Telemetry data from 800K VW Group EVs exposed online


Infosec in Brief Welcome to 2025: hopefully you enjoyed a pleasant holiday season and returned to the security operations center without incident - unlike Volkswagen, which last week admitted it exposed data describing journeys made by some of its electric vehicles, plus info about the vehicles' owners.

We're just as shocked as you that a massive firm left data exposed online, but here we are yet again. This time the issue began at VW subsidiary Cariad, per German outlet Der Spiegel. The wholly-owned VW company, tasked with developing a software platform for VW Group electric vehicles, exposed internal application data through poorly secured web subpages. These subpages could be systematically discovered, revealing the address of a memory dump file from an internal Cariad application. A whistleblower accessed the exposed file and shared their discovery with Der Spiegel and the Chaos Computer Club.

The dump contained access credentials for an AWS cloud storage server that - surprise, surprise - held telemetry data from around 800,000 VW, Seat, Audi and Skoda EVs located in Europe and elsewhere in the world.

Among the data points obtained from the AWS server were battery level, inspection status, whether cars were on or off, and even geolocation data. Around half of the vehicles in the dataset had location data so precise that it tracked EVs to within ten centimeters, allowing a potential miscreant to glean detailed information about the journeys the vehicles made.

To make matters worse, additional access data to a VW-specific service was found that made it possible to link vehicle telemetry to the names and contact details of drivers, owners, or fleet managers.

The Chaos Computer Club said that the matter was promptly addressed when it informed Cariad, and the data is no longer accessible. Customers do not need to take any action, and it's not clear whether any of the data was exposed other than by the researchers.

Regardless, it's just another example of a company not properly securing its cloud resources and creating privacy headaches for consumers - welcome to the future.

Tenable CEO passes away

Security visibility tools vendor Tenable on Saturday announced the sudden passing of its CEO and chair Amit Yoran, aged just 54.

Yoran took medical leave of absence starting December 5, 2024, reportedly to seek treatment for cancer.

“Amit was an extraordinary leader, colleague, and friend,” said Art Coviello, Tenable’s lead independent director. “His passion for cybersecurity, his strategic vision, and his ability to inspire those around him have shaped Tenable’s culture and mission. His legacy will continue to guide us as we move forward.”

Tenable is a listed company so the announcement of Yoran’s passing includes advice that the company expects revenue targets to be met, and that co-CEOs Steve Vintz and Mark Thurmond will continue to serve as the company seeks a new leader.

- Simon Sharwood

Critical vulnerabilities of the week: A Palo Alto DoS for the new year

Given we're barely out of the holiday lull, it's still a bit quiet - except for one CVSS 8.7 vulnerability reported in Palo Alto Networks' PAN-OS software.

The security shop identified CVE-2024-3393, a denial-of-service flaw in the DNS Security feature that allows unauthenticated attackers to send malicious packets through the firewall's data plane, causing the device to reboot. Repeated exploitation can force the firewall into maintenance mode. CISA said it has already spotted the issue being abused in the wild, so get patching! Especially as Palo Alto revealed this one on December 27th, a date when few admins will have been paying attention.

Do Kwon extradited to US over alleged crypto crimes

Alleged crypto fraudster Do Kwon was last week extradited to the US and pleaded not guilty to charges including securities fraud, wire fraud, commodities fraud and money laundering conspiracy.

Kwon, the cofounder and former CEO of Terraform Labs, went on the run in 2022 after South Korea issued an arrest warrant for alleged violations of his home country's capital markets law. The US charged him with multiple crimes related to allegedly fraudulent schemes involving false and misleading statements about Terraform's cryptocurrency stablecoin protocol, blockchain technology, and financial products, aimed at creating the illusion of a functioning, stable, and decentralized financial system to inflate the value of the cryptocurrencies.

If convicted on all counts, Kwon faces up to 130 years in US prison - and that's not including what he might be up for in South Korea.

MetLife denies ransomware hit core systems

Insurance giant MetLife has reportedly fallen prey to a ransomware attack, at least according to the RansomHub ransomware group that claimed this week to have obtained a terabyte of data from the organization with plans to publish it.

However, MetLife told The Register that RansomHub's claim, made in a post on X (formerly Twitter), was inaccurate - the incident did not involve its core enterprise systems.

"We are aware of a cyber incident impacting Fondo Genesis, a financial services company which operates only in Ecuador, and is owned by one of MetLife's subsidiaries," the firm told us in an emailed statement. "Fondo Genesis operates separately from MetLife's enterprise systems. Therefore, the impact of this incident is limited only to Fondo Genesis."

RansomHub, which last year emerged as a major ransomware player following the downfall of LockBit and ALPHV, claims it’s infected auction house Christie's, Frontier Communications, Rite Aid, and others.

It's unknown if Fondo Genesis plans to pay the ransom to prevent the publication of the data.

DoJ finalizes rule banning data export to 'countries of concern'

China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela have all been banned from importing or processing certain types of sensitive data that describes Americans under a new Department of Justice rule finalized in late December 2024.

The DoJ rule finalizes an executive order issued by the Biden administration in February last year that bans US citizens from selling data to, or processing data within, any of the six countries named in the order, provided a dataset meets certain thresholds.

These thresholds include personal health or financial data for up to 10,000 individuals, precise geolocation data for up to 1,000 devices, and human genomic data for up to 100 individuals.

Exceptions are included, naturally, and the DoJ is allowing individuals and companies to request additional leeway, too.

So relax: Your personal data is most assuredly safe now - there's no way anyone would find a way around those restrictions, right?

Clickjacking gets a 2X upgrade

Security researcher Paulos Yibelo, who previously called attention to a new form of clickjacking dubbed "gesture jacking", has claimed every known form of clickjacking protection can be defeated with a double-click.

Dubbed DoubleClickjacking, the attack can, Yibelo says, lead to account takeovers on platforms that use OAuth-based login flows or API permission screens. Unlike classic clickjacking, which relies on hidden buttons to trick users into clicking things they don't want to, this new version exploits timing and event ordering to trick users into double-clicking. After the first click, the content in the parent window swaps to a sensitive authorization page, and the second click unknowingly approves the action, granting permission for malicious code placed by an attacker to run and leaving the attacker free to take over accounts.

"In simpler terms … it is a sleight of hand type trick," Yibelo wrote.

Yibelo provided some JavaScript code he thinks can mitigate the attack. ®
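As an added example that is neither Yibelo's published code nor part of the original article, the defensive pattern a page owner can apply to this attack class: sensitive approval buttons stay inert until the page itself has observed a pointer or keyboard gesture and a short settle time since it was shown, so a click inherited from a double-click that began on a different page is dropped. The 500 ms settle value and all function names are assumptions.

```javascript
// Guard for sensitive authorization buttons (added example, assumed names):
// a click is honored only if this document has seen its own mousemove/keydown
// AND a settle time has passed since the page was (re)shown. The second click
// of a DoubleClickjacking sequence lands on a freshly swapped-in page with
// neither, so it is rejected. `settleMs` is an assumed tuning value.
function createAuthButtonGuard({ settleMs = 500, now = Date.now } = {}) {
  let shownAt = now();
  let gestureSeen = false;
  return {
    // Call when the page becomes visible/focused; also forgets prior gestures.
    onShown() { shownAt = now(); gestureSeen = false; },
    // Call on mousemove/keydown delivered to THIS document, not a parent window.
    onGesture() { gestureSeen = true; },
    isArmed() { return gestureSeen && now() - shownAt >= settleMs; },
    // Run `action` only when armed; the returned reason is useful for logging.
    handleClick(action) {
      if (!gestureSeen) return { accepted: false, reason: 'no-gesture' };
      if (now() - shownAt < settleMs) return { accepted: false, reason: 'too-soon' };
      action();
      return { accepted: true, reason: 'ok' };
    },
  };
}

// Browser wiring (not invoked by the offline simulation below): the button
// starts disabled, gestures arm it, and every click is checked by the guard.
function attachAuthButtonGuard(button, onApprove, guard = createAuthButtonGuard()) {
  button.disabled = true;
  const arm = () => { guard.onGesture(); button.disabled = !guard.isArmed(); };
  document.addEventListener('mousemove', arm);
  document.addEventListener('keydown', arm);
  document.addEventListener('visibilitychange', () => { guard.onShown(); button.disabled = true; });
  button.addEventListener('click', () => guard.handleClick(onApprove));
  return guard;
}

// Constructed scenario with a fake clock (not captured data): a hijacked
// second click, a gesture that is still too early, then a genuine user click.
function simulateDoubleClickjacking() {
  let t = 0;
  const guard = createAuthButtonGuard({ settleMs: 500, now: () => t });
  let approvals = 0;
  const approve = () => { approvals += 1; };
  const results = [];
  t = 120; results.push(guard.handleClick(approve).reason);        // inherited click, no gesture
  t = 130; guard.onGesture(); results.push(guard.handleClick(approve).reason); // inside settle window
  t = 800; results.push(guard.handleClick(approve).reason);        // real, deliberate click
  return { results, approvals };
}
```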
