Month: December 2019

A provider of
IT management and cloud hosting services in California has been forced to pay
cybercrooks ransom to free its systems from Sodinokibi’s stronghold. Attacks by
the Sodinokibi (aka rEvil) ransomware gang have been reported steadily across
the United States in recent weeks.

Synoptek is a managed service provider that serves more than 1,100 customers across such industries as state and local governments, financial services, healthcare, manufacturing, media, retail and software. As reported by Brian Krebs, the company’s systems got infected with Sodinokibi ransomware on December 23, which ended up crippling operations for many of its customers. After compromising the company, the attackers used a remote management tool to install the ransomware on client systems. Because of the immense backlash from clients, Synoptek was forced to pay the attackers an undisclosed ransom in cryptocurrency to get rid of the Sodinokibi infection.

Ransomware operators
have started putting increased pressure on their victims to increase the
chances of a payout. One method employed by two prolific gangs (Sodinokibi and
Maze) is to copy the victim’s data before destroying it for them. With the data
in hand, the attackers threaten to publish it online in case the victim opts
not to pay. Another method is to focus on service providers which, which
results in customers venting on social media

Sodinokibi/rEvil operators have targeted several service providers across the United States in 2019, including PercSoft in August (Hackers breach IT vendor shared by 400 medical practices infecting every office with ransomware), and Complete Technology Solutions only a few weeks ago (Sodinokibi ransomware gang infects yet another IT provider serving dentists; 100+ offices hit).

Patients of Roosevelt General Hospital in Portales, New Mexico are told to monitor their credit reports after the healthcare unit discovered malware on a digital imaging server used in radiology that contained patient information.

Although it’s unclear if any patient data was compromised in the hack, RGH is alerting potentially affected patients and offering assistance in monitoring their information, local news outlet The Roosevelt Review reports.

Information contained on the server included names, addresses, date of birth, driver’s licenses numbers, Social Security numbers, phone numbers, insurance information, medical information and gender, the hospital said in its advisory. In other words, enough personally identifiable data to allow buyers on the dark web to conduct fraud.

RGH says its IT staff “secured and restored” the server and patient information as soon as the breach was identified, suggesting the infection may have damaged the data – i.e. a ransomware contagion.

The hospital has also performed an evaluation of server vulnerabilities while all other risks have been mitigated, according to the local news site.

RGH Marketing and Public Relations Director Jeanette Orrantia advises patients who receive a notice to monitor their credit reports.

“With security events such as this one, time was taken to thoroughly investigate what occurred and identify individuals who have been affected. Since then, the server has been secured and patient information has been restored. Health and Human Services was notified within the 60-day reporting timeframe,” said Orrantia.

RGH CEO Kaye Green added, “Although we are continuing our investigation, there is no evidence at this time that any patient data has been wrongfully used. The malware identified on the radiology server was contained and terminated immediately upon detection. This breach did not affect our electronic health record system or billing system.”

If you are among the affected RGH customers, be sure to follow your bank statements for any suspicious activity in the coming months and don’t hesitate to apply for any credit card monitoring service offered to you by the hospital. Fraudsters value patient records tremendously and use that information to craft sophisticated social engineering schemes to hack your finances or open up a new bank account in your name.

The
chief executive officer of a telemarketing company in Sherwood, Arkansas has
let go 300 employees after the company failed to recover from a ransomware
infection months back.

In a
deeply apologetic letter to employees, The Heritage Company CEO Sandra Franecke
said two months ago their servers were attacked by hackers who demanded a
ransom to unlock the systems. Despite paying the attackers what they demanded,
the company struggled to get back on its feet. The company could no longer pay
wages so the CEO decided to close shop and let everyone go.

The letter, obtained by local news station KATV, is reproduced below in full:

Dear
Employees of The Heritage Company,

I
know that you are all angry, confused, and hurt by the recent turn of events.
Please know that I am just as devastated as you all are, especially that we had
to do this at this particular time of year.

Please
know that we would have NEVER gone to this extreme if we were not forced to.
Now is the time to be honest and open about what is REALLY happening so that
all of you know the truth, directly from me, especially since some of you have
incorrect information and the spreading of untruths thru social media is
damaging us further.

Unfortunately,
approximately two months ago our Heritage servers were attacked by malicious
software that basically “held us hostage for ransom” and we were forced to pay
the crooks to get the “key” just to get our systems back up and running. Since
then, IT has been doing everything they can to bring all our systems back up,
but they still have quite a long way to go. Also, since then, I have been doing
my utmost best to keep our doors open, even going as far as paying your wages
from my own money to keep us going until we could recoup what we lost due to
the cyber attack.

I
know how confusing this must be, especially after we just gave away 7 cruises
just this week, but again, that was money that I spent out of my own personal
money to give you the best Christmas gift I possibly could, but that was before
our systems were hacked. Afterwards I didn’t want to disappoint everyone by
taking them back. We started the Prizes and Bingo the first of November when
again I was being told the systems would be fixed that week.

What
we hope is just a temporary setback is an opportunity for IT to continue their
work to bring our systems back and for leadership to restructure different
areas in the company in an attempt to recoup our losses which have been
hundreds of thousands of dollars.

It
is extremely important right now that we all keep the faith and hope alive that
The Heritage Company can and will come back from this setback. It is also
important that we all keep to the facts and keep calm. And so, I ask that you
please share this with the employees who may not be on this page or may not
have Facebook. To share this out of the group, you will need to copy the text
of this post and share it as your own status.

Please
know that when I made my speech at the “Future is Bright” luncheons, everything
was sincere and heartfelt. We had no way of predicting that our systems would
be hacked at that time. Once we were hit with this terrible virus we were told
time and time again that things would be better each week, and then the next
week, and the week after that. Accounting was down and we had no way of
processing funds. The mail center was down as we had no way of sending
statements out, which meant that no funds could come in.

Had
we known at the time that this would have hurt the company this badly, we would
have made a statement to the employees long ago to warn everyone what this
might mean. The ONLY option we had at this time was to close the doors
completely or suspend our services until we can regroup and reorganize and get
our systems running again. Of course, we chose to suspend operations as
Heritage is a company that doesn’t like to give up.

I
also want to apologize for the way many of you found out we were closing our
doors. When we left the meeting yesterday afternoon, everyone had a plan for
what was to happen, but we never considered that the word would spread so fast
and far to each of you before your managers could speak to the employees who
had already gone home for the day. No one is sorrier than I about you finding
out from other sources who did not necessarily have the correct information.

So
here it is: The Heritage Company is temporarily suspending our services. On
January 2nd, there will be a message left on the weather line. That message
will give you updated information on the restructuring of the company and
whether or not we’ve made progress on our system.

In
the meantime, I urge each and every one of you to please keep faith with us. We
know how extremely hard you all work for each of the wonderful charities we all
represent. We want you all back where you belong in two weeks’ time. We are a
family, and my hope is that we will stay a family for a long time, despite this
setback.

My
mother started this company 61 years ago, and I am committed to keeping
Heritage open if it is in my power to do so.

Sincerely,

Sandra Franecke,

Owner
and CEO,

The
Heritage Company”

Interviewed
by reporters, one disgruntled employee, Dave Denny said, “let your employees
know something, give them a chance to make our own decisions for ourselves, not
really take our own lives in your own hands and basically play God with
everybody’s lives.”

The
layoff comes mere days before Christmas, leaving many unsure if they will start
2020 with a job. The CEO asks everyone to check back on January 2 to see if
they will get their jobs back.

This is not the first time ransomware shutters a business in the United States this year. Brookside ENT and Hearing Center, a doctor’s office in Battle Creek, Michigan was forced to close its doors after hackers infected its systems with ransomware, compromising everything from patient records to billing information. Unlike The Heritage Company, Brookside ENT did not pay the ransom, likely figuring the incident would have the same outcome anyway.

These
attacks, and many others reported in the past year alone, underscore the dire
need to protect any business, big or small, from ransomware.

While
large enterprises are typically backed by a dedicated security operations
center and cyber-insurers, the same cannot be said for small and medium-sized
businesses with tight IT budgets and cybersecurity skill gaps.

Bitdefender helps small and medium-sized businesses fight ransomware with its Small Office Security offering, which offers complete protection for Windows, macOS, Android and iOS devices. The solution not only protects businesses against ransomware and all new and existing cyber threats, it also helps prevent data breaches and secures clients’ personal and financial data. Best of all, installation takes under 5 minutes and no IT skills are needed. Learn more.

The U.S. Department of Justice has announced the sentencing
of three members of the network behind the GozNym cyberattacks on U.S. entities
resulting in the theft of $100 million.

Krasimir Nikolov, 47, of Varna, Bulgaria, was sentenced on
December 16, 2019, in federal court in Pittsburgh to a period of time served. He
already served more than three years in prison following his conviction on
charges of criminal conspiracy, computer fraud, and bank fraud.

Nikolov’s role in the conspiracy was that of a
“casher” or “account takeover specialist.”

“In that capacity, Nikolov used victims’ stolen online
banking credentials captured by GozNym malware to access victims’ online bank
accounts and attempt to steal victims’ money through electronic transfers into
bank accounts controlled by fellow conspirators,” the DOJ said.

Nikolov conspired with fellow gang members charged in a
related Indictment announced in May 2019 in The Netherlands.

Alexander Konovolov, of Tbilisi, Georgia, was the primary
organizer and leader of the GozNym network. He assembled the team of cybercriminals
charged in the Indictment, in part through underground online criminal forums,
according to the press release.

Marat Kazandjian, of Kazakhstan and Tbilisi, Georgia, was
Konovolov’s primary assistant and technical administrator. Konovolov and Kazandjian
were arrested and prosecuted in Georgia for their roles in the GozNym criminal
network, in what the U.S. DOJ calls an unprecedented level of cooperation
between the FBI, the U.S. Attorney’s Office and Europol.

Konovolov was sentenced to five years and Kazandjian to seven,
the Georgia Prosecutor’s Office said in a press release.

The GozNym banking malware has been used aggressively against
businesses and financial institutions in multiple regions.

GozNym operators would infect computers – likely through spam campaigns – and capture victims’ online banking login credentials. They then used the credentials to access victims’ online bank accounts. After stealing the cash, operators would launder those funds using U.S. and foreign beneficiary bank accounts controlled by the defendants. A botnet of over 40,000 computers was used to siphon a total $100 million from victims, the Europol said in May.

Twitter today began emailing Android users about a security issue that could have compromised their account. Users are urged to download the latest version of Twitter for Android as soon as possible.

“We recently fixed an issue that could have compromised your account,” reads the email notice.

The company links to a blog post with details about the vulnerability, what it could lead to – if exploited correctly – and the steps users can take to secure their account.

The vulnerability in question only affects Android clients (not iOS). Through a complicated process involving the insertion of malicious code into restricted storage areas of the app, a motivated bad actor could exploit the bug to “see nonpublic account information or to control your account”. If someone were to find and exploit the vulnerability, Twitter says it may have been possible for them to send Tweets or Direct Messages, access the user’s DM conversations and protected Tweets, as well as access location information from the app, according to the advisory.

The company hasn’t found evidence that the flaw has been exploited in the wild, but is nonetheless warning users of this issue out of an abundance of caution.

“We don’t have evidence that malicious code was inserted into the app or that this vulnerability was exploited, but we can’t be completely sure so we are taking extra caution,” Twitter says,

The latest versions of Android contain a patch for the issue. According to Twitter Support, version 7.93.4 (released last month for KitKat) and version 8.18 (released in October for Lollipop and newer) already have this bug fixed. This suggests Twitter has been aware of the flaw for a while but held off the announcement to make sure enough people had new versions installed before the issue was made public.

“Please update to the latest version of Twitter for Android as soon as possible to make sure your account is secure,” the company says. “We’re sorry this happened and will continue working to keep your information secure on Twitter.”

In accordance with data protection laws, Twitter tells users they can reach out to the company’s Office of Data Protection to request information regarding their account security. Under the European Union’s General Data Protection Regulation (GDPR), Twitter is obliged to respond to this request in 30 days or less.

Malware was discovered in Wawa’s payment processing
servers, and it’s believed that all convenience store locations were affected. The
stolen information includes names and credit card numbers, among other data.

Wawa CEO Chris Gheysens said that all of the company’s 842
stores in the United States had malware installed in the point-of-sale systems
for almost 10 months. In that period, the hackers managed to steal credit card
and debit card numbers, expiration dates and names.

The company determined that the incident started on March
4 and only ended on December 14, 2019. Interestingly, even if all of the stores
were infected by the malware, not all of them accessed had data leaks.

“As soon as we discovered this malware on December 10,
2019, we took immediate steps to contain it, and by December 12, 2019, we had
blocked and contained it,” says
Gheysens. “We believe this malware no longer poses a risk to customers using
payment cards at Wawa. As indicated above, we engaged a leading external
forensics firm to conduct an investigation, which has allowed us to provide the
information that we are now able to share in this letter.”

Recently, Visa warned merchants about point-of-sale (POS) system attacks carried out by cybercrime groups against North American fuel dispenser merchants. And while Visa didn’t name the merchants at that time, it’s clear that it’s a much bigger problem than anticipated.

The recent POS attacks are attributed to an Advanced
Persistent Threat (APT) group that has expanded its operations to eCommerce
merchants. Visa named Fin8 as one group that could have pulled this off, but
there’s no indication, at least not for now, that the Wawa incident is related to
Visa’s advisory.

If you’ve paid with a credit card at a Wawa station, keep
a close eye on your card statement and report any suspicious transactions
immediately.

Google says it plans to be more proactive in its bug and
vulnerability hunting and is now offering money before patch work is completed,
as opposed to after the fact.

Security needs to be a proactive enterprise, which
usually means that companies such as Google have to fund bug-hunting programs
so that they know about the problems before they can cause a problem. The Patch
Rewards program for third-party open-source projects is a good example, and,
until now, it worked by rewarding developers for discovering vulnerabilities
and other issues.

One change Google is implementing in the Patch Rewards
program is to make it proactive. More precisely, it will pay the developers of
third-party open-source programs for security improvements.

“We’re not only going to reward proactive security improvements after the work is completed, but we will also complement the program with upfront financial support to provide an additional resource for open source developers to prioritize security work,” said Google’s Jan Keller, Technical Program Manager.

“For example, if you are a small open source project and
you want to improve security, but don’t have the necessary resources, this new
reward can help you acquire additional development capacity.”

For now, Google is offering two support levels. The smaller
one, of $5,000, is meant as an incentive for fixing vulnerabilities identified
in open source software by bug bounty programs such as EU-FOSSA 2.

The second tier is much bigger, at up to $30,000, and is
aimed at large projects that need to invest in hiring new developers or add new
security features.

The money will be attributed after a short nominalization
process and after the projects submit their plans for strengthening security. The
regular Patch Rewards program will continue unabated, with the current changes
working only as an addendum.

In November,
cyber crooks told services company Allied Universal that they would make its
files public if the company didn’t pay a ransom. Allied refused and the hackers
stuck to their threat, releasing a portion of the data onto the open internet.
The same gang has now published a website issuing similar threats to other victims
that have refused to pay ransom. If their demands are met, other ransomware
gangs will likely replicate the strategy to increase their chances of getting
paid, or to maximize their profits.

The gang
behind Maze ransomware recently erected a website (found by security reporter Brian Krebs)
listing the company names and websites of eight victims of their malware.
Besides an infection with the same ransomware strain, all these entities have
one thing in common: they all refused to pay up, deciding to recover the hard
way (i.e. from backups).

But the Maze
gang is not the only one threatening victims with data exposure if their ransom
demands aren’t met. The people behind Sodinokibi/rEvil made similar threats on
a popular dark web forum recently. Others before them issued similar threats,
but rarely kept their promise. While the method of twisting the victim’s armis
not new, 2019 marks the first time the bad guys are making good on their
promise. If the Maze gang is not lying about having exfiltrated victims’ data
before encrypting it, they will likely stick to their end of the bargain. If
that happens, there is no reason to believe other ransomware operators won’t do
the same in 2020 and beyond.

Ransomware
becoming synonymous with data breach has serious implications: the victim’s
reputation can become tarnished, while the legal repercussions (GDPR, CCPA,
HIPPA etc. ) can inflict millions and even billions in losses. For some, a
serious cyber incident can spell bankruptcy.

One thing
ransomware operators never fail to do is to replicate every method that has
worked in the past to coerce victims to cooperate. If the end of 2019 is any
indication, ransomware in 2020 will become more hazardous than ever –
especially for big businesses.

A network of 265 fake websites that were promoting
anti-Pakistan news and sharing pro-India news were found operating in 65
countries. Some of the websites were built in a way meant to influence high-ranking
members of the European parliament.

 According to a BBC
report, the
entire enterprise was linked to a single source, an Indian company named
Srivastava Group, but the investigators found no link with the Indian
government. The network was discovered by EU Disinfo Lab, a non-profit
organization from Brussels.

While it might not be a phishing scheme, per se, it
operated pretty much the same way. Fake websites were set up to offer
credibility to the entire scheme, sometimes using domain names very similar to
the original ones, or even resurrecting publications that went out of print
almost 100 years ago.

Whale phishing is a term that describes the targeting of
a senior executive by cybercriminals in an effort to compromise them. The
method used by fake websites is not all that dissimilar to phishing because
high-ranking officials in the EU were directly targeted. Making matters worse,
a few of them fell for it, wrote articles, and gave interviews.

Following the investigation by the EU Disinfo Lab, many
of the websites disappeared and or went inactive. The NGO identified a woman
named Madi Sharma as the heart of the disinformation campaign, which could only
be described as a business broker operating among EU officials. She’s also a
British member of the European Economic and Social Committee (EESC), but the
EESC says that its members are free to do whatever they want.

Santa is coming to town, and he’s packing a white hat
this Christmas as he brings good tidings, gifts and advice for people to stay cybersafe
over the holidays.

In a modern world where Christmas gifts often consist of
smartphones, tablets and assorted connected gadgets, Santa’s white hat shows
the recipients they can be safe despite the proliferation of online dangers. The
color shows that the hacker behind the keyboard is a benevolent one, and not a
nasty “black hat” hacker. And that makes the difference between a world in
which people safely enjoy their devices and one in which their private data is splattered
all over the Internet.

Cybersecurity is a positive word, but we usually hear
about it in not-so-happy circumstances. Maybe someone hacked our Instagram
account or some hacker leaked emails and passwords from our favorite fitness
app. Suddenly, the word cybersecurity is thrown around, along with the term hacker,
accompanied by images showing people in hoodies hunched over a keyboard in the
dark.

White hat hackers,
though, investigate vulnerabilities and uncover problems with software and
hardware. They report their findings and try to make the world safer, with no
concern for material gains.

Black hat hackers
are on the other side of the law. They look to compromise companies and social
media accounts to steal data, install ransomware, launch phishing campaigns,
and much more. Profit by any means is their mantra.

In the middle come the grey hat hackers, and they only want to show that it can be done.
They usually surf around the net, trying to find holes in critical
infrastructures and companies, and sometimes they might even ask for money in
return for disclosing their penetration methods.

The shopping
season and the white hat Santa

In the cybersecurity world, Santa’s hat can only be
white, especially if we consider that his arrival coincides with the busiest
shopping season of the year.

And when people find online offers that seem too good to
be true, they sometimes throw security out the window. Adults forget that they
shouldn’t open emails from unknown senders, they shouldn’t provide personal
information over the Internet, and they really shouldn’t click on ads with
products offered for ridiculously low prices.

The Christmas shopping season is a black hat hacker’s
favorite. But they can be foiled by following a few simple rules. And by
wearing a white hat so we know you’re in the right corner.

–       Protect
against unknown threats by installing a security solution that anticipates
problems, such as ransomware and other issues, in real time

–       Make sure your
data is secure from intrusions

–       Use a
specially designed Internet browser that ensures your online payments are
completely safe

–       Store your
personal or sensitive files in specially protected environments where no
malware has access

–       Always know
where your devices are and find them with ease if they are ever misplaced or
stolen.

If you want a solution that has everything, you should
really take a look at Bitdefender
Total Security, which covers all of the above, and a lot more.