ISA is committed to keeping the security community up to date with the latest cybersecurity news. 

Update: Charges laid in Twitter hack

Just two weeks after a massive hack at Twitter, three individuals have been charged in connection with the incident. As we reported in late July, Twitter suffered a significant breach with some of its highest-profile users’ accounts compromised in an apparent Bitcoin scam in mid-July. After the incident came to light, Twitter said the hackers had targeted select employees “with access to internal systems and tools”. It is believed that up to eight internal accounts were breached by using a phone-based spear-phishing scam allegedly conducted by the three accused.

A 19-year-old living in Bognor Regis (a town 90 km southwest of London, England), and a 17-year-old and a 22-year-old from Florida were taken into custody. Some 30 felony charges were laid against the Tampa, Florida teenager – who was reportedly the “mastermind” of the hack – according to Florida State Attorney Andrew Warren. The charges include 17 counts of communication fraud, ten counts of fraudulent use of personal information, a single count of fraudulent use of personal information with over $100,000 (all figures USD) or 30 or more victims, a single count of organized fraud, and a single count of access to computers or electronic devices without authority.

The 17-year-old teen, who reportedly has over $3 million worth of Bitcoin in his personal accounts, is no stranger to law enforcement. During an unrelated matter in April, the Secret Service seized more than $700,000 worth of Bitcoin from the teen before returning it due to insufficient evidence in their investigation. He is being held without bail until his first court appearance on August 2.

Twitter said in a tweet acknowledging the arrests, “We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses. For our part, we are focused on being transparent and providing updates regularly.”

SHA-1 signed content retired by Microsoft

Effective Monday, August 3, Microsoft will no longer publish content that is signed using the legacy cryptographic hash algorithm “SHA-1” on the Microsoft Download Center. An early standard in encryption going back to 1995, SHA-1 was deemed crackable and therefore unsafe by 2005, and experts have discouraged its use ever since, with NIST outlawing its use in 2010, and (with a few exceptions) digital certificate signing authorities discontinuing its use in 2016.

According to a Microsoft tech community posting, Microsoft “no longer uses SHA-1 to authenticate Windows operating system updates due to security concerns associated with the algorithm, and has provided the appropriate updates to move customers to SHA-2 as previously announced.” Microsoft went on to urge customers, “If you are still reliant upon SHA-1, we recommend that you move to a currently supported version of Windows and to stronger alternatives, such as SHA-2.” Secure Hash Algorithm 2 (SHA-2) is more widely used and offers better protection against content spoofing, and phishing or man-in-the-middle attacks. Most browsers use the 256-bit variety of SHA-2, called SHA256.

Most modern browsers have flagged SHA-1 signed certificates as unsafe for years. While the end of Microsoft support should not have an impact on most websites (even the world’s oldest webcam – the San Francisco FogCam – uses SHA256), it is an important symbolic milestone in finally retiring the obsolete algorithm.

SHA-1 compatibility was primarily being maintained by Microsoft to provide support for older systems that cannot support SHA-2. Customers still using old versions of Microsoft software or operating systems are encouraged to review Microsoft’s SHA-2 Code Signing Support statement for a chronology and status of the changes.

Global travel agency CWT reportedly pays $4.5 million ransomware demand

According to a Reuters report, global travel management firm CWT (formerly known as Carlson Wagonlit Travel) fell victim to – and paid ransom for – a RagnarLocker ransomware attack that locked some 30,000 corporate computers and over two terabytes of corporate data. According to a tweet from a member of MalwareHunterTeam, the data may have included “billing info, insurance cases, financial reports, business audit, banking accounts… corporate correspondence… [and] information about [CWT] clients,” which included several high-profile customers.

The attack reportedly occurred on July 27, with ransom negotiations concluding before the end of the July. The initial demand for releasing control of the assets was reportedly $10 million (all figures USD), but was negotiated down to $4.5 million by the Minnesota-based travel firm. On August 2, CWT’s website was functioning, but no official announcement or acknowledgement of the incident was posted online. Their only comment to date was a prepared statement earlier this week:

“CWT experienced a cyber-incident [on] the weekend. We can confirm that after temporarily shutting down our systems as a precautionary measure, our systems are back online and the incident has now ceased. We immediately launched an investigation and engaged external forensic experts. While the investigation is at an early stage, we have no indication that PII/customer and traveller information has been affected. The security and integrity of our customers’ information is our top priority.”

While the statement suggests that the incident has now “ceased”, RagnarLocker attacks frequently involve data exfiltration (and a leaked screen shot of the negotiations implies that the hackers may indeed have a copy of the data on their servers), so there may be continuing concern even after the ransom has been paid.

Already reeling by the effects of the COVID-19 pandemic, the timing of the attack on the travel industry is particularly troubling.