Activity Summary - Week Ending on 6 January 2023:
- Red Sky Alliance identified 32,773 connections from new IPs checking in with our Sinkholes
- Amazon in Singapore hit 32x
- Analysts identified 492 new IP addresses participating in various Botnets
- Red Sky Dark Web Collection for 2022
- LockBit seen twice in Top 5 Malware
- Indian Job Seeker data stolen (IR-23-005-001)
- The Meta Eire Fine
- Five Guys Burgers
Red Sky Alliance Compromised (C2) IPs
IP | Contacts
18.142.112.98 | 238
89.117.58.53 | 95
87.236.20.214 | 81
5.101.157.29 | 78
198.98.57.136 | 77
18.142.112.98 was seen 32 times. Confidence of Abuse: 100%. ISP: Amazon Data Services Singapore; Usage Type: Data Center/Web Hosting/Transit; Hostname(s): ec2-18-142-112-98.ap-southeast-1.compute.amazonaws.com; Domain Name: amazon.com; Country: Singapore
Red Sky Alliance Malware Activity
On 5 January 2023, Red Sky Alliance identified 32,773 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.
Malware Variant | Times Seen
sality | 29336
corkow | 2076
sykipot | 772
shiz | 546
maudi | 505
Top 5 Malware Variants and number of contacts. Sality and Corkow have consistently remained the top variants.
For a full blacklist, contact analysts: info@wapacklabs.com
Red Sky Alliance Botnet Tracker
On 5 January 2023, analysts identified 492 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers).
First Seen | Botnet Attribution | Infected Host’s IPv4 Address
2022-12-29T22:20:24 | HTTP proxy|port:3128 | 5.161.112.28
2023-01-03T12:20:58 | HTTP proxy|port:80 | 8.219.63.133
2023-01-02T18:30:24 | HTTP proxy|port:80 | 8.219.170.80
2022-12-29T21:00:24 | HTTP proxy|port:3128 | 20.210.26.214
2023-01-02T15:10:22 | HTTP proxy|port:8080 | 36.94.8.59
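The rows in the two tables above are only useful once they are matched against your own egress telemetry. The following is an added example, not Red Sky Alliance tooling: it loads the C2 and botnet rows exactly as published, then scans a few constructed firewall log lines (key=value layout, not a real vendor format) and flags the internal host that reached a listed address, noting for botnet rows whether the destination port matches the attributed proxy port.

```python
import re

# Indicator rows copied from the two tables above: C2 IPs with contact counts,
# then botnet hosts with first-seen time and attribution.
C2_ROWS = """\
18.142.112.98 | 238
89.117.58.53 | 95
87.236.20.214 | 81
5.101.157.29 | 78
198.98.57.136 | 77"""
BOTNET_ROWS = """\
2022-12-29T22:20:24 | HTTP proxy|port:3128 | 5.161.112.28
2023-01-03T12:20:58 | HTTP proxy|port:80 | 8.219.63.133
2023-01-02T18:30:24 | HTTP proxy|port:80 | 8.219.170.80
2022-12-29T21:00:24 | HTTP proxy|port:3128 | 20.210.26.214
2023-01-02T15:10:22 | HTTP proxy|port:8080 | 36.94.8.59"""
# Constructed sample egress-firewall lines (key=value layout, no real vendor format).
SAMPLE_LOG = """\
2023-01-05T09:01:11Z src=10.0.0.5 dst=18.142.112.98 dport=443 action=allow
2023-01-05T09:02:45Z src=10.0.0.9 dst=142.250.72.14 dport=443 action=allow
2023-01-05T09:03:02Z src=10.0.0.7 dst=8.219.63.133 dport=80 action=allow
2023-01-05T09:04:30Z src=10.0.0.7 dst=20.210.26.214 dport=443 action=allow"""

PORT_RE = re.compile(r"port:(\d+)")
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def load_indicators():
    """Build {ip: {"source", "detail", "port"}} from the pipe-separated rows."""
    indicators = {}
    for row in C2_ROWS.splitlines():
        ip, contacts = (f.strip() for f in row.split(" | "))
        indicators[ip] = {"source": "c2", "detail": f"{contacts} sinkhole contacts", "port": None}
    for row in BOTNET_ROWS.splitlines():
        first_seen, attribution, ip = (f.strip() for f in row.split(" | "))
        port = PORT_RE.search(attribution)  # attribution carries the proxy port
        indicators[ip] = {"source": "botnet", "port": int(port.group(1)) if port else None,
                          "detail": f"{attribution}, first seen {first_seen}"}
    return indicators


def scan_log(lines, indicators):
    """Flag internal hosts that reached a listed IP. For a C2/sinkhole hit the *source*
    host is the likely infection; a botnet-proxy hit is stronger when the port matches."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        ind = indicators.get(dst)
        if ind is None:
            continue
        hits.append({"src": src, "dst": dst, "source": ind["source"], "detail": ind["detail"],
                     "port_match": ind["port"] == dport})
    return hits
```

A real deployment would replace the embedded rows with the full blacklist the analysts provide and point `scan_log` at the proxy or firewall export for the day.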
Red Sky Alliance Dark Web Collection
Three (3) years ago, Red Sky Alliance created a Dark Web collection project. In this time, automated collection of the Dark Web was developed, resulting in collection from 80+ sites. Last year (2022), the data set added 30 new Dark Web sites; see below:
Recorded Future Top 5 Threat Actors and Malware for 01 05 2023 (see left - rankings change daily)
Exposing Indian Job Seekers' Data - An Elasticsearch server belonging to a major international IT recruitment and software solution provider is currently exposing the personal data of more than half a million Indian candidates looking for jobs. However, the data is not limited to jobseekers, as the server is also exposing the company’s employees’ data. Another important aspect of this data exposure is that it also contains the company’s client records from different companies, including Apple and Samsung.
Full report: https://www.hackread.com/erp-firm-expose-india-job-seekers-data/
GLOBAL TRENDS:
The Meta Eire Fine - Ireland’s data privacy watchdog has handed down a €390 million (about $413 million) fine to Meta after two years-long inquiries into the data processing operations of Facebook and Instagram. The inquiries resulted from two complaints filed in May 2018 centered on the legal justifications used by the social media giant for the collection of user data.
Ireland’s Data Protection Commission (DPC) ruled that Meta did not clearly outline to users the “processing operations” that were being carried out with personal data nor what that data was being used for. The lack of transparency was a violation of the European Union’s General Data Protection Regulation (GDPR).[1]
While a significant hit to Meta, the decision also exposed disagreement within Europe over how to enforce the GDPR. The original fines proposed by the DPC were much lower and were only raised on orders from the European data protection authority. The DPC ultimately regulates Meta because its European headquarters are based in Dublin. Ireland’s commission originally determined that Meta did not violate the GDPR by relying on “forced consent” – whereby Facebook and Instagram force users to “accept” a terms of service agreement in order to use the platforms. Other bodies within Europe disagreed, concluding the company was indeed in violation of the law. Those terms of service agreements are used by Meta to justify the legality of their data collection practices. Under the GDPR, bodies like the DPC submit their decisions to regulators across the European Union. The other privacy watchdogs agreed with the DPC’s first assessment around transparency but said the fines needed to be increased.
On the second issue, 10 of the 47 privacy authorities in Europe raised objections to DPC’s findings. Several privacy watchdogs said Meta should not be allowed to rely on byzantine terms of service agreements to justify the use of personalized ads on Facebook and Instagram. The personalized ads were not “necessary to perform the core elements” of the social media platforms’ functions, they found. The DPC, however, argued that Facebook and Instagram are “personalized services that also feature personalized advertising” – which is “central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service.”
The two sides could not agree on a resolution and the decision was then sent to the European Data Protection Board (EDPB), which ruled on December 5 that the DPC needed to increase its fine and backed the 10 watchdogs that disagreed with Meta’s legal justifications for data collection. The EDPB’s ruling on the additional violation of GDPR is what prompted the DPC to increase the fine to €210 million (about $229 million) for Facebook privacy violations and €180 million (About $200 million) for Instagram.
Meta now has three months to bring its operations into compliance with the GDPR or they will face additional fines. The EDPB also ordered the DPC to conduct a new investigation into Facebook and Instagram’s data processing operations, something the DPC vehemently disagreed with and plans to challenge in court.
"transparency" of the illegal processing, but not stop the illegal processing itself. Kinda like "we ask them to break the law in a more transparent way" – why don't you think this is enough? The third #noyb complaint on WhatsApp is delayed for another two weeks, but will… — Max Schrems 🇪🇺 (@maxschrems) 4 January 2023
NOYB, the organization that filed the complaints in 2018, said in a statement that it felt vindicated by the EDPB ruling rejecting what it felt was an attempt by the DPC and Meta to bypass the rules outlined in the GDPR. Meta will now have to get “opt-in” consent for personalized advertising and must provide users with a “yes/no” option, the organization explained. It noted that a third complaint it filed against another Meta service, WhatsApp, has been delayed until mid-January. “Instead of having a ‘yes/no’ option for personalized ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way,” said Schrems, a NOYB privacy expert. “This case is about a simple legal question. Meta claims that the ‘bypass’ happened with the blessing of the DPC. For years the DPC has dragged out the procedure and insisted that Meta may bypass the GDPR, but was now overruled by the other EU authorities. It is overall the fourth time in a row the Irish DPC got overruled.”
A Meta spokesperson said that the level of disagreement within Europe demonstrated by the DPC’s press release was “very telling,” adding that there is a “total lack of regulatory certainty or clarity on this topic.” The spokesperson said the company has a variety of options to process user data and they are currently assessing which to use. “The debate around legal bases has been ongoing for some time and businesses have faced a lack of regulatory certainty in this area. We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines,” a Meta spokesperson said. “These decisions do not prevent targeted or personalized advertising on our platform. The decisions relate only to which legal basis Meta uses when offering certain advertising. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets.”
The New York Times reported that the personalized ad practices at issue generated $118 billion in revenue in 2021 for Meta.
Almost 5 years after the GDPR came into force, this is probably the most significant enforcement decision to date – following complaints made on 25 May 2018 (!), the day the GDPR came into force. The Irish DPC fined Meta 390 million euros, but this is not about the fine. 1/ https://t.co/riEEEV6ZZ1 — Dr. Gabriela Zanfir-Fortuna (@gabrielazanfir) 4 January 2023
Schrems criticized the DPC for allegedly holding 10 confidential meetings with Meta and accused the watchdog of helping Meta skirt GDPR rules. Schrems said the Irish authority also tried to influence the European regulatory body to rule in favor of Meta. He argued that despite what was in the DPC’s statement, the privacy watchdog “shielded Meta and they got voted down on the EU level. The decision means that Meta must allow users to have a version of all apps that does not use personal data for ads within three months,” NOYB said. “The decision would still allow Meta to use non-personal data (such as the content of a story) to personalize ads or to ask users for consent to ads via a ‘yes/no’ option. Users must be able to withdraw consent at any time and Meta may not limit the service if users choose to do so. While this will limit Meta’s profits dramatically in the EU, it would not fully prohibit ads.”
The privacy non-profit also took issue with the DPC’s rollout of the decision, noting that the watchdog only informed them today that it would not be releasing the full decision to them, citing confidentiality, despite the fact that the organization is a plaintiff in the case. Schrems said he has never seen a decision served only to one party but not the other. The original fine proposed by the DPC was between €28 million and €36 million (about $29 million to $38 million). He noted that Meta has been hit with fines totaling nearly €1 billion ($1.06 billion) since the GDPR went into effect.
Last September, Meta said it was appealing another fine, worth $400 million, for violations related to Instagram allowing children as young as 13 to operate business accounts. Last year, the DPC also fined Meta $267 million for GDPR violations related to data processing done by WhatsApp. The DPC also fined Meta €265 million (about $275 million) in November for the company’s data protection practices.
5 Guys - The Five Guys burger empire has been hit with what appears to be a "smash-and-grab" operation: cyber attackers busted into a file server and made off with the personally identifiable information (PII) of people who applied to work at the chain. Details are scant, but in a form letter to the impacted sent out on 29 December, Five Guys' chief operating officer noted that "unauthorized access to files" was discovered on 17 September and was blocked the same day. He added, "We conducted a careful review of those files and, on 8 December 2022, determined that the files contained information submitted to us in connection with the employment process, including your name and [variable data]."
What was that "variable data," one might ask? Turke & Strauss LLP, a law firm that's investigating the matter on behalf of the victims, identifies the information as including Social Security numbers and drivers' license data. Five Guys did not immediately respond to a request for verification or comment.
Five Guys employs about 5,000 people worldwide, according to Forbes, and presumably the turnover and number of applications for open positions is like other food-service jobs. But while that means that a large number of people could potentially be affected by the breach, the company has so far left it unclear how many people were actually caught up in the incident.
Five Guys also hasn't announced what, if any, shoring up of security it plans to do in the wake of the incident, only noting that it engaged law enforcement and a cybersecurity firm, and that it would provide credit monitoring. Brad Hong, customer success manager at Horizon3ai, notes that improvements to defense should be an important part of the incident response. "An unfortunate precedent has been set [by the infamous Equifax breach] to simply provide credit monitoring, shifting the onus of action back to the consumer instead of the organization announcing the technological steps taken to prevent breaches in the future," he says.
A Whole Menu of Follow-on Attacks: Researchers note that the unfolding situation could prove difficult for both the individual victims and the burger purveyor itself. This is not Five Guys' first time being flamed on the cybercrime grill, as BullWall executive vice president notes, and a prior incident illustrates just what could be at stake for both. "In a past breach of Five Guys, the threat actor used the stolen data to make fraudulent charges on bank debit and credit cards, and one such bank, Trustco, was hit with $100,000 in fraudulent charges from customers of theirs that have been part of this data breach," he said. "If the bad guys got that much out of Trustco, imagine how much they've bilked from Chase or Bank of America.”
As for the impact to the company, Trustco went on to file a lawsuit against Five Guys in New York for damages related to issuing new cards and reimbursing victims for fraudulent charges.
In this more recent case, the principal threat hunter at Netenrich notes that there are any number of follow-on attacks that threat actors could mount using the data, even if it doesn't include payment-card information. "The most immediate use of this data is to realize there are a handful of people on the lower end of the economic scale who are looking for jobs," he says. "I imagine there will be scams and mule recruitment lures sent to those people in the near future."
BullWall meanwhile mentions that the craftier cybercriminal types will often also try to take advantage of the fear and reaction in the market when such an incident is publicized, in the form of ultra-believable phishing efforts. "Victims may get an email: 'We apologize but as you may have heard your data was part of our data breach,'" they explain. "'Please click here to reset your password.' These emails can look identical to emails from Five Guys and they can even spoof the Five Guys domain. Once the user puts in their credentials, the threat actor now has access to all the other sites they use that password on, like PayPal, Amazon, or Venmo."
The chief security adviser at Tanium says that the potential for a cybercrime ripple effect could also include extortion, affecting applicants and organizations alike. "Any victimized organization could receive double extortion threats; i.e., ask for money to not leak or sell the data," he says. "Individuals whose information is contained in the breach could be victims of triple extortion, whereby the attackers demand money from them to in turn not sell or use their data."
Source: https://www.darkreading.com/attacks-breaches/five-guys-data-breach-hr-data
A Smash (& Grab) Burger of Data Theft: Since the data breach notice indicates that the bad guys accessed a single file server, with no lateral movement, this is likely a case of financially motivated attackers looking for low-hanging fruit, researchers say — and finding it. Restaurants and food-service outlets have a unique set of financial challenges (like razor-thin margins) that can often lead to them deprioritizing security, even as they collect reams of data via online ordering, reservations systems, HR systems, and more, on an order of magnitude that far outstrips other sectors, says Andrew Barratt, vice president at Coalfire. "The challenge is real — we have adaptive threat actors who will chase down any point of access versus defenders with limited budgets and a whole raft of macro-economic stresses to focus in on too," he says. "Really, we need to keep visibility of these kind of compromises high so that executives don't discount them as 'won’t happen to me.'"
Others are less charitable. Horizon3ai's Hong adds, "Unless the attack vector in this incident was a novel one, all signs point to this incident being another example of a company that chose returns over security. With Five Guys pulling in close to $2 billion in revenue, I’d be interested to see what their cybersecurity spend was."
Meanwhile, Web-facing systems could exacerbate the risk, Casey Ellis, founder and CTO at Bugcrowd, says: "This sounds a lot like a recruiting system where candidates upload their resumes," he tells Dark Reading. "Having these sorts of systems available to the Internet makes sense when you consider the recruiting and job application process, but if something is more available to a public user, it's also more available to a potential attacker." He adds, "Common Web coding flaws like Indirect Object References (IDOR), authentication flaws, and even injection flaws can enable this type of attacker outcome without the need for lateral movement."
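Ellis's point that a coding flaw in an Internet-facing recruiting portal can yield the whole applicant store with no lateral movement is easiest to see in code. The block below is an added example, not Five Guys' system or any vendor's code: a hypothetical applicant-file lookup with constructed sample records, shown first with the direct-object-reference flaw and then hardened with an authentication check, an ownership check that returns the same error for missing and foreign records, and an audit trail that a detection rule can read for enumeration attempts.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data for a hypothetical recruiting portal (not a real system).
APPLICANT_FILES = {
    1001: {"owner": "alice", "name": "Alice Example", "ssn_last4": "1234", "resume": "alice.pdf"},
    1002: {"owner": "bob", "name": "Bob Example", "ssn_last4": "5678", "resume": "bob.pdf"},
}


class Forbidden(Exception):
    """Raised when a caller is not allowed to read the requested applicant record."""


@dataclass
class Request:
    user: Optional[str]  # authenticated principal, None if anonymous
    file_id: int         # value taken straight from the URL, e.g. /applicants/1002


@dataclass
class AuditLog:
    events: list = field(default_factory=list)  # (outcome, user, file_id)


def get_file_vulnerable(req):
    """The flaw: the id from the URL is trusted and looked up directly, so any caller,
    even one who is not logged in, receives whatever record the id names."""
    return APPLICANT_FILES[req.file_id]


def get_file_hardened(req, audit):
    """Authenticate, authorize against the record's owner, and log every denial so a
    sequential walk of ids shows up as a burst of denials from one principal."""
    if req.user is None:
        raise Forbidden("authentication required")
    record = APPLICANT_FILES.get(req.file_id)
    # One error for both "missing" and "not yours": the response must not reveal which ids exist.
    if record is None or record["owner"] != req.user:
        audit.events.append(("deny", req.user, req.file_id))
        raise Forbidden("not found")
    audit.events.append(("allow", req.user, req.file_id))
    return record


def enumeration_suspects(audit, threshold=3):
    """Detection side: principals with at least `threshold` denied lookups."""
    counts = {}
    for outcome, user, _ in audit.events:
        if outcome == "deny":
            counts[user] = counts.get(user, 0) + 1
    return {user for user, n in counts.items() if n >= threshold}
```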
Indeed, Tanium's Morris notes that the most common break-in approaches by threat actors looking for easy pickings tend to be the exploitation of known vulnerabilities, phishing, and stolen credentials. As such, there are simple steps that could make bottom-feeding data thieves simply move on to an easier target. "Organizations can combat these attacks by having robust life-cycle management of all computer hardware and software. This requires identifying critical assets and data and protecting them accordingly," he says. "Asset life-cycle management must also include sustainable and efficient vulnerability and patching programs. Additionally, strong authentication and authorization processes that include multifactor authentication need to be employed."
[1] https://therecord.media/irish-privacy-watchdog-fines-meta-400-million-amid-disagreem