Microsoft has discovered a new post-exploitation backdoor attributed to the SolarWinds attackers, designed to help them gain admin-level access to Active Directory Federation Services (AD FS) servers.
Dubbed “FoggyWeb,” the malware has been in use since around April 2021, allowing the Russian-linked APT group known as Nobelium (aka APT29) to steal info from compromised servers and receive and execute additional malicious code.
AD FS servers are on-premises systems that provide single sign-on (SSO) to cloud applications in Microsoft environments. They therefore represent an attractive target for data thieves on the hunt for sensitive information.
“Once Nobelium obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools,” explained Ramin Nafisi, senior software security engineer at Microsoft.
“Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components.”
Microsoft has informed all customers currently being targeted by the malware, but it urged others who suspect they may be a victim to audit their entire on-premises and cloud infrastructure, to look for changes the threat actors may have made to maintain persistence.
It also recommended organizations remove user and app access and issue new, strong credentials. They should also use a hardware security module (HSM) to prevent the exfiltration of sensitive info by FoggyWeb, said Nafisi.
He listed multiple suggested techniques to harden and secure AD FS deployments, including restricting admin rights, deploying multi-factor authentication (MFA), removing unnecessary protocols and Windows features, sending AD FS logs to a SIEM, and using complex passwords with over 25 characters.
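The hardening points above (auditing that can be forwarded to a SIEM, restricted admin rights, unnecessary Windows features, and HSM-backed certificates) can be checked from the AD FS server itself. The script below is an added example, not code from Microsoft's advisory or from the article: a read-only check that reports findings and changes nothing. It assumes the ADFS PowerShell module is installed, that it runs in an elevated session with AD FS administrator rights, and that the `$UnwantedFeatures` list is an illustrative baseline each site would replace with its own.

```powershell
# Added example (not from Microsoft's advisory or the article): read-only
# AD FS hardening check. Run in an elevated PowerShell session on an AD FS
# server. Every line it emits is a finding to review; nothing is modified.
# Assumptions: ADFS module present, AD FS admin rights, English locale for the
# auditpol text match, and $UnwantedFeatures is a constructed example list.

Import-Module ADFS -ErrorAction Stop

function Test-AdfsHardening {
    param(
        # Constructed example baseline: features an AD FS server does not need
        # (AD FS on Server 2016+ does not require IIS; SMB1 and PowerShell v2 are legacy).
        [string[]]$UnwantedFeatures = @('Web-Server', 'FS-SMB1', 'PowerShell-V2', 'Telnet-Client')
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $props = Get-AdfsProperties

    # 1. Auditing: AD FS only writes authentication audits to the Security log
    #    when its AuditLevel and the "Application Generated" subcategory are on.
    #    Without them there is nothing useful to forward to a SIEM.
    if (@($props.AuditLevel) -notcontains 'Verbose') {
        $findings.Add("AuditLevel is '$($props.AuditLevel -join ',')'. Fix: Set-AdfsProperties -AuditLevel Verbose")
    }
    $subcat = (auditpol /get /subcategory:"Application Generated" 2>$null) -join ' '
    if ($subcat -notmatch 'Success and Failure') {
        $findings.Add('"Application Generated" auditing is not Success+Failure. Fix: auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable')
    }
    $recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing' } `
                           -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $recent) {
        $findings.Add('No "AD FS Auditing" events in the Security log; check that the AD FS service account holds the "Generate security audits" right.')
    }

    # 2. Admin rights: every local administrator can read the AD FS configuration
    #    database, which is exactly what FoggyWeb exfiltrates.
    $admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name
    $findings.Add("Local Administrators (review against the approved list): $($admins -join ', ')")

    # 3. Unnecessary Windows features and protocols.
    $installed = (Get-WindowsFeature | Where-Object Installed).Name
    foreach ($f in ($UnwantedFeatures | Where-Object { $_ -in $installed })) {
        $findings.Add("Unneeded feature installed: $f. Fix: Uninstall-WindowsFeature $f")
    }

    # 4. Certificates: a token-signing or token-decrypting key that lives in the
    #    configuration database (AD FS-managed self-signed certs) or in the
    #    software key storage provider can be decrypted and stolen; a key held
    #    by an HSM-backed provider cannot be exported.
    if ($props.AutoCertificateRollover) {
        $findings.Add('AutoCertificateRollover is on: signing/decrypting keys are AD FS-managed and stored in the configuration database, not in an HSM.')
    }
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        foreach ($entry in Get-AdfsCertificate -CertificateType $type) {
            $cert = $entry.Certificate
            try {
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            } catch { $key = $null }
            if ($key -is [System.Security.Cryptography.RSACng]) {
                $provider = $key.Key.Provider.Provider            # CNG key storage provider name
            } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider = $key.CspKeyContainerInfo.ProviderName # legacy CAPI provider name
            } else {
                $provider = 'no local private key (AD FS-managed key in the configuration database)'
            }
            if ($provider -match 'Software Key Storage|Enhanced Cryptographic|no local private key') {
                $findings.Add("$type cert $($cert.Thumbprint) (primary=$($entry.IsPrimary)) uses '$provider'; move it to an HSM-backed key storage provider.")
            }
        }
    }
    return $findings
}

Test-AdfsHardening | ForEach-Object { Write-Output $_ }
```

The certificate check is the one that maps most directly to FoggyWeb: a key that never leaves an HSM cannot be recovered by decrypting the configuration database, so a signing certificate reported as "no local private key" or "Microsoft Software Key Storage Provider" is the finding to act on first. Hardware providers report vendor-specific names, which is why the script lists the provider rather than trying to recognise every HSM.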
Since its discovery, the threat actors behind the infamous SolarWinds campaign, which compromised multiple US government departments, have been building out their toolset.
Following the Sunburst backdoor and Teardrop malware used in the attacks, they developed GoldMax, GoldFinder and Sibot malware for layered persistence and EnvyScout, BoomBox, NativeZone and VaporRage for early-stage infections.
A "sophisticated" cyber-attack has forced a British payroll company to shut down its entire network, leaving some contractors without pay.
Giant Group confirmed on September 24 that it had taken its network and its fully integrated IT infrastructure, phone, and email systems offline last Wednesday after detecting suspicious activity.
In a statement published on its website September 27, the company said: "We can confirm that Giant Group was the victim of a sophisticated cyber-attack on September 22nd. International law firm Crowell & Moring immediately put in place a team of experts in the US, UK and Brussels who have been carrying out necessary steps as part of the ongoing investigation.
"Together, we continue to work with our insurers, the ICO and the NCA on the investigation, alongside a number of other specialist advisers and have been sharing updates as soon as we are advised that it is safe to do so."
The attack did not affect Giant Screening, and the company said that its precision portals and Giant Finance+ services were now operational. However, the cyber-attack did prevent an unspecified number of people from receiving their pay at a time when the UK is suffering from a panic buying–induced fuel shortage and a dearth of HGV drivers and food caused by Brexit.
"Although we had no portals to operate from, we managed to pay over 8,000 workers last week," stated Giant Group.
"We appreciate that not everyone would have received their expected payment and for that we are sincerely sorry. We are aiming to be able to process your payroll and pay you by Friday."
The company hasn't stated whether any sensitive information was accessed by the threat actor(s) behind the attack but did confirm that "our databases are encrypted."
Announcements Giant Group made concerning the incident on Twitter have been greeted with angry comments.
On September 25, @tiggy_ayoub tweeted: "Upset is hardly the word for what you are doing to us, Giant Group. No update today, no pay in my account, no food in my kitchen and no fuel in my car. Thanks to you, unable to go to work next week. Wow."
A cyber-criminal imprisoned in the United States for operating websites devoted to fraud and computer hacking has reportedly been deported to Russia.
Aleksei Burkov was 30 years old when a senior district judge in the Eastern District of Virginia sentenced him, in June 2020, to nine years in prison.
Russian native Burkov was placed under lock and key after he admitted running an illegal online marketplace that sold payment card numbers, most of which had been stolen through computer intrusions.
Stolen credit card data sold via Burkov’s Cardplanet site enabled fraudulent purchases of more than $20m to be made using thousands of compromised US credit card accounts.
Another site operated by Burkov was run as an invite-only club through which elite cyber-criminals advertised stolen goods, including personal identifying information and malicious software, and criminal services, such as hacking and money laundering.
To join the club, prospective members had to fork out a deposit of $5K and get three 'trusted' cyber-criminal members to vouch for them.
Burkov was arrested at Ben-Gurion Airport near Tel Aviv, Israel, in December 2015, and extradited to the United States on November 11, 2019. On January 23, 2020, he pleaded guilty to one count of access device fraud and one count of conspiracy to commit access device fraud, identity theft, computer intrusions, wire fraud, and money laundering.
According to Russian news agency TASS, Burkov was detained at a Moscow airport after being deported by the United States. Since no extradition treaty exists between the United States and Russia, Burkov's deportation is surprising.
TASS quotes Russia's interior minister, Irina Volk, as saying on Monday that Burkov was apprehended at Sheremetyevo Airport after being charged in absentia in Russia over the manufacture and sale of counterfeit bank cards and trading in confidential data belonging to customers of credit and financial institutions.
Adam Darrah, director of threat intelligence services at ZeroFox, said the deportation "might be a gesture of goodwill and a signal from the new administration of the extent to which they are invested in and open to further cooperative actions in the cybercrime space."
Darrah added that while there was likely more going on behind the scenes, "the intentional or misguided ransomware attacks against key US food, energy, business, government, and medical institutions must stop, and any way to diffuse the tension between Russia and the United States is worth a try.”
A former attorney for Dodge County, Nebraska, has been indicted by a federal grand jury on two charges of cyber-stalking.
According to an indictment returned on September 24, Oliver J. Glass, age 46, stalked and harassed his estranged wife and her new romantic partner for nine months in 2020.
Oliver and Katie Glass wed on March 28, 2009. She filed for separation in November 2018, and then for divorce in January 2020, around a month after she began a new romantic relationship.
Oliver discovered in March 2020 that his estranged wife was seeing someone new. From March 6 to December 22, 2020, Oliver allegedly "used facilities of interstate commerce to engage in a course of conduct meant to harass and intimidate and to place under surveillance with the intent to harass and intimidate Victim 1 and Victim 2."
The indictment states that Oliver, along with two other employees at the Dodge County Attorney's Office, trawled an online law enforcement database to find data on Katie's new partner. Using their official credentials, the trio accessed the Nebraska Criminal Justice Information System (NCJIS) roughly 16 times to gather information on the man, including his vehicle registration data "and other personal information."
Oliver is accused of using this information to surveil his estranged wife's partner's apartment. He allegedly drove slowly by the residence regularly and asked another Dodge County Attorney’s Office employee and members of local law enforcement to do likewise.
It is alleged that Oliver sent his wife's partner threatening and abusive messages via Facebook and iMessage in which he referenced the victim's car and home address.
Multiple law enforcement officers, after hearing comments or receiving text messages from Oliver, reported believing that the attorney might harm his estranged wife and her partner. Oliver allegedly told a state trooper: "I'm so mad right now I could kill them both."
Oliver is further accused of asking officers with the Sheriff's Office and the Fremont Police Department to try to arrest his estranged wife and her partner for driving while under the influence.
A new emergency fraud hotline has been set up to help tackle surging financial scams in the UK.
UK citizens who believe someone may be trying to trick them into handing over money or personal details can now be automatically connected with their bank’s fraud prevention service by dialing 159.
The service will work in a similar way to non-emergency police (101) or NHS (111) inquiries, offering a memorable and secure number to receive help and advice quickly.
Anyone who receives a call or message from someone asking for money to be transferred or any other financial matter is being urged to hang up immediately and dial 159. They will then be connected to their bank’s fraud prevention service to advise them on what to do.
The scheme is being sponsored by Stop Scams UK, a coalition of banking and technology companies. It is initially being run as a one-year pilot and, if successful, will be made into a universal service.
Currently, the banks involved in the initiative are Barclays, Lloyds (including Halifax and Bank of Scotland), NatWest (including Royal Bank of Scotland and Ulster Bank), Santander and Starling Bank. These banks represent over 70% of UK primary current account holders. TSB will join up in January, and Stop Scams UK is hoping that more will sign up over the course of the pilot.
Most major consumer telephone firms are taking part, and more than 80% of UK mobiles and landlines will be able to use 159 at the outset. It is hoped this will reach 100% during the pilot.
Stop Scams UK also emphasized that 159 “will never call you.”
The BBC quoted Ruth Evans, chair of Stop Scams UK, who stated: "Criminals rely on forcing people into heat-of-the-moment decisions, and calling 159 is a simple, practical tool to break their spell."
The initiative aims to stem surging fraud cases during the past 18 months. A recent analysis by money.co.uk found that Brits have lost over £1bn to fraud and cybercrime in the first six months of 2021.
Commenting on the news, George Patsis, CEO of Obrela Security Industries, said: “The pandemic created a perfect breeding ground for cybercrime. Not only were people getting more deliveries to their homes, banks were also offering new services to help people cope financially through the pandemic. However, this created a multitude of new avenues for cyber-criminals to thrive, and the latest figures show that they succeeded.
“Today, banking fraud scams are rife, and thousands of people are falling victim to them every day, losing millions of pounds with little information on whom to contact to report attacks. However, this new emergency line will address this issue.
“The government also needs to work with banks so information is clearly communicated about how victims can get their money back, as this is another grey area that leaves many people confused.
“It is also vital that banks continue to educate customers on the techniques fraudsters use to trick people into handing over money and their account details because the more people know about these scams, the less likely they are to fall victim.”
Around half of firms in the financial services, property and legal sectors have reported rising levels of financial crime over the past 12 months, according to new data from SmartSearch.
The anti-money laundering (AML) specialist polled 500 regulated businesses in the UK to better understand the levels of risk facing players in each vertical.
Overall, 48% of respondents said they’d seen a rise in financial crime, and a quarter (26%) admitted they’d been a victim of attacks.
Legal firms, including conveyancers, experienced the most significant number of compromises, with a third (33%) saying they had been a victim of financial crime.
The sector is an increasingly attractive target for both state-backed and financially motivated cyber-criminals, given the wealth of sensitive client information that legal practices typically hold.
However, while the threat from external actors is certainly acute, separate research earlier this year revealed that most breaches reported to the regulator, the Information Commissioner’s Office (ICO), come from negligent insiders.
The SmartSearch study also revealed variations across different regions of the UK. For example, almost two-thirds (64%) of regulated businesses in the East Midlands reported a rise in fraud attempts, versus 55% in London.
SmartSearch CEO John Dobson argued that the rush to adapt to new business practices during the pandemic may have exposed some organizations to a rise in financial crime and money laundering.
In particular, crucial Know Your Customer (KYC) checks and other due diligence processes required by AML regulations became harder as face-to-face meetings were banned.
The Money Laundering and Terrorist Finance Act introduced in September gave the green light for firms to streamline these processes via digital verification. Yet 13% of those SmartSearch spoke to aren’t even aware of the changes.
“There’s no doubt the conditions since the outbreak of coronavirus have been ripe for criminals to seize the opportunity for money laundering and other fraudulent activities in the property market,” argued Dobson.
“The message for regulated business that comes out of these findings is that switching to electronic verification is the smart thing to do, providing confidence through automated perpetual KYC processes. If the country is on the brink of another lockdown this winter, it is vital that businesses are not caught out by not having the right tools to avoid business disruption.”
The US telecoms regulator revealed more details on a scheme to reimburse smaller carriers who procured kit from Chinese providers, which was subsequently deemed a national security risk.
The Federal Communications Commission (FCC) officially designated Huawei and ZTE a security risk in July 2020, having first revealed plans to force carriers to rip-and-replace Chinese equipment the previous year.
An update yesterday said that small telecoms carriers would be able to apply for a portion of the Secure and Trusted Communications Networks Reimbursement Program from October 29. However, the window for applications will close on January 14, 2022.
There’s $1.9bn up for grabs in total, but several rules are attached. First, carriers must serve 10 million or fewer customers, and the equipment in scope is limited to that produced by Huawei and ZTE and purchased before June 30, 2020.
The FCC’s Wireline Competition Bureau will assess whether an application is eligible based on the “reasonableness of the cost estimates” provided by the applicant. These must cover the costs for removing, replacing, and disposing of communications equipment and services.
If there’s a problem with an application, the carrier will have 15 days to fix any highlighted issues before it is denied in full.
Where older networks can’t be replaced like-for-like because of the legacy nature of the equipment, they may be replaced with 5G/LTE kit.
Huawei and ZTE’s fortunes have taken a tumble since the US singled the firms out for special treatment. Allies, including the UK, Australia, and New Zealand, have taken steps to ban Huawei’s and ZTE’s equipment from their 5G networks.
In related news, Huawei CFO Meng Wanzhou was released from house arrest in Vancouver over the weekend after striking a plea deal with US prosecutors.
Under the terms of the deal, she admitted misleading a global banking partner about the nature of the firm’s business in Iran and its efforts to evade US sanctions.
A former Ethereum developer has pleaded guilty to helping North Korea escape US sanctions by providing technical advice on cryptocurrency.
Singapore resident and US citizen Virgil Griffith, 38, pleaded guilty to one count of conspiring to violate the International Emergency Economic Powers Act (IEEPA), which carries a maximum term of 20 years in prison.
According to the Department of Justice (DoJ), he began developing and funding cryptocurrency infrastructure in the hermit nation as far back as 2018, knowing that the spoils from mining digital coins could help the country evade sanctions and fund its nuclear weapons program.
In April the following year, he’s said to have given a presentation in Pyongyang, along with several unnamed co-conspirators, in which he explained how cryptocurrency could be used to evade sanctions and how smart contracts could be used in weapons negotiations with the US. This is despite the State Department denying Griffith permission to travel to the North Korean capital.
He’s also said to have attempted to recruit other US citizens to join his scheme. However, during this period, no attempt was made to contact the Treasury’s Office of Foreign Assets Control (OFAC) to request a license for exporting goods, services or technology to North Korea.
Griffith initially pleaded not guilty back in January 2020, following his arrest at Los Angeles International Airport in November 2019.
It emerged in August this year that four unauthorized FBI staffers were able to view data that had been extracted from Griffith’s Twitter and Facebook accounts due to a bug in the Palantir analytics software they were using.
However, it doesn’t seem to have had any bearing on the investigation or the criminal case against the developer.
“As he admitted in court today, Virgil Griffith agreed to help one of our nation’s most dangerous foreign adversaries, North Korea. Griffith worked with others to provide cryptocurrency services to North Korea and assist North Korea in evading sanctions, and traveled to North Korea to do so,” said US attorney Audrey Strauss.
“In the process, Griffith jeopardized the national security of the United States by undermining the sanctions that both Congress and the President have enacted to place maximum pressure on the threat posed by North Korea’s treacherous regime.”
A computer scientist has been charged with using computers belonging to the California Department of Technology for illegal purposes.
Jonathan Patrick Turrentine was employed by the department as a system software specialist as recently as 2016, according to the Transparent California online database.
The 39-year-old was booked into the Sacramento County Main Jail on Wednesday on suspicion of drug trafficking, money laundering, and trafficking in counterfeit goods. He is being held without bail.
A 50-page criminal complaint unsealed on Thursday alleges that Turrentine, using screen names including Caliplugmike, sold a variety of contraband items via the dark website Empire Marketplace.
The complaint states: “As of April 4, 2020, Caliplugmike had 904 reviews on Empire Marketplace, with a customer service score of 97.13% positive market feedback.”
Turrentine is accused of selling “various amounts of LSD, cocaine, Xanax pills, Adderall pills, psilocybin mushroom, ecstasy and herbal products of marijuana in various forms including edibles, vape pens / cartridges, and marijuana buds in gram, ounce and pound amounts" alongside compromised emails and passwords.
An investigation was launched in November 2018, after drug-detecting sniffer dogs flagged a suspicious package that arrived at Royal Oaks post office, addressed to Turrentine.
When law enforcement officers opened the package, they found several thousand apparently fake Xanax pills. Turrentine said he wasn't expecting a delivery and denied any knowledge of the pills.
A bottle containing 67 tablets that officers described as "identical to the pills that were in the suspicious package" was discovered along with prepaid shipping labels and vacuum bags.
Investigators also observed a computer with an active monitor on, displaying "communications that matched those of an individual operating a darknet vendor site to distribute illegal narcotics."
Court documents state: “A quick computer search revealed that Turrentine controlled several dark web provider accounts and used the nicknames Mushmike1776, Calicartconnect, Calicarts, Bigboycarts, and Californiabudz.”
Undercover agents tracked Turrentine by using Bitcoin to purchase illegal goods from his alleged dark web accounts, including drugs and a $1 list of 1.4 billion email addresses and passwords.
During Infosecurity Magazine's North American Online Summit, editorial director Eleanor Dallaway moderated a session dedicated to the most dangerous attack techniques in 2021. In her opening statement, she stated that the last two years have seen a huge amount of change and evolution, and cyber attack vectors and attack techniques have been no exception.
Dallaway was joined by an expert panel: Brad LaPorte, partner at High Tide Advisors; Miranda Richie, director of cyber threat operations at Orbia; and Michael F.D. Anaya, head of attack surface analysis at Palo Alto Networks and a former FBI cyber special agent.
Cyber Attacks and COVID-19
The opening question of the Q&A concerned how quickly cyber-attacks have changed in the context of COVID-19. LaPorte noted that crimeware-as-a-service (CaaS) has become widespread: around 2018, criminals changed their hacking approach and, in effect, became managed service providers. The attack surface is now "everywhere" because of hybrid work models, and cyber-threat groups are larger and can make a lot of money. Anaya responded that criminals will always find new opportunities; phishing is still a big thing, is easy to execute and will not disappear anytime soon, he noted. Richie raised the topic of initial access brokers, who she said are enjoying rich pickings amid the COVID-19 chaos. LaPorte pointed out that alongside crime-as-a-service, DDoS-as-a-service and ransomware-as-a-service have become very popular during the pandemic, and that hacker groups can easily break into companies and then sell the keys to the highest bidder.
Anaya, agreeing with the points raised by the other two panelists, emphasized that threats are evolving because of the amount of information sharing on the dark web, and that the same is happening on open forums. Richie then asked Anaya whether this typically goes beyond collaborative efforts, for instance to the mafia. Anaya said that it is hard for law enforcement to obtain the identities of threat actors because of their anonymity.
Threat Actors and Competition
The second question was whether there is an ostensible competition between threat actors. Anaya gave a succinct response: unlike most organizations, which struggle to share information because of legal barriers, threat actors face no obvious barriers. That is something that needs to change, according to Anaya, because organizations must share information more freely and effectively.
Brad LaPorte: "International hacker networks, nation-states and gangs are all collaborating"
Threat Actors Working Together
Dallaway shifted the question to the topic of money and how threat actors work together. LaPorte responded that it makes sense to work together if no person's wallet is affected. If people do not believe that threat actors are working together, they need to "wake up," he said, adding that international hacker networks, nation-states and gangs are all collaborating.
The first audience poll asked viewers which of the following attack techniques they consider to be the most dangerous. The results were as follows:
- Supply chain attack (46%)
- DDoS as a ransom (26%)
- RaaS (14%)
- API attacks (12%)
The conversation then turned to ransomware-as-a-service. Richie explained what it is while emphasizing the rise of double-extortion techniques, which combine exfiltration with encryption. Anaya pointed out that no regulation forces an organization to publicly disclose that it has been the victim of a ransomware attack. LaPorte noted that in 2018 one third of ransomware victims would report an attack; in 2021 that number has shrunk to 13%. Unfortunately, even the FBI lacks relevant information since many organizations don't come forward.
Off the back of this point, Dallaway asked whether fewer people are paying up. LaPorte contended that cyber-attacks are increasing in frequency and that ransom demands are increasing too. Essentially, attacks are still happening, and, worryingly, hackers will look at other ways to get organizations to pay. The costs associated with breaches are also increasing. Richie questioned whether authorities are going after the attackers en masse.
Anaya replied that the FBI was trying, like other government departments, but that the task was very complicated: attackers are notoriously hard to identify. According to Anaya, there is a lot of delineation in government, and the FBI is "siloed," which presents various problems. LaPorte added that this gets more complicated when factoring in things like insurance; best practice should be to share intel and to make the process "ubiquitous." Anaya added that organizations cannot achieve this without being empowered to share intel strategically so law-enforcement agencies can identify threat actors.
Commodity Malware
Dallaway moved to a question posed by the audience about commodity malware, asking why cybersecurity experts do not place enough emphasis on it. Anaya replied that commodity malware is the most significant threat and is what government entities are setting their sights on.
The results of the second poll, which again asked which of the following attack techniques voters consider to be the most dangerous, were:
- Supply Chain Zero Day exploit (50%)
- Cloud misconfiguration (26%)
- Business email compromise (19%)
- EPP/EDR bypass (3%)
In light of the second poll results, Dallaway raised another critical topic in the global threat landscape, asking Richie why voters likely picked ransomware and supply chain attacks as the most concerning threats. Richie pointed to this year's Kaseya supply chain attack, which caused widespread downtime for over 1,000 companies, and to the SolarWinds attack this year, which targeted US federal agencies and over 100 companies. Not only do such attacks have a huge impact on businesses, operationally and financially, but they are notoriously hard to detect and defend against. LaPorte emphasized remote code execution: if attackers can achieve it, they have significant power in their attacks.
Miranda Richie: "Ransomware and supply chain attacks not only have a huge impact on businesses, operationally and financially, but they are notoriously hard to detect and defend"
Artificial Intelligence
Dallaway raised a question from the audience focusing on AI-based attacks: since attackers are using AI to execute supply chain attacks, must companies use AI to protect themselves effectively? LaPorte responded that companies using AI will reduce work and costs, and that AI-led detection and response are significantly effective at protecting organizations.
Anaya remarked that machine learning could assist businesses greatly, since AI can learn patterns of "normal" behavior in an organization and detect and investigate anomalies. LaPorte added that studies show an 80% reduction in costs when organizations use both AI and automation. Richie added that the industry is well aware of SOC fatigue; AI can help automate the repetitive tasks SOCs typically tackle.
Cloud Misconfiguration
The penultimate question concerned the threats associated with cloud misconfiguration. Anaya responded that the MFA (multi-factor authentication) base isn't rotated enough, presenting innumerable threats, and that rotation isn't a policy organizations enforce enough. A follow-up point concerned EPP and EDR being bypassed and zero-day exploits. LaPorte highlighted that attackers can, in effect, do various things on IoT without detection, and that the growing complexity of modern tech is an increasing issue.
The result of the third poll, asking voters what 2022 will be the year of, revealed the following:
- Ransomware…again (43%)
- Who on earth knows?! (25%)
- Zero trust (16%)
- AI (9%)
- Data breaches (4%)
The final question was posed as a quick-fire round, asking what each panelist believed 2022 would be the year of. Richie believed 2022 to be when the lines between physical and digital will be blurred. Real-life examples include hospitals and pipelines. This trend, she argued, will increase. Anaya agreed with Richie, adding that there are three things that organizations can do here to protect themselves: 1) organize a dedicated team, 2) empower that team and 3) see cybersecurity as a critical cost. Finally, LaPorte wrapped up the commentary, stating that organizations can also protect themselves with 'operational readiness.'
An academic health-care system in California is facing legal action over a data breach that potentially exposed the information of nearly half a million patients, employees, and students.
UC San Diego Health disclosed a security incident in July via a public notice. The notice indicated that unauthorized access to "some employee email accounts" had taken place from December 2, 2020, to April 8, 2021.
The incursion occurred after an employee with a health-system email account took the bait proffered in a phishing attack. Suspicious activity was detected in the system's network on March 12, and compromised email accounts were shut down on April 8.
"When UC San Diego Health discovered the issue, we terminated the unauthorized access to these accounts and enhanced our security controls," said the health-care provider.
The health system said that data potentially accessed and exfiltrated in the attack may include the full names, addresses, dates of birth, email addresses, fax numbers, claims information including dates and costs of care received, laboratory results, medical diagnoses and conditions, medical record numbers, prescription information, treatment information, Social Security numbers, government identification numbers, financial account numbers, student identification numbers, usernames, and passwords of a "subset of our patient, student and employee community."
On September 7, UC San Diego Health began notifying 495,949 individuals – where contact information was available – that they may have been affected by the breach.
The San Diego Union-Tribune reports that lawyers representing a cancer patient from El Cajon filed a suit last week against UC San Diego Health over the data breach. The plaintiff has accused the health-care system of breach of contract, negligence, and violating California consumer privacy and medical confidentiality laws.
“This breach was preventable had UC San Diego Health had the right data protection protocols in place,” said San Diego attorney Jason Hartley.
The plaintiff asserts that the health-care system failed to adequately train employees on how to avoid phishing attacks and neglected to implement reasonable security practices.
The suit is seeking class-action status and unspecified damages for all the individuals whose medical data and personal information may have been exposed.
A leading port in the United States has successfully fended off an attempted cyber-attack, which authorities believe was sponsored by a foreign power.
Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly revealed to a Senate committee on September 23 that malicious hackers had targeted the Port of Houston in August.
The 25-mile-long port complex is one of the largest on the US Gulf Coast and handles around 247 million tons of cargo per year, according to the port's website.
Easterly divulged to the Senate Homeland Security and Governmental Affairs Committee that while attribution of cyber-attacks "can always be complicated," she was of the opinion that a "nation-state actor" was to blame in this case.
"At this point in time, I would have to get back with my colleagues, but I do think it is a nation-state actor," said Easterly. However, the cyber leader did not go so far as to name which one she believed to be responsible.
The Port of Houston put out a brief statement on Thursday announcing that a digital assault against its systems had come to naught.
"The Port of Houston Authority (Port Houston) successfully defended itself against a cybersecurity attack in August. Port Houston followed its Facilities Security Plan in doing so, as guided under the Maritime Transportation Security Act (MTSA), and no operational data or systems were impacted as a result," read the statement.
Hackers exploited a previously unknown vulnerability in password management software to break into one of the port's web servers at 2:38pm UTC on August 19, according to Coast Guard analysis of the incident, obtained by CNN.
The threat actor installed malicious code to expand their access to the system and then exfiltrated all the log-in credentials for a piece of Microsoft password management software used to control network access.
"If the compromise had not been detected, the attacker would have had unrestricted remote access to the [IT] network," the unclassified report by US Coast Guard Cyber Command reportedly reads.
"With this unrestricted access, the attacker would have had numerous options to deliver further effects that could impact port operations."
Huawei’s CFO is finally back in China after striking a plea deal with the US authorities in which she admitted playing a pivotal role in a scheme designed to defraud a global financial institution.
Meng Wanzhou, the daughter of Huawei founder Ren Zhengfei, was indicted by the US in 2019 on charges associated with the firm’s alleged breaking of US sanctions on Iran.
According to the Department of Justice (DoJ), she lied to a banking partner about the scale and nature of the firm’s business in Iran in order to preserve the relationship with the financial institution.
Specifically, she told the senior exec at the bank that subsidiary Skycom, which operated in Iran, was just a business partner rather than wholly controlled by Huawei. She also said Huawei had sold all its shares in Skycom, when, in fact, it sold them to another entity controlled by Huawei.
The DoJ said she also lied in claiming Huawei “operates in Iran in strict compliance with applicable laws, regulations and sanctions” and that “there has been no violation of export control regulations” by “Huawei or any third party Huawei works with.”
As a result of her false reassurances, the bank helped clear around $100m in transactions from Skycom, some of which came from its Iran dealings, in contravention of US sanctions.
According to the plea deal, Meng pleaded not guilty to charges of bank fraud and wire fraud, conspiracy to commit bank fraud and conspiracy to commit wire fraud, but did admit most facts underpinning the DoJ’s case.
“Her admissions in the statement of facts confirm that, while acting as the Chief Financial Officer for Huawei, Meng made multiple material misrepresentations to a senior executive of a financial institution regarding Huawei’s business operations in Iran in an effort to preserve Huawei’s banking relationship with the financial institution,” said acting US attorney Nicole Boeckmann.
“The truth about Huawei’s business in Iran, which Meng concealed, would have been important to the financial institution’s decision to continue its banking relationship with Huawei. Meng’s admissions confirm the crux of the government’s allegations in the prosecution of this financial fraud — that Meng and her fellow Huawei employees engaged in a concerted effort to deceive global financial institutions, the US government and the public about Huawei’s activities in Iran.”
Meng had been under house arrest in Canada awaiting extradition to the US when the deal was struck. The two Canadians held by the Chinese authorities in an apparent tit-for-tat ploy were released shortly afterwards, apparently undermining Beijing’s claims that they had committed severe spying offenses.
The Quadrilateral Security Dialogue (Quad) has signaled its commitment to cybersecurity by announcing a dedicated new group that will promote best practices and shared standards.
The announcement came after the first-ever in-person meeting of the Quad, which comprises the US, India, Japan and Australia in an alliance of democratic nations designed to counter Chinese aggression.
A White House briefing on the leaders’ summit detailed multiple areas of cooperation between the four nations, from COVID-19, climate change and infrastructure to emerging technologies, space and cybersecurity.
“Building on longstanding collaboration among our four countries on cybersecurity, the Quad will launch new efforts to bolster critical infrastructure resilience against cyber threats by bringing together the expertise of our nations to drive domestic and international best practices,” it noted.
The newly announced Quad Senior Cyber Group looks set to be the key driver of new initiatives in this space.
“Leader-level experts will meet regularly to advance work between government and industry on driving continuous improvements in areas including adoption and implementation of shared cyber standards; development of secure software; building workforce and talent; and promoting the scalability and cybersecurity of secure and trustworthy digital infrastructure,” the briefing claimed.
There was also progress on critical and emerging technologies which may have cybersecurity implications, most notably a new dialogue designed to promote Open RAN deployment.
The open standard is seen as a critical way to reduce democratic nations’ reliance on 5G infrastructure from China, which has raised significant security concerns in the West.
The Quad also announced it would establish new “contact groups” focused on standards development and research for AI and advanced communications. This could be viewed in the context of concerns that Chinese engineers have been instrumental in setting 5G standards, providing the nation with a potential geopolitical advantage.
The Quad news comes just days after the US, UK and Australia announced a new AUKUS pact that will see close cooperation between the Anglophone nations on AI, quantum, cybersecurity and more.
The European Union has urged Russia to respect the democratic process after calling out Kremlin-backed hackers for an ongoing information-stealing and disinformation campaign.
On Friday, a declaration from foreign policy chief Josep Borrell claimed several unnamed member states had observed malicious activity associated with the Ghostwriter hacking group.
“These malicious cyber activities are targeting numerous members of parliaments, government officials, politicians, and members of the press and civil society in the EU by accessing computer systems and personal accounts and stealing data,” the statement continued.
“These activities are contrary to the norms of responsible state behavior in cyberspace as endorsed by all UN member states, and attempt to undermine our democratic institutions and processes, including by enabling disinformation and information manipulation.”
Ghostwriter is well known in government cybersecurity circles, having been pegged in 2020 for a years-long campaign designed to spread false information and incite animosity towards the US and NATO among eastern European and Baltic states.
Earlier this month, Germany’s Foreign Ministry claimed Ghostwriter was attempting to steal the login details of federal and state lawmakers to publish fake messages from their accounts to influence voters.
In its latest missive, the EU denounced such activities and called for an immediate cessation — hinting that further action may be taken if its demands weren’t met.
“We urge the Russian Federation to adhere to the norms of responsible state behavior in cyberspace,” it concluded.
“The European Union will revert to this issue in upcoming meetings and consider taking further steps.”
However, given Russia’s track record on such matters, it’s unlikely that such words will lead to a significant change in strategy by the Putin administration, which cemented its grip on power after a recent election victory widely believed to have been rigged.
In announcing the deal on Thursday, LG said it would assume a stake of around 64% in Cybellum, which was valued at $140m. The remaining shares will be acquired soon, at which time the final valuation and total investment amount will be confirmed.
LG called the acquisition "a strategic move that will enhance LG’s cybersecurity capabilities and accelerate its efforts to become an Innovation Partner for Future Mobility."
Alongside its investment, LG committed to a simple agreement for future equity (SAFE) that will see an additional $20m invested in Cybellum in the fourth quarter of 2021 upon conclusion of the trading process.
Cybellum was founded in 2016 in Tel Aviv by CEO Slava Bronfman and CTO Michael Engstler, both of whom served in the elite Israeli military intelligence group, Unit 81.
“We’re excited about this partnership with LG and the great return we’ve been able to deliver to our stakeholders,” said Bronfman. “Cybellum has developed the most comprehensive product security management offering in the industry, and joining forces with LG will enable us to further accelerate the realization of our vision. We expect to grow significantly in the near future.”
Thirty-five of Cybellum's 50 employees are based at the company's research and development center in Tel Aviv. Since its creation, the company has received investment from RSBG Ventures, Blumberg Capital, and Target Global, among other sources.
Working in partnership with the likes of Jaguar and Nissan, Cybellum provides automotive original equipment manufacturers (OEMs) and suppliers with an agentless solution that can scan embedded software components and detect cyber vulnerabilities. The solution can also remediate risks at scale over a vehicle's entire life cycle.
“It’s no secret the critical role software plays in the automotive industry and with it comes the need for effective cybersecurity solutions,” said Dr. Kim Jin-yong, president of the LG Electronics Vehicle Component Solutions Company.
“This latest deal will further strengthen LG’s solid foundation in cybersecurity, enabling us to be even more prepared for the era of connected cars.”
Lawmakers in Florida are asking why the state has failed to spend millions of dollars it was assigned to fund the implementation of new cybersecurity measures.
The Miami Herald reports that despite lawmakers allocating $30m for the improvements months ago, the Sunshine State has yet to spend a single cent.
The office of Florida’s statewide chief information officer, Jamie Grant, requested the money seven months ago with the understanding that it would be used for threat assessments, new software, and infrastructure hardening.
While $672,000 was to be spent on training, $3.2m was to be used to fund a new Cybersecurity Operations Center.
Quizzed by lawmakers on Wednesday over his office’s fiscal inaction, Grant gave the response that his office was too short-staffed to draw up a spending plan. He later declined to say when a plan would be put in place when questioned by the Herald.
In August, it was reported that Florida’s year-old IT agency – the Florida Digital Service – was struggling to keep key positions filled.
Grant, a former state representative appointed to his leadership role in 2020 by Governor Ron DeSantis, said last month that personnel changes taking place in the Florida Digital Service were "consistent" with his team's "shared principles."
Since taking over, Grant has seen two chief information security officers, the chief data officer, the enterprise architect, the chief operations officer, and half of the state’s new ten-member cybersecurity team leave their jobs.
According to the Herald, several of the individuals quit suddenly without giving notice, with some telling the news source that they found Grant’s management style antagonistic.
The high number of unfilled roles within the agency has attracted criticism. James Taylor, CEO of the Florida Technology Council, described the vacant positions on the cybersecurity advisory board as “a massive concern.”
Visitors to the Florida Digital Service website are told: "We need your help. Join the team." The site does not contain a list of vacancies, but instead features an 'apply now' button that takes visitors to a contact form that they can use to state their skills or certifications and the policy area(s) in which they are interested.
Cell phone users in Canada and the United States are being targeted by a new and advanced form of SMS malware that lures victims with COVID-19-related content.
Threat analysts at Cloudmark discovered the new low-volume campaign attacking Android mobile device users and named it TangleBot. This complex malware can directly obtain personal information, control device interaction with apps and overlay screens, and steal account information from financial activities initiated on the device.
TangleBot sends SMS text messages themed around coronavirus regulations and third doses of COVID vaccines known as booster shots to entice users into downloading malware. Victims who take the lure unwittingly download malware that compromises the security of their device and configures the system so that confidential information can be exfiltrated to systems controlled by the attacker(s).
The malware allows the threat actor(s) to control everything from call logs and contacts to the phone camera and GPS on an infected device and employs multiple levels of obfuscation to keep its presence hidden from the device's user.
"The malware has been given the moniker TangleBot because of its many levels of obfuscation and control over a myriad of entangled device functions, including contacts, SMS and phone capabilities, call logs, internet access, and camera and microphone," wrote the analysts.
The messages sent as part of the malware campaign appear to be warnings or appointment notifications. One such SMS contained the text "New regulations about COVID-19 in your region. Read here:" followed by a malicious link.
Another preceded a malicious link with the statement: "You have received the appointment for the 3rd dose. For more information visit:"
Users who click on the link are taken to a website where they are notified that the Adobe Flash Player software on their device is out of date and must be updated for them to proceed. If the user clicks on the subsequent dialog boxes, TangleBot malware is installed on the Android device.
"As we have seen with FluBot, TangleBot can overlay banking or financial apps and directly steal the victim’s account credentials," noted the analysts.
"Also, TangleBot can use the victim’s device to message other mobile devices, spreading throughout the mobile network."
Last week, hacking group Anonymous claimed to have stolen and leaked data held by Epik, a website hosting firm popular with far-right organizations like the Proud Boys.
The reams of data, amounting to 150 gigabytes, include information about those who tried to overturn the 2020 presidential election. Epik has historically provided web hosting services to a number of conspiracy theorists and conservative media networks.
On Epik’s clientele list were several sites banned from other platforms for violating hate speech and misinformation policies. These include those associated with the Proud Boys, 8chan, Parler, and QAnon conspiracy groups.
“On September 15, we confirmed that certain customer-account information for our domain-related systems was accessed and downloaded by unauthorized third parties,” the company, which calls itself the “Swiss Bank of Domains” on its website, tweeted on September 18, 2021.
In a statement, Anonymous said it had stolen "a decade’s worth” of company data, including passwords, internal emails and clients’ home addresses and phone numbers.
The breach undermines Epik’s longstanding pledge that customer data would remain anonymous irrespective of views customers might share online.
Megan Squire, a professor at Elon University who studies right-wing extremism, told The Washington Post that: “It’s massive. It may be the biggest domain-style leak I’ve seen and, as an extremism researcher, it’s certainly the most interesting.
“It’s an embarrassment of riches — stress on the embarrassment.”
The “command injection vulnerability,” which could allow threat actors to take complete control of compromised devices, was discovered by cybersecurity researcher Watchful IP in June and first reported on Monday by IPVM.
According to the security advisory, the vulnerability received a base score of 9.8 out of 10 per the Common Vulnerability Scoring System (CVSS), which Watchful IP called “the highest level of critical vulnerability.”
Although the video surveillance giant has not disclosed how many products are likely impacted, posting only product names and firmware versions, IPVM estimates that more than 100 million devices could be affected.
In a letter to its partners, Hikvision advised integrators to download the updated firmware from its website to remediate the vulnerability.
It also said: “We recognize that many of our partners may have installed Hikvision equipment that is affected by this vulnerability, and we strongly encourage you to work with your customers to ensure proper cyber hygiene and install the updated firmware.”
Hikvision also said that it worked with Watchful IP to patch the vulnerability. Additionally, the company has patched all vulnerabilities reported to the company in its latest firmware version.
“Hikvision is a CVE Numbering Authority (CNA) and has committed to continuing to work with third-party white-hat hackers and security researchers, to find, patch, disclose and release updates to products in a timely manner that is commensurate with our CVE CNA partner companies’ vulnerability management teams,” the letter adds.
“Hikvision strictly complies with the applicable laws and regulations in all countries and regions where we operate and our efforts to ensure the security of our products go beyond what is mandated.”