this week in security — march 12 edition

THIS WEEK, TL;DR

Ransomware gang posts video of data stolen from Minneapolis schools
Bleeping Computer: This week starts in the bleak, miserable world of ransomware. A euphemistically described "encryption event" — aka ransomware attack — by the Medusa gang targeting the Minneapolis Public Schools district came with a $1 million ransom demand; otherwise, the gang says, it will publish the stolen files. In a weird twist, the gang published a screenshare-like video demonstrating its vast access to MPS' networks, a tactic not seen before. Some of the data already seen appears to include incredibly sensitive information, like investigations into abuse and student maltreatment, as well as students' personal information. @IanColdwater has a great advisory thread for parents, since the school district itself isn't saying much at all.
More: Minneapolis Public Schools | The 74 | The Record

Police obtained warrant for Ring owner's footage despite no connection to probe
Politico: Here's a wild one. We all know that Ring cameras are wonderful legal loopholes for police to request footage on the fly. But one Ring camera owner is calling foul on potential overreach, after a local judge signed off on a warrant to obtain footage from his Ring cameras — including in his own house, let me stress, even though the investigation was on his neighbor next door. @alfredwkng explains more in a thread. Ring does a lot to keep its partnerships with police quiet, but they continue to provide data — even when the owner has literally nothing to do with the case. Ring didn't even challenge it. Meanwhile, Ring's customer support thinks the whole thing is a hoax, apparently.
More: Gizmodo | @thomasgermain | @EFF | @ACLU

Washington DC health exchange breach affects thousands, including lawmakers
Associated Press: A verified sample of data stolen from Washington, D.C.'s health insurance exchange includes highly personal information of former top Pentagon brass and lawmakers following a data breach. House members and staff received letters confirming their data was stolen, including (but not limited to) Social Security numbers. Senators are also affected, per Gizmodo. According to @snlyngaas, some 56,415 customers are impacted by the breach (though the forum where the data was listed puts the figure at 170,000). I wonder if this'll finally prompt some form of data protection legislation...? I mean, we can hope, but let's be honest, probably not.
More: Associated Press | Cyberscoop | Bleeping Computer

Sean Lyngaas tweet: "Update tonight: DC Health link confirms the number of customers impacted by breach (56,415) & says it has hired Mandiant for incident response. 'While this remains an ongoing investigation, our services are running normally and we continue to operate in a state of heightened alert'."

Police arrest suspected members of prolific DoppelPaymer ransomware gang
TechCrunch: German and Ukrainian police arrested several suspected members of the DoppelPaymer ransomware group, authorities announced this week. DoppelPaymer targeted more than 600 companies worldwide, including 37 organizations in Germany, with victims paying out at least $42 million between May 2019 and March 2021. One victim was the University Hospital in Düsseldorf, where the attack caused outages that resulted in what's believed to be the first death caused by ransomware. That said, while locals were arrested, police believe the big fish got away.
More: Europol | Cyberscoop | Bleeping Computer | The Register | @vxunderground

~ ~

THE STUFF YOU MIGHT'VE MISSED

Ransomware targeting legal firms on the uptick
Greg Linares: Free observation from @Laughing_Mantis: it looks like law firms are an increasing target for ransomware attackers. Some of it involves hack-and-leak style operations in South and Central America, but it's also worth noting the potential for compromise and exposure of legal casework. The full thread is worth the read, and it's a good heads-up for law firms: you're a major target!

Go ahead and unplug this door device before reading. You'll thank us later
Ars Technica: You might not have heard of the Akuvox E11, but you might have seen one. This wall-mounted device is a lot more than just a video phone: it's network-connected, has a microphone, and takes a photo every time someone walks by. But vulnerabilities (some incredibly basic) remain unfixed — so as suggested, your best bet is probably to just rip it out of your office's wall.

Shein Android app sent some contents of clipboard to remote server
Microsoft: Researchers at Microsoft found that an older version of the Shein Android app "periodically read the contents of the Android device clipboard and, if a particular pattern was present, sent the contents of the clipboard to a remote server." Yikes! Though it wasn't believed to be malicious (and Microsoft explains why), it's still pretty alarming, especially if you're copying and pasting passwords. (via @campuscodi; also read Risky Biz, it's great.)

A flow chart published by Microsoft that explains how an older version of the Shein app checks clipboard text for characters that include "<img" and "://" — clipboard data that gets sent to a Shein API.

Which NYC stores are scanning your face? No one knows
The New York Times ($): Times reporter @kashhill walked around Manhattan to discover which businesses are using facial recognition or other biometric data. This is possible thanks to a recently enacted NYC law mandating that businesses disclose their use of facial recognition and other biometric-gathering technology. And they're not always in the places you expect them to be (think grocery stores!).

Congressman masterminded 2017 ATM fraud, former roommate tells feds
Politico: Look, normally I wouldn't want to draw attention to the weird liar in Congress (which one? har-har). But specifically, really-bad liar Rep. George Santos is accused of running a 2017 credit card skimming operation in Seattle while under a different name. The declaration sworn under oath is a fun read [PDF]. Politico has the goss, and by the looks of it @briankrebs is on the trail.

~ ~

OTHER NEWSY NUGGETS

Feds bust malware masquerading as legit remote admin tool: Prosecutors in California obtained a warrant to seize the only known website selling the NetWire remote access trojan — or RAT — a kind of surveillance malware. Police in Switzerland also seized the NetWire infrastructure. The feds explained how they determined that NetWire was used for malicious purposes and not just as a helpful remote admin tool. (via @lorenzofb)

FBI bought location data, no warrant needed: FBI director Christopher Wray confirmed in a hearing this week that the agency purchased U.S. location data rather than obtaining a warrant, per Wired ($). While an increasingly common tactic, the FBI has never disclosed this before. It's a classic @RonWyden question, since he sits on the Senate Intelligence Committee and knows more than most. (via @dellcam)

Another telehealth startup sold you out to advertisers: Cerebral, the online mental health telehealth startup, disclosed this week that it shared over 3.1 million patients' personal and health data with ad giants Facebook, Google and TikTok. Truly awful, yet totally allowed because — a little louder for the folks in the back — there's still no U.S. data protection or privacy law! On the rare occasion I swapped words for my voice, I ranted a bit about why startups like this scare the bejesus out of me. (via TechCrunch, DataBreaches.net)

A mocked up TechCrunch headline that reads: "Telehealth startup Cerebral was allowed to legally collect and share millions of patients' data with advertisers because the U.S. still doesn't have data protection or privacy laws"

Catholic group spent millions on app data that tracked gay priests: An investigation by the Washington Post found that a group of rich philanthropists poured millions of dollars into a Denver nonprofit, which bought commercially available mobile app tracking data that identified priests who used gay dating and hookup apps, then shared it with bishops around the country. Utterly horrifying, because anyone who's well-funded can now buy this data and weaponize it, since, as the Post notes (and I'll keep saying): "No U.S. data privacy laws prohibit the sale of this data." (via Washington Post ($))

~ ~

THE HAPPY CORNER

Not much in the happy corner this week, but if you needed a reason to improve your passwords at work, here's the Wall Street Journal ($) debunking years of bad password policies. And yes, that means getting rid of expiring passwords, since even NIST no longer recommends this outdated practice that doesn't actually help. Former FTC'er @lorrietweet said periodic password resets are "an ancient and obsolete mitigation of very low value." Preach! (via @adrianhon)

Snippet from WSJ story: "One reason is that if you’re in charge of security at a company, adding more rules and restrictions looks good to bosses, whereas if you take away such rules, company leaders may question whether that’s wise, says Dr. Cranor. Another issue is that official guidelines from the National Institute of Standards and Technology, which are treated by many as the gold standard for cybersecurity policies, didn’t stop recommending regular password resets until 2019."

If you have good news you want to share, get in touch at: this@weekinsecurity.com

~ ~

CYBER CATS & FRIENDS

This week's two-for-one cyber cat special are Midnight (left) and Petey (right). According to their human, they're still kittens, but clearly they have already figured out how to gain elevated privileges (the cat tree — get it?) Many thanks to Brent P. for sending in!

Midnight and Petey (left to right) sitting on top of a cat tree.

Keep sending in your cyber cats! (Fluffy non-feline friends are also welcome.) Send in a photo and their name, and they'll be featured in an upcoming newsletter.

~ ~

SUGGESTION BOX

That's all for now — thanks for reading! Feel free to email me any feedback or drop a note in the suggestion box. As always, I'll be back next Sunday with your usual news drop.

See you next,
@zackwhittaker