A health system in Georgia has begun notifying patients of a six-month-long data breach that culminated in a ransomware attack.
St. Joseph’s/Candler (SJ/C), one of the largest hospital systems in Savannah, became aware of suspicious network activity on the morning of June 17, 2021. A ransomware attack was confirmed, and steps were taken to limit its impact.
With its computers out of action, the health system used social media to spread word of the security incident, posting: “On the morning of June 17, St. Joseph’s/Candler became aware of suspicious network activity. As a security measure, SJ/C took immediate steps to isolate systems and to limit the potential impact.
“We also promptly initiated an investigation into the scope of the incident, which is ongoing and in its early stages, although SJ/C has confirmed that the incident involved ransomware.”
SJ/C employees had to revert to downtime procedures, such as using pen and paper to complete documentation. While the incident led to EHR downtime, imaging, primary care, surgery, and specialist physician appointments were unaffected.
The health system said at the time of the attack that it would notify anyone whose personal data had been compromised. That notification process began on August 10 after an investigation revealed that sensitive information belonging to both SJ/C patients and employees had been accessed by an unauthorized third party.
In a statement released yesterday, the health system said: "Through SJ/C’s investigation it was determined that the incident resulted in an unauthorized party gaining access to SJ/C’s IT network between the dates of December 18, 2020, and June 17, 2021.
"While in our IT network, the unauthorized party launched a ransomware attack that made files on our systems inaccessible."
Data that may have been viewed by the malicious hacker(s) included patient names in combination with their address, date of birth, Social Security number, driver’s license number, patient account number, billing account number, financial information, health insurance plan member ID, medical record number, dates of service, provider names, and medical and clinical treatment information regarding care received from the health system.
SJ/C is offering impacted individuals complimentary credit monitoring and identity protection services.
Financial Services (FS) companies expect to see an influx of email-borne attacks during 2021 due to increased volumes in email (81%), according to research.
According to a report from cybersecurity firm Mimecast, 62% of FS organizations believe that it’s likely, extremely likely or inevitable that their company will experience negative business impact from attacks originating from emails. The research also found that 60% of its respondents saw increases in phishing with malicious links or attachments over the past year.
Johan Dreyer, cybersecurity expert at Mimecast, comments, “The use of digital and mobile in the financial services industry is only set to increase further, so we are definitely going to witness an increase in the rate and sophistication of cyberattacks on finance firms and their customers.
“As email remains the most common threat vector and its volume and sophistication of attacks is expected to increase, financial firms need to layer multiple security technologies to protect their email systems,” he continues. “This will ensure any active threat can be dealt with as quickly and efficiently as possible. Such multi-layered defences complement and backstop one another—if a given attack sidesteps one defence, there are others in place that can stop the threat.”
Respondents in the report also noted that they had seen an increase in the misuse of their brands via both email and spoofed cloned web domains (42%). Some also saw an influx in their brand’s misuse in cloned websites (42%) and significant increases in emails that “misappropriated their brands” (11%).
This could mean priorities will change for security specialists or chief information security officers (CISOs). The report found that 57% of respondents expected the volume of attacks to be among their biggest email security challenges of 2021, with 64% saying that sophisticated threats are amongst their biggest security challenges when it comes to email.
Ransomware attacks have also stoked fear in FS organizations, with 53% of the companies surveyed saying that an attack had impacted their business within the last 12 months. Because of these attacks, 44% of companies have had to pay a ransom. Downtime has also impacted businesses, with 30% of the companies having between one and four weeks of downtime from ransomware attacks.
“The threat of ransomware in particular and its potential costs all continue to increase,” warns Dreyer. “While most of these attacks are email-borne and layered defences can help, protecting data with rigorous backup and retention policies — that include off-network repositories — are important solutions for mitigating permanent loss of data for financial firms.”
However, according to Mimecast’s report, necessary protections have not been put in place, with only 44% of FS companies providing security awareness training on a monthly basis or at greater frequency. Further, the largest concentration of companies provide only quarterly training.
Of the finance firms surveyed, 47% said they did not have a cyber resilience strategy already in place.
Mimecast’s Dreyer advises what FS companies can do to mitigate these threats: “The biggest potential difference can be made by shoring up cybersecurity’s weakest links: the people. Financial firms need to extend their leading security awareness training practices with more personalized/individualized training and greater frequency. Preserving customer trust and reputation are critical to a financial firm’s business success.”
The consumer rights and comparison firm made this calculation based on an analysis of cybercrime reports in 67 countries globally for which this information was available in either 2018-19 or 2019-20. It estimated that 71.1 million people fall victim to cybercrime each year, equating to nearly 900 victims per 100,000 people. The average victim lost $4476 per crime, according to the analysis.
Using these figures, Comparitech believes more than $129bn has been lost by victims of cybercrime across these 67 countries, amounting to a total of £318bn across the globe.
The countries that experienced the highest losses due to cybercrime were the US ($28bn), Brazil ($26bn), the UK ($17.4bn) and Russia ($15.2bn).
The country with the largest increase in cybercrime was Sri Lanka, where there was a 359% year-on-year rise from 2019 to 2020 (3566 to 16,376 reports). Most (15,895) of these reports related to social media crimes, likely due to the increased use of these platforms during the COVID-19 pandemic. Significant rises in reported cybercrime were also observed in Belarus (176%), Indonesia (140%), Puerto Rico (125%) and Panama (100%).
According to available figures, the country with the highest proportion of cybercrime victims was the UK, with 1095 per 100,000 people submitting reports. This was followed by Denmark (514 per 100,000 people), Spain (463 per 100,000 people), Brazil (415 per 100,000 people) and Austria (404 per 100,000 people).
Comparitech cautioned that there are vast differences in how each police force or government reports cybercrime; for example, some countries only provided financial losses to cybercrime but no precise victim numbers. It added: “With the lack of transparency and reporting around these types of crimes, it is difficult to gauge the true extent of the problem… until we’re able to see the real cost of these crimes on a country-by-country basis, cybercriminals will continue to have the upper hand. Lack of reporting will lead to a loss in victim confidence (and a reluctance to report the crime), gaps in the awareness of these types of crimes, and inadequate legislation and criminal procedures to hold cyber-criminals to account.”
Commenting on the analysis, PJ Norris, principal systems engineer at Tripwire, said, “We have seen a rise in cybercrime and most notably ransomware. Not only have ransomware attacks been growing globally, but the amounts they have been demanding have been getting higher, and there has been more specific targeting of victims.
“Many high-profile organizations have suffered and lost large sums due to ransomware. This rise in attacks might be a direct result of how profitable these attacks can be. After all, cybercrime in general – and ransomware in particular – is motivated by monetary gain.”
Javvad Malik, security awareness advocate at KnowBe4, stated: "These numbers are not surprising, but still are concerning. Cybercrime continues to be big business for criminals and with more services being digitally connected, it makes it even easier to make off with big gains.
"It's easy to create a tech service or to digitise existing services, however, security needs to be built in from the beginning to ensure that there are no vulnerabilities. This also includes educating users of products as to what kind of threats they can expect to face and how to report any suspicious activity. Without educating users to identify and report criminal activity, we won't be able to stem the flow of cybercrime."
The largest hack in recorded history took place yesterday when attackers exploited a vulnerability that could change the “keeper role” of a blockchain contract and make any transaction such as a withdrawal, according to a Medium post by Poly Network.
Poly Network, a platform that looks to connect different blockchains so that they can work together, confirmed that the vulnerability was due to the leakage of a keeper’s private key.
In a tweet thread, SlowMist confirmed that over $610m was stolen:
“1) The cross-chain interoperability protocol @PolyNetwork2 was attacked, and a total of more than 610 million US dollars were transferred to 3 addresses. The impact caused the transfer of large assets of the O3 Swap cross-chain pool.” — SlowMist (@SlowMist_Team), August 10, 2021
The security team has also confirmed that it “has got the attacker’s mailbox, IP and device fingerprints through on-chain and off-chain tracking.”
The details of the attack are as follows, according to SlowMist:
“The core of this attack is that the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute specific cross-chain transactions through the _executeCrossChainTx function,” SlowMist explains. “Since the owner of the EthCrossChainData contract is the EthCrossChainManager contract, [it] can modify the keeper of the contract by calling the putCurEpochConPubKeyBytes function…”
SlowMist goes on to say that the attacker only needs to pass in the carefully constructed data through the verifyHeaderAndExecuteTx function to execute the call to change the keeper role to the address of the specified attackers. “After replacing the address of the keeper role, the attacker can construct a transaction at will and withdraw any amount of funds from the contract.”
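As an added illustration (not Poly Network’s or SlowMist’s code), the Solidity sketch below models the ownership pattern SlowMist describes: a data contract whose keeper setter trusts its owner, and a manager contract that owns it and forwards relayed cross-chain calls. The unsafe manager forwards to any target, so a relayed call addressed to the data contract passes its owner check; the hardened manager refuses any target it holds privileges over. Contract and function names are simplified assumptions, and the keeper-signature check that would precede execution is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified model of the pattern described above. Not Poly
// Network's code; names and shapes are assumptions made for illustration.

// Holds the current keeper public keys. Only its owner may replace them.
contract CrossChainData {
    address public immutable owner;
    bytes public curEpochConPubKeyBytes;

    constructor(address owner_) {
        owner = owner_;
    }

    function putCurEpochConPubKeyBytes(bytes calldata keys) external {
        require(msg.sender == owner, "not owner");
        curEpochConPubKeyBytes = keys;
    }
}

// Shared state for both manager variants. The manager deploys the data
// contract, so it is the data contract's owner: any call the manager
// forwards to `data` satisfies the owner check above.
abstract contract ManagerBase {
    address public immutable admin;
    CrossChainData public immutable data;
    mapping(address => bool) public allowedTarget;

    constructor() {
        admin = msg.sender;
        data = new CrossChainData(address(this));
    }

    // Allow-list maintenance. The manager's own privileged contracts can
    // never be added, so the list cannot be used to reopen the hole.
    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == admin, "not admin");
        require(target != address(data) && target != address(this), "privileged target");
        allowedTarget[target] = allowed;
    }
}

// VULNERABLE shape: whatever target and calldata the relayed transaction
// names are forwarded as-is. A payload addressed to `data` that encodes
// putCurEpochConPubKeyBytes(...) therefore succeeds, because msg.sender
// inside `data` is this manager, i.e. its owner.
contract UnsafeManager is ManagerBase {
    function executeCrossChainTx(address toContract, bytes calldata callData) external {
        (bool ok, ) = toContract.call(callData);
        require(ok, "call failed");
    }
}

// HARDENED shape: the target must be on an explicit allow-list that can
// never contain the data contract or the manager itself, so a relayed
// transaction cannot turn the manager's ownership against the keeper set.
contract HardenedManager is ManagerBase {
    function executeCrossChainTx(address toContract, bytes calldata callData) external {
        require(toContract != address(data), "target is keeper data contract");
        require(toContract != address(this), "self-call forbidden");
        require(allowedTarget[toContract], "target not allowed");
        (bool ok, ) = toContract.call(callData);
        require(ok, "call failed");
    }
}
```

The same check belongs in any bridge or relayer design where a contract that executes third-party messages is also the owner of configuration it must protect.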
The contracts attacked were a Bscscan contract and an Etherscan contract, which are now valued at $0. After the attack on the contract was finished, the keeper was modified, which caused other “normal transactions” to be reverted, says SlowMist.
The transactions published by SlowMist and Poly Network show that the exploiter made three withdrawals from the Bscscan contract: $133,023,777.79, $85,519,813.63, $87,594,029.67, $132,907,573.59, $132,907,574.59 and $133,029,927.08 (USD). On the Etherscan contract, $93,343,903.87 Ether was withdrawn ($182,628,360.16 USD).
Poly Network took to Twitter to confirm the attack had taken place, addressing the hackers directly in a tweet dated August 10, 2021: “We want to establish communication with you and urge you to return the hacked assets.”
In this tweet, the alliance confirmed that the hack is the biggest in decentralized finance (DeFi) history and warned the hackers that law enforcement would consider it a “major economic crime.”
Poly Network has also called on miners of the affected blockchains — BinanceChain, Ethereum and Polygon — to blacklist tokens coming from the published addresses.
Microsoft fixed a total of 44 vulnerabilities during this month's patch Tuesday, seven of which were rated as 'Critical.'
While it was a much lighter Patch Tuesday than the past few months, the tech giant released several high-priority fixes.
These included new patches released to "more completely" address two publicly disclosed Print Spooler vulnerabilities, CVE-2021-34481 and CVE-2021-36936. Chris Goettl, senior director of product management at Ivanti, explained that these fixes should be an especially high priority in light of the public disclosure.
"In this case, right on the tails of multiple known exploited print spooler vulnerabilities, including PrintNightmare (CVE-2021-34527), the risk of these publicly disclosed vulnerabilities being exploited has increased," he said.
"As a threat actor investigates code for vulnerabilities, they will potentially be looking for multiple ways to exploit a weak code area. White Hat researchers were able to uncover and report these additional exploits, so we should expect threat actors to be able to identify these additional vulnerabilities as well."
Microsoft also published details of an elevation of privilege vulnerability, CVE-2021-36934, on July 20th. Adam Bunn, lead software engineer at Rapid7, said administrators should prioritize taking action on this vulnerability, which he warned requires significant workarounds. He explained, "With a public proof-of-concept having been available for some time, administrators should prioritize taking action on CVE-2021-36934. Remediation for this vulnerability requires volume shadow copies for system files to be deleted. This is due to the nature of the vulnerability, as the files with the vulnerable permissions could be restored from a backup and accessed even after the patch is installed. Microsoft indicates they took caution not to delete users' backups, but the trade-off is that customers will need to do the chore themselves."
Bunn believes another high priority for patching teams should be CVE-2021-36942, one of the vulnerabilities exploited in the PetitPotam attack. "After applying this update, there are additional configurations required in order to protect systems from other attack vectors using registry keys," he added.
A resolution was also released for an elevation of Privilege vulnerability (CVE-2021-36948) in Windows Update Medic Service, which Microsoft rated as 'Important.' This affects Windows 10 1809 and Server 2019 and later OS versions and has been publicly disclosed, which Goettl noted puts it "at higher risk of being exploited."
There was a fix for a zero day in Windows 10 1809 and Server 2019 and later OS versions, CVE-2021-36948. This elevation of privilege vulnerability in the Windows Update Medic Service was assigned as 'Important' by Microsoft.
Additionally, there were several updates released by Mozilla for Mozilla Firefox, Firefox ESR and Thunderbird this month. The Firefox updates are rated 'High', resolving 11 CVEs.
Consumer cybersecurity companies NortonLifeLock and Avast have announced an agreement for the Tempe-based cyber safety company to buy the digital security and privacy company. NortonLifeLock’s closing share price was $27.20 as of July 13, 2021 — the last trading day before market speculation began — meaning the merger is valued at between $8.1bn and $8.6bn.
According to a statement released yesterday (August 10 2021), under the terms of the merger, Avast shareholders will be entitled to receive a combination of cash consideration as well as newly issued shares in NortonLifeLock. The boards of both companies have said they believe the merger has a compelling “strategic and financial rationale” and will represent an attractive opportunity to create a “new industry-leading consumer cyber safety business.”
“This transaction is a huge step forward for consumer cyber safety and will ultimately enable us to achieve our vision to protect and empower people to live their digital lives safely,” says Vincent Pilette, chief executive officer of NortonLifeLock. “With this combination, we can strengthen our cyber safety platform and make it available to more than 500 million users.”
Both companies have a legacy within the cybersecurity space. NortonLifeLock, formerly known as Symantec, is known for its consumer cyber safety software, Norton360. Avast is known for its free antivirus software and subscriptions such as Avast Ultimate.
The merger will see Avast’s chief executive officer, Ondřej Vlček, join NortonLifeLock as president and a member of the company’s board of directors. Pilette and chief financial officer, Natalie Derse, will remain in their positions at NortonLifeLock. Pavel Baudiš, co-founder and current director of Avast, is also expected to join NortonLifeLock’s board as an independent director.
The completion of the merger will see the companies be dual headquartered in Prague, Czech Republic and Tempe, Arizona, U.S. The combined company will also be listed on NASDAQ.
Speaking on the merger, Vlček says, “At a time when global cyber threats are growing, yet cyber safety penetration remains very low, together with NortonLifeLock, we will be able to accelerate our shared vision of providing holistic cyber protection for consumers around the globe.
“Our talented teams will have better opportunities to innovate and develop enhanced solutions and services, with improved capabilities from access to superior data insights. Through our well-established brands, greater geographic diversification and access to a larger global user base, the combined businesses will be poised to access the significant growth opportunity that exists worldwide.”
A survey by New Zealand's Ministry of Justice has found that victims of crime in the Land of the Long White Cloud are least likely to report falling prey to cybercrime and sexual assault.
A New Zealander was most likely to contact the police after being impacted by vehicle crime, according to the latest Ministry of Justice New Zealand Crime and Victim Survey. Researchers found that while car crime had an 89% chance of being reported, only around 7% of cybercrimes and sexual assaults were brought to the attention of the police.
Shame, embarrassment, fear of reprisal, and the threat of further humiliation were cited as reasons why victims of cybercrime and sexual assault were unlikely to report the illegal activity to law enforcement.
About 2% of adults experienced sexual assault in the previous 12 months. Victims were proportionately higher among females aged 15-19 (9%) and people with diverse sexualities aged 15-29 (14%).
The survey revealed that while more people are reporting assaults, around three quarters of all crime in New Zealand goes unreported.
The survey was set up in 2018 to collect information from around 8,000 randomly picked New Zealanders every year about their experience of crime. Participants must be aged 15 years or older.
Since the survey began, the rate of reported crime has stayed the same at 25%. However, the rates of assault, robbery, harassment and threatening behavior reported to the police rose from 25% in 2019 to 30% in 2020.
New Zealand police welcomed the increase in reports from victims of crime.
Assistant Commissioner Bruce O'Brien told the New Zealand Herald: "There's essentially more trust than ever that we will solve these incidents in a timely and effective manner."
He added: "If it's not reported to us then our chances of being able to make a difference are significantly reduced. We can only solve crimes that we know about."
The survey revealed a significant decline in the number of burglaries in New Zealand from 18 per 100 households in 2018 to 14 per 100 households in 2020, while the country was under lockdown to slow the spread of Covid-19.
Judicial approval has been given to a multi-million-dollar settlement concerning a data breach that happened at the University of Pittsburgh Medical Center (UPMC) seven years ago.
The agreement will see UPMC pay $2.65m to 66,000 employees whose personal data was pilfered by former Federal Emergency Management Agency (FEMA) IT specialist Justin Sean Johnson.
Detroit resident Johnson (aka TheDearthStar and Dearthy Star on the dark web) hacked into the center's Oracle PeopleSoft database in 2013 and 2014 using the nicknames "TDS" and "DS."
After gaining access to the Center's human resources server databases, Johnson stole sensitive PII and W-2 information belonging to UPMC employees that included names, addresses, Social Security numbers, salaries, and bank information.
Johnson later sold this information via forums on the dark web to cyber-criminals, who used it to file false tax returns. The Department of Justice said that hundreds of false 1040 tax returns were filed in 2014 using UPMC employee PII, with the result that hundreds of thousands of dollars of false tax refunds were claimed.
After converting this money into gift cards for online retailer Amazon, the cyber-criminals who had filed the false returns bought goods and shipped them to Venezuela. The scheme caused the IRS to lose $1.7m.
Following the breach, a class-action lawsuit was filed accusing the University of Pittsburgh Medical Center of negligence. The suit alleged that UPMC had failed "to comply with widespread industry standards relating to data security."
The claim was initially dismissed by the trial court and later by the Superior Court; however, it was then upheld on appeal by the Supreme Court of Pennsylvania. The Court decided in favor of the plaintiffs, stating that an employer has a legal duty to exercise reasonable care in how they store employees’ personally identifiable information.
Earlier this year, UPMC was embroiled in another data breach after a cyber-attack on a third-party vendor exposed the PHI of more than 36,000 patients.
More than half of employees who work remotely are deliberately ignoring or working around security policies put in place by their company, according to new research.
The insider threat was unearthed during a recent survey of IT and cybersecurity professionals across industries conducted by identity platform Axiad when putting together its 2021 Remote Workforce Security Report.
Researchers found that 52% of tech leaders reported that their remote employees had found workarounds to their company’s security policies.
"Employees were most resistant to complying with multi-factor authentication, mobile device management, and password managers, making it difficult for organizations to ensure all their employees are fully and securely authenticated to all their applications and devices," said Axiad founder and co-CEO Bassam Al-Khalidi.
"These gaps in authentication leave the business vulnerable to cyberattacks."
The report notes that phishing threats (71%) and malware (61%) were the most significant new threat vectors impacting remote work environments. More than half of respondents (56%) cited unpatched vulnerabilities as an issue, while 42% were bugged by malicious websites.
While identity theft was a concern for just 37% of respondents, nearly half (49%) were worried about unauthorized users and privileged access.
With the boom in remote working following the Covid-19 pandemic, companies have been taking steps to secure their employees' access to corporate resources. Researchers found that organizations purchased more user licenses for existing applications (47%), more hardware (29%), took on new vendors (26%), and invested in extra cloud applications (19%).
Another key finding was that 79% of security professionals use the same level of security controls and data management for every employee when corporate resources are being accessed remotely.
“We believe the dramatic increase in phishing threats, combined with 52% of remote workers undermining their company’s security practices, creates a perfect storm for tech leaders," said Al-Khalidi.
"It’s concerning that so many employees take shortcuts to get their job done, rather than embrace their personal responsibility to follow the policies of their company."
Al-Khalidi encouraged companies to find a way for their employees to authenticate quickly, securely, and without causing any friction with the IT team.
Researchers have found that the sale and purchase of unauthorized access to compromised enterprise networks are influenced by location and industry.
IntSights, a Rapid7 company, released new research today that highlights the dark world of network access, with findings showing that underground criminals sell access to organizations for up to $10,000.
“Some cyber-criminals specialize in network compromises and sell the access that they have obtained to third parties, rather than exploiting the networks themselves,” explained the researchers. “By the same token, many criminals that exploit compromised networks — particularly ransomware operators — do not compromise those networks themselves but instead buy their access from other attackers.”
The attackers who buy access often lack the skills needed to obtain it themselves, according to the study; conversely, sellers often lack the skills or interest to exploit the access they have obtained, which is why it is sold.
“In September 2020, Russian-speaking username ‘hardknocklife’ auctioned off remote desktop protocol (RDP) access to a U.S. hospital,” added the researchers. “He mentioned as a selling point that this RDP access yielded patient records, in which he reportedly had no interest.
“US patient records from healthcare organizations are a valuable resource for identity thieves and other fraudsters because they contain dates of birth, social security numbers and other personal details that they can use for fraudulent credit applications and other malicious purposes,” they went on to say. “This seller could have mined or monetized that data himself but lacked interest in doing so, perhaps because he could be more productive as an intruder than a fraudster, or because he lacked the fraud or criminal business skills to do so.”
The auction for this access started at the low price of $500, with a “buy now” price of $5000 (USD).
IntSights analyzed a sample of 46 sales of network access on underground forums between September 2019 and May 2021. The sample included 30 offerings from Russian-language forums (65%) and 16 offerings from English-language forums (35%).
The researchers found that the average price for the 40 sales was approximately $9640 (USD), and the median price was $3000 (USD). IntSights researchers view the average price of $9640 (USD) as a better indicator of the higher end of the typical price range.
“When ranked in ascending order, the list of these 40 prices only met or exceeded the average of $9,640 USD in the top quartile, or among the 10 highest prices of these 40,” stated the team. “This higher end of the price range began at $10,000 USD, with three offerings at exactly that price.”
At the lower end of the scale, nine of the ten lowest prices were three-figure sums, while the most expensive offerings had five-figure prices.
“An examination of the higher and lower prices sheds light on the factors that influence pricing,” the research stated. “For example, the single lowest price of $240 was for access to a healthcare organization in Colombia.
“Criminals typically prefer victims in wealthier countries with advanced economies, as they are generally more lucrative. Prices for access to healthcare organizations also trend lower due to the perception that they are easier to compromise.”
The research also shows that even though this tactic predates the COVID-19 pandemic, the “resulting increase in the use of remote access tools and services have given attackers more attack surface to exploit.” This has fueled the marked increase in sales of unauthorized access to networks, with some underground criminal forums dedicating specific sections to this offering.
Consumers have been warned about a new “convincing” smishing scam that impersonates international parcel delivery firm DPD.
The consumer group Which? provided insights into the smishing campaign, in which scammers attempt to trick recipients into giving away personal information, including payment details.
In the scam, consumers receive a text that states: “DPD: We tried to deliver your parcel however no one was available to receive it. To arrange your redelivery, please proceed via: *link.”
The Which? researchers were then taken to a very convincing DPD copycat website requesting the user’s personal details to rearrange delivery and payment of a small ‘redelivery’ fee.
Although the website looked very similar to the official DPD site, Which? noted an error in the date format used: it stated that the ‘parcel’ was in the depot on ‘-1 August’ and ‘0 August’.
Interestingly, the researchers were unable to take a screenshot of the website on the device they were using, raising further suspicion. “Some security measures on the copycat website were blocking us from doing so,” they explained.
Which? reported the scam text and website to DPD, who recommended that users download its ‘Your DPD’ app as a safe alternative to text and email notifications. The firm added: “We continue to stress that only emails sent from one of three DPD email addresses are genuine, these are dpd.co.uk, dpdlocal.co.uk and dpdgroup.co.uk.
“With texts, we advise consumers to double check the links within the notifications to confirm that they are legitimate. These links should only be for www.dpd.co.uk/ or www.dpdlocal.co.uk/. We have worked with Action Fraud and regional police forces in the last couple of years on awareness campaigns and will continue to do so.”
The discovery of this new scam has followed the dramatic shift to online shopping during COVID-19, which has provided fraudsters with more opportunities to target consumers, including by impersonating delivery services.
In May, consumers were warned to be vigilant about a surge in meal kit delivery scams, following rising demand for these DIY recipe kits in the pandemic.
Commenting on Which?’s investigation, Tony Pepper, CEO of Egress, said, “Cyber-criminals will always take advantage of any opportunity to trick people into giving up their valuable personal and financial information. Over the last year, there’s been a significant increase in this type of activity, and we’ve seen scams using the branding of well-known organizations such as DPD and Royal Mail to exploit people into sharing sensitive data. We urge anyone who has received a text message or email requesting their personal data to remain vigilant and always question why a company might need this information, and to double check with DPD directly if you’re unsure. We’d also encourage anyone who has received an email or text message of this nature to report it to the NCSC’s text reporting number at 7726, or to their Suspicious Email Reporting Service.”
Numerous publicly accessible Salesforce Communities are misconfigured and could expose sensitive information, says research published today.
A Salesforce Community site lets customers and partners interface with a Salesforce instance from outside an organization. For example, they can open support tickets, ask questions, manage their subscriptions and more.
According to Varonis, anonymous users can “query objects that contain sensitive information such as customer lists, support cases and employee email addresses.” The research team explains in a blog post that a “malicious actor could exploit this misconfiguration to perform recon for a spear-phishing campaign” at a minimum.
“At worst, they could steal sensitive information about the business, its operations, clients, and partners,” it goes on to say. “In some cases, a sophisticated attacker may be able to move laterally and retrieve information from other services that are integrated with the Salesforce account.”
Salesforce communities run on Salesforce’s Lightning framework — a rapid development framework for mobile and desktop sites. It is a component-oriented framework, using aura components — self-contained objects that a developer can use to create web pages. In the case of Salesforce, aura components can be used to perform actions such as viewing or updating records.
“In misconfigured sites, the attacker can perform recon by looking for information about the organization, like users, objects, and fields that expose names and email addresses and in many cases, they can infiltrate the system or steal information,” explains the Varonis research team. “First, the attacker must find a community site to exploit.”
The researchers go on to explain that “there are common URL ‘fingerprints’ that will indicate a website is powered by Salesforce Communities,” such as “/s/topic,” “/s/article” and “/s/contactsupport.” The attacker can then retrieve information about the site, including the organization’s domain, some of its security settings and the objects available to anonymous users.
According to the research team, Salesforce admins can take the following steps to protect themselves from attackers:
- Ensure guest profile permissions don’t expose things that shouldn’t be exposed such as account records, employee calendars, etc.
- Disable API access for guest profiles.
- Set the default owner for records created by guest users.
- Enable secure guest user access.
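The following SOQL queries are an added example for checking the first two steps above from the admin side; they are not from the Varonis research or from Salesforce's own documentation. They assume the standard ObjectPermissions and FieldPermissions setup objects and that guest profiles in the org carry the "Guest User License" (verify the license name under Setup > Company Information before relying on the filter).

```sql
-- Added example (not the Varonis team's code): list every object the guest
-- user profile(s) can read. Anything that appears here is queryable by an
-- anonymous visitor if the Community exposes it; Account, Contact, Case and
-- User rows are the ones the research warns about.
SELECT Parent.Profile.Name, SobjectType,
       PermissionsRead, PermissionsViewAllRecords, PermissionsEdit
FROM ObjectPermissions
WHERE Parent.IsOwnedByProfile = true
  AND Parent.Profile.UserLicense.Name = 'Guest User License'  -- assumption: license name
  AND PermissionsRead = true

-- Field-level view: which fields on the sensitive objects the guest profile(s)
-- can read. Name and Email fields on Contact and User are what a recon
-- query would harvest for spear-phishing.
SELECT Parent.Profile.Name, SobjectType, Field, PermissionsRead
FROM FieldPermissions
WHERE Parent.IsOwnedByProfile = true
  AND Parent.Profile.UserLicense.Name = 'Guest User License'  -- assumption: license name
  AND SobjectType IN ('Account', 'Contact', 'Case', 'User')
  AND PermissionsRead = true

-- Check that guest profiles do not hold the "API Enabled" system permission
-- (step two of the hardening list). PermissionsApiEnabled is the field
-- backing that checkbox on Profile / PermissionSet.
SELECT Profile.Name, PermissionsApiEnabled
FROM PermissionSet
WHERE IsOwnedByProfile = true
  AND Profile.UserLicense.Name = 'Guest User License'  -- assumption: license name
  AND PermissionsApiEnabled = true
```

Run them from the Developer Console or the REST query endpoint as an admin; each row returned is a permission to review, and an empty third result set means no guest profile has API access.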
This finding shows that security teams need to assess their SaaS exposure continually, says the research team.
The UK’s National Cyber Security Centre (NCSC) has unveiled the first five tech companies that will take part in its new startup program.
The NCSC For Startups initiative, first announced in June, will support innovative cybersecurity firms to develop products that will help protect critical areas of the UK’s economy and society from online harms.
The NCSC is collaborating with innovation company Plexal to run the program. It is the successor to the highly successful NCSC Cyber Accelerator initiative, which helped more than 40 startups raise over £100m in external investment.
The first five successful applicants for the new program focus on a range of areas within cybersecurity, including cyber fraud detection, SaaS and ransomware protection. They are as follows:
These companies will receive continuous onboarding from NCSC experts and Plexal’s cyber innovation team over 12 months. Additionally, they will gain access to wider technical and commercial opportunities with Plexal’s industry partners. The startups will also keep all intellectual property and equity created during the program, which is supported by Deloitte, CyNam, Cheltenham-based coworking space Hub8 and tech skills provider QA.
The onboarding will take place both in the NCSC for Startups HQ in Cheltenham and remotely.
Chris Ensor, NCSC deputy director for cyber growth, commented, “The UK has a thriving cybersecurity industry, and I’m excited to get to work with our first five companies and bring their innovations to life.
“Finding great ideas that can help protect all areas of society is a key part of our mission, and we look forward to collaborating with more startups as the program rolls on.”
Saj Huq, director of innovation at Plexal, said, “We’re excited to welcome the first innovators to NCSC For Startups. The response to our call for applications has been phenomenal, and we’re looking forward to bringing on more startups throughout 2021 in response to specific challenges and technology needs in the cybersecurity market.
“The NCSC understands the UK’s cybersecurity challenges better than anyone, and the opportunity for innovative startups to benefit from its world-class insight and expertise is unique. Combined with Plexal’s extensive track record in supporting startups to become market leaders, NCSC For Startups will help companies address some of the most challenging security problems facing the government, businesses and society now and in the future.”
Further information on the program and how to apply can be found here.
Chinese espionage group UNC215 leveraged the Remote Desktop Protocol (RDP) to access an Israeli government network using stolen credentials from trusted third parties, according to research published today.
Mandiant, part of cybersecurity firm FireEye, analyzed data gathered from their telemetry and the information shared by Israeli entities in collaboration with the authorities. The data revealed multiple concurrent operations against Israeli government institutions, IT providers and telecommunications entities beginning in January 2019.
FireEye has published the findings in a blog detailing the post-compromise tradecraft and operational tactics, techniques and procedures (TTPs) of UNC215. The group has targeted private companies, governments and various organizations in the Middle East, Europe, Asia and North America.
Mandiant’s research comes after a joint announcement by governments in North America, Europe and Asia and organizations such as NATO and the EU on July 19, 2021. The announcement condemned widespread cyber espionage conducted on behalf of the Chinese government.
“These coordinated statements attributing sustained cyber espionage activities to the Chinese Government corroborate our long-standing reporting on Chinese threat actor targeting of private companies, governments, and various organizations around the world, and this blog post shows yet another region where Chinese cyber espionage is active,” says the blog post.
The group remotely executed FOCUSFJORD on their primary target. Since 2019, UNC215 has been exploiting the Microsoft SharePoint vulnerability CVE-2019-0604 to install web shells and FOCUSFJORD payloads. Mandiant says that, even though it and FireEye have been working with Israeli defense agencies, UNC215 has been using TTPs to hinder “attribution and detection, maintain operational security, employ false flags and leverage trusted relationships for lateral movement.
“UNC215 made technical modifications to their tools to limit outbound network traffic and used other victim networks to proxy their C2 instructions, likely to minimize the risk of detection and blend in with normal network traffic,” the blog post explains.
The team also found a sample of a new malware (MD5:625dd9048e3289f19670896cf5bca7d8), which shares code with FOCUSFJORD. The malware is distinct and only contains functions to relay communications between another FOCUSFJORD instance and a C2 server, which the Mandiant team believes was used in the operation to reduce the likelihood of being detected.
“UNC215 has compromised organizations in the government, technology, telecommunications, defense, finance, entertainment, and health care sectors,” explains the Mandiant Israel Research Team and U.S. Threat Intel Team, who authored the blog post. “The group targets data and organizations which are of great interest to Beijing’s financial, diplomatic, and strategic objectives.” The blog post goes on to say that the activity demonstrates “China’s consistent strategic interest in the Middle East” against the backdrop of “China’s multi-billion-dollar investments related to the Belt and Road Initiative (BRI) and its interest in Israel’s robust technology sector.”
The owner of a martial arts academy in Florida is in custody after allegedly installing hidden cameras in the restroom to spy on students.
Police in Broward County arrested 64-year-old martial arts instructor Robert Danilo Franco on Friday. An investigation was launched after a 17-year-old female student spotted the devices and tipped off police.
Investigators said the student discovered two cameras hidden inside picture frames that were placed on a shelf in the bathroom at Master Franco’s Taekwondo Academy on Pines Boulevard, Miami.
After photographing the cameras, the student confronted Franco, who then allegedly destroyed the frames and cameras. The student then walked out of the academy and called her father, who came to meet her and called the police.
Franco surrendered himself to the Broward County Jail on August 6 after a warrant was issued for his arrest.
Local10 news reported that a search of the martial arts instructor's phone and computer by law enforcement revealed content featuring children and adults.
Authorities think Franco may have been filming people without their consent since March 2021 when he took over the martial arts academy.
Pembroke Pines Police reportedly said that Franco provided them with an explanation regarding the presence of the cameras in the bathroom, but officers did not deem the explanation to be plausible.
“The Pembroke Pines Police Department fully anticipates more victims to come forward,” said Captain Adam Feiner with Pembroke Pines PD. “We haven’t identified them yet and need the community's help to do so.”
The police are asking anyone who used the restroom at Master Franco’s Taekwondo Academy, or whose children attended or visited the academy and used the bathroom, to contact Detective Jacob Childress at the Special Victims Unit at 954-743-1637.
Franco was charged with three counts of video voyeurism and one count of tampering with or fabricating physical evidence. His bond was set at $20,000.
A media release by the Pembroke Pines PD praised the actions of the teenager who allegedly discovered the cameras.
"The courageous actions of the juvenile student led to a thorough examination of all aspects of this investigation, the seizure of evidence, and ultimately an arrest warrant," read the statement.
Researchers have uncovered a new type of Android Trojan attack that spreads via social media hijacking.
Evidence of the malware was dug up by the zLabs team at mobile security company Zimperium. A forensic investigation revealed the malicious software to be part of a family of Trojans that use social engineering to compromise Facebook accounts.
Zimperium's Aazim Yaswant said: "A new Android Trojan codenamed FlyTrap has hit at least 140 countries since March 2021 and has spread to over 10,000 victims through social media hijacking, third-party app stores, and sideloaded applications."
The malware places victims at risk of identity theft by hijacking their social media accounts via a Trojan infecting their Android device. Data stolen by FlyTrap includes Facebook ID, location, email address, IP address, and cookies and tokens associated with the Facebook account.
"These hijacked Facebook sessions can be used to spread the malware by abusing the victim’s social credibility through personal messaging with links to the Trojan, as well as propagating propaganda or disinformation campaigns using the victim’s geolocation details," said Yaswant.
FlyTrap ensnares social media users by pretending to offer discount codes for Netflix and Google AdWords or asking users to vote for their favorite soccer team. Users are then taken to a fake Facebook login page and asked to enter their credentials.
Threat actors based in Vietnam are believed to have been running this session hijacking campaign since springtime.
The threat researchers found that the malicious applications were first distributed through both Google Play and third-party application stores.
"Zimperium zLabs reported the findings to Google, who verified the provided research and removed the malicious applications from the Google Play store. However, the malicious applications are still available on third-party, unsecured app repositories, highlighting the risk of sideloaded applications to mobile endpoints and user data," said Yaswant.
FlyTrap Trojan Android applications include Vote European Football (com.gardenguides.plantingfree) and Chatfuel (com.ynsuper.chatfuel).
A new poll has revealed that American and British adults would be put off using a virtual vaccination card by the fear that their personal data may not be protected.
Cybersecurity company Anomali teamed up with The Harris Poll to question more than 2,000 Americans and 1,000 Brits aged over 18 on how they would feel about using COVID-19 digital vaccine cards, should they become a requirement for participating in activities like traveling, in-person learning, attending sporting events, and entering a store or government building.
While nearly all the adults surveyed (93% in the US and 89% in the UK) had smartphones capable of supporting digital vaccination cards, only around three quarters of respondents said they would be likely to use them.
Brits were more enthusiastic than Americans, with 54% saying their adoption of such a card was "very likely" and 26% stating that it was "somewhat likely" compared with 45% and 23% of Americans, respectively.
Among Americans, 20% said they were not at all likely to use a digital vaccination card, compared with 12% of adults in the UK.
Parents were more likely to sign up for virtual vaccination cards, with 73% of US parents and 83% of British parents giving the possibility a thumbs up. Another group with a higher than average likelihood of using the cards was the affluent, with 85% of Brits earning over £30,000 and 78% of Americans taking home more than $100K pledging their approval.
The poll found that more than three quarters (80% of Americans and 76% of those in the UK) of respondents had cybersecurity concerns over using the cards. The main worry cited by both nationalities was identity theft, but respondents were also troubled by the possibility of a data breach.
Those polled listed their third biggest cybersecurity concern as the worry that threat actors might be able to break into smartphones using fake digital vaccination cards.
Describing who they thought might carry out a cyberattack related to COVID-19 digital vaccination cards, Americans most frequently chose nation-states, including Russia, China, or North Korea (36%), while Brits pointed the finger at organized cybercriminal gangs (42%).
Average ransomware demands surged by 518% in the first half of 2021 compared to 2020, while payments climbed by 82% in the same period, according to new figures released by the Unit 42 security consulting group.
The researchers revealed that the average demand from ransomware gangs in H1 2021 was $50m, representing a massive increase from $847,000 in 2020. They noted that the highest demand made of a single victim so far in 2021 was $50m, which compares to $30m last year.
In addition, the average ransomware payment this year was a record $570,000, which compares to $312,000 last year. The team also noted that the average payment in 2020 was 171% higher than in 2019, further highlighting how lucrative this tactic has become during the past 18 months.
According to the researchers, the main factor in these increases was the use of new extortion approaches, meaning ransomware gangs are getting “greedier.” This included the rise of “quadruple extortion,” in which four extortion methods are used against a single victim:
- Encryption: making organizations pay to regain access to locked data and systems
- Data theft: threatening to release sensitive data if a ransom is not paid
- Denial of service (DoS): shutting down a victim’s public website
- Harassment: contacting customers, business partners, employees and media to tell them the organization has been compromised
The Unit 42 team also stated that they expect the ransomware crisis to worsen over the coming months and have observed threat actors “develop new approaches for making attacks more disruptive.” This includes encrypting hypervisors, which can corrupt multiple virtual instances running on a single server.
They also predict that managed service providers will be increasingly targeted in the wake of the recent high-profile Kaseya attack.
The researchers added: “While we predict that ransoms will continue their upward trajectory, we do expect to see some gangs continue to focus on the low end of the market, regularly targeting small businesses that lack resources to invest heavily in cybersecurity. So far this year, we have observed groups, including NetWalker, SunCrypt and Lockbit, demanding and taking in payments ranging from $10,000 to $50,000. While they may seem small compared to the largest ransoms we observed, payments that size can have a debilitating impact on a small organization.”
The findings have followed numerous instances of large ransomware payments in recent months. In May, it was reported that insurance giant CNA Financial paid its extorters $40m after its IT systems were locked down and data were stolen, while meat processing firm JBS confirmed it paid the REvil ransomware gang $11m in June.
Around half of businesses (45.49%) and consumers (52.35%) on average saw at least one sustained additional infection in May 2021, according to the latest metrics from the Webroot BrightCloud Mid-Year Threat Report.
In May 2021, the report revealed a 440% increase in phishing, holding the record for the single largest phishing spike in a single month. It also showed that industries such as oil, gas and mining saw a 47% increase in the same six-month period, with manufacturing and wholesale traders seeing a 32% increase.
The report extends its yearly threat intelligence report, with updated metrics between January 1 and June 30 2021. It also investigates the latest trends in malware, phishing and crypto exchanges.
The Mid Year Threat Report found that big brands continued to suffer from cyber extortion and ransomware. PayPal accounted for 1% of the top 200 phished brands but saw a 1,834% spike in May — showing that financial institutions are a top target.
Webroot Brightcloud also found that technology supply chains were under attack. The management of companies and the enterprise industry showed a significant increase in malware infections — 57% versus the global average.
“People aren’t learning from their cyber mistakes, and more concerning, they aren’t equipped with knowledge on how to prevent repeat mistakes,” says Grayson Milbourne, security intelligence director at Webroot. “Organizations must take ownership of the issue and do all they can in leading their people to improve security awareness, knowledge and habits.”
The report also found that phishing attacks are increasingly targeting crypto exchanges and wallets. Observations by Webroot found that there was a 75% increase in Coinbase phishing pages using HTTPS immediately after Coinbase’s IPO.
The report also found that cryptojacking remained active but had declined since March 2020, which it attributed to the end of several crypto mining operations such as Minr, XMROmine and JSECoin. Webroot also found that cryptojacking activity saw a decline of 39% by the end of June 2021.
“Cryptocurrency is like leaving behind digital breadcrumbs on blockchain, and while cryptojacking in the browser is dead, crypto mining using applications is still very profitable and might yield a higher reward over time than a ransomware demand,” explains David Dufour, vice president of engineering at Webroot.
The UK House of Commons (HoC), the lower house of the UK Parliament, has put over 2,600 of its 3,000 staff members through cyber training following the Whitehall CCTV security leak from the Matt Hancock scandal.
According to official figures obtained by the Parliament Street think tank via Freedom of Information (FOI) requests, 2,658 HoC staff members were put through an eight-part cybersecurity training course during the 2020/21 financial year. The course, ‘Annual Essentials Certification,’ covers training in cybersecurity and cybercrime and is a government-backed scheme, according to the National Cyber Security Centre (NCSC).
While HoC staffers have been put through the course in previous years — 2,207 staff members attended the course in the financial year 2019/20 — an additional 400+ were put through in the most recent financial year.
Further, the FOI data revealed that the government pays a £56,400 annual subscription fee to its learning management system provider to access a broader range of courses as well as for maintenance.
In addition, in the recent financial year 2020/21, four HoC staff members were sent on a specialist training cybersecurity course costing £18,875, according to the FOI request. Over £7,000 was spent on two specialist training courses in the previous year — one on Cyber Threat Intelligence and another on becoming a cybersecurity manager.
“With rising cyber threats targeting government departments, boosting cyber skills and awareness for parliamentary staffers is a smart and necessary move,” says Andy Harcup, senior director and cyber expert at Gigamon, in a news release. “With the Covid-19 pandemic triggering a dramatic increase in flexible working, it’s more important than ever that public sector organizations have robust systems and training in place to identify potential threats.”
Whitehall, where the House of Commons is located, was under scrutiny when leaked CCTV footage showed former Health Secretary Matt Hancock kissing his aide in his office. Hancock resigned following the leaked footage. The Information Commissioner’s Office (ICO) has raided the homes of two people linked with the leak, according to the Guardian.
The FOI request put forward by Parliament Street asked for a breakdown of all employees within Whitehall who have undertaken cybercrime or cybersecurity training over the last two financial years; details on the nature of the course; and the money spent on each course.
Tim Sadler, CEO of Tessian, welcomes the news that the government is investing more in cybersecurity training but warns that it can’t be a one-off spend.
“It’s encouraging to see that Parliament is taking security training and awareness seriously,” he says. “Employees need access to the tools and knowledge to help them make smarter cybersecurity decisions and think twice before clicking.
“This training, though, can’t be a one-time, tick-box exercise,” he adds. “Training needs to be continuous and contextual if it’s going to resonate with people and stop mistakes from turning into breaches.”