
BlackCat malware lashes out at US defense IT contractor

Also, Amazon's Ring footage TV shows draws criticism, US v Soviet spying docs found, and more

In Brief The BlackCat ransomware gang, also known as ALPHV, has allegedly broken into IT firm NJVC, a provider of services to civilian US government agencies and the Department of Defense.

DarkFeed, which monitors the dark web for ransomware intelligence, tweeted this week that BlackCat had added NJVC to its victims' list, along with sharing a screenshot allegedly of ALPHV's blog notifying NJVC that it had stolen data during its intrusion. 

"We strongly recommend that you contact us to discuss your situation. Otherwise, the confidential data in our possession will be released in stages every 12 hours. There is a lot of material," ALPHV said, per the screenshot.

Interestingly enough, ALPHV's website went offline shortly after providing proof of the security breach, according to a tweet from malware watchers VX-Underground.

According to other sources, BlackCat's website has since come back online, with NJVC's entry conspicuously absent. Maybe someone realized publishing US Department of Defense data was a bad long-term career move? Or some agreement was reached.

BlackCat, which is also the name of the group's signature malware coded in Rust, has apparently attacked 60 organizations around the globe since first appearing on the scene in late 2021. BlackCat, the ransomware, has been a prevalent part of the ransomware-as-a-service economy in its year of operation, Microsoft said, due to the choice of programming language. 

"By using a modern language for its payload, this ransomware attempts to evade detection, especially by conventional security solutions," Microsoft said. BlackCat has been seen targeting Windows, Linux, and VMware installations, Redmond said.

US Cold War spies hid Russian bugs where?

A stack of 1980s KGB documents obtained by a US journalist provides an interesting window into spy technology during the peak of the Cold War.

Writing for Project Brazen's The Brush Pass, which covers espionage news, Zach Dorfman said the trove of documents and photos details the sheer number of surveillance bugs US spies hid in Soviet diplomatic facilities, vacation homes, apartments, and cars – and their creativity.

"The bugs were everywhere," Dorfman said, and the list is exhaustive. Some of the more creative locations include being bored into concrete bricks and threaded into window frames, plastered into walls, and even stashed within a building's very foundation.

Intelligence officials Dorfman spoke to, all of whom asked to remain anonymous, said the number of bugs indicates a sustained operation over years, but with some serious technical limitations that meant someone likely had to physically access the bugs regularly to grab the information they stored and replace batteries. 

According to Dorfman's sources, battery technology was the major historical limitation on the miniaturization of Cold War tech. One US official Dorfman spoke to said the CIA's battery technology remains one of its most closely guarded secrets, and described it as one of the most heavily compartmentalized areas of work the US spy service does.

So, why keep all those found bugs a secret instead of holding them up as a demonstration of US Cold War duplicity? The likely explanation, Dorfman said, is that the KGB knew the US had just as much to throw back at it.

Amazon wrong to turn privacy violations into family fun, say rights groups

In case you missed it, Amazon is getting ready to premiere a new version of America's Funniest Home Videos, but with a twist: it's going to show hilarious clips captured by its Ring home cameras – a premise ripe for criticism from privacy and civil rights groups.

Forty such organizations signed an open letter to MGM, which is owned by Amazon and is distributing the show, urging them to cancel the show Ring Nation before its premiere at the end of September. In it, the signatories argued the program seeks to "put a happy face on a dangerous product," as well as claiming in its Cancel Ring Nation petition that the series is "a transparent attempt to normalize surveillance and manufacture a PR miracle for scandal-ridden Amazon."

Earlier this year Amazon admitted it sometimes hands Ring footage over to US law enforcement without getting permission from the device's owners, doing so 11 times in the first half of 2022.

The AWS parent said at the time that, while it generally doesn't allow police to view footage without owner consent, it does waive that requirement when served with applicable court orders and emergency requests.

Los Angeles school cyberattackers make ransom demand

The unidentified miscreants who broke into Los Angeles Unified School District (LAUSD) systems last month made a ransom demand, officials said Tuesday. 

"There has been no response to the demand," said LAUSD superintendent Alberto Carvalho. Carvalho didn't state how much the extortionists demanded or what data they may have stolen and be holding, but did say that there had been no new security breaches since the incident, which was detected over Labor Day weekend in the US. 

LAUSD, which is said to have more than 640,000 students, said it didn't believe there was any compromise of employee information, such as Social Security numbers, though officials haven't elaborated as to what student data may have been taken in the attack. The district does not collect Social Security data from students or parents.

Brett Callow, threat analyst at Emsisoft, told the Los Angeles Times that 25 school districts had been hit with similar attacks so far in 2022. "The only unusual thing about this attack is that it involved the nation's second-largest school district. That fact aside, incidents such as this are unfortunately all too common," Callow said.

While it was believed early on that cybercrime gang Vice Society was responsible for the attack, authorities never confirmed that detail, and the LA Times said officials continue to decline to do so. 

Chrome, Edge spellcheckers expose cleartext PII to Google, Microsoft

Google's Chrome and Microsoft's Edge browsers have been found to be, depending on the user's setup, transmitting private information – such as usernames, emails, and even passwords – to their parent companies in good, old-fashioned cleartext. 

Dubbed "spell-jacking" by researchers at JavaScript security company Otto that spotted it, the problem arises in Chrome's Enhanced Spellcheck feature and Edge's MS Editor add-on, both of which allow the browsers to check spelling in form fields and similar spots on websites. If users with the feature enabled click the "Show Password" button available on many websites, Chrome and Edge will send that valuable data out.

"What's concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background," said Otto co-founder and CTO Josh Summitt. 

Otto said a number of high-profile websites, including Office 365, Alibaba Cloud Service, Google Cloud Secret Manager, AWS Secrets Manager and LastPass all let the browsers transmit cleartext data to Google and Microsoft. The researchers said AWS and LastPass have already mitigated the issue.

Otto said it tested more than 50 websites across banking, cloud, healthcare, government, social media and ecommerce sectors and found the majority transmitted data gleaned from the two spellcheckers. Like many security issues involving user input on websites, this bug can be coded out, in this case by adding the spellcheck="false" attribute to input fields containing sensitive data. ®
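As an added example, not code from the article or from Otto, here is a small Node.js audit of that spellcheck="false" mitigation: it scans HTML templates for fields likely to hold secrets or PII that lack the attribute and rewrites them to carry it. The sample login form and the sensitive-field heuristics are assumptions constructed for this example.

```javascript
// Added example (not the article's or Otto's code): a tag-level scan, not a full
// HTML parser, that flags <input>/<textarea> fields likely to hold secrets or
// PII yet lacking spellcheck="false", and a rewriter that adds the attribute.
// The sample form and the "sensitive" heuristics are constructed assumptions.

const SENSITIVE_TYPES = new Set(["password", "email"]);
const SENSITIVE_NAME = /(pass|pwd|secret|token|ssn|credential|api[-_]?key)/i;
const TAG_RE = /<(input|textarea)\b([^>]*)>/gi;

// Read one attribute value (lower-cased) out of a tag's attribute string.
function attr(attrs, name) {
  const m = attrs.match(new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]*)`, "i"));
  return m ? m[1].toLowerCase() : null;
}

// A field is "sensitive" by its type or by a tell-tale name/id (assumption).
function isSensitive(attrs) {
  const type = attr(attrs, "type") || "";
  const name = attr(attrs, "name") || attr(attrs, "id") || "";
  return SENSITIVE_TYPES.has(type) || SENSITIVE_NAME.test(name);
}

// Returns the raw tags of sensitive fields the browser would still spellcheck.
function auditSpellcheck(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    if (isSensitive(m[2]) && attr(m[2], "spellcheck") !== "false") findings.push(m[0]);
  }
  return findings;
}

// Rewrites the HTML so every sensitive field carries spellcheck="false".
function hardenSpellcheck(html) {
  return html.replace(TAG_RE, (tag, tagName, attrs) => {
    if (!isSensitive(attrs) || attr(attrs, "spellcheck") === "false") return tag;
    const cleaned = attrs.replace(/\bspellcheck\s*=\s*["']?[^"'\s>]*["']?/i, "");
    const selfClose = /\/\s*$/.test(cleaned) ? " /" : "";
    const body = cleaned.replace(/\/\s*$/, "").trimEnd();
    return `<${tagName}${body} spellcheck="false"${selfClose}>`;
  });
}

// Constructed sample: a login form whose "Show password" button flips the
// password field to type="text", the moment an enhanced spellchecker sees it.
const SAMPLE = `
<form>
  <input type="text" name="username" spellcheck="true">
  <input type="password" name="password" id="pw">
  <input type="email" name="email">
  <textarea name="notes"></textarea>
  <input type="text" name="api_key" spellcheck="false">
</form>`;
```

Running auditSpellcheck(SAMPLE) reports the password and email fields; after hardenSpellcheck the audit is clean while the non-sensitive username field keeps its own spellcheck setting.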
