At a glance.

  • ACLU report confirms DHS purchased phone location data to monitor citizens.
  • Hacker lets Neopets’ cat out of the bag. 
  • Black Basta takes credit for attack on Knauf Insulation.

ACLU report confirms DHS purchased phone location data to monitor citizens.

The American Civil Liberties Union (ACLU) has released thousands of pages of documents demonstrating how the US Department of Homeland Security (DHS) accesses mobile location data to track citizens, often purchasing the data without following appropriate protocols. After obtaining the documents through a Freedom of Information Act (FOIA) lawsuit, Wired explains, the ACLU found evidence that DHS worked with surveillance companies Babel Street and Venntel to access hundreds of millions of Americans’ cell phones between 2017 and 2019, obtaining “more than 336,000 location data points across North America.” The documents also confirm that immigration officers under the Trump administration used location data to track people’s movements in an unprecedented fashion, and continued to do so until the contract expired just last year. US Customs and Border Patrol says the location data helped them improve immigration enforcement, as well as human trafficking and narcotics investigations. No laws currently prohibit data sales to the government, so the DHS’s actions fall into a gray area, but the data collection was questionable enough to motivate a DHS privacy officer to order the Department to “stop all projects involving Venntel data” in June 2019. However, the contract was resumed, and last winter Immigration and Customs Enforcement signed a new contract with Venntel that runs through June 2023. The ACLU says they’re expecting additional documents that will confirm DHS has been circumventing the “Fourth Amendment right against unreasonable government searches and seizures by buying access to, and using, huge volumes of people’s cell phone location information quietly extracted from smartphone apps.”

Hacker lets Neopets’ cat out of the bag. 

Bleeping Computer reports virtual pet platform Neopets has suffered a data breach exposing source code as well as the personal information of more than 69 million users. Hacker “TarTarX” posted the source code and database for sale for four bitcoins, or approximately $94,000, and screenshots indicate the stolen data includes users’ real names, email addresses, dates of birth, gender, location, and other game-related information. Pompompurin, owner of BreachedForums, verified the authenticity of the data by registering himself on Neopets.com. The hacker forwarded him data from his newly created account, proving not only that the claims of theft were true, but that the attacker still has access to the site. Neopets has confirmed on Twitter and their unofficial Discord server that they are aware of the incident and working to resolve the issue. They advise users to change their passwords, though it’s unclear whether this will do much good. A Discord announcement reads, “We should note that the effectiveness of changing your Neopets password is currently debatable as long as hackers have live access to the database, as they can simply check what your new password is.”

Added, 7:30 EDT, July 21st, 2022.

Since publishing, we received some comments from industry experts on the Neopets breach. Elad Amit, VP of Product Management at PerimeterX, sees the incident as something that should put other online businesses on notice:

“This Neopets data breach is a wake-up call to all online businesses to stop the theft, validation and fraudulent use of account and identity information.

“Now that this breach has happened, the next step is to stop credential stuffing attacks in which cybercriminals try to validate stolen usernames and passwords. A good strategy would be to look for solutions that flag when a known compromised credential is being used and force an action such as a simple password reset. Once a valid username and password pair is found, cybercriminals can use the credentials to log into — and take over — legitimate accounts, typically on a number of sites since password reuse is common. Since most websites don’t have security checks post-login, attackers are free to navigate through and abuse the account, no questions asked. This abuse could include transferring money, cashing out credits or buying products that are easy to resell. Validating that a user had the right credentials was previously enough to keep accounts safe. But given this scenario, businesses need to think about continuous post-login validation. It’s time to look beyond login to make sure the user is in fact who they say they are and is doing what they should be doing in the account. This kind of comprehensive account protection approach will pay dividends in the form of reducing chargebacks, lowering calls to customer service, reducing strain on IT resources, and protecting brand reputation and revenue.”
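One way to implement the “flag a known compromised credential and force a reset” check Amit describes, as an added example (not code from Neopets, PerimeterX or the original article); the breach corpus and the prefix-based lookup are constructed stand-ins for a real breached-password service:

```python
"""Compromised-credential check at login.

Added example illustrating the strategy quoted above; it is not code from
Neopets, PerimeterX or this newsletter. The breach corpus is a constructed
in-memory set standing in for a real breached-password feed, queried the way a
k-anonymity range API works (assumption: lookup by 5-character SHA-1 prefix).
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample corpus: SHA-1 of passwords seen in earlier breaches.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "neopets123", "letmein", "qwerty")
}


def range_query(prefix: str) -> list[str]:
    """Suffixes of corpus hashes starting with `prefix`. In a real range API
    only the prefix leaves the client, so the service never sees the password."""
    return [h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix)]


def is_compromised(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_query(digest[:5])


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash for the site's own credential store (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class LoginDecision:
    allowed: bool
    action: str  # "deny", "force_password_reset" or "none"


def evaluate_login(password: str, salt: bytes, stored: bytes) -> LoginDecision:
    """Verify the password first; a correct-but-compromised pair gets in only as
    far as a mandatory reset, so a validated stolen credential cannot be reused."""
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return LoginDecision(False, "deny")  # ordinary failed login
    if is_compromised(password):
        return LoginDecision(True, "force_password_reset")
    return LoginDecision(True, "none")
```

The reset step is only the login-time half of the advice; the post-login validation Amit mentions would sit on top of the `allowed` session rather than in this function.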

Javvad Malik, security awareness advocate at KnowBe4, thinks that there’s no business that can count on being overlooked by cybercriminals:

“All organizations, regardless of size or industry, can be targeted by cyber criminals. We’ve seen toy manufacturers and games developers hit in the past due to the vast amount of personal data they collect. Such organizations should be mindful of the information they gather and the purpose of it. Holding excessive data means greater liability should a breach occur. Similarly, we see criminals aggressively targeting NFTs, or cryptocurrencies or other components of web 3.0. This is why it’s important for organizations to take into consideration all security requirements before embarking on the journey to implement new technologies. Any users impacted by the breach should ensure the password they used for Neopets isn’t used elsewhere and if so, change them immediately.”

Black Basta takes credit for attack on Knauf Insulation.

International building materials manufacturer Knauf Insulation has confirmed a cyberattack that disrupted operations and resulted in the shutdown of all of the company’s IT systems. The incident occurred on June 29, and though Knauf has not specified the nature of the attack, Bleeping Computer says all signs point to ransomware. Earlier this week the Black Basta ransomware group added Knauf to the list of victims on its extortion site, and the hackers published a sample of the data allegedly stolen. The fact that not all of the data has been released indicates that ransom negotiations are still ongoing, TechMonitor notes. Black Basta ransomware appeared on the scene in April as a ransomware-as-a-service operation known for double-extortion tactics and targeting high-profile victims, and by June the gang was in cooperation with Qbot for payload delivery.

We received a number of comments from industry experts on the incident. Sally Vincent, Senior Threat Research Engineer at LogRhythm, reminds us of the importance of patching, and also notes that backups, while important, don’t offer protection from extortionate doxing:

“Knauf, the German-based multinational building and construction materials producer, has been the target of a cyberattack that has forced their global IT systems to shut down. Ransomware gang Black Basta has recently claimed responsibility for the attack and published 20% of the extorted files including user credentials, production documents, email communication, employee contact information and ID scans. The group operates RaaS and has hit a large number of high-profile targets in a small amount of time. Although the nature of the attack is still unknown, signs point to ransomware as Knauf continues the process of forensic investigation, incident response and remediation. 

“Unfortunately, ransomware attacks continue to affect companies housing extensive data in their IT systems, and successfully defending against these rampant cyberthreats requires proper preparation. Organizations must take a proactive approach and invest in cybersecurity solutions that detect malicious cyberactivity before it takes hold, and enable network infrastructure to block any further access attempts. Patching is crucial as Black Basta has been known to take advantage of vulnerabilities like PrintNightmare (CVE-2021-34527). Additionally, companies should create backups, prepare a response plan and prioritize educational training to ensure they are equipped to handle attacks and proceed with operations without disruption. While backups will help an organization recover from a ransomware attack, they will not prevent damage from data being leaked, so organizations should also keep their prevention and detection technologies top of mind by ensuring that they have the appropriate protective controls in place, as well as visibility into what is happening across their environment.”

Stephan Chenette, Co-Founder and CTO at AttackIQ, draws attention to the collateral damage ransomware and extortion can create:

“Ransomware attacks often have collateral damage and impact beyond the ransom. The incident not only impacts Knauf Group itself but also its customers. The company is still currently investigating the attack. The threat group that has claimed responsibility for this attack, Black Basta, which is a rebrand of the Conti ransomware group, has leaked 20% of the files they have stolen. If personally identifiable information (PII) is included in these leaked files, it can be bought and sold for top dollar on the dark web, further exposing victims to future fraud or phishing attacks.

“As evidenced by this and many other recent ransomware attacks, it’s no longer an issue of just whether or not to pay the ransom – it is likely that the organization will suffer reputational damage and loss of data and business. Because of this, it’s important for organizations to defend against ransomware by understanding the common tactics, techniques, and procedures used by the adversary.

“In doing so, companies can build more resilient security detection, prevention, and response programs mapped specifically to those known behaviors. Additionally, companies should use automated solutions that safely validate their defensive controls against ransomware campaigns and their techniques to avoid falling victim. This approach should be tailored to focus on the adversaries most likely to impact their operations to maximize their ability to protect sensitive information.” 

Josh Rickard, Security Automation Architect at Swimlane, sees the opportunity costs cyberattacks of this kind impose:

“Unfortunately, this attack on building materials giant Knauf has resulted in system-wide IT downtime. Although the nature of the cyberattack has not been fully disclosed, signs are currently pointing to ransomware. Black Basta, a newly emerging ransomware gang, has already published 20% of exfiltrated data on their website, including production documents, email communication, user credentials, ID scans and employee contact information. 

“With all IT systems down in an attempt to isolate this incident, Knauf is not able to carry out routine business processes in an efficient and reliable way. Time spent offline can lead to production decline, dissatisfied customers and ultimate loss of revenue, making the effects of these kinds of attacks even worse. In order to mitigate the impact of ransomware and other malicious cyberactivity, organizations must be equipped with the proper cybersecurity controls to handle these kinds of threats. Companies should consider implementing one all-encompassing platform that centralizes detection, response and investigation protocols into a single effort and helps security teams automate certain tasks. By leveraging the power of low-code security automation, companies can respond to more alerts in less time, vastly decreasing the risk of a targeted cyberattack without increasing the workload on security operations staff.”