Cyber Pulse: Edition 162 | 8 September 2021

Ireland's Data Privacy Commissioner (DPC) issues €225 million fine

Ireland's Data Privacy Commissioner (DPC) has hit Facebook-owned messaging platform WhatsApp with a €225 million (£193 million) administrative fine for violating the EU's GDPR privacy regulation after failing to inform users and non-users on what it does with their data. The fine follows an investigation started in December 2018 after the data watchdog received multiple complaints from "individual data subjects" (both users and non-users) regarding WhatsApp data processing activities.

Throughout the investigation, Ireland's DPC "examined whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies," the regulator explained.

WhatsApp's fine reflects the infringements the EU regulators found:

• In respect of Article 5(1)(a) of the GDPR (a fine of €90 million);
• In respect of Article 12 of the GDPR (a fine of €30 million);
• In respect of Article 13 of the GDPR (a fine of €30 million); and
• In respect of Article 14 of the GDPR (a fine of €75 million).

On top of the fine, the Irish data watchdog also ordered WhatsApp to bring its processing into compliance with GDPR’s requirements by taking a range of specified remedial actions with a deadline that will expire in three months. The decision of the Irish DPC can be found and read in full here.

In related news, Amazon has also been hit with a record-breaking €746 million (£638 million) fine in July by the Luxembourg National Commission for Data Protection (CNPD) for GDPR violations regarding its targeted behavioural advertising, the largest ever fine issued by an EU data watchdog for GDPR violations.

WhatsApp ‘admins’ monitor private messages – despite end-to-end encryption claims

WhatsApp, which uses end-to-end encryption and makes a big deal about privacy, is not actually as private as owner Facebook claims, according to a new report by ProPublica. Facebook's moderator contract firm, Accenture, employs at least 1,000 moderators who sit in offices in Texas, Austin, Dublin and Singapore and sift through users' private messages, flagged by the service's own algorithms and other users.

The moderators review flagged messages for spam, blackmail, hate speech, disinformation, potential terrorist threats, and "sexually oriented businesses". Based on the content, they can block the account, put it on watch or leave it alone. Once the flagged message reaches them, moderators can see the last five messages in a thread. WhatsApp moderators told ProPublica that the service's machine learning algorithms often misidentify content. For instance, they frequently misunderstand pictures of kids in a bathtub as being abusive.

If true, this arrangement contradicts claims from WhatsApp that it does not read end-to-end encrypted messages sent between users.

In 2018, when US authorities began their initial probe into Facebook, the company's founder and CEO Mark Zuckerberg announced in the Senate that all content on WhatsApp is encrypted. He clearly stated, "We don't see any of the content in WhatsApp, it's fully encrypted." Now, it appears that that just isn't true – even if your conversations are perfectly innocent, if WhatsApp's machine learning system flags as many false positives as the report implies.

43% of all malware downloads are hidden in Office docs

According to researchers at Atlas VPN, nearly 43% of all malware downloads are hidden in infected MS Office documents. Such files are quite popular among threat actors because they can easily evade detection from a majority of antivirus software. To trick users into downloading malware, attackers infect Office docs by creating malicious macros and send these files to unsuspecting users through emails. Usually, people easily get tricked into enabling macros as MS Office, and hence, they open the malicious file without thinking twice.

It is worth noting that Atlas VPN’s findings are based on another report titled Netskope Threat Lab Cloud and Threat Report: July 2021 Edition, which covered how cybercriminals were exploiting Office docs. In their research, Netskope Threat Lab assessed documents from different platforms, including Google Docs and PDF files apart from Microsoft Office 365. According to the report, in the second quarter of 2020, around 14% of all downloadable malware were found hidden in Office documents, and by the third quarter of 2020, this percentage jumped to 38%, mainly due to increased reliance on remote working.

Personal details of 8,700 French visa applicants exposed by hackers

A cyber-attack has compromised the data of around 8,700 people applying for visas to visit or move to France via the France-Visas website. According to local news reports, the attack was "quickly neutralised" although certain personal details – including names, passport and identity card numbers, nationalities and birth dates – had been leaked. The Ministry of Foreign Affairs and the Ministry of the Interior, who jointly manage France-Visas, announced that the cyber-attack had targeted a section of the site, which receives approximately 1.5 million applications per month. 

A spokesperson for the Ministry of Foreign Affairs explained that no details of the nationalities affected or other information about the applicants could be given out to the press. The Ministry of Foreign Affairs worked with the Ministry of the Interior to “secure the platform” and prevent “events of this type from happening again.” The French information science commission, Cnil, was informed about the attack and a judicial investigation is currently underway.

Critical auth bypass bug affect Netgear smart switches

Networking, storage and security solutions provider Netgear on Friday issued patches to address three security vulnerabilities affecting its smart switches that could be abused by an adversary to gain full control of a vulnerable device. The flaws were discovered and reported to Netgear by Google security engineer Gynvael Coldwind. According to Coldwind, the flaws concern an authentication bypass, an authentication hijacking, and a third as-yet-undisclosed vulnerability that could grant an attacker the ability to change the administrator password without actually having to know the previous password or hijack the session bootstrapping information, resulting in a full compromise of the device.

The three vulnerabilities have been given the codenames Demon's Cries (CVSS score: 9.8), Draconian Fear (CVSS score: 7.8), and Seventh Inferno (TBD). In light of the critical nature of the vulnerabilities, companies relying on the aforementioned Netgear switches are recommended to upgrade to the latest version as soon as possible to mitigate any potential exploitation risk.

Hackers playbook leaked

Researchers recently obtained a leaked playbook linked to Conti, the Ransomware-as-a-Service (RaaS) group. It has revealed a plethora of information about the threat actors that also contains the Cobalt Strike manual that was referenced while creating the playbook. The sensitive playbook documents are believed to be leaked by a disgruntled partner of Conti. Talos researchers noted that the level of details included in the documentation could enable any low-skilled cybercriminal to perform cyberattacks.

The attackers use the Net command to list users and tools such as AdFind to identify users with Active Directory access, along with OSINT and LinkedIn to spot users with privileged access. One of the main tools covered in the playbook is the threat emulation software Cobalt Strike. Additionally, other used tools are Armitage, SharpView, SharpChrome and SeatBelt, among others. The Conti playbook could be a crucial contribution to the security community as it offers a glance into the behaviours of these groups and the tools they tend to leverage while performing attacks. For researchers and security analysts, this is an opportunity to deploy the right logic in place to detect and mitigate such threats.