The Department of Justice (DoJ) has warned that Zoombombers could receive a prison sentence if found and convicted, as the COVID-19 pandemic forces meetings online.
The number of daily meeting participants on Zoom has risen from 10 million in December last year to a staggering 200 million by March, the firm revealed last week. However, users who fail to pay attention to their privacy settings may find their meetings disrupted by uninvited guests.
Reports have emerged of meetings interrupted by live-streams of adult content, and threatening language.
“You think Zoombombing is funny? Let’s see how funny it is after you get arrested,” warned Matthew Schneider, US attorney for Eastern Michigan. “If you interfere with a teleconference or public meeting in Michigan, you could have federal, state or local law enforcement knocking at your door.”
The charges, punishable by fines or even imprisonment, could include disrupting a public meeting, computer intrusion, using a computer to commit a crime, hate crimes, fraud, or transmitting threatening communications.
The DoJ reiterated best practice advice for video conferencing users including the following: change screen-sharing to “host only,” don’t share meeting ID on social media, keep software on the latest version, update corporate home working policies and don’t make meetings public.
Zoom has also been trying to educate users on how to keep the Zoombombers out. It now generates a password automatically for all new meetings, and the use of personal meeting ID for new meetings is switched off by default, meaning a one-time code will be issued.
Users are also encouraged to enable the “waiting room” feature, which means attendees can’t join unless the host admits them individually from a list, and a feature that allows the host to put any attendee on hold.
However, the firm was criticized last week after researchers easily found user meeting recordings stored online without a password. They blamed the Zoom default naming convention for files.
Hackers are attempting to compromise Docker servers en masse via exposed APIs in order to spread cryptocurrency mining malware, according to researchers.
Aqua Security claimed to have tracked the organized campaign for several months, revealing that thousands of attempts to hijack misconfigured Docker Daemon API ports are taking place almost every single day.
“In this attack, the attackers exploit a misconfigured Docker API port to run an Ubuntu container with the kinsing malicious malware, which in turn runs a cryptominer and then attempts to spread the malware to other containers and hosts,” it explained.
The Ubuntu container itself is designed to disable security measures, clear logs and kill applications on the system, including any other malware, before downloading the kinsing malware, which mines digital currency on the compromised Docker host.
Once kinsing is downloaded it tries to connect with C&C servers in Eastern Europe, with a different server used for each function. It then attempts to spread laterally across the container network, by collecting and using SSH credentials.
“Using the information gathered, the malware then attempts to connect to each host, using every possible user and key combination through SSH, in order to download the aforementioned shell script and run the malware on other hosts or containers in the network,” said Aqua Security.
The cryptominer itself, kdevtmpfsi, is designed to mine for Bitcoin.
DevSecOps teams must up their response to run least privilege access policies, scan images, look for anomalies in user behavior and invest in cloud security tools to enforce policies, argued the vendor.
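The root cause of the campaign described above is a Docker daemon whose API is reachable over plaintext TCP. The following script, added here as an example and not code from Aqua Security or the Docker project, audits a daemon.json file for that condition. It assumes the standard daemon.json keys (hosts, tlsverify, tlscacert, tlscert, tlskey); the two sample configurations are constructed for illustration.

```python
"""Audit a Docker daemon.json for the API exposure kinsing relies on.

Added example (not Aqua Security's or Docker's code). Assumes the standard
/etc/docker/daemon.json keys "hosts", "tlsverify", "tlscacert", "tlscert"
and "tlskey"; the sample configs below are constructed for illustration.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: dockerd listening on plaintext TCP on every interface.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: TCP listener kept, but bound to one address and
# requiring client certificates (mutual TLS).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(raw_json):
    """Return a list of findings (strings) for the given daemon.json text.

    Any tcp:// listener is a remote control channel for the daemon, which is
    root-equivalent on the host, so it must require client certificates
    (tlsverify) and should not be bound to every interface.
    """
    cfg = json.loads(raw_json)
    findings = []
    hosts = cfg.get("hosts", [])
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in (h for h in hosts if h.startswith("tcp://")):
        parts = urlsplit(host)
        if not tls_verify:
            findings.append(f"{host}: API reachable over TCP without tlsverify")
        if parts.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces")
        if parts.port == 2375:
            findings.append(f"{host}: port 2375 is the conventional plaintext port")
    if tls_verify:
        # tlsverify without certificate material means the daemon will not start.
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify set but {key} missing")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(cfg) or "no findings")
```

Run it against /etc/docker/daemon.json on each host (and check any -H flags in the systemd unit, which the script does not read); a clean result still leaves the firewall and the image-scanning and least-privilege controls the vendor recommends to do their part.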
Containers are increasingly on the front line when it comes to enterprise cyber-threats. Last year researchers found over 40,000 misconfigured Kubernetes and Docker containers online.
It’s not all about user error; in April 2019 Docker Hub, the world’s largest container image library, discovered unauthorized access to its platform affecting 190,000 accounts.
Researchers have discovered thousands of private Zoom recordings exposed online, in another blow to the firm’s security credentials as it struggles to support a huge surge in users.
Former NSA researcher Patrick Jackson told The Washington Post that he was able to find the videos via a simple cloud storage search.
Many of them were apparently stored in Amazon Web Services (AWS) S3 buckets without passwords, and because the Zoom default naming convention is relatively easy to guess, they were simple to find.
One search for videos named in this way apparently revealed 15,000 separate recordings, some of them containing highly sensitive information.
These ranged from elementary school remote classes, featuring the faces of students, to private therapy sessions, business meetings including financial details and even a beauty therapist demonstrating to students how to give a Brazilian wax.
Zoom allows users to record and save meetings to its own cloud service, but it also offers customers the choice of saving videos to their preferred location, without a password.
It’s the latter type that appears to have been exposed, with experts arguing that the firm should mitigate the issue by forcing users to create a unique file name when saving videos.
In a statement, Zoom clarified that it offers users a “safe and secure” way to store their recordings.
“Zoom meetings are only recorded at the host’s choice either locally on the host’s machine or in the Zoom cloud,” it said.
“Should hosts later choose to upload their meeting recordings anywhere else, we urge them to use extreme caution and be transparent with meeting participants, giving careful consideration to whether the meeting contains sensitive information and to participants' reasonable expectations.”
The news comes after a tough week for the video conferencing platform, which has seen daily meeting participants grow from 10 million in December to roughly 200 million in March.
CEO Eric Yuan listed a range of measures the firm was taking to improve privacy and security, including patches for three new zero-day bugs, the removal of the Facebook SDK from its iOS client after privacy complaints, and clarification of new default settings to help prevent “Zoombombing.”
Yuan also announced a “feature freeze” which will see all engineering resources shifted to focus on trust, safety and privacy issues.
Google published reports today that use aggregated phone location data to show how closely lockdown regulations are being followed around the world.
The company said its COVID-19 Community Mobility Reports would "provide insights into what has changed in response to work from home, shelter in place, and other policies aimed at flattening the curve of this pandemic."
The reports use aggregated, anonymized data gathered from cell phones to chart movement trends over time. Specifically, they reveal how busy popular destinations such as shops, parks, recreation spaces, grocery stores, pharmacies, transit stations, residential areas, and workplaces have been since the majority of countries asked people to stay at home.
Initially, the reports will cover 131 countries and regions and show trends that have emerged over several weeks, with the most recent data included being at least 48 hours old.
Today's reports show a traffic comparison over a five-week period between February 16 and March 29.
Data gathered from the UK shows that visits to transport stations are down 75%, while 85% fewer people are frequenting public recreation places such as restaurants, cafes, and movie theaters.
In Italy, where around 14,000 people have died after contracting the novel coronavirus, strict lockdown measures have resulted in 94% fewer people in shops, restaurants, and cafes, and parks have seen footfall drop by 90%.
By contrast, in Sweden, where no strict measures have been introduced to keep people in their homes, Google found that 18% fewer people were in work, 24% fewer were using recreational spaces, and use of transport stations had dropped by 36%.
Only data from users who have turned on the Location History setting will be used to create the reports. Currently, this setting is turned off by default.
People who have location history turned on can turn it off at any time from their Google account and can also delete location history data directly from their timeline.
Google says the reports will not intrude on the privacy of individual people, because "no personally identifiable information, like an individual’s location, contacts or movement, is made available at any point."
A threat group is using gift cards, sweet-faced teddy bears, and the United States Postal Service to carry out a new physical phishing campaign.
The deceptive ruse has been identified as the work of FIN7, otherwise known as the Navigator Group and the Carbanak Group.
Victims receive a new furry friend in their mailbox together with a gift card, a malicious USB drive, and a fake letter purporting to be from the customer relations department of Best Buy. The scam lures victims into plugging the bad drive into their computer with the promise of a freebie.
The letter states: "Best Buy company thanks you for being our regular customer for a long period of time, so we would like to send you a gift card in the amount of $50. You can spend it on any product from the list of items presented on a USB stick."
After discovering the scam, the Federal Bureau of Investigation issued a flash alert warning to businesses.
“Recently, the cybercriminal group FIN7, known for targeting such businesses through phishing emails, deployed an additional tactic of mailing USB devices via the United States Postal Service (USPS). The mailed packages sometimes include items like teddy bears or gift cards to employees of target companies working in the Human Resources (HR), Information Technology (IT), or Executive Management (EM) roles,” warned the FBI.
The USB device used by FIN7 is a commercially available tool known as a "BadUSB" or "Bad Beetle USB" device. Schemes that make use of such malicious USBs are known as "Bash Bunny" attacks.
Sticking with the animal theme, similar attacks, which rely on the victim using a malicious USB stick that is in reality a USB keyboard preloaded with keystrokes, are called "Rubber Ducky" attacks.
According to MITRE, FIN7 is a financially motivated threat group that has primarily targeted the US retail, restaurant, and hospitality sectors since mid-2015, often using point-of-sale malware. In 2017, the group became known for sending stores and corporate offices a string of food poisoning complaints with malicious attachments in a threat campaign dubbed FINdigestion.
A bill permitting the use of facial recognition technology with certain restrictions has been signed into law in Washington State.
Governor Jay Inslee signed the new bill on March 31 after it was passed by the Washington State House of Representatives on March 12 by a vote of 27 to 21 in favor. The new law will come into effect next year.
The new legislation will limit the "unconstrained use of facial recognition services by state and local government agencies" because it "poses broad social ramifications that should be considered and addressed."
Under the new law, state and local government agencies "may use facial recognition services to locate or identify missing persons, and identify deceased persons, including missing or murdered indigenous women, subjects of Amber alerts and silver alerts, and other possible crime victims, for the purposes of keeping the public safe."
Before developing, procuring, or using facial recognition technology, a state or local government agency must file a notice of intent with a legislative authority and produce an accountability report.
The new legislation has won the support of Microsoft president Bill Smith, who praised it in a recent blog post.
"This balanced approach ensures that facial recognition can be used as a tool to protect the public, but only in ways that respect fundamental rights and serve the public interest,” wrote Smith.
Washington's state agencies are not permitted to use facial recognition based on a person’s “religious, political or social views or activities,” or “participation in a particular noncriminal organization or lawful event,” or “actual or perceived race, ethnicity, citizenship, place of origin, immigration status, age, disability, gender, gender identity, sexual orientation or other characteristic protected by law.”
Use of facial recognition technology in the United States is not currently governed by any federal rules. Washington is the first state to pass legislation to allow the constrained use of facial recognition technology, while elsewhere in America, some have moved to ban it.
In 2019, San Francisco, Oakland, and Berkeley, California, and the Boston, Massachusetts, suburbs of Somerville and Brookline all moved to ban the use of the new technology.
Zoom has announced a freeze on new features as it grapples with emerging security and privacy issues, including three new security bugs revealed this week.
The video conferencing app has been catapulted into the mainstream after widespread COVID-19 government lockdowns across the globe forced home working and schooling on a massive scale. The number of daily meeting participants has grown from 10 million in December to roughly 200 million in March, according to the firm.
However, this has led to increased scrutiny of the platform: researchers this week published details of a new vulnerability in the Zoom Windows client which could be exploited to steal user passwords, and two flaws in the macOS app which could be abused to remotely install malware or eavesdrop on users.
These follow discoveries of serious vulnerabilities in the product last year.
Although Zoom CEO Eric Yuan revealed in a post on Thursday that the firm had promptly patched all three bugs disclosed this week, concerns persist about the platform’s approach to security and privacy.
Organizations as diverse as the UK’s Ministry of Defence, SpaceX and NASA have banned employees from using the tool, and there has been widespread criticism after the firm appeared to mislead users into thinking their video meetings were end-to-end encrypted, when in fact they aren’t.
Yuan apologized for that, and clarified several steps that the firm is taking to improve privacy, including removing the Facebook SDK in its iOS client, after reports emerged that it was sending user data to the social network, even for non-Facebook users.
It has also permanently removed an “attention tracker” feature which critics claimed could allow employers to spy on their staff.
Zoom has also been trying to educate users into following best practices like not sharing meeting IDs online, and using protective features on the platform which could prevent “Zoombombing” — incidents where uninvited guests join and disrupt meetings.
Going forward, the firm will enact a “feature freeze” in order to devote all engineering resources to security and privacy issues. It will also carry out a comprehensive review with third-party experts to improve security in consumer use cases, and engage with security leaders via a new CISO council.
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,” Yuan argued.
“These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies.”
A group of civil society organizations has called for restraint after warning that governments around the world are rolling out invasive surveillance programs on a massive scale to track and manage the spread of COVID-19.
A statement signed by 100 civil liberties groups argued that “efforts to contain the virus must not be used as a cover to usher in a new era of greatly expanded systems of invasive digital surveillance.”
It claimed that human rights should still be respected even in extraordinary times.
“An increase in state digital surveillance powers, such as obtaining access to mobile phone location data, threatens privacy, freedom of expression and freedom of association, in ways that could violate rights and degrade trust in public authorities – undermining the effectiveness of any public health response,” the letter continued. “Such measures also pose a risk of discrimination and may disproportionately harm already marginalized communities.”
Privacy International claimed that telecoms-based tracking is already underway in 23 countries, while 14 have deployed tracking apps.
Back in mid-March, the UK government was revealed to be receiving tracking data from mobile carriers to check whether citizens were respecting its social distancing guidelines. A similar strategy is thought to be in play in the US.
However, that’s some way from the extreme surveillance seen in China, where some local authorities are offering people rewards for informing on ill neighbors, and even getting into one’s apartment or workplace requires scanning a QR code, and logging name, ID number, temperature and travel history.
“The wave of surveillance we’re seeing is truly unprecedented, even surpassing how governments across the world responded to 9/11,” argued Privacy International advocacy director, Edin Omanovic.
“The laws, powers and technologies being deployed around the world pose a grave and long-term threat to human freedom. Some measures are based on public health measures with significant protections, while others amount to little more than opportunistic power grabs.”
The rights groups have issued a list of eight conditions governments should meet, including the use only of “lawful, necessary and proportionate” surveillance which continues only as long as the pandemic.
The Internal Revenue Service (IRS) is warning taxpayers of a new wave of phishing calls and messages designed to trick victims into handing over financial details by capitalizing on the COVID-19 pandemic.
A large number of these scams attempt to use as a lure the government’s recent announcement of an economic impact payment of $1200 to every US citizen.
According to the IRS, they might use terms such as “Stimulus Check” or “Stimulus Payment” and ask victims to confirm personal and banking information in order to ‘speed up’ payment.
In similar scams, the phisher could ask victims to sign over an economic impact check to them directly, or else mail them a fake one with an odd amount and then require the taxpayer to call a number or verify information online in order to cash it.
The range of these scams, across phone, email, social media, text and even face-to-face, shows the lengths fraudsters are prepared to go to in order to tap the huge federal emergency giveaway.
“History has shown that criminals take every opportunity to perpetrate a fraud on unsuspecting victims, especially when a group of people is vulnerable or in a state of need,” said IRS criminal investigation chief, Don Fort.
“While you are waiting to hear about your economic impact payment, criminals are working hard to trick you into getting their hands on it. The IRS Criminal Investigation Division is working hard to find these scammers and shut them down, but in the meantime, we ask people to remain vigilant.”
The IRS reminded taxpayers that in most cases their economic impact payment would be deposited directly into the account previously provided on tax returns. Those who have not previously provided this info will be able to enter their banking details online in a secure IRS portal in April. Otherwise a check will be mailed to the address the IRS has on file.
At least 19 websites have fallen victim to a new data skimmer that appears to have been developed by threat group Magecart Group 7.
Dubbed 'MakeFrame' by researchers at RiskIQ, the new data skimmer has been spotted out in the wild in several different versions.
Researchers first came across the skimmer on January 24. Since then, MakeFrame has been spotted hosting skimming code, loading the skimmer on other compromised websites, and exfiltrating stolen data.
"There are several elements of the MakeFrame skimmer that are familiar to us, but it’s this technique in particular that reminds us of Magecart Group 7," wrote researchers.
RiskIQ has identified three distinct versions of the skimmer with varying levels of obfuscation, from clear JS code to encrypted obfuscation. Some of these appear to be dev versions running debug processes, one of which even includes a version number.
"Magecart Group 7 also used victim sites for skimmer development, as we observed when they compromised OXO in 2017 and twice in 2018," said researchers.
The team at RiskIQ said the multiple versions of MakeFrame were evidence of threat actors' constant hunt for new ways to cheat and steal from yet more victims.
"This latest skimmer from Group 7 is an illustration of their continued evolution, honing tried and true techniques and developing new ones all the time. They are not alone in their endeavors to improve, persist, and expand their reach," wrote researchers.
When studying the new threat, researchers noted that MakeFrame was targeting the same victim pool as Group 7.
"Each of the [compromised] sites belongs to a small or medium-sized business, and none are particularly well known, with OXO being a bit of an outlier in their history."
The nefarious data-stealing methods used by MakeFrame also echo those deployed by Magecart Group 7, sending stolen data as .php files to other compromised sites for exfiltration.
Researchers noted that data-skimming attacks were on the rise at a time when people the world over are working and shopping from home as a result of the COVID-19 outbreak.
"RiskIQ data shows Magecart attacks have grown 20% amid the COVID-19 pandemic. With many homebound people forced to purchase what they need online, the digital skimming threat to e-commerce is as pronounced as ever," wrote researchers.
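A skimmer such as MakeFrame only works if the compromised page loads script the site owner never approved. The following script, an added example rather than RiskIQ's tooling, shows the simplest control a site operator can run: record a baseline of the scripts a checkout page loads (a SHA-256 for each inline script and the host of each external one) and diff every later snapshot against it. It uses only the Python standard library; the two page snapshots are constructed, and the hostnames in them are placeholders.

```python
"""Baseline and diff the scripts a checkout page loads, as a control against
injected client-side skimmers like MakeFrame.

Added example, not RiskIQ's or any compromised site's code. Parses HTML with
the standard library, hashes inline scripts, records external script hosts
and reports anything absent from an approved baseline. The page snapshots
below are constructed; the hostnames in them are placeholders.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptCollector(HTMLParser):
    """Collects external script hosts and SHA-256 digests of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []     # hosts of <script src=...>
        self.inline = []       # sha256 hex of inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(urlsplit(src).hostname or "(relative)")
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies raw, so this captures the code.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip().encode()
            self.inline.append(hashlib.sha256(body).hexdigest())
            self._in_script = False


def collect_scripts(html):
    """Return {"external": [hosts], "inline": [sha256 digests]} for a page."""
    parser = _ScriptCollector()
    parser.feed(html)
    return {"external": sorted(set(parser.external)),
            "inline": sorted(set(parser.inline))}


def diff_against_baseline(html, baseline):
    """Return (unexpected_hosts, unexpected_inline_hashes) for a snapshot."""
    found = collect_scripts(html)
    hosts = [h for h in found["external"] if h not in baseline["external"]]
    inline = [h for h in found["inline"] if h not in baseline["inline"]]
    return hosts, inline


# Constructed checkout page as deployed by the site owner.
CLEAN_PAGE = """<html><head>
<script src="https://shop.example/static/app.js"></script>
<script>window.shopConfig = {currency: "USD"};</script>
</head><body><form id="checkout"></form></body></html>"""

# Constructed snapshot after a compromise: a script from a host the owner
# never approved has been appended to the page.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="https://static-assets.invalid/loader.js"></script></body>')

BASELINE = collect_scripts(CLEAN_PAGE)

if __name__ == "__main__":
    print("clean:", diff_against_baseline(CLEAN_PAGE, BASELINE))
    print("tampered:", diff_against_baseline(TAMPERED_PAGE, BASELINE))
```

Scheduling this against a fetched copy of the live page catches the "loading the skimmer on other compromised websites" stage the researchers describe; pairing it with a Content-Security-Policy script-src allowlist and Subresource Integrity on the approved scripts blocks the injected load in the browser as well as detecting it.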
A digital wallet app with millions of users has become the latest organization to be caught storing customer data in unsecured Amazon Web Services (AWS) S3 buckets.
The Key Ring app allows users to upload and store scans and photos of membership and loyalty cards to a digital folder in their mobile device. It is also commonly employed by users as a convenient way to scan and store copies of their ID, driver's license, gift cards, and credit cards.
The misconfigured buckets, which were set to "public" rather than "private," were found to contain 44 million images uploaded by Key Ring users.
Data exposed in the Key Ring data leak included government IDs, NRA membership cards, medical marijuana ID cards, credit cards with all the details, including the CVV numbers, and medical insurance cards.
Other information exposed in the data leak included CSV files detailing membership lists for prominent North American retailers who use Key Ring as a marketing platform. These lists contained the personally identifiable information (PII) data of millions of people.
Companies whose customers' details were exposed in the leak include Walmart, Kleenex, La Madeleine Bakery, Foot Locker, and Mattel.
VpnMentor researchers said that every Key Ring file they viewed could also be downloaded and stored offline, making them completely untraceable.
"These unsecured S3 buckets were a goldmine for cybercriminals, making millions of people across North America vulnerable to various forms of attack and fraud," said researchers.
"We can’t say for certain that nobody else found these S3 buckets and downloaded the content before we notified Key Ring."
VpnMentor researchers discovered the buckets in January 2020 using web-scanning tools.
"Once the details of the leak were confirmed, we immediately contacted Key Ring and AWS to disclose the discovery and assist in fixing the leak. The buckets were secured shortly after," said researchers.
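The Key Ring exposure, like the Zoom recordings found earlier in this digest, comes down to a bucket set to "public". The following script, added as an example and not vpnMentor's or Key Ring's code, evaluates offline the two AWS artefacts that decide that: the bucket ACL grants (as returned by GetBucketAcl) and the bucket policy document. The AllUsers and AuthenticatedUsers group URIs and the policy schema are AWS's documented ones; the sample buckets are constructed.

```python
"""Flag S3 buckets exposed the way the Key Ring buckets were.

Added example, not vpnMentor's or Key Ring's code. It checks two AWS
artefacts offline: the "Grants" list from GetBucketAcl and the bucket policy
document. The grantee group URIs and policy schema are AWS's documented
ones; the sample buckets below are constructed.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """A principal of "*" or {"AWS": "*"} means anyone, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_exposure(acl_grants, policy_json=None):
    """Return a list of findings for a bucket's ACL grants and optional policy."""
    findings = []
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    if policy_json:
        policy = json.loads(policy_json)
        for stmt in _as_list(policy.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            if not _principal_is_public(stmt.get("Principal")):
                continue
            if "Condition" in stmt:
                # A conditioned wildcard (e.g. restricted by aws:SourceVpc)
                # needs human review rather than an automatic verdict.
                findings.append("policy allows '*' principal under a Condition: review")
                continue
            actions = ", ".join(_as_list(stmt.get("Action", [])))
            findings.append(f"policy allows {actions} to any principal")
    return findings


# Constructed sample of a bucket set to "public": anonymous READ on the ACL
# and a policy letting anyone list the bucket and fetch every object.
EXPOSED_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample of the corrected bucket: owner-only ACL, no public policy.
PRIVATE_GRANTS = [EXPOSED_GRANTS[0]]

if __name__ == "__main__":
    print("exposed:", public_exposure(EXPOSED_GRANTS, EXPOSED_POLICY))
    print("private:", public_exposure(PRIVATE_GRANTS) or "no findings")
```

Feeding this the output of GetBucketAcl and GetBucketPolicy for every bucket in an account gives the same answer the researchers' web scanners got, before anyone outside finds it; enabling S3 Block Public Access at the account level then prevents the "public" setting from being re-applied by a later mistake.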
Scammers are targeting Londoners with fake fine notification texts that accuse victims of flouting the country's lockdown rules.
The malicious text has been designed to look like a genuine COVID-19 alert sent by the UK government. Victims who receive the message are told that they have been fined £35 after being spotted leaving their home on multiple occasions over the course of a single day.
Under current restrictions in place in the UK, people have been asked to only leave home for essential work, to purchase basic necessities, and to carry out "one form of exercise a day."
Under Welsh law, exercise must be taken outside “no more than once a day.” However, the law in England, Scotland, and Northern Ireland does not specify exactly how many times a day people can leave their home, so police cannot enforce a limit or issue fines to people for simply leaving their houses.
The malicious text appears to have been sent by the UK government, with the sender's details displayed as "UK.Gov." In a bid to look authentic, the text references a genuine media campaign currently in use by the government—to protect the National Health Service by staying at home and minimizing the spread of the novel coronavirus.
The message reads: "GOV.UK CORONAVIRUS ALERT. We would like to inform you that you have been recorded as leaving your home on 3 occasions yesterday. A fine of £35 has been added to your gov.uk account. For further information please visit gov.uk/coronavirus-penalty-payment-tracking. Protect the NHS. Save Lives."
Victims who click on the link contained with the message are asked to provide their payment details.
The timing and medium of the scam has been well-chosen to make the message appear genuine. After lockdown measures were announced, the British government sent a text message out across all the cell phone networks in the UK to inform the public of the new restrictions in force.
The local government in the London borough of Richmond upon Thames issued a warning on March 30 about this fake text and other malicious communications that are currently doing the rounds.
Cllr Gareth Roberts, leader of Richmond Council, said: "Anyone who receives this text should ignore it. It is simply another ruse to steal the payment details of users."
Infosecurity Europe 2020, due to take place June 2-4, has been postponed due to the COVID-19 pandemic, event organizers Reed Exhibitions have announced.
Held annually at London Olympia, Infosecurity Europe is Europe’s largest and most comprehensive information security event, attracting thousands of visitors from the information security industry every year.
A statement from Reed Exhibitions said:
“After monitoring the constantly evolving COVID-19 pandemic, we have made the decision to postpone Infosecurity Europe, which was scheduled to take place from June 2-4 in Olympia, London. The health and safety of our exhibitors, visitors, partners and staff remains our number one priority and we will remain guided by the expert advice of the public health authorities. We believe this is the best course of action for the information security industry and the communities we serve and it also reflects our desire to give everyone involved as much notice as possible.”
The statement explained that Reed Exhibitions is now working closely with its partners and venues to obtain new dates for the event later in the year and will announce the new dates on the Infosecurity Europe website as soon as possible.
“In the meantime, we want to ensure we keep the conversation going within our community and will be providing a program of virtual content June 2-4,” the company added. “More information will be available on the Infosecurity Europe website soon.”
Over 2000 new phishing domains have been set up over the past month to capitalize on the surging demand for Zoom from home workers, according to new data from BrandShield.
The brand protection company analyzed data from its threat hunting system since the start of the year, and found 3300 new domains had been registered with the word “Zoom” in them.
The vast majority of these (67%) were created in March, as the COVID-19 pandemic forced lockdowns in multiple European countries and across parts of the US.
With surging levels of interest in Zoom and other video conferencing apps, comes renewed scrutiny from cyber-criminals.
Nearly a third (30%) of the new “Zoom” websites spotted by BrandShield have activated an email server, which the firm claimed proves these domains are being used to facilitate phishing attacks.
These could include attempts to: covertly download malware to the victim’s machine, steal money from Zoom users who think they’re buying a subscription and harvest user details to compromise accounts and/or infiltrate sensitive calls.
“With global businesses big and small becoming increasingly reliant on video conferencing facilities like Zoom, sadly, cyber-criminals are trying to capitalize,” argued BrandShield CEO, Yoav Keren.
“Businesses need to educate their employees quickly about the risks they may face, and what to look out for. The cost of successful phishing attacks is bad for a company’s balance sheet at the best of times, but at the moment it could be fatal.”
The news comes as experts continue to warn Zoom users of the potential security risks involved in logging-on to the video conferencing app.
The app was banned for employee use by the UK’s Ministry of Defence (MoD), although the Prime Minister, Boris Johnson, still used it for a Cabinet meeting.
Experts have urged users not to share meeting IDs on social media, and to ensure they generate a password for each meeting, or else risk being “Zoombombed” — that is, having uninvited guests enter the meeting.
Trend Micro principal security strategist, Bharat Mistry, argued that cyber-criminals are always on the lookout for opportunities to make a fast buck from globally trending news.
“It’s no surprise that hackers are looking to take advantage and exploit the current situation with Covid-19 especially with the mass explosion of remote working and even remote social interactions taking place,” he told Infosecurity.
Privacy experts have also expressed concerns over employer monitoring of their staff, as admin settings can provide detailed usage statistics for each employee.
Toni Vitale, head of data protection at JMW Solicitors, argued that transparency is key.
“Employees need to be told that their activities are being monitored,” he said. “In the rush to get everyone online I doubt many companies checked their HR policies.”
Microsoft has been forced to alert several dozen hospitals in a “first of its kind notification” that their gateway and VPN appliances are vulnerable to ransomware groups actively scanning for exposed endpoints.
The tech giant claimed that attackers behind the REvil (Sodinokibi) variant, for one, are probing the internet for vulnerable systems, with VPNs in high demand at the moment as COVID-19 forces home working.
The group appears to be repurposing malware infrastructure it used last year in the new attacks, which aim to take advantage of vulnerable healthcare organizations already under extreme pressure dealing with infected patients.
These “human-operated” attacks differ from commodity ransomware efforts in that the hackers use their extensive knowledge of system administration and common network security misconfigurations, said Microsoft.
“Once attackers have infiltrated a network, they perform thorough reconnaissance and adapt privilege escalation and lateral movement activities based on security weaknesses and vulnerable services they discover in the network,” it continued.
“In these attacks, adversaries typically persist on networks undetected, sometimes for months on end, and deploy the ransomware payload at a later time. This type of ransomware is more difficult to remediate because it can be challenging for defenders to go and extensively hunt to find where attackers have established persistence and identify email inboxes, credentials, endpoints or applications that have been compromised.”
Reports emerged earlier this year that ransomware attackers including REvil were targeting flaws in Citrix ADC and Gateway products. It’s also suspected that the group exploited vulnerabilities in the Pulse Security VPN platform to compromise Travelex last year.
The National Cyber Security Centre (NCSC) and the NSA pushed out alerts last October that these products were being targeted by APT groups.
Microsoft’s advice is to patch promptly, monitor remote access carefully, turn on attack surface reduction rules in Windows, and switch on AMSI for Office VBA in Office 365 environments.
A report it issued last month details further steps to mitigate targeted ransomware.
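The Windows-side mitigations Microsoft lists above (attack surface reduction rules and AMSI for Office VBA) can be applied from an elevated PowerShell prompt. The script below is an added example, not code from Microsoft's advisory or the article; it assumes Microsoft Defender Antivirus is the active engine, uses Microsoft's published ASR rule GUIDs, and assumes the Office 16.0 policy hive for the macro scan setting.

```powershell
# Added example: turn on the ASR rules most relevant to human-operated ransomware
# (Office child processes, LSASS credential theft, PSExec/WMI process creation) in
# audit mode first, then switch to block once the audit events look clean.
# Assumptions: Microsoft Defender AV is active; Office policy hive is 16.0.

$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office apps from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '9E6C4E1F-7D60-472F-BA1A-A39EF4E9B4E5' = 'Block credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations from PSExec and WMI'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

function Set-RansomwareAsrRules {
    # AuditMode logs what would have been blocked; Enabled actually blocks.
    param([ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode')
    foreach ($id in $asrRules.Keys) {
        # Add-MpPreference merges with rules already configured instead of replacing them
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ('{0,-9} {1}' -f $Mode, $asrRules[$id])
    }
}

function Enable-OfficeMacroAmsi {
    # MacroRuntimeScanScope: 0 = off, 1 = low-trust documents only (default), 2 = all documents
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'MacroRuntimeScanScope' -PropertyType DWord -Value 2 -Force | Out-Null
}

function Show-AsrState {
    # Print every configured rule with its current action (0 = off, 1 = block, 2 = audit)
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
        $name = if ($asrRules.ContainsKey($id)) { $asrRules[$id] } else { '(other rule)' }
        '{0}  action={1}  {2}' -f $id, $pref.AttackSurfaceReductionRules_Actions[$i], $name
    }
}

Set-RansomwareAsrRules -Mode AuditMode
Enable-OfficeMacroAmsi
Show-AsrState
# Audit hits land in Microsoft-Windows-Windows Defender/Operational as event ID 1122
# (1121 once a rule is in block mode); review them before re-running with -Mode Enabled.
```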
Businesses have been urged to tighten their data protection technologies, policies and procedures after a UK Supreme Court ruling yesterday left the door open for employers to be sued by their staff for insider breaches.
The case involved supermarket chain Morrisons, which suffered such a breach in 2014 when former internal auditor Andrew Skelton published online the details of nearly 100,000 employees — including NI numbers, birth dates and bank account data.
Some 5000 of these employees then brought civil proceedings against the firm, arguing it was liable for the misuse of their data. Both the High Court and the Court of Appeal ruled that, although the supermarket chain was not primarily to blame, as its security safeguards were sound, it was “vicariously liable” for Skelton’s actions.
“In simple terms Morrisons had to underwrite Skelton’s actions as an employee,” explained legal firm Cordery Compliance. “This was in part because they had selected Skelton for the trusted position of being the middle-man in transferring the [HR data] to KPMG.”
However, the Supreme Court has now ruled in Morrisons’ favor: in effect saying that in this case the employer cannot be held vicariously liable as the employee (Skelton) was pursuing a vendetta.
This is a victory for the supermarket, and several legal experts have argued that employers will also be breathing a sigh of relief that they won’t be held liable in similar circumstances.
Yet firms aren’t completely off the hook, according to Claire Greaney, senior associate at Charles Russell Speechlys.
“It wasn’t all good news for businesses today. The court did not say there could never be vicarious liability for the conduct of employees in the world of data protection. If the door to vicarious liability was left ajar by the Court of Appeal, the Supreme Court has confirmed that it is staying open,” she argued.
“In the GDPR era of mandatory notification businesses will need to look carefully at the measures they take to mitigate these risks, including taking out data insurance to protect themselves.”
Cordery Compliance speculated that the case may also have gone differently had the subject of primary liability been considered.
“Under GDPR there is a very strong emphasis on organizations having ‘technical and organizational measures’ (TOMs) in place to ensure GDPR compliance, including with regard to keeping data secure,” it argued.
“Whilst the law was similar pre-GDPR it could be argued that employers should be more conscious of TOMs like access rights and data loss prevention now that GDPR is in force. With this in mind, had the Morrisons case been decided under GDPR might there have been a different outcome as regards primary liability and the personal data that left Morrisons’ systems?”
It’s also true that companies can still be held liable for the actions of their staff in a data breach context where those employees are not acting outside the course of their employment, i.e. in cases of accidental leaks or negligence.
A cybersecurity company has launched a lockdown-friendly hacking competition that doesn't require any travel or socializing.
Participants of Cyber 2.0's new Home Hackers Challenge can compete for a cash prize without having to leave their houses.
The competition is open to every hacker in the world, and the premise is simple—the first competitor to break into a computer-simulated organization scoops the glory and 10,000 NIS, equivalent to 2,850 USD.
Protecting the fake organization is the company's own patented cybersecurity solution, the Cyber 2.0 program.
Cyber 2.0's Sneer Rozenfeld has no qualms about laying the reputation of the company and its cybersecurity products on the line. He said previous attempts to break through their protective layer by private hackers, companies, and specialized military units had all failed.
"We did two hacking challenges already—this is our third one. We ran the first one in 2018 in Israel; no-one succeeded. Then in 2019, we ran a second competition in Atlanta, Georgia, with a $100,000 prize, and no-one succeeded. So, we do believe our system will not be hacked."
The competition will take place on April 6 between 11 a.m. and 3 p.m. (GMT+3). Hackers can enter through the company's website, cyber20.com.
Rozenfeld said: "The prize will go to the first hacker who breaks in with no prize for second place."
In previous years, when no hacker was able to defeat the company's cybersecurity program, Cyber 2.0 kept the prize money. However, this year, if no hacker manages to successfully break into the faux organization, the prize money will be donated to an Israeli charity that supports families in need.
Rozenfeld said: "Everyone is affected by the coronavirus, so we want to be humble and this time not keep the money but give it away."
The ongoing health crisis has meant that Cyber 2.0 can only give hackers a short window in which to complete the challenge.
Rozenfeld said: "Holding this sort of challenge takes a lot of resources of the company so we decided to do it for 4 hours. Due to coronavirus regulations in Israel, we can't have more than 2 people on the premises, and we need more than 2 for supporting the challenge."
An American healthcare provider whose patients' records were allegedly published online in a ransomware attack has told patients their data is secure.
Affordacare runs an urgent care walk-in clinic network out of five locations in Texas. The organization was hit by a ransomware attack in February.
In a breach notification published on the organization's website, Affordacare wrote: "Hackers attacked Affordacare’s servers and were able to compromise some limited, confidential information on or around Feb. 1, 2020. The hackers also installed ransomware on the servers."
The healthcare provider said that data exposed in the incident included names, addresses, telephone numbers, dates of birth, ages, dates and locations of visits, reasons for visits, insurance plan providers, insurance plan policy numbers, insurance group numbers, treatment codes and descriptions, and comments from health care providers.
Despite refusing to pay the ransom, Affordacare told patients that "this incident did not affect your electronic health records, labs, Social Security number or any personal payment information."
The healthcare provider said that the majority of health care records were stored in a cloud-based electronic health records system that was not affected by the incident.
Ransomware group MAZE has claimed responsibility for the February attack on Affordacare. The threat group claims to have exfiltrated more than 40 GB of data from the healthcare provider, including sensitive patient health data.
MAZE published what it claims is Affordacare data in a data dump on February 1 at http(colon)//mazenews(dot)top/site after the healthcare provider allegedly refused to pay the ransom.
After viewing the alleged Affordacare data, Emsisoft threat analyst Brett Callow told Infosecurity Magazine: "The dump includes information relating to numerous patients, including reports that were presumably requested by Affordacare from other medical practices, as well as details relating to Affordacare’s own payroll and the resumes of people who had applied for employment."
What appear to be Affordacare patient records published online by MAZE and viewed by Infosecurity Magazine included names, Social Security numbers, and details of a testicular sonogram.
After notifying patients about the breach by letter on March 30, Affordacare stated on its website: "At this time, we do not know if your information was actually taken or misused."
More ransomware victims than ever before are complying with the demands of their cyber-attackers by handing over cash to retrieve encrypted files.
New research published March 31 by CyberEdge shows that both the number of ransomware attacks and the percentage of attacks that result in payment have increased every year since 2017.
The CyberEdge 2020 Cyberthreat Defense Report states 62% of organizations were victimized by ransomware in 2019, up from 56% in 2018 and 55% in 2017.
"Ransomware is trending in the wrong direction . . . again," state the report's authors.
"This rise is arguably fueled by the dramatic increase in ransomware payments."
In 2017, just 39% of organizations hit by ransomware paid to retrieve their encrypted data. That figure rose to 45% in 2018, then shot up to 58% in 2019.
To create the annual report, CyberEdge surveyed 1,200 qualified IT security decision makers and practitioners from organizations with over 500 employees in 19 different industries. The organizations were located in 17 countries across North America, Europe, the Middle East, Africa, Asia Pacific, and Latin America.
Another key finding of the report was that last year, for the first time ever, more than a third (35.7%) of organizations experienced six or more successful attacks.
When questioned over the future cybersecurity of their organization, respondents revealed that they were picking up bad vibes.
"The number of respondents saying that a successful attack on their organization is very likely in the coming 12 months reached a record level," states the report.
Of those IT security professionals surveyed, 69% believe a successful attack to be in the cards in 2020. This doom-laden percentage was up from 65% in 2019 and 62% in 2018.
As for which cyber-threats caused the greatest amount of concern, survey respondents said malware was the biggest problem, closely followed by phishing and ransomware, which tied in second place.
This year was the first time that the CyberEdge survey respondents were asked if they were concerned about attacks on brand and reputation in social media and on the web. This new threat tied in tenth place with watering-hole attacks, but the report's authors predict it will place higher next year.
They wrote: "We think this category (which includes hijacking social media accounts, using typo-squatting websites for fraud, and selling counterfeit goods online) will become more of a concern in the cybersecurity community."
UK businesses could be putting customer data at risk by having a low understanding of important data protection legislation. Research from IONOS has shown that 44% of IT decision makers in the UK do not have a comprehensive understanding of the US CLOUD Act. In contrast, 92% had a comprehensive understanding of the EU’s General Data Protection Regulation (GDPR).
The survey included 500 UK-based IT decision makers, analyzing their knowledge of key data legislation, attitudes towards data storage and cloud services usage. In particular, it highlighted a significant lack of understanding of the US CLOUD Act, passed into law in 2018. Among the provisions of the Act, it gives US law enforcement agencies the power to request data stored by most major cloud providers. Around six months ago, the UK and US signed the CLOUD Act agreement, making it applicable to UK businesses.
The study revealed that 47% of the IT decision makers were unaware that, under the legislation, US cloud hosting providers may be required to disclose customers’ data to US officials. This applies regardless of whether the information was stored inside or outside of the US, and is irrespective of GDPR regulations.
“GDPR compliance has been a key focus for many European and global businesses since it was introduced, but IT professionals are under pressure to keep up with the constantly evolving data security landscape,” explained Achim Weiss, CEO at IONOS. “The US CLOUD Act adds another layer of potential misunderstanding for those hosting with US cloud providers.”
Surprisingly, a high proportion of those polled were willing to store sensitive information in the cloud, including personal customer and employee details (54%) and accounting data (50%).
Weiss added that much more education around the US CLOUD Act as well as storage best-practice is required for UK businesses to ensure their data is safe and secure.