This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

This week we are discussing the ransomware attacks against Edinburgh Zoo and fitness tracker maker Garmin, Australia’s investigation into Google’s privacy practices, and the 19 million records leaked by Avon.

Garmin In Recovery from Ransomware Attack

Garmin, the US-based fitness tracker and GPS company, has this week confirmed that it suffered a debilitating ransomware attack that led to a three-day outage of its services.

The attack, which took place last week, is likely the work of Russian cyber-gang ‘Evil Corp’ and is thought to have used a type of ransomware named WastedLocker to try to extort a reported $10 million from Garmin.

The gang behind the attack is understood to take a highly targeted approach to cybercrime and extortion, and its suspected leader is listed on the FBI’s most wanted cybercriminals list.

With a $5 million bounty over his head, Maksim Yakubets (AKA ‘Aqua’) is accused of infecting tens of thousands of computers across North America and Europe and is thought to have close connections to the Russian government.

Garmin has publicly stated: “We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen.”

Hoping to resume operations soon, the company added, “we expect some delays as the backlog of information is being processed.”

Google Accused of Down Under Privacy Breach

The Australian consumer watchdog has accused the search giant Google of misleading millions of Australian citizens over the extent of personal data being collected.

The Australian Competition and Consumer Commission (ACCC) has launched a suit on the grounds that Google allegedly collected “potentially sensitive and private” browsing history from its users, without obtaining the proper informed consent.

“Some new features for your Google Account

We’ve introduced some optional features for your account, giving you more control over the data Google collects and how it’s used, while allowing Google to show you more relevant ads.”

The statement shown above is the notification in question: an option which, if agreed to, would allow Google to collect third-party site activity and combine it with user account data to serve targeted advertising.

The Australian authority alleges that the notification was misleading because consumers could not have properly understood the changes Google was making, nor how their data would be used, and so did not – and could not – give informed consent.

Chair of the ACCC, Rod Sims stated on the matter, “Google significantly increased the scope of information it collected about consumers on a personally identifiable basis… then used this information to serve up highly targeted advertisements without consumers’ express informed consent.”

Edinburgh Zoo Impacted by Blackbaud Attack

The Royal Zoological Society of Scotland has announced that it is among the latest organisations known to be affected by the Blackbaud hack covered in last week’s Infosec Round-Up.

The charity, which runs Edinburgh Zoo, has made public that it is one of the 125 organisations ‘so far’ known to be affected by the Blackbaud hack.

In a statement the Zoological Society announced, “this cyber-attack may have involved some personal data belonging to members and adopters. We have been assured that the risk to our supporters is very low.”

“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.”

Blackbaud

With dozens of universities, museums, schools, and charities affected, Blackbaud has faced criticism for its handling of the situation, in particular because it capitulated to the criminals’ demands and because of how long it took to disclose the attack.

The company has stated that at “every point we were working closely with law enforcement and other specialists”, adding, “we take our regulatory responsibilities seriously and comply with GDPR at all times, including in this instance.”

Avon Exposes 19 Million Records

Around seven gigabytes of personal and technical records belonging to cosmetics brand Avon have been discovered publicly exposed on a misconfigured company server.

Uncovered by security researchers ‘Safety Detectives’ earlier this month, the misconfiguration would have allowed anyone who knew the server’s IP address to access the database in question, and the sensitive information it held.

Amongst the 19 million records discovered, personally identifiable information included full names, addresses and phone numbers; none of which is reported to have been protected by either passwords or encryption.

Though it is unclear if the incidents are linked, Avon had also disclosed a cyber incident on the 9th of June that had “interrupted some systems and partially affected operations.”

Speaking on the potential impact, the researchers who discovered the records noted: “Given the type and amount of sensitive information made available, hackers would be able to establish full server control and conduct severely damaging actions… namely, ransomware attacks and paralysing the company’s payments infrastructure.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.