Weekly Threat Report - 11th January 2019
German politicians and celebrities caught in Christmas data leak
Over Christmas, personal information and alleged communications belonging to German politicians, journalists, and celebrities were leaked on Twitter, under the username @_0rbit. The information was published in the style of an "advent calendar event" each day in December.
The data breach reportedly included politicians' email addresses, mobile phone numbers, identity card photos, direct debit and credit card information, and personal and work communications.
A 20-year-old student has admitted to carrying out the hack.
The private information seems to have been acquired over a substantial period of time in 2018 in what German officials called a "sophisticated" operation, and added to publicly available information. Investigators said that the hacker "exploited several vulnerabilities", although they have confirmed that several such security gaps have since been fixed. Officials also said there was no evidence to suggest that government systems had been compromised.
The BSI information security agency said it was contacted by a member of the German parliament in early December about suspicious activity on private email and social media. In a statement, the agency said it was linked to the @_0rbit leaks only when the account's existence became known in early January.
German Interior Minister Horst Seehofer has subsequently confirmed that he will introduce new measures to improve cyber security, and to improve an existing security law with more protections for industry and citizens.
Data breaches such as this highlight the need for individuals who believe their data may be compromised to remain vigilant to phishing emails. The NCSC has published guidance on the phishing threat following data breaches.
Hackers threaten to leak 9/11 litigation documents
A cyber crime group calling itself ‘The Dark Overlord’ continues to threaten to release stolen files from US law firms and a London-based plastic surgery clinic if ransom demands are not met.
The FBI is investigating the theft of 18,000 insurance and legal documents relating to the September 11 attacks on the World Trade Centre. The group reportedly obtained access to the documents after compromising a specialist law firm in the U.S. that provided advice to global insurance firm Hiscox. The insurance firm has confirmed that their own systems were unaffected by this incident.
In October 2017, the Met police confirmed that it was investigating the group for stealing data from a London cosmetic surgery clinic popular with celebrity clients. The group continue to threaten the release of this historic, personal data for money.
After distributing a small preview set of files, the group has publicly released a decryption key for more files, in a bid to bolster their extortion efforts.
The news gives insight into how hacking groups may be evolving in their extortion efforts: opting to drip out stolen material bit by bit, while generating public interest through the media and their own announcements, all to exert pressure on the ransom victim.
The NCSC has previously highlighted this tactic as one which is used by criminals to blackmail organisations.
Open source reporting suggests that there has been a recent surge in activity by ‘The Dark Overlord’ which began in September 2018.
Any organisation that deals with sensitive personal information (e.g. medical institutions, law firms) is at a higher risk of being targeted. The NCSC has published 15 good practice measures for the protection of bulk personal data.
The NCSC strongly encourages anyone who believes they have been a victim of this or other similar activity to report it to Action Fraud.
Hackers hijack Chromecast devices to warn of latest security bug
Two hackers – HackerGiraffe and j3ws3r – claimed to have taken control of 70,000 Google Chromecast smart TV devices around the world in a stunt to raise awareness of cyber security and to promote YouTuber PewDiePie.
The hackers exploited a vulnerability which tricks Google’s media streamer into playing any YouTube video they want. In this instance, the affected Chromecasts displayed a pop-up notice warning the user that their misconfigured router is exposing their Chromecast and smart TV to hackers.
HackerGiraffe retired the following day, noting that “the constant pressure of being afraid of being caught and prosecuted” was affecting his mental and physical health.
Google confirmed it is aware of the issue and is offering guidance on how to handle the attack. The company said: “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable. To restrict the ability for external videos to be played on their devices, users can turn off Universal Plug and Play (UPnP)”.
The hackers also took the opportunity to ask viewers to subscribe to YouTuber PewDiePie’s channel. A similar tactic was employed in December 2018, when an anonymous individual hacked 50,000 printers, causing them to print out a message that urged people to subscribe to the same channel.
The NCSC and DCMS have published the Secure by Design Code of Practice to help developers build secure smart devices, as well as consumer guidance for smart devices in the home.