This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

This week we are discussing Trump’s looming TikTok ban, the teens arrested for the celebrity Twitter hack, the ransomware attack against Canon and the class-action lawsuit against Google.

US Moves Closer to TikTok Ban

President Trump has threatened that the popular social media app TikTok will likely be banned by September 15th if the company is not passed to American owners.

As the latest development in a long string of Chinese technology tensions, the proposed ban is based on concerns over the information security threat which Chinese-owned companies potentially play.

American owned company Microsoft has confirmed that it is in continued talks to purchase the US operations of TikTok, as well as for Canada, Australia and New Zealand – every member of the Five Eyes alliance, except for the UK.

The proposed ban comes only weeks after India made the move to ban dozens of Chinese-made apps, including TikTok, for matters of ‘state security’.

There has also been calls from members of UK parliament to carry out a security review of the social media platform ahead of possibly allowing the company to establish a headquarters in the country.

In a statement, Microsoft has made public that they are “committed to acquiring TikTok subject to a complete security review and providing proper economic benefits to the United States.”

Teens Arrested in Twitter Bitcoin Scam

Following a law enforcement investigation, three young men have been charged over the Twitter account hijacking which netted around $100,000 earlier this month.

The suspects are a seventeen-year-old from Tampa, Florida, a twenty-two-year-old, Nima Fazeli, of Orlando and a Mason Sheppard, of Bognor Regis, nineteen.

The seventeen-year-old, who has not been named, is believed to be the ringleader, and faces around 30 felony charges for his alleged myriad of cybercrimes.

State Attorney Warren noted: “He’s a 17-year-old kid who apparently just graduated high school… but make no mistake, this was not an ordinary 17-year-old. This was a highly sophisticated attack on a magnitude not seen before.”

The scam, which took place mid-July is understood to have compromised 130 high-profile accounts and garnered $100,000 from over 400 transfers of funds, as well as accessing private account information from dozens of users.

Suspected to be the result of a spear-phishing attack via a phone call, the perpetrators were tracked down through their attempts to launder the ill-gotten cryptocurrency.

Twitter has responded: “We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses.”

Canon Hit with Massive Ransomware Attack

Japanese optical company Canon has reportedly suffered an enormous data breach with around 10TB of data being stolen by ransomware gang Maze.

Coming only days after a serious, though unconnected, outage of Canon’s various online services, the attack occurred the morning of the 5th.

According to Beeping Computer, who have communicated with members of the cyber-criminal gang, “10 terabytes of data, private databases etc.” were taken as part of the attack. Data, which is likely being held under threat of publication, as leverage in ransom negotiations.

The Maze gang, who have been responsible for many high-profile incidents, including the recent Cognizant ransomware attack, regularly expose stolen data via their website, where they sardonically refer to victims as “new clients”.

Though the details of the attack are currently unknown, Canon has sent a company-wide notification informing employees of “systems issues”. The company has also told journalists that they are “currently investigating the situation”.

Google to Pay $7.5M in Breach Settlement

Users of Google+ have this week received emails notifying them about a settlement of a recent class action lawsuit.

The two-year lawsuit, which was launched by multiple plaintiffs because of two Google+ software bugs, which saw hundreds of thousands of users’ names, email addresses, and other personal information exposed.

Google announced that a $7.5 million settlement has been reached, though deny any wrongdoing, stating: “Google denies Plaintiffs’ allegations, denies any wrongdoing and any liability whatsoever, and believes that no class members… have sustained any damages or injuries due to the software bugs.”

Although the company found the issues in March of 2018 (around the same time as the ‘Facebook – Cambridge Analytica scandal), it is reported that the company chose not to disclose the breach over fears of “reputational damage” and “regulatory interest”.

Having led to Google shutting down the Google Plus platform in 2019, claimants in the lawsuit will be eligible to a maximum payment of $12, depending on the number that come forward.

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.