Cyber Risk News
C-suite executives are the people most susceptible to mobile-based cyber-attacks in businesses, according to a study from MobileIron. The report, entitled Trouble at the Top found that while these executives are highly targeted by cyber-criminals in attacks on organizations, they are also more likely than anyone else to have a relaxed attitude to mobile security.
In the analysis, research from 300 enterprise IT decision makers across Benelux, France, Germany, the UK and the US was combined with findings from 50 C-level executives from the UK and the US. It revealed that many C-level executives find mobile security protocols frustrating, with 68% feeling IT security compromises their personal privacy, 62% stating it limits the usability of their device and 58% finding it too complex to understand.
As a result of these issues, 76% of C-suite executives had asked to bypass one or more of their organization’s security protocols last year. This included requests to: gain network access to an unsupported device (47%), bypass multi-factor authentication (45%) and obtain access to business data on an unsupported app (37%).
“These findings are concerning because all of these C-suite exemptions drastically increase the risk of a data breach,” commented Brian Foster, SVP product management, MobileIron. “Accessing business data on a personal device or app takes data outside of the protected environment, leaving critical business information exposed for malicious users to take advantage of. Meanwhile, multi-factor identification – designed to protect businesses from the leading cause of data breaches, stolen credentials – is being side-stepped by C-suite execs.”
To exacerbate this issue, IT decision makers included in the study overwhelmingly stated that C-suite is the group most likely to both be targeted by (78%), and fall victim to (71%), phishing attacks.
Foster added: “These findings highlight a point of tension between business leaders and IT departments. IT views the C-suite as the weak link when it comes to cybersecurity, while execs often see themselves as above security protocols.”
Remote workers have been targeted by up to 65,000 Google-branded cyber-attacks during the first four months of 2020, according to a new report by Barracuda Networks. The study found that Google file sharing and storage websites were used in 65% of nearly 100,000 form-based attacks the security firm detected in this period.
According to the analysis, a number of Google-branded sites, such as storage.googleapis.com, docs.google.com, storage.cloud.google.com and drive.google.com, were used to host forms and pages that tried to trick victims into sharing login credentials. Google-branded attacks were far in excess of those impersonating Microsoft, with the sites onedrive.live.com, sway.office.com and forms.office.com making up 13% of attacks.
Other form-based sites used by attackers included sendgrid.net (10%), mailchimp.com (4%) and formcrafts.com (2%).
Overall, the use of the Google brand by cyber-criminals to trick users appears to be increasing: Barracuda Networks observed Google-brand impersonation attacks represented 4% of all spear-phishing attacks during the first four months of 2020. This figure is expected to rise, as it has proved to be successful in the harvesting of credentials.
Steve Peake, UK systems engineer manager, Barracuda Networks, outlined: “Brand-impersonation spear-phishing attacks have always been a popular and successful method of harvesting a user’s login credentials, and with more people than ever working from home, it’s no surprise that cyber-criminals are taking the opportunity to flood people’s inboxes with these scams. The sophistication of these attacks has accelerated in recent times: now, hackers can even create an online phishing form or page using the guise of legitimate services, such as forms.office.com, to trick unsuspecting users.”
There has been a substantial rise in phishing attacks recently as a result of the increase in people working from home during the COVID-19 pandemic, with security systems and practices difficult to maintain for many businesses in these circumstances.
Barracuda Networks added that security measures such as multi-factor authentication (MFA) and email security software are especially vital for organizations at this time, since a harvested password alone should not be enough to take over an account.
Security researchers are claiming victory after unmasking an infamous hacktivist who defaced nearly 5000 websites in more than 40 countries over the past few years.
The individual, known online as “VandaTheGod” on Twitter, took to social media to publicize his exploits, sometimes under aliases such as “Vanda de Assis” and “SH1N1NG4M3,” according to Check Point.
This activity first alerted the security firm to his presence, and also provided a trail of clues which ultimately led them to his real identity: an individual living in the south-eastern Brazilian municipality of Uberlandia.
Active since 2013, the hacktivist never reached his stated personal goal of compromising over 5000 websites. However, thousands of government, academic and corporate sites were apparently defaced with anti-government and social justice messages thanks to his work.
In the last year, over half (57%) of the sites he defaced were located in the US — where victims included the official website of the state of Rhode Island and the city of Philadelphia — while Australia and the Netherlands rounded out the top three targeted countries.
VandaTheGod was also active in his home country, defacing a Brazilian government website with the hashtag #PrayforAmazonia, in response to the increase in rainforest clearing approved by right-wing President Bolsonaro.
However, his motives weren’t always so altruistic, and occasionally strayed into theft of credit card details and log-ins. VandaTheGod is said to have attempted to steal data from public figures, universities and even hospitals, on one occasion offering to sell the medical records of one million New Zealand patients for $200 per record.
“This case highlights the level of disruption that a single, determined individual can cause internationally. Although ‘VandaTheGod’s’ motive originally seemed to be protesting against perceived injustices, the line between hacktivism and cybercrime is thin,” argued Check Point manager of threat intelligence, Lotem Finkelsteen.
“We often see hackers taking a similar path from digital vandalism to credentials and money theft as they develop their techniques. Revealing the person’s true identity and disclosing it to law enforcement should put an end to their extensive disruptive and criminal activities.”
Ransomware operators had another standout year in 2019, with attacks and ransom demands soaring according to new data from Group-IB.
The Singapore-based security vendor claimed that, after a relatively quiet 2018, ransomware was back with a vengeance last year, as attack volumes climbed by 40%.
As large enterprises became an increasing focus for attacks, ransom demands also soared: from $8,000 in 2018 to $84,000 last year. That’s a 950% increase.
The “greediest ransomware families with highest pay-off” were apparently Ryuk, DoppelPaymer and REvil, the latter on occasion demanding $800,000.
As mentioned, last year saw an increasing number of attackers focus their efforts on larger targets, often using sophisticated APT-style tactics, according to Group-IB. This included trojans such as Dridex, Emotet, SDBBot and Trickbot to gain an initial foothold, and post-exploitation frameworks such as Cobalt Strike, CrackMapExec, PowerShell Empire, PoshC2, Metasploit and Koadic to move laterally and gather information on the targeted network before ransomware was deployed. Data theft ahead of encryption also became a popular way to force payment.
Phishing emails continued to be the number one initial threat vector, alongside RDP compromise and websites infected with exploit kits, the security vendor added.
“The year of 2019 was marked by ransomware operators enhancing their positions, shifting to larger targets and increasing their revenues, and we have good reason to believe that this year they will celebrate with even greater achievements,” said Group-IB senior digital forensics specialist, Oleg Skulkin.
“Ransomware operators are likely to continue expanding their victim pool, focusing on key industries, which have enough resources to satisfy their appetites. The time has come for each company to decide whether to invest money in boosting their cybersecurity to make their networks inaccessible to threat actors or risk being approached with ransom demand and go down for their security flaws.”
Ransomware operators have indeed picked up where they left off at the end of 2019, launching a blizzard of attacks against firms struggling to adapt to mass remote working, as well as hospitals fighting COVID-19.
According to Coveware, the average ransom paid in the first three months of the year surged by 33% quarter-on-quarter. However, contrary to Group-IB’s analysis, it claimed that despite the “big game hunting” narrative, most victims are likely to be SMBs.
The average number of employees in ransomware victims was 625 in Q1, with the median a much smaller 62.
The supply of dark web drugs soared nearly 500% over the first few months of this year as dealers took to the internet to continue trading, according to new data from Sixgill.
The cyber-intelligence company monitors multiple underground sites and forums for its customers.
It reported that although the supply of malware, phishing kits, and stolen accounts has been pretty steady over the past 12 months, that of illegal drugs has spiked recently as government lockdowns forced individuals off the streets.
The firm claimed that the number of items for sale in December 2019 stood at 4154, but this had risen to 24,719 by April 2020 — an increase of 495%.
MDMA postings apparently grew 224%, cannabis postings were up 555%, and cocaine posts spiked 1000% over the period.
“Feedback, while an imperfect metric for purchase volume, is a reliable indicator of the rate of transactions,” Sixgill explained. “Feedback volume for cannabis, cocaine, and MDMA all nearly doubled over the past half year.”
However, despite this surge in online supply and a likely uptick in sales, the underground market was not immune to the same dynamics as legitimate economic sectors.
“As with all online shopping, shipping delays occurred, with dark web chatter suggesting that slower delivery times dinged the reputations of vendors among a cynical customer base that’s always vigilant for scammers. Though the rise in chatter and concerns was temporary, it did make both vendors and consumers more conscious of the risks of international shipping for illegal goods,” the security firm explained.
“While supply surged, demand lagged and never caught up, rising later and at a slower pace. That led to a 10-fold surge in mentions of ‘bargains’ and ‘discounts’ in early 2020. That’s not only a response to oversupply, but a reaction to consumers’ precarious economic situation during the economic freeze.”
An American cryptocurrency investor is suing a New York high school senior over the theft of $23.8m in digital currencies.
Michael Terpin has filed a civil complaint against 18-year-old Ellis Pinsky alleging that in 2018, at the tender age of 15, Pinsky masterminded a plot to defraud Terpin out of millions.
Pinsky was allegedly the leader of what Terpin described as a "gang of digital bandits" who stole from multiple victims after using SIM swapping to gain control of their smartphones.
None of the teen's alleged co-conspirators were named in the complaint, in which Terpin accuses them and Pinsky of racketeering and computer fraud.
Terpin claims that, after hijacking the native wallet on his BlackBerry, Pinsky cockily bragged to his peers that he would get away with his cybercrime.
“On the surface, Pinsky is an ‘All American Boy,’” Terpin said in a complaint filed May 7 in a federal court in White Plains, New York. “The tables are now turned.”
In May last year, Terpin won a $75.8m civil judgement in a California state court in a related case against an alleged associate of Pinsky, Nicholas Truglia, who has faced criminal hacking charges. Now Terpin is gunning for Pinsky, seeking triple damages of $71.4m.
According to Reuters, court records show that Terpin is also suing his carrier AT&T Mobility in Los Angeles for $240m.
To his classmates at Irvington High School, Pinsky was an unremarkable individual who achieved decent grades and liked playing soccer.
At the time of the alleged crypto-heist, Pinsky was living in a $1.3m home he shared with his family. An anonymous insider told the New York Post that Pinsky explained his newfound wealth to his parents by saying that he had gotten lucky making Bitcoin online through video games.
The teen allegedly used the stolen money to travel by private jet, purchase an Audi R8, and splash out on the latest sneakers.
Pinsky's attorney, Noam Biale, told the New York Post: “Ellis was a child at the time of the alleged conduct. . . . It is deeply unfortunate that Mr. Terpin has chosen to bring [a] lawsuit, full of smears and baseless allegations, for no imaginable purpose other than spite.”
Bank of America Corporation has disclosed a data breach affecting clients who have applied for the Paycheck Protection Program (PPP).
Client information was exposed on April 22 when the bank uploaded PPP applicants' details onto the US Small Business Administration's test platform. The platform was designed to give lenders the opportunity to test the PPP submissions before the second round of applications kicked off.
The breach was revealed in a filing made by Bank of America with the California Attorney General's Office. As a result of the incident, other SBA-authorized lenders and their vendors were able to view clients' information.
Data exposed in the breach consisted of details relating not only to individual businesses, but also to their owners. Compromised data may have included the business address and tax identification number along with the owner's name, address, Social Security number, phone number, email address, and citizenship status.
Bank of America, which is headquartered in Charlotte, North Carolina, said that access to the information was limited.
In a breach notification document, a spokesperson for the bank said: "There is no indication that your information was viewed or misused by these lenders or their vendors. And your information was not visible to other business clients applying for loans, or to the public, at any time."
The bank neglected to share any specifics of which applicants were affected by the breach, stating only that it was a "small number" of clients. The exposed data was drawn from a pool of nationwide applications, meaning that businesses in multiple states may have been impacted.
More than 305,000 PPP relief applications have been processed by Bank of America with the SBA.
Upon discovering the breach, the bank asked the Small Business Administration to remove the visible information. According to the filing, the SBA re-secured the exposed data within a day of the accidental exposure.
The bank said that the PPP application and submission processes were not affected by the cybersecurity mishap. An internal investigation has been launched to determine how the data came to be exposed.
Bank of America is offering clients affected by the breach free two-year membership of Experian's identity theft protection program.
Minds is a free and open source distributed social networking service that gives users ERC20 tokens that can be used to promote content or crowdfund other users. Tokens are awarded based on the time a user spends accessing the service and the number of interactions that they have.
The platform was founded in 2011 and is headquartered in Wilton, Connecticut. Unlike some social media platforms that are moving toward increased censorship, Minds describes its content policy as "based on the First Amendment and governed by a community jury in order to minimize bias and censorship."
Minds founder Bill Ottman told Coconuts Bangkok that the platform saw a spike of 100,000 new Thai users in a single day last week, causing the service to crash temporarily. According to Minds, there are now more than 200,000 Minds users in Thailand.
Ottman said: “We are thrilled to provide privacy, internet freedom and digital rights for Thai netizens. This is exactly the reason Minds exists.”
Among the Thai Twitter users to defect to Minds was prominent writer and social critic Sarinee Achavanuntakul. Her final tweet, posted on May 21, read, “Say goodbye to Twitter and meet at Minds.”
Twitter became popular in Thailand as a way for citizens to speak their minds anonymously in a country where speech is harshly restricted and the lese-majeste law forbids the insulting of the monarchy.
Journalists who criticize Thailand's military rule are detained by the government and subjected to what the Committee to Protect Journalists describes as "attitude adjustment sessions."
According to Quartz, Thais have "grown wary and distrustful of Twitter over a recent string of developments on the platform that sparked privacy concerns."
The shift came days after Twitter announced in a blog post that the company had launched an official Twitter Thailand account and partnered with the Thai government and local NGOs.
Achavanuntakul said in recent months, young users "who have been critical of the monarchy” on Twitter have received visits from the police at home.
The National Grid Gas Transmission (NGGT) and National Grid Electricity Transmission (NGET) in the UK have become the newest members of the European Network for Cybersecurity (ENCS), in a move designed to better protect the European energy sector against cyber-attacks. The NGGT and NGET will now engage in information sharing regarding cyber-threats with a number of major utility organizations across Europe.
The ENCS already works on cybersecurity in electricity and gas across Europe, both at the distribution and transmission levels. In addition to sharing expertise, energy organizations that are part of the group collaborate on capacity building, conduct training and provide security testing and standards for a range of components such as smart meters.
The NGGT and NGET are both part of National Grid plc, which is one of the world’s largest investor-owned energy utilities, and works to deliver electricity and gas safely and efficiently to customers in the UK.
Anjos Nijk, managing director of the ENCS, commented: “The National Grid already ranks among the most sophisticated transport system operators (TSOs) in terms of cybersecurity, and by joining the ENCS, it demonstrates its commitment to that improving even further – and of course, brings a wealth of experience to the table that our members will benefit from.
“The energy sector is only becoming more interconnected, and it is vital those of us looking to protect it do the same.”
The NGGT and NGET become the first UK-based organizations to join the ENCS.
Paul Lee, engineering manager for cyber and control systems at National Grid, added: “We have robust cybersecurity measures in place across all our operational infrastructure and IT to protect against cyber-threats, but our membership will help us to benefit from the ENCS knowledge base as we share information with other members, contributing to increased protection across all critical infrastructure.”
The energy sector has been a frequent target of cyber-criminals. Last month, it was claimed that energy firm EDP was hit with a €10m ransomware threat.
Cybersecurity experts are calling for the legal sector to be defined as critical to securing national infrastructure, after revealing that 100% of law firms were targeted by attackers in the first quarter of 2020.
BlueVoyant appraised thousands of law firms worldwide between January and March 2020, to compile its latest report, Sector 17 – The State of Cybersecurity in the Legal Sector.
Of those targeted, some 15% are likely to have been compromised while nearly half showed signs of suspicious activity, including malicious proxy use, it said.
The near-$1 trillion sector is a prime target for financially motivated attacks as well as nation state actors looking for sensitive information they can use to make money or leverage geopolitically.
The report details examples of ransomware threats, financial data and PII theft, third-party risks, password breaches, insider leaks and hacktivism.
These include stand-out cases such as the 2016 Panama Papers breach of law firm Mossack Fonseca, the 2017 ‘ransomware’ outage at DLA Piper caused by NotPetya, and this year’s Luanda Leaks breach which revealed incriminating evidence on the former President of Angola.
BlueVoyant, a firm which counts former GCHQ director Robert Hannigan as its chairman, wants the sector to be added to the 16 others defined by the Department of Homeland Security as critical to securing national infrastructure, resources and resiliency.
“The stakes could not be higher. While the legal sector is performing well in comparison to the other 16 sectors, attacks against law firms constitute some of the most sensational and damaging cyber-attacks in history. We have already seen how recent incidents can cause substantial geopolitical fallout, not to mention tremendous direct and indirect financial repercussions for law firms,” argued CEO Jim Rosenthal.
“Threat actors are aggressively targeting law firms, and they are doing so daily. Threats against law firms are high volume, multi-faceted, and organized; threat actors use multiple sophisticated tools and techniques; and, notwithstanding industry-leading efforts, law firms have been successfully compromised.”
New research has found a measurable increase in DNS cache miss traffic levels, and a number of previously unknown DDoS events.
According to Farsight Security, analysis of DNS cache miss traffic levels over the two-month period of March-April 2020 revealed “a macroscopic phenomenon.” The analysis was done over 300 domains for leading travel and transportation, retail, streaming video, higher education and news and partisan opinion sites.
Using its DNSDB intelligence solution, Farsight said that it looked at daily DNS transactions for over 300 sites, examining cache miss traffic (queries that reach a domain's authoritative name servers because a recursive resolver had no cached answer) for all hostnames under a given delegation point. This revealed some websites experiencing spikes in query volume, which Farsight attributed to distributed denial of service (DDoS) attack traffic: queries sent with spoofed source addresses so that the answers were reflected at unrelated third-party sites.
It said at least two distinct reflective DDoS attack patterns took place among the studied sites: one pattern type which appeared to be purely associated with abusive DNS SOA (Start of Authority) queries, and a second pattern type which melds abusive DNS SOA queries with abusive DNS TXT queries for wildcarded SPF redirect records.
Also some sites experienced spikes in volume that were so large that the spikes caused most of the “normal variation” in traffic volume to “wash out” due to the dominance of the spike or spikes.
Dr. Paul Vixie, chairman, CEO and co-founder of Farsight Security, said whilst headlines focused on a virus pandemic, most of the DNS traffic related to those headlines will be due to fraudulent or criminal activity by those hoping to cash in on the public's attention. “Therefore, it is worth our time to study DNS traffic patterns during every global event, to characterize current abuses of the system and to predict future abuses,” he said.
Farsight also discovered a step up pattern in traffic, typically reflecting a four-to-seven-times increase in DNS cache miss traffic levels, across most or all verticals during the same period.
To reduce the risk of DDoS events, Farsight recommended that nameserver vendors ship their products with Response Rate Limiting (RRL) enabled by default. Farsight also recommended all authoritative name server operators confirm that their current configurations have RRL enabled.
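The two reflection patterns described above, and the effect of the response rate limiting Farsight recommends, can be shown on a small constructed log. The following Python script is an added illustration, not code from Farsight's report or from DNSDB: it parses BIND-style query-log lines, flags sources sending an SOA flood or a random-label TXT flood that can only be answered from a wildcard record, and simulates a per-client response-rate limit. The zone contents, addresses, timestamps and thresholds are all assumptions, and the limiter is a simplified model of BIND's documented RRL accounting.

```python
"""Spot DNS reflection patterns in an authoritative server's query log and
show what a simple per-client response-rate limit (RRL) would suppress."""
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed zone contents for the simulated authoritative server (assumption).
ZONE = "example.com"
EXPLICIT = {"example.com", "_spf.example.com"}   # names with their own records
WILDCARD = "*.example.com"                       # TXT "v=spf1 redirect=_spf.example.com"

# BIND-style query-log line, e.g.
#   12:00:00.001 client 203.0.113.7#40000 (example.com): query: example.com IN SOA -E(0) (198.51.100.53)
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d{3}) client (?P<src>[\d.]+)#\d+ "
                     r"\((?P<zone>[^)]+)\): query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)")


def _line(ms, src, qname, qtype):
    return (f"12:00:00.{ms:03d} client {src}#{40000 + ms} ({ZONE}): "
            f"query: {qname} IN {qtype} -E(0) (198.51.100.53)")


# Constructed log: an SOA flood and a random-label TXT flood arriving with
# spoofed source addresses (the logged "client" is really the reflection
# victim), plus three ordinary queries. Not real traffic.
LOG = "\n".join(
    [_line(i, "203.0.113.7", ZONE, "SOA") for i in range(8)]
    + [_line(100 + i, "203.0.113.9", f"r{i}.{ZONE}", "TXT") for i in range(6)]
    + [_line(200, "192.0.2.50", ZONE, "A"),
       _line(201, "192.0.2.50", ZONE, "MX"),
       _line(202, "192.0.2.50", f"_spf.{ZONE}", "TXT")]
)


def parse_log(text):
    """Return one dict per parsable line with a float timestamp 't' in seconds."""
    queries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q = m.groupdict()
        h, mi, s = q["ts"].split(":")
        q["t"] = int(h) * 3600 + int(mi) * 60 + float(s)
        queries.append(q)
    return queries


def is_wildcard_match(qname):
    """True when the name has no record of its own and is answered from the wildcard."""
    return qname != ZONE and qname.endswith("." + ZONE) and qname not in EXPLICIT


def find_reflection_sources(queries, soa_threshold=5, txt_threshold=5):
    """Flag sources sending many SOA queries, or many distinct-name TXT queries
    answered from the wildcard: both yield large answers that a spoofing
    attacker wants bounced at the 'source' address."""
    soa = defaultdict(int)
    wildcard_txt = defaultdict(set)
    for q in queries:
        if q["qtype"] == "SOA":
            soa[q["src"]] += 1
        elif q["qtype"] == "TXT" and is_wildcard_match(q["qname"]):
            wildcard_txt[q["src"]].add(q["qname"])
    flagged = defaultdict(list)
    for src, n in soa.items():
        if n >= soa_threshold:
            flagged[src].append("SOA")
    for src, names in wildcard_txt.items():
        if len(names) >= txt_threshold:
            flagged[src].append("TXT-wildcard")
    return dict(flagged)


def response_key(q):
    """Identity the limiter counts on: client /24, qtype and answer name.
    Wildcard-synthesized answers are tallied under the wildcard itself so a
    random-label flood cannot dodge the limit (modelled on BIND's documented
    RRL behaviour; the real accounting is more elaborate)."""
    net = ip_network(q["src"] + "/24", strict=False)
    name = WILDCARD if is_wildcard_match(q["qname"]) else q["qname"]
    return (str(net), q["qtype"], name)


def apply_rrl(queries, responses_per_second=3):
    """Fixed one-second window per response key; returns (sent, dropped)."""
    sent = dropped = 0
    windows = {}
    for q in sorted(queries, key=lambda x: x["t"]):
        key = response_key(q)
        start, count = windows.get(key, (q["t"], 0))
        if q["t"] - start >= 1.0:
            start, count = q["t"], 0
        if count < responses_per_second:
            sent, count = sent + 1, count + 1
        else:
            dropped += 1
        windows[key] = (start, count)
    return sent, dropped


if __name__ == "__main__":
    qs = parse_log(LOG)
    print("reflection sources:", find_reflection_sources(qs))
    print("sent/dropped with RRL:", apply_rrl(qs))
```

On the constructed log the SOA flood and the TXT flood are each cut to three answers per second while the three ordinary queries are answered in full; real RRL implementations also "slip" a fraction of suppressed answers as truncated responses so that a genuine client behind the spoofed address can retry over TCP, which this model leaves out.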
Donald Trump has decided to pick a fight with Twitter after one of his posts on the upcoming election was labelled misleading by the social media platform.
The original tweet claimed that Mail-In (postal) ballots during the November Presidential election would be “substantially fraudulent.”
The issue has become a partisan one of late, as Democrats push for voters to have the option of mailing in their votes to avoid the risk of COVID-19 infection at the polling booth. They claim that otherwise, millions of voters may be disenfranchised as they stay at home.
Many Republicans, including Trump, believe higher voter turnouts enabled by postal voting would give their opponents an advantage, as groups that would otherwise stay home are more likely to vote Democrat.
Twitter labelled Trump’s tweet with a clickable blue notification stating "get the facts about mail-in ballots," which takes them to a page debunking the false assertion that postal votes lead to election fraud.
Unsurprisingly, Trump hit back, branding Twitter’s response as stifling free speech and interfering in the 2020 election.
In fact, many commentators have argued that Twitter has been too easy on Trump in recent months and years, saying that his status and 80 million followers have given him carte blanche to say things that others would be blacklisted for.
Twitter’s decision can be seen in the context of its newly updated policy on misleading information. Because the propensity for harm was judged “moderate” in this case, the platform merely labelled Trump’s tweet, but if that rating is upped to “severe” then future posts could be removed.
Either way, the incident is likely to be just the first of many ahead of the election as Trump seeks to fire up his base with increasingly outlandish statements on social media.
The UK’s plans to ease its COVID-19 lockdown have been thrown into doubt after half the public said it does not trust the government to handle their data collected via a key contact tracing app.
The app is a crucial part of the best practice “test, track and trace” strategy being rolled out around the world to help businesses and society get back to normal after weeks of social distancing.
“The NHS COVID-19 app automates the process of contact tracing,” noted the NHS. “Its goal is to reduce the transmission of the virus by alerting people who may have been exposed to the infection so they can take action to protect themselves, the people they care about and the NHS.”
It’s currently being trialled on the Isle of Wight ahead of a slated June 1 launch nationwide.
However, in a new survey of 1000 UK adults, Anomali found that 48% do not trust the government to keep the data collected by the app safe. A further 43% said they were concerned it would give hackers an opportunity to send phishing emails and texts — something only 52% said they felt savvy enough to be able to spot.
“It’s tough to predict the increase in the volume of attacks we’ll see. However, we’re already seeing thousands of rogue and spoof COVID-19 domains being registered and used in attacks,” Anomali head of EMEA, Jamie Stone, explained.
“Global interest around the virus, and each nation’s track-and-trace apps, means that attackers will likely use many of these domains to host phishing attacks via both email and SMS. People using COVID tracking apps need to be extremely vigilant and aware, ensuring that they’ve installed official government apps and that they are interacting with authentic messages from the agencies.”
Respondents also raised concerns about government surveillance: a third (33%) claimed the app may be able to track their whereabouts and 36% said that it may allow the government to collect data on them.
Unlike many of the apps being developed across Europe and elsewhere, the NHS app is said not to rely on the API developed by Apple and Google, which keeps the collected contact data on the user's device.
Instead, it is centralized, although the NHS claimed that no personally identifiable data is collected, the app will conform to UK law, and that data “will only ever be used for NHS care, management, evaluation and research.”
For voluntary contact tracing apps like this one to make a meaningful contribution to “test, track and trace” they need to be downloaded and used by 80%+ of current smartphone users. That makes confidence in the government’s approach crucial.
Yet there is widespread suspicion of government surveillance and data misuse in the UK thanks to incidents like the Windrush scandal and 2016 legislation known as the Investigatory Powers Act, aka the Snooper’s Charter.
This has been compounded by recent events, in which the Prime Minister’s chief advisor, Dominic Cummings, was found to have driven over 250 miles during lockdown, breaking the guidelines he helped to draw up.
A former deputy sheriff has pleaded guilty to cyberstalking and sexually exploiting a teenage girl whom he met through playing Minecraft online.
When 26-year-old Texan Pasquale T. Salas first encountered his victim in 2014, she was just 12 years old.
Salas engineered a relationship with the child by sending her messages in private chat rooms. The former deputy sheriff with the Matagorda County Sheriff’s Office then systematically used Skype, Snapchat, and text messages to groom the little girl.
Authorities said that during their digital exchanges, Salas put repeated pressure on his tweenage victim to capture sexually explicit images of herself and send them to him.
At his coercion, the victim sent hundreds of lewd videos and images of herself to Salas over a two-year period. Some of the images were sent as they communicated via Minecraft.
In a sick attempt to make the exploitation appear like a genuine relationship, Salas sent his victim jewelry, Edible Arrangements, and iTunes gift cards and granted her access to his Amazon Prime account.
The exploited girl, who is from Worcester County, tried to break off contact with Salas in 2016. The self-confessed sexual predator responded by repeatedly threatening to send lewd images of the victim to her family and friends unless she kept communicating with him.
Salas used technology to control his victim. He manipulated her into granting him access to her Snapchat, then used a tracking option on the app to keep tabs on the girl's whereabouts.
The girl was ordered to obey a list of rules written by Salas that dictated what she could wear and whom she could speak with.
According to authorities, Salas threatened to harm the girl's sister if she disobeyed him. He also meted out punishments to his victim when she went against his wishes.
Salas told the girl, “You belong to me. You’re my property so I can treat you however I want, whenever I want.”
Authorities said a second female victim had been sexually exploited by Salas for four years. Victim number 2 was also aged 12 when she met Salas via Minecraft.
Salas, who is in custody at the Donald W. Wyatt Detention Facility in Rhode Island, will be sentenced on September 3.
A plea from the Cyber Peace Institute for healthcare providers to be protected against cyber-threats has attracted international support.
Major players in cybersecurity, academics, and numerous political movers and shakers have backed the call for governments to work together "with civil society and the private sector" to defend hospital, healthcare, and medical research facilities from digital assaults.
In a strongly worded plea published May 26, the Cyber Peace Institute asked governments to assert in unequivocal terms that the targeting of healthcare facilities by cyber-criminals is both "unlawful and unacceptable."
"We call on the world’s governments to take immediate and decisive action to stop all cyberattacks on hospitals, healthcare and medical research facilities, as well as on medical personnel and international public health organizations," wrote the CPI. "To this end, governments should work together, including at the United Nations, to reaffirm and recommit to international rules that prohibit such actions."
The CPI highlighted recent cyber-assaults against healthcare providers around the world, cynically timed to coincide with the outbreak of COVID-19 in nearly every corner of the planet.
"Over the past weeks, we have witnessed attacks that have targeted medical facilities and organizations on the frontlines of the response to the COVID-19 pandemic," wrote CPI.
"These actions have endangered human lives by impairing the ability of these critical institutions to function, slowing down the distribution of essential supplies and information, and disrupting the delivery of care to patients."
While the rate of deaths caused by the novel coronavirus continues to fall in some countries, bringing hope that the pandemic is ebbing, the CPI's plea warns against complacency.
"With hundreds of thousands of people already perished and millions infected around the world, medical care is more important than ever," wrote the CPI. "This will not be the last health crisis."
Political bigwigs who have signed the Institute's rallying call include former presidents of the Soviet Union, Uruguay, Brazil, Liberia, Chile, the Swiss Confederation, Mexico, Colombia, Denmark, Poland, and Slovenia, as well as former US secretary of state Madeleine Albright.
Signatories from the cybersecurity industry include Kaspersky CEO Eugene Kaspersky, Microsoft president Brad Smith, and Trend Micro CEO Eva Chen.
The National Guard has been working to keep Maryland safe from cyber-attacks.
Maryland governor Larry Hogan called in the National Guard by executive order on March 12 to bolster the state's COVID-19 pandemic response. In addition to assisting the Old Line State with its coronavirus testing and screening program, the Guard has been helping out with cybersecurity assessments.
Baltimore, Maryland's largest city, was rocked by a catastrophic ransomware attack last year that prevented government officials from performing even basic tasks like sending an email.
In an interview with Federal Computer Week, Colonel Reid Novotny, Maryland National Guard's joint staff (J6) lead for IT and cyber, said that surviving a major attack did not make Baltimore invulnerable to cyber-criminals.
"During this crisis, we are in daily contact with them [in] an elevated status," said Novotny. “There have been ransomware attacks that have affected hospitals that are treating COVID patients."
Novotny wouldn't specify which hospitals had been targeted but said that attacks had been observed in Baltimore and Baltimore County.
"Yes, that stuff has actually happened, and the department of IT has responded back, and the Guard has supported that response," he said.
"Patients and the residents of that county that went to that hospital were assured that everyone was up and working."
The state's chief information security officer, Chip Stewart, said that malicious activity against Maryland had increased since the outbreak of COVID-19.
"Maryland has noticed an increased frequency of attempted cyber-attacks as have many other states throughout the country, ranging from phishing emails to sophisticated attempts to bypass security measures," said Stewart.
To counter the threats, Maryland has established a security operations center to monitor attacks on its digital infrastructure.
According to Stewart, the National Guard is supporting the state's efforts to thwart cyber-attackers by performing "routine external assessments of the state's websites and networks to identify issues proactively."
As of May 15, the Maryland National Guard has supplied over 3,000 hours of support to four different state agencies across four of Maryland's counties. Novotny said the commercial value of the Guard's cyber-support was roughly $1m.
Details of a new version of the ComRAT backdoor, one of the oldest malware families run by the notorious cyber-espionage group Turla, have been outlined by ESET. The findings will be of particular concern for government bodies such as militaries and diplomatic services, as this updated backdoor is able to use the Gmail web UI to receive commands and exfiltrate data in an attempt to steal confidential documents.
The Turla group, also referred to as ‘Snake,’ has been operating for at least 10 years, primarily targeting governments across Europe, Central Asia and the Middle East. It has breached a number of major organizations including the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.
One method it uses to steal important information is the malicious backdoor ComRAT, which is believed to have been first released in 2007. “Based on the victimology and the other malware samples found on the same compromised machines, we believe that ComRAT is used exclusively by Turla,” noted Matthieu Faou, malware researcher at ESET.
ESET has found evidence the fourth version of the malware, which has attacked at least three government institutions since 2017, was still active in January 2020. The operators used public cloud services such as OneDrive and 4shared to exfiltrate data.
The new version uses a completely new code base and is far more complex than earlier incarnations. It can perform a number of new actions on compromised computers, such as executing additional programs and exfiltrating files, whilst having unique abilities to evade security software.
“This shows the level of sophistication of this group and its intention to stay on the same machines for a long time,” explained Faou. “Additionally, the latest version of the ComRAT malware family, thanks to its use of the Gmail web interface, is able to bypass some security controls because it doesn’t rely on any malicious domain.”
Security experts have warned that default regional settings and pre-loaded applications may be exposing Android devices in some countries to a greater risk of cyber-attack.
F-Secure claimed today that large numbers of pre-bundled apps can expand the attack surface of a device.
The impact is potentially worse when country-specific rules block access to Google Play, meaning that users have to rely on third-party stores curated by the phone manufacturers themselves.
F-Secure claimed it found multiple vulnerabilities in the Huawei AppGallery which could be used to “create a beachhead” to launch additional attacks, such as one targeting the Huawei iReader which could allow hackers to execute code and steal data from devices.
Meanwhile, a simple phishing email/message could be enough to compromise the default configuration on the Xiaomi Mi 9 for China, India, Russia and maybe other countries, the security vendor claimed.
In another case, the research team compromised a Samsung Galaxy S9 by exploiting the fact that the device changes its behavior according to which country issued the SIM inside it.
“To perform this attack, an adversary must manipulate an affected Galaxy S9 user into connecting to a Wi-Fi network under their control (such as by masquerading as free public Wi-Fi),” F-Secure explained.
“If the phone detects a Chinese SIM, the affected component accepts unencrypted updates, allowing an adversary to compromise the device with a man-in-the-middle attack. If successful, the attacker will have full control of the phone.”
F-Secure warned that as the number of customized Android builds grows, the white hat community needs to double down on research.
“It’s important for vendors to consider the security implications when they’re customizing Android for different regions,” added senior security consultant, Toby Drew.
“People in one region aren’t more or less entitled to security than another, and if you have the same device configured to provide a less secure experience to users in one region compared to another, it’s creating a type of inequality by increasing their exposure to attacks.”
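The region-dependent downgrade F-Secure describes, as an added illustration that is not F-Secure's or Samsung's code: a hypothetical update-policy check that tolerates plaintext transport for one mobile country code, beside a hardened version that applies the same transport and integrity requirements regardless of the SIM. The IMSIs, HMAC key and update payload are constructed, and the HMAC tag stands in for a real vendor signature.

```python
import hashlib
import hmac
from dataclasses import dataclass

CHINA_MCC = "460"  # ITU mobile country code for China (first three IMSI digits)


@dataclass
class UpdateOffer:
    url: str        # where the update client fetched the payload from
    payload: bytes  # update contents (constructed sample data in the test)
    tag: str        # hex HMAC-SHA256 over payload; stands in for a vendor signature


def mcc_from_imsi(imsi: str) -> str:
    """Return the mobile country code, i.e. the first three IMSI digits."""
    if len(imsi) != 15 or not imsi.isdigit():
        raise ValueError("malformed IMSI")
    return imsi[:3]


def vulnerable_accepts(offer: UpdateOffer, imsi: str) -> bool:
    """Hypothetical weak policy: one region is exempted from the transport check.

    With a Chinese SIM any source is accepted, including plain http://, and the
    payload is never checked, so an on-path attacker on a hostile Wi-Fi network
    can substitute the update. Other regions at least require HTTPS.
    """
    if mcc_from_imsi(imsi) == CHINA_MCC:
        return True
    return offer.url.startswith("https://")


def hardened_accepts(offer: UpdateOffer, imsi: str, key: bytes) -> bool:
    """Same policy for every region: TLS transport AND a valid integrity tag.

    The IMSI is still parsed (so malformed values are rejected early) but never
    influences the decision, which is the property the weak version lacks.
    """
    mcc_from_imsi(imsi)
    if not offer.url.startswith("https://"):
        return False
    expected = hmac.new(key, offer.payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checking does not leak timing information.
    return hmac.compare_digest(expected, offer.tag)


def make_tag(key: bytes, payload: bytes) -> str:
    """Helper for the legitimate update server side of the example."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()
```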
The personal details of over 29 million Indian jobseekers have been posted to a dark web site, free for anyone to access.
Cybersecurity firm Cyble, which discovered the trove on an unnamed hacking forum, has in turn added the compromised information to its breach notification site AmIBreached.
It claimed to have found the posting during a regular sweep of the dark and deep web. The 2.3GB file includes email, phone, home address, qualification, work experience, current salary, employer and other details on job-hunters from all over India.
“Cyber-criminals are always on the lookout for such personal information to conduct various nefarious activities such as identity thefts, scams and corporate espionage,” said Cyble.
The vendor claimed that the leak had originated from a CV aggregation service which collected the data from legitimate job portal sites. An update over the weekend clarified that the data may have been initially exposed by an unprotected Elasticsearch instance, subsequently made inaccessible.
It continues to investigate these claims.
In the meantime, it spotted another threat actor posting nearly 2000 Aadhaar identity cards for free onto a hacking forum. They appear to originate from Madhya Pradesh state.
Also over the weekend, Cyble claimed that three hacking forums have themselves been breached, exposing user details and private chats.
The firm said it had been able to obtain databases related to Sinful Site, SUXX.TO and Nulled.
“All these hacking forums are based on general discussion and sharing of related resources. It is a place where users can find lots of great data leaks, hacking and cracking tools, software, tutorials, and much more. Along with that, over here the users can also take part in active discussions and make new friends,” it explained.
Specifically, the firm now has detailed info on users of SUXX.TO and Nulled, which were dumped on May 20, and private messages from Sinful Site, which were leaked on May 15.
A specialist in group litigation has filed a potential £18bn class action claim against easyJet in London’s High Court, following the firm’s major data breach disclosure last week.
International law firm PGMBM said it had been contacted by “numerous affected people” and is urging more to come forward to join the case, which would pay out £2000 per impacted customer.
It clarified that Article 82 of EU General Data Protection Regulation (GDPR) grants customers the right to compensation for inconvenience, distress, annoyance and loss of control of their personal data.
The Luton-headquartered airline revealed last week that a “highly sophisticated” attack on its IT infrastructure had compromised email addresses and travel details of nine million passengers, as well as the credit card details of just over 2200.
Despite claiming that it had no evidence that any of the stolen info had been misused, the airline warned those affected about follow-on phishing attacks.
Although it notified UK regulator the Information Commissioner’s Office (ICO) back in January, at around the time of the incident, it took several months for the firm to come clean to customers.
PGMBM has also claimed that the exposure of customers’ travel plans could pose security risks to those individuals, as well as being a gross invasion of privacy.
“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on easyJet’s customers,” argued managing partner, Tom Goodhead.
“This is personal information that we trust companies with, and customers rightly expect that every effort is made to protect their privacy. Unfortunately, easyJet has leaked sensitive personal information of nine million customers from all around the world.”
The case highlights the potentially serious financial repercussions of a major data breach, on top of the large fines GDPR regulators can theoretically impose.
The ICO has come in for some criticism recently after reports emerged that it may be considering a significantly lower fine than the £183.4m figure posted in a notice of intent last summer, in response to a major breach at British Airways.