Breach Roundup: Pegasus on Exiled Russian Journalist's Phone - Source: www.govinfosecurity.com

Also: 9-Year Prison Sentence for Insider Trading Fueled by Password Theft

Anviksha More (AnvikshaMore) •
September 14, 2023

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, exiled Russian journalist Galina Timchenko’s iPhone was found to contain NSO Group’s Pegasus spyware, a Russian businessman was sentenced for insider trading, more than 300,00 people were affected by an attack on See Tickets and period-tracking apps raised privacy concerns in the U.K.

Also, Google warned of a campaign targeting security researchers, Rollbar acknowledged a data breach and the AP Stylebook disclosed a breach.

Exiled Russian Journalist Targeted by Pegasus Spyware

The iPhone of exiled Russian journalist Galina Timchenko was found to contain an infection of NSO Group’s Pegasus commercial surveillance spyware, researchers at digital rights advocacy group Access Now revealed Wednesday. An investigation conducted in cooperation with the University of Toronto’s Citizen Lab dated the infiltration of Timchenko’s phone to approximately Feb. 10, when the co-founder, CEO and publisher of independent outlet Meduza had been in Berlin to discuss Russian censorship and Kremlin threats.

Timchenko submitted her phone for forensic analysis after receiving on June 22 a notification from Apple that state-sponsored attackers may have targeted her phone, Access Now said.

The Russian government in January outlawed Latvia-based Meduza, declaring it to be an “undesirable organization.” Neither Access Now nor The Citizen Lab has attributed the attack. Meduza Editor-In-Chief Ivan Kolpakov said the likely culprit is a “European government.”

“Independent journalists from Russia and other countries may be caught between a rock and a hard place: On one side is their own governments, with their monstrous security apparatuses, and on the other side is the intelligence services of the countries where they’re seeking refuge,” he said.

Journalism in Russia is controlled by the Kremlin “directly or through state-owned companies and friendly business magnates,” Freedom House said in a 2023 report ranking Russia as “not free.”

Russian Businessman Gets 9-Year Sentence for Insider Trading

A U.S. federal judge last Thursday sentenced Kremlin linked-Russian businessman Vladislav Klyushin to nine years in prison for his role in a $93 million insider trading scheme involving hacked earnings information from multiple companies. Klyushin owned the Moscow-based media monitoring and cybersecurity services firm M-13. Between 2018 and 2020, he and his alleged co-conspirators hacked into the networks of two U.S.-based filing agents that publicly traded companies used to make quarterly and annual filings. Klyushin used the information about earnings for insider trading, including stock market trades on Tesla, Roku and Snap.

M-13 used its “malicious infrastructure” to steal login information for systems used by employees of the two unnamed service providers. The scheme was lucrative, with returns of 900% during a period when the broader stock market returned 25%, the U.S. Department of Justice says. “Klyushin and his co-conspirators earned close to $100 million in earnings trading from roughly $9 million in investments using inside information, even as they lost close to $10 million in non-earnings trading.”

Web Skimmer Attack on See Tickets Affects 300,000

The data of more than 300,000 individuals was compromised following a web skimmer attack against international ticketing services firm See Tickets, the agency disclosed in a breach notification letter.

See Tickets, owned by Vivendi Ticketing, said it had detected the attack in May and fully mitigated it by July. An investigation by a forensics firm revealed that hackers injected malicious code into the agency’s e-commerce checkout pages resulting in their acquisition of customer payment card data, including PIN numbers, that had been used to buy tickets between Feb. 28 and July 2. Approximately 323,500 people are affected by the hack.

Period Apps Raise Concerns Over Data Privacy

U.K. data protection watchdog the Information Commissioner’s Office is launching a review of period tracking and fertility tracking apps due to data security concerns raised by women. The ICO has asked app developers for information and is encouraging users to share their experiences.

The ICO found in a recent survey that more than half of app users reported an increase in baby- or fertility-related advertisements, and 17% reported finding them “distressing.”

The regulator’s investigation will focus on issues such as complicated privacy policies, excessive personal data requests or storage by apps, and users receiving unwelcome targeted ads.

ICO also warned developers of connected devices to adhere to data protection laws. They stressed the need for transparency regarding data collection and usage to maintain trust.

Google Warns of Campaign Targeting Security Researchers

Google’s Threat Analysis Group issued a warning last Thursday about cyberattacks by North Korean state hackers targeting security researchers involved in vulnerability research and development. Hackers are using at least one zero-day vulnerability in an undisclosed popular software.

TAG did not specify details regarding the exploited vulnerability or the affected software, likely due to ongoing patching efforts by the software vendor. To lure security researchers, the attackers use social media platforms such as Twitter and Mastodon to build a rapport and later move to encrypted messaging apps such as Signal, Wire or WhatsApp. Subsequently, malicious files designed to exploit the zero-day are sent to the targeted individuals.

The attackers’ payload, when executed, checks for virtual machine environments and then transmits collected information, including screenshots, to the attackers’ command-and-control servers. The payload also uses an open-source tool called GetSymbol that is designed for reverse engineers but used nefariously to download and execute arbitrary code.

Rollbar Acknowledges Data Breach

Software bug-tracking company Rollbar disclosed a data breach that occurred in early August, in which attackers had infiltrated its systems and gained access to customer access tokens. Rollbar identified the breach on Sept. 6 during a review of data warehouse logs, the company said in a data breach notification letter posted online by Troy Hunt.

The threat actors accessed sensitive customer information including usernames, email addresses, account names and project details, such as environment names and service link configurations, for a three-day period between Aug. 9 and Aug 11.

The software development and error tracking platform is used by more than 400 million application end users and numerous global companies, including Salesforce, Twilio, Uber, Twitch and Pizza Hut.

AP Stylebook Discloses Breach

The Associated Press issued a warning about a data breach affecting its AP Stylebook customers, after suffering a targeted phishing attack. The AP Stylebook is a widely used reference guide for journalists and media organizations worldwide.

The breach occurred on an outdated third-party-managed AP Stylebook site that was no longer in use and took place in mid-July. During the incident, hackers stole data belonging to 224 customers. The compromised information includes customers’ names, email addresses, physical addresses, city, state, ZIP codes, phone numbers and user IDs such as Social Security numbers or employer identification numbers.

The AP became aware of the potential data breach on July 20, after receiving reports from AP Stylebook customers who had received phishing emails requesting updates to their credit card information.