A mysterious group of hacktivists has poisoned the DNS records of several Sri Lankans (.lk) websites on Saturday and redirected users to a web page detailing various social issues impacting the local population.
While most of the affected domains were websites for local businesses and news sites, two high-profile domains for Google.lk and Oracle.lk, were also impacted, readers told ZDNet on Saturday.
The following message was displayed on Google.lk for a few hours before authorities intervened. The message highlights issues with the local tea-growing industry, freedom of the press, the alleged corrupt political class and judicial system, and racial, minority, and religious issues.

Image: ZDNet
This attack took place on Saturday, February 6, just two days after Sri Lanka’s official national independence day, on February 4, which explains the nationalistic message.
NIC.lk, the administrator of the country’s national LK top-level domain space, confirmed the attack on Saturday in a message posted on its website.
“An issue with the .LK Domain Registration System arose early in the morning of Saturday, February 6th, which affected a few domains registered in .LK,” the organization said. “This issue was attended to expeditiously, and the matter was resolved by approx. 8.30 a.m.”
The Telecommunications Regulatory Commission of Sri Lanka also confirmed the incident in a tweet on its account.

Details about the attack and the number of impacted domains have not been made public. A NIC.lk spokesperson did not respond to a request for comment sent by ZDNet on Sunday.
The attack didn’t go unnoticed in Sri Lanka, and several users tweeted about it over the weekend, even if the incident was active for only a few hours.

Users in #SriLanka hv complained that https://t.co/bFifSYuMZa domain is being redirected to a site which highlights issues faced by teaworkers in #lka. Expert @aselawaid tweeted this appears to be a major domain level hijack which seems to be redirected to a propaganda page.
— Jamila Husain (@Jamz5251) February 6, 2021

This is the second cyber-security-related incident that impacts the NIC.lk organization. In 2013, hackers used an SQL injection attack to breach its database and steal data about .lk domain owners. More

The New South Wales government has announced a cybersecurity vulnerability management centre will be established in Bathurst. To be operated by Cyber Security NSW, the centre will be responsible for detecting, scanning, and managing online vulnerabilities and data across departments and agencies when operations commence in July. Minister for Customer Service Victor Dominello said the […] More

Cisco announced recently that it will not be releasing software updates for a vulnerability with its Universal Plug-and-Play (UPnP) service in Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers.The vulnerability allows unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.”This vulnerability is due to improper validation of incoming UPnP traffic. An attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition,” Cisco said in a statement. “Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.”The vulnerability only affects the RV Series Routers if they have UPnP configured but the UPnP service is enabled by default on LAN interfaces and disabled by default on WAN interfaces.The company explained that to figure out if the UPnP feature is enabled on the LAN interface of a device, users should open the web-based management interface and navigate to Basic Settings > UPnP. If the Disable check box is unchecked, UPnP is enabled on the device.Cisco said that while disabling the affected feature has been proven successful in some test environments, customers should “determine the applicability and effectiveness in their own environment and under their own use conditions.” 

They also warned that any workaround or mitigation might harm how their network functions or performs. Cisco urged customers to migrate to the Cisco Small Business RV132W, RV160, or RV160W Routers.The vulnerability and Cisco’s notice caused a minor stir among IT leaders, some of whom said exploiting it requires the threat actor to have access to an internal network, which can be gained easily through a phishing email or other methods. Jake Williams, CTO at BreachQuest, added that once inside, a threat actor could use this vulnerability to easily take control of the device using an exploit. “The vulnerable devices are widely deployed in smaller business environments. Some larger organizations also use the devices for remote offices. The vulnerability lies in uPnP, which is intended to allow dynamic reconfiguration of firewalls for external services that need to pass traffic inbound from the Internet,” Williams told ZDNet. “While uPnP is an extremely useful feature for home users, it has no place in business environments. Cisco likely leaves the uPnP feature enabled on its small business product line because those environments are less likely to have dedicated support staff who can reconfigure a firewall as needed for a product. Staff in these environments need everything to ‘just work.’ In the security space, we must remember that every feature is also additional attack surface waiting to be exploited.” Williams added that even without the vulnerability, if uPnP is enabled, threat actors inside the environment can use it to open ports on the firewall, allowing in dangerous traffic from the Internet. “Because the vulnerable devices are almost exclusively used in small business environments, with few dedicated technical support staff, they are almost never updated,” he noted.Vulcan Cyber CEO Yaniv Bar-Dayan said UPnP is a much-maligned service used in the majority of internet connected devices, estimating that more than 75% of routers have UPnP enabled. While Cisco’s Product Security Incident Response Team said it was not aware of any malicious use of this vulnerability so far, Bar-Dayan said UPnP has been used by hackers to take control of everything from IP cameras to enterprise network infrastructure. Other experts, like nVisium senior application security consultant Zach Varnell, added that it’s extremely common for the devices to rarely — or never — receive updates. “Users tend to want to leave well enough alone and not touch a device that’s been working well — including when it needs important updates. Many times, users also take advantage of plug-and-play functionality, so they do very little or zero configuration changes, leaving the device at its default status and ultimately, vulnerable,” Varnell said. New Net Technologies global vice president of security research Dirk Schrader added that while UPnP is one of the least known utilities to average consumers, it is used broadly in SOHO networking devices such as DSL or cable router, WLAN devices, even in printers. “UPnP is present in almost all home networking devices and is used by device to find other networked devices. It has been targeted before, and one of the big botnets, Mirai, relied heavily on UPnP. Given that the named Cisco devices are placed in the SOHO and SMB segment, the owners are most likely not aware of UPnP and what it does,” Schrader said. “That and the fact that no workaround or patch are available yet is a quite dangerous combination, as the installed base is certainly not small. Hope can be placed on the fact the — by default — UPnP is not enabled on the WAN interfaces of the affected Cisco device, only on the LAN side. As consumers are not likely to change that, for this vulnerability to be exploited, attackers seem to need a different, already established footprint within the LAN. But attackers will check the vulnerability and see what else can be done with it.” More

EyeMed has agreed to $600,000 in penalties to settle the case of a 2020 data breach that exposed the information of roughly 2.1 million consumers. 

The agreement was announced this week. According to New York Attorney General Letitia James, the data breach exposed sensitive information, including names, mailing addresses, full or partial Social Security numbers, dates of birth, driving licenses, healthcare IDs, diagnoses and condition notes, and treatment information. Out of the 2.1 million individuals involved in the security incident, 98,632 New York state residents.  Based in Cincinnati, Ohio, EyeMed Vision Care is a network provider for independent optometrists, opticians, ophthalmologists, as well as eye doctors in retail settings. The organization caters to over 60 million users.  According to court documents (.PDF), on or around June 24, 2020, an unknown attacker used stolen credentials to access an enrollment email account used by EyeMed. Over the course of a week, the threat actor was able to view correspondence and access sensitive consumer data.  The cybercriminal was able to exfiltrate this data, in theory, but a cyberforensics firm hired to investigate the incident was unable to conclude whether or not they did steal consumer information.  In July, the attacker then used the email account to send roughly 2,000 phishing emails to clients. 

“The phishing messages purported to be a request for proposal to deceive recipients into providing credentials to the attacker,” the settlement document reads.  EyeMed was alerted to the intrusion once the scam messages were sent and booted the attacker from its system.  It took a further two months before impacted clients began to be notified of the data breach — and as this has been conducted on a rolling basis, customers were still being told up to January 2021. Clients have been offered credit monitoring services, fraud consultation, and identity theft restoration. Minors, too, were affected — and for this group, EyeMed has also offered Social Security Number trace.  The Office of the Attorney General launched its own investigation into the data breach and concluded that the original email account was not protected with multi-factor authentication (MFA).  “Additionally, EyeMed failed to adequately implement sufficient password management requirements for the enrollment email account given that it was accessible via a web browser and contained a large volume of sensitive personal information,” the office says. “The company also failed to maintain adequate logging of its email accounts, which made it difficult to investigate security incidents.” Under the terms of the agreement, EyeMed will pay the state of New York penalties totaling $600,000. In addition, the company must improve its cybersecurity posture maintain “reasonable” account management protocols, including the implementation of MFA in remote and administrative settings, and sensitive information collected from consumers must be encrypted.  If it is no longer necessary to store consumer information, the company is now under orders to permanently delete it.  A penetration testing program must also be implemented to identify any vulnerabilities or further security issues in the EyeMed network.  “New Yorkers should have every assurance that their personal health information will remain private and protected,” commented Attorney General James. “EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals. Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest.” ZDNet has reached out to EyeMed with additional queries, and we will update when we hear back.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Image: Blake Cheek
A US judge has sentenced a 22-year-old hacker to eight years in prison for engaging in DDoS extortion schemes, making fake bomb threats against companies and schools across the world, and possession of child pornography materials.

Identified as Timothy Dalton Vaughn, a resident of Winston-Salem, North Carolina, the hacker was arrested in February 2019, pleaded guilty in November of the same year, and was sentenced to 95 months in prison on Monday, following delays to his sentencing due to the COVID-19 pandemic.
Vaughn, who went online as “Hacker_R_US” and “WantedbyFeds,” was a member of Apophis Squad, a hacker group who made a splash in the first eight months of 2018 and then fizzled out of existence after a law enforcement crackdown.
The group was your typical loudmouth hacker squad that bragged about launching DDoS attacks on their Twitter account, but according to court documents, they also extorted some of their targets in private, asking for money to stop their attacks.
But while they’re not the only hacker group to engage in DDoS extortion, Apophis Squad members went off the rails in the summer of 2018, when, for no apparent reason, they escalated their online nuisance to a whole new level by beginning to make erratic bomb threats against a wide range of targets that included schools, airports, government organizations, and many private companies.
Obviously, the switch to such brazen tactics didn’t go unanswered and a law enforcement crackdown followed soon after, especially after one of their fake bomb threats forced a plane to make an emergency landing.
UK police arrested the group’s leader in August 2018, and Vaughn’s arrest followed the next February.

The group’s leader, who went online by nicknames such as “optcz1,” “DigitalCrimes,” and “7R1D3N7,” was identified as George Duke-Cohan, 19, from Hertfordshire, UK.
Duke-Cohan was linked to DDoS extortions and fake bomb threats, and the hacker was quickly trialed in the fall of 2018 to receive a three-year prison sentence in December 2018.
In the follow-up case in the US, authorities similarly linked Vaughn to a $20,000 DDoS extortion against a Long Beach company and bomb threats made against 86 school districts, where he and other co-conspirators claimed to have planted ammonium nitrate and fuel oil bombs in school buildings; rocket-propelled grenade heads under school buses; and land mines on sports fields.
During a subsequent arrest and house search, the FBI said it also found child pornography materials on Vaughn’s devices and tacked on additional charges.
Vaughn was sentenced to 95 months for the child pornography possession charge and 60 months for the other charges. The terms will be served concurrently for a sentence of 95 months (7 years and 11 months) in prison. More