A ransomware gang that launched a "catastrophic" cyber-attack against the Irish health system is now reportedly helping in its recovery.
The attack on the Health Service Executive (HSE) of the Republic of Ireland, carried out with Conti ransomware, started when a single computer stopped working and its user responded to a prompt to click on a link.
HSE was alerted to the attack at 4am on May 14 and subsequently shut down all of its IT systems nationwide. The closure caused the cancellation of appointments, including maternity scans, radiology services and outpatient appointments.
A ransom of $20m was demanded by the attackers to restore files that were encrypted in the attack. The Irish government has said that it has no intention of paying the cyber-criminals who hit the HSE.
On its site on the dark net, the ransomware gang said it would give the decryption tool needed to restore the files to the health service free of charge. However, the gang is still threatening to publish data it claims to have stolen during the attack unless a ransom payment is received.
"We are providing the decryption tool for your network for free," wrote the gang, "but you should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation."
Ireland's minister for health, Stephen Donnelly, said that the ransomware gang's unexpected gift was being trialed.
"No ransom has been paid by this government directly, indirectly, through any third party or any other way. Nor will any such ransom be paid," he told Irish broadcaster RTÉ.
"It came as a surprise to us. Our technical team are currently testing the tool. The initial responses are positive."
In an interview with Malwarebytes, an Irish doctor dealing with the fallout from the attack said: “I have to tell patients, sorry I can’t operate on you. You’ve been fasting, you came a long distance, you rescheduled things to make time for me, maybe you have had to come off work. After all this I have to say sorry, I can’t see you.”
Global cybersecurity leaders may not be practicing what they preach after new research revealed that many are engaging in risky behavior online.
Constella Intelligence polled over 100 global IT security bosses across multiple verticals to compile its latest report, Cyber Risk in Today’s Hyperconnected World.
It revealed widespread poor security practice: a quarter (24%) admitted to using the same passwords across work and personal use and nearly half (45%) connect to public Wi-Fi without using a VPN.
Public Wi-Fi is thought to be so dangerous that the FBI regularly warns the public not to connect when out and about.
A similar number (48%) of CISO respondents said they use their work computer to log in to social networking sites and 77% accept friend requests from people they don't know, including on LinkedIn (63%).
According to MI5, foreign spies have contacted over 10,000 British citizens via LinkedIn over the past five years, using fake profiles.
“The consequences of engaging with these profiles can damage individual careers, as well as the interests of your organization, and the interests of UK national security and prosperity," the government said in a recent awareness campaign.
Security leaders continue to engage in risky behavior even though attacks targeting them increase.
Over half (57%) have suffered an account takeover (ATO) attack in their personal lives — mainly through email (52%), LinkedIn (31%) and Facebook (26%). Nearly three-quarters (74%) said they’d been targeted by a phishing or vishing attack in the past 90 days. In a third (34%) of cases, threat actors impersonated their CEO, according to the report.
“Amidst the rise in cyber-attacks on organizations, many of which are perpetrated through C-suite impersonations, employee cybersecurity awareness is now arguably as important as an organization’s security infrastructure,” said Constella Intelligence CEO Kailash Ambwani.
“As the professional and personal spheres become increasingly digitally intertwined, both leaders and employees must pay close attention to the role each one of us plays in collective cybersecurity hygiene.”
There were 193 billion credential stuffing attempts during 2020 as cyber-criminals looked to capitalize on surging numbers of online users, according to Akamai.
The security vendor’s latest 2021 State of the Internet / Security report revealed the sheer scale of attempts to crack open users’ accounts using previously breached credentials.
Focusing mainly on the financial sector, the report claimed that Akamai detected 3.4 billion credential stuffing attempts targeting the vertical — a 45% increase on the previous year.
Akamai also detected nearly 6.3 billion web application attacks in 2020, over 736 million of which were aimed at financial services organizations — an increase of 62% from 2019.
In the financial services industry, Local File Inclusion (LFI) attacks were the number one web application attack type in 2020, accounting for 52% of the total, followed by SQLi (33%) and cross-site scripting (9%).
However, globally across all sectors, SQLi was in top spot — accounting for 68% of all web application attacks in 2020 — while LFI attacks came second with 22%.
“The ongoing, significant growth in credential stuffing attacks has a direct relationship to the state of phishing in the financial services industry,” said Steve Ragan, Akamai security researcher and report author.
“Criminals use a variety of methods to augment their credential collections, and phishing is one of the key tools in their arsenal. By targeting banking customers and employees in the sector, criminals increase their pool of potential victims exponentially.”
The report detailed the rise of smishing and phishing attacks against the financial services sector, specifically via two popular toolkits: Kr3pto and Ex-Robotos.
Akamai said threat intelligence company WMC Global detected smishing campaigns launched via Kr3pto which spoofed 11 brands in the UK, across more than 8000 domains since May 2020.
In total, the firm tracked over 4000 campaigns linked to Kr3pto targeting victims via SMS messaging over 31 days in Q1 2021.
“It's important to remember that employees are consumers too, and with the prevalence of work from home, as well as mobile device usage in corporate environments, criminals are not shy about attacking people no matter where they are, which explains the recent growth in SMS-based phishing attacks,” argued WMC Global senior threat hunter, Jake Sloane.
Misconfiguration of back-end cloud services by more than 20 mobile app developers may have exposed the personal data of over 100 million Android users, according to researchers.
A team at Check Point investigated 23 Android applications in a new piece of research, and found users’ emails, chat messages, location, passwords and photos all exposed by poor security practices.
There were three main issues. First, misconfiguration of the real-time databases that developers use to store data in the cloud and synchronize it with every client instantaneously.
In 13 of the apps studied, no authentication was deployed, enabling would-be attackers to access highly sensitive user data such as email addresses, passwords and private chats.
The second security snafu regarded push notification manager services.
“Most push notification services require a key (sometimes, more than one) to recognize the identity of the request submitter,” Check Point explained. “When those keys are just embedded into the application file itself, it is very easy for hackers to take control and gain the ability to send notifications which might contain malicious links or content to all users on behalf of the developer.”
The third issue was with cloud storage: again the researchers were able to find cases where developers had stored keys in the app file itself, enabling attackers to access sensitive user information.
Check Point said some, but not all, of the developers it contacted prior to publication had changed their configurations to mitigate the highlighted issues.
“This is the perfect storm of three issues — cloud misconfigurations, cloud credential leaks, and overly permissive mobile apps collecting more personal information than needed. Mobile apps usually rely on public cloud-based backend services like databases, analytics, and storage which are prime candidates for misconfiguration,” argued Saumitra Das, CTO of Blue Hexagon.
“Additionally, they release their code openly on app stores making it easier for folks to reverse engineer the inner workings. It is a common mistake to leave cloud access keys in code repositories and apps. Simple encodings like base64 are not enough to obscure the access keys which can allow anyone to then get access to customer PII being collected by the app in the cloud.”
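A defender's version of the check described in this story: a scanner run over strings dumped from an app bundle that flags credential-shaped values and, because a base64 wrapper hides nothing, decodes base64-looking strings and rescans them. This is an added example, not code from Check Point or the vendors quoted; the resource names, the `generic_api_key` pattern and the sample strings are constructed, and only the AWS access-key-ID format and its documented example value `AKIAIOSFODNN7EXAMPLE` are real-world formats.

```python
import base64
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Credential shapes that have no business inside a shipped app bundle.
# The AWS access key ID format (AKIA + 16 upper-case alphanumerics) is public;
# "generic_api_key" is a hypothetical catch-all for key=<long token> assignments.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{24,}"),
}
# Anything that looks like a base64 blob gets decoded and rescanned.
B64_CANDIDATE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


@dataclass(frozen=True)
class Finding:
    kind: str      # which pattern matched
    source: str    # file or resource the string came from
    encoding: str  # "plain" or "base64"
    value: str     # the matched credential-shaped text


def decode_base64_candidates(text: str) -> List[str]:
    """Decode base64-looking substrings that yield printable text; skip the rest."""
    decoded = []
    for m in B64_CANDIDATE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if raw.isprintable():
            decoded.append(raw)
    return decoded


def scan_strings(strings: Iterable[Tuple[str, str]]) -> List[Finding]:
    """strings: (source_name, text) pairs, e.g. the output of a strings/resource dump."""
    findings = []
    for source, text in strings:
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                findings.append(Finding(kind, source, "plain", m.group(0)))
        for plain in decode_base64_candidates(text):
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(plain):
                    findings.append(Finding(kind, source, "base64", m.group(0)))
    return findings


# Constructed sample input standing in for strings dumped from an APK.
SAMPLE_STRINGS = [
    ("res/values/strings.xml", '<string name="app_name">DemoChat</string>'),
    ("assets/config.json",
     '{"region":"eu-west-1","accessKey":"AKIAIOSFODNN7EXAMPLE"}'),
    ("classes.dex",
     "cloud_key=" + base64.b64encode(b"AKIAIOSFODNN7EXAMPLE").decode("ascii")),
]

if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        print(f"{f.source}: {f.kind} ({f.encoding}) -> {f.value}")
```

Run against a real bundle by feeding it `(path, text)` pairs from unpacked resources and a `strings` dump of the DEX or native libraries; the same check belongs in CI over the source repository, where the keys usually enter in the first place.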
As has long been the tradition at the annual RSA Conference, the final panel event is the Top 5 Most Dangerous New Attack Techniques session, and the virtual 2021 edition of the conference was no exception.
Ed Skoudis, fellow and director at SANS Institute, identified undermining software integrity as one of the biggest attack vectors that he is seeing today. Software integrity includes supply chain security for all the embedded libraries and components that make up a modern application.
"Our software development and distribution processes today are focused on speed, getting new code and features out faster," Skoudis said. "They're not focused on trust and cybersecurity, and this is a pretty profound problem."
According to Skoudis, there is no single solution to the problem of software integrity and software supply chain management. The first thing that needs to happen is organizations need to know what software they have in their environments so that they can defend it. The next step is to have a software bill of materials, which essentially identifies all the components that make up a given set of software applications. Skoudis also recommends that organizations integrate threat-hunting activities into their workflows as well to help actively look for potential risks.
The Risk of Improper Session Handling
Heather Mahalik, director of digital intelligence at SANS Institute, identified improper session handling as a top risk.
Every time a user logs in to an application or a service, some form of access token is granted to enable access to the session. Mahalik warned that some sessions don't properly secure tokens, opening up the possibility that data could be leaked or manipulated.
The risk of improper session handling can be reduced with a number of simple steps. The most obvious that Mahalik suggested is for users to log out of devices and application sessions when they are done.
"Many of us like to leave our screen open, we like to leave our devices available, and we will check the box saying use this access for the next seven days, but that's not secure," Mahalik said. "Developers, I encourage you to make tokens that expire and kick people off the network."
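Mahalik's advice to "make tokens that expire" comes down to binding an expiry to the token, having the server enforce it, and honouring an explicit logout. The following is an added example, not code from SANS or the speakers: an HMAC-signed session token carrying issued-at and expiry claims, a verifier that rejects expired, tampered and revoked tokens, and a logout that revokes early. The 15-minute lifetime, the key and the user name are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical lifetime for the example; the right value depends on the application.
SESSION_TTL_SECONDS = 15 * 60


def b64_encode(data: bytes) -> str:
    # URL-safe base64 without padding, so the token is safe in headers and cookies.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, key: bytes, now: Optional[float] = None,
                ttl: int = SESSION_TTL_SECONDS) -> str:
    """Mint a session token whose expiry is covered by the signature."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl}
    body = b64_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{b64_encode(sig)}"


def verify_token(token: str, key: bytes, revoked: set,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired and not logged out, else None."""
    now = time.time() if now is None else now
    if token in revoked:
        return None
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison; a forged or edited token fails here.
        if not hmac.compare_digest(expected, b64_decode(sig)):
            return None
        claims = json.loads(b64_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    # Server-side expiry: the client cannot extend "exp" without breaking the signature.
    if claims.get("exp", 0) <= now:
        return None
    return claims


def logout(token: str, revoked: set) -> None:
    """Explicit logout: the server stops honouring the token before it expires."""
    revoked.add(token)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    revoked = set()
    tok = issue_token("alice", key, now=1_000)
    print(verify_token(tok, key, revoked, now=1_500))  # valid: claims dict
    print(verify_token(tok, key, revoked, now=1_900))  # expired: None
```

The revocation set is the piece that makes logout meaningful: without server-side state, a stolen token stays valid until its expiry, which is why short lifetimes and explicit revocation go together.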
Beware of Artificial Intelligence
Johannes Ullrich, dean of research, SANS Technology Institute, warned that a potential risk comes from artificial intelligence and machine learning that is used for malicious purposes. Ullrich warned that attackers could influence or manipulate machine learning training data sets, which would impact what actions an artificial intelligence system would take.
"Your training data matters, and you need to understand these models," Ullrich said. "So, figure out what they're doing, and figure out how to tune them."
Ransomware Is More Than an Availability Problem
Katie Nickels, certified instructor and director of intelligence at SANS Institute, warned that while ransomware isn't a new threat, the ransomware of 2021 is in fact introducing new risk.
She noted that, historically, ransomware has been discussed as an availability problem. That is, data is encrypted by an attacker, and the user can't get access to the data. In her view, ransomware is no longer just an availability concern; it's also increasingly being linked to data exfiltration. Nickels explained that attackers are now also taking the data and then using it for different purposes, before encrypting data and holding it for ransom.
"In fact, in the fourth quarter of 2020 we found that over 70% of ransomware cases involved some kind of exfiltration and extortion," Nickels said. "This is one of the most dangerous new attack techniques because this is the new normal, thinking about not just the availability, but also the confidentiality of your data, and realizing that adversaries are very likely to exfiltrate and then export your data."
As ransomware has shifted from being just an availability issue, so too have the recommendations on what organizations should do to defend themselves. Simply having an offline backup is not sufficient, according to Nickels. Organizations should also be taking preventative measures like disallowing any file-sharing tools that aren't needed in a network, which can help to prevent some exfiltration from happening.
With the pressures of the pandemic and a seemingly never-ending array of threats that defenders need to be concerned about, Nickels provided an aspirational and inspirational suggestion. She noted that former US president Theodore Roosevelt once said, "Do what you can with what you have, where you are." In her view, that suggestion is an idea that resonates well for IT security professionals.
"You may not be able to solve every challenge, but don't get overwhelmed – start somewhere. Start with improving your detections, whatever that means for your organization," Nickels said. "Do what you can with what you have, where you are, whether it's in cybersecurity or in life."
There are a number of common executive cybersecurity roles today, including chief security officer (CSO) and chief information security officer (CISO), and now it's time to add one more – the chief product security officer (CPSO).
In a session on May 20 at the 2021 RSA Conference, Chris Wysopal, founder and CTO at Veracode, and Joshua Corman, chief strategist for the healthcare sector at CISA, outlined why it's time for organizations to have a chief product security officer (CPSO).
"Software trustworthiness, or rather the lack of trustworthiness, is at the forefront of everyone's mind right now," Corman said.
Corman noted that software development practices really haven't properly considered the consequences of having an insecure development model. For example, during the presentation he pulled up a quote attributed to Reid Hoffman, founder of LinkedIn: "If you're not embarrassed by the first version of your product, you've launched too late." Corman emphasized that no physical engineer would say the same thing about a building or a bridge, where failure would result in the loss of life and property.
"We've learned through high-consequence failures in physical engineering," Corman said. "I'm hoping we will find our footing for what it's going to take for digital infrastructure, because as the world increasingly depends on that digital infrastructure, they increasingly are depending on you."
Enter the Chief Product Security Officer
Having an executive that is dedicated to product security is an important step to help improve security outcomes.
Wysopal explained that a CSO or CISO is typically concerned with an organization's overall security, regulatory compliance and protecting a business's brand. In Wysopal's view, the kind of software that is being developed today is actually adding a lot more risk to the world, and there is a clear and present need to take steps to reduce that risk.
"The idea is we need this new individual to do something that spans many different departments now," Wysopal said.
Wysopal said that the role of chief product security officer spans engineering, compliance, supplier management and information risk. He added that it's also important to have both a developer and enterprise risk management view of software security.
"If you're going to be the CPSO you have to go in both directions, you have to engage with the individual developer, and get that individual developer to find and fix the vulnerabilities in the code," Wysopal said. "But on the other hand, you need to look at the bigger picture."
That bigger picture involves understanding the potential impact of an application or product vulnerability. There is also a need to understand that the attack surface for applications has grown significantly in recent years. Wysopal said that with ubiquitous connectivity and public-facing APIs, there are more opportunities for attackers to find vulnerabilities and exploit an application.
Securing Products with Cloud Native Development Approaches
In the application development space, developers in recent years have been making use of cloud native development approaches that can actually aid prospective chief product security officers.
Wysopal said that technologies such as containers and infrastructure-as-code approaches can narrowly define how a specific component of an application should be deployed in a repeatable manner. By reducing the attack surface and defining application deployments as code, Wysopal said that it's possible to deploy faster and actually build a more secure product.
"We can start to take our security tooling that used to be disparate processes, that sometimes were manual, and actually just make them another developer tool that's part of the process," Wysopal said.
Corman advised that prospective chief product security officers should also take advantage of threat modeling to help reduce risk.
"Instead of using buzzwords and marketing terms like zero trust, actually start implementing some of the ideas behind them, like least privilege and trust boundaries," Corman said.
The global cyber-threat environment is the “worst it’s ever been” due to the increasingly reckless behavior of the four major nation-state actors in this area: China, Russia, North Korea and Iran. That was the message of Dmitri Alperovitch, chairman, Silverado Policy Accelerator, and Sandra Joyce, executive vice president, head of global intelligence at FireEye, who provided the annual Global Threat Brief during a keynote session on day 3 of the 2021 RSA virtual conference.
Alperovitch began by describing how 2020 was a particularly challenging year for the cybersecurity sector. “We’ve had the global pandemic, we’ve seen cyber-adversaries of all types take advantage of stress and workload that is brought on to defenders, but also we’ve had the elections, and the cyber-interference that we all expected.”
The two standout cyber-attacks of the past year – the SolarWinds and Microsoft Exchange incidents – were the first port of call for the two experts in this session. The pair noted the highly targeted nature of the SolarWinds hacks, with Alperovitch commenting that “this was a traditional espionage operation” by the Russian state that targeted foreign governments, particularly areas of the US government, and “other countries that would be used to facilitate access to those government networks.”
He added that a killswitch was in operation to shut down the malware, which was enacted in 99% of the victims – the ones that were irrelevant to their operation – to keep it in “stealth mode” as long as possible. Overall, this attack represents a modernized approach of getting “inside supply chains that are hard to detect and stay in there for long periods of time,” mimicking the previous tactic of using undercover human agents to infiltrate other nations.
Joyce observed that only very specific information was targeted in the attack, with even lucrative data like financial information ignored. “This was an operation to satisfy national-level collection requirements, and that’s espionage,” she stated.
The targeted nature of SolarWinds was in stark contrast to the Microsoft Exchange attack this year, believed to be perpetrated by Chinese state actors. What started out in quite a traditional manner, with vulnerabilities exploited to target traditional targets such as dissident groups and Uyghurs, turned into going “after literally everyone once they learned that Microsoft was going to patch these vulnerabilities,” explained Alperovitch.
This highly aggressive tactic had the effect of leaving many organizations that didn’t have the capacity to patch quickly very vulnerable to follow-on attacks by other cyber-threat actors. “It’s amazing to see this contrast where Russia is the more responsible actor in this particular case,” commented Alperovitch, adding that “the reckless nature (of the Exchange attack) is quite unprecedented.”
The pair went on to discuss the recent cyber-activities of China more broadly. Perhaps unsurprisingly given the pandemic, Chinese APT groups have been heavily targeting the healthcare/biotech sector, particularly vaccine developers and researchers, with the primary aim of “understanding the decision-making process of countries around the world,” according to Joyce.
Interestingly though, “we’re not seeing a lot of destructive or disruptive capability coming out of China,” in comparison to Iran and Russia. Joyce said this is part of China’s long-term strategy.
Another interesting trend the experts saw with China has been the re-emergence of the PLA (People’s Liberation Army) in cyber-operations recently, including in the Equifax hacks. This is quite a common tactic employed by Chinese APT groups, said Joyce, explaining that when exposed, they often go into “hibernation and retooling” and “what’s emerged is a much more focused and disciplined operation.”
China is also increasingly going after mobile devices to target dissident groups within the country. Joyce commented: “They’re using cyber means in order to perpetrate their political aims,” which “is going to continue into the future.”
Alperovitch first expressed surprise that Iran largely “held back” from targeting the US in cyberspace throughout last year, despite the assassination of Iranian General Qasem Soleimani at the start of 2020 following a US drone attack.
However, he noted they did interfere in the November presidential elections “in a more aggressive way than the Russians did in cyberspace.” This was exemplified by the Proud Boys spoof email campaign, which attempted to intimidate registered Democratic voters.
This demonstrated “a real evolution in the information operations, where they used cultural elements,” said Joyce, adding that “it really changed our thinking as to what the Iranian government is willing to carry out.”
Alperovitch also highlighted the innovative ways Iran is leveraging social network sites like LinkedIn “to identify people within companies that they can target, particularly for espionage purposes – that’s now one of the major ways they’re getting inside organizations.”
Turning to North Korea, Alperovitch observed that “when you think about it, they’ve come up with some of the most innovative attacks we’ve seen yet.” This included the model pioneered with their attacks on Sony several years ago – the so-called hack and leak approach.
Joyce also noted how the North Korean government sponsors general cybercrime to gain funding, the first nation-state to employ this kind of crossover. This means groups such as APT38 regularly attempt bank heists around the world, at one point “targeting 16 different financial organizations at once.”
The speakers additionally highlighted that unlike Iran, Russia and China, which often leverage common off-the-shelf tools like Cobalt Strike to help prevent attacks being attributed to them, North Korea is increasingly developing and using its own home-grown tools.
This is part of the Juche principle, which emphasizes the need to stay independent from other countries, and is also being demonstrated by North Korea’s development of its own cryptocurrencies.
Finally, Alperovitch noted that North Korea has been “pioneers” in supply chain attacks. “They’ve targeted AV vendors, even cryptocurrency software to insert backdoors into their applications,” he said, adding that “it’s incredible levels of sophistication we’re seeing from North Korea.”
Interestingly, there was very little in the way of Russia targeting the US elections last year. Nevertheless, Alperovitch said that “we still saw some major activities that were quite disturbing from Russia aside from SolarWinds in 2020.”
This included the targeting of a number of VPN exploits and the noticeable use of the Golden SAML technique in the SolarWinds attack, which “allowed them to mint their own tokens and then have access to multiple applications within the same federated environment,” explained Joyce. The innovative techniques used by Russia in the past year were also very successful at obfuscation, according to Joyce. For example, “they would name their own infrastructure after their target infrastructure so you couldn’t tell the difference.”
Russia has also ramped up its targeting of cloud providers recently, and its heavy targeting of authentication and identity systems “makes it super hard for defenders to actually do incident response, because if the actor’s using legitimate credentials of a real employee inside the network, it’s so difficult to figure out if the action that you’re looking at was done by a legitimate user within the network or by the adversary,” said Alperovitch.
Another hugely concerning activity of Russian state actors has been their growing targeting of critical infrastructure, notably including that of the transportation industry by the Temp.Isotope group. Joyce emphasized that these types of threats have a huge impact, “not just to the systems themselves but in instilling fear in people.”
Topping any of these activities though, in terms of the threat posed, is ransomware, according to Alperovitch. “It’s impacting everyone on the planet from your grandmother, who now has to find Bitcoins to unlock her family photos, to smaller organizations, small districts and hospitals, to the largest companies,” he outlined.
Joyce noted that ransomware actors are increasingly using shame as a tool to extort their victims, for example threatening to “dump data that they’ve found – they’ll even call competitors and your customers. They want to make sure they can use shame as a tool and that puts organizations in an impossible situation.”
The experts also highlighted that the size of ransom demands has exploded recently, one example being a recent extortion attempt of $50m.
Another interesting observation made by Alperovitch was that “most of these operations, in terms of the hard-core criminals that are developing the malware and capabilities, are in Russia or Russian speaking and many of them are being hidden or in some cases assisted even by the Russian intelligence services.”
Alperovitch and Joyce concluded the session by outlining some of the cyber-threat trends they expect to see in the coming months and years. Most immediately, they predicted the upcoming Olympic Games in Japan will be heavily targeted, as Joyce noted it provides an opportunity “to send a message and do it at scale.”
A more general trend highlighted was that threat actors, particularly the nation-states discussed, are becoming increasingly reckless and shameless, unafraid of the consequences of their actions.
As a result, Alperovitch believes “the threat environment is the worst it’s ever been,” largely because “from a geopolitical perspective, the four primary adversaries we face – Russia, China, Iran and North Korea – our relationship with them from a Western standpoint is the worst it’s been for at least 60 years.”
He noted they have largely stopped caring about a good relationship with the US and have become increasingly reckless as a result. He added: “I really fear for what’s to come with the growing sophistication of these adversaries and also their willingness to push us further and further because they don’t fear the consequences.”
There are a lot of common activities that security professionals will often associate with enabling a successful security program, but which ones actually work? That's a question that was answered in a keynote session on May 20 at the 2021 RSA Conference.
Wendy Nather, head of advisory CISOs at Cisco, worked together with Wade Baker, partner and co-founder and professor at Cyentia Institute and Virginia Tech, to conduct a survey and the associated Cisco 2021 Security Outcomes Study. Nather explained that the report looked at 25 different common security practices grouped under three top-level categories: Business & Governance, Strategy & Spending, and Architecture & Operations.
"We wanted to find out, does anything matter in security?" Nather said.
What Makes a Successful Security Program
The good news, according to Baker, is that most common security practices do in fact lead to some kind of positive outcome, though some are more successful than others.
"What we do in security matters. There is good evidence here that these standard practices, all of which by the way are pretty general, do actually achieve the outcomes that people tell us that they want to achieve," Baker said.
Nather said that, in particular, there were five common practices that were the most connected to an organization's having a successful outcome:
- Proactive tech refresh
- Well-integrated tech
- Timely incident response
- Prompt disaster recovery
- Accurate threat detection
Nather observed that while the top two common practices are technology related, in that organizations might need to acquire and adopt technology, the other three are more about people and process. She noted that timely incident response, prompt disaster recovery and accurate threat detection are all activities that occur after a security incident occurs.
Baker added that while protection-related activities are still needed, they ranked toward the bottom of the list in terms of being correlated to enabling better outcomes for a security program.
"We do not see this as saying that protection isn't important," Baker said. "We see this as more indicative of the fact that we need to build more diverse programs."
Baker commented that for a long time in security the focus was largely on protection, but now detection, response and recovery are at least equally important. The data from the survey, he noted, is good evidence that things other than protection are critical to security program success.
The Least Correlated Practices for Successful Outcomes
The bottom five practices out of the 25 evaluated according to the study include:
- Identify top cyber risks (spot 21)
- Secure development approach (spot 22)
- Someone owns compliance (spot 23)
- Understand security and business (spot 24)
- Security measures reviewed (spot 25)
Baker emphasized that while the bottom five practices weren't as strongly correlated to having a positive security outcome, they are still important to consider. There is also some nuance across the list in that different issues can impact an organization in a specific industry or of a certain size.
"The things that matter most in security change based on an organization's size, the industry, and the geography that that organization is in," Baker said. "We saw a lot of variation across these things, so just because something is number one overall doesn't mean it's going to be number one for you."
The United States Postal Service (USPS) is reportedly using the facial recognition technology Clearview AI to spy on American citizens.
According to interviews and documents reviewed by Yahoo News, the use of the technology by the USPS Inspection Service is part of a program that tracks citizens' social media activity and shares the information with law enforcement agencies.
Under the Service's Internet Covert Operations Program (iCOP), analysts use Clearview’s collection of images scraped from public websites to "identify unknown targets" and report on them to the authorities.
According to Yahoo News, iCOP accesses Clearview’s facial recognition database of over 3 billion images from arrest photos uploaded to social media “to help identify unknown targets in an investigation or locate additional social media accounts for known individuals.”
Materials reviewed by the news source appear to show the USPS scouring social media using software designed by Zignal Labs. Inspection Service documents show the software being used to run keyword searches on social media event pages to identify potential threats from forthcoming scheduled protests.
To maintain anonymity during these covert operations, the analysts searching social media reportedly use the software Nfusion. This software lets users create and maintain untraceable and anonymous social media accounts.
“This review of publicly available open-source information, including news reports and social media, is one piece of a comprehensive security and threat analysis, and the information obtained is the same information anyone can access as a private citizen,” said the USPS Inspection Service.
“News reports and social media listening activity helps protect the 644,000 men and women who work for the Postal Service by ensuring they are able to avoid potentially volatile situations while working to process and deliver the nation’s mail every day.”
Civil rights groups have raised concerns over the USPS Inspection Service's large-scale surveillance operation.
"If these efforts are directed toward surveilling lawful protesters, the public and Congress need to know why this is happening, under what authority and subject to what kinds of oversight and protections," said Rachel Levinson-Waldman, deputy director of the Liberty & National Security Program of the Brennan Center for Justice.
Supermodel turned cook and TV personality Chrissy Teigen has lost contracts with three major American retailers over previous cyber-bullying.
A decade ago, Teigen bullied non-binary teenage reality TV star Courtney Stodden over their marriage to the then 51-year-old actor Doug Hutchinson.
In an interview with The Daily Beast, Stodden said they received a lot of hateful comments online but Teigen's, which were made via the social media platform Twitter, were among the worst.
Stodden said: “She wouldn’t just publicly tweet about wanting me to take ‘a dirt nap’ but would privately DM me and tell me to kill myself. Things like, ‘I can’t wait for you to die.'”
The model has since apologized for her abuse of Stodden, but saying sorry has not prevented Teigen's cooking career from sliding into hot water.
Page Six reported that department store Bloomingdale's scrapped plans to stock Teigen's "Cravings by Chrissy" range of cookware after news of the online abuse came to light. An unnamed source told Page Six that Bloomingdale's and its parent store Macy’s were planning to sell 31 items of Teigen’s kitchen and dining line but pulled out at the last minute.
The supermodel cook is also feeling the heat around her partnership with retailer Target, with whom she exclusively launched her cookware line in 2018. Target stopped selling it shortly after Teigen’s cyber-bullying hit the news, though TMZ reports that the store’s split with the supermodel was decided mutually in December.
In addition to cyber-bullying Stodden, Teigen has also reportedly levied online insults at the actress Quvenzhané Wallis, who was nominated for the Academy Award for Best Actress at age 9 for her role in Beasts of the Southern Wild.
Following Stodden's exposé, Teigen took to Twitter once again, but this time to apologize for her past actions.
“Not a lot of people are lucky enough to be held accountable for all their past bulls–t in front of the entire world. I’m mortified and sad at who I used to be," wrote Teigen.
“I’m so sorry, Courtney. I hope you can heal now knowing how deeply sorry I am.”
Teigen has not apologized for her alleged cyber-bullying of Wallis, who has not spoken publicly about the alleged abuse.
A Nigerian governor's aide has been suspended after being arrested in the United States in connection with a multi-million-dollar unemployment benefits scam.
Abidemi Rufai, aka Sandy Tang, was arrested on Friday at JFK Airport in New York. The 42-year-old resident of Lekki, Nigeria, has been charged with wire fraud.
Rufai is accused of stealing the identities of more than 100 people in Washington state to file fraudulent claims for $350,000 in unemployment benefits, which were then paid into online payment accounts or wired to bank accounts controlled by "money mules."
Some of the proceeds were then allegedly mailed to the Jamaica, New York, address of Rufai’s relative. Law enforcement found more than $288,000 was deposited into an American bank account under Rufai's control between March and August 2020.
The Seattle Times reports Rufai's arrest as being part of a wider investigation into Washington state's $650m unemployment fraud.
Investigators allege that Rufai avoided fraud detection by Washington state's Employment Security Department by making small variations to his email address when registering for financial assistance.
Kiro7 reports that Rufai gave the impression of being multiple applicants by inserting periods at different positions in his regular Gmail address. Since Gmail ignores periods in the local part of an address, all the messages sent by the Employment Security Department ended up in Rufai's inbox.
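The detection gap described above is one of address canonicalization: a claims system that keys on the raw e-mail string sees one applicant per dot-variant, while Gmail delivers them all to a single inbox. The following Python is an added example (not from the article, Kiro7, or any state agency's system) that collapses such variants before checking for duplicate claimants; it goes slightly beyond the article by also stripping Gmail's "+tag" suffixes and its googlemail.com alias, and every address and claim ID in it is a constructed placeholder.

```python
"""Canonicalize applicant e-mail addresses so that dot-variants of one
Gmail address are recognized as the same identity.

Added example; not from the article or from any agency's claims system.
"""
from collections import defaultdict

# Domains known to ignore dots in the local part. Gmail also treats
# googlemail.com as an alias of gmail.com.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
# Domains that discard a "+tag" suffix in the local part (this goes
# beyond the article, which only mentions periods).
PLUS_TAG_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a canonical form of an address for duplicate detection.

    Rules: lower-case and trim the address; fold googlemail.com to
    gmail.com; for dot-insensitive domains remove dots and any '+tag'
    suffix from the local part. Strings without exactly one '@' are
    returned lower-cased and otherwise unchanged so the caller can
    still key on them.
    """
    addr = address.strip().lower()
    if addr.count("@") != 1:
        return addr
    local, domain = addr.split("@")
    if domain == "googlemail.com":
        domain = "gmail.com"
    if domain in PLUS_TAG_DOMAINS:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def group_claims_by_identity(claims):
    """Group (claim_id, email) pairs by canonical address.

    Returns {canonical_email: [claim_id, ...]}. A group holding more
    than one claim means several apparent applicants share one inbox,
    which is exactly the pattern the raw address comparison missed.
    """
    groups = defaultdict(list)
    for claim_id, email in claims:
        groups[canonical_email(email)].append(claim_id)
    return dict(groups)


def flag_duplicates(claims):
    """Return the canonical addresses that back more than one claim."""
    return sorted(
        canon for canon, ids in group_claims_by_identity(claims).items()
        if len(ids) > 1
    )


# Constructed sample claims; the addresses and IDs are placeholders.
SAMPLE_CLAIMS = [
    ("C-1001", "jane.doe@gmail.com"),
    ("C-1002", "j.a.n.e.d.o.e@gmail.com"),
    ("C-1003", "Jane.Doe+claim3@GoogleMail.com"),
    ("C-1004", "jane.doe@example.org"),  # dots are significant here,
    ("C-1005", "janedoe@example.org"),   # so this is a distinct address
]

if __name__ == "__main__":
    for canon, ids in group_claims_by_identity(SAMPLE_CLAIMS).items():
        marker = "REVIEW" if len(ids) > 1 else "ok"
        print(f"{marker:6} {canon}: {', '.join(ids)}")
```

Run as a script, it prints one line per canonical address and marks the Gmail group for review while leaving the two example.org addresses separate.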
Rufai is further accused of filing fraudulent unemployment claims with Hawaii, Wyoming, Massachusetts, Montana, New York, and Pennsylvania.
In Nigeria, Rufai held the position of senior special assistant (SSA) on special duties to the Ogun State governor, Prince Dapo Abiodun.
Reacting through his chief press secretary, Kunle Somorin, to news of Rufai's arrest, Abiodun said: "We received the very disturbing news of the arrest of one of the governor's political appointees, Mr. Abidemi Rufai, in New York over alleged unemployment benefits and fraud in the United States, this morning.
"While the governor cannot be held responsible for the actions of a full-grown adult, especially outside the jurisdiction of Ogun and Nigeria, he has since suspended the suspect from office to enable him answer the charges leveled against him."
HM Revenue & Customs (HMRC) has spent over a quarter of a million pounds (£262,251) on cybersecurity training for its staff during the past two financial years, according to official figures obtained by the Parliament Street think tank following a Freedom of Information request.
The UK’s tax authority spent £111,795 in the most recent financial year (20–21), which was a reduction on the £150,456 invested in 19–20. This funding covered 80 training enrollments in FY 20–21 and 69 in FY 19–20 for staff working in HMRC’s chief digital and information officer group.
The data also provided a breakdown of the types of courses that staff from this group enrolled in. The most popular course, involving 12 attendees, was to become certified in the Art of Hacking, costing a total of £15,978. The next most popular course was a six-day bootcamp to become a certified information systems security professional, which attracted 11 members of staff.
Two employees trained to become certified in Ethical Hacking, while nine took part in an Introduction to Cybersecurity course.
The data revealed that training to become a certified cloud security professional was the most expensive course used by HMRC in 20–21, with £34,103 spent to train seven staff members from the chief digital and information officer group.
Additionally, all HMRC staff (around 9,500) completed a mandatory phishing attacks course during the two-year period, which was free of charge.
Commenting on the data, Edward Blake, area vice president EMEA, Absolute Software, said: “Organizations which handle large volumes of personal financial information like HMRC are a top target for cyber-criminals, so ensuring staff are fully trained with the latest cyber-skills is essential to prevent a potential data breach.
“With the COVID-19 pandemic forcing many employees to work from home, it’s also critical that organizations like HMRC ensure they have complete visibility into the security standards across all devices such as laptops, to ensure encryption is turned on and cyber protection is in place for each and every employee.
“It’s also important that organizations can track, freeze and wipe lost or stolen devices, in the event of loss or theft, to keep taxpayer data completely safe from outsider threats.”
There have been numerous examples of scams involving the impersonation of HMRC during the COVID-19 pandemic, with cyber-criminals looking to use various government financial support schemes as phishing lures throughout the crisis.
Web application vulnerabilities enabled attackers to breach organizations twice each on average last year, with bot-based raids the biggest challenge, according to Barracuda Networks.
The security vendor polled 750 application security decision makers to compile its latest report: The state of application security in 2021.
It revealed that nearly three-quarters (72%) of firms suffered at least one breach from a web app flaw, a third (32%) were hit twice and 14% were compromised three times.
Such incidents can be extremely damaging for organizations as they could enable attackers to steal sensitive customer information and credentials.
According to the latest Verizon Data Breach Investigations Report (DBIR), attacks on web applications represented 39% of all breaches it analyzed over the past year.
Respondents to the Barracuda Networks study claimed that bad bots were the biggest challenge for defenders (43%) followed by supply chain attacks (39%), vulnerability detection (38%) and securing APIs (37%).
Over two-fifths (44%) of respondents also claimed that malicious bots led to a successful breach involving vulnerability exploitation.
As well as scanning for and exploiting flaws in web applications, bots can be set to work in price scraping, content scraping, account creation and takeover, fraud, denial of service and denial of inventory, according to Imperva.
The vendor claimed that bad bot traffic stood at 26% of all traffic last year, the highest percentage since it started measuring in 2014.
Supply chain attacks have also gained notoriety since the SolarWinds campaign in which sophisticated nation state operatives planted malware in software updates, breaching the defenses of at least nine US government agencies.
Tim Jefferson, Barracuda’s SVP engineering for data, networks and application security, argued that the rapid shift to remote work in 2020 has made web applications an even bigger target for threat actors.
“Organizations are struggling to keep up with the pace of these attacks, particularly newer threats like bot attacks, API attacks, and supply chain attacks, and they need help filling these gaps effectively,” he added.
Threat actors are “winning the race” to find vulnerable assets to exploit, launching scans within minutes of CVE announcements, a leading security vendor has warned.
The 2021 Cortex Xpanse Attack Surface Threat Report from Palo Alto Networks was compiled from scans of 50 million IP addresses associated with 50 global enterprises, carried out January-March 2021.
The report revealed that as soon as new vulnerabilities are announced by vendors, attackers rush to take advantage, utilizing cheap cloud computing power to back their efforts.
“Scans began within 15 minutes after CVE announcements were released between January and March. Attackers worked faster for the Microsoft Exchange Server zero-days, launching scans within five minutes of Microsoft’s March 2 announcement,” the report noted.
“On a typical day, attackers conducted a new scan once every hour, whereas global enterprises can take weeks.”
Remote Desktop Protocol (RDP) servers accounted for the largest number of security issues (32%), although in this case, attackers aren’t scanning for software vulnerabilities but endpoints that can have their credentials brute-forced or cracked. It’s an increasingly popular initial access vector for ransomware attackers.
Also heavily targeted were misconfigured database servers, exposure to high-profile zero-day vulnerabilities from vendors like Microsoft and F5, and insecure remote access through Telnet, Simple Network Management Protocol (SNMP), Virtual Network Computing (VNC), and other protocols.
However, it was cloud systems that comprised the largest number of critical security issues (79%), according to the report.
Travis Biehn, principal security consultant at Synopsys Software Integrity Group, argued that organizations must minimize their exposure footprint and take zero trust approaches to remote worker security, in order to tilt the balance in their favor.
“The most sophisticated attackers — those who have clear objectives and targets known far in advance — map the corporate network footprint across private data centers and cloud in advance,” he warned.
“They also have automation and infrastructure ready to take advantage of new vulnerabilities before defenses can kick in.”
The boss of a critical East Coast fuel line has admitted he authorized a multimillion-dollar payment to a ransomware group that compromised the organization earlier this month.
Affiliates working with the DarkSide group were blamed by the FBI for the attack, which forced operational systems offline — leading to major fuel shortages across much of America and rising prices for several days.
Colonial Pipeline CEO, Joseph Blount, reportedly admitted that the decision was not taken lightly but was done in the national interest.
“Tens of millions of Americans rely on Colonial: hospitals, emergency medical services, law enforcement agencies, fire departments, airports, truck drivers and the traveling public,” a spokesperson confirmed to The Guardian.
Its report revealed that rapid action from Colonial’s IT team to shut down systems following the incursion, prevented the malware’s spread to operational controls.
However, the payment was apparently made as the firm didn’t know the extent of the damage or the group’s footprint inside its network.
Americans are still being affected by the incident. Although the pipeline was only out of action for five days, restarting on May 12, it warned on Tuesday, “it will take some time for the fuel supply chain to fully catch-up.”
Experts welcomed the company’s openness in talking about the incident.
“No company or CEO should be shamed for this. Instead, we should learn from these incidents to understand how attackers got in, what data was actually returned and what could have been done differently to secure a different outcome,” argued Lewis Jones, threat intelligence analyst at Talion.
“Attackers collaborate on their attacks, and the only way to get ahead of them is to collaborate on our defenses.”
Edgard Capdevielle, CEO of Nozomi Networks, added that ransomware breaches are rapidly becoming a case of “when, not if” for organizations.
“Companies need to get into a post-breach mentality, pre-breach, and harden systems so that when they are faced with an attack, they know exactly how they will respond and what they stand to lose depending on their response,” he added.
Cryptocurrency, most notably Bitcoin, has become increasingly popular and valuable in recent years and with it have come a number of associated security risks, according to a pair of security experts speaking at the 2021 RSA Conference on May 19.
Kenneth Geers, external communications analyst at Very Good Security, used the first part of the presentation to explain the history of money and why the US dollar has emerged as the world's dominant reserve currency.
"Good money is scarce, authentic, durable, portable and stable," Geers said. "If digital currency is to survive, thrive and reach its potential, it should have the exact same traits."
Risks from Mining Cryptocurrency
Cryptocurrencies like Bitcoin are generated by a process known as mining.
Kathy Wang, CISO at Very Good Security, explained that essentially what miners are doing is trying to be the first to come up with a solution to a puzzle. That puzzle is a cryptographic hashing algorithm that a computer system, the miner, is trying to solve. Cryptocurrency mining today requires vast amounts of computing power, which has led to different types of cybersecurity risks.
One risk comes from miners that attempt to abuse free resources on the internet provided by cloud and application service providers. Wang explained that what the miners might do is create many free accounts on these cloud infrastructures and get a good deal of computing power, at the expense of the service provider. She noted that such activity is considered to be against the terms of service, but the activity still needs to actually be identified so it can be stopped.
"Blocking crypto-mining activity, just like any detection work, is very much an arms race," Wang said.
She noted that detecting indicators of crypto-mining activity can include conducting analysis of DNS traffic or monitoring for specific streams or patterns in network packets. As defenders are trying to identify the crypto-mining activity, she warned, the miners are also reacting to that activity and are working hard to avoid being detected.
Another risk Wang spoke about is cryptojacking.
"Miners are very resourceful, they're very financially motivated, and some of them are attacking and compromising internet-facing computers to gain control of large numbers of resources to conduct mining activities," Wang said.
Among the ways that cryptojacking is executed is with malware, such as WannaMine, which users are somehow tricked into installing by malicious sites.
Cryptocurrency Wallets Under Attack
Wang emphasized that the security pillars of confidentiality, integrity and availability all apply to cryptocurrency as well.
One of the key points of attack in the cryptocurrency world is what are known as cryptocurrency wallets. These are typically software-based vaults or "wallets" where users store the private cryptographic keys for the cryptocurrency they hold.
"If you get access to a cryptocurrency wallet, you effectively own the currency," Wang said.
Attackers have been going after cryptocurrency wallets in different ways. One approach cited by Wang is with the ElectroRAT malware that is able to take over vulnerable wallets. Wang explained that the malware is placed on cryptocurrency forums in ads and in posts that entice users to click and download a particular app to help them get more Bitcoin. Ironically, once they install the app, the only one who gets more Bitcoin is the attacker.
"It was able to evade signature-based malware-detection capabilities for quite some time because it was written from scratch," Wang said.
Zero Trust for Crypto
One of the ways that users can protect themselves from the risk of an account takeover is by using a zero trust approach.
With zero trust, access is very restricted to only provide the bare minimum permissions. For example, Wang said that access to a cryptocurrency wallet could be restricted to only a specific user utilizing a specific device. Additionally, implementing multi-factor authentication schemes can help to further secure access.
While cryptocurrency's popularity is growing, Geers said in the near term it's unlikely that Bitcoin will challenge the US dollar. The future, however, is less certain.
"The security risks have to be better understood and addressed, and the speed in the payment system needs to be faster," Geers said. "So it will take time, but over the long term there will be plenty of interest in cryptocurrency."
The pandemic has forever changed people's relationship with technology, and with it their expectations of user privacy, according to a pair of privacy experts speaking at the 2021 RSA Conference on May 19.
Julie Brill, chief privacy officer at Microsoft, noted that during the pandemic increasing numbers of people came to realize that they can work from home, learn from home, and socialize and still be deeply productive. With that increased reliance on technology has come growing awareness and concern about the privacy implications of different technologies and online services.
"People are saying more and more that they're concerned about how their data is being used and that they want more privacy," Brill said. "They want companies to do more, and they want governments to do more, to ensure that their data is well protected."
While access to online services has been a way of life during the pandemic, Brill emphasized that the pandemic should not be the reason why people are being asked to give up their privacy. In her view, it should be the case that companies that are providing online tools to schools, community groups and other end users need to be thinking about ensuring they are providing trusted technology.
In the absence of a comprehensive privacy law, which is still the state of affairs in the US, Brill said that it's critical that groups and individuals can trust the technologies they are using to go about daily life.
Defining Privacy Harm
A key challenge with privacy is precisely determining how it is violated in the eyes of the law, in terms of harm that can occur that is quantifiable, according to Danielle Citron, Jefferson Scholars Foundation Schenck Distinguished Professor in Law at the University of Virginia.
Citron observed that existing privacy laws in the US are not well suited to the problems of the 21st century. She noted that privacy laws that exist were made in an era when there was mass media publishing stories about people and advertisers using someone's face without permission.
"Now so many of our 21st-century problems are about the collection, the use and the sale of information," Citron said. "Tort law and civil claims haven't quite caught up, and courts really insist upon really tangible harms that are financial and physical."
The Promise of Privacy Laws
In Brill's view, emerging standards and privacy laws such as the European Union's GDPR are positive steps.
While there isn't yet a national data privacy rule in the US, there are currently multiple rules in different states, including California and Virginia, with more to come in the months ahead. Brill said that she sees a lot of hopes and aspirations for privacy laws for a few reasons.
Brill commented that privacy laws are about choosing when the individual wants to engage and having the ability to choose how their personal data is used. In her strong view, privacy is a fundamental right and foundational to other basic human rights.
"People's relationship to who they are and how they want to be portrayed has often been framed in the context of control, empowerment and engagement," Brill said. "And when you really think about it, that's what privacy laws are about."
New details into the notorious SolarWinds nation-state attack and its fallout were provided by Sudhakar Ramakrishna, CEO of SolarWinds, during a keynote session on Day 3 of the virtual RSA Conference 2021, which was hosted by Laura Koetzle, VP and group director at Forrester.
This included the revelation that the attackers may have accessed the system as early as January 2019, and an expression of remorse for comments made during his congressional appearance about the attack in February 2021.
Starting the session, Ramakrishna explained that he was first informed of the attacks while sitting down to his birthday dinner on December 12, 2020, after receiving a phone call from the company’s legal officer. Ramakrishna was at the time still waiting to take up the position of CEO at SolarWinds on January 4, 2021.
Koetzle asked Ramakrishna whether he ever considered backing out of taking the role as more details about the scale of the incident emerged in the following days. While a number of friends had advised him to do so, Ramakrishna said that “he decided to persevere with this opportunity” after speaking to the SolarWinds chairman, Bill Bock. He was given continuity and support from the previous CEO, Kevin Thompson, as he began the role in January, which helped him enact a fast response to the event.
With SolarWinds believing as many as 18,000 of its customers had been affected by the breach, as that was the number that had downloaded the malicious update, Ramakrishna explained that in the immediate aftermath, the SolarWinds security team looked to contact everyone possible to try to address their concerns and questions.
He was also asked about how SolarWinds is supporting its customers now. Ramakrishna explained it was a step-by-step approach. “What started out as a reactive measure turned into learning about and addressing issues, and at the foundation of what we’re trying to do is transparency,” he said, adding that the company had worked with its global partners to develop the Orion Assistant Program. This offers extra support to those customers that do not have the resources to upgrade or rebuild, and “in many cases [involved] working side by side with them as they completed their upgrades.”
Ramakrishna noted that his previous experience in dealing with security incidents as CEO at Pulse Secure has helped him deal with the fallout of the SolarWinds attacks. In these prior incidents, the response “was rooted in being transparent, being communicative and updating everybody on progress, even at times when you do not have all the details in place.”
The discussion then moved on to the details that have subsequently been discovered about the attack. When asked exactly how the attackers were able to stay undetected for such a long period of time, Ramakrishna emphasized the sophisticated nature of the perpetrators. “The tradecraft that the attackers used was extremely sophisticated where they did everything possible to hide in plain sight,” he explained, adding that “they were able to cover their tracks at every step of the way. Given the resources of a nation-state, it was very difficult for one company . . . to uncover.”
Interestingly, Ramakrishna said that SolarWinds has since “stumbled across” some old configurations of code, which enabled it to figure out what the attackers did. After assessing “hundreds of terabytes of data and thousands of virtual build systems,” it was discovered “that the attackers may have been in the environment as early as January 2019,” which is much earlier than initially thought. “They were doing very early reconnaissance activities in January 2019, which explains what they were able to do in September/October 2019,” he added.
When reflecting on his, and SolarWinds’, response to the attacks, Ramakrishna expressed regret for comments he made during his testimony to Congress in February 2021, which concerned the exposure of a weak FTP password by an intern at the company back in 2017. He outlined: “I have long held a belief system and an attitude that you never flog failures – you want your employees, including interns, to make mistakes and learn from those mistakes . . . so what happened at the congressional hearing where we attributed it to an intern was not appropriate and is not what we are about.”
Finally, Ramakrishna revealed that another way the company’s response could have been improved was to have coordinated a better media response, stating it was not prepared for being thrust into the limelight in the way it was. “I wish we had more resources, more proactive outreach. We’ve learned from that and we continue to grow our communications team,” he outlined.
A lawsuit filed against an American healthcare provider over a 2020 data breach has been allowed to proceed, but only for one patient.
UHS employs around 90,000 people at the approximately 400 care centers and hospitals it operates in the United Kingdom, Puerto Rico, and the United States.
Sensitive data belonging to UHS was exfiltrated in September last year when the company was targeted by the Ryuk ransomware gang.
All UHS sites in Puerto Rico and the US were affected by the cyber-attack, which caused the company's IT systems to go offline for a month. Some scheduled appointments were postponed as a result.
The Fortune 500 healthcare organization said in March that the attack had cost it an estimated $67m in downtime and related expenses.
The law firm Morgan & Morgan filed a lawsuit in the US District Court, Eastern District of Pennsylvania against UHS on behalf of three patients who accused the healthcare company of negligence, breach of implied contract, breach of fiduciary duty, and breach of confidence.
Claims made by two of the plaintiffs who said that the data breach had made them vulnerable to fraud and identity theft were dismissed by US District Judge Gerald McHugh as too speculative in an opinion filed Monday.
However, McHugh adjudged that Motkowicz had sufficient grievance to proceed. When Motkowicz's surgery was canceled because of the attack, he was forced to take additional time off work. This caused him to lose his health insurance through his employer, with the result that he had to purchase an insurance policy at a higher price.
Referring to the two claimants whose claims he dismissed, McHugh said: "A court is still left to speculate . . . whether the hackers acquired plaintiffs' (private health information) in a form that would allow them to make unauthorized transactions in their names, as well as whether plaintiffs are also intended targets of the hackers’ future criminal acts."
Of Motkowicz, McHugh said: “Plaintiff’s injury is not speculative, as his financial expenditures allegedly occurred in response to the data breach and the corresponding cancellation of his surgery."
The Data-to-Everything Platform providers shared news of their proposed acquisition on Tuesday. The terms of the deal have not been disclosed.
TruSTAR was founded in 2016 by Patrick Coughlin and Paul Kurtz on the mission to make threat detection and response simpler and more efficient. The company has more than 50 clients, including BNP Paribas, LogMeIn and Rackspace.
"They share our passion for the value of data and the power of turning data into doing," said Splunk's senior vice president, cloud and chief product officer, Sendur Sellakumar.
"I’ve been very impressed with the growth not only of their solution but of their business."
Sellakumar went on to identify three core principles that Splunk and TruSTAR share. The first of these was the view that organizations "need a unified, data-centric view across their cloud environments, paired with the right analytics at the right time, for intelligent detection and response."
According to Sellakumar, both companies also hold the notion that the most effective way to accelerate efficiencies in the SOC is "to prioritize data with a focus on automation, improving your MTTD and MTTR outcomes."
The third principle to which TruSTAR and Splunk adhere is that "managing and integrating internal and external sources of intelligence accelerates outcomes across the security operations lifecycle, delivering customers critical and timely value," said Sellakumar.
TruSTAR is known for its Intelligence Platform, through which its customers can operationalize all sources of security intelligence across their teams, tools and partners.
Should the acquisition go ahead as planned, TruSTAR’s capabilities will be added to the Splunk Data-to-Everything Platform, allowing customers to autonomously improve their detection and response workflows with information from third-party threat intelligence sources as well as from their internal historical intelligence.
“We founded TruSTAR to help security teams unlock the signal in their data to accelerate automation and power seamless intelligence sharing while preserving privacy in the cloud,” said TruSTAR CEO Coughlin.
“We're thrilled to join Splunk. Combining TruSTAR with Splunk's leading enterprise data platform will bring security and IT teams to a new level of integration, automation and resilience.”