Cyber Risk News

Online Retailers Brace for #COVID19 Fraud Surge

Info Security - Wed, 05/20/2020 - 09:50

Most UK retailers are expecting a surge in online fraud due to the current COVID-19 pandemic, with many customers having already experienced account takeover (ATO) attacks, according to Riskified.

The fraud-screening firm polled 1000 consumers and over 120 e-commerce professionals to better understand their challenges during the current crisis.

It found that a fifth (20%) of customers have suffered an account takeover attack over the past year. This is often done via phishing or credential stuffing, where reused logins are tried over numerous accounts and sites simultaneously by fraudsters.

Once inside, they could steal personal information and card details stored in the account, use it to fraudulently pay for goods, or sell access to the account on the dark web.

Despite the significant numbers of customers already affected, and the fact that 52% of retailers think fraud will increase during the pandemic, over a quarter (26%) admitted to having no measures in place to tackle ATO.

This is a concern, not just because of the extra fraud losses it could incur but also in terms of the long-term customer relationships. More than half (51%) of respondents said they’d stop shopping with a retailer if they suffered ATO and a similar number claimed they’d delete their account. Over a third (37%) would go to a competitor.

Part of the problem is that detecting ATO is difficult because the attacker effectively looks like a legitimate customer. This might account for the fact that just 4% of consumers who suffered ATO learned their accounts were compromised from the retailer.

Riskified warned that mandating two-factor authentication or long-and-strong passwords for improved account security would cause extra friction that may put shoppers off.

Instead, retailers need systems that can check for things like device and network details, proxy usage and previous logins as well as subsequent purchasing behavior, it said.

UK e-commerce fraud losses on cards are said to have topped £359 million last year, but fraud often rises during recessions.

Categories: Cyber Risk News

African Fraud Gang Files for Millions in #COVID19 Payments

Info Security - Wed, 05/20/2020 - 09:11

A notorious West African BEC gang may have made millions defrauding the US government out of COVID-19 business compensation payments, according to Agari.

The security company said it had been tracking the Scattered Canary group for over a year and has now briefed the Secret Service of its findings.

The group — which has been involved in BEC, social security fraud and student aid fraud schemes in the past — has targeted at least eight states so far: Hawaii, Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington, and Wyoming.

In Washington state, it has filed at least 174 fraudulent claims for unemployment benefit since April 29. Agari calculated that these claims were eligible to receive up to $790 a week for a total of $20,540 over a maximum of 26 weeks. Plus, the CARES Act includes $600 in Federal Pandemic Unemployment Compensation each week up to July 31.

This amounts to a potential windfall for the cybercrime gang of $4.9 million in this one state alone, assuming all claims are approved.

Between April 15 and April 29, Scattered Canary filed at least 82 fraudulent claims for CARES Act Economic Impact Payments, 30 of which were accepted by the IRS, explained Agari founder Patrick Peterson.

The scammers are using a tactic first revealed by Agari last year to scale their operations. Namely, they take advantage of a little-known feature in Gmail which means that a single user controls all “dotted versions” of their email address.

They can therefore register what are effectively copies of one address, differing only in where the dots fall, for separate claim payments; mail to every variant lands in the same inbox.

“As a result of our analysis, we have identified 259 different variations of a single email address used by Scattered Canary to create accounts on state and federal websites to carry out these fraudulent activities,” explained Peterson.
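The dotted-address technique described above is easy to neutralize on the defender's side by canonicalizing addresses before comparing them. The following is an added example, not code from the article or from Agari: it collapses Gmail's dot-insensitive local parts (and the `+tag` suffixes Gmail also ignores) to one key and flags inboxes behind several registrations. The domain list, the threshold and the sample registrations are constructed for this illustration.

```python
"""Canonicalize email addresses so that "dotted" and "plus" variants of one
Gmail account collapse to a single key.

Added example (not from the article or from Agari). Gmail ignores dots in the
local part and anything after "+", so j.o.h.n+claim7@gmail.com and
john@gmail.com deliver to the same inbox. A registration or fraud-review
system that groups accounts by the canonical form sees one registrant rather
than many. The sample addresses below are constructed.
"""
from collections import defaultdict

# Domains known to apply Gmail's dot-insensitive rule (assumption: list is
# illustrative; extend it for other providers with the same behaviour).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(address):
    """Return a canonical key for an address, or None if it is not well-formed."""
    address = address.strip().lower()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or not domain:
        return None
    if domain in DOT_INSENSITIVE_DOMAINS:
        # Gmail delivers user+tag@ to user@ and ignores dots in the local part.
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"  # googlemail.com is an alias of gmail.com
    return f"{local}@{domain}"


def group_by_inbox(addresses):
    """Map each canonical inbox to the list of raw addresses that reach it."""
    groups = defaultdict(list)
    for raw in addresses:
        key = canonicalize(raw)
        if key is not None:
            groups[key].append(raw)
    return dict(groups)


def suspicious_groups(addresses, threshold=3):
    """Return canonical inboxes behind at least `threshold` distinct registrations."""
    return {k: v for k, v in group_by_inbox(addresses).items() if len(v) >= threshold}


# Constructed sample: six registrations, four of which reach one Gmail inbox.
SAMPLE_REGISTRATIONS = [
    "john.doe@gmail.com",
    "j.ohn.doe@gmail.com",
    "johndoe+claim3@googlemail.com",
    "Jo.Hn.Doe@GMAIL.COM",
    "john.doe@example.com",  # dots are significant here: a different provider
    "jane@example.com",
]

if __name__ == "__main__":
    for inbox, variants in suspicious_groups(SAMPLE_REGISTRATIONS).items():
        print(f"{inbox}: {len(variants)} registrations -> {variants}")
```

Applying the same key at account creation (reject or review a second registration whose canonical form already exists) removes the scaling trick entirely, at the cost of treating `user+tag` aliases as the same person, which is the intended behaviour for a benefits portal.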

The group is also taking advantage of Green Dot prepaid cards to cash out its fraudulently obtained government payments. These cards are able to receive direct payments and government benefits up to four days before they’re due to be officially paid, meaning they have obvious benefits for fraudsters.

“It shouldn’t be a surprise that scammers are trying to get a piece of the billions of dollars that has flooded the system to try and provide relief to millions of people who have been impacted by the pandemic,” concluded Peterson.

“Based on what we’ve seen from Scattered Canary’s 10-year history of scamming, they will continue to expand their portfolio of cybercrime to try and find new ways to con individuals, businesses, and governments out of as much money as they can.”

Categories: Cyber Risk News

Ukrainian Police Arrest Suspected Combo List Mastermind

Info Security - Wed, 05/20/2020 - 08:40

Ukrainian intelligence officers have arrested a man they believe to be Sanix, a notorious cyber-criminal responsible for selling billions of log-ins online.

In concert with cyber police, agents from the Secret Service of Ukraine (SBU) swooped on the individual, who lived in the Ivano-Frankivsk region.

They seized 2TB of stolen user information, mobile phones “with evidence of illegal activities” and cash from illegal transactions amounting to around 190,000 hryvnias ($7100) and more than $3000.

Officers also took from the arrested man’s apartment PINs for bank cards, cryptocurrency wallets, PayPal account details, and “information about computers hacked for further use in botnets and for organizing DDoS attacks.”

Sanix is widely believed to have been responsible for selling the “Collection” combo lists of email usernames and passwords that first emerged in January 2019.

The first data dump, dubbed “Collection #1,” contained 772 million unique email addresses and more than 21 million unique passwords, the largest single trove ever fed into the HaveIBeenPwned breach notification site.

It subsequently emerged that this collection contained data that was two or three years old, gathered from multiple sources. However, the person trying to sell them, dubbed “Sanixer” on Telegram, told Brian Krebs at the time that the other packages up for sale were more current.

Together, he claimed they amounted to around 4TB of data, or many billions of records.

Such lists are typically bought and used in credential stuffing attacks, where they’re fed into an automated program and tried simultaneously on multiple sites and accounts in a bid to crack them open.

The reason cyber-criminals have success with this tactic is that computer users continue to reuse their passwords across multiple services.
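Because stuffing replays leaked pairs against many different accounts, its signature in authentication logs differs from a brute-force attack on one account: a single source tries many distinct usernames, mostly failing. The detector below is an added example, not code from the article, the SBU or any vendor named on this page; the log format, the thresholds and the sample lines are constructed for the illustration.

```python
"""Detect credential-stuffing patterns in authentication logs.

Added example (not from the article or any vendor named in it). Credential
stuffing replays leaked username:password pairs against many accounts, so the
defender-side signature is one source attempting MANY DISTINCT usernames with
a low success rate, unlike brute force, which hammers a single account.
The log format and thresholds below are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample (assumed format: "<ISO time> <OK|FAIL> user=<name> ip=<addr>").
SAMPLE_LOG = """\
2020-05-20T09:00:01 FAIL user=alice ip=203.0.113.9
2020-05-20T09:00:02 FAIL user=bob ip=203.0.113.9
2020-05-20T09:00:02 FAIL user=carol ip=203.0.113.9
2020-05-20T09:00:03 OK   user=dave ip=203.0.113.9
2020-05-20T09:00:04 FAIL user=erin ip=203.0.113.9
2020-05-20T09:00:05 FAIL user=frank ip=203.0.113.9
2020-05-20T09:00:06 FAIL user=grace ip=203.0.113.9
2020-05-20T09:01:00 FAIL user=alice ip=198.51.100.7
2020-05-20T09:01:05 FAIL user=alice ip=198.51.100.7
2020-05-20T09:01:09 FAIL user=alice ip=198.51.100.7
2020-05-20T09:01:15 FAIL user=alice ip=198.51.100.7
2020-05-20T09:02:00 OK   user=heidi ip=192.0.2.44
2020-05-20T09:40:00 FAIL user=ivan ip=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+ip=(\S+)$")


def parse_log(text):
    """Yield (timestamp, result, user, ip) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, ip = m.groups()
            yield datetime.fromisoformat(ts), result, user, ip


def detect_stuffing(text, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.5):
    """Return {ip: summary} for sources whose attempts within any `window`
    cover at least `min_users` distinct usernames with a low success ratio.
    For each flagged source the widest qualifying window is reported."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in parse_log(text):
        by_ip[ip].append((ts, result, user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, _, u in span}
            successes = sum(1 for _, r, _ in span if r == "OK")
            if len(users) >= min_users and successes / len(span) <= max_success_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "successes": successes,
                        # Accounts that DID authenticate from a stuffing source
                        # are account-takeover candidates and need review.
                        "compromised_candidates": sorted(u for _, r, u in span if r == "OK"),
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

In the sample, 203.0.113.9 is flagged (seven usernames in five seconds, one success, so `dave` is the account to review), while 198.51.100.7 is not: four failures against one account is a different pattern and belongs to a per-account lockout rule rather than this one.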

The SBU said it found evidence of Collection #1 on Sanix’s machine along with “at least seven similar databases” of stolen and cracked/decrypted passwords.

Categories: Cyber Risk News

REvil to Auction Stolen Madonna Data

Info Security - Tue, 05/19/2020 - 17:58

A threat group that claims to have stolen nearly a terabyte of data from a prominent entertainment law firm has said it will put sensitive information relating to Madonna up for auction.

REvil allegedly made off with 756GB of data from New York lawyers Grubman Shire Meiselas & Sack in a ransomware attack earlier this month. The law firm, whose celebrity client list includes LeBron James and Mariah Carey, confirmed last week that it had fallen victim to a ransomware attack. 

After their initial ransom demand for $21m in Bitcoin was not met, REvil doubled it and released 2GB of data that appeared to be taken from contracts involving Lady Gaga. But so far, the law firm has not paid the criminals a dime.

In a statement to Page Six, Grubman Shire Meiselas & Sack said: “We have been informed by the experts and the FBI that negotiating with or paying ransom to terrorists is a violation of federal criminal law.”

However, paying to retrieve the encrypted files may not have been ruled out entirely by the law firm, which told Bleeping Computer: “Unless the FBI determines the ransomware was deployed by a designated terrorist organization or nation state, the FBI treats ransomware investigations as criminal matters.”

Now the threat group, intent on monetizing their crime, has said it will auction off stolen data relating to the singer Madonna on May 25. Bidding is set to start at $1m. 

The criminals claim that the auction will take place confidentially and that they will delete their copy of the data after the sale has been completed. 

Earlier this week, REvil claimed to have data about Donald Trump for sale. The group said that the data was not stolen from Grubman Shire Meiselas & Sack but was "accumulated over the entire time of our activity."

Without producing any evidence to back up its claim, REvil is now conveniently saying that the data on Trump has been sold. On its Tor site, the group stated: "Interested people contacted us and agreed to buy all the data about the US president." 

Commenting on the alleged sale of the Trump data, Emsisoft's Brett Callow said: "Whether they had the presidency-destroying information that they claimed to have is something we may never know. But I still think it was probably a bluff!"

Categories: Cyber Risk News

Minnesota Sees Surge in Sex Crimes Against Minors Online

Info Security - Tue, 05/19/2020 - 17:08

Minnesota law enforcement agencies have reported a surge in reports of sexual crimes against children online since lockdown measures were introduced to impede the spread of the novel coronavirus. 

Authorities believe the jump in crime is linked to children and predators alike spending more time online as schools and businesses remain closed.

The Minnesota Bureau of Criminal Apprehension recorded more than 1,000 complaints involving child pornography or other forms of cyber exploitation of minors in March and April 2020. The disturbing statistic represents a 30% increase in complaints received over the same period last year. 

Drew Evans, superintendent of the Bureau of Criminal Apprehension that operates the Internet Crimes Against Children investigative unit, said it was "very unusual to see such a large jump" year on year.

Sadly, the spike in reports of online child exploitation while the United States is under lockdown isn't unique to Minnesota. The National Center of Missing and Exploited Children recorded more than 6 million tips concerning online child exploitation in March and April 2020. This figure is three times higher than the number recorded over the same time period in 2019.

“That’s probably the largest number of reports in a two-month period that we’ve ever received,” said John Shehan, vice president of the center’s Exploited Children Division. 

According to Shehan, child predators have openly stated on the dark web that they are taking advantage of stay-at-home orders to indulge their illegal predilections. 

Shehan said that the majority of tips received by the center are reports of child pornography, but many concern sextortion incidents in which children are enticed into sharing lewd photos online, usually on social media.

Under social distancing restrictions, Minnesota has suspended the use of grand juries since March 23. Without them, federal prosecutors are struggling to indict crimes involving the sexual exploitation of children online. 

“We’re not indicting cases, but they’re still coming in and we’re still working them,” said Minnesota US Attorney Erica MacDonald. 

She said her office was working with county prosecutors and law enforcement to ensure “we don’t leave people in the community who are posing an imminent threat” to minors.

MacDonald anticipates a boom in indictments once the temporary suspension is lifted.

Categories: Cyber Risk News

New Program Trains Dallas Veterans for Cybersecurity Careers

Info Security - Tue, 05/19/2020 - 15:52

A new program to train veterans and their families for careers in cybersecurity was announced today by NPower and AT&T.

NPower is a national nonprofit organization that specializes in delivering cutting-edge information technology training to veterans and their families from underserved communities. The new training program, which starts in late June, will support veterans living in Dallas, Texas, as they embark on a second career in the cybersecurity field.  

AT&T has worked with NPower to augment the curriculum of the new program. The telecommunications company has also supported the program with a cash injection of $200,000. 

AT&T’s contribution to NPower will support 25 veterans and military spouses as they learn the skills necessary to succeed in a new cybersecurity role.  

According to the US Department of Labor (DOL), while some industries are struggling with the effects of lockdown measures introduced to slow the spread of COVID-19, the employment prospects for information security analysts are bright. 

The DOL states that employment of information security analysts is projected to grow 32% from 2018 to 2028, much faster than the average for all occupations.

“As more people use digital communications to stay connected during the COVID-19 crisis, our country needs more cybersecurity professionals who are ready to help lead the fight against cybercrime,” said Roger Thornton, VP, Products and Technology, AT&T Cybersecurity. 

Thornton said that the training veterans receive from the military gives them transferable skills for a new career in digital defense.

“Military veterans are perfect candidates for these positions because they already have many of the technical skills required for a career in information technology," said Thornton. 

"At AT&T, we are proud to employ a large number of military veterans, and we are pleased to be working with NPower to prepare even more veterans for a rewarding career that will allow them to help protect our critical digital infrastructure.” 

NPower’s curriculum exposes students to security and cloud architecture and teaches them how to diagnose networks, manage operating systems, and utilize security tools to address vulnerabilities and threats. Students have an opportunity to earn both CompTIA Security+ and Linux+ certifications.

Categories: Cyber Risk News

NTT Report Demonstrates Changing Approaches of Cyber-Criminals

Info Security - Tue, 05/19/2020 - 15:16

There was a marked increase in the volume of cyber-attacks across all industries in 2019 compared with 2018, according to NTT’s 2020 Global Threat Intelligence Report (GTIR) published today. The study also revealed the extent to which cyber-criminals are innovating their methods, which is causing major challenges to all organizations.

According to the global technology service company, the most common methods used by malicious actors last year were remote code execution (15%) and injection (14%) attacks. Such attacks were found to be effective due to organizations’ poor practices related to network, operating system and application configuration, testing, security controls and overall security hygiene.

Additionally, the growing use of artificial intelligence (AI) and machine learning to automate attacks by cyber-criminals was highlighted, with 21% of malware detected found to be in the form of a vulnerability scanner.

NTT also said it had seen a re-emergence of Internet of Things (IoT) weaponization in 2019, with a resurgence of Mirai and derivatives underpinning these attacks.

In the wide-ranging report, it was revealed that technology was the sector most targeted by cyber-criminals last year, involved in 25% of all attacks compared with 17% in the previous year. More than half of attacks aimed at this industry were application-specific (31%) and DoS/DDoS (25%). This was followed by government, at 16% of all attacks, and finance at 15%.

Around 20% of attacks targeted content management systems such as WordPress, Joomla!, Drupal and noneCMS, which criminals see as a means of stealing data from businesses and launching further attacks.

Mark Thomas, global head of threat intelligence at NTT, commented: “The technology sector experienced a 70% increase in overall attack volume. Weaponization of IoT attacks also contributed to this rise and, while no single botnet dominated activity, we saw significant volumes of both Mirai and IoTroop activity. Attacks on government organizations nearly doubled, including big jumps in both reconnaissance activity and application-specific attacks, driven by threat actors taking advantage of the increase in online local and regional services delivered to citizens.”

The report also made some observations regarding the activities of cyber-criminals so far in 2020, particularly in light of the COVID-19 pandemic.

Matthew Gyde, president and CEO of the security division, NTT, said: “The current global crisis has shown us that cyber-criminals will always take advantage of any situation and organizations must be ready for anything. We are already seeing an increased number of ransomware attacks on healthcare organizations and we expect this to get worse before it gets better. Now more than ever, it’s critical to pay attention to the security that enables your business, making sure you are cyber-resilient and maximizing the effectiveness of secure-by-design initiatives.”

Categories: Cyber Risk News

easyJet Says Details of Nine Million Customers Accessed in Data Breach

Info Security - Tue, 05/19/2020 - 13:08

easyJet has revealed that the personal data of approximately nine million of its customers has been accessed following a “highly sophisticated” cyber-attack on its system. This includes credit card details of a small subset of these customers (2208), with the airline confirming it has already taken action to contact and offer support to those individuals.

For the rest of the customers affected, email addresses and travel details were accessed. easyJet said these customers will be contacted in the next few days, and the company will “advise them of protective steps to minimize any risk of potential phishing.”

The company took immediate steps to manage the incident once it was aware of the attack and closed off the unauthorized access. It also stated that it has notified the National Cyber Security Centre and the Information Commissioner's Office (ICO) of the breach. The firm has not given any details on the nature of the breach.

There is currently no evidence that the information accessed has been misused; however, the airline is urging its customers to stay alert to any unsolicited communications and to be “cautious of any communications purporting to come from easyJet or easyJet Holidays.”

Johan Lundgren, easyJet chief executive officer, said: “We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber-attackers get ever more sophisticated.

“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”

The incident has come at a particularly bad time for easyJet, which faces the possibility of a large fine under General Data Protection Regulation (GDPR) rules.

Commenting on the breach, Felix Rosbach, product manager at data security specialists comforte AG, said: “The aviation industry is struggling at present given the current pandemic so seeing another major airline succumb to a data breach is not pleasant. On first glance, easyJet has followed the correct procedures and informed all affected customers who have had their sensitive data compromised. However, this situation could have been avoided.”

Last year, British Airways (BA) was hit with a record £183m GDPR fine (issued as a notice of intention to fine) after failing to prevent a digital skimming attack in 2018.

Categories: Cyber Risk News

Trust in Data and Metrics Processes Cause Security Headaches for Financial Services

Info Security - Tue, 05/19/2020 - 11:20

Security leaders are being challenged to create business metrics, but without having total trust in the data they work with.

According to research by Panaseer of over 400 security leaders in financial services organizations, 96% of companies use metrics to measure their cyber-posture, but 36% said their biggest challenge in creating metrics to measure and report on risk is trust in the data.

Other issues included the resources required to produce metrics (21%), the frequency of requests (14%) and confusion over knowing what metric to use (15%). Fewer than half of respondents (47%) could claim to be very confident that they are using the right security metrics to measure cyber-risk.

Nik Whitfield, CEO, Panaseer, said not knowing the accuracy, timeliness or even limitations of a security metric can render it useless – which is simply unacceptable against a backdrop of tightening regulation and an increasing attack surface.

“We must move on from the era of out-of-date inaccurate metrics to one where they are automated and measured on a continuous basis,” he said. “Financial service organizations, in particular, need trusted and timely metrics into an organization’s technology risk, segmented where possible to critical operations. With this information, the board can then have a better understanding of what risks are and aren't acceptable to keep customer data safe.”

The research determined the primary use for security metrics to be risk management (41%), demonstrating the success of security initiatives (28%), supporting security investment business cases (19%) and board and executive reporting (10%).

The research also found that teams are spending an inordinate amount of time processing metrics, as it can take an average of five days to produce them. Auditors request data most frequently, on average every 10.4 days, while boards need updated metrics almost twice a month or more.

Commenting, Bob Sibik, vice-president of Fusion Risk Management, said that most CEOs “are starved for metrics and want solid metrics as they use them to prepare for how secure they are.” Talking to Infosecurity, Sibik said CEOs like “internal metrics” to show trends and to be able to compare themselves to their peers.

“We rely heavily [on metrics] and metrics are huge for us, and they come in handy and are crucial for day-to-day operations and to define a future strategy,” said Fusion director of cybersecurity, Safi Raza.

Manual processes were also cited as fueling data mistrust. Over half (59%) of security leaders said that they are still relying on spreadsheets to produce metrics and 52% are using custom scripts. Nearly one in five (18%) admitted to relying exclusively on manual processes to develop their security metrics for risk.

Categories: Cyber Risk News

FBI Unlocks Pensacola Shooter’s iPhones as Barr Slams Apple

Info Security - Tue, 05/19/2020 - 10:41

The US attorney general has again attacked Apple for its stance on device encryption even as he revealed that FBI investigators had managed to access a deceased terrorist’s iPhones.

At a press conference to announce updates to the investigation into the fatal shootings at Pensacola Naval Air Station, William Barr claimed the “relentless efforts and ingenuity of FBI technicians” had helped reveal more about Mohammed Saeed Alshamrani’s ties to Al Qaeda.

However, he couldn’t resist doubling down on long-standing government criticism of Silicon Valley over encryption.

“Apple made a business and marketing decision to design its phones in such a way that only the user can unlock the contents no matter the circumstances,” Barr argued.

“In cases like this, where the user is a terrorist, or in other cases, where the user is a violent criminal, human trafficker, or child predator, Apple’s decision has dangerous consequences for public safety and national security and is, in my judgment, unacceptable.”

Barr again repeated the belief, roundly debunked by the world’s leading encryption experts, that “there is no reason why companies like Apple cannot design their consumer products and apps to allow for court-authorized access by law enforcement while maintaining very high standards of data security.”

In fact, it is widely believed in security circles that if Apple or any tech firm engineered de facto backdoors into their products, the information would eventually end up on the cybercrime underground, undermining security for hundreds of millions of legitimate users.

The Cupertino giant hit back at Barr’s suggestion it had not been any help in the investigation, claiming that it provided iCloud backups, account info and other information on Alshamrani to the FBI.

“The false claims made about our company are an excuse to weaken encryption and other security measures that protect millions of users and our national security,” it continued in a statement.

“It is because we take our responsibility to national security so seriously that we do not believe in the creation of a backdoor — one which will make every device vulnerable to bad actors who threaten our national security and the data security of our customers.”

Categories: Cyber Risk News

NHS Trusts Fail Government Cybersecurity Tests

Info Security - Tue, 05/19/2020 - 09:38

Only one of hundreds of NHS trusts has passed the government-backed Cyber Essentials Plus assessment, according to a concerning new report from the National Audit Office (NAO).

Of the 204 trusts with on-site assessments in place, the average score was 63%, according to a new report from the NAO on digital transformation in the health service.

Although this is an increase from an estimated 50% in 2017, trusts must score 100% to pass. The scheme tests areas such as vulnerability management, access controls, end-user devices, servers and network security.

“NHSX and NHS Digital consider some trusts have reached an acceptable standard, even though they did not score 100% in the assessment, and note there has been a general improvement in cybersecurity across the NHS,” the NAO explained.

“However, while some attempts have been made to address underlying cybersecurity issues, and progress has been made, it remains an area of concern. A 2019 survey of 186 IT leaders across the sector showed that 61% considered cybersecurity one of their top priorities (sixth highest priority overall).”

The NAO expressed particular concerns over legacy systems in the NHS, although it claimed that since the 2017 WannaCry incident a Windows 10 licensing agreement has been reached which should partly address this. A Data Security Centre was also launched to help prevent, detect and respond to cyber-attacks.

The NAO’s report on the ransomware worm laid the blame on systemic failures at the NHS and Department of Health. Although NHS Digital issued, in March and April 2017, critical alerts to patch the flaws which were ultimately exposed by WannaCry, there was no formal mechanism for checking whether trusts had complied, it found.

Incident response plans were also found not to have been tested at a local level, meaning some trusts couldn’t communicate with national bodies when the ransomware struck.

Around a third of trusts were disrupted due to the cyber-attack, with an estimated 19,000 appointments and operations cancelled. It’s calculated to have cost the NHS £92m, mainly in emergency IT support.

Categories: Cyber Risk News

Cloud Exposes SMBs to Attack as Human Error Grows

Info Security - Tue, 05/19/2020 - 09:02

SMBs are increasingly seeing the same kinds of cyber-attacks as their larger counterparts as cloud and web-based applications help to close the gap between the two, according to Verizon.

The vendor’s annual Data Breach Investigations Report is compiled from an analysis of 32,002 security incidents and 3950 confirmed breaches.

The report claimed that smaller businesses comprised just over a quarter (28%) of the total number of breaches.

However, more telling was the alignment of top breach-related threats: phishing came top for both SMBs and larger firms, with password dumper malware and stolen credentials featuring in the top four for both.

More than a fifth (20%) of attacks on SMBs were against web applications and involved the use of stolen credentials.

In fact, attacks against cloud-based data were on the up overall with web app threats doubling to 43%. Credential theft, errors and social attacks like phishing accounted for over two-thirds (67%) of breaches.

Preventing human error has also become an increasingly important factor in cybersecurity. This year’s report found that error-related breaches are even more common than malware-driven breaches and almost as common as phishing.

In total, human error accounted for 22% of all breaches, with misdelivery of emails slightly more common than the growing challenge of misconfiguration.

“The fact that misconfiguration is in the top five action varieties for breaches is an important acknowledgment that not all incidents are the result of an exploited vulnerability. Misconfigurations actually lead to more breaches than exploited systems, but organizations often don’t put the same effort into assessing them as they do scanning for vulnerabilities,” argued Tripwire VP of product management, Tim Erlin.

“At a high level, the key things for every organization to worry about are brute forced and stolen credentials, and web applications.”

On the plus side, patching appears to be getting better: just one in 20 breaches exploit vulnerabilities, and 81% were contained within a day or less.

Elsewhere, the insider threat remains pronounced, accounting for 30% of all breaches, while organized crime dominated the external breaches, comprising 55% of the overall total.

“If you want to protect yourself from the most common breaches, protect your web servers, your workstations and your mail infrastructure,” said Erlin.

Categories: Cyber Risk News

Chicago Children's Hospital Sued Over Data Breaches

Info Security - Mon, 05/18/2020 - 19:30

Lurie Children's Hospital of Chicago is being sued by the parent of a pediatric patient over two recent data breaches. 

An anonymous plaintiff and her 4-year-old daughter filed a complaint against the hospital and two former employees in the Circuit Court of Cook County, Illinois, on May 8. 

Mother and daughter, referred to as Jane Doe and Baby Doe, are seeking class-action status and a trial by jury with the support of law firm Edelson P.C. 

In the suit, the plaintiffs accuse Lurie of breach of contract, breach of confidentiality, and negligent supervision for allegedly failing to keep Baby Doe's medical records safe. 

Jane Doe received a letter on December 24, 2019, informing her that her daughter's records had been accessed by an unnamed nursing assistant without authorization between September 10, 2018, and September 22, 2019.

Baby Doe, then aged 3, had been taken to Lurie for an examination after her mother developed a suspicion that the toddler had become a victim of sexual abuse. 

The suit alleges that Baby Doe's records were accessed as part of a larger data breach in which thousands of patients’ names, addresses, dates of birth, and medical information like diagnoses, medications, appointments, and procedures were accessed without authorization. 

Lurie fired the employee at the center of the cybersecurity incident after the breach was detected. The hospital stated at the time that no evidence had been found to suggest the employee had misused or shared any patient data. 

On Monday, May 4, Lurie notified Jane Doe of a second data breach concerning her daughter's medical records. The hospital said that Baby Doe's records were accessed without authorization by another unnamed hospital worker between November 1, 2018, and February 29, 2020.

The plaintiffs allege that Lurie failed to state what action would be taken to ensure the security of the patient’s medical records.

In a statement, Lurie spokesperson Julie Pesch said: “In December 2019 and May 2020, Lurie Children’s notified some of our patients about two nurse assistants who had accessed certain patients’ medical records without an identified patient need. We have no reason to suspect any misuse of patient information associated with this incident. Lurie Children’s addressed this issue in accordance with our disciplinary policies, and the employees no longer work for the Hospital.”

Categories: Cyber Risk News

Texas Takes Second Ransomware Hit

Info Security - Mon, 05/18/2020 - 18:14

The Texas Department of Transportation (TxDOT) has been hit by ransomware just days after the state's judiciary system suffered the same fate. 

According to a May 15 message posted on Twitter by TxDOT, the attack struck on May 14, when a threat actor gained unauthorized access to the department's computer network.

The network was shut down as soon as the attack was detected in an effort to contain the threat and prevent any further unauthorized access. 

TxDOT executive director James Bass said in the statement: "We want every Texan to rest assured that we are doing everything we can to swiftly address this issue. We also are working to ensure critical operations continue during this interruption."

Federal law enforcement was informed of the attack, and TxDOT said that no mercy will be shown to whoever is found to be responsible for it.

Bass said: "TxDOT is working closely with the FBI to find the individual(s) responsible and prosecute them to the fullest extent of the law."

TxDOT oversees all air, road, and railway transportation in the state. At time of publication, the department's website was back up and running. 

News of the TxDOT attack comes days after a ransomware attack hit the state's judicial agencies and appellate courts on May 8. As a result of the incident, access to case management systems was lost and court offices were unable to connect to the internet.

With the usual channels disabled by cyber-criminals, staff were reduced to using social media to announce legal rulings. 

The first attack was identified by the Office of Court Administration (OCA). No information as to whether the two attacks were linked in any way has been forthcoming. 

Neither the OCA nor TxDOT shared any information regarding what, if any, data had been encrypted or stolen. Similarly, neither ransomware target has disclosed any details of a ransom demand.

Texas is fast becoming a hotspot for cyber-attacks. In 2019, ransomware was used to target 22 local governments across the Lone Star State in a single attack. The collective ransom demand for the coordinated assault was $2.5m.

Categories: Cyber Risk News

Cyber Insurers Increase Scrutiny Amid Pandemic

Info Security - Mon, 05/18/2020 - 17:45

Heightened cybersecurity risks triggered by the outbreak of COVID-19 are causing insurers to grill policyholders more closely.

According to the Wall Street Journal, insurers have increased their scrutiny of policyholders' security arrangements as the rise in remote working drives up risk. 

Stephen Viña, a senior vice president in Marsh & McLennan Co.’s cyber insurance brokering business, told the WSJ that insurers want more details than ever before. 

Describing the surveys insurers ask companies to complete so that their risk can be assessed and their premiums calculated, Viña said: "There are a lot more questions being asked."

Companies are now expected to supply more details than before regarding how they would respond to a data breach and what action they would take if hit by ransomware or any other form of cyber-attack.

Depending on how the companies answer the survey, they could end up with a costlier policy or in some cases be denied coverage. 

Viña said insurers are deeply concerned that working conditions during the pandemic will expose companies to additional risks that simply weren't considered when their insurance policy was being created. 

For example, companies that had tight control over the security of employees working in a central office could face increased and unplanned-for risks as workers toil remotely to comply with lockdown measures, relying on home networks and personal equipment. 

Graeme Newman, chief innovation officer at London-based insurer CFC Underwriting Ltd., said policyholders were being asked to show insurers that remote-working situations had been taken into account in their business continuity plans.

Cyber-insurance claims have increased as data breaches and ransomware attacks continue to blight every industry. According to data from regulatory filings compiled by Fitch Ratings, direct loss ratios for stand-alone cyber-insurance policies rose to 47% in 2019 from 34% in 2018. Direct loss ratios measure the percentage of income paid to claimants by insurance companies.

Fitch managing director Jim Auden said that although the data is incomplete because it doesn't contain certain elements, including reimbursements insurers received from their own insurers, it is a good indicator of overall trends. 

He said: “We think that with more risk being covered, and maybe newer underwriters getting into the business that don’t have that pricing expertise, that’ll lead to more losses over time."

Categories: Cyber Risk News

Responsible Cyber Announces Identity Acquisition and New Shareholders

Info Security - Mon, 05/18/2020 - 11:30

Singaporean startup Responsible Cyber has announced the acquisition of fellow startup Secucial and new shareholders.

The Secucial acquisition adds a mobile digital identity wallet to its portfolio: a decentralized identity system that includes a mobile app with an identity wallet, providing secure authentication with biometrics and contextual multi-factor authentication, and enabling the exchange of ID documents with a third party.

Responsible Cyber is part of the ICE71 Scale program, a landing pad that helps international and local cybersecurity startups seize opportunities and grow their businesses in Singapore and within Asia Pacific.

As a result of the acquisition, Responsible Cyber has also added NUS Enterprise, the entrepreneurial arm of the National University of Singapore, and Singtel Innov8, the venture capital arm of the Singtel Group, as new shareholders. NUS Enterprise and Singtel Innov8 are the co-founders of ICE71, the region’s first cybersecurity entrepreneur hub.

Secucial was part of the first cohort to graduate from ICE71 Accelerate, a three-month accelerator program designed to help early-stage cybersecurity startups achieve product-market fit in a uniquely technical and demanding industry.

“We welcome NUS Enterprise and Singtel Innov8 as our shareholders, especially during uncertain times like these,” said Magda Chelly, founder and managing director, Responsible Cyber.

“Our platform addresses the needs of business owners who do not have the right means and technical knowledge to implement cybersecurity measures for their businesses. By providing a user-friendly cybersecurity solution, we help small and medium businesses to continue operating remotely, reliably and securely, especially during this COVID-19 pandemic.”

Categories: Cyber Risk News

Crypto-Miners Take Out Supercomputers Working on #COVID19

Info Security - Mon, 05/18/2020 - 11:00

Supercomputers across Europe appear to have been targeted by cryptocurrency miners over the past few days, forcing offline key IT resources working on COVID-19 research.

One of the first to report problems was the University of Edinburgh’s Archer supercomputer, which was taken offline last Monday after “a security exploitation on the Archer login nodes.”

Working with the National Cyber Security Centre (NCSC), the institution has been forced to reset all existing passwords and SSH keys. It is still down at the time of writing.

The Computer Security Incident Response Team (CSIRT) at the European Grid Infrastructure (EGI) organization revealed two potentially related security incidents in an analysis on Friday. In both, a malicious actor was blamed for targeting academic data centers for CPU mining.

“The attacker is hopping from one victim to another using compromised SSH credentials,” it explained.

The attackers were logging in from three compromised networks, at the University of Krakow in Poland, Shanghai Jiaotong University and the China Science and Technology Network. It has been claimed that some credentials are shared between academic institutions, making it easier for would-be attackers.
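The pattern described above (one compromised SSH credential accepted on host after host, logins arriving from networks that have no business reaching a login node, and credentials shared between institutions) leaves traces in ordinary sshd logs. The following is an added illustration of how a site could hunt for those traces; it is not code from EGI CSIRT, Archer or any affected centre. It assumes OpenSSH's syslog "Accepted ..." line format, and the expected networks, accounts, addresses and key fingerprints are all constructed for the example.

```python
"""Hunt for SSH credential reuse in sshd logs.

Added illustration, not code from the EGI CSIRT or any of the affected sites.
Assumes syslog-style sshd 'Accepted ...' lines as produced by OpenSSH; the
networks, accounts, addresses and key fingerprints below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Networks from which logins to the login nodes are expected (constructed
# campus ranges; a real site would load these from its own inventory).
EXPECTED_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                 ipaddress.ip_network("192.0.2.0/24")]

# OpenSSH records successful authentications as, for example:
#   sshd[123]: Accepted publickey for alice from 10.20.1.5 port 51234 ssh2: RSA SHA256:...
#   sshd[456]: Accepted password for bob from 203.0.113.9 port 40000 ssh2
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2(?:: \S+ (?P<key>SHA256:\S+))?"
)

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
May 11 02:14:07 login1 sshd[2101]: Accepted publickey for alice from 10.20.1.5 port 51234 ssh2: RSA SHA256:k1aaaa
May 11 02:15:11 login1 sshd[2133]: Accepted publickey for alice from 198.51.100.77 port 43210 ssh2: RSA SHA256:k1aaaa
May 11 02:15:40 login2 sshd[8812]: Accepted publickey for bob from 198.51.100.77 port 43211 ssh2: RSA SHA256:k1aaaa
May 11 02:16:02 login1 sshd[2150]: Accepted password for carol from 203.0.113.9 port 40000 ssh2
May 11 02:17:30 login1 sshd[2177]: Accepted publickey for dave from 192.0.2.40 port 50001 ssh2: ED25519 SHA256:k2bbbb
May 11 02:18:55 login1 sshd[2190]: Failed password for root from 203.0.113.9 port 40001 ssh2
"""


def parse_accepted(log_text):
    """Return one dict (method, user, ip, key) per successful login in the log."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            events.append(m.groupdict())  # 'key' is None for password logins
    return events


def is_expected(ip_str):
    """True if the source address falls inside one of the expected networks."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in EXPECTED_NETS)


def find_anomalies(events):
    """Three simple indicators of credential reuse across hosts and sites."""
    findings = {"foreign_source": [], "shared_key": [], "multi_source_user": []}

    # 1. Successful logins from networks the site does not expect.
    for e in events:
        if not is_expected(e["ip"]):
            findings["foreign_source"].append((e["user"], e["ip"]))

    # 2. One key fingerprint accepted for more than one account: a key that has
    #    been copied around, or a credential shared between institutions.
    users_by_key = defaultdict(set)
    for e in events:
        if e["key"]:
            users_by_key[e["key"]].add(e["user"])
    for key, users in sorted(users_by_key.items()):
        if len(users) > 1:
            findings["shared_key"].append((key, sorted(users)))

    # 3. One account accepted from several distinct source addresses, which is
    #    how a credential being used to hop between victims tends to look.
    ips_by_user = defaultdict(set)
    for e in events:
        ips_by_user[e["user"]].add(e["ip"])
    for user, ips in sorted(ips_by_user.items()):
        if len(ips) > 1:
            findings["multi_source_user"].append((user, sorted(ips)))

    return findings


if __name__ == "__main__":
    for kind, hits in find_anomalies(parse_accepted(SAMPLE_LOG)).items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

Run against logs collected centrally from every login node (not per host), since indicator 2 and 3 only become visible when the same key or account is seen on different machines; any account or key that appears in the findings is a candidate for the credential reset the affected sites had to carry out.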

It’s also claimed that the attackers are exploiting CVE-2019-15666 for privilege escalation before deploying a Monero cryptocurrency miner.

Other institutions affected by the campaign include the Swiss Center of Scientific Computations (CSCS), the bwHPC, which runs supercomputers across the German region of Baden-Württemberg, the University of Stuttgart’s HPE Hawk machine, the Leibniz Computing Center (LRZ) and an unnamed facility in Barcelona.

“What’s interesting about this is that it seems hackers have targeted the supercomputers completely remotely for the first time, as before there has always been an insider who installs the crypto-mining malware used for the attack,” argued ESET cybersecurity specialist, Jake Moore.

“All the SSH login credentials will now need resetting, which may take a while, but this is vital to stop further attacks. Once a list of credentials is compromised, it is a race against time to have these reset. Unfortunately, the lead time is usually enough of a head start for threat actors to take advantage of the mining software.”

Categories: Cyber Risk News

Police Catch Suspects Planning #COVID19 Hospital Ransomware

Info Security - Mon, 05/18/2020 - 09:40

Police in Europe have swooped on a cybercrime gang they suspect of planning ransomware attacks using COVID-19 lures against hospitals.

The four-man “Pentaguard” group was formed at the start of the year, according to the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT).

It amassed tools including ransomware, remote access trojans (RATs), and SQL injection tools to launch attacks against public and private sector organizations with the aim of stealing data, defacing websites and encrypting key systems.

“They intended to launch ransomware attacks, in the near future, on some public health institutions in Romania, generally hospitals, using social engineering by sending a malicious executable application, from the Locky or BadRabbit families, hidden in an e-mail and in the form of a file that apparently would come from other government institutions, regarding the threat of COVID-19,” the DIICOT update explained.

“Through this type of attack, there is the possibility of blocking and seriously disrupting the functioning of the IT infrastructures of those hospitals, part of the health system, which plays a decisive role at this time, to combat the pandemic with the new coronavirus.”

Officers carried out three house searches in Romania and one in neighboring Moldova.

Hospitals around the world have been under constant attack over the past few weeks as ransomware gangs try to take advantage of the current pandemic to put pressure on their victims to pay.

Microsoft warned recently that many of these attacks were detected using APT-style techniques such as exploitation of a VPN or remote access vulnerability, followed by reconnaissance, privilege escalation and lateral movement.

In April, INTERPOL was forced to issue a Purple Notice to all of its 194 member countries about the cyber-threat to hospitals and other front-line organizations.

Categories: Cyber Risk News

REvil Ransomware Gang Threatens to Release Dirt on Trump

Info Security - Mon, 05/18/2020 - 08:45

Ransomware attackers that stole data on celebrity clients from a New York law firm have doubled their demand and threatened to release sensitive information on US President Donald Trump.

The REvil group claimed to have lifted 756GB of data from Grubman Shire Meiselas & Sack, which counts the likes of Madonna, Bruce Springsteen, Run DMC and Mariah Carey among its clients.

The media and entertainment law firm confirmed last week that it had been a victim of a cyber-attack and that it was “working around the clock to address these matters.”

However, the ransomware group’s original deadline for payment of $21m ran out at the end of last week, and it has now upped the demand to $42m.

To show they mean business, the cyber-criminals recently released over 2GB of stolen documents related to contract dealings of Lady Gaga.

They also threatened to publish dirt on Donald Trump, although reports suggest he was never a client of the law firm.

“There's an election race going on, and we found a ton of dirty laundry on time. Mr Trump, if you want to stay President, poke a sharp stick at the guys, otherwise you may forget this ambition forever,” they claimed on a dark web site.

“To you voters, we can let you know that after such a publication, you certainly don't want to see him as President. Well, let's leave out the details. The deadline is one week.”

Recorded Future’s senior solutions architect, Allan Liska, pointed to the threats as just the latest in a long line of incidents where ransomware groups first breach their victims in a bid to force payment.

“Ransomware groups have grown increasingly bold in their targets and their ransom demands and so far have been able to operate with very little pushback,” he added.

“In addition, it has long been suspected that this group operates within Russia's locus of control. The Kremlin generally turns a blind eye to these activities, as long as the threat actors don't target Russian citizens. However, going after an ally of Russia may force Russian cybersecurity forces to turn their attention to the REvil team as well.”

Trump has consistently refused to comply with demands from federal prosecutors to release information on his financial affairs. Separate investigations are looking at whether he committed tax fraud and if his business dealings left him subject to the influence of foreign individuals or governments.

Categories: Cyber Risk News

Iowa Civil Rights Meeting Zoom-bombed

Info Security - Fri, 05/15/2020 - 18:04

A Des Moines civil rights meeting was abandoned yesterday after being digitally crashed twice by racist cretins.

The joint meeting between the city's Civil and Human Rights Commission and Des Moines City Council was being held virtually using the videoconferencing app Zoom due to lockdown measures intended to decelerate the spread of COVID-19.

Before the meeting was called to order, an unknown person gained access to the online gathering to aim offensive comments at the commission. The attacker singled out two specific members of the commission, leveling several ignorant, racist slurs and trotting out the n-word.

As the meeting opened, Joshua Barr, Des Moines's civil and human rights director, told the council that he and other members of the commission had been "zoom-bombed."

“There were some racial slurs and things that were posted. I’ll just be candid with it," Barr told the virtual meeting attendants. "If that does happen again, we will have to end the meeting for the protection of the public."

After Barr's acknowledgement, an attempt was made to continue with the meeting. But moments later, as Mayor Frank Cownie delivered his opening remarks, a Zoom-bomber interrupted proceedings with more repellent rubbish.

To spare the attendees from any more offensive idiocy, the meeting was then cancelled. 

Cownie described the actions of the zoom-bomber as a "disgusting and sickening display of racial intolerance" that would only strengthen the city's resolve to educate those unfortunate people who in 2020 are somehow still mired in a ridiculous historical hatred.

Commission chair Kameron Middlebrooks said the sorry incident underlined the need for the community to come together in a spirit of love, equality, and positivity. 

"What occurred proves hate and ignorance is alive and well. But I stand steadfast in my resolve to continue to be an agent of change," said Middlebrooks. "Our commission has started the path to bridging the gap we face in our community and will continue to work cooperatively with council and Des Moines residents to ensure we drive this hate into the darkness and uplift neighbors with love and equitable policies."

The City of Des Moines is currently operating under a Proclamation of Emergency issued on March 5, 2020, and Governor Jay Inslee’s Stay-at-Home order issued March 23, 2020, in response to the COVID-19 pandemic.

Categories: Cyber Risk News