
Quantum computing brings new security risks: How to protect yourself


This blog was written by an independent guest blogger.

Although commercial quantum computing may still be decades away, government agencies and industry experts agree that now is the time to prepare your cybersecurity landscape for the future. The power of quantum computing brings security complexities that we are only beginning to understand.

Even now, our cybersecurity climate is getting hotter. The average cost of a data breach reached an all-time high in 2021, and the attack surface grows larger by the minute. The number of connected devices used to access business email and intranets has increased significantly since more organizations have transitioned to remote and hybrid work models.

With quantum computing looming in the not-so-distant future, the way that we think about encryption will need to evolve. Most of our current online privacy protocols utilize cryptography to maintain privacy and data integrity. However, the complex math behind creating encryption keys is no match for the power of quantum computers.

Although IBM hopes to make a 1,000-qubit machine by 2023, widespread adoption of quantum computing is still decades away. Take advantage of this time to develop the cybersecurity infrastructure that your organization needs to prepare for the future of quantum computing.

What is quantum computing?

Quantum computing focuses on developing computer technology based on principles that describe how particles and energy react at the atomic and subatomic levels. Today’s computers encode information in 1’s and 0’s. Quantum computing says that information can be encoded simultaneously in more than one place.

While the science is a bit muddy for those who are not quantum theory experts, we can all agree that quantum computing is faster than any other computing technology. In fact, the quantum computer that is in development at Google is 158 million times faster than the world’s fastest computer today.

Digital transformation has already spurred an increase in demand for web designers and developers, and web development is one of the fastest-growing career fields in the United States right now. In the future, quantum computing has the potential to contribute to finance, military intelligence, pharmaceutical development, aerospace engineering, nuclear power, 3D printing, and so much more.

What are the security risks?

The most significant impending security risks associated with switching over to quantum computers are related to cryptographic encryption. The global internet economy relies on cryptography as the foundation for a secure network. The complex algorithms used to create public and private keys to decrypt encrypted data do not hold up in a quantum environment.

The basic idea behind cryptographic encryption is that anyone who wishes to read an encrypted file must have the key, or code, to unlock it. The longer the key, the longer it takes for a computer to crack, and the more secure your files are.

To put this in perspective, it took a group of 300,000 people and four years of work to crack a 64-bit key in 2002. With 128-bit key encryption, it could take trillions of years to find a matching key.

Recently, the NIST raised the industry standard for key length protocol from 128 bits to 256 bits to increase security and prepare users for the future of quantum computing.

But cryptography is only one piece of the puzzle. Even if you implement the most secure encryption and signing practices, it won’t stop someone from opening a malicious file attachment or clicking on a misleading link. Software flaws, misuse of access, and other human-related problems could cost companies an unfathomable fortune in the quantum age.

How to protect yourself

Several technologies such as 5G, machine learning AI, and quantum computing have made huge advancements toward digitization. But, often, new technology rolls out before all of the kinks have been discovered and resolved. You could say that we are experiencing this problem with legacy cybersecurity systems.

Since the theory behind quantum computing will make our current encryption protocols obsolete, organizations should focus on creating a unified cybersecurity ecosystem to monitor the network, discover vulnerabilities, and mitigate security issues.

Here are a few things companies can do to protect themselves from future risks:

Adopt industry security standards

COVID-19 forced the world to find new ways to communicate, work, and conduct business, with most people finding their “new normal” by using digital online tools and connected devices. This influx of new internet users increased digital deployments, and the advent of the remote work movement caused security vulnerabilities for businesses and consumers to rise significantly. 

The NIST’s new industry standards say that the encryption strength of your keys should be at least 128 bits for low-impact data, 192 bits for moderate-impact data, and 256 bits for high-impact information.

In addition, achieving ISO compliance also helps protect your organization by requiring cybersecurity tools for asset discovery, vulnerability assessment, continuous security monitoring, and event reporting.

Implement Zero Trust

Meeting industry security standards, mandated or not, will help you with the technical side of cybersecurity, but implementing zero-trust authentication protocols can help to reduce risks associated with human error.

Scammers are clever, and they tend to use social engineering tactics to build trust with their intended victims so that it is easier to exploit them for their credentials, money, or data. Phishing and spoofing attacks are popular forms of social engineering where an attacker pretends to be a trusted user to infect a network with malware or get their hands on high-level login information.

Phishing and spoofing attacks can be highly covert. In fact, a whopping 30% of phishing emails and SMS messages get opened by targeted users. Another 12% of those users click on the malicious attachment or link.

Zero-trust protocols help reduce the impact of phishing and other social engineering attacks by delegating privileges based on necessity instead of position in a company. This protects crucial data from leaking out in case credentials are breached since no one individual is trusted with “the keys to the kingdom,” so to speak.

Deploy automated tools

Many cybersecurity protection procedures are meant to defuse the impact that human error can have on an organization. Manually scanning your network, mitigating vulnerabilities, and responding to data breaches opens the door to more mistakes and limits productivity.

That’s why organizations at the cutting edge of security choose to deploy automated tools to help them maintain the integrity of their network. Not only do automated tools work at higher speeds, but they can also analyze data with incredible detail within a timeframe that humans can’t match.

A recent study about cybersecurity adoption reported that 95% of businesses have already automated some cybersecurity processes. The report also highlighted that 98% plan to automate even more of their manual security processes in the upcoming year. This also implies that businesses that don’t automate their security protocols could lag behind.

Implement managed threat detection

Transitioning to a quantum-resistant cybersecurity plan sounds intimidating, which is why it can be helpful to have skilled experts on your side. The best way to ensure that your cybersecurity ecosystem remains intact is to implement managed threat detection through a trusted company. A managed threat detection and response service can help you arm your business with high-quality security tools and provide continuous monitoring and response support when you need it the most.

Wrapping up

Quantum computing will change everything from apps to internet search, web development, cybersecurity, and beyond. It’s wise to stay one step ahead of current technology trends so that when new features are released, your organization is already equipped with the knowledge and tools it needs to weather the dawning of a new age.


Alpha-Omega Project takes a human-centered approach to open-source software security


The Log4j vulnerability crisis that erupted in late-2021 heightened the security world’s awareness of supply chain risks in free and universally deployed open-source software. Following an intense holiday season push by admins and cybersecurity professionals to track and remediate the Log4j flaw, the White House held a meeting of industry leaders to discuss improving open source software security.


Data Leak Exposes IDs of Airport Security Workers


A cloud misconfiguration at a leading security services multinational has exposed the details of countless airport staff across South America, according to a new report.

A team at AV comparison site Safety Detectives found an Amazon Web Services S3 bucket wide open without any authentication required to view the contents. The team notified the owner, Swedish security giant Securitas, on October 28 2021, and the firm secured the database a few days later on November 2.

Inside the 3TB trove, the researchers found personally identifiable information (PII) on Securitas and airport employees dating back to November 2018.

At least four airports across Peru (Aeropuerto Internacional Jorge Chávez) and Colombia (El Dorado International Airport, Alfonso Bonilla Aragón International Airport, and José María Córdova International Airport) are impacted.

Safety Detectives is not sure exactly how many workers are affected, but claimed the S3 bucket contained around 1.5 million files.

These include photos of ID cards featuring full names, occupations and national ID numbers, as well as other miscellaneous photos of employees, planes, luggage and more. The bucket was apparently live and being updated at the time of its discovery.

If found by threat actors, the database could have enabled not only follow-on identity fraud and scams, but far more serious criminal acts, Safety Detectives warned.

“Photos of IDs and employees could allow criminals to impersonate various members of staff – employees that can gain access to restricted areas of the airport, such as luggage-loading areas and even planes,” it said.

“Criminals could even use leaked data to create counterfeit ID cards and badges. A criminal could further strengthen their appearance as a legitimate employee by downloading leaked mobile apps.”

Colombia in particular has a history not only of serious organized crime but also guerrilla warfare groups plotting to destabilize the country.


FBI: Olympic Athletes Should Leave Devices at Home


US law enforcers are urging participants at the Beijing Winter Olympics to leave their devices at home after warning of potential state-backed and cybercrime activity at the event.

An FBI alert issued yesterday claimed it was aware of no specific threat to the games but urged “partners” to remain vigilant.

While strict Communist Party COVID restrictions mean no foreign spectators will be allowed to attend the Olympics or Paralympics, athletes could be targeted, the Feds warned.

“The FBI urges all athletes to keep their personal cell phones at home and use a temporary phone while at the games. The National Olympic Committees in some Western countries are also advising their athletes to leave personal devices at home or use temporary phones due to cybersecurity concerns at the games,” the notice read.

“The use of new digital infrastructure and mobile applications, such as digital wallets or applications that track COVID testing or vaccination status, could also increase the opportunity for cyber actors to steal personal information or install tracking tools, malicious code, or malware. Athletes will be required to use the smartphone app, MY2022, which will be used to track the athletes’ health and travel data.”

Alongside the potential for Chinese agents to spy on participants and other attendees, the FBI warned of the risk of disruption by third parties, who could target broadcasters, hotel networks, transport providers, ticketing services, event security and other Olympic support functions.

It cited the last event in Pyeongchang, South Korea, four years ago where Russian state actors managed to cause significant disruption to the official website and media center.

However, the reality is that few hostile nations will want to spoil China’s party, given the potential geopolitical repercussions, and Beijing will be marshaling all of its resources to keep cybercrime actors at bay.

That said, the FBI has released a set of recommended best practices for organizations and individuals with a presence at the event to mitigate network, remote working, ransomware and social engineering threats.


CISA Tells Organizations to Patch CVEs Dating Back to 2014


The US government has added eight more vulnerabilities to its growing list of CVEs that must be patched by federal agencies, including some that first appeared eight years ago.

The Cybersecurity and Infrastructure Security Agency (CISA) first launched its Known Exploited Vulnerabilities Catalog in November 2021 as part of a government effort to enhance cyber-resilience.

The Binding Operational Directive (BOD) 22-01 that enabled it applies only to civilian federal agencies, but all organizations are encouraged to monitor the list on an ongoing basis as part of best practice security efforts.

The latest eight additions to the catalog include two that must be patched by February 11: a memory corruption vulnerability in Apple’s IOMobileFrameBuffer (CVE-2022-22587) and a stack-based buffer overflow bug in SonicWall SMA 100 appliances (CVE-2021-20038).

Interestingly, while two of the remaining six CVEs were first discovered and published to the National Vulnerability Database (NVD) in 2020, four come from several years earlier.

These include two arbitrary code execution vulnerabilities in the GNU’s Bourne Again Shell (Bash) Unix shell and command language, from 2014 (CVE-2014-7169 and CVE-2014-6271).

Also from 2014 is an Internet Explorer use-after-free bug (CVE-2014-1776).

The final CVE on the new list is a privilege escalation vulnerability in Intel’s Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability offerings. It was first published back in 2017.

Aside from the Apple and SonicWall flaws, all those on the list must be patched by July 28 2022.

Their inclusion in the catalog is proof again that threat actors often favor older CVEs that have been forgotten about rather than spending the time and resource researching zero-days.

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, argued that IT teams find it increasingly difficult to stay on top of a mounting patch-load, never mind fixing bugs from several years ago.

“We have a couple of options. Either we hire more people to remediate vulnerabilities and mitigate risk. Or we can be more efficient with the people, resources and tools we already have,” he added.

“The only way the cybersecurity industry will be able to reduce an increasingly concerning accumulation of risk and associated cyber-debt will be through a risk-based approach to vulnerability prioritization and a well-orchestrated approach to risk mitigation. It isn’t easy, but it is possible if leaders make cyber-hygiene and risk management a priority.”

CISA now has over 350 vulnerabilities in its “must-patch” catalog.


Cengage to Buy Cybersecurity Training platform, Infosec


A global education technology company based in Boston has signed a $191M deal to buy the cybersecurity training platform, Infosec.

Cengage Group announced the planned addition to its ed2Go business on Monday. The deal is expected to close in the first quarter of 2022. 

“The online, employer-paid cybersecurity training segment is currently a $1bn market, with expectations that it will grow to $10bn annually by 2027,” said Cengage CEO Michael Hansen. 

He added: “Combining Infosec with our already-successful Workforce Skills business will provide top-line growth, expand our base of recurring revenue and accelerate our opportunity within the space.”

Infosec was founded in 2004 by its current chief executive Jack Koziol who will remain at the helm to manage the transition. The company is based in Wisconsin and provides skills development and certification programs for the cybersecurity industry. 

“Cengage Group has the same level of passion for making learning accessible, affordable and applicable to today’s cybersecurity professionals,” said Jack Koziol, CEO and Founder of Infosec. 

He added: “Building on ed2go’s history in online training, Infosec will benefit from Cengage Group’s scale and expertise, which means we can reach more cybersecurity professionals and employers that are looking to not only grow their careers but to keep businesses, governments and people safe from cyber threats.”

Infosec employs around 100 people and offers more than 1,400 online cybersecurity courses. Nearly all Infosec’s current employees will reportedly be joining Cengage’s workforce of 4,500 people. 

According to Cyber Seek, there are just under 600,000 vacant cybersecurity roles in the United States. Research by Burning Glass Technologies suggests that around half of these positions require at least one certification. 

“We can’t hire people fast enough,” Hansen told The Boston Globe. “Right now, the demand for workforce skills courses is just exploding, and it’s exploding in very specific job categories,” he said. 

Hansen continued: “There is such a labor shortage. Every CEO tells me that…the labor shortage is really a skills shortage.”

News of Cengage’s planned purchase comes as rival British publishing house Pearson announced its acquisition of Credly, a digital workforce credentialing service provider, for around $200m.


Aussie Tech Entrepreneur Extradited Over SMS Fraud


A Russian-born tech entrepreneur has been extradited to the United States from Australia to face charges relating to a multi-million-dollar text messaging consumer fraud scheme.

The arrival in America of 41-year-old dual Russian and Australian citizen Eugeni Tsvetnenko was announced by the Federal Bureau of Investigation (FBI) on Friday. Tsvetnenko – also known as “Zhenya” – was extradited on charges of conspiracy to commit wire fraud, wire fraud, aggravated identity theft and conspiracy to commit money laundering.

Prosecutors allege that former Perth resident Tsvetnenko conspired with others to operate an auto-subscribing scheme that signed cell phone users up to receive premium paid-for content via text message without their knowledge or consent.

“Eugeni Tsvetnenko is alleged to have surreptitiously subscribed hundreds of thousands of cell phone users to a $9.99 per-month charge for recurring text messages they did not approve or want,” said US attorney Damian Williams.  

Victims of the scheme received text messages on horoscopes, celebrity gossip and trivia facts. The scheme’s operators defrauded victims of approximately $41,389,725 and made around $20m in profits. 

Tsvetnenko’s alleged co-conspirators include Darcy Wedd, the operator of telecommunications company Mobile Messenger, and Fraser Thompson, Mobile Messenger’s senior vice president of strategic operations. 

“Tsvetnenko and his co-conspirators concocted a scheme that turned thousands of mobile phone customers into unwitting subscription service participants, as alleged,” said FBI assistant director-in-charge Michael J. Driscoll.

He added: “These customers incurred monthly charges for services they never subscribed to and, in many cases, disregarded as spam until the charges turned up on their monthly statements.”

Prosecutors allege that at the start of 2012, Wedd, Thompson and two other Mobile Messenger senior executives recruited Tsvetnenko to their auto-subscribing scheme to boost their company’s revenue. Tsvetnenko allegedly agreed and established two new content providers based in Australia, CF Enterprises and DigiMobi, to auto-subscribe on Mobile.

CC-3 allegedly provided Tsvetnenko with lists of phone numbers to target, along with instructions on how to auto-subscribe without being caught by making it appear as if the customers had genuinely chosen to buy the text-messaging services.

Tsvetnenko is further accused of working with co-conspirators to launder the proceeds of the auto-subscribing scheme.


Prison for Dark Overlord Collaborator


A Canadian man has been sentenced to prison in the United States for trading in stolen identities and collaborating with the Dark Overlord cyber extortionist group.

Using the screen name GoldenAce, Slava Dmitriev bought and sold hundreds of illegally obtained IDs on the dark web. The 29-year-old resident of Vaughn, Ontario, traded in Social Security numbers and other personally identifiable information, including names and dates of birth belonging to American citizens. 

Between May 2016 and July 2017, Dmitriev made approximately $100K by selling 1,764 items (mostly stolen identities) via the darknet marketplace AlphaBay.

An investigation into Dmitriev’s cyber-criminal activities revealed that he aided the Dark Overlord with their illegal activities on multiple occasions. On June 16 2016, Dmitriev sent the group access credentials, which he had purchased on a criminal marketplace, for a New York-based dentist. The dentist subsequently became the victim of a cyber extortion attack perpetrated by the group.

A month later, Dmitriev received a spreadsheet from the Dark Overlord containing approximately 200,000 stolen identities. Investigators also determined that in May 2017, Dmitriev sold data stolen by the group containing the identity of a victim residing in La Quinta, California.

Dmitriev was arrested in Greece in September 2020 through the coordinated efforts of the Federal Bureau of Investigation (FBI) and the Hellenic Police. When Greek police searched the residence where Dmitriev was staying, they located a computer containing emails discussing the buying and selling of identities and Social Security numbers, as well as a video about how to commit identity theft.

Dmitriev was extradited to the United States in January 2021 to face a charge of fraud and related activity in connection with access devices. On Wednesday, he was sentenced to three years in federal prison, followed by three years of supervised release.

“Dmitriev stole the identities of hard-working citizens of the United States and thought he was safe from prosecution while overseas,” said Phil Wislar, acting special agent in charge of FBI Atlanta.

He added: “This sentence will serve as a reminder that the FBI will always work diligently with International Law Enforcement partners to bring justice to citizens who have been victimized.”


Outdated IoT healthcare devices pose major security threats


More than half (53%) of the IoT (internet of things) and internet of medical things (IoMT) devices used in healthcare contain critical cybersecurity risks, according to The State of IoMT Device Security report by Cynerio, which analyzed devices from more than 300 hospitals in the US.

Cynerio makes IoT and security systems for healthcare providers. For the report, more than 10 million IoT and IoMT devices were scanned. Cynerio used a connector which, when connected to a SPAN (switched port analyzer) port on the core switch of a network, collects traffic information for each device connected to the network. This information was then analyzed by an in-house AI algorithm to help identify vulnerabilities and threats.
