By Joe Fay
A week of surprises as a decade-long data exposure is revealed in the car industry and Western allies move to shut down Russian malware.
US And Allies Deploy PERSEUS To Cut Off Russia’s Snake Malware
US authorities and allied governments claimed last week to have disrupted a massive Russian-controlled malware operation that had been running for over 20 years. The US Justice Department and FBI said their operation “MEDUSA” had been aimed at a “global peer-to-peer network of computers compromised by sophisticated malware”, called “Snake”, attributed to a unit within Centre 16 of Russia’s FSB. The unit had been using successive versions of the malware to steal sensitive documents from systems in at least 50 countries, the DoJ announced. It had been neutralized using an FBI-built tool called PERSEUS. The US and its allies have issued a joint advisory on Snake to allow cybersecurity professionals to find and neutralize the malware on their networks.
Toyota Admits Japanese Customer Data Was Exposed For 10+ Years
Vehicle data for 2.15 million Toyota customers in Japan was left exposed for over a decade due to human error, the auto giant has admitted. The breach affected customers of Toyota and its luxury offshoot Lexus who signed up for its main cloud service platform, Reuters reported. Data exposed included vehicle IDs and locations. It came about simply because someone set the cloud-based system to public and there were no “active detection mechanisms” to spot the mistake. Toyota said it was introducing a system to audit and monitor systems and update employees on data obligations.
CISA Pledges to Help Smaller Organizations
CISA director Jen Easterly pledged to help protect “cyber poor” organizations in the U.S. from cyber attackers, while speaking at a Hack the Capitol event last week. Easterly said smaller businesses, medical facilities, schools, and local government agencies often didn’t have the funding or knowledge to protect themselves. The agency would research how it could extend more help to these organizations in protecting against and responding to attacks, she said. The U.S. government has previously said in its most recent Cybersecurity Strategy paper that the burden of protection had to shift to those most able to bear it.
Draft E.U. Rules On “Sensitive Data” Would Force Amazon and Others to Find European Partners
A proposed E.U. cybersecurity certification scheme for cloud providers that handle sensitive data would require non-European companies to partner with a continental organization, according to a leaked draft. Reuters reported that an ENISA proposal for certifying services handling data of “particular sensitivity” would mean that the likes of Microsoft and Google would have to partner with an EU-based entity and could not hold a majority stake in any such venture. Employees would have to undergo specific screening. Any such service would have to be E.U.-based and operated, with customer data not leaving the E.U., along with being subject to E.U. laws. The proposal is likely to enrage U.S. providers.
Capita Advises Uni Pension Scheme to Assume Member Data Exposed
Details of half a million members of the U.K.’s biggest private pension scheme could have been accessed in a massive data breach at Capita in March, it has emerged. The attack was carried out by Black Basta, a Russia-linked group. The Universities Superannuation Scheme said on Friday that it had been informed that “details of USS members were held on the Capita servers accessed by the hackers”. Capita could not confirm whether the data had been exfiltrated but had advised the scheme to “work on the assumption it was”.
Former Ubiquiti Networks Staffer Turned Data Extortionist Jailed for Six Years
The former Ubiquiti Networks staffer who pleaded guilty to stealing confidential data from the network vendor and attempting to extort it has been sentenced to six years in prison. Nickolas Sharp, from Portland, Oregon, must also serve three years of probation and pay a $1.5m fine. Sharp’s now-deleted LinkedIn page stated he worked as a “cloud lead” for Ubiquiti Networks from August 2018 to March 2021. He stole the data in 2020 and deleted logs that would have exposed him before demanding $2 million from the firm. He was then assigned to the team investigating the leak. He used a VPN to cover his tracks but was caught when a brief power outage meant his home IP address was exposed.