Apr 16, 2024NewsroomPrivacy Breach / Regulatory Compliance

The U.S. Federal Trade Commission (FTC) has ordered the mental telehealth company Cerebral from using or disclosing personal data for advertising purposes.

It has also been fined more than $7 million over charges that it revealed users’ sensitive personal health information and other data to third parties for advertising purposes and failed to honor its easy cancellation policies.

“Cerebral and its former CEO, Kyle Robertson, repeatedly broke their privacy promises to consumers and misled them about the company’s cancellation policies,” the FTC said in a press statement.

While claiming to offer “safe, secure, and discreet” services in order to get consumers to sign up and provide their data, the company, FTC alleged, did not clearly disclose that the information would be shared with third-parties for advertising.

The agency also accused the company of burying its data sharing practices in dense privacy policies, with the company engaging in deceptive practices by claiming that it would not share users’ data without their consent.

The company is said to have provided the sensitive information of nearly 3.2 million consumers to third parties such as LinkedIn, Snapchat, and TikTok by integrating tracking tools within its websites and apps that are designed to provide advertising and data analytics functions.

The information included names; medical and prescription histories; home and email addresses; phone numbers; birthdates; demographic information; IP addresses; pharmacy and health insurance information; and other health information.

The FTC complaint further accused Cerebral of failing to enforce adequate security guardrails by allowing former employees to access users’ medical records from May to December 2021, using insecure access methods that exposed patient information, and not restricting access to consumer data to only those employees who needed it.

“Cerebral sent out promotional postcards, which were not in envelopes, to over 6,000 patients that included their names and language that appeared to reveal their diagnosis and treatment to anyone who saw the postcards,” the FTC said.

Pursuant to the proposed order, which is pending approval from a federal court, the company has been barred from using or disclosing consumers’ personal and health information to third-parties for marketing, and has been ordered to implement a comprehensive privacy and data security program.

Cerebral has also been asked to post a notice on its website alerting users of the FTC order, as well as adopt a data retention schedule and delete most consumer data not used for treatment, payment, or health care operations unless they have consented to it. It’s also required to provide a mechanism for users to get their data deleted.

The development comes days after alcohol addiction treatment firm Monument was prohibited by the FTC from disclosing health information to third-party platforms such as Google and Meta for advertising without users’ permission between 2020 and 2022 despite claiming such data would be “100% confidential.”

The New York-based company has been ordered to notify users about the disclosure of their health information to third parties and ensure that all the shared data has been deleted.

“Monument failed to ensure it was complying with its promises and in fact disclosed users’ health information to third-party advertising platforms, including highly sensitive data that revealed that its customers were receiving help to recover from their addiction to alcohol,” FTC said.

Over the past year, FTC has announced similar enforcement actions against healthcare service providers like BetterHelp, GoodRx, and Premom for sharing users’ data with third-party analytics and social media firms without their consent.

It also warned [PDF] Amazon against using patient data for marketing purposes after it finalized a $3.9 billion acquisition of membership-based primary care practice One Medical.

Mar 30, 2024NewsroomLinux / Supply Chain Attack

RedHat on Friday released an “urgent security alert” warning that two versions of a popular data compression library called XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access.

The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9).

“Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code,” the IBM subsidiary said in an advisory.

“This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.”

Specifically, the nefarious code baked into the code is designed to interfere with the sshd daemon process for SSH (Secure Shell) via the systemd software suite, and potentially enable a threat actor to break sshd authentication and gain unauthorized access to the system remotely “under the right circumstances.”

Microsoft security researcher Andres Freund has been credited with discovering and reporting the issue on Friday. The heavily obfuscated malicious code is said to have been introduced over a series of four commits to the Tukaani Project on GitHub by a user named JiaT75.

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund said. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes.'”

Microsoft-owned GitHub has since disabled the XZ Utils repository maintained by the Tukaani Project “due to a violation of GitHub’s terms of service.” There are currently no reports of active exploitation in the wild.

Evidence shows that the packages are only present in Fedora 41 and Fedora Rawhide, and do not impact Red Hat Enterprise Linux (RHEL), Debian Stable, Amazon Linux, and SUSE Linux Enterprise and Leap.

Out of an abundance of caution, Fedora Linux 40 users have been recommended to downgrade to a 5.4 build. Some of the other Linux distributions impacted by the supply chain attack are below –

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert of its own, urging users to downgrade XZ Utils to an uncompromised version (e.g., XZ Utils 5.4.6 Stable).

The U.S. Department of Justice (DoJ) on Monday unsealed indictments against seven Chinese nationals for their involvement in a hacking group that targeted U.S. and foreign critics, journalists, businesses, and political officials for about 14 years.

The defendants include Ni Gaobin (倪高彬), Weng Ming (翁明), Cheng Feng (程锋), Peng Yaowen (彭耀文), Sun Xiaohui (孙小辉), Xiong Wang (熊旺), and Zhao Guangzong (赵光宗).

The suspected cyber spies have been charged with conspiracy to commit computer intrusions and conspiracy to commit wire fraud in connection with a state-sponsored threat group tracked as APT31, which is also known as Altaire, Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium). The hacking collective has been active since at least 2010.

Specifically, their responsibilities entail testing and exploiting the malware used to conduct the intrusions, managing the attack infrastructure, and conducting surveillance of specific U.S. entities, federal prosecutors noted, adding the campaigns are designed to advance China’s economic espionage and foreign intelligence objectives.

Both Gaobin and Guangzong are alleged to be linked to Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), a front company that’s believed to have conducted several malicious cyber operations for the Ministry of State Security (MSS).

Intrusion Truth, in a report published in May 2023, characterized Wuhan XRZ as a “sketchy-looking company in Wuhan looking for vulnerability-miners and foreign language experts.”

As well as announcing a reward of up to $10 million for information that could lead to identification or whereabouts of people associated with APT31, the U.K. and the U.S. have also levied sanctions against the Gaobin, Guangzong, and Wuhan XRZ for endangering national security and for targeting parliamentarians across the world.

“These allegations pull back the curtain on China’s vast illegal hacking operation that targeted sensitive data from U.S. elected and government officials, journalists and academics; valuable information from American companies; and political dissidents in America and abroad,” stated U.S. Attorney Breon Peace.

“Their sinister scheme victimized thousands of people and entities across the world, and lasted for well over a decade.”

The sprawling hacking operation involved the defendants and other members of APT31 sending more than 10,000 emails to targets of interest that came with hidden tracking links that exfiltrated the victims’ location, internet protocol (IP) addresses, network schematics, and the devices used to access the email accounts simply upon opening the messages.

This information subsequently enabled the threat actors to conduct more targeted attacks tailored to specific individuals, including by compromising the recipients’ home routers and other electronic devices.

The threat actors are also said to have leveraged zero-day exploits to maintain persistent access to victim computer networks, resulting in the confirmed and potential theft of telephone call records, cloud storage accounts, personal emails, economic plans, intellectual property, and trade secrets associated with U.S. businesses.

Other spear-phishing campaigns orchestrated by APT31 have further been found to target U.S. government officials working in the White House, at the Departments of Justice, Commerce, Treasury and State, and U.S. Senators, Representatives, and election campaign staff of both political parties.

The attacks were facilitated by means of custom malware such as RAWDOOR, Trochilus, EvilOSX, DropDoor/DropCat, and others that established secure connections with adversary-controlled servers to receive and execute commands on the victim machines. Also put to use was a cracked version of Cobalt Strike Beacon to conduct post-exploitation activities.

Some of the prominent sectors targeted by the group are defense, information technology, telecommunications, manufacturing and trade, finance, consulting, and legal and research industries. APT31 also singled out dissidents around the world and others who were perceived to be supporting them.

“APT31 is a collection of Chinese state-sponsored intelligence officers, contract hackers, and support staff that conduct malicious cyber operations on behalf of the Hubei State Security Department (HSSD),” the Treasury said.

“In 2010, the HSSD established Wuhan XRZ as a front company to carry out cyber operations. This malicious cyber activity resulted in the surveillance of U.S. and foreign politicians, foreign policy experts, academics, journalists, and pro-democracy activists, as well as persons and companies operating in areas of national importance.”

“Chinese state-sponsored cyber espionage is not a new threat and the DoJ’s unsealed indictment today showcases the full gambit of their cyber operations in order to advance the People’s Republic of China (PRC) agenda. While this is not a new threat, the scope of the espionage and the tactics deployed are concerning,” Alex Rose, director of government partnerships at Secureworks Counter Threat Unit, said.

“The Chinese have evolved their typical MO in the last couple of years to evade detection and make it harder to attribute specific cyber-attacks to them. This is part of a broader strategic effort that China is able to execute on. The skills, resources and tactics at the disposal of the PRC make them an ongoing high and persistent threat to governments, businesses, and organizations around the world.”

The charges come after the U.K. government pointed fingers at APT31 for “malicious cyber campaigns” aimed at the country’s Electoral Commission and politicians. The breach of the Electoral Commission led to the unauthorized access of voter data belonging to 40 million people.

The incident was disclosed by the regulator in August 2023, although there is evidence that the threat actors accessed the systems two years prior to it.

China, however, has rejected the accusations, describing them as “completely fabricated” and amounting to “malicious slanders.” A spokesperson for the Chinese embassy in Washington D.C. told the BBC News the countries have “made groundless accusations.”

“The origin-tracing of cyberattacks is highly complex and sensitive. When investigating and determining the nature of cyber cases, one needs to have adequate and objective evidence, instead of smearing other countries when facts do not exist, still less politicize cybersecurity issues,” Foreign Ministry Spokesperson Lin Jian said.

“We hope relevant parties will stop spreading disinformation, take a responsible attitude and jointly safeguard peace and security in the cyberspace. China opposes illegal and unilateral sanctions and will firmly safeguard its lawful rights and interests.”

Mar 24, 2024NewsroomRansomware / Threat Intelligence

German authorities have announced the takedown of an illicit underground marketplace called Nemesis Market that peddled narcotics, stolen data, and various cybercrime services.

The Federal Criminal Police Office (aka Bundeskriminalamt or BKA) said it seized the digital infrastructure associated with the darknet service located in Germany and Lithuania and confiscated €94,000 ($102,107) in cryptocurrency assets.

The operation, conducted in collaboration with law enforcement agencies from Germany, Lithuania, and the U.S., took place on March 20, 2024, following an extensive investigation that commenced in October 2022.

Founded in 2021, Nemesis Market is estimated to have had more than 150,000 user accounts and 1,100 seller accounts from all over the world prior to its shutdown. Almost 20$ of the seller accounts were from Germany.

“The range of goods available on the marketplace included narcotics, fraudulently obtained data and goods, as well as a selection of cybercrime services such as ransomware, phishing, or DDoS attacks,” the BKA said.

The agency said further investigations against criminal sellers and users of the platform are presently ongoing. That said, no arrests have been made.

The development comes a month after another coordinated law enforcement operation took down the LockBit ransomware group, taking control of the outfit’s servers and arresting three affiliates from Poland and Ukraine. The disruption prompted the gang to relaunch its cyber extortion operation.

In recent months, German authorities have also taken down Kingdom Market and Crimemarket, both of which boasted of thousands of users and offered a wide array of money laundering and cybercrime services.

Feb 15, 2024The Hacker NewsSaaS Security / Risk Management

With many of the highly publicized 2023 cyber attacks revolving around one or more SaaS applications, SaaS has become a cause for genuine concern in many boardroom discussions. More so than ever, considering that GenAI applications are, in fact, SaaS applications.

Wing Security (Wing), a SaaS security company, conducted an analysis of 493 SaaS-using companies in Q4 of 2023. Their study reveals how companies use SaaS today, and the wide variety of threats that result from that usage. This unique analysis provides rare and important insights into the breadth and depth of SaaS-related risks, but also provides practical tips to mitigate them and ensure SaaS can be widely used without compromising security posture.

The TL;DR Version Of SaaS Security

2023 brought some now infamous examples of malicious players leveraging or directly targeting SaaS, including the North Korean group UNC4899, 0ktapus ransomware group, and Russian Midnight Blizzard APT, which targeted well-known organizations such as JumpCloud, MGM Resorts, and Microsoft (respectively), and probably many others that often go unannounced.

The first insight from this research cements the concept that SaaS is the new supply chain, providing an almost intuitive framework to the importance of securing SaaS usage. These applications are clearly an integral part of the modern organization’s set of tools and vendors. That said, long gone are the days when every 3rd party with access to company data had to go through security or IT approval. Even in the most rigorous companies, when a diligent employee needs a quick and efficient solution, they’ll look it up and use it to get their jobs’ done faster and better. Again, think of the widespread use of GenAI, and the picture is clear.

As such, any organization concerned about the security of its supply chain must adopt SaaS security measures. According to the MITRE ATT&CK technique ‘Trusted Relationships’ (T1199), a supply chain attack occurs when an attacker targets a vendor to exploit it as a means to infiltrate a broader network of companies. By entrusting sensitive data to external SaaS vendors, organizations subject themselves to supply chain risks that reach beyond immediate security concerns.

Four Common SaaS Risks

There are various reasons and ways in which SaaS is being targeted. The good news is that most of the risks can be significantly mitigated when monitored and controlled. Basic SaaS security capabilities are even free, suited for organizations that are just beginning to develop their SaaS security posture or need to compare it to their current solution.

1) Shadow SaaS

The first problem with SaaS usage is the fact that it often goes completely unnoticed: The number of applications used by organizations is typically 250% larger than what a basic and often-used query of the workspace reveals.

Amongst the companies analyzed:

• 41% of applications were used by only one individual, resulting in a very long tail of unsanctioned applications.
• 1 out of 5 users were utilizing applications not used by anyone else within their organization, creating security and resource strains.
• 63% of single-user applications were not even accessed within a 3-month period, begging the question – why keep them connected to company data?
• 96.7% of organizations used at least one application that had a security incident in the previous year, solidifying the continuous risk and need for proper mitigation.

2) MFA Bypassing

Wing’s research indicates a trend where users opt to use a username/password to access the services they need, bypassing the security measures in place (see image 1).

Image 1: From Wing Security’s research, bypassing MFA.

3) Forgotten tokens

Users grant the applications they need tokens; this is necessary for the SaaS applications to serve their purpose. The problem is that these tokens are often forgotten about after a few or just one use. Wing’s research revealed a large presence of unused tokens over a period of 3 months, creating an unnecessarily large attack surface for many customers (Image 2).

4) The new risk of Shadow AI

In the beginning of 2023, security teams primarily concentrated on a select few renowned services offering access to AI-based models. However, as the year progressed, thousands of conventional SaaS applications adopted AI models. The research shows that 99.7% of companies were using applications with integrated AI capabilities.

Organizations were required to agree to updated terms and conditions permitting these applications to utilize and refine their models using the organizations’ most confidential data. Often, these revised terms and conditions slipped under the radar, along with the usage of AI itself.

There are different ways in which AI applications may use your data for their training models. This can come in the form of learning your data, storing your data and even having a human manually go over your data to improve the AI model. According to Wing, this capability is often configurable and totally avoidable, provided it is not overlooked.

Solving SaaS Security Challenges In 2024

The report ends on a positive note, listing 8 ways in which companies can mitigate the growing threat of the SaaS supply chain. Including:

1. Ongoing shadow IT discovery and management.
2. Prioritize the remediation of SaaS misconfigurations
3. Optimize anomaly detection with predefined frameworks, automate when possible.
4. Discover and monitor all AI-using SaaS applications, and constantly monitor your SaaS for updates in their T&C pertaining to AI usage.

For the full list of findings, tips on ensuring safe SaaS usage and a 2024 SaaS security forecast, download the full report here.

Jan 31, 2024NewsroomVulnerability / Endpoint Security

Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc).

Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc’s __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It’s said to have been accidentally introduced in August 2022 with the release of glibc 2.37.

“This flaw allows local privilege escalation, enabling an unprivileged user to gain full root access,” Saeed Abbasi, product manager of the Threat Research Unit at Qualys, said, adding it impacts major Linux distributions like Debian, Ubuntu, and Fedora.

A threat actor could exploit the flaw to obtain elevated permissions via specially crafted inputs to applications that employ these logging functions.

“Although the vulnerability requires specific conditions to be exploited (such as an unusually long argv[0] or openlog() ident argument), its impact is significant due to the widespread use of the affected library,” Abbasi noted.

The cybersecurity firm said further analysis of glibc unearthed two more flaws in the __vsyslog_internal() function (CVE-2023-6779 and CVE-2023-6780) and a third bug in the library’s qsort () function that can lead to memory corruption.

The vulnerability found in qsort() has affected all glibc versions released since 1992.

The development comes nearly four months after Qualys detailed another high-severity flaw in the same library called Looney Tunables (CVE-2023-4911, CVSS score: 7.8) that could result in privilege escalation.

“These flaws highlight the critical need for strict security measures in software development, especially for core libraries widely used across many systems and applications,” Abbasi said.