Cyber Security Headlines – September 3, 2021

WhatsApp faces $267M fine for breaching Europe’s GDPR

Facebook is feeling heat from Ireland’s Data Protection Commission (DPC), which announced Thursday, a €225 million (~$267 million) General Data Protection Regulation (GDPR) fine against its WhatsApp messaging app. The DPC, which has been investigating WhatsApp since 2018, concluded that WhatsApp failed to meet GDPR standards, and has given WhatsApp a three-month deadline to improve the level of transparency it offers users and non-users regarding its data handling practices. WhatsApp has characterized the penalties as “entirely disproportionate” and plans to appeal the decision.

(TechCrunch)

UK VoIP telcos disrupted by cyberattacks

Two UK VoIP operators had services disrupted this week by ongoing, aggressive DDoS attacks. Voip Unlimited confirmed it has been slapped with a “colossal ransom demand” after being hit by a sustained and large-scale DDoS attack it believes originated from the Russian cybercriminal gang REvil. It confirmed Thursday morning that “services are operational … however the attacks are still ongoing.” Separately, London-based Voipfone said it is still suffering outages on voice, inbound and outbound calls, and SMS services. Voipfone advised their customers that it had been hit by multiple DDoS attacks, the latter of which occurred over the Monday bank holiday. UK law enforcement agencies have been notified of the attack and the UK Comms Council has contacted other UK VoIP providers, reminding them to adopt “appropriate DDoS mitigation strategies.”

(The Register)

White House doubles down on warning about cyberattacks over the holidays

On Thursday, White House deputy national security adviser Anne Neuberger urged U.S. organizations to be on guard against malicious digital activity ahead of the Labor Day holiday. While the administration has no specific threat information or insights about possible cyberattacks, this year’s three biggest ransomware incidents against the Colonial Pipeline, meat processing giant JBS and software company Kaseya all occurred over weekends and major holidays. Neuberger encouraged corporate leadership teams, especially those of critical infrastructure operators, to take proactive steps to mitigate the risk, including applying software patches, forcing password rotation, enabling multi-factor authentication, reviewing response plans, and monitoring networks for unusual activity.

(The Record)

Autodesk admits breach as result of SolarWinds attack

In its filing of Form 10-Q for Q2 2021 with the American Stock Exchange Commission, Autodesk disclosed that it had identified a compromised server as a result of the SolarWinds Orion software supply chain breach. AutoDesk added that after discovering the compromise, they promptly took steps to contain and remediate the incidents and that they believe that no customer operations or Autodesk products were disrupted. However, AutoDesk’s mention of the breach in its latest quarterly results reminds the world just how far-reaching the SolarWinds supply chain compromise was, with victims now totaling roughly 18,000 customers.

(The Register)

Thanks to our episode sponsor, Semperis

One thing we’ve learned from attacks like SolarWinds: Cybercriminals can lurk in your Active Directory environment for weeks or months before dropping malware. How do you root them out? First, you need to uncover security gaps in Active Directory that can lead to a breach. Download Purple Knight, a free security assessment tool from Semperis that scans your environment for pre-attack and post-attack indicators of exposure and compromise. Check it out at Purple-Knight.com.

FTC bans SpyFone from surveillance business

The Federal Trade Commission (FTC) announced this week that it has banned stalkerware app maker SpyFone and its CEO, Scott Zuckerman, from the surveillance business alleging that the company harvested and shared user data without their knowledge. The FTC says a hidden hack was used to monitor people’s phone use, online activities, and physical movements and that the company sold, “real-time access to their secret surveillance, allowing stalkers and domestic abusers to stealthily track the potential targets of their violence.” The commission further noted that harvested information was not encrypted and the company did not ensure that only authorized users had access to it. The FTC ordered the company to erase all illegally harvested information, and to inform users that the application had been secretly installed on their devices.

(SecurityWeek)

SEC fines brokerage firms over hacked accounts

Earlier this week, the US Securities and Exchange Commission fined three brokerage firms, Cetera, Cambridge, and KMS, for failing to secure cloud-based employee email accounts, which led to the data exposure of more than a combined 11,000 customers. According to court documents, the three companies were hacked multiple times between 2017 and 2020, and then hid the intrusions, and failed to properly notify customers. It took Cambridge and KMS nearly two years to begin implementing appropriate security measures while Cetera used misleading language to customers to give the appearance that it had issued timely breach notification. The SEC said the three companies broke the Safeguards Rule, which requires companies to protect confidential customer information from hacks or accidental data leaks. Cetera, Cambridge and KMS have agreed to pay fines of $300,000, $250,000, and $200,000 respectively.

(The Record)

FBI warns of cyberattacks targeting food and agriculture

On Wednesday, the FBI’s Cyber Division issued a Private Industry Notification (PIN), that ransomware gangs are actively targeting and disrupting the operations within food and agriculture sectors, causing financial loss and directly affecting the food supply chain.  While recent media coverage around ransomware attacks has centered on incidents in local governments, healthcare, and education sectors, the FBI said ransomware groups have also hit companies in food and agriculture sighting a number of examples including an attack on a US farm back in January resulting in a whopping $9 million loss, another incident which crippled operations at a US beverage company in March, and in July, as part of the Kaseya incident, a US bakery was forced to halt production and shipping operations.

(Bleeping Computer and The Record)

Facebook announces new bug bounty guidelines

On Thursday, social media giant Facebook, announced new guidelines to help vulnerability hunters better understand its bounty payouts. Per the new guideline, Facebook will shell out a maximum of $10,000 for reports demonstrating the ability to obtain one or more contact points (i.e. phone number or email) from accounts that have privacy settings enabled. Facebook also awards up to $40,000 for bugs leading to complete account takeover. Facebook notes that payouts also factor in whether user interaction is required for the exploit, whether the attacker needs to be in a privileged position, and whether or not the attack applies to Workplace.

(SecurityWeek)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.