Weekly Axis Of Easy #255
Last Week’s Quote was “Between stimulus and response there is a space. In that space is our power to choose our response. In our response lies our growth and our freedom.” was by Viktor Frankl author of Man’s search for meaning… and Dave got it first! Congats.
This Week’s Quote: “I put my heart and my soul into my work, and have lost my mind in the process.” -by ???
THE RULES: No searching up the answer, must be posted to the blog – the place to post the answer is at the bottom of the post, in the comments section.
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
In this issue:
- CRTC Chair Ian Scott Confirms Bill C-11 Can Be Used To Pressure Internet Platforms to Manipulate Algorithms
- The Chinese surveillance state encounters resistance from the public
- Federal agencies warned healthcare organizations about North Korean ransomware attacks
- Hacked WordPress sites are now using PayPal phishing kits to steal full ID information
- North Korean Ransomware emerges under the name H0lyGh0st
- Thousands of patients’ medical records left exposed for 16 years
- Media organizations and journalists are targeted by APT actors to advance state-aligned collection initiatives
- The ban on commercial open-source apps proposed by Microsoft
- The potential dangers of exploiting GitHub’s code repository for malware
- WikiLeaks whistleblower convicted for leaking Vault 7 documents
- New attacks can reveal the identities of anonymous users on major browsers
Imagine our shock. As the critics of Bill C-11 have been saying all along, it turns out the sweeping bill which will give the CRTC regulatory powers over the internet can be used to influence or manipulate algorithms.
As Prof. Michael Geist points out, the devil is in the details and the language used is just that detail. Ian Scott was questioned at the Senate Standing Committee on Transport and Communication specifically about algorithm manipulation. His answer is revealing in this short paragraph:
“I’ll give you a simple example. Instead of saying – and the Act precludes this – we will make changes to your algorithms as many European countries are contemplating doing – instead, we will say this is the outcome we want. We want Canadians to find Canadian music. How best to do it? How will you do it? I don’t want to manipulate your algorithm. I want you to manipulate it to produce a particular outcome. And then we will have hearings to decide what are the best ways and explore it.”
Critics say it starts with prioritizing Canadian content for Canadians (who may actually be looking for foreign or more relevant content other than just being Canadian) and ends up being used to censor content contrary to the current narrative the government wants you to see.
Chinese artists, privacy activists, and ordinary citizens have fought against the authorities’ abuse of Covid tracking apps. The Chinese government is running up against growing public unease about the lack of safeguards to prevent the theft or misuse of personal data and is moving systematically to squelch news about the largest known breach of a Chinese government computer system.
A database of personal information —apparently used by the police in Shanghai— was exposed online by an anonymous user, who offered to sell it for 10 Bitcoin, or about $200,000. Besides names, addresses, and ID numbers, the sample appears to include information pulled out from external databases, such as courier instructions about where to drop deliveries, which indicates a greater sharing of information between private companies and the government.
The government has sought to erase nearly all discussions of the leak, emphasizing the need to “defend information security” for the public and businesses.
China’s efforts to implement data collection safeguards have lagged behind its own data collection drive. People are growing weary of the government and public institutions as they see how their data is being used against them. Now, some individuals are drawing attention to privacy concerns. On online forums like Zhihu, Chinese users exchange advice on evading surveillance, and 60 percent claim facial recognition technology has been misused.
According to legal analysts, the Shanghai police database breach will probably not result in any disciplinary actions being made public. The Chinese government agencies lack mechanisms for holding themselves accountable for data leaks. This lack of recourse has contributed to a sense of resignation among many citizens.
North Korean state-sponsored hackers attacked US healthcare and public health organizations (HPH), according to an FBI, CISA, and Treasury Department advisory. Reportedly, hackers used a Maui ransomware variant to encrypt servers responsible for electronic health records, diagnostics, imaging, and intranet services. The US federal agencies warned that North Korean hackers assumed healthcare organizations were willing to pay a ransom to avoid disruption and protect sensitive data and that paying ransoms could not guarantee data recovery.
Unlike other ransomware variants, Maui does not require external infrastructure to generate encryption keys. The malware requires manual execution by remote attackers via a command-line interface. Silas Cutler, Principal Reverse Engineer at Stairwell, said Maui ransomware encrypts files using a 128-bit AES key and RSA algorithm, along with a hard-coded RSA public key.
While the agencies have not been able to determine the attack vector, they have suggested that the attacks could be a combination of ransomware, intellectual property theft, and industrial espionage.
Federal agencies published indicators of compromise (IoCs) associated with the Maui ransomware variant. They recommended that healthcare and other critical infrastructure organizations implement the recommendations to keep North Korean hackers at bay.
PayPal users are being targeted by a phishing kit designed to steal their personal information, including government identification documents and photos. Hackers have hosted the kit on legitimate WordPress websites that have been hacked, which allows it to evade detection to a certain degree.
Akamai Researchers discovered the kit after the threat actor planted it on their WordPress honeypot. Based on a list of common credential pairs found online, the threat actor targets poorly secured websites and brute-forces their logins. The phishing kit is uploaded to the breached site using a file management plugin.
According to Akamai, the phishing kit crosses IP addresses with domains belonging to companies, including some companies in the cybersecurity industry, to avoid detection. Researchers also noticed that the author of the phishing kit used htaccess to rewrite the URL of the fraudulent page, giving it a professional appearance.
In order to steal a victim’s data, a CAPTCHA challenge is presented, a step that creates the illusion of legitimacy. The victim is then asked to log into their PayPal account using their email address and password, which are automatically transmitted to the threat actor. Under the pretence that the victim’s account has “unusual activity,” the threat actor requests more verification information.
As part of the scam, the victim is asked to disclose personal information and financial details, such as payment card numbers, addresses, social security numbers, mother’s maiden name, and even ATM pin numbers. The threat actor collects the victim’s personal information and then requests official identification documents to verify their identity.
While the phishing kit appears sophisticated, researchers found that its file upload feature can be exploited to upload a web shell and gain access to a compromised website. The scam might seem obvious to some users because of the huge amount of information requested. However, Akamai researchers believe the kit’s success relies on this specific social engineering element.
Microsoft researchers have linked an emerging ransomware threat to North Korean state-sponsored actors that have been active since last year. The threat actors, named H0lyGh0st, have successfully compromised small-to-midsized businesses in multiple countries starting as early as September.
H0lyGh0st uses a namesake ransomware to encrypt files on target devices, then sends a sample of the encrypted files to the victim as proof. Researchers from Microsoft Threat Intelligence Center (MSTIC) said that the group interacts with victims on a .onion site that maintains and provides a contact form for victims to get in touch. They then demand payment in Bitcoin for restoring access to victim data and threaten to publish stolen data on social media if victims don’t pay.
According to MSTIC researchers, H0lyGh0st’s ransomware campaigns are financially motivated and attempt to legitimize their actions by claiming to increase the victim’s security awareness.
Virginia Commonwealth University Health System (VCU) announced that 4,441 patients’ private health information was left exposed for 16 years by a medical transplant centre. The healthcare provider said the concerned data included names, Social Security numbers, lab results, medical record numbers, and/or dates of birth. According to VCU, this information was “possibly viewable” by transplant recipients, donors, and/or their representatives who accessed the patient portals of the recipient and/or donor.
VCU has not yet released any information about the privacy incident but has stated that no information was misused. Ashutosh Rana, a senior security consultant at Synopsys Software Integrity Group, speculated over what may have happened, determining that it was likely a “typical case of misconfiguration.”
Rana explained that any user could view someone else’s information by logging in since the system is designed that way. “Patient portal is a critical part of any healthcare system, so it is surprising to see this flaw was undetected for that long. The good part is that it seems any patient has to have a valid account (donor or recipient) to be part of this incident which contains the incident in some sense,” said Rana.
A spokesperson for VCU told The Daily Swig that organ donors could view one recipient’s information at a time and that the university has worked with cybersecurity experts to resolve the issue.
Media organizations and journalists are targeted by APT actors to advance state-aligned collection initiatives
The ban on commercial open-source apps proposed by Microsoft
The potential dangers of exploiting GitHub’s code repository for malware
WikiLeaks whistleblower convicted for leaking Vault 7 documents
New attacks can reveal the identities of anonymous users on major browsers
Previously on #AxisOfEasy
If you missed the previous issues, they can be read online here:
- July 12th, 2022: Apple Debuts Lockdown Mode to Prevent State-Sponsored Spying
- July 4th, 2022: Ending Freedom Of The Press, Speech, And Expression: The Main Goal Of Big Corporations
- June 27th, 2022: Scammers Can Steal Your Selfies For NSFW Purposes On Instagram
- June 20th, 2022: Facebook Messenger Scam: Millions Deceived
- June 13th, 2022: Attacking 5G Via Network Slices: A New Emerging Threat