI/CD system. Users unwittingly downloaded this directly from its Google Cloud Storage bucket.

SLSA would have helped prevent both by requiring more robust security controls for the SolarWinds build platform and flagging the malicious artifact to Codecov, Google claimed.

It described SLSA as a “set of incrementally adoptable security guidelines” with four levels designed to go beyond best practice approaches.

“It will support the automatic creation of auditable metadata that can be fed into policy engines to give ‘SLSA certification’ to a particular package or build platform. SLSA is designed to be incremental and actionable, and to provide security benefits at every step,” Google explained.

“Once an artifact qualifies at the highest level, consumers can have confidence that it has not been tampered with and can be securely traced back to source — something that is difficult, if not impossible, to do with most software today.”
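To make the "metadata fed into policy engines" idea concrete, here is an added example (not Google's SLSA tooling, and not the real attestation format) of a consumer-side policy check: an artifact is admitted only if it carries provenance signed by a trusted builder whose subject digest matches the artifact. The builder list, provenance layout and HMAC-based signature are simplifying assumptions; an artifact with no provenance at all, as in the Codecov case, is rejected.

```python
"""Illustrative SLSA-style admission check (added example, not Google's code).
Provenance layout, trusted-builder list and the HMAC "signature" are assumptions
standing in for real signed attestations."""
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed secret shared with the trusted build platform (stand-in for a
# signing key that only the builder holds).
BUILDER_KEY = b"constructed-builder-key"
TRUSTED_BUILDERS = {"https://ci.example.invalid/builder/v1"}  # hypothetical builder id


def _canonical(statement: Dict) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def sign_provenance(statement: Dict, key: bytes = BUILDER_KEY) -> Dict:
    """Builder side: wrap the statement with an HMAC over its canonical form."""
    sig = hmac.new(key, _canonical(statement), hashlib.sha256).hexdigest()
    return {"statement": statement, "sig": sig}


def build_artifact(content: bytes, builder_id: str, source_uri: str) -> Tuple[bytes, Dict]:
    """Simulate a build platform emitting an artifact plus signed provenance."""
    statement = {
        "subject_sha256": hashlib.sha256(content).hexdigest(),
        "builder_id": builder_id,
        "source_uri": source_uri,
    }
    return content, sign_provenance(statement)


def evaluate(artifact: bytes, provenance: Optional[Dict], key: bytes = BUILDER_KEY) -> Tuple[bool, str]:
    """Consumer-side policy engine: return (admitted, reason)."""
    if provenance is None:
        # Artifact that no known CI/CD system produced (the Codecov pattern).
        return False, "no provenance: artifact was not produced by a known builder"
    statement = provenance.get("statement", {})
    expected = hmac.new(key, _canonical(statement), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, provenance.get("sig", "")):
        return False, "provenance signature invalid: metadata altered or forged"
    if statement.get("builder_id") not in TRUSTED_BUILDERS:
        return False, "untrusted builder %r" % statement.get("builder_id")
    if statement.get("subject_sha256") != hashlib.sha256(artifact).hexdigest():
        # What is being consumed is not the bytes the trusted builder attested to.
        return False, "artifact digest does not match provenance subject"
    return True, "admitted: built by trusted builder from " + str(statement.get("source_uri"))


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the cases the article contrasts; returns each verdict."""
    good, prov = build_artifact(b"release-1.0",
                                "https://ci.example.invalid/builder/v1",
                                "git+https://example.invalid/repo")  # constructed
    modified = good + b"<extra bytes added after the build>"
    return {
        "trusted": evaluate(good, prov),
        "modified_after_build": evaluate(modified, prov),
        "unprovenanced": evaluate(b"uploaded-by-hand", None),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%s: %s (%s)" % (name, "ADMIT" if ok else "REJECT", why))
```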

Categories: Cyber Risk News

Infosecurity Europe 2021 Postpones Live Event

Fri, 06/18/2021 - 09:29

Infosecurity Europe has announced that it is postponing the live event due to run at London Olympia in July, following the government’s delay in lifting the final COVID-19 restrictions.

Infosecurity Europe will instead deliver a virtual exhibition and conference from 13-15 July 2021, the original dates of the event. The in-person event will now be held in 2022.

Before the lifting of restrictions was delayed, the plan had been to combine live and online elements of Infosecurity Europe. The planned virtual program will be retained and enhanced with a rich line-up of presentations, talks and discussions, including but not limited to keynote presentations and the technology showcase.

The event will include a virtual exhibition. The full program will be available on the Infosecurity website shortly. 

Nicole Mills, exhibition director at Infosecurity Group said: “Infosecurity Europe has always been the place where the cybersecurity industry’s finest minds come together to share knowledge, ideas and experiences. While we can’t yet meet in person, we’ll still be bringing the community together this July for a digital only event. We’ve run two very successful virtual conferences over the past year, and we’re ready to deliver a stimulating and insightful program of content, with plenty of opportunities to discuss, debate and discover the best ways to protect organizations and get ahead of cyber-criminals.”

All visitors, exhibitors and press who have already registered for Infosecurity Europe 2021 will be able to access the virtual event. Those who haven't yet registered can still do so.

Categories: Cyber Risk News

Novel Phishing Attack Abuses Google Drive and Docs

Fri, 06/18/2021 - 08:59

Enterprising cyber-criminals have found a way to create convincing phishing emails which abuse Google Docs and Drive functionality to bypass security filters, according to Avanan.

Researchers at the email security vendor claimed this is the first time such techniques have been used to piggyback on a popular service like Google’s.

The email that victims receive contains what appears to be a legitimate Google Docs link, Avanan explained in a blog post.

Clicking through takes the user to a Google Docs page hosting what appears to be a Word doc.

“This Google Docs page may look familiar to those who share Google Docs outside of their organization. This, however, isn’t that page. It’s a custom HTML page made to look like that familiar Google Docs share page,” Avanan explained.

“The attacker wants the victim to ‘Click here to download the document’ and once the victim clicks on that link, they will be redirected to the actual malicious phishing website where their credentials will be stolen through another web page made to look like the Google Login portal.”

The attack itself is fairly simple to execute. A malicious coder creates an HTML web page designed to resemble a Google Docs sharing page and uploads it to Google Drive.

Then they simply right-click to open in Google Docs, before embedding and publishing it to the web. Google does most of the hard work, including generating a link that will render the full HTML file, Avanan explained.

The vendor claimed a similar technique had been used to spoof a DocuSign document, taking the user to a fake DocuSign login page.

Using Google Docs in this way, attackers have a good chance of bypassing static link scanners that many legacy security products use, Avanan argued. An AI-based tool capable of spotting suspicious behavior should perform better.

Phishing remains the top threat vector for today’s cyber-criminals. Of the 62.6 billion cyber-threats detected by Trend Micro last year, over 91% were sent via email.

Hank Schless, senior manager of security solutions at Lookout, argued that phishing attacks like these could seriously impact corporate cybersecurity.

“Threat actors know that stealing legitimate login credentials is the best way to discreetly enter an organization’s infrastructure. Since most organizations use either Google Workspace or Microsoft 365 as their main productivity platform, attackers build phishing campaigns that specifically exploit those services,” he added.

“Once the attacker has those login credentials and can log into the cloud platform they’ve chosen to build their campaign around, there’s no limit to what data they could exfiltrate.”

Categories: Cyber Risk News

Carnival Confirms Another Breach Impacting Staff and Passengers

Fri, 06/18/2021 - 08:23

One of the world’s largest cruise ship operators has disclosed a data breach from mid-March, impacting an unspecified number of customers, employees, and crew.

Carnival Corporation runs many of the globe’s leading cruise lines, including P&O, Cunard and Carnival Cruise Line.

According to a data breach notification letter sent to customers and seen by Infosecurity, the firm detected unauthorized third-party access to a “limited number” of email accounts on March 19.

“The impacted information includes data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the company, including COVID or other safety testing,” it continued.

“That information may include names, addresses, phone numbers, passport numbers, dates of birth, health information and in some limited instances additional personal information such as Social Security or national identification numbers.”

According to reports, the incident affected customers and employees on Carnival Cruise Line, Holland America Line and Princess Cruises.

Although Carnival claimed in the letter that there was a “low likelihood” of the data being misused, it urged recipients to review their account statements and credit history and be on guard for possible follow-on phishing attempts using the information.

The firm also offered those affected free credit monitoring and identity theft detection for 18 months. 

This isn’t the first time Carnival has suffered a security breach.

In March 2020, it revealed that the personal information of passengers and crew was obtained by a third party the previous May, impacting its Princess Cruises and Holland America Line brands.

Then in August 2020, it revealed that ransomware attackers managed to steal personal information from guests and employees of its Carnival Cruise Line, Holland America Line and Seabourn businesses.

Categories: Cyber Risk News

A Billion CVS Records Exposed

Thu, 06/17/2021 - 18:40

More than a billion records were exposed after a misconfiguration error left a CVS Health cloud database without password protection.

The 240GB of unsecured data was discovered by WebsitePlanet and security researcher Jeremiah Fowler in a cooperative investigation. 

Because of the security oversight by CVS Health, which owns CVS Pharmacy and Aetna, a total of 1,148,327,940 records were exposed.

Information that was left publicly accessible to anyone who knew how to look for it included customers' search histories detailing their medications, and production records that exposed visitor ID, session ID, and device information (i.e., iPhone, Android, iPad, etc.). 

Personal data was also exposed, with researchers noting that "a sampling search query revealed emails that could be targeted in a phishing attack for social engineering or potentially used to cross reference other actions."

Researchers said that any threat actors who accessed the database could have gleaned a clear understanding of configuration settings, discovered where data is stored, and accessed a blueprint of how the logging service operates from the backend.

After encountering the unprotected database on March 21, researchers contacted CVS Health, which acted swiftly to restrict public access.

“We were able to reach out to our vendor and they took immediate action to remove the database," said CVS Health. "Protecting the private information of our customers and our company is a high priority, and it is important to note that the database did not contain any personal information of our customers, members or patients.”

“Misconfigurations like these are becoming all too common. Exposing sensitive data doesn’t require a sophisticated vulnerability, and the rapid growth of cloud-based data storage has exposed weaknesses in processes that leave data available to anyone," PJ Norris, senior systems engineer at Tripwire, told Infosecurity Magazine.

He continued: "A misconfigured database on an internal network might not be noticed, and if noticed, might not go public, but the stakes are higher when your data storage is directly connected to the internet. Organizations should identify processes for securely configuring all systems, including cloud-based storage, like Elasticsearch and Amazon S3."

Categories: Cyber Risk News

Australia Suffers Widespread Internet Outage

Thu, 06/17/2021 - 17:48

Australians' lives were disrupted on Thursday by a widespread internet outage that impacted the country's mail service and multiple businesses, including banks and airlines.

The outage began in the early hours and was caused by a problem at Akamai Technologies, a global content delivery network (CDN) and cybersecurity and cloud service provider. 

Akamai, which is based in Cambridge, Massachusetts, has acknowledged the issue but has not yet disclosed the cause of the service disruption to its hosting platform, which mitigates Distributed Denial-of-Service (DDoS) attacks.

Akamai’s Chris Nicholson told NPR: "Akamai can confirm the segment of our Prolexic platform impacted is up and running and we are continuing to validate services. We will share more details of what transpired, but our first priority is ensuring all customer impact is mitigated."

Three of the country's four largest banks – ANZ, Westpac, and the Commonwealth Bank (CBA) – were all affected along with many smaller banks and some credit unions.

On Thursday afternoon, banking customers began reporting on social media that they were experiencing access issues when trying to use online banking services and banking apps.

Banks used social media to let their customers know that they were trying to deal with the situation.

CBA tweeted: "We're aware some of you are experiencing difficulties accessing our services and we're urgently investigating."

The Reserve Bank of Australia said on Thursday night: "We have implemented appropriate mitigations and the website is now back up and running." 

However, ABC News reported that ongoing technical problems led to the cancellation of some market operations between the Reserve Bank and other commercial banks. 

Services were also disrupted at Southwest Airlines, United Airlines, and Virgin Australia, which stated on social media that it was being impacted by a system outage that had affected its website and contact center.

Virgin, whose services were back online shortly after 5pm, stated that it "was one of many organizations to experience an outage with the Akamai content delivery system today and we are working with them to ensure that necessary measures are taken to prevent these outages from reoccurring."

The national mail service, Australia Post, said that a number of its services had been knocked offline by an "external outage." The Hong Kong Stock Exchange‘s website was also impacted.

Categories: Cyber Risk News

Hackers Can Spy on Peloton Workouts

Thu, 06/17/2021 - 16:13

Peloton bike users could be spied on while working out, according to new research by McAfee's Advanced Threat Research team.

The team discovered a vulnerability (CVE-2021-3387) in the touchscreen of the $2,495 Bike+ that allows it to be controlled remotely by a threat actor without any interference to the equipment's operating system.

Hackers could exploit the flaw to install malicious apps that spoof Netflix or Spotify to steal personal details and login credentials. 

Researchers also found that the vulnerability allowed bad actors to access the Peloton bike's microphone and camera to spy on users. 

McAfee said that bikes used in hotels and other public spaces were most at risk because hackers had to physically access the screen and infect it with malicious code stored on a USB drive to exploit the flaw. 

The lower-priced Peloton Bike is not affected by the flaw as the fitness device uses a different type of touchscreen. 

But researchers noted: "Further conversations with Peloton confirmed that this vulnerability is also present on Peloton Tread exercise equipment, however, the scope of our research was confined to the Bike+."  

The flaw was detected in the Peloton bike's software. After McAfee shared the discovery with Peloton, the two companies joined forces to "responsibly develop and issue a patch."

A mandatory software update that fixes the issue was released to users by Peloton earlier this month. 

Adrian Stone, Peloton’s Head of Global Information Security, said: “This vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important. 

"To keep our members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.”

McAfee's report is the second security issue to hit Peloton in the past two months. In May, the company released an update to stop the leakage of personal account information, including the age, weight and location of its users.

Categories: Cyber Risk News

LORCA Announces New Intensive Program for Most Promising Cyber Startups

Thu, 06/17/2021 - 15:28

The London Office for Rapid Cybersecurity Advancement (LORCA) has launched a new initiative designed to propel the growth of UK cyber startups.

LORCA Ignite will see six of the most successful companies that have graduated from the LORCA accelerator program during the past three years participate in a new, intensive program, which will help them achieve rapid scale and commercial growth.

LORCA is a government-backed initiative that started in 2018 to accelerate the growth of UK cyber startups. It is delivered by Plexal at the London-based technology hub Here East and is supported by Deloitte and the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast. The year-long programs help the selected startups to secure investment, access new markets, and even participate in overseas trade missions, alongside mentoring and training sessions.

LORCA has significantly exceeded expectations during that time, with the 72 cyber startups and scaleups to take part in the program so far raising more than £200m in investment and generating over £37m in revenue. The level of investment achieved at this point is a massive 450% higher than LORCA’s original target that was set in 2018.

The new six-month program will enable the six selected firms to attend commercial and technology validation clinics and a showcase event. These firms have collectively raised £27m in investment and grants in the last three years. Additionally, LORCA Ignite will provide them with access to investors, mentoring services, and national and global networks and connect them to companies and security leaders who may require their products and services.

The cohort will also receive professional services expertise from several LORCA’s corporate partners, including AHL Connect, Outfly, Informed Funding, and Infosec People.

The six companies making up the LORCA Ignite cohort are:

Digital Infrastructure Minister Matt Warman commented: “Good cybersecurity is the bedrock of our digital economy, and our thriving sector will play a vital role in helping the nation build back better and stronger from the pandemic.

“Through our support for LORCA, we are backing our innovative cyber startups to grow their businesses and develop the cutting-edge solutions people and companies need to stay one step ahead of security threats.”

Saj Huq, director of LORCA, outlined: “LORCA Ignite is the evolution of an accelerator program that has demonstrated the extraordinary success of the British startup ecosystem over the last three years. By combining government support with innovation expertise and access to investors and global tech leaders, LORCA has accelerated the growth of a new generation of world-class British cyber startups. LORCA Ignite will continue that growth trajectory for some of the most high-potential businesses that have participated in our program. The UK has a globally competitive cyber ecosystem, and we need to provide support to the cyber scaleups at the forefront of what is quickly becoming a jewel in the UK’s tech crown.”

This week, it was announced that Risk Ledger, one of the companies that will take part in LORCA Ignite, has been chosen by NHS Test and Trace to help it manage its supply chain cybersecurity risks.

Categories: Cyber Risk News

Puzzling New Malware Blocks Access to Piracy Sites

Thu, 06/17/2021 - 13:00

Researchers have admitted they’re baffled by a new piece of malware primarily designed to prevent victims from visiting software piracy sites.

Sophos principal researcher, Andrew Brandt, branded the discovery “one of the strangest cases I’ve seen in a while.”

It’s hidden in pirated copies of various software, including security products, and distributed via the game chat service Discord and through BitTorrent. Once double-clicked, it displays a bogus error message on the victim’s screen while executing.

The malware apparently blocks infected users from visiting a large number of piracy sites by modifying the HOSTS file on their systems. Brandt described this as a “crude but effective” strategy — crude because although it works, the malware has no persistence mechanism.

This means that anyone can remove the HOSTS file entries and stay removed unless the program is run a second time. Bizarrely, Brandt claimed to have discovered a malware family that behaved almost identically more than a decade ago.
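A defender-side check for the behaviour described above, added here as an example (not Sophos code): it parses a hosts file, reports entries that pin public hostnames to loopback or null addresses, and strips them, which is all the cleanup needed given the lack of persistence. The sample hosts content is constructed.

```python
"""Find and remove hosts-file sinkhole entries (added example; sample data is constructed)."""
import ipaddress
from typing import Iterator, List, Tuple

# Names that legitimately map to loopback in a default hosts file.
DEFAULT_LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}


def parse_hosts(text: str) -> Iterator[Tuple[str, str, int]]:
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments and blanks."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; nothing mapped
        for host in parts[1:]:
            yield parts[0], host.lower(), line_no


def find_blackholed(text: str) -> List[Tuple[int, str, str]]:
    """Return [(line_no, hostname, ip)] for entries that sinkhole a non-local name
    to a loopback (127.0.0.1, ::1) or unspecified (0.0.0.0, ::) address."""
    hits = []
    for ip, host, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an IP address at all; out of scope for this check
        if (addr.is_loopback or addr.is_unspecified) and host not in DEFAULT_LOCAL_NAMES:
            hits.append((line_no, host, ip))
    return hits


def strip_blackholed(text: str) -> str:
    """Return the hosts content with every sinkhole line removed."""
    bad_lines = {line_no for line_no, _, _ in find_blackholed(text)}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad_lines]
    return "\n".join(kept)


# Constructed sample; the blocked names are placeholders, not the malware's real list.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
::1 localhost ip6-localhost
# entries added by the hypothetical blocker
127.0.0.1 piracy-site.example
0.0.0.0 another-tracker.example mirror.example
192.0.2.10 intranet.example
"""

if __name__ == "__main__":
    for line_no, host, ip in find_blackholed(SAMPLE_HOSTS):
        print("line %d: %s -> %s (sinkholed)" % (line_no, host, ip))
    print(strip_blackholed(SAMPLE_HOSTS))
```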

The malware also downloads and executes a second payload, an executable named “ProcessHacker.jpg.”

It’s detected by Sophos as Mal/EncPk-APV.

Brandt said that the malware developer’s end game is still a mystery.

“On the face of it, the adversary’s targets and tools suggest this could be some kind of crudely compiled anti-piracy vigilante operation. However, the attacker’s vast potential target audience — from gamers to business professionals — combined with the curious mix of dated and new tools, techniques and procedures (TTPs) and the bizarre list of websites blocked by the malware, all make the ultimate purpose of this operation a bit murky,” he added.

“There may not even be an overall purpose to this attack at all. However, that doesn’t reduce the level of risk or the potential disruption for victims.”

Brandt urged users to install a robust security solution to spot such threats and avoid downloading pirated or “too good to be true” software.

Categories: Cyber Risk News

60% of Businesses Would Consider Paying a Ransomware Demand

Thu, 06/17/2021 - 10:23

Three in five (60%) organizations would consider paying an extortion demand in the event of a ransomware attack, according to a new study by the Neustar International Security Council (NISC).

The research also revealed that one in five businesses would be prepared to spend 20% or more of their annual revenue to restore their systems in these situations.

The findings come amid a surge in high-profile ransomware incidents in recent months, many of which have resulted in substantial payouts to the perpetrators. For example, just last week, meat processing company JBS confirmed it had paid its extortionists $11m. Last month it was reported that Colonial Pipeline paid $4.4m after attackers knocked the US’ largest fuel pipeline offline; in that case, the US Department of Justice was subsequently able to seize $2.3m of the funds paid to the Russian ransomware group.

These incidents have reignited the complex debate on whether it is ever right for organizations to pay a ransomware demand.

Encouragingly, Neustar’s study, which was based on a survey of 304 senior professionals across six EMEA and US markets, found that 80% of respondents are placing greater emphasis on defending against ransomware in light of current events. More than two-thirds (69%) saw ransomware as a growing threat to their organization, making it the top concern among more than a dozen attack vectors.

Participants were also asked how effective currently available security technologies are at protecting against ransomware. Close to three-quarters (74%) said those technologies were either ‘very’ or ‘somewhat’ sufficient, while 26% viewed them as ‘somewhat’ or ‘very’ insufficient.

Rodney Joffe, NISC Chairman, SVP, and fellow at Neustar, commented: “Companies must unite in not paying ransoms. Attackers will continue to increase their demands for ever larger ransom amounts especially if they see that companies are willing to pay. This spiral upwards must be stopped. The better alternative is to invest proactively in mitigation strategies before the attacks, including the use of qualified providers of ‘always-on’ monitoring and filtering of traffic as part of a layered security approach.”

Categories: Cyber Risk News

Amazon Web Services Misconfiguration Exposes Half a Million Cosmetics Customers

Thu, 06/17/2021 - 08:48
Amazon Web Services Misconfiguration Exposes Half a Million Cosmetics Customers

Hundreds of thousands of retail customers had their personal data exposed thanks to a misconfigured cloud storage account, Infosecurity has learned.

A research team at reviews site WizCase traced the leaky Amazon S3 bucket to popular Turkish beauty products firm Cosmolog Kozmetik.

The 20GB trove contained around 9,500 files, including thousands of Excel spreadsheets that exposed the personal information of 567,000 unique users who had bought items from the company across multiple e-commerce platforms.

Although the research team discovered no payment information, they did find customers’ full names, physical addresses and purchase details among the leaked orders. In some cases, phone numbers and emails were also exposed.

The oldest orders dated back to 2019 and the newest were current, indicating that the bucket was still being actively written to at the time of discovery.
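Three settings decide whether a bucket like this is reachable from the internet: its bucket policy, its ACL and the account's Block Public Access configuration. The following added example (not WizCase's tooling and not anything from Amazon) evaluates all three offline, with a weak and a corrected version of each. The bucket name and the documents are constructed in the shapes boto3 returns from `get_bucket_policy` (the `Policy` JSON string), `get_bucket_acl` (the dict with `Grants`) and `get_public_access_block` (the `PublicAccessBlockConfiguration` dict); 111122223333 is the AWS documentation example account ID.

```python
"""Offline checks for the three settings that make an S3 bucket world-readable.

Added example, not WizCase's tooling or Amazon's. All documents below are
constructed; the bucket name is invented and 111122223333 is the AWS
documentation example account ID.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# --- constructed samples: the weak setting beside its corrected form ----------------
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::orders-export-example/*"}],
})
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppReadOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/orders-reader"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::orders-export-example/*"}],
})
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
               "Permission": "FULL_CONTROL"}
WEAK_ACL = {"Grants": [OWNER_GRANT,
                       {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
FIXED_ACL = {"Grants": [OWNER_GRANT]}
WEAK_BPA = {k: False for k in BPA_KEYS}
FIXED_BPA = {k: True for k in BPA_KEYS}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_is_wildcard(principal) -> bool:
    """'*' or {'AWS': '*'} means anyone on the internet, signed or anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_json: str) -> list:
    """(Sid, verdict) for each Allow statement with a wildcard principal.

    'public' means there is no Condition at all; 'review' means a Condition is
    present and a human must decide whether it really narrows the grant
    (aws:SourceIp does, a StringLike on '*' does not).
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), "review" if stmt.get("Condition") else "public"))
    return findings


def public_acl_grants(acl: dict) -> list:
    """(group, permission) for every grant to the AllUsers / AuthenticatedUsers groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def block_public_access_complete(cfg: dict) -> bool:
    """All four switches must be on; any one left off re-opens a path to public access."""
    return all(cfg.get(k) is True for k in BPA_KEYS)


def assess_bucket(policy_json: str, acl: dict, bpa: dict) -> dict:
    return {
        "policy_findings": public_policy_statements(policy_json),
        "acl_findings": public_acl_grants(acl),
        "bpa_complete": block_public_access_complete(bpa),
    }


if __name__ == "__main__":
    print("weak :", assess_bucket(WEAK_POLICY, WEAK_ACL, WEAK_BPA))
    print("fixed:", assess_bucket(FIXED_POLICY, FIXED_ACL, FIXED_BPA))
```

In practice the three inputs come straight from the boto3 calls named in the lead-in; the weak configuration trips all three checks, and the corrected one replaces the wildcard principal with a specific role, drops the AllUsers ACL grant and turns on every Block Public Access switch, so that a future policy or ACL mistake is refused by the account rather than silently exposing the next batch of order files.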

WizCase warned that many of those whose details were exposed may be unaware of the leak, as e-commerce marketplace users often don’t check the names of sellers.

Cosmolog Kozmetik, which also sells under the name “Marketlog,” is commonly found on major Turkish e-commerce platforms Trendyol, Hepsiburada, and Unishop.

WizCase warned that if threat actors managed to find and copy the exposed data, it might put these shoppers at risk of follow-on phishing and fraud, including refund scams. They could even suffer physical theft of packages if attackers track and steal shipments as they arrive at customers’ homes, it added.

“Cyber-criminals are always generating new methods to exploit anyone vulnerable on the internet,” WizCase warned in a blog post detailing the privacy snafu.

“For future purposes, we recommend always inputting the bare minimum of information when making a purchase or setting up an account on the internet. The less information you give hackers to work with, the less vulnerable you are to attack.”

Although WizCase contacted the Turkish CERT, Amazon and Cosmolog Kozmetik about the breach, none had replied at the time of writing.

Categories: Cyber Risk News

US Warns Russia of Cyber-Attack No-Go List

Thu, 06/17/2021 - 08:26
US Warns Russia of Cyber-Attack No-Go List

President Biden and his team have warned the Putin administration of 16 critical infrastructure entities that are off-limits for threat actors operating from Russia.

The news came as the two leaders sat down in Geneva for a summit which Biden said was designed to ensure a “stable and predictable” relationship between the two countries following the turmoil of the Trump years.

After the audacious attack on Colonial Pipeline, which disrupted fuel supplies on the US East Coast for days, Biden had been under increasing pressure to confront Putin over the cybercrime groups apparently operating with impunity from Russia.

The two spent “a great deal of time” talking about cybersecurity, said Biden in a post-meeting press conference.

“I talked about the proposition that certain critical infrastructure should be off limits to attack — period — by cyber or any other means. I gave them a list … of 16 specific entities; 16 defined as critical infrastructure under US policy, from the energy sector to our water systems,” he added.

“Of course, the principle is one thing. It has to be backed up by practice. Responsible countries need to take action against criminals who conduct ransomware activities on their territory.”

The two countries will now sit down to work on a deeper agreement on cybersecurity, designed to articulate “what’s off-limits.”

The US hammered out a similar agreement with China back in 2015 when Barack Obama warned Xi Jinping not to allow state-backed spies to target US companies in “economic cybercrime” attacks.

However, that deal soon fell apart as it became clear Beijing had no intention of dropping its plans.

Putin reportedly appeared similarly unapologetic at the Geneva meeting, claiming that the Colonial Pipeline attack had nothing to do with the Kremlin and that, according to his sources, most cyber-attacks originate from the US.

Adam Flatley, former NSA director of operations and now director of threat intelligence at [redacted], said the summit went as expected.

“Both sides went in and stated their positions to set the playing field for the next few years. Russia denied everything, which is totally standard. Biden stated our opposing positions and didn’t cave to any of Putin’s initial demands, most of which were normal,” he explained.

“It looks like we’re back in a more normal world of international relations, which is a good thing. So the real outcome here seems to be that both sides stated their opening positions and will go back home to start pushing their different agendas, and we’ll have to see who has the will and resources to succeed.”

Categories: Cyber Risk News

US Convicts Russian Malware-masker

Wed, 06/16/2021 - 18:51
US Convicts Russian Malware-masker

The United States has convicted a Russian cyber-criminal of running a malware-masking service that helped hackers systematically infect victim computers around the world with malware, including ransomware.

On Tuesday, a federal jury in Connecticut found 41-year-old native Estonian Oleg Koshkin guilty of operating a crypting business via multiple websites, including “,” and “”

On the websites, Koshkin and his co-conspirators claimed that they could render malicious software such as botnets, remote-access trojans, keyloggers, credential stealers and cryptocurrency miners undetectable by nearly every major provider of antivirus software. 

According to court documents and evidence introduced at trial, Koshkin worked with Kelihos botnet operator Peter Yuryevich Levashov (aka Sergey Astakhov aka Petr Severa) to create a system that would allow Levashov to crypt the Kelihos malware multiple times per day. 
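To make concrete why a per-build crypting service defeats the static signature and hash matching the websites boasted about, and what a defender can still check, here is an added example; it is not code from the case, from the Kelihos operation or from any AV vendor. The payload bytes, the “signature” and the keys are constructed, the XOR loop is a toy stand-in for whatever transform a real crypter applies, and the decryption stub a real crypter prepends to the output is deliberately omitted.

```python
"""Why re-crypting a binary defeats static signatures, and one check that survives it.

Added example; not code from the Koshkin case, Kelihos or any AV product.
Payload, signature and keys are constructed. The XOR below is a toy
transform standing in for a crypter; no decryption stub is included.
"""
import hashlib
from collections import Counter
from math import log2

# Constructed stand-in for a byte pattern a signature-based engine might key on.
STATIC_SIGNATURE = b"EXAMPLE_STATIC_SIGNATURE"


def build_sample_payload() -> bytes:
    """Constructed stand-in for a bot binary: low-entropy bytes containing the signature."""
    header = b"MZ" + b"\x00" * 62
    body = b"example bot code section; " * 8
    return header + body + STATIC_SIGNATURE + b"\x00" * 64


def signature_match(blob: bytes, sig: bytes = STATIC_SIGNATURE) -> bool:
    """Naive static detection: does the signature appear verbatim anywhere?"""
    return sig in blob


def toy_crypt(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: every byte changes, so a verbatim signature cannot survive.

    XOR is its own inverse, so the same call with the same key recovers the original,
    which is all a crypter's runtime stub has to do before handing over control.
    """
    if not key or 0 in key:
        raise ValueError("key must be non-empty and contain no zero bytes")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum((c / n) * log2(c / n) for c in Counter(blob).values())


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def compare_builds(payload: bytes, keys) -> dict:
    """Crypt one payload under several keys, as a per-day re-crypting service would,
    and record what hash, signature and entropy checks see for each build."""
    def row(blob):
        return {"sha256": sha256_hex(blob),
                "signature_hit": signature_match(blob),
                "entropy": round(shannon_entropy(blob), 2)}
    report = {"plain": row(payload)}
    for i, key in enumerate(keys, 1):
        report[f"build{i}"] = row(toy_crypt(payload, key))
    return report


if __name__ == "__main__":
    demo_keys = [bytes(range(1, 33)), bytes(range(200, 232))]
    for name, r in compare_builds(build_sample_payload(), demo_keys).items():
        print(f"{name:7s} sig_hit={str(r['signature_hit']):5s} "
              f"entropy={r['entropy']:.2f} sha256={r['sha256'][:16]}...")
```

Each new key yields a new SHA-256 and no signature hit, which is why a service that re-crypted Kelihos several times a day kept it ahead of hash blocklists and byte-pattern signatures; the entropy column, by contrast, jumps on every build, one reason modern engines pair signatures with entropy heuristics, emulation and behavioural monitoring rather than relying on byte patterns alone.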

"Koshkin provided Levashov with a custom, high-volume crypting service that enabled Levashov to distribute Kelihos through multiple criminal affiliates," said a Department of Justice spokesperson.

"Levashov used the Kelihos botnet to send spam, harvest account credentials, conduct denial of service attacks, and distribute ransomware and other malicious software." 

The Kelihos botnet included at least 50,000 compromised computers around the world when it was dismantled in 2017 by the FBI following Levashov's arrest in Barcelona. After extradition to the United States, Levashov pleaded guilty in 2018 to one count of causing intentional damage to a protected computer, one count of conspiracy, one count of wire fraud, and one count of aggravated identity theft.

Koshkin was arrested in California in September 2019 and has been detained since his arrest. He faces a maximum penalty of 15 years in prison and is scheduled to be sentenced on September 20.

Pavel Tsurkan, Koshkin’s co-defendant, is charged with aiding and abetting Levashov in causing damage to 10 or more protected computers and also with conspiring to cause damage to 10 or more protected computers.

Acting Assistant Attorney General Nicholas McQuaid of the Justice Department's Criminal Division said: “The verdict should serve as a warning to those who provide infrastructure to cyber-criminals: the Criminal Division and our law enforcement partners consider you to be just as culpable as the hackers whose crimes you enable, and we will work tirelessly to bring you to justice.”

Categories: Cyber Risk News

Deloitte Acquires Terbium Labs

Wed, 06/16/2021 - 17:03
Deloitte Acquires Terbium Labs

Multinational professional services network Deloitte Touche Tohmatsu Limited (Deloitte) has acquired all of the assets of Terbium Labs.

The acquisition of the Baltimore-based digital risk protection company was announced by Deloitte on June 15. 

Terbium Labs was founded in 2013 to help organizations detect and remediate data exposure, theft or misuse across the digital landscape. In 2019, the company announced a $2m investment from the Omidyar Network, a philanthropic investment firm created by eBay founder Pierre Omidyar and his wife, Pam.

Deloitte said acquiring the dark web intelligence firm will bolster the Detect & Respond offering within its cyber practice.

Services and solutions offered by Terbium Labs include a digital risk protection platform that uses artificial intelligence, machine learning and patented data fingerprinting technologies to identify the illegal use of sensitive data online.

"Finding sensitive or proprietary data once it leaves an organization's perimeter can be extremely challenging," said Kieran Norton, Deloitte risk & financial advisory's infrastructure solution leader and principal.  

"Adding Terbium Labs' business to our portfolio will offer our clients one more way to continuously monitor for — and, when appropriate, minimize the impact of — data exposed on the open, deep, or dark web," he added.

"Our industry-leading cyber practice is focused on providing our clients with new and innovative ways to transform their cyber risk postures as they endeavor to strengthen their trust equity, resilience and security," added Deborah Golden, Deloitte risk & financial advisory cyber and strategic risk leader and principal.

"As regulations change and new capabilities become available, we're strategically investing to offer advanced approaches to monitor digital assets privately and securely and to reduce time from event to remediation. These investments are powerful individually in bringing improved outcomes for our clients and transformational together by helping our clients become higher performing and more agile in the face of new threats and more efficient in their operations." 

Terbium Labs is Deloitte's third cyber acquisition this year. The firm purchased Root9B, LLC (R9B) in January and announced its acquisition of cloud security posture management provider CloudQuest on June 7.

Categories: Cyber Risk News

IAB Tech Lab Accused of “World’s Largest Data Breach”

Wed, 06/16/2021 - 16:28
IAB Tech Lab Accused of “World’s Largest Data Breach”

The IAB Technology Laboratory (IAB Tech Lab), which develops ad-industry standards, is being sued by the Irish Council for Civil Liberties (ICCL) for allegedly being responsible for "the world's largest data breach."

A non-profit digital media consortium established in 2014 and based in New York, the IAB Tech Lab's 650-member community includes Facebook, Google and Amazon.

In a lawsuit filed by ICCL senior fellow Johnny Ryan on May 18 in a court in Hamburg, the IAB Tech Lab comes under fire for real-time bidding, a process during which data is shared between ad brokers and other companies while advertising space is being auctioned as a website loads.

Despite the case having been filed nearly a month ago, the IAB Tech Lab told a BBC reporter who reached out for comment, for an article that went live on Wednesday, that it was not familiar with Ryan's claim.

"We are reviewing the allegations in conjunction with our legal advisers and will respond in due course, if appropriate," said an IAB Tech Lab spokesperson.

Ryan, who worked as an advertising-industry professional before joining the ICCL, claims that when a user loads an app or web page that carries advertising, their data is shared with hundreds of ad brokers. 

The brokers use the data to sell the ad space that splashes onto the screen while the page loads. According to Ryan, users who see empty ad spaces that then fill with ads are watching their own data being auctioned in real time. 

Ryan said user data shared in the process includes "inferences of your sexual orientation, religion, what you're reading, watching, and listening to, your location."

He said it is a multi-million-dollar industry that most internet users know nothing about.

The IAB Tech Lab provides publicly available two- and three-digit codes, each of which represents a piece of user data. For example, a household with an income lower than $10k is given the code 60. 

Ryan alleges that providing that data – which IAB Tech Lab calls "audience taxonomy" – breaches EU privacy rules because users have not actively consented to this collection and dispersion of their data. 

He said: "The law needs to apply and sweep the industry so you can still have your bid requests but without personal data changing hands."

Categories: Cyber Risk News

Members of Clop Ransomware Gang Arrested in Ukraine

Wed, 06/16/2021 - 15:39
Members of Clop Ransomware Gang Arrested in Ukraine

Members of the notorious FIN11 (Clop) ransomware gang have been arrested today by the Ukrainian police in conjunction with Interpol and law enforcement from the US and South Korea.

In a statement published today, the Ukrainian police revealed it had arrested six people alleged to be part of the financially motivated cybercrime gang FIN11, which is believed to be behind many high-profile cyber-attacks. These include the attacks earlier this year exploiting vulnerabilities in Accellion’s FTA product, which enabled the gang to access the systems of aircraft manufacturer Bombardier.

In the statement, the police outlined its belief that the six suspects “carried out ransomware-type malware attacks on the servers of US and Korean companies.” This includes encrypting personal data of employees and financial reports of the Stanford University School of Medicine, the University of Maryland and the University of California.

The police added that it had seized cash, cars, and a number of Apple Mac laptops and desktops alongside the arrests. It stated: “Through the joint efforts of law enforcement officers, it was possible to stop the operation of the infrastructure from which the virus is spreading and block the channels for the legalization of cryptocurrencies obtained by criminal means.”

The announcement is the latest in several recent successes for law enforcement agencies in countering cyber-criminal gangs. For example, earlier this month, the US Department of Justice revealed it managed to seize around $2.3m of the $4.4m in cryptocurrency paid to the Darkside gang by Colonial Pipeline following the ransomware attack on the fuel transportation company in May.

Security experts such as Kim Bromley, a senior cyber threat intelligence analyst at Digital Shadows, recognize the significance of these arrests: “On 16 Jun 2021, Ukrainian police announced the arrest of individuals and the takedown of infrastructure related to the ‘Clop’ ransomware. This activity comes in the aftermath of increased pressure from law enforcement and governments on ransomware groups, following recent attacks on critical national infrastructure in the US. Clop ransomware has been active since February 2019 and targets large organizations for big game hunting. Despite partaking in the ever-popular double-extortion tactic, Clop’s reported activity level is relatively low when compared with the likes of ‘REvil’ (aka Sodinokibi) or ‘Conti’.

“Earlier in the year, the ‘Ziggy’ ransomware shut down its operation, citing an increased scrutiny from law enforcement as the reason. This week, the ‘Avaddon’ ransomware also appears to have ceased operations. Seemingly, the consistent pressure from law enforcement on these threat groups is beginning to have a positive impact.”

John Hultquist, VP of analysis, Mandiant Threat Intelligence, outlined: “The Cl0p operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace and technology. The actor FIN11 has been strongly associated with this operation, which has included both ransomware and extortion, but it is unclear if the arrests included FIN11 actors or others who may also be associated with the operation.

“The arrests made by Ukraine are a reminder that the country is a strong partner for the US in the fight against cybercrime, and authorities there are making the effort to deny criminals a safe harbor. This is especially relevant as President Biden and Putin discuss the state of cyber-threats emanating from Russia, including the ransomware threat, which has increasingly threatened critical infrastructure and the everyday lives of people around the world.”

Categories: Cyber Risk News

NHS Test and Trace Bolsters its Cybersecurity

Wed, 06/16/2021 - 13:28
NHS Test and Trace Bolsters its Cybersecurity

NHS Test and Trace has announced that an early-stage UK company will be in charge of managing its supply chain cybersecurity risks.

Risk Ledger, which was part of the fourth cohort of the government-backed London Office for Rapid Cybersecurity Advancement (LORCA) program to promote cyber scaleups, will allow NHS Test and Trace to utilize its ‘social network’ platform. The platform will enable organizations to connect and share risk data securely, quickly and easily. This move is particularly crucial for the UK’s test and trace service, which involves the continued sharing of sensitive data to help control the spread of COVID-19 as lockdown restrictions ease.

The Risk Ledger platform will provide NHS Test and Trace with complete visibility of its supply chain, including the data needed to identify, measure and mitigate any cyber threats that emerge.

The importance of securing supply chains has come into sharper focus due to recent high profile incidents, especially the SolarWinds attacks at the end of last year.

Creating the NHS Test and Trace system, which includes an official app, has brought about several privacy and data protection concerns. It is hoped the contract with Risk Ledger, which was a winner in the Department for Digital, Culture, Media, and Sport’s ‘Most Innovative UK Cyber SME of the Year’ competition in May, will help assuage some of these fears.

Minister for Digital Infrastructure Matt Warman MP commented: “The government is working tirelessly to secure the nation online and grow the UK’s £8.9bn cybersecurity industry as we build back better from the pandemic. We’re helping SMEs develop innovative products and services, and it’s great to see Risk Ledger, one of the firms we’ve supported, win this contract to protect the Test and Trace system and support the national effort against coronavirus.”

Haydn Brooks, Risk Ledger CEO and co-founder, welcomed the move: “NHS Test and Trace is essentially the biggest new start-up in the UK healthcare market so we are delighted they have chosen to take advantage of our ability to provide enhanced visibility of their supply chain risks. I am proud we will be part of the effort to secure this incredibly important supply chain.

“Healthcare organizations and their supply chains handle lots of highly sensitive data and have a high rate of data breaches. We have already seen during the COVID-19 pandemic that bad actors are actively targeting supply chains to access data and cause disruption.”

Categories: Cyber Risk News