(not) Safe Digest: Pseudo Leaks, Tax Deepfake and Cheese Attack
Hey! As usual, we have collected the "classic" and the non-trivial information security incidents of the past month, and this time everything is ghostly. In April, the media wrote about leaks that did not exist, attacks that "no one is behind", a royal flush of ransomware and a bug that breaks lives.
What happened? After a ransomware attack, Dutch shops were left without cheese.
Who is guilty? The virus infected the logistics company Bakker Logistiek, one of the largest logistics operators in the country, which serves grocery supermarkets. Personal computers, servers and, in general, every device on the corporate network were infected. As a result, the transport workers were unable not only to control the dispatch of orders but, in principle, to work in the warehouses at all: without the specialized software, it was simply impossible to find the right product in the giant warehouse complexes. Added to this were problems with the air conditioning and cooling of the premises where perishable foodstuffs are stored, cheese included. As a result, it disappeared from shelves across the country, and stores had to impose purchase limits on shoppers. Fortunately, the company had kept backups, so the entire configuration of its internal systems can be restored in the near future.
What happened? Half of the casinos in Tasmania were closed due to a cyberattack (that is, two out of four, but how it sounds!).
Who is guilty? The ransomware attack caught up with the Federal Group, which operates the gambling business. As a result, the casinos lost access to bank card data and customer transaction records, and it is suspected that the attackers may leak this and other personal information about players onto the network. To determine the extent of the disaster and find the culprit, Federal Group brought in cyber experts and also notified the Australian Cyber Security Centre of the incident. Whether the owners are going to pay the ransom, history is silent.
School codes are wonderful
What happened? The Broward County (Florida) Public Schools network was hit by the Conti ransomware. The virus operators contacted the administration: they threatened to disclose the personal data of students and demanded a ransom of $15 million in cryptocurrency within 24 hours.
Who is guilty? According to the official version, the ransomware was delivered from outside as a result of a hack. The schools kept in contact with the extortionists so that the police would have time to find the intruders. While the victims were bargaining, offering at most half a million, the ransom demand rose to $40 million. Negotiations are still going on, although the victims say that they were never going to pay in any case and are not at all sure that any data has been leaked, deleted, encrypted, or is in danger of being destroyed in the future. Therefore, so far all efforts have been concentrated on searching the schools' IT infrastructure for remnants of malicious code that could harm the educational process.
What happened? A database with information on 1.3 million Clubhouse users turned up freely available on the Internet. The SQL database contains account data (registration date, nickname, user ID, number of followers and list of subscriptions, etc.), as well as information about linked Twitter and Instagram accounts. The media called it a leak.
Who is guilty? The owners of the social network disagree with the accusations. According to their version, the entire "leaked" database consists entirely of public data from user profiles, and nothing more: anyone can scrape it through the API without any hacking. Clubhouse users were asked to accept the inevitable (what else, leave those profiles empty?), not to get nervous, and not to click on suspicious links if spam lands in their Twitter or Instagram direct messages. After all, the "leak" itself is harmless; the information noise around it can do more harm. Remember how phishers perk up with their "you are entitled to compensation" messages after loud news about compromised social network data.
For a long time and not true
What happened? Speaking of which, another mega-leak from Facebook surfaced. It affected the data of more than 530 million users from 106 countries: names, phone numbers, addresses and other information. The company said that the leak is old, dating back to 2019, but the data is still being traded and freely circulated on the Web.
Who is guilty? According to Facebook, some "third-party sites" from which the information was taken. It apparently got there back in 2019 through some mysterious vulnerability in the social network, which has since been "eliminated". That is, in effect, the giant is hinting that this time the data did not flow out of Facebook, but out of the places where the already leaked data was being traded. Affected users were not satisfied with the answer. In Ireland, for example, a case was brought against the social network over a potential violation of the GDPR, conveniently, since Facebook's European office is based in Dublin.
War for private
What happened? Private photos and videos of OnlyFans users hit the Net. OnlyFans is a platform where models sell exclusive 18+ content on a pay-per-file basis. The private folders of 279 creators were exposed, and some of them contained up to 10 GB of media files.
Who is guilty? The leak is the work of hackers, who did not hide their success on RaidForums. An archive with the loot, hosted on Google Drive, was posted there as well. It was analyzed by Aaron DeVera, founder of the research company BackChannel. Most of the content was uploaded in October 2020, he said.
But this is not the most interesting part. For OnlyFans models worried about the privacy of their content, BackChannel has created the OnlyFans Lookup Tool, which checks whether content has leaked. If duplicates of the spicy photos are found somewhere on the network, a request to delete the compromised data can be submitted right away. To do this, it is recommended to visit the labac.dev resource, a community of white-hat hackers who fight Internet harassment. It has a template for a DMCA violation notice (the American copyright protection law, which is the basis for "striking" platforms that post content without the author's knowledge). Such is the collective campaign for private data, in every sense of the word.
What happened? A cyberattack on one of Iran's secret nuclear facilities damaged its power supply system.
Who is guilty? Officially, everyone disowns the incident, which Iran called an act of "nuclear terrorism", but the Israeli media are hinting that the local special services are behind it. The cyber war that does not exist has been going on for more than 10 years: back in 2010, when the Iranian nuclear industry was hit by the Stuxnet virus, the trail of Mossad was already seen in it. At the same time, the Israeli army and special services also regularly fall victim to unpleasant cyber incidents. For example, in 2019, Israeli soldiers' gadgets were sent spyware disguised as a secure photo-sharing application, courtesy of anonymous beauties who turned out to be Palestinian intelligence officers.
20 years of slavery
What happened? True cyber tyranny reigned in the British Post Office for 20 years: postmasters were literally hostages of "crooked" software that regularly attributed shortfalls to them. By various estimates, up to 2 thousand employees of the company suffered: people received prison sentences, went bankrupt trying to repay non-existent losses, and one of the victims, in despair, committed suicide.
Who is guilty? The problem was in the Horizon software, specialized software for managing post offices, including their cash services. Due to the bug, the system regularly reported large shortfalls at branches across the network, with amounts reaching hundreds of thousands of pounds. The company's management fired managers, and from 2000 to 2014 alone more than 740 people were prosecuted. Many, choosing not to go to court, were forced to mortgage all their property so that the figures in the program would "add up". The tragic consequences of the accusations bothered no one; the Post Office's faith in the reliability of its Japanese suppliers was too strong (Horizon was developed by the British ICL, which Fujitsu bought long ago). According to other sources, the company knew about the problems in the program long before the first verdicts. Now the British courts are reviewing the cases, the sentences are being overturned, and the government has joined in paying compensation to the victims. The Post Office continues to use Horizon to this day, although it says it is looking for a "better cloud solution". And the developers are silent and, it seems, in no hurry to fix a deadly error in the code.
Attack of the clones
What happened? Scammers cheated the Chinese tax service out of $76.2 million. They logged into the system under false names and submitted fake tax returns in order to receive VAT refunds.
Who is guilty? The biometric user identification system that the State Tax Administration of China had equipped its services with precisely to prevent fraudulent logins and account theft. The facial recognition algorithms used for authentication were unable to distinguish the faces of living people from their photographs, "animated" by the fraudsters using deepfake techniques. Moreover, the photographs were the most ordinary kind: the ones that decent PRC taxpayers had posted publicly on social networks.
And this is not the first misfire of Chinese biometric recognition technology. Earlier, the traffic control system that sent fines to a well-known TV presenter got it wrong. It turned out that it was not she who had broken the rules, but her photo in an advertisement on buses: hundreds of times a day and in different places it "crossed" the road on red at inhuman speed.
Weakly smart defense
What happened? Forescout researchers discovered that at least 1% of the 10 billion smart devices in use today have one of nine (and possibly more) different vulnerabilities. The identified vulnerabilities were named "NAME:WRECK" because of how they affect the handling of the Domain Name System (DNS) protocol.
Who is guilty? The TCP/IP implementations turned out to be "leaky". This is where the above vulnerabilities are located: in four different stacks, namely Nucleus NET, FreeBSD, NetX and IPnet. Because of these weaknesses, it is possible to seize control of smart devices by running third-party code on them, and to carry out denial-of-service attacks.
Infosec April turned out to be dramatic, if not tragicomic. We wish May to pass without incidents. Have a good weekend!