News Items

Cybercriminals may have accessed the protected health information (PHI) of hundreds of thousands of patients of a network of community health centers based in California. Nonprofit Community Medical Centers (CMC) primarily serve low-income patients, migrants, and homeless people in the Northern California counties of San Joaquin, Solano, and Yolo. CMC stated that some unusual network activity was detected on October 10th. During the investigation, they found that unauthorized individuals had gained access to parts of its network in which patients' protected health information was stored. Data that the hackers may have obtained includes medical information, first and last names, mailing addresses, dates of birth, demographic information, and Social Security numbers.

Infosecurity reports: "California Health Network Reports Data Breach"

Researchers at the University of Michigan have automated a technique called formal verification, which is a step towards ensuring the safety, security, and proper functioning of protocols implemented to dictate how networked services operate. The system developed by the researchers proves, without human effort, that Paxos, one of the most foundational distributed computing protocols, does meet its specifications. This achievement disproves the notion that Paxos and other similar protocols are too complex to be proven secure without hours of human effort. The growth of cloud computing and the increased use of technologies such as blockchain applications have changed how organizations and individuals engage with computing, thus resulting in a world powered by networked machines that face a continuously growing load. This makes critical infrastructure more vulnerable to widespread, adverse effects from hackers, server outages, and more. Therefore, it is important to have airtight distributed protocols to ensure that software systems can run on machines spread globally. Paxos is one of the significantly complex algorithms defining how machines in a network can work together in a single system. It describes an approach known as consensus, which is used in almost all critical distributed systems, including applications supported by cloud computing. This article continues to discuss the Paxos consensus protocol, the concept of formal verification, and the study on the automatic verification of Paxos.

University of Michigan reports "Distributed Protocol Underpinning Cloud Computing Automatically Determined Safe and Secure"

Security researchers at Symantec have discovered a new data exfiltration tool designed to accelerate information theft for ransomware groups using the BlackMatter variant. Dubbed "Exmatter," the tool is designed to steal specific file types from selected directories and then upload them to a server under the control of BlackMatter attackers. The researchers stated that this process of whittling down data sources to only those deemed most profitable or business-critical is designed to speed up the whole exfiltration process, presumably so the threat actors can complete their attack stages before being interrupted. After retrieving the drive names of all logical drives on a victim computer and collecting all file pathnames, Exmatter disregards anything under specific directories such as "C:\Documents and Settings." The tool only exfiltrates specific file types such as PDFs, Word docs, spreadsheets, and PowerPoints and aims to prioritize those for exfiltration using LastWriteTime. Once exfiltration has been completed, Exmatter looks to overwrite and delete any traces of itself from the victim's computer. The researchers noted that they found various versions of the tool, indicating that its developers have tried to refine its functionality to accelerate the process of data theft as far as possible.

Infosecurity reports: "BlackMatter Group Speeds Up Data Theft with New Tool"

According to Europol, 12 individuals believed to be connected to ransomware attacks against over 1,800 victims in 71 countries have been arrested. The law enforcement report revealed that the actors launched ransomware strains, including LockerGoga, MegaCortex, and Dharma. They also deployed malware such as TrickBot and post-exploitation tools like Cobalt Strike. LockerGoga emerged in the wild in January 2019, when it was used to attack the French engineering and R&D consultant Altran Technologies. The number of LockerGoga and MegaCortex infections was the highest during that year. A report from the National Cyber Security Centre (NCSC) in the Netherlands linked 1,800 infections to Ryuk and those two strains. The most notable case attributed to the suspects is a 2019 attack against the Norwegian aluminum production giant Norsk Hydro, which disrupted the company's operations. An announcement posted by the Norwegian police said that they never stopped hunting for the threat actors as they worked with foreign counterparts to take them down. The arrests were made in Ukraine and Switzerland on October 26, 2021. The simultaneous raids also led to police seizing $52,000 in cash, electronic devices, and more. Europol described the arrested individuals as high-value targets because they are believed to have initiated multiple high-profile ransomware incidents. In addition, the cybercriminals had specialized roles in a highly organized criminal organization, with each of them being responsible for different operations. For example, some of them carried out activities in network penetration, while others executed brute force attacks, performed SQL injections, or handled credential phishing operations. This article continues to discuss the arrest of 12 hackers who were behind more than 1,800 ransomware attacks.

Bleeping Computer reports "Police Arrest Hackers Behind Over 1,800 Ransomware Attacks"

The FBI recently issued a report on the Indicators of Compromise (IOCs) for the Ranzy Locker ransomware, which has been targeting businesses in the US since late 2020. By July 2021, Ranzy Locker ransomware compromised over 30 victims in the information technology sector, transportation sector, construction subsector of critical manufacturing, and the academia subsector of government facilities. In addition to sharing the IOCs for the ransomware, the FBI lists a series of recommended mitigations for protecting systems from Ranzy Locker. These mitigations include periodically updating applications and operating systems, backing up all data offline, implementing network segmentation, reviewing logs, auditing user accounts, enabling multi-factor authentication, and disabling unused protocols. This article continues to discuss a typical Ranzy Locker ransomware attack and the report released by the FBI on the IOCs for this ransomware.

Security Week reports "FBI Publishes Indicators of Compromise for Ranzy Locker Ransomware"

Security researchers at Website Planet have found an unsecured database leaking over 886 million sensitive patient records online. The non-password-protected data trove was traced to healthcare AI firm Deep 6 AI, which fixed the privacy snafu promptly after it was responsibly disclosed. Deep 6 AI applies intelligent algorithms to medical data to help find patients for clinical trials within minutes. The researchers stated that the exposed data included: date, document type, physician note, encounter IDs, patient ID, notes, UUID, patient type, note ID, date of service, note type, and detailed note text. The researchers noted that the notes and physician information were stored in plain text, meaning anyone who discovered the database could have accessed intimate details of patient illnesses. Patient IDs were encrypted, but it's unclear how strongly. This would make it harder for opportunistic cybercriminals to unmask the victims. However, if an adversary were able to do so, the 68.5GB database would seem to offer plenty of information to use in possible extortion attempts or to sell on the dark web. The researchers stated that hypothetically, this exposure could have provided scammers with a list of 89,143 medical professionals that they could target using insider information and their own notes to gain trust.

Infosecurity reports: "Misconfigured Database Leaks 880 Million Medical Records"

SoS Musings #54 -

The Role of Psychology in Cybersecurity

Cybersecurity Snapshots #23 -

Cybercriminals Are Decreasing Their Use of Bitcoin

The email security provider Inky has released a report detailing a new phishing campaign in which both Craigslist and OneDrive are used to trick people into installing malware. The attackers behind the phishing campaign used different tactics to pull off their scam. They sent emails to active Craigslist users instead of random people. The phishing messages came from a Craigslist domain and a legitimate Craigslist IP address. Since the messages appeared legitimate, they were able to evade standard email security protocols. As Craigslist did not intend to send those emails, Inky believes the site could have been compromised by malicious actors, especially since users were specifically targeted. The actors also abused a Craigslist function known as "mail relay" to remain anonymous. In addition, the attackers used a legitimate Microsoft OneDrive site, impersonated DocuSign, and displayed Norton and Microsoft logos. Inky recommends that users be on the lookout for unusual requests and signs of indirect ways to resolve an issue. The provider also suggests that users be suspicious of the mixing of platforms, such as the use of a document uploaded to OneDrive to resolve a Craigslist problem. This article continues to discuss the recent phishing attacks that have exploited Craigslist and Microsoft OneDrive.

TechRepublic reports "Phishing Attack Exploits Craigslist and Microsoft OneDrive"

Ido Hoorvitch, a security researcher at the identity and access management provider CyberArk discovered that he could recover network passwords for over 70 percent of the networks he scanned just by using information gathered as he biked, walked, or drove along the streets of Tel Aviv, Israel. He used a wireless scanner made up of a $50 network card connected to a laptop running Ubuntu, in addition to the Hcxdumptool tool available on GitHub, to collect Wi-Fi Protected Access (WPA) packets from nearby networks. Of the 5,000 networks from which the researcher collected information, 44 percent had a cellphone number as a password. Another 18 percent were discovered to be on the common password list called "RockYou.txt." The rest of the passwords were other simple combinations of numbers and letters. In total, the study found passwords for 3,633 of the 5,000 targeted networks. Using a strong, complex password for a wireless network is said to protect against the attack. Although 18 percent of the passwords were found through the use of the popular password list RockYou.txt, nearly 50 percent of the passwords used only numbers, most of which are users' cellphone numbers, thus providing little security. While multi-factor authentication (MFA) is often cited as a solution to password security issues and would bolster wireless network security, it is difficult to implement on consumer Wi-Fi networks. This article continues to discuss the cracking of 70 percent of neighborhood Wi-Fi passwords in a study conducted by CyberArk and why wireless networks continue to be a weak point for many consumers and enterprises.

Dark Reading reports "Wardrivers Can Still Easily Crack 70% of Wi-Fi Passwords"

Security researchers at Deloitte did a new study where they surveyed 577 C-suite executives worldwide on their organization's cybersecurity programs. The researchers found that almost all (98%) US-based organizations and 86% of non-US organizations experienced at least one cyber event in the past year. A considerable proportion (86%) of US companies faced increased cyber threats due to COVID-19. Interestingly, a significantly lower proportion (63%) of non-US executives reported experiencing an increased rate of attacks during the pandemic. The researchers found that breaches caused organizations operational disruption (28%), share price drop (24%), leadership change (23%), intellectual property theft (22%), and loss of consumer trust (22%). Despite this, 14% of US executives admitted their organization has no cyber threat defense plans, which compares to just 6% of non-US executives. According to the survey, the three most significant barriers to US organizations' cybersecurity management programs were increases in data management, perimeter and complexities (38%), inability to match rapid technological changes (35%) and a need for better prioritization of cyber-risk across the enterprise (31%). Another major security challenge for US companies is recruitment, with 31% of US executives stating they cannot attract or retain cyber talent. This compares to just 16% of non-US companies.

Infosecurity reports: "Almost All US Organizations Experienced a Cyber Event in the Past Year"

According to researchers at (ISC)2, the global cybersecurity skills shortage has fallen for the second consecutive year, but the size of the workforce is still 65% below what it needs to be. The researchers interviewed 4,753 cybersecurity professionals and IT workers who dedicate at least 25% of their time to security tasks. The researchers found that the shortfall of skilled workers in the industry had sunk from 3.12 million last year to 2.72 million. According to respondents, staff shortages can mean more chance of misconfigured systems, patching delays, process oversights, rushed deployments, sub-par threat detection and response, and less time for proper risk assessments. Fortunately, organizations are taking some steps to alleviate the impact of shortages. These include training (36%), provision of more flexible working (33%), investing in diversity, equity, and inclusion (DEI) initiatives (29%). Other respondents cited the use of cloud service providers (38%), automation of manual tasks (37%), and getting staff involved earlier in third-party relationships (32%).

Infosecurity reports: "Global Security Skills Shortage Falls to 2.7 Million Workers"

Researchers at the industrial cybersecurity firm Claroty discovered 17 types of vulnerabilities in the Versiondog data management product made by Germany-based AUVESY. The flaws, which have now been patched by the vendor, affected Versiondog, a product that provides automatic backup and version control capabilities, and can be integrated into various industrial systems. The vendor's site revealed that this product has been used by companies such as Nestle, Coca-Cola, Kraft Foods, and many automotive giants. Some of the largest industrial enterprises run Versiondog to store and document software versions automatically, and back up data that can be compared to current error-free versions to ensure plants run efficiently. The disruption or manipulation of information handled by the product poses significant risks to the safety and integrity of an industrial process. Versiondog was found to contain vulnerabilities that can allow remote attackers to evade detection, elevate privileges, access hardcoded cryptographic keys, manipulate files, cause denial-of-service (DoS), and more. These security holes were found in Versiondog's OS Server API, Scheduler, and WebInstaller components. This article continues to discuss the severity, potential exploitation, and disclosure of the critical vulnerabilities in Versiondog.

Security Week reports "Critical Vulnerabilities Found in AUVESY Product Used by Major Industrial Firms"

According to Microsoft, the group behind the SolarWinds attack, Nobelium, is now targeting technology companies that resell and provide cloud services for customers. The researchers stated that Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain. The researchers noted that they believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers' IT systems and more easily impersonate an organization's trusted technology partner to gain access to their downstream customers. The researchers found that the group has not tried to find vulnerabilities in software but is using techniques like phishing and password spray to gain entry to the targeted networks.

NPR reports: "The Russian Hacker Group Behind The SolarWinds Attack Is At It Again, Microsoft Says"

Malware authors often leverage vulnerabilities contained by software. However, malware could also have bugs and coding errors that cause it to crash or serve as backdoors for white hat hackers. Zscaler researchers studied the types of vulnerabilities that exist in some of the most prevalent malware families. They explored the use of these bugs or vulnerabilities to prevent malware infection, and to find out whether they are real vulnerabilities and coding errors or escape mechanisms. The researchers analyzed a dataset of malicious samples collected from 2019 to March 2021. Using behavioral similarities, they clustered the samples. They also used MITRE's Common Weakness Enumeration (CWE) system to classify malware. By looking at multiple examples of malware consisting of different types of vulnerabilities, the researchers were able to observe that malware sometimes does not validate the output of a queried Application Programming Interface (API) or cannot handle different types of command-and-control (C&C) responses. Malware is often developed based on the author's local environment. Oftentimes, malware authors also do not consider other techniques such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) that are needed to load modules in malware, which causes them to crash. Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, points out that these bugs may be the result of rushing, inexperience in using development best practices, or other resource constraints. Security vendors could use these bugs to write different types of signatures for the identification and blocking of such malware attacks. This article continues to discuss key findings from Zscaler's study on the types of vulnerabilities in malware and how security researchers can use these bugs.

Security Magazine reports "Bugs in Malware Creating Backdoors for Security Researchers"

The FIN7 hacking group, also known as Carbanak, is now creating fake cybersecurity companies that perform network attacks under the guise of penetration testing. FIN7 has been involved in cyberattacks and campaigns aimed at stealing money since 2015, when the group first emerged, infecting ATMs with man-in-the-middle (MITM) attack-enabling malware. Researchers at Gemini Advisory uncovered the fake cybersecurity firm called Bastion Secure, set up by FIN7. According to the researchers, the website created for the fake corporate entity contained stolen and recompiled content from other websites. Bastian Secure's website claims that the company is based out of England, but the researchers observed the site serving 404 error pages in the Russian language. The website's 'About' page also states that the company is a spin-off of the legitimate cybersecurity firm Convergent Network Solutions Ltd. FIN7 was found offering between $800 and $1,200 per month to recruit C++, PHP, and Python programmers as well as Windows system administrators and reverse engineering specialists. The researchers believe the hacking group also wanted to hire system administrators because they would be able to map compromised corporate systems, conduct network reconnaissance, and locate backup servers and files, all of which are skills required for the pre-encryption stages of ransomware attacks. This article continues to discuss the evidence that suggests FIN7 was behind the creation of the fake Bastion Secure cybersecurity firm.

Bleeping Computer reports "Hacking Gang Creates Fake Firm to Hire Pentesters for Ransomware Attacks"

CISA, the US Cybersecurity and Infrastructure Security Agency has awarded NPower and CyberWarrior contracts worth $2m to bring cybersecurity training to underserved communities such as the unemployed and underemployed. One of the goals of these programs is to develop cybersecurity talent from non-traditional sources to address the shortage of workers in this area. They will be looking to increase underrepresented groups in the industry such as people of color, women, military spouses and veterans from both urban and rural communities.

The U.S. Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) awarded $2 million to NPower and CyberWarrior in support of the development of cyber workforce training programs. The two organizations will focus on unemployed, underemployed, and underserved communities in urban and rural areas. They will also focus on commonly underserved populations, including veterans, military spouses, women, and people of color. The awards are part of CISA's mission to recruit diverse cybersecurity talent and build a skilled workforce. They are also the first of their kind to be given by CISA. The CISA Director Jen Easterly pointed out that addressing the cyber workforce shortage requires proactively searching and fostering prospective talent from nontraditional places. NPower and CyberWarrior will work with CISA to develop a scalable and replicable proof-of-concept program that identifies and trains talented individuals in cybersecurity. The three-year pilot program will develop and implement a comprehensive cybersecurity pathways retention strategy, deliver entry-level cybersecurity training via innovative training hubs, place talented individuals into entry-level cybersecurity jobs to decrease the cyber workforce shortage, and more. This article continues to discuss CISA's latest workforce development effort that aims to benefit communities and populations that may not currently have access to cybersecurity training programs.

HSToday reports "CISA Awards $2 Million to Bring Cybersecurity Training to Rural Communities and Diverse Populations"

The Space Information Sharing and Analysis Center (Space ISAC) and the NY Metro InfraGard Members Alliance (NYM-IMA) will work together to strengthen cybersecurity in space. The organizations signed a Memorandum of Understanding, thus allowing them to collaborate in different ways. This collaboration will focus on raising further awareness about the various activities in the space domain among space users and operators. The Space ISAC's mission is to improve the ability to prepare for and respond to vulnerabilities, incidents, and threats. The organization also wants to spread timely and actionable information to member entities, and serve as the main communications channel for the space sector regarding such information. Through this collaboration, the Space ISAC will develop a platform that enables collaboration and communication among organizations involved in the space industry. This article continues to discuss the partnership formed between the Space ISAC and the NYM-IMA to bolster space cybersecurity.

Cyber Intel reports "Space ISAC and NY InfraGard Collaborate To Advance Cybersecurity in Space"

Researchers at Check Point have discovered new multi-function malware abusing the core functions of popular group app platform Discord. The researchers found several malicious GitHub repositories featuring malware based on the Discord API and malicious bots. It included various features, including keylogging, taking screenshots, and executing files. Discord bots help users automate tasks on the Discord server. However, they can also be used for malicious ends, the researchers warned. For example, the Discord Bot API can easily be manipulated to turn a bot into a simple Remote Access Trojan (RAT). This doesn't even require the Discord app to be downloaded to a target's machine. The researchers noted that communications between attacker, Discord server, and victim's machine are encrypted by Discord, making it much harder to detect any malware. The researchers said that this could provide attackers with an "effortless" way to infect machines and turn them into malicious bots. The researchers noted that the Discord API does not require any type of confirmation or approval and is open for everyone to use. Due to these Discord API freedoms, the only way to prevent Discord malware is by disabling all Discord bots. The researchers noted that preventing Discord malware can't be done without harming the Discord community, and as a result, it is up to the users' actions to keep their devices safe. The researchers also found dozens of instances where threat actors used Discord as a malicious file hosting service, with their privacy protected by the app.

Infosecurity reports: "Threat Actors Abusing Discord to Spread Malware"

Security researchers at Akamai analyzed 10,000 malicious JavaScript samples that represent threats such as malware droppers, phishing pages, scammers, cryptomining malware, and more. The analysis revealed that at least 25 percent of the samples used JavaScript obfuscation methods to evade detection. According to the researchers, this finding suggests the continued adoption of obfuscation techniques by cybercriminals to remain undetected. They call on the use of more advanced Machine Learning (ML) techniques to detect malicious obfuscation. These ML techniques should enable the differentiation between malicious and benign obfuscated JavaScript. The researchers also say an approach to detection should use additional indicators and automatically consider obfuscated code as suspicious until proven otherwise. This article continues to discuss key findings from Akamai's analysis of malicious JavaScript samples.

ITPro reports "A Quarter of All Malicious JavaScript Is Obfuscated"

A cyberattack on the vendor of a network of dental practices may have exposed the data of tens of thousands of patients. An adversary used a phishing attack to gain access to the computer systems of North American Dental Management between March 31 and April 1, 2021. Pittsburgh-based North American Dental Management provides administrative and technical support services for Professional Dental Alliance (PDA) offices. PDA notified patients that an unauthorized individual may have accessed some of their protected health information (PHI) after the security breach. The information that may have been exposed was stored in email accounts that the attacker could breach. At this time, the identity of some individuals is known, but the vendor's investigation is ongoing. After discovering the breach, North American Dental Management took steps to secure the compromised email accounts and launched an investigation. PDA noted that it had not found any evidence of any actual misuse of personal information and that its investigation of the matter indicates that the attack was limited to email credential harvesting. The threat actor did not access PDA's patient electronic dental record or dental images; however, the Alliance found that some sensitive personal information may have been present in the compromised email accounts. The full extent of the potentially affected personal information is not yet known and will vary between persons, but it may include the following: name, address, email address, phone number, dental information, insurance information, Social Security Number, and/or financial account numbers. The breach was reported to the DHS's Office for Civil Rights, impacting 125,760 patients in Connecticut, Florida, Georgia, Illinois, Indiana, Massachusetts, Michigan, New York, Texas, and Tennessee.

Infosecurity reports: "Data Breach Hits US Dental Patients"

The U.S. Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) published a joint cybersecurity advisory regarding BlackMatter ransomware cyber intrusions that have targeted two U.S. food and agriculture sector organizations and other U.S. critical infrastructure entities. The advisory provides technical details and an assessment of BlackMatter ransomware. It also includes mitigation actions to consider taking, to reduce the risk of a BlackMatter ransomware attack. Eric Goldstein, CISA's Executive Assistant Director for Cybersecurity, says the advisory emphasizes the need for a collective public and private approach to reduce the impact and frequency of ransomware attacks. This article continues to discuss the advisory released by CISA, the FBI, and the NSA about the BlackMatter ransomware gang and recommended best practices for organizations to protect their networks, systems, and data.

CISA reports "CISA, FBI, and NSA Release BlackMatter Ransomware Advisory To Help Organizations Reduce Risk of Attack"

New research from the Cyentia Institute explored the top 50 multi-party breaches, finding that the average large-sized breach involved 31 organizations and cost an average of $90 million, compared to the average loss of $200,000 due to a typical cybersecurity incident. Although system intrusions impacted the most organizations, ransomware and wiper incidents resulted in the greatest loss. Cyentia also found that attacks involving valid accounts and those that nation-state actors carried out, caused significantly greater damages per incident. These findings further emphasize the importance of companies increasing their efforts to ensure that their vendors and contractors are not opening their networks to attacks. The lesson learned from the largest multi-party breaches is that companies' cybersecurity and risk mitigation efforts must focus on attackers targeting businesses as well as those targeting third parties, which ripples down to vendors' clients. Wade Baker, the co-founder of Cyentia calls on organizations to approach risk management with more supply chain or third-party-centric thinking to help deal with nation-state actors or cybercriminal gangs. This article continues to discuss key findings from Cyentia's Information Risk Insights Study (IRIS).

Dark Reading reports "Damages Escalate Rapidly in Multi-Party Data Breaches"