Uber executive accused of disguising data-breach extortion as “bug bounty” is the title of my article this week. This article is about an ongoing investigation of the second data security breach at Uber which went unreported. The call to investigate arose after the Federal Trade Commission (FTC) found that Uber failed to disclose their response to the incident and suspected something fishy. The story dates to 2016 when uber was being investigated for a data breach. When this second data breach occurred later, Uber paid a “bug bounty” of $100,000 to hackers to avoid public shame and instructed the hackers (Charles Glover and Vasile Mereacre) to delete the data after signing a non-disclosure agreement.
According to court documents, it was revealed that the data was shared with a third person who is seen as a vulnerability. There is an ongoing debate about whether the security community or the courts should handle this case. Some members of the security community claim Sullivan, the security chief of Uber at that time did nothing wrong. However, charges of concealing felony and obstruction of justice have been leveled against Sullivan, and this comes with a lot of reputational damage, legal battles, and financial burden. Sullivan was fired at Uber and is currently on a leave of his duties at Cloudflare where he served as the chief security officer. Though the final decision has not been made yet, the writer claims for instance that if the alleged defendant is found guilty of obstruction of justice, he could be hit with a five (5) year prison sentence and a $250,000 fine.
I find this story interesting because it reminds us constantly about how we must strategically deal with risks, threats, and vulnerabilities in the cyber world. I hope to update this story intermittently as and when I get the most current information.
Sophos claims that around 77% of global retailers were hit by ransomware last year (2021), making the industry one of the hardest hits. This data indicator has increased by approximately 75% compared to 2020. 92% of respondents said the attack impacted their operational capabilities, and 89% said it caused their organization to lose business and revenue.
The ransomware threat is becoming a lingering dark cloud over the internet world. Network security level protection will usher in new and higher demands. The ransomware organization has gradually formed a method of stealing private corporate data and business information during the attack process and threatening to release the private data within the enterprise without paying the ransom. The vast majority of ransomware attacks are caused by employee-conscious negligence. On the one hand, enterprises need to carry out security awareness training work systematically, and at the same time, they should conduct daily drills for specific security incidents, so as to minimize the loss of production and operation of enterprises when an attack occurs. At the same time, the use of defense and detection products provided by professional security vendors to set up obstacles for ransomware can reduce the possibility of ransomware attacks. Enterprises should realize that data encryption caused by targeted extortion attacks is technically unrecoverable. They should immediately start data backup, and strengthen the isolation encryption of data backups, so as to maintain high availability of backup data at all times.
U-Haul has disclosed a data breach after a customer contract search tool was hacked to access customer names and driver’s license information. The investigation started on July 12th and on August 1st, the company found that attackers accessed some customer’s rental contracts between November 5th 2021 and April 5th 2022. U-Haul told affected customers in notification letters to those who were impacted this past Friday. The attack happened through compromising two “unique passwords.” The company didn’t disclose how the credentials were compromised, however they changed the passwords after the breach. No credit card information was accessed or acquired during the incident because the tool that was compromised didn’t require any credit card information. U-Haul has decided to provide its affected customers one year of free identity theft protection through Equifax which help detect when or if their personal information is misused.
Interesting read! Thanks for sharing. My thoughts to the article is that although the tool that was compromised didn’t require any credit card information the hackers had accessed customer’s rental contract. Contracts that must have contained personal information which are consumer confidential information, ie social security information, addresses etc Furthermore, not disclosing how the credentials were compromised does not show transparency on the part of the company.
Threat actors associated with the ShadowPad remote access Trojan have implemented a new toolset to assist its campaigns. This group is targeting various government and state-owned organizations spanning multiple Asian countries, according to Symantec.
The focus of the campaign appears to be intelligence gathering. The threat actors have leveraged legitimate software packages to load malware payloads in the past, technique referred to as DLL side-loading.
The attack method leveraged by ShadowPad consists of placing a malicious dynamic link library (DLL) in a legitimate DLL directory. The attacker runs the application which then executes the payload.
Symantec stated that these kinds of attacks often associated with software packages like graphic software, web browsers, outdated versions of security software.
After executing the payload, attacker uses Mimikatz and ProcDump to steal user credentials and network scanning tools to identify other devices on the network that could facilitate lateral movement.
On September 2nd Samsung announced that its American systems had been hacked in late July and that it had discovered the breach of customer data on August 4th. This is not the first time Samsung has suffered a data breach, even this year has been one time (in March, Samsung announced that hackers had exposed internal company data affecting Galaxy smartphones). It’s clear that Samsung’s information security needs to be improved. There’s been a lot of reaction to this data breach because of Samsung’s vague announcement:
Why didn’t Samsung announce the customer data breach until a month later?
What is the judgment that the SSN specifically mentioned in the announcement is not affected by the data breach?
In addition, the notice vaguely mentioned that the leaked data contained demographic information, meaning it could contain accurate geographic location data. On Sept. 6, Shelby Harmer filed a lawsuit against Samsung in U.S. District Court in Nevada alleging breach of contract, negligence, and invasion of privacy.
It is unacceptable for Samsung to issue such vague statements. They need to find a better way of reassuring customers to boost confidence of all stakeholders. At least they have taken some measures by engaging a cybersecurity firm as well as complying with law enforcement. It will be premature to draw conclusions as investigations are still ongoing.
Wei ! I enjoyed your article and we will be looking forward for updates.
According to a report by Microsoft, Iran has attacked Albania for the second time in a span of three months. The first attack was on July 15th and affected 1225 online services that belong to Albanian businesses and the government. During the July attack, Iranian state-sponsored groups were able to gain initial access and exfiltrate files, deploy ransomware, and wiper malware. The second attack halted the functionality of the TIMS system in September 2022. TIMS system is used by Albanian border control and tracks individuals entering and leaving the country. The bad actors first infiltrated the system in may 2021 throw a known vulnerability of a SharePoint Server. Through web shells that were installed on this server, the bad actors gained access to administrative privileges. The bad actors were able to exfiltrate emails and then deployed ransomware and a wiper. The Iranian government had also recently experienced several cyber-attacks. There are wars in cyberspace that we do not hear about in regular news.
Thanks Elizaveta for your article. It reveals the some of the reasons why cyberattacks occur. I disagree with the statement in the article which says that “the focus should be on the prevention of cyberattacks rather than their remediation”. In my opinion, I think both prevention and remediation are necessary in this case scenario. I however agree with the suggestion for the implementation of access encryption and segmentation as a preventive measure.
iOS 16 Launches With Lockdown Mode, Spyware Protection, Safety Check
Every year apple releases a new version of phones and updated software version . This year apple releasing IOS 16 with several privacy and security-focused features . At the first conference of WWDC 2022 apple mention ios 16 supports iphone 8 and second and third generation of iphone SE . The first feature introduced is “LOCKDOWN MODE ” which is available in all the ios 16 devices .
According to Apple, Lockdown Mode provides an “extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats.”
This feature is blocking the most the message attachment types , disable links when the device is locked among other things .
Apple introduced another feature also ” Safety Check” , this feature is to cut the ties with abusive partners and who are try to track their locations . Safety Check was reportedly developed by Apple in collaboration with the National Network to End Domestic Violence, the National Center for Victims of Crime and the Australian Women’s Services Network. Additional security features in iOS 16 include preventing applications from accessing the device’s clipboard and Passkey, a feature that replaces passwords on Safari with biometrics–powered passkeys. https://www.infosecurity-magazine.com/news/ios-16-launches-lockdown-mode/
Thanks for posting this article. I think it is a step in the right direction. Consumers deserve value for money, protection of privacy and I believe Apple is pursuing that agenda by enhancing security features in its latest version.
“YouTube Users Targeted By RedLine Self-Spreading Stealer.”
As per cybersecurity researchers from Kaspersky, attackers are targeting YouTube users. RedLine is one of the most common Trojans used to steal passwords and credentials from browsers, FTP clients and desktop messengers. RedLine can steal usernames, passwords, cookies, bank card details and autofill data from Chromium browser (a google developed and maintained browser). The malware is reportedly downloaded in form of bundle included in Youtube Channels (videos, links, description, hacks, etc.). The bundle can download and run third–party software tools, execute commands in cmd.exe and open links via the default browser.
Cyber–criminals lure victims with ads for cracks and cheats, as well as instructions on how to hack games. The Kaspersky advisory came after a report by cybersecurity firm Akamai that suggested cyber–attacks in the gaming sector to have increased by 167% in the last year.
“Marriott hack: Hotel chain suffers new data breach affecting 5.2 million customers”
Marriott International, the hotel group that owns global chains including Marriott, St Regis and The Ritz-Carlton, has suffered a major security breach – its second in three years. The company announced on 31 March that details of up to 5.2 million customers could have been accessed between mid-January and the end of February this year. In a statement, Marriott said: “Hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels. “At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. We believe this activity started in mid-January 2020.” The access credentials involved have now been disabled and the hotel group is currently investigating the incident and the extent of the breach. It said that “although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy (its loyalty scheme) account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.” However, the data breach could have involved contact details (eg name, mailing address, email address, and phone number); loyalty account information (eg account number and points balance, but not passwords); additional personal details (eg company, gender, and birthday day and month); partnerships and affiliations (eg linked airline loyalty programs and numbers); and preferences (eg stay/room preferences and language preference). Marriott has already contacted customers involved, and they will be required to reset their passwords, while worried guests can also check whether they were affected via a dedicated portal. Customers whose data may have been breached are also offered enrolment into Identity Works, a personal information monitoring service, free of charge for a year.
Hi Marylyn
its interesting how Marriot International got hacked twice in three years , reading from the link provided i think they should train their employees on security and also check if fine the loop holes in their system since they are serving over 5.2 million customers
South Redford Schools closed again after cyber attack
George Hunter
The Detroit News
Redford — The South Redford School District on Wednesday canceled classes for a second straight day after its computer system was infiltrated, just weeks after federal officials warned that hackers are ramping up attacks against schools across the country.
South Redford officials announced the closure in a post to the district’s website, warning employees to avoid using communication devices issued by the district.
Uber executive accused of disguising data-breach extortion as “bug bounty” is the title of my article this week. This article is about an ongoing investigation of the second data security breach at Uber which went unreported. The call to investigate arose after the Federal Trade Commission (FTC) found that Uber failed to disclose their response to the incident and suspected something fishy. The story dates to 2016 when uber was being investigated for a data breach. When this second data breach occurred later, Uber paid a “bug bounty” of $100,000 to hackers to avoid public shame and instructed the hackers (Charles Glover and Vasile Mereacre) to delete the data after signing a non-disclosure agreement.
According to court documents, it was revealed that the data was shared with a third person who is seen as a vulnerability. There is an ongoing debate about whether the security community or the courts should handle this case. Some members of the security community claim Sullivan, the security chief of Uber at that time did nothing wrong. However, charges of concealing felony and obstruction of justice have been leveled against Sullivan, and this comes with a lot of reputational damage, legal battles, and financial burden. Sullivan was fired at Uber and is currently on a leave of his duties at Cloudflare where he served as the chief security officer. Though the final decision has not been made yet, the writer claims for instance that if the alleged defendant is found guilty of obstruction of justice, he could be hit with a five (5) year prison sentence and a $250,000 fine.
I find this story interesting because it reminds us constantly about how we must strategically deal with risks, threats, and vulnerabilities in the cyber world. I hope to update this story intermittently as and when I get the most current information.
Reference
https://arstechnica.com/tech-policy/2022/09/uber-exec-accused-of-disguising-data-breach-extortion-as-bug-bounty/
Sophos claims that around 77% of global retailers were hit by ransomware last year (2021), making the industry one of the hardest hits. This data indicator has increased by approximately 75% compared to 2020. 92% of respondents said the attack impacted their operational capabilities, and 89% said it caused their organization to lose business and revenue.
The ransomware threat is becoming a lingering dark cloud over the internet world. Network security level protection will usher in new and higher demands. The ransomware organization has gradually formed a method of stealing private corporate data and business information during the attack process and threatening to release the private data within the enterprise without paying the ransom. The vast majority of ransomware attacks are caused by employee-conscious negligence. On the one hand, enterprises need to carry out security awareness training work systematically, and at the same time, they should conduct daily drills for specific security incidents, so as to minimize the loss of production and operation of enterprises when an attack occurs. At the same time, the use of defense and detection products provided by professional security vendors to set up obstacles for ransomware can reduce the possibility of ransomware attacks. Enterprises should realize that data encryption caused by targeted extortion attacks is technically unrecoverable. They should immediately start data backup, and strengthen the isolation encryption of data backups, so as to maintain high availability of backup data at all times.
https://www.sophos.com/en-us/press-office/press-releases/2022/09/retail-industry-was-the-second-most-targeted-industry-by-ransomware-in-2021
U-Haul has disclosed a data breach after a customer contract search tool was hacked to access customer names and driver’s license information. The investigation started on July 12th and on August 1st, the company found that attackers accessed some customer’s rental contracts between November 5th 2021 and April 5th 2022. U-Haul told affected customers in notification letters to those who were impacted this past Friday. The attack happened through compromising two “unique passwords.” The company didn’t disclose how the credentials were compromised, however they changed the passwords after the breach. No credit card information was accessed or acquired during the incident because the tool that was compromised didn’t require any credit card information. U-Haul has decided to provide its affected customers one year of free identity theft protection through Equifax which help detect when or if their personal information is misused.
https://www.bleepingcomputer.com/news/security/u-haul-discloses-data-breach-exposing-customer-driver-licenses/
Interesting read! Thanks for sharing. My thoughts to the article is that although the tool that was compromised didn’t require any credit card information the hackers had accessed customer’s rental contract. Contracts that must have contained personal information which are consumer confidential information, ie social security information, addresses etc Furthermore, not disclosing how the credentials were compromised does not show transparency on the part of the company.
ShadowPad-Associated Hackers Targeted Asian Governments
https://www.infosecurity-magazine.com/news/shadowpad-hackers-targeted-asia/
Threat actors associated with the ShadowPad remote access Trojan have implemented a new toolset to assist its campaigns. This group is targeting various government and state-owned organizations spanning multiple Asian countries, according to Symantec.
The focus of the campaign appears to be intelligence gathering. The threat actors have leveraged legitimate software packages to load malware payloads in the past, technique referred to as DLL side-loading.
The attack method leveraged by ShadowPad consists of placing a malicious dynamic link library (DLL) in a legitimate DLL directory. The attacker runs the application which then executes the payload.
Symantec stated that these kinds of attacks often associated with software packages like graphic software, web browsers, outdated versions of security software.
After executing the payload, attacker uses Mimikatz and ProcDump to steal user credentials and network scanning tools to identify other devices on the network that could facilitate lateral movement.
On September 2nd Samsung announced that its American systems had been hacked in late July and that it had discovered the breach of customer data on August 4th. This is not the first time Samsung has suffered a data breach, even this year has been one time (in March, Samsung announced that hackers had exposed internal company data affecting Galaxy smartphones). It’s clear that Samsung’s information security needs to be improved. There’s been a lot of reaction to this data breach because of Samsung’s vague announcement:
Why didn’t Samsung announce the customer data breach until a month later?
What is the judgment that the SSN specifically mentioned in the announcement is not affected by the data breach?
In addition, the notice vaguely mentioned that the leaked data contained demographic information, meaning it could contain accurate geographic location data. On Sept. 6, Shelby Harmer filed a lawsuit against Samsung in U.S. District Court in Nevada alleging breach of contract, negligence, and invasion of privacy.
https://www.bleepingcomputer.com/news/security/samsung-discloses-data-breach-after-july-hack/
https://techcrunch.com/2022/09/06/parsing-samsung-july-breach-notice/
https://www.cshub.com/attacks/news/samsung-hit-with-class-action-lawsuit-following-data-breach
It is unacceptable for Samsung to issue such vague statements. They need to find a better way of reassuring customers to boost confidence of all stakeholders. At least they have taken some measures by engaging a cybersecurity firm as well as complying with law enforcement. It will be premature to draw conclusions as investigations are still ongoing.
Wei ! I enjoyed your article and we will be looking forward for updates.
“Iranian Hackers Target Albania’s Border Control System in a Tit-for-Tat Operation ”
https://www.spiceworks.com/it-security/threat-reports/news/albania-cyberattack-by-iran-nation-state-groups/
According to a report by Microsoft, Iran has attacked Albania for the second time in a span of three months. The first attack was on July 15th and affected 1225 online services that belong to Albanian businesses and the government. During the July attack, Iranian state-sponsored groups were able to gain initial access and exfiltrate files, deploy ransomware, and wiper malware. The second attack halted the functionality of the TIMS system in September 2022. TIMS system is used by Albanian border control and tracks individuals entering and leaving the country. The bad actors first infiltrated the system in may 2021 throw a known vulnerability of a SharePoint Server. Through web shells that were installed on this server, the bad actors gained access to administrative privileges. The bad actors were able to exfiltrate emails and then deployed ransomware and a wiper. The Iranian government had also recently experienced several cyber-attacks. There are wars in cyberspace that we do not hear about in regular news.
Thanks Elizaveta for your article. It reveals the some of the reasons why cyberattacks occur. I disagree with the statement in the article which says that “the focus should be on the prevention of cyberattacks rather than their remediation”. In my opinion, I think both prevention and remediation are necessary in this case scenario. I however agree with the suggestion for the implementation of access encryption and segmentation as a preventive measure.
iOS 16 Launches With Lockdown Mode, Spyware Protection, Safety Check
Every year apple releases a new version of phones and updated software version . This year apple releasing IOS 16 with several privacy and security-focused features . At the first conference of WWDC 2022 apple mention ios 16 supports iphone 8 and second and third generation of iphone SE . The first feature introduced is “LOCKDOWN MODE ” which is available in all the ios 16 devices .
According to Apple, Lockdown Mode provides an “extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats.”
This feature is blocking the most the message attachment types , disable links when the device is locked among other things .
Apple introduced another feature also ” Safety Check” , this feature is to cut the ties with abusive partners and who are try to track their locations . Safety Check was reportedly developed by Apple in collaboration with the National Network to End Domestic Violence, the National Center for Victims of Crime and the Australian Women’s Services Network. Additional security features in iOS 16 include preventing applications from accessing the device’s clipboard and Passkey, a feature that replaces passwords on Safari with biometrics–powered passkeys.
https://www.infosecurity-magazine.com/news/ios-16-launches-lockdown-mode/
Thanks for posting this article. I think it is a step in the right direction. Consumers deserve value for money, protection of privacy and I believe Apple is pursuing that agenda by enhancing security features in its latest version.
“YouTube Users Targeted By RedLine Self-Spreading Stealer.”
As per cybersecurity researchers from Kaspersky, attackers are targeting YouTube users. RedLine is one of the most common Trojans used to steal passwords and credentials from browsers, FTP clients and desktop messengers. RedLine can steal usernames, passwords, cookies, bank card details and autofill data from Chromium browser (a google developed and maintained browser). The malware is reportedly downloaded in form of bundle included in Youtube Channels (videos, links, description, hacks, etc.). The bundle can download and run third–party software tools, execute commands in cmd.exe and open links via the default browser.
Cyber–criminals lure victims with ads for cracks and cheats, as well as instructions on how to hack games. The Kaspersky advisory came after a report by cybersecurity firm Akamai that suggested cyber–attacks in the gaming sector to have increased by 167% in the last year.
https://www.infosecurity-magazine.com/news/youtube-users-targeted-by-redline/
“Marriott hack: Hotel chain suffers new data breach affecting 5.2 million customers”
Marriott International, the hotel group that owns global chains including Marriott, St Regis and The Ritz-Carlton, has suffered a major security breach – its second in three years. The company announced on 31 March that details of up to 5.2 million customers could have been accessed between mid-January and the end of February this year. In a statement, Marriott said: “Hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels. “At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. We believe this activity started in mid-January 2020.” The access credentials involved have now been disabled and the hotel group is currently investigating the incident and the extent of the breach. It said that “although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy (its loyalty scheme) account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.” However, the data breach could have involved contact details (eg name, mailing address, email address, and phone number); loyalty account information (eg account number and points balance, but not passwords); additional personal details (eg company, gender, and birthday day and month); partnerships and affiliations (eg linked airline loyalty programs and numbers); and preferences (eg stay/room preferences and language preference). Marriott has already contacted customers involved, and they will be required to reset their passwords, while worried guests can also check whether they were affected via a dedicated portal. Customers whose data may have been breached are also offered enrolment into Identity Works, a personal information monitoring service, free of charge for a year.
https://www.independent.co.uk/travel/news-and-advice/marriott-hack-data-breach-leak-hotel-guest-details-a9440236.html/
Hi Marylyn
its interesting how Marriot International got hacked twice in three years , reading from the link provided i think they should train their employees on security and also check if fine the loop holes in their system since they are serving over 5.2 million customers
South Redford Schools closed again after cyber attack
George Hunter
The Detroit News
Redford — The South Redford School District on Wednesday canceled classes for a second straight day after its computer system was infiltrated, just weeks after federal officials warned that hackers are ramping up attacks against schools across the country.
South Redford officials announced the closure in a post to the district’s website, warning employees to avoid using communication devices issued by the district.
“At this time, Cyber Forensic teams are advising the District to remain closed for (Wednesday),” the bulletin said. “Student and staff data security continues to be a top priority for the South Redford School District. Cyber Forensics teams are diligently working to (restore) our systems to normal operations.
https://www.detroitnews.com/story/news/local/wayne-county/2022/09/21/cyber-attack-forces-south-redford-schools-closure-second-straight-day/8070311001/