AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 3/9/2020

1 – One of Roman Abramovich’s companies got hit by ransomware

EVRAZ, one of the world’s largest steel manufacturers and mining operations, has been hit by ransomware, a source inside the company told ZDNet today. The infection has been identified as a result of the Ryuk ransomware strain. The ransomware infection has hit and brought down the company’s North American branches. These include primarily steel production plants across Canada and the US. Manufacturing has been halted at most plants, our source told us, and the company’s IT staff is working to contain the infection and prevent it from spreading.


2 – Former Buttigieg CISO urges DNC to coordinate information sharing between campaigns

Over the last year, Democratic presidential campaigns have had difficulty sharing threat data between one another, according to the former security boss for Pete Buttigieg’s campaign, raising concerns about the party’s ability to fend off possible interference ahead of the November elections. Mick Baccio, who spent roughly five months working for the now-defunct Buttigieg campaign, told CyberScoop that his team tried sharing information with other campaigns that could have helped officials protect themselves from hackers. The effort was hampered, he said, by a shortage of qualified security staffers on other campaigns, and the lack of a formal information sharing process. Baccio resigned from the campaign in January over philosophical differences.


3 – Defense contractor CPI knocked offline by ransomware attack

A major electronics manufacturer for defense and communications markets was knocked offline after a ransomware attack, TechCrunch has learned. A source with knowledge of the incident told TechCrunch that the defense contractor paid a ransom of about $500,000 shortly after the incident in mid-January, but that the company was not yet fully operational. California-based Communications & Power Industries (CPI) makes components for military devices and equipment, like radar, missile seekers and electronic warfare technology. The company counts the U.S. Department of Defense and its advanced research unit DARPA as customers. The company confirmed the ransomware attack.


4 – University Launches Cyber-Toolkit for Detectives

An American university has launched an ingenious new toolkit that can help detectives catch cyber-criminals. The Toolkit for Selective Analysis and Reconstruction of Files (FileTSAR), built by cybersecurity experts at Purdue University, is an all-in-one tool that tracks and reconstructs files and online activity. Cleverly, the tool lets law enforcement access data that criminals believe has been safely swept under the digital carpet. Kathryn Seigfried-Spellar, an associate professor of computer and information technology in the Purdue Polytechnic Institute who helped lead the FileTSAR research team, explained: “FileTSAR allows forensic investigators to capture, selectively analyze and reconstruct files from network traffic.”


5 – Coronavirus forces Tesla to use old Autopilot processors in Chinese Model 3

Due to supply chain constraints caused by the COVID-19 (Coronavirus), Tesla installed older, slower processors in its new cars made in China. Owners of new Model 3s in China reportedly complained to the EV maker when they found out their vehicles had an old, less capable component, according to the BBC. The most up-to-date Model 3s use the 3.0 Tesla chip, but the supply constraints have forced Tesla to install the 2.5 chip. These processors are used in the car’s Autopilot system, and have been since last April. Hopefully, the downgrade won’t affect user experience, but it should be noted that the 3.0 chip processes images 21 times faster than the outgoing component. The older chip undoubtedly doesn’t live up to Tesla’s latest claims of Autopilot’s capabilities.


6 – Online Retailers Scramble To Fight Coronavirus Scams

Online retailers have to be wary of scams centering around the deadly coronavirus as it now makes its way across the world. Amazon has removed more than 1 million products related to the virus that it determined to contain fraudulent claims, according to Forbes. Dharmesh Mehta, Amazon’s vice president of Worldwide Customer Trust, said there were also tens of thousands of other products trying to price-gouge customers. Mehta said the situation is “rapidly evolving,” and the company is staying vigilant against frauds. Third-party sellers on sites like Amazon have been criticized for price-gouging on items like Purell hand sanitizer, which in some cases was sold for $100, Forbes reported. While third-party sellers aren’t affiliated with the company, people wondered if Amazon was benefiting from the price-gouging. The company said it was working to remove the price-gouging and stood against the practice.


7 – Virgin Media Data Breach Exposes Info of 900,000 Customers

Virgin Media announced today that the personal information of roughly 900,000 of its customers was accessed without permission on at least one occasion because of a misconfigured and unsecured marketing database. Virgin Media is a leading cable operator in the U.K. and Ireland, and it delivered 14.6 million broadband, video, and fixed-line telephony services to approximately 6.0 million cable customers, as well as mobile services to 3.3 million subscribers, at December 31, 2019, according to the company’s preliminary Q4 2019 results. According to an ongoing investigation, Virgin Media discovered on February 28, 2020, that the exposed database had been accessible since at least April 19, 2019, and that it was recently accessed by an unauthorized party at least once, although the company doesn’t know “the extent of the access or if any information was actually used.”


8 – Facebook purges hundreds of fake accounts from state actors, marketers

In the first of what’s going to be monthly reports on its efforts to battle coordinated inauthentic behavior (CIB) leading up to the 2020 US elections and beyond, Facebook said that it removed five networks of accounts, Pages and Groups engaged in foreign or government interference in February. The platform is always battling inauthentic behavior, including fake engagement, spam and artificial amplification, but it doesn’t bother to make announcements about those quotidian takedowns, most of which are financially motivated. The five February takedowns are different: they have to do with countering foreign interference or domestic influence operations, Facebook said in a post on Monday. Facebook says that it views influence operations – also referred to as influence ops (IO) – as “coordinated efforts to manipulate public debate for a strategic goal where fake accounts are central to the operation,” be they carried out by domestic, non-state campaigns (CIB) or CIB done on behalf of a foreign or government actor (FGI).


9 – Hacker behind 2012 attacks on LinkedIn and Dropbox was in regular contact with alleged SEC hacker, according to DOJ filing

Two hackers who separately attacked LinkedIn and the US Securities and Exchange Commission (SEC) had worked together and also shared resources. In a new court filing on Tuesday, the US Department of Justice (DOJ) claimed that Yevgeniy Nikulin, a Russian national accused of stealing nearly 117 million usernames and passwords from LinkedIn, Formspring, and Dropbox in 2012, was in contact with Oleksandr Ieremenko, a Ukrainian man charged with allegedly hacking the US Securities and Exchange Commission (SEC) in 2016 and 2017. Nikulin was arrested in the Czech Republic in October 2016 before being extradited to the US in 2018. In 2012, the US Secret Service had seized a hard drive belonging to Ieremenko, which revealed further evidence related to the Nikulin case.


10 – J.Crew says a hacker accessed some customer accounts

Clothing giant J.Crew said an unknown number of customers had their online accounts accessed “by an unauthorized party” almost a year ago, but is only now disclosing the incident. The company said in a filing on Tuesday with the California attorney general that the hacker gained access to the customer accounts in or around April 2019. According to the letter, the hacker obtained information found in customers’ online accounts — including card types, the last four digits of card payment numbers, expiration dates and associated billing addresses. Online accounts also store customer order numbers, shipping confirmation numbers and shipment statuses.


11 – Facebook bans face mask ads to curb coronavirus exploitation

As the coronavirus outbreak continues, Facebook is suspending ads and commerce listings for face masks, saying the social network “will make necessary updates to our policies if we see people trying to exploit this public health emergency.” Facebook will start enforcing its move over the next several days, it said in a web post late Friday. On Thursday, eBay axed some listings related to the coronavirus, and Amazon this week said it’s clamping down on sellers who are price gouging on items like face masks and hand sanitizer. Facebook said it’s keeping an eye on the circumstances surrounding the coronavirus and the illness it causes, COVID-19.


12 – Big Tech Will Pay Its Hourly Workers Even as Full-Time Staff Stays Home During Coronavirus Outbreak

Various big tech companies announced this week that they will continue to pay hourly employees who provide their offices with much-needed services, such as food catering, security and cleaning, even as an increasing number of tech giants ask their full-time employees to work from home to contain the novel coronavirus outbreak. According to the Verge, Microsoft, Facebook, Apple, Amazon, Google and Twitter have all confirmed that they will continue to give their hourly employees their regular pay. This is important considering that many of these employees could see their work affected because big tech companies have asked their full-time employees to work from home, which could lead to reduced work hours and staffing requirements.


13 – Security breach at T-Mobile exposed data of customers and employees

Telecommunications company T-Mobile has revealed that it experienced a security breach which has potentially impacted the account information of both employees and customers. In a notice posted on T-Mobile’s official website, the company explained that its cybersecurity team had recently identified and stopped a cyberattack against T-Mobile’s email vendor. The attack gave unauthorized access to certain employee email accounts – some of which had account information for customers and other employees.