Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label US Federal Agencies. Show all posts

Amazon Faces Lawsuit for Deceptive Prime Practices

Amazon, the e-commerce giant known for its convenience and customer-centric approach, is currently under fire as it faces allegations of tricking Prime customers. The company, which boasts millions of loyal subscribers to its Prime membership program, is now being sued by the US Federal Trade Commission (FTC) for deceptive practices.

According to the FTC, Amazon employed a misleading strategy to encourage customers to sign up for a more expensive Prime subscription when their intention was simply to stream videos. The lawsuit alleges that the company took advantage of its customers' desire for a seamless streaming experience and misled them into paying for a Prime membership without their explicit consent.

The complaint filed by the FTC reveals that Amazon's tactics involved a series of deceptive prompts and clickable links during the video streaming sign-up process. These prompts led customers to believe they were accessing the content they desired, only to be redirected to a page where they were prompted to join Prime at a cost of $119 per year.

The lawsuit further claims that Amazon failed to adequately inform customers about the subscription charges and the automatic renewal policy associated with the Prime membership. Many users were reportedly unaware that they were being charged for the service until they noticed unexpected charges on their credit card statements.

The FTC's legal action follows an investigation prompted by numerous consumer complaints regarding Amazon's billing practices. The regulatory body seeks to seek restitution for affected customers and to prohibit Amazon from engaging in similar deceptive practices in the future.

In response to the allegations, Amazon has defended its actions, stating that its practices were transparent and that customers were provided with clear information about the costs and benefits of Prime membership. The company believes that the FTC's claims are unfounded and intends to fight the lawsuit vigorously.

This lawsuit has significant implications for Amazon, as the Prime membership program is a cornerstone of the company's success. With Prime offering benefits such as free and expedited shipping, exclusive discounts, and access to a vast library of streaming content, it has attracted millions of subscribers worldwide. If found guilty, Amazon may face substantial financial penalties and be required to revise its practices to ensure greater transparency and customer consent.

The outcome of this legal battle will undoubtedly shape the future of Amazon's relationship with its Prime customers and may influence the broader e-commerce industry's approach to subscription-based services. In an era where consumer trust and transparency are paramount, companies must prioritize ethical practices and clear communication to foster long-term customer loyalty.

Threat Actors Hack US Federal Agency Using Telerik Bug to Steal Data


In a joint security advisory on Wednesday, CISA reported that the threat actors have exploited a three-year-old Progress Telerik UI flaw in order to compromise a server at a federal civilian executive branch agency. 

An unidentified federal civilian executive branch (FCEB) agency's Microsoft Internet Information Services (IIS) web server was compromised by a number of threat actors, including an advanced persistent threat (APT). The advisory, which includes in-depth technical information and indicators of the breach, was created by CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC). 

Apparently, a critical.NET deserialization flaw in the Progress Telerik UI for ASP.NET AJAX component allowed hackers to compromise a Microsoft Internet Information Services (IIS) web server used by a U.S. government agency last year. 

As per the advisory, the threat actors acquired access to the servers between November 2022 and early January 2023 based on indicators of compromise (IOCs) found on the unidentified FCEB agency’s network. To acquire remote code execution, at least two threat actors (among them the Vietnamese XE Group) accessed the unpatched server. 

According to CISA, the central vulnerability was linked with the Telerik UI flaw on the IIS server – CVE-2017-11357 and CVE-2017-11317 – However, the forensic investigation was unable to conclusively verify which of the two was utilized, or even whether they were. 

The agency's instance was version 2013.2.717; the advisory stated that builds prior to version 2020.1.114 are vulnerable to CVE-2019-18935. "Though the agency's vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan[…]This may be the case for many software installations, as file paths widely vary depending on the organization and installation method," the advisory noted. 

Similar to the 2017 Equifax hack, it was caused in part by a vulnerability assessment for a severe Apache Struts flaw that overlooked an earlier system that was subsequently infiltrated by threat actors. 

CISA, the FBI, and MS-ISAC advised companies to use central log collection and monitoring. Moreover, it has been recommended to implement process monitoring in order to gain "visibility into file system and application process activity." The advisory also included a CISA-developed YARA rule for CVE-2019-18935. 

Progress CISO Richard Barretto wrote in an email to TechTarget Editorial "the security of our customers is one of our highest priorities, and we continue to distribute periodic reminders on the importance of implementing patches and applying software upgrades," he also included a link to Progress' knowledge base's specific article about the problem. 

"As we do with all critical vulnerabilities found in our products, we issued notification and remediation guidance to our customers in 2019 when the vulnerability was discovered[…]Due to the severity of the vulnerability, we provided technical support as needed to all customers regardless of their license status," he added.  

Missing Cryptoqueen: Leaked Police Files May Have Alerted the OneCoin Fraudster Ruja Ignatova

 

Best known as the “Missing CryptoQueen,” convicted fraudster Ruja Ignatova who was included on the most wanted list by the US Federal Bureau of Investigation (FBI) is assumed to be receiving the information of the investigation before her disappearance. 
 
The 42-year-old fraudster, based in Bulgaria is convicted of her suspected involvement in the $4 billion OneCoin cryptocurrency fraud. The details of the scam were uncovered in a BBC podcast ‘The Missing Cryptoqueen’ devoted to the infamous fraudster. 

The police documents related to the case were apparently shown in the podcast by Frank Schneider, a former spy and trusted adviser to Ignatova. Following the allegations, Schneider is now facing extradition to the US for his role in the OneCoin fraud. 

While the metadata on the files suggests that Ignatova acquired the said documents through her own contacts in Bulgaria, Schneider denies the claims of obtaining the documents himself, which he says were obtained on a USB memory stick by Ignatova. 
 
Ignatova disappeared on October 25th, 2017, after being made aware of the police investigation into her OneCoin cryptocurrency. Following this, in June 2022 she was included in the FBI's most wanted list.
 
In an interview with the BBC, Schneider informed about the police files containing presentations made at a Europol meeting named ‘Operation Satellite.’ The meeting was attended by officials from Dubai, Bulgaria, the UK, Germany, and the Netherlands along with the FBI, the US Department of Justice, and the New York District Attorney five months before the disappearance of Ignatova. 
 
The said documents contained details of US authorities having a “high-placed confidential informant”, bank accounts from OneCoin receiving investor funds, and failed attempts of the UK's City of London to interview Ignatova. 

On being asked about the aforementioned files, Schneider said "When the Bulgarians participated at certain Europol meetings, it only took hours for her to get a complete rundown and get the minutes of what was said in those meetings.” “I can only deduce that it came from the circles that she was in and the she had through a variety of influential personalities.”

US Federal Agencies Warn of Cyber Attacks Targeting UPS Devices

 

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy released a joint advisory warning for U.S. organizations to secure Internet-connected uninterruptible power supply (UPS) devices from ongoing cyber assaults.

UPS devices are regularly used as emergency power backup solutions in mission-critical environments and are also equipped with an internet of things (IoT) capability, enabling the administrators to carry out power monitoring and routine maintenance. But as is often the case, such features also expose them to malicious attacks. 

"The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords," the federal agencies said.

"Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet." 

To safeguard against such threats, CISA and DoE are recommending concerned entities ensure all UPS systems are disconnected from the internet. If linking their management interfaces to the Internet is not viable, admins are advised to put the devices behind a virtual private network (VPN), enable multifactor authentication (MFA), and use strong passwords or passphrases in accordance with the National Institute of Standards and Technology guidelines. 

Additionally, the advisory includes auditing usernames and passwords to ensure that they’re not still factory-default or otherwise easily guessed or cracked. U.S. organizations are also urged to execute login timeout/lockout policies to mitigate these ongoing assaults against UPSs and similar systems. Besides default credentials, malicious actors can also exploit critical security loopholes to enable remote takeovers of uninterruptible power supply (UPS) devices and allow them to burn them out or disable power remotely. 

The warnings come three weeks after security firm Armis uncovered multiple high-impact vulnerabilities in APC Smart-UPS devices that could be exploited remotely by unauthenticated attackers without user interaction as a physical weapon. Two of the main vulnerabilities include flaws in SmartConnect’s TLS implementation – the first is a buffer overflow memory bug, and the second is a problem with the way SmartConnect’s TLS handshake works.

White House Directs Federal Agencies to Improve Logging Capabilities

 

The White House has directed federal agencies to improve their logging capabilities in order to accelerate cybersecurity incident response, according to a memo from the Office of Management and Budget. 

The memo, issued by acting OMB Director Shalanda Young, includes a maturity model for event log management intended to guide federal agencies' implementation of its requirements across four event logging (EL) tiers: not effective, basic, intermediate, and advanced.

"These tiers will help agencies prioritize their efforts and resources so that, over time, they will achieve full compliance with requirements for implementation, log categories, and centralized access. Agencies should also prioritize their compliance activities by focusing first on high-impact systems and high-value assets,” according to OMB. 

By working through these various tiers, federal departments will align more with the types of log management capabilities present in the private sector, according to Mike Hamilton, the former vice-chair for the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council. 

The memo follows a May 12 executive order by President Joe Biden issued following the SolarWinds hack that compromised nine federal agencies, a ubiquitous government contractor, and about 100 U.S. companies.

“Recent events, including the SolarWinds incident, underscore the importance of increased government visibility before, during, and after a cybersecurity incident. Information from logs on federal information systems — for both on-premises systems and connections hosted by third parties, such as cloud services providers — is invaluable in the detection, investigation, and remediation of cyber threats,” reads the memo. 

The departments now have 60 days to assess their capabilities against the maturity model and plan to address resource and implementation gaps. Those plans must be sent to the OMB Resource Management Office and Office of the Chief Information Officer desk officer. OMB expects federal agencies to prioritize their high-impact systems and high-value assets first as they implement EL requirements.

Agencies were also told to share logs with third parties like the FBI and Cybersecurity and Infrastructure Security Agency. “This sharing of information is critical to defend federal information systems,” reads the memo. The memo directs CISA to deploy teams to advise agencies in their assessment of their logging capabilities and release tools with the FBI to help assess logging maturity. 

Meanwhile, the Department of Commerce must have the National Institute of Standards and Technology maintain Special Publication 800-92, its “Guide to Computer Security Log Management” and incorporate the memo’s requirements into its next revision and other relevant publications.