Newsletters

Written content from the Risky Business Media team

Risky Biz News: US and UK ban Chinese equipment on national security grounds

Presented by

Catalin Cimpanu

News Editor

Twitter data leak: A vulnerability reported via the HackerOne platform was used to mass-harvest the account details of Twitter users, including private information such as phone numbers and email addresses. An initial dataset compiled via this vulnerability and containing the details of more than 5.4 million Twitter accounts was allegedly traded on underground hacking forums earlier this year, while an even larger second dataset has also popped up on hacking forums over the past few days. According to reports, this second dataset allegedly contains details on tens of millions of Twitter accounts.

No WhatsApp breach: A threat actor has been circulating an alleged leak of WhatsApp data. It's fake. It's just a list of phone numbers, according to Alon Gal of Hudson Rock.

Zwijndrecht police ransomed: The Ragnar Locker ransomware gang has hacked and is now extorting the police department of the Belgian city of Zwijndrecht. The group claims to have obtained information detailing thousands of license plates, speeding fines, and even criminal investigations, ranging from 2006 to September 2022. Police officials said they detected the attempt to encrypt their servers and shut down their network for two weeks while they investigated and restored services. Ragnar Locker has already leaked some of the files on their dark web leak site.

Risky Biz News: Authorities seize iSpoof in major blow to fraudsters and cybercrime groups

Presented by

Catalin Cimpanu

News Editor

EU Parliament DDoS attack: The EU Parliament said its servers were subject to a DDoS attack hours after it proclaimed the Russian government a sponsor of terrorism. A pro-Kremlin hacktivist group took credit for the attack, according to Roberta Metsola, President of the EU Parliament. The Parliament's website resumed operations after two hours.

Guadeloupe cyberattack: In a message posted on its official website, the government of the Caribbean island Guadeloupe, a French overseas region, said it was hit by "a large-scale computer attack." Officials said they shut down all affected systems to protect data and diagnose the problem. The incident took place on Monday, and systems have yet to be restored. Security experts believe this is a ransomware attack, although the perpetrators have not yet been identified.

Ransomware on Indian hospital: A suspected ransomware attack has disrupted the IT network of the All India Institute of Medical Sciences (AIIMS), one of India's largest medical schools and hospitals. The Hindustan Times said this would mark the first instance of a major Indian hospital being affected by ransomware. Healthcare organizations, and especially hospitals, have been constantly targeted by ransomware gangs all over the US and Europe for the past five years, but as these organizations are getting better at protecting their networks, ransomware attacks are now hitting other countries as well.

TikTok Risks Are Compounded By Its Success

Presented by

Tom Uren

Policy & Intelligence

There are legitimate reasons to be concerned about the platform. Last month Forbes reported that TikTok's China-based parent company ByteDance planned to use the app to monitor the location of specific US citizens without their knowledge or consent. This monitoring effort was allegedly led by ByteDance's Internal Audit and Risk Control department, the team that investigates potential misconduct by current and former employees. Forbes alleges that in at least two cases "the Internal Audit team also planned to collect TikTok data about the location of a U.S. citizen who had never had an employment relationship with the company".

It's hard to know what to make of this report as it's light on details and it's not even clear that the monitoring took place. But perhaps the most concerning aspect of the Forbes article was that TikTok didn't explicitly deny the allegation and instead issued a "non-denial denial". Yikes.

Then there are concerns apps like TikTok could be used to harvest citizen data in bulk. In June we covered TikTok's efforts to mitigate these concerns by securing user data in US-based Oracle data centres (the company's so-called "Project Texas"), and our take was that isolating US user data will be hard.

Risky Biz News: Meta formally links pro-Western influence operation to US military

Presented by

Catalin Cimpanu

News Editor

RunZero is one of this newsletter's four main supporters and this week's featured sponsor. The company's main product is its network discovery and asset inventory platform, which can be used to find any managed and unmanaged assets inside a customer's network. To learn more, please check out this runZero product demo below:

Pig-butchering crackdown: The US Department of Justice said it seized seven websites that were being used to trick victims as part of an online scam scheme known as "pig butchering." Pig butchering schemes are a combination of romance, investment, and cryptocurrency scams, where victims are approached via dating sites and then social-engineered into making various investment or cryptocurrency transactions. Pig butchering scams originated in Southeast Asia—where they have deep ties to criminal cartels—and are spreading globally. The DOJ said the seized domains impersonated the Singapore International Monetary Exchange and were used to steal more than $10 million from at least five victims.

Ten BEC scammers charged: The US DOJ has charged ten suspects across the US for stealing more than $11.1 million from state Medicaid programs and private health insurers. Officials said the group used BEC schemes where they posed as business partners to divert money from their victims' bank accounts into accounts operated by their money mules. The DOJ said that five state Medicaid programs, two Medicare Administrative Contractors, and two private health insurers fell victim and lost money to the group.

Risky Biz News: Cyber Partisans hack and disrupt Kremlin censor

Presented by

Catalin Cimpanu

News Editor

Quantum encryption deadline: The Office of Management and Budget has ordered federal agencies to scan their systems and provide an inventory of assets containing cryptographic systems that could be cracked by quantum computers in the coming years. Agencies have until May 4, 2023 to comply, according to an OMB memo [PDF]. The memo comes after the White House directed US government agencies to mitigate risks from quantum computers earlier this year and after the NSA ordered that all government agencies that handle classified information must use quantum-resistant encryption algorithms by 2035. [Additional coverage in FedScoop]

AGs ask FTC for online privacy regulation: A coalition of 33 state attorneys general has urged the US Federal Trade Commission to pass regulation around online data collection practices. The AGs said they are "concerned about the alarming amount of sensitive consumer data that is amassed, manipulated, and monetized," and that they regularly receive inquiries from consumers about how their data is being hoarded and abused. [Read the full letter here/PDF]

Indian privacy regulation: The Indian government has published the long-awaited first public draft of its upcoming data privacy law—known as the Digital Personal Data Protection Bill. According to the law's text, companies that operate in India and handle the personal data of Indian citizens must use clear and plain language to describe what data they collect and for what purpose. The new law includes many clauses similar to the EU GDPR, such as requiring companies to notify users about security breaches and allowing users to delete their data from online services. Companies that fail to comply with the upcoming regulation risk some of the largest privacy fines in the world: up to 500 crore rupees, or up to $61 million.

Risky Biz News: Iranian state hackers breached US government agency and deployed a cryptominer, of all things

Presented by

Catalin Cimpanu

News Editor

Universal health code in China: The Chinese government is planning to digitize the health records of its citizens and assign them a "universal health code" by 2025. The move has sparked fear among Chinese activists that the digitized health records could be used to bar citizens' access to certain services, jobs, or benefits based on their medical history, genetic information, or family history.

Qatar WC app warning: Officials from the Dutch, German, French, and Norwegian governments have warned against installing Qatar's World Cup apps Ehteraz and Hayya, citing several privacy and security concerns. German officials specifically recommend that, where use of either app is unavoidable, users install it on a separate phone that does not store any of their personal data and wipe the device after the World Cup events.

US-China cyber report: In its yearly report to Congress, the US-China Economic and Security Review Commission has found that "China has developed formidable offensive cyber capabilities over the past decade and is now a world leader in vulnerability exploitation." The commission also found that China "enjoys an asymmetric advantage" over the US in cyberspace due to its unwillingness to follow norms for responsible state behavior. The report found that China selectively applies and promotes norms to benefit its authoritarian view of cyberspace and is "creating new organizations to supplant existing cyber governance mechanisms in line with its vision for the internet."

ASD Enters the Ransomware Suppression Business

Presented by

Tom Uren

Policy & Intelligence

On November 12, Australia's Minister for Cyber Security and Home Affairs Clare O'Neil announced "an ongoing, joint standing operation to investigate, target and disrupt cyber criminal syndicates with a priority on ransomware threat groups". Speaking on the ABC's Insiders program the next day, O'Neil used strong language, describing the operation as "a partnership of new policing between the Australian Signals Directorate (ASD), which are the cyber guns of the Australian Public Service, and the Australian Federal Police (AFP)".

"What they will do is scour the world, hunt down the criminal syndicates and gangs who are targeting Australia in cyber attacks and disrupt their efforts. This is Australia standing up and punching back."

Risky Biz News described the events that led to the announcement:

Risky Biz News: Major hack-and-leak info-op unfolding in Moldova

Presented by

Catalin Cimpanu

News Editor

It is currently unknown who is behind the Moldova Leaks website, but Litvinenco said his ministry has already opened a formal investigation into the hack. The investigation will also look at the Minister of Internal Affairs, which the official said has the technical capabilities to obtain such conversations at its disposal—suggesting that investigators have not ruled out an insider attack.

While this could be the work of a hacker-for-hire mercenary group, several infosec figures believe it is the work of Russia's GRU agency, which has executed hack-and-leak operations in the past to push Russia's political interests abroad.

And since Moldova was once part of the Soviet Union, Russia has quite an interest in keeping the country under its sphere of influence and not letting it align with the EU and Romania.

Risky Biz News: Australia to hack the hackers

Presented by

Catalin Cimpanu

News Editor

O'Neil's statement came on the same day that the AFP issued a press release identifying the Medibank hackers as being located "in Russia."

"We believe we know which individuals are responsible but I will not be naming them," said AFP Commissioner Reece Kershaw. "What I will say is that we will be holding talks with Russian law enforcement about these individuals."

After years during which law firms, cyber-insurance providers, and even security firms and law enforcement have closed their eyes during ransomware negotiations and allowed victims to pay ransom demands in order to placate attackers, these criminal cartels have grown their operations and intensified their attacks, feeding on profits but also on a sense of invincibility.

Risky Biz News: France says cyber deterrence doesn't work

Presented by

Catalin Cimpanu

News Editor

DDoS attacks on election day: Some websites operated by the Mississippi state government were knocked offline during the US midterm elections on Tuesday following DDoS attacks claimed by pro-Russian hacktivist groups. None of the attacked websites were involved in the voting or vote-counting process.

Not a cyber-attack: Officials from Suffolk County in the state of New York dismissed rumors of a cyber-attack on their infrastructure on Tuesday, election night, after some election workers had to collect voting tallies on memory cards and drive to a central office to upload the results to state computer servers. Officials said this happened because "electronic security measures put in place to protect elections systems from cyber attacks had overtaxed and slowed an older operating system," which initially made election authorities believe they were the victim of a cyber-attack.

Cyber.org Range expands nationwide: A Louisiana pilot program called Cyber.org Range—designed to teach K-12 students cybersecurity skills—announced it would expand to all 50 US states after receiving funding, including from the US Cybersecurity and Infrastructure Security Agency.