Volkswagen discloses data breach impacting 3.3 million
Volkswagen America said that a data breach at a third-party vendor it was using for sales and marketing purposes exposed the personal details of more than 3.3 million of its customers, most of which were Audi car owners. The breach took place between August 2019 and May 2021, Volkswagen said in a letter to the Maine Attorney General. The company said the leak occurred because the vendor left one of its systems unsecured online. Volkswagen learned of the leak on 10 March this year, however, it took the vendor another two months before it secured its server.
For approximately 90,000 Audi customers or interested buyers, the data also includes more sensitive information relating to eligibility for a purchase, loan or lease. Nearly all of the more sensitive data (over 95%) consists of driver’s licence numbers. A very small number of records include data such as dates of birth, social security or social insurance numbers, account or loan numbers, and tax identification numbers. The car vendor said the exposed data was gathered from US and Canadian customers between 2014 to 2019. It is currently unknown if the data might have been downloaded by unauthorised parties before it was secured or why the third-party vendor took two months to secure its server.
Nuclear weapons subcontractor hit by cyber attack
Sol Oriens, a subcontractor for the US Department of Energy (DOE) that works on nuclear weapons with the US National Nuclear Security Administration (NNSA), was hit by a cyberattack last month that experts say came from the relentless REvil ransomware-as-a-service (RaaS) gang. The Albuquerque, N.M. company’s website has been unreachable since at least 3 June, but Sol Oriens officials confirmed to Fox News and CNBC that the firm became aware of the breach sometime last month. The company’s statement was captured in a Tweet stream posted by CNBC’s Eamon Javers.
“In May 2021, Sol Oriens became aware of a cybersecurity incident that impacted our network environment. The investigation is ongoing, but we recently determined that an unauthorised individual acquired certain documents from our systems. Those documents are currently under review, and we are working with a third-party technological forensic firm to determine the scope of potential data that may have been involved. We have no current indication that this incident involves client classified or critical security-related information. Once the investigation concludes, we are committed to notifying individuals and entities whose information is involved.”
Whether REvil – or whichever gang proves to be responsible for the attack – got its hands on more sensitive, secret information about the country’s nuclear weapons remains to be seen. But the fact that it got anything at all is, of course, deeply concerning. It wouldn’t be surprising if initial reports of REvil being responsible prove accurate. The RaaS group’s ambitions are apparently boundless. Earlier this week, an official of JBS Foods confirmed that the company paid the equivalent of $11 million in ransom after a cyberattack that forced the company to shut down some operations in the United States and Australia over the Memorial Day weekend.
REvil is known for both audacious attacks on the world’s biggest organisations and suitably astronomical ransoms. The answer, unfortunately, is probably as varied as the group’s relentlessness, persistence and whatever-it-takes tactics. On Friday, cybersecurity firm Sophos issued a report detailing how, as the firm puts it, “No two criminal groups deploy the [RaaS] … in exactly the same way.”
Industrial automation giants Siemens and Schneider Electric security advisories
Industrial automation giants Siemens and Schneider Electric on Tuesday released several security advisories to inform customers about tens of vulnerabilities affecting their products. The companies have provided patches and recommendations for reducing the risk of exploitation. The eight new advisories released by Siemens cover roughly two dozen vulnerabilities affecting its Simcenter Femap, SIMATIC TIM, Solid Edge, SIMATIC NET, Mendix, JT2Go, Teamcenter Visualization and SIMATIC RF products. The only advisory with an overall severity rating of critical describes 15 vulnerabilities affecting the SIMATIC NET CP 443-1 OPC UA, specifically its NTP (Network Time Protocol) component. The flaws were discovered in NTP between 2015 and 2017, but it’s not uncommon for industrial solutions providers to patch third-party software components years after the fixes were made available.
Schneider Electric also described roughly two dozen vulnerabilities in the new advisories published on Tuesday. One advisory describes 13 flaws affecting the company’s Interactive Graphical SCADA System (IGSS) SCADA product. The security holes have been rated high severity and their exploitation can result in loss of data or remote code execution. An attacker could exploit the vulnerabilities by getting the targeted user to open malicious files. Two advisories describe a dozen vulnerabilities affecting two of Schneider’s PowerLogic products. The flaws, the most serious of which allows an attacker to gain admin-level access to a device, were reported to Schneider by a researcher from industrial cybersecurity firm Dragos.
GitHub discloses Linux vulnerability
GitHub this week disclosed the details of an easy-to-exploit Linux vulnerability that can be leveraged to escalate privileges to root on the targeted system. The flaw, classified as high severity and tracked as CVE-2021-3560, impacts polkit, an authorisation service that is present by default in many Linux distributions. The security hole was discovered by Kevin Backhouse of the GitHub Security Lab. On Thursday, the researcher published a blog post detailing his findings, as well as a video showing the exploit in action. A local, unprivileged attacker can use the flaw to escalate privileges to root with only a few commands executed in the terminal. The vulnerability has been confirmed to impact some versions of Red Hat Enterprise Linux, Fedora, Debian and Ubuntu. A patch for CVE-2021-3560 was released on 3 June.
“The bug I found was quite old,” Backhouse said. “It was introduced seven years ago in commit bfa5036 and first shipped with polkit version 0.113. However, many of the most popular Linux distributions didn’t ship the vulnerable version until more recently.”
The vulnerable component, polkit, is a system service designed for controlling system-wide privileges, providing a way for non-privileged processes to communicate with privileged processes. The vulnerability discovered by the researcher is easy to exploit with just a few commands in the terminal. However, due to some timing requirements, it typically takes a few tries for the exploit to be successful.
CVE board slams DWF project for "unauthorized" CVE records
The board responsible for overseeing the Common Vulnerabilities and Exposures (CVE) vulnerability identification program has criticised the Distributed Weakness Filing (DWF) project for publishing what it says are “unauthorised” CVE records. The CVE system is a widely used program for cataloguing and tracking security vulnerabilities. Due to the countless vulnerabilities found and reported every day, the Mitre Corporation’s CVE board authorises organisations to act as CVE Numbering Authorities (CNAs) which are permitted to assign CVE numbers for bugs.
As far back as 2016, Mitre came under fire for alleged backlogs in CVE assignments, leading to concerns that the program – called by some a “cornerstone” of the industry – could become less relevant in the fight against cybersecurity threats in the future. These complaints led to the creation of the Distributed Weakness Filing (DWF) system. The DWF project says that the point of the exercise is to address pain points in the CVE assignment process, as well as improving speed, latency and volume with the assistance of automation.
There are currently 169 registered CNAs worldwide. The DWF was previously a CNA but no longer acts in this capacity. The organisation claims that the DWF has begun “attempting” to issue CVE IDs via its GitHub repository and that at least eight records have been pushed. But as the project is not a named or approved CNA, issuing CVE IDs is causing “confusion in the CVE contributor and user communities”. Furthermore, the group says that this activity – no matter the numbering order used – could “undermine public trust in the entire CVE system.”
“This erosion of trust degrades the CVE community’s ability to provide a free public resource to track vulnerabilities and reduce cybersecurity risk,” the statement reads.
To push the matter from the realm of confusion into the legal, the CVE board also says that issuing unauthorised CVE IDs is a “misappropriation” of the CVE brand, unfair competition, and may allegedly be an abuse of a “registered trademark of the Mitre Corporation”.
Stay in the know
Subscribe to our monthly Learning Matters newsletter and stay up to date with QA's latest news, views, offers, must-go-to events and more.
And if you want to keep up with the latest cyber news, why not subscribe to our weekly Cyber Pulse newsletter.
More articles by Richard
Cyber Pulse: Edition 165 | 26 November 2021
Cyber Pulse: Edition 164 | 17 November 2021
Cyber Pulse: Edition 163 | 1 November 2021
Cyber Pulse: Edition 162 | 8 September 2021
Cyber Pulse: Edition 161 | 27 August 2021
Cyber Pulse: Edition 160 | 20 August 2021
Cyber Pulse: Edition 159 | 06 August 2021
Cyber Pulse: Edition 158 | 23 July 2021
Cyber Pulse: Edition 157 | 16 July 2021
Cyber Pulse: Edition 156 | 2 July 2021