Like that other bloke who rose from the grave, the El Reg security desk is back this week...
...and here's a quick summary of what's been going down in infosec land
Roundup Welcome back, Brits, from your Easter break – assuming you weren't working or on-call over the four-day weekend.
Since you've been away from your desks, RSS feeds, and browsers, it's been a busy time in cyber-security, what with not one but two Facebook privacy cockups, one cunningly timed to coincide with the release of the Mueller report, plus the guilty plea of British malware researcher Marcus Hutchins. Here's some of the lesser news landing in and around the Easter break.
Last week started badly for Indian outsourcing giant Wipro after investigative journo Brian Krebs revealed that its corporate network had been successfully penetrated by hackers, who were leveraging the intrusion to, at least attempt to, compromise a dozen or more of its customers.
According to Krebs, the intrusion appeared to have been under way for more than a month and to be state sponsored. The biz initially tried to duck the issue, then confirmed it had been hacked, and then, on a conference call with financial analysts, tried to play down the news reports as inaccurate – which prompted Krebs to crash the call to clear his name.
On Friday, Wipro claimed that while several staff had fallen for phishing emails, "the incident did not impact the company's ongoing critical business operations," which kinda vaguely suggests customers weren't directly affected. This kerfuffle could pretty much serve as a textbook case of how not to handle a computer security breach.
Malware floods TV station off-air
Viewers of the Weather Channel in the US were left without regular service on Thursday when miscreants caused a hurricane of trouble for the broadcaster's servers: a malware infection knocked its live feed off air.
The programming scheduled for 0600 ET (1000 UTC) could not be broadcast, so the channel ran repeats instead. It took nearly two hours to scrub the ransomware away and resume normal service. The FBI is investigating.
Iranian cyber-espionage tools leaked... ish
Portions of what appears to be Iranian government surveillance malware have been uploaded to the public internet via a Telegram chat group for anyone to grab.
The bundle includes PowerShell and web-shell scripts used in recent cyber-attacks by the Iranian state-backed APT34, aka OilRig, hacking gang. It also includes some names, addresses, photographs, and phone numbers of people linked to the cyber-crew and Iran's Ministry of Intelligence, along with data on some of APT34's victims and the IP addresses of servers used to hack them.
An early analysis suggests the leakers have been public-minded enough to leave out crucial snippets of code, so the tools cannot be deployed in any practical sense, avoiding another Shadow Brokers fiasco. There are no zero-day exploits or anything interesting like that; instead it appears to be a shot across Tehran's bow by dox'ing its intelligence agents.
"We are exposing here the cyber tools the ruthless Iranian Ministry of Intelligence has been using against Iran’s neighboring countries, including names of the cruel managers, and information about the activities and the goals of these cyber-attacks," the leakers wrote on Telegram. "We hope that other Iranian citizens will act for exposing this regime’s real ugly face."
In brief... The Carbanak malware source code has apparently accidentally turned up on VirusTotal...
The backend database for an app that lets people provide the passwords to Wi-Fi hotspots to world+dog was found facing the public internet, revealing all the shared passwords in one go. The data store has since been taken offline...
Free smartphone apps aimed at helping people with depression or trying to quit smoking are spilling private details to Facebook, Google, and others, without mentioning this in their privacy policies, a study has shown...
A Riot-forked secure messaging app called Tchap for French government workers was, surprise, found to be insecure, in that anyone with the right skills could sign up for an account and natter away on it. The bug has been fixed...
Prison for Codeshop dark souk admin
A Macedonian man is facing seven and a half years in the US prison system, plus some major fines, after being convicted of running a stolen credit card market online.
Djevair Ametovski was sentenced to 90 months behind bars after pleading guilty to running Codeshop on the dark web between 2010 and 2014, and was told to cough up $250,000 and other damages. The forum had a large database of stolen credit cards for sale, stored in a form that could be searched by bank identification number, financial institution, country, state, and card brand.
“The sentencing of this transnational cybercriminal emphasizes the commitment of the Secret Service to disrupt and dismantle global criminal networks,” said US Secret Service Special Agent-in-Charge David Beach.
“The Secret Service will continue to work closely with our network of law enforcement partners to dismantle criminal enterprises seeking to victimize innocent people, regardless of geographic distance or borders.”
Isn't it ironic
Israeli computer security outfit Verint has confirmed that its servers were hit with ransomware.
"The company has experienced a critical flaw that has affected local servers," the biz said in a statement. "The company is working to contain and handle the situation, with the help of outside parties."
According to local media, the company got a dose of Ryuk, a potent piece of ransomware thought to emanate from North Korea and used to help fund the dictatorship there. Thankfully, it looks as though Verint had backups ready, though it's a useful warning to all that even security professionals sometimes get hit – so be prepared. Make regular offline backups, full as well as differential. ®
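What "full as well as differential" means in practice, as an added example that is not part of the article and not anything Verint runs: a full backup with a SHA-256 manifest, a differential that captures only what changed relative to that full (so a restore needs exactly two sets, the full and the latest diff), and a restore that replays both and then verifies every file against the manifest, which is how you tell a clean restore from one that quietly carried encrypted files along. The directory tree, file names and contents are constructed inline; the "offline" property is about where you keep the backup copy, which this script does not model.

```python
"""Full + differential backup with a hashed manifest (added example, not from the page)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def full_backup(src: Path, dest: Path) -> dict:
    """Copy everything and write the manifest beside it so later restores can be verified."""
    data = dest / "data"
    if data.exists():
        shutil.rmtree(data)
    shutil.copytree(src, data)
    manifest = build_manifest(src)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def differential_backup(src: Path, full_dest: Path, dest: Path) -> dict:
    """Copy only files that are new or changed relative to the FULL backup's manifest.

    Every differential is taken against the same full (unlike an incremental, which
    chains off the previous diff), so restoring needs just the full plus the newest diff.
    Files deleted since the full are not recorded; they come back from the full on restore.
    """
    base = json.loads((full_dest / "manifest.json").read_text())
    current = build_manifest(src)
    changed = {rel: h for rel, h in current.items() if base.get(rel) != h}
    data = dest / "data"
    if data.exists():
        shutil.rmtree(data)
    data.mkdir(parents=True)
    for rel in changed:
        target = data / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, target)
    # Manifest of the whole tree at diff time: this is what a restore must reproduce.
    (dest / "manifest.json").write_text(json.dumps(current, indent=1))
    return changed


def restore(full_dest: Path, diff_dest: Path, target: Path) -> dict:
    """Lay down the full set, overlay the differential, then verify against the diff-time
    manifest. Returns the files whose hash does not match; an empty dict means a clean restore."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(full_dest / "data", target)
    shutil.copytree(diff_dest / "data", target, dirs_exist_ok=True)
    expected = json.loads((diff_dest / "manifest.json").read_text())
    actual = build_manifest(target)
    return {rel: h for rel, h in expected.items() if actual.get(rel) != h}


def demo() -> tuple:
    """Constructed scenario: full, edits, diff, then the live tree gets 'encrypted' and is restored.
    Returns (set of files the diff captured, dict of verification mismatches after restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, full_d, diff_d, out = (tmp / n for n in ("live", "full", "diff", "restored"))
        (src / "sub").mkdir(parents=True)
        (src / "a.txt").write_text("quarterly numbers\n")
        (src / "sub" / "b.txt").write_text("config v1\n")
        full_backup(src, full_d)
        # Day-to-day changes after the full: one edit, one new file, b.txt untouched.
        (src / "a.txt").write_text("quarterly numbers, revised\n")
        (src / "c.txt").write_text("new file\n")
        changed = differential_backup(src, full_d, diff_d)
        # Ransomware mangles the live tree; the backup copies are, by assumption, out of reach.
        for p in src.rglob("*"):
            if p.is_file():
                p.write_bytes(b"\x00ENCRYPTED\x00")
        mismatches = restore(full_d, diff_d, out)
        return set(changed), mismatches


if __name__ == "__main__":
    captured, bad = demo()
    print("diff captured:", sorted(captured))
    print("restore verified" if not bad else f"restore FAILED for {sorted(bad)}")
```

The verification step is the part worth copying: a backup you have never restored and hashed is a hope, not a backup, and a manifest taken at backup time is what lets you prove the restore is the data you had rather than whatever the ransomware left behind.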