Massive Hack Shows Right-Wing Health Care Providers Pocketed Millions Selling Ineffective COVID-19 Treatments

Group-IB CEO arrested for alleged treason in Russia, U.S. unexpectedly deports Russian hacker, AirTag flaw can redirect Good Samaritans to phishing pages, Cyber breach reporting bill introduced, more

In the second major breach of a right-wing organization to become a blockbuster report over the past few weeks, an unnamed hacker stole hundreds of thousands of records from two companies, CadenceHealth.us and Ravkoo, that helped health care providers affiliated with a right-wing group known as America’s Frontline Doctors (AFLDS) pocket millions of dollars selling ineffective treatments to vaccine-resistant patients.

AFLDS uses SpeakWithAnMD.com, which relies on CadenceHealth as a platform, and Ravkoo as a service that works with local pharmacies to deliver drugs. The hacker says that Cadence and Ravkoo were “hilariously easy” to hack despite promises of patient privacy. The websites of both companies had broken access controls, a common mistake in web application security. In addition, the Ravkoo website had a “hidden admin panel that every user can log in to and view all the data,” according to the hacker.

The hacked data includes information on 281,000 patients created in the Cadence Health database between July 16 and September 12, 2021, 90 percent of whom were referred from AFLDS. Ravkoo claims it stopped doing business with SpeakWithAnMD and AFLDS at the end of August. (Micah Lee / The Intercept)

Russian authorities arrested Ilya Sachkov, the CEO and founder of leading cybersecurity company Group-IB, on suspicion of state treason while law enforcement authorities carried out searches at the Moscow offices of the firm. State treason is punishable by up to 20 years in jail.

State news agency TASS cited an unnamed security source who said Sachkov was accused of working with unspecified foreign intelligence services and of treason that hurt Russia's national interest, allegations that both Sachkov and Group-IB denied. (Tom Balmforth and Anton Zverev / Reuters)

Related: France 24, ETTelecom.com, Russian Legal Information Agency (RAPSI), Security Affairs, The Record by Recorded Future, Forbes, TASS, RIA News Agency, Pravda, Meduza

The U.S. deported Russian hacker Alexei Burkov at least a year before he was expected to finish his sentence, handing him over to Russian authorities despite long resisting Moscow’s efforts to retrieve him.

Authorities gave no reason for his release. Current and former officials said they were surprised given how aggressively the Justice Department had sought his extradition from Israel in 2019, where he had been held in custody since 2015. Burkov pleaded guilty to running web forums where hackers swapped stolen data. He was sentenced to nine years in prison, including time served while in Israel. (Dustin Volz and Aruna Viswanatha / Wall Street Journal)

Related: Cyberscoop, Devdiscourse, Algemeiner.com, The Record by Recorded Future, DataBreaches.net, Devdiscourse, The Hill, Reuters, Haaretz.com, WSJ.com: WSJD, CNN, TASS

Security consultant Bobby Rauch discovered that Apple’s new $30 AirTag has a flaw that can redirect anyone who finds a lost AirTag to an iCloud phishing page or any other malicious website.

AirTags have a Lost Mode feature that lets users alert Apple when an AirTag is missing. Setting it to Lost Mode generates a unique URL at https://found.apple.com and as Good Samaritan who finds a lost AirTag can enter at that URL a personal message and contact phone number. Rauch contacted Apple but didn’t hear anything from the company until last week, shortly before Krebs on Security contacted Apple about the issue. (Brian Krebs / Krebs on Security)

Related: TechSpot, iPhone Hacks

Threat actors are now taking advantage of a complete exploit for the remote code execution vulnerability in VMware vCenter tracked as CVE-2021-22005 that exploit writer wvu made available online.

Malicious actors can use this variant to open a reverse shell on a vulnerable system, allowing remote attackers to execute code of their choice. Last week, the Cybersecurity and Critical Infrastructure Security Agency urged critical infrastructure organizations with vulnerable vCenter servers to prioritize updating the machines or apply the temporary workaround from VMware. (Ionut Ilascu / Bleeping Computer)

Related: Threatpost, The Register - Security, Security Affairs

The Senate Homeland Security and Governmental Affairs Committee leaders introduced Cyber Incident Reporting Act, sponsored by committee Chairman Gary Peters (D-MI) and ranking member Rob Portman (R-OH).

The bill would require owners and operators of critical infrastructure to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. It would also require critical infrastructure groups and nonprofits, businesses with more than 50 employees, and state and local governments to report to CISA if they paid a sum demanded in a ransomware attack. (Maggie Miller / The Hill)

Related: CNN, InsideCyberSecurity.com, Federal News Network, Federal News Network, Defense Daily Network, BGov, Chemical Facility Security News, Home Security and Government Affairs, Homeland Security Today

Researchers at distributed denial-of-service protection company Nexusguard say that a new DDoS amplification attack called “Black Storm” could wreak havoc on communications service provider networks.

Unlike other amplification attacks, Black Storm can leverage any device connected to the internet, the researchers say. They advise communications service providers to perform regular vulnerability scanning, apply access control to routers and use deep learning-based detection methods. (Duncan Riley / Silicon Angle)

Related: Business Wire Technology News, SC Magazine

Researchers at Dutch cybersecurity firm ThreatFabric report that malicious actors behind the advanced mobile malware Blackrock have returned with a more vicious Android banking trojan dubbed ERMAC, which steals financial data from banking and wallets apps.

ERMAC can also open arbitrary applications and execute overlay attacks against many financial apps to obtain login credentials. (Nica Osorio / International Business Times)

Related: Security Affairs, ThreatFabric

UK umbrella payroll firm GiantPay, which counts thousands of contractors on its books, confirmed that it was the victim of a “sophisticated” cyberattack that crippled its phone and email systems and IT infrastructure.

It’s not clear if the attack was a ransomware infection, although GiantPay said that it would share updates as soon as it’s “safe to do so.” (Tim Richardson / The Register)

Related: Sky News

Researchers at Kaspersky Lab say that despite dwindled detections since 2018, the FinSpy surveillance kit, also known as FinFisher or Wingbird, has not gone away but has instead been hiding behind various first-stage implants to cloak its activities.

The newly discovered FinSpy samples are protected with multiple layers of evasion tactics to slow down the analysis of the spyware. (Tara Seals / Threatpost)

Related: ZDNet Security, TechDator, Securelist, The Register - Security, Dark Reading, Security Week, Anomali Blog, The Hacker News

Canadian private proof-of-vaccination app Portpass exposed the personal information of what could be as many as hundreds of thousands of users by leaving its website data unencrypted and viewable in plaintext format on the internet.

Among the exposed data are email addresses, names, blood types, phone numbers, birthdays, and photos of identification like driver's licenses and passports. Portpass has pulled the data from its servers, and the company is investigating. Portpass has more than 650,000 registered users across Canada. (Sarah Rieger / CBC News)

Related: Pixel Envy

Password service 1Password is launching in partnership with Fastmail a new feature to let users create unique email aliases for logins, much like Apple’s iCloud Plus Hide My Email function.

Apple customers can use this feature for registering accounts for temporary purposes, such as a free Wi-Fi network. But it can also be used more broadly for any app or service because the aliases don’t expire unless a 1Password user manually deletes them. (Tom Warren / The Verge)

Related: Startups News | Tech News, RT USA, Computerworld Security, The Verge, SlashGear » security, Gizmodo, How-To Geek, How-To Geek, How-To Geek, The Mac Observer, iPhone Hacks, Help Net Security, Slashdot, Engadget, ZDNet Security, Slashdot, Graham Cluley, Computerworld Security, Fastmail

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published a nine-page technical guide on properly securing VPN servers used by organizations to allow employees remote access to internal networks.

The agency produced the guide because multiple nation-state advanced persistent threat (APT) actors have weaponized vulnerabilities in common VPN servers as a way to breach organizations. In campaigns over the past two years, Chinese, Iranian, and Russian state-sponsored groups have abused vulnerabilities in Pulse Secure and Fortinet VPNs. (Catalin Cimpanu / The Record)

Related: Slashdot, Cyberscoop, US-CERT Current Activity, Homeland Security Today, NSA

According to leaked internal documents and video recordings, Amazon's new security robot called Astro is designed to track the behavior of everyone in a household to help it perform its surveillance and helper duties.

When users purchase the $999 robot, they are asked to "enroll" their faces and voices, as well as the faces and voices of anyone likely to be in a home so that Astro can learn who is supposed to be there. Moreover, developers who worked on the project say it doesn’t work very well, with unreliable person detection and a penchant for throwing itself down a flight of stairs if presented with an opportunity to do so. (Matthew Gault and Joseph Cox / Motherboard)

Related: SlashGear, Fudzilla

Photo by National Cancer Institute on Unsplash