CHB Cybersecurity Briefing 24/06/19
by Cameron Hunter Bell
Ransomware attack hits police forensic work: U.K. police have suspended work with a major private forensics company following a ransomware attack earlier this month. Eurofins does about half of the U.K. police's forensics, some 70,000 cases each year. The Crown Prosecution Service, which brings prosecutions to trial, said it's "assessing" its cases to see if vital evidence has been lost.
Security researchers from Dragos have observed that the hacking group Xenotime, known for highly effective malware attacks, has expanded its focus and is now probing the US power grid for possible entry points.
Swedbank Suspends CEO, CFO of Estonian Unit Amid Money Laundering Probe: STOCKHOLM — Swedbank suspended the chief executive and chief financial officer of its Estonian business amid a continuing internal investigation into compliance with money laundering rules at the bank. Swedbank came under scrutiny in February after a Swedish broadcaster reported that billions of dollars of illicit funds may have passed through the bank’s Estonian branch in a link to money laundering at Danske Bank AS. Former Chief Executive Birgitte Bonnesen was ousted in March over the scandal, while then Chairman Lars Idermark quit shortly after.
US supermarket giant Walmart has confirmed it uses image recognition cameras at checkouts to detect theft. The cameras identify when items are put in a shopping bag without first being scanned by a cashier, or at the self-service checkout.
Google Confirms Creepy New Privacy Problem: Google recently published a pretty clear declaration of how committed it is to privacy in the home. "Your home is a special place. It's where you get to decide who you invite in," the Google document states, adding that people want to trust the things they bring into their homes before insisting, "we're committed to earning that trust." Unfortunately, that trust was eroded a little this week when it emerged that owners of the popular Google Nest Cam Indoor home security camera could be spied upon in their own home. Via Davey Winder at Forbes aka @HappyGeek.
U.S. secretly struck back against Iranian cyber-spies targeting U.S. ships: The Pentagon hit Iranian cyber-spies in an operation Thursday in what's believed to be the second ever U.S. offensive cyber-strike against a foreign target. Washington Post confirmed the report and added new colour. It comes amid international calls for de-escalation in the region after a tense few days between the U.S. and Tehran. The AP reported that Iranian hackers have been targeting U.S. government agencies and critical infrastructure in recent weeks. For reference, the first cyber-strike was against the Russian troll factory, the Internet Research Agency, on the day of voting in the 2018 midterms.
Europol et al release Gandcrab decryption tool: Europol, with help from law enforcement agencies across the world and Bitdefender, have released a decryption tool for the Gandcrab ransomware. According to the security firm, its decryption tools have resulted in more than 30,000 successful decryptions and have saved victims roughly $50 million in unpaid ransom.
How not to prevent a cyberwar with Russia: The Times reports that U.S. spies are already in Russia's power grid ready to strike. Trump personally denied the story, but days later Russia still sounded like it was gunning for a cyberwar. No lights are flickering yet, but @a_greenberg spoke to former U.S. officials who said such actions were "uncharted territory" and that things could get worse before they get better.
FBI, DHS blunder reveals names of child abuse victims: An FBI mix-up inadvertently revealed the names of several child abuse victims by publishing their Facebook IDs — which, when plugged into Facebook's URL, identified the victims' profile pages.
Cloudflare aims to make HTTPS certificates safe from BGP hijacks: Now onto some slightly lighter news. Cloudflare said this week it's offering a new service that'll prevent BGP hijackers from fraudulently obtaining browser-trusted HTTPS certificates. The new service is free "because the company believes that attacks on the certificate authority system harms the security of the entire Internet."
Hacked documents reveal details of expanding US border surveillance: The breach of CBP data — blamed on subcontractor Perceptics — continues on. This week, Post reporters began digging into the hacked data, since made public. It appears CBP is looking to expand border surveillance — even as it shows it can't keep its own data safe. The data also includes "financial statements, project budgets, internal passwords, sales and marketing material, and information about employees’ performance reviews, insurance coverage and pay." CNN found more than 50,000 license plates leaked in a data dump believed to have come from Perceptics.
Guardian said to be target of Saudi hackers after Khashoggi killing: The U.K.-based newspaper said it was warned it was "being targeted by a cybersecurity unit in Saudi Arabia" ordered to hack into the email accounts of journalists investigating the royal family. It comes following the murder of dissident Saudi journalist Jamal Khashoggi last year.
Florida city pays $600,000 ransom to save computer records: Florida's Riviera Beach bucked the trend and caved in to ransomware actors by paying $600,000 in ransom to save its data. Email went down, systems were offline, and 911 operations were said to be disrupted during the attack. But the FBI and security experts alike have long warned against paying the ransom. In Riviera Beach's case, the ransom payment is covered by the city's cybersecurity insurance.
Hacked medical debt collector AMCA files for bankruptcy protection: The collections agency behind the Quest and LabCorp breaches has filed for bankruptcy protection after hackers pilfered more than 20 million records. A case was filed in Manhattan this week. AMCA owes around $20,000 to IBM and Cablevision, but the case makes no reference to the breach, arguably the bigger problem on its hands.
Iran says it dismantled a U.S. cyber espionage network: Tehran said it has arrested several CIA spies "in different countries," amid continuing tensions between the U.S. and Iran. If you cast your mind back, it's likely related to recent reporting that a simple Google search led to a massive CIA communications system breach, per a scoop by JennaMC_Laugh and @zachsdorfman last year.
MongoDB's plan to stop breaches with database encryption: MongoDB takes flak over data exposures, usually because developers forget to set passwords, so MongoDB fixed it. Now the database maker is going a step further with its new encryption technology. Basically, the many major companies reliant on MongoDB — like Google and Adobe — will get greater protections with field-level encryption. In short, it's an encrypted database that protects against database dumps, but it uses client-side encryption, so only authorised users can access readable data. "That means MongoDB itself and cloud providers won't be able to access customer data, and a database's administrators or remote managers don't need to have access to everything either."
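As an added illustration of the client-side field-level idea (this is not MongoDB's own implementation and does not use its driver API), a minimal Go version: the application encrypts chosen fields before the document ever reaches the server, so a dump of stored records yields ciphertext for those fields and only a holder of the key can read them back. The Document and Key types and the field names are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Document stands in for a MongoDB-style record. With client-side field-level
// encryption the server and its cloud host see only ciphertext for protected fields.
type Document map[string][]byte
type Key [32]byte // client-held AES-256 key; it never leaves the application

func gcmFor(key *Key) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)    // cannot fail for AES's 16-byte block
	return gcm
}

// EncryptField returns nonce || AES-256-GCM ciphertext || tag, with a fresh random nonce per call.
func EncryptField(key *Key, plaintext []byte) ([]byte, error) {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptField fails closed on a wrong key or any change to the stored bytes.
func DecryptField(key *Key, stored []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored value too short to hold a nonce")
	}
	return gcm.Open(nil, stored[:gcm.NonceSize()], stored[gcm.NonceSize():], nil)
}

// Protect encrypts the named fields of doc in place, yielding the record the
// client hands to the database; unnamed fields stay plaintext and queryable.
func Protect(key *Key, doc Document, fields ...string) error {
	for _, f := range fields {
		ct, err := EncryptField(key, doc[f])
		if err != nil {
			return err
		}
		doc[f] = ct
	}
	return nil
}
```

Whoever can read the stored collection, including the database operator, sees the unprotected fields and opaque bytes for the protected ones; reading the protected values requires the application's key.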
Irked researcher discloses Facebook WordPress plugin flaws: A researcher dropped a zero-day in two Facebook-built WordPress plugins — used in more than 200,000 installs. The two CSRF bugs were dropped in "protest" against the moderators of the WordPress Support Forum. Facebook patched the bugs.
Robocalls are overwhelming US hospitals, threatening a new kind of crisis: Tufts Medical Center is struggling to deal with the onslaught of robocalls overwhelming its phone system. In two hours, there were more than 4,500 robocalls. "The FCC and Justice Department need to go after these criminals with the seriousness and urgency this issue deserves," said Rep. Frank Pallone, the chairman of the House Energy and Commerce Committee.
Nation-state hackers likely carried out hostile takeover of rival group's servers: The Russian-speaking Turla hacking group appeared to hijack OilRig's network, associated with Iranian hackers. Symantec, which carried out the research, said it was an "unprecedented hacking coup," but one that may also make attribution harder in the future.
John Deere's promotional USB drive hijacks your keyboard: I saw this via @Mikko first but later on Motherboard, which digs in a bit more. The farming equipment maker created a promotional USB drive that hijacks a user's keyboard to type a web address into the user's browser. "It’s an HID-compliant keyboard that, when connected, detects what platform it’s on and automatically sends a keyboard shortcut to open a browser, and then it barfs the link into the address bar," wrote the Redditor. John Deere apologised for the security snafu.
Firefox zero-day used to hack Coinbase employees, not its users: Two Firefox zero-days found recently were being used to attack Coinbase employees, not its users: one to remotely run code in the browser, and a sandbox escape bug to gain access to the underlying operating system. The bugs were under active exploitation, and their targets seemed to be cryptocurrency organisations.
Instagram finally does something about hacked accounts: Hackers are known to hijack high-profile Instagram accounts for ransom, and Instagram didn't seem too concerned. The social media giant now has new processes in place to help account owners get their accounts back in the event of a hijack. One Instagram account hacker said the new measures would slow down hackers but likely wouldn't prevent them entirely.
Samsung’s security reminder is a good reason not to own a smart TV: Samsung was 'reminding' smart TV owners in a tweet to run a virus scan on their TVs. Yes, your smart TV can be exploited — the CIA showed that's completely possible — but arguably you only need a smart TV antivirus because Samsung's codebase is so limited. Amid bad headlines, Samsung's social media team pulled the tweet.
Dell quietly patches flaw that affected millions of users: Computer giant Dell released an advisory this week warning about a security flaw that would've allowed hackers to obtain sensitive information on "millions" of machines running its app.
BBC Box lets you store your data at home: A prototype project will allow users to pull their data and store it in a box at their house, instead of on the BBC's servers. The technology is based on a secure Databox. The BBC describes it as "a physical device in the person’s home onto which personal data is gathered from a range of sources, although of course (and as mentioned above) it is only collected with the participants explicit permission, and processed under the person’s control."
U.K. data surveillance powers unlawfully wide, court told: The U.K.'s bulk data collection powers are "too wide" and invade privacy, according to a legal challenge brought before the U.K. High Court. "Even if a warrant has been granted for the data to be gathered, they argue, the searching of bulk data — sometimes known as secondary data — is not governed by any warrant," writes the BBC.
US DHS looking to move biometric data to Amazon's cloud: Homeland Security's biometric database containing fingerprints, irises and faces (and eventually DNA, palm prints, scars and tattoos) on some 250 million people could soon be hosted in Amazon's government cloud. The system is said to replace the existing IDENT system with HART, which'll contain far more data. Let's just hope nobody leaves an S3 bucket open...
- European leaders are expected to call for a tougher “security culture” in the bloc to counter cyber threats, according to draft European Council conclusions dated Monday [17th June].
- Apple's security may not be as water-tight as it would have you believe after an Israeli forensic firm has revealed that it can break into any iPhone or iPad running any version of iOS.
- A medical workstation that is used by an array of medical facilities, including the NHS, is at risk of being remotely controlled by threat actors. New York-based cybersecurity researchers CyberMDX discovered a critical vulnerability within the Alaris Gateway Workstation, an infusion pump used in many medical centres.
- Symantec claims that a Chinese hacker group associated with Chinese government intelligence conducted a hacking campaign using a tool that at the time was only known to be the property of the NSA.
- Visa Inc. (NYSE: V) announced new analysis showing Visa Advanced Authorisation (VAA) using artificial intelligence (AI) helped financial institutions prevent an estimated $25 billion in annual fraud—making the global payment ecosystem safer for retailers and consumers.
- Instagram is trialing a new account recovery system for users whose profiles have been hacked.
- A group of Ethiopian lawyers is planning to sue the country's state-run monopoly telecoms provider over the internet shutdown, which is now in its eighth day [18th June].
If you wish to submit a story, event, research or article to the CHB Cybersecurity Briefing, please email [email protected]. The information contained within the brief is gathered from current, open source data supplied through contacts within diplomatic posts, law enforcement agencies & UK intelligence services. Credit to Dillitas International Risk and Zack Whittaker at TechCrunch.
This information keeps you informed of current security situations and risks within the UK and internationally. Please forward this briefing to colleagues. You can follow Cameron on Twitter @CamHunterBell.