Data breaches, DDoS bosses, and modem problems
This week, one data breach hit a school system in SoCal while another hit none other than NASA.
Feds take down DDoS bosses
Dirty deeds in the digital age can mean various forms of internet sabotage, but one of the cybercriminal’s favorite ploys is the DDoS attack, the tactic of infecting a mass amount of computers and devices so that together they become a botnet which can overwhelm a targeted domain with traffic, forcing it to freeze up. Someone who wants to dip into this criminal endeavor could engage a “booter” service, so named because it results in the targeted website being “booted” from online to off. Essentially, these are DDoS-for-hire sites, and up until this week, the most popular ones were Downthem, Ampnode, and Quantum Stress. That’s no longer true as the FBI has seized all three sites, as well as many ancillary ones, and busted three men running the operations.
A 30-year-old from Illinois and a 25-year-old from California were charged with running the Downthem and Ampnode platforms, responsible for over 200,000 DDoS attacks over the last four years, and a 23-year-old from Pennsylvania was brought in for running the Quantum Stress platform, the longest-running DDoS service in operation and responsible for over 50,000 attacks. While the alleged perpetrators are tried for their crimes, the DoJ did not mention in their official statement if the FBI will also look into the tens of thousands of customers registered with the booter websites.
“This is really good news,” comments Luis Corrons, Avast security evangelist. “Cybercriminals have been using DDoS attacks as a means to run extortion schemes just like real-life gangsters. Typically cybercriminals will target SMBs and once the initial attack is complete, they offer ‘antiDDoS’ services to the victim as a means to avoid future attacks. If the scam doesn’t pay off, they then launch a full-scale attack.” Corrons adds that unfortunately, the cons can just go on: “There are for-hire services, too, where people just rent a botnet, for example, to launch an attack against a competitor. Finding out who is behind these attacks is almost impossible, so getting rid of the infrastructure that enables it and the people in charge of it is the best way to deal with this.”
Schneider Electric patches EVLink flaw
A critical vulnerability in the EVLink parking devices, the electric vehicle charging stations one commonly finds in parking structures for hotels and office buildings, has been flagged by its maker Schneider Electric. The flaw involves hard-coded credentials that can be compromised to give an attacker access to the device. This week, Schneider issued a patch for this and two other vulnerabilities in their EVLink devices. Exploiting any of these flaws would allow access to certain parts of the system, including payment data.
Breachers target teachers
The info of students and staff alike in the San Diego Unified School District is at risk due to a data breach that stretched from January through November 2018. Using phishing tactics to get in, the attacker gained access to school records dating as far back as the 2008-2009 school year and consisting of in-depth files on over 500,000 people. The treasure trove of data includes names, addresses, personal records, staff wages, heath info, and more.
SDUSD staff became aware of the breach in October, but did not announce it for fear of alerting the attacker. Instead, staff IT officials monitored the web traffic associated with the breached info. While nobody has been named as of yet, SDUSD reports that “school police have identified a subject of investigation” but cannot say more due to the ongoing nature of the case.
Orange modems leak data in Europe
A cybersecurity team noticed a threat actor scanning for Orange modems beginning December 21, and still continuing as of this writing. The hacker is exploiting a vulnerability in Orange Livebox devices which allows him or her to see the Wi-Fi password and network ID (SSID). The researchers have identified 19,500 Orange Livebox ADSL modems that are vulnerable, almost all of them located in France and Spain, and have shared the list with the security team at Orange. On December 23, Orange CERT acknowledged in a tweet that they are working on the issue.
“Diversity is great for security, and the lack of it is great for attackers,” explains Corrons. “ISPs usually provide routers and modems to their clients, and each one likely provides the same model to all its clients. What this means is that big ISPs have millions of customers using the same hardware, so when a security hole or vulnerability shows up, that equipment puts all of those customers at risk.”
Houston, we have a data breach problem
An internal memo was issued to all NASA employees on December 18 announcing that the agency had suffered another data breach. The entire scope of the breach is unclear, but the Assistant Administrator of the Office of the Chief Human Capital Officer reported in the memo that “After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other PII data of current and former NASA employees may have been compromised.” NASA IT operations has been criticized for using weak security for years now, as the agency suffered another major breach in 2016.
The memo also states that “NASA and its Federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals. This process will take time.”