This article is more than 1 year old

Cloudstar – IT provider for real estate, finance, insurance worlds – downed by ransomware

Plus: Telegram security probed, CISA boss confirmed, and more

In Brief Cloud-based IT provider Cloudstar has been hit by ransomware, taking down its systems. It said it is currently negotiating with the crooks that infected its computers.

"On Friday, July 16, Cloudstar discovered it was the victim of a highly sophisticated ransomware attack," the Florida-based biz warned its customers over the weekend.

"Due to the nature of this attack, at this time our systems are currently inaccessible, and although we are working around the clock, we do not have a definitive restoration timeline. Our Office 365 mail services, email encryption offering and some support services are still fully operational.

"Cloudstar has retained third-party forensics experts Tetra Defense to assist us in our recovery efforts and also informed law enforcement. Negotiations with the threat actor are ongoing. We are working diligently to address this matter as quickly as possible and will keep our stakeholders informed."

Cloudstar is said to provide technology for hundreds of title companies and lenders. It offers remote virtual desktops, cloud-hosted software and storage, and IT security to businesses in the Americas working in real estate, finance, insurance, and petrochemicals.

"This is an incredibly difficult time for Cloudstar but more importantly, for our customers, whose trust we value so highly," the outfit added on its website.

Four Chinese people living in the Middle Kingdom have been accused by Uncle Sam of compromising "the computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018." Their alleged activity has been linked to a Beijing-run crew dubbed APT40.

Miscreants are peddling on the dark web 1TB of stolen data said to belong to Saudi Aramco.

Spyware maker NSO tried to build a business in the United States, and failed, though its lobbyists, consultants, and lawyers made good money from the attempt, it is reported.

Cloudflare code-execution bug spotted, squashed

A critical flaw in a Cloudflare service said to be used by 12.7 per cent of all websites could have been hijacked by a malicious user-controlled package to potentially compromise a good number of webpages.

The service in question is cdnjs, which hosts people's JavaScript and CSS libraries and serves them from a content delivery network. Bug-hunter RyotaK, while investigating supply chain attacks, found a path-traversal bug that could be exploited by a carefully crafted JS/CSS library submitted to cdnjs via its GitHub repository for inclusion in the CDN.

This library would be able to overwrite files and execute commands within the context of cdnjs's backend when the submission is processed, and could obtain Cloudflare's secret GitHub API keys. An attacker potentially could have used that position to alter the JavaScript and CSS delivered to those websites using cdnjs.

Just as interesting, when RyotaK tried out a proof-of-concept exploit for this vulnerability, GitHub triggered an alert to Cloudflare that its credentials had been compromised, and the API keys were rapidly revoked and regenerated by staff. We're told RyotaK, who was participating in Cloudflare's bug-bounty program, submitted a vulnerability report soon after in early April, and the issue was fully fixed by early June.

"While this vulnerability could be exploited without any special skills, it could impact many websites," RyotaK said this month. "Given that there are many vulnerabilities in the supply chain, which are easy to exploit but have a large impact, I feel that it’s very scary."

America finally has a head of the CISA

Jen Easterly has been confirmed by Congress as the new director of the US Cybersecurity and Infrastructure Security Agency (CISA).

A former president fired the previous CISA chief Chris Krebs by tweet after the director said the 2020 election of Joe Biden was “the most secure in American history." Easterly was a name that came up early for a top US government cyber-security post though political wrangling delayed her formal instalation.

Easterly is well respected in the industry: she is a Rhodes Scholar who went to Oxford and spent 20 years in the US Army, setting up its first first cyber battalion, and was a key player in the formation of today's US Cyber Command. She has served at the NSA as head of its Tailored Access Operations penetration team and as a national security advisor to Presidents Bush and Obama.

Easterly's confirmation was held up in June when Senator Rick Scott (R-FL) put a hold on the process until Biden went down to the US-Mexico border. Later in the month, when the hold was lifted, the Senate couldn't get around to it because a two-week recess was being held.

Boffins turn spotlight on Telegram security

Cryptographers at ETH Zurich and Royal Holloway college at the University of London have investigated Telegram's home-grown encrypted chat protocol, and claim an attacker could exploit it to, among other things, change the order of messages sent and potentially uncover plaintext of some communications in exceptional circumstances.

"In this instance our work was motivated by other research that examines the use of technology by participants in large-​scale protests such as those seen in 2019/2020 in Hong Kong," said Royal Holloway professor Martin Albrecht. "We found that protesters critically relied on Telegram to coordinate their activities, but that Telegram had not received a security check from cryptographers."

"None of the changes were critical," Telegram said in a statement, referring to software updates issued to address the academics' findings.

Iranians fingered for academic phishing attack

A group identified as working with the Islamic Revolutionary Guard Corps (IRGC) has been running a phishing campaign aimed at harvesting information from academics, think tank policy makers, and journalists covering the Middle East.

The campaign, dubbed SpoofedScholars by Proofpoint, sent out a spearphishing email impersonating a senior lecturer at the University of London’s School of Oriental and African Studies (SOAS). The recipients were asked to speak at a webinar on “the US security challenges in the Middle East,” and the URL led to a compromised University of London’s SOAS radio website.

That site asked people to sign in using their Google, Yahoo, Microsoft, iCloud, AOL, mail.ru, or Facebook account details, which would have been collected by the phishers. A few months later the same tactic was tried again, using another SOAS academic's name and inviting people to a “DIPS Conference.”

"Proofpoint recommends investigating network traffic to soasradio[.]org, specifically URIs starting with hxxps://soasradio[.]org/connect/?memberemailid=," the report advises. "Additionally, emails from hanse.kendel4[@]gmail.com, hannse.kendel4[@]gmail.com, and t.sinmazdemir32[@]gmail.com should be considered suspect and investigated."

Ring E2EE now generally available

After a beta-testing phase, Amazon is officially rolling out its end-to-end encryption for its most-recent internet-connected cameras and floodlights. You can get the full list of devices that support the system here. ®

More about

TIP US OFF

Send us news


Other stories you might like