UK National Cyber Security Centre Issues Distance Learning Guide For Families

The National Cyber Security Centre (NCSC) has issued a family-oriented guide to help parents and caretakers ensure a safe digital learning experience for students.

Although remote education provides continuous learning outside physical classrooms, parents need to be aware of the potential issues and risks associated with the increased use of digital tools and second-hand devices issued by school districts.

The latest guide addresses the use of second-hand devices, video conferencing tools and online account security.

Factory reset for previously owned devices

Parents should run a factory reset on any previously owned smart equipment received from the schools, including smartphones or tablets. By resetting the device, the user ensures that any information belonging to the former owner is deleted. This may include passwords, browsing history, photos, documents and Wi-Fi codes.

“If you’ve received a second-hand device from your child’s school, it should be ready to use straight away without performing a reset, but if you’ve any concerns or need any help, contact the school,” the NCSC said. “If you’re already using a second-hand device, but you haven’t yet performed a factory reset, don’t worry. We’d encourage you to make a backup of any important information as soon as you can, and then reset the device.”

Keep operating systems and apps up to date

No matter what devices your child is using to attend online classes, make sure the operating systems and apps are always up to date with the latest patches that may fix potential security issues. This way, you can help protect against malware attacks or unauthorized access to the device.

Enabling two-factor authentication

Adding two-factor authentication to your child’s existing e-learning account can also boost security. If account passwords are unwittingly exposed, malicious actors will not access their accounts and personally identifiable information.

Use video conferencing tools safely

Video conferencing is an integral component of remote learning, used by educators to conduct remote classes. Even if you and your child are already familiar with these tools, always make sure that any video-conferencing software you download to the devices comes from the official website. Never share the credentials for online classroom lessons via social media or other platforms, to avoid disruptions from unauthorized individuals or malicious actors.

NY Department of Financial Services Issues Cyber Fraud Alert to Auto Insurers

The New York Department of Financial Services (NYDFS) has issued an alert to instant-quote websites, particularly car insurers, warning of a growing campaign to steal nonpublic information (NPI).

The agency says it learned of the threat after receiving reports from auto insurers that cybercriminals were targeting their premium quote sites to steal driver’s license numbers.

According to the guidance, “the insurers first noticed this activity because of an unusually high number of abandoned quotes or quotes not pursued after the display of the estimated insurance premium. On the Auto Quote Websites, the criminals entered valid name, any date of birth and any address information into the required fields. The Auto Quote Websites then displayed an estimated insurance premium quote along with partial or redacted consumer NPI including a driver’s license number. The attackers captured the full, unredacted driver’s license numbers without going any further in the process and abandoned the quote.”

The NYDFS says its cyber intelligence unit has discovered communications on cybercrime forums offering to sell techniques to access driver’s license numbers from auto insurance websites and step-by-step instructions on how to steal them.

The growing threat is partly attributed to heightened fraud during the COVID-19 pandemic.

“The unauthorized collection of NPI appears to be part of a growing fraud campaign targeting pandemic and unemployment benefits,” the guidance reads.

Targeted entities are instructed to immediately review data analytics and website traffic metrics for spikes of quote requests and server logs for evidence of unauthorized access to NPI to determine whether their sites have been hacked.

NYDFS recommends that instant-quote websites take the following steps when displaying or transmitting NPI:

  • Conduct a thorough review of security controls, including SSL, TLS, HSTS and HTML configurations
  • Limit access that users have to manipulate website content using web developer tools
  • Confirm that data redaction and obfuscation solutions for NPI are properly implemented
  • Ensure that privacy protections are up-to-date and working by reviewing who is authorized to view it
  • Search and scrub public code repositories for proprietary code
  • Block the IP addresses of suspected unauthorized users
  • Consider implementing quote limits per user session

The NYDFS also provides recommendations to secure data, noting that regulated entities should review whether it is necessary to display any NPI, including redacted NPI.
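As an added illustration (not code from NYDFS or from any insurer), the Python below sketches two of the controls the alert points at: redacting the driver's license number on the server so the unredacted value is never placed in the response sent to the browser, and scanning server log lines for sources with an unusually high share of abandoned quotes. The log format, the thresholds, and the sample addresses are assumptions constructed for the example.

```python
"""Server-side NPI redaction and abandoned-quote monitoring for an instant-quote site.
Added example; log format, thresholds and sample values are constructed assumptions."""
from collections import defaultdict

ABANDON_RATIO_THRESHOLD = 0.8  # assumed: alert when >80% of a source's quotes are abandoned
MIN_QUOTES_FOR_ALERT = 5       # assumed: too few quotes to judge a source below this


def redact_license(number: str, visible: int = 2) -> str:
    """Mask a license number, keeping only the last `visible` characters.
    Done server-side, so the full value is never part of the page that reaches the
    client; masking only in HTML/CSS leaves it recoverable with developer tools."""
    if len(number) <= visible:
        return "*" * len(number)
    return "*" * (len(number) - visible) + number[-visible:]


def build_quote_response(record: dict, premium: float) -> dict:
    """Build the payload returned to the client: only display fields are copied,
    and the license number is redacted before it enters the payload."""
    return {
        "premium": premium,
        "first_name": record["first_name"],
        "license_number": redact_license(record["license_number"]),
    }


def abandoned_quote_sources(log_lines, ratio=ABANDON_RATIO_THRESHOLD,
                            minimum=MIN_QUOTES_FOR_ALERT) -> dict:
    """Return {source: abandoned_share} for sources whose share of quotes displayed
    but never pursued exceeds `ratio`. Constructed line format:
    `<source_ip> <session_id> QUOTE_DISPLAYED|QUOTE_PURSUED`."""
    displayed = defaultdict(set)
    pursued = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing the monitor
        source, session, event = parts
        if event == "QUOTE_DISPLAYED":
            displayed[source].add(session)
        elif event == "QUOTE_PURSUED":
            pursued[source].add(session)
    flagged = {}
    for source, sessions in displayed.items():
        if len(sessions) < minimum:
            continue
        share = len(sessions - pursued[source]) / len(sessions)
        if share > ratio:
            flagged[source] = share
    return flagged


SAMPLE_LOG = [  # constructed: one source abandoning every quote, one normal visitor
    "203.0.113.7 s1 QUOTE_DISPLAYED",
    "203.0.113.7 s2 QUOTE_DISPLAYED",
    "203.0.113.7 s3 QUOTE_DISPLAYED",
    "203.0.113.7 s4 QUOTE_DISPLAYED",
    "203.0.113.7 s5 QUOTE_DISPLAYED",
    "198.51.100.4 s6 QUOTE_DISPLAYED",
    "198.51.100.4 s6 QUOTE_PURSUED",
    "malformed line",
]

if __name__ == "__main__":
    print(build_quote_response({"first_name": "Ana", "license_number": "A1234567"}, 812.0))
    print(abandoned_quote_sources(SAMPLE_LOG))
```

A flagged source is a starting point for the log review and per-session quote limits the alert recommends, not proof of abuse on its own.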

UK Daycare Webcam Service Shuts Down After 12,000 User Email Addresses Are Leaked Online

A threat actor dumped 12,000 email addresses of NurseryCam users online last Friday, prompting the service to suspend operations.

NurseryCam is a remote webcam service used by around 40 daycare centers across the UK, allowing parents to watch and monitor their children’s activities.

News of the breach reached NurseryCam after the attacker notified the Register that he obtained the names, email addresses, usernames and hashed passwords of users. After verifying the leaked credentials with the help of IoT security expert Andrew Tierney, the media outlet immediately notified NurseryCam’s developers.

“A hacker contacted El Reg on Friday to say they had obtained real names, usernames, what appeared to be SHA-1 hashed passwords, and email addresses for 12,000 NurseryCam users’ accounts – and had then dumped them online,” the online publication said. “Although this person claimed to have ‘redacted’ those details, the redaction was so poor it was trivial to figure out the real names and contact details of NurseryCam’s parent users.”

NurseryCam services were suspended on Saturday, and the company disclosed a possible data breach to the Information Commissioner’s Office (ICO), which is now investigating.

According to NurseryCam’s director Dr. Melissa Kao, the breach was possible due to an undisclosed vulnerability in the system, allowing the attacker to view and exfiltrate personal data including usernames, email addresses, names and hashed passwords.

“The person who identified the loophole has so far acted responsibly,” Kao said in a statement to the BBC. “He stated he has no intention to use this to do any harm [and] wants to see NurseryCam raise the overall standards of our security measures.”


Japan Suffered Record Number of Privacy and Security Violations in 2020

88 publicly traded companies in Japan compromised personal information last year, either because of a malware infection or misconfigured access protocols. As many as 30% of the incidents occurred simply because someone sent an email by mistake.

Credit reporting agency Tokyo Shoko Research (TSR), which compiled the data, says the number is the highest since it began collecting it in 2012, the Japan Times reported.

Personal information on a total of 25.15 million people was compromised, but the real figure is likely much higher since many unlisted companies also suffered breaches and/or data leaks.

“Computer viruses and unauthorized access accounted for about half of the total cases reported,” according to the Japan Times. “Such errors as sending emails by mistake made up some 30%.”

In the case of PayPay Corp., a server containing information on all 2.6 million member stores was hit by unauthorized access. The smartphone payment service provider saw more than 20 million pieces of information compromised in the incident, including the names of representatives of the member stores and PayPay employees, the report says.

Experts cited by TSR say many companies rushed to promote digitalization and remote work, leading to security gaps that attackers leveraged.

“There is a possibility of companies failing to take sufficient security measures,” said Masayo Fujimoto, a professor at the Institute of Information Security.

As organizations move workloads to the cloud, the chance for misconfigurations increases while the visibility of threats diminishes, Bitdefender recently reported.

Attacks enabled by misconfiguration have become increasingly common in the work-from-home era as organizations often neglect systematic hardening processes and policies to properly close entry points. Endpoint misconfiguration accounts for 27 percent of entry points exploited by attackers seeking access to IT environments, research by ESG shows.

Kroger Notifies Customers and Associates of Data Breach Incident

Kroger is notifying customers of a data breach, two months after the supermarket chain’s file transfer service Accellion disclosed a cyberattack.

The supermarket giant is the latest victim of the zero-day vulnerability exploited by malicious actors in the December 23 attack. Although Accellion released a patch for the vulnerability within 72 hours of its discovery, cybercriminals quickly capitalized on the exploit, stealing confidential information from multiple companies that use its FTA file-transfer service.

According to a data breach security notification, the incident did not impact Kroger’s IT systems directly, and no financial information of customers was compromised.

“The incident was isolated to Accellion’s services and did not affect Kroger’s IT systems or any grocery store systems or data,” the advisory reads. “No credit or debit card (including digital wallet) information or customer account passwords were affected by this incident. After being informed of the incident’s effect on January 23, 2021, Kroger discontinued the use of Accellion’s services, reported the incident to federal law enforcement, and initiated its own forensic investigation to review the potential scope and impact of the incident.”

However, the preliminary investigation shows that employee data, pharmacy records and money services records may have been exposed. Although Kroger’s data security incident page lacks a detailed description of compromised data, we can speculate as to the nature of potentially stolen information based on past security incidents.

For example, pharmacy records may include diverse personal and health information, including customer name, address, contact information, prescription data, and health plan. In some instances, this information can also include highly sensitive data such as Social Security numbers.

Kroger said it is contacting all potentially impacted customers or “associates” via email and that, as a preventive identity theft measure, it will provide a free year of credit monitoring.

“While at this time we have no indication of fraud or misuse of personal information as a result of this incident, we are offering free credit monitoring to all impacted individuals out of an abundance of caution,” Kroger’s data breach advisory explains.


Cryptocurrency Money Laundering Relies on Surprisingly Few Addresses, Report Finds

Cryptocurrency money-laundering services seem to be booming, with funds surging in from criminal activities, but it turns out that a small number of deposit addresses received 75% of all cryptocurrency, by value, sent from illicit addresses in 2020, according to a new report.

Criminals who receive their payments in cryptocurrency can’t really access those funds at their leisure and often go to third parties such as cryptocurrency services and money services businesses (MSBs) to launder their money. Only a few deposit addresses are responsible for receiving much of the illegal funds, but tracking many of these services is challenging.

“The data shows that a group of just 1,867 deposit addresses received 75% of all cryptocurrency value sent from illicit addresses in 2020,” notes the Chainalysis report. “A smaller group of 270 deposit addresses received 55%.”

“Thinking in terms of raw value rather than percentages, those 270 addresses collectively received $1.3 billion worth of illicit cryptocurrency in 2020, and a smaller group of just 24 received over $500 million worth of illicit cryptocurrency in 2020,” the analysis reveals.

It’s good news that 1,867 addresses received 75% of all criminally linked cryptocurrency funds in 2020. That makes it much easier for law enforcement to pressure those online services, knowing that shutting them down has a significant effect on the criminal gangs operating these schemes.

The Chainalysis analysis outlines another trend: Russia is the primary recipient of dark market funds, likely due to the Hydra dark market that serves Russia and many other Russian-speaking countries. China takes second place, but only because of the criminal activity related to the Lazarus Group (APT38), which is linked to North Korea.

On a final note, the silver lining is that most of the funds moved through these cryptocurrency services don’t seem illicit in nature, and only a small amount is tied to criminal groups.

DoppelPaymer Gang Reportedly Attacked Kia Motors America with Ransomware

Kia Motors America was hit by a ransomware attack, and the criminals asked for a $20 million ransom to provide a decryptor, BleepingComputer reported.

The initial reports referred to an IT outage across the US for Kia Motors America. Later, someone tried to pick up a car from a dealership only to be turned back because ransomware had reportedly locked the systems. The company acknowledged it had some problems but didn’t confirm it had been attacked.

“KMA is aware of IT outages involving internal, dealer and customer-facing systems, including UVO,” the company said to BleepingComputer. “We apologize for any inconvenience to our customers and are working to resolve the issue and restore normal business operations as quickly as possible.”

In the meantime, a ransom note appeared online, seemingly from the DoppelPaymer gang. DoppelPaymer, however, mentions Hyundai as the target, although that’s the parent company of Kia.

Criminals say that they also stole a lot of data from the company and threatened to release it in the next few weeks if the $20 million ransom isn’t paid. Moreover, if the 404 bitcoins they requested are not paid on time, the ransom increases to 600 bitcoins, now roughly $30 million.

The BleepingComputer report also says Hyundai Motors is suffering similar outages, but the major difference is that Hyundai denies that criminals hit it with a ransomware attack.

“At this time, we can confirm that we have no evidence of Hyundai Motor America’s involvement in a ‘ransomware’ attack,” said the company.

Lakehead University Shuts Down Campuses and Computers After Cyberattack

Computer systems at Lakehead University (LU) in Ontario, Canada, remain offline after a cyberattack hit the public research institution on Tuesday.

In response to the attack, officials shut down all computer systems at the Thunder Bay and Orillia campuses. The message sent to faculty members and students doesn’t say how the threat actors managed to infiltrate the information systems of the university:

“Lakehead University’s Technology Services Centre (TSC) team is currently managing a cyber attack that is affecting our campuses’ servers. In order to protect our systems and data as much as possible, TSC has removed all access to our servers which affects both our campuses.”

All of Lakehead’s data and servers, including access to its website, have been offline since February 16. Online events such as two virtual tours of their campuses were also postponed.

In the latest update, the TSC said the attackers targeted LU’s file share servers. Consequently, the university cut off all access to these services, and campus computers remain unavailable until IT and cybersecurity experts determine the extent of the breach.

The attack will also likely affect upcoming events in the academic year. Students were advised to remain patient until faculty members provide further instructions.

“As course requirements and deadlines differ across programs, individual students may be impacted in multiple and varying ways,” Lakehead officials said. “Faculties are currently reviewing the situation and students will be updated by program or individual instructors about how concerns relating to assignments, exams and similar issues will be addressed.”

Banks Investing in Automated Cyber-Defenses to Fight Business Email Compromise, Survey Shows

The COVID-19 pandemic has intensified both the threat of fraud and the response to it, with corporate environments and banking in particular aligning on defensive automation, according to a new report.

Bottomline and Strategic Treasurer this week published the 2021 Treasury Fraud & Controls Survey, the duo’s sixth such annual survey. The survey gathered details about corporate and banking experiences, actions and plans regarding fraud.

The key takeaway: as the pandemic heightened the threat of fraud, organizations started to invest in automated cyber defenses.

Respondents increased spending on security significantly from 2019 to today (2019: 17%; 2020: 19%; 2021: 22%). The reason ties in to another key finding, namely that 86% of bank respondents perceive Business Email Compromise (BEC) as their greatest risk over the next 1-2 years. The research also found that a fifth of fraud experiences had a COVID-19 connection (21%).

This finding is echoed in the most recent Bitdefender threat landscape report, where we note that four out of 10 COVID-themed emails are spam, likely motivated by fraud.

Bottomline and Strategic Treasurer researchers also found that smaller firms were hit hardest – 26% of small business fraud had a link to the virus, as opposed to only 17% for larger companies.

“Presumably, their potential payouts previously fell below the radar of criminals who now, with the development of greater automation and a backdrop of expanded vulnerabilities, have broadened their sights to include targets of all sizes,” the surveyors reason.

“Against a multi-year trend of increasing sophistication and automation of fraud, opportunistic criminals leveraged the pandemic-driven push to remote operations to strike in a blitz offensive,” the researchers say. “The rapid transition to a work from home (WFH) environment created exposures that outpaced structural and procedural defenses, resulting in accelerated threats and fraud loss.”

In response to the threat, organizations are enhancing both human and technical aspects of defense, the survey found. For example, staff assignments in accountability for managing fraud have grown by 50% from just two years ago. On the technology side, businesses are increasing their use of backend functions like fraud interdiction and optimizing the use of digital tools to improve customer experience and close any gaps that attackers might exploit.

“Ultimately, we are seeing digital warfare escalation, in which firms are meeting the criminal use of automation with their own defensive tools and controls,” says Craig Jeffery, managing partner of Strategic Treasurer.

Data Breach at DMV Contractor Exposes Vehicle Registration Data of Millions of Californians

The California Department of Motor Vehicles (DMV) is investigating a data breach at an address verification company that may have compromised vehicle registration information of millions of Californians.

Yesterday, the DMV started notifying vehicle owners that their registration records may have been exposed in a ransomware attack at the Automatic Funds Transfer Services (AFTS), a Seattle-based contractor the government agency uses.

The ransomware attack earlier this month “may have compromised information provided to AFTS by the DMV, including the last 20 months of California vehicle registration records,” the DMV said.

Potentially exposed data includes names, addresses, license plate numbers and vehicle identification numbers (VIN). Fortunately, AFTS had no access to Social Security numbers, date of birth, voter registration, immigration status or driver’s license information, and that information was not compromised in the breach, the DMV explained.

Once the DMV learned of the attack, it ceased transferring any further vehicle owner information to the AFTS, contracting a different vendor’s services to avoid affecting customer services.

The agency also notified law enforcement and the FBI, emphasizing that, for the time being, it has found no indication that data records accessed in the AFTS ransomware attack were used for malicious purposes.

“Data privacy is a top priority for the DMV. We are investigating this recent data breach of a DMV vendor in order to quickly provide clarity on how it may impact Californians,” DMV Director Steve Gordon said. “We are looking at additional measures to implement to bolster security to protect information held by the DMV and companies that we contract with.”

Vehicle owners are advised to report any suspicious activity to local police.
