InfoSec Round-Up: September 27th 2020

Ransomware Fatality, Bing Leaks, Instagram Bug & Uber Data Sharing

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

This week we are looking at Microsoft leaks, Instagram flaws, Uber data sharing and a fatal ransomware attack.   

Hospital Patient Died Following Ransomware Attack

Following a ransomware attack against Düsseldorf University Hospital, a patient has died due to an inability to provide critical care, in what is believed to be the first cyber-crime fatality.

Happening on the 9^th of September, the hospital was hit with the attack, causing vital systems to be disabled. As a result, the female patient was being transferred to a nearby hospital when the tragedy occurred.

According to some local reports, it is possible that the hackers did not intend to attack the hospital, instead attempting to target a different university, and that once they had realised their mistake, they handed over the decryption key without demands for ransom payment.

Former chief executive of the UK's National Cyber Security Centre Ciaran Martin said: "If confirmed, this tragedy would be the first known case of a death directly linked to a cyber-attack… Although the purpose of ransomware is to make money, it stops systems working. So, if you attack a hospital, then things like this are likely to happen.”

German police have launched a ‘negligent homicide’ investigation into the matter.

Uber Data Sharing Under the Spotlight

It has been reported that the transport company Uber has shared user data with law enforcement over 2,000 times per year, in a battle to regain its fraught London taxi licence.

Reported by The Times, the company has been sharing user and driver data with the Metropolitan Police ‘seemingly without warrants’, with the intention of currying favour with regards to appeals courts and their highly valuable London licence.

The Westminster Magistrates’ Court last week heard from the Police Chiefs’ Council (NPCC) that law enforcement benefits from "thousands of pieces of intelligence on drivers, passengers and journeys each year," aiding in their ability to tackle drug dealing and human trafficking.

Having lost their licence back in November of 2019, the company was condemned for a “pattern of failures” that jeopardised passenger safety, including not having adequate protections to stop drivers’ pictures from being swapped with unauthorised parties.

Striking some as an invasion of privacy, MP for Monmouthshire, David Davis declared in response that he is tabling “Parliamentary Questions to the Home Office and Freedom of Information requests to police forces around the country seeking further information” into the matter.

Microsoft Leaks 6.5TB of Bing Data

Microsoft has unwittingly exposed an Elasticsearch server containing 6.5TG of location data, device IDs and search details, following the erroneous removal of password-protection.

Originating from the Microsoft Bing mobile app, which has been downloaded more than 10 million times via Google Play alone, the exposed data was discovered by a white-hat hacker and cyber-security operation WizCase.

The database, which, according to the report, was growing by 200GB per day at the time of its discovery, contained the records of people searching from over 70 countries and was left unsecured for approximately 6 days.

A spokesperson for Microsoft has stated: “We’ve fixed a misconfiguration that caused a small amount of search query data to be exposed. After analysis, we’ve determined that the exposed data was limited and de-identified.”

Despite the data containing a relatively limited collection of information, even search data, device numbers and location data can be used to deanonymize users, potentially making those affected more susceptible to phishing attacks, blackmail, and fraud.

Instagram Bug Allowed Hackers Remote Access

It has been reported that Instagram’s Android app contained a critical vulnerability that could have allowed attackers remote access and control over a user’s device, simply by sending a specially designed image.

Now fixed by Facebook, the issue affected hundreds of millions of users of the photo sharing app, up until February 10^th of this year, when an update was released.

Discovered by a research team at Check Point, their Head of Cyber Research has stated: “The issue was a buffer overflow, caused by sending a picture with a large size which fools the application into believing it’s much smaller. This causes an overwrite and lets us do our magic.”

Disputing its significance, Facebook have responded that they “have no reason to believe [the flaw] impacted anyone”; though the discoverers maintain its importance.

According to security report, the critical vulnerability “would have allowed an attacker to perform any action of choice inside Instagram – read DMs, delete or post content, manipulate account details, as well as the ability to turn a victim’s phone into a spying tool to access GPS location, phone contacts and camera.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.