Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

GPS and fitness-tracking company Garmin became the latest in a long list of firms to fall victim to a ransomware attack. The incident left some of its systems encrypted, interrupting many of its online services, including website functions, customer support, customer-facing applications, and company communications, for more than three days.

Although there’s no evidence that personal information was accessed or stolen, Garmin has so far not said whether there was a ransom demand or whether it paid the blackmailers to recover access to its systems. As of today, most of its services are back online, while a few others are operating in a “limited” state, according to the company’s status dashboard.

The ransomware strain that wreaked havoc on Garmin’s systems is believed to be WastedLocker, the handiwork of a Russian cybercriminal gang that calls itself “Evil Corp.” It’s not clear if Evil Corp itself targeted Garmin. Earlier this June, Symantec noted that Evil Corp’s series of cyber attacks had already hit more than 31 organisations, eight of them Fortune 500 companies.

With Garmin’s software used for aerospace and even maritime navigation, the attack should worry anyone who uses a smartwatch or any wearable. It should also serve as a wake-up call for companies to secure critical systems and safeguard sensitive GPS, health, and fitness data from the prying eyes of hackers, especially when a compromise has the potential to disrupt services that millions of people rely on. And for the rest of us: be sure to have backups, and backups of backups.
What’s trending in security?
Researchers uncovered a new campaign that hacked into news websites to plant fabricated stories, a Hong Kong-based VPN service provider was caught exposing users’ log files despite claiming to the contrary, and the US charged two Chinese nationals for a massive global hacking spree that also targeted COVID-19 research.
UFO VPN, a Hong Kong-based VPN service provider that claimed to have a zero-logs policy, was found leaking millions of log files about users of its service, including their account passwords and IP addresses. [Comparitech]

Diebold Nixdorf, the company behind ATMs and point-of-sale systems, warned of a new “jackpotting” attack that allows criminals to gain access to the machine internals to illegitimately dispense cash. [Ars Technica]

FireEye researchers disclosed a new Russia-linked “Ghostwriter” campaign that targeted audiences in Lithuania, Latvia, and Poland with fabricated content undermining NATO and the US military, and in some cases hacked the content management systems of news websites to plant their own stories. [FireEye]

A new form of attack called “Shadow Attack” allows bad actors to modify the content of digitally signed PDF documents. The new flaws were found by the same team who found a separate set of flaws which let attackers extract the contents of a password-protected file. [PDF Insecurity]

Internal source code from 50 high-profile companies including Microsoft, Disney, and Nintendo was leaked and posted online for anyone to access. [Bleeping Computer]

The Electronic Frontier Foundation has released a handy interactive map of all the surveillance tech used by law enforcement in the US. It’s called the “Atlas of Surveillance.” [EFF]

Hackers working for Russia’s GRU military intelligence agency are attacking US energy companies, while the Vatican and the Catholic Diocese of Hong Kong were among several Catholic Church-related organizations targeted by China’s RedDelta hacking crew. Both campaigns used phishing lures to deliver malware. [WIRED / Recorded Future]
It’s only July, but here are the 11 biggest data breaches of 2020. [Auth0]

The US charged two Chinese spies for a decade-long global hacking spree that also targeted COVID-19 research. Meanwhile, Russian state-sponsored hackers were found targeting coronavirus vaccine research, an allegation the Kremlin has refuted. [The Hacker News]

Forbes’ Thomas Brewster went into detail about Mitre Corp, a not-for-profit organization that builds a wide variety of tools for US military agencies, including a prototype that can hack into smartwatches, fitness trackers, and home thermometers, software to collect human fingerprints from social media platforms, and a “study to determine whether someone’s body odour can show they’re lying.” [Forbes]

Westbridge, the US arm of the controversial spyware vendor NSO Group, pitched its phone-hacking technology to the Secret Service as late as 2018. [Motherboard]

A hacker group affiliated with Iranian state authorities left exposed a trove of data that included, among other things, roughly five hours’ worth of video explaining how to compromise accounts belonging to people in the US and Greek armed forces and siphon sensitive data out of those accounts. [The Hacker News]

The fortnight in data breaches, leaks, and ransomware: Dave, Drizly, Dunzo, Garmin, GEDmatch, Instacart, Orange, Promo.com, and Twilio.
Tweet of the week
Google is calling out Apple for its new Security Research Device program that places restrictions that prevent 90-day disclosures for major security flaws.
— Ben Hawkes (@benhawkes) July 22, 2020

That’s it. See you all in two weeks. Stay safe!

Ravie x TNW (ravie[at]thenextweb[dot]com)