Info Security


Farming Group Warns of Supply Chain Chaos After Ransomware Attack

Tue, 09/21/2021 - 08:16

An Iowan agricultural group hit by ransomware over the weekend appears to have claimed that the impact of the attack on the US public could be worse than the Colonial Pipeline incident.

The attack has been traced to BlackMatter, a group that some believe has links to the DarkMatter outfit responsible for the days-long oil supply outage in May, which sent prices soaring on the East Coast.

According to reports, it targeted New Cooperative, a major US grain producer, with a $5.9m ransom demand.

However, screenshots of the negotiations between the two parties posted on Twitter by security researchers shed some interesting light on the attack’s significance.

In one, the cooperative’s spokesperson suggests that the ransomware group has misjudged the scale of the impact a resulting supply chain outage could have.

“The impact of this attack will likely be much worse than the pipeline attack for context, and we have no way to control that given the disruption this has already caused,” they said. “I am just telling you this so you are not surprised as it does not seem like you understood who we are and what role our company plays in the food supply chain.”

The threat actors appeared unmoved, demanding the firm come up with the money.

The to-and-fro between victim and extorter has added significance given the Biden administration has made it clear to the Kremlin that 16 critical infrastructure sectors of the US economy are off-limits to cybercrime groups thought to be operating from Russia.

After a relatively quiet summer, this attack would appear to be testing those red lines.

“There is going to be very very public disruption to the grain, pork and chicken supply chain. About 40% of grain production runs on our software and 11 million animals feed schedules rely on us,” the spokesperson said, according to another screenshot.

“This will break the supply chain very shortly, and we will have to report this to our regulators and likely the public if this disruption continues … CISA is going to be demanding answers from us within the next 12 hours or so and we are going to have to tell them exactly what has happened.”

Hank Schless, senior manager of security solutions at Lookout, argued that firms would need to better protect themselves rather than wait for any geopolitical breakthrough.

“BlackMatter claimed that New Cooperative doesn’t reach the threshold that the President laid out. Threat actors already operate outside the bounds of the law, so why would they suddenly comply? If this is the attitude Russia-based threat actors have towards the President’s warnings, then this could be indicative of similar attacks to come,” he added.

Categories: Cyber Risk News

France Condemns #Anti2010 Cyber-bullying

Mon, 09/20/2021 - 19:35

Education officials in France have spoken out against a new cyber-bullying trend targeting children who were born in 2010.

The BBC reports that the malicious new #anti2010 campaign has been spreading online via Twitter and through the video-sharing app TikTok. Videos that encourage viewers to form an "anti-2010 police" have been watched millions of times.

Euro News reports that the hashtag #anti2010 had more than 40 million views on TikTok before it was removed.

Parents have reportedly become concerned that the campaign has created a vogue for bullying eleven-year-olds at a particularly vulnerable moment in their lives – starting secondary school.

France's education minister, Jean-Michel Blanquer, condemned the online bullying as "completely stupid and against our values."

Reports have allegedly been made that the cyber-bullying has progressed from digital taunts to physical violence.

"In the courtyard, they point the finger at us, shouting 2010! 2010!" a student born in 2010 told the Le Parisien newspaper, adding that fights had emerged out of the verbal abuse.

Blanquer urged families to report any cases of harassment via an emergency hotline. 

"The warm welcome of sixth-grade students – and their successful integration thanks to the goodwill of their peers and adults – is an essential issue in school life at the college," wrote Blanquer in a letter to school principals in which he implored them to be alert to harassment, threats, and insults. 

The main federation of school parents in France (FCPE) has asked the government to act urgently to create a new child protection policy for social networks, saying it is "unacceptable that children are victims of an appeal to hate."

While the origins of the #anti2010 trend are shrouded in mist, French newspapers have speculated that the bullying arose from a fashion for players of the video game Fortnite to brand younger players as "Fortkids" and slam them for not adhering to an unwritten code of conduct. 

The bullying is believed to have intensified with the release last month of the song “Pop it Mania” by Pink Lily, which contains the lyric "We are the queens of 2010." On YouTube, the video has attracted nearly half a million (428K) dislikes.

Categories: Cyber Risk News

Americans Stressed Out by Cyber-attack Coverage

Mon, 09/20/2021 - 18:44

Most Americans and Canadians say that news of ransomware attacks and data breaches causes them to experience stress.

An online survey of 2,500 adults in Canada and the United States found that in relation to cybersecurity, seven in ten respondents (69%) said news of data breaches caused them stress. 

The research, which was conducted in July 2021 by research firm Opinion Matters for cybersecurity company Kaspersky, also found that 64% of respondents said that consuming news coverage of ransomware attacks left them feeling stressed.

"These stress levels were nearly identical between Americans and Canadians," said Kaspersky in its report Dealing with a New Normal in our Digital Reality. 

"When we asked this question in 2018, three quarters of respondents said news of data breaches caused them stress. This number dropped in 2019 to 68%, however since then, the number has barely changed (69%)."

Experiencing a cybersecurity incident ranked as one of life's top stressors for many respondents, with 37% saying that having their bank account compromised would be more stressful than losing their employment. 

Increased internet usage linked to the COVID-19 pandemic caused additional stress for 56% of survey respondents. 

Nearly three in five respondents increased their use of online services because of the pandemic, with over a quarter (27%) reporting a significant increase. But while 64% of Millennials went online more because of the pandemic, only 45% of Baby Boomers had spent more time on the internet.

Using the internet more often made nearly half of the men who were surveyed (49%) feel more confident that they could maintain their safety online. This confidence boost was only experienced by 29% of women. 

Fewer than half of respondents (48%) said that they check their accounts for indicators of compromise, and only 26% of respondents said that they educate themselves about online privacy. 

Cybersecurity incidents had been experienced by nearly half (48%) of all respondents within the past two years, compared to 28% in 2019. 

Marina Alekseeva, chief human resources officer at Kaspersky, said: “It is important to gain control of your digital life to have peace of mind in knowing your data is protected."

Categories: Cyber Risk News

Data of 106 Million Visitors to Thailand Breached

Mon, 09/20/2021 - 17:33

A British cybersecurity researcher stumbled across his own personal data online after discovering an unsecured database containing the personal information of millions of visitors to Thailand.

Bob Diachenko, leader of cybersecurity research at Comparitech, found the unprotected Elasticsearch database on August 22, 2021. Inside the 200GB digital index were records dating back ten years containing the personal details of more than 106 million international travelers.

Information exposed in the publicly accessible database consisted of full names, arrival dates, gender, residency status, passport numbers, visa information, and Thai arrival card numbers. 

Before the Covid-19 pandemic affected travel, Thailand was a popular tourist destination, drawing nearly 40 million visitors in 2019 alone. 

"Diachenko surmises that any foreigner who traveled to Thailand in the last decade might have had their information exposed in the incident," said Comparitech tech writer Paul Bischoff in a report on the data breach. 

"He even confirmed the database contained his own name and entries to Thailand."

Researchers at Comparitech were not able to determine how long the data had been exposed before it was indexed by the search engine Censys on August 20, 2021. 

Diachenko sent word of the data breach to Thai authorities, who secured the database within 24 hours. Thai authorities informed Comparitech that the exposed data was not accessed by any unauthorized parties. 

While the IP address of the database is still public, the index has been replaced with a digital booby trap. Visitors to the IP address who attempt to access the now secured database are presented with the message: “This is honeypot, all access were logged [sic].”

While no financial or contact information was included in the database, affected individuals may still object to the exposure.

"Any foreigner who traveled to Thailand in the last decade or so probably has a record in the database," reads the Comparitech report. 

"There are many people who would prefer their travel history and residency status not be publicized, so for them there are obvious privacy issues."

The breach follows a report in May in which Comparitech flagged the online exposure of more than 6,500 international visa applications by a visa assistance website for travelers to India.

Categories: Cyber Risk News

Infosecurity Magazine Autumn Online Summit 2021 - Last Chance to Register!

Mon, 09/20/2021 - 10:55
Register now for our 15th Annual Infosecurity Magazine Autumn Online Summit

The event showcases an extensive education program featuring high-caliber speakers and thought leaders in the cyber community, as well as packed resource centers featuring the latest reports, research and case studies.

Topics to be explored during the event include:

  • From Hero to Zero: Strategies for Zero Trust
  • SOC vs. MSSP: Which Is Right For Your Organization?
  • Safer Online: Strengthening the Resiliency of the Internet
  • The Cyber Threat Landscape: Global Trends, Evolving Techniques and Progressive Attackers
  • How To: Use AI to Strengthen Your Cybersecurity Posture Without Compromise
  • Cybersecurity Automation: The Good, The Bad & The Ugly
  • Global Threat Brief: The Most Dangerous Attack Techniques in 2021
  • How To: Establish a Positive Cybersecurity Culture in Your Organization
  • Ransomware: To Pay or Not to Pay? And…How Not to Pay!
  • How Cryptocurrency is Shaping the Cybercrime Landscape

The Infosecurity Magazine Autumn Online Summit will also provide the opportunity to:

  1. Earn up to 11 CPE credits towards your SSCP®/CISSP®, ISACA & EC Council certifications
  2. Watch informative education sessions covering the latest trends & issues, offering real world solutions and insight
  3. Download whitepapers, presentations, case studies and special offers from our sponsors

Categories: Cyber Risk News

Former IT Exec Pleads Guilty to Insider Trading Conspiracy

Mon, 09/20/2021 - 09:32

A former IT executive at a NASDAQ-listed healthcare company is facing more than a quarter of a century behind bars after pleading guilty to insider trading and preparing a false tax return.

Dayakar Mallu, 51, of Orlando, Florida, admitted to conspiring with others to trade in the securities of Mylan, which is now a part of global healthcare firm Viatris.

Between 2017 and 2019, the former vice president of global operations information technology worked with another unnamed executive to secure non-public information in advance of public announcements from the firm.

According to the Department of Justice (DoJ), they used this information to place trades and then cashed out via Indian banks.

Through the insider trading, Mallu realized net profits and avoided losses totaling more than $4.2m.

Mallu also admitted sending false information to his tax preparer relating to Opel Systems, a company that he owned and controlled, according to the DoJ.

He falsely told the third party that Opel had paid $1.3m to a contractor. In fact, Mallu directed Opel to transfer those funds to his personal securities brokerage account, according to court documents. Therefore, Mallu’s false statement resulted in the preparation of a false 2015 corporate return for Opel.

Mallu will be sentenced in January 2022 and will face a maximum penalty of 25 years in prison for conspiracy to commit securities fraud, plus three years for the tax offenses.

He’s by no means the first IT executive to find himself on the wrong side of the law. Last November, two eBay executives were indicted on charges of cyber-stalking, witness tampering and falsifying records.

In March last year, Anthony Levandowski, former tech lead at Google’s Waymo division, pleaded guilty to 33 counts of trade secrets theft related to his downloading of IP on self-driving cars before leaving the company.

However, he was subsequently pardoned by outgoing President Donald Trump.

Categories: Cyber Risk News

Payment API Vulnerabilities Exposed "Millions" of Users

Mon, 09/20/2021 - 09:02

Millions of consumers may have exposed their personal and payment information after researchers discovered API security vulnerabilities affecting multiple apps.

CloudSEK said that of the 13,000 apps uploaded to its BeVigil “security search engine” for mobile applications, around 250 use the Razorpay API to facilitate financial transactions. Unfortunately, it found that approximately 5% of these exposed their payment integration key ID and key secret.

This is not a flaw in Razorpay itself, which serves around eight million businesses, but in how app developers handle their API keys.

“When it comes to payment gateways, an API key is a combination of a key_id and a key_secret that are required to make any API request to the payment service provider. And as part of the integration process, developers accidentally embed the API key in their source code. While developers might be aware of exposing API keys in their mobile apps, they might not be aware of the true impact this has on their entire business ecosystem,” the firm explained.

“CloudSEK has observed that a wide range of companies — both large and small — that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages. These keys could be easily discovered by malicious hackers or competitors who could use them to compromise user data and networks.”

Specific data exposed in this way could include user information like phone numbers and email addresses, transaction IDs and amounts, and order and refund details. In addition, because the same apps are usually integrated with other applications and wallets, even more could be at stake, CloudSEK warned.

Threat actors could use the exposed API information to make bulk purchases and then initiate refunds, sell stolen data on the dark web, and/or use it to launch social engineering attacks such as follow-on phishing attempts, the firm claimed.

All 10 of the leaky APIs have now been deactivated. Still, CloudSEK urged developers to understand the potential impact of such issues early on and set up review processes to prevent them from escalating.

That’s because invalidating a payment integration key will stop an app from working, causing significant user friction and financial loss.

“Given the complexities of regenerating API keys, payment providers should design APIs such that, even if the key has not been invalidated, there are options to minimize the permissions and access controls of a given key,” CloudSEK concluded.

“App developers should be given a mechanism to limit what can be done using a key at a granular level, like AWS does. AWS has put in place identity and access management (IAM) policies that can be used to configure the permissions of every operation on an S3 bucket. This practice should be more widely adopted to minimize what threat actors can do with exposed API keys.”
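The finding CloudSEK describes comes down to one pattern: a key_id / key_secret pair written into source as a string literal, which then ships inside the app package. The scanner below is an added example for this write-up, not CloudSEK's, BeVigil's or Razorpay's code. It is the kind of pre-commit or CI check that the "review processes" recommended above would run: it flags literal assignments to key_id / key_secret, skips documentation placeholders and environment lookups, and redacts every value it reports. The `rzp_live_` / `rzp_test_` key-ID prefix, the entropy threshold and both sample files are assumptions constructed for illustration.

```python
"""Pre-commit style scanner for hardcoded payment-gateway credentials.

Added example (not CloudSEK's, BeVigil's or Razorpay's code). It flags the
pattern described in the report: a key_id / key_secret pair embedded as a
string literal in source or config that ends up inside the shipped package.
"""
import math
import re
import sys
from dataclasses import dataclass

# Assignment of a gateway key name to a quoted literal, e.g. key_secret = "..."
# or "key_id": "...". Case-insensitive so KEY_ID, Key_Secret etc. are caught.
ASSIGNMENT = re.compile(
    r'(?i)\b(?P<name>(?:razorpay_)?key_(?:id|secret))\b\s*[:=]\s*["\'](?P<value>[^"\']{8,})["\']'
)

# Assumed key-ID prefix format (rzp_live_/rzp_test_), used here only to
# illustrate a provider-specific prefix check; verify against provider docs.
KEY_ID_PREFIX = re.compile(r'\brzp_(?:live|test)_[A-Za-z0-9]{8,}\b')

# Substrings that mark a documentation placeholder or a runtime lookup rather
# than a real secret. Heuristic; tune per code base.
PLACEHOLDER_HINTS = ("YOUR_", "_HERE", "XXXX", "<", ">", "${", "ENVIRON", "GETENV")


@dataclass(frozen=True)
class Finding:
    filename: str
    line: int
    name: str
    redacted: str   # never report the full value; scan reports get shared widely
    reason: str


def shannon_entropy(value: str) -> float:
    """Bits per character; low values indicate placeholders like 'aaaa' or 'test'."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    upper = value.upper()
    return any(h in upper for h in PLACEHOLDER_HINTS) or shannon_entropy(value) < 3.0


def redact(value: str) -> str:
    """Keep only a short prefix so a reviewer can recognise the key type."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str, filename: str = "<constructed>") -> list:
    """Return findings for one file's contents (line based, comments included)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            if looks_like_placeholder(value):
                continue
            seen.add(value)
            findings.append(Finding(filename, lineno, m.group("name").lower(),
                                    redact(value), "credential assigned as a string literal"))
        for m in KEY_ID_PREFIX.finditer(line):
            if m.group(0) not in seen:   # literal stored under some other variable name
                findings.append(Finding(filename, lineno, "<key-id-format>",
                                        redact(m.group(0)), "value matches assumed key-ID prefix"))
    return findings


def exit_code(findings: list) -> int:
    """Non-zero blocks the commit or build; wire this into a pre-commit hook or CI step."""
    return 1 if findings else 0


# Constructed samples, not taken from any real app.
SAMPLE_BAD = '''\
// PaymentConfig.java (constructed sample)
public class PaymentConfig {
    static final String key_id = "rzp_live_AbCdEf1234567890";
    static final String key_secret = "zX9qLm2Pv8RtWk4NbH7yC3dF";
}
'''

SAMPLE_GOOD = '''\
# payment.py (constructed sample): credentials resolved at runtime, not shipped
import os
key_id = os.environ["RAZORPAY_KEY_ID"]
key_secret = os.environ["RAZORPAY_KEY_SECRET"]
# key_secret = "YOUR_KEY_SECRET_HERE"   (documentation placeholder, not a secret)
'''

if __name__ == "__main__":
    all_findings = scan_text(SAMPLE_BAD, "PaymentConfig.java") + scan_text(SAMPLE_GOOD, "payment.py")
    for f in all_findings:
        print(f"{f.filename}:{f.line}: {f.name} = {f.redacted}  ({f.reason})")
    sys.exit(exit_code(all_findings))
```

Run as a hook, the non-zero exit on the Java sample stops the commit before the literal reaches the repository, while the Python sample passes because the credentials are resolved from the environment at runtime. Redacting in the report matters as much as the detection: a CI log that echoes the full secret recreates the exposure the check was meant to prevent.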

Categories: Cyber Risk News

US Set to Sanction Cryptocurrency Firms Involved in Ransomware

Mon, 09/20/2021 - 08:30

The US government is reportedly set to announce new measures, including sanctions to deter cryptocurrency businesses from getting involved in laundering and facilitating ransomware payments.

People familiar with the matter told the Wall Street Journal that the Treasury could roll out the new sanctions as early as this week. They’ll reportedly target cryptocurrency exchanges and traders who either knowingly or unwittingly enable cybercrime transactions.

As part of the measures, the government will also issue new guidance explaining the risks involved in facilitating ransomware payments, including significant fines and other penalties.

The move would seem to be in keeping with the direction of travel over the past few months, which has seen the Biden administration prioritize ransomware as a national security threat.

Following the Colonial Pipeline attack in early May, the White House issued an open letter to CEOs to persuade them to take the threat more seriously. Reports have also revealed plans to elevate attacks to the same priority level as terrorism.

Then there was the creation of a DoJ Ransomware and Digital Extortion Task Force, which scored a significant victory by helping to seize more than half of the funds paid to the Colonial Pipeline attackers.

Biden’s executive order on cybersecurity will also help drive improvements designed to mitigate the impact of ransomware across the federal government, including the roll-out of multi-factor authentication (MFA) and zero trust principles. It will also make it easier for organizations across public and private sectors to share information following incidents.

The US has also led efforts at a G7 and NATO level to denounce Russia for harboring cybercrime groups that engage in ransomware. The White House has repeatedly claimed it reserves the right to go after these groups unilaterally if no action is taken to contain them.

Categories: Cyber Risk News

More Tribes Given Enhanced Access to US Crime Data

Fri, 09/17/2021 - 18:30

More Native American tribes are going to be given enhanced access to critical databases containing national crime information for the United States.

In an announcement made September 16, the Department of Justice said that 12 tribes have been newly selected to participate in the Tribal Access Program for National Crime Information (TAP), bringing the total number of federally recognized participating tribes to 108.

TAP was set up in 2015 after tribal leaders raised concerns about not being able to directly access crime data held in federal systems. Using the program, tribes can view shared information for non-criminal justice purposes such as screening employees or volunteers who work with children. 

Information accessible to tribes via TAP includes data on missing persons; registered convicted sex offenders; entered domestic violence orders of protection for nationwide enforcement; criminal history checks; identified and arrested fugitives; entered bookings and convictions; and completed fingerprint-based record checks.

In 2019, the Department of Justice announced that tribal governments already participating in TAP could directly input data and gain access to the FBI’s National Sex Offender Registry (NSOR) using the Tribe and Territory Sex Offender Registry System (TTSORS).

The twelve tribes joining the program are the Confederated Tribes of the Warm Springs Reservation; Cow Creek Band of Umpqua; Fort Belknap Indian Community; Grand Traverse Band of Ottawa and Chippewa; Havasupai Tribe; Lower Brule Sioux Tribe; Menominee Tribe; Mille Lacs Band of Ojibwe; Muckleshoot Tribe; Passamaquoddy Tribe; Shingle Springs Band of Miwok; and United Keetoowah Band of Cherokee.

Under the program, the tribes will be given training as well as software and biometric/biographic kiosk workstations to take mugshots, process fingerprints, and submit information to FBI Criminal Justice Information Services (CJIS) systems.

“Timely access to federal criminal information can help protect domestic violence victims, place foster children in safe conditions, solve crimes and apprehend fugitives on tribal land, among other important uses,” said Deputy Attorney General Lisa Monaco. 

“Increasing tribal access to criminal databases is a priority of the Justice Department and this administration, and essential to many tribal government efforts to strengthen public safety in their communities.”

Categories: Cyber Risk News

Prison for AT&T Phone-Unlocking Fraudster

Fri, 09/17/2021 - 17:39

A cyber-criminal who defrauded American telecommunications giant AT&T out of more than $200m through a phone-unlocking bribery scheme has been sentenced to prison.

Muhammad Fahd, a 35-year-old citizen of Pakistan and Grenada, led a seven-year conspiracy in which AT&T employees were bribed to unlawfully unlock nearly two million customers' cell phones for profit.

The plot began in 2012 when Fahd colluded with others to recruit AT&T staff working at a call center in Bothell, Washington. The employees were bribed to use their AT&T credentials to unlock cell phones for ineligible customers.

"Unlocking a phone effectively removes it from AT&T’s network, thereby allowing the account holder to avoid having to pay AT&T for service or to make any payments for purchase of the phone," said the Department of Justice's Office of Public Affairs in a statement released September 16.

Fahd used the alias Frank Zhang to contact an AT&T employee through Facebook and offer them large sums of money to secretly unlock phones' International Mobile Equipment Identity numbers (IMEIs). Fahd also asked the employee to enlist other AT&T staff in the scheme. 

The recruited employees were instructed by Fahd to establish fake businesses and set up bank accounts for those businesses. These accounts were used to give the illusion that the fraudulent payments and fictitious invoices that formed part of the scheme were genuine.

"AT&T’s forensic analysis shows the total number of cellular telephones fraudulently unlocked by members of the scheme was 1,900,033 phones," said the Office of Public Affairs. 

"AT&T has further determined that the loss it suffered because customers, whose cellular phones were illegally unlocked, failed to complete payments for their cellular telephones was $201,497,430.94."

When AT&T implemented a new unlocking system in 2013 that made unlocking the IMEIs harder, Fahd hired a software developer to design malware to unlock phones more efficiently and in larger numbers. Fahd then had AT&T employees install the malware on AT&T's computer system.

Fahd was indicted in 2017 and arrested in Hong Kong in 2018. He was extradited to the US in 2019 and pleaded guilty to conspiracy to commit wire fraud in September 2020. On September 16, he was sentenced to 12 years in prison and ordered to pay restitution of $200,620,698.

Categories: Cyber Risk News

Free REvil Decryptor Launched

Fri, 09/17/2021 - 16:24

Antivirus vendor Bitdefender has launched a free universal decryption tool to help victims of REvil ransomware, also known as Sodinokibi.

The new tool, which was made available on Thursday, can restore many files impacted by the crypto-locking malware before July 13, 2021. However, the tool's instructions include the warning that "some versions" of REvil "are not yet decryptable."

REvil victims can download the tool and a step-by-step tutorial on how to use it via the Bitdefender website. The free decryptor is also available through the No More Ransomware project, a public-private collaboration involving Europol, Dutch cybercrime law enforcement, and multiple private security firms.

Bitdefender said that the decryption tool was created in collaboration with "a trusted law enforcement partner" while the investigation into REvil's criminal activities continues.

"Please note this is an ongoing investigation and we can’t comment on details related to this case until authorized by the lead investigating law enforcement partner," Bitdefender said in a statement released September 16. 

"Both parties believe it is important to release the universal decryptor before the investigation is completed to help as many victims as possible."

REvil first came on the cybercrime radar as a Ransomware-as-a-Service (RaaS) operator in April 2019 and grew to become one of the most prolific ransomware gangs on the dark web. 

After successfully extorting millions of dollars from thousands of technology companies, retailers, and managed services providers around the world, REvil's website went down earlier this year following a major supply-chain attack on IT software provider Kaseya.

"On July 13 of this year, parts of REvil’s infrastructure went offline, leaving infected victims who had not paid the ransom unable to recover their encrypted data," said Bitdefender.

"This decryption tool will now offer those victims the ability to take back control of their data and assets."

Bitdefender and its unnamed law enforcement partner suspect that more attacks from REvil could be about to occur. 

"We believe new REvil attacks are imminent after the ransomware gang’s servers and supporting infrastructure recently came back online after a two-month hiatus," said Bitdefender. "We urge organizations to be on high alert and to take necessary precautions."

Categories: Cyber Risk News

Romance Scammers Make $133m in First Half of 2021

Fri, 09/17/2021 - 09:05

Over $133m has already been lost this year to romance scams, with victims increasingly urged to invest in fraudulent cryptocurrency opportunities, according to the FBI.

A new Public Service Announcement was published yesterday revealing that the FBI Internet Crime Complaint Center (IC3) received over 1,800 complaints from January 1 to June 31 this year, resulting in soaring losses for victims.

Victims are typically approached on dating and social media sites, where the scammer establishes a relationship with them designed to build confidence. In time, the scammer will share information on a new cryptocurrency investment or trading opportunity, which is claimed to generate significant profits, according to the FBI.

The victim is then directed to a scam website where they hand over some money for the investment. To add legitimacy to the scheme, the fraudsters purportedly make it appear as if the victim has made a profit and allow them to withdraw a small amount of money.

“After the successful withdrawal, the scammer instructs the victim to invest larger amounts of money and often expresses the need to ‘act fast.’ When the victim is ready to withdraw funds again, the scammers create reasons why this cannot happen,” the Public Service Announcement continued.

“The victim is informed additional taxes or fees need paid, or the minimum account balance has not been met to allow a withdrawal. This entices the victim to provide additional funds. Sometimes, a ‘customer service group’ gets involved, which is also part of the scam. Victims are not able to withdraw any money, and the scammers most often stop communicating with the victim after they cease to send additional funds.”

Romance scams are a perennial money-maker for fraudsters. In fact, they collectively accounted for over $600m in losses last year, second only to Business Email Compromise, according to official FBI figures.

The addition of a cryptocurrency element taps into a growing parallel trend of scammers making money from eager investors looking to get rich quickly.

According to the FBI, investment scams are the third-highest earner for cyber-criminals, bringing in over $336m last year.

Categories: Cyber Risk News

Experts Concerned Over New Digital Secretary's Lack of Cyber Knowledge

Fri, 09/17/2021 - 08:37

Privacy and security experts have signaled their concern over the appointment of Nadine Dorries to the post of digital and culture secretary.

This week, Boris Johnson announced the move as part of a major Cabinet reshuffle designed to stamp his authority on government and drive momentum into the next General Election campaign.

However, while most of the appointments were well received, question marks have been raised over Dorries’ tech credentials. As secretary of state for digital, culture, media and sport, she will be expected to master the detail of complex regulatory issues and sell Britain’s growing prowess in digital and cyber abroad.

However, in 2017 she invited widespread criticism from security experts after publicly admitting that her staff logged into her work computer using her credentials “every day.”

“Dorries spent much of her parliamentary career as a backbencher — and didn’t attend a single session when appointed to the Science and Technology Committee in 2010,” argued ProPrivacy digital privacy expert Hannah Hart.

“This is even more alarming when you weigh her seeming lack of digital knowledge against the fact that the UK is facing an increasing amount of high-profile cybersecurity attacks. The education sector has faced a flurry of ransomware attacks, 2020 was a landmark year for hacking attempts, and the pandemic has seen opportunities for phishing scams soar as we do most of our banking and shopping online.”

Others raised concerns about the potential regulatory impact of the appointment.

“Given the government is currently pondering whether we should ‘relax’ data protection regulation and move away from the GDPR, it would be great to have the confidence that our parliamentarians had the technical and legal understanding of this complex issue,” Bournemouth University professor of IT ethics, Andy Phippen, told the newspaper.

“Equally, observing the Online Safety Bill as it moves through parliament, one would hope those debating greater regulation of big tech understand both what technology is capable of in terms of content monitoring and filtering, and the implications of legislation on everyone’s online experiences. Sadly, with a few exceptions, I do not have that confidence.”

Categories: Cyber Risk News

CISA: Patch Zoho Bug Being Exploited by APT Groups

Fri, 09/17/2021 - 08:30

The US government is urging organizations to patch a newly identified Zoho vulnerability since state-sponsored attackers are actively exploiting it.

CVE-2021-40539 is a critical authentication bypass vulnerability affecting REST API URLs that could enable remote code execution if exploited, according to the Cybersecurity and Infrastructure Security Agency (CISA).

It affects ManageEngine ADSelfService Plus — a self-service password management and single sign-on solution from the online productivity vendor.

Zoho released a patch for this bug on September 6, but CISA claimed that malicious actors might have been exploiting it as far back as August, using various tools and techniques.

“The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, US-cleared defense contractors, academic institutions, and other entities that use the software,” it warned.

“Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.”

CISA claimed that threat actors might be looking for “US research” in multiple sectors.

Sean Nikkel, a senior cyber threat intel analyst at Digital Shadows, claimed that this is the fifth critical bug to be found in ManageEngine this year.

“Since the service interacts with Active Directory, giving attackers access can only lead to bad things, such as controlling domain controllers or other services. Attackers can then take advantage of ‘blending in with the noise’ of everyday system activity. It’s reasonable to assume that there will be more widespread exploitation of this and previous vulnerabilities given the interactivity with Microsoft system processes,” he argued.

“The observation that APT groups are actively exploiting CVE-2021-40539 should highlight the potential exposure it might cause. If trends are consistent, extortion groups will likely seek exploitation for ransomware activity in the not-so-distant future. Users of Zoho’s software should apply patches immediately to avoid the types of compromise described in the CISA bulletin.”

Categories: Cyber Risk News

US Imprisons World’s Largest Facilitator of CSAM

Fri, 09/17/2021 - 01:06

A dual Irish-American citizen has been sentenced to 27 years in US federal prison for sharing on the dark web millions of images depicting the sexual abuse of children, toddlers and infants.

Dublin resident Eric Eoin Marques was extradited to the United States on March 23, 2019, to face federal criminal charges filed in Maryland on August 8, 2013. On February 6, 2020, 36-year-old Marques pleaded guilty to conspiracy to advertise child pornography on the dark web.

According to his plea agreement, between July 24, 2008, and July 29, 2013, Marques operated a free, anonymous web-hosting service (AHS) called Freedom Hosting that hosted more than 200 child exploitation websites on the dark net. The websites hosted by Marques housed millions of images of child exploitation material, including over 1.97 million videos and images featuring victims not previously known to law enforcement.

"Many of these images involved sadistic abuse of infants and toddlers to include bondage, bestiality and humiliation to include urination, defecation and vomit," said the US Attorney's Office for the District of Maryland in a statement published Wednesday.

In his guilty plea, Marques admitted distributing child sexual abuse material (CSAM) that involved children aged under twelve and sadistic or masochistic material or depictions of violence.

According to Acting United States Attorney for the District of Maryland Jonathan F. Lenzner, “Eric Marques was one of the largest facilitators of child pornography in the world.”

On September 15, US District Judge Theodore D. Chuang sentenced Marques to 27 years in federal prison, followed by lifetime supervised release.

The Marques prosecution was part of a global investigation targeting thousands of users of more than 200 websites operating on the Tor network that were dedicated to trading in CSAM. This investigation led to the disruption of the activities of tens of thousands of online child sexual abuse material creators and the seizure of over four million images and videos of child sexual abuse.

“Today’s sentencing of Eric Marques sends a clear message to perpetrators of this egregious crime that no matter where you are in the world, law enforcement will hold you accountable and bring you to justice,” said FBI Assistant Director Calvin Shivers.

Categories: Cyber Risk News

Australia, UK, and US Announce Security Partnership

Fri, 09/17/2021 - 00:43

The United States, United Kingdom and Australia have announced a historic trilateral security and defense agreement.

Under the new AUKUS pact, the three nations will cooperate more closely than ever before in several areas, including artificial intelligence, cyber capabilities, quantum computing and other critical technologies, and defense-related industrial bases and supply chains.

The partnership was announced on Wednesday in a joint virtual press conference between US president Joe Biden, UK prime minister Boris Johnson, and Australian prime minister Scott Morrison.

Biden said: "AUKUS will bring together our sailors, our scientists, and our industries to maintain and expand our edge in military capabilities and critical technologies, such as cyber, artificial intelligence, quantum technologies, and undersea domains."

A joint statement released by the three world leaders on September 15 read: "This is an historic opportunity for the three nations, with like-minded allies and partners, to protect shared values and promote security and prosperity in the Indo-Pacific region."

A primary initiative of AUKUS will be an 18-month plan to provide Australia with nuclear-powered submarines and the necessary technology and infrastructure to maintain them.

A statement from 10 Downing Street read: "AUKUS is a concrete articulation of the UK’s ambition, made in the Integrated Review, to deepen defense, security and foreign policy ties with like-minded allies across the globe. The agreement reflects the unique level of trust and cooperation between our three countries, who already share extensive intelligence through the Five Eyes alliance."

Commenting on the new partnership, the United States Studies Centre said: "Though it aims to deepen diplomatic, security and defense cooperation between the three states, AUKUS will focus specifically on deepening integration in defense-related science, technology, industrial bases and supply chains, with particular emphasis on cyber capabilities, artificial intelligence, quantum technologies and new undersea capabilities."

AUKUS has not been positively received by the People's Republic of China. Chinese foreign ministry spokesperson Zhao Lijian stated that Australia, the UK and the US “should abandon the obsolete Cold War zero-sum mentality and narrow-minded geopolitical concepts and respect regional people’s aspiration and do more that is conducive to regional peace and stability and development – otherwise they will only end up hurting their own interests.”

Categories: Cyber Risk News

FTC: Health Apps Must Notify Consumers of Data Breaches

Fri, 09/17/2021 - 00:01

The United States Federal Trade Commission (FTC) has warned the developers of health apps and connected devices that they must disclose data breaches to consumers or face a fine.

In a policy brief issued Wednesday, the Commission clarified that healthcare apps that collect or use consumers' health information are subject to the Health Breach Notification Rule requiring entities not covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to notify consumers when their health data is breached.

In a 3–2 vote held during an open virtual meeting, the FTC agreed to approve a policy statement affirming that developers of health apps and connected devices are considered to be healthcare providers, and that sensitive information disclosed by them without authorization constitutes a breach.

Every breach, even breaches that did not occur as the result of a malicious cyber-attack, must be reported. The FTC stated that companies that fail to comply with the rule could be subject to financial penalties of up to $43,792 per violation per day.

The FTC said in a statement that "health apps, which can track everything from glucose levels for those with diabetes to heart health to fertility to sleep, increasingly collect sensitive and personal data from consumers. 

"These apps have a responsibility to ensure they secure the data they collect, which includes preventing unauthorized access to such information."

The Commission noted that the use of health apps and other connected devices that collect personal health data increased during the COVID-19 pandemic. It observed that despite being a "ripe" target for scammers and cyber-attackers, "too few privacy protections" were in place for such apps.

“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC chair Lina M. Khan.

“Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

Categories: Cyber Risk News

Household Names Hit with £500K Fine for Spamming Consumers

Thu, 09/16/2021 - 09:13

Three big-name UK brands have been collectively fined nearly half a million pounds by the privacy regulator after sending hundreds of millions of nuisance marketing messages to consumers.

We Buy Any Car was fined £200,000 by the Information Commissioner’s Office (ICO) after bombarding consumers with over 191 million emails and 3.6 million nuisance texts.

Saga Services and Saga Personal Finance were handed £150,000 and £75,000 penalties, respectively, for sending 157 million emails between them.

Recipients had not given direct consent to receive such messages, and the firms have been hit with an additional enforcement notice warning that court action could follow if their illegal marketing continues.

Finally, high street retailer Sports Direct was fined £70,000 after sending 2.5 million emails as part of a re-engagement campaign between December 2019 and February 2020. Recipients had not been contacted for some time, and the firm couldn’t show any evidence of consent.

ICO head of investigations, Andy Curry, argued that nuisance emails and texts are “frustrating and intrusive” and that the firms involved should have known better.

“Today’s fines show the ICO will tackle unsolicited marketing, irrespective of whether the messages have been orchestrated by a small business or organization, or a leading household name. The law remains the same and we hope today’s action sends out a deterrent message that members of the public must have their choices and privacy respected,” he added.

“Companies that want to send direct marketing messages must first have people’s consent. And people must understand what they are consenting to when they hand over their personal information. The same rules apply even when companies use third parties to send messages on their behalf.”

The ICO issued the fines under the UK’s Privacy and Electronic Communications Regulations (PECR), which govern nuisance marketing messages and calls. Unlike under the GDPR, or UK Data Protection Act 2018, the maximum the regulator can fine individual companies via PECR is £500,000.

Categories: Cyber Risk News

Misconfigured APIs Account for Two-Thirds of Cloud Breaches

Thu, 09/16/2021 - 08:50

Shadow IT and misconfigured APIs accounted for the vast majority of security incidents in the cloud last year, according to a new report from IBM Security X-Force.

The threat intelligence player drew on multiple data sources, including dark web analysis, pen-testing data, incident response cases and threat intelligence to compile the 2021 IBM Security X-Force Cloud Threat Landscape Report.

It revealed that attackers are actively looking to exploit weaknesses in enterprise protection, many of which come about due to human error.

To this end, over half of breaches came about as a result of shadow IT, when systems were spun up without being subject to corporate security policy — and therefore lacked vulnerability and risk assessments and hardened security protocols.

Additionally, two-thirds of the incidents studied involved improperly configured APIs.

“APIs lacking authentication controls can allow anyone, including threat actors, access to potentially sensitive information,” said senior cyber threat intelligence analyst, Charles DeBeck. “On the other side, APIs being granted access to too much data can also result in inadvertent disclosures.”

The overall result of these security issues has been to enable cryptojacking and ransomware, the top two malware types, which accounted for over half of cloud compromises.

IBM also noted a thriving dark web market for public cloud access, dominated by ads offering Remote Desktop Protocol (RDP) access to cloud resources (71%).

The report claimed that threat actors often jump from on-premises to cloud environments. This type of lateral movement accounted for a quarter of incidents X-Force responded to last year.

“Many businesses don’t have the same level of confidence and expertise when configuring security controls in cloud computing environments compared to on-premises, which leads to a fragmented and more complex security environment that is tough to manage,” DeBeck argued.

“Organizations need to manage their distributed infrastructure as one single environment to eliminate complexity and achieve better network visibility from cloud to edge and back.”

Categories: Cyber Risk News

Banks Slammed for Low Fraud Reimbursement Rates

Thu, 09/16/2021 - 08:27

The UK’s high street banks have been called out for “shockingly low” reimbursement rates for Authorized Push Payment (APP) fraud.

APP fraud is an increasingly popular type of scam in which the fraudster — posing as a trusted entity such as a family member or business — tricks the victim into transferring money to a bank account under their control. It cost an estimated £479m in 2020.

Until a voluntary banking code of conduct was recently introduced, victims had no recourse to reclaim funds because they had technically initiated the payment themselves.

When the code was rolled out 14 months ago — in combination with pop-up warnings online if payee names and account details don’t match — it was hoped things would change.

However, that doesn’t appear to have been the case, according to consumer rights group Which?.

“Banks found victims at least partly responsible for their losses in 77% of cases assessed in the first 14 months of the code. Two banks found the customer fully liable in more than nine in 10 decisions,” it noted, citing official figures.

“Financial Ombudsman Service (FOS) data indicates that banks are getting most of these decisions wrong: 73% of complaints about APP fraud were upheld in favour of consumers in 2020-21.”

Which? argued that scammers have an increasingly formidable array of tools and techniques at their disposal to trick victims into making payments. These include number spoofing, hijacking email accounts via phishing, SIM swap fraud and more.

Banks are taking too long to adjudicate in fraud cases, and their final decisions lack consistency, making reimbursement a “lottery,” the group said.

“The Payment Systems Regulator (PSR) is due to make an announcement imminently on how to improve consumer protections against APP fraud – and Which? is calling for strong and urgent action from the regulator to ensure that banks do more to protect consumers, and treat victims fairly and consistently,” it concluded.

“Instead of continuing to pursue another version of a code, we believe the right option to address the serious shortcomings of bank transfer scam protections is for the PSR to introduce mandatory consumer protections across all payment providers, including a reimbursement obligation.”

Eset cybersecurity specialist, Jake Moore, argued that consumers must also get more cyber-savvy.

“Scammers often use fear, scarcity or credibility as a way to socially engineer their prey into following simple orders,” he added. “However, people must question the motive at all times and err on the side of caution with any call or text before they move any money or hand over sensitive information.”

Categories: Cyber Risk News