Hello and welcome back to our blog! Here's my latest round-up of the most interesting cybersecurity stories.
We begin in California, where every resident holding a permit to carry a concealed handgun had their personal information exposed online this week. The California Department of Justice (DOJ) suffered the breach as part of the launch of its 2022 Firearms Dashboard Portal. The incident is being blamed on an update made to the portal on Monday, which leaked the personal information of Californians who were granted or denied a concealed carry weapons (CCW) permit between 2011 and 2021: names, birth dates, gender, race, driver's license numbers, addresses and criminal history. Even worse, according to PC Mag, data from other dashboards was also impacted, including the Assault Weapon Registry, Handguns Certified for Sale, Dealer Record of Sale, Firearm Safety Certificate, and Gun Violence Restraining Order dashboards.
Next, U.S. semiconductor manufacturer AMD is investigating a data breach claim by the RansomHouse extortion group. RansomHouse alleges it stole data from AMD's network on January 5th of this year. The group says it targets businesses with lax protection and has stated publicly, on its Tor site, that it is holding 450 GB of AMD's data.
Publishing giant Macmillan was forced to shut down its systems after an attack last weekend, and it appears the company has been struck with ransomware. Publishers Weekly first reported on the incident, citing emails from Macmillan stating that it suffered a "security incident, which involves the encryption of certain files on our network." Encryption of files on the network is the hallmark of a ransomware attack.
The U.S. Transportation Security Administration (TSA) this week announced changes to its cybersecurity directive for U.S. pipelines after backlash from industry experts and trade groups. The changes come a year after the Colonial Pipeline ransomware attack, which caused a week-long run on gasoline along the East Coast of the U.S. The TSA is now loosening the pipeline cybersecurity rules it imposed after that attack: according to the Wall Street Journal, designated pipeline operators are now required to report hacks to the government within 24 hours, double the previously mandated timeline. More changes to the rules are set to be released by July 26th.
Another U.S. agency, Homeland Security, has been collaborating with Brazil on its Operation 404 efforts. In what has been described as the "fourth wave" of Operation 404, Brazilian law enforcement agencies blocked or shut down around 226 websites and 461 piracy applications. As part of the effort, the domains of six websites that streamed and provided illegal downloads of copyrighted music were seized by U.S. Homeland Security Investigations (HSI) and the Department of Justice.
Also this week, Wiltshire Farm Foods, a leading producer of frozen ready meals in the UK, revealed that its systems are down after a serious cyber-attack. The company announced on Sunday that it is experiencing severe difficulties with its computer system. The attack disrupted deliveries for much of the week and was severe enough that the company could not even phone customers to tell them their delivery would not be made, because the customer telephone numbers live in the same systems that are offline.
According to a report published by researchers at Intezer, new YTStealer malware is targeting YouTube content creators by stealing their YouTube authentication cookies, which an attacker can replay to hijack the channel. The tool is believed to be sold as a service on the dark web and is distributed through fake installers that also drop RedLine Stealer and Vidar. Its lures impersonate video-editing software or content that creators would use in new videos.
Another cryptocurrency firm has been attacked, and this time it's unclear who the attacker is. Whoever it is, they stole more than $100m worth of Ethereum tokens from Californian cryptocurrency firm Harmony through its Horizon bridge. The company has offered a $1 million bounty to the hackers and says it won't push for criminal charges if the funds are returned.
Finally (and speaking of $100m), in a surprising development the well-known accounting firm Ernst & Young (E&Y) has agreed to pay $100m to settle charges of cheating on ethics exams. The U.S. Securities and Exchange Commission (SEC) announced this week that E&Y audit employees allegedly cheated on exams required to obtain and maintain CPA licenses, and then, to make matters worse, supposedly misled investigators. If this did indeed occur, I would imagine it was the first, and last, time. Lessons learned...
That's a wrap for the week. Have a great weekend!
Bleeping Computer (June 30, 2022) Macmillan shuts down systems after likely ransomware attack
Publishing giant Macmillan was forced to shut down their network and offices while recovering from a security incident that appears to be a ransomware attack.
The attack reportedly occurred over the weekend, on Saturday, June 25th, with the company shutting down all of their IT systems to prevent the spread of the attack.
Publishers Weekly first reported on the incident, seeing emails from Macmillan that stated they suffered a "security incident, which involves the encryption of certain files on our network." The use of encryption in the attack indicates that it was a ransomware attack.
Computing (June 30, 2022) AMD investigates alleged 450 GB data theft by RansomHouse group
AMD says it is looking into a potential data breach after the RansomHouse hacking group claimed it is in possession of stolen data from the US chipmaker.
An AMD representative told online privacy specialist RestorePrivacy that the company was "aware of a bad actor claiming to be in possession of stolen data", and that an investigation was presently ongoing.
According to RansomHouse, the data was stolen from AMD's network on January 5, 2022, and was not a result of a previous leak of its intellectual property. The group claims to be targeting businesses with lax protection, and stated on its Tor-hidden website that it was holding 450 GB of AMD data.
The Record (June 29, 2022) TSA to change cybersecurity rules for pipelines following industry criticism
The Transportation Security Administration (TSA) announced changes to a cybersecurity directive for U.S. pipelines after backlash from industry experts and trade groups.
TSA issued two sets of security directives last year after the ransomware attack on Colonial Pipeline dominated headlines and caused a week-long run on gasoline along the East Coast of the U.S.
The attack kickstarted wide-ranging government efforts to better protect critical infrastructure, and in May TSA reissued the first set of security directives for critical pipelines after they expired.
IT Security Guru (June 29, 2022) Ransomware Suspected in Wiltshire Farm Foods Attack
Wiltshire Farm Foods, a leading producer of frozen ready meals in the UK, has revealed that its systems are currently down after experiencing a serious cyber-attack.
The producer said on Sunday that it is “currently experiencing severe difficulties” with its computer system.
They said, “If you are expecting a delivery this week (w/c 27th June) or have other concerns, please contact your local depot.”
“Unfortunately, as our systems are not currently working, we will be unable to make many deliveries in the next few days. We are also unable to contact customers personally as we do not have access to their telephone numbers.”
GovTech (June 29, 2022) Breach Exposes California Concealed-Weapons Permit Data
A data breach has exposed the personal information of every person with a California permit to carry a concealed weapon, authorities said Tuesday.
The California Department of Justice suffered the breach as part of the launch of its 2022 Firearms Dashboard Portal, according to the Fresno County Sheriff's Office, which said it was informed of the leak Tuesday by the California State Sheriffs' Association.
"This public site allows access to certain information, however, personal information of concealed carry weapon permit holders is not supposed to be visible," the Sheriff's Office said in a statement. "This includes, but is not limited to a person's name, age, address, Criminal Identification Index number and license type (Standard, Judicial, Reserve and Custodial)."
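Whatever the cause of Monday's update leaking row-level records, the underlying design lesson is that a public dashboard should only ever be fed aggregated data, with the release gate run on the exact payload that reaches the public web tier. The following is an added example, not code from the California DOJ, GovTech or this blog: it aggregates constructed permit records into suppressed counts and refuses any export that still carries one of the exposed fields. Field names, counties, counts and the suppression threshold are all assumptions made for the example.

```python
"""Added example (not code from the California DOJ or GovTech): build a public
dashboard dataset from permit records without exposing row-level PII.
All field names, counties and counts below are constructed for the example."""
from collections import Counter

# Fields reported as exposed; they stay inside the internal system regardless of query.
SENSITIVE_FIELDS = frozenset({
    "name", "date_of_birth", "gender", "race", "drivers_license",
    "address", "cii_number", "criminal_history",
})

# The only dimensions the public view is allowed to break counts down by (assumed).
PUBLIC_DIMENSIONS = ("county", "year", "outcome")

# Cells with fewer records than this are blanked so a count cannot single out a person.
MIN_CELL = 5


def build_public_dashboard(records, min_cell=MIN_CELL):
    """Aggregate row-level permit records into small-cell-suppressed counts.
    Returns (rows, number_of_suppressed_cells); rows are sorted by dimension."""
    counts = Counter(tuple(r[d] for d in PUBLIC_DIMENSIONS) for r in records)
    rows, suppressed = [], 0
    for key, n in sorted(counts.items()):
        row = dict(zip(PUBLIC_DIMENSIONS, key))
        if n < min_cell:
            row["count"] = None  # suppressed cell
            suppressed += 1
        else:
            row["count"] = n
        rows.append(row)
    return rows, suppressed


def assert_no_pii(rows):
    """Release gate: refuse any export whose rows carry a sensitive field.
    Run this on the exact payload that is copied to the public web tier."""
    leaked = sorted({k for row in rows for k in row if k in SENSITIVE_FIELDS})
    if leaked:
        raise ValueError(f"export contains sensitive fields: {leaked}")
    return True


def _record(i, county, year, outcome):
    # Constructed sample record; every value is a placeholder, not a real person.
    return {
        "name": f"Person {i}", "date_of_birth": "1980-01-01", "gender": "U", "race": "U",
        "drivers_license": f"D{i:07d}", "address": f"{i} Example St", "cii_number": f"C{i}",
        "criminal_history": "none", "county": county, "year": year, "outcome": outcome,
    }


# Constructed input: 7 granted and 2 denied in one county/year, 6 granted in another.
SAMPLE_RECORDS = (
    [_record(i, "Fresno", 2019, "granted") for i in range(7)]
    + [_record(i, "Fresno", 2019, "denied") for i in range(7, 9)]
    + [_record(i, "Kern", 2020, "granted") for i in range(9, 15)]
)


if __name__ == "__main__":
    public_rows, n_suppressed = build_public_dashboard(SAMPLE_RECORDS)
    assert_no_pii(public_rows)        # passes: only county/year/outcome/count remain
    for row in public_rows:
        print(row)
    print(f"{n_suppressed} cell(s) suppressed")
    try:
        assert_no_pii(SAMPLE_RECORDS)  # the raw table must never pass the gate
    except ValueError as exc:
        print("blocked:", exc)
```

The point of the gate is where it runs: on the payload that leaves the internal network, not on the UI that renders it. A dashboard that is handed the row-level table and relies on its front end to hide columns has nothing between a configuration change and a leak; a dashboard that is handed only the output of `build_public_dashboard` cannot leak what it never received.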
The Hacker News (June 29, 2022) New YTStealer Malware Aims to Hijack Accounts of YouTube Content Creators
Cybersecurity researchers have documented a new information-stealing malware that targets YouTube content creators by plundering their authentication cookies.
Dubbed "YTStealer" by Intezer, the malicious tool is likely believed to be sold as a service on the dark web, with it distributed using fake installers that also drop RedLine Stealer and Vidar.
"What sets YTStealer aside from other stealers sold on the dark web market is that it is solely focused on harvesting credentials for one single service instead of grabbing everything it can get ahold of," security researcher Joakim Kennedy said in a report shared with The Hacker News.
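Because YTStealer and the stealers bundled with it all have to read the browser's cookie database to get at a creator's session, a detection that watches who opens that file catches the whole family regardless of which installer carried it. Below is an added example, not code from Intezer or The Hacker News: a small rule run over constructed EDR-style file-open events that flags any process other than the installed browser opening a Chromium or Firefox cookie store, and also flags a browser-named binary doing so from a user-writable directory. The JSON event format, process names, user name and paths are constructed for the example; real telemetry fields differ by product, but the Chromium ("User Data\<profile>\Cookies" or "...\Network\Cookies") and Firefox ("Profiles\<profile>\cookies.sqlite") locations are the real ones.

```python
"""Added example (not Intezer's or The Hacker News's code): flag processes that open
a browser cookie store, the artifact YTStealer harvests. Event format, process
names and paths in SAMPLE_LOG are constructed for the example."""
import json
import re

# Browser binaries that legitimately open their own cookie database.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Locations a real browser install should never be running from.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Desktop)\\", re.IGNORECASE)

# Cookie stores: Chromium family ("Default\Cookies" on older builds,
# "Default\Network\Cookies" on current ones) and Firefox (cookies.sqlite).
COOKIE_STORES = [
    re.compile(r"\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.IGNORECASE),
    re.compile(r"\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.IGNORECASE),
]


def is_cookie_store(path: str) -> bool:
    """True if the path is a known browser cookie database."""
    return any(p.search(path) for p in COOKIE_STORES)


def classify(event: dict):
    """Return an alert reason for one event, or None if it looks benign."""
    if event.get("op") != "FileOpen":
        return None
    if not is_cookie_store(event.get("target", "")):
        return None
    image = event.get("image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if name not in BROWSER_IMAGES:
        return "non-browser process opened browser cookie store"
    if USER_WRITABLE.search(image):
        # A stealer renamed to chrome.exe and dropped in Downloads still hits here.
        return "browser-named binary in user-writable directory opened cookie store"
    return None


def detect_cookie_theft(log_lines):
    """Run classify() over JSON-lines events and return the alerts raised."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reason = classify(event)
        if reason:
            alerts.append({"ts": event.get("ts"), "image": event.get("image"),
                           "target": event.get("target"), "reason": reason})
    return alerts


# Constructed telemetry: one benign browser open, one fake "video editor" installer
# reading Chrome's cookies, one chrome.exe running from Downloads reading Firefox's,
# one unrelated file open, and one non-open operation on the cookie file.
SAMPLE_LOG = r"""
{"ts": "2022-06-28T10:01:02Z", "op": "FileOpen", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "target": "C:\\Users\\editor\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts": "2022-06-28T10:03:15Z", "op": "FileOpen", "image": "C:\\Users\\editor\\AppData\\Local\\Temp\\VideoEditor_Setup.exe", "target": "C:\\Users\\editor\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts": "2022-06-28T10:03:16Z", "op": "FileOpen", "image": "C:\\Users\\editor\\Downloads\\chrome.exe", "target": "C:\\Users\\editor\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd1234.default-release\\cookies.sqlite"}
{"ts": "2022-06-28T10:04:00Z", "op": "FileOpen", "image": "C:\\Windows\\System32\\notepad.exe", "target": "C:\\Users\\editor\\Documents\\notes.txt"}
{"ts": "2022-06-28T10:05:00Z", "op": "FileClose", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "target": "C:\\Users\\editor\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
""".strip().splitlines()


if __name__ == "__main__":
    for alert in detect_cookie_theft(SAMPLE_LOG):
        print(alert["ts"], alert["reason"], "->", alert["image"])
```

Two caveats a practitioner would add before deploying this: legitimate software (backup agents, some password managers, the browser's own crash handler) does touch these files, so the allowlist needs tuning per estate; and the rule assumes file-open telemetry, which standard Windows auditing and default Sysmon configurations do not emit for reads, so it belongs in an EDR or a tuned object-access audit policy rather than in plain event-log forwarding.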
Bleeping Computer (June 27, 2022) US, Brazil seize 272 websites used to illegally download music
The domains of six websites that streamed and provided illegal downloads of copyrighted music were seized by U.S. Homeland Security Investigations (HSI) and the Department of Justice.
266 other websites part of the same network were also taken down in Brazil, with six individuals arrested in 30 search and seizure raids across the country.
"According to court documents, law enforcement identified these six domains as being used to distribute copyrighted material without the authorization of the copyright holders," the Justice Department said today in a press release.
Bank Info Security (June 27, 2022) Horizon Offers $1M Bounty to Hackers Who Stole $100M
Blockchain company Harmony has offered a $1 million bounty to hackers who stole $100 million worth of Ethereum tokens. It also says it won’t push for criminal charges if the funds are returned.
The Horizon bridge is a cross-chain protocol connecting the Ethereum, Binance and Harmony blockchains. It allows the transfers of cryptocurrencies, stablecoins and non-fungible tokens between the Harmony blockchain and the other networks.
The company has attempted to contact the hackers via a transaction to their Ethereum wallet address, Harmony tells Information Security Media Group.
Other Thought-Provoking Stories
Google violating EU data protection rules - Mobile Europe
Iranian steel facilities suffer apparent cyberattacks - Cyberscoop
Ernst & Young pays $100m to settle US charges of cheating on ethics exams - The Guardian
FBI: Beware Deepfakes Used to Apply for Remote Jobs - InfoSecurity
Carnival to pay $5M for cyber violations to NY financial regulator - Cybersecurity Dive
Dozens of cryptography libraries vulnerable to private key theft - Portswigger
New Android Banking Trojan 'Revive' Targeting Users of Spanish Financial Services - The Hacker News
Atlassian Confluence Exploits Peak at 100K Daily - Dark Reading
This new malware is at the heart of the ransomware ecosystem - ZDNet
Canadian NetWalker ransomware defendant agrees to plead guilty in US court - Cyberscoop
OpenSea reveals email breach, blames employee at third-party vendor - Portswigger