LockBit Ransomware Group Claims Attack on Italy's Tax Agency, Small Canadian Town

Roblox prepared for Chinese partner's hack, mRNA-free dating site exposed members' personal data, China tried to build informant network inside Federal Reserve, New attack vector threatens VR, more

Jul 26

blue and white bus on road during daytime — Photo by Giorgio Trovato on Unsplash

Italy’s postal police are investigating whether the LockBit ransomware group stole 78 gigabytes of data in an attack against the country’s tax agency.

The group allegedly published news of the hack on the dark web and asked for a ransom in five days, threatening to make the data public if the tax agency didn’t fulfill the request. However, Sogei SpA, the state company managing the tax agency’s IT infrastructure, said no signs of cyberattacks or a data breach were found after initial checks. (Antonio Vanuzzo / Bloomberg)

Related: Cyberscoop, The Register, The Record

Allan “Ransomware Sommelier🍷” Liska @uuallan

Ransomware group targets Italian tax agency cyberscoop.com/lockbit-italy-… via @AJVicens (who is killing it over at @CyberScoopNews)

Ransomware group targets Italian tax agencyLockBit, one of the most prolific ransomware operations, claims to have 100GB of data from the agency.cyberscoop.com

The Canadian town of St. Marys, Ontario, has been hit with a ransomware attack by what appears to be the Lockbit ransomware group, locking staff out of internal systems and encrypted data.

On July 22nd, a post on LockBit’s dark website listed townofstmarys.com as a victim of ransomware and previewed files that had been stolen and encrypted. St. Marys's Mayor Al Strathdee said that after systems were locked, the town had received a ransom demand from the LockBit ransomware gang but had not paid anything to date. (Corin Faife / The Verge)

Newly released internal documents reveal that the online gaming platform Roblox assumed and prepared for the possibility that any Chinese partner it worked with could try to hack Roblox.

Roblox also expected Tencent, with which it operated as a partner on a version of its game in China called LuoBuLeSi, to copy the game and create its own version. The documents also show the steps Roblox had to take for its game to comply with Chinese censorship laws: any maps created in the game had to “respect the integrity of the country and not misrepresent the Chinese territory,” including by recognizing Beijing’s claim of self-ruled Taiwan as part of its territory. (Joseph Cox / Motherboard)

Related: Game Developer, Engadget

Kevin Beaumont @GossiTheDog

Interesting case where a news outlet is choosing to publish documents obtained by a ransomware group

Revealed: Documents Show How Roblox Planned to Bend to Chinese CensorshipFiltering games. Blocking maps with Taiwan. Handling “historical facts.” Roblox was prepared to go all in on Chinese censorship, according to newly released internal documents.vice.com

Security researchers GeopJr discovered that an anti-vaccine dating website called Unjected, which allows users to procure “mRNA FREE” semen, exposed its users’ data online.

The site offers what it describes as “mRNA FREE blood match & fertility directories” where unvaccinated users can donate blood, sperm, or eggs to one another. GeopJr noticed that Unjected’s web application framework had been left in debug mode, allowing them to learn pertinent information “that someone with malicious intent could abuse.”

Unjected’s co-founder Shelby Thomson said she would alert her technical team to the issues outlined by the Daily Dot and begin fixing the vulnerabilities. However, shortly after, users reported running into numerous glitches on Unjected that exposed their personal information more than before. (Mikael Thalen / Daily Dot)

Related: The Verge, iTechPost

Mikael Thalen @MikaelThalen

After the Daily Dot contacted Unjected about the issues, the site's co-founder said the problems would be fixed. But the problems only became worse. The site went offline multiple times over the weekend & one user claimed their home address was exposed. dailydot.com/debug/anti-vax…

The Department of Health and Human Services Cybersecurity Coordination Center (HC3) urges healthcare entities to review tactics and potential remediation strategies for ongoing web application attack campaigns targeting the sector.

New HC3 guidance details the typical attack types used against web apps, including Distributed Denial of Service (DDoS) attacks. In healthcare, DDoS attacks are commonly motivated by political, hacktivist, or financial gain and rely on extortion tactics. (Jessica Davis / SC Media)

A rare open House Intelligence Committee hearing this week will examine foreign spyware.

However, despite the escalating number of incidents where malicious spyware is used against journalists, political adversaries, human rights workers, lawyers, and others, Congress has been slow to act. But efforts by the Biden administration and recent developments, including the prospect of defense firm L3Harris buying notorious spyware company NSO Group’s spyware, could make it harder for U.S. firms to ever purchase the spyware. (Tim Starks / Washington Post)

Related: Cyberscoop

An investigation by Republican staff members of the Senate’s Committee on Homeland Security and Governmental Affairs found that China tried to build a network of informants inside the Federal Reserve System, at one point threatening to imprison a Fed economist during a trip to Shanghai unless he agreed to provide nonpublic economic data.

The investigation discovered that for over a decade, Fed employees were offered contracts with Chinese talent recruitment programs, which often include cash payments, and asked to provide information on the U.S. economy, interest rate changes, and policies. Regarding the economist, Chinese officials in 2019 detained and tried to coerce him to share data and information on U.S. government policies, including tariffs, while the U.S. and China were in the midst of a trade war.

The report doesn’t say whether any sensitive information was compromised. But the probe concluded that the Fed failed to mount an adequate response. (Kate O’KeeffeFollow and Nick Timiraos / Wall Street Journal)

Related: Rob Portman

Researchers at cybersecurity company Kaspersky say that Chinese-speaking hackers have been using since at least 2016 malware they call CosmicStrand that lies virtually undetected in the firmware images for some motherboards, one of the most persistent threats commonly known as a UEFI rootkit.

It is unclear how the threat actor managed to inject the rootkit into the firmware images of the target machines, but researchers found the malware on machines with ASUS and Gigabyte motherboards. Kaspersky's victims also provide clues about the threat actor and their objective since the identified infected systems belong to private individuals in China, Iran, Vietnam, and Russia that could not be linked to an organization or industry. (Ionut Ilascu / Bleeping Computer)

Researchers at ReasonLabs identified a new attack vector that can connect remotely to Android-based VR devices and record the headset screen using malware called Big Brother.

Once the malware gets into a user’s computer, it lies in wait until the user starts using a device with Developer Mode enabled. Healthcare, the military, and manufacturers use proprietary VR apps for training. Installing those apps requires Developer Mode enabled. (Erron Kelly / Venture Beat)

Related: VR Scout

Former NSA contractor Reality Winner, who was imprisoned for leaking a report about Russia’s hacking of the 2016 presidential election, said she is not a tractor or spy but someone who acted out of love for her country.

Winner said she leaked the documents to counter Trump’s false narrative that Russia wasn’t responsible for hacking the Democrats in the run-up to the 2016 election. “ I just kept thinking, ‘My God, somebody needs to step forward and put this right. Somebody.’” (Scott Pelley / CBS News)

Related: Raw Story, The Guardian

Researchers at Claroty say that vulnerabilities affecting a mobile device management (MDM) product from FileWave exposed many organizations to remote attacks.

They discovered recently that the FileWave MDM product is affected by two critical security holes: an authentication bypass issue (CVE-2022-34907) and a hardcoded cryptographic key (CVE-2022-34906). The vendor quickly patched the flaws. (Eduard Kovacs / Security Week)

Related: Dark Reading, Security Affairs, Claroty

On the sixth anniversary of the No More Ransom project, Europol announced that they have helped around 1.5 million people and organizations decrypt files locked by hackers with ransomware, saving about $1.5 billion.

The initiative was born when a Dutch telecom called the local police to alert it that its employees had found a command and control server inside its infrastructure used by a ransomware group, according to Marijn Schuurbiers, the head of operations at Europol’s European Cybercrime Centre, who worked at the Dutch police at the time. (Lorenzo Franceschi-Bicchierai / Motherboard)

Related: ZDNet, Reddit cybersecurity, Europol

Europol @Europol

🎉 Today we’re celebrating #NoMoreRansom’s 6th anniversary! This means 6 years of: 🔓 helping ransomware victims unlock encrypted files 💡 providing tips on how to avoid getting infected 💶 keeping money out of the hands of criminals. Press release ⤵️ europol.europa.eu/media-press/ne…

The privacy group, Big Brother Watch, submitted a complaint against UK grocery store chain Southern Co-operative’s use of facial recognition cameras, claiming it is “Orwellian” and unlawful.

The complaint made to the Information Commissioner’s Office says that the surveillance system “uses novel technology and highly invasive processing of personal data, creating a biometric profile of every visitor to stores where its cameras are installed.” The group said the independent grocery chain had installed the surveillance technology in 35 stores across Portsmouth, Bournemouth, Bristol, Brighton and Hove, Chichester, Southampton, and London. (Jamie Grierson / The Guardian)

Related: Evening Standard, Metro.co.uk

Jasin Bushi, 18, who hacked Snapchat accounts and threatened to post nude pictures of women online in a “cruel” money-making scheme, has been jailed for two years.

Bushi took control of a series of women’s social media accounts, posing as the victim to message their friends asking to borrow money to cover rent. He accessed the accounts of seven victims aged between 17 and 35 between December 2020 and February 2021 and immediately changed their passwords.

He then threatened to post naked pictures of the women he found in their accounts if they did not pay up. Some intimate images or videos were posted several times when the victim’s friends, family, and colleagues saw them. (Tristan Kirk / Evening Standard)

Related: Wales Online, The Mirror

The team behind the open source PrestaShop eCommerce platform issued a public advisory to warn of zero day SQL injection attacks hitting merchant servers and planting code capable of stealing customer payment information.

PrestaShop warned that hackers are exploiting a "combination of known and unknown security vulnerabilities" to inject malicious code on eCommerce sites running the PrestaShop software. The platform released instructions to help merchants identify signs of infections and recommended that eCommerce providers conduct a full audit of their site and make sure that no file has been modified nor any malicious code has been added. (Ryan Naraine / Security Week)

Related: CyberNews, Security Affairs, PrestaShop

In a filing at the SEC, cybersecurity giant Mandiant said that the Justice Department waived the mandatory merger waiting period on Google’s acquisition of Mandiant, which was apparently a condition of the sale.

The ball is now in Google and Mandiant's court to decide on the conclusion of the merger. Mandiant's filing said the companies are expected to close the merger by the end of 2022. (Brandon Vigliarolo / The Register)

Related: CRN, SEC.gov

Metacurity