US Imposes Visa Restrictions on Commercial Spyware Abusers

UK and nearly three dozen other nations sign int'l pact against hackers-for-hire, Chicago children's hospital suffering under week-long cyber incident, PA court system out due to DDoS, much more


Nota bene: While Metacurity explores switching to alternative newsletter platforms, please know that whatever we do, you can always reach Metacurity at https://metacurity.com. Also note that when we make the switch, it should be seamless for all subscribers, including premium subscribers.

Secretary of State Antony Blinken announced a new policy that will allow the State Department to impose visa restrictions on individuals believed to have been involved in the abuse of commercial spyware, as well as on those who facilitate such actions and benefit from them.

Officials say the new policy is part of a broader effort to shape the behavior of foreign governments and companies involved in malicious digital espionage activities. Historically, these companies have been accused of developing platforms facilitating hacks against human rights activists, journalists, and opposition politicians in the developing world.

A senior Biden administration official said that the new policy would also apply to investors and operators of the commercial spyware believed to be misused. They added that private hacking tools have targeted at least 50 U.S. officials in recent years.

The new policy, which is organized under the existing Immigration and Nationality Act, applies to a broad group of individuals involved in hacking operations that in some form "surveil, harass, suppress, or intimidate individuals including journalists, activists, other persons perceived to be dissidents for their work, members of marginalized communities or vulnerable populations, or the family members of these targeted individuals." (Christopher Bing and Kanishka Singh / Reuters)

Related: State Department, Financial Times, Cyberscoop, The Record, Bleeping Computer, NextGov, Bloomberg, BleepingComputer, Cyber Daily, Associated Press, Reuters, The Hill, The Record, The Verge, Nextgov/FCW, CyberScoop, Bloomberg, Axios, Dark Reading, South China Morning Post, Reddit - Information Security News, Voice of America, The Guardian, Technology: Latest Tech News Articles Today | AP News, The Independent, The Hill, Infosecurity Magazine, SiliconANGLE, IBTimes India, UPI.com, Cyberscoop, Cyberdaily.au, Fortune, iTech Post, Decipher, The Hacker News, Technology | The Hill

The UK and more than 35 other nations signed a new international agreement to take action against “hackers-for-hire” and commercial markets for tools used to carry out targeted cyber attacks.

Deputy Prime Minister Oliver Dowden will lead a two-day conference alongside France that will see countries and businesses discuss how to tackle the commercial market for malicious tools and the threat they pose to international security.

Companies such as Apple, BAE Systems, Google, and Microsoft will be at the conference.

As part of the agreement under the Pall Mall Process, measures to discourage irresponsible behavior and ways to improve accountability, transparency, and oversight within the sector will be considered. (Martyn Landi / The Independent)

Related: Inquirer.net, The Standard, The Record

Lurie Children’s Hospital in Chicago has been forced to take its networks offline after an unspecified cyberattack, limiting access to medical records and hampering communication by phone or email since the middle of last week.

On January 31, the hospital initially described it as a network outage. It later released public statements saying the hospital had taken its networks offline as part of its response to a “cybersecurity matter.”

“We are taking this very seriously, investigating with the support of leading experts, and are working in collaboration with law enforcement agencies,” the hospital said in a statement Thursday. “As Illinois’ leading provider for pediatric care, our overarching priority is to continue providing safe, quality care to our patients and the communities we serve. Lurie Children’s is open and providing care to patients with as limited disruption as possible.”

Hundreds of thousands of patients and their families haven't been able to get care, reach their pediatricians, or access their online medical records for about a week. During this outage, elective surgeries have been postponed, and doctors can't access pending test results. Providers still don't have access to all patient records, as many are only available digitally.

Late last week, the hospital announced a separate call center for patients to get prescriptions refilled or ask non-urgent questions about care or appointments. (Kathleen Foody / Associated Press and Justin Kaufmann, Monica Eng / Axios Chicago)

Related: Axios, DataBreachToday.com, WISHTV, JD Supra, CBS News, The Register - Security, The Register - Security, SC Magazine, TIME, Becker's Hospital Review, The Independent, ABC7, NBC Chicago, STAT

According to Chief Justice Debra Todd, Pennsylvania’s court system was hit with a distributed denial-of-service (DDoS) attack and is experiencing disruption.

Portions of the Pennsylvania Courts’ website are currently down due to the attack. Todd said the FBI and Cybersecurity and Infrastructure Security Agency (CISA) are involved in the recovery effort. (Note the link for PAcourts.us produced an error as of 6:52 am on February 6.)

“There is still no indication that any court data has been compromised, and our courts remain open and accessible to the public,” she said in a statement on Monday afternoon.

The system used for court payments, including fines, restitution, bail, and registration, is also unavailable. Law enforcement agencies in the state can still use the websites containing information on warrants and criminal complaints.

Court officials did not respond to requests for comment about whether any demands or ransoms were issued concerning the DDoS attack. They also did not say whether the DDoS incident was connected to another cyberattack specifically targeting the Pennsylvania county of Washington.

On January 28, county officials there sent an urgent message to the state’s Supreme Court declaring a “judicial emergency in the district” and explaining that it “has suffered a critical incident, rendering significant segments of the technology infrastructure in the County to be inaccessible and inoperable.” (Jonathan Greig / The Record)

Related: WGAL, ReadWrite, Infosecurity Magazine, Jurist, StateScoop, The Cyber Express, Associated Press

An Ivanti Connect Secure and Ivanti Policy Secure server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893 that allows attackers to bypass authentication and access restricted resources on vulnerable devices is currently under mass exploitation by multiple attackers.

Ivanti first warned about the flaw in the gateway's SAML components on January 31, 2024, giving it a zero-day status for limited active exploitation, impacting a small number of customers.

Threat monitoring service Shadowserver is now seeing multiple attackers leveraging the SSRF bug, with 170 distinct IP addresses attempting to exploit the flaw. The exploitation volume of this particular vulnerability is far greater than that of other recently fixed or mitigated Ivanti flaws, indicating a clear shift in the attackers' focus.

According to Shadowserver, almost 22,500 Ivanti Connect Secure devices are currently exposed on the Internet. However, it is unknown how many are vulnerable to this particular flaw.

Although a proof-of-concept (PoC) exploit released by Rapid7 researchers on February 2, 2024, has undoubtedly played a role in assisting attacks, Shadowserver notes that they saw attackers using similar methods hours before the publication of the Rapid7 report. (Bill Toulas / Bleeping Computer)

Related: The Hacker News, The Register, Ars Technica, Cybereason

Google agreed to pay $350 million to settle a lawsuit years after a security lapse meant the personal data of users of its now-defunct social media website Google Plus was exposed to the internet.

People who bought Google’s stock from April 23, 2018, to April 30, 2019, will be able to apply for a share of the settlement, according to a filing with the U.S. Court for the Northern District of California. The filing said that eligible investors will be notified by mail, and a website with information will be created.

In 2018, Google realized that its systems had been exposing the data of millions of users of its Google Plus website to external developers for years, but executives chose not to notify the public or shareholders.

Lawsuits ensued, and Google settled a class-action lawsuit by users whose data was affected for $7.5 million in 2018. Most people who applied only got a few dollars. The case that was settled was brought by the Rhode Island government, whose pension fund was an investor in Google. It wound its way through the courts for five years, and Google tried unsuccessfully to appeal it to the Supreme Court before the settlement was reached.

“We regularly identify and fix software issues, disclose information about them, and take these issues seriously,” said José Castañeda, a Google spokesperson. “This matter concerns a product that no longer exists, and we are pleased to have it resolved.” (Gerrit De Vynck / Washington Post)

Verizon, one of the largest American telecommunications companies, has disclosed a data breach impacting 63,206 individuals, reflecting over half of the 117,000 employees Statista estimates it had in 2002.

The inadvertent disclosure of personal data was attributed to employee wrongdoing.

In a data breach notification filed with authorities in the US state of Maine, Verizon disclosed that around September 21, 2023, a company employee obtained a file containing certain employees' personal information without authorization and in violation of Verizon policy.

According to Verizon’s letter to affected users, the information contained in the file may include name, address, Social Security number or other national identifier, gender, union affiliation, date of birth, and compensation information.

“At this time, we have no evidence that this information has been misused or shared outside of Verizon as a result of this issue. We are working to ensure our technical controls are enhanced to help prevent this type of situation from reoccurring and are notifying applicable regulators about the matter,” the notification reads. (Ernestas Naprys / Cybernews)

Related: Maine Attorney General

Student rideshare startup HopSkipDrive has confirmed a data breach involving the personal data of more than 155,000 drivers.

In a filing with Maine’s attorney general, HopSkipDrive confirmed that it had experienced a cybersecurity incident in June that resulted in a data breach affecting 155,394 drivers. HopSkipDrive said the stolen data included names, email and postal addresses, driver's license numbers, and other non-driver identification card numbers.

HopSkipDrive spokesperson Campbell Millum said those affected include “people who drive on our platform or who applied to drive on our platform.” Millum added that no employee or customer data was accessed in the breach.

The company confirmed that it first discovered the breach on June 12, 2023, when it “discovered suspicious activity on certain third-party applications utilized by our organization.” The company declined to name the compromised applications.

In a letter sent to those affected, HopSkipDrive said it first became aware of the issue after receiving an email from an unknown threat actor.

A HopSkipDrive spokesperson said that the company first notified affected individuals in the first week of July and has “continued communications since then.” (Carly Page / TechCrunch)

Related: Maine Attorney General, Medium, Cybernews

Apple is telling buyers of its Vision Pro headsets that if they lose their passcodes, they must bring the device to a store or mail it to AppleCare customer support to get it working again.

Apple will then erase and reset it.

When customers enter their passcode incorrectly too many times, the headset will be disabled. If users still can’t recall their passcode after a waiting period, they’ll need to send it back to Apple to be reset, according to guidance given to the company’s support staff. At that point, all content on the device will be erased.

It’s a quirk that doesn’t exist with Apple’s other products. The company’s smartwatch, for instance, has a mechanism that lets users set it up again if a passcode is forgotten.

On Apple’s community forum, one customer said he spoke to an agent who was flooded with calls about the problem. “He’s had to deal with a lot of angry customers after telling them their only recourse is to return to the store,” the user wrote. “He said Apple Support was really caught off guard by this and apologized for not being better prepared.”

One complication with the Vision Pro is it doesn’t have a USB-C port that lets users plug it into a Mac for troubleshooting. The company released a special strap for developers to attach the headset to a Mac last week, but that accessory costs about $300 and isn’t meant for consumers. (Mark Gurman / Bloomberg)

Related: Apple Community Forum, MacRumors, Engadget, The Verge, MySmartPrice, SamMobile, iThinkDifferent, Digital Trends, Appleosophy, South China Morning Post, 9to5Mac, Business Today, AppleInsider, iMore

Hewlett Packard Enterprise (HPE) is investigating a potential new breach after the threat actor IntelBroker put allegedly stolen data up for sale on a hacking forum, claiming it contains HPE credentials and other sensitive information.

IntelBroker shared screenshots of some of the supposedly stolen HPE credentials but has yet to disclose the source of the information or the method used to obtain it.

"Today, I am selling the data I have taken from Hewlett Packard Enterprise," the threat actor says in a post on the hacking forum.

"More specifically, the data includes: CI/CD access, System logs, Config Files, Access Tokens, HPE StoreOnce Files (Serial numbers warrant etc) & Access passwords. (Email services are also included)."

This latest investigation comes after HPE disclosed two weeks ago that the company's Microsoft Office 365 email environment was breached in May 2023 by hackers the company believed to be part of the Russian APT29 hacking group linked to Russia's Foreign Intelligence Service (SVR).

IntelBroker is best known for the breach of DC Health Link, which led to a congressional hearing after it exposed the personal data of U.S. House of Representatives members and staff. (Sergiu Gatlan / Bleeping Computer)

Related: CRN, Security Affairs

Google announced a grant of $1 million to the Rust Foundation, meant to help improve the interoperability between Rust and C++ code, saying that Rust has proactively prevented hundreds of vulnerabilities from impacting the Android ecosystem.

Google also said it aggregates and publishes audits for Rust crates used in open-source Google projects.

The support from Google has allowed the Rust Foundation to launch a new ‘Interop’ initiative to make it easier for interested organizations to invest in Rust. (Ionut Arghire / Security Week)

Related: Google Security Blog, The New Stack, The Register, Silicon Angle

Spirit Technology Solutions has acquired Sydney-headquartered cybersecurity company InfoTrust for an undisclosed sum.

The acquisition will see Spirit combine the threat detection and response capabilities of its security operations center (SOC) through its Intalock business with InfoTrust’s assurance and governance, risk management, and compliance (GRC) services.

"This strategic acquisition aligns with our vision of becoming the go-to cybersecurity partner in Australia," Spirit's MD and CEO Julian Challingsworth said. (Andrew Starc / CRN)

Related: ARN, Financial Review

Best Thing of the Day: No One Is Immune to Scammers

Noted journalist, science fiction author, and internet safety expert Cory Doctorow tells the tale of how he got scammed out of $8,000 by a phone phisher, who turned around and attempted to perform the same scam a week later.

Worst Thing of the Day: Caesars Is Not the Place to Be in August

Caesars abruptly terminated its contract with DEF CON without explanation, leaving the conference in the lurch just seven months before the event. However, the quick-acting con organizers arranged for DEF CON to be held at the Las Vegas Convention Center (LVCC) with workshops and training at the Sahara.

Bonus Worst Thing of the Day: Maybe This Guy Won’t Flee From Justice Again

Julius Kivimäki, who extorted thousands of patients of the Vastaamo psychiatric practice in 2020, has been released from pretrial detention by a district court decision and placed under a travel ban, even though he fled to France, where he was arrested in 2023.
