At a glance.
- California data privacy regulator investigates smart cars.
- WorldCoin receives scrutiny for collection of biometric data.
- The latest on the MOVEit data breaches.
- Report: extortionists paid.
- Card data skimmed from Everlast.
Report: BankCard USA surrenders to extortionists, and pays the ransom.
SuspectFile, which says it's been tracking the negotiations over the past month, reports that BankCard USA has finally agreed to pay Black Basta's ransom in exchange for both a decryptor and a promise not to release stolen data (it would have been a double extortion attack). The company did talk the crooks down by an order of magnitude from their penultimate demand for $500,000. SuspectFile thinks Black Basta's promises not to release stolen data are obviously lies. They'd promised “No publication of any kind,” but SuspectFile observes, "If we are writing this article it is precisely because both the name of the BankCard USA and some financial documents and passports have been public for over a month."
We received some industry comment on the incident. The tone is not one of approval. Carol Volk, EVP of BullWall, wrote, “That's an awfully expensive consultant they've got there! Their list of 10 recommendations is a good start, but as soon as organizations become better at plugging holes, new holes will appear. It's never-ending. While plugging the holes is important, more effort needs to be put towards containing active attacks; not just trying to prevent them by staying one step ahead of ransomware groups. Imagine if the attack was immediately contained and Black Basta wasn't able to get the data to begin with?”
And Cyware's VP of Marketing, Willy Leichter, thinks any approach to recovering from an attack that depends upon the honor of thieves is, to say the least, unwise. “Paying a ransom and relying on the integrity of cybercriminals to 'return' your data is a dubious strategy," Leichter wrote. "This is still a data breach and requires the same level of public disclosure. Getting the data back may help the bank maintain its operations, but it offers little comfort to the customers whose data has been compromised." He suggests some measures a prudent organization might institute to avoid finding itself in the position of negotiating with hoods in the first place. "To improve resiliency," he said, "organizations should:
- "Enable security controls such as multi-factor authentication
- "Implement regular security awareness training for employees
- "Invest in context-rich intelligence and/or partner with intelligence sharing organizations
- "Develop, maintain, and run through an organizational incident response plan
- "Keep all systems patched and software updated”
Stephen Gates, Principal Security SME at Horizon3.ai, thinks that the gang's post-attack security advice actually isn't that bad. “According to the report on Suspectfile.com, it's interesting what Black Basta recommends Bankcard USA (BUSA) do in the future to help thwart similar attacks. The recommendations the hacking group provides in the back-and-forth correspondence are actually quite good since they highlight some of the issues autonomous penetration testing can easily find in many organizations’ networks. Surprisingly, the hacker group even says, “conduct full penetrations tests and audit” which is really good advice for all organizations." He also noted a security issue with the victim's site. “One last thing… As of July 31st, 0900 hours EDT, it appears the security certificate for https://www.bankcardusa [dot] com/ expired 2 days ago. If anyone were to override their browser protections and log into their account right now, their traffic would not be encrypted.”
California data privacy regulator investigates smart cars.
On Monday the California Privacy Protection Agency (CPPA) announced it’s launching an investigation into the data practices of internet-connected cars. Established in 2020, the agency was granted the authority as of July 1 to conduct operations that help residents of the US state of California better understand and control what data is being collected from them. This probe will be the first application of this new power. As the Washington Post explains, smart cars have become increasingly popular in recent years, and it has become difficult to find a modern car that doesn’t have some internet connectivity. Ashkan Soltani, CPPA’s executive director, states, “Modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle.” The data collected from drivers – which includes web histories, driving habits, and movement tracking that can reveal information about everything from religious practices to medical histories – is highly valuable to data brokers as well as insurance companies, and many users are unaware of their data privacy rights. Soltani continues, “Our Enforcement Division is making inquiries into the connected vehicle space to understand how these companies are complying with California law when they collect and use consumers’ data.”
WorldCoin receives scrutiny for collection of biometric data.
German data regulator the Bavarian State Office for Data Protection Supervision has revealed it’s been investigating WorldCoin, a project that collects user biometric data – an iris scan, to be exact – in an effort to create an "identity and financial network." As Molly White explains, WorldCoin, which officially launched last week, is run by Sam Altman, CEO of controversial artificial intelligence research lab OpenAI. Like something out of an episode of Black Mirror, users' irises are scanned by an ominous-looking silver orb, and in exchange they receive a digital ID which can then be used as verification for cryptocurrency transactions. WorldCoin says 2.1 million people have signed up for the program at sites in various countries including France, Germany and Spain, mostly during a trial period over the past two years.
Michael Will, president of the German data watchdog, told Reuters the regulator launched a probe last November due to concerns about WorldCoin’s use of new tech to process "sensitive data at a very large scale." (Tools For Humanity, the company behind Worldcoin, has a subsidiary in Germany.) Will stated, "These technologies are at first sight neither established nor well analysed for the specific core purpose of the processing in the field of transferring financial information.” The process raises a number of questions, including whether or not users were asked for explicit consent for their data to be collected. Several other European supervisory authorities, including officials in France and Great Britain, have also expressed an interest in the investigation. The Worldcoin Foundation claims it complies with EU data privacy rules and will continue to cooperate with authorities as the investigation goes on.
The latest on the MOVEit data breaches.
The mass-hack of MOVEit’s popular file transfer application seemingly claims a new casualty every day, and Bank Info Security reports that the victim count has reached a whopping 545 organizations as of yesterday. According to German cybersecurity firm KonBriefing, this number includes companies that were directly breached as well as organizations that were indirectly impacted, for instance through a third-party vendor. The hacking spree, which began at the end of May, has led to the theft of personal data belonging to at least 38 million individuals. Cl0p, the ransomware group claiming responsibility for the hacks, has in recent days named or published the data of fifty more organizations on the hackers’ leak site.
Security firm Emsisoft says the most-affected industries appear to be education, followed by finance and professional services. Approximately 74% of the known victims are US organizations. The most recent victims include the government of Allegheny County, located in the US state of Pennsylvania, and the University of Rochester, a private research college in the state of New York. It’s worth noting that MOVEit released a patch for the exploited vulnerability soon after it was discovered, but the climbing number of victims demonstrates just how difficult it is to rein in the damage of a bug once threat actors have found it.
We will not use the headline "Everlast data KO'd by hackers..."
...because that would be cliché, but also because it was really more of a mandatory eight count. Boxing and sports equipment manufacturer Everlast has sustained a data breach that exposed customer paycard data. Cybernews reports that cybercriminals were capturing credit card data during checkout by using a trojan skimmer loader installed in the everlast.com online store. The blow appears to be the work of a gangland heavyweight. Cybernews writes, "The Everlast hack has been attributed to Magecart Group 4. This group is linked by other research to Cobalt Group, which itself is related to Carbanak, a financially-motivated threat actor known for conducting intrusions targeting ATM systems, card processing, payment, and SWIFT systems."
Pedro Fortuna, CTO and co-founder of Jscrambler, offered some comments to set the attack in context. “E-commerce skimming attacks and the methodologies employed by these criminals are not novel. Magecart attacks like this one can severely impact a business in many ways. Beyond the direct theft of stealing payment card data from customers, it can also ultimately lead to a disruption in customers’ loyalty and satisfaction." He advised businesses engaged in e-commerce retailing to harden themselves as a target. "To defend against e-commerce skimming attacks, businesses like Everlast must remain vigilant and implement several crucial security measures such as:
- "Ensure their storefronts - e-commerce platforms, CMS, and any third-party tools - are up to date with the latest security patches;
- "Limiting the JavaScript on sensitive pages like login pages and pages that collect payment card data;
- "Monitoring of all JavaScript to immediately detect any unauthorized modifications or malicious activity;
- "With the new PCI DSS 4.0 requirements, merchants are obligated to implement controls to protect against these attacks. Even though those new requirements won't become mandatory until 2025, responsible merchants should get a head-start in enhancing their security practices and start protecting their customers today."
He concluded, "Companies should prioritize a proactive approach and promptly remove any third-party scripts from their pages that were identified as a security threat. Simultaneously, they should conduct a thorough review of all their CMS plugins, taking appropriate actions such as removal or updating, depending on the individual cases. It is also advisable for companies to conduct a full forensic investigation to identify the intrusion point and potential ramifications of the attack.”