Hackers May Have Manipulated Athlete Data, Can Remotely Administer Insulin and Defaced Buzzfeed

In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches:

WADA Questions Data in Latest Medical Records Dump

The Fancy Bear hacking collective released more confidential medical information on Olympic athletes, but this time the World Anti-Doping Agency questions the data's validity.

WADA confirmed Oct. 3 Fancy Bear released therapeutic-use exemption data about 20 the athletes from 14 countries. TUE allows athletes to use otherwise medicines they would otherwise be banned from using. As with the Sept. 13 data dump, WADA states hackers accessed the Anti-Doping Administration and Management System database via an account for the Rio 2016 Games.

The agency called the incident “a cheap shot at innocent athletes whose personal data has been exposed” and “not all data released by Fancy Bear (in its PDF documents) accurately reflects ADAMS data.”

All ADAMS users are urged to be on the lookout for additional phishing attempts and other suspicious emails, the statement said.

Security experts link Fancy Bear with the Russian government and other efforts to disrupt the U.S. presidential elections.

Insulin Pump Vulnerability Lets Attackers Remotely Administer Dose

A security firm found a flaw in a brand of insulin pump systems that could allow a hacker to remotely administer a dose of insulin.

Diabetics use insulin pumps to self-administer insulin and regulate blood sugar. The Animas OneTouch Ping systems include a meter that checks blood sugar and controls the pump through wireless communications.

Security firm Rapid7 found the communications aren’t encrypted and someone could spoof the signal, allowing them to eavesdrop on the information or send a dose of insulin to the wearer. Rapid7 said an attacker could execute the attack within two kilometers of the device, and a U.S. Computer Emergency Readiness Team alert said the attacker would need a high-skill level.

“We want to flag that we believe the risk of wide-scale exploitation of these insulin pump vulnerabilities is relatively low, and we don’t believe this is cause for panic,” a Rapid7 blog post said.

Animas, a subsidiary of Johnson & Johnson, issued a statement advising worried users to turn off the radio frequency feature, which stops all communication with the meter. Alternately, users who want to keep using the meter could set dosage limits and turn on vibrating alerts so they know doses have been administered.

OurMine Hackers Strike After Buzzfeed Story

Another hacking group appears to be retaliating against a media outlet.

Buzzfeed lastTuesday published an investigation into hacking collective OurMine, stating it was likely a sole Saudi teenager who likes to take over the social media accounts of celebrities and tech company CEOs. The following day, someone claiming to be from OurMine defaced and likely deleted several Buzzfeed articles and site’s database, according to a Motherboard report.

Buzzfeed tweeted it was working to restore the altered articles. The company statement didn’t include how attackers accessed its systems, but the group highlights the danger is re-using passwords as it often uses information dumped in large breaches to access other accounts, according to a Wired report.