Cyber Risk News

NHS Trusts Fail Government Cybersecurity Tests

Info Security - Tue, 05/19/2020 - 09:38

Only one of hundreds of NHS trusts has passed the government-backed Cyber Essentials Plus assessment, according to a concerning new report from the National Audit Office (NAO).

Of the 204 trusts with on-site assessments in place, the average score was 63%, according to a new report from the NAO on digital transformation in the health service.

Although this is up from an estimated 50% in 2017, trusts need to score 100% to pass. The scheme tests areas such as vulnerability management, access controls, end-user devices, servers and network security.

“NHSX and NHS Digital consider some trusts have reached an acceptable standard, even though they did not score 100% in the assessment, and note there has been a general improvement in cybersecurity across the NHS,” the NAO explained.

“However, while some attempts have been made to address underlying cybersecurity issues, and progress has been made, it remains an area of concern. A 2019 survey of 186 IT leaders across the sector showed that 61% considered cybersecurity one of their top priorities (sixth highest priority overall).”

The NAO expressed particular concerns over legacy systems in the NHS, although it claimed that since the 2017 WannaCry incident a Windows 10 licensing agreement has been reached which should partly address this. A Data Security Centre was also launched to help prevent, detect and respond to cyber-attacks.

The NAO’s report on the ransomware worm laid the blame on systemic failures at the NHS and Department of Health. Although NHS Digital issued, in March and April 2017, critical alerts to patch the flaws which were ultimately exposed by WannaCry, there was no formal mechanism for checking whether trusts had complied, it found.

Incident response plans were also found not to have been tested at a local level, meaning some trusts couldn’t communicate with national bodies when the ransomware struck.

Around a third of trusts were disrupted due to the cyber-attack, with an estimated 19,000 appointments and operations cancelled. It’s calculated to have cost the NHS £92m, mainly in emergency IT support.

Categories: Cyber Risk News

Cloud Exposes SMBs to Attack as Human Error Grows

Info Security - Tue, 05/19/2020 - 09:02

SMBs are increasingly seeing the same kinds of cyber-attacks as their larger counterparts as cloud and web-based applications help to close the gap between the two, according to Verizon.

The vendor’s annual Data Breach Investigations Report is compiled from an analysis of 32,002 security incidents and 3,950 confirmed breaches.

The report claimed that smaller businesses comprised just over a quarter (28%) of the total number of breaches.

However, more telling was the alignment of top breach-related threats: phishing came top for both SMBs and larger firms, with password dumper malware and stolen credentials featuring in the top four for both.

More than a fifth (20%) of attacks on SMBs were against web applications and involved the use of stolen credentials.

In fact, attacks against cloud-based data were on the up overall with web app threats doubling to 43%. Credential theft, errors and social attacks like phishing accounted for over two-thirds (67%) of breaches.

Preventing human error has also become an increasingly important factor in cybersecurity. This year’s report found that related breaches are even more common than malware-driven breaches and almost as popular as phishing.

In total, human error accounted for 22% of all breaches, with misdelivery of emails slightly more common than the growing challenge of misconfiguration.

“The fact that misconfiguration is in the top five action varieties for breaches is an important acknowledgment that not all incidents are the result of an exploited vulnerability. Misconfigurations actually lead to more breaches than exploited systems, but organizations often don’t put the same effort into assessing them as they do scanning for vulnerabilities,” argued Tripwire VP of product management, Tim Erlin.

“At a high level, the key things for every organization to worry about are brute forced and stolen credentials, and web applications.”

On the plus side, patching appears to be getting better: just one in 20 breaches exploits a vulnerability, and 81% were contained within a day or less.

Elsewhere, the insider threat remains pronounced, accounting for 30% of all breaches, while organized crime dominated the external breaches, comprising 55% of the overall total.

“If you want to protect yourself from the most common breaches, protect your web servers, your workstations and your mail infrastructure,” said Erlin.


Chicago Children's Hospital Sued Over Data Breaches

Info Security - Mon, 05/18/2020 - 19:30

Lurie Children's Hospital of Chicago is being sued by the parent of a pediatric patient over two recent data breaches. 

An anonymous plaintiff and her 4-year-old daughter filed a complaint against the hospital and two former employees in the Circuit Court of Cook County, Illinois, on May 8. 

Mother and daughter, referred to as Jane Doe and Baby Doe, are seeking class-action status and a trial by jury with the support of law firm Edelson P.C. 

In the suit, the plaintiffs accuse Lurie of breach of contract, breach of confidentiality, and negligent supervision for allegedly failing to keep Baby Doe's medical records safe. 

Jane Doe received a letter on December 24, 2019, informing her that her daughter's records had been accessed by an unnamed nursing assistant without authorization between September 10, 2018, and September 22, 2019.

Baby Doe, then aged 3, had been taken to Lurie for an examination after her mother developed a suspicion that the toddler had become a victim of sexual abuse. 

The suit alleges that Baby Doe's records were accessed as part of a larger data breach in which thousands of patients’ names, addresses, dates of birth, and medical information like diagnoses, medications, appointments, and procedures were accessed without authorization. 

Lurie fired the employee at the center of the cybersecurity incident after the breach was detected. The hospital stated at the time that no evidence had been found to suggest the employee had misused or shared any patient data. 

On Monday, May 4, Jane Doe was notified of a second data breach concerning her daughter's medical records by Lurie. The hospital said that Baby Doe's records were accessed without authorization by another unnamed hospital worker between November 1, 2018, and February 29, 2020.

The plaintiffs allege that Lurie failed to state what action would be taken to ensure the security of the patient’s medical records.

In a statement, Lurie spokesperson Julie Pesch said: “In December 2019 and May 2020, Lurie Children’s notified some of our patients about two nurse assistants who had accessed certain patients’ medical records without an identified patient need. We have no reason to suspect any misuse of patient information associated with this incident. Lurie Children’s addressed this issue in accordance with our disciplinary policies, and the employees no longer work for the Hospital.”


Texas Takes Second Ransomware Hit

Info Security - Mon, 05/18/2020 - 18:14

The Texas Department of Transportation (TxDOT) has been hit by ransomware just days after the state's judiciary system suffered the same fate. 

According to a May 15 message posted on Twitter by TxDOT, the attack struck on May 14, when a threat actor gained unauthorized access to the department's computer network.

The network was shut down as soon as the attack was detected in an effort to contain the threat and prevent any further unauthorized access. 

TxDOT executive director James Bass said in the statement: "We want every Texan to rest assured that we are doing everything we can to swiftly address this issue. We also are working to ensure critical operations continue during this interruption."

Federal law enforcement was informed of the attack, and TxDOT said that no mercy will be shown to whoever is found to be responsible for it.

Bass said: "TxDOT is working closely with the FBI to find the individual(s) responsible and prosecute them to the fullest extent of the law."

TxDOT oversees all air, road, and railway transportation in the state. At the time of publication, the department's website was back up and running.

News of the TxDOT attack comes days after a ransomware attack hit the state's judicial agencies and appellate courts on May 8. As a result of the incident, access to case management systems was lost and court offices were unable to connect to the internet.

With the usual channels disabled by cyber-criminals, staff were reduced to using social media to announce legal rulings. 

The first attack was identified by the Office of Court Administration (OCA). No information as to whether the two attacks were linked in any way has been forthcoming. 

Neither the OCA nor TxDOT shared any information regarding what, if any, data had been encrypted or stolen. Similarly, neither ransomware target has disclosed any details of a ransom demand.

Texas is fast becoming a hotspot for cyber-attacks. In 2019, ransomware was used to target 22 local governments across the Lone Star State in a single attack. The collective ransom demand for the coordinated assault was $2.5m.


Cyber Insurers Increase Scrutiny Amid Pandemic

Info Security - Mon, 05/18/2020 - 17:45

Heightened cybersecurity risks triggered by the outbreak of COVID-19 are causing insurers to grill policyholders more closely.

According to the Wall Street Journal, insurers have increased their scrutiny of policyholders' security arrangements as the rise in remote working drives up risk. 

Stephen Viña, a senior vice president in Marsh & McLennan Co.’s cyber insurance brokering business, told the WSJ that insurers want more details than ever before. 

Describing the surveys insurers ask companies to complete so that their risk can be assessed and their premiums calculated, Viña said: "There are a lot more questions being asked."

Companies are now expected to supply more details than before regarding how they would respond to a data breach and what action they would take if hit by ransomware or any other form of cyber-attack.

Depending on how the companies answer the survey, they could end up with a costlier policy or in some cases be denied coverage. 

Viña said insurers are deeply concerned that working conditions during the pandemic will expose companies to additional risks that simply weren't considered when their insurance policy was being created. 

For example, companies that had tight control over the security of employees working in a central office could face increased and unplanned-for risks as workers toil remotely to comply with lockdown measures, relying on home networks and personal equipment. 

Graeme Newman, chief innovation officer at London-based insurer CFC Underwriting Ltd., said policyholders were being asked to show insurers that remote-working situations had been taken into account in their business continuity plans.

Cyber-insurance claims have increased as data breaches and ransomware attacks continue to blight every industry. According to data from regulatory filings compiled by Fitch Ratings, direct loss ratios for stand-alone cyber-insurance policies rose to 47% in 2019 from 34% in 2018. Direct loss ratios measure the percentage of income paid to claimants by insurance companies.

Fitch managing director Jim Auden said that although the data is incomplete because it doesn't contain certain elements, including reimbursements insurers received from their own insurers, it is a good indicator of overall trends. 

He said: “We think that with more risk being covered, and maybe newer underwriters getting into the business that don’t have that pricing expertise, that’ll lead to more losses over time."


Responsible Cyber Announces Identity Acquisition and New Shareholders

Info Security - Mon, 05/18/2020 - 11:30

Singaporean startup Responsible Cyber has announced the acquisition of fellow startup Secucial and new shareholders.

The Secucial acquisition adds a mobile digital identity wallet to its portfolio: a decentralized identity system that includes a mobile app with an identity wallet, providing secure authentication with biometrics and contextual multi-factor authentication so that ID documents can be exchanged with a third party.

Responsible Cyber is part of the ICE71 Scale program, a landing pad that helps international and local cybersecurity startups seize opportunities and grow their businesses in Singapore and within Asia Pacific.

As a result of the acquisition, Responsible Cyber has also added NUS Enterprise, the entrepreneurial arm of the National University of Singapore, and Singtel Innov8, the venture capital arm of the Singtel Group, as new shareholders. NUS Enterprise and Singtel Innov8 are the co-founders of ICE71, the region’s first cybersecurity entrepreneur hub.

Secucial was part of the first cohort to graduate from ICE71 Accelerate, a three-month accelerator program designed to help early-stage cybersecurity startups achieve product-market fit in a uniquely technical and demanding industry.

“We welcome NUS Enterprise and Singtel Innov8 as our shareholders, especially during uncertain times like these,” said Magda Chelly, founder and managing director, Responsible Cyber.

“Our platform addresses the needs of business owners who do not have the right means and technical knowledge to implement cybersecurity measures for their businesses. By providing a user-friendly cybersecurity solution, we help small and medium businesses to continue operating remotely, reliably and securely, especially during this COVID-19 pandemic.”


Crypto-Miners Take Out Supercomputers Working on #COVID19

Info Security - Mon, 05/18/2020 - 11:00

Supercomputers across Europe appear to have been targeted by cryptocurrency miners over the past few days, forcing offline key IT resources working on COVID-19 research.

One of the first to report problems was the University of Edinburgh’s Archer supercomputer, which was taken offline last Monday after “a security exploitation on the Archer login nodes.”

Working with the National Cyber Security Centre (NCSC), the institution has been forced to reset all existing passwords and SSH keys. It is still down at the time of writing.

The Computer Security Incident Response Team (CSIRT) at the European Grid Infrastructure (EGI) organization revealed two potentially related security incidents in an analysis on Friday. In both, a malicious actor was blamed for targeting academic data centers for CPU mining.

“The attacker is hopping from one victim to another using compromised SSH credentials,” it explained.

The attackers were logging in from three compromised networks, at the University of Krakow in Poland, Shanghai Jiaotong University and the China Science and Technology Network. It has been claimed that some credentials are shared between academic institutions, making it easier for would-be attackers.

It’s also claimed that the attackers are exploiting CVE-2019-15666 for privilege escalation before deploying a Monero cryptocurrency miner.

Other institutions affected by the campaign include the Swiss Center of Scientific Computations (CSCS), the bwHPC, which runs supercomputers across the German region of Baden-Württemberg, the University of Stuttgart’s HPE Hawk machine, the Leibniz Computing Center (LRZ) and an unnamed facility in Barcelona.

“What’s interesting about this is that it seems hackers have targeted the supercomputers completely remotely for the first time, as before there has always been an insider who installs the crypto-mining malware used for the attack,” argued ESET cybersecurity specialist, Jake Moore.

“All the SSH login credentials will now need resetting, which may take a while, but this is vital to stop further attacks. Once a list of credentials is compromised, it is a race against time to have these reset. Unfortunately, the lead time is usually enough of a head start for threat actors to take advantage of the mining software.”


Police Catch Suspects Planning #COVID19 Hospital Ransomware

Info Security - Mon, 05/18/2020 - 09:40

Police in Europe have swooped on a cybercrime gang they suspect of planning ransomware attacks using COVID-19 lures against hospitals.

The four-man “Pentaguard” group was formed at the start of the year, according to the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT).

It amassed tools including ransomware, remote access trojans (RATs), and SQL injection tools to launch attacks against public and private sector organizations with the aim of stealing data, defacing websites and encrypting key systems.

“They intended to launch ransomware attacks, in the near future, on some public health institutions in Romania, generally hospitals, using social engineering by sending a malicious executable application, from the Locky or BadRabbit families, hidden in an e-mail and in the form of a file that apparently would come from other government institutions, regarding the threat of COVID-19,” the DIICOT update explained.

“Through this type of attack, there is the possibility of blocking and seriously disrupting the functioning of the IT infrastructures of those hospitals, part of the health system, which plays a decisive role at this time, to combat the pandemic with the new coronavirus.”

Officers carried out three house searches in Romania and one in neighboring Moldova.

Hospitals around the world have been under constant attack over the past few weeks as ransomware gangs try to take advantage of the current pandemic to put pressure on their victims to pay.

Microsoft warned recently that many of these attacks were detected using APT-style techniques such as exploitation of a VPN or remote access vulnerability, followed by reconnaissance, privilege escalation and lateral movement.

In April, INTERPOL was forced to issue a Purple Notice to all of its 194 member countries about the cyber-threat to hospitals and other front-line organizations.


REvil Ransomware Gang Threatens to Release Dirt on Trump

Info Security - Mon, 05/18/2020 - 08:45

Ransomware attackers that stole data on a New York law firm's celebrity clients have doubled their demand and threatened to release sensitive information on US President Donald Trump.

The REvil group claimed to have lifted 756GB of data from Grubman Shire Meiselas & Sack, which counts the likes of Madonna, Bruce Springsteen, Run DMC and Mariah Carey among its clients.

The media and entertainment law firm confirmed last week that it had been a victim of a cyber-attack and that it was “working around the clock to address these matters.”

However, the ransomware group’s original deadline for payment of $21m ran out at the end of last week, and it has now upped the demand to $42m.

To show they mean business, the cyber-criminals recently released over 2GB of stolen documents related to contract dealings of Lady Gaga.

They also threatened to publish dirt on Donald Trump, although reports suggest he was never a client of the law firm.

“There's an election race going on, and we found a ton of dirty laundry on time. Mr Trump, if you want to stay President, poke a sharp stick at the guys, otherwise you may forget this ambition forever,” they claimed on a dark web site.

“To you voters, we can let you know that after such a publication, you certainly don't want to see him as President. Well, let's leave out the details. The deadline is one week.”

Recorded Future’s senior solutions architect, Allan Liska, pointed to the threats as just the latest in a long line of incidents where ransomware groups first breach their victims in a bid to force payment.

“Ransomware groups have grown increasingly bold in their targets and their ransom demands and so far have been able to operate with very little pushback,” he added.

“In addition, it has long been suspected that this group operates within Russia's locus of control. The Kremlin generally turns a blind eye to these activities, as long as the threat actors don't target Russian citizens. However, going after an ally of Russia may force Russian cybersecurity forces to turn their attention to the REvil team as well.”

Trump has consistently refused to comply with demands from federal prosecutors to release information on his financial affairs. Separate investigations are looking at whether he committed tax fraud and if his business dealings left him subject to the influence of foreign individuals or governments.


Iowa Civil Rights Meeting Zoom-bombed

Info Security - Fri, 05/15/2020 - 18:04

A Des Moines civil rights meeting was abandoned yesterday after being digitally crashed twice by racist cretins.

The joint meeting between the city's Civil and Human Rights Commission and Des Moines City Council was being held virtually using the videoconferencing app Zoom due to lockdown measures intended to decelerate the spread of COVID-19.

Before the meeting was called to order, an unknown person gained access to the online gathering to aim offensive comments at the commission. The attacker singled out two specific members of the commission, leveling several ignorant, racist slurs and trotting out the n-word.

As the meeting opened, Joshua Barr, Des Moines's civil and human rights director, told the council that he and other members of the commission had been "zoom-bombed."

“There were some racial slurs and things that were posted. I’ll just be candid with it," Barr told the virtual meeting attendants. "If that does happen again, we will have to end the meeting for the protection of the public."

After Barr's acknowledgement, an attempt was made to continue with the meeting. But moments later, as Mayor Frank Cownie delivered his opening remarks, a Zoom-bomber interrupted proceedings with more repellant rubbish.

To spare the attendees from any more offensive idiocy, the meeting was then cancelled. 

Cownie described the actions of the zoom-bomber as a "disgusting and sickening display of racial intolerance" that would only strengthen the city's resolve to educate those unfortunate people who in 2020 are somehow still mired in a ridiculous historical hatred.

Commission chair Kameron Middlebrooks said the sorry incident underlined the need for the community to come together in a spirit of love, equality, and positivity. 

"What occurred proves hate and ignorance is alive and well. But I stand steadfast in my resolve to continue to be an agent of change," said Middlebrooks. "Our commission has started the path to bridging the gap we face in our community and will continue to work cooperatively with council and Des Moines residents to ensure we drive this hate into the darkness and uplift neighbors with love and equitable policies."   

The City of Des Moines is currently operating under a Proclamation of Emergency issued on March 5, 2020, and Governor Jay Inslee’s Stay-at-Home order issued March 23, 2020, in response to the COVID-19 pandemic.


Norway's Wealth Fund Loses $10m in Data Breach

Info Security - Fri, 05/15/2020 - 17:21

Norway's state-owned investment fund Norfund has halted all payments after losing $10m in an "advanced data breach."

Norfund is a private equity company established by the Norwegian Storting in 1997 and owned by the Norwegian Ministry of Foreign Affairs. The fund receives its investment capital from the state budget and is the largest sovereign wealth fund in the world. 

On May 13, Norfund announced that it was "cooperating closely with the police and other relevant authorities" after "a series of events" allowed fraudsters to make off with $10m. 

The fund said that a data breach allowed defrauders to access information concerning a loan of US$10m from Norfund to a microfinance institution in Cambodia. 

Using a mixture of manipulated data and falsified information, the fraudsters managed to impersonate the borrowing institution and divert funds away from the genuine recipient and into their own pockets. 

"The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. Documents and payment details were falsified," said a Norfund spokesperson.

Funds were diverted to an account in Mexico under the same name as the Cambodian microfinance institution. The theft took place on March 16 but went undetected until April 30, when the scammers attempted to fraudulently obtain more money. 

“This is a very unfortunate situation," said Olaug Svara, chair of the board of directors. "We now have to get a full overview of the chain of events in order to get to the bottom of this."

Norfund's board has engaged PwC to undertake a full review of the company's security systems and routines.

Norfund CEO Tellef Thorleifsson said: "The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this.”

Commenting on how the fraud might have been committed, Chris Hazelton, director of security solutions at Lookout, said: “There is no specific information on how this attack took place, nevertheless, how the threat actors were able to 'manipulate the communication between Norfund and the intended recipient' points to either BEC or phishing as a likely entry point for attackers."


API Attacks Increase During Lockdown

Info Security - Fri, 05/15/2020 - 16:40

Cyber-attacks against API endpoints have increased since lockdown measures were introduced to slow the spread of COVID-19.

Threat research published today by California cybersecurity software company Cequence noted a huge spike in malicious traffic since April, with API endpoints being targeted far more than usual. 

Describing the number of threats leveled at just one of their customers, Cequence researchers saw malicious traffic increase by 40% to 28 million events over the week commencing April 17. As time marched forward, the volume of attacks rose. 

"Week of April 23rd saw a massive spike of 279% to 78M with one attack campaign peaking at 100,000 requests per minute," noted researchers. "Week of May 1st showed yet another increase in malicious traffic to 139M requests or an 85% week over week increase."

Attackers were found to be directing the lion's share of traffic at one login API endpoint for the Android application. 

Asked why this particular API received a battering, CQ Threat Research team member and hacker in residence Jason Kent told Infosecurity Magazine: "Usually this is because an attack worked once against that endpoint. Often the focus API endpoint is old, learned either several months ago, or the attacker assumes the older endpoints are forgotten (often the case) and not monitored. 

"Additionally, it is much easier to decompose the API calls an application makes from Android because there are several tools to help with this, versus iOS, which is a bit more difficult."

According to Kent, the biggest trend observed in attacks instigated since "stay safe" became a standard email sign-off has been a growth in overall volume. He added that the tactics around volume, source IPs, and User-Agents (device type) have increased significantly. 

"Attackers are obviously focused on account takeover and are clearly trying to get past mitigation efforts: traffic is being distributed across approximately 1 million residential IP addresses from 15,000 different organizations owned by Bulletproof Proxy vendors, and they are rotating 3 million user agents," said Kent. 

"The heavy use of residential IP addresses, combined with Covid-19 driven stay-at-home orders, makes separating out malicious traffic from legitimate traffic even more important. The attackers know if they can use residential IP addresses from Bulletproof Proxy Networks, they’ll be that much harder to catch and defend against."


AI and Machine Learning Critical to Tackling Cyber Threats Say NTT

Info Security - Fri, 05/15/2020 - 15:15

Advanced artificial intelligence (AI) and machine learning tools are becoming increasingly critical in detecting and combatting cyber threats. This is according to Stefaan Hinderyckx, Senior Vice President, Security - Europe at NTT Ltd., speaking at the virtual NTT European Digital Press Roundtable 2020 on May 13, 2020.

According to Hinderyckx, with organizations now handling so much data, coupled with a current shortage of cybersecurity experts, identifying security threats efficiently and quickly is only possible using these technologies.

He said the global technology services company gets around 280 billion logs per month across all its clients; these can be reduced to 1,000 possible threats through its automated AI and machine learning tools, which utilize complex mathematical techniques such as pattern matching and advanced correlation. NTT’s analysts can then focus on investigating these potential threats closely.

“We have this massive haystack and we put that into a manageable number of incidents that analysts can still look at,” commented Hinderyckx. “You still need humans; machine learning and AI cannot completely replace our analysts, but you can simply do it much more efficiently and the need for speed of course is there because you can’t wait for five hours from the logs coming in and flagging the alert, it has to be near real-time.”

Hinderyckx also said these technologies can pick up new threats that conventional security analysis techniques, such as security information and event management (SIEM), find difficult to identify, giving the emerging threat of zero-day exploits as an example. “By using AI we’re effectively addressing the white space,” he added.


Attacks on Banks Spike 238% During #COVID19 Crisis

Info Security - Fri, 05/15/2020 - 09:33

Attacks on financial institutions spiked by a massive 238% from the beginning of February to the end of April, as cyber-criminals took advantage of peaks in the COVID-19 news cycle, according to VMware Carbon Black.

The company’s third annual Modern Bank Heists report revealed that over a quarter (27%) of attacks so far this year have targeted either the healthcare or financial sectors.

Interestingly, rises in attack volumes seem to have coincided with major news events during the crisis, such as the first confirmed US case, the country’s first death, and the WHO declaring a pandemic. This could be because such events provide a useful lure for phishing emails.

Ransomware attacks against the financial sector increased nine-fold from the beginning of February to the end of April 2020.

Elsewhere, Emotet and Kryptik malware variants were among the most prolific, the latter having been used in the notorious 2015 attack on the Ukrainian power grid. Aside from ransomware, the end goal is to transfer funds or exfiltrate sensitive data.

In fact, 82% of respondents claimed that attacks had become more sophisticated over the past year. Attackers have “dramatically increased” their understanding of internal policies and procedures and are aware of blind spots in incident response, the report claimed.

A third (33%) of respondents said they’d been hit by island hopping attacks via smaller supply chain partners, and a fifth (20%) had experienced a watering hole attack.

Of even greater concern is that a quarter (25%) said they’d been targeted by destructive attacks designed to cause maximum damage rather than to elicit a ransom payment.

“Over the years, bank heists have escalated to virtual hostage situations where cybercrime groups and nation-states have attempted to commandeer digital transformation efforts,” argued VMware’s head of security strategy, Tom Kellermann. “Now, as we address COVID-19’s impact on a global scale, it’s clear attackers are putting financial institutions directly in their crosshairs, according to our data.”

According to Accenture, the cost to address and contain cyber-attacks is higher for financial services than any other sector.


ICO’s BA and Marriott Fines Likely to Be Pushed Back Again

Info Security - Fri, 05/15/2020 - 09:00

Legal experts have warned of more potential delays to the official GDPR fines set to be handed down to British Airways and Marriott International, potentially undermining the authority of the UK regulator.

The Information Commissioner’s Office (ICO), Europe’s largest data protection regulator by budget and employees, originally handed down a notice of intent to fine BA a massive £183.4 million after a Magecart-related breach on its site. A £99 million fine was slated for the hotel group soon after for its breach of 339 million customer records.

Although these were first published in July 2019, they’ve been subject to delays as the companies involved made detailed representations to the regulator.

The initial six-month period from notice of intent to fine was extended to May 2020, according to BA’s recent annual report.

However, experts at Cordery Compliance now believe the deadline will be pushed back again due to COVID-19, to around August-September time.

“Our understanding is that whilst still emphasizing the seriousness of the breaches, the ICO will apply a lenient approach to the amount of the fines due to the financial impact of COVID-19,” the compliance firm added in an alert.

This is likely to raise questions about the ability and resolve of the ICO to bring large cases against well-funded corporations.

“Although the impact of COVID-19 may explain some of the current continued delay, quite why what may end up being over a year to resolve these matters since the ICO announced its intentions to fine may leave some wondering whether GDPR enforcement is going as quickly as it should,” said Cordery.

“In addition, what was also expected to be a showcase for the first significant fines under GDPR in the UK may now be a let-down.”

That said, the two companies are still facing the prospect of potentially costly litigation from disgruntled customers, it added.

A report out last month argued that Europe’s GDPR regulators are woefully under-resourced financially and lacking in the in-house technical expertise needed to take on the major technology firms.


UK Power Grid Biz Suffers Outage After Cyber-Attack

Info Security - Fri, 05/15/2020 - 08:30

A UK power grid company has suffered a possible ransomware attack, although electricity supply to homes has not been affected.

Elexon administers a crucial part of the power supply chain, known as the Balancing and Settlement Code (BSC), with customers including the country’s suppliers, generators, distributors, traders, and energy importers and exporters.

The firm takes over one million meter readings every day to compare what generators and suppliers say they will produce or consume with actual volumes, before calculating a price for the difference and transferring funds accordingly.

At nearly midday local time yesterday the firm posted an alert claiming its internal IT systems had been impacted by a cyber-attack.

“BSC Central Systems and EMR are currently unaffected and working as normal. The attack is to our internal IT systems and ELEXON’s laptops only. We are currently working hard to resolve this. However please be aware that at the moment we are unable to send or receive any emails,” the notice read.

A further message nearly four hours later revealed that the firm had “identified the root cause and we are taking steps to restore our internal IT systems.”

The National Grid took to Twitter to reassure customers about electricity supply.

“We’re aware of a cyber-attack on Elexon’s internal IT systems,” it noted. “We’re investigating any potential impact on our own IT networks. Electricity supply is not affected. We have robust cybersecurity measures across our IT and operational infrastructure to protect against cyber-threats.”

Although yet to be confirmed, the downtime to internal systems suggests a ransomware attack, though there are other possibilities.

The power grid, like other parts of critical national infrastructure (CNI), has come under increasing scrutiny from nation-state actors in recent years, especially Kremlin-backed hackers.

Back in 2017, NCSC boss Ciaran Martin warned of Russian attacks on UK media, telecoms and energy sectors as part of its bid to “undermine the international system.”

Earlier this month Donald Trump declared a national emergency over the threat of foreign adversaries launching crippling cyber-attacks against the US power grid.


Ohio Votes to Outlaw Attempted Hacks

Info Security - Thu, 05/14/2020 - 17:51

The Ohio House of Representatives has voted through new legislation that will criminalize all malicious hacking attempts, whether they succeed or not. 

Backers of House Bill 368 say changes are necessary as currently only malicious computer hacks that succeed are punishable under Ohio law.  

House Bill 368 was passed yesterday with a vote of 93–1, with the lone "nay" cast by state Representative Tavia Galonski. 

If approved by the Senate, the new law will prohibit a person from gaining access to, attempting to gain access to, or causing access to be gained to a computer, computer system, or computer network when certain conditions apply. 

Ethical hackers, such as those hired to test a company's cybersecurity, would not be punishable under the new law, even if they were to accidentally access data that they were not supposed to.

The legislation also proposes making penalties for offenders convicted of computer trespass harsher if they are found to have acted recklessly or if they have deliberately targeted elderly or disabled users. 

Under the new bill, victims of cybercrime would be permitted to file a civil lawsuit pursuing compensation from offenders convicted of cyber-offenses. 

Currently, Ohio only has two categories of offense covering computer crimes: criminal mischief and unauthorized use of a computer. The new legislation would update and expand these offenses with several new felony-level offenses.

Electronic data tampering and electronic data manipulation, electronic data theft, unauthorized data disclosure, electronic computer service interference, and computer trespass are among the new felony-level offenses. 

The bill was sponsored by state Representative Brian Baldridge. Speaking in support of the bill on the House floor yesterday, state Representative David Leland said: “It really corrects some glaring holes in our criminal statute related to cybersecurity."

Leland added that the newly proposed offenses would penalize crimes such as a recent attempt by an unknown malicious hacker to partially take down Ohio’s unemployment benefits website. 

The website is used by employers to report workers who have quit or refused to work during the COVID-19 pandemic, putting them at risk of losing their unemployment benefits.


Critical Flaws Found in Cyberoam Security Devices

Info Security - Thu, 05/14/2020 - 17:16

Critical flaws have been discovered in a cybersecurity company's next-generation firewall and VPN technology.

Researchers at vpnMentor detected two vulnerabilities in cybersecurity devices developed by Cyberoam Technologies. Founded in 1999, Ahmedabad-based company Cyberoam was bought by British security software and hardware company Sophos Group plc in 2014.

Cyberoam employs 550 people globally and serves 65,000 users in over 120 countries, offering security solutions to “global corporations in the manufacturing, healthcare, finance, retail, IT sectors, and more, in addition to educational institutions, public sector and large government organizations.”

The first vulnerability was found in the FirewallOS of Cyberoam SSL VPNs in the last quarter of 2019, while the second was shared with vpnMentor by an anonymous ethical hacker at the beginning of 2020 and verified at vpnMentor's Research Lab.

"After confirming their findings, our team discovered a third flaw, which had also gone unnoticed," wrote researchers.

"These vulnerabilities, both independently and when put together, could have been potentially exploited by sending a malicious request, which would enable an unauthenticated, remote attacker to execute arbitrary commands."

Cyberoam software works by forming a gateway that blocks unauthorized access to a network. Researchers revealed that the main flaw in Cyberoam’s security involved two separate weaknesses in how an email is "released from quarantine" on a Cyberoam device.

"Both unrelated issues could have been used to give hackers access to Cyberoam’s devices, and, as an end result, make it easier to exploit any device which their firewalls were guarding," wrote researchers. 

Hotfixes have been published by Sophos to resolve the vulnerabilities, which are not the first flaws to be discovered in Cyberoam's security products. 

"For many years, people have been identifying significant weaknesses in their software products and devices," wrote researchers, before citing three specific weaknesses.

The first of these dates back to July 2012, when it was revealed that Cyberoam was using the same SSL certificate across many of its devices, making it possible for hackers to access any affected device on the company's network and intercept its data traffic.

In 2018, massive portions of Cyberoam databases were discovered for sale on the dark web after being swiped by a hacker, according to Indian media reports.


Identity Breaches at 79% of Organizations

Info Security - Thu, 05/14/2020 - 16:11

New research published today by the Identity Defined Security Alliance (IDSA) has revealed that 79% of organizations have experienced an identity-related security breach in the last two years.

The worrisome finding emerged from a study titled “Identity Security: A Work in Progress,” which is based on an online survey of 502 IT security and identity decision makers conducted in April. The study was carried out to identify trends in identity-related security and to deduce how forward-thinking companies are trying to reduce the risk of a breach.

Researchers found that identity-related breaches are as common as mud, with 94% of organizations experiencing this particular calamity at some point and 79% saying that a breach had occurred within the past two years. 

Of those surveyed, 99% believe that the breach they experienced was preventable, but fewer than half have fully implemented key identity-related security outcomes.

Asked for their views on how identity-related breaches typically occur, 66% of respondents identified phishing as the most common cause. The results suggested that cybersecurity training could reduce the risk of a breach.

"Phishing presents a significant challenge for security leaders—of companies breached, 71% surveyed said the attack could have been prevented through better security awareness training," wrote researchers.  

The study revealed a link between an organization's attitude to cybersecurity and how recently it had experienced a breach. Only 34% of companies with a "forward-thinking" security culture have had an identity-related breach in the past year compared with 59% of companies that foster a "reactive" security culture.

Another key difference between reactive and proactive companies was the impact of a breach. Forward-thinking companies experienced similar phishing-related breaches, but fewer stolen credentials (34% vs 42%), compromised privileged credentials (27% vs 32%), inadequately managed privileges (35% vs 40%), and socially engineered passwords (32% vs 41%).

Researchers concluded that organizations could do more to prevent future breaches. They said: "There is no doubt that with explosive growth in identities in the last five years and what is still to come, organizations are shifting strategies to protect their most vulnerable attack vector with some success. But there is more work to be done."


DWF Appoints Mark Hendry as Director of Data Protection and Cybersecurity

Info Security - Thu, 05/14/2020 - 15:13

DWF has appointed Mark Hendry as its director of data protection and cybersecurity, joining from Deloitte where he was responsible for data protection and cybersecurity risk and remediation projects for clients.

At DWF, Hendry will work alongside the global head of data protection and cybersecurity, Stewart Room, and the wider leadership team, to develop and grow the global legal business’ cybersecurity consultancy services. He will help clients from different sectors to address their cybersecurity issues and requirements, particularly in the areas of multi-disciplinary incident response services, strategic improvement and risk remediation.

Hendry’s appointment follows a lengthy career in data protection and cybersecurity. Prior to his role at Deloitte, he worked at PwC for nine years where he held a variety of positions, including group leader for the 100+ headcount London cybersecurity and business resilience business, technology audit lead for the FTSE100 practice and leadership team member of the multi-disciplinary data protection group.

Before then, he worked for Research Machines Plc and British Telecom in client-facing technical project and program management roles.

Commenting on the appointment, Room stated: “We are delighted to be welcoming Mark to DWF. He is an extremely experienced data protection and cybersecurity professional who provides DWF with an added edge in the market. Mark will be critical in advising clients across a range of sectors to address their cybersecurity issues, with a focus on incident response services, strategic improvement and risk remediation."

Hendry is the latest high-profile appointment for DWF this year, following the recruitment of James Drury-Smith as its new UK national leader of privacy and cyber security last month and Room as partner and global head of data protection and cybersecurity in February.

Hendry commented: “I am delighted to have joined DWF which is a business in prime position to serve our clients and grow with them. The combination of DWF's legal expertise and associated legal and non-legal services globally provides an incredibly powerful and united platform from which to serve our clients and markets.” 
