CyberWire staff | thecyberwire.com
At a glance.
- Capcom gamers’ data exposed.
- WhatsApp’s privacy dustup.
- An emerging precedent in data breach tort law.
- Ubiquiti’s third-party breach.
- Comment on the Mimecast certificate compromise.
Game developer suffers critical hit.
In November, the CyberWire reported that Capcom, Japanese video game developer known for classic titles like Street Fighter and Resident Evil, had experienced a ransomware attack that resulted in threat actors publishing Capcom’s stolen data on the dark web. Now, Threatpost reports, instead of the original 40,000 customers Capcom thought were impacted, the game developer has found evidence that that number is closer to 400,000. The announcement stated that further compromises could be discovered as the investigation continues.
As the CyberWire reported last week, messaging platform WhatsApp recently announced changes to its privacy policies that will allow sharing of user data with Facebook (who acquired the company in 2014) and its family of companies. Users are being alerted to the changes in the app’s terms of service via an in-app notification, and with no choice to opt-out, the public has expressed some resentment over essentially being forced to either agree to the terms or stop using the app. MacRumors reports that, in an attempt to mitigate the negative response, WhatsApp is updating their FAQ page and publishing posts on social media reassuring users that the privacy changes will mainly affect businesses using Facebook’s hosting or commerce services. As CPO Magazine notes, users who feel uneasy about the change could be drawn to competitors, though the only messaging platform that currently comes close to WhatsApp’s popularity is Facebook’s own Messenger app. Elon Musk has been vocal lately about promoting his app Signal, known for its highly secure end-to-end encryption (which WhatsApp used as the basis for its own encryption, back when privacy was its major selling point), even posting tweets disparaging Facebook’s privacy policies and urging the public to “use Signal” instead.
(A corporate bystander was affected, too: as Seeking Alpha reports, the tweet might have left some readers confused, as the similarly-named company Signal Advance has seen an otherwise unexplained spike in the stock market.)
Developing trend in data breach law.
The National Law Review details how recent litigation is setting a precedent that, when it comes to data breaches, accepting payment may equate to accepting liability. In other words, as soon as a business accepts payment from a customer, it’s also accepting responsibility for what happens to that customer’s payment information should that information fall into the wrong hands. A recent case concerning a breach at convenience store chain Rutters saw plaintiffs citing negligence, implied breach of contract, and unjust enrichment, with the court agreeing that the defendant assumed a legal duty as soon as the store retained the consumer’s credit card data.
The origin story of Rogue malware.
Check Point Software examines the career of the Rogue malware mastermind, a threat actor who goes by the name of Triangulum. Focusing on mobile remote access Trojans, or MRATs that target Android devices, his first product hit the dark web in 2017, but it wasn’t until he combined forces with fellow threat actor HexaGoN Dev in 2019 that he hit his stride. The two partnered to create the infamous Rogue malware, an especially stealthy MRAT that avoids detection by disguising itself as the Google service Firebase, delivering all of its malicious commands through the service’s infrastructure and threatening to wipe all of the device’s data if the user attempts to revoke permissions.
Reaction to the Ubiquiti breach.
IoT and Wi-Fi vendor Ubiquiti yesterday disclosed a data breach, saying that its IT systems were accessed through a third-party cloud provider. Ubiquiti recommends that customers change their passwords and enable two-factor authentication.
Brad Keller, Chief Strategy Officer at Shared Assessments, commented that when you outsource, you’ve got to take steps to ensure that your vendors are managing their own supply chain in a reasonably secure way: “While it is difficult based on what has been released to determine what might be the root cause of the unauthorized access, there is one statement that can be made at this time. Outsourcers must ensure that their vendors are properly assessing and managing their own service providers. This appears to be a classic example of a “4th party vendor” being the source of the problem. Whether the unauthorized access stems from the failure of the un-named cloud provider to have proper security controls in place or that Ubiquiti failed to properly manage their cloud accounts is yet to be determined. But the need to assess vendors’ ability to manage their outsourced risk is a certainty.”
And comment on the Mimecast compromise.
Mimecast warned this week that “a sophisticated threat actor” has compromised a Mimecast-issued certificate used to authenticate some of its products to Microsoft 365 Exchange Web Services. The products involved include Mimecast Sync and Recover, Continuity Monitor, and IEP. The incident affects about ten percent of Mimecast’s customers, who’ve been asked to “immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate [Mimecast has] made available.” The risk of the compromise is that the unidentified threat actor could intercept email traffic.
It’s another form of software supply chain compromise. Reuters said late this morning that three distinct security researchers, speaking on condition of anonymity, told the wire service that they believed it likely that the same actor behind Solorigate was responsible for the Mimecast incident.
Saryu Nayyar, CEO of Gurucul, thinks this looks like the same actor (or one very much like it) that was responsible for compromising SolarWinds’ Orion platform: “The attack against Mimecast and their secure connection to Microsoft’s Office 365 infrastructure appears to be the work of the same sophisticated attackers that breached SolarWinds and multiple government agencies. This shows the skill and tenacity State and State-sponsored actors can bring to bear when they are pursuing their agenda. Against this sort of opponent, civilian organizations will need to up their game if they don’t want to become the next headline. Basic cybersecurity is not enough. Organizations need to employ industry best practices, and then go farther with user education, programs to review and update their security, and deploying best in breed security solutions, including security analytics. The long term advantage is that defenses designed to resist a State level attack should be more than enough to thwart the more common cybercriminal.”
External Link: Capcom’s data breach. WhatsApp’s privacy blues. Precedent in data breach torts. Ubiquiti and Mimecast updates.