Overview of security incidents for the period July 27 to August 2, 2020
How Twitter was hacked, how Garmin restored its services, how the databases of almost two dozen companies were made public, and other events in the world of information security over the past week: read on for our review.
One of the most high-profile events of the past week was the arrest of the hackers behind the Twitter compromise. On Friday, July 31, US authorities charged the alleged organizer of the attack, 17-year-old Graham Ivan Clark, and two accomplices: 22-year-old Nima Fazeli and 19-year-old UK resident Mason Sheppard. The published court documents made it possible to piece together a fairly complete picture of the intrusion and the subsequent investigation.
It is fair to say that the past week was dominated by ransomware. Ransomware operators appear to be doing quite well, collecting millions of dollars in ransoms from their victims. Garmin, for example, reportedly paid up to $10 million for the decryption key it needed to restore its networks.
Garmin was followed by the American business travel management company Carlson Wagonlit Travel (CWT), which also fell victim to ransomware. Its management apparently decided to take the path of least resistance and pay the extortionists: according to some reports, CWT paid $4.5 million for the file decryption tool.
When a victim does not pay the ransom, some ransomware operators monetize the stolen data by publishing it or putting it up for sale. Last week, for example, the operators of the Nefilim ransomware published unencrypted files stolen from Dresdner Kühlanlagenbau GmbH, a subsidiary of the Dussmann Group. According to the attackers, they encrypted four of the company's domains and stole about 200 GB of data.
It is no surprise that more and more threat actors are turning to extortion as a source of income. The well-known North Korean APT group Lazarus, for example, has developed its own ransomware, VHD, for attacks on enterprises. According to Kaspersky Lab researchers, VHD samples were first discovered between March and May 2020 during the investigation of two security incidents.
Operation North Star, a campaign targeting the US defense and aerospace industries, was also attributed to Lazarus last week. Unlike the VHD attacks, this operation saw the group engaged in a more familiar activity: cyber espionage.
The past week also brought reports of attacks on US infrastructure by another APT group, APT28, also known as Fancy Bear. According to an FBI notification sent to victims of the malware campaign in May of this year, the APT28 campaign ran from December 2018 until at least May 2020.
The Chinese hacking group RedDelta broke into Vatican computer networks ahead of negotiations with Beijing. The series of cyberattacks began in May of this year and also targeted the Holy See's Study Mission to China and the Pontifical Institute for Foreign Missions (PIME).
A group of Iranian hackers calling themselves Cyber Avengers claimed responsibility, in a statement posted to their Telegram channel, for attacks on Israel's railway system. The group published a map of the Israeli rail network marking the stations at which the attack was allegedly aimed. A Cyber Avengers spokesperson said the group attacked servers serving 28 train stations in Israel between July 14 and 24, including Jerusalem, Tel Aviv University and Ben Gurion Airport.
On Wednesday, July 29, in a webinar, Kaspersky Lab researchers described a previously unknown hacker-for-hire group that offers its services for money. Although the group, codenamed Deceptikons, has only now been discovered, it has been in business for nearly a decade.
The past week was extremely busy in terms of data breaches. A cybercriminal, or group of cybercriminals, known as ShinyHunters has been flooding hacker forums with free databases. Starting on July 21 of this year, ShinyHunters began publishing databases on one of the darknet trading platforms: in total, more than 386 million records stolen from 18 companies. Once the leaks became public, the affected companies began sending their users the appropriate notifications.
First American Title Insurance became the first company charged by the New York Department of Financial Services (DFS) with violating the state's cybersecurity regulation. According to the financial regulator, First American Title Insurance was careless in protecting its data and as a result violated state rules on the protection of non-public information. In April 2018, the insurer's systems held about 753 million documents, 65 million of which were marked as confidential; by May 2019 the figure had grown to 850 million. Because of a security vulnerability, this information had been publicly accessible on the Web for four years.
Ledger, the maker of hardware wallets for storing cryptocurrency, reported on its official website a leak of the data of about a million users. The exposed data includes customer names, email and postal addresses, phone numbers and product information. Other sensitive information, such as payment details, bank card details and cryptocurrency accounts, was not affected, Ledger said. According to the company, the attackers gained access to the database on June 25 by means of a misconfigured API key.
The administrators of Promo.com, an Israeli service for creating promotional videos, reported a data breach affecting 22 million of its customers. The user database was posted for free download on a cybercriminal forum by a well-known data seller. It contained usernames, email addresses, gender and location data, and, for 2.6 million users, password hashes.