The Good, the Bad and the Ugly in Cybersecurity – Week 1

The Good

This past week saw cybersecurity end 2020 on a couple of high notes. First, we were delighted to learn that the UK’s National Crime Agency has apprehended 21 individuals in relation to purchasing stolen data from the now defunct online criminal marketplace WeLeakInfo.

The site, which was taken down at the beginning of 2020, had hosted some 12 billion stolen credentials harvested from over 10,000 data breaches. Those arrested were males aged between 18 and 38, suspected of fraud and/or offences against the Computer Misuse Act. Along with the arrests, around $55,000 in Bitcoin was also seized.

Earlier in December, Microsoft shared information about how the recent SolarWinds breach and the nation-state actor thought to be behind it were targeting its Azure/Microsoft 365 customers. Good to hear that this week CISA’s Cloud Forensics team has released an open-source PowerShell tool for incident responders called Sparrow, which helps detect possibly compromised accounts. Among other things, the script checks for known IoCs related to SolarWinds, lists Azure AD domains and checks certain API permissions to identify potential malicious activity. The seriousness of this recent APT campaign cannot be overstated, and CISA’s tool is a welcome addition in the fight to secure enterprises against the consequences of the SolarWinds supply chain attack.

The Bad

We’re all looking forward to better news in 2021, particularly regarding COVID-19 and the continued rollout and development of vaccines, but the lure of easy spoils from organizations focused on responding to the pandemic continues to be too much to resist for some threat actors. This past week a laboratory in Belgium working on COVID-19 was brought to a halt after cyber criminals infected the General Medical Laboratory (AML) in Antwerp with ransomware.

The AML is a private enterprise handling around 3000 COVID-19 tests daily and ranks as the largest private testing laboratory in the country, handling around 5% of the nation’s cases.

Although similar attacks such as last month’s breach of the European Medicines Agency also targeted data theft, there is as yet no evidence of patient data having been stolen. Details also remain unclear as to which strain of ransomware was involved or what amount the attackers are seeking for the ransom. However, forcing a COVID-19 testing facility into downtime at this stage of the pandemic is already a cost we could all well do without.

The Ugly

Finally this week, another ugly data breach hit the news, this time all the more unsightly as the data exposed belongs to 930,000 US children, teens and college students.

According to reports, GetSchooled, an education charity founded by Viacom and the Bill & Melinda Gates Foundation, exposed the PII (personally identifiable information) of students in a database containing 125 million records with names, addresses, phone numbers, ages, gender, school and graduation details. GetSchooled, however, has stated that the number of leaked records is closer to 250,000, with only 75,000 linked to email addresses that remain active.

It is not known how long the data was exposed for, but there is some concern about the extended timeline. The breach was reported to a UK cyber security company, TurgenSec, by an unidentified third party. The security firm then informed GetSchooled of the issue on November 17th. However, it took until December 21st for the issue to be resolved, and an investigation and review are said to be pending until after the New Year. That timeline has attracted some criticism, and the lack of details regarding the original source that reported the breach is also a worry.

As we’ve seen in the past and noted above in relation to the WeLeakInfo marketplace, this kind of data, once exposed, can soon end up being dumped on hacker forums or found for sale in darknet marketplaces, where it is traded for use in phishing attacks, identity theft, automated account takeovers, fraud and other criminal activities.