New York county still dealing with ransomware eight months after attack
Also: iSpoof no more, Edmodo fined more than it can pay, UK is #1 (in CC theft), and the week's critical vulns
security in brief The fallout from an eight-month-old cyber attack on a county in Long Island, New York has devolved into mud-slinging as leaders try to figure out just what is going on.
Suffolk County was hit with a ransomware attack in early September 2022, which led county executive Steve Bellone to issue nine separate emergency declarations, Long Island publication Newsday said – the most recent of which was enacted earlier this month.
Bellone's detractors don't believe the state of emergency needs to continue, however, and county legislators have introduced a resolution to terminate the continued declarations. In Suffolk County, a state of emergency gives executives the ability to issue no-bid contracts and hire staff without legislative approval.
Bellone used those powers in December to suspend Suffolk County clerk IT director Peter Schlusser without pay, with Bellone and his team placing much of the blame for the intrusion and the accompanying $2.5 million ransom demand on the clerk's office.
A spokesperson for the county told Newsday that the continued state of emergency was necessary "because certain functions, including remote public document searches, remain offline and require a complete overhaul due to the fact that the former clerk IT administrator failed to update these systems in decades."
Schlusser disagrees, and claims he alerted Bellone's IT team to potential intrusions months before the ransomware attack, and that he also passed along an FBI warning, received shortly before the attack was discovered, that an active ransomware campaign was being waged against the county.
Whatever the merits of the claim that the emergency has long since passed, a post-breach report found 600 instances of malware on county systems that had gone undetected for years. So far, the ransomware incident has cost Suffolk County $5.4 million for investigation and restoration, and $12 million for new hardware and software.
GitLab issues emergency patch for CVSS 10.0 vulnerability
Anyone hosting code on GitLab should take this week's list of critical vulnerabilities seriously – the code-hosting platform released an emergency patch for a rather serious path traversal flaw this week.
Tracked as CVE-2023-2825, the bug affects GitLab Community Edition and Enterprise Edition 16.0.0 only; earlier versions are not affected. On a vulnerable instance, an unauthenticated attacker can read arbitrary files on the GitLab server when an attachment exists in a public project nested within at least five groups.
GitLab's own security advisory for the flaw contained minimal information, but did include a warning to update to version 16.0.1 as soon as possible.
So get to it.
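To make the flaw class concrete, here is an added illustration (not GitLab's code, and not the specific mechanics of CVE-2023-2825, which the advisory does not detail): a naive attachment resolver that trusts a client-supplied path beside a hardened one that percent-decodes to a fixed point, normalizes, and proves the result stays under the upload root. The upload root, the file names and the sample requests are made up, and paths are POSIX.

```python
"""Path traversal: a naive attachment resolver beside a hardened one.

Added illustration, not GitLab code and not the mechanics of CVE-2023-2825.
Paths use POSIX separators; UPLOADS_ROOT is a made-up directory.
"""
import os
from urllib.parse import unquote

UPLOADS_ROOT = "/srv/uploads"  # hypothetical upload root, not a real layout


def naive_attachment_path(root: str, requested: str) -> str:
    """Vulnerable: decodes once and trusts whatever the client sent.

    os.path.join discards ``root`` when ``requested`` is absolute, and
    '..' segments are joined verbatim, so the result can leave ``root``.
    """
    return os.path.join(root, unquote(requested))


def fully_decode(value: str, max_rounds: int = 5):
    """Percent-decode until the string stops changing.

    Returns None if it is still changing after ``max_rounds`` rounds,
    which only happens for deliberately layered encodings.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    return None


def safe_attachment_path(root: str, requested: str):
    """Hardened: decode, normalize, then prove containment.

    Returns the absolute path if it stays strictly under ``root``,
    otherwise None. Containment uses commonpath rather than a string
    prefix, so '/srv/uploads-old/x' is not mistaken for a child of
    '/srv/uploads'.
    """
    decoded = fully_decode(requested)
    if decoded is None or "\x00" in decoded:
        return None
    root = os.path.normpath(os.path.abspath(root))
    candidate = os.path.normpath(os.path.join(root, decoded))
    if candidate == root:
        return None  # the root directory itself is not an attachment
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


SAMPLE_REQUESTS = [  # constructed inputs, not captured traffic
    "42/avatar.png",                     # legitimate attachment
    "..%2F..%2Fetc%2Fpasswd",            # percent-encoded '../' segments
    "%252e%252e/%252e%252e/etc/passwd",  # double-encoded '..'
    "/etc/passwd",                       # absolute path swallows the root
    "../uploads-old/secret.txt",         # sibling directory sharing a prefix
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:40} naive={naive_attachment_path(UPLOADS_ROOT, req)!r}")
        print(f"{'':40} safe ={safe_attachment_path(UPLOADS_ROOT, req)!r}")
```

The naive resolver returns paths such as `/srv/uploads/../../etc/passwd` and `/etc/passwd` without complaint; the hardened one rejects every traversal case and accepts only the legitimate request. The same containment check belongs wherever a path is assembled from anything the client controls, including the project or group segments of a nested URL.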
Outside of the GitLab report, CISA published four ICS advisories this week covering critical and high-severity vulnerabilities:
- CVSS 10.0 – CVE-2023-1424: Several models of Mitsubishi MELSEC CPU modules contain a buffer overflow vulnerability that an attacker could use to execute malicious code on target machines.
- CVSS 9.8 – Multiple CVEs: Version 1.0 of Moxa's MXsecurity software contains hard-coded credentials that could be exploited to give an attacker RCE capabilities.
- CVSS 9.8 – Multiple CVEs: Hitachi Energy's RTU500 series modules contain bugs across a wide range of firmware versions that could be combined to cause a denial of service, up to crashing affected devices outright.
- CVSS 8.1 – Multiple CVEs: Firmware on several models of Hitachi Energy's AFS and AFF network equipment contains a use-after-free vulnerability that could let an attacker disclose sensitive information or cause a denial of service.
iSpoof entrepreneur jailed
The man behind a popular website that allowed cyber criminals to spoof their caller ID has been sentenced to 13 years and four months in prison, the Metropolitan Police said this week.
Tejay Fletcher, the operator of iSpoof, was arrested in November last year and pleaded guilty to making or supplying articles for use in fraud, encouraging or assisting in the commission of an offense, possessing criminal property and transferring criminal property, the Met said.
iSpoof was a massive international operation, with £48 million ($59 million) in losses reported from victims in the UK alone. Users of the site, of whom there were a reported 59,000, made ten million calls via iSpoof in the 12 months ending in August 2022 – 3.5 million of those targeted UK residents and customers of banks like Barclays, HSBC and Lloyds. Some 169 people have been arrested in the UK under suspicion of using iSpoof.
"This type of crime will not be tolerated and those who are involved in fraud and cyber crime will be found and brought to justice," said City of London Police Commander Nik Adams.
Ed tech firm fined $6m, says it can't pay
Education technology firm Edmodo was fined $6 million by the US Federal Trade Commission this week, and will have to conform to several other requirements, after an investigation determined the company illegally collected and sold minors' data to be used to serve ads.
Edmodo reportedly foisted legal compliance onto districts and teachers, violated data retention rules, and committed numerous other violations of COPPA, the FTC said.
Edmodo won't actually pay the fine, however, as it says it is unable to. The FTC suspended the penalty in response, but let the other provisions of its order stand – despite the fact that Edmodo suspended its US operations in response to the investigation.
Edmodo isn't doing business anywhere right now, which may be why the $6 million penalty is a bit out of its price range. If the company ever resumes operations, it'll be required to collect only information that's reasonably necessary for students to participate in virtual classroom activities. The other orders prohibit it from collecting or using data to serve ads, and require it to get explicit consent from parents – not schools – to collect data. ®