Security News

Hackers breach 150,000 security cameras

Avast Security News Team, 12 March 2021

Plus, Twitter sues the Texas Attorney General and T-Mobile announces it will share user data

A hacking collective facetiously calling itself “Advanced Persistent Threat 69420” has breached the video archives and live feeds of security software company Verkada Inc., gaining access to 150,000 active surveillance cameras and every video archived by Verkada customers.

The Silicon Valley-based company services a wide range of businesses and institutions including Tesla, Cloudflare, hospitals, prisons, police departments, and schools. One of the hackers told Bloomberg that the group simply found the credentials for a Verkada administrator account publicly exposed online and used them to gain access. But shining a light on the security company’s poor security was only part of their intent. The hacker said the breach was “intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into.” Certain subjects of the video footage, such as gym members and hospital patients, may not be aware they are being surveilled. Once Verkada learned of the hack, the login credentials were changed and the group lost the connection.

Microsoft fixes bug targeted by Lazarus group

Microsoft issued a patch on Tuesday to fix a vulnerability recently exploited by the North Korean state-sponsored hacking group Lazarus, AKA Zinc. Members of the group posed as white hat hackers in order to gain the trust of security researchers and then attack them. Google and Microsoft announced the attacks in blog posts several weeks ago. The Lazarus group took measures to appear trustworthy and legitimate, going so far as to create Twitter personas and set up a research blog. Once trust was established with the researchers, they sent project files laced with malware that then attacked the researchers’ systems. 

90% of world’s airlines may be impacted by data breach

Some airlines, including Singapore Airlines, New Zealand Air, and Malaysia Airlines, have warned passengers about a security breach that may have impacted their data, after aviation IT provider SITA issued a press release earlier this month announcing it had become the victim of “a highly sophisticated attack” that involved certain passenger data. A spokesperson for SITA told ZDNet that the breached information does include airline passengers’ personal data. SITA, which claims to serve 90% of the world’s airlines, said the attack occurred February 24 this year. See the story in The Guardian for more.

Twitter sues Texas AG for harassment 

Attorneys for social media giant Twitter filed a lawsuit this week seeking “declaratory and injunctive relief” from Texas Attorney General Ken Paxton. “Twitter seeks to stop AG Paxton from unlawfully abusing his authority as the highest law-enforcement officer in the State of Texas to intimidate, harass, and target Twitter in retaliation for Twitter’s exercise of its First Amendment rights,” reads the court filing. Twitter claims that Paxton launched an investigation into the platform and accused it of conspiracy in what was simply a punishing, retaliatory action for banning Trump from the service following his instigation and flaming of the violence of January 6. Paxton accused Twitter of politically conspiring with the other online services that banned Trump after the Capitol Hill riot, and he demanded Twitter and the other services hand over their content moderation policies for review. Read more about this story on CNET.

T-Mobile to begin sharing customer data with 3rd parties

In a recent privacy policy update, T-Mobile informed its customers that they will be automatically enrolled into a data-sharing policy unless they manually opt out. Beginning April 26, all T-Mobile customers – including all migrated customers from the 2020 Sprint merger – will have their web and app data shared with advertisers. According to The Wall Street Journal, a T-Mobile spokeswoman said subscribers wanted the change, stating, “We’ve heard many say they prefer more relevant ads so we’re defaulting to this setting.” Users who want to opt out can do so on their T-Mobile app under the Advertising & Analytics tab. 

This week’s ‘must-read’ on The Avast Blog

Several US states are on track to pass new data privacy laws during 2021. Here's what's happening at the state level.