SANS NewsBites

Amazon Fined for Ring and Alexa Privacy Abuses; More Years-Old Toyota Data Breaches Discovered; Make Sure You Can Detect Qakbot

June 2, 2023  |  Volume XXV - Issue #44

Top of the News


2023-06-01

Amazon Fined $30.8 Million Over Alexa and Ring Data Privacy Issues

The US Federal Trade Commission (FTC) has fined Amazon a total of $30.8 million to settle charges that inadequate security practices compromised Ring and Alexa user privacy. The FTC has charged “Ring with compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.” The FTC also charged Amazon with “violat[ing] the Children’s Online Privacy Protection Act Rule (COPPA Rule) and deceiv[ing] parents and users of the Alexa voice assistant service about its data deletion practices.”

Editor's Note

This is a small fine when you look at Amazon’s overall revenue, but the Ring product line is about a $200M business – hopefully a Ring line of business manager is now a convert to why building security in is good for profitability.

John Pescatore

Back when Ring was new (pre-Amazon), the level of access their support staff had to my device was a little distressing. Now that they are part of a larger entity, there is no excuse not to limit access and restrict information sharing. Amazon claims to have addressed this years ago. With today's privacy rules, running fast and loose isn't going to fly; you need to make sure you're using separation of duties and implementing data protection and deletion practices in accordance with all applicable regulations such as COPPA, GDPR, HIPAA, CCPA, etc.

Lee Neely

While Amazon may dispute the charges, this settlement indicates that Amazon believed their data privacy policies were loose enough to have violated privacy protection rules. The settlement should become a case study for every organization that maintains user data. The study should focus on data collection; data use by company employees; reporting of data misuse; and data retention. The $30.8 million settlement seems a small price to pay for such an egregious violation of data privacy protection rules.

Curtis Dukes

It will be interesting to see if the Irish Data Protection Commission (Amazon’s EU Headquarters is based in Dublin, Ireland) will investigate if the same issues impact the data of any EU residents. If so, this could be a costly lesson on respecting the human rights of their customers for Amazon.

Brian Honan

Three possibilities here: oversight or poor management, where $30.8 million might focus management's attention, or it is part of the business plan and $30.8 million is merely a cost of doing business?

William Hugh Murray

Read more in

SC Magazine: Amazon to pay $30.8M for Alexa and Ring privacy violations

The Register: Amazon Ring, Alexa accused of every nightmare IoT security fail you can imagine

Ars Technica: FTC: Amazon/Ring workers illegally spied on users of home security cameras

Cyberscoop: FTC settles with Amazon Ring over hacking, security incidents

Gov Infosecurity: Ring Settles FTC Allegations of Poor Cybersecurity, Privacy

FTC: FTC and DOJ Charge Amazon with Violating Children’s Privacy Law by Keeping Kids’ Alexa Voice Recordings Forever and Undermining Parents’ Deletion Requests

FTC: Complaint for Permanent Injunction, Civil Penalties, and Other Relief (PDF)

FTC: FTC Says Ring Employees Illegally Surveilled Customers, Failed to Stop Hackers from Taking Control of Users' Cameras

FTC: [Proposed] Stipulated Order for Injunction and Monetary Judgment (PDF)


2023-06-01

Toyota: More Misconfigured Cloud Servers Leaked Customer Data

Toyota has disclosed that a pair of misconfigured cloud servers have been leaking personal data belonging to 260,000 customers for seven years. The situation was discovered during an investigation prompted by a different security incident that compromised information belonging to 2.15 million customers for 10 years.


2023-06-01

Qakbot’s Evasion Techniques

Researchers from Lumen Black Lotus Labs “tracked Qakbot’s more recent campaigns to observe the network structure, and gained key insights into the methods that support Qakbot’s reputation as an evasive and tenacious threat.” Among their findings: one-quarter of Qakbot’s command and control servers are active for a single day, and half are active for a week or less. Qakbot also hides its command and control infrastructure “in compromised web servers and hosts existing in the residential IP space.”

The Rest of the Week's News


2023-06-01

WordPress Force Installs Jetpack Plugin Update

Developers of the Jetpack plugin for WordPress have released updates to fix a critical vulnerability that has been present in an API since Jetpack 2.0, which was released in November 2012. WordPress has pushed out patches to vulnerable sites. Jetpack has more than 5 million active installations.

Editor's Note

Jetpack provides a variety of services, grouped into security, performance and growth, and has released 102 updates going back to version 2.0. After you verify that you're on a patched version, make sure you're also on the current 12.1.1 version. If you're not, make plans to migrate so you're supported.

Lee Neely

This is a good move by the WordPress team; there is nothing better than to force this type of patch when you can.

Moses Frost

This vulnerability highlights that security/quality assurance testing, while important, cannot test for every possible code defect – the vulnerability has been around for 11 years. Given the large install base and criticality of the vulnerability, a ‘forced’ install of the patch became necessary. Perhaps if we automated [forced] patching for all critical vulnerabilities, it would change the exploit advantage an adversary has today.

Curtis Dukes

2023-06-01

Assume Unpatched Zyxel Firewalls are Compromised

Shadowserver has warned that if you have not patched your Zyxel firewalls against a critical command injection vulnerability (CVE-2023-28771), you should assume they have been compromised. Zyxel released fixes for the flaw on April 25, 2023. The US Cybersecurity and Infrastructure Security Agency (CISA) warns that the vulnerability is being actively exploited and has added it to the Known Exploited Vulnerabilities (KEV) catalog.


2023-06-01

Recently Patched Barracuda ESG Vulnerability Has Been Exploited Since October 2022

Barracuda Networks says that an investigation into a vulnerability affecting its Email Security Gateways (ESGs) has found that the flaw was being exploited in October 2022 and possibly even earlier. The issue affects all hardware and virtual versions of Barracuda ESG appliances. Barracuda pushed a patch to all appliances on May 20; they followed the patch with “a script … deployed to all impacted appliances to contain the incident and counter unauthorized access methods” on May 21.


2023-05-30

GAO: US Dept. of Energy Has Not Fully Implemented Insider Threat Protection Program

According to a report from the US Government Accountability Office (GAO), the Department of Energy (DoE) has failed to adopt security practices to protect the agency from insider threats. Specifically, “DoE doesn't ensure that employees are trained to identify and report potential insider threats. Also, the agency hasn't clearly defined contractors' responsibilities for this program.” Furthermore, DoE does not track or report on its progress in implementing the required measures for the insider threat program. The report recommends six executive actions. GAO gave two of the recommendations priority status: better integrate insider threat program responsibilities, and ensure that the program “achieves a single, department-wide approach to managing insider risk.”


2023-06-01

Harvard Pilgrim Health Care Ransomware Attack Affected 2.5 Million Individuals

Harvard Pilgrim Health Care (HPHC) has disclosed that an April ransomware attack compromised protected health information and other personal data belonging to 2.5 million people. In a breach notice, HPHC acknowledges that the sensitive data were exfiltrated from its systems between March 28 and April 17, 2023.


2023-06-01

Managed Care of North America Breach Affects More Than 8.9 Million People

Atlanta-based Managed Care of North America (MCNA) has notified nearly 9 million individuals that their personal data were compromised in a breach earlier this year. Intruders gained access to MCNA systems in late February and exfiltrated data between then and March 7.


2023-05-31

Cyberattack Affects Rural Idaho Hospitals

A cyberattack has forced Mountain View Hospital, Idaho Falls Community Hospital and their associated clinics to send some patients to other facilities while they recover from the incident. As of midday, Wednesday, May 31, both hospitals are open, and most clinics are seeing patients.

Internet Storm Center Tech Corner

After 28 Years, SSLv2 is Still Not Gone

https://isc.sans.edu/diary/After+28+years+SSLv2+is+still+not+gone+from+the+internet+but+were+getting+there/29908

Apache NiFi Attacks

https://isc.sans.edu/diary/Your+Business+Data+and+Machine+Learning+at+Risk+Attacks+Against+Apache+NiFi/29900

Malspam Pushes ModiLoader Infection for Remcos Rat

https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896

Operation Triangulation: iOS Devices Targeted With Previously Unknown Malware

https://securelist.com/operation-triangulation/109842/

MOVEit Transfer Critical Vulnerability

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

Code Injection Vulnerability in Reportlab Python Library

https://github.com/c53elyas/CVE-2023-33733

Gigabyte App Center Backdoor

https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/

Salesforce Ghost Sites

https://www.varonis.com/blog/salesforce-ghost-sites

CVE-2023-34152: Shell Command Injection in ImageMagick

https://securityonline.info/cve-2023-34152-shell-command-injection-bug-affecting-imagemagick/

MacOS SIP Bypass

https://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection/

OpenSSL Update

https://www.openssl.org/news/secadv/20230530.txt

Barracuda Email Security Gateway Appliance Vulnerability Details

https://www.barracuda.com/company/legal/esg-vulnerability#:~:text=the%20section%20below.-,Endpoint%20IOCs,-Table%204%20lists

Void Rabisu RomCom Backdoor

https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html

Nextcloud Vulnerability

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mr7q-xf62-fw54

Zyxel NAS Vulnerability

https://sternumiot.com/iot-blog/ntp-textbox-vulnerability-in-zyxel-nas326-nas540-and-nas542-devices/

Wait Just An Infosec: Higher Ed

https://www.youtube.com/watch?v=ufEuo-096yc&list=PLtgaAEEmVe6B2kqkE9KdgPJdtbqNiaiOn&index=8