
Friday Five: 1/17 Edition

by Amanda Brown on Friday January 17, 2020


The U.S. military fears OPSEC failures as more troops are deployed to the Middle East, an app exposes the sensitive data of babies, and a site helping Australian bushfire victims becomes a victim itself - catch up on the week's news with the Friday Five.

1. Sodinokibi Ransomware Hits New York Airport Systems by Sergiu Gatlan

Following a cyberattack that took place over Christmas, administrative servers belonging to the Albany International Airport were hit by Sodinokibi ransomware. The airport immediately notified the FBI and the New York State Cyber Command and solicited the help of ABS Solutions. According to reports, attackers were able to infiltrate the systems through the maintenance server of its MSP, Logical Net, and spread through the airport’s network until they reached the backup servers. Because the backup servers were compromised, the airport was forced to pay the “under six figures” ransom that the attackers demanded. Airport CEO Philip Calderone announced that the airport severed its relationship with Logical Net after the breach. Fortunately, no airline or TSA servers were affected, customers’ financial and personal information was not accessed, and operations were not impacted by the breach. Most of the files that were encrypted were administrative documents and archived data. Bad actor groups, such as the one that runs Sodinokibi, are continuously targeting high-profile victims and, for the first time, are beginning to publish stolen data when companies do not pay the ransom.

Read more

2. US Troops Deploying to the Middle East Told to Leave Personal Devices at Home by Catalin Cimpanu

Amid rising tensions resulting from the death of general Qasem Soleimani, the US deployed emergency troops as part of the US Army 82nd Airborne division in Iran. The paratroopers were told to leave personal devices like smartphones, tablets, and laptops at home as an operational security (OPSEC) and force protection measure. To put this ban in the context of the realistic military threats that personal devices could pose, ZDNet interviewed more than 20 US military veterans who now work at cybersecurity firms. The veterans listed a number of different avenues that personal devices can open for threat actors, including kidnapping, ransoms, catfishing, device theft, device imaging, and location tracking. Kidnapping and ransom of individual troops as a result of catfishing is a particularly dangerous threat that has been happening for a few years now. Through social media, soldiers have been tricked into downloading malware, revealing details to members of the opposite sex, or even going on dates with Hamas agents disguised as women. Personal cell phones may also connect to cell towers in a foreign country, leaving a digital trace that could allow adversaries to track troop movements. Mark Waggoner, a veteran with ten years of Army experience who is now a Linux sysadmin for LogRhythm, believes the restrictions make good sense and stated, “Trying to maintain good OPSEC with thousands of these devices would be a losing battle.”

Read more

3. Baby’s First Data Breach: App Exposes Baby Photos, Videos by Jeremy Kirk

A mobile app called “Peekaboo Moments,” which is essentially designed for parents to create a virtual baby book of photos, videos, and records of growth, has left its Elasticsearch server unsecured, in turn potentially exposing over 70 million log files. The database contains more than 100 GB of data, with some information dating back to March 2019, including email addresses, detailed device data, and links to photos and videos. The app also transmits sensitive data about babies such as their height and weight, birthdate, and location data that is accurate to within about 30 feet of an individual’s location. It is unclear how long Peekaboo’s Elasticsearch server has been left unsecured, or who may have accessed the data, but according to security expert Dan Ehrlich, the server, the company’s website, and the iOS/Android app were bizarrely built and blatantly left open. This seems to contradict the app’s description of itself as a “secured space” and its promise to safeguard the data and information it stores. On its Google Play app profile page, Peekaboo Moments writes, “We completely understand how these moments are important to you… Data privacy and security come as our priority.” The company’s CEO has not publicly responded to the breach, despite repeated attempts at contact from multiple media outlets.

Read more

4. Aussie Bushfires Donation Site Hit by Magecart Thieves by Phil Muncaster

Hackers have hit a new low with this recent attack on an Australian bushfire donation site. Since September, over 24 million acres of Australia have burned in one of the country’s worst fire seasons on record, bringing devastation to its wildlife and its people. Many websites have been set up to accept donations for victims, and in this case the website was specifically raising money for those affected by fires in Lake Conjola that have destroyed many homes. Magecart hackers placed digital skimming code designed to harvest card details on the site’s payment page. They inject malicious JavaScript into the page, harvest card and personal data, and then exfiltrate the information to an external domain under their control. The same malicious script in question was also identified targeting an additional 39 separate websites.

Read more

5. Impact of Cyber Attacks on RavnAir More Damaging than First Thought; Flights May be Grounded for a Month by Scott Ikeda

Let's circle back to a story we touched on a couple of weeks ago in which the Alaska-based airline RavnAir was forced to cancel flights during the holidays due to a cyber-attack. Upon review, the airline found that the impact of the attack is greater than its initial evaluation suggested. Although the company had to cancel at least a dozen flights, affecting more than 260 customers, it had been thought that the company recovered fairly quickly and was able to return to its normal operating schedule. The airline recently issued a press release reporting that the company might still experience disruptions to its flights throughout January, making it clear that RavnAir’s network has not fully recovered from the cyber-attack. A spokesperson for RavnAir, Debbie Reinwand, stated that the company will rely on backup systems and manual processes to continue operations until the impact of the cyber-attack is fully contained. Although the nature of the attack was not disclosed in the release, many are speculating that it was ransomware, given the pattern of disruption and the long expected recovery period. The FBI and a third-party cyber security company are still working with RavnAir to restore the network.

Read more

Tags: Cybersecurity, Data Breach, Ransomware, hacking, Data Security
