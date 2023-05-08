

Welcome to The Cybersecurity 202! I’ve been to multiple flower-related festivals of late. The one this past weekend was a delight. Below: A judge dismisses an FTC lawsuit against a data broker, and a WordPress bug has exposed over a million sites to attacks. First:

The ransomware attacks that pose a risk to life and health

Investigators weren’t able to get information on the history of police calls to the home of a mass killing suspect due to a ransomware attack that knocked Dallas government computers down, law enforcement officials told Rebecca Lopez of news channel WFAA in a story this weekend.

Police and fire leaders in the same city, meanwhile, said that response times had slowed. Officers are relying on backup plans like resorting to using pen and paper during system outages, Kelli Smith reported for the Dallas Morning News. That comes amid assurances from a city leader that “key public safety functions continue as usual.”

The cyberattack on the Dallas government illustrates ransomware’s potential, if not actual, risks to public health and safety. Some details about the Dallas cyberattack are still unknown; a city official is expected to discuss the hack when he appears before a Dallas City Council panel today.

The economic impacts of ransomware have long been established as concrete. This weekend brought the two-year anniversary of the attack on Colonial Pipeline, which prompted a fuel panic on the East Coast.

But ransomware attacks on government agencies and hospitals present the danger of a more physical kind of harm.

“All of these things create a very obvious potential for lives to be lost,” Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, told me.

The hospital history

Whether a ransomware attack has actually cost anyone their lives remains a subject of open debate.

A woman sued a Texas hospital in 2021 after her baby died, alleging that a ransomware attack led to a preventable death because staff was cut off from key medical equipment.

German police pursued homicide charges against ransomware attackers stemming from the death of a woman there. But they ultimately opted against charges after concluding there wasn’t enough conclusive evidence that she died because her ambulance had to be routed to another hospital.

But there have been, at minimum, claims of scares. A ransomware attack contributed to a child being given too high of a dose of painkillers last fall in Iowa, a mother said. That same incident led to reports of difficulties obtaining prescription medications.

The law enforcement history

Dallas law enforcement and emergency personnel are far from alone in having ransomware attacks affect their work, or at least potentially do so.

Police agencies have lost as much as eight years’ worth of evidence following ransomware infections, with suspected drug dealers and others going free because of it.

In 2021, ransomware operators threatened to reveal the identities of confidential informants if the city of D.C. didn’t pay a $50 million ransom. In the end, it wasn’t clear if the gang authentically had that information, but the hackers released internal records on police officers.

A ransomware attack in New Mexico last year deactivated automated doors at a county jail, and also took down surveillance cameras. That prompted authorities to largely confine inmates to their cells.

The state of the attacks

While there has been a reported slowdown in ransomware attacks from 2021 to 2022, overall attacks on U.S. hospitals doubled between 2016 and 2021, according to one study. Emsisoft has tracked nearly 200 ransomware attacks on the public sector since the start of last year.

Attacks on local government agencies and hospital systems are among the most worrying in the current battle against ransomware, Megan Stifel, a co-chair of the joint public-private Ransomware Task Force, told me last week.

And federal officials say many ransomware attacks go unreported, so any tallies lack accuracy. A bill signed into law last year would require critical infrastructure owners and operators to report to the federal government when they suffer major cyber incidents or make ransomware payments. The law’s definition of covered entities required to report would include critical government facilities owned by state, local and federal governments, but the Cybersecurity and Infrastructure Security Agency is still writing the regulations that fill out more details.

And while there’s evidence that ransomware victims are growing less willing to pay to unlock their systems, some still do. San Bernardino County, Calif., officials acknowledged last week that the county paid ransomware operators $1.1 million to free up sheriff’s department computers. A county spokesperson, David Wert, told KCAL News that “insurance covers most of the payment.”

The fact that ransomware gangs are still getting paid is “why these attacks keep on happening,” Callow said.

“All of these incidents, whether involving health care, police or other emergency services, do put lives at risk,” Callow said. “If lives haven’t already been lost because of ransomware attacks, it’s inevitably only a matter of time until they will be.”

The keys

Verified Facebook pages hacked, impersonating Meta and sharing suspicious links to followers

A slew of verified Meta-owned Facebook pages were hacked and posed as Meta-affiliated pages that shared fake links to their followers, Taylor Hatmaker reports for TechCrunch.

The hacked pages, which impersonated Meta and other major tech companies, were able to buy Meta ads and post suspicious download links, according to the report.

“Social consultant Matt Navarra first spotted some of the ads, sharing them on Twitter,” Hatmaker writes. “The compromised accounts include official-sounding pages like ‘Meta Ads’ and ‘Meta Ads Manager.’ Those accounts shared suspicious links to tens of thousands of followers, though their reach probably extended well beyond that through paid posts.”

Those identified impersonator pages have since been disabled, the report said. It’s possible that the compromised pages were taken over with DuckTail malware, which has been used frequently over the past year to compromise Facebook business pages.

DuckTail has “increasingly turned” to AI-themed lures in an effort to compromise business pages with Facebook ad accounts, according to TechCrunch.

“We invest significant resources into detecting and preventing scams and hacks,” a Meta spokesperson told TechCrunch. “While many of the improvements we’ve made are difficult to see — because they minimize people from having issues in the first place — scammers are always trying to get around our security measures.”

Judge dismisses FTC lawsuit against data broker Kochava

A federal judge in Idaho dismissed a Federal Trade Commission lawsuit against data broker Kochava, ruling that the consumer protection agency did not have enough evidence to support its allegations that the company was unfairly selling data on people’s precise locations, Natasha Singer reports for the New York Times.

The court agreed with the agency that consumers could face severe harms by having their location tracked by a third party, but the Idaho judge ruled the FTC did not have enough evidence to prove that would substantially harm consumers, according to the report.

“The ruling deals at least a temporary blow to recent aggressive efforts by the commission to crack down on the sale and use of potentially sensitive information, like data on consumers’ drug prescriptions, religious affiliations or sexual orientation,” Singer writes.

Many fear that law enforcement officials in states that have adopted stricter abortion rules post-Roe may use electronically available health data to prosecute residents who seek an abortion in another state.

The FTC last August filed the lawsuit on the grounds that the company’s selling of smartphone geolocation data could track people’s visits to sensitive locations like houses of worship or abortion clinics and therefore amounted to a severe intrusion of their privacy. The court gave the commission a chance to amend its lawsuit.

“We are pleased the Court agreed with our key argument and we look forward to continuing to press our case on behalf of American consumers,” FTC spokesperson Douglas Farrar told the Times.

“We are hopeful that challenging the F.T.C. will bring necessary regulatory clarity that will ultimately benefit consumers and advertisers,” Kochava chief executive Charles Manning said, according to the Times.

Companies’ handling of sensitive data has increasingly been in the public spotlight and scrutinized by regulators. Online therapy platform BetterHelp in March agreed to pay $7.8 million to the FTC over allegations it shared customers’ sensitive health data with third parties for advertising purposes.

WordPress bug exposes over 1 million sites to vulnerability

A bug in two WordPress custom field plugins with millions of installs leaves them vulnerable to cross-site scripting (XSS) attacks, Bill Toulas reports for Bleeping Computer, citing research from Patchstack’s Rafie Muhammad.

Cross-site scripting, or XSS, is a security vulnerability in which malicious code is injected into a website. The plugins, “Advanced Custom Fields” and “Advanced Custom Fields Pro,” are widely used by WordPress developers and have around 2 million downloads, according to the report.

“Patchstack says the XSS flaw could allow an unauthenticated attacker to steal sensitive information and escalate their privileges on an impacted WordPress site,” Toulas writes.

But a user would have to be tricked into triggering the vulnerability, because it can only be invoked by users who are logged into WordPress and have those plugins installed.

“The plugin’s developer was notified of the issue upon Patchstack’s discovery and released a security update on May 4, 2023, in version 6.1.6,” the report said, adding that the flaw was patched and that users are advised to update their WordPress to abate the vulnerability as soon as possible.

Daybook

The Center for Strategic and International Studies holds an event on countering gender-based harassment and disinformation tomorrow at 11 a.m.

Secure log off

Baker in training. pic.twitter.com/NZwfzDWQlt — cats with jobs 🛠 (@CatWorkers) May 7, 2023

Thanks for reading. See you tomorrow.
