[Security Weekly] US DoJ Indicts Two Chinese Hackers for Stealing Intellectual Property for Over a Decade

4th Week of July 2020


1. US DoJ indicts two Chinese hackers for stealing intellectual property for over a decade

On July 21, US Assistant Attorney General for National Security John Demers held a press conference announcing the indictment of two Chinese hackers for theft of intellectual property.

According to the indictment, the two hackers worked both for their own gain and on behalf of the Chinese Ministry of State Security. Their campaign ran for more than ten years and stole intellectual property and trade secrets from hundreds of firms in eight technology sectors across the eleven countries listed below.

Targeted industries included high-tech manufacturing, civil and industrial engineering, robotics, aerospace and maritime equipment, clean energy, and biotechnology. Research facilities working on COVID-19 vaccines and treatments were among the most recent targets. Targeted countries included the US, Japan, Germany, the UK, South Korea, Spain, Australia, the Netherlands, Sweden, Belgium, and Lithuania.

Both hackers were charged with 11 counts, ranging from computer and wire fraud to identity theft and theft of trade secrets. According to the indictment, they exploited zero-day and unpatched vulnerabilities to gain access to corporate networks, then installed malware that stole credentials and exfiltrated data.

A leak of intellectual property can be just as damaging as a leak of personal data, but the consequences tend to surface only in the long run. Organizations should treat their intellectual property as sensitive data and encrypt it at the field or column level, keeping the keys outside the database: stored that way, a copied table or backup is useless to the thief. Note the limit of this control, which the indictment illustrates: an attacker who has stolen valid credentials can often read the data through the same application path a legitimate user would, so encryption must be paired with patching, credential hygiene, and monitoring for unusual data access. MyDiamo is an encryption solution for open-source databases including MySQL, MariaDB, and Percona, free for noncommercial use.

Sources: ZDNet, SC Media


2. Online learning platforms leak personal data of one million students

A cybersecurity research team at WizCase, a company that offers VPN reviews and advice, recently discovered four misconfigured AWS S3 buckets that had been left open to the public and contained unencrypted data.

The exposed buckets belonged to five online learning websites: US-based Square Panda and Playground Sessions, Brazil-based Escola Digital, South Africa-based MyTopDog, and Kazakhstan-based Okoo. In total they held over 900,000 user records.

The data included personally identifiable information on children and on their parents and teachers: names, dates of birth, home addresses, phone numbers, email addresses, user IDs, course information, and school information.

Although no financial records were exposed, this data is enough for targeted phishing, which can in turn lead to identity theft and monetary fraud. Many of the accounts are inactive, so their owners may not remember ever giving these sites any information and may be slower to recognise a follow-on attack. Users of these sites should treat unexpected emails, text messages, and phone calls with suspicion.

Meeting data security regulations requires two separate controls: storage and servers must be configured correctly (a world-readable bucket is a configuration failure before it is an encryption failure), and the sensitive data inside them must be encrypted so that an exposed copy is useless without the keys. D’Amo is an encryption solution that helps companies meet compliance requirements and limit the financial damage of a data leak.
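Before encryption is even considered, the first check a practitioner wants is whether a bucket grants access to everyone. The following example was added here by the editor; it is not code from the original page, from WizCase, or from Penta Security. It parses the JSON that `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` return and flags grants to the wildcard principal or to the AllUsers/AuthenticatedUsers groups. Both sample documents are constructed for illustration, and the bucket name, account ID and role name in them are made up.

```python
"""Offline check for S3 bucket policies and ACLs that grant public access.

Added example, not from the original page. The JSON shapes follow the output
of `aws s3api get-bucket-policy` (the "Policy" string parsed as JSON) and
`aws s3api get-bucket-acl`; the sample documents below are constructed.
"""
import json

# Grantee URIs AWS uses for "everyone" and "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """True if the statement's Principal is the wildcard (any caller)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy: dict) -> list:
    """Return descriptions of Allow statements that apply to any principal.

    A Condition block can narrow the grant (for example to a VPC endpoint), so
    conditioned statements are reported for review rather than as findings.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = ",".join(_as_list(stmt.get("Action", [])))
        if stmt.get("Condition"):
            findings.append(f"{sid}: public but conditioned ({actions}) - review")
        else:
            findings.append(f"{sid}: PUBLIC ({actions})")
    return findings


def public_acl_grants(acl: dict) -> list:
    """Return ACL grants made to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{group}: {grant.get('Permission')}")
    return findings


# Constructed sample policy: one public read statement and one scoped to a role.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

# Constructed sample ACL: owner has full control, everyone can list/read.
SAMPLE_ACL = json.loads("""{
  "Owner": {"ID": "owner-canonical-id"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}
  ]
}""")

if __name__ == "__main__":
    for line in public_policy_statements(SAMPLE_POLICY) + public_acl_grants(SAMPLE_ACL):
        print(line)
```

The check is deliberately conservative: it does not evaluate `NotPrincipal`, `NotAction` or object-level ACLs, so a clean result is not proof of a private bucket. The durable fix is to turn on S3 Block Public Access for the whole account (`aws s3api put-public-access-block` per bucket, or `aws s3control put-public-access-block` at account level), which overrides any public policy or ACL an engineer later adds by mistake.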

Source: Infosecurity


3. Telecom Argentina hit by REvil ransomware, 18,000 computers infected

Telecom Argentina, one of Argentina’s largest internet service providers (ISPs), suffered an attack by the REvil ransomware group on July 18, where more than 18,000 workstations across the company were infected.

In exchange for decrypting the locked files, the ransomware operators initially demanded $7.5 million in Monero, then doubled the demand to $15 million on July 21, making it the largest ransomware demand of the year so far and one of the largest cyberattacks in Argentine history.

Telecom Argentina has not yet commented on the incident. However, according to information posted online by many employees, the attack caused severe damage to the company’s network. After compromising a domain administrator account on a single device, the attackers used those privileges to push the ransomware to over 18,000 computers across the domain.

Over the weekend, employees received alerts issued by the company warning them to stay away from the corporate network and to not open emails containing archived files.

Although the attack took the company website offline, it did not affect Telecom Argentina’s customers: all internet, cable, and telephone services provided by the ISP remained functional.

According to available information, the attackers appear to have gained their initial foothold on the corporate network through a malicious email attachment sent to one of its employees.
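The warning to employees not to open emails carrying archived files reflects how mail gateways handle the initial-access step described above: an archive hides its members from a plain extension filter, so the archive has to be opened and each member judged. The following example was added here by the editor and is not code from the page, from Telecom Argentina, or from any vendor; the blocked-extension list is an assumed policy, and the three sample archives are constructed in memory.

```python
"""Triage of zip attachments at a mail gateway.

Added example, not from the original page. It opens an archive, inspects each
member and returns reasons to quarantine it: executable or script members,
nested archives, encrypted members (which defeat content scanning) and an
implausible compression ratio (zip bomb). Sample archives are constructed.
"""
import io
import posixpath
import zipfile

# Assumed policy: member types that should never arrive from an external sender.
BLOCKED_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".iso", ".img",
}
NESTED_ARCHIVES = {".zip", ".rar", ".7z"}
MAX_RATIO = 100  # uncompressed/compressed ratio above which we suspect a zip bomb


def risky_members(archive_bytes: bytes) -> list:
    """Return a list of quarantine reasons; an empty list means no finding."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    for info in zf.infolist():
        name = info.filename
        # Only the final extension matters: "invoice.pdf.exe" is an .exe.
        ext = posixpath.splitext(name.lower())[1]
        if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
            reasons.append(f"{name}: encrypted member")
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"{name}: blocked type {ext}")
        if ext in NESTED_ARCHIVES:
            reasons.append(f"{name}: nested archive")
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            ratio = info.file_size // info.compress_size
            reasons.append(f"{name}: compression ratio {ratio}x")
    return reasons


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a double-extension lure, a benign archive and a zip bomb.
SAMPLE_PHISH = build_zip({
    "invoice_July2020.pdf.exe": b"MZ" + b"\x00" * 64,  # PE header stub
    "readme.txt": b"please see attached invoice",
})
SAMPLE_CLEAN = build_zip({"report.pdf": b"%PDF-1.4 ...", "notes.txt": b"ok"})
SAMPLE_BOMB = build_zip({"data.bin": b"\x00" * 1_000_000})

if __name__ == "__main__":
    for label, sample in [("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN), ("bomb", SAMPLE_BOMB)]:
        print(label, risky_members(sample) or "no findings")
```

The ratio check reads only the central directory, so it costs nothing even for a large archive; a gateway should apply it before extracting anything. Password-protected archives are reported rather than silently accepted, because the password is typically in the email body and the gateway cannot scan what it cannot open.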

Sources: ZDNet, Decrypt


4. University of York suffers data breach due to ransomware attack on service provider

The University of York, a public research university in England, reported a data breach incident that compromised the personal information of students, staff, alumni, and affiliates.

The breach was the result of a ransomware attack on Blackbaud, a cloud computing provider that supplies customer relationship management services to the university. Although the incident occurred in May 2020, Blackbaud only disclosed it two months later, on July 16, and the University of York was notified on the same day as the public disclosure.

The ransomware operators ran a double-extortion attack, exfiltrating a copy of the data before attempting to encrypt the database. The silver lining is that the encryption attempt failed, but Blackbaud still paid the attackers a ransom on the condition that all stolen data would be destroyed.

Compromised data included names, dates of birth, student numbers, phone numbers, home and email addresses, course information, qualifications, and career and employment histories. Blackbaud stressed that bank account and credit card information were safely encrypted prior to the attack.

The university reported the incident to the UK’s Information Commissioner’s Office (ICO), complaining that, as the main victim, it was not informed in time. Indeed, even though Blackbaud paid the ransom, there is no guarantee that the attackers destroyed the stolen data, so the affected individuals should have been notified immediately.

Had Blackbaud encrypted all the personal data in the database at the field level, with the keys held outside the database, the exfiltrated copy would have been worthless and there would have been nothing to pay for. The caveat is that this only holds if the attackers did not also obtain the keys or read the data through an authorised application path, which is why Blackbaud’s statement that payment card and bank details were encrypted, while the rest was not, matters so much here. Contact Penta Security for the right encryption solution.

Sources: BBC, Yorkshire Post


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: ISign+ 

Automotive and Mobility Security: AutoCrypt