TikTok facing £12.7M fine from ICO over regulatory breaches in its use of children’s data
TikTok is currently facing a £12.7 million fine from the UK’s Information Commissioner’s Office (ICO) for several regulatory breaches concerning the use of children’s data. The fine focuses on TikTok’s failure to ensure underage users do not sneak onto its platform, and on its collection and use of children’s data without parental consent. The ICO says TikTok should have been aware of these data protection concerns on its platform and that its failure to implement adequate checks amounts to gross negligence.
The ICO found that 1.4 million British children under the age of 13 were using TikTok between 2018 and 2020. That is below the minimum age for opening a TikTok account under the platform’s own terms of service. The fine was issued because TikTok failed to screen for these accounts and prevent them from being created in the first place without parental consent and supervision. UK data privacy law requires parental consent before children under 13 can create a social media presence. The ICO also found that TikTok’s primary user base is between the ages of 10 and 19, and that underage users lie about their age on the app to circumvent parental involvement and supervision. The ICO says TikTok ought to have been reasonably aware of this liability on its platform and should have had preventative measures in place to stop such situations from arising in the first place.
The platform is also being fined for not being transparent about its collection of children’s online data, as required by the General Data Protection Regulation (GDPR). The current sum of £12.7 million is actually a reduced amount: the ICO’s original notice had called for £27 million. The reduction appears to stem from a change of direction in prosecuting the unlawful use of special category data.
Read: https://www.cpomagazine.com/data-protection/12-7-million-fine-for-tiktok-in-uk-for-failure-to-screen-underage-users-use-of-childrens-data-without-parental-consent/
The evolution of the Lazarus group’s DeathNote campaign
The Lazarus group is a Korean-speaking threat actor with multiple sub-campaigns, the latest of which is the active cluster DeathNote, so named because the malware that downloads its additional payloads is called Dn.dll or Dn64.dll. The DeathNote cluster is also known as Operation DreamJob or NukeSped. According to a study by Securelist, DeathNote’s targets have shifted significantly over its lifespan, and its tools and techniques have gone through several stages of development.
The DeathNote cluster started as a novel downloader in October 2019, designed to attack cryptocurrency businesses, before shifting its focus to the defense industry in April 2020. The former was achieved using malicious Word documents with cryptocurrency-themed decoys, such as questionnaires about buying specific cryptocurrencies and a document introducing a bitcoin mining company. The 2020 switch saw DeathNote used against the automotive and academic sectors across Eastern Europe, both of which are connected to the defense industry. For this, new decoy documents were created, including job descriptions related to defense contractors and diplomatic services.
In May 2021, DeathNote attacked a European software vendor. By June 2021, the Lazarus group was observed using new infection mechanisms against South Korean targets: the initial malware stage was executed through legitimate security software widely used in South Korea, and the malware was believed to have spread in South Korea through a vulnerability in that software. By July 2022, DeathNote had evolved enough to target defense contractors in Africa with sophisticated TTPs, delivered via a suspicious PDF application sent over Skype messenger.
Read: https://securelist.com/the-lazarus-group-deathnote-campaign/109490/
Microsoft Releases Set of Security Updates to Patch 97 Flaws Impacting its Software, Including One Under Active Ransomware Exploitation
Microsoft has released another set of security updates to patch 97 flaws impacting its software, one of which was being actively exploited in ransomware attacks. Seven of the 97 bugs are rated Critical, while the remaining 90 are rated Important. This latest series of updates also contains fixes for 26 vulnerabilities in Microsoft’s Edge browser that were released over the past month. The flaw under active ransomware exploitation is CVE-2023-28252 (CVSS score: 7.8), a privilege escalation bug in the Windows Common Log File System (CLFS) Driver.
In its advisory, Microsoft said, “An attacker who successfully exploited this vulnerability could gain system privileges.” The company credited researchers Boris Larin, Genwei Jiang, and Quan Jin with reporting the issue. CVE-2023-28252 is the fourth privilege escalation flaw found in CLFS this year, and a total of 32 vulnerabilities have been identified in CLFS since 2018. Russian cybersecurity firm Kaspersky reported that small and medium-sized businesses across the Middle East, North America, and Asia were being targeted by Nokoyawa ransomware.
“CVE-2023-28252 is an out-of-bounds write (increment) vulnerability that can be exploited when the system attempts to extend the metadata block,” Larin said. “The vulnerability gets triggered by the manipulation of the base log file.”
Read: https://thehackernews.com/2023/04/urgent-microsoft-issues-patches-for-97.html
Lessons learned: A retrospective on Eth.limo’s DNS outage
Eth.limo, a website that provides a gateway from the legacy world-wide web to Ethereum Name Service (ENS) addresses, recently experienced a DNS outage that left the site temporarily unavailable. The outage was caused when its former registrar mistakenly parked the domain on a pay-per-click page.
A previous version of this article incorrectly reported this incident as a cyber-attack. It was not.
AxisOfEasy regrets the errant reporting.
Eth.limo has since moved their domain registrar… to easyDNS.
Read: https://ethlimo.substack.com/p/ethlimo-dns-outage-retrospective
RMM platform Action1 abused by hackers for ransomware attacks
According to a report from Bleeping Computer, hackers are abusing the remote monitoring and management (RMM) software Action1 to deploy ransomware on victims’ networks. Action1 is a cloud-based platform that IT administrators use to remotely manage endpoints such as servers and workstations, and the report highlights that attackers have started abusing it to gain access to victims’ networks and deploy ransomware on them.
The attackers are using a combination of phishing and the exploitation of vulnerabilities in the Action1 software to gain access to victims’ networks. Once inside, they use the software’s built-in features to execute commands on the endpoints and deploy ransomware. The report notes that this is the first time an RMM platform has been used to deploy ransomware.
Action1 has acknowledged the issue and released a patch to fix the vulnerabilities. It has also advised customers to take precautions such as changing passwords and enabling two-factor authentication, and has recommended that customers limit the use of administrative credentials and monitor their networks for any unusual activity.
Read: https://www.bleepingcomputer.com/news/security/hackers-start-abusing-action1-rmm-in-ransomware-attacks/
Google and easyDNS Announcements
If you’re running your own mail server and have been putting off creating SPF or DKIM records, you may have noticed Gmail bouncing your messages since November 2022. SPF and DKIM records are ways of authenticating email messages so that receivers can cut down on rampant spam. We created a tool, SPFWizard, to help you easily set up the correct records for your domain.
Read: https://support.google.com/mail/answer/81126#auth-reqs
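To show what a receiving server such as Gmail actually does with the SPF record you publish, here is an added example (not code from this newsletter or from easyDNS’s SPFWizard) that evaluates a domain’s SPF record against the IP address of the connecting sender. The DNS table it consults is constructed for the demo using reserved documentation addresses and domain names; a real receiver would resolve the TXT records live. It handles the `ip4`, `ip6`, `include` and `all` mechanisms with their qualifiers and enforces the RFC 7208 limit of ten DNS-querying mechanisms, which is the check that turns an `include` loop into a `permerror` rather than an endless lookup.

```python
"""Offline SPF evaluation demo (added example, not part of the original page).

A receiving mail server evaluates the sending domain's SPF TXT record against
the connecting IP. The DNS_TXT table below is constructed demo data standing in
for live DNS lookups.
"""
import ipaddress

# Constructed TXT records (assumption: demo data, not real domains' records).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.7 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # hypothetical misconfiguration
    "nospf.example": "",                                   # hypothetical domain with no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most ten DNS-querying mechanisms per check


def check_spf(domain, sender_ip, lookups=None):
    """Return the SPF result for sender_ip claiming to send for domain.

    Results follow RFC 7208 names: pass, fail, softfail, neutral, none, permerror.
    `lookups` is a single-element list shared across include recursion so the
    lookup budget is counted for the whole evaluation.
    """
    if lookups is None:
        lookups = [0]
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to the pass qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all: usually -all or ~all
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many lookups (e.g. include loop)
            sub = check_spf(arg, sender_ip, lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("permerror", "none"):
                return "permerror"  # included domain is broken or has no record
            # softfail/fail/neutral inside an include does not match; keep going
        else:
            # a, mx, ptr, exists need live DNS and are outside this offline demo
            return "permerror"
    return "neutral"  # record exhausted without a match and without an all term


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.45"), ("example.com", "198.51.100.7"),
                    ("example.com", "203.0.113.9"), ("loop.example", "192.0.2.1")]:
        print(f"{dom:<24} {ip:<16} -> {check_spf(dom, ip)}")
```

The `-all` versus `~all` distinction at the end of the record is the part most worth getting right: with `-all`, mail from an unlisted IP evaluates to `fail` and a strict receiver rejects it, whereas `~all` yields `softfail`, which receivers typically accept but weigh as a spam signal.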
The development team at easyDNS has been working on an all-encompassing, easy-to-use DNS editor for the last little while. We’re happy to announce it is now available from your member page or directly at: https://cp.easydns.com/manage/domains/dns/
Feel free to send us a note to let us know how you like it. There’s also a product tour available to get you familiar with how to use it.
Elsewhere online:
Montana Legislature Votes to Outlaw TikTok
Read: https://www.nytimes.com/2023/04/14/technology/montana-tiktok-ban-passed.html
UK’s largest state boarding school is the latest victim in a string of ransomware attacks against British schools
Read: https://therecord.media/wymondham-college-cyberattack-uk-boarding-school
Affiliates must follow strict rules to avoid public exposure at RTM Locker
Read: https://cyware.com/news/rtm-locker-enforces-strict-rules-on-affiliates-to-avoid-public-attention-2e256c40/
National Intelligence Service of the Republic of Korea (NIS) warns of North Korean threat group Kimsuky’s use of Chrome extensions to steal emails
Read: https://www.bleepingcomputer.com/news/security/north-korean-hackers-using-chrome-extensions-to-steal-gmail-emails/
Microsoft researchers establish links between spyware threat actor and Israeli company, QuaDream
Read: https://www.darkreading.com/vulnerabilities-threats/microsoft-nso-group-like-quadream-actor-selling-mobile-spyware-governments