Robin’s Newsletter #220

4 September 2022. Volume 5, Issue 36
The US gov simultaneously using, and suing a provider of, commercial geolocation data. Uncovering Russian agents in hacktivist data breaches.
Join hundreds of subscribers who get this first, every Sunday.

This week

The US is grappling with the (mis)use of geolocation data

Various parts of the US government are waking up to the consequences of the widespread, uncontrolled use of geolocation data. Last week (vol. 5, iss. 35), the US Federal Trade Commission (FTC) released the results of an investigation showing that US mobile operators retain location data for an average of two years.

This week there are a couple of stories revolving around geolocation data, paired with advertising identifiers, harvested by many free apps.

“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder” — Samuel Levine, Director, FTC

  • The FTC has filed a lawsuit against Kochava, a data broker, for allegedly selling geolocation data that could reveal sensitive information about individuals. The suit claims the firm’s data can be used to track individuals to their home address and cites Kochava’s marketing information cyberscoop.com

… meanwhile, those same techniques are widely used within various US government agencies …

  • US law enforcement uses a tool costing as little as $7,500 to identify and track suspects’ movements. Warrants aren’t needed to use Fog Reveal, which generates patterns of life based on app advertising IDs @josephfcox, apnews.com

Interesting stats

97% of $1.3 billion in cryptocurrency stolen in Q1 2022 was from Decentralised Finance (DeFi) platforms, warns the FBI bleepingcomputer.com

75% increase in ransomware attacks targeting Linux systems, comparing H1 2022 with H1 2021, says Trend Micro zdnet.com

Other newsy bits

Mining open source intelligence from hacktivist breaches

The Belarusian Cyber Partisans are a hacktivist group opposing the authoritarian regime of Alexander Lukashenko. They’ve had remarkable success in accessing systems to reveal the identities of intelligence agents, compromising transport information systems, the whole country’s passport database and, notably, border crossing data. They’ve been sharing these datasets with investigative journalists and researchers, and some fascinating things are coming to light.

One is the identification and unmasking of Maria Adela Kuhfeldt Rivera (or rather Olga Kolobova), a jeweller and socialite who appears to have done an excellent job of befriending NATO officers based in Naples, Italy, eventually acting as secretary for their local Lions Club branch.

The crazy thing behind all of this, and her identification, is that — for all their clandestine prowess — it seems Russian military intelligence had, for years, simply issued sequential passport numbers to undercover agents. The passport for “Maria Adela” is in the same range as those used by “Ruslan Boshirov” and “Alexander Petrov”, the GRU agents implicated in the Novichok poisoning of Sergey and Yulia Skripal in Salisbury in 2018.

Data breaches like this present massive open source intelligence (OSINT) opportunities for researchers, investigative journalists and intelligence agencies.

The Cyber Partisans have also released a series of NFTs featuring Belarusian President Aleksandr Lukashenko and his associates to raise funds. The NFTs are mocked-up passports, with the photos showing the individual behind prison bars, using data obtained when the group stole the whole Belarusian passport database in 2021. OpenSea, a marketplace for selling NFTs and decentralised art, promptly took the listings down.

OSINT: @EliotHiggins, @christogrozev; NFTs: cyberscoop.com

Interesting thinking

  • Researchers from the universities of Cambridge, Strathclyde and Edinburgh have analysed attacks relating to the Russian invasion of Ukraine and concluded “that the widely-held narrative of a cyberwar fought by committed ‘hacktivists’ linked to cybercrime groups is misleading,” and “the cybercrime underground’s involvement in the conflict appears to have been minor and short-lived; it is unlikely to escalate further” arxiv.org (PDF)

  • Dan Carr on why the (re)insurance markets will need to embrace systemic risk in insurance:

“The embracing of systemic risk is not something that the insurance industry has, historically, naturally built its foundations on, or which is naturally familiar. However, what is clear is that the world has become - and will continue to be - more interconnected. Through travel, digital connectivity, and broad globalisation. Consequently, the notion of systemic risk and its associated challenges is not going to abate, and the (re)insurance market must meet it head on to retain relevance and value as an industry.”

linkedin.com

  • Brian Krebs on how time-based one-time passwords have ‘become a corporate liability,’ drawing on examples from the recent 0ktapus (vol. 5, iss. 33) phishing attacks, which also captured SMS one-time passwords used as multi-factor authentication. The article also includes this neat graphic from Wiz threat researcher Amitai Cohen:

A chart showing the relationships between different targets of the 0ktapus SMS phishing group (Source: @Amitaico)

krebsonsecurity.com

In brief

Attacks, incidents & breaches

  • Officials in Montenegro have blamed a “persistent and ongoing cyberattack” on Russia as the country tries to recover from incidents affecting transportation, electricity and water systems and government information portals. Staff from France’s National Agency for the Security of Information Systems (ANSSI) are aiding the response therecord.media
  • An unnamed Chilean government agency is also struggling with a ransomware attack therecord.media
  • China-scale: 800 million face prints and licence plate images were exposed for months, presumably accidentally, before being quietly secured following an approach from journalists at TechCrunch techcrunch.com
  • Business email compromise attack against the government of Lexington, Kentucky, sees cybercriminals make off with $4 million over three transactions therecord.media
  • Ragnar Locker ransomware group claims to have breached the Portuguese flag-carrier airline, TAP Air Portugal bleepingcomputer.com
  • The US Internal Revenue Service (IRS) accidentally leaked information on 120,000 taxpayers who completed 990-T forms used to report ‘unrelated business income’ bleepingcomputer.com

Finally…

Threat intel

  • Back online following a DDoS attack against its infrastructure, the LockBit ransomware group is ‘most likely to move into “triple extortion” attacks combining encryption, data leak and DDoS,’ according to a post on a cybercrime forum bleepingcomputer.com
  • Chinese spies-gonna-spy: the Red Ladon campaign uncovered by Proofpoint and PwC targets those with interests in the South China Sea, posing as ‘Australia Morning News’ proofpoint.com
  • Big uptick in phishing campaigns promising blue ticks on Instagram bleepingcomputer.com

Vulnerabilities

  • Atlassian Bitbucket vulnerability CVE-2022-36804, rated 9.9/10.0: “An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request” theregister.com

Cyber defence

  • Interesting thread on the ins and outs of SPF (Sender Policy Framework) and things to watch out for when securing your organisation’s email @jschauma
  • Behind the scenes changes hint at Apple having overhauled built-in antivirus protections: XProtect is now “as active as many commercial anti-malware products” arstechnica.com
  • PSA: Reminder that Microsoft is disabling basic auth for Exchange Online starting next month bleepingcomputer.com

Security engineering

  • Google has announced a bug bounty programme for vulnerabilities in its open source software and the third-party upstream packages it depends on therecord.media
  • Microsoft researchers found a way to hijack TikTok accounts using a single link that bypassed the app’s deep link verification arstechnica.com
  • Symantec has found over a thousand iOS apps containing hardcoded AWS credentials that allowed access to cloud instances and databases bleepingcomputer.com
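The hardcoded-credentials finding above is the kind of thing a release pipeline can catch before an app ships. The scanner below is an added example written for this newsletter, not Symantec’s tooling or code from any of the apps they examined. It runs over a list of strings such as you would get by extracting printable strings from an app binary or its bundled config files (the sample lines are constructed here; the key values are the placeholder credentials AWS uses in its own documentation). Access key IDs have a fixed, recognisable prefix, so they are matched directly; the secret key pattern is deliberately loose and is gated by a Shannon entropy check so that ordinary 40-character identifiers are not reported.

```python
import math
import re
from typing import Iterable

# Long-term (AKIA) and temporary (ASIA) access key IDs: prefix + 16 upper-case
# alphanumerics. The secret-key pattern is any 40-character run of the
# character set AWS uses; on its own that over-matches, so it is gated by
# an entropy threshold below.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")

# Constructed sample: what `strings` on an app bundle might emit. The two key
# values are the well-known example credentials from AWS's documentation,
# not real secrets.
SAMPLE_STRINGS = [
    "/System/Library/Frameworks/UIKit.framework/UIKit",
    "AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE",
    "AWSSecretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD",  # 40 chars, but low entropy
    "https://s3.amazonaws.com/example-bucket/",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character. Random 40-char secrets score well
    above 4.0; repetitive identifiers and padding strings score far lower."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_strings(lines: Iterable[str], min_entropy: float = 4.0) -> list[dict]:
    """Return one finding per suspected AWS credential, with its line number.

    A key ID on its own grants nothing, but its presence is a strong signal
    that the matching secret is embedded nearby, so both are reported."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(
                {"line": lineno, "kind": "aws_access_key_id", "value": m.group(0)}
            )
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(0)
            if shannon_entropy(candidate) >= min_entropy:
                findings.append(
                    {
                        "line": lineno,
                        "kind": "aws_secret_access_key_candidate",
                        "value": candidate,
                    }
                )
    return findings


if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        # Never log the full secret; show enough to locate it in the bundle.
        print(f"line {f['line']}: {f['kind']} ({f['value'][:4]}...)")
```

Run against the constructed sample it reports the key ID on line 2 and the secret on line 3, and ignores the low-entropy 40-character string on line 4. The entropy threshold is the knob to tune: raise it if a code base has many base64 blobs, lower it if you are willing to triage more candidates. Even with this check, any hit should be rotated rather than merely removed from the next build, since a credential that shipped in a public app has to be assumed copied.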

Privacy

  • Facebook is to settle a case brought over alleged harms revealed by the Cambridge Analytica scandal ahead of depositions of Mark Zuckerberg, former COO Sheryl Sandberg and Chief Growth Officer Javier Olivan, scheduled to begin later this month arstechnica.com

Regulatory

  • New regulations for UK telcos, derived from November 2021’s Telecommunications (Security) Act, were announced this week. The rules focus on who infrastructure and services can be procured from, monitoring activity and access, and the handling of breaches, with transgressions costing up to £100,000 ($117K) per day or 10% of annual revenues techcrunch.com

Law enforcement

  • Three former National Security Agency employees have been ‘debarred’ for International Traffic in Arms Regulations (ITAR) violations while helping the United Arab Emirates develop surveillance capabilities cyberscoop.com

Mergers, acquisitions and investments

  • The UK Competition and Markets Authority (CMA) has cleared the $8.1 billion merger (vol. 4, iss. 33) between NortonLifeLock and Avast techcrunch.com

And finally

Ride-sharing app hacked, causing Moscow traffic jam

Hats off to the imagination behind this compromise: pro-Ukrainian hacktivists breached the Russian ride-hailing app Yandex Taxi. They directed all available cabs to pickups at the same address in the centre of Moscow. A video posted to Twitter shows dozens and dozens of cabs causing gridlock.

newsweek.com, @visegrad24

Robin
