Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.
Ransomware is spreading like wildfire in the US. At least 1,040 schools have been victimized in 2019 alone. That is when baddies aren’t busy targeting city governments, insurance firms, data centers, technology and healthcare companies. Last week, New Orleans became the latest victim, with the city declaring a state of emergency after its network was breached.
Meanwhile, some companies, including hospital network Hackensack Meridian Health and Canada’s laboratory diagnostics service provider LifeLabs, have opted to pay the ransom to recover access to locked systems. “Ransomware attacks are a tried and tested method to get money for adversaries as they find it very lucrative,” says Eric Cornelius, Chief Product Officer at BlackBerry Cylance.
But the question of whether or not to pay a ransom doesn’t come with easy answers. “We would not be negotiating ransoms if the threat were to manifest physically,” says Ryan Kalember, who leads cybersecurity strategy for California-based enterprise security solutions provider Proofpoint. “Insurance has changed the economics in favor of the attackers.”
But just as enterprises are beginning to adopt a backup strategy and not yield to ransom demands, criminals are adapting their strategy by collecting and stealing a victim’s data before encrypting files. As if that wasn’t enough, attackers have come up with another ploy to make infected companies pay up: threatening mass data exposure. “One ransomware gang has now created a public Web site identifying recent victim companies that have chosen to rebuild their operations instead of quietly acquiescing to their tormentors,” reported independent security researcher Brian Krebs. This public naming and shaming marks an escalation of the criminals’ tactics, although it’s not entirely unexpected.
Ultimately, what cannot be denied is that companies and public entities can no longer afford to be lax about erecting security defenses to stop such attacks from happening in the first place.
Do you have a burning cybersecurity question, or a privacy problem you need help with? Drop them in an email to me, and I’ll discuss it in the next newsletter! Now, onto more security news.
What’s trending in security?
Hackers are targeting Ring cameras to speak to people over the devices’ speakers, and what’s more, their security protections are abysmal. [Motherboard]
An insider view of Evil Corp, an international crime network that stole $100 million from businesses and consumers. [Krebs on Security]
The FBI has for years secretly demanded vast amounts of Americans’ consumer and financial information from major US credit agencies, such as records of purchases and locations. [TechCrunch]
Visa issued a statement warning consumers that cybercriminals, dubbed “Fin8,” are actively exploiting a weakness in gas station point-of-sale (POS) networks to steal credit card data. [Visa]
Banking data for 29,000 Facebook employees, which was stored on unencrypted hard drives, was stolen by a thief from a payroll worker’s car. [Bloomberg]
Researchers announced a breakthrough in cryptography after RSA-240, an RSA key that has 240 decimal digits and a size of 795 bits, was factored through more efficient algorithms rather than through hardware improvements. [Ars Technica]
Burnout is real in the infosec industry too. [OneZero]
A new form of “wiper” malware called ZeroCleare, connected to hackers in Iran, was found to have been used in destructive attacks against energy companies in the Middle East. [IBM X-Force]
Bug reporting platform HackerOne suffered a security incident of its own after an outside hacker gained the ability to read and modify some customer bug reports. [Ars Technica]
The FBI recommended that you connect your IoT devices, such as smart speakers and refrigerators, to a separate Wi-Fi network. “Your fridge and your laptop should not be on the same network.” [FBI]
The developer behind the most copied StackOverflow Java code snippet of all time admitted the code was flawed and offered a fix. [Andreas Lundblad]
At least 44 million Microsoft account users are employing usernames and passwords that were leaked online following security breaches at other online services. [Microsoft]
Facebook filed a lawsuit against two Chinese nationals and a Hong Kong advertising firm for allegedly using the social media platform to distribute malware, and then serve misleading advertisements to try to make money. [Facebook]
From toys to surveillance: Toys “R” Us has re-emerged with new stores that have embedded ceiling sensors, cameras, and other tech tasked with monitoring your every playful moment in the store. [Motherboard]
Researchers disclosed a new flaw that allows attackers to sniff, hijack, and tamper with VPN connections on Linux, Android, macOS, and other Unix-based operating systems. [SecLists]
Hackers published 15 million bank debit card numbers from customers of Iran’s three largest banks on social media after a rogue contractor with legitimate access to the systems stole the data. [The New York Times]
Details associated with 463,378 Turkish payment cards are currently being sold on the dark web. [Group-IB]
Apple fixed a bug in iOS AirDrop, which allows users to share files between iOS devices, that potentially allowed an attacker to repeatedly send files to all devices within wireless range. [TechCrunch]
Malware targeting Macs is on the rise, accounting for six of the top 25 threat detections in 2019. [Malwarebytes]
India’s third-largest telco Airtel fixed a flaw that could let hackers access subscribers’ information using just their phone numbers. [BBC]
A new attack called “Plundervolt” gives attackers access to sensitive data stored in a processor’s secure enclave by just fiddling with the voltage of Intel chips. [WIRED]
Data Point
Throughout this year, phishing attacks have mutated into various insidious forms, so much so that they’ve reached new levels of “creativity and sophistication.” Telemetry data gathered by Google shows that malware-infested sites have become a relatively rare phenomenon when compared to phishing sites. According to the company’s Safe Browsing report, the number of detected phishing sites rose to 1,694,944 in December 2019 from a mere 117,538 in early 2015.
Takeaway: Cybersecurity expert The Grugq once said on Twitter: “Give a man an 0day and he’ll have access for a day, teach a man to phish and he’ll have access for life.” The continuing evolution of the attempts to trick users into revealing their private information only shows the stealthy nature of these scams: “The longer phishers can quietly hide from security solutions, the more chances they have to invade inboxes and trick people into divulging sensitive information.”
That’s it. See you all in 2 weeks. Stay safe! Ravie x TNW (ravie[at]thenextweb[dot]com)