Senate Finance Committee Warned DHS of Poor Security of Organ Transplant Sharing Network
Illuminate Education data breach highlights school system tracking system risks, Experts puzzled over Secret Service's January 6 texts back-up fail, Oz teen spent RAT proceeds on take-away food, more
Leaders of the Senate Finance Committee grew so alarmed during a closed-door briefing earlier this year about the security of the system for getting donated kidneys, livers, and hearts to desperately ill patients that they warned officials at the Department of Homeland Security and intelligence agencies they had “no confidence” in the security of the transplant network.
The United Network for Organ Sharing (UNOS) holds the monopoly on getting organs to transplant patients. The Health Resources and Services Administration (HRSA) oversees UNOS, but that agency has little authority to regulate transplant activity, and UNOS has rejected any attempts to regulate the system. The Finance Committee has scheduled a hearing on the system for Wednesday. (Joseph Menn and Lenny Bernstein / Washington Post)
A recent cyberattack on Illuminate Education, a leading provider of student-tracking software, highlights how the software many school districts use to track students contains highly confidential information on children, including labels such as “Intellectual disability,” “Emotional Disturbance,” “Homeless,” “Disruptive,” “Defiance,” “Perpetrator,” “Excessive Talking,” and more.
The Illuminate incident affected the personal information of more than a million current and former students across dozens of districts, including New York City and Los Angeles, the nation’s largest public school systems. The exposure of students’ sensitive data could have long-term implications for them, which has prompted Hector Balderas, the attorney general of New Mexico, to sue tech companies for violating the privacy of children and students.
Balderas said that Congress had failed to enact modern, meaningful data protections for students while regulators had failed to hold ed tech firms accountable for flouting student data privacy and security. Illuminate said it had “no evidence that any information was subject to actual or attempted misuse” and “implemented security enhancements to prevent” further cyberattacks.
However, despite extolling a series of security upgrades the company has said it implemented since the cyber incident, Greg Pollock, the vice president for cyber research at UpGuard, a cybersecurity risk management firm, found one of Illuminate’s AWS buckets with an easily guessable name, which is one known route that bad actors can follow to obtain student data, particularly given how often organizations misconfigure those buckets. The reporter then found a second AWS bucket named after a popular Illuminate platform for schools. (Natasha Singer / New York Times)
Natasha Singer @natashanyt: I spent the last month looking into the cyberattack on Illuminate Education which affected more than a million students nationwide. Among our findings: 1. Before the hack, Illuminate Education did not have a chief information security officer. https://t.co/SlehIZozgP
Cybersecurity experts and former government leaders are stunned by how poorly the Secret Service and the Department of Homeland Security handled the preservation of officials’ text messages and other data from around Jan. 6, 2021.
Experts are divided over whether the disappearance of phone data from around the time of the insurrection is a sign of incompetence, an intentional coverup, or some murky middle ground. Paul Rosenzweig, a senior policy official at the Department of Homeland Security during the George W. Bush administration, polled 11 of his friends with cybersecurity backgrounds, including information-security chiefs at federal agencies, on whether any of them had ever done a migration without a plan for backing up data and restoring it. None of them had. Experts said that if the Secret Service had truly wanted to preserve agents’ messages, doing so should have been almost trivially easy. (Drew Harwell, Will Oremus, and Joseph Menn / Washington Post)
Carol Leonnig @CarolLeonnig: “It’s ludicrous” Deletion of Secret Service texts from Jan. 6 - and lack of real plan to back them up baffles experts - @drewharwell @WillOremus @josephmenn https://t.co/kinYv2h6RA
Canadian coffee giant Tim Hortons proposes offering impacted customers a free hot drink and a baked good as a settlement in class action lawsuits filed after the company spied on app users for over a year.
The proposal, subject to court approval, settles four class action lawsuits in Quebec, British Columbia, and Ontario involving the Tim Hortons app. In June, Canadian regulators said that Tim Hortons’ data collection violated Canadian law by tracking every time a user entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace. (Joseph Cox / Motherboard)
Ten days after Krebs on Security published an exposé on 911[.]re, a proxy service that has sold access to hundreds of thousands of Microsoft Windows computers daily, the service announced it is shutting down in the wake of a data breach that destroyed critical components of its business operations.
The proxy service operated multiple pay-per-install schemes that paid affiliates to surreptitiously bundle the proxy software with other software, continuously generating a steady stream of new proxies. (Brian Krebs / Krebs on Security)
Australian Federal Police allege that a teenager living in the suburbs of Brisbane, Jacob Wayne John Keen, created and sold a sophisticated hacking tool used by domestic violence perpetrators and child sex offenders to spy on tens of thousands of people across the globe and then used the proceeds to buy takeaway food.
They allege he created a sophisticated remote access trojan (RAT) called Imminent Monitor that allowed users to take control of their victims’ computers remotely. Keen allegedly sold the tool for $35 on a hacking forum, making between $300,000 and $400,000 by selling it to more than 14,500 people in 128 countries. (Michael McGowan / The Guardian)
The Justice Department unveiled a conspiracy charge against Russian national Aleksandr Viktorovich Ionov for allegedly orchestrating “a years-long foreign malign influence campaign that used various U.S. political groups to sow discord, spread pro-Russian propaganda, and interfere in elections within the United States.”
Prosecutors allege that the conspiracy was to establish relationships that would “further the interests of the Russian Federation.” Ionov, the indictment alleges, worked with FSB agents to “identify and exploit” connections with the US political groups.
They describe the groups as “separatist groups” based in Florida and California that advocated for seceding from the US and allege that Ionov had “direction or control over these groups on behalf of the FSB,” providing financial support for the groups and using them to publish Russian and pro-separatist propaganda online and on the radio. The Treasury Department also announced sanctions Friday against Ionov and Natalya Valeryevna Burlinova, the president of an organization allegedly connected to the Russian intelligence service, and their organizations. (Tierney Sneed and Holmes Lybrand / CNN)
Researchers at Sentinel Labs say that a threat actor associated with the LockBit 3.0 ransomware operation is abusing the Windows Defender command line tool to load beacons from penetration testing technology Cobalt Strike on compromised systems and evade detection by security software.
In a recent incident response case for a LockBit ransomware attack, researchers at Sentinel Labs observed the attackers exploiting a Log4j flaw on vulnerable VMware Horizon servers to run PowerShell code, and then abusing Microsoft Defender’s command line tool “MpCmdRun.exe” to side-load malicious DLLs that decrypt and install Cobalt Strike beacons. (Bill Toulas / Bleeping Computer)
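The defensive angle on the MpCmdRun.exe abuse above is that a signed Defender binary is being run from an unexpected location and made to load a DLL that Defender never ships. The following is an added example, not code from Sentinel Labs or Bleeping Computer, showing detection heuristics for that pattern run over a handful of constructed process-creation and image-load events. The key="value" event format, the file paths in the samples and the DLL name are all constructed for the demonstration; the only real facts assumed are the two directories from which Defender's MpCmdRun.exe legitimately runs.

```python
"""Detection heuristics for MpCmdRun.exe used as a DLL side-loading host.

Added example.  The event lines are a constructed key="value" format,
not a real Sysmon or EDR schema; adapt parse_event() to your telemetry.
"""
import re

# Directories from which Defender's MpCmdRun.exe legitimately runs: the classic
# install path and the platform-update tree (one versioned subdirectory per
# platform release).  Lower-case because all comparisons below are case-folded.
LEGIT_DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)
# DLL loads from these locations are expected (Defender's own DLLs plus the
# Windows system directories); anything else loaded by MpCmdRun.exe is a lead.
TRUSTED_LOAD_DIRS = LEGIT_DEFENDER_DIRS + (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)
SHELL_PARENTS = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe")

EVENT_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Parse one constructed key="value" event line into a dict."""
    return dict(EVENT_RE.findall(line))


def under_any(path, dirs):
    """True if the case-folded path starts with one of the given directories."""
    return path.lower().startswith(dirs)


def check_event(ev):
    """Return a finding string for a suspicious MpCmdRun.exe event, else None."""
    image = ev.get("Image", "").lower()
    if not image.endswith("\\mpcmdrun.exe"):
        return None
    kind = ev.get("Event")
    if kind == "ProcessCreate":
        if not under_any(image, LEGIT_DEFENDER_DIRS):
            # A copied binary is the classic side-loading setup: the attacker
            # controls the directory the loader searches first.
            return "MpCmdRun.exe started from a non-Defender directory"
        if ev.get("ParentImage", "").lower().endswith(SHELL_PARENTS):
            # Admins do run MpCmdRun.exe from a shell, so this is a
            # lower-confidence lead: review the parent command line.
            return "MpCmdRun.exe launched by a shell interpreter"
    elif kind == "ImageLoad":
        loaded = ev.get("ImageLoaded", "")
        if loaded.lower().endswith(".dll") and not under_any(loaded, TRUSTED_LOAD_DIRS):
            return "MpCmdRun.exe loaded a DLL from outside trusted directories: " + loaded
    return None


def scan(lines):
    """Run check_event over every line; return (image, finding) pairs."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reason = check_event(ev)
        if reason:
            findings.append((ev.get("Image"), reason))
    return findings


# Constructed sample telemetry: two benign runs, a copied binary launched from
# PowerShell, its DLL side-load, a benign system DLL load, and an admin run.
SAMPLE_EVENTS = [
    r'Event="ProcessCreate" Image="C:\Program Files\Windows Defender\MpCmdRun.exe" ParentImage="C:\Windows\System32\svchost.exe" CommandLine="MpCmdRun.exe -SignatureUpdate"',
    r'Event="ProcessCreate" Image="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MpCmdRun.exe" ParentImage="C:\Windows\System32\svchost.exe" CommandLine="MpCmdRun.exe -Scan -ScanType 1"',
    r'Event="ProcessCreate" Image="C:\Users\Public\MpCmdRun.exe" ParentImage="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="MpCmdRun.exe"',
    r'Event="ImageLoad" Image="C:\Users\Public\MpCmdRun.exe" ImageLoaded="C:\Users\Public\sideload.dll"',
    r'Event="ImageLoad" Image="C:\Program Files\Windows Defender\MpCmdRun.exe" ImageLoaded="C:\Windows\System32\kernel32.dll"',
    r'Event="ProcessCreate" Image="C:\Program Files\Windows Defender\MpCmdRun.exe" ParentImage="C:\Windows\System32\cmd.exe" CommandLine="MpCmdRun.exe -GetFiles"',
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```

The first two rules (binary outside the Defender directories, DLL loaded from outside trusted directories) are high-signal on their own; the shell-parent rule exists only to surface legitimate-looking runs for review, since an operator who reaches MpCmdRun.exe through a PowerShell stage, as in the case described, may still launch the genuine binary from its real path.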
U.S. lawmakers and researchers are seeking solutions for securing the thousands of satellites orbiting the Earth, many of which are now controlled by the private sector.
“We need to make every effort to understand what further actions can be and should be taken to strengthen cybersecurity for civil and commercial space systems, including commercial space systems that provide mission-critical government data and services,” said Rep. Don Beyer (D-VA), chairman of the House Science, Space, and Technology Committee’s Subcommittee on Space and Aeronautics, at a hearing of that subcommittee. One witness, Theresa Suloway, Space Cybersecurity Engineer at MITRE Corporation, testified in favor of incentivizing commercial-sector information sharing through voluntary collaboration rather than regulation, partly out of concern that commercial space companies would otherwise choose to launch from other parts of the world where they did not have to comply. (Andrea Peterson / The Record)
Morocco’s national security authorities have apprehended a French national, Sebastien Raoult, who is wanted by the US for alleged cybercrime, under a cooperation framework between Morocco’s General Directorate for National Security (DGSN) and the FBI.
U.S. intelligence authorities suspect that the French student is affiliated with ShinyHunters, an infamous cyberterrorism group believed to be behind some of the most notable data breaches made public in the past two years, including multiple cyber attack operations that targeted U.S. companies such as tech giant Microsoft. According to media reports, the suspect’s attorney is requesting that Moroccan authorities extradite his client to France rather than the United States, maintaining that he had only ever been to Morocco and France. (Jihane Rahhou / Morocco World News)
Researchers at Volexity say that a threat actor operating with interests aligned with North Korea has been deploying a malicious extension on Chromium-based web browsers capable of stealing email content from Gmail and AOL in a cluster of activity they call SharpTongue.
SharpTongue shares overlaps with an adversarial collective publicly referred to as Kimsuky and has a history of singling out individuals working for organizations in the U.S., Europe, and South Korea on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea. The group’s latest effort employs an extension named Sharpext to exfiltrate email data. (Ravie Lakshmanan / The Hacker News)
Nirvana Finance, a Solana-based yield protocol, suffered a $3.5 million exploit utilizing flash loans to manipulate and drain its liquidity pools.
Nirvana’s stablecoin NIRV dropped 85% from its dollar peg after the hack. Nirvana appealed to the hacker on Twitter and offered a $300,000 “white hat” bounty and a cessation of further investigation if the stolen funds were returned. (Shaurya Malwa / Coindesk)
Students at Sapir College near Sderot in Israel received text messages claiming that their personal information was being held for ransom by hackers.
The college issued a statement saying that "So far, no traces of a hack into sensitive information systems or personal accounts have been found.” (Arutz Sheva)
Trend Micro researchers say the Gootkit access-as-a-service (AaaS) malware operators have resurfaced with updated techniques to compromise unsuspecting victims.
Although Gootkit used freeware installers to mask malicious files in the past, the researchers say it now uses legal documents to trick users into downloading these files. (Ravie Lakshmanan / The Hacker News)
Related: Trend Micro