Info Security
More Tribes Given Enhanced Access to US Crime Data
More Native American tribes are going to be given enhanced access to critical databases containing national crime information for the United States.
In an announcement made September 16, the Department of Justice said that 12 tribes have been newly selected to participate in the Tribal Access Program for National Crime Information (TAP), bringing the total number of federally recognized participating tribes to 108.
TAP was set up in 2015 after tribal leaders raised concerns about not being able to directly access crime data held in federal systems. Using the program, tribes can view shared information for non-criminal justice purposes such as screening employees or volunteers who work with children.
Information accessible to tribes via TAP includes data on missing persons; registered convicted sex offenders; entered domestic violence orders of protection for nationwide enforcement; criminal history checks; identified and arrested fugitives; entered bookings and convictions; and completed fingerprint-based record checks.
In 2019, the Department of Justice announced that tribal governments already participating in TAP could directly input data and gain access to the FBI’s National Sex Offender Registry (NSOR) using the Tribe and Territory Sex Offender Registry System (TTSORS).
The twelve tribes joining the program are the Confederated Tribes of the Warm Springs Reservation; Cow Creek Band of Umpqua; Fort Belknap Indian Community; Grand Traverse Band of Ottawa and Chippewa; Havasupai Tribe; Lower Brule Sioux Tribe; Menominee Tribe; Mille Lacs Band of Ojibwe; Muckleshoot Tribe; Passamaquoddy Tribe; Shingle Springs Band of Miwok; and United Keetoowah Band of Cherokee.
Under the program, the tribes will be given training as well as software and biometric/biographic kiosk workstations to take mugshots, process fingerprints, and submit information to FBI Criminal Justice Information Services (CJIS) systems.
“Timely access to federal criminal information can help protect domestic violence victims, place foster children in safe conditions, solve crimes and apprehend fugitives on tribal land, among other important uses,” said Deputy Attorney General Lisa Monaco.
“Increasing tribal access to criminal databases is a priority of the Justice Department and this administration, and essential to many tribal government efforts to strengthen public safety in their communities.”
Prison for AT&T Phone-Unlocking Fraudster
A cyber-criminal who defrauded American telecommunications giant AT&T out of more than $200m through a phone-unlocking bribery scheme has been sentenced to prison.
Muhammad Fahd, a 35-year-old citizen of Pakistan and Grenada, led a seven-year conspiracy in which AT&T employees were bribed to unlawfully unlock nearly two million customers' cell phones for profit.
The plot began in 2012 when Fahd colluded with others to recruit AT&T staff working at a call center in Bothell, Washington. The employees were bribed to use their AT&T credentials to unlock cell phones for ineligible customers.
"Unlocking a phone effectively removes it from AT&T’s network, thereby allowing the account holder to avoid having to pay AT&T for service or to make any payments for purchase of the phone," said the Department of Justice's Office of Public Affairs in a statement released September 16.
Fahd used the alias Frank Zhang to contact an AT&T employee through Facebook and offer them large sums of money to secretly unlock phones' International Mobile Equipment Identity numbers (IMEIs). Fahd also asked the employee to enlist other AT&T staff in the scheme.
The recruited employees were instructed by Fahd to establish fake businesses and set up bank accounts for those businesses. These accounts were used to give the illusion that the fraudulent payments and fictitious invoices that formed part of the scheme were genuine.
"AT&T’s forensic analysis shows the total number of cellular telephones fraudulently unlocked by members of the scheme was 1,900,033 phones," said the Office of Public Affairs.
"AT&T has further determined that the loss it suffered because customers, whose cellular phones were illegally unlocked, failed to complete payments for their cellular telephones was $201,497,430.94."
When AT&T implemented a new unlocking system in 2013 that made unlocking the IMEIs harder, Fahd hired a software developer to design malware to unlock phones more efficiently and in larger numbers. Fahd then had AT&T employees install the malware on AT&T's computer system.
Fahd was indicted in 2017 and arrested in Hong Kong in 2018. After being extradited to the US in 2019, in September 2020 Fahd pleaded guilty to conspiracy to commit wire fraud. On September 16, he was sentenced to 12 years in prison and ordered to pay restitution of $200,620,698.
Free REvil Decryptor Launched
Antivirus vendor Bitdefender has launched a free universal decryption tool to help victims of REvil ransomware, also known as Sodinokibi.
The new tool, which was made available on Thursday, can restore many files impacted by the crypto-locking malware before July 13, 2021. However, the tool's instructions include the warning that "some versions" of REvil "are not yet decryptable."
REvil victims can download the tool and a step-by-step tutorial on how to use it via the Bitdefender website. The free decryptor is also from the No More Ransomware project, a public-private collaboration involving Europol, Dutch cybercrime law enforcement, and multiple private security firms.
Bitdefender said that the decryption tool was created in collaboration with "a trusted law enforcement partner" while the investigation into REvil's criminal activities continues.
"Please note this is an ongoing investigation and we can’t comment on details related to this case until authorized by the lead investigating law enforcement partner," Bitdefender said in a statement released September 16.
"Both parties believe it is important to release the universal decryptor before the investigation is completed to help as many victims as possible."
REvil first came on the cybercrime radar as a Ransomware-as-a-Service (RaaS) operator in April 2019 and grew to become one of the most prolific ransomware gangs on the dark web.
After successfully extorting millions of dollars from thousands of technology companies, retailers, and managed services providers around the world, REvil's website went down earlier this year following a major supply-chain attack on IT software provider Kaseya.
"On July 13 of this year, parts of REvil’s infrastructure went offline, leaving infected victims who had not paid the ransom unable to recover their encrypted data," said Bitdefender.
"This decryption tool will now offer those victims the ability to take back control of their data and assets."
Bitdefender and its unnamed law enforcement partner suspect that more attacks from REvil could be about to occur.
"We believe new REvil attacks are imminent after the ransomware gang’s servers and supporting infrastructure recently came back online after a two-month hiatus," said Bitdefender. "We urge organizations to be on high alert and to take necessary precautions."
Romance Scammers Make $133m in First Half of 2021
Over $133m has already been lost this year to romance scams, with victims increasingly urged to invest in fraudulent cryptocurrency opportunities, according to the FBI.
A new Public Service Announcement was published yesterday revealing that the FBI Internet Crime Complaint Center (IC3) received over 1,800 complaints from January 1 to June 31 this year, resulting in soaring losses for victims.
Victims are typically approached on dating and social media sites, where the scammer establishes a relationship with them designed to build confidence. In time, the scammer will share information on a new cryptocurrency investment or trading opportunity, which is claimed to generate significant profits, according to the FBI.
The victim is then directed to a scam website where they hand over some money for the investment. To add legitimacy to the scheme, the fraudsters purportedly make it appear as if the victim has made a profit and allow them to withdraw a small amount of money.
“After the successful withdrawal, the scammer instructs the victim to invest larger amounts of money and often expresses the need to ‘act fast.’ When the victim is ready to withdraw funds again, the scammers create reasons why this cannot happen,” the Public Service Announcement continued.
“The victim is informed additional taxes or fees need paid, or the minimum account balance has not been met to allow a withdrawal. This entices the victim to provide additional funds. Sometimes, a ‘customer service group’ gets involved, which is also part of the scam. Victims are not able to withdraw any money, and the scammers most often stop communicating with the victim after they cease to send additional funds.”
Romance scams are a perennial money-maker for fraudsters. In fact, they collectively accounted for over $600m in losses last year, second only to Business Email Compromise, according to official FBI figures.
The addition of a cryptocurrency element taps into a growing parallel trend of scammers making money from eager investors looking to get rich quickly.
According to the FBI, investment scams are the third-highest earner for cyber-criminals, bringing in over $336m last year.
Experts Concerned Over New Digital Secretary's Lack of Cyber Knowledge
Privacy and security experts have signaled their concern over the appointment of Nadine Dorries to the post of digital and culture secretary.
This week, Boris Johnson announced the move as part of a major Cabinet reshuffle designed to stamp his authority on government and drive momentum into the next General Election campaign.
However, while most of the appointments were well received, question marks have been raised over Dorries’ tech credentials. As secretary of state for digital, culture, media and sport, she will be expected to master the detail of complex regulatory issues and sell Britain’s growing prowess in digital and cyber abroad.
However, in 2017 she invited widespread criticism from security experts after publicly admitting that her staff logged into her work computer using her credentials “every day.”
“Dorries spent much of her parliamentary career as a backbencher — and didn’t attend a single session when appointed to the Science and Technology Committee in 2010,” argued ProPrivacy digital privacy expert Hannah Hart.
“This is even more alarming when you weigh her seemingly lack of digital knowledge against the fact that the UK is facing an increasing amount of high-profile cybersecurity attacks. The education sector has faced a flurry of ransomware attacks, 2020 was a landmark year for hacking attempts, and the pandemic has seen opportunities for phishing scams soar as we do most of our banking and shopping online.”
Others raised concerns about the potential regulatory impact of the appointment.
“Given the government is currently pondering whether we should ‘relax’ data protection regulation and move away from the GDPR, it would be great to have the confidence that our parliamentarians had the technical and legal understanding of this complex issue,” Bournemouth University professor of IT ethics, Andy Phippen, told the i newspaper.
“Equally, observing the Online Safety Bill as it moves through parliament, one would hope those debating greater regulation of big tech understand both what technology is capable of in terms of content monitoring and filtering, and the implications of legislation on everyone’s online experiences. Sadly, with a few exceptions, I do not have that confidence.”
CISA: Patch Zoho Bug Being Exploited by APT Groups
The US government is urging organizations to patch a newly identified Zoho vulnerability since state-sponsored attackers are actively exploiting it.
CVE-2021-4053 is a critical authentication bypass vulnerability affecting REST-based API URLs which could enable remote code execution if exploited, according to the Cybersecurity and Infrastructure Security Agency (CISA).
It affects ManageEngine ADSelfService Plus — a self-service password management and single sign-on solution from the online productivity vendor.
Zoho released a patch for this bug on September 6, but CISA claimed that malicious actors might have been exploiting it as far back as August, using various tools and techniques.
“The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, US-cleared defense contractors, academic institutions, and other entities that use the software,” it warned.
“Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.”
CISA claimed that threat actors might be looking for “US research” in multiple sectors.
Sean Nikkel, a senior cyber threat intel analyst at Digital Shadows, claimed that this is the fifth critical bug to be found in ManageEngine this year.
“Since the service interacts with Active Directory, giving attackers access can only lead to bad things, such as controlling domain controllers or other services. Attackers can then take advantage of ‘blending in with the noise’ of everyday system activity. It’s reasonable to assume that there will be more widespread exploitation of this and previous vulnerabilities given the interactivity with Microsoft system processes,” he argued.
“The observation that APT groups are actively exploiting CVE-2021-40539 should highlight the potential exposure it might cause. If trends are consistent, extortion groups will likely seek exploitation for ransomware activity in the not-so-distant future. Users of Zoho’s software should apply patches immediately to avoid the types of compromise described in the CISA bulletin.”
US Imprisons World’s Largest Facilitator of CSAM
A dual Irish-American citizen has been sentenced to 27 years in US federal prison for sharing on the dark web millions of images depicting the sexual abuse of children, toddlers and infants.
Dublin resident Eric Eoin Marques was extradited to the United States on March 23, 2019, to face federal criminal charges filed in Maryland on August 8, 2013. On February 6, 2020, 36-year-old Marques pleaded guilty to conspiracy to advertise child pornography on the dark web.
According to his plea agreement, between July 24, 2008, and July 29, 2013, Marques operated a free, anonymous web-hosting service (AHS) called Freedom Hosting that hosted more than 200 child exploitation websites on the dark net. The websites hosted by Marques housed millions of images of child exploitation material, including over 1.97 million videos and images featuring victims not previously known to law enforcement.
"Many of these images involved sadistic abuse of infants and toddlers to include bondage, bestiality and humiliation to include urination, defecation and vomit," said the US Attorney's Office for the District of Maryland in a statement published Wednesday.
In his guilty plea, Marques admitted distributing child sexual abuse material (CSAM) that involved children aged under twelve and sadistic or masochistic material or depictions of violence.
According to Acting United States Attorney for the District of Maryland Jonathan F. Lenzner, “Eric Marques was one of the largest facilitators of child pornography in the world.”
On September 15, US District Judge Theodore D. Chuang sentenced Marques to 27 years in federal prison, followed by lifetime supervised release.
The Marques prosecution was part of a global investigation targeting thousands of users of more than 200 websites operating on the Tor network that were dedicated to trading in CSAM. This investigation led to the disruption of the activities of tens of thousands of online child sexual abuse material creators and the seizure of over four million images and videos of child sexual abuse.
“Today’s sentencing of Eric Marques sends a clear message to perpetrators of this egregious crime that no matter where you are in the world, law enforcement will hold you accountable and bring you to justice,” said FBI Assistant Director Calvin Shivers.
Australia, UK, and US Announce Security Partnership
The United States, United Kingdom and Australia have announced a historic trilateral security and defense agreement.
Under the new AUKUS pact, the three nations will cooperate more closely than ever before in several areas that include artificial intelligence, cyber capabilities, quantum computing critical technology, and defense-related industrial bases and supply chains.
The partnership was announced on Wednesday in a joint virtual press conference between US president Joe Biden, UK prime minister Boris Johnson, and Australian prime minister Scott Morrison.
Biden said: "AUKUS will bring together our sailors, our scientists, and our industries to maintain and expand our edge in military capabilities and critical technologies, such as cyber, artificial intelligence, quantum technologies, and undersea domains."
A joint statement released by the three world leaders on September 15 read: "This is an historic opportunity for the three nations, with like-minded allies and partners, to protect shared values and promote security and prosperity in the Indo-Pacific region."
A primary initiative of AUKUS will be an 18-month plan to provide Australia with nuclear-powered submarines and the necessary technology and infrastructure to maintain them.
A statement from 10 Downing Street read: "AUKUS is a concrete articulation of the UK’s ambition, made in the Integrated Review, to deepen defense, security and foreign policy ties with like-minded allies across the globe. The agreement reflects the unique level of trust and cooperation between our three countries, who already share extensive intelligence through the Five Eyes alliance."
Commenting on the new partnership, the United States Studies Centre said: "Though it aims to deepen diplomatic, security and defense cooperation between the three states, AUKUS will focus specifically on deepening integration in defense-related science, technology, industrial bases and supply chains, with particular emphasis on cyber capabilities, artificial intelligence, quantum technologies and new undersea capabilities."
AUKUS has not been positively received by the People's Republic of China. Chinese foreign ministry spokesperson Zhao Lijian stated that Australia, the UK and the US “should abandon the obsolete Cold War zero-sum mentality and narrow-minded geopolitical concepts and respect regional people’s aspiration and do more that is conducive to regional peace and stability and development – otherwise they will only end up hurting their own interests.”
FTC: Health Apps Must Notify Consumers of Data Breaches
The United States Federal Trade Commission (FTC) has warned the developers of health apps and connected devices that they must disclose data breaches to consumers or face a fine.
In a policy brief issued Wednesday, the Commission clarified that healthcare apps that collect or use consumers' health information are subject to the Health Breach Notification Rule requiring entities not covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to notify consumers when their health data is breached.
In a 3–2 vote held during an open virtual meeting, the FTC agreed to approve a policy statement affirming that developers of health apps and connected devices are considered to be healthcare providers, and that sensitive information disclosed by them without authorization constitutes a breach.
Every breach, even breaches that did not occur as the result of a malicious cyber-attack, must be reported. The FTC stated that companies that fail to comply with the rule could be subject to financial penalties of up to $43,792 per violation per day.
The FTC said in a statement that "health apps, which can track everything from glucose levels for those with diabetes to heart health to fertility to sleep, increasingly collect sensitive and personal data from consumers.
"These apps have a responsibility to ensure they secure the data they collect, which includes preventing unauthorized access to such information."
The Commission noted that the use of health apps and other connected devices that collect personal health data increased during the COVID-19 pandemic. It observed that despite being a "ripe" target for scammers and cyber-attackers, "too few privacy protections" were in place for such apps.
“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC chair Lina M. Khan.
“Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”
Household Names Hit with £500K Fine for Spamming Consumers
Three big-name UK brands have been collectively fined nearly half a million pounds by the privacy regulator after sending hundreds of millions of nuisance marketing messages to consumers.
We Buy Any Car was fined £200,000 by the Information Commissioner’s Office (ICO) after bombarding consumers with over 191 million emails and 3.6 million nuisance texts.
Saga Services and Saga Personal Finance were handed £150,000 and £75,000 penalties, respectively, for sending 157 million emails between them.
Recipients had not given direct consent to receive such messages, and the firms have been hit with an additional enforcement notice warning that court action could follow if their illegal marketing continues.
Finally, high street retailer Sports Direct was fined £70,000 after sending 2.5 million emails as part of a re-engagement campaign between December 2019 and February 2020. Recipients had not been contacted for some time, and the firm couldn’t show any evidence of consent.
ICO head of investigations, Andy Curry, argued that nuisance emails and texts are “frustrating and intrusive” and that the firms involved should have known better.
“Today’s fines show the ICO will tackle unsolicited marketing, irrespective of whether the messages have been orchestrated by a small business or organization, or a leading household name. The law remains the same and we hope today’s action sends out a deterrent message that members of the public must have their choices and privacy respected,” he added.
“Companies that want to send direct marketing messages must first have people’s consent. And people must understand what they are consenting to when they hand over their personal information. The same rules apply even when companies use third parties to send messages on their behalf.”
The ICO issued the fines under the UK’s Privacy and Electronic Communications Regulations (PECR), which govern nuisance marketing messages and calls. Unlike under the GDPR, or UK Data Protection Act 2018, the maximum the regulator can fine individual companies via PECR is £500,000.
Misconfigured APIs Account for Two-Thirds of Cloud Breaches
Shadow IT and misconfigured APIs accounted for the vast majority of security incidents in the cloud last year, according to a new report from IBM Security X-Force.
The threat intelligence player drew on multiple data sources, including dark web analysis, pen-testing data, incident response cases and threat intelligence to compile the 2021 IBM Security X-Force Cloud Threat Landscape Report.
It revealed that attackers are actively looking to exploit weaknesses in enterprise protection, many of which come about due to human error.
To this end, over half of breaches came about as a result of shadow IT, when systems were spun up without being subject to corporate security policy — and therefore lacked vulnerability and risk assessments and hardened security protocols.
Additionally, two-thirds of the incidents studied involved improperly configured APIs.
“APIs lacking authentication controls can allow anyone, including threat actors, access to potentially sensitive information,” said senior cyber threat intelligence analyst, Charles DeBeck. “On the other side, APIs being granted access to too much data can also result in inadvertent disclosures.”
The overall result of these security issues has been to enable cryptojacking and ransomware, the top two malware types, which accounted for over half of cloud compromises.
IBM also noted a thriving dark web market for public cloud access, dominated by ads offering Remote Desktop Protocol (RDP) access to cloud resources (71%).
The report claimed that threat actors often jump from on-premises to cloud environments. This type of lateral movement accounted for a quarter of incidents X-Force responded to last year.
“Many businesses don’t have the same level of confidence and expertise when configuring security controls in cloud computing environments compared to on-premises, which leads to a fragmented and more complex security environment that is tough to manage,” DeBeck argued.
“Organizations need to manage their distributed infrastructure as one single environment to eliminate complexity and achieve better network visibility from cloud to edge and back.”
Banks Slammed for Low Fraud Reimbursement Rates
The UK’s high street banks have been called out for “shockingly low” reimbursement rates for Authorized Push Payment (APP) fraud.
APP fraud is an increasingly popular type of scam in which the fraudster — posing as a trusted entity such as a family member or business — tricks the victim into transferring money to a bank account under their control. It cost an estimated £479m in 2020.
Until a voluntary banking code of conduct was recently introduced, victims had no course to reclaim funds because they technically initiated the payment.
When the code was rolled out 14 months ago — in combination with pop-up warnings online if payee names and account details don’t match — it was hoped things would change.
However, that doesn’t appear to have been the case, according to consumer rights group Which?.
“Banks found victims at least partly responsible for their losses in 77% of cases assessed in the first 14 months of the code. Two banks found the customer fully liable in more than nine in 10 decisions,” it noted, citing official figures.
“Financial Ombudsman Service (FOS) data indicates that banks are getting most of these decisions wrong: 73% of complaints about APP fraud were upheld in favour of consumers in 2020-21.”
Which? argued that scammers have an increasingly formidable array of tools and techniques at their disposal to trick victims into making payments. These include number spoofing, hijacking email accounts via phishing, SIM swap fraud and more.
Banks are taking too long to adjudicate in fraud cases, and their final decisions lack consistency, making reimbursement a “lottery,” the group said.
“The Payment Systems Regulator (PSR) is due to make an announcement imminently on how to improve consumer protections against APP fraud – and Which is calling for strong and urgent action from the regulator to ensure that banks do more to protect consumers, and treat victims fairly and consistently,” it concluded.
“Instead of continuing to pursue another version of a code, we believe the right option to address the serious shortcomings of bank transfer scam protections is for the PSR to introduce mandatory consumer protections across all payment providers, including a reimbursement obligation.”
Eset cybersecurity specialist, Jake Moore, argued that consumers must also get more cyber-savvy.
“Scammers often use fear, scarcity or credibility as a way to socially engineering their prey into following simple orders,” he added. “However, people must question the motive at all times and err on the side of caution with any call or text before they move any money or hand over sensitive information.”
Serious Flaw Found in HP OMEN Driver
A serious flaw has been found in the driver of a popular PC gaming software used by millions.
Researchers from SentinelLabs published details of the vulnerability in the HP Omen Gaming Hub on September 14. They said that attackers could exploit the flaw to locally escalate to kernel-mode privileges.
“With this level of access, attackers can disable security products, overwrite system components, corrupt the OS, or perform any malicious operations unimpeded,” wrote researchers.
Omen comes preinstalled on all HP OMEN desktops and laptops and can be used to control and optimize settings such as device GPU, fan speeds, CPU overclocking, memory and more.
The vulnerability was reported to HP on February 17, 2021, and was later given a Common Vulnerability Scoring System (CVSS) score of 7.8, making it a high-severity flaw.
No evidence of the flaw’s being exploited in the wild was discovered by SentinelOne.
“While we haven’t seen any indicators that these vulnerabilities have been exploited in the wild up till now, using any OMEN-branded PC with the vulnerable driver utilized by OMEN Gaming Hub makes the user potentially vulnerable,” noted researchers. “Therefore, we urge users of OMEN PCs to ensure they take appropriate mitigating measures without delay.”
Commenting on the newly unearthed flaw, Jamie Boote, security consultant at the Synopsys Software Integrity Group, said, "With the rise of remote workers during the Covid-19 Pandemic, the collision between corporate IT environments and personal hardware will only rise as employees supply more of their own hardware to continue to customize and equip their home offices.
“It is impossible to anticipate all potential driver and hardware vulnerabilities that can arise from these situations, so it is important for IT departments to recognize and react to threats such as these when they’re made public.”
Boote added that the enforcement of proactive security measures such as keeping up with threat intelligence feeds, limiting software installations to only approved software sources and maintaining approved workstation images can limit the impact of threats such as this gaming hub privilege escalation bug.
“Perhaps this vulnerability is a reminder of why it’s called 'The Bleeding Edge,'” said Boote.
Arizona Medical Practice Permanently Loses EHR Data
A medical practice in Arizona has lost nearly all the data entered into its electronic health record (EHR) system due to a cyber-attack.
Desert Wells Family Medicine, which has been serving patients in Queens Creek for 20 years, was attacked by cyber-criminals on May 21. The practice had backed up all its EHR data before the attack took place, but the attackers managed to encrypt both the original files and the backup files using ransomware.
The practice has begun notifying 35,000 patients that their protected health information has been compromised. Information that may have been accessed by the attackers during the security incident included patient names, dates of birth, addresses, billing account numbers, medical record numbers, treatment information, and Social Security numbers.
Desert Wells said it had done everything that it could to retrieve the encrypted data, including engaging external specialists, but their efforts had proved fruitless.
All EHR information added into Desert Wells’ system prior to the date of the attack has been lost forever, and the practice is currently in the process of constructing an entirely new EHR system.
“Upon discovering the extent of the damage, we engaged additional forensics and recovery services as part of our exhaustive efforts to do everything we could to try and recover the data,” said Daniel Hoag, MD, a family medicine physician at Desert Wells.
“Unfortunately, these efforts to date have been unsuccessful and patient electronic records before May 21, 2021, are unrecoverable.”
The practice said that no evidence has been found to suggest that any of the compromised patient data has been misused. Third-party computer forensics experts hired to investigate the incident found no evidence that any patient data had been exfiltrated from Desert Wells before the files were encrypted.
“We recognize this is an upsetting situation and, from my family to yours, sincerely apologize for any concern this may cause,” said Hoag. “I’m sure many of you have been reading about other healthcare providers in the community, and around the country, that have been impacted by cybersecurity events.”
Hoag added that Desert Wells is continuing to take steps to enhance the security of its systems, including improving its endpoint detection, implementing 24/7 threat monitoring, and providing additional training and education to staff.
Americans Fined After Hacking for Foreign Government
Three former members of the United States military or United States Intelligence Community (USIC) have been fined for providing hacking-related services to a foreign government.
United States citizens, 49-year-old Marc Baier and 34-year-old Ryan Adams, and 40-year-old former US citizen Daniel Gericke were investigated by the Department of Justice (DOJ) over claims that they had violated U.S. export control, computer fraud, and access device fraud laws.
On September 7, the three men entered into a deferred prosecution agreement (DPA) with the DOJ that requires them to pay $1,685,000 in penalties. The agreement also places restrictions on the future activities and employment of the three men.
According to court documents, between 2016 and 2019, all three defendants worked as senior managers at a company based in the United Arab Emirates (UAE) that performed and supported hacking for the benefit of the UAE government.
Services carried out by the defendants included the provision of support, direction and supervision in the creation of sophisticated “zero-click” computer-hacking and intelligence-gathering systems capable of compromising a device without any action being taken by the target.
The zero-click exploits were later deployed by other employees at the UAE-based company to illegally obtain and use access credentials for online accounts issued by companies in the United States. The exploits were further used to obtain unauthorized access to mobile phones and computers in the United States and around the world.
The State Department’s Directorate of Defense Trade Controls (DDTC) informed the defendants on multiple occasions that the work they were doing was a “defense service” as defined under the International Traffic in Arms Regulations (ITAR) and that they needed a license from the State to provide the services they were carrying out.
“This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States,” said Acting Assistant Attorney General Mark J. Lesko for the Justice Department’s National Security Division.
Software Supply Chain Attacks Surge 650% in a Year
The insatiable global demand for open source code packages has led to a triple-digit year-on-year surge in upstream software supply chain attacks, according to Sonatype.
The supply chain management specialist compiled its 2021 State of the Software Supply Chain report from publicly available and proprietary data.
It claimed that global developers would borrow over 2.2 trillion open-source packages or components from third-party ecosystems to accelerate time-to-market. This includes Java downloaded from the Maven Central Repository, Python packages downloaded from PyPi, JavaScript from npmjs and .NET NuGet packages.
These shared code packages often contain publicly disclosed vulnerabilities that threat actors can exploit. However, increasingly cyber-criminals are getting more proactive, Sonatype warned.
“Next-generation software supply chain attacks are far more sinister, because bad actors are no longer waiting for public vulnerability disclosures to pursue an exploit. Instead, they are taking the initiative and injecting new vulnerabilities into open source projects that feed the global supply chain, and then exploiting those vulnerabilities before they are discovered,” the report noted.
“By shifting their attacks ‘upstream,’ bad actors can gain leverage and the crucial benefit of time that that enables malware to propagate throughout the supply chain, enabling far more scalable attacks on ‘downstream’ users.”
Such attacks have increased by a staggering 650% year-on-year, versus a figure of 430% last year, Sonatype said.
There were 216 such attacks detected over four years between February 2015 and June 2019. However, this figure rose to 929 during just a year (July 2019–May 2020). That number surged to a staggering 12,000 over the past year.
“We now know that popular projects contain disproportionately more vulnerabilities,” argued Sonatype EVP, Matt Howard.
“This stark reality highlights both a critical responsibility, and opportunity, for engineering leaders to embrace intelligent automation so they can standardize on the best open source suppliers and simultaneously help developers keep third-party libraries fresh and up-to-date with optimal versions.”
Major cyber-threat campaigns, including the attacks on SolarWinds and Codecov, highlight the potentially severe repercussions of code supply-chain compromises.
Nearly a Third of Brits Say They Feel Unsafe Online
Nearly a third (29%) of Brits feel unsafe while using the internet, according to a new report by Veriff.
The survey of 2000 UK citizens revealed a range of factors that have caused this sentiment. One of these is rising scam attempts, with over two-fifths (42%) of those surveyed experiencing a package delivery scam during the past three months. The next most common type of scam is those relating to tax rebates (25%) followed by TV licenses (19%).
Veriff also found that 13% of Brits have received a COVID-19 vaccine scam during this period, further highlighting how fraudsters have leveraged the circumstances of the pandemic to target people in the past 18 months.
The potential impact of ‘digital trails’ being left on the internet was also a significant concern for people. Almost half (48%) of millennials expressed fears that old posts online will come back to haunt them, while more than two-thirds (37%) of all those surveyed said they regretted sharing personal details online.
Additionally, more than half (52%) of Brits were worried that their images may be used online without their permission. More than two-thirds (68%) agreed that social media companies should require users to show ID when signing up to their site in order to help combat issues like identity fraud and online abuse.
Surprisingly, Generation Z (16-24-year-olds) were more likely to feel unsafe online than any other age group (41%). This compared to just 18% of those aged 55 and older feeling unsafe.
In terms of internet usage, people who spend more than 30 hours online per week were least likely to feel unsafe online (21%). In contrast, almost half (48%) of people who spend just one or two hours online per week were most likely to feel safe online.
Janer Gorohhov, co-founder and CPO at Veriff, commented: “Cyber-criminals are continuously thinking of new ways to commit fraud, with the pandemic sadly providing them with more opportunities than ever — from COVID-19 vaccination scams to fake delivery texts — which is why we wanted to uncover how the nation really feels online and how the future of identity verification can help people feel safer.
“With the common misconception being that the older generation is most susceptible to online fraud, we were interested to find that the younger generations were the most likely to feel unsafe online. With the internet playing such a vital role in the lives of many young Brits, unfortunately, their hours spent online does not make them any less of a target of online fraud, if anything, it heightens the risk.”
Quarter of Fortune 500's External IT Assets Are a Cyber Risk
The external attack surface of Fortune 500 companies contains known, exploitable vulnerabilities and security issues, according to new research from Cyberpion.
The Israeli startup compiled its findings from a “single-pass scan” of the public and internet-facing assets of every Fortune 500 company in the first half of 2021.
Nearly three-quarters (73%) of these organizations’ IT infrastructure is now located externally, but this outsourcing trend appears to have created a significant visibility gap. Some 24% of these assets are considered risky or have a known vulnerability, Cyberpion claimed.
This includes a quarter (25%) of externally hosted cloud-based assets that failed at least one security test, such as misconfigured storage.
The report also claimed that the average Fortune 500 firm has 126 different login pages for customers and employees — but 10% of these allow data transmission over unencrypted HTTP or have invalid certificates.
Fortune 500 firms also connect to an average of 951 cloud assets, but almost 5% of these are vulnerable to severe abuse, Cyberpion claimed. This includes AWS buckets misconfigured, which could allow hackers to read or overwrite customer data or code.
The vendor warned that attackers could take advantage of these gaps in visibility and protection to launch Magecart-style attacks, DNS hijacks or brand abuse — resulting in financial and reputational damage.
“Security teams often can’t effectively defend against attacks stemming from third parties because they lack visibility into the total inventory and volume of assets they are connected to,” said Cyberpion CEO Nethanel Gelertner.
“They are unaware of the exposure to these external vulnerabilities and can’t identify and mitigate against these risks. In addition, the growth of these interconnected assets continues to explode due to trends in cloud-first architectures and digital transformation initiatives, meaning that assessing and protecting the attack surface has become even more challenging over time.”
Microsoft Patches OMIGOD, MSHTML and PrintNightmare Bugs
Microsoft fixed over 60 CVEs in this month’s Patch Tuesday update round, including a zero-day being actively exploited in the wild.
First made public last week, CVE-2021-40444 is a remote code execution vulnerability in Microsoft’s MSHTML engine.
A second zero-day, which was publicly disclosed but not actively exploited, is CVE-2021-36968, an elevation of privilege vulnerability in Windows DNS. It is labeled “important” by Microsoft and only impacts Windows 7 and Windows Server 2008.
However, these vulnerable legacy systems could appeal to threat actors as targets, according to Ivanti VP of product management, Chris Goettl.
“In this case, they could find the fact that this only affects legacy OSs as attractive, banking on the fact that companies are still running these systems but not continuing with extended security updates (ESU) from Microsoft,” he explained.
“If you fall into this group, there is yet more reason to either subscribe to Microsoft’s ESU for Windows 7 and Server 2008/2008 R2 or migrate off of these platforms, as the risk of running these end-of-life systems continues to grow.”
Elsewhere there was also an updated patch for one of the print spooler bugs known as PrintNightmare, to fix new issues discovered by researchers beyond the original fix. With exploit code available for this CVE, it’s also a matter of urgency to patch, said Goettl.
Other noteworthy CVEs that got the patch treatment this month were CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649 — affecting Microsoft’s Open Management Infrastructure (OMI) agent.
Dubbed “OMIGOD” by researchers at Wiz.io, the bugs could enable a remote attacker to gain root access to Linux virtual machines running on Azure.
“We conservatively estimate that thousands of Azure customers and millions of endpoints are affected. In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk,” the firm warned.
Massachusetts AG Launches Probe into T-Mobile Data Breach
The attorney general of Massachusetts, Maura Healey, has announced a probe into the recent data breach suffered by American telecommunications company T-Mobile.
In August, the United States wireless carrier disclosed a data breach impacting around 54.6 million individuals. Data exposed in the security incident included names, addresses, birth dates, phone numbers, Social Security numbers, information from driver’s licenses, International Mobile Equipment Identity (IMEI) numbers, and International Mobile Subscriber Identity (IMSI) numbers belonging to T-Mobile pay monthly customers and to people who applied for T-Mobile credit.
Healey proclaimed on Tuesday that an investigation has been launched by her office to examine what safeguards T-Mobile had put in place prior to the breach to protect consumers’ data and mobile device information.
The probe will also delve into how the breach occurred, how T-Mobile handled the incident, and what actions were taken by the company to notify impacted customers and T-Mobile credit applicants.
“My office is extremely concerned about how this data breach may have put the personal information of Massachusetts consumers at risk,” Healey said in a statement.
“As we investigate to understand the full extent of what’s happened, we urge impacted consumers to take the necessary precautions to ensure their information is safe, and to prevent identity theft and fraud.”
Turkey resident John Binns claimed to the Wall Street Journal that he was responsible for the T-Mobile hack that led to the major data breach. The 21-year-old American said he used an unprotected router exposed on the internet to gain access to T-Mobile servers sited in a data center near East Wenatchee, Washington, in July.
In a written statement issued last month, T-Mobile CEO Mike Sievert told customers he was “truly sorry” for the security breach.
Sievert said that the company “didn’t live up to the expectations we have for ourselves to protect our customers” and added, “Knowing that we failed to prevent this exposure is one of the hardest parts of this event.”
In response to the breach, T-Mobile is offering consumers various free theft-protection services, including scam and account take-over protection for their cell phones.