Personal and Medical Information of Children and Adults Stolen in DHS Data Breach

Cyberattackers have managed to steal personal and medical information of children and adults involved in Child Protective Services (CPS) and DHS Division of Family & Children Services (DFCS) cases, the Georgia Department of Human Services (DHS) has disclosed.

According to a press release, unauthorized individuals gained access to DHS employee email accounts between May 3 and May 15, compromising customers’ personal identifiable information and protected health information (PHI).

“On August 10, 2020, DHS learned that the attackers had been able to retain certain emails that contained personally identifiable information and protected health information of children and adults involved in Child Protective Services (CPS) cases of the DHS Division of Family & Children Services (DFCS),” the notification reads.

Although the type of compromised information varies for each case, cybercriminals managed to exfiltrate information including:

• Full names of children and household members
• Dates of birth, age and county of residence
• DFCS case and identification numbers
• Phone numbers and email addresses
• Social Security numbers
• Medicaid identification number and Medicaid medical insurance number
• Medical provider name and appointment date

The breach also exposed psychological reports, counseling notes, medical diagnoses and substance abuse information for 12 individuals, and the bank account number of one.

The DHS said it is contacting affected customers and providing instructions on how to protect against identity theft.

“As of September 21, 2020, DHS examined the emails in question and began identifying the customers whose information had been accessed,” the DHS added. “Affected clients are being contacted directly by DHS, and instructions are being provided on how clients can protect themselves from further harm.”

Cybercriminals sell stolen PHI on dark web marketplaces or use it in identity-theft-related crimes. Victims should be extra vigilant and check their medical insurance statements for any suspicious entries. In case of fraudulent charges, affected individuals should notify their local authorities and healthcare providers.

It is also recommended to watch out for any unsolicited emails that ask to confirm personal or financial information.

Prison Video-Calling Service Exposes Call Transcripts Between Convicts and Attorneys

A security researcher has discovered a critical security lapse in a popular video visitation service for correctional facilities that exposed the call logs and transcriptions of conversations between inmates and the outside world – including calls supposedly protected by attorney-client privilege.

HomeWAV prides itself on offering a state-of-the-art suite of communication solutions and hardware for detention facilities across the US.

The firm markets the product as a reliable revenue stream for detention facilities, as well as an efficient monitoring tool:

“From Day One, revenue from usage is shared with the detention facility … Placement of stations in secure areas eliminates need to move inmates for visitation,” reads the marketing copy on homewav.com. “No-contact visits reduce risks for contraband transfer. 100% recording and monitoring of all visits is provided.”

As reported by TechCrunch, security researcher Bob Diachenko found “a dashboard for one of its databases exposed to the internet without a password, allowing anyone to read, browse and search the call logs and transcriptions of calls between inmates and their friends and family members.”

The same database also contained transcripts of calls between inmates and their attorneys that were supposed to be protected by attorney-client privilege.

HomeWAV shut down the system hours after the news site alerted it to the security lapse. CEO John Best told the news outlet that one of its third-party vendors was to blame, adding that the company will inform inmates, families and attorneys of the incident.

Two attorneys reached by TechCrunch reportedly “expressed alarm that their calls had been recorded.”

Yet, according to HomeWAV’s website, “unless a visitor has been previously registered as a clergy member, or a legal representative with whom the inmate is entitled to privileged communication, the visitor is advised that visits may be recorded, and can be monitored.”

It is unclear if HomeWAV broke the law by recording conversations between inmates and their lawyers, but it risks finding itself in hot water. It is also unclear whether any of the exposed data was stolen before HomeWAV shut down the service to secure it. After all, Diachenko is one of several white-hat researchers purposefully seeking to uncover exposed databases on the web and alert their owners of their lapses. Alas, there are also black hat hackers out there, equally skilled in finding unsecured databases.

In fact, the same researcher made an almost identical finding earlier this year when Telmate, another company that facilitates monitored inmate communications with the outside world, had exposed a large database containing tens of millions of call logs, private messages, and personal information about inmates and their contacts.

Tesla Fires Employee for Allegedly Sabotaging Operations at California-Based Factory

Employees at the Tesla car-manufacturing plant in Fremont, California, have been informed by company officials that a former worker “maliciously sabotaged” operations at the factory last month.

According to an internal memo obtained by Bloomberg News, the unnamed employee was caught trying to cover his tracks by attempting to destroy a company computer, and even blamed a colleague for the incident.

“Two weeks ago, our IT and InfoSec teams determined than [sic] an employee had maliciously sabotaged a part of the Factory,” Tesla’s legal chief Al Prescott said in the company email. “Their quick actions prevented further damage and production was running smoothly again a few hours later.”

The employee apparently confessed and was fired. It remains unclear if the worker will face legal consequences for his actions, and Tesla has yet to release an official statement regarding the incident.

“We place tremendous trust in our employees and value everyone’s contribution,” Prescott added. “However, whatever the personal motivations of the attacker were, these are crimes, violations of our code of conduct, and are unfair to other employees. We will take aggressive action to defend the company and our people.”

Two months ago, Tesla dodged a similar attack, and a Russian national was arrested for attempting to bribe an employee to plant ransomware on company systems.

Massachusetts Public School District Cancels Online Classes after Alleged Cyberattack

More than 60 Springfield Public Schools shut down remote learning after a cyberattack affected the school district’s IT network on October 8.

Yesterday, the second-largest school district in Massachusetts, offering classes for over 25,000 students, announced the cancellation of virtual classes due to network systems issues.

“Due to issues with our network, school and remote learning activities are canceled for the remainder of today (Thursday, October 8),” Springfield Public Schools said in a tweet.

An additional update posted by school officials on Facebook initially attributed the network issues to repeated power outages:

“UPDATE: Classes are now canceled for the remainder of the day.
Please note: Due to power outages, we are experiencing technical difficulties with the Student Applications page (the webpage that loads when you first open your internet browser).”

According to Bleeping Computer, which cited a source in the cybersecurity industry, the network disruptions were due to a ransomware attack, discovered on the morning of October 8.

Although officials have yet to disclose additional information on the attack, Mayor Domenic J. Sarno and Superintendent Daniel Warwick issued a comment on the security incident.

“Out of an abundance of caution the Springfield Public Schools have issued an early dismissal from school today and have temporarily suspended remote learning due to potential threats to the network that have been identified,” the statement reads.

“Early this morning, the Springfield Public Schools identified a potential threat to their IT network. To ensure that the District can effectively mitigate the potential incident and restore access to all software and services as quickly as possible, school and remote learning activities are canceled for the remainder of today, Thursday, October 8th, 2020. It is anticipated that the risk will be cleared and resolved in the near future so that remote learning may continue.”

While it remains unclear if the cyberattack has been fully contained, the latest Springfield Public Schools post announced that remote learning will resume October 9.

Former Medical Transcriptionist Accused of Trying to Extort Toronto Hospital Using Stolen Patient Data

Personal information of roughly 150 patients of Toronto-based St. Michael’s Hospital has been stolen in a data breach, allegedly by a former third-party employee accused of taking it while on duty.

According to a letter obtained by a local news channel, Unity Health Toronto, the entity overseeing three Catholic hospitals in the city, including St. Michael’s, learned of the incident on May 13.

“We learned that a former employee of the company had taken and kept copies of several reports that he had transcribed,” the letter reads. “The former employee held onto the reports improperly after his employment with the company ended.”

The transcribed clinical notes dictated by St. Michael’s physicians were allegedly used to extort payment from the company. Although the reports included no financial information or insurance numbers, the rogue employee allegedly stole sensitive patient data such as full names, medical and family history, diagnosis, treatment plans and medication.

On Wednesday, St. Michael’s Hospital officials said that the incident was reported to local law enforcement and Ontario’s privacy watchdog.

“St. Michael’s Hospital is working with the outside vendor responsible for this incident to learn more about what happened and what steps they are taking to fix it,” the statement reads. “We take this matter seriously and have notified all impacted patients.”

Moreover, Unity Health Toronto reported that police officials seized the computer on which the reports were stored. Unity Health said that they have enhanced information security practices and trained staff on patient data confidentiality and proper use of patient information to prevent future incidents.

As a side note, the latest alert posted on Unity Health’s official website is warning patients of fake text messages requesting personal information.

“Please do not respond and if you have any questions, direct them to your health care team,” Unity Health said. “Unity Health Toronto does not send unsolicited emails, text messages, nor make telephone calls asking for information, such as a photo of your health card.”

COVID-19 Vaccine Trials Slowed Down by a Ransomware Attack

eResearchTechnology, a company that offers clinical services and builds software used by the biomedical industry, was hit by a ransomware attack on September 20. Due to the extensive use of its tool by companies involved in Coronavirus research worldwide, the attack slowed down the research itself.

People eagerly await any new development related to COVID-19 research, particularly vaccines and quick tests. Cybercriminals usually have other plans, and they often hit industries involved in critical tasks. Ransomware is often wielded in these situations because such organizations could be more inclined to pay the ransom.

The company didn’t report the initial attack, and details only came to light in a New York Times report. Drew Bustos, ERT’s vice president of marketing, admitted that the ransomware incident took place on September 20, after which they called security experts and notified the FBI.

eResearchTechnology makes software used in numerous clinical trials, including by companies actively working to develop Coronavirus vaccines and therapeutics. That includes IQVIA, an organization that manages AstraZeneca’s COVID vaccine trial, and Bristol Myers Squibb, a pharmaceutical company working to develop a quick test.

Bustos also said systems are finally coming back online and should be working in the coming days. This means that it took them more than two weeks to fix the problem. It’s unclear whether the company paid the ransom or had other means to restore services.

While the cybersecurity incident didn’t stop the trials and therapeutics’ development, it likely prompted a slowdown. The ransomware attacks didn’t affect other vaccine trials, like those of Pfizer and Johnson & Johnson.

Unfortunately, this is not the first time a cybersecurity incident has hindered COVID-19 vaccine development. Just a few months ago, law enforcement agencies including NCSC, CSE, DHS CISA and the NSA issued a joint advisory regarding recent activities of APT29 targeting organizations from the US, UK and Canada involved in COVID-19 research.

Emotet Is Back and It’s Targeting Local and State Governments, CISA Warns

The Emotet botnet is picking up steam again, according to an advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA). The agency directly warns state and local governments because they appear to be the main targets.

Emotet is a trojan that spreads mainly through phishing campaigns and links. When the victim clicks on the link, the payload launches and the malware attempts to proliferate within a network by brute-forcing user credentials and writing to shared drives.

“Emotet resurged in July 2020, after a dormant period that began in February,” says the advisory. “Since August, CISA and MS-ISAC have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails. This increase has rendered Emotet one of the most prevalent ongoing threats.”

Due to the malware’s design, Emotet continues to persist because it can infect entire networks. Moreover, it uses modular Dynamic Link Libraries to evolve and update its capabilities continuously.

CISA’s intrusion system has detected approximately 16,000 alerts related to Emotet activity since July 2020. The campaign has used Microsoft Word email attachments in phishing emails as the principal infection vector, and the situation drastically changed in August as “security researchers observed a 1,000 percent increase in downloads of the Emotet loader.”

The US isn’t the only country targeted by campaigns, with Canada, France, Japan, New Zealand, Italy and the Netherlands observing similar incidents.

CISA also released signatures to allow cybersecurity companies to detect the threat more easily and published a huge list of possible mitigations, some of which are useful in many situations, not only for Emotet.

  • Block email attachments commonly associated with malware (e.g., .dll and .exe).
  • Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
  • Implement Group Policy Object and firewall rules.
  • Implement an antivirus program and a formalized patch management process.
  • Implement filters at the email gateway and block suspicious IP addresses at the firewall.
  • Adhere to the principle of least privilege.
  • Implement a Domain-Based Message Authentication, Reporting & Conformance validation system.
  • Segment and segregate networks and functions.
  • Limit unnecessary lateral communications.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Enforce multi-factor authentication.
  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.
  • Enable a firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to suspicious or risky sites.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  • Scan all software downloaded from the internet prior to executing.
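The “true file type” check in the list above (extension versus file header) is easy to get wrong in practice; the following is an added example of how a mail gateway filter could implement it together with the list’s extension-based blocks. It is not CISA’s tooling: the signature table, the allow/block policy and the sample attachment bytes are all constructed for illustration.

```python
"""Attachment 'true file type' check (added example, not CISA's own tooling).

Compares an attachment's declared extension against the file-header
signature of its bytes, as the CISA mitigation list recommends, and applies
the list's extension-based blocks on top.  The signature table, policy and
sample attachments below are constructed for illustration.
"""
from dataclasses import dataclass

# Magic-byte signatures: (prefix, detected type).  The prefixes do not overlap.
SIGNATURES = [
    (b"MZ", "pe"),                                   # .exe / .dll (PE image)
    (b"PK\x03\x04", "zip"),                          # .zip and OOXML (.docx, .xlsx)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc / .xls
    (b"%PDF", "pdf"),
]

# Which detected types each extension may legitimately carry.
EXPECTED = {
    "exe": {"pe"}, "dll": {"pe"},
    "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"},
    "doc": {"ole"}, "xls": {"ole"},
    "pdf": {"pdf"},
}

# Extensions the CISA list blocks outright, and those it blocks because
# antivirus cannot scan their contents.
BLOCKED_EXECUTABLE = {"exe", "dll"}
BLOCKED_UNSCANNABLE = {"zip"}

@dataclass
class Verdict:
    filename: str
    extension: str
    detected: str      # "pe", "zip", "ole", "pdf" or "unknown"
    action: str        # "allow", "block" or "quarantine"
    reason: str

def detect_type(data: bytes) -> str:
    """Identify the file type from its leading bytes, ignoring the name."""
    for prefix, kind in SIGNATURES:
        if data.startswith(prefix):
            return kind
    return "unknown"

def check_attachment(filename: str, data: bytes) -> Verdict:
    """Apply the extension blocks, then compare header against extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = detect_type(data)
    if ext in BLOCKED_EXECUTABLE:
        return Verdict(filename, ext, detected, "block", "executable extension")
    if ext in BLOCKED_UNSCANNABLE:
        return Verdict(filename, ext, detected, "block", "archive cannot be scanned")
    # A renamed executable (invoice.pdf whose bytes start with MZ) is exactly
    # the mismatch the 'true file type' check exists to catch.
    if detected == "pe":
        return Verdict(filename, ext, detected, "quarantine", "PE header under non-executable extension")
    if ext in EXPECTED and detected not in EXPECTED[ext]:
        return Verdict(filename, ext, detected, "quarantine", f"header says {detected}, extension says .{ext}")
    return Verdict(filename, ext, detected, "allow", "header matches extension")

# Constructed attachments: the bytes are illustrative stubs, not real files.
SAMPLES = {
    "report.docx": b"PK\x03\x04" + b"\x00" * 16,
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 16,     # renamed executable
    "macro.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,
    "update.exe": b"MZ\x90\x00",
    "photos.zip": b"PK\x03\x04",
    "notes.pdf": b"PK\x03\x04",                       # archive under a .pdf name
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        v = check_attachment(name, blob)
        print(f"{name:12} -> {v.action:10} ({v.reason})")
```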

FBI Warns Teleworkers of the Risks of Using Hotel Wi-Fi Networks

With physical offices shifting to a virtual environment during the pandemic, most remote workers can work from anywhere – café, a hotel or even a mountain lodge.

However, this newfound mobility has drawbacks. Working from public locations with unsecured Wi-Fi connections could lead to the compromise of personal and company data.

The latest Federal Bureau of Investigation (FBI) public service announcement warns citizens to be careful when using wireless hotel networks for remote work.

“The FBI has observed a trend where individuals who were previously teleworking from home are beginning to telework from hotels,” the announcement reads.

“US hotels, predominantly in major cities, have begun to advertise daytime room reservations for guests seeking a quiet, distraction-free work environment. While this option may be appealing, accessing sensitive information from hotel Wi-Fi poses an increased security risk over home Wi-Fi networks.”

By exploiting the lack of necessary safeguards against cyberattacks, criminals can target hotel networks to gather sensitive guest information, such as names and credit card information.

Cybercriminals could even create a malicious network (“evil twin attack”) masquerading as the hotel’s network to steal private data or take over the guest’s device.

“Hotel networks are often built favoring guest convenience over robust security practices,” the FBI added. “Smaller hotels will often post placards at the service desk stating the password for Wi-Fi access, and change this password very infrequently.”

With no industry standard to impose secure Wi-Fi access, people working from a hotel should adhere to good cybersecurity practices to minimize the risks of using these wireless networks.

The risks increase with old or outdated equipment often found in some hotels. However, the FBI highlights that, even if a hotel’s network system uses modern equipment, a “guest has no way of knowing how frequently the hotel is updating the firmware of that equipment or whether the hotel has changed the equipment’s default passwords.”

Additionally, connecting a personal or business device to an unsecured hotel network could allow bad actors to compromise the device and access the employee’s business network to deploy malware and ransomware.

The signs of device compromise may include:

• Sudden slowdowns of your mobile devices such as phones, tablets or laptops
• Websites automatically redirect away from the initial website
• The mouse cursor moves on its own
• Apps installed on the device launch without your consent
• Increased pop-up advertising
• Sudden data usage increase
• Unusual battery drain
• Unexplained outgoing calls, texts and emails

If you suspect your device may have been compromised, the alert advises you to immediately disconnect the device from the network and turn off Wi-Fi and Bluetooth connections. Never forward suspicious emails or files, and notify your corporate IT department of the malicious activity. It’s also recommended to report any cyberattacks and scams directly to the Internet Crime Complaint Center at IC3.gov.

Following good cybersecurity practices can minimize risks associated with using hotel Wi-Fi for telework. If you are thinking of working from a hotel, here’s a list of recommended practices:

• Use a Virtual Private Network while working to encrypt network traffic
• If possible, use your phone data instead of the hotel Wi-Fi network for telework
• Make sure your device operating systems and software are up to date, and back up any important data
• Install a local security solution
• Avoid accessing banking websites or making online purchases while connected to the network
• Disable the Bluetooth connection on your device
• Enable multi-factor or two-factor authentication when logging into your accounts

VISA Warns of POS Malware Campaigns in North America

Visa Payment Fraud Disruption (PFD) has warned of a malware campaign targeting point-of-sale (POS) terminals, as cybercriminals have a clear strategy to steal card data.

Credit card data sells at a premium on the dark web, and stealing it straight from POS devices is the shortest route for criminals. Less sophisticated attacks, such as phishing, take longer. On the other hand, compromising POS devices is more difficult, requires technical knowledge, and relies on tooling that is not widely available.

Attackers targeted two companies in North America. A successful phishing campaign allowed criminals to log in using legitimate user accounts, including an administrator account. With those credentials, the bad actors used administrative tools to access the cardholder data environment (CDE) within the merchant’s network.

“Once access to the CDE was established, the actors deployed a memory scraper to harvest track 1 and track 2 payment account data, and later used a batch script to mass deploy the malware across the merchant’s network to target various locations and their respective POS environments,” notes VISA in the advisory.

“The memory scraper harvested the payment card data and output the data into a log file. At the time of analysis, no network or exfiltration functions were present within the sample. Therefore, the actors would likely remove the output log file from the network using other means.”

The second attack, on a different merchant, was more sophisticated, as the criminals used the malware variants RtPOS, MMon (aka Kaptoxa) and PwnPOS. According to VISA, much less is known about the methods employed in this attack, because the company could not recover the malware used.

VISA also published the indicators of compromise for each incident and a list of best practices:

• Employ the IOCs contained in the report to detect, remediate and prevent attacks using the POS malware variant.

• Secure remote access with strong passwords, ensure only the necessary individuals have permission for remote access, disable remote access when not needed, and use two-factor authentication for remote sessions.

• Enable EMV technologies for secure in-person payments (chip, contactless, mobile and QR code).

• Provide each admin user with individual credentials. User accounts should also only be provided with the permissions vital to the job responsibilities.

• Turn on heuristics (behavioral analysis) on anti-malware to search for suspicious behavior, and update anti-malware applications.

• Monitor network traffic for suspicious connections and log system and network events.

• Implement Network Segmentation, where possible, to prevent the spread of malicious software and limit an attacker’s foothold.

• Maintain a patch management program.
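The advisory notes that the memory scraper wrote harvested track 1 and track 2 data to a log file on the merchant’s network, and the practices above ask defenders to monitor for exactly that kind of artifact. The following is an added example (not Visa’s tooling and not the IOCs from its report) of a file scanner that recognises the ISO/IEC 7813 track layouts, confirms each PAN with the Luhn check to cut false positives, and reports only a masked PAN; the log lines it runs over are constructed and use the well-known 4111… test number.

```python
"""Detector for payment-card track data left in files (added example; not
Visa's tooling and not the IOCs from its advisory).

Scans text for track 1 and track 2 layouts, keeps only Luhn-valid PANs and
reports them masked so the detector never re-exposes card data.  The sample
log at the bottom is constructed.
"""
import re

# Track 2: ;PAN=YYMM + 3-digit service code + discretionary data ?
TRACK2 = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Track 1 (format B): %B PAN ^ NAME ^ YYMM + service code + discretionary ?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")

def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check on a digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the usual PCI DSS display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(text: str):
    """Return findings as (line_no, track, masked_pan, expiry_yymm, service_code).

    Only Luhn-valid PANs are reported; everything else is treated as noise.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in TRACK1.finditer(line):
            pan, yy, mm, svc = m.group(1), m.group(3), m.group(4), m.group(5)
            if luhn_ok(pan):
                findings.append((no, 1, mask_pan(pan), yy + mm, svc))
        for m in TRACK2.finditer(line):
            pan, yy, mm, svc = m.group(1), m.group(2), m.group(3), m.group(4)
            if luhn_ok(pan):
                findings.append((no, 2, mask_pan(pan), yy + mm, svc))
    return findings

# Constructed sample of what a scraper's output log might contain.
SAMPLE_LOG = "\n".join([
    "2020-09-01 10:02:11 pid=4120 proc=pos.exe",
    "%B4111111111111111^DOE/JOHN^25121011000000000?",
    ";4111111111111111=25121011000000000000?",
    ";4111111111111112=25121011000000000000?",   # fails Luhn: not reported
    "2020-09-01 10:02:12 scan complete",
])

if __name__ == "__main__":
    for line_no, track, pan, exp, svc in find_track_data(SAMPLE_LOG):
        print(f"line {line_no}: track {track} PAN {pan} exp {exp} svc {svc}")
```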

FBI and CISA Warn of Spoofed Website Domains and Emails Exploiting the 2020 Election

The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint warning to help Americans spot spoofed election-related domains and email accounts that subject them to the risks of cybercrime and disinformation.

The alert, part of a series of public service announcements meant to prepare the American electorate for a cyber-safe election year, teaches people how to avoid becoming a victim of cybercriminals.

Domain spoofing is an effective tool used by cybercriminals to gather sensitive information such as usernames, passwords and email addresses or spread malware that could lead to financial and data compromise.

“Cyber actors set up spoofed domains with slightly altered characteristics of legitimate domains,” the alert reads. “A spoofed domain may feature an alternate spelling of a word (“electon” instead of “election”), or use an alternative top-level domain, such as a “[.]com” version of a legitimate “[.]gov” website.”

The FBI and CISA say citizens could unintentionally visit these spoofed websites when seeking information about the 2020 election, or receive official-looking emails that harbor malicious files or links.

It’s imperative for citizens to carefully analyze websites they visit and email correspondence they receive. Below is a list of helpful recommendations:

• Check the spelling of websites and email addresses that may closely imitate legitimate election websites
• Seek information from trustworthy sources only, such as The Election Assistance Commission (https://www.eac.gov)
• Ensure all operating systems and apps are up to date
• Use security solutions on your internet-enabled devices
• Don’t enable macros on documents downloaded from an email unless necessary. If you must, make sure the file is not malicious
• Disable or remove unnecessary software from devices
• Enable two-factor authentication where possible
• Never access emails or attachments from unknown individuals and don’t communicate with unsolicited email senders
• Never give out personal information via email, phone or links
