Conti ransomware attack demands $14 million from industrial IoT firm Advantech

  • Ransomware encrypts internal network, and data stolen
  • 2% of stolen data published by attackers on dark web

The world’s largest maker of industrial computers, Taiwan’s Advantech, has reportedly been hit by a ransomware attack – with cybercriminals demanding a ransom worth approximately US $14 million for a decryption key, and to prevent the public leaking of stolen data.

According to local media reports, Advantech identified earlier this month that its internal network had been compromised by hackers, and although action was taken to stem the spread of the attack it was not enough to prevent the theft of data and the encryption of some databases.

It is claimed that the attackers have demanded a ransom payment of 750 Bitcoins (worth approximately US $14 million at current exchange rates) from the firm, which is a world leader in industrial IoT (IIoT) solutions.

Although Advantech has not confirmed details of the type of malware that has locked up its data, it has been suggested that it has fallen victim to the Conti ransomware.

The Conti ransomware differs from some other ransomware, as it is designed to be activated by hackers who have already compromised a computer system, rather than being launched via a malicious email attachment or download.

Because of this it is possible for an attacker who has been present on a compromised network for some time, gathering information about the company’s infrastructure, to target specific parts of the network for attack, potentially reducing the chances of being spotted in the act, and further frustrating recovery by a company’s IT team.

Bleeping Computer reports that the Conti ransomware gang published an archive of over 3GB of data – said to be just 2% of the total information stolen from Advantech – on the dark web at the end of last week, after the firm failed to give in to the criminals’ ransom demands.

The risk is, of course, that not only will Advantech’s operations be disrupted by the ransomware attack, and sensitive data be leaked into the public domain, but also that its reputation with customers and partners will suffer serious damage as a consequence of the data breach.

At the end of October, the US government issued an updated warning about the threat posed by ransomware against the US healthcare industry, specifically calling out the Conti ransomware, and its close cousin Ryuk.

Other recent alleged victims of the Conti ransomware include coffee machine maker De’Longhi and customer information firm Ixsight Technologies.

COVID Vaccine Maker AstraZeneca Targeted by Alleged North Korean Hackers

Reuters today is running a story saying “suspected” North Korean hackers have targeted employees at British drugmaker AstraZeneca in an attempt to infect their computers with malware. The company is one of the leading groups developing a promising COVID-19 vaccine.

Two people with knowledge of the matter who asked to remain anonymous said the hackers posed as recruiters on LinkedIn and WhatsApp and approached AstraZeneca staff with fake job offers. The documents purporting to be job descriptions were laced with “malicious code designed to gain access to a victim’s computer,” according to the report.

Though they were not successful, the attacks targeted a broad set of employees, including those working on COVID-19 research. The North Korean mission to the United Nations in Geneva reportedly declined to comment on the allegations.

The sources told Reuters “the tools and techniques used in the attacks showed they were part of an ongoing hacking campaign that U.S. officials and cybersecurity researchers have attributed to North Korea.”

The attack bears similarities to recent hacking campaigns against defense companies and media organizations, investigators said.

Microsoft issued an advisory this month warning that two North Korean hacking groups were targeting COVID vaccine developers in several countries. Their modus operandi, Microsoft said, was “sending messages with fabricated job descriptions.”

North Korea has been blamed for some of the most prominent cyber incidents, including the 2014 attack on Sony Pictures deployed in retaliation for the blockbuster movie “The Interview,” the global WannaCry ransomware pandemic in 2017, and many others.

Earlier this year, the US Departments of State, Treasury and Homeland Security, as well as the FBI, released a report offering guidance on the emerging North Korean cyber threat, highlighting the malicious activities of state-funded hacking groups.

The US government at the time offered a $5 million reward “for information leading to the identification of any individual who, at the direction of or under control of the North Korean government, aids or abets a violation of the Computer Fraud and Abuse Act.”

Fertility Patients’ Sensitive Personal Information Stolen During Ransomware Attack

  • US Fertility network took two months to go public about attack.
  • Health information of patients may be at risk.

Fertility clinics across the United States have been struck by a ransomware attack that has not only encrypted networks, but also stolen patients’ sensitive personal and medical information.

US Fertility, a network of fertility clinics which boasts 55 locations across the United States, has revealed that it became aware ransomware had infected its network on September 14 2020, encrypting data on servers and workstations.

The company says that third-party experts were able to help it restore its systems six days later, but that a subsequent investigation has determined that a “limited number of files” had been accessed by an unknown hacker between August 12 2020, and the activation of the ransomware on September 14.

Such tactics are not unusual in modern ransomware attacks, where criminal gangs increase pressure on their victims by not only locking them out of their organisation’s computer systems by encrypting data, but also stealing sensitive files with the threat of publishing them online or selling them on to others.

The company warned that the security breach might “affect the security of certain individuals’ protected health information.”

According to US Fertility, the types of data accessed by the attackers included patients’ names, addresses, phone numbers, email addresses, dates of birth, medical record numbers (MPI), and – in some cases – social security numbers.

The fertility clinics affected by the attack are listed in US Fertility’s press release.

US Fertility CEO Mark Segal apologised for the security breach occurring, and said that the firm was committed to safeguarding the privacy and security of information patients entrusted to it:

“We take this incident very seriously and are committed to protecting the security and confidentiality of health information we gather in providing services to individuals.”

The firm has set up a dedicated call center for patients who have questions or concerns.

One question I would have is just why it has taken over two months for the business to share its news about a security breach. The arrival of the bad news does seem somewhat conveniently timed, coming as it does just as most Americans are enjoying the Thanksgiving holiday.

It may not be the case that US Fertility deliberately held back public disclosure until now in order to try to minimise publicity around the successful attack on their computer systems, but it certainly looks that way.

No doubt US Fertility would say that it was waiting until it completed its investigation, wanting to know the extent of the problem, and just how many patients may have been impacted (although, tellingly, they have chosen not to share that figure).

I have some sympathy for companies wanting to know all the facts before they share them with the world, but I lean much more towards telling potentially infected individuals that there might be a problem, and that they should be on their guard against possible attacks exploiting potentially stolen data.

Every Day Should Be International Computer Security Day

For the past 32 years, Computer Security Day has been held every November 30 to remind internet users of the importance of protecting all internet-connected devices, as well as personal and business information, from malicious attacks and unauthorized access to data.

This year we’re celebrating a bit early, as a means to raise awareness and provide meaningful insights on how to maintain online security for future digital endeavors.

There’s never been a better time to catch up on good cybersecurity practices, as malware attacks and data breaches make headlines on a daily basis, serving as a constant reminder of the active role users play in computer security.

Bitdefender is constantly monitoring the state of cyber-threats and malware, which have adapted to suit the events surrounding the ongoing health crisis.

Phishing attacks and spam

From coronavirus-themed spam and malspam to fraudulent offers and charities, bad actors continue to trick victims into providing sensitive information or installing malware on their devices. Spikes in coronavirus-themed spam were noticed in March, and the focus on phishing emails has not diminished over time, with an average of 60% of all emails received between May and June marked as fraudulent, according to Bitdefender telemetry.

Malware attacks and ransomware

Spikes in malware attacks across all platforms were also noticed, as cybercriminals exploited fear and misinformation alongside the increased number of employees working from home.

Although the attacks focused more on social engineering and less on sophisticated types of malware, the 2020 threat landscape shows cybercriminals’ versatility in deploying their schemes.

Ransomware families continue to rise and fine-tune their attacks, with Sodinokibi (also known as REvil or Sodin), Maze, DoppelPaymer and Nemty continuing to pose risks for businesses and consumers worldwide. Fileless malware, exploits and banking Trojans also made this year’s threat list. Throughout April, May and June, info-stealing banking Trojans such as Emotet and Trickbot accounted for 64.52 percent of all banker reports during the first half of 2020.

Android-based attacks

During the health crisis, internet use surged, with recent studies finding that seven in 10 internet users spend more time on mobile phones and laptops than in 2019. Moreover, work-from-home and social distancing measures seem to have bolstered cybercriminal activity targeting Android devices. Restrictions brought on by the pandemic show that users started downloading more and more applications from untrusted sources, including a malicious version of popular video-conferencing app Zoom used to infect devices with malware.

Internet of things at risk

Suspicious IoT incidents also increased 46% between January and June, proving the relentlessness of bad actors exploiting lockdown conditions. Although smart devices and gadgets such as smart TVs, security cameras, baby monitors, smart locks and thermostats add comfort and convenience to our lives, the advent of internet-connected devices has also created new attack vectors for cybercriminals. 55.73% of all identified network incidents within households were port-scanning attacks looking for vulnerable devices that could be used to compromise a network. Additionally, 22.62% of attacks involved password-stealing attempts via HTTP, where bad actors aim to capture plaintext credentials sent over unencrypted connections.

How to protect against phishing attacks and scams

  • Check the sender’s address before opening the email
  • Never download attachments from unsolicited messages that create a sense of urgency
  • Examine the message closely and check the grammar before clicking on any links with offers and deals
  • Don’t give personal or financial information to individuals who contact you via email, social media, phone or text messages
  • Use strong and unique passwords for all of your online accounts
  • Use a security solution with an antispam filter to block phishing attempts
  • Delete and report any unsolicited or suspicious email with your service provider

How to protect against ransomware

  • Back up your data periodically in the cloud or on a local storage device that is not directly connected to your system. If your system gets infected with ransomware, you don’t have to worry about losing precious data or paying ransom for a decryption key.
  • Monitor your email activity for unsolicited emails and never click on suspicious links or ads. Most ransomware is delivered via email attachments with carefully crafted spam messages that entice users to click on or download malicious files on their devices. Thus, screening inboxes for phishing emails becomes one of the most important steps you can take to prevent ransomware infections and financial losses.
  • Keep your systems and applications up to date to avoid infections exploiting vulnerabilities in third-party plugins or apps
  • Stick to trusted sources when downloading a new app to avoid corrupt applications that steal and encrypt your data

How to protect IoTs and secure your smart home

  • Secure your router by using a strong encryption method such as WPA2 for your Wi-Fi network, together with a strong password.
  • Change the default credentials on all of your smart devices, choosing strong and unique passwords, to prevent cybercriminals from accessing your IoT devices
  • Change and update the default settings for smart devices and disable features that you don’t need
  • Keep software up to date and enable two-factor (2FA) or multi-factor (MFA) authentication for your smart apps and online accounts, where possible

Even the most cyber-savvy individuals can have a hard time fending off cyber threats. On top of adopting good cyber-hygiene practices, running a security solution that can detect emerging ransomware, block malware and filter spam can help you create a safe ecosystem for all of your internet-enabled devices.

Home Depot Hiring Security Chief Six Years After Major Security Incident

Home Depot has agreed to pay $17.5 million as part of a multistate lawsuit settlement following a cyber incident that occurred six years ago. As part of the settlement, the home improvement retailer is finally hiring its first chief information security officer (CISO).

A press release from the New York Attorney General’s office says the multistate agreement with Home Depot resolves an investigation into a 2014 data breach that compromised payment card information of approximately 40 million consumers in 46 US states plus the District of Columbia.

In 2014, hackers gained access to Home Depot’s network and deployed malware on the company’s self-checkout point-of-sale system. Once in, they obtained payment card information of customers who used self-checkout lanes at the retailer’s stores throughout the US between April 10 and September 13 of that year.

The agreement obliges Home Depot to pay the 46 affected states and the District of Columbia a total of $17.5 million. New York State, for its part, gets $597,459.80 out of the deal.

In addition to the financial settlements, Home Depot also agreed to take a series of steps to strengthen its cybersecurity posture. According to the press release, those measures include:

  • Employing a duly qualified chief information security officer — reporting to both senior or C-level executives and the board of directors regarding The Home Depot’s security posture and security risks;
  • Providing resources necessary to fully implement the company’s information security program;
  • Providing appropriate security awareness and privacy training to all personnel who have access to the company’s network or responsibility for U.S. consumers’ personal information;
  • Employing specific security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management; and
  • Undergoing a post settlement information security assessment — consistent with previous state data breach settlements — that, in part, will evaluate its implementation of the agreed upon information security program.

While these provisions are certainly welcome news, it’s unclear why the retail behemoth waited six full years to open a CISO position following such a serious cyber incident.

FBI Warns of Spoofed Domains Imitating their Website

Cyber actors have spoofed legitimate FBI websites in an effort to trick people, possibly by disseminating false information or gathering credentials, according to an FBI advisory.

Spoofing official domains, whether they belong to private companies or public institutions, is just one of many steps cybercriminals take before launching an attack. In this case, the FBI noticed that unnamed actors registered numerous domains that imitate its official URL. In most cases, the attackers simply combine the letters FBI with other words under entirely different domain names.

“Spoofed domains and email accounts are leveraged by foreign actors and cybercriminals and can easily be mistaken for legitimate websites or emails,” says the FBI. “Adversaries can use spoofed domains and email accounts to disseminate false information; gather valid usernames, passwords, and email addresses; collect personally identifiable information; and spread malware, leading to further compromises and potential financial losses.”

The attackers changed the top-level domain of some names from .gov to .org or .com. They also added other words, producing results like ‘cyber-crime-fbi.org’, ‘agenciafbi.ga’, ‘fbi.systems’ and many others. While it’s possible to train security solutions to recognize spoofed domains, it’s also up to users to pay close attention to the links they open.
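A defender-side lookalike check for the patterns the advisory describes (TLD swapped, brand used as a suffix, brand embedded in a longer label). This is an added example, not code from the FBI or the article; the official domain, the brand token, the short suffix table and the sample host list are assumptions, with the sample hosts taken from the names quoted above.

```python
"""Flag host names that impersonate an official brand domain (added example)."""
import re

OFFICIAL_DOMAIN = "fbi.gov"   # assumed: the legitimate domain being impersonated
BRAND_TOKEN = "fbi"           # assumed: the brand string attackers embed

# Constructed stand-in for the Public Suffix List; a real deployment should use
# the full list so that e.g. 'brand.co.uk' is split correctly.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "gov.uk", "org.uk"}


def registrable_domain(host: str) -> str:
    """Return the registrable part of a host name ('www.fbi.gov' -> 'fbi.gov')."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(host: str):
    """Return (verdict, reason): verdict is 'official', 'lookalike' or 'unrelated'.

    Reasons mirror the advisory's patterns:
      tld-swap        brand kept, suffix changed      (fbi.org, fbi.systems)
      brand-as-word   brand is a separate word        (cyber-crime-fbi.org)
      embedded-brand  brand glued into another word   (agenciafbi.ga)
    """
    reg = registrable_domain(host)
    if reg == OFFICIAL_DOMAIN:
        return ("official", "")
    sld = reg.split(".")[0]                      # second-level label only
    if sld == BRAND_TOKEN:
        return ("lookalike", "tld-swap")
    if re.search(rf"(^|[^a-z0-9]){BRAND_TOKEN}([^a-z0-9]|$)", sld):
        return ("lookalike", "brand-as-word")
    if BRAND_TOKEN in sld:
        return ("lookalike", "embedded-brand")
    return ("unrelated", "")


def flag_lookalikes(hosts):
    """Return [(host, reason)] for every host judged to be a lookalike."""
    out = []
    for h in hosts:
        verdict, reason = classify(h)
        if verdict == "lookalike":
            out.append((h, reason))
    return out


# Constructed sample: the official site, the three names quoted in the article,
# and one unrelated domain.
SAMPLE_HOSTS = [
    "www.fbi.gov",
    "cyber-crime-fbi.org",
    "agenciafbi.ga",
    "fbi.systems",
    "example.com",
]

if __name__ == "__main__":
    for host, reason in flag_lookalikes(SAMPLE_HOSTS):
        print(f"{host:25s} {reason}")
```

The substring rule deliberately errs on the side of flagging, so any unrelated word that happens to contain the brand letters will also be reported; pair it with an allowlist before acting on the output.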

The FBI also issued several simple recommendations, such as keeping operating systems and applications updated to the most current versions, updating anti-virus and anti-malware solutions to their latest versions, regularly conducting network scans, and verifying that a visited website has a Secure Sockets Layer (SSL) certificate.

Spoofing URLs is not exclusive to government agencies, and many companies, especially the bigger ones, face this problem every day. It’s one of many tools in the hacker’s arsenal, and it’s especially effective in phishing campaigns.

Over 300,000 Spotify Accounts Compromised in Credential-Stuffing Attack

An Elasticsearch database with over 380 million records, including login credentials, was used to target Spotify accounts, according to vpnMentor researchers.

Although the origin and owners of the leaked database are unknown, researchers speculate that hackers may have collected the data from previously breached platforms, and used it in credential-stuffing attacks against Spotify platform users.

“The incident didn’t originate from Spotify,” researchers said. “The exposed database belonged to a 3rd party that was using it to store Spotify login credentials. These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify.”

The database contained over 72 GB of data, such as verified Spotify account usernames, passwords, email addresses, country of residence and, in some instances, IP addresses. However, the IP addresses are believed to have originated from “proxy servers belonging to the operators of the network on which the database was hosted.”

Researchers notified Spotify on July 9, which immediately prompted a mandatory password reset for all affected users.

“Working with Spotify, we confirmed that the database belonged to a group or individual using it to defraud Spotify and its users,” the report said. “We also helped the company isolate the issue and ensure its customers were safe from attack.”

Risks associated with the leak

As with any credential-stuffing attack or data breach, affected users should be wary of phishing emails sent to trick them into exposing additional personal or financial information.

It’s also recommended to reset the passwords for all online accounts that shared the login credential combination with Spotify, to avoid account takeover, fraud, and identity theft. “Fraudsters could use the exposed emails and names from the leak to identify users across other platforms and social media accounts,” the researchers added. “With this information, they could build complex profiles of users worldwide and target them for numerous forms of financial fraud and identity theft.”
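The pattern a service sees during a stuffing run like the one described above is one source trying many different usernames in a short window, with most attempts failing because leaked credentials are stale. The detection below is an added example (not code from vpnMentor, Spotify or the article) that scans constructed login records for that pattern and lists the accounts that did succeed from a flagged source, which are the ones to force a password reset on; the log format, field names and thresholds are assumptions.

```python
"""Detect credential-stuffing sources in login logs (added example)."""
from collections import defaultdict
from datetime import datetime
import re

# Assumed log format: "<ISO timestamp> ip=<addr> user=<name> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Thresholds are assumptions; tune them to the service's normal traffic.
MIN_DISTINCT_USERS = 5     # a real user rarely tries this many different accounts
MIN_FAIL_RATIO = 0.8       # leaked lists are mostly stale, so most attempts fail
MAX_WINDOW_SECONDS = 600   # ... and all of that inside ten minutes


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "ok"}


def find_stuffing_sources(lines):
    """Return {ip: summary} for sources whose activity matches the stuffing pattern."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window anchored at each attempt; quadratic but fine for a demo.
        for start, first in enumerate(recs):
            window = [r for r in recs[start:]
                      if (r["ts"] - first["ts"]).total_seconds() <= MAX_WINDOW_SECONDS]
            users = {r["user"] for r in window}
            failures = sum(1 for r in window if not r["ok"])
            if len(users) >= MIN_DISTINCT_USERS and failures / len(window) >= MIN_FAIL_RATIO:
                flagged[ip] = {
                    "attempts": len(window),
                    "distinct_users": len(users),
                    "failures": failures,
                    # accounts the attacker actually got into from this source
                    "compromised": sorted(r["user"] for r in window if r["ok"]),
                }
                break
    return flagged


def accounts_to_reset(lines):
    """Accounts that logged in successfully from a flagged source: force a reset."""
    out = set()
    for summary in find_stuffing_sources(lines).values():
        out.update(summary["compromised"])
    return out


# Constructed sample log: one legitimate user who mistypes once, and one source
# walking through a leaked list and hitting a single still-valid password.
SAMPLE_LOG = """\
2020-07-09T10:00:00Z ip=203.0.113.5 user=alice@example.com result=fail
2020-07-09T10:00:07Z ip=203.0.113.5 user=alice@example.com result=ok
2020-07-09T10:01:00Z ip=198.51.100.23 user=u1@example.com result=fail
2020-07-09T10:01:01Z ip=198.51.100.23 user=u2@example.com result=fail
2020-07-09T10:01:02Z ip=198.51.100.23 user=u3@example.com result=fail
2020-07-09T10:01:03Z ip=198.51.100.23 user=bob@example.com result=ok
2020-07-09T10:01:04Z ip=198.51.100.23 user=u4@example.com result=fail
2020-07-09T10:01:05Z ip=198.51.100.23 user=u5@example.com result=fail
2020-07-09T10:01:06Z ip=198.51.100.23 user=u6@example.com result=fail
2020-07-09T10:01:07Z ip=198.51.100.23 user=u7@example.com result=fail
2020-07-09T10:01:08Z ip=198.51.100.23 user=u8@example.com result=fail
"""

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG.splitlines()))
    print("reset:", accounts_to_reset(SAMPLE_LOG.splitlines()))
```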

Manchester United Calls in Experts to Investigate Targeted Cyber-Attack on Its Systems

Manchester United played West Bromwich Albion as scheduled on Saturday, despite a recent cyber-attack on United, officials said. The football club has enlisted the help of cybersecurity pros to investigate what appears to be a targeted attack.

United said it took swift action to contain the incident, although it found no signs of any breach of personal data.

The club is now “working with expert advisers to investigate the incident and minimize the ongoing IT disruption,” it said in a press release last week, right before its friendly game against West Bromwich Albion.

“Club media channels, including our website and mobile app, are unaffected and we are not currently aware of any breach of personal data associated with our fans or customers,” the club said. “All critical systems required for matches to take place at Old Trafford remain secure and operational and tomorrow’s game against West Bromwich Albion will go ahead.”

While it refuses to answer media inquiries, United has disclosed one key detail about the incident – that it was by no means accidental.

“Although this is a sophisticated operation by organized cyber criminals, the club has extensive protocols and procedures in place for such an event and had rehearsed for this risk,” it said Friday. “Our cyber defenses identified the attack and shut down affected systems to contain the damage and protect data.”

The Register was eager to learn what type of cyber threat United faced last week (i.e. ransomware) but the spokesman reportedly said “there was nothing further to add at this stage,” according to the news site.

Considering the British site’s reporting, one might think the club is overly secretive about the hack on its systems. However, it’s common to withhold all technical details pertaining to a cyber-incident until at least the initial investigation unfolds.

Right now, the important thing is the actors behind the attack don’t seem to have obtained anything valuable from the hack. That being said, it’s not out of the question that any potentially stolen data will surface on the dark web at some point. After all, not being “aware” of any breach of personal data doesn’t mean it hasn’t happened.

Bug in Facebook Messenger on Android Let Attackers Start Calls and Listen to Audio

A Google Project Zero security researcher discovered a Facebook Messenger bug that allowed attackers to initiate a call and begin listening as soon as it started ringing. The severity of the bug prompted Facebook to award one of its largest bounties ever.

Vulnerabilities that don’t require any interaction from the victim are the most dangerous. In this case, attackers could have received audio data until the recipient of the call answered or the call timed out. It was also possible to send a custom message by using some reverse-engineering tools. Fortunately, some conditions had to be met for the vulnerability to be exploited.

“To exploit this issue, an attacker would have to already have the permissions to call this particular person by passing certain eligibility checks (e.g. being friends on Facebook),” says Facebook.

Security researcher Natalie Silvanovich published details on this bug, including the proof of concept and the exact steps an attacker would need to take for an intrusion.

“There is a message type that is not used for call set-up, SdpUpdate, that causes setLocalDescription to be called immediately,” Silvanovich explains. “If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee’s surroundings.”

The proof of concept was tested on version 284.0.0.16.119 of Facebook Messenger for Android. Facebook was given a 90-day disclosure deadline and released an update for the application before the details became public.

“After fixing the reported bug server-side, our security researchers applied additional protections against this issue across our apps that use the same protocol for 1:1 calling,” said Facebook. “This report is among our three highest bug bounties at $60,000, which reflects its maximum potential impact.”
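To make the mechanism Silvanovich describes concrete, here is an added model (not Facebook's code or the proof of concept) of a callee's call-setup state machine. The vulnerable handler applies any SdpUpdate at once, which in this model turns on audio while the call is still ringing; the hardened handler only honours it once the user has accepted. Only the SdpUpdate name comes from the report; the other message names, the states and the placement of the check on the callee are assumptions.

```python
"""Ringing-state SdpUpdate flaw modelled as a small state machine (added example)."""
from enum import Enum, auto


class CallState(Enum):
    IDLE = auto()
    RINGING = auto()    # incoming call is being shown; user has not answered
    ACCEPTED = auto()   # user pressed answer; media is allowed to flow
    ENDED = auto()


class Callee:
    """Receiving side of a 1:1 call. `hardened` selects the fixed behaviour."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.state = CallState.IDLE
        self.transmitting_audio = False
        self.log = []

    def set_local_description(self):
        # In WebRTC-style stacks, applying a local description that includes an
        # audio track is what starts capturing and sending the microphone.
        self.transmitting_audio = True
        self.log.append("setLocalDescription -> audio on")

    def handle(self, msg: dict):
        t = msg.get("type")
        if t == "Offer" and self.state is CallState.IDLE:
            self.state = CallState.RINGING
        elif t == "Accept" and self.state is CallState.RINGING:
            # local user action: only now is it legitimate to start media
            self.state = CallState.ACCEPTED
            self.set_local_description()
        elif t == "SdpUpdate":
            if self.hardened and self.state is not CallState.ACCEPTED:
                # fixed behaviour: gate media-affecting updates on acceptance
                self.log.append("SdpUpdate rejected: call not accepted")
                return
            self.set_local_description()     # vulnerable: applied immediately
        elif t == "Hangup":
            self.state = CallState.ENDED
            self.transmitting_audio = False
        else:
            self.log.append(f"ignored {t} in {self.state.name}")


def simulate(hardened: bool, messages):
    """Feed a message sequence to a fresh callee and return it for inspection."""
    callee = Callee(hardened)
    for m in messages:
        callee.handle(m)
    return callee


# Constructed sequence: the call rings, then an SdpUpdate arrives before any answer.
# "Accept" is a local user action, so it is deliberately absent.
RINGING_ONLY = [{"type": "Offer"}, {"type": "SdpUpdate"}]


def audio_leaks_while_ringing(hardened: bool) -> bool:
    """True if the callee is sending audio while still in the RINGING state."""
    c = simulate(hardened, RINGING_ONLY)
    return c.state is CallState.RINGING and c.transmitting_audio


if __name__ == "__main__":
    print("vulnerable leaks audio:", audio_leaks_while_ringing(False))
    print("hardened leaks audio:  ", audio_leaks_while_ringing(True))
```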

Mercy Iowa City Discloses Highly Sensitive Data Breach Impacting Over 60,000 Iowans

Mercy Iowa City hospital has revealed a data breach that may have compromised the personal and health information of 60,473 patients.

According to a letter sent earlier this month, the security incident was discovered in June when an unauthorized party sent out phishing emails from a staff member’s account.

“On or about June 24, 2020, Mercy discovered that one employee’s email account had been used to send out spam/phishing emails,” the letter reads. “Upon conducting an investigation, Mercy determined that an unauthorized third party gained access to one Mercy employee’s email account from May 15, 2020 until June 24, 2020.”

During the investigation, the hospital established that personal information could have been viewed by the unauthorized third party, including Social Security numbers, driver’s license numbers, date of birth, medical treatment information and health insurance information of over 60,000 Iowans.

“Mercy is not aware of any fraud or identity theft to any individual as a result of this incident,” the hospital added.

Following the breach, Mercy said that it secured the compromised account, and hired a security company to investigate and audit the security of its IT systems. Additionally, “Mercy is undertaking efforts to reduce the risk of a similar incident occurring in the future, including enhancing its technical safeguards and implementing multifactor authentication.”

While there have been no reports of fraud so far, the hospital is offering a complimentary 12-month credit monitoring and identity theft protection service for residents whose Social Security and driver’s license numbers were affected by the breach.

However, all impacted patients should closely monitor their bank and health insurance statements, and be wary of any phishing emails asking for additional financial or personal information.
