Cyber Security Headlines – September 8, 2021

Ransomware gang threatens to leak data if victim contacts FBI, police

In an announcement published on Ragnar Locker’s darknet leak site this week, the group is threatening to publish full data of victims who seek the help of law enforcement and investigative agencies following a ransomware attack, or who contact data recovery experts to attempt decryption or to conduct the negotiation process. This announcement puts additional strain on victims, considering that governments worldwide have strongly advised against paying ransoms, but have suggested turning to law enforcement instead.

(Bleeping Computer)

Personal details of French visa applicants exposed by cyber-attack

A cyber-attack has compromised the data of around 8,700 people applying for French visas via the France-Visas website. The French Ministry of Foreign Affairs and the Ministry of the Interior announced on Friday that the cyber-attack targeted a section of the site, which receives around 1.5 million applications per month. In a statement, the ministries claimed that the attack had “been quickly neutralized,” but personal details — including names, passport and identity card numbers, nationalities and dates of birth — had been leaked. No ‘sensitive’ data (as defined by the GDPR) was compromised, said the government ministries.

(Info Security Magazine)

Brazil President Bolsonaro restricts powers of social media companies to remove accounts and content

Mr. Bolsonaro said a change of regulations was needed to combat the “arbitrary removal” of profiles, and protect freedom of speech. Throughout the coronavirus pandemic, Twitter and Facebook removed many posts shared by the president and his supporters that were deemed misleading. Details of the new decree released so far simply state that tech giants will have to provide “just cause and motivation” before removing an account or content. It is unclear, however, exactly how the order will be enforced.

(BBC News)

Atlassian Confluence flaw delivers glancing blow to Jenkins 

The maintainers of Jenkins, a popular open-source automation server, have disclosed a security breach after unidentified threat actors gained access to one of their servers by exploiting a recently disclosed vulnerability in Atlassian Confluence and installed a cryptocurrency miner. The “successful attack,” believed to have occurred last week, was mounted against the project’s Confluence service, which had been deprecated since October 2019. In response, the team took the server offline, rotated privileged credentials, and reset passwords for developer accounts. “At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected,” the project said in a statement published over the weekend.

(The Hacker News)

Thanks to our episode sponsor, Semperis

It’s no secret that Active Directory is a prime target for cybercriminals: AD is more than 20 years old, and security settings can get sloppy over time. If you haven’t checked your Active Directory environment for risky settings, you might be in for a surprise. To find and fix security gaps, download Purple Knight, a free security assessment tool from Semperis that checks for 70-plus indicators of exposure and compromise. Go to Purple-Knight.com.

REvil ransomware’s servers mysteriously come back online

The Tor payment/negotiation site and the ‘Happy Blog’ data leak site suddenly came back online yesterday, although it is unclear whether REvil is back in business, or if the servers are being turned on by law enforcement. On July 2nd, the gang used a zero-day vulnerability in the Kaseya VSA remote management software to encrypt approximately 60 managed service providers (MSPs) and over 1,500 of their business customers. After the attack, the gang faced increasing pressure from law enforcement and the White House, and shut down, leaving victims unable to negotiate or restore files.

(Bleeping Computer)

Guntrader breach reformatted as Google Earth file to thwart fox hunting

A person or people going by the name Ernie Goldman recently took a hacked database belonging to UK firearms retailer Guntrader and reformatted it as a Google Earth-compatible CSV file, essentially doxxing people who allegedly support Britain’s traditional fox hunt. The person or group denies that this was a criminal offense, stating that it was done in retaliation for the fox-hunting community’s creation of its own database of protestors. Fox hunting and badger culls are highly contentious issues in the UK, but Guntrader and others point out that the five-year-old database may include addresses of people who never shoot live quarry, such as skeet shooters, and that some gun owners on the list may no longer live at the addresses posted, putting innocent people at risk of retaliation.

(The Register)

McDonald’s leaks password for Monopoly VIP database

A bug in the McDonald’s Monopoly VIP game in the United Kingdom caused the login names and passwords for the web application’s production and staging database servers to appear in prize redemption emails sent to winners. The leaked information included the hostnames of the Azure SQL databases along with the databases’ login names and passwords. A prize winner who shared the email with Have I Been Pwned creator Troy Hunt said that the production server was firewalled off but that they could reach the staging server. As these databases may have contained winning prize codes, an unscrupulous person could have downloaded unused game codes to claim the prizes.

(Bleeping Computer)
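The failure in the McDonald’s story is a template rendering configuration values into customer-facing email. An added example (not code from the story or from McDonald’s) of the kind of pre-send gate that would have caught it: scan each outbound message body for Azure SQL hostnames and ADO.NET-style connection-string fields, block the send if anything fires, and hand back a redacted copy that is safe to quarantine and review. The sample emails, hostnames, user names and passwords below are constructed for the example and are not the values from the real incident.

```python
"""Pre-send gate for templated email: catch leaked database credentials before delivery."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input (invented hostnames, user names and passwords).
LEAKY_EMAIL = """Congratulations, you're a Monopoly VIP winner!
Redeem your prize with code MCD-2021-7F3A.
Server=tcp:prod-prizes.database.windows.net,1433;Initial Catalog=prizes;User ID=prizeapp;Password=Sup3rS3cret!;
Server=tcp:stg-prizes.database.windows.net,1433;Initial Catalog=prizes_stg;User ID=prizeapp;Password=Staging123;
Thanks for playing!
"""

CLEAN_EMAIL = """Congratulations, you're a Monopoly VIP winner!
Redeem your prize with code MCD-2021-7F3A.
Thanks for playing!
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # which pattern fired
    line_no: int   # 1-based line within the message body
    excerpt: str   # matched text, with the secret value already masked


# Shapes of the material that leaked: Azure SQL hostnames and the
# user/password fields of an ADO.NET connection string.
PATTERNS = {
    "azure_sql_host": re.compile(r"\b[A-Za-z0-9-]+\.database\.windows\.net\b"),
    "conn_string_user": re.compile(r"(?i)\b(user(?: id)?|uid)\s*=\s*([^;\r\n]+)"),
    "conn_string_password": re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;\r\n]+)"),
}


def mask(value: str) -> str:
    """Keep only the length so a finding can be logged without re-leaking the secret."""
    return "*" * len(value)


def scan_body(body: str) -> list[Finding]:
    """Return one Finding per pattern hit, per line, with secret values masked."""
    findings: list[Finding] = []
    for line_no, line in enumerate(body.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if kind == "azure_sql_host":
                    excerpt = m.group(0)           # hostname alone is not a secret to mask
                else:
                    excerpt = f"{m.group(1)}={mask(m.group(2))}"
                findings.append(Finding(kind, line_no, excerpt))
    return findings


def redact(body: str) -> str:
    """Produce a copy safe to store with the incident record: hosts and values replaced."""
    out = PATTERNS["azure_sql_host"].sub("[REDACTED-HOST]", body)
    for kind in ("conn_string_user", "conn_string_password"):
        out = PATTERNS[kind].sub(lambda m: f"{m.group(1)}=[REDACTED]", out)
    return out


def release_gate(body: str) -> tuple[bool, str, list[Finding]]:
    """Decide whether a rendered message may be sent.

    Returns (allowed, body_to_use, findings). A blocked message comes back
    redacted so the caller can quarantine it without copying the secrets again.
    """
    findings = scan_body(body)
    if not findings:
        return True, body, []
    return False, redact(body), findings


if __name__ == "__main__":
    for label, email in (("clean", CLEAN_EMAIL), ("leaky", LEAKY_EMAIL)):
        allowed, safe_body, hits = release_gate(email)
        print(f"{label}: allowed={allowed}, findings={len(hits)}")
        for f in hits:
            print(f"  line {f.line_no}: {f.kind}: {f.excerpt}")
```

The gate belongs in the mail-sending path (or as a test run over every rendered template fixture in CI), not in the template itself, so it catches any rendering bug rather than one known field. The patterns cover only the connection-string shape described in the story; other data stores and secret formats need their own entries, and the redacted copy, not the original, is what should be attached to the ticket.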

TrickBot gang member arrested after getting stuck in South Korea due to COVID

A Russian citizen was arrested last week at Seoul’s international airport on accusations of developing code for the TrickBot malware gang. The man was arrested trying to leave South Korea after having been stuck there for more than a year and a half due to COVID-related travel cancellations. During this extended stay, US officials had opened an official investigation into the Russia-based TrickBot operation and had already arrested a 55-year-old Latvian woman in Miami who allegedly worked as one of TrickBot’s programmers. Similar to her case, the Russian detained in South Korea was charged with working for the TrickBot gang, developing a web browser-related component for them after answering a job ad in 2016.

(The Record)


Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.