Cybersecurity news headlines for 1-15 March 2019
We’re already halfway through March, and while we have three stories to report, nothing of major impact has happened in cybersecurity in the last two weeks. In this edition of cybersecurity news, we cover a local government paying a $400,000 ransom, adware found in Android apps, and 809 million records exposed by an email marketing firm.
Georgia county pays $400,000 to recover ransomware-infected systems
Jackson County, Georgia, agreed to pay $400,000 to cyber criminals in order to regain access to its files after a ransomware infection crippled its systems. The ransomware was identified as Ryunk (most likely a misspelling of Ryuk), which currently cannot be decrypted without the attackers’ key and is thought to be operated by a group in Eastern Europe.
The attack on the county’s internal network happened on March 1, and systems remained crippled for two weeks. Reportedly, except for the website and the 911 emergency system, most of the local government’s IT systems were offline, forcing officials to work with pen and paper. Law enforcement was still able to book suspects in criminal cases, but all paperwork had to be filled out by hand.
After negotiations with the attackers, the county agreed to buy the decryption key for $400,000. The local government was left with little choice, as there were no backups, and a full rebuild of its systems was estimated to take months and to cost as much as or more than the ransom. Officials are currently restoring the affected systems and recovering the encrypted files.
While it may not seem that way initially, a ransomware infection can do millions of dollars in damage, as rebuilding IT networks is expensive, so the county’s decision is understandable. Nevertheless, neither law enforcement agencies nor cybersecurity specialists recommend engaging with the criminals and paying the ransom: payment funds further attacks and does not guarantee a working decryptor. The practical lesson here is the missing backups. Offline or otherwise isolated backups that are regularly tested with an actual restore are what turn a ransomware incident into an inconvenience rather than a $400,000 decision.
New SimBad Android adware downloaded by 150 million users
Google pulled 206 apps from the Play Store after they were found to contain SimBad adware. Collectively, the apps had nearly 150 million downloads, with Snow Heavy Excavator Simulator having the largest number at 10 million. The discovery was made by cybersecurity firm Check Point, which alerted Google.
The apps themselves were legitimate, most of them games, and their developers are believed to have been tricked into bundling a malicious advertising SDK called RXDrioder, which is where the malware was hidden.
“We believe the developers were scammed to use this malicious SDK, unaware of its content, leading to the fact that this campaign was not targeting a specific country or developed by the same developer,” Check Point researchers said.
Check Point divides SimBad’s capabilities into three groups: showing ads, phishing, and exposure to other applications. Its operators can carry out spear-phishing attacks on users by generating phishing pages and opening them in the device’s browser, and the malware can also install additional apps and open other apps’ listings in app stores.
Google has been struggling to keep malware out of the Play Store, as numerous threats have slipped past its defences. To be fair to the tech giant, SimBad was rather sneaky, as it arrived inside otherwise legitimate apps through a third-party SDK rather than in code the app developers wrote themselves. Nevertheless, this highlights an already familiar problem Google has with detecting rogue apps in its own store.
Email marketing company exposes 809 million records
Data leaks are unfortunately nothing new. There are smaller ones that involve up to a million users (yes, that is considered to be small in comparison), and then there are ones that affect hundreds of millions of users.
Security researcher Bob Diachenko discovered a publicly accessible and completely unprotected MongoDB database containing 150GB of plaintext data. There were 808,539,939 records in total, grouped into three collections: Emailrecords (798,171,891 records), emailWithPhone (4,150,600 records) and businessLeads (6,217,358 records). The most worrying part is that some records included personal information, such as phone numbers, home addresses, ZIP codes, IP addresses and dates of birth. Because the database required no authentication, anyone who found its address could have read it.
The records were cross-checked against Have I Been Pwned, a service that lets users check whether their email addresses have appeared in known data leaks, and the researcher concluded that the records were a previously unseen data set.
It was later discovered that the data belonged to Verifications.io, a marketing firm offering ‘Enterprise Email Validation’ services. Reportedly, when customers uploaded email lists for verification, the lists were stored in plain text. The researcher reported the leak to Verifications.io, which has since taken the database down.
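As an added illustration (not taken from the researcher’s report or from Verifications.io, whose actual configuration is not public), the following mongod.conf fragments show the kind of difference that separates an exposed database from a protected one. The first listens on every interface with authorization switched off, which is how MongoDB instances end up indexed by internet-wide scanners; the second binds only to loopback and an internal address and requires every client to authenticate. The internal address 10.0.0.5 is a placeholder.

```yaml
# Weak configuration (hypothetical example): reachable from any network, no login required.
# Anyone who can reach port 27017 can list and dump every collection.
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled

---
# Hardened configuration (hypothetical example): listen only on loopback and one private
# interface, and require role-limited user accounts for every connection.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 is a placeholder for an internal address
security:
  authorization: enabled
```

Binding to the right interface and enabling authorization are independent controls, and both are needed: a database bound to a private address is still one misconfigured firewall rule or cloud security group away from the internet. A quick external check after deploying the hardened fragment is to run the MongoDB shell against the server’s public address and call `db.adminCommand("listDatabases")`; a correctly configured server refuses the connection or returns an Unauthorized error instead of a list of collections.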