McGraw Hill exposed student grades and personal info
Misconfigured Amazon Web Services S3 buckets belonging to McGraw Hill exposed more than 100,000 students’ information. Roughly 22 TB of data was exposed and included names, email addresses, grades and course materials for students at various US and Canadian universities. The education publishing giant also exposed its own source code and digital keys. Researchers at vpnMentor discovered the issue on June 12 and say the misconfigured buckets could have been accessed by anyone with a web browser as far back as 2015. McGraw Hill removed the sensitive files from the public buckets on July 20.
UK privacy regulator names and shames breached firms
The UK Information Commissioner’s Office (ICO) has taken the unusual step of publishing details of personal data breaches, complaints and civil investigations on its website. The ICO published data from Q4 2021 onwards, including each breached organization’s name and sector, breach details, the relevant legislation, and the outcome. This may not come as a surprise, since ICO fines tripled this year compared to the prior 12 months. However, experts are surprised at the lack of fanfare around the ICO’s aggressive move, and also that the data is buried within the ICO’s website.
Twitter aided the Pentagon in covert online propaganda campaign
For years, Twitter executives claimed that the company makes concerted efforts to detect and thwart government-backed covert propaganda campaigns on its platform. However, emails between Twitter and the Defense Department from as far back as 2017 show that Twitter worked with the government to safelist a network of the military’s social media accounts and online personas. The Pentagon has used the accounts to generate news and memes in an effort to shape opinion in Yemen, Syria, Iraq, Kuwait, and other countries. Though Twitter has since publicly opposed such platform manipulation tactics, the accounts were not shut down for years, and some still remain active.
Ukraine’s military intel system targeted by attacks
Over the weekend, Ukrainian cyber officials warned that threat actors are using a compromised Ministry of Defense email account in attempts to compromise the military’s situational awareness system, known as Delta. Delta contains intelligence about Ukraine’s enemies as well as information related to the coordination of defensive forces. Attackers are sending phishing emails that urge recipients to ‘update’ Delta in order to keep using it securely. Malicious PDF and ZIP attachments masquerade as the security updates but launch malware designed to steal files and exfiltrate them via FTP.
And now a word from our sponsor, Tines
Tech giants lose faith in Internet gatekeeper
Microsoft, Mozilla, and now Google are dropping support for TrustCor Systems, a root certificate authority based in Panama. Major web browsers and operating systems use a list of trusted certificate authorities to validate TLS certs on websites and then establish secure connections. TrustCor Systems recently came under fire for its alleged ties to an organization that distributed a spyware SDK to US intelligence agencies. That, in addition to TrustCor’s lackluster responses to security researchers, has caused the collapse in trust, even though no specific wrongdoing has been proven. Chrome version 111 will no longer trust certificates issued by TrustCor with Android expected to follow suit in the near future.
Russian hackers accessed JFK airport taxi software
Two Queens men, Daniel Abayev and Peter Leyman, have been arrested and are facing up to 10 years in prison on charges that they conspired with Russian hackers to tamper with JFK airport’s taxi queuing software. The pair used malware and other methods to enable taxi drivers to pay a $10 bribe in exchange for moving ahead in the taxi queue, which is monitored by New York’s Port Authority. Drivers could also have their fees waived if they referred others to the scheme. Starting back in September 2019, as many as 1,000 “fraudulently expedited trips” were orchestrated daily, with $100,000 in proceeds wired to Russian co-conspirators.
New attack vector discovered in Amazon Web Services
Researchers from Mitiga have uncovered a new attack vector in Amazon Web Services’ (AWS) ‘Elastic IP transfer’ feature in Virtual Private Cloud. The feature, announced back in October, makes it much easier to transfer Elastic IP addresses from one AWS account to another. The researchers point out that threat actors would first need to compromise at least two APIs to exploit Elastic IP transfer. They indicate that organizations can mitigate the threat by using AWS ‘service control policies’, implementing automated detection and response for the relevant API calls, using bring your own IP (BYOIP), and adding reverse DNS protections.
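As an added illustration of the two mitigations named above (it is not Mitiga’s or AWS’ code), the block below sketches a service control policy that denies Elastic IP transfer actions and a small detector that flags transfer-enabling API calls whose destination account is not on an allow list. The CloudTrail events and account IDs are constructed placeholders, and the camelCase field names and the `ec2:EnableAddressTransfer` / `ec2:AcceptAddressTransfer` action names are assumptions about how the feature’s API appears in IAM and CloudTrail.

```python
from fnmatch import fnmatch

# Constructed CloudTrail-style records (not real logs). Field names assume
# CloudTrail's usual camelCase rendering of the Elastic IP transfer API parameters.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "EnableAddressTransfer",
     "recipientAccountId": "111111111111",
     "requestParameters": {"allocationId": "eipalloc-0abc", "transferAccountId": "222222222222"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "EnableAddressTransfer",
     "recipientAccountId": "111111111111",
     "requestParameters": {"allocationId": "eipalloc-0def", "transferAccountId": "999999999999"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeAddresses",
     "recipientAccountId": "111111111111", "requestParameters": {}},
]

# Placeholder: accounts that are legitimately allowed to receive this org's Elastic IPs.
ALLOWED_TRANSFER_ACCOUNTS = {"222222222222"}


def find_suspicious_transfers(events, allowed_accounts):
    """Return (eventName, allocationId, targetAccount) for every EnableAddressTransfer
    call whose destination account is not on the allow list."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        if ev.get("eventName") != "EnableAddressTransfer":
            continue
        params = ev.get("requestParameters") or {}
        target = params.get("transferAccountId")
        if target not in allowed_accounts:
            hits.append((ev["eventName"], params.get("allocationId"), target))
    return hits


# SCP fragment that blocks both sides of a transfer in any account it is attached to.
# Action names are assumed to mirror the EC2 API operation names.
DENY_EIP_TRANSFER_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["ec2:EnableAddressTransfer", "ec2:AcceptAddressTransfer"],
        "Resource": "*",
    }],
}


def scp_denies(scp, action):
    """True if any Deny statement in the SCP matches the IAM action ('*' wildcards allowed)."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(fnmatch(action, pattern) for pattern in actions):
            return True
    return False
```

In a real deployment the allow list would be empty for most organizations, so any EnableAddressTransfer call at all is worth an alert.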
Raspberry Robin worm drops fake malware to confuse researchers
Researchers at Trend Micro discovered Raspberry Robin using trickery in recent attacks against telco providers and government systems. Raspberry Robin is a worm-like malware dropper that typically reaches target systems via malicious USB drives. The malware leverages heavy obfuscation to hide its code from antivirus programs and security researchers. To make analysis even harder, Raspberry Robin is now equipped with two different payloads. If the malware detects that it is running inside a sandbox, indicating it is likely being analyzed, the loader drops a fake payload. Otherwise, it launches the actual Raspberry Robin malware.