[Security Weekly] REvil Ransomware Hits Prominent Law Firm, Threatens to Release President Trump’s Secrets
4th Week of May 2020
1. REvil ransomware hits prominent law firm, threatens to release Trump-related secrets
Grubman Shire Meiselas & Sacks, a New York-based entertainment and media law firm representing some of the most prominent companies and public figures in the US, was hit by the REvil ransomware in mid-May.
The attackers stole all data that they deemed valuable before encrypting them. A total size of 756 GB, these compromised data include the sensitive information of Lady Gaga, Madonna, Elton John, Bruce Springsteen, Mariah Carey, Barbara Streisand, and more.
The attackers initially demanded a ransom of $21 million, and published 2.4 GB of data relating to Lady Gaga online to prove their words. After a week of failed negotiations, the attackers doubled the ransom to $42 million, and threatened to leak data relating to President Trump which would be “severely damaging to his re-election”. The attackers emphasized that “no one would want him as president after seeing these data”, and indirectly threatened the President by urging him to put pressure on the law firm “if he wanted to remain president.”
President Trump was never a client of the law firm, thus experts believe that the attackers simply used the name to gain media attention. Earlier this week, the attackers claimed to have found buyers for Trump’s data.
Since the law firm stands firm on its position of denying the payment, the attackers changed their tactics by announcing that they would be holding an auction online every week with the stolen client data, starting this week with Madonna’s data at a base price of $1 million. By doing so, the attackers are essentially blackmailing both the law firm and the clients, by giving the clients a chance to anonymously buy back their sensitive data at the auctions. However, the situation could quickly escalate if the data gets sold to malicious third parties.
Sources: SC Media, BleepingComputer
2. EasyJet data breach leaks travel information of 9 million customers and 2,000 credit card details
On May 19, British low-cost airline EasyJet disclosed a cyberattack incident that compromised the travel information of 9 million passengers, as well as 2,208 credit card credentials.
EasyJet did not specify when and how the attack took place, but described the attackers as “highly sophisticated”. The stolen travel information included email addresses and travel itineraries. Such information could easily be used for further phishing attacks, perhaps with COVID-19 themes, given how airlines are closely relatable to the pandemic.
EasyJet reported the incident to the UK’s Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). It has promised to contact all 9 million affected customers before May 26.
As of yet, there is no reported case on any misuse of the compromised data. Nevertheless, experts recommend those 2,208 victims with their credit card credentials stolen to contact their card issuers to change their card numbers.
Over the recent years, the airline industry might have great safety records, but holds extremely poor information security records. This is the second mass-scale data breach from a British carrier in less than two years. British Airways’ data breach in 2018 which leaked 500,000 customer data has left the company with a fine of £183 million under the General Data Protection Regulation (GDPR).
{Penta Security’s database encryption solution MyDiamo provides a comprehensive encryption framework for open-source databases, protecting data from cyber threats.}
Sources: ZDNet, Threatpost
3. Source code for Mercedes Benz on-board units leaked online
On May 17, more than 580 git repositories containing the source code of the on-board units (OBUs) for Mercedes Benz vans were leaked online.
OBUs are built-in vehicle components that serve as the communication device for modern connected vehicles. They connect a car’s hardware to its built-in software, to mobile devices, and to road-side units. These components are the building blocks of vehicle-to-everything (V2X) communications, which is the foundation of semi- and full autonomous driving.
The intruder appears to be a Swiss software engineer named Till Kottmann, who self-reported to ZDNet claiming to be responsible for the leak. According to ZDNet, Kottmann successfully registered an account on Daimler’s GitLab server using a non-existent company email, which gave him access to all the git repositories in the server. Clearly, the company failed to implement an account registration verification process.
After analysis done by security experts, the leaked source code contains passwords and API tokens that could be used for attacks on Daimler’s internal IT systems.
{Modern cars contain OBUs that are responsible for all kinds of vehicle connections and data sharing. It is crucial for automakers to apply security measures to these OBUs to prevent intrusions. Learn more about vehicle security at autocrypt.io.}
Source: ZDNet
4. Critical vulnerability found in all Windows PCs with Thunderbolt ports
Followed by Intel, Microsoft made an announcement on May 17 confirming a newly discovered security vulnerability found in the Thunderbolt ports, affecting all Windows PCs regardless of the operating system.
Discovered by a security researcher at the Eindhoven University of Technology, the vulnerability was given its name Thunderspy. It allows anyone who has physical access to a Windows PC to modify its Thunderbolt port’s controller firmware and disable its security capabilities. It takes less than five minutes for an attacker to bypass all password protection and intrude the PC, view and exfiltrate encrypted data, and install malware.
Even though physical cyberattacks are relatively rare, users should still be extra cautious. As this is a hardware vulnerability, software patches would not fix the problem. Thus users would have to bear with it for the rest of the PC’s life.
An easy way to avoid the problem is to always turn the PC off when not around. This is because Thunderspy only allows a hacker to bypass the password if the computer is turned on or in sleep mode. It would not be able to intrude a PC that is completely shut off.
Sources: Forbes, Naked Security
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Web Application Firewall for Cloud: WAPPLES SA
Database Encryption: D’Amo
Authentication: ISign+
Smart Car Security: AutoCrypt