InfoSec Round-Up: August 9th 2020
Trump TikTok Ban, Twitter Hack Arrests, Canon Attack & Google Lawsuit
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
This week we are discussing Trump’s looming TikTok ban, the teens arrested for the celebrity Twitter hack, the ransomware attack against Canon and the class-action lawsuit against Google.
US Moves Closer to TikTok Ban
President Trump has threatened that the popular social media app TikTok will be banned in the US by September 15th if the company is not sold to American owners.
The latest development in a long string of tensions over Chinese technology, the proposed ban is based on concerns over the information security threat which Chinese-owned companies potentially pose.
American-owned Microsoft has confirmed that it is in continued talks to purchase TikTok’s operations in the US, as well as in Canada, Australia and New Zealand – every member of the Five Eyes alliance except for the UK.
The proposed ban comes only weeks after India made the move to ban dozens of Chinese-made apps, including TikTok, for matters of ‘state security’.
There have also been calls from members of the UK parliament to carry out a security review of the social media platform ahead of possibly allowing the company to establish a headquarters in the country.
In a statement, Microsoft has made public that they are “committed to acquiring TikTok subject to a complete security review and providing proper economic benefits to the United States.”
Teens Arrested in Twitter Bitcoin Scam
Following a law enforcement investigation, three young men have been charged over the Twitter account hijacking which netted around $100,000 last month.
The suspects are a seventeen-year-old from Tampa, Florida; twenty-two-year-old Nima Fazeli, of Orlando; and nineteen-year-old Mason Sheppard, of Bognor Regis.
The seventeen-year-old, who has not been named, is believed to be the ringleader, and faces around 30 felony charges for a myriad of alleged cybercrimes.
State Attorney Warren noted: "He's a 17-year-old kid who apparently just graduated high school… but make no mistake, this was not an ordinary 17-year-old. This was a highly sophisticated attack on a magnitude not seen before."
The scam, which took place in mid-July, is understood to have compromised 130 high-profile accounts and garnered $100,000 from over 400 transfers of funds, as well as exposing private account information belonging to dozens of users.
The intrusion is suspected to have been the result of a spear-phishing attack carried out over the phone against Twitter employees, giving the attackers access to internal account-management tools. The perpetrators were tracked down through their attempts to launder the ill-gotten cryptocurrency.
Twitter has responded: "We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses.”
Canon Hit with Massive Ransomware Attack
Japanese imaging company Canon has reportedly suffered an enormous data breach, with around 10TB of data stolen by the Maze ransomware gang.
Coming only days after a serious, though unconnected, outage of Canon’s various online services, the attack occurred on the morning of August 5th.
According to Bleeping Computer, who have communicated with members of the cyber-criminal gang, “10 terabytes of data, private databases etc.” were taken as part of the attack. The data is likely being held under threat of publication, as leverage in ransom negotiations.
The Maze gang, who have been responsible for many high-profile incidents, including the recent Cognizant ransomware attack, regularly expose stolen data via their website, where they sardonically refer to victims as “new clients”.
Though the details of the attack are currently unknown, Canon has sent a company-wide notification informing employees of “systems issues”. The company has also told journalists that they are “currently investigating the situation”.
Google to Pay $7.5M in Breach Settlement
Users of Google+ have this week received emails notifying them about a settlement of a recent class action lawsuit.
The two-year lawsuit was launched by multiple plaintiffs over two Google+ software bugs which exposed the names, email addresses and other personal information of hundreds of thousands of users to third-party developers.
Google announced that a $7.5 million settlement has been reached, though deny any wrongdoing, stating: “Google denies Plaintiffs’ allegations, denies any wrongdoing and any liability whatsoever, and believes that no class members… have sustained any damages or injuries due to the software bugs.”
Although the company found the first of the issues in March 2018 (around the same time as the Facebook–Cambridge Analytica scandal), it is reported that the company chose not to disclose the breach over fears of “reputational damage” and “regulatory interest”.
The incidents led to Google shutting down the consumer version of Google+ in 2019. Claimants in the lawsuit will be eligible for a payment of up to $12, depending on how many come forward.
Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.