Friday Five 1/7
A scientist pleads guilty to stealing trade secret data, a new proof-of-concept iPhone Trojan, and more - catch up on the infosec news of the week with the Friday Five!
1. Health tech vendor QRS faces lawsuit after data theft impacting 319K patients by Jessica Davis
On Wednesday, SC Media recapped a new class action lawsuit that QRS, which makes an electronic portal used by healthcare organizations, is facing following the breach of information belonging to over 300,000 patients last summer. In the suit, filed on Monday, the breach victims claim they've suffered "diminished value to their personal data, out-of-pocket expenses for responding to potential fraud and identity theft risks, lost time and money for recovery efforts, and continued risk to their data." It's unclear exactly what led to the data breach; the suit claims the company failed to implement federally recommended cybersecurity measures but doesn't specify which one wasn't addressed. Attackers didn't compromise every QRS system, just a single portal belonging to an organization; still, the information compromised included data - Social Security numbers, patient identification numbers, treatments, diagnoses, and other sensitive data - on 319,778 patients.
2. F.B.I. Arrests Man Accused of Stealing Unpublished Book Manuscripts by Elizabeth A. Harris
The federal government closed the book - pun absolutely intended - this week on a caper that's puzzled the literary community for years when the FBI arrested an Italian man in connection with the theft of unpublished book manuscripts. According to the FBI, Filippo Bernardini, a 29-year-old rights coordinator for Simon & Schuster UK, “impersonated, defrauded, and attempted to defraud, hundreds of individuals” by conducting phishing attacks, tricking recipients into surrendering their login credentials to publishing websites. According to the New York Times, which broke down the indictment on Wednesday, Bernardini used phony domains, similar to the actual ones, more than 160 in total, to dupe publishing professionals. Bernardini was arrested after he landed in New York City and was charged with wire fraud and aggravated identity theft, according to the court filing.
3. New iPhone malware spies via camera when device appears off by Jovi Umawing
Malwarebytes digs into new research around NoReboot, malware that can apparently track users even when their devices appear to be turned off. The malware, a proof-of-concept iPhone Trojan, can let attackers use the phone's microphone and camera to spy on victims by simulating a shutdown or reboot. The proof-of-concept attack hijacks the shutdown event on iOS by injecting code into three daemons, which in turn displays a black screen. While the attack is a proof-of-concept, as Malwarebytes notes, it could only be a matter of time until it's co-opted by attackers. To truly restart your phone, hold down on the iPhone's restart buttons to force it to reboot.
4. Chinese scientist pleads guilty to stealing US agricultural tech by Charlie Osborne
It took a few years, but a former Monsanto employee, suspected of stealing trade secret data dating back to 2014, finally pleaded guilty this week to conspiracy to commit economic espionage. The Department of Justice revealed on Thursday that Xiang Haitao conspired to steal a trade secret from the agrochemical company to benefit China. “Mr. Xiang used his insider status at a major international company to steal valuable trade secrets for use in his native China,” U.S. Attorney Sayler Fleming for the Eastern District of Missouri said in a press release this week. “We cannot allow U.S. citizens or foreign nationals to hand sensitive business information over to competitors in other countries, and we will continue our vigorous criminal enforcement of economic espionage and trade secret laws.” Xiang was first arrested way back in 2017 while trying to board a flight to Shanghai with a sensitive trade secret related to crop analysis on a storage device connected to his laptop. It wasn't until two years after, in 2019, that Xiang, a Chinese citizen, was indicted.
5. French privacy regulator slaps Facebook, Google with fines totaling nearly $240M by Tim Starks