Hacktivist skids nip at Mounties' ankles, Emotet ransomware rides again, and more

Including AV patches, VPN attacks, data leaks, and security cam holes

Roundup Summer is winding down, although there are plenty of computer security news bits and bytes to go around.

Eco-warriors pick a cyber-fight with Canadian Mounties

The Royal Canadian Mounted Police (RCMP) was targeted last week by hacktivists angry over Canada's issuing of permits to hunt polar bears.

The so-called National Frog Agency, a script-kiddie group that told The Register it focuses on animal rights, publicly shared about 120 RCMP staff email addresses and associated passwords, hashed and unhashed, on two websites. The group claimed it had 950 or so sets of credentials for some of the police force's employees, and has revealed only a small fraction so far. The gang alleged one in nine of the logins is or was known to work, though there is no reason to believe this boast.

Jason Coulls – a Reg reader, Brit abroad in the Great White North, and serial CTO known in Toronto for spotting bank cybersecurity blunders – raised the alarm to Vulture West after being given the runaround by the Mounties: he had tried to report the leaks more than a week ago, and was ignored.

"Taking four days to open a ticket and nine days to act on a potential national threat, means either nobody knows how to open a ticket, or nobody knows how to deal with a potential national threat,” Coulls said of his experience. “In an environment where Canada has tensions with China over Huawei, border disputes of the North West passage with the USA, arctic tensions with Russia, and so on, you’d think they’d move a little faster when faced with a potential breach."

Fortunately, this credential disclosure appears to be less serious than first feared. The RCMP told us the passwords were not directly lifted from its servers.

After some digging around, it appears the credentials were collected from account databases that were previously stolen from other websites and shared among hackers. In other words, the hacktivists in this case got their hands on a bunch of credentials leaked from other servers by other miscreants, and searched them for RCMP email addresses. They then leaked the passwords, either the hashes or cracked hashes, and email addresses in hope someone else would try to log into services where the credentials had been reused by police staff.

The RCMP told us it has already taken measures to "mitigate" any danger; presumably any of the staff listed in the public posts have changed their passwords on any systems where they reused the exposed credentials. Also, one of the public posts containing the leaked details was removed within 24 hours of El Reg contacting the Mounties. The other post remains online to this day.

The slow response of the RCMP is worrying, Coulls told us. "The RCMP were lucky this was just a badly handled false alarm," Coulls tells us. "If it was a badly handled real event, well, that would be... bad.”

In any case, do not use the same password and username or email address combination across more than one website. If one gets hacked, and the credentials leaked, miscreants can use this information to break into your other accounts.

This week's reminder to patch your AV software comes courtesy of BitDefender

Here's another reminder that even security software needs patches. For proof, we have this month's update from BitDefender to address a vulnerability in its Antivirus Free 2020 offering. Bug hunters with SafeBreach sussed out and reported CVE-2019-15295, an elevation of privilege flaw due to the ability to load arbitrary DLLs in the AV suite's update tool.

Fortunately this is not a particularly serious vulnerability (you need to already be running malware on the target machine) but it's a good reminder that it is not just your operating system that needs to be regularly updated.

Don't forget... to update your Nest Cam IQ Indoor firmware. Cisco's Talos team have found and documented various bugs in the network-connected, wireless CCTV devices that, while not terribly serious, have the potential to be exploited, so make sure you're running the latest version.

Similarly, please, please make sure you have patched your Pulse Connect Secure and Pulse Policy Secure VPN gear where possible: fixes were emitted in April to close up critical remotely exploitable holes, and now proof-of-concept exploit code for CVE-2019-11510 to seize control of systems is live.

And the same goes for Fortinet's FortiOS SSL VPN web portal, patched in May, and now proof-of-concept exploit code is available.

Both VPN bugs are under active attack right now, so if you haven't patched, your kit is about to belong to someone else.

80 charged in massive cyber-fraud takedown

Hundreds of charges have been filed in the US against 80 people accused of being part of a massive online scam operation.

It's said that 252 charges have already been slapped on suspected fraudsters operating in America and Nigeria. While these appear to be your run-of-the-mill social engineering scams, in which victims were duped into wiring money orders and account information to con men, the scale is eye-popping. Prosecutors say that the group either moved or attempted to move some $40m.

Texas mass-hacker's $2.5m ransomware demand

The wide-reaching malware invasion that has hit nearly two dozen government offices in the US state of Texas now has a price tag.

The mayor of Keene, one of the cities infected, said the software nasty's masterminds are demanding a $2.5m ransom payout to provide decryption keys for the scrambled data. It is highly unlikely the extortionists will see that dosh, however, as officials would rather opt to simply restore from backup or wipe their systems.

Emotet rides again

The notorious Emotet Windows ransomware appears to be gearing up to cause some significant mayhem. Infosec bods have logged dozens of new command-and-control servers firing up, leading them to believe that a sharp spike in infection rates is on the horizon.

"Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial governments. Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat," US-Cert says of the infection. "Emotet infections have cost governments up to $1 million per incident to remediate."

Card sharks royally flushed by PokerTracker MageCart infection

Unlucky poker players may want to keep a close eye on their bank statements following the disclosure that the popular app PokerTracker was seeded with MageCart, steals payment card details typed into pages the malicious JavaScript code lurks on.

A website used by the PokerTracker app's site was infected, meaning that anyone visiting the PokerTracker website would pull in code from the infected site, which would run MageCart in the visitor's browser, and siphon off any bank card details typed into the page to fraudsters.

MoviePass popped for customer data

MoviePass leaked tens of thousands of customer account details, including payment cards numbers and mistyped passwords, via a poorly secured public-facing database that appears to have been used for logging account activity. The system has since been secured.

Moscow voting system compromised

A French egghead has claimed a $15,000 prize after exposing security holes in Moscow's blockchain-based voting system.

Pierrick Gaudry claimed the prize after showing how the private keys for the Moscow Duma election system could be decrypted. The voting system, presumably with more security protections in place, will be going live next month. Then again, this is Russia we're talking about. Everyone knows who's going to win. ®

Sponsored: Technical Overview: Exasol Peek Under the Hood

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER




Biting the hand that feeds IT © 1998–2019