Mint Mobile notified a “small number” of customers last weekend that their personal information was compromised between June 8 and June 10, when a threat actor ported the phone numbers of those customers to another carrier without authorization.

According to the breach notification sent to those customers, “While we immediately took steps to reverse the process and restore your service, an unauthorized individual potentially gained access to some of your information, which may have included your name, address, telephone number, email address, password, bill amount, international call detail information, telephone number, account number, and subscription features.”

Mint Mobile is strongly encouraging those customers to change the passwords on their accounts, monitor their accounts and “protect other accounts that use your phone number for validation purposes and to reset account passwords.”

Following the release of a U.S. Cybersecurity & Infrastructure Security Agency (US-CERT) Coordination Center VulNote “for a critical remote code execution vulnerability in the Windows Print spooler services” on June 30, 2021, Microsoft issued new guidance for the vulnerability (CVE-2021-34527) on July 1, updated guidance on July 2, 2021, and an emergency patch on July 6, 2021.

According to US-CERT, the “update does not address the public exploits that also identify as CVE-2021-1675.” US-CERT has confirmed that “an attacker can exploit this vulnerability, nicknamed PrintNightmare, to take control of an affected system.”

What to do about the Windows Print Spooler vulnerability?

According to CISA, “CISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print.” Additionally, “domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object.”

Security researchers are urging that the patch be deployed as soon as possible, since the vulnerability is being actively exploited in the wild and an attacker who exploits it can take over a Windows domain controller. Although the Kaseya security incident is receiving the bulk of media attention, this vulnerability could affect many more businesses that use Windows.

According to Microsoft, the patch also tightens who is allowed to install printer drivers. It stated in a recent blog post that, “After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.”

Consider this patch a priority if using Windows. It was so urgent that Microsoft issued the emergency patch a week before its normal monthly software updates.
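For administrators who want to act on CISA’s advice host by host before the Group Policy Object reaches every machine, the following script is an added example (not from CISA, Microsoft or the original post) that checks whether the local Windows host is a domain controller and, unless the host genuinely needs to print, stops and disables the Print Spooler service. It assumes an elevated PowerShell 5.0 or later session; the `-HostNeedsPrinting` switch is a name chosen for this example.

```powershell
param(
    # Set this switch only on hosts that must print or host print queues;
    # it is ignored on domain controllers, which should never run the spooler.
    [switch]$HostNeedsPrinting
)

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$isDomainController = $cs.DomainRole -ge 4

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    Write-Output "Print Spooler service is not installed on $($cs.Name); nothing to do."
    return
}

Write-Output ("{0}: Spooler is {1} (startup type {2}); domain controller: {3}" -f
    $cs.Name, $spooler.Status, $spooler.StartType, $isDomainController)

if ($isDomainController -and $HostNeedsPrinting) {
    Write-Warning "Domain controllers must not run the spooler; ignoring -HostNeedsPrinting."
}

if ($isDomainController -or -not $HostNeedsPrinting) {
    # Stop the running service and keep it from starting again after a reboot.
    if ($spooler.Status -ne 'Stopped') {
        Stop-Service -Name Spooler -Force
    }
    Set-Service -Name Spooler -StartupType Disabled

    $after = Get-Service -Name Spooler
    Write-Output ("{0}: Spooler is now {1} (startup type {2})" -f
        $cs.Name, $after.Status, $after.StartType)
} else {
    # A print host keeps the spooler; its protection is the July 2021 patch, not this script.
    Write-Output "$($cs.Name) is a print host; spooler left running. Apply the July 2021 patch."
}
```

Run the script across a fleet only as a stopgap; the GPO setting is the durable control because a local change can be reverted by anyone with local administrator rights.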

The most recent in a long list of IT security firms that have been hit with ransomware in the past year, Miami-based Kaseya Ltd disclosed late last week that it was hit with a ransomware attack that may affect hundreds, even thousands, of U.S.-based companies.

Kaseya has publicly stated that it is investigating the attack on its product VSA, which is a widely-used tool that remotely monitors and manages networks and servers, network devices, and printers. According to Kaseya, “a small number of on-premises customers” (which it estimates to be fewer than 60) may have been affected. Kaseya has urged its customers to turn off their servers that were using VSA. Unfortunately, many of the 60 Kaseya customers are IT providers to other companies, so Kaseya believes that the “total impact thus far has been to fewer than 1,500 downstream businesses.”

It is widely believed that REvil, a notorious ransomware group based in Russia, was behind the attack. The supply-chain attack is expected to affect managed services providers that use VSA for small business customers.

Kaseya has stated that it will be sending out a patch in the next few days. In the meantime, any company that believes it may be affected by the attack is urged to contact FBI’s Internet Crime Complaint Center and “to immediately follow the guidance from Kaseya including shutting down your VSA servers and implementing CISA’s and FBI’s mitigation techniques.”

British Airways settled a data breach class action lawsuit this week resulting from a 2018 data breach that affected thousands of its customers.

In 2018, the personal data of approximately 420,000 customers and staff was leaked, including names, addresses, and bank account information. When U.K. regulators investigated this incident in 2018, it was reported that British Airways had been saving card payment details in plain text since 2015 and had not implemented multi-factor authentication in its organization.

The suit was filed under the European Union’s General Data Protection Regulation, which increased the potential penalties for failing to protect consumers’ personal information.

The sum of the settlement was not disclosed.

Notably, the pandemic has hit the airline hard and in October 2020, the U.K. Information Commissioner’s Office reduced the fine it had imposed for the data breach from $254 million to about $27 million as a result of the financial hardship.

In a rare move, the Department of Health and Human Services (HHS) has issued a warning to hospitals and health systems to prioritize the patching of a two-year-old vulnerability in picture archive communication systems (PACS). PACS are used for the exchange and storage of health scans and images, such as MRIs, CT scans, breast imaging, and ultrasounds.

According to HHS’s Health Sector Cybersecurity Coordination Center (HC3), the vulnerable systems “can be easily identified and compromised by hackers over the Internet, can provide unauthorized access and expose patient records. There continue to be several unpatched PACS servers visible and HC3 is recommending entities patch their systems immediately. Health care organizations are advised to review their inventory to determine if they are running any PACS systems and if so, ensure the guidance in this alert is followed.”

It is estimated that 130 health systems have not patched the PACS systems and are vulnerable.

HC3 recommended that “PACS security begins by checking and validating connections to ensure access is limited only to authorized users,” and that systems “should be configured in accordance with the documentation that accompanies them from their manufacturer. Internet connected systems should ensure traffic between them and physicians/patients is encrypted by enabling HTTPS.

“Furthermore, whenever possible they should be placed behind a firewall and a virtual private network should be required to access them.” According to HC3, “[T]he vulnerabilities associated with PACS systems range from known default passwords, hardcoded credentials and lack of authentication within third party software.”

Keeping up to date on patching vulnerabilities is vital for the security of health information of patients, and health systems that have not attended to the patching of the PACS vulnerabilities may wish to follow the recommendation of HC3.

Although app platforms guard against fake apps, criminals are working hard to get around app platform rules to scam victims out of a cryptobuck. Apple and Google throw apps off their platforms if they don’t play by the rules, yet fake and scam apps have proliferated and continue to scam victims.

Recently, security researchers at Lookout found more than 170 apps that offered cryptomining services were fake. The apps advertised that they provided cryptomining services for a fee, but no services existed. Victims lured into the belief that the app mined cryptocurrency for them put their credit card numbers into an app that looked legitimate and the app took the money and provided no service.

According to Cyberscoop, “Lookout estimates that the apps have scammed more than 93,000 victims out of more than $350,000.”

This example proves the same lesson that we have heard many times before: “If it is too good to be true, it is.” And as I have said many times before, be careful of the apps you download and what information they are asking for, what you give them, and research them before you download. On top of that, if they have anything to do with cryptocurrency, BEWARE! According to the FTC, between October 2020 and March 2021, close to 7,000 individuals reported that they lost more than $80 million in cryptocurrency scams. That’s an alarming statistic.

I love seeing another win for law enforcement in the cyber context.

Servers and web domains owned by DoubleVPN, a virtual private network, were seized recently following a collaborative law enforcement effort involving the Dutch National Police, the FBI, Europol, and the U.K.’s National Crime Agency.

DoubleVPN is a virtual private network service that criminal hackers have used to disguise the origin of their ransomware attacks and email scams. According to law enforcement, DoubleVPN was based in Russia and marketed its services as an aid to committing crimes. The operators also promised customers that they could use the service to hide their location and internet traffic from law enforcement.

The seizure of the servers, and of the information on them, including the personal information, logs, and statistics that DoubleVPN was storing about its customers (all of whom may have been using DoubleVPN for nefarious purposes), means that the service can no longer be bought and used to hide criminal activity such as launching ransomware attacks and phishing schemes. It also means that the criminals who subscribed to DoubleVPN are now known to law enforcement, so we expect to see additional crackdowns on DoubleVPN’s customers. A win-win.

Another fallout from the SolarWinds incident has surfaced, prompting Microsoft to issue a notice to affected customers that an attacker gained access to one of its customer service agents and used that access to launch hacking attacks against some of its customers.

During its continued analysis of the SolarWinds incident, Microsoft recently identified that the nation-state-associated NOBELIUM group was able to access a customer service agent that it could leverage to launch attacks against customers. Microsoft warned certain customers that NOBELIUM was able to “review information regarding your Microsoft Services subscriptions.” Reuters reports that the information that may have been accessed by the threat actor included the Microsoft customers’ billing contact information and the services the customers were paying for. This specific information could be used by the attackers to launch targeted attacks against the customers.

Microsoft warned affected customers so they can be vigilant in communications with billing contacts and to have customer billing contacts change usernames and passwords.

This week, Volkswagen AG’s U.S. entity and its Audi brand were hit with a class action for a data breach that allegedly compromised 3.3 million consumers’ personal information. In the U.S. District Court for the District of New Jersey, a California consumer filed a suit against the automakers on behalf of other current and prospective car buyers whose information was allegedly compromised by hackers.

In June 2021, Volkswagen and Audi notified consumers of an incident in which consumer information was potentially obtained and/or accessed when one of their vendors left the data unsecured. The information potentially affected by this incident included the consumers’ names, contact information and (for some) driver’s license numbers or other similar identification numbers. The suit alleges that the automakers did not adequately safeguard consumer data gathered from 2014-2019 for purposes of sales and marketing campaigns.

The suit alleges claims of negligence, unjust enrichment, breach of confidence, breach of implied contract, as well as violations of the Driver’s Privacy Protection Act and the California Consumer Privacy Act. Plaintiff is seeking damages, reimbursement of costs for out-of-pocket expenses such as credit monitoring services, and improvements to Volkswagen’s and Audi’s data security systems.

We will monitor this suit, especially in regard to the claims under the California Consumer Privacy Act, to see what (if any) lessons can be learned or precedent set.

University Medical Center in Las Vegas announced that it recently became the victim of a ransomware attack by REvil, a well-known threat actor that has attacked many hospitals and health systems with the Sodinokibi malware variant.

It is being reported that during the attack, REvil was able to exfiltrate personal information that it then published publicly, including individuals’ drivers’ license and passport information and Social Security numbers.