Friday Five: 1/17 Edition
The U.S. military fears OPSEC failures as more troops are deployed to the Middle East, an app exposes the sensitive data of babies, and a site helping Australian bushfire victims becomes a victim itself - catch up on the week's news with the Friday Five.
1. Sodinokibi Ransomware Hits New York Airport Systems by Sergiu Gatlan
Following a cyberattack that took place over Christmas, administrative servers belonging to the Albany International Airport were hit by Sodinokibi ransomware. The airport immediately notified the FBI and the New York State Cyber Command and solicited the help of ABS Solutions. According to reports, attackers were able to infiltrate the systems through the maintenance server of its MSP, Logical Net, and spread through the airport’s network until they reached the backup servers. Because the backup servers were compromised, the airport was forced to pay the “under six figures” ransom that the attackers demanded. Airport CEO Philip Calderone announced that the airport severed its relationship with Logical Net after the breach. Fortunately, no airline or TSA servers were affected, customers’ financial and personal information was not accessed, and operations were not impacted by the breach. Most of the files that were encrypted were administrative documents and archived data. Bad actor groups, such as the one that runs Sodinokibi, are continuously targeting high-profile victims and, for the first time, are beginning to publish stolen data when companies do not pay the ransom.
2. US Troops Deploying to the Middle East Told to Leave Personal Devices at Home by Catalin Cimpanu
Amid rising tensions resulting from the death of General Qasem Soleimani, the US deployed emergency troops as part of the US Army 82nd Airborne Division in Iran. The paratroopers were told to leave personal devices like smartphones, tablets, and laptops at home as an operational security (OPSEC) and force protection measure. To put this ban in the context of the realistic military threats that personal devices could pose, ZDNet interviewed more than 20 US military veterans who now work at cybersecurity firms. The veterans listed a number of different avenues that personal devices can open for threat actors, including kidnapping, ransoms, catfishing, device theft, device imaging, and location tracking. Kidnapping and ransom of individual troops as a result of catfishing is a particularly dangerous threat that has been happening for a few years now. Through social media, soldiers have been tricked into downloading malware, revealing details to members of the opposite sex, or even going on dates with Hamas agents disguised as women. Personal cell phones may also connect to cell towers in a foreign country, which could leave a digital trace that allows actors to track troop movements. Mark Waggoner, a veteran with ten years of Army experience who is now a Linux sysadmin for LogRhythm, believes the restrictions make good sense and stated, “Trying to maintain good OPSEC with thousands of these devices would be a losing battle."
3. Baby’s First Data Breach: APP Exposes Baby Photos, Videos by Jeremy Kirk
A mobile app called “Peekaboo Moments,” which is essentially designed for parents to create a virtual baby book of photos, videos, and growth records, has left its Elasticsearch server unsecured, potentially exposing over 70 million log files. The database contains more than 100 GB of data, with some information dating back to March 2019, including email addresses, detailed device data, and links to photos and videos. The app also transmits sensitive data about babies, such as their height and weight, birthdate, and location data that is accurate to within about 30 feet of an individual’s location. It is unclear how long Peekaboo’s Elasticsearch server has been left unsecured, or who may have accessed the data, but according to security expert Dan Ehrlich, the server, the company’s website, and the iOS/Android app were bizarrely built and blatantly left open. This seems to contradict the app’s description of itself as a “secured space” and its promise to safeguard the data and information it stores. On its Google Play app profile page, Peekaboo Moments writes, “We completely understand how these moments are important to you… Data privacy and security come as our priority.” The company’s CEO has not publicly responded to the breach, despite repeated attempts at contact from multiple media outlets.
4. Aussie Bushfires Donation Site Hit by Magecart Thieves by Phil Muncaster
5. Impact of Cyber Attacks on RavnAir More Damaging than First Thought; Flights May be Grounded for a Month by Scott Ikeda
Let's circle back to a story we touched on a couple of weeks ago, in which Alaska-based airline RavnAir was forced to cancel flights during the holidays due to a cyber-attack. Upon review, the airline found that the impact of the attack is greater than its initial evaluation suggested. Although the company had to cancel at least a dozen flights, affecting more than 260 customers, it had been thought that the company recovered fairly quickly and was able to return to its normal operating schedule. The airline recently issued a press release reporting that the company might still experience disruptions to its flights throughout January, making it clear that RavnAir’s network has not fully recovered from the cyber-attack. A spokesperson for RavnAir, Debbie Reinwand, stated that the company will rely on backup systems and manual processes to continue operations until the impact of the cyber-attack is fully contained. Although the nature of the attack was not disclosed in the release, many are speculating that it was ransomware, given the pattern of disruption and the long expected recovery period. The FBI and a third-party cybersecurity company are still working with RavnAir to restore the network.