
Cyber Intelligence Weekly (December 17, 2023): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight a new article written by yours truly! In celebration of the new SEC Cybersecurity rules for public companies being effective on December 18th, I thought it would be helpful to arm readers with a list of 10 questions to ask to determine if an incident is material.

10 questions to ask to determine SEC cybersecurity materiality

Away we go!

1. Strangers in Your Network: The Ubiquiti Device Access Debacle

Users of Ubiquiti's UniFi products have recently run into something they should never see: other people's devices. Reports are emerging of customers who, on logging into their own Ubiquiti accounts, found themselves with access to security camera footage, snapshots, and full control of devices belonging to strangers. One user described a particularly concerning case in which logging into their network presented them with 88 devices from someone else's account.

The problem first surfaced in a post on the Ubiquiti community forums, where a user described being presented with consoles from another account. 'Consoles' in Ubiquiti's terminology are the internet-connected UniFi products, such as Wi-Fi routers, smart doorbells, and security cameras. The poster emphasized that they had the same level of control over these devices as over their own, and that the foreign consoles only disappeared after a browser refresh.

Further instances were reported on Reddit. A user in Germany described receiving a notification from UniFi Protect, Ubiquiti's home security product, which included an image from an unfamiliar security camera. Screenshots shared by this user showed notifications and images from security cameras they did not own. Other users echoed similar experiences, with one stating they were logged into someone else's account, allowing them to view and modify settings.

Ubiquiti's initial response was to acknowledge the individual cases, with its official account replying on Reddit that this is not expected behavior, while stopping short of recognizing a widespread problem. When contacted by 404 Media, Ubiquiti said it was conducting a review but offered no clarity on what had gone wrong.

Ubiquiti later published an explanation, attributing the problem to an upgrade of its UniFi Cloud infrastructure. The upgrade mistakenly associated a group of 1,216 accounts with a separate group of 1,177 accounts, so that users in one group could see and control the consoles of users in the other. Ubiquiti says the issue has been resolved, but the lack of transparency in the early hours left many users frustrated and worried about what else may have been exposed.

Ubiquiti's product line, widely deployed in homes and businesses, includes security cameras, routers, network switches, and smart door locks, all managed through a single system, UniFi, which supports remote management through the vendor's cloud. The security-relevant point here is that this was not a device flaw or a weak password: a server-side account-association error in the vendor's cloud granted cross-tenant access to cameras and device controls, and nothing the customer did on their own network could have prevented it. When physical security and surveillance systems hang off a cloud identity, the correctness of that cloud's authorization logic is the perimeter, and incidents like this underline the need for tenant-isolation testing and timely, candid incident communication from vendors.

2. Congress Discovers Pharmacies Hand Over Patient Records Without Warrants

A comprehensive congressional review of eight major pharmacy chains has revealed alarming practices regarding the sharing of customer records with law enforcement. According to Senator Ron Wyden's announcement, none of these pharmacies require a warrant before handing over customer records to law enforcement. Furthermore, three of these chains — CVS Health, the Kroger Company, and Rite Aid Corporation — don't even mandate a legal review for such requests. This revelation has sparked concerns, especially in light of the Supreme Court's 2022 abortion decision, prompting Senator Wyden to call for urgent revisions to the Health Insurance Portability and Accountability Act (HIPAA) rules to protect Americans' pharmaceutical records from unwarranted law enforcement access.

The current HIPAA rules concerning pharmacy records are under scrutiny by the Health and Human Services (HHS) Department's Office for Civil Rights, with a particular focus on reinforcing the protection of reproductive health care information. The congressional investigation found significant disparities in how the pharmacies handle law enforcement requests. For instance, only Amazon Pharmacy alerts patients when it shares their records with law enforcement, and just a few, such as CVS Health and Walgreens Boots Alliance, commit to publishing annual transparency reports. The pharmacies' justification for their practices, including the lack of legal review, centers on the pressure pharmacy staff face to respond quickly to law enforcement demands.

This issue has broader implications, especially given recent legal developments in reproductive rights. Senator Wyden, along with other members of Congress, has been pushing HHS to overhaul HIPAA, advocating for stronger regulations that would require law enforcement to obtain a warrant before accessing medical records. The goal is to align the privacy standards for pharmaceutical records with those established for tech companies' handling of users' emails, as mandated by a 2010 court decision. The lack of uniformity and transparency in the current pharmacy practices raises significant privacy concerns, highlighting the need for more stringent regulations to safeguard sensitive personal health information.

3. Ukrainian Telecom Targeted in Cyberattack by Russian-Affiliated Hacker Group

A hacker group calling itself Solntsepek, believed to be linked to Russia's GRU military intelligence agency and its notorious Sandworm unit, has claimed responsibility for a major cyberattack on Kyivstar, one of Ukraine's largest mobile and internet providers. The attack is the latest in a long series of Russian cyber operations against Ukrainian infrastructure, including power grids, financial systems, media, and government agencies. It significantly disrupted Kyivstar's services, affecting millions of subscribers and temporarily disrupting air raid warning sirens in the Kyiv area that depend on the network.

Kyivstar's CEO, Oleksandr Komarov, acknowledged the severity of the attack on Ukrainian national television, stating that it caused substantial damage to the company's infrastructure and led them to physically shut down their system to prevent further intrusions. The Ukrainian government, however, has not officially attributed this cyberattack to any specific group. Nonetheless, the connection to Solntsepek was suggested by a Ukrainian official in the SSSCIP computer security agency, following the group's claim of responsibility on Telegram. In their message, Solntsepek boasted about destroying Kyivstar's computers, servers, cloud storage, and backup systems, justifying their actions by stating that Kyivstar supports the Ukrainian Armed Forces and government agencies.

Various threat intel experts support the notion that Solntsepek could be a front for Sandworm, based on their history of similar activities and their focus on disrupting Ukrainian infrastructure. Sandworm, a unit of Russia's GRU, has a track record of using various covers, including hacktivist groups and cybercriminal gangs, to mask its operations. In response to the allegations, Kyivstar denied the extent of the damage claimed by Solntsepek, asserting that the rumors about the destruction of their systems were false. They also announced efforts to restore network operations and cooperate with Ukrainian authorities in investigating the attack.

The scale and impact of the Kyivstar attack illustrate the cyber warfare tactics Russia has employed against Ukraine, particularly since the full-scale invasion began in February 2022. Russia's cyber campaigns have included a range of disruptive operations, from data-destroying wiper attacks to the sabotage of satellite modems and attacks that caused blackouts. The intent behind this particular attack remains a matter of speculation: general disruption, or more specific tactical goals such as intelligence gathering or degrading military communications. Either way, telecom operators are high-value targets in cyber warfare. They offer rich intelligence opportunities, and taking them down disrupts civilian and military activity at the same time.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about
