
Security

US and UK Sanction Alleged Russian Ransomware Gang Members


Last week, a comprehensive investigation by WIRED shed light on the activities of Trickbot, a notorious Russian ransomware gang. This week, in a significant development, US and UK authorities have imposed sanctions on 11 individuals believed to be associated with Trickbot and its affiliate, Conti. Among those sanctioned is Maksim Galochkin, known by the alias “Bentley,” whose identity was confirmed through WIRED’s investigative efforts. While it remains speculative whether the sanctions are a direct result of the investigation, the timing is certainly noteworthy.

The US Justice Department has also taken action by unsealing indictments in three federal courts against Galochkin and eight other alleged members of the Trickbot gang. These charges relate to ransomware attacks that targeted various entities in Ohio, Tennessee, and California. However, the likelihood of these Russian nationals facing trial is slim, as extradition is improbable.

The International Criminal Court (ICC), led by prosecutor Karim Khan, has announced intentions to pursue charges for cyber war crimes, a move that does not explicitly name Russia but follows a petition from the Human Rights Center at UC Berkeley’s School of Law. This petition called for the prosecution of Russia’s Sandworm hackers, a unit within Russia’s GRU military intelligence agency. Sandworm has been implicated in cyberattacks that caused blackouts in Ukraine—the only known cyberattacks to have shut down an electrical grid—and released the NotPetya malware, which resulted in an estimated $10 billion in global damages.

In parallel, concerns have been raised about China’s cyberwar tactics. A Chinese law enacted in 2022 mandates network technology companies to disclose vulnerabilities in their products to the Chinese government within two days of discovery. This information could potentially aid Chinese hackers in exploiting these vulnerabilities, though it is unclear how many Western companies have complied with this law.

In a related incident, Microsoft disclosed how Chinese state-sponsored hackers managed to steal a cryptographic key, enabling them to access Outlook email accounts of at least 25 organizations, including US government agencies. The breach was achieved by infecting a company engineer’s account with token-stealing malware, which then provided access to a cache of crash data containing the signing key. Microsoft has since addressed several system flaws that permitted the attack.

The late Yevgeny Prigozhin, who died in a mysterious plane crash after an alleged coup attempt against Russian President Vladimir Putin, was not only the head of the Wagner Group mercenaries but also led the infamous Internet Research Agency (IRA). Despite reports of the IRA’s shutdown, new research indicates that pro-Prigozhin trolls continue to disseminate disinformation, particularly on platforms like X (formerly Twitter).

In other cybersecurity news, WIRED has provided insights into prompt injection attacks against AI chatbots like ChatGPT, the challenges of opting out of Facebook’s AI data training, and the privacy-focused suite of tools known as Proton Sentinel. Additionally, WIRED co-published an investigation into Axon’s development of Taser-armed drones and obtained exclusive details on a meeting between US intelligence officials and civil liberties groups regarding Section 702 of the Foreign Intelligence Surveillance Act.

Finally, a report from the Mozilla Foundation has raised alarms about car companies collecting and selling detailed personal data from drivers. The report, which scrutinized privacy policies from 25 major car brands, found that none met the foundation’s privacy and security standards. Modern vehicles, equipped with numerous sensors, can track a wide array of personal information, including location, conversations, and even health data, as highlighted by Nissan’s privacy policy.

As the digital landscape continues to evolve, the intersection of technology, privacy, and security remains a critical area for public awareness and regulatory scrutiny.


Privacy

Massive Intelligence Database Leak in Bangladesh Exposes Sensitive Personal Data


In a startling breach of privacy and security, the National Telecommunication Monitoring Center (NTMC), a key intelligence agency in Bangladesh, has suffered a significant data leak. This incident has led to the exposure of a vast array of personal information belonging to countless individuals.

The leaked data is extensive and varied, encompassing names, professions, blood groups, parents’ names, phone numbers, call durations, vehicle registrations, passport details, and even fingerprint photos. Unlike common database leaks that occur frequently, this data is tied to an intelligence database, raising serious concerns about the implications for those affected.

For several months, the NTMC, which plays a pivotal role in monitoring cell phone and internet activity in Bangladesh, had inadvertently made this sensitive information accessible through an unsecured database. The situation escalated when anonymous hackers targeted the database, erasing details from the system and claiming to have absconded with the data trove.

WIRED conducted a verification of a sample of the data, confirming the authenticity of real-world names, phone numbers, email addresses, locations, and exam results. The intent behind the collection of such data remains unclear, with some records appearing to be tests or incomplete. The NTMC has not issued any comments in response to inquiries about the leak.

Security researcher Viktor Markopoulos from CloudDefense.AI was the one to uncover the unprotected database. He linked it back to the NTMC and discovered login pages for a national intelligence platform in Bangladesh. Markopoulos suspects a misconfiguration led to the exposure. Within the database, over 120 indexes of data were found, each storing different logs, including entries labeled “sat-phone,” “sms,” “birth registration,” and “Twitter.”

The majority of the exposed data consists of metadata, which reveals the “who, what, how, and when” of communications. While actual phone call audio was not disclosed, metadata could show calling patterns and contacts, which can be incredibly revealing.

Some of the logs, such as the “birth registration” index, contained detailed personal information including names in English and Bengali, birthdays, places of birth, and parents’ details. Another log, named “finance personal details,” included names, cell phone numbers, bank account details, and even account balances. National ID numbers and cell phone operators’ names were frequent in the data structures, along with lists of base transceiver stations and references to “cdr,” possibly indicating call detail records.

Jeremiah Fowler, a security consultant and co-founder of Security Discovery, reviewed the database and confirmed its connection to the NTMC. He highlighted the presence of IMEI numbers in the data, which could potentially be used to track or clone devices.

The NTMC has not acknowledged the leak, nor has it responded to WIRED’s questions regarding the purpose of the data collection and the extent of the information gathered. The Bangladesh government’s press office and the Bangladesh High Commission in London have also remained silent on the issue. Markopoulos reported the exposed data to Bangladesh’s Computer Incident Response Team (CIRT) on November 8, which acknowledged the report and thanked him for disclosing the “sensitive exposure.” The CIRT informed WIRED that they had notified the NTMC of the issue.

Before the publication of this article, the database was taken offline. However, Markopoulos noted that on November 12, the database was wiped clean, and a ransom note appeared, demanding 0.01 bitcoin (approximately $360) to prevent the public disclosure and deletion of the data. This type of ransom demand is not uncommon for exposed databases.

The NTMC, established in 2013 from a previous monitoring body, is described on its website as providing “lawful communication interception facilities” to other agencies in Bangladesh. Reports suggest that up to 30 agencies are linked to the NTMC through APIs, incorporating records from mobile operators, passport and immigration services, among others.

A telecoms expert with experience in Bangladesh, who chose to remain anonymous, alleged that the NTMC’s surveillance capabilities exceed those in many European countries, citing the absence of stringent data protection laws in Bangladesh.

The leak comes at a time when Bangladesh is experiencing political unrest, with the government cracking down on opposition ahead of the 2024 elections. A local researcher, who also requested anonymity, expressed concerns over increased surveillance and targeting of individuals in the lead-up to the elections.

This incident underscores the critical need for heightened awareness and education on digital rights and safety, especially for activists and those at risk of government surveillance. As the country grapples with fundamental rights issues, the protection of digital privacy remains a pressing concern.


Security

Millions of Medical Records Exposed in a Series of Data Breaches


In a disturbing revelation of privacy violations, Perry Johnson and Associates, a company providing transcription and dictation services to Northwell Health, has been the source of a significant data breach. The breach, which was first disclosed in a letter dated November 3, 2023, involved unauthorized access to files containing sensitive health information of patients, including the author of the letter. This breach is part of a larger pattern of cyberattacks targeting healthcare providers and their associates.

Personal Health Information Compromised

The compromised data includes a wide array of personal health information (PHI) such as names, birth dates, addresses, medical record numbers, and detailed medical conditions. The unauthorized party reportedly had access to the system between March and May of 2023, during which they engaged in a downloading spree of sensitive files. The breach affected almost 10 million people across multiple healthcare providers in various states.

Lack of Apology and Adequate Measures

The letter from Perry Johnson and Associates failed to include an apology but stated that the company takes the incident “very seriously” and promised to update their systems to prevent future breaches. This response raises questions about why more robust security measures were not in place beforehand.

In a similar incident, East River Medical Imaging informed patients of a breach between August 31 and September 20, where unauthorized access to documents could have exposed names, contact information, and even images from medical tests. Like Perry Johnson and Associates, East River Medical Imaging assured patients that they take privacy and security seriously but offered no concrete mitigation for the loss.

The Risks Beyond Financial

The theft of medical information carries risks that extend far beyond financial harm. According to Andrea Downing, co-founder of The Light Collective, a grassroots activist organization advocating for responsible medical data stewardship, “People can be targeted based on their health vulnerabilities and become easy fodder for medical fraud.” The medical information of nearly 10 million people would be a treasure trove for drug marketers, insurance companies, and manufacturers of illegitimate medical devices. Unlike financial information, medical history cannot be replaced or reset.

Regulatory Response and Penalties

The US Health and Human Services Office for Civil Rights is responsible for investigating incidents affecting more than 500 people. Currently, they are looking into more than 500 breaches reported last year. However, the penalties imposed on companies for such violations often amount to minimal fines, which are insignificant compared to the companies’ revenues and the potential damage caused by the breaches.

The Need for Stronger Laws and Community Approach

The article suggests that tougher laws are necessary to ensure that companies implement changes to protect sensitive data. Downing advocates for a community approach where patient representatives are involved in setting up the security infrastructure. The idea is that a collective effort might lead to more robust and effective data protection measures.

Who is Perry Johnson and Associates?

Perry Johnson and Associates, the company at the center of the breach, is part of a network of tech-related corporations founded by Michigan businessperson Perry Johnson. The current CEO, identified as Jeffrey Hubbard, describes himself as a “Chief Executive and Health Tech Care Innovator” on his LinkedIn profile. However, the company’s leadership has been circumspect about its operations, and inquiries about the breach have been met with limited responses.

A History of Data Security Negligence

The current situation echoes the author’s 2005 Newsweek story, “Grand Theft Identity,” which highlighted the cybersecurity problem that has only worsened over the years. Despite the transition to electronic medical records and assurances of enhanced security, the healthcare industry continues to grapple with significant data breaches.

In conclusion, the series of data breaches underscores the urgent need for improved cybersecurity measures in the healthcare industry. As millions of individuals face the consequences of exposed medical data, the call for stronger regulations and a community-based approach to data security becomes increasingly critical.


Privacy

23andMe Data Breach Exposes Millions of Users’ Genetic Information


23andMe, a leading genetic testing company, has been grappling with the aftermath of a data breach that was first reported in October. As the company continues to disclose more details, the situation has become increasingly complex, leaving users uncertain about the extent of the fallout.

In early October, 23andMe acknowledged that attackers had gained unauthorized access to some user accounts by exploiting the company’s DNA Relatives feature, an opt-in social sharing service. Initially, the extent of the breach was unclear, with the company not disclosing the number of affected users. However, it was later revealed that hackers were selling data on criminal forums, which appeared to originate from over a million 23andMe users.

A recent U.S. Securities and Exchange Commission (SEC) filing by the company clarified that the breach affected “a very small percentage (0.1 %) of user accounts,” which translates to approximately 14,000 of their more than 14 million customers. This number, however, did not account for the additional users whose data was scraped via the DNA Relatives feature.

On Monday, 23andMe confirmed to TechCrunch that the attackers had harvested the personal data of about 5.5 million individuals who had opted into DNA Relatives. An additional 1.4 million users had their Family Tree profile information accessed.

The compromised data included display names, most recent logins, relationship labels, predicted relationships, and percentage of DNA shared with DNA Relatives matches. For some users, the breach was more severe, with ancestry reports, chromosomal match details, self-reported locations, ancestor birth locations, family names, profile pictures, birth years, and links to self-created family trees also being exposed. The 1.4 million impacted DNA Relatives users had their Family Tree data specifically targeted, with display names, relationship labels, and in some cases, birth years and self-reported location data stolen.

Katie Watson, a spokesperson for 23andMe, explained that the company was “only elaborating on the information included in the SEC filing by providing more specific numbers.”

The company has attributed the account breaches to a technique known as credential stuffing, where attackers use leaked login credentials from other services that were reused on 23andMe. Following the incident, 23andMe enforced a password reset for all users and began requiring two-factor authentication. Other genetic services like Ancestry and MyHeritage have also started to promote or require two-factor authentication in the wake of 23andMe’s breach.
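Credential stuffing of the kind described above leaves a recognisable trace in authentication logs: a single source trying many distinct accounts in a short window, mostly failing, with the occasional success when a reused password hits. The following is an added example, not code from 23andMe or from the article, showing how a defender can flag that pattern and list the accounts whose logins succeeded from a flagged source, which are the ones a forced password reset and 2FA enrolment should reach first. The log line format, the sample lines, the thresholds and the IP addresses are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (format assumed for this example):
# "<ISO-8601 timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>"
# 203.0.113.7 cycles through many accounts in seconds (stuffing pattern);
# 198.51.100.20 is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 203.0.113.7 alice@example.com LOGIN_FAIL
2023-10-01T12:00:02Z 203.0.113.7 bob@example.com LOGIN_FAIL
2023-10-01T12:00:02Z 203.0.113.7 carol@example.com LOGIN_FAIL
2023-10-01T12:00:03Z 203.0.113.7 dave@example.com LOGIN_OK
2023-10-01T12:00:03Z 203.0.113.7 erin@example.com LOGIN_FAIL
2023-10-01T12:00:04Z 203.0.113.7 frank@example.com LOGIN_FAIL
2023-10-01T12:00:04Z 203.0.113.7 grace@example.com LOGIN_FAIL
2023-10-01T12:00:05Z 203.0.113.7 heidi@example.com LOGIN_OK
2023-10-01T12:00:05Z 203.0.113.7 ivan@example.com LOGIN_FAIL
2023-10-01T12:00:06Z 203.0.113.7 judy@example.com LOGIN_FAIL
2023-10-01T12:05:00Z 198.51.100.20 alice@example.com LOGIN_FAIL
2023-10-01T12:05:30Z 198.51.100.20 alice@example.com LOGIN_OK
2023-10-01T13:30:00Z 203.0.113.7 mallory@example.com LOGIN_FAIL
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, user, result == "LOGIN_OK"))
    return sorted(events)


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, min_fail_ratio=0.6):
    """Flag source IPs that, within any sliding window, attempt at least
    min_distinct_users different accounts with a failure ratio of at least
    min_fail_ratio. Returns {ip: {distinct_users, attempts, failures, compromised}}
    where 'compromised' lists accounts that logged in successfully from that IP
    inside a flagged window (candidates for forced reset and 2FA enrolment)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            failures = sum(1 for e in chunk if not e[3])
            if len(users) >= min_distinct_users and failures / len(chunk) >= min_fail_ratio:
                rec = alerts.setdefault(ip, {"users": set(), "attempts": 0,
                                             "failures": 0, "compromised": set()})
                rec["users"] |= users
                # Attempts/failures are taken from the widest tripping window seen.
                rec["attempts"] = max(rec["attempts"], len(chunk))
                rec["failures"] = max(rec["failures"], failures)
                rec["compromised"] |= {e[2] for e in chunk if e[3]}

    # Normalise sets into stable, serialisable values.
    return {
        ip: {"distinct_users": len(rec["users"]),
             "attempts": rec["attempts"],
             "failures": rec["failures"],
             "compromised": sorted(rec["compromised"])}
        for ip, rec in alerts.items()
    }


def accounts_to_reset(alerts):
    """Union of accounts that authenticated successfully from any flagged source."""
    return sorted({u for rec in alerts.values() for u in rec["compromised"]})


if __name__ == "__main__":
    found = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, rec in found.items():
        print(f"{ip}: {rec['distinct_users']} accounts tried, "
              f"{rec['failures']}/{rec['attempts']} failed, "
              f"successful logins: {rec['compromised']}")
    print("force reset + 2FA:", accounts_to_reset(found))
```

The failure-ratio threshold is what separates stuffing from a busy shared egress (a corporate NAT produces many distinct accounts but mostly successes); tune both thresholds against a baseline of your own traffic before alerting on them.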

Despite the company’s explanation, some users, including Rob Joyce, the U.S. National Security Agency cybersecurity director, have expressed skepticism. Joyce, who uses unique email addresses for each account, noted on his personal X (formerly Twitter) account that his 23andMe credentials were unique and could not have been exposed in another leak. He later revealed that his unique 23andMe email address was compromised in a separate MyHeritage data breach in 2018, which may have been linked to the 23andMe breach due to a past partnership between the two companies.

The incident highlights the risks associated with user data sharing between companies and features that promote social sharing, especially when the data is deeply personal and tied to one’s identity.

Brett Callow, a threat analyst at the security firm Emsisoft, commented on the need for better policies, stating, “We need standardized and uniform disclosure and reporting laws, prescribed language for those disclosures and reports, regulation and licensing of negotiators. Far too much happens in the shadows or is obfuscated by weasel words. It’s counterproductive and helps only the cybercriminals.”

In a separate development, 23andMe user Kendra Fee pointed out that the company is notifying customers about changes to its terms of service related to dispute resolutions and arbitration. The company claims the changes will facilitate a quicker resolution of disputes and streamline arbitration proceedings. Users have the option to opt-out of the new terms by notifying the company within 30 days of receiving notice of the change.


Copyright © 2024 The Data Alliance.