Attacks on critical infrastructure have been a major concern of late, a worry accelerated in part by the recent SolarWinds and Microsoft Exchange Server hacks, which underscored the vulnerability of the networks on which governments and corporations rely. Now a ransomware attack on Colonial Pipeline, the largest refined products pipeline in the U.S., exposes the cyber weaknesses in critical infrastructure.
"On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack," the company said in a statement posted on its website. "We have since determined that this incident involves ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems."
What’s trending in Security
✅ Google said it plans to add iOS-style privacy labels to app listings in Play Store. The changes are expected to go live sometime next year, just as Apple began enforcing new privacy changes that require app developers to seek users' explicit consent before tracking them for serving personalized ads. [The Hacker News]
📱 In 2019, security researcher Qixun Zhao of Qihoo 360's Vulcan Team unveiled an exploit called "Chaos" that could allegedly let a remote attacker easily jailbreak an iPhone X running iOS 12.1 by chaining two flaws that were demonstrated at the TianfuCup hacking contest held in November 2018. Now, according to new reports, the Chaos exploit was weaponized "virtually overnight" by Chinese intelligence groups against Uyghur Muslims as part of a wide-ranging espionage campaign that came to light in 2019. [MIT Technology Review]
🇰🇵 North Korean state-sponsored hackers are among the most prolific threat actors, known for employing tactics ranging from bank heists to the deployment of ransomware and the theft of cryptocurrency from online exchanges. The heavily sanctioned country has leveraged its "hydra-headed" cybercrime program to support and fund its nuclear weapons program, including by perpetrating malicious attacks on U.S. defense and aerospace contractors. [The New Yorker]
🇧🇪 More than 200 organizations across Belgium including the government and parliament were affected by a distributed denial-of-service (DDoS) attack that overwhelmed them with bad traffic. [The Record]
💲 A coalition of 60-plus private and government organizations, called the Ransomware Task Force, released a 48-recommendation framework for combatting ransomware. [Institute for Security and Technology]
⚠️ An email disclosed in Epic Games' lawsuit against Apple showed that 128 million iPhone users, of which 18 million were in the US and 55% in China, downloaded apps containing XcodeGhost malware in 2015. XcodeGhost, reported to be the first instance of the iOS App Store distributing a large number of trojanized apps, compromised over 4,000 apps, enabling them to steal device and user information. [Motherboard / Ars Technica]
🏃♀️ Peloton is having a bad run. Besides having to issue a voluntary recall for all of its treadmill products — including both the Peloton Tread and Tread Plus — following a series of accidents that have resulted in multiple injuries and at least one death, the company has had to contend with a security issue that allowed anyone to pull users' private account data directly from Peloton's servers, even with their profile set to private. The issue has been fixed, but not before an extended delay. [TechCrunch]
👻 A team of academics from the University of Virginia and University of California, San Diego, have discovered a new line of attack that bypasses all current Spectre protections built into the chips, potentially putting almost every system — desktops, laptops, cloud servers, and smartphones — once again at risk just as they were three years ago. [The Hacker News]
🇵🇱 Cybersecurity firm FireEye disclosed a new "Ghostwriter" campaign, which primarily targets audiences in Lithuania, Latvia and Poland and promotes narratives critical of the North Atlantic Treaty Organization's (NATO) presence in Eastern Europe. "Several recent operations have heavily leveraged the compromised social media accounts of Polish officials on the political right to publish content seemingly intended to create domestic political disruption in Poland rather than foment distrust of NATO." [FireEye]
🚨 Researchers detailed a new type of attack that could increase the energy consumption of neural networks by adding small amounts of noise to a network's inputs. [MIT Technology Review]
💰 Lazarus Group, the hackers linked with the North Korean government, were found using malicious JavaScript code, typically used for web skimming attacks, to steal cryptocurrency in a campaign that started early last year. [Group-IB]
🇺🇸 Cybersecurity firm Kaspersky said it discovered new malware called "Purple Lambert" that appears to have been developed by the U.S. Central Intelligence Agency (CIA), based on an analysis of samples it received in 2019. "The samples have intersections of coding patterns, style and techniques that have been seen in various Lambert families." The Lamberts APT, also known as Longhorn, had its hacking tools leaked in the Vault 7 dump published by WikiLeaks in 2017. [Kaspersky]
❎ The operators of Babuk ransomware, which was recently behind the ransomware attack targeting the Metropolitan Police Department, said they are ceasing ransomware intrusions to focus on data theft and extortion instead. [Bleeping Computer]
🇨🇳 China's ministry of state security ordered social groups, enterprises and public entities to step up efforts to safeguard against efforts by "overseas espionage and intelligence agencies and hostile forces" to steal secrets as part of new counter-espionage regulations. [The Guardian]
🔐 Even as WhatsApp senior exec Will Cathcart stressed the need to "prioritize private and secure communication," Facebook said its Messenger app will not gain support for end-to-end encryption until sometime in 2022 at the earliest. [Facebook Newsroom]
🦠 The Android version of Google and Apple's COVID-19 exposure notification app had a privacy flaw that let other preinstalled apps potentially see sensitive data, including if someone had been in contact with a person who tested positive for COVID-19. In a statement to The Markup, Google said it's currently rolling out a fix to the bug. [The Markup / AppCensus]
💵 The REvil ransomware group, which stole blueprints from Apple supplier Quanta Computer and threatened to release the trove of documents, mysteriously removed all references related to the extortion attempt from its dark web site. [MacRumors]
🚫 Researchers from the University of Minnesota apologized to the maintainers of the Linux Kernel Project for intentionally including vulnerabilities in the project's code, which caused the open-source project to ban the school from making future contributions. The paper has since been retracted, and all the details of their study have been released. [The Hacker News]
🇫🇮 A catastrophic data breach at Finnish mental health startup Vastaamo last year exposed the records of its vulnerable patients and left them facing ransom threats. Here's William Ralston piecing together the whole incident. [WIRED]
🗄️ The past fortnight in bugs, data breaches, leaks, and ransomware: Clubhouse, DigitalOcean, Experian, First Horizon Corp, H&M Israel, Metropolitan Police Department, NSW Labor Party, Office of the Solicitor General of the Philippines, Resort Municipality of Whistler, Brazil's Rio Grande do Sul, Schepisi Communications, Scripps Health, and Swiss Cloud Computing AG.
$220,298
That's the average demand for a digital extortion payment in the first quarter of this year, up 43% from the previous quarter, according to a new report from Coveware.
And that's it. Stay safe!
-Ravie