Feed aggregator

Schools Forced to Shut Following Critical Ransomware Attack

Info Security - Thu, 06/10/2021 - 10:39

Two schools in the south of England have been forced to temporarily close their doors after a ransomware attack that encrypted and stole sensitive data.

The Skinners' Kent Academy and Skinners' Kent Primary School were attacked on June 2, according to a statement on the trust’s website which said it is currently working with third-party security experts, the police and the National Cyber Security Centre (NCSC).

It revealed that on-premises servers were targeted at the Tunbridge Wells-based schools. As student and staff emergency contact details, medical records, timetables and registers were encrypted by the attackers, the decision was taken to close on Monday.

“Data stolen includes: a wealth of teaching resources, school trip information, policies, human resources files and a significant amount of staff data, some student data including medical information and data pertaining to our iPad scheme,” an FAQ statement noted.

“Data encrypted (and therefore not accessible to the school anymore) includes our management information system, which contains the bulk of contact details for parents. Therefore, it is the latter that we have had to ask parents to re-submit to the trust.”

Students and parents have been advised to change any passwords, and parents have been told to inform their bank that account information may have been taken.

“The details of bank accounts may have been accessed through details taken for the iPad scheme for example,” the trust said.

The news comes just days after the NCSC warned of a surge in ransomware attacks on the UK’s education sector. It claimed that phishing, RDP hijacking, and targeting vulnerabilities in VPNs and other systems were the primary attack vectors.

“As a result of the pandemic, schools have shifted to remote and hybrid learning, leading to an increase in the types of devices accessing the school’s cloud-based servers to attend classes and complete schoolwork,” argued Lookout security engineer, Burak Agca.

“A lack of visibility and a high degree of fragmentation in operating system platforms and device types introduces several security gaps and risks which schools have been struggling to deal with.”

Categories: Cyber Risk News

High Street Banks Exposing Customers to Phishing Attacks

Info Security - Thu, 06/10/2021 - 09:14

A consumer rights group is calling on all high street banks to improve their anti-phishing capabilities after spotting that a key protocol is sometimes not configured to offer maximum protection.

Domain-based message authentication, reporting and conformance (DMARC) is a tried-and-tested way to help brands block phishing emails to customers.

It helps to verify that the domain of the sender hasn’t been impersonated, although it must be set to “p=reject” in order to prevent suspicious emails from being sent to customer inboxes.

Consumer group Which? asked tech firm 6point6 to audit some of the biggest names on the high street to check their DMARC policies.

At the time of the study, it found that Bank of Ireland and Lloyds Bank-owned Agricultural Mortgage Corporation had not introduced DMARC at all, although both have since taken action.

It also found that Nationwide, TSB and Virgin Money had not set DMARC to p=reject, although the latter two claimed they were planning to do so.

The Co-operative Bank, First Direct, Starling and Tesco Bank had DMARC in place for their primary domains but not their alternative domains, which phishers could theoretically abuse.

Starling and Tesco Bank have now taken action to close this security loophole, Which? claimed.
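The audit above boils down to three checks on a domain's DMARC record: is one published, is the policy p=reject, and does the reject policy actually cover everything (subdomains and 100% of mail). The following is an added example, not code from Which? or 6point6, and the domain names and TXT records in it are constructed samples rather than any bank's real records; a real audit would fetch the _dmarc.<domain> TXT record over DNS instead of reading the table.

```python
"""Rate the strength of DMARC policies for a set of domains.

Constructed sample records are used instead of DNS lookups so the example runs
offline. Domain names are hypothetical placeholders.
"""
from typing import Dict, Optional, Tuple

# Constructed sample DMARC TXT records keyed by (hypothetical) domain.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "bank-primary.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@bank-primary.example",
    "bank-alt.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank-alt.example",
    "bank-partial.example": "v=DMARC1; p=quarantine; pct=50",
    "bank-nosp.example": "v=DMARC1; p=reject",  # subdomains inherit p= when sp= is absent
    "bank-missing.example": None,  # no _dmarc TXT record published at all
}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs (RFC 7489 syntax)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess(txt: Optional[str]) -> Tuple[str, str]:
    """Return (rating, reason) where rating is 'strong', 'weak', 'missing' or 'invalid'.

    'strong' means p=reject applied to subdomains as well and to 100% of mail;
    anything less still lets spoofed mail reach customer inboxes.
    """
    if txt is None:
        return "missing", "no DMARC record published"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid", "record lacks v=DMARC1 or a p= tag"
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()  # sp= defaults to the p= value
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy != "reject":
        return "weak", f"p={policy}: spoofed mail is not rejected"
    if sub_policy != "reject":
        return "weak", f"sp={sub_policy}: subdomains can still be spoofed"
    if pct < 100:
        return "weak", f"pct={pct}: reject applied to only {pct}% of mail"
    return "strong", "p=reject with full coverage"


def audit(records: Dict[str, Optional[str]]) -> Dict[str, Tuple[str, str]]:
    """Rate every domain in the table; weak and missing entries are the audit findings."""
    return {domain: assess(record) for domain, record in records.items()}


if __name__ == "__main__":
    for domain, (rating, reason) in audit(SAMPLE_RECORDS).items():
        print(f"{domain:24} {rating:8} {reason}")
```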

“It has never been harder for people to know whether they’re receiving genuine communications from their bank, or being tricked — so it is crucial that banks take every measure to protect their customers from these devastating scams,” said Which? Money editor, Jenny Ross.

“These include implementing email scam protections properly and no longer putting phone numbers and links in messages, to ensure customers feel safe and can bank with confidence.”

On the plus side, most UK banks have signed up to a “do not originate” (DNO) number scheme designed to clamp down on number spoofing, which scammers often use in vishing (phone-based phishing) attacks, Which? said.

Last year, a Proofpoint report found that only 13 out of the 64 accredited financial institutions it studied had implemented the strongest DMARC policy.

Categories: Cyber Risk News

JBS Admits Paying REvil Ransomware Group $11 Million

Info Security - Thu, 06/10/2021 - 08:44

A meat processing giant recently hit by ransomware has confirmed it paid its extorters $11 million, reigniting the debate over the ethics of doing so.

A statement published by São Paulo-headquartered JBS, whose US and Australia businesses were hit in the incident last week, claimed that at the time of payment, the “vast majority” of its facilities were operational.

“In consultation with internal IT professionals and third-party cybersecurity experts, the company made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated,” it added.

Usually, the attackers have already exfiltrated sensitive data in such attacks, and payment is made to prevent them from publishing it.

However, there’s no guarantee that the attackers will not try to monetize the data anyway.

Last November, a Coveware report claimed that data exfiltration is now a tactic in over half of ransomware attacks.

It warned that groups such as REvil (Sodinokibi), which was blamed for the JBS attack, sometimes still publish data after payment, and, in some cases, demand a second payment.

It’s unclear whether JBS paid the ransom with the expectation its insurance provider would cover it. The issue is increasingly controversial, with AXA recently stating that it would stop reimbursing clients in France for ransom payments.

“This was a very difficult decision to make for our company and for me personally,” said Andre Nogueira, CEO of JBS USA. “However, we felt this decision had to be made to prevent any potential risk for our customers.”

The firm’s statement goes on to boast a $200 million annual IT budget and state that its ability to bounce back quickly from the attack was due to “its cybersecurity protocols, redundant systems and encrypted backup servers.”

Edgard Capdevielle, CEO of Nozomi Networks, argued that enterprises must now be prepared for the inevitable ransomware attack.

“That's why in addition to strengthening cybersecurity defenses, it’s equally important to invest in business resilience in the face of an attack,” he added.

“This post-breach mindset establishes a strong cybersecurity culture that asks the tough questions, anticipates worst-case scenarios and establishes a recovery and containment strategy aimed at maximizing your organization’s resiliency, long before an attack occurs.”

It’s generally advised that victims do not pay ransomware groups as it simply encourages more of the same malicious activity. However, when critical supply chains are involved, it’s not quite so simple.

“Naive statements like ‘never pay the ransom’ simply ignore the reality of the situation and do not have any chance in actually changing anything,” argued John Bambenek, Threat Intelligence Advisor at Netenrich.

“President Biden’s meeting with Vladimir Putin next week is critical in attempting to change the trajectory of this threat to bring the rogue state responsible for harboring this threat to heel.”

Categories: Cyber Risk News

Probe into Leak of Cuomo Accuser’s Personnel File

Info Security - Wed, 06/09/2021 - 18:36

An investigation has been launched to determine whether New York governor Andrew Cuomo broke the law by allegedly leaking the personnel file of the first of eleven women to accuse him of sexual harassment. 

Cuomo's former aide Lindsey Boylan first accused him of sexual harassment in December on Twitter. In February, Boylan shared details of the alleged harassment, claiming that Cuomo had compared her to one of his former girlfriends, asked her to play strip poker with him, and made unwanted sexual advances toward her, including forcibly kissing her on the lips.

Hours after Boylan’s first accusations were made, her personnel records, which included disciplinary recommendations and bullying allegations, were released to media organizations. Boylan, who worked for Cuomo's team from March 2015 to October 2018, claims the leak was part of a smear campaign orchestrated by Cuomo and his aides to damage her reputation.

It is alleged that Cuomo personally met with advisors to discuss what action to take after Boylan's accusations came to light. 

New York state whistleblowing laws make it illegal to take retaliatory action against alleged victims of sexual harassment. According to a new report by the Washington Post, investigators for New York State Attorney General Letitia James are probing whether Cuomo and his aides committed a crime by allegedly releasing Boylan's records. 

In February 2021, Charlotte Bennett, an executive assistant and health policy advisor to Cuomo, accused him of sexual harassment. In the weeks that followed, allegations of inappropriate sexual comments and conduct by the governor were made by former Obama administration member Anna Ruch, policy and operations aide Ana Liss, former press aide Karen Hinton, reporter Jessica Bakeman, Bloomberg reporter Valerie Bauman, aide Alyssa McGrath, attorney Sherry Vill, an anonymous member of the governor's Executive Chamber staff, and an unnamed aide.

Some of the alleged victims accuse Cuomo's chief aide Melissa DeRosa of making "intimidating" phone calls after Boylan's allegations first came to light. DeRosa is further accused of being involved in the drafting of a letter sent to staffers to sign to try to discredit Boylan. 

Cuomo has repeatedly denied the allegations made against him by nearly a dozen professionals. The governor claims he has "never touched anyone inappropriately" and "never made any inappropriate advances."

Categories: Cyber Risk News

Nebraska Medicine Data Breach Settlement Approved

Info Security - Wed, 06/09/2021 - 17:34

A preliminary settlement has been reached in a lawsuit brought against Nebraska Medicine over a 2020 data security incident. 

Omaha-based Nebraska Medicine suffered a cyber-attack in September 2020. The attack disrupted the healthcare provider's information technology system, leading to the postponement of patient appointments. 

Staff in the system’s hospitals and clinics had to chart by hand, and access to Nebraska Medicine's patient portal and to patients' electronic health records was impacted. 

An investigation into the incident revealed that an unauthorized party used malware to gain access to Nebraska Medicine and University of Nebraska Medical Center’s shared computer network between August 27 and September 20. 

In February, Nebraska Medicine and UNMC began notifying patients and employees whose personal information may have been compromised in the attack. 

Nebraska Medicine reported the hacking incident to the Department of Health and Human Services in February 2020 as a HIPAA breach affecting nearly 216,500 individuals in Nebraska and in other states.

Data exposed in the incident included names, addresses, health insurance details, clinical information, Social Security numbers, and driver's license numbers.  

A limited number of patients seen at Faith Regional Health Services in Norfolk, Great Plains Health in North Platte, and Mary Lanning Healthcare in Hastings, and whose information was in the Nebraska Medicine/UNMC network, were also impacted by the data breach. 

A class-action lawsuit was filed against Nebraska Medicine in February, citing the exfiltration of sensitive personal data and medical records of tens of thousands of individuals.

A judge for the US District Court of Nebraska has approved a proposed suit settlement that would make all class members who submit a valid claim by a currently unspecified deadline eligible for a reimbursement of up to $300 cash for time and money spent on dealing with the breach.

Claimants who can show documented proof of "extraordinary monetary losses" that were "more than likely" incurred because of the data breach can claim up to $3,000 for an extra year of credit monitoring.

The preliminary settlement provides benefits to only around 126,000 individuals who were notified of the data breach through the mail, including nearly 13,500 who were informed that their Social Security number and/or driver’s license number may have been compromised in the incident.

Categories: Cyber Risk News

Pennsylvanian Charged over Trump Impersonation Fraud

Info Security - Wed, 06/09/2021 - 16:48

A food delivery driver from Pennsylvania has been charged with impersonating former president Donald Trump to defraud social media users. 

Joshua Hall, of Mechanicsburg, was arrested on Tuesday morning and charged with wire fraud and aggravated identity theft.

Prosecutors allege that the 22-year-old defrauded hundreds of people from across the United States in a year-long fundraising scam that he devised and executed alone. 

Hall is accused of posing as a former president and as members of that president's family to create social media accounts that attracted more than 100,000 followers.

Victims of the scam were led to believe that they were donating money to a genuine political organization. Prosecutors say that the organization was fictitious and that Hall pocketed thousands of dollars in donated funds for his own use.

Hall is accused of using photographs of the former president's family members, including his minor child, to make the fake social media accounts associated with the scam appear authentic.

FBI assistant director-in-charge William F. Sweeney, Jr., said: “Hall led hundreds of people to believe they were donating to an organization that didn’t exist by pretending to be someone he wasn’t, as alleged. As we continue to investigate fraud in all its many forms, we urge the public to remain aware of the prevalence of online scams and exercise due diligence when making donations online.”

The time at which the alleged offense was committed was not specified in a statement published on Tuesday by the US Attorney’s Office for the Southern District of New York, nor were Trump or his family referred to by name. 

However, NBC New York cited an FBI source who said that the Trump family had been exploited in the scam.

In December 2020, Twitter shut down an account allegedly used by Hall to run the scam after the New York Times exposed the account as fake. 

“There was no nefarious intention behind it,” Hall told the Times after the account was closed. “I was just trying to rally up MAGA supporters and have fun.”

If convicted of both charges, Hall could be sentenced to a prison term of up to 22 years.

Categories: Cyber Risk News

Single Fastly Customer Sparked Global Internet Meltdown

Info Security - Wed, 06/09/2021 - 15:00

Yesterday’s wide-scale internet outage was triggered when a single Fastly customer changed their settings, it has emerged.

The problem took place on Tuesday June 8, when Fastly, a cloud computing services company, experienced a bug on its content delivery network (CDN). This led to several major websites, including Amazon, Reddit, The Guardian and New York Times being forced offline for 30-40 minutes from around 11am. Additionally, specific sections of other services were affected by the failure.

The problem was resolved relatively quickly, with Fastly revealing in a tweet that it had disabled a “service configuration that triggered disruptions across our POPs globally.”

In a post on its website earlier today, Nick Rockwell, senior vice president of engineering and infrastructure at Fastly, revealed that the problem occurred when one of its customers changed their settings. This exposed a bug in a software update that was issued by the company on May 12 “that could be triggered by a specific customer configuration under specific circumstances.”

It has since created a permanent fix for the bug, which was deployed at 17:25 UTC on June 8.

Rockwell acknowledged that Fastly should have anticipated the outage and said the company is currently “conducting a complete post mortem of the processes and practices we followed during this incident.”

Apologizing for the impact caused, he added: “This outage was broad and severe, and we’re truly sorry for the impact to our customers and everyone who relies on them.”

The update has raised concerns about the resilience of the internet and in particular, the reliance on a handful of companies to run its vast infrastructure. Tim Mackey, principal security strategist at the Synopsys CyRC, commented: "All software has bugs, and it’s not always realistic to test all deployment configurations prior to deploying a new software version. Due to the scalability present in most cloud solutions, businesses have grown accustomed to the resiliency of cloud platforms. So when a bug meets up with an untested deployment configuration in a cloud solution, you can end up with precisely the scenario that Fastly customers found themselves with – a major outage."

However, Mackey did praise the cloud service provider’s response to the incident so far. “To their credit, the Fastly team quickly identified the issue and created a patch, but not before a number of high-profile web properties were impacted,” he outlined. “The Fastly team indicate that they will be performing a review of their release practices to determine how the bug was able to escape remediation prior to the outage. Such reviews are common within teams following the blameless review cyber-incident process used by DevOps teams. Should that review identify a weakness in development practices commonly found within DevOps teams, I would hope the Fastly team take this opportunity to highlight how other large scale organizations might improve their operations by learning from the Fastly experience.”

Categories: Cyber Risk News

#Infosec21: NCSC Outlines Biggest Cyber Threats During COVID19

Info Security - Wed, 06/09/2021 - 13:05

The main cyber-threat trends during COVID-19 and how they will affect the UK going forward were discussed by Eleanor Fairford, head of incident management at the National Cyber Security Centre (NCSC), during the keynote session on day two of the Infosecurity Europe virtual conference.

Fairford began by describing the new opportunities that the COVID-19 pandemic has presented to cyber-criminals and nation-state actors. Cyber-criminals have been able to “make the most of people’s vulnerabilities during this period and the increased threat surface that was presented by everyone working from home.” And for hostile nation-states, the pandemic provided more chances to steal highly sensitive information from other governments to gain an advantage over them, such as vaccine development.

She outlined the three areas NCSC regard as the biggest cyber-attack trends of 2020: cyber and fraud during COVID-19, the SolarWinds supply chain attacks and the proliferating ransomware threat.

Cyber and Fraud During COVID-19

In terms of cyber and fraud, Fairford revealed that during 2020, the NCSC observed more online scams “than in the previous three years combined.” Unsurprisingly, many were related to the COVID-19 pandemic: prominent examples include fake celebrity endorsement scams, vaccine adverts and fake online shops purporting to sell medical equipment or even COVID-19 ‘cures’. She added: “These are the sorts of techniques that really preyed on people’s vulnerability.” This is because of the enormous toll the pandemic has had on areas like health and the economy, making people far more anxious than they would typically be, and therefore more liable to be tricked.

Fairford also highlighted new measures the NCSC has taken to mitigate these scams and protect individuals and businesses. These include updating its active cyber-defense tools and measures, “which are being rolled out as widely as possible to provide a baseline level of protection.”

According to Fairford, the NCSC has emphasized protecting the NHS, the vaccine supply chain, and research institutions in this period. This includes monitoring for attempts to harvest NHS credentials in order to spoof this institution via phishing. In total, the NCSC observed 122 phishing campaigns in 2020 that used NHS branding, making them appear genuine. This compared to just 36 in 2019.

Fairford outlined another key initiative introduced by the NCSC last year to tackle the threat of online scams. This is the Suspicious Email Reporting Service, “which enables members of the public to send into the NCSC emails they had received which looked like phishing emails.” This has proven highly successful so far, with over six million reports received as of May 31, 2021, leading to the removal of more than 45,000 scams and 90,000 URLs.

Encouragingly, Fairford said the NCSC took down nearly 30,000 COVID-19-themed attack groups last year alone.

SolarWinds Attack

She then moved onto the SolarWinds attacks that took place at the end of 2020, which she described as “the key cyber-espionage act of the last decade.” This incident, believed to have been perpetrated by Russian state-backed actors, was particularly “unique and noteworthy,” according to Fairford. This was primarily due to the method used by the threat actors to compromise SolarWinds and subsequently enable them to access the systems of up to 180,000 of its customers.

This was achieved by interfering with SolarWinds software updates, meaning that “as you routinely updated your SolarWinds package, you would install a tampered update, and that provided a backdoor into your network.” She, therefore, noted that all customers that follow guidance on patching and installing updates “were more likely to be a victim of this particular attack.”

Part of the novelty of this method was that services remained unaffected, allowing attackers to go through affected organizations’ systems unnoticed for a very long time. In its subsequent analysis of the incident, she added that the NCSC observed “high levels of operational security techniques” being employed by the attackers, including wiping all traces of their activity.

Fairford believes the attack may well have remained undetected had it not been for FireEye’s initial discovery in December 2020.

The Surge of Ransomware

Unlike SolarWinds, in which the perpetrators operated behind the scenes and caused no disruption to any services, ransomware attacks have been shown to have a huge impact on individuals and organizations, especially in the past year or so. Fairford commented: “It directly interrupts people’s access to workplaces, learning and key services so this really does create an impact on people’s lives.”

She outlined two major incidents on local authorities in the UK last year – Redcar & Cleveland and Hackney councils. Both led to severe consequences: in the Redcar case, online public services were unavailable to 135,000 local residents for over a week and total recovery costs exceeded £10m, while in the Hackney council case, sensitive personal data of staff and residents ended up being published on the dark web.

There has also been particularly heavy targeting of hospitals and other healthcare institutions since the start of COVID-19, including the recent attack on Ireland’s healthcare service. Fairford also cited a ransomware attack on a hospital in Germany last year, which potentially contributed to the death of a critically ill patient who had to be redirected to another hospital.

Finally, Fairford discussed the recent ransomware attack on the Colonial Pipeline company, which led to the US’ largest fuel pipeline being taken offline. This demonstrated the substantial threat that ransomware poses to countries’ critical national infrastructure. A ransom of $4.4m was paid to the attackers, but pleasingly, the majority of the money has reportedly been seized by the US Department of Justice.

Fairford also highlighted how ransomware groups are becoming increasingly professionalized in their approaches, with many even “behaving like a sophisticated business-type operation.” In one example she gave, a group even has its own list of FAQs, detailing how victims should behave in the event of an incident.

Fairford concluded by outlining how these trends are expected to impact the UK cyberspace over the coming year. Firstly, she believes “the health sector will continue to be a priority target for nation state operations, particularly as research continues into variants and vaccines,” while disinformation campaigns related to the pandemic are likely to still be heavily utilized by malicious actors. Additionally, it is predicted that ransomware will continue to proliferate, including the growth of the double extortion tactic.

Another area she believes will grow are supply chain attacks, with SolarWinds demonstrating just how effective these can be to compromise a large number of organizations globally. Finally, Fairford said she expects to see extensive targeting of “UK companies that are really at the forefront of things like emerging technologies.”

Categories: Cyber Risk News

A Third of Execs Plan to Spy on Staff to Guard Trade Secrets

Info Security - Wed, 06/09/2021 - 10:28

Most senior executives believe more money is needed to protect trade secrets from malicious third parties and insider threats, and many are prepared to spy on staff to do so, according to a new study from global law firm CMS.

The firm commissioned The Economist Intelligence Unit to interview over 300 senior corporate executives from various sectors in China, France, Germany, Singapore, the UK and the US.  

Three-quarters (75%) agreed that greater investment was needed to guard trade secrets, with cybersecurity (49%) and employee leaks (48%) viewed as the most serious threats.

Most pointed to lost business and competitive advantage as the main risk of not doing so.

Security controls (53%) were seen as the most important step, followed by confidentiality agreements and policies (46%) and restricted access (42%). Less than a third (31%) thought that creating a culture that incentivizes trade secret protection would be effective.

When it came to mitigating the insider threat, around a third of respondents are planning various measures over the next two years, including changes to company culture, avoiding cloud storage, new offboarding measures and encouraging the reporting of leaks.

Controversially, a similar number (33%) said they were planning surveillance of employees’ digital activity. Those in China, Singapore and the US were most likely to snoop on staff, with European respondents more reluctant, due to GDPR safeguards.

Hannah Netherton, employment partner at CMS, argued that employee leaks are driving a need for new strategies to guard key assets.

“Companies must find the right balance between perfecting their cybersecurity protections and creating a healthy company culture that incentivizes trade secret protection and encourages speaking up through appropriate channels — even the most rigorous of protocols won’t prevent every employee leak or a disgruntled whistleblower,” she added.

“The pandemic has opened doors to a digital workspace, where it’s easier for employees to accidentally or purposefully access and expose confidential information. It is impossible to protect trade secrets if employees are not aware of the sensitivities around these assets, so putting the right values and measures in place has never been more important to an organization’s success.”

Categories: Cyber Risk News

Microsoft Fixes Seven Zero-Days This Patch Tuesday

Info Security - Wed, 06/09/2021 - 09:58

Microsoft announced patches for a half-century of CVEs this month, including seven zero-day vulnerabilities, six of which are being actively exploited in the wild.

The six vulnerabilities in question start with CVE-2021-31955, an information disclosure bug in the Windows kernel, and remote code execution flaw CVE-2021-33742.

The rest are elevation of privilege bugs in Windows NTFS (CVE-2021-31956), the Microsoft Enhanced Cryptographic Provider (CVE-2021-31199 and CVE-2021-31201) and the Microsoft DWM Core Library (CVE-2021-33739).

In addition, CVE-2021-31968 is a denial of service vulnerability in Windows Remote Desktop Services, which has been publicly disclosed but not yet seen in attacks.

Chris Goettl, Ivanti senior director of product management and security, said that CVE-2021-31199 and CVE-2021-28550 are related to a previously exploited Adobe flaw, CVE-2021-28550, released in the Adobe Security Bulletin ID APSB21-29.

“Customers running affected versions of Microsoft Windows should install the June security updates to be fully protected from these three vulnerabilities,” he added. “This vulnerability affects Windows 7, Server 2008 and later Windows OS versions and is rated as ‘important’ with a CVSSv3 base score of 5.2, which could be missed in some organizations’ prioritization.”

In fact, many of the zero-days published on Tuesday don’t at first glance appear to be particularly risky for organizations due to their low CVSS scores.

“This brings a very important prioritization challenge to the forefront this month. Vendor severity ratings and scoring systems like CVSS may not reflect the real-world risk in many cases,” warned Goettl.

“Adopting a risk-based vulnerability management approach and using additional risk indicators and telemetry on real-world attack trends is vital to stay ahead of threats like modern ransomware.”

Elsewhere this month, Recorded Future senior solution architect, Allan Liska, urged sysadmins to focus on CVE-2021-31963, a critical remote code execution vulnerability in Microsoft SharePoint Server.

Although not previously disclosed or exploited in the wild, similar bugs have been used to deliver payloads, including ransomware in the past, he warned.

Categories: Cyber Risk News

Police Access Encrypted Devices in Major Global Crime Bust

Info Security - Wed, 06/09/2021 - 08:29

Global law enforcers are celebrating today after a three-year operation across 16 countries led to the arrest of 800 and the seizure of over 30 tons of narcotics.

Europol described operation Greenlight/Trojan Shield as “one of the largest and most sophisticated law enforcement operations to date.”

According to The Economist, it was made possible after the developer of an encrypted device service known as Anom turned informant back in 2018.

This allowed the FBI and the Australian Federal Police to effectively take over the distribution of Anom-equipped hardened devices to the criminal underworld. One narcotics kingpin, Hakan Ayik, is reported to have unwittingly recommended Anom to others.

Anom eventually grew to support 12,000 devices and over 300 criminal syndicates in more than 100 countries, Europol claimed.

Thanks to their access to messages, global police recently searched 700 homes, made over 800 arrests and seized more than eight tons of cocaine, 22 tons of cannabis and cannabis resin, two tons of synthetic drugs, six tons of synthetic drugs precursors, 250 firearms, 55 luxury vehicles and over $48 million in fiat and cryptocurrencies.

Further “spin-off” operations will be launched over the coming weeks using evidence gathered from the 27 million Anom messages intercepted by the police, Europol added.

The willingness of criminals to sign up for the service stemmed from previous disruption efforts, which led to the dismantling of the EncroChat platform in July 2020 and the takedown of Sky ECC in March this year.

“Encrypted criminal communications platforms have traditionally been a tool to evade law enforcement and facilitate transnational organized crime. The FBI and our international partners continue to push the envelope and develop innovative ways to overcome these challenges and bring criminals to justice,” said the FBI’s Criminal Investigative Division assistant director Calvin Shivers.

“We are grateful to Europol for their commitment to fighting transnational organized crime and their partnership with the FBI.”

Categories: Cyber Risk News

MoviePass Operators Settle Data Security Allegations

Info Security - Tue, 06/08/2021 - 17:57

The operators of subscription service MoviePass have agreed to settle Federal Trade Commission allegations of fraud and data security failures.

It is alleged that MoviePass used an elaborate three-pronged approach to prevent and discourage subscribers from using its $9.95 "one movie a day" monthly subscription service as advertised.

First, according to the FTC complaint, the company blocked as many as 75,000 subscribers from accessing content by purposefully invalidating their passwords.

The FTC said: "MoviePass’s operators invalidated subscriber passwords while falsely claiming to have detected 'suspicious activity or potential fraud' on the accounts. MoviePass's operators did this even though some of its own executives raised questions about the scheme."

Their next alleged tactic was to create a time-sensitive ticket verification program that discouraged thousands of subscribers from using the service.

"This program required subscribers to take and submit pictures of their physical movie ticket stubs for approval through the MoviePass app within a certain timeframe," said the FTC.

"Subscribers who failed to submit their tickets could not view future movies and could have their subscriptions canceled if they failed to verify their tickets more than once."

Finally, MoviePass’s operators allegedly set “trip wires” to block set groups of subscribers from using the service after they collectively hit certain thresholds based on their monthly cost to the company. The FTC alleges that this tactic was used against subscribers who typically watched three or more movies per month.

The operators of the now-defunct app were further accused of storing the personal information they collected from subscribers in plain text and allowing unrestricted access to customers' names, email addresses, birth dates, credit card numbers, and geolocation information.

In August 2019, MoviePass confirmed that it suffered a data breach that may have exposed customer credit card numbers.

MoviePass Inc., which was founded in 2011 and headquartered in New York City, shuttered its mobile ticketing service in 2019. In January 2020, its parent company, Helios and Matheson Analytics, Inc., filed for bankruptcy.

Under the proposed settlement, MoviePass, Helios, former MoviePass CEO Mitchell Lowe, and former Helios CEO Theodore Farnsworth will be barred from misrepresenting their business and data security practices.

The order also states that any businesses controlled by MoviePass, Helios, or Lowe must implement comprehensive information security programs.

Categories: Cyber Risk News

Cyber-attack on NYC Law Department

Info Security - Tue, 06/08/2021 - 17:35

An intrusion into the IT system of the New York City Law Department is being co-investigated by the New York Police Department and the FBI’s Cyber Task Force.

The hack was first reported by The Daily News, which learned that sensitive information belonging to more than a thousand department employees may have been exposed in the security incident.

After discovering the intrusion, the city restricted access to the system, preventing government lawyers from accessing documents.

On June 7, the city government confirmed that it was examining “unauthorized access within the NYC Law Department’s IT environment.”

In a statement released Monday, Laura Feyer, a spokesperson for Mayor Bill de Blasio, told The Daily News that “the City’s Cyber Command” had “promptly launched an investigation into the matter.”

Feyer added: “As the investigation remains ongoing, the City has taken additional steps to maintain security, including limiting access to the Law Department’s network at this time.”

The New York City Law Department is staffed by approximately 1,000 lawyers and 890 support professionals.

Mayor de Blasio said last night that investigators were yet to find any evidence that data belonging to the Law Department had been “compromised” in the attack.

“We’re still tracking down exactly who was behind it,” he told NY1. “So far, we believe the defenses have held.”

News of the intrusion came to light on Monday morning when The Daily News discovered that a city lawyer had cited technical problems when filing a request to extend by one week a case due to be heard in Manhattan federal court.

“The Law Department has been experiencing a connectivity issue since yesterday, and, as a result, no one is currently able to log on to the Law Department’s computer system,” city attorney Katherine Weall wrote to Judge P. Kevin Castel.

“I am therefore unable to access and file the answer I have drafted in this case, which is due today,” she added.

Nicholas Paolucci, a Law Department spokesperson, said the agency was taking steps “to ensure there was minimal impact to cases.”

The incident comes just days after Metropolitan Transportation Authority officials revealed that at least three of the agency's 18 database systems had been accessed by hackers.

Categories: Cyber Risk News

Illinois County Stricken with Grief

Info Security - Tue, 06/08/2021 - 16:06

A new organized cybercrime group claims to have stolen sensitive data belonging to a county in Illinois.

St. Clair County disabled its website on June 2 out of “an abundance of caution” after suffering a cyber-attack. Ransomware gang Grief has claimed responsibility for the digital assault.

Because of the incident, several county services were rendered unavailable from May 28, including access to court records and payment for ticket fees.

The county jail's network was also impacted, with one woman telling 5 On Your Side that her partner was held past his release date because of the cyber-attack.

"I keep being told that the jail is on lockdown because there has been a system failure since last Saturday, and I want to know what's going on," said the anonymous woman. "Nobody can get released. Nobody can post bond. They can't check out any information."

County Information Technology Director Jeff Sandusky said: “Beginning around May 28, St. Clair County became aware of a cybersecurity incident involving our computer systems.

"We immediately responded to secure our systems and commence an investigation into the nature and scope of the incident."

The county notified appropriate law enforcement authorities of the incident and said it has been "working diligently with industry-leading third-party cybersecurity specialists to investigate the source of this disruption and confirm the impact on our systems."

Sandusky added that the county has dedicated substantial resources to gauging the attack's full scope and will provide relevant updates as the findings emerge.

The county's website, www.co.st-clair.il.us, was restored by June 4, but some services remain unavailable.

Grief is an emerging ransomware group, which claims to have swiped data from at least five entities, including Mobile County, Alabama, and HDHC Home Decor.

Screenshots of the group’s website on the Tor network show the group claims to have purloined 2.5 gigabytes of data from St. Clair. Internal documents and personal and customer information are among the allegedly stolen data.

Grief emerged at around the same time as another new ransomware gang, Prometheus, which claims to have ties to REvil.

Categories: Cyber Risk News

CISA and Bugcrowd to Launch Federal Crowdsourced VDP Platform

Info Security - Tue, 06/08/2021 - 15:38

The Cybersecurity and Infrastructure Security Agency (CISA) has partnered with Bugcrowd to launch the first ever federal civilian enterprise-wide crowdsourced vulnerability disclosure policy (VDP) platform.

The move will allow Federal Civilian Executive Branch (FCEB) agencies to coordinate with the civilian hacker community about vulnerabilities in their critical systems. FCEB agencies will now be able to receive security feedback from Bugcrowd’s community of ethical hackers around the world, helping them quickly identify and monitor vulnerabilities in their critical systems.

The collaboration follows the publication of Binding Operational Directive (BOD) 20-01 in September last year. This directive requires all FCEB agencies to develop and publish a VDP “for purposes of safeguarding federal information and information systems.”

Bugcrowd and CISA will work with Endyna, a government contractor that provides technology-based solutions, to deliver the VDP platform. Endyna will provide a software-as-a-service (SaaS) component of CISA’s VDP platform, and has been awarded a one-year contract with four option years.

In addition to the CISA-funded VDP platform, the initiative will allow FCEB agencies to create their own bug bounty programs through Bugcrowd and Endyna as part of any new digital transformation strategies they undertake.

Ashish Gupta, CEO and president of Bugcrowd, commented: “As seen in the commercial and defense sectors, crowdsourced cybersecurity and vulnerability disclosure programs are a critical safeguard in helping reduce the risk of breach.

“The need for cyber resilience and risk management is unprecedented in today’s digitally connected world and the partnership between CISA and Bugcrowd provides the most powerful crowdsourced cybersecurity platform solution to address the government’s growing need for contextually intelligent security assessments to protect its vast attack surface. We are honored to be the first crowdsourced cybersecurity vendor to work with CISA on an FCEB-wide proactive defense strategy through our VDP solution.”

Ashok Siddhanti, CEO of Endyna, stated: “We are firmly committed to enhancing government defenses and improving security operations across network infrastructures.

“Our fundamental goal is to radically improve the FCEB’s ability to detect and remediate security gaps within these respective agencies’ digital infrastructures, and we look forward to working with Bugcrowd to advance government security.”

Categories: Cyber Risk News

#Infosec21: Cybersecurity to Become a "Matter of Life and Death"

Info Security - Tue, 06/08/2021 - 15:26

The internet is both “the best and worst innovation of our time,” and as reliance on it grows, our ability to secure it could become a matter of life and death. This is according to Mikko Hypponen, researcher at F-Secure, speaking during the keynote session on Day 1 of the Infosecurity Europe virtual conference.

Hypponen first outlined how threat actors have changed significantly since he started working in the industry in 1991. Back then, “viruses and other kinds of malware we were finding were all written by teenage boys,” just for fun. At that point he could never have envisioned today’s scenario, in which the main threat actors are highly sophisticated organized crime groups and governments.

This change has been brought about by the internet revolution, according to Hypponen. He noted that the “first wave” of this, in which all computers went online, is now over, and we are currently in the midst of the second, in which “everything else” becomes connected. This includes smart devices and, even more significantly, devices that don’t even need an internet connection to do their job, such as kitchen radios, which will be connected purely so that manufacturers can obtain diagnostic information.

Hypponen believes that as this process carries on, and more areas become interconnected, the internet will become as essential to society as electricity is today. “When technology is useful enough, we can’t live without it,” he commented. He observed that internet outages are currently an inconvenience but generally not a matter of life and death. However, Hypponen expects they will reach this status within the next 20-30 years. “If your network cuts out it is going to be just as bad as getting your power cut,” he said, adding that in fact one day “when we have an internet outage, it’s going to cut power.”

In this landscape, the challenge for the cybersecurity industry “is to make sure the connectivity stays online regardless of the attacks that might be launched against it.” This is going to be very difficult – Hypponen highlighted how the internet has become a major vehicle for cybercrime and other malicious activities in recent years. Preventing these is to some extent a thankless task for cybersecurity professionals, with no credit given for stopping attacks, while failure to prevent incidents is highly visible.

Hypponen went on to describe the changing threat landscape since the start of the COVID-19 pandemic. Many organizations that have shifted to remote working are now far more vulnerable to being breached, largely because a substantial number of corporate file servers have moved from internal networks to the public internet and are “only protected by usernames and passwords.”

Another trend he observed is that there has been a sharp rise in attacks on healthcare organizations over the past 15 months, including hospitals, clinics and research facilities. Previously, Hypponen didn’t see these types of bodies as prime targets for cyber-criminals, as they were not particularly lucrative compared to other sectors such as finance. This appears to be changing, with institutions like hospitals viewed by many threat actors as more likely to pay ransoms when their systems are encrypted or medical data stolen.

The last year or so has also seen the rise of double extortion ransomware attacks, also known as ransomware 2.0, where in addition to locking systems, malicious actors steal data and threaten to release it if a fee is not paid. This tactic has proved very successful, according to Hypponen, who gave the example of the Maze ransomware gang, which reportedly retired from operating in October 2020 as a result of the financial gain it had made from its attacks. He commented: “This is exactly what we don’t want to happen – we don’t want high tech lowlifes to be successful,” as this encourages more people to go down this pathway.

Another area discussed in Hypponen’s address was supply chain attacks, which he said were particularly favored by nation-state actors “looking for very specific victims” for espionage purposes. Unlike cyber-criminals, these actors will not deviate from their target if it becomes difficult to get into a system, and will instead look for alternative routes, as demonstrated by the recent SolarWinds incident.

The root cause of these kinds of attack vectors “is always either a technical problem or a human problem,” noted Hypponen. While technical problems, such as unpatched servers, can be solved, albeit with difficulty, human error, like falling for phishing scams, is another matter. He stated: “There’s no patch for human brains.”

In Hypponen’s view, the solution is to become less reliant on humans in cybersecurity in general. For example, in the future, he believes machine learning will be used to write code, removing the need for human programmers. “When we have advanced, powerful systems writing all the code around us, there will be fewer bugs, which means there will be fewer vulnerabilities,” he outlined.

On the flip side, one day we could see machine learning being used by malicious actors to write malware. However, Hypponen noted that there is research being undertaken today looking at how this potential threat can be mitigated.

Concluding, Hypponen said that his 30-year career in cyber had demonstrated to him “how hard it is to forecast the future.” He added that we are living in an age of technological revolution and these advances are both the best and worst thing to happen in our lifetime.

Categories: Cyber Risk News

Large Parts of Internet Offline Today Following Cloud Provider Issue

Info Security - Tue, 06/08/2021 - 11:48

Large parts of the internet were temporarily offline today, including Amazon, Reddit and Twitch, it has been reported. Other significant organizations whose websites were affected by the incident included media outlets the Financial Times, The Guardian and New York Times and the UK’s Gov.uk. When users attempted to enter these websites, they were met with messages like “Error 503 Service Unavailable” and “connection failure.”

Experts have traced the issue to a failure in Fastly’s content delivery network (CDN), which underpins many major websites. Fastly is a cloud computing services provider that runs an “edge cloud” designed to speed up loading times for websites, protect them from denial-of-service attacks and help them deal with bursts of traffic.

The Guardian reported that the outage started at around 11 am BST, lasting for approximately 30 minutes.

While the failure brought some websites down entirely, specific sections of other services were also affected. These include the servers on Twitter that host the social network’s emojis.

The affected websites now appear to be back online, and at around 12:10 BST, Fastly tweeted: “We identified a service configuration that triggered disruptions across our POPs globally and have disabled that configuration. Our global network is coming back online.” The company has also provided continuous updates about the issue on its service status pages.

Security experts were quick to express their concerns about the failure in Fastly’s system, as it highlights the reliance many organizations have on CDN infrastructure for the running of their websites and may provide opportunities for cyber-criminals to strike. Michael Barragry, operations lead and security consultant at edgescan, commented: “CDNs have become ubiquitous in today’s web. Although they are primarily used to ensure smooth delivery of resources so that websites can perform optimally, they also often supply additional security features such as WAF-like traffic filtering and DDoS protection.

“The exact nature of this ‘issue’ is unclear, but given how vast the impact appears to be, it looks to have transcended any failover or redundancies that were in place. This outage could also represent a window of opportunity for further attacks – especially against those sites which have an over-dependence upon CDN infrastructure for their security. Additional independent security layers should be used where appropriate to ensure that no single point of failure is present.”

Sergio Loureiro, cloud security director at Outpost24, said: “We have yet to gain insights into what exactly led to this global outage. Based on the Fastly status pages, all their content delivery systems are affected by this issue. This global outage that affects many high-profile companies does highlight the dependency we have on cloud services and their availability. This directly impacts many businesses, including for example Reddit, whose entire business is based around their website.”

Categories: Cyber Risk News

Evil Corp Rebrands Ransomware to Escape Sanctions

Info Security - Tue, 06/08/2021 - 10:58

Threat actors behind a notorious Russian cybercrime group appear to have rebranded their ransomware once again in a bid to escape US sanctions prohibiting victims from paying them.

Experts took to Twitter to point out that a leak site previously run by the Babuk group, which famously attacked Washington DC’s Metropolitan Police Department (MPD), had rebranded to “PayloadBin.” The Babuk group claimed that it was shutting down its affiliate model for encrypting victims and moving to a new model back in April.

A ‘new’ ransomware variant with the same name has also been doing the rounds of late, but according to CTO of Emsisoft, Fabian Wosar, it’s nothing more than a copycat effort by Evil Corp.

“Looks like EvilCorp is trying to pass off as Babuk this time. As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once again as PayloadBin in an attempt to trick victims into violating OFAC regulations,” he said.

If that’s correct, it would appear to be the latest in a long line of rebranding by the group from its original BitPaymer effort in a bid to circumvent US sanctions.

Michael Gillespie, the creator of the ID Ransomware service, explained that aside from WastedLocker, the group has used “Hades” and “Phoenix” as new names for the same malware.

Wosar said it was easy to identify the same underlying code in all of those ‘variants.’

“EvilCorp malware sticks out like a sore thumb simply because of the obfuscator they use,” he tweeted. “But the cryptographic scheme is identical, encrypted file format is identical, MO is identical, configuration format is identical, the list goes on and on.”

The group was placed on the US Treasury’s Office of Foreign Assets Control (OFAC) sanctions list in December 2019 after being accused of using the Dridex banking Trojan to steal over $100 million globally.

That meant corporate victims were effectively prohibited from paying the group a ransom, or risked themselves being accused of breaking sanctions.

Mitch Mellard, a threat intelligence analyst at Talion, argued that rebranding could be widespread in the underground economy.

“I feel that this situation is somewhat of an indictment of ransomware insurance as a whole. We have reached the point where instead of blanket condemnation of paying ransoms across the board, two lists of criminals have been created,” he added.

“The first list is comprised of actors who have achieved such renown that paying them is actually treated as ... paying criminals. The second list is, by nature of its contents, also entirely criminals, but those who it is somehow acceptable to reward monetarily for their illegal activities.”

Categories: Cyber Risk News

French Antitrust Regulator Slaps $268 Million Fine on Google

Info Security - Tue, 06/08/2021 - 09:52

The French antitrust regulator has fined Google €220 million ($268 million) for abusing its dominant position in the online advertising market.

The fine, which Google has not disputed, was levied because the tech giant favored its own Google Ad Manager technologies.

This put competitors — such as publishers News Corp, Le Figaro group and the Rossel La Voix group, who brought the initial complaint — at a disadvantage, according to the Autorité de la concurrence.

The proprietary technologies in question were the DFP ad server — which allows site and app publishers to sell their advertising space — and the SSP AdX sales platform — which enables publishers to sell impressions to advertisers.

Autorité de la concurrence president, Isabelle de Silva, argued that this investigation was the first to look into the algorithmic processes by which online display advertising works.

“The particularly rapid investigation revealed processes by which Google, building on its considerable dominance in ad servers for websites and applications, outperformed its competitors on both ad servers and SSP platforms,” she added.

“These very serious practices penalized competition in the emerging online advertising market, and allowed Google not only to maintain but also to increase its dominant position. This sanction and these commitments will make it possible to re-establish a level playing field for all players, and the ability for publishers to make the most of their advertising space.”

Google France legal director, Maria Gomri, said the firm had “agreed on a set of commitments to make it easier for publishers to make use of data and use our tools with other ad technologies.”

These will be tested and developed over the coming months, with some changes set to be rolled out globally, she added.

Google has been on the receiving end of multiple fines in Europe over recent years, most notably a $1.7 billion antitrust penalty from the European Commission in 2019 — again for abusing its dominant position in the online advertising market.

The tech behemoth was also one of the first to receive a major GDPR fine, when the French regulator CNIL imposed a €50 million penalty for failing to notify users about how their data is used.

Categories: Cyber Risk News

DoJ Seizes Millions in Ransom Paid by Colonial Pipeline to Darkside Hackers

Info Security - Tue, 06/08/2021 - 08:32

The US authorities have scored a rare win in the fight against ransomware after claiming to have seized the majority of the funds paid to Russian ransomware hackers by Colonial Pipeline.

The Department of Justice (DoJ) announced on Monday that it had been able to track and access 63.7 out of the 75 Bitcoins paid by the East Coast fuel transportation company to the DarkSide gang. That amounts to roughly $2.3 million of the $4.4 million reportedly paid to the extorters.

The news is a coup for the newly launched DoJ Ransomware and Digital Extortion Task Force, which coordinated the operation.

Law enforcers were apparently able to review the public Bitcoin ledger and track the transfers to a specific address, for which the FBI had a private key, enabling it to access and seize the funds.

Deputy attorney general, Lisa Monaco, argued that “following the money” is still one of the most powerful tools investigators have in tracking down and disrupting cybercrime.

“Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises,” she added.

“We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks. Today’s announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide.”

Experts welcomed the news.

“It has become clear that we need to use several tools to stem the tide of this serious problem, and even law enforcement agencies need to broaden their approach beyond building cases against criminals who may be beyond the grasp of the law,” argued John Hultquist, VP of analysis at Mandiant Threat Intelligence.

“In addition to the immediate benefits of this approach, a stronger focus on disruption may disincentivize this behavior, which is growing in a vicious cycle.”

Categories: Cyber Risk News