Bluetooth Woes Result in Urgent Patches

25 May 2021

Purpose
Educate recipients of cyber events to aid in protecting electronically stored DoD, corporate proprietary, and/or Personally Identifiable Information from unauthorized access, theft or espionage

Source
This publication incorporates open source news articles to educate readers on cyber security matters IAW USC Title 17, section 107, Para a. All articles are truncated to avoid the appearance of copyright infringement

Newsletter Team
* SA Sylvia Romero, Albuquerque FBI
* CI Agent Scott Daughtry, Purple Arrow Founder

Subscription/Questions
Click HERE to request for your employer-provided email address to be added to this product’s distribution list

Purple Arrow Overview
The Purple Arrow Working Group formed in 2009 to address suspicious reporting originating from New Mexico (NM) cleared companies. Purple Arrow is a subset of the NM CI Working Group

Purple Arrow Members
Our membership includes representatives from these New Mexico-focused agencies: 902nd MI, AFOSI, DOE, DCSA, DTRA, FBI, HSI, NCIS and the US Attorney Office

Disclaimer
Viewpoints, company names, or products within this document are not necessarily the opinion of, or an endorsement by, the FBI or any member of the Purple Arrow Working Group or NM CI Working Group

Distribution
You may freely forward this product to U.S. person co-workers or other U.S. agency / U.S. company managed email accounts

Personal Email/Foreigners
The FBI will not send Purple Arrow products to a non-United States employer-provided email account (e.g. Hotmail, Gmail)

You may need to manually copy/paste/execute hyperlinks depicted below if your computer’s security settings disable embedded hyperlinks displayed within a PDF file.

BLUETOOTH WOES RESULT IN URGENT PATCHES

A leading U.S. university’s examination of 31 different Bluetooth devices has resulted in a flurry of security patches issued by hardware manufacturers. The vulnerabilities enable an attacker to ‘appear’ to be a legitimate Bluetooth device that can slip into a system without having their identity validated. Expect to receive software update notifications for your favorite devices shortly.

Source: https://thehackernews.com/2021/05/new-bluetooth-flaws-let-attackers.html?&web_view=true

INDIA’S PIZZA LOVERS GOT MORE THAN THEY BARGAINED FOR

The India-based file servers of one of America’s largest pizza companies, which stored sensitive customer information related to 18 million orders, were hacked last week. The hacker posted proof of the stolen data, which he claimed amounts to 13TB of consumer and employee data that he’s made available for sale. Some of the stolen data that is posted online has been deemed legitimate and usable for criminals to leverage against consumers. This is allegedly the second time the hacker infiltrated the same network.

Source: https://ciso.economictimes.indiatimes.com/news/user-info-linked-to-18cr-dominos-orders-leaked/82899181

AMERICAN-BASED STEREO CORPORATION HELD FOR RANSOM

The Massachusetts-based company whose products provide homes, automobiles and consumers with audio equipment was infiltrated by hackers on 7 March 2021, who immediately deployed ransomware on their computer network. The company’s spokesperson stated they hired external cybersecurity experts to remove the malware and they did not pay the ransom fee to restore their data; however, employee data containing Personally Identifiable Information (PII) was accessed by the hackers.

Source: https://www.bleepingcomputer.com/news/security/audio-maker-bose-discloses-data-breach-after-ransomware-attack/?&web_view=true

WHEN IS HOME SECURITY EQUIPMENT NOT SO SECURE?

A popular brand of home security devices was identified by cybersecurity experts as being remotely exploitable by an attacker; hardcoded passwords contributed to the problem. The vendor has released a firmware patch that consumers should immediately evaluate and potentially use to update their affected home security system.

Source: https://www.securityweek.com/trend-micro-patches-vulnerabilities-home-network-security-devices?&web_view=true

UNCLASSIFIED

U.S. INTELLIGENCE AGENCY WARNING TO DEFENSE SECTOR


A national-level U.S. intelligence agency warned against connecting “Operational Technology” (i.e. computer systems that monitor
and manage industrial process assets and manufacturing/industrial equipment), which includes industrial control systems, onto
the Internet. Their statement was included within their cybersecurity guide that was released on 29 April 2021 and applies to the
Defense Department, entities within the National Security System and the defense industrial base.

Source: https://www.nextgov.com/cybersecurity/2021/04/nsa-defense-sector-think-twice-connecting-operational-technology-internet/173740/

PARKING DATABASE OF 21.8 MILLION CUSTOMERS STOLEN


The customer database of a popular smartphone app used in many American cities to pay parking fees is now posted online for free by
hackers. A spreadsheet containing 21,887,299 users of the application was posted online after the hackers failed to sell copies for
the asking price of $125k. Hackers, after failing to sell stolen material, will often post stolen data for free to boost their reputation.
Included within the stolen information were each user’s full name, address, cell #, email account, license plate and car information.

Source: https://www.bleepingcomputer.com/news/security/your-stolen-parkmobile-data-is-now-free-for-wannabe-scammers/?&web_view=true

NO HONOR AMONGST (CYBER) THIEVES?


A Russian-based underground website used by cyber criminals to share/sell stolen data experienced a dose of karma – their own
database filled with over 623k payment card records was hacked and then leaked online by hackers. Cybersecurity experts opined
that the hacking website was compromised by another hacking team for bragging rights and to turn a quick profit by leveraging the
stolen PII without having to work for it.

Source: https://www.bleepingcomputer.com/news/security/your-stolen-parkmobile-data-is-now-free-for-wannabe-scammers/?&web_view=true
