Cyber Security Headlines – January 5, 2022

FTC warns of potential penalties for failing to fix Log4j flaws

On Tuesday, the Federal Trade Commission warned companies of possible legal repercussions for failing to remedy recently discovered Log4j open-source software vulnerabilities. As a cautionary tale, the FTC’s notice cites the agency’s $700 million settlement with Equifax in 2019 after the company was breached, exposing personal data of 147 million customers resulting from failure to patch a known flaw. The agency noted, “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.” 

(CyberScoop)

UScellular discloses data breach after billing system hack

Wireless carrier UScellular has disclosed its second data breach of 2021 after the company’s billing system was hacked in December 2021. The mobile carrier sent data breach notifications to 405 impacted individuals and has indicated that threat actors gained access to customer accounts, including name, address, PIN code, phone numbers and plan information. UScellular clarified that Social Security numbers and credit card information are masked within the CRM system. UScellular has reset security questions, answers, and PINs linked to affected accounts, and impacted customers are advised to be on the lookout for targeted phishing scams.

(Bleeping Computer)

SlimPay fined for exposing data of 12 million customers for 5 years

Paris-based payment services company SlimPay has been fined €180,000 by the French data protection regulator CNIL for several GDPR violations after exposing sensitive data of 12 million customers. SlimPay provides API and processing services to merchant clients including Unicef, BP, and OVO Energy. In 2015, SlimPay appears to have used actual customer data to test an anti-fraud mechanism as part of an internal research project. Although the research project ended in July 2016, SlimPay left the data, including contact details and banking information, on a server that was freely accessible from the public internet. The company was apparently unaware of this until February 2020, when it was tipped off by a customer, after which SlimPay appears to have immediately secured the data.

(The Register)

McMenamins breach affected 23 years of employee data

McMenamins, an Oregon-based operator of restaurants, hotels, movie theaters, and concert venues, has confirmed a December 2021 ransomware attack that compromised employee data dating back to January 1998. The trove of potentially stolen data included SSNs, names, contact info, birthdates, demographic and disability status, medical notes, performance notes, health insurance info, income, and retirement plan balances. McMenamins is offering past and current employees identity and credit protection services and has set up a call center to answer questions about the incident.

(Dark Reading)

Thanks to our episode sponsor, deepwatch

Increasing ransomware attacks and their evolving sophistication have been putting more pressure on security teams than ever before. Luckily, managed detection and response (or MDR) has emerged as a critical component for improving security operations, reducing ransomware risk, and minimizing the overall impact an attack can have. Visit deepwatch.com to see how we help to prevent breaches for our customers, by working together.

Data skimmer infects Sotheby’s real-estate websites

According to Palo Alto Networks’ Unit 42 division, at least 100 Sotheby’s real-estate websites have been infected by a supply-chain style JavaScript data skimmer distributed via a cloud-video platform. The code harvests information that victims enter into contact pages requesting a home showing, including names, emails and phone numbers. Researchers highlight that the skimmer is “highly polymorphic, elusive and continuously evolving,” making it difficult to defend against using techniques such as blocking domain names or URLs. A sample of active affected sites makes heavy use of the Brightcove video player, though researchers have not confirmed the affected service. Researchers recommend that website administrators conduct regular web content integrity checks to help defend against such attacks.

(Threatpost and Bleeping Computer)
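The “web content integrity checks” the researchers recommend can be as simple as hashing every script a site serves and diffing against a reviewed baseline. The following is an added example, not code from Unit 42 or the article; the script URLs and bodies are constructed, and the Subresource Integrity helper is one additional approach the article does not name.

```python
import base64
import hashlib

# Constructed sample data (not from the article): the site's approved script
# URLs with their known-good bodies, and what a later crawl observed.
KNOWN_GOOD = {
    "https://shop.example/js/player.js": b"console.log('player ok');",
    "https://shop.example/js/contact-form.js": b"console.log('form ok');",
}
OBSERVED = {
    "https://shop.example/js/player.js": b"console.log('player ok');",
    # same script, but with bytes appended after the approved body
    "https://shop.example/js/contact-form.js": b"console.log('form ok');/*+*/",
    # a script the baseline never approved
    "https://shop.example/js/extra.js": b"console.log('new');",
}


def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def build_baseline(contents: dict) -> dict:
    """Record a hash for each approved script; rebuild only after a reviewed deploy."""
    return {url: sha256_hex(body) for url, body in contents.items()}


def check_integrity(baseline: dict, observed: dict) -> list:
    """Compare a fresh crawl against the baseline. Returns sorted (status, url)
    findings; an empty list means every approved script is unchanged and no
    unapproved script appeared."""
    findings = []
    for url, body in observed.items():
        if url not in baseline:
            findings.append(("unexpected", url))
        elif sha256_hex(body) != baseline[url]:
            findings.append(("modified", url))
    findings.extend(("missing", url) for url in baseline if url not in observed)
    return sorted(findings)


def sri_attribute(body: bytes) -> str:
    """Subresource Integrity value for a <script integrity="..."> tag, so the
    browser itself refuses a script whose bytes no longer match. Only usable
    for scripts with fixed content; a third-party player that updates itself
    needs the server-side baseline check above instead."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()
```

Run the check from a scheduled job against each page's script URLs and alert on any non-empty result; polymorphic skimmers change their payload, but a changed hash on a script that should not change is exactly the signal that survives that.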

Fake Telegram app using Purple Fox to hack into computers

According to new research from Minerva Labs, trojanized installers of the Telegram messaging application are being used to distribute the Windows-based Purple Fox backdoor on compromised systems. Purple Fox is a difficult-to-detect rootkit that uses a worm-like propagation feature to spread more rapidly. The researchers note that threat actors are breaking the attack up into several small files, most of which have low detection rates by antivirus scanners. Trend Micro shed light on the later stages of the Purple Fox infection chain, which targets SQL databases for illicit cryptocurrency mining.

(The Hacker News)

SEGA’s sloppy security exposes AWS S3 bucket

During a recent cloud security audit, gaming giant SEGA Europe discovered that its sensitive data was being stored in an unsecured Amazon Web Services (AWS) S3 bucket. The laundry list of SEGA’s potentially exposed data includes keys to the company’s MailChimp and Steam APIs, access to the Simple Notification Service (SNS) used by its IT team to communicate, multiple sets of SEGA Europe’s AWS keys, and data of hundreds of thousands of users. Researcher Aaron Phillips of VPN Overview indicated that so far there is no indication the exposed data and services have been accessed by unauthorized individuals. Phillips added, “This cybersecurity report should serve as a wake-up call for businesses to assess their cloud security practices.”

(Threatpost)

DatPiff data breach exposes passwords of millions of customers

The popular mixtape hosting service DatPiff has fallen victim to threat actors selling the cracked passwords of nearly 7.5 million of its members online. DatPiff hashed the passwords in its database with the now obsolete and insecure MD5 algorithm, which can be cracked by comparing hashes to known MD5 wordlists or by using cracking tools. It is unclear when the data breach occurred, but DatPiff’s database was first sold privately and then publicly on hacking forums in July 2020. Users can check whether they are part of the data breach through the Have I Been Pwned notification service.

(Bleeping Computer)
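Why an unsalted MD5 database falls to a wordlist comparison, and what the fix looks like, as an added example that is not from the article or from DatPiff; the users, passwords and wordlist are constructed, and scrypt is used as the replacement because it is in the Python standard library (bcrypt or Argon2 serve the same purpose).

```python
import hashlib
import hmac
import os

# Constructed sample: unsalted MD5 hashes as a breached table would store them.
LEAKED_MD5 = {
    "user1": hashlib.md5(b"password123").hexdigest(),
    "user2": hashlib.md5(b"letmein").hexdigest(),
    "user3": hashlib.md5(b"xK9#v!2qLp-Tz").hexdigest(),  # not in any wordlist
}
# Constructed stand-in for the public MD5 wordlists the article mentions.
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty"]


def md5_lookup_table(words):
    """One digest per word. With no salt the same table works against every
    user in every breach, which is why unsalted MD5 is effectively plaintext."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def recover_unsalted(leaked, words):
    """Map each user whose MD5 hash appears in the table back to the word."""
    table = md5_lookup_table(words)
    return {user: table[h] for user, h in leaked.items() if h in table}


SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # ~16 MiB per guess


def hash_password(password, salt=None):
    """Salted, memory-hard scrypt hash stored as 'salt_hex$digest_hex'.
    A fresh random salt per user means no precomputed table applies."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time compare
```

Migrating an existing MD5 table does not require a password reset: wrap each stored MD5 value with scrypt now and re-hash the plaintext properly the next time each user logs in successfully.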

Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.