This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

This week we are looking at the $100,000 Apple bug bounty, ongoing contact tracking security concerns and REvil strikes again. Welcome to the Hut Six Infosec Round-Up.

Security Researcher Receives $100k Apple Bug Bounty

Security researcher Bhavuk Jain has been awarded an impressive $100,000 by Apple after discovering a zero-day bug in the company’s third-party sign-in technology, ‘Sign in with Apple’.

The critical flaw, which was originally discovered in April, could have allowed attackers to take over Apple user accounts, putting third-party app users at serious risk.

After the flaw was reported to Apple, an internal investigation determined that the exploit had not led to any misuse or account compromise; the company nonetheless decided the flaw was serious enough to warrant a $100k ‘bug bounty’.

Jain, who works full-time as a bug bounty hunter, has also discovered flaws in other well-known tech platforms, including Pinterest, Facebook, Yahoo and Google.

Apple, like many other companies, invites external researchers to submit their work and discoveries, offering bounties of up to $1 million for the most serious of flaws.

Contact-Tracing Security Concerns Mount

As security researchers criticise the ease with which scammers could exploit its methods of contact, concerns grow over the UK’s Covid-19 ‘Test and Trace’ program.

The program is designed to gather data on those reporting coronavirus symptoms, but relatively simple methods of spoofing calls and texts could be used by social engineers and phishers hunting for the personal or sensitive information of unsuspecting members of the public.

Along with issues of anonymity, data retention and staffing, the program has already faced several public setbacks.

With pandemic-related scam calls and texts already in progress, much of this specific concern hinges on the government asking the public to anticipate calls in which they are expected to hand over potentially sensitive information.

Though the official information provided by the UK government makes note of what will and will not be asked for by contact tracers, at this particularly sensitive time, there is seemingly little that citizens can do to verify legitimacy.

As always, the advice remains that sensitive information, such as bank account details, passwords and other private data, should never be shared with unverified parties, and that any scams should be reported to the appropriate authorities.

Reporting Scams

Emails: NCSC’s Suspicious Email Reporting Service (SERS)

Calls or Texts: UK’s Action Fraud

For the latest information on the Test and Trace program please check the government’s official advice, a link to which is provided below.

Test and Trace:

Ransomware Attackers Publish Elexon Passports

Following a hack which took place on the 14th of May, cyber criminals have published passport information stolen from the UK utilities company, Elexon.

Attributed to the international ransomware-as-a-service (RaaS) operation known as REvil, or Sodinokibi, the attack has seen a cache of around 1,200 files published on the cyber criminals’ Tor website.

Responsible for a plethora of recent ransomware attacks, including the new year’s Travelex heist and celebrity law firm attack, this strain of ransomware is thought to have, in the last several years, generated upwards of $2 billion in ill-gotten gains.

Though the reason for the passport data being published remains unclear, Elexon stated publicly that core services remain unaffected by the cyber-attack, whilst also reassuring stakeholders that, as they “do not hold any customer level data, there is no risk to the public.”

If you are interested in finding out more about Hut Six’s information security awareness training, follow the links below, or if you have any questions, please contact us.