Cyber security news June 2021

This posting is here to collect cyber security news in June 2021.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links in the comments.

341 Comments

  1. Tomi Engdahl says:

    In Opinion Authored by Amy Coney Barrett SCOTUS Limits Reach of Federal Computer Fraud Law
    https://thefederalistpapers.org/us/opinion-authored-amy-coney-barrett-scotus-limits-reach-federal-computer-fraud-law

    The Supreme Court on Thursday limited the type of conduct that can be prosecuted under a federal computer fraud law, overturning a former Georgia police officer’s conviction for misusing a government database to investigate whether a purported local stripper was an undercover cop.

    The justices, in a 6-3 decision authored by Justice Amy Coney Barrett, sided with former Cumming, Georgia police sergeant Nathan Van Buren in an appeal of his conviction under the Computer Fraud and Abuse Act, reversing a lower court ruling that had upheld a jury verdict against him.

    The justices agreed that Van Buren could not be convicted for misusing the database to perform the investigation because the information had been available to him as part of his job. Van Buren was charged after a 2015 FBI sting operation.

    “This provision covers those who obtain information from particular areas in the computer – such as files, folders or databases – to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them,” Barrett wrote in the ruling.

  2. Tomi Engdahl says:

    Under Barrett’s opinion, “the CFAA is violated if someone accesses a computer file, and the owner of that file does not permit them to access it for any purpose. In his dissenting opinion, Thomas warns of an employee who “plays a round of solitaire” on their work computer if their employer “categorically prohibits accessing the ‘games’ folder in Windows.” Such an employee could potentially face criminal charges under the majority’s interpretation of the CFAA.”

    https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf

  3. Tomi Engdahl says:

    Supreme Court narrows scope of sweeping cybercrime law
    The justices agreed with a broad range of critics that prosecutors had been misusing the 35-year-old law.
    https://www.politico.com/news/2021/06/03/supreme-court-cybercrime-law-491764

  4. Tomi Engdahl says:

    Android malware spread via text messages https://www.kyberturvallisuuskeskus.fi/fi/tekstiviestitse-levitettavat-android-haittaohjelmat
    The FluBot campaign, which sends parcel-themed scam messages, has become active in Finland. Based on reports received by the National Cyber Security Centre Finland (Kyberturvallisuuskeskus), scam messages written in Finnish are currently being sent to an estimated thousands of Finns. Also:
    https://yle.fi/uutiset/3-11966491. Also:
    https://www.is.fi/digitoday/tietoturva/art-2000008027889.html.
    Also:
    https://www.epressi.com/tiedotteet/logistiikka-ja-liikenne/android-haittaohjelmat-leviavat-tekstiviestitse.html

  5. Tomi Engdahl says:

    Exclusive: U.S. to give ransomware hacks similar priority as terrorism https://www.reuters.com/technology/exclusive-us-give-ransomware-hacks-similar-priority-terrorism-official-says-2021-06-03/
    The U.S. Department of Justice is elevating investigations of ransomware attacks to a similar priority as terrorism in the wake of the Colonial Pipeline hack and mounting damage caused by cyber criminals, a senior department official told Reuters. Also:
    https://blog.malwarebytes.com/malwarebytes-news/2021/06/ransomware-to-be-investigated-like-terrorism/.
    Also:
    https://www.tivi.fi/uutiset/tv/2d0b61b6-2465-4ed6-8bd4-f702eaf77f5d.
    Also:
    https://arstechnica.com/gadgets/2021/06/justice-department-tells-prosecutors-to-closely-track-ransomware-cases/

  6. Tomi Engdahl says:

    Google PPC Ads Used to Deliver Infostealers https://threatpost.com/google-ppc-ads-used-to-deliver-infostealers/166644/
    Researchers have tracked down the origins of several increasingly prevalent info-stealers including Redline, Taurus, Tesla and Amadey that threat actors are delivering via pay-per-click (PPC) ads in Google’s search results.

  7. Tomi Engdahl says:

    Phishing uses Colonial Pipeline ransomware lures to infect victims https://www.bleepingcomputer.com/news/security/phishing-uses-colonial-pipeline-ransomware-lures-to-infect-victims/
    The recent ransomware attack on Colonial Pipeline inspired a threat actor to create a new phishing lure to trick victims into downloading malicious files. The emails are targeted and tailored as urgent notifications to download and install a system update that would defend against the latest ransomware strains. Also:
    https://www.zdnet.com/article/hackers-use-colonial-pipeline-ransomware-news-for-phishing-attack

  8. Tomi Engdahl says:

    10 Critical Flaws Found in CODESYS Industrial Automation Software https://thehackernews.com/2021/06/10-critical-flaws-found-in-codesys.html
    Cybersecurity researchers on Thursday disclosed as many as ten critical vulnerabilities impacting CODESYS automation software that could be exploited for remote code execution on programmable logic controllers (PLCs).

  9. Tomi Engdahl says:

    Supreme Court Limits Scope of Controversial Hacking Law https://threatpost.com/court-limits-scope-hacking-law/166672/
    Judges rule that Georgia police officer did not violate CFAA when he accessed law-enforcement data in exchange for bribe money, a ruling that takes heat off ethical hackers.

  10. Tomi Engdahl says:

    Chrome 91 will warn users when installing untrusted extensions https://www.zdnet.com/article/chrome-91-will-warn-users-when-installing-untrusted-extensions/
    Developers who are new to the Chrome Web Store can also expect to wait several months before being considered ‘trusted’ within the Chrome browser.

  11. Tomi Engdahl says:

    Attackers are scanning for vulnerable VMware servers, patch now!
    https://www.bleepingcomputer.com/news/security/attackers-are-scanning-for-vulnerable-vmware-servers-patch-now/
    Threat actors are actively scanning for Internet-exposed VMware vCenter servers unpatched against a critical remote code execution (RCE) vulnerability impacting all vCenter deployments and patched by VMware ten days ago. The ongoing scanning activity was spotted by threat intelligence company Bad Packets yesterday and confirmed earlier today by cybersecurity expert Kevin Beaumont. Also:
    https://us-cert.cisa.gov/ncas/current-activity/2021/06/04/unpatched-vmware-vcenter-software.
    Also:
    https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html.
    Also:
    https://arstechnica.com/gadgets/2021/06/under-exploit-vmware-vulnerability-with-severity-rating-of-9-8-out-of-10/

  12. Tomi Engdahl says:

    GitHub Updates Policy to Remove Exploit Code When Used in Active Attacks https://thehackernews.com/2021/06/github-updates-policy-to-remove-exploit.html
    Code-hosting platform GitHub Friday officially announced a series of updates to the site’s policies that delve into how the company deals with malware and exploit code uploaded to its service. Also:
    https://www.bleepingcomputer.com/news/security/githubs-new-policies-allow-removal-of-poc-exploits-used-in-attacks/

  14. Tomi Engdahl says:

    Exchange Servers Targeted by ‘Epsilon Red’ Malware https://threatpost.com/exchange-servers-epsilon-red-ransomware/166640/
    REvil threat actors may be behind a set of PowerShell scripts developed for encryption and weaponized to exploit vulnerabilities in corporate networks, the ransom note suggests.

  15. Tomi Engdahl says:

    White House Urges Private Companies to Help in Fight Against Ransomware
    https://www.securityweek.com/white-house-urges-private-companies-help-fight-against-ransomware

    In an open letter, the White House this week urged corporate executives and business leaders to take the appropriate measures to protect their organizations against ransomware attacks, only days after meat-packaging giant JBS fell victim to such an attack.

    The memo, signed by Anne Neuberger, deputy national security advisor for cyber and emerging technology, mentions the recent increase in the number of ransomware incidents, as well as the Biden administration’s response to such attacks targeting government and private sector organizations.

    In response to a series of cyberattacks that affected U.S. critical infrastructure both directly and indirectly – including the SolarWinds incident and the Colonial Pipeline attack – President Joe Biden signed an executive order on improving the cyber-defenses of “vital institutions.”

  16. Tomi Engdahl says:

    Organizations Warned: STUN Servers Increasingly Abused for DDoS Attacks
    https://www.securityweek.com/organizations-warned-stun-servers-increasingly-abused-ddos-attacks

    Application and network performance management company NETSCOUT warned organizations this week that STUN servers have been increasingly abused for distributed denial-of-service (DDoS) attacks, and there are tens of thousands of servers that could be abused for such attacks by malicious actors.

    The Session Traversal Utilities for NAT (STUN) protocol serves as a tool for other protocols in dealing with Network Address Translator (NAT) traversal, helping applications discover the NATs and firewalls that are between them and the Internet. It also enables applications to determine the public IP allocated to them by the NAT.

    According to NETSCOUT, threat actors have been adding STUN reflection/amplification to DDoS-for-hire services.

    While the amplification rate is only 2.32 to 1, UDP reflection/amplification attacks abusing STUN services can be more difficult to mitigate without overblocking legitimate traffic. NETSCOUT discovered more than 75,000 STUN servers that could be abused for DDoS attacks and the company has seen significant multi-vector attacks that include STUN as a component.

    “Observed attack bandwidth (bps) sizes range from ~15 Gbps to ~60 Gbps for single-vector STUN reflection/amplification attacks and up to an aggregate 2 Tbps for multivector attacks that include STUN as a component,” NETSCOUT said.

    “The highest observed throughput (pps) for a single-vector STUN reflection/amplification attack is ~6 Mpps and up to an aggregate ~836.3 Mpps for multivector attacks that include STUN as a component,” it added.

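As an added illustration of the reflection/amplification mechanism described in the NETSCOUT item above (example code written for this page, not code from the original comment or from NETSCOUT), the following Python takes the defender's view: it parses the STUN header, treats Binding Success responses from UDP/3478 whose transaction ID the local host never sent as reflected traffic, and reports the per-reflector amplification factor. All addresses, ports, packets and the alert threshold are constructed sample values.

```python
"""Defender-side STUN reflection detector over constructed UDP packets.

Added example, not code from the original post or NETSCOUT. Parses the
20-byte STUN header (RFC 5389), flags Binding Success responses from UDP/3478
whose transaction ID this host never sent, and reports the amplification
factor per reflector. Addresses, ports and packets below are constructed.
"""
import struct
from collections import defaultdict

STUN_MAGIC_COOKIE = 0x2112A442
STUN_PORT = 3478
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
LOCAL_IP = "192.0.2.1"  # constructed: the host whose traffic we inspect

def parse_stun_header(payload: bytes):
    """Return (msg_type, msg_length, transaction_id), or None if not STUN."""
    if len(payload) < 20:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    # Top two type bits are zero, the cookie is fixed, and the length
    # (which excludes the header) is a multiple of 4.
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE:
        return None
    if msg_len % 4 != 0 or len(payload) != 20 + msg_len:
        return None
    return msg_type, msg_len, payload[8:20]

def stun_attr(attr_type: int, value: bytes) -> bytes:
    """TLV attribute with the 4-byte padding STUN requires."""
    pad = (-len(value)) % 4
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * pad

def xor_mapped_address(ip: str, port: int) -> bytes:
    """IPv4 XOR-MAPPED-ADDRESS value (RFC 5389 section 15.2)."""
    xport = port ^ (STUN_MAGIC_COOKIE >> 16)
    addr = int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")
    return struct.pack("!BBHI", 0, 0x01, xport, addr ^ STUN_MAGIC_COOKIE)

def build_binding_request(txid: bytes) -> bytes:
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txid

def build_binding_success(txid: bytes, attrs: bytes) -> bytes:
    hdr = struct.pack("!HHI", BINDING_SUCCESS, len(attrs), STUN_MAGIC_COOKIE)
    return hdr + txid + attrs

def detect_reflection(packets, local_ip, min_unsolicited=5):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, payload).

    Returns {reflector_ip: {"unsolicited": n, "resp_bytes": b, "amp": ratio}}
    for sources that sent at least min_unsolicited responses we never requested.
    """
    sent = set()  # transaction IDs of Binding Requests this host emitted
    stats = defaultdict(lambda: {"unsolicited": 0, "resp_bytes": 0})
    for src, sport, dst, dport, payload in packets:
        hdr = parse_stun_header(payload)
        if hdr is None:
            continue
        mtype, _, txid = hdr
        if src == local_ip and dport == STUN_PORT and mtype == BINDING_REQUEST:
            sent.add(txid)
        elif dst == local_ip and sport == STUN_PORT and mtype == BINDING_SUCCESS:
            if txid in sent:
                sent.discard(txid)  # answer to a request we really made
            else:
                stats[src]["unsolicited"] += 1
                stats[src]["resp_bytes"] += len(payload)
    flagged = {}
    for ip, s in stats.items():
        if s["unsolicited"] >= min_unsolicited:
            # A spoofed Binding Request is a bare 20-byte header, so this is the
            # bytes-out per bytes-in ratio NETSCOUT quotes (~2.32:1 in its data).
            s["amp"] = round(s["resp_bytes"] / (20 * s["unsolicited"]), 2)
            flagged[ip] = s
    return flagged

def sample_packets():
    """Constructed packet list, not captured traffic."""
    attrs = stun_attr(0x0020, xor_mapped_address(LOCAL_IP, 50000))  # XOR-MAPPED-ADDRESS
    attrs += stun_attr(0x8022, b"example-stun/1.0")  # SOFTWARE
    pkts = []
    txid = (1).to_bytes(12, "big")  # a legitimate exchange we initiated
    pkts.append((LOCAL_IP, 50000, "198.51.100.10", STUN_PORT, build_binding_request(txid)))
    pkts.append(("198.51.100.10", STUN_PORT, LOCAL_IP, 50000, build_binding_success(txid, attrs)))
    for i in range(8):  # an open STUN server reflecting eight unasked-for responses at us
        pkts.append(("203.0.113.5", STUN_PORT, LOCAL_IP, 50000,
                     build_binding_success((100 + i).to_bytes(12, "big"), attrs)))
    for i in range(2):  # a second reflector that stays below the alert threshold
        pkts.append(("203.0.113.6", STUN_PORT, LOCAL_IP, 50000,
                     build_binding_success((200 + i).to_bytes(12, "big"), attrs)))
    pkts.append(("203.0.113.7", 53, LOCAL_IP, 50000, b"not stun"))  # non-STUN noise
    return pkts

if __name__ == "__main__":
    for ip, s in detect_reflection(sample_packets(), LOCAL_IP).items():
        print(f"{ip}: {s['unsolicited']} unsolicited responses, amplification {s['amp']}x")
```

The same transaction-ID bookkeeping is what lets a responder separate a genuine NAT-discovery reply from reflected traffic without blocking UDP/3478 outright, which is the overblocking problem the advisory warns about.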
  17. Tomi Engdahl says:

    Serious Vulnerabilities Found in CODESYS Software Used by Many ICS Products
    https://www.securityweek.com/serious-vulnerabilities-found-codesys-software-used-many-ics-products

    Researchers have discovered 10 vulnerabilities — a majority rated critical or high severity — in CODESYS industrial automation software that is used in many industrial control system (ICS) products.

    Researchers at Russian cybersecurity company Positive Technologies identified the vulnerabilities in various products made by CODESYS. They initially found the flaws in a programmable logic controller (PLC) made by WAGO, but further analysis showed that the issues were actually introduced by CODESYS software that is used by more than a dozen manufacturers for their PLCs, including Beckhoff, Kontron, Moeller, Festo, Mitsubishi, HollySys and several Russian firms.

  18. Tomi Engdahl says:

    National Vulnerability Database: CVE-2021-33838 > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33838, 2021-06-04 00:15:07 +0000
    Luca through 1.7.4 on Android allows remote attackers to obtain sensitive information about COVID-19 tracking because requests related to Check-In State occur shortly after requests for Phone Number Registration.

  19. Tomi Engdahl says:

    Washington Post:
    Analysis: eighteen, or nearly 2%, of the 1,000 highest grossing apps on the App Store are scams; according to Appfigures data, the apps may have cost users $48M — Nearly 2 percent of Apple’s top-grossing apps on one day were scams — and they have cost people $48 million
    https://www.washingtonpost.com/technology/2021/06/06/apple-app-store-scams-fraud/

  20. Tomi Engdahl says:

    Hackers Breached Colonial Pipeline Using Compromised Password
    By William Turton and Kartikay Mehrotra
    4 June 2021 at 22:58 UTC+3
    https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password?sref=ylv224K8

    Investigators suspect hackers got password from dark web leak
    Colonial CEO hopes U.S. goes after criminal hackers abroad

    The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack.

    Hackers gained entry into the networks of Colonial Pipeline Co. on April 29 through a virtual private network account, which allowed employees to remotely access the company’s computer network, said Charles Carmakal, senior vice president at cybersecurity firm Mandiant, part of FireEye Inc., in an interview. The account was no longer in use at the time of the attack but could still be used to access Colonial’s network, he said.

  21. Tomi Engdahl says:

    First known malware targeting Windows containers.

    World’s First Known Malware Targeting Windows Containers to Compromise Cloud Environments.
    https://cyberworkx.in/2021/06/07/worlds-first-known-malware-targeting-windows-containers-to-compromise-cloud-environments/

    Researchers have discovered the first known malware targeting Windows containers, which mimics CExecSvc.exe to break out of containers.

  22. Tomi Engdahl says:

    First on CNN: US recovers millions in cryptocurrency paid to Colonial Pipeline ransomware hackers
    https://www.cnn.com/2021/06/07/politics/colonial-pipeline-ransomware-recovered/index.html

    Washington (CNN) – US investigators have recovered millions of dollars in cryptocurrency paid in ransom to hackers whose attack prompted the shutdown of the key East Coast pipeline last month, according to people briefed on the matter.

    The ransom recovery is a rare outcome for a company that has fallen victim to a debilitating cyberattack in the booming criminal business of ransomware.

    Colonial Pipeline Co. CEO Joseph Blount told The Wall Street Journal in an interview published last month that the company complied with the $4.4 million ransom demand because officials didn’t know the extent of the intrusion by hackers and how long it would take to restore operations.

    But behind the scenes, the company had taken early steps to notify the FBI and followed instructions that helped investigators track the payment to a cryptocurrency wallet used by the hackers, believed to be based in Russia. US officials have linked the Colonial attack to a criminal hacking group known as Darkside that is said to share its malware tools with other criminal hackers.

  23. Tomi Engdahl says:

    ANOM: Hundreds arrested in massive global crime sting
    https://www.bbc.com/news/world-57394831

    Law enforcement agencies say they have arrested hundreds of criminals around the world in a three-year operation, using a secure messaging app run by the American FBI.

    It has led to arrests in 18 countries.

    They include suspects linked to the mafia and organised criminal groups.

    Drugs, weapons and cash have also been seized.

    New Zealand police said that after the FBI had dismantled two other encryption services, it began operating its own encrypted device company called ANOM.

  24. Tomi Engdahl says:

    Raids worldwide as police reveal vast hack of criminals’ encrypted phones
    https://www.bangkokpost.com/world/2128723/raids-worldwide-as-police-reveal-vast-hack-of-criminals-encrypted-phones

    SYDNEY: International law enforcement agencies on Tuesday revealed a vast three-year global operation to infiltrate encrypted phones with violent criminal groups, resulting in hundreds of arrests worldwide.

    Unveiling the “world’s most sophisticated” sting, agencies from Australia, Europe, New Zealand and the United States said they “operated” the supposedly secure “AN0M”-enabled phones.

    Dubbed “Operation Trojan Shield”, forces in 16 countries monitored as members of the mafia, Asian crime syndicates and outlaw motorcycle gangs discussed drug deals, money laundering and even gangland hits.

  25. Tomi Engdahl says:

    Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments https://unit42.paloaltonetworks.com/siloscape/
    In March 2021, I uncovered the first known malware targeting Windows containers, a development that is not surprising given the massive surge in cloud adoption over the past few years. I named the malware Siloscape (sounds like silo escape) because its primary goal is to escape the container, and in Windows this is implemented mainly by a server silo. Also:
    https://therecord.media/first-malware-discovered-targeting-windows-server-containers/.
    Also:
    https://threatpost.com/windows-containers-malware-targets-kubernetes/166692/.
    Also:
    https://thehackernews.com/2021/06/researchers-discover-first-known.html

  26. Tomi Engdahl says:

    Amazon Sidewalk: Cutting Through the Hype
    https://isc.sans.edu/diary/rss/27502
    Later this week (tomorrow?), Amazon will enable its new Sidewalk feature. The feature has already gotten a lot of bad press. Much of this comes from the fact that existing devices are automatically used as Sidewalk Gateways and users will have to opt-out. New devices may require a specific opt-in during setup.

  27. Tomi Engdahl says:

    Hacking space: How to pwn a satellite. Hacking an orbiting satellite is not light years away; here’s how things can go wrong in outer space https://www.welivesecurity.com/2021/06/07/hacking-space-how-pwn-satellite/
    Getting root on something floating above our planet (or any other, for that matter) would seem like a new form of hacking Holy Grail. Don’t worry though, someone’s already working on it, believe it or not.
    Because when you break something in space, bad things happen. Just ask any space movie fan.

  28. Tomi Engdahl says:

    Hackers Breached Colonial Pipeline Using Compromised Password https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password
    The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack. Also:
    https://thehackernews.com/2021/06/hackers-breached-colonial-pipeline.html.
    https://www.zdnet.com/article/the-cost-of-ransomware-around-the-globe-to-go-beyond-265-billion-in-the-next-decade/.
    The cost of ransomware attacks worldwide will go beyond $265 billion in the next decade. The cost of ransomware incidents worldwide is expected to spiral out of control, exceeding $265 billion by 2031.

  29. Tomi Engdahl says:

    Australians spent AU$26.5m in cryptocurrency to pay scammers in 2020
    https://www.zdnet.com/article/australians-spent-au26-5m-in-cryptocurrency-to-pay-scammers-in-2020
    Australians in 2020 reported losses to scams totalling AU$851 million, with AU$128 million lost to business email compromise (BEC), AU$8.4 million classed as remote access scams, and AU$3.1 million a result of identity theft. Also:
    https://www.accc.gov.au/system/files/Targeting%20scams%20-%20report%20of%20the%20ACCC%20on%20scams%20activity%202020.pdf

  30. Tomi Engdahl says:

    New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/
    The new PayloadBIN ransomware has been attributed to the Evil Corp cybercrime gang, rebranding to evade sanctions imposed by the US Treasury Department’s Office of Foreign Assets Control (OFAC).

  31. Tomi Engdahl says:

    New publication from Pelastakaa Lapset (Save the Children Finland): ordinary everyday pictures of children are being sexualised online https://www.epressi.com/tiedotteet/sosiaaliset-kysymykset/pelastakaa-lasten-tuore-julkaisu-lapsista-otettuja-tavallisia-arkipaivaisia-kuvia-seksualisoidaan-netissa.html
    The publication “Everyday pictures of children in a sexualising context”, produced by Pelastakaa Lapset, highlights a worrying phenomenon: ordinary, everyday pictures of children are ending up in sexualising contexts online. Also:
    https://www.is.fi/digitoday/art-2000008033291.html

  32. Tomi Engdahl says:

    A new way to detect ‘deepfake’ picture editing https://www.lightbluetouchpaper.org/2021/06/07/a-new-way-to-detect-deepfake-picture-editing/
    Common graphics software now offers powerful tools for inpainting using machine-learning models to reconstruct missing pieces of an image. They are widely used for picture editing and retouching, but like many sophisticated tools they can also be abused. They can remove someone from a picture of a crime scene, or remove a watermark from a stock photo. Could we make such abuses more difficult?

  33. Tomi Engdahl says:

    ‘Apple is eating our lunch’: Google employees admit in lawsuit that the company made it nearly impossible for users to keep their location private
    https://www.businessinsider.com/unredacted-google-lawsuit-docs-detail-efforts-to-collect-user-location-2021-5

    Google made it nearly impossible for users to keep their location private, according to newly unredacted court documents.
    Even Google execs and employees in charge of location data were confused about how privacy settings worked.
    Google was sued by Arizona’s attorney general over its data collection practices last year.

  34. Tomi Engdahl says:

    Wall Street Journal:
    US investigators seize nearly 64 bitcoins, valued at ~$2.3M, that Colonial Pipeline had paid in ransom to hackers last month; source says ransom was 75 bitcoin — Law-enforcement officials seize nearly 64 bitcoin of ransom paid after cyberattack led to closure of East Coast fuel conduit

    U.S. Retrieves Millions in Ransom Paid to Colonial Pipeline Hackers
    Law-enforcement officials recover roughly $2.3 million in digital currency paid after cyberattack that led to closure of East Coast fuel conduit
    https://www.wsj.com/articles/u-s-retrieves-millions-paid-to-colonial-pipeline-hackers-11623094399?mod=djemalertNEWS

    U.S. authorities have recovered millions of dollars in digital currency paid to the hackers who hit a major East Coast fuel pipeline with a ransomware attack last month, in a law-enforcement operation that officials said demonstrated progress undermining criminals’ ability to disrupt American commerce and critical infrastructure for profit.

    Investigators seized about 64 bitcoin, valued at roughly $2.3 million, from a virtual wallet—the alleged proceeds from the ransom hack carried out by a suspected Russian-based criminal gang on Colonial Pipeline Co., the Justice Department said.

    “The extortionists will never see this money,” Stephanie Hinds, acting U.S. attorney for the Northern District of California, where the seizure warrant was obtained, told reporters. “This case demonstrates our resolve to develop methods to prevent evildoers from converting new methods of payment into tools and extortion for undeserved profits.”

  35. Tomi Engdahl says:

    Catalin Cimpanu / The Record:
    In a huge sting operation, FBI and Australian Federal Police ran an encrypted chat service AN0M for 3+ years to intercept messages between criminals globally — The FBI and Australian Federal Police ran an encrypted chat platform and intercepted secret messages between criminal gang members …
    https://therecord.media/fbi-and-australian-police-ran-an-encrypted-chat-platform-to-catch-criminal-gangs/

  36. Tomi Engdahl says:

    Alexander Osipovich / Wall Street Journal:
    FTC: consumers have reported losing nearly $82M to crypto scams during Q4 2020 and Q1 2021, up more than 10x YoY

    Crypto Frauds Target Investors Hoping to Cash In on Bitcoin Boom
    https://www.wsj.com/articles/crypto-frauds-target-investors-hoping-to-cash-in-on-bitcoin-boom-11623058380?mod=djemalertNEWS

    FTC says consumers have reported losing more than $80 million to crypto-investment scams since October

  37. Tomi Engdahl says:

    Huge parts of internet currently offline
    https://www.bbc.com/news/technology-57399628

    A number of leading websites are currently not working, including Amazon, Reddit and Twitch.

    The UK government website – gov.uk – is also down, as are parts of the BBC and a host of other media outlets.

    Affected websites displayed the message: “Error 503 Service Unavailable”.

    Early reports suggested it could be related to Fastly, a cloud computing provider, which underpins a lot of major websites.

  38. Tomi Engdahl says:

    Breaking: Major Websites Around The World Down As Cloud Service Fastly Crashes
    https://www.iflscience.com/technology/breaking-major-websites-around-the-world-down-as-cloud-service-fastly-crashes/

    Several websites across the Internet, from social media platforms such as Twitch and Reddit to news outlets including the Financial Times, the Guardian, and the New York Times are currently down, with users seeing the error message “Error 503 Service Unavailable”. This is reportedly due to an outage of unknown origin at the cloud service company Fastly, a cloud computing company that offers services ranging from cloud security to content delivery networks (CDN).

    The outage has also affected government websites and shopping sites including Amazon and PayPal, while other major sites like Facebook and Twitter and messaging sites Microsoft Teams and Slack appear unaffected.

  39. Tomi Engdahl says:

    Are we overestimating the ransomware threat?
    https://techcrunch.com/2021/06/08/are-we-overestimating-the-ransomware-threat/?tpcc=ECFB2021

    On Monday afternoon, the U.S. Justice Department said it has seized much of the cryptocurrency ransom that U.S. pipeline operator Colonial Pipeline paid last month to a Russian hacking collective called DarkSide by tracking the payment as it moved through different accounts belonging to the hacking group and finally breaking into one of those accounts with the blessing of a federal judge.

  40. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Hackers stole and posted 70GB of data from LineStar Integrity Services, a compliance tech provider to pipeline clients, on dark web around time of Colonial hack

    Ransomware Struck Another Pipeline Firm—and 70GB of Data Leaked
    https://www.wired.com/story/linestar-pipeline-ransomware-leak/

    LineStar Integrity Services was hacked around the same time as Colonial Pipeline, but radical transparency activists have brought the attack to light.

    When ransomware hackers hit Colonial Pipeline last month and shut off the distribution of gas along much of the East Coast of the United States, the world woke up to the danger of digital disruption of the petrochemical pipeline industry. Now it appears another pipeline-focused business was also hit by a ransomware crew around the same time, but kept its breach quiet—even as 70 gigabytes of its internal files were stolen and dumped onto the dark web.

    A group identifying itself as Xing Team last month posted to its dark web site a collection of files stolen from LineStar Integrity Services, a Houston-based company that sells auditing, compliance, maintenance, and technology services to pipeline customers. The data, first spotted online by the WikiLeaks-style transparency group Distributed Denial of Secrets, or DDoSecrets, includes 73,500 emails, accounting files, contracts, and other business documents, around 19 GB of software code and data, and 10 GB of human resources files that includes scans of employee driver’s licenses and Social Security cards. And while the breach doesn’t appear to have caused any disruption to infrastructure like the Colonial Pipeline incident, security researchers warn the spilled data could provide hackers a roadmap to more pipeline targeting. LineStar did not respond to requests for comment.

    DDoSecrets, which makes a practice of trawling data leaked by ransomware groups as part of its mission to expose data it deems worthy of public scrutiny, published 37 gigabytes of the company’s data to its leak site on Monday. The group says it was careful to redact potentially sensitive software data and code—which DDoSecrets says could enable follow-on hackers to find or exploit vulnerabilities in pipeline software—as well as the leaked human resources material, in an effort to leave out LineStar employees’ sensitive, personally identifiable information.

    But the unredacted files, which WIRED has reviewed, remain online. And they may include information that could enable follow-on targeting of other pipelines, argues Joe Slowik, a threat intelligence researcher for security firm Gigamon who has focused on critical infrastructure security for years as the former head of incident response at Los Alamos National Labs. While Slowik notes that it’s still not clear what sensitive information might be included in the leak’s 70 GB, he worries that it could include information about the software architecture or physical equipment used by LineStar’s customers, given that LineStar provides information technology and industrial control system software to pipeline customers.

    “You can use that to fill in lots of targeting data, depending on what’s in there,” says Slowik. “It’s very concerning, given the potential that it’s not just about people’s driver’s license information or other HR related items, but potentially data that relates to the operation of these networks and their more critical functionality.”

    Xing Team is a relatively new entrant to the ransomware ecosystem.

    That leak could in turn serve as a stepping stone for other ransomware hackers, who frequently comb dark web data dumps for information that can be used to impersonate companies and target their customers. “If you were to steal data from a pipeline company, that could possibly enable you to construct a fairly conventional spearphishing email to another pipeline company,” says Callow. “We absolutely know that groups do that.”

    DDoSecrets’ practice of republishing the leaked data of ransomware victims—even in a redacted form—has been criticized for amplifying ransomware groups’ coercive techniques. But the group’s cofounder Emma Best, who uses the pronoun “they,” argues that doing so for the LineStar leak in particular helps to shine a spotlight on an industry with a long record of environmental scandals. The Colonial Pipeline itself leaked 1.2 million gallons of gasoline into a nature preserve in North Carolina less than a year prior to being targeted by ransomware, Best points out. “To torture a metaphor, fuel is the fuel of our economy, but it’s also a poison when they frequently leak or the pipeline’s construction, operation, or maintenance infringe on communities, typically already marginalized ones,” Best told WIRED in a text interview.

    Best notes that even the shutdown of the pipeline following Colonial’s ransomware incident in May, which triggered gas shortages across the East Coast, wasn’t primarily due to safety concerns, but business and billing issues. “This isn’t an industry that has the public interest at heart,” Best writes. They didn’t confirm if they had found any evidence of wrongdoing in the leaked LineStar files, but argue that it’s noteworthy either way. “With some industries, you have to stop and study them regardless of individual wrongdoing because the industry itself is either so inherently harmful or fraught with danger that to not study it would be reckless.”

    The breach of a second pipeline firm by ransomware operators after Colonial’s shutdown may seem to signal a trend of cybercriminal hackers specifically targeting critical infrastructure. But Emsisoft’s Brett Callow points out that ransomware groups like Xing Team are targeting companies mostly indiscriminately, casting a wide net as they seek to maximize their ransom payments.

    Reply
  41. Tomi Engdahl says:

    TechCrunch:
    Many large websites went down Tuesday, including Amazon, Twitch, BBC, NYT, Spotify, Reddit, and FT, due to an issue at the Fastly CDN, which has now been fixed — Countless popular websites including Reddit, Spotify, Twitch, Stack Overflow, GitHub, gov.uk, Hulu, HBO Max, Quora, PayPal

    Twitch, Pinterest, Reddit and more go down in Fastly CDN outage (Update: Outage resolved after 1 hour)
    Manish Singh, Romain Dillet / 1:08 PM GMT+3•June 8, 2021
    https://techcrunch.com/2021/06/08/numerous-popular-websites-are-facing-an-outage/

    Reply
  42. Tomi Engdahl says:

    Hundreds Arrested in ‘Staggering’ FBI Encrypted Phone Sting
    https://www.securityweek.com/hundreds-arrested-staggering-fbi-encrypted-phone-sting

    Police arrested more than 800 people worldwide in a huge global sting involving encrypted phones that were secretly planted by the FBI, law enforcement agencies said Tuesday.

    Officers were able to read the messages of global underworld figures in around 100 countries as they plotted drug deals, arms transfers and gangland hits on the compromised ANOM devices.

    The evidence from “Operation Trojan Shield” prevented around 100 murders and foiled several large-scale drug shipments, said officials from the FBI, the EU’s police agency Europol and other countries as far afield as Australia.

    “The results are staggering,” FBI Assistant Director Calvin Shivers told reporters at Europol’s HQ in The Netherlands.

    He said the FBI had provided criminal syndicates in over 100 countries with the devices over the last 18 months “that allowed us to monitor their communications.”

    Europol said police from a total of 16 countries launched raids on the basis of evidence from the phones, around 12,000 of which were distributed worldwide.

    “This information led over the last week to hundreds of law enforcement operations on a global scale from New Zealand to Australia to Europe and the USA, with impressive results,” said Jean-Philippe Lecouffe, Deputy Director Operations at Europol.

    “More than 800 arrests, more than 700 locations searched, more than 8 tonnes of cocaine.”

    Reply
  43. Tomi Engdahl says:

    Apple Unveils VPN-Like Service and New Privacy Features at WWDC 2021
    https://www.securityweek.com/apple-unveils-vpn-service-and-new-privacy-features-wwdc-2021

    On Monday, at its 2021 Worldwide Developers Conference (WWDC), Apple unveiled several privacy features that are coming with its new iOS 15, iPadOS 15, macOS Monterey, and watchOS 8 operating systems later this year.

    Apple announced iCloud+, which brings several new features on top of iCloud, including a new private browsing service named Private Relay.

    Private Relay is designed to ensure that when the user browses the internet with Safari, traffic leaving their device is encrypted to prevent third-parties — this allegedly includes Apple — from intercepting it. Based on Apple’s limited description of the service, it sounds like a VPN, but from a technical perspective it may be more similar to the Tor anonymity network.

    According to Apple, all requests are sent through two relays: one that assigns an anonymous IP address to the user, and one that decrypts the web address they want to access and forwards the user to their destination.

    “This separation of information protects the user’s privacy because no single entity can identify both who a user is and which sites they visit,” Apple said.

    Reply
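    The split Apple describes above (one hop learns who you are, the other learns where you are going, neither learns both) is easiest to see with a two-layer onion. The following is an added illustration written for this page, not Apple's implementation (Private Relay's actual transport, token and key-exchange details are not described in the excerpt); the toy cipher, the relay names "ingress"/"egress", the hypothetical client IP 203.0.113.7 and the sample destination are all constructed for the example. Each hop can open only the layer sealed to its own key and records what it was able to learn.

```python
"""Two-hop relay toy model: no single hop sees both client IP and destination.

Added example for this page; it is NOT Apple's Private Relay code. The cipher below is a
SHA-256 counter-mode keystream with an HMAC tag, good enough to show the layering; a real
system would use a standard AEAD (e.g. AES-GCM or ChaCha20-Poly1305).
"""
import hashlib
import hmac
import json
import os


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one secret (toy KDF).
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Relay:
    """One hop. It can open only the layer sealed to its key and logs what it observed."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.log = name, key, []

    def receive(self, source: str, blob: bytes) -> dict:
        layer = json.loads(unseal(self.key, blob))
        # The relay learns the network source it heard from plus the fields in its layer.
        self.log.append({"source": source, "learned": sorted(layer)})
        return layer


def build_onion(ingress_key: bytes, egress_key: bytes, dest: str, request: str) -> bytes:
    # Inner layer (for the egress hop) carries the destination; the outer layer (for the
    # ingress hop) carries only the next hop and the opaque inner blob.
    inner = seal(egress_key, json.dumps({"dest": dest, "request": request}).encode())
    return seal(ingress_key, json.dumps({"next_hop": "egress", "inner": inner.hex()}).encode())


def run_session(client_ip: str, dest: str, request: str = "GET / HTTP/1.1") -> dict:
    """Drive one request through both hops and return what each hop saw."""
    ingress = Relay("ingress", os.urandom(32))
    egress = Relay("egress", os.urandom(32))
    onion = build_onion(ingress.key, egress.key, dest, request)
    layer1 = ingress.receive(client_ip, onion)  # sees client IP, not dest
    layer2 = egress.receive(ingress.name, bytes.fromhex(layer1["inner"]))  # sees dest, not client IP
    return {"ingress": ingress.log[0], "egress": egress.log[0], "delivered": layer2}


if __name__ == "__main__":
    # Constructed sample input: hypothetical client address and destination.
    print(json.dumps(run_session("203.0.113.7", "https://example.com/"), indent=2))
```

    The point worth checking in the output is the two log entries: the ingress entry lists a real client source and only the keys `inner`/`next_hop`; the egress entry lists `ingress` as its source and only `dest`/`request`. Collusion between the two hops, or one operator running both, is exactly what the design does not protect against, which is why the excerpt stresses that the two relays are operated by separate entities.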
  44. Tomi Engdahl says:

    WAGO Controller Flaws Can Allow Hackers to Disrupt Industrial Processes
    https://www.securityweek.com/wago-controller-flaws-can-allow-hackers-disrupt-industrial-processes

    A couple of vulnerabilities discovered in industrial controllers made by WAGO, a German company specializing in electrical connection and automation solutions, can be exploited to disrupt technological processes, which in some cases could lead to industrial accidents, according to Russian cybersecurity firm Positive Technologies.

    The vulnerabilities were found in the WAGO PFC200 programmable logic controller (PLC) and they have been patched by the vendor. One of the flaws, tracked as CVE-2021-21001 and rated critical severity, has been described as a path traversal issue related to a CODESYS component used by the device. It allows an authenticated attacker with network access to the targeted device to access its file system with elevated privileges, by sending specially crafted packets.

    “By exploiting this vulnerability, attackers can access the controller file system with read and write rights. Changes in the PLC file system may cause disruption of technological processes and even lead to industrial accidents,” explained Vladimir Nazarov, head of ICS security at Positive Technologies.

    The second issue, identified as CVE-2021-21000 and rated medium severity, impacts WAGO’s iocheckd service, which is designed to check PLC input/output and display the PLC configuration. An unauthenticated attacker with network access to the device can leverage this flaw to cause a DoS condition.

    Reply
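    The CVE-2021-21001 write-up above describes a path traversal: a file name supplied over the network is joined to a base directory without checking that the result stays inside it. The page does not show the affected CODESYS code, so the following is a generic added illustration of the bug class in Python, not WAGO's or CODESYS's code. The base directory `/srv/plc-files`, the request paths and the function names are constructed for the example; the containment check assumes a POSIX path layout.

```python
"""Path traversal: naive join versus a root-containment check (added example, not WAGO code)."""
import os
from pathlib import Path
from urllib.parse import unquote

# Hypothetical document root a file-serving component might expose.
ROOT = "/srv/plc-files"


def resolve_vulnerable(root: str, user_path: str) -> str:
    """The bug class: join and normalise, but never confirm the result is still under root.

    "../../etc/shadow" walks straight out of the base directory.
    """
    return os.path.normpath(os.path.join(root, user_path))


def is_within_root(root: str, user_path: str) -> bool:
    """Return True only if user_path, after decoding and normalisation, stays under root."""
    decoded = unquote(user_path)          # decode once; "..%2F" must not slip past as literal text
    if "\x00" in decoded:                 # NUL bytes truncate paths in C code paths; reject outright
        return False
    base = Path(root).resolve()
    # An absolute user_path replaces base entirely when joined, so it fails the check below.
    candidate = (base / decoded).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return False
    return True


def resolve_hardened(root: str, user_path: str) -> Path:
    """Hardened variant: raise instead of serving anything outside the root."""
    if not is_within_root(root, user_path):
        raise PermissionError(f"path escapes root: {user_path!r}")
    return (Path(root).resolve() / unquote(user_path)).resolve()


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest traversal attempts.
    for p in ["config/io.xml", "config/../io.xml", "../../etc/shadow",
              "/etc/shadow", "..%2F..%2Fetc%2Fshadow"]:
        print(f"{p!r:32} naive -> {resolve_vulnerable(ROOT, p):24} allowed -> {is_within_root(ROOT, p)}")
```

    Two details matter in practice. First, the check is done on the fully resolved path, so `config/../io.xml` (harmless, stays inside) is accepted while `config/../../x` is not; rejecting every literal `..` instead would be both too strict and too easy to bypass with encoding tricks. Second, `Path.resolve()` follows symlinks on a real file system, so a symlink planted under the root that points outside it is also caught, which is the case a purely string-based check misses.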
  45. Tomi Engdahl says:

    Critical Vulnerabilities Patched in Android With June 2021 Security Updates
    https://www.securityweek.com/critical-vulnerabilities-patched-android-june-2021-security-updates

    Google this week announced the availability of the latest monthly security patches for the Android operating system, which address more than 50 vulnerabilities, including several rated critical severity.

    The most severe of these is a bug in the System component that could be exploited to execute code remotely. Tracked as CVE-2021-0507, the flaw can be exploited using a specially crafted transmission, Google explains.

    The bug affects Android 8.1, 9, 10, and 11 iterations, the same as another critical flaw in the System component — CVE-2021-0516 — which could lead to elevation of privileges.

    Six other vulnerabilities resolved in the System component — three elevation of privilege and three information disclosure bugs — have a severity rating of high.

    All eight flaws were addressed with the 2021-06-01 security patch level, which fixes six other high-risk issues in the mobile platform: one elevation of privilege in Android runtime, one information disclosure in Framework, and four elevation of privilege issues in Media Framework.

    Reply
  46. Tomi Engdahl says:

    Crypto Markets Crash Again After DOJ Seizes $2.3 Million Bitcoin Ransom
    https://www.forbes.com/sites/jonathanponciano/2021/06/08/crypto-markets-crash-again-after-doj-seizes-23-million-bitcoin-ransom/

    After regulatory concerns in China crashed the market last month, cryptocurrencies plummeted again Tuesday morning after the Department of Justice said it seized $2.3 million in bitcoin as part of its investigation into a ransomware attack that shut down the nation’s largest gas pipeline, fueling concerns U.S. officials could ramp up their crypto oversight—something that’s helped spark a years-long bear market before.

    As of 9:45 a.m. EDT, the global crypto market had plummeted more than 11% over the past 24 hours, falling below $1.5 trillion to its lowest point since a flash crash in May pushed the market down to $1.3 trillion from an early month high above $2.5 trillion.

    The crash started Monday after reports surfaced that the DOJ had seized an unspecified amount of cryptocurrency related to the May 8 cyberattack on Colonial Pipeline and intensified overnight—wiping out more than $150 billion in market value by 9:45 a.m. EDT Tuesday.

    It’s unclear how the DOJ obtained the private key, but experts, including Dr. Nicholas Weaver, a cybersecurity professor at the University of California at Berkeley, have suggested federal officials effectively hacked the hackers in a show of unprecedented government intervention in the cryptocurrency space.

    The developments rocked all major tokens, with bitcoin, ether and binance coin falling 10%, 12% and 14%, respectively, Tuesday morning.

    More government intervention. On Sunday, two senators on the Intelligence Committee suggested lawmakers should take increased measures to regulate and trace cryptocurrencies. “The only way you can begin to get on top of the pervasive” ransomware problem is “to develop a pattern,” Sen. Roy Blunt (R-Mo.) told NBC News’ Meet the Press, calling cryptocurrencies the “ransom payment of choice” for hackers and saying lawmakers shouldn’t allow cryptocurrencies to operate “behind the scenes.”

    Reply
  47. Tomi Engdahl says:

    Senators Urge Crackdown On Crypto As Ransom Payment After Gas Pipe, Meat Plant Hacks
    https://www.forbes.com/sites/jonathanponciano/2021/06/06/senators-urge-crack-down-on-crypto-as-ransom-payment-after-gas-pipe-meat-plants-hacks/

    After a second widespread ransomware attack in less than one month, two senators on the Intelligence Committee suggested Sunday that lawmakers should take increased measures to regulate and trace cryptocurrencies, the medium of exchange that’s become popular among hackers for allowing transactions to remain anonymous. 

    In an appearance on NBC News’ Meet the Press, Sen. Roy Blunt (R-Mo.) said, “The only way you can begin to get on top” of the “pervasive” ransomware problem is “to develop a pattern,” before launching into a critique of the anonymity provided by cryptocurrencies often used to pay ransoms.

    “It took gasoline and beef for us to think this is really a serious problem,” Sen. Blunt said, referencing the attacks on Colonial Pipeline and meatpacker JBS, which sparked widespread gas shortages and meat-plant shutdowns, respectively; Colonial paid hackers $4.4 million in bitcoin, but it’s unclear whether JBS has paid a ransom.

    Though he didn’t outline specific policy measures, Blunt said lawmakers shouldn’t allow cryptocurrencies to operate “behind the scenes,” calling them the “ransom payment of choice” for hackers and a “fairly easy” way to receive money for attacks without a trace.

    “We have a lot of cash requirements in our country, but we haven’t figured out in the country or in the world how to trace cryptocurrency,” Blunt said Sunday, adding: “We’ve got to do a better job here.”

    Reply
  48. Tomi Engdahl says:

    “What I’m really worried about is if we saw the kind of massive, across-the-system attack that took place last year, the SolarWinds attack,” Warner said Sunday, referencing a cyberattack by Russian hackers who unleashed a computer virus on 18,000 government and private networks worldwide. “If that attack had been an effort to shut down our system, our economy would have come to a halt.”
    https://www.forbes.com/sites/jonathanponciano/2021/06/06/senators-urge-crack-down-on-crypto-as-ransom-payment-after-gas-pipe-meat-plants-hacks/

    Reply
