Cyberpunk 2077 was one of the most anticipated video game releases of all time. However, when it was released many gamers were let down by the game’s endless number of bugs and glitches. Despite this rough launch for CD Projekt Red, the game’s stolen code seems to be worth a significant sum of money on the open hacking market after a ransomware attack.
In addition to sharing full details of CDPR’s ransomware compromise, we discuss the breach of a Florida water treatment facility, a new push by cybersecurity experts to give CISA more authority, and much more in this week’s installment of Byte Sized News.
As always, this series isn’t intended to provide readers with details on every story and topic but rather to fill busy professionals in on only the most compelling developments in the field.
2020 wasn’t video game developer CD Projekt Red’s (CDPR) best year for press. Now, according to a story from The Verge, their success in 2021 and beyond is in jeopardy.
CDPR was hit with a ransomware attack earlier this week, an attack that included adversaries obtaining source code for high-profile releases like The Witcher 3 and Cyberpunk 2077. At the time of compromise disclosure, CDPR said that they had no intention of paying the ransom put on the code, even if that meant that the code would be leaked online. It’s clear now that the adversaries weren’t bluffing with their threat.
The adversaries responsible for the breach now appear to be showcasing their stolen data on the open market with the end goal of auctioning off the code for a payday worth millions of dollars. A portion of the ransomed data from CDPR’s game Gwent has been showcased to the public in many online forums, while others claim that more valuable code has been displayed on the hacking forum Exploit.
Game code for all CDPR games stolen — including The Witcher 3 and Cyberpunk 2077 — are going for a “buy now” price of $7 million dollars.
According to The Hacker News, poor password management and security led to a recent water treatment facility hack.
The breach was an unsuccessful attempt to increase sodium hydroxide dosage in the water supply to dangerous levels by remotely accessing the supervisory control and data acquisition (SCADA) system at the water treatment plant. This attempt was quickly spotted and reversed by the system’s plant operator. While this initial story broke earlier this week, new details have emerged since.
The cyber actors infiltrated the SCADA system through TeamViewer software installed on one of the plant’s several computers connected to the system. This computer was compromised largely due to a weak password that was obtained and used to bypass the device’s computers and enter the network.
This breach is another dangerous reminder that many small public utilities remain stuck with aging security infrastructure and under-resourced IT staff.
Auburn Pub brings us our next story, one that highlights a pair of cybersecurity experts who believe that CISA should “quarterback” the Federal Government’s cybersecurity.
This information was stressed to the U.S. Rep. John Katko during a House Homeland Security Committee hearing. If this action were to be taken, the Cybersecurity and Infrastructure Security Agency (CISA) would be in charge of more than 100 other federal agencies’ cybersecurity.
The two security experts — who testified at said House Homeland Security Committee hearing — were Dmitri Alperovitch and Chris Krebbs. Alperovitch is the executive chairman of Silverado Policy Accelerator, while Krebbs is the former director of the agency discussed (CISA). The committee hearing both testified at was primarily focused on cyber threats and defending against outside intrusions.
Katko, who is the ranking Republican member on the committee, asked both Alperovitch and Krebbs about CISA’s role in leading cybersecurity efforts among federal government agencies. While Cyber Command handles cybersecurity for the Department of Defense, there isn’t a similar arrangement for civilian agencies. Alperovitch thinks this needs to change.
“The fact of the matter is when you look at over 130 different executive branch agencies, the vast majority of them will never have the talent, the expertise, the resources to defend themselves against the most sophisticated nation-states out there, such as Russia and China, that are trying to break into their networks,” he said.
An article from CSO Online gives us a great explanation of the expansions and changes to the Children’s Online Privacy Protection Act (COPPA).
Broadly speaking, COPPA looks to place strict limits on what you can do with data from kids that are 13 and younger who use online services. These limits are to be significantly more strict than those governing data for older people. This law also offers parents the ability to monitor and approve some of the information that their children share online. Undoubtedly, this law adds another level of privacy regulation to companies that collect personally identifiable information (PII).
So, how are websites to deal with changes in regulation? Some sites will attempt to comply with COPPA by banning young users altogether. Other sites may not consider themselves to be appealing to the under-13 set and therefore not subject to COPPA rules. However, the FTC will have final say on if this is true.
While the law originated in the early days of the Internet, it is even more important in the age of social media and consistent technology use. More so, the FTC’s COPPA settlement with Google in 2019 has resulted in major changes to how YouTube ads work, which threw online video creators into an uproar.
So do you need to comply with COPPA? According to the FTC, you are subject to COPPA’s regulations if meet any of the following criteria:
Our last news story from the week comes to us from The Hacker News, which details a report of ten people belonging to a criminal network who have been arrested in connection with a series of celebrity SIM card swapping attacks.
This SIM-swapping attack resulted in the theft of more than $100 million through the hijacking of mobile phone accounts linked to high-profile individuals in the United States. The Europol-coordinated, year-long investigation was carried out by law enforcement authorities from the U.K., U.S., Belgium, Malta, and Canada.
“The attacks orchestrated by this criminal gang targeted thousands of victims throughout 2020, including famous internet influencers, sport stars, musicians and their families,” Europol said in a statement. “The criminals are believed to have stolen from them over $100 million in cryptocurrencies after illegally gaining access to their phones.”
The sweep comes almost a year after Europol led an operation to dismantle two SIM swap criminal groups that stole €3.5 million ($3.9 million) by orchestrating a wave of more than 100 attacks targeting victims in Austria, emptying their bank accounts through their phone numbers.
These SIM card swaps usually are carried out via social engineering lures that include tricking cell phone providers into porting their victims’ cell services to a SIM card that is under their control. This SIM swap allows attackers access to incoming phone calls, text messages, and one-time verification codes typically sent via SMS messages to enable multi-factor authentication (2FA).