Maryland-based nursing home announces ransomware attack affecting nearly 50,000 residents

A Maryland-based nursing home disclosed that it has fallen victim to a ransomware attack, exposing personal information of 47,754 residents.

Lorien Health Services said some of their systems’ files were encrypted in the attack on June 6. The family-owned facility has hired a team of security experts to determine the extent of the breach and what type of information was accessed by the attackers. Four days into the investigation, it was established that the bad actors had also breached the personally identifiable information of its residents. Social Security numbers, dates of birth, addresses, treatments and health diagnoses were among the private information accessed.

The attack has been attributed to the Netwalker ransomware gang, which apparently leaked some of the exfiltrated information after Lorien Health Services refused to pay the ransom. A data dump consisting of a password-protected 147MB archive is currently available for download. Similar files may also appear in the near future, since it is presumed that the attackers only shared a small batch of the scraped data.

According to a data breach notification posted on the facility’s website, Lorien reported the attack to the FBI, and will continue to “provide whatever cooperation is necessary to hold perpetrators accountable.”

All potentially impacted residents were notified via letter 10 days after the incident, on June 16. “The letters include information about the incident and about steps that can be taken to protect personal information,” Lorien officials said. The facility is now offering complimentary credit monitoring and identity protection services for its residents, and has also set up a call center for assistance.

The breach could have potentially devastating effects on victims, since thieves can use the Social Security numbers and dates of birth to conduct identity fraud and medical identity theft.

No industry or business has been spared since the beginning of the pandemic, and healthcare facilities make for an easy target. Amid the chaos brought on by the coronavirus, bad actors have diligently targeted healthcare facilities to steal and encrypt sensitive data, hoping that businesses will cave in to their demands.

However, paying ransom demands does not guarantee data recovery. It’s critical for companies to assess their network and device security, and make sure that employees are aware of the dangers of accessing or downloading suspicious files on their systems.

ATMs across Europe Are Hacked Using Purpose-Built Black Boxes

Diebold Nixdorf has issued a warning of a wave of jackpotting attacks against ATMs in a number of European countries, with the vast majority directed at ProCash 2050xe USB terminals.

Jackpotting attacks target ATMs to steal money from the machines. Other attacks use devices on ATMs to clone and steal credentials of regular customers, but jackpotting goes directly after the money. It’s a much more complex attack that requires knowledge of the ATM’s inner workings, and it’s much more challenging to pull off.

In these recent attacks, criminals destroy parts of the fascia to access the hardware, disconnect the USB cable between the CMD-V4 dispenser and the special electronics, or the cable between special electronics and the ATM PC. They then connect their black box and send commands to the machine, allowing them to dispense money.

The biggest problem with this method, aside from the theft, is that the attacker likely has access to the software stack or at least some part of it, which they use in their black boxes.

“Some incidents indicate that the black box contains individual parts of the software stack of the attacked ATM,” says the company in the advisory. “The investigation into how these parts were obtained by the fraudster is ongoing. One possibility could be via an offline attack against an unencrypted hard disc.”

So far, it looks like most attacks affected the ProCash 2050xe USB ATM, which means that the criminals might have access to the software stack for that specific model. In any case, the company advises banks to update the software stack to the latest versions, use a secure configuration of encrypted communications, and get the latest firmware for their devices.

Since this is also a physical attack, terminal operators are advised to frequently inspect the ATMs and control access to areas used by personnel to service them.

Employees Embrace Work-from-Home but Worry about Data Security, Study Shows

Remote work has become the new normal for millions of employees across the world. While it might have seemed unfeasible at first, the shift was eagerly embraced by workers, who often expressed the highlights and difficulties encountered during the transition phase.

According to a new Lenovo survey, 63% of remote workers state that they are more productive working at home than at the office. But this productivity comes with a price. On top of physical concerns amid the coronavirus pandemic, nearly 1 in 3 respondents worry about their device and data security.

Data breaches and cyber-attacks have flooded the headlines alongside coronavirus developments, and employees have expressed their concerns regarding WFH, and how telework can make their companies even more susceptible to data breaches. 72% of participants noted they are “extremely,” “very” or “somewhat” concerned about protecting their personal data on their work devices.

“As a result, security will need to be built into employees’ hardware, software and services (including deployment, set-up and maintenance) from the get-go,” the study reads.

Despite these concerns, 79% of employees “strongly” or “somewhat agree” that they have become their own IT person since working from home, with nearly 70% of employees saying they have bought new technology to accommodate the new work-from-home requirements during the pandemic.

Between May 8 and May 14, the company surveyed 20,262 workers from the United States, Brazil, Mexico, the United Kingdom, France, Germany, Italy, China, India and Japan. While remote work has been embraced across all regions, employees feel that their company tech is not keeping up with their needs.

Only 19% of respondents believe their employers “are leaders in their industries when it comes to adopting new and emerging tech, and are strongly committed to staying up to date”. 82% of global employees claim that their employers face various difficulties as they strive to keep up with technological advancements. The top roadblocks named by respondents include:

• Difficulties training employees to use new and emerging tech
• Prioritizing budgets and overall affordability
• Lack of understanding of employee needs

Orange Confirms Ransomware Attack Compromising Data of Business Solutions Customers

Orange, the French telecommunications giant, has confirmed a ransomware attack that exposed the records of 20 enterprise customers. The announcement was made after the actors behind the Nefilim ransomware leaked a snippet of exfiltrated data from Orange’s Business Solutions customer database.

The 339MB file titled ‘Orange_leak_part1.rar’ is said to contain data stolen during the cyber-attack. Researchers analyzing the files told BleepingComputer that the archive consists of emails, airplane schematics, and files from a French aircraft manufacturer, data that could indicate the company is one of Orange’s business customers.

According to a company statement, the attack took place between July 4 and July 5, and involved data hosted on one of the mobile carrier’s IT platforms. “A cryptovirus-type computer attack was detected by Orange teams during the night of Saturday 04 July to Sunday 05 July 2020,” the report said. “Orange teams were immediately mobilized to identify the origin of this attack and has put in place all necessary solutions required to ensure the security of our systems. According to initial analysis by security experts, this attack has concerned data hosted on one of our Neocles IT platforms, “Le Forfaitinformatique,” and no other service has been affected. However, this attack seems to have allowed hackers to access the data of around 20 PRO / SME customers hosted on the platform.”

The company said it has informed affected customers, and will continue to monitor and investigate the breach.

Details regarding the ransom demands have not surfaced yet, but recent ransomware attacks have made a profitable business for bad actors. Just last month, the University of California San Francisco (UCSF) succumbed to the demands of the attackers, paying no less than $1.14 million to recover their data.

Orange is ranked the fourth-largest mobile operator in Europe, boasting more than 266 million customers and nearly 150,000 employees. The aftermath of the data breach could have serious consequences for the telecoms company, especially with the European privacy watchdog knocking at their doorstep. However, it’s not just the prospect of a hefty fine they should be worried about.

Data safety and privacy have been the talk of the town for years, and companies that fail to protect their users’ data often risk damaging their reputation and losing customers.

Twitter Releases New Details About Recent Hack of High-Profile Accounts

Social media giant Twitter is sharing updates coming out of the second day of investigations into this week’s hack of high-profile accounts by Bitcoin scammers.

Avid readers will recall that Twitter recently fell victim to a massive social engineering scheme that compromised several high-profile accounts, including those belonging to Elon Musk, Barack Obama, Joe Biden, Kanye West, Bill Gates, Jeff Bezos, Uber, Apple and others.

“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” Twitter said in a series of updates posted to Twitter Support yesterday, hours after the attack was discovered.

The attackers, which some believe may have ties to Russia, used this access to take control of multiple verified accounts and tweet on their behalf, demanding Bitcoin donations for Coronavirus relief with the promise to reimburse donors two-fold. According to reports, the scammers had amassed over $100,000 in cryptocurrency before Twitter severed the hackers’ ties to the compromised accounts.

“We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it,” the company said.

Earlier today, Twitter resumed the update stream revealing what came out of the second day of its investigations into the breach.

“Based on what we know right now, we believe approximately 130 accounts were targeted by the attackers in some way as part of the incident. For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts,” the first update says.

“We’re working with impacted account owners and will continue to do so over the next several days. We are continuing to assess whether non-public data related to these accounts was compromised, and will provide updates if we determine that occurred,” reads another.

Twitter users will be unable to download a copy of their data while the investigation is still ongoing. The company has taken “aggressive steps” to secure its systems and is now assessing longer-term steps it may take. Twitter promises to share more details as soon as it can.

“Thank you for your continued patience and understanding while we investigate this incident. We’ll continue to provide updates when we have them,” the last update reads.

Cybersecurity journalist Brian Krebs postulates that the threat actors are a group of SIM swappers who recently claimed they could change the email address associated with any Twitter account.

COVID-19 Research and Vaccine Research Targeted by APT29 Group

Organizations from the US, UK and Canada involved in COVID-19 research have been targeted by a hacking group known as APT29.

APT, or Advanced Persistent Threat, groups are usually nation-state or state-sponsored groups, working to compromise critical infrastructure and gain access to networks belonging to other countries. Many active hacking groups exist, and their allegiance is usually known.

The United Kingdom’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE) say that APT29 (also known as ‘the Dukes’ or ‘Cozy Bear’) is likely a part of Russian intelligence services. Law enforcement agencies, including NCSC, CSE, DHS CISA, and the NSA issued a joint advisory regarding the recent activities of APT29.

“Throughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,” states the advisory.

“APT29 is using custom malware known as ‘WellMess’ and ‘WellMail’ to target a number of organisations globally. This includes those organisations involved with COVID-19 vaccine development. WellMess and WellMail have not previously been publicly associated to APT29.”

The group probes the internet-facing networks of organizations working in COVID-19 research, looking to exploit known vulnerabilities, some with success. Examples include Citrix, Pulse Secure, FortiGate, and Zimbra vulnerabilities.

They also resort to spear phishing in an effort to obtain legitimate credentials. After the group gains access to a particular system, it deploys other tools and, in some cases, malware named WellMess that allows them to run shell commands and upload and download files.

The advisory also provides indicators of compromise and some detection rules, underscoring the need to patch existing systems and networks. The agencies haven’t said how successful APT29 was in its attempts or whether it managed to obtain the data it was looking for.

BlackRock Malware Goes After Banking, Social and Other Mobile Apps

A new banking malware is being pushed to Android devices, and it uses source code from the older, now defunct, Xerxes, and an even older variant called LokiBot. The attackers target apps that haven’t been compromised in other campaigns.

Banking trojans are always evolving along with the operating systems they are trying to infect. Since they are usually spotted in apps before being distributed through official stores, criminals choose other channels, such as unofficial stores and shady websites offering third-party files.

When new Android versions are released, the older malware doesn’t work, so new versions appear, usually based on older code. The BlackRock variant is only the latest one, but its foundations use code from malware that appeared over the past four years.

ThreatFabric looked at how the new BlackRock malware acts once it infects a device. As expected, once it gets hold of a device, all information can be compromised.

“When the malware is first launched on the device, it will start by hiding its icon from the app drawer, making it invisible to the end-user,” say the researchers. “As second step it asks the victim for the Accessibility Service privileges. As visible in following screenshot, the Trojan’s largest campaigns are posing as fake Google updates.”

The Accessibility Service on Android has an entirely different purpose, but it’s powerful and often abused by malware operators to gain the rights they need.

Commands supported by BlackRock include the option to send an SMS, to send SMS copies of personal emails to command and control centers, to start apps on boot, to force devices to stay on the HOME screen, to add a managed admin profile for the malware on the device, and much more.

Since this is a banking trojan, it will try to steal credit card credentials, either with a grabber view or with a phishing overlay specific to each app. The malware steers the user to local files as opposed to the web version, after which the details are uploaded to the C&C server.

Many apps targeted by the malware are not financial, but social media, communication, or dating apps. It’s just one of the many ways to steal credentials that can be used in other situations.

As for the targets themselves, the malware is directed at European banks and users, followed by those in Australia, the US and Canada.

People should only use official distribution channels for their Android apps and have an endpoint security solution installed at all times.

Cybercriminals Take Over Famous Twitter Accounts, Start Bitcoin Scam

Several high-profile Twitter accounts, including those belonging to Apple, Bill Gates and Elon Musk, started to tweet in support of a Bitcoin scam, promising to double the money that people would send to their wallets.

Such high-profile Bitcoin scams don’t happen often, and the scale of the latest scam on Twitter indicates a much deeper approach than mere phishing. Having all of these famous people seemingly tweet at the same time is a complex operation, and it looks like all verified accounts are impacted.

The messages were crafted individually so that they at least seemed legitimate. Bill Gates is made to say that people have been asking him to give back, so he will return $2,000 for every $1,000 people send to his wallet. All messages ended with the address of a Bitcoin wallet.

Twitter is now investigating, but from the looks of it, the attackers somehow managed to get access to internal tools.

“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” said the company. “We also limited functionality for a much larger group of accounts, like all verified accounts (even those with no evidence of being compromised), while we continue to fully investigate this.”

The first indication seems to point to a phishing campaign directed at Twitter employees. Somewhere along the line, bad actors obtained the proper credentials and compromised Twitter’s internal tool without raising any alarms. When the time was right, the attack was deployed across known Twitter accounts, including Apple, Barack Obama, Joe Biden, Uber, Kanye West, and others.

The cybercriminal group that pulled this off remains unknown, but their goal was clear: to trick as many people as possible into sending their money to Bitcoin wallets, then disappear with the funds.

These Are the Highest Penalties under GDPR – Including Fines Issued to Private Individuals

PrivacyAffairs, a leading source of data privacy and cybersecurity research, has issued a report tallying fines issued under the 2018 General Data Protection Regulation (GDPR). It also lists the countries where the highest fines were dealt, as well as the nations with the most punishable incidents.

According to the research firm, since its rollout in May 2018, the GDPR has claimed 340 ‘victims’ for unlawful data protection practices. The report notes that every single one of the 28 EU nations, including the now Brexited United Kingdom, has issued at least one penalty under the new data protection legislation.

“Whilst GDPR sets out the regulatory framework that all EU countries must follow, each member state legislates independently and is permitted to interpret the regulations differently and impose their own penalties to organisations that break the law,” according to PrivacyAffairs.

The report breaks down the nations with the highest fines and those with the most fines as follows:

Nations with the highest fines:

• France: €51,100,000
• Italy: €39,452,000
• Germany: €26,492,925
• Austria: €18,070,100
• Sweden: €7,085,430
• Spain: €3,306,771
• Bulgaria: €3,238,850
• Netherlands: €3,490,000
• Poland: €1,162,648
• Norway: €985,400

Nations with the most fines:

• Spain: 99
• Hungary: 32
• Romania: 29
• Germany: 28
• Bulgaria: 21
• Czech Republic: 13
• Belgium: 12
• Italy: 11
• Norway: 9
• Cyprus: 8

GDPR Fines Tracker by PrivacyAffairs

France tops the list of highest fines because of a €50 million fine issued by French authorities to Google in January 2019 on the basis of “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.” By contrast, the smallest fine to date under the GDPR is a €90 penalty issued to a Hungarian hospital on November 18, 2019.

UK organizations have been issued seven fines by the Information Commissioner’s Office, totaling over €640,000. Two potentially massive fines, for Marriott International (€204,600,000) and British Airways (€110,390,200), are still under review.

The report also tracks the highest fines issued to private individuals, including a €20,000 penalty issued to an individual in Spain for unlawful video surveillance of employees and an €11,000 penalty issued to a soccer coach in Austria who was found secretly filming female players while they were taking showers. It also mentions a €2,500 fine issued to a German resident who sent emails to several recipients where each could see the other recipients’ email addresses.

Readers interested in learning more about the fines dealt under the GDPR in the past two years can access the full research here.

Feds Point to Escalated Ransomware Attacks on Financial Institutions, Offer Guidance Based on Success Stories

The U.S. Securities and Exchange Commission’s (SEC’s) Office of Compliance Inspections and Examinations (OCIE) has issued an alert warning of an escalated number of ransomware attacks on financial institutions.

The office details its findings in a free PDF and offers advice to targeted infrastructures on how to bolster their cybersecurity defenses.

“Recent reports indicate that one or more threat actors have orchestrated phishing and other campaigns designed to penetrate financial institution networks to, among other objectives, access internal resources and deploy ransomware,” the document reads.

“OCIE has also observed an apparent increase in sophistication of ransomware attacks on SEC registrants, which include broker-dealers, investment advisers, and investment companies,” it notes.

According to the office, those behind the attacks demand ransom to “maintain the integrity and/or confidentiality of customer data or for the return of control over registrant systems.”

OCIE has also observed attacks on service providers working with targeted financial institutions. It advises potential targets to monitor alerts published by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The documentation underscores the tactics and techniques employed by threat actors, along with related indicators of compromise (IOCs) and key mitigation strategies.

The office dispenses further guidance based on success stories seen at organizations with robust incident response and resiliency policies, procedures and plans.

Operational resiliency is high on the list of recommendations, as it helps determine which systems and processes can be restored during a disruption so services can still be delivered.

Other highlights include awareness and training programs, vulnerability scanning and patch management, access management, and perimeter security.
