Friday Five: 2/7 Edition
Ransomware takes a dangerous turn, a flaw in the Android Twitter app is exploited, and more - catch up on the week's news with the Friday Five.
1. New Ransomware Doesn’t Just Encrypt Data. It Also Meddles with Critical Infrastructure by Dan Goodin
The menace that is ransomware is taking a new, darker turn: intentionally tampering with the industrial control systems that keep crucial equipment running safely. Industrial control system (ICS) networks are usually segregated and better fortified, making it unlikely for ransomware to make the jump from the IT systems it usually targets. A new, dangerous strain of ransomware, Ekans, also known as Snake, contains ICS-specific code that actively seeks out and forcibly stops applications used in the industrial controls of systems such as dams, electric grids, and gas refineries. Ekans also disables data backups and mass-encrypts files. Before starting the file encryption process, the ransomware kills processes matching a hard-coded list of process names stored within the malware’s encoded strings. An earlier example of code that surgically dismantled highly sensitive functions inside critical infrastructure was the sophisticated malware Industroyer, which caused a power outage in Ukraine in December 2016, leaving households without electricity in one of the country’s coldest months. An investigation by Dragos, an industrial security firm, found that Ekans is currently much less of a threat, as it has no mechanism to spread, making it a “relatively primitive attack.” Security experts stress that the program still warrants serious attention from organizations with ICS operations, even though it currently lacks that level of sophistication.
2. Toll Group Confirms “Targeted” Ransomware Attack by Ry Crozier
Toll Group, an Australian logistics company, suffered an IT security incident last week that forced it to shut down several customer-facing systems in the days that followed. Staff worldwide were told to leave desktops and laptops switched off and disconnected from the corporate network. In a statement on Twitter, the company announced that it had decided to shut down its systems “as a precautionary measure” and was working closely with cyber security experts to bring them back online in a “controlled and secure manner.” Although Toll Group kept fairly tight-lipped about the attack at first, it has since disclosed that it was a large-scale ransomware attack that infected over 1000 of its servers. The attackers specifically targeted the company, but it is not yet clear what they were after. Toll Group said there is no evidence that any personal data has been lost at this stage. Spokespeople for the company are emphasizing that customers are its first priority while it restores services. The company acknowledged customers’ frustrations and said in a report, “we are continuing to meet the needs of many of our customers through a combination of manual and automated processes across our global operations, although some are experiencing delay or disruption.”
3. Twitter Says State-Backed Actors May Have Accessed Users’ Phone Numbers by Katie Paul and Leslie Adler
Just a few weeks after a security researcher unearthed a flaw in Twitter’s contacts upload feature, the company discovered a high volume of attempts by possible state actors, coming mostly from Iran, Israel and Malaysia, to access phone numbers associated with user accounts. TechCrunch reported that a researcher was able to match 17 million phone numbers to specific user accounts back in December. The Android app feature that was exploited lets people search for a phone number in order to find and connect with that user’s Twitter profile. Contacts upload is switched on by default for all users except those in the European Union, where strict privacy rules are enforced. Twitter has now changed the feature so that it no longer reveals specific names in response to requests, and has suspended every account suspected of abusing the tool. A company spokeswoman did not disclose how many user phone numbers were exposed, as Twitter was unable to identify all of the impacted accounts. Contrary to the advice of most security experts, Twitter is not currently sending individual notifications to users whose phone numbers were accessed during the leak.
4. Google Bug Sent Private Google Photos Videos to Other Users by Lawrence Abrams
Google admitted a faux pas of its own this week: a bug caused users’ videos and photos to be included in other users’ Google Photos archives when they downloaded their data using Google Takeout. The Takeout feature allows users to download content they have uploaded to various Google-run services such as Google Photos, YouTube, Chrome, and many others. Google has sent email notifications to affected users, informing them that videos stored in their Google Photos were mistakenly shared with unrelated users sometime between November 21, 2019 and November 25, 2019. Although the company has identified the underlying issue and made the necessary adjustments, nothing can be done about the videos that have already been erroneously shared. In the email notification, the company encourages users to “perform another export of your content and delete your prior export at this time.” It goes without saying that this is a serious privacy lapse for users who expected their private content to remain private; it also serves as a clear example of the insecurity of data stored in the cloud without additional protection or encryption.
5. Medicaid CCO Vendor Breach Exposes Health, Personal Info of 654K by Sergiu Gatlan
Oregon’s largest Medicaid coordinated care organization (CCO), Health Share of Oregon, disclosed this week a data breach it suffered at the beginning of January. The breach originated with the theft of a laptop owned by its transportation vendor, GridWorks, and it is estimated that the health and personal information of over 654,000 individuals was exposed. The member information held on the stolen laptop includes names, addresses, phone numbers, dates of birth, Social Security numbers, and Medicaid ID numbers. It is unclear whether the thief was able to locate the information on the stolen device, but Health Share is still being vigilant in its efforts to notify any members who may have been affected. Health Share is also offering one year of free identity monitoring services, including credit monitoring, fraud consultation, and identity theft services, which it strongly urges all affected members to take advantage of. In a public statement regarding the breach, Health Share wrote, “Though the theft took place at an external vendor, we take our members’ privacy and security very seriously. Therefore, we are ensuring that members, partners, regulators, and the community are made fully aware of this issue.” In direct response to the breach, the company plans to expand annual contractor audits, enhance training policies, and keep the patient information transmitted to partners to a bare minimum. Although Health Share could have taken more preventive measures to avoid this incident, it is providing a good example for other companies of how to react and respond to a data breach.