News Items

The Center for Internet Security (CIS) officially announced the launch of CIS Controls v8. The Controls have been enhanced to keep up with evolving threats and technology, including modern systems and software. The CIS Controls are prioritized Safeguards that mitigate the most common cyberattacks targeting networks and systems. They are referenced by many legal, policy, and regulatory frameworks. The continued integration of cloud resources and mobile devices into enterprise networks prompted the update to the CIS Controls. CIS Controls v8 combines and consolidates the CIS Controls based on activities rather than by who manages the devices. The new version of CIS controls. Attempts to streamline the Controls and organize them by activity have decreased the number of Controls from 20 to 18. The 18 top-level Controls consist of 153 Safeguards intended to help enterprises improve their cybersecurity posture. The whole ecosystem surrounding the Controls has been or will soon be updated too. This ecosystem includes the CIS Controls Self-Assessment Tool (CSAT) (Hosted & Pro), Community Defense Model (CDM), CIS Risk Assessment Method (CIS RAM), CIS Controls Mobile Companion Guide, CIS Controls Cloud Companion Guide, and more. This article continues to discuss the development and launch of CIS Controls v8 and updates to the whole ecosystem surrounding these controls.

CIS reports "Center for Internet Security (CIS) Releases CIS Controls v8 to Reflect Evolving Technology, Threats"

Developers should be more responsible for the security of their code. One of the best ways to ensure software quality is to perform source code reviews to identify and remediate security risk before an application moves into production. Developers already spend a significant number of hours finding and fixing bugs in code. According to a recent survey conducted by the software firm Rollbar, 32 percent of developers spend up to 10 hours a week remediating bugs, while 16 percent spend up to 15 hours a week, and 6 percent dedicate up to 20 hours a week fixing bugs instead of writing new code. Open-source code is also widely used in software development. Currently, 99 percent of codebases have at least one open-source component, and 91 percent have components that are either out-of-date by more than fours or have not seen development activity in the last two years. Efforts for securing open-source code remain in the wild west phase. Some of the best tactics for performing security code review include determining the most common vulnerabilities for the type of application that you are working with, tracking data flow, ensuring your application is using secure settings based on best practices, and findings the right tools that can help remediate security issues more efficiently. This article continues to discuss how much time developers dedicate to finding and fixing bugs in code, and some best practices for performing security code reviews.

Help Net Security reports "The Basics of Security Code Review"

Akamai's new "State of the Internet" report reveals that the number of credential stuffing attacks reached 193 billion in 2020. The number of login attempts using stolen or reused credentials increased more than 310 percent from 47 billion in 2019. An unspecified amount of the login attempts was attributed to an increase in customers and an improved view of credential stuffing attacks. The increases not only show that attackers are throwing more requests at websites but also an increase in threats. Many businesses have moved a greater portion of their infrastructure to the cloud to enable access to corporate applications and data for remote works, over the past year. Therefore, attackers have focused more on cloud services that are accessible using a username-password combination. They have also been focusing more on Virtual Private Network (VPN) gateways. Akamai also emphasized the leak of millions of new usernames and passwords in early 2020, which contributed to the significant increase in credential stuffing observed later in the year. Akamai blocked a smaller volume of Web application attacks. However, such attacks can pose considerable danger. SQL injection (SQLi) attacks, which are executed against databases used to power websites, made up more than two-thirds of overall Web application attacks. Local File Inclusion (LFI) attacks follow SQLi attacks, accounting for nearly 22 percent of the total number of such attacks. This article continues to discuss key findings from Akamai's report on the state of the Internet.

Dark Reading reports "Credential Stuffing Reaches 193 Billion Login Attempts Annually"

A team of security researchers at Website Planet discovered an AWS S3 bucket left unprotected and unsecured by FastTrack Reflex Recruitment, now TeamBMS. The 5GB trove contained 21,000 files, including CVs featuring personal information such as email addresses, full names, mobile phone numbers, home addresses, and social network URLs. Other details included dates of birth, passport numbers, and applicant photos, according to Website Planet. The data could have been used to commit follow-on identity theft, fraud, and craft phishing attacks designed to steal more personal details or deploy malware if found by threat actors. The researchers also claimed that the information contained in the bucket could have been used for corporate espionage or to target victims' homes for burglary. The research team discovered the leak on December 29 last year and reached out several times to TeamBMS's parent company TeamResourcing and the UK CERT. The bucket was finally secured on March 23.

Infosecurity reports: "Recruiter's Cloud Snafu Exposes 20,000 CVs and ID Documents"

The FBI is warning families of missing persons to be on their guard for extortion demands from cyber-criminals claiming to have abducted their loved ones. The adversaries typically scour social media posts to gather information about missing persons and their families. They'll carry out open-source research to find out more about the individual to make their claims more realistic. The adversaries will then contact those family members online or call/message them using third-party apps to disguise their phone numbers. Usually, they'll request between $5000 and $10,000 in ransom, the FBI claimed. The FBI stated that generally, offenders do not offer proof of life. However, in one instance, an accomplice made telephone calls to family members claiming to be the missing person. Offenders often claim the missing person is ill or injured, adding to the urgency of the situation and putting additional pressure on family members to pay the ransom. Since the onset of COVID-19 nationwide stay-at-home orders, law enforcement has received several reports of scammers targeting families who have posted on social media about their missing family member. Such scams had increased over the past three years, with COVID-19 offering extortionists more opportunities to strike the vulnerable. The FBI is urging anyone who has been targeted in this way to contact their local law enforcement agency or FBI field office, file an online complaint with the Internet Crime Complaint Center and be sure to keep all records of communication with the individuals concerned.

Infosecurity reports: "Families of Missing Persons Receive Fake Ransom Demands"

The Irish Health Service Executive (HSE) recently faced a ransomware attack that led to disruptions to essential healthcare and social services in hospitals and community centers throughout Ireland. The Irish government warns that the attackers could leak sensitive medical information and other patient data. Experts have confirmed that the attack involved the human-operated ransomware variant called Conti. HSE's systems were also found to contain a remote access tool called Cobalt Strike Beacon, which the hackers used to move within the computer networks before carrying out the attack and demanding a ransom. Conti uses double extortion attacks in which hackers threaten to leak stolen information to the public if the victim chooses not to give in to ransom demands. However, the Irish government has confirmed that it will not pay the attackers' demanded ransom. Early findings indicate that the Eastern European-based threat group known as Wizard Spider was behind the attack on Ireland's health care system. This article continues to discuss the impact of the HSE ransomware attack, the use of the Conti variant in the attack, the threat group suspected to be behind the incident, and what HSE is doing to restore impacted computer systems.

ZDNet reports "Patient Data Could Be 'Abused' after Health Service Attack, Warns Irish Government"

According to Maddie Stone, a security researcher with Google's Project Zero bug-hunting team, about 21 zero-day vulnerabilities have been discovered so far in 2021. The number of zero-day vulnerabilities is expected to reach more than 60 if that pace continues. The team found a total of 24 zero-day flaws last year. The significant growth in zero-day vulnerabilities is said to be a result of improved visibility into the bigger picture. Stone says the key to battling zero-day exploits is raising defensive barriers and employing new methods that increase work for exploit writers. There are various ways to raise attacker costs, including time and money. Software developers are encouraged to write better patches to ensure that associated vulnerabilities are addressed by one patch, as nearly 25 percent of zero-day flaws discovered in 2020 were closely related to previously disclosed vulnerabilities. The window of time between the detection of a zero-day flaw and patch release must also be minimized, as this timeline often stretches from a few weeks to a couple of months. To shrink this timeline, Stone calls on the reimagination of vulnerability mitigation for software and devices, with emphasis on making mitigation options available within seven days to weaken the impact of the flaw. It is also important to increase the adoption of Rust, Go, and other memory-safe programming languages designed to prevent programmers from introducing certain types of bugs related to how memory is used. This article continues to discuss the growth in zero-day vulnerabilities and different strategies for raising costs for attackers in the exploitation of such flaws.

InfoRiskToday reports "Making Zero-Day Flaws Disappear"

The US Cybersecurity and Infrastructure Security Agency (CISA) has provided guidance to organizations impacted by the SolarWinds attack, which includes steps for evicting the attackers from compromised networks. The sophisticated cyberespionage campaign, attributed to Russian Foreign Intelligence Service (SVR) actors, affected many US government agencies, security vendors, and other different organizations. CISA's analysis report, AR21-134A, is tailored for federal agencies that used impacted versions of SolarWinds' Orion IT monitoring software and have discovered SolarWinds attacker activity in their environments. The report provides resource-intensive and highly complex steps that organizations should take to evict the adversaries from their compromised environments. These steps require disconnecting the enterprise network from the Internet for three to five days. The remediation plans outlined by CISA include steps to detect and identify adversary activity within the network, actions to remove the attacker from on-premises and cloud environments, and measures to ensure the success of the eviction operation. This article continues to discuss CISA's recently released eviction guidance for networks affected by the SolarWinds attack.

Security Week reports "CISA: Disconnect Internet for 3-5 Days to Evict SolarWinds Hackers From Network"

The DarkSide ransomware group behind the shutdown of the Colonial Pipeline seems to have gone dark, making it unclear as to whether the group is ceasing or altering its operations or is attempting to pull an exit scam. All eight of the dark web sites used by DarkSide to communicate with the public went down. The crime gang announced in a post that its website and content distribution infrastructure had been taken down by law enforcement, and the cryptocurrency it had received from victims had been confiscated. The group also said it would distribute a free decryptor to all victims who have yet to pay a ransom. However, there's no evidence that proves the group's claims. When law enforcement from US and Western European countries seize a website, they typically post a notice on the site's front page that discloses the seizure. However, none of the DarkSide sites display that notice. Most of them show blank screens or time out. DarkSide's claims follow the announcement from a prominent criminal underground forum called XSS that it was banning all ransomware activities. The site has served as a significant resource for ransomware groups, including REvil, Babuk, DarkSide, LockBit, and Nefilim, for recruiting affiliates who use the malware to infect victims and, in exchange, share a cut of the revenue generated. The decision by XSS will significantly disrupt the ransomware ecosystem as it removes a key recruiting tool and source of revenue. This article continues to discuss the alleged shutdown of the DarkSide ransomware operation and the future of the ransomware ecosystem.

Ars Technica reports "Pipeline Attacker DarkSide Suddenly Goes Dark--Here's What We Know"

Bruce Schneier, an internationally renowned security technologist, has been examining the potential unintended consequences of Artificial Intelligence (AI) on society, particularly how AI systems could evolve in a way that enables them to automatically and inadvertently abuse societal systems. Schneier highlights the idea of the AI being the hacker rather than malicious actors hacking AI systems. The main question posed in his research is, "what if artificial intelligence systems could hack social, economic, and political systems at the computer scale, speed, and range such that humans couldn't detect it in time and suffered the consequences?" It's the stage at which AI systems can creatively find hacks. Schneier points out that AI systems are already doing that in software to find vulnerabilities in computer code but are not very proficient at it. However, AI systems will likely improve while humans stay the same in their capability to discover vulnerabilities. He predicts that AI systems will soon be able to defeat humans in capture-the-flag hacking contests because AI technology will evolve and surpass human abilities. We should be prepared for AI systems that can create their own solutions regarding hacks and vulnerabilities, and the use of this evolution by humans to make money. According to Schneier, the biggest risk posed by AI systems is that they will find a way to hack rules without humans realizing it. The core problem is that AI doesn't have the same human cognitive functions like empathy or a hunch that could allow it to know where not to cross the line. There are many studies on incorporating context, ethics, and values into AI programs, but they still aren't built-in functions of AI systems used today. Schneier admits that the idea of AI systems being hackers remains speculative, but it's an issue that should be considered and addressed. He recommends using AI to improve defense activities, such as finding and fixing all vulnerabilities in a program before it is released. This article continues to discuss key insights shared by Bruce Schneier in his research on the potential dangers of AI hackers.

Dark Reading reports "When AI Becomes the Hacker"

A new study conducted by Kenna Security and the Cyentia Institute explores whether exploit code releases before patch availability help or harm security defenders. Some believe that releasing exploit code as soon as a vulnerability is discovered helps in penetration testing, presents an incentive for patching, and makes the vulnerability seem more real. Others believe that the early publication of exploits allows hackers, including those who would otherwise be unable to generate the code themselves, to reappropriate the exploit code. Kenna Security and the Cyentia Institute analyzed 6 billion vulnerabilities impacting 12 million active assets across almost 500 organizations during the study. Three key hypotheses explored in the study are that publishing exploit code encourages fixes, published exploits improve defense, and releasing exploit code accelerates breaches. They found that publishing exploits had minimal impact on whether organizations applied fixes, and releasing exploits pre-patch left a larger window of time between publishing a vulnerability and creating defensive signatures. It was discovered that network defenders were nearly exactly as likely to mitigate a problem when an exploit had been published before the patch. Patches were found to be more common when the first exploit was released after the patch. According to the study, hackers are also more likely to target vulnerabilities when an exploit is released, as vulnerabilities with exploit code were exploited 15 times more than those without a published exploit. This article continues to discuss key findings from the study on whether publishing exploits before patches are available does more harm than good.

SC Media reports "Publishing Exploits Early Doesn't Encourage Patching or Help Defense, Data Shows"

Mathy Vanhoef, a researcher at New York University Abu Dhabi, discovered a set of new Wi-Fi security vulnerabilities dubbed FragAttacks (fragmentation and aggregation attacks). These vulnerabilities impact all computers, smartphones, and other Wi-Fi devices released since 1997. Three of the vulnerabilities are said to be Wi-Fi 802.11 standard design flaws in the frame aggregation and fragmentation functionalities, while the other vulnerabilities stem from widespread programming mistakes made in Wi-Fi products. Experiments conducted by Vanhoef show that every Wi-Fi product is affected by at least one of the vulnerabilities and that most Wi-Fi products are impacted by many vulnerabilities. According to Vanhoef, the discovered vulnerabilities affect all Wi-Fi security protocols, including WEP and WPA3. Attackers have to be in the Wi-Fi range of targeted devices in order to abuse these design and implementation flaws. The exploitation of these flaws can allow attackers to steal sensitive user data and execute malicious, which could lead to the full takeover of devices. Vendors are developing patches for their products to mitigate the FragAttacks bugs. Cisco Systems, HPE/Aruba Networks, Juniper Networks, Microsoft, and more, have already released security updates and advisories for FragAttacks security. This article continues to discuss the discovery, impact, and mitigation of the FragAttacks vulnerabilities.

Bleeping Computer reports "All Wi-Fi Devices Impacted by New FragAttacks Vulnerabilities"

Proofpoint's 2021 Voice of the CISO report shares findings from a survey to which more than 1,400 CISOs at mid-sized to large companies across different industries worldwide responded. According to these findings, 66 percent of CISOs feel unprepared to handle cyberattacks. Over 50 percent of the CISOs expressed more concern about the consequences of a cyberattack in 2021 than in 2020. The survey also revealed that most CISOs consider human error the greatest vulnerability, which stems from the increase in remote work due to the COVID-19 pandemic. The security challenges presented by the widespread work-from-home model are expected to extend into the next year and beyond. CISOs are encouraged to increase efforts to secure more points of attack and educate users on long-term remote and hybrid work. This article continues to discuss key findings from the Proofpoint 2021 Voice of the CISO report regarding CISOs' growth in concerns surrounding cyberattacks in 2021 and the types of attacks that are of top concern to them.

Dark Reading reports "66% of CISOs Feel Unprepared for Cyberattacks"

President Biden has issued a long-awaited executive order (EO) designed to improve supply chain security, incident detection, response, and overall resilience to threats. The executive order comes amidst unprecedented attacks on the US government and critical infrastructure, in the form of the SolarWinds, Exchange Server, and Colonial Pipeline attacks, to name just a few. Among the key measures is a requirement for all federal government software suppliers to meet strict rules on cybersecurity. Eventually, the plan is to create an "energy star" label so both government and public buyers can quickly and easily see whether software was developed securely. Other measures included in the executive order are an "aircrash investigation-style" Cybersecurity Safety Review Board, which will make recommendations for improvements after any significant incident, and a standardized playbook for government incident response. The executive order will also mandate a drive to secure cloud services and zero trust, including multi-factor authentication and data encryption at rest and in transit, by default. Security experts have welcomed the executive order.

Infosecurity reports: "Biden Executive Order Mandates Zero Trust and Strong Encryption"

During new research conducted by researchers at HP Inc., they surveyed 8443 adults and 1100 IT decision-makers. The researchers found that young adults and parents of young children could be inviting cyber-threats by using work devices for risky personal tasks. Most (71%) of employees surveyed are accessing more company data more frequently from home than they did pre-pandemic, with over three-quarters (76%) admitting that working-from-home (WFH) has blurred the lines between their personal and professional lives. While a third (33%) of respondents are now downloading more to their devices from the internet, the figure rises to 60% for those aged 18-24-years-old. The researchers stated that this age group is more likely (60%) to watch online streaming services than the average (36%). In addition, over two-fifths (43%) of parents of children aged 5-16-years-old admitted to using work devices to play more games today than pre-pandemic. Over half (57%) of this group are also likely to use their work device for homework and online learning, versus an average of 40%. The researchers stated that this matters because threat actors are increasingly looking to target these behaviors. The research also revealed a significant number of home workers are using potentially insecure personal devices for work to access corporate applications (37%) and networks/servers (32%). Over half (51%) of IT decision-makers have seen evidence of compromised personal PCs being used to access company and customer data over the past year.

Infosecurity reports: "Home Working Parents and Young Adults Are Most Risky IT Users"

Both Israel and the US are facing more costly cyberattacks that could result in significant damage to critical energy infrastructure. A new consortium led by Ben-Gurion University of the Negev (BGU) and Arizona State University (ASU) will receive up to $6 million under a U.S.-Israel Energy Center research funding grant for energy infrastructure cybersecurity. Georgia Tech Research Corporation (GT) and several other tech partners are also included in the consortium. The consortium is working on a project titled "Comprehensive Cybersecurity Technology for Critical Power Infrastructure AI-Based Centralized Defense and Edge Resilience." This consortium aims to develop, integrate, and test technologies, as well as demonstrate high-value technologies capable of mitigating cyberattacks on the energy infrastructure. Data analytics, Artificial Intelligence (AI), and Machine Learning (ML) will be applied. This article continues to discuss the new consortium that brings BGU, ASU, and GT together and allocates resources to develop new technology for improving the cybersecurity of critical energy infrastructure.

Homeland Security News Wire reports "Protecting Critical Energy Infrastructure"

The National Institute of Standards and Technology's (NIST) National Cybersecurity Center of Excellence (NCCoE) has released the final version of a white paper titled "Getting Ready for Post-Quantum Cryptography: Exploring Challenges Associated with Adopting and Using Post-Quantum Cryptographic Algorithms." The purpose of this paper is to help organizations prepare for post-quantum cryptography. NIST has been working with researchers to develop cryptographic algorithms that can withstand the privacy and security threats that quantum computers will present. The paper emphasizes that the transition from today's standards to the new post-quantum public-key standards will likely be more challenging than the introduction of new classical cryptographic algorithms. As there is still a lack of implementation planning, it may take decades before the community replaces most of the vulnerable public-key systems being used today. It will not be easy to replace currently used encryption standards with quantum-resistant ones as some quantum-resistant candidate algorithms involve enormous signature sizes, require excessive processing, and use significantly large public or private keys. These factors would make it challenging to implement the solution widely. NIST emphasizes the need for various post-quantum algorithms in order to overcome sensitivity to large signature sizes and other implementation constraints. This article continues to discuss NIST's key points surrounding post-quantum cryptography challenges and how to overcome them.

GCN reports "NIST Previews Post-Quantum Cryptography Challenges"

St. Petersburg is participating in the development of a Smart City program that will provide new services to increase citizens' safety. This system depends on digital services. The environment adapts to the needs of humanity through the use of Internet of Things (IoT) systems. Therefore, cyberattacks against this infrastructure could pose a significant danger. Specialists at Peter the Great St. Petersburg Polytechnic University (SPbPU) developed a methodology for assessing cyber risks in a Smart City's intelligent system. They tested the methodology on the "smart crossroads" test bench, which is a component of the smart transport system of a Smart City. The scientists pointed out that cybercriminals' goals are to disrupt large enterprises and urban infrastructure and to intercept the control over them. Using wireless links, attackers can remotely infiltrate a target subnet or a group of devices, intercept traffic, launch denial-of-service (DoS) attacks, and hijack IoT devices to create botnets. The methodology developed by SPbPU researchers can be used to analyze cybersecurity risks, identify threats, calculate risks, and analyze the resulting risk values. It is based on a quantitative approach and is said to be easily computable. This article continues to discuss the Smart City program, potential cyberattacks against digital infrastructures in a Smart City, and the methodology developed by SPbPU researchers to assess cyber risks in the intelligent systems of a Smart City.

EurekAlert! reports "Scientists Will Protect the Smart City from Cyber Threats"

A cybersecurity researcher named Jeremiah Fowler found an exposed database sitting exposed online without even basic password protection on April 18th. The database was filled with the medical records of nearly 200,000 U.S. military veterans. The database was exposed online by a vendor working for United Valor which is a Veterans Administration. The exposed data included patient names, birth dates, medical information, contact information, doctor information, and appointment times. All of this data could be used in socially engineered attacks, Fowler explained. The database also exposed unencrypted passwords and billing details. Fowler stated that the database was set to open and visible in any browser (publicly accessible), and anyone could edit, download or even delete data without administrative credentials. The researcher also found evidence that ransomware attackers might have exfiltrated the data. The dataset also contained a ransomware message titled "read_me" that claimed all of the records were downloaded, and they would be leaked unless 0.15 Bitcoin ($8,148) was paid.

Threatpost reports: "200K Veterans' Medical Records Likely Stolen by Ransomware Gang"

Rensselaer Polytechnic Institute (RPI) was forced to shut down most of their computer network after unauthorized access was detected on Friday. Student assessments, research, and other academic activities have been impacted. All final examinations, term papers, and project reports that were due between May 8th and May 10th have been canceled. Rensselaer Polytechnic Institute, which has around 7,900 students, is a private university situated in Troy, New York. Information Technology and Web Science are among the academic disciplines taught at the institute. RPI did not share any further details of the incident, such as what information may have been accessed. The institute has also not shared when its network will be up and running again. The university is currently making modifications to grading policies to accommodate for the disruption caused by the cyberattack.

Infosecurity reports: "University Cancels Exams After Cyber-Attack"

Although electronic records continue to advance, paper is still a common method of preserving data. Invisible ink can be used to hide classified economic, commercial, or military information, but many popular inks have toxic compounds or can be seen with predictable methods like chemicals, light, or heat. Carbon nanoparticles, which are low in toxicity, can be invisible under ambient lighting but can create vibrant images when exposed to ultraviolet (UV) light. Advances in Artificial Intelligence (AI) models can ensure that messages can only be deciphered on properly trained computers. A team of researchers trained an AI model to identify and decrypt symbols printed in a fluorescent carbon nanoparticle ink that reveal hidden messages when exposed to UV light. They taught the AI model, made up of multiple algorithms, to recognize the symbols illuminated by UV light and decode them through the use of a special code book. Then they tested whether the AI model can decode messages printed using a combination of regular red ink and the UV fluorescent ink. The AI model read the regular ink symbols as "STOP," with 100% accuracy. When a UV light illuminated the writing, the invisible ink showed the desired message "BEGIN." According to the researchers, since these algorithms can notice modifications in symbols, this approach has the potential to encrypt messages securely using hundreds of different unpredictable symbols. This article continues to discuss the approach to improving paper information recording and security protection using invisible ink and AI.

Science Daily reports "An Uncrackable Combination of Invisible Ink and Artificial Intelligence"

A group of security researchers found weaknesses at the Fermilab physics laboratory in the US that could lead to the exposure of documents, proprietary applications, project details, and more. Fermilab is a particle accelerator and physics laboratory in Batavia, Illinois, and is a part of the US Department of Energy (DOE). The lab has remediated the security issues that were unintentionally exposing a lot of information. One database they discovered allowed them to have unauthenticated access to over 5,700 documents and more than 50,000 file entries. They used Amass to enumerate Fermilab's subdomains. They also used dirsearch and Nmap for discovering open ports and enumerating services. These probes revealed multiple entry points. One of the entry points led into the lab's IT ticketing system, which revealed 4,500 trouble tickets. A malicious actor could gather project names, configuration data, and communication information by viewing the ticketing system. The researchers also found that part of a web application exposed names, emails, user IDs, security workgroups, assigned login groups, and documents. It was emphasized that Fermilab's security issues could have made its network and equipment targets for a ransomware attack. This article continues to discuss the discovery of Fermilab's security issues and the lab's quick response to the researchers' findings.

Data Breach Today reports "US Physics Laboratory Exposed Documents, Credentials"

Possible security threats linked to recycled phone numbers.

According to security researchers at Sophos, an organization involved in COVID-19 research lost a week's worth of critical data after a Ryuk attack that used a stolen password. The problem was traced back to one of the university students that the European research institute collaborates with as part of its outreach programs. That student obtained what they thought was a 'crack' version of a data visualization tool they needed, except that it contained information-stealing malware. The malware harvested keystrokes, stealing browser, cookies, clipboard data, and, it transpired, the student's log-ins for the research institute. Thirteen days later, a remote desktop protocol (RDP) connection was registered on the institute's network using the student's credentials, the researchers stated. Although the unnamed biomolecular specialist had backups, they were not fully up-to-date, meaning that a week's worth of vital research was lost. The firm also suffered a significant operational cost as all computer and server files had to be rebuilt from the ground-up before data could be restored. The researchers stated that it is unlikely that the operators behind the 'pirated software' malware are the same as those who launched the Ryuk attack.

Infosecurity reports: "#COVID19 Researchers Lose a Week's Work to Ryuk Ransomware"