EBrief

Security firms breached?

A hacking group (believed to be Fxmsp) is advertising access to the networks of at least three information security companies in the U.S. and source code for their software products. The current known victims are Symantec, McAfee and Trend Micro. Upwards of 30 terabytes has been stolen.

The initial asking price was $250,000 for access information and $150,000 for the source code, but they were ready to sell both for at least $300,000, depending on the company the buyer is interested in.

While the merits of antivirus are questionable (it's good for compliance and for stopping a lot of well-known stuff), this is not good news. Once source code has been obtained, it's much easier to find at least clues to where security holes are.

We will continue to monitor this situation.

Microsoft remained the number 1 impersonated brand in phishing attacks.

After a big dip in activity over the holidays, when hackers shifted their sights to consumer targets, Microsoft phishing slowly recovered in January before resuming its torrid pace in February and March. In fact, the week of March 4th was the biggest single week for Microsoft phishing since we started our analysis. Because of the sluggish start to the year, though, the number of Microsoft phishing URLs actually declined in Q1 for the first time, finishing down a modest 4.5% from Q4 2018.

Microsoft’s sustained popularity with hackers stems from the lucrativeness of Office 365 credentials, which provide a single entry point to the entire Office 365 platform while enabling them to conduct multi-phased attacks using compromised accounts. In fact, Microsoft’s own research estimates that Office 365 phishing increased 250% from Jan – Dec 2018.

There continues to be a variety of Office 365 phishing attacks, from suspended account claims to links to phony OneDrive or SharePoint documents. Overall, the sophistication of these attacks is growing, with many Office 365 phishing pages being virtually indistinguishable from the real thing. To accomplish this, hackers mirror the actual Office 365 login page, pulling JavaScript and CSS directly from the legitimate website and inserting their own script to harvest credentials.

In addition, there are pages that redirect users to legitimate Microsoft pages once they’ve submitted their credentials in an attempt to convince them that nothing is amiss. For instance, one recent attack targeting multiple customers would redirect users to Office.com after they “logged in”. What’s also noteworthy about this phishing email is that the reply-to was a legitimate Microsoft email: support@microsoft.com. Again, this is intended to create a false sense of security with the user.

Source: Vade Secure
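
The mismatch described above, a legitimate Microsoft reply-to address on a message whose sender and links are not Microsoft's, can be checked mechanically at the mail gateway. The following is an added example, not code from the article or from Vade Secure; the brand domain list, the keyword list and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: hosts this organisation accepts as genuinely Microsoft-operated.
BRAND_DOMAINS = ("microsoft.com", "office.com", "microsoftonline.com")
BRAND_WORDS = ("microsoft", "office 365", "onedrive", "sharepoint")

def in_brand(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def addr_domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def body_text(msg):
    # Collect every text part, decoding base64/quoted-printable where used.
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def phishing_signals(raw_message):
    """Return the brand-impersonation signals found in one message."""
    msg = message_from_string(raw_message)
    if in_brand(addr_domain(msg.get("From"))):
        return []  # sender claims a brand domain: leave that to SPF/DKIM/DMARC
    signals = []
    display = parseaddr(msg.get("From", ""))[0].lower()
    if any(word in display for word in BRAND_WORDS):
        signals.append("brand display name on non-brand sender")
    if in_brand(addr_domain(msg.get("Reply-To"))):
        signals.append("brand Reply-To on non-brand sender")
    urls = re.findall(r"https?://[^\s\"'<>]+", body_text(msg))
    hosts = {urlparse(u).hostname for u in urls}
    off_brand = sorted(h for h in hosts if h and not in_brand(h))
    # Off-brand links only matter once the message has claimed the brand.
    if signals and off_brand:
        signals.append("link to off-brand host: " + ", ".join(off_brand))
    return signals

# Constructed sample messages (not taken from any real campaign).
PHISH = (
    "From: Microsoft Office 365 <notice@mail-alerts.example>\n"
    "Reply-To: support@microsoft.com\n"
    "Subject: Your account has been suspended\n"
    "\n"
    "Sign in to restore access: https://login.office-verify.example/o365\n"
)
BENIGN = (
    "From: Dana <dana@corp.example>\n"
    "Subject: Q1 deck\n"
    "\n"
    "Deck is here: https://www.office.com/launch/powerpoint\n"
)

if __name__ == "__main__":
    print(phishing_signals(PHISH))
    print(phishing_signals(BENIGN))
```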

Doctors' office closes after ransomware attack

A computer virus recently injected itself into the electronic medical record system of Brookside ENT & Hearing Services and ruined the business.

The two-doctor medical practice in Michigan has apparently become the first health care provider in the nation to shut its doors for good because of a ransomware attack, according to half a dozen cybersecurity experts contacted in the past week. Hackers are targeting Minnesota hospitals and clinics at an escalating pace, including four breaches involving patient files already reported in 2019, though any interruptions of work have been temporary.

Ransomware, which encrypts sensitive information and then demands a small financial payment to unlock the files, has become the most common form of malicious software affecting businesses, typically arriving via e-mail, Verizon’s 2018 data-breach report says.

Brian Stevenson, president of Roseville cyber security firm FocusPoint Technologies, said about one-third of ransomware victims who pay the ransoms end up getting their data back. Yet, “people are paying the ransoms behind closed doors quite often, because the cost of not being operational for days is worse than the cost of paying,” he said.

At Brookside ENT in Battle Creek, Mich., the ransomware virus started by deleting and overwriting every medical record, bill and appointment, including the backups. The virus left behind a duplicate of the deleted files, which could be unlocked with a password that the attacker promised to provide for $6,500 in U.S. currency wired to an account, doctors at the clinic said.

The practice’s two ENT surgeons — Dr. William Scalf, 64, and Michigan state senator Dr. John Bizon, 66 — refused to pay the attacker’s ransom. Scalf said in an interview that there was no guarantee the password would work, or that the malware wouldn’t crop up again.

Scalf said an “IT guy” advising them on the attack determined that the attacker did not view the medical records, so the infection wasn’t formally reported as a breach under the federal HIPAA law. But lacking any medical and billing records, the doctors closed the business on April 1 and retired about a year before they planned to.

But there was no way to communicate that to patients. “We didn’t even know who had an appointment in order to cancel them,” Scalf said. “So what I did was just sort of sat in the office and saw whoever showed up. For the next couple of weeks.”

Local resident Ann Ouellette, whose teen daughter’s records were lost in the attack, told west Michigan CBS affiliate WWMT that her daughter came down with a sinus infection a month after getting surgery and now needs to find a new provider for her follow-up care. Past hearing-test results were lost in the attack, too.

Six cybersecurity researchers and consultants contacted by the Star Tribune said this appears to be the first time this type of scenario has played out in the U.S.

“This is the first time I’ve heard of a practice shutting down because of ransomware,” cybersecurity researcher Billy Rios said via e-mail. Rios, founder of security firm WhiteScope and a well-known critic of lax security in health care products, said some of the medical data might still be recoverable, but it’s impossible to tell without access to the infected system.

Beau Woods, a leader with the I Am the Cavalry cybersecurity initiative, said in an e-mail that the majority of small businesses are underprepared for ransomware threats, including many health care delivery organizations. Unlike larger organizations, many smaller providers have no full-time IT employee, let alone a cybersecurity specialist.

“Without better security capabilities and awareness, we can expect to see more frequent, more impactful ransomware incidents impacting health care,” Woods wrote.

The digital barrage of attacks against small business IT systems is not limited to health care. But doctors and hospitals hold information of unique value — your personal medical records.

Already in 2019, four health care providers in Minnesota have reported breaches of patients’ personal health information to the U.S. Health and Human Services Department, including a malware attack at a Woodbury reproductive medicine clinic affecting 40,000 patients — the second-largest health records exposure in Minnesota since reporting began in 2010, federal records show.

Other patient-data breaches reported in the state in the first quarter of 2019 included hacking and e-mail phishing at a behavioral health clinic in the Duluth area (1,200 records), a Catholic-run hospital in Baudette (885 records), and a community hospital district in Blue Earth (2,143 records), federal records show.

Those totals put Minnesota on track to exceed the 10 health data breaches recorded in 2018. The largest breach last year affected 20,800 records following an e-mail hacking incident at the Minnesota Department of Human Services.

The largest reported health care data breach in Minnesota ever was the theft of a laptop owned by medical suppliers Empi and DJO LLC, containing 160,000 medical records, reported in August 2015. Minnesota’s most infamous health care data breach — the 2011 theft of a laptop from billing consultant Accretive — involved the unencrypted medical records of 14,623 Fairview Health Services patients.

For all of the reported incidents, security researchers say there are many other cases in which providers are quietly paying the ransoms to unlock their files without any public notification.

“The reality is that many victims are paying ransom and successfully recovering as a result. Ransomware is a proven successful business model for attackers, complete with customer service to facilitate payments,” said Justine Bone, CEO of the med-tech cybersecurity research firm MedSec, via e-mail.

Todd Carpenter, chief engineer at Minneapolis cyber security firm Adventium Labs, said he applauded the owners of Brookside ENT for refusing to pay the $6,500 ransom.

“Much better than paying the ransom, pretending it didn’t happen, muddling through — which some hospitals and clinics have done,” Carpenter said.

The attack on Brookside ENT was reported to the FBI, Scalf said. Scalf wasn’t optimistic that the investigation would result in charges, but Carpenter said ransomware attacks should be reported to the FBI immediately. The next step would be to get a reputable “data forensics” specialist to review the files, Carpenter said.

The fact that Brookside ENT’s backup files were corrupted underscores the importance of keeping additional data backups offline, away from attacks that can spread over a network.

The Healthcare Sector Coordinating Council published a detailed guidebook last year listing ways to improve what it called “cyber hygiene” in health care settings, including detailed guidance for making e-mail more secure, protecting networks with antivirus protections, limiting network access and actively looking for vulnerabilities that can be addressed.

Or as Bone put it: “Consumers and businesses both large and small need to either make a security investment up front, or manage risk by stashing that ransom for a rainy day. What will get even more interesting is when cyber risk insurers respond to these situations by recommending or making payments on behalf of their clients. It would not surprise me if this were already happening, unfortunately.”

Source: Star Tribune

Georgia Tech Data Breach Exposed 1.3 million records.

Georgia Tech announced that a vulnerability in a web application allowed an attacker to gain access to the personal information of up to 1.3 million students, college applicants, staff, and faculty members.

On March 21st, Georgia Tech developers were investigating a performance issue in one of their web applications and discovered that an unauthorized third party had gained access to the server.

Upon further investigation, it was determined that the intruders gained access on December 14th, 2018 through a vulnerability in a web application.

“Application developers for the Institute noticed a significant performance impact in one of its web applications and began an investigation on March 21, 2019,” stated Georgia Tech’s announcement. “During this investigation it was determined the performance issue was the result of a security incident.”

Through this vulnerability, the intruders were able to gain access to a database that contained the personal information of up to 1.3 million students, applicants, and staff members. This information included a person’s name, addresses, social security numbers, and birth dates.

“The information illegally accessed by an unknown outside entity was located on a central database. Georgia Tech’s cybersecurity team is conducting a thorough forensic investigation to determine precisely what information was extracted from the system, which may include names, addresses, social security numbers, and birth dates.”

While the vulnerability in the web application has since been patched, Georgia Tech has not disclosed what was causing the performance issue that led them to discover the breach. It is possible that the attackers were utilizing the server for further attacks on external servers or had installed malware, such as mining software that utilized the server’s resources and impacted performance.

The university has already contacted the U.S. Department of Education and will be notifying those who were affected.

Second breach in a year

To make matters worse, this is the second security incident that Georgia Tech was affected by in the past year.

According to DataBreaches.net, a staff member accidentally mass emailed a spreadsheet to students that contained the personal data of 8,000 people. This data included student ID numbers, home address, visa info, GPA, academic standing, and hours earned.

Source: Bleeping Computer

Trolls spreading false vaccine information on Twitter

A study found that Russian trolls and bots have been spreading false information about vaccination, in support of the anti-vaccination movement. The false information was generated by propaganda and disinformation specialists at the Kremlin-affiliated, St. Petersburg-based IRA. The Kremlin employed IRA to conduct a broad social media disinformation campaign to sow discord and deepen divisions in the United States.

Researchers at George Washington University examined thousands of tweets sent between July 2014 and September 2017. They discovered that several accounts, now known to belong to the same Russian trolls who interfered in the US election, as well as marketing and malware bots, tweeted about vaccines and skewed online health communications.

“The vast majority of Americans believe vaccines are safe and effective, but looking at Twitter gives the impression that there is a lot of debate. It turns out that many anti-vaccine tweets come from accounts whose provenance is unclear. These might be bots, human users or ‘cyborgs’—hacked accounts that are sometimes taken over by bots,” said David Broniatowski, a SEAS assistant professor.

Content polluters—bot accounts that distribute malware, unsolicited commercial content and disruptive materials—shared anti-vaccination messages 75 percent more than average Twitter users.

Russian trolls and more sophisticated bot accounts posted equal amounts of pro- and anti-vaccination tweets.

Source: American Journal of Public Health

Sacked IT guy annihilates 23 of his ex-employer's AWS servers

An employee-from-hell has been jailed after he got fired (after a measly four weeks), ripped off a former colleague’s login, steamrolled through his former employer’s Amazon Web Services (AWS) accounts, and torched 23 servers.

The UK’s Thames Valley Police announced on Monday that 36-year-old Steffan Needham, of Bury, Greater Manchester, was jailed for two years at Reading Crown Court following a nine-day trial.

Needham pleaded not guilty to two charges under the Computer Misuse Act – one count of unauthorized access to computer material and one count of unauthorized modification of computer material – but was convicted in January 2019.

As the Mirror reported during Needham’s January trial, the IT worker was sacked after a month of lousy performance working at a digital marketing and software company called Voova in 2016.

In the days after he got fired, Needham got busy: he used the stolen login credentials to get into the computer account of a former colleague – Andy “Speedy” Gonzalez – and then began fiddling with the account settings. Next, he began deleting Voova’s AWS servers.

The company lost big contracts with transport companies as a result. Police say that the wreckage caused an estimated loss of £500,000 (about $700,000 at the time). The company reportedly was never able to claw back the deleted data.

It took months to track down the culprit. Needham was finally arrested in March 2017, when he was working for a devops company in Manchester.

Should-a, could-a, would-a

Voova, like all companies, should have done a few things to protect itself from this sort of nightmare. Security experts had agreed, prosecutor Richard Moss noted during the trial, that Voova could have done a better job at security.

Voova CEO, Mark Bond, admitted to the court that the company could have implemented two-factor authentication (2FA):

“There was no multi-factor authentication, a means of confirming the user ID which requires a user to verify their identification by something they know or possess.”

2FA would have made it much harder for Needham to traipse through Voova’s AWS account posing as “Speedy.”

Of course, you also have to lock the door after employees leave by shutting down their accounts.

Make sure you have a plan in place for when employees leave that covers everything from physical access to your property and hardware like laptops, phones and access tokens, to email and call forwarding, and logins for all the company software and services they had access to.

Source: Naked Security
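
Both controls named above, MFA on every console login and shutting down accounts when people leave, can be audited from the IAM credential report that AWS produces as CSV. The following is an added example, not code from the article or from Voova; the column names are those of the credential report, while the user names, dates and leaver list are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timezone

def parse_ts(value):
    """Credential-report timestamp, or None for 'N/A' / 'no_information'."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit(report_csv, leavers):
    """Return (user, finding) pairs; leavers maps user name to leaving date."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root row reports 'not_supported' here, which is not 'true'.
        console = row["password_enabled"] == "true"
        keys_active = any(
            row.get(col) == "true"
            for col in ("access_key_1_active", "access_key_2_active")
        )
        if console and row["mfa_active"] != "true":
            findings.append((user, "NO_MFA"))
        left = leavers.get(user)
        if left is None:
            continue
        if console or keys_active:
            findings.append((user, "LEAVER_ACTIVE"))
        last_login = parse_ts(row["password_last_used"])
        if last_login and last_login > left:
            findings.append((user, "LOGIN_AFTER_EXIT"))
    return findings

# Constructed sample: a subset of the credential report's columns.
SAMPLE_REPORT = (
    "user,password_enabled,password_last_used,mfa_active,"
    "access_key_1_active,access_key_2_active\n"
    "<root_account>,not_supported,2024-01-04T10:00:00+00:00,true,false,false\n"
    "alice,true,2024-06-01T08:30:00+00:00,true,true,false\n"
    "bob,true,2024-06-02T22:15:00+00:00,false,false,false\n"
    "carol,true,2024-05-25T23:40:00+00:00,false,true,false\n"
    "dave,false,N/A,false,false,false\n"
)
# Constructed HR data: who has left, and when.
LEAVERS = {
    "carol": datetime(2024, 5, 20, tzinfo=timezone.utc),
    "dave": datetime(2024, 4, 30, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT, LEAVERS):
        print(f"{finding:18} {user}")
```

In the sample, dave is a leaver whose credentials were disabled and so produces no finding, while carol's account shows a console login five days after her leaving date.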

Airports and operational technology: four attack scenarios

Critical airport systems including baggage control, runway lights, air conditioning, and power, are managed by means of network-connected digital controllers that are much less organized than conventional IT networks, rarely monitored as closely, and are often left untouched for years, making them vulnerable to attacks. Here are the risks identified:

Threat 1: Baggage Handling:

As baggage-handling systems are the most customer-facing operational technology (OT) systems found in airports, they are a common target. A malicious actor has the ability to hack into the baggage-handling system to either redirect a bag to another flight or prevent it from being subject to a secondary security check in order to smuggle something illicit or dangerous onto the plane. These systems are extremely attractive targets because an attack can be executed remotely; the attacker would not need to board the plane.

Threat 2: Aircraft Tugs:

Tugs are usually vehicles that latch on the wheel bar or axle and are essential to do the kind of maneuvering needed to back a plane into the gate to connect the jet bridge and other deplaning equipment. Many modern tugs are wireless, and there is a huge push to make all next-generation tugs wireless, driverless, and OT and IT connected. Attackers could potentially hijack a tug’s weight sensors and back a large jet into a gate at the velocity used for a small plane, causing it to crash through the wall of the airport.

Threat 3: De-icing Systems:

The liquid chemicals used for de-icing are stored at on-site facilities. These facilities use OT devices to regulate and maintain the composition of de-icing chemicals. If those systems were attacked and the composition of the solution altered, this could easily cause ice to form on the body of a plane. Even a single millimeter of ice can dramatically affect the aerodynamics and ability of a plane to maneuver. Tampering with the aerodynamics of a plane by hacking into de-icing systems is one way to cause it to crash without loading explosives onto it, which is likely why, as obscure a risk vector as it is, de-icing systems are often one of the first OT systems airports monitor.

Threat 4: Fuel Pumps:

Fuel trucks that pump gas from storage tanks in the ground are connected via a sprawling network of underground pipes that use OT systems to regulate the valves, controls, and equipment used to store, transfer, and dispense various types of fuel used by commercial aircraft. An attacker could hack into a fuel truck, causing the wrong type or mixture of fuel to be pumped into a plane, resulting in anything from engine problems to an explosion.

Source: Dark Reading