Cyber Security Headlines – January 22, 2021

Technologists comb through Parler videos with facial recognition

Faces are being recognized in archived Parler videos. One technologist claims to have distinguished about 40,000 faces spotted in 900 videos. They’ve put together a collection of unique identifiers for what the system interprets as a particular individual, which video from the Capitol riot they appeared in, timestamps, and the location where the video was taken. Their data set doesn’t attempt to match individuals to their identities. That’s good, given how error-prone facial recognition technology is. For example, one glitch involved supposedly recognizing Andrew Cuomo’s face—from a t-shirt. The technologist has shared their findings with the FBI.

(Vice)

EU privacy watchdogs go after employers who spy on workers

Worker surveillance is reportedly spiking in the US and Europe, as employers try to monitor remote workers during the pandemic. European privacy regulators are investigating employers’ collection of employees’ personal data, including health and religion details—data collection that’s against EU privacy law. The latest company to be targeted is a German electronics retailer, notebooksbilliger.de, that sells laptops, phones and other electronics. A data protection regulator in Lower Saxony said this month that the retailer was fined 10.4 million euros, or about $12.6 million, for using video surveillance cameras to monitor employees.

(Wall Street Journal)

Google investigates top AI ethicist’s exfiltration of thousands of files

Google has locked the email account of Margaret Mitchell, who helps lead its ethical AI team. Google says it was automatic: its security systems detected exfiltration of thousands of files from Mitchell’s account and sharing of files with multiple external accounts. Some context: on Tuesday, Mitchell tweeted criticism of Google CEO Sundar Pichai’s planned meeting with historically Black college and university leaders, suggesting other ways to undo what she called “a problem with consistently alienating Black women” and causing “serious damage in their lives.”

(Axios)

Microsoft: How SolarWinds hackers hid their tracks for so long

Microsoft security researchers have outlined the specific OpSec techniques and anti-forensic tricks the SolarWinds attackers used to remain undetected for so long. They’d been trying to figure out how the DLL of the Solorigate backdoor malware, launched in February 2020, handed over control to the Cobalt Strike loader. Given the attack timeline and the fact that the backdoor was designed to stay dormant for at least two weeks, Microsoft figures that the attackers spent a month or so cherry-picking victims and preparing unique Cobalt Strike implants as well as command-and-control (C2) infrastructure. Hands-on-keyboard activity likely started as early as May, Microsoft has determined.

(Microsoft Security Blog, ZDNet)

Thanks to our episode sponsor Armis

Are you spending a lot of time and manual effort trying to identify every asset you have in your environment? Can’t determine whether those assets are secure, and whether they adhere to or deviate from your security policies? See how Armis Asset Management delivers 5X more visibility over other solutions to give you complete confidence that you are safe and secure.

Sloppy phishing scam exposes thousands of stolen passwords

In August, phishers targeted thousands of global organizations with emails purporting to be Xerox scan notifications, prompting recipients to open a malicious HTML attachment. A simple scam, but one that bypassed Microsoft Office 365 Advanced Threat Protection (ATP) filtering and stole over a thousand employees’ credentials. But the crooks screwed up with a simple mistake: they exposed the stolen credentials to the public Internet, across what Check Point says are dozens of servers used by the attackers. “With a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses: a gift to every opportunistic attacker,” Check Point says.

(Check Point, ZDNet)

Parler’s new, Russian-provided Internet space about to be yanked

Apple and Google kicked Parler out of their stores. Amazon turned off the hosting tap. Eventually, following the Capitol riot, the social network found a new home on DDoS-Guard, a Russian digital infrastructure company. But Parler isn’t in the clear yet: DDoS-Guard is on the brink of losing more than two-thirds of the Internet address space it leases to clients — including to Parler — thanks to the efforts of researcher Ron Guilmette. The researcher’s personal mission is apparently to de-platform conspiracy theorist and far-right groups. His modus operandi included filing a complaint about DDoS-Guard having incorporated in Belize on paper only, with no actual employees in the country.

(Krebs On Security)

UK gives malware-infected laptops to disadvantaged students

The UK government has sent more than 800,000 laptops to schools to help disadvantaged students do their schoolwork during lockdown. But a handful of them are infected with malware and have apparently been phoning home to Russian servers. According to an online teachers’ forum, the Windows laptops contained Gamarue.I, a self-propagating network worm identified by Microsoft in 2012 that installs spyware that can snoop on browsing habits and harvest personal information. The Education Department says it’s “urgently” investigating. One open question: why the devices weren’t checked and scrubbed before being sent to children.

(BBC)

Belgian hospital hit with Windows BitLocker ransomware attack

CHwapi hospital in Belgium was attacked on Sunday by threat actors who claim to have encrypted 40 servers and 100 TB of data using Windows BitLocker. As of Thursday, the hospital said that it had resumed surgeries scheduled for Wednesday, that patient data hadn’t been compromised, and that COVID vaccines are still being given, but that urgent cases are being sent to other hospitals. Local media said that CHwapi didn’t receive a ransom note, but threat actors claiming responsibility contacted Bleeping Computer and said that they had indeed left ransom notes, named ransom.txt, on the domain controllers and backup servers.

(Chwapi, Bleeping Computer)