Google to pay $29.5 million to settle lawsuits over user location tracking
This payout is intended to settle two different lawsuits brought by Indiana and Washington, D.C., over Google's location tracking practices. The split is $9.5 million to D.C. and $20 million to Indiana after the states sued the company on charges that it tracked users' locations without their express consent. The settlement adds to the $391.5 million Google agreed to pay to 40 states over similar allegations last month. The company is still facing two more location-tracking lawsuits in Texas and Washington. The lawsuits came in response to revelations in 2018 that the internet company continued to track users' whereabouts on Android and iOS through a setting called Web & App Activity even after users had turned the Location History option off.
(The Hacker News)
Ransomware gang cloned victim’s website to leak stolen data
The ransomware operators at ALPHV have become creative with their extortion tactics and, in at least one case, created a replica of the victim's site to publish stolen data on it. The gang, also known as BlackCat, is known for testing new extortion tactics as a way to pressure and shame their victims into paying. On December 26, the threat actor published on their data leak site, hidden on the Tor network, that they had compromised a company in financial services. As the victim did not meet the threat actor's demands, BlackCat decided to leak the data, consisting of memos to staff, payment forms, employee info, data on assets and expenses, financial data for partners, and passport scans, on a site that mimics the victim's in both appearance and domain name. This was done to ensure wide availability of the stolen files, as opposed to publishing only on the dark web.
LockBit gang apologizes, gives SickKids Hospital free decryptor
The LockBit ransomware gang has apologized to Toronto’s Hospital for Sick Children (SickKids), saying one of its members violated rules by attacking the healthcare organization. It then sent them a free decryptor. On December 18th, the hospital suffered a ransomware attack that impacted internal and corporate systems, hospital phone lines, and the website. While the attack only encrypted a few systems, SickKids stated that the incident caused delays in receiving lab and imaging results and resulted in longer patient wait times. In a statement that included the apology, the gang blamed a partner who “violated our rules, is blocked and is no longer in our affiliate program.”
Personal health information of 42M Americans leaked over 5 years
Researchers from medical research and media group JAMA Network analyzed trends in ransomware attacks on US hospitals, clinics, and health care delivery organizations between 2016 and 2021. They found that from 2016 to 2021, the annual number of ransomware attacks more than doubled, from 43 to 91, exposing the personal health information of nearly 42 million patients. The report continues, "during the study period, ransomware attacks exposed larger quantities of personal health information and grew more likely to affect large organizations with multiple facilities." The report also notes that 20 percent of healthcare organizations that suffered a ransomware attack were able to restore data from backups.
Chinese scammers targeting Chinese students in the U.K.
Chinese international students in the U.K. have been targeted by persistent Chinese-speaking scammers for over a year as part of an activity dubbed RedZei (aka RedThief). Cybersecurity researcher Will Thomas stated in a post last week, "the RedZei fraudsters have chosen their targets carefully, researched them and realized it was a rich victim group that is ripe for exploitation." The most notable aspect of the operation is the effort the threat actors make to defeat the measures users take to prevent scam calls: they use a new pay-as-you-go U.K. phone number for each wave, so that phone number-based blocking is rendered ineffective. The primary goal of the scam is to trick Chinese international students into shelling out huge sums of money to avoid getting deported.
(The Hacker News)
Russia risks causing IT worker flight with remote working law
Russia's bruised IT sector risks losing more workers in the new year because of planned legislation on remote working, even as authorities try to lure back some of the tens of thousands who have gone abroad. IT workers featured prominently among the many Russians who fled after Moscow sent its army into Ukraine on Feb. 24, as well as among the hundreds of thousands who followed when a military call-up began in September. The government estimates that 100,000 IT specialists currently work for Russian companies from overseas. Now, legislation is being mooted for early this year that could ban remote working for some professions. Lawmakers also fear that more Russian IT professionals could end up working in NATO countries and inadvertently sharing sensitive security information, and have therefore proposed banning some IT specialists from leaving Russia.
Ransomware ecosystem becoming more diverse for 2023
In CSO Online, senior writer Lucian Constantin reports that the ransomware ecosystem changed significantly in 2022, with attackers shifting from the large groups that had dominated the landscape toward smaller ransomware-as-a-service (RaaS) operations, in search of more flexibility and less attention from law enforcement. This brought a diversification of tactics, techniques, and procedures (TTPs), more indicators of compromise (IOCs) to track, and potentially more hurdles to jump through when trying to negotiate or pay ransoms. He quotes researchers from Cisco's Talos group, who in their annual report date the accelerated landscape changes back to the Colonial Pipeline DarkSide ransomware attack and the subsequent law enforcement takedown of REvil, which "led to the dispersal of several ransomware partnerships." In some good news, half of Cisco Talos's ransomware-related incident response engagements have been in the pre-ransomware stage, showing that companies are getting better at detecting the TTPs associated with pre-ransomware activity.