Cybersecurity News – February 15, 2022

FTC warns VoIP providers about robocalls

The US Federal Trade Commission warned VoIP providers that it will take legal action against them if they do not hand over information related to its investigation into robocalls. The agency issued FTC Civil Investigative Demands to many VoIP operators, which require a response in full. The FTC recently issued these demands to VoIP providers XCast Labs and Deltracon Inc as part of an investigation into robocalls to numbers on the DNC registry. FTC data shows that between January and September 2021, it received 3,395,386 complaints about robocalls. The FTC has stepped up action on robocalls in recent years, eliminating the need to issue warnings to robocallers before issuing fines, and increasing the maximum fines for intentionally unlawful calls to $10,000.

(Bleeping Computer)

SEC outlines new cybersecurity rules for investment firms

A new proposal released by the U.S. Securities and Exchange Commission sets out cybersecurity rules for investment funds. Under the proposal, funds and registered investment advisors would have to create written policies for handling cybersecurity incidents and report significant incidents to investors and regulators within 48 hours. Data breaches would qualify as a significant incident under the SEC proposal. These incidents would also have to be listed on investor materials for two years.

(WSJ)

Rampant plagiarism hits NFT marketplace

The NFT marketplace Cent has halted buying and selling of most NFTs on its platform since February 6th. According to CEO Cameron Hejazi, the platform found rampant issues like users selling unauthorized copies of other NFTs, minting NFTs of content they do not own, and selling sets of NFTs almost like a security. The company may introduce centralized controls on minting NFTs as a stop-gap measure to re-open its marketplace. The company still operates its business of selling NFTs of tweets, which it calls “valuables.” Last month, the NFT marketplace OpenSea said 80% of NFTs created with its free minting tool were plagiarized works, fake collections, and spam.

(Reuters)

ModifiedElephant APT at work for a decade

Researchers at Sentinel One published a report detailing the work of an APT dubbed ModifiedElephant, which it claims targeted human rights activists, academics, and lawyers across India since at least 2012. The group repeatedly targeted specific individuals during this time, using commercially available remote access trojans delivered using spearphishing. The group used free email service providers, and has been observed shifting backend infrastructure and malicious attachment tactics over the years. Sentinel One believes the group has links to other advanced threat actors operating in the area.

(Sentinel One)

Texas sues Meta over facial recognition

Texas Attorney General Ken Paxton filed a lawsuit against Meta over its use of facial recognition on Facebook. Meta announced in November that it was shutting down Facebook’s facial recognition system, no longer identifying users and deleting more than a billion facial recognition templates. Despite being shut down, Texas alleges the program violated the state’s privacy laws while it was in operation. The lawsuit seeks civil penalties in the hundreds of billions of dollars. This isn’t Meta’s first case involving biometric privacy. Last year Meta was ordered to pay $650 million for violating Illinois’ Biometric Information Privacy Act.

(TechCrunch)

Russian cybercrime drives crypto-based money laundering

A new report from Chainalysis found that in 2021, about 74% of ransomware revenue went to organizations with ties or affiliation to Russia, totaling over $400 million in cryptocurrency. These include ransomware organizations that avoid Russian-speaking countries in the Commonwealth of Independent States, the Evil Corp organization, and groups with characteristics indicating a Russian origin, like language. An estimated 13% of funds from ransomware addresses went to users believed to be in Russia, more than any other country. Crypto funds deemed risky or potentially illicit in the financial district of Moscow City accounted for 29% to 47% of all funds received in 2021. Most of these funds in Moscow City specifically originated from scam- and darknet-market-linked organizations.

(Chainalysis)

QNAP unsupported devices are sort of supported

QNAP NAS devices have been hit with more than their fair share of ransomware over the years. This was made worse by many devices being out of support, leaving them exposed to vulnerabilities that could otherwise be patched. Now QNAP has extended support for some end-of-life NAS devices until October 2022. The company says this should give users time to upgrade unsupported devices to protect them from “evolving security threats.” QNAP generally provides four years of security updates after a product goes EOL. The company further urged customers not to expose EOL NAS devices to the Internet due to unpatched vulnerabilities under active exploitation.

(Bleeping Computer)

GiveSendGo goes offline

We reported last week that the crowdfunding site used by the Ottawa trucker “freedom convoy” left an exposed Amazon S3 bucket online. Now Vice reports that the personal details of over 92,000 donors leaked online. This shows a top anonymous donation of $215,000, with 56% of donations coming from the US, and 26% from Canada. Email addresses exposed in the leaked data include ones from the US Department of Justice, NASA, the US military, Federal Bureau of Prisons, and TSA. The site was also redirected to a different URL on Sunday night, and the website appeared offline as of February 14th. At least the trove of exposed data was removed from the website before it went down. 

(Motherboard)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.