I found this article concerning ransomware very interesting. We are all familiar with ransomware being in the news and therefore know how it works. This particular strain of ransomware, however, works in a different way than most. It only encrypts every other 16 bytes of information in the files on a system. This helps it evade dynamic ransomware defenses. It is also worth noting that the ransomware deletes itself after successful encryption, so there are no binaries left on the system for incident responders to analyze. It’s intriguing that no matter how the industry responds and defends, threat actors will continue to adapt their tools and approach. Knowing this, it reinforces the argument that training people will be the most impactful area to focus on, rather than just throwing all of a company’s money/time at tools. If the ransomware tools are constantly being evaded, as they are with this specific ransomware, then the best way to avoid data loss is by training the employees not to click on the links that infect the system in the first place.
Check Point Buys Cloud Email Security Provider Avanan. Israeli security giant Check Point Software Technologies announced a deal with Avanan on Monday to join the online security shopping frenzy. The deal is valued at $250 million. Avanan is a startup company that sells technology to protect cloud email infrastructure. Avanan will be integrated into the Check Point Infinity integrated architecture to provide the world’s most secure email security products. Check Point said in a statement that this will be the only unified solution on the market that protects remote employees from malicious files and phishing in email, the Web, the network, and endpoints.
Chinese Cryptocoin exchange robbed of $600 Million
For cryptocurrency enthusiasts:
In what we now observe as a common trend in recent attacks, the Chinese crypto trading platform Poly Networks was recently robbed of $600 million due to an existing back door in the back-end code attributed to their blockchain for cryptocurrency trading activities.
How does a back door work? A back door could exist either as malware or as an open communication channel that allows the attacker to send commands and control the remote host. After a backdoor is installed, specific commands will be sent to be executed on the target machine. These commands will in turn manipulate the machine at the command of the hacker.
In this case, it was further revealed that the attack most likely evolved from an SQL injection used to initiate a bug in the crypto trading platform’s data. An SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. In simple English, it tampers with data to initiate activities at the back end of the system to cause data disruption or theft.
In this case the hot wallet of the victim was compromised, and crypto coins were stolen. The hacker, going by the name Mr. White Hat, however notified Poly Networks (the victim), returned the funds and has recently been hired to help remediate the bug going forward. This could, however, have been averted if mitigating controls such as data sanitization, data filtering and periodic code reviews were periodically implemented.
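As an added illustration of the mitigations the post names (it is not code from the article or from Poly Networks), the following Python script builds a small in-memory SQLite ledger with constructed sample rows, shows how a string-concatenated query lets a crafted owner name return every wallet, and then shows the two defensive layers that stop it: a parameterized query, which keeps the input from altering the statement's structure, and an allow-list validation step in front of it. The table, column names and sample accounts are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample ledger rows (hypothetical; not Poly Networks' schema or data).
SAMPLE_ACCOUNTS = [
    ("alice", "hot-wallet-A", 120.0),
    ("bob", "hot-wallet-B", 75.5),
    ("carol", "cold-wallet-C", 9000.0),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wallets (owner TEXT, wallet_id TEXT, balance REAL)")
    conn.executemany("INSERT INTO wallets VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner):
    """Untrusted input concatenated straight into SQL: the injectable 'before' form."""
    sql = "SELECT owner, wallet_id, balance FROM wallets WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, owner):
    """Parameterized query: the value travels separately from the statement text,
    so quote characters in the input can never change what the query does."""
    sql = "SELECT owner, wallet_id, balance FROM wallets WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


# Allow-list for owner identifiers: lowercase letters, digits, underscore, 1-32 chars.
OWNER_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_owner(owner):
    """Data filtering step: reject anything that is not a well-formed identifier.
    This is defence in depth, not a replacement for parameterization."""
    return bool(OWNER_RE.match(owner))


def lookup_hardened(conn, owner):
    """Hardened lookup: validate first, then query with parameters."""
    if not validate_owner(owner):
        raise ValueError("rejected owner identifier: %r" % owner)
    return lookup_parameterized(conn, owner)


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that closes the quote and adds a tautology
    print("vulnerable   :", lookup_vulnerable(db, crafted))      # every row leaks
    print("parameterized:", lookup_parameterized(db, crafted))   # [] (no such owner)
    try:
        lookup_hardened(db, crafted)
    except ValueError as err:
        print("hardened     :", err)                             # rejected before the query
```

The vulnerable function is kept only to show the contrast; in a real code review it is the pattern to flag, and the parameterized form is the one to require regardless of whether input validation is also present.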
This article discusses the current state of ransomware. The average cost of ransomware in 2020 ranges from $1.5m (for those organizations that paid the ransom) to $732k (for those that didn’t pay the ransom). The article then proceeds to mention a few dozen ransomware families that have been most prevalent in the last few years. Below are some I found most interesting, but more are listed in the article:
Conti is the successor of Ryuk, and this RaaS (ransomware as a service) threatens both withholding the decryption key and publishing stolen data. It operates a website – conti news – where this data is published. It’s operated by an unidentified group.
Darkside is similar to Conti in that it threatens both encryption and data theft. But interestingly, they claim not to target NPOs, hospitals, funeral parlors, educational institutes, and government organizations. They’re believed to operate out of Russia.
Jigsaw puts a timer on when you need to pay by. It deletes a file per hour until the 72 hour mark, where it will delete all remaining files.
Maze operates by infiltrating a network through stolen or guessed credentials, then it does reconnaissance and attempts to escalate privilege.
SECURITY IS NOT A TECHNICAL ISSUE.
I found this article during my research on this week’s reading, and it was absolutely interesting. It was clearly stated in the article that the days of security being just a technical issue are long gone, and it is thus becoming an increasing concern for leaders at the highest level of many organizations and governments, transcending national borders. The implication of the article is that information security is not a technical issue any more but rather a business issue where everyone must get involved in finding solutions to technical issues.
Source: https://us-cert.cisa.gov/bsi/articles/best-practices/governance-and-management/security-is-not-just-a-technical-issue.
Microsoft commits to spend $20 billion on cybersecurity over five years
Due to the amount of Microsoft users, and the increasing rate of cyberattacks and breaches, Microsoft (MSFT) has pledged $20 billion on cybersecurity functions throughout the next five years—four times its previous investments of $1 billion per year in the past. The reasoning for this investment is to protect the millions of MSFT users and organizations that rely on Microsoft for day-to-day capabilities. The increasing amount of MSFT users also poses the entity as a large target for cyberattacks. Microsoft is also donating funds, as well as its services, to governmental, educational and non-profit entities to promote cybersecurity, as well as organizational preparedness. Given the interdependence these organizations have with one another, MSFT’s investments are helping augment cyberspace security. In addition, relevant movements with cybersecurity are occurring with the Biden administration, who is working with some of the most profound technology companies to promote public-private partnerships. These partnerships will help connect American critical infrastructure with the private sector, to assist in preventing future incidents like the Colonial Pipeline ransomware attack in early 2021. In consideration of MSFT’s cybersecurity investments, and increasing revenue in cybersecurity products like Sentinel, alongside federal cybersecurity initiatives, more attention, action and awareness is being allocated to protecting national assets from cyberthreats.
“Comparitech research shows cybercrime victims lose $17.4 billion annually in the UK”
Interesting article that gives us an estimate on just how much is lost to cyber crime annually. It seems the UK had the most cyber crime victims reported last year, and the main methods are through social media and email.
This was a good read as it puts into perspective just how much is lost through cyber crime each year.
In recent weeks, the cellular carrier T-Mobile was the victim of a data breach which exposed confidential customer data. It appears the hackers bypassed at least one or even several technical controls. Krebs writes, “hackers found an opening in T-Mobile’s wireless data network that allowed access to two of T-Mobile’s customer data centers. From there, the intruders were able to dump a number of customer databases totaling more than 100 gigabytes”. Amongst the 100 gigs of data were names, dates of birth, social security numbers, and driver’s licenses of 40 million current, former, and prospective (likely not anymore 🙂 ) customers.
JP Morgan Chase Bank Notifies Customers of Data Exposure
Last week, JP Morgan Chase Bank sent out an email to their customers stating that their private information may have been accidentally exposed to other JP Morgan Chase customers in the system. Due to a technical bug, some members were able to access other members’ private information through the Chase Mobile App as well as the home website, chase.com. The information that was at risk of being exposed included transactions and balance data. Chase asked that their customers go through their statements and balances and inform them of any inconsistencies that they notice, that way Chase can resolve the issue. After completing an investigation, Chase stated that there was no evidence found of customer data being abused.
DuPage Medical Group has stated they recently had a data breach. They have notified 600,000 patients that their personal information could’ve been compromised. DuPage Medical Group had experienced a connectivity issue with their computers and phone systems for almost a week in mid-July. They worked with cyber-forensic specialists to perform the investigation and found that “unauthorized actors” had accessed their network. During the investigation, they determined that their patients’ information was accessed by the attackers. The information may include the names, addresses, dates of birth, diagnosis codes, codes identifying medical procedures and treatment dates of the patients. DuPage Medical Group has also indicated the social security numbers of a small number of people could have been compromised. As of August 30, 2021, DuPage Medical Group stated they are not aware of any of the patient information being misused due to that breach.
Here’s a short and simple article published by the New York Times that explains the relationship between Apple and China that leads to some privacy issues for users.
The fact that “Apple assembles nearly all of its product in China and sells $55 billion there” shows us how important the regulations and procedures the Chinese government requires Apple to follow are.
The article also mentions the security experts who were able to figure out that Apple was not as innocent in China as it promises its users when it comes to protecting their personal information. Unfortunately, the Chinese government has control over access to the data.
It is certainly not news that healthcare systems are notoriously insecure. This article from SC Media discusses quite a few relevant real examples of the material recently covered in this course. It covers the impact of a cyber attack on Memorial Health System in Ohio, which caused critical processes to fail at branches of the organization. The graphic provided in the article demonstrates how serious the concept of availability of critical systems is for a healthcare entity like a hospital. The attack wiped out availability of critical systems including radiological IT systems, causing any radiology exams, and more importantly any urgent surgeries, to be diverted to the closest unaffected facilities with the necessary equipment. The article explains that this health system is the third “U.S. health system to be hit with ransomware in the last two weeks alone.” The impact of the incident was quite substantial: regardless of whether or not the ransom was paid, which is not disclosed in the article, about $113 million in downtime alone was lost.
One of the other two healthcare systems attacked as mentioned by the article, Eskenazi Health in Indianapolis, is still suffering from the impact of the cyber attack on August 4th, even despite allegedly quick incident response and detection. At the time of the article’s writing, it states that the website for Eskenazi Health is still offline, demonstrating the impact of systems availability after an incident, and how a business continuity plan at an organization like a hospital will literally be the difference between life and death for some patients who were about to undergo critical urgent surgical procedures, but had to be transferred to other locations.
I was able to pull this article from a site a colleague at work gave.
It’s an article highlighting the concerns of internet of things (IoT) devices being connected on large-scale 5G networks as they expand and infrastructure becomes more connected. Ransomware attacks have been on the rise, with the recent pipeline attack having caused gas shortages within the southern United States. I found this article to be quite relevant as technically it already happened to systems not residing in 5G environments.
If attackers were able to exploit city infrastructure via 5G networks, there could be potential to wreak havoc on ‘smart cities’ with insecure devices, which is why organizations should be regularly checking access control and ensuring that logins are secured to protect credentials, as well as checking to see if higher-level employees have had their accounts and passwords breached recently.
Given the ransomware attacks in recent years, I would not be surprised if there is vulnerable infrastructure connected at this very moment that could result in a wide-spread attack. As networks become more intertwined with city structure, the threat and severity of attack increases, resulting in a much higher risk. And seeing how WannaCry and the pipeline attack were successful attacks against infrastructure in internal networks, I wouldn’t be surprised if we see a city-wide crisis within the next 5-10 years.
Coinbase is publicly traded and the largest cryptocurrency exchange in the United States. Due to a company error, the organization sent out a false alert to about 125,000 of their customers. They had all been notified that their 2-factor authentication security settings had been changed. Many customers were confused, and a few even panicked. A lot of their customers were justifiably concerned that their Coinbase accounts had been compromised. This is especially true due to the fact that a week prior, some user accounts were actually hacked. Many of those customers made complaints against the company last week for their lack of customer service and their perceived unwillingness to answer any of their questions. They also complained that the company did not make themselves available to help rectify the problems that they were experiencing. (There is a link in the article that redirects you to that story.)
Furthermore, one of their customers detailed to the news the events that followed after he had received these false notifications from the company. He said he first contacted his daughter and her boyfriend to seek advice on whether he should sell his crypto or not. He ultimately decided to sell all of it, which was a total of $60,298. I’m sure he’s not the only customer who has had that reaction. The company says they have been working hard to be transparent with their customers and to regain their trust. They take full responsibility for the unfortunate internal mistake.
Quantifying risk and cyber breach cost.
This is a quick read article that contains a link to a longer report. The article does contain a very interesting graphic that shows the cost of various types of cyber incidents that occurred in 2020. It answers the question – what is the cost of a data breach? It answers that question for a variety of breach types – phishing, malicious insider, compromised credentials, cloud misconfiguration etc.
The article that I am choosing to summarize / discuss this week is titled “T-Mobile Hacker Who Stole Data on 50 Million Customers: ‘Their Security Is Awful’”. It was published in the Wall Street Journal on 8/27 and was written by Drew FitzGerald and Robert McMillan.
The article goes in depth about the recent T-Mobile hack and data breach and how it was done by a 21-year-old kid named John Binns. He is an American citizen who moved to Turkey around three years ago. John discovered a router on T-Mobile’s network that was unprotected by relentlessly scanning known T-Mobile internet addresses with software that is widely available to the public. Binns said that he carried out the hack to expose the lackluster security of T-Mobile and, seemingly, for fun. He contacted the Wall Street Journal from an alias messenger account that outlined plans of the attack in other messages before it was even carried out. It is not known whether Binns got paid to carry out the attack, or if he sold or used the PI that he extracted in any way.
This is the third time in two years that T-Mobile has had a large security breach. It is also the second largest mobile service provider in the United States. Binns got access to an extremely large amount of PI, including social security numbers and ID’s.
“Attackers Behind Trickbot Expanding Malware Distribution Channels”
The operators behind the pernicious TrickBot malware have resurfaced with new tricks that aim to increase its foothold by expanding its distribution channels, ultimately leading to the deployment of ransomware such as Conti.
The threat actor, tracked under the monikers ITG23 and Wizard Spider, has been found to partner with other cybercrime gangs known as Hive0105, Hive0106 (aka TA551 or Shathak), and Hive0107, adding to a growing number of campaigns that the attackers are banking on to deliver proprietary malware, according to a report by IBM X-Force. https://thehackernews.com/2021/10/attackers-behind-trickbot-expanding.html?&web_view=true
The international journal Advances in Data Analysis and Classification (ADAC) is apparently designed as a forum for high-standard publications on research and applications about the extraction of knowable aspects from many types of data. The articles explain structural, quantitative, or statistical approaches for the analysis of data; advances in classification, clustering, and pattern recognition methods; strategies for modeling complex data and mining large data sets; methods for the extraction of knowledge from data; and applications of advanced methods in specific domains of practice. Articles illustrate how new domain-specific knowledge can be made available from data by skillful use of data analysis methods. The journal intrinsically highlights survey papers that outline and illuminate the basic ideas and techniques of special approaches for many business organizations in the 21st century.
I came across this article, and found it really interesting how cybercriminals were able to trick the town of Peterborough not once, but twice into making false payments through emails.
In summary, cybercriminals leveraged public information to impersonate
1. A school district
2. A local construction firm
and emailed the town of Peterborough notifying them of missing payments. Payments were made to the cybercriminals’ bank accounts, and Peterborough lost $2.3m as a result.
I am pretty impressed by the cybercriminals who were able to leverage public information to impersonate a school district and a construction firm to facilitate payments to their bank accounts, but I found it surprising that whoever was in charge of making those false payments on behalf of the town of Peterborough did not question the emails, or find anything suspicious about the contents of the emails (there is also the possibility that the cybercriminals were just that good/convincing).
In either case, I think this goes to show that cybercriminals are still out there, and that we should be aware of all the different attack avenues that we are potentially vulnerable to (phishing, social engineering, etc.).
Source: https://statescoop.com/new-hampshire-town-lost-2-3-million-in-email-scam/
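As an added example of the kind of check the post's question invites (this is not code from the article or from the town of Peterborough), the Python script below shows what an accounts-payable workflow can verify automatically before a "missing payment" email moves money: that the sender's domain matches the domain on file for the vendor, that it is not a lookalike of that domain, and that the requested bank account matches the vendor master record. Any finding holds the payment for out-of-band confirmation with a phone number already on file, not one taken from the email. Vendor names, domains, account numbers and the sample emails are all constructed for the example.

```python
import re

# Constructed vendor master records (hypothetical; the article names no such data).
VENDOR_MASTER = {
    "Example School District": {"domain": "exampleschools.example", "account": "111-222"},
    "Example Construction Co.": {"domain": "exampleconstruct.example", "account": "333-444"},
}


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains (one or two edits away)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(addr):
    """Extract the domain part of an email address, lower-cased; '' if malformed."""
    m = re.search(r"@([A-Za-z0-9.-]+)$", addr.strip())
    return m.group(1).lower() if m else ""


def check_payment_request(vendor, sender, requested_account):
    """Return a list of findings for a payment request; an empty list means
    the request is consistent with the vendor master record."""
    findings = []
    record = VENDOR_MASTER.get(vendor)
    if record is None:
        return ["vendor not in master record: hold for verification"]
    dom = sender_domain(sender)
    known = record["domain"]
    if dom != known:
        d = edit_distance(dom, known)
        if 0 < d <= 2:
            findings.append(f"lookalike sender domain {dom!r} ({d} edit(s) from {known!r})")
        else:
            findings.append(f"sender domain {dom!r} does not match vendor domain {known!r}")
    if requested_account != record["account"]:
        findings.append("requested bank account differs from vendor master record")
    return findings


def should_hold(vendor, sender, requested_account):
    """True when the payment must be held pending out-of-band confirmation."""
    return bool(check_payment_request(vendor, sender, requested_account))


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one impersonating the vendor.
    samples = [
        ("Example School District", "ap@exampleschools.example", "111-222"),
        ("Example School District", "ap@exarnpleschools.example", "999-000"),
        ("Example Construction Co.", "billing@randomfree.example", "333-444"),
    ]
    for vendor, sender, acct in samples:
        print(vendor, "<-", sender, "=>", check_payment_request(vendor, sender, acct) or "ok")
```

The domain check is deliberately only one signal: a compromised legitimate mailbox would pass it, which is why the account-number comparison and the hold for out-of-band confirmation remain in place even when the sender looks right.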
Insider threats are some of the most difficult security threats an organization must contend with because these types of threats are often challenging to detect, and attacks are unpredictable. Additionally, insider threats already have credential access to company resources. In this article by IT Security Guru, the DemonWare ransomware gang is attempting to recruit disgruntled employees to help provide a foothold into the target organization. As we have learned, the human element of our security chain can render all our security efforts useless if an employee opens the “door” to attackers. The article goes on to provide actionable steps to audit your human attack surface. Some key actions to take for controlling the insider threat include: “restrict access to others on a need-to-know basis, actively manage online presence and social media, and require all account changes be subject to authorization via strong two-factor authentication” (Gurus, 2021).
Gurus, T. (2021, August 20). DemonWare ransomware gang attempts to RECRUIT disgruntled employees in insider threat scheme. IT Security Guru. https://www.itsecurityguru.org/2021/08/20/demonware-ransomware-gang-attempts-to-recruit-disgruntled-employees-in-insider-threat-scheme/.
I found this article really interesting as it took me back to the first chapter when we talked about how technical and business problems can affect an organization. Basically, this is about a misconfiguration of a database that appears to be a scheme by Amazon vendors giving fake reviews for their products. When reviewing the safety guidelines (by a third-party team called the AV Safety Detectives), they found that the China-based Elasticsearch server was not secured enough, meaning there was no password protection or encryption of the data. With little knowledge of cybersecurity, people could access all the data on this server. The server had millions of people’s personal information (Amazon account profiles of reviewers) including WhatsApp phone numbers, email addresses, names, PayPal accounts, etc. The interesting part was that the scammers were paying people (reviewers) to give them a 5-star review on their product, and in return, after leaving the comments, the reviewers get money via PayPal accounts and can keep the product for themselves as payment. The book outlines very well that data protection is very important for an organization as “data security is at a core of what needs to be protected in terms of information security and mission critical systems” (Vacca, John. 2017. Computer and Information Security Handbook. 3rd ed. Cambridge: Morgan Kaufmann). In this situation, we faced a lot of incorrect policies and procedures due to the restriction and access of that data, which we would classify under the confidentiality part. Proper training was also another issue, as this could have been avoided if the IT team at Amazon had created a secure email system and encrypted the data.
https://www.infosecurity-magazine.com/news/database-exposes-200k-fake-amazon?
“Critical F5 bug could lead to wide range of security vulnerabilities”
An application delivery networking firm called “F5” had their work cut out for them when they dealt with 30 vulnerabilities in their devices. Over a dozen were high-severity security vulnerabilities, including one receiving a score of 9.9 in the Common Vulnerability Scoring System (CVSS), which is in the most severe bracket. This gives an “authenticated” attacker entrance to the Configuration utility after the vulnerability has been exploited to create, delete, and disable services, and do other malicious activities. F5’s BIG-IP, which is a set of software and hardware solutions that provide traffic management, high availability of applications, access control, and security, was one of the targets of attackers because of the “vulnerable and external nature of the product.” Some of the application services allow internet users to connect to the service. However, because of the vulnerabilities in the F5 products, this gives attackers the tools they need to get into the network. It is recommended that vulnerabilities be patched by organizations as soon as possible, or that other methods be used to mitigate the risks.
https://www.securitymagazine.com/articles/95969-critical-f5-bug-could-lead-to-wide-range-of-security-vulnerabilities
Wiz, a cyber security company, discovered a major vulnerability in Microsoft Azure, one of the most widely used public cloud platforms. A privilege escalation vulnerability in Jupyter notebook (a data science tool) allows intruders access to the Cosmos DB keys of other organizations. This makes it possible for the intruders to go in and modify or delete the saved data in the database or anywhere in the cloud. Wiz was able to determine that this vulnerability did impact several large corporations including Coca-Cola, Symantec, Rolls-Royce, and others.
Cloud providers are known to provide the best security for holding the data of outside organizations, but a single vulnerability can impact many more organizations compared to data that is hosted privately.
Lemos, R. (2021, August 27). Microsoft Azure cloud vulnerability exposed thousands of databases. Dark Reading. https://www.darkreading.com/cloud/microsoft-azure-cloud-vulnerability-exposed-thousands-of-databases
With the COVID pandemic going on worldwide, governments and organizations are requiring employees to provide proof of a COVID test prior to entering places of business. According to the cybersecurity firm Inky, crooks are sending out emails with COVID test forms attached that impersonate actual email from HR to employers. Anyone who clicks on the form goes to what looks like an MS Office Outlook web login page. The page requires them to enter their username and password to see the form, and that is where the scam to capture passwords is hidden. If an employer blindly continues to enter the Microsoft password, then the next page requires them to enter their name and birth date, leading to a security breach and loss of personal information. If your organization or your company manager hasn’t notified or told you personally to expect a form like this, please speak to them for confirmation. Otherwise, inform your cybersecurity team to investigate this kind of scam form or any kind of vulnerabilities to protect yourself and your organization.
https://www.itbusiness.ca/news/cyber-security-today-aug-27-2021-alleged-t-mobile-hacker-comes-forward-a-covid-19-vaccination-form-scam-and-more/119343
Researchers Call for ‘CVE’ Approach for Cloud Vulnerabilities
During Black Hat 2021, Ami Luttwak and Shir Tamari of Wiz.io presented on cloud vulnerabilities allowing them to access data from different customers despite isolation efforts by the vendor. These vulnerabilities were largely addressed by the vendors; however, they are still prevalent due to misconfigurations on customer instances. Their work points to a need for a common database, similar to Common Vulnerabilities and Exposures (CVE), that focuses on known cloud vulnerabilities. Such a database would guide customers on remediating known issues and help them to keep up with the rapid development of cloud products.
https://www.darkreading.com/cloud/researchers-call-for-cve-approach-for-cloud-vulnerabilities/d/d-id/1341594?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple
I found this article concerning ransomware very interesting. We are all familiar with ransomware being in the news and therefore know how it works. This particular strain of ransomware, however, works in a different way than most. It only encrypts every other 16 bytes of information in the files on a system. This helps it evade dynamic ransomware defenses. It is also worth noting that the ransomware deletes itself after successful encryption, so there are no binaries left on the system for incident responders to analyze. It’s intriguing that no matter how the industry responds and defends, threat actors will continue to adapt their tools and approach. Knowing this, it reinforces the argument that training people will be the most impactful area to focus on, rather than just throwing all of a company’s money/time at tools. If the ransomware tools are constantly being evaded, like they are with this specific ransomware, then the best way to avoid data loss is by training the employees not to click on the links that infect the system in the first place.
https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html
Check Point Buys Cloud Email Security Provider Avanan. Israeli security giant Check Point Software Technologies announced a deal with Avanan on Monday to join the online security shopping frenzy. The deal is valued at $250 million. Avanan is a startup company that sells technology to protect cloud email infrastructure. Avanan will be integrated into the Check Point Infinity integrated architecture to provide the world’s most secure email security products. Check Point said in a statement that this will be the only unified solution on the market that protects remote employees from malicious files and phishing in email, the Web, the network, and endpoints.
Cited from https://www.securityweek.com/check-point-buys-cloud-email-security-provider-avanan
Chinese Cryptocoin exchange robbed of $600 Million
For cryptocurrency enthusiasts:
In what we now observe as a common trend in recent attacks, the Chinese crypto trading platform Poly Network was recently robbed of $600 million due to an existing back door in the back-end code attributed to their blockchain for cryptocurrency trading activities.
How does a back door work? A back door could exist either as malware or as an open communication channel that allows the attacker to send commands and control the remote host. After a backdoor is installed, specific commands will be sent to be executed on the target machine. These commands will in turn manipulate the machine at the command of the hacker.
In this case, it was further revealed that the attack most likely evolved from an SQL injection used to initiate a bug in the crypto trading platform data. An SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. In simple English, it tampers with data to initiate activities at the back end of the system to cause data disruption or theft.
In this case the hot wallet of the victim was compromised, and crypto coins were stolen. The hacker, going by the name Mr. White Hat, however notified Poly Network (the victim), returned the funds and has recently been hired to help remediate the bug going forward. This could have, however, been averted if mitigating controls such as data sanitization, data filtering and periodic code reviews were implemented.
Source: https://nakedsecurity.sophos.com/2021/08/20/japanese-cryptocoin-exchange-robbed-of-100000000/
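To make the SQL injection and the "data sanitization / data filtering" controls from the post above concrete, here is an added example (not code from the article or from Poly Network) with a constructed in-memory wallet table: the vulnerable string-built query beside its parameterized fix, plus an allow-list filter as a second layer.

```python
import re
import sqlite3

# Constructed sample rows (hypothetical, not real exchange data).
SAMPLE_WALLETS = [
    ("alice", "hot", 1200),
    ("bob", "hot", 350),
    ("carol", "cold", 99000),
]

# Allow-list for an owner id: lowercase letters, digits, underscore, 1-32 chars.
OWNER_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wallets (owner TEXT, kind TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO wallets VALUES (?, ?, ?)", SAMPLE_WALLETS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """The bug: user input is spliced into the SQL text, so the database
    cannot distinguish the attacker's data from the developer's query."""
    sql = f"SELECT owner, kind, balance FROM wallets WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, owner: str) -> list:
    """The fix: the query text is constant and the value is bound separately,
    so whatever the caller supplies is always treated as a plain string."""
    sql = "SELECT owner, kind, balance FROM wallets WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def lookup_filtered(conn: sqlite3.Connection, owner: str) -> list:
    """Defense in depth: reject input that does not match the expected shape
    before it reaches the query (the 'data filtering' control named in the post)."""
    if not OWNER_RE.fullmatch(owner):
        raise ValueError("rejected: owner id does not match the allowed pattern")
    return lookup_parameterized(conn, owner)


def demo() -> dict:
    """Run the same honest and hostile inputs through each lookup and report row counts."""
    conn = make_db()
    honest = "bob"
    # Constructed tautology input: the quote closes the literal and the rest
    # makes the WHERE clause true for every row in the vulnerable version.
    hostile = "x' OR '1'='1"
    results = {
        "vulnerable_honest": len(lookup_vulnerable(conn, honest)),      # 1 row
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),    # every row leaks
        "parameterized_hostile": len(lookup_parameterized(conn, hostile)),  # 0 rows
    }
    try:
        lookup_filtered(conn, hostile)
        results["filtered_rejected"] = False
    except ValueError:
        results["filtered_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parameterized query alone closes the injection; the allow-list filter is the extra layer a code review would ask for so that malformed ids never reach the database at all.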
This article discusses the current state of ransomware. The average cost of ransomware in 2020 ranges from $1.5m (for those organizations that paid the ransom) to $732k (for those that didn’t pay the ransom). The article then proceeds to mention a few dozen ransomware families that have been most prevalent in the last few years. Below are some I found most interesting, but more are listed in the article:
Conti is the successor of Ryuk, and this RaaS (ransomware as a service) threatens both withholding the decryption key and publishing stolen data. It operates a website – Conti News – where this data is published. It’s operated by an unidentified group.
Darkside is similar to Conti in that it threatens both encryption and data theft. But interestingly, they claim not to target NPOs, hospitals, funeral parlors, educational institutes, and government organizations. They’re believed to operate out of Russia.
Jigsaw puts a timer on when you need to pay by. It deletes a file per hour until the 72-hour mark, where it will delete all remaining files.
Maze operates by infiltrating a network through stolen or guessed credentials, then it does reconnaissance and attempts to escalate privilege.
https://www.csoonline.com/article/3607649/csos-guide-to-the-worst-and-most-notable-ransomware.html
SECURITY IS NOT A TECHNICAL ISSUE.
I found this article during my research on this week’s reading and found it absolutely interesting. It was clearly stated in the article that the days of security as just a technical issue are long gone, and it is thus becoming an increasing concern for leaders at the highest level of many organizations and governments, transcending national borders. The implication of the article is that information security is not a technical issue anymore but rather a business issue where everyone must get involved in finding solutions to technical issues.
Source: https://us-cert.cisa.gov/bsi/articles/best-practices/governance-and-management/security-is-not-just-a-technical-issue
Microsoft commits to spend $20 billion on cybersecurity over five years
Due to the number of Microsoft users, and the increasing rate of cyberattacks and breaches, Microsoft (MSFT) has pledged to spend $20 billion on cybersecurity functions throughout the next five years—four times its previous investments of $1 billion per year in the past. The reasoning for this investment is to protect the millions of MSFT users and organizations that rely on Microsoft for day-to-day capabilities. The increasing number of MSFT users also makes the entity a large target for cyberattacks. Microsoft is also donating funds, as well as its services, to governmental, educational and non-profit entities to promote cybersecurity, as well as organizational preparedness. Given the interdependence these organizations have with one another, MSFT’s investments are helping augment cyberspace security. In addition, relevant movements in cybersecurity are occurring with the Biden administration, which is working with some of the most profound technology companies to promote public-private partnerships. These partnerships will help connect American critical infrastructure with the private sector, to assist in preventing future incidents like the Colonial Pipeline ransomware attack in early 2021. In consideration of MSFT’s cybersecurity investments, and increasing revenue in cybersecurity products like Sentinel, alongside federal cybersecurity initiatives, more attention, action and awareness is being allocated to protecting national assets from cyberthreats.
https://finance.yahoo.com/news/microsoft-commits-to-spend-20-billion-on-cybersecurity-213039278.html
“Comparitech research shows cybercrime victims lose $17.4 billion annually in the UK”
Interesting article that gives us an estimate of just how much is lost to cybercrime annually. It seems the UK had the most cybercrime victims reported for last year, and the main methods are through social media and email.
This was a good read as it puts into perspective just how much is lost through cybercrime each year.
https://www.itsecurityguru.org/2021/08/11/comparitech-research-shows-cybercrime-victims-lose-17-4-billion-annually-in-the-uk/
https://krebsonsecurity.com/2021/08/t-mobile-investigating-claims-of-massive-data-breach/
In recent weeks, the cellular carrier T-Mobile was the victim of a data breach which exposed confidential customer data. It appears the hackers bypassed at least one or even several technical controls. Krebs writes, “hackers found an opening in T-Mobile’s wireless data network that allowed access to two of T-Mobile’s customer data centers. From there, the intruders were able to dump a number of customer databases totaling more than 100 gigabytes”. Amongst the 100 gigs of data were names, dates of birth, social security numbers, and driver’s license information of 40 million current, former, and prospective (likely not anymore 🙂 ) customers.
JP Morgan Chase Bank Notifies Customers of Data Exposure
Last week, JP Morgan Chase Bank sent out an email to their customers stating that their private information may have been accidentally exposed to other JP Morgan Chase customers in the system. Due to a technical bug, some members were able to access other members’ private information through the Chase Mobile App as well as the home website, chase.com. The information that was at risk of being exposed included transaction and balance data. Chase asked that their customers go through their statements and balances and inform them of any inconsistencies that they notice, so that Chase can resolve the issue. After completing an investigation, Chase stated that there was no evidence found of customer data being abused.
https://www.securityweek.com/jpmorgan-chase-bank-notifies-customers-data-exposure
DuPage Medical Group has stated they recently had a data breach. They have notified 600,000 patients that their personal information could’ve been compromised. DuPage Medical Group had experienced a connectivity issue with their computer and phone systems for almost a week in mid-July. They worked with cyber-forensic specialists to perform the investigation and found that “unauthorized actors” had accessed their network. During the investigation, they determined their patients’ information was accessed by the attackers. The information may include the names, addresses, dates of birth, diagnosis codes, codes identifying medical procedures and treatment dates of the patients. DuPage Medical Group has also indicated the social security numbers of a small number of people could have been compromised. As of August 30, 2021, DuPage Medical Group stated they are not aware of any of the patient information being misused due to that breach.
Schencker, Lisa. 2021. DuPage Medical Group notifying 600,000 patients that their personal information may have been compromised in cyberattack. Retrieved from: https://www.chicagotribune.com/business/ct-biz-dupage-medical-group-breach-personal-information-20210830-frv74cy23nhftgufbwc3caknie-story.html
Here’s a short and simple article published by the New York Times that explains the relationship between Apple and China that leads to some privacy issues for its users.
The fact that “Apple assembles nearly all of its product in China and sells $55 billion there” shows us how important the regulations and procedures the Chinese government requires Apple to follow are.
The article also mentions the security experts who were able to figure out that Apple was not as innocent in China as it promises its users when it comes to protecting their personal information. Unfortunately, the Chinese government has control over access to the data.
To see the article: https://www.nytimes.com/interactive/2021/06/17/technology/apple-china-explainer.html
It is certainly not news that healthcare systems are notoriously insecure. This article from SC Media discusses quite a few relevant real examples of the material recently covered in this course. It covers the impact of a cyber attack on Memorial Health System in Ohio, which caused critical processes to fail at branches of the organization. The graphic provided in the article demonstrates how serious the concept of availability of critical systems is for a healthcare entity like a hospital. The attack wiped out availability of critical systems including radiological IT systems, causing radiology exams, and more importantly any urgent surgeries, to be diverted to the closest unaffected facilities with the necessary equipment. The article explains that this health system is the third “U.S. health system to be hit with ransomware in the last two weeks alone.” The impact of the incident was quite substantial: regardless of whether or not the ransom was paid, which is not disclosed in the article, about $113 million in downtime alone was lost.
One of the other two healthcare systems attacked, as mentioned by the article, Eskenazi Health in Indianapolis, is still suffering from the impact of the cyber attack on August 4th, despite allegedly quick incident response and detection. At the time of the article’s writing, it states that the website for Eskenazi Health is still offline, demonstrating the impact on systems availability after an incident, and how a business continuity plan at an organization like a hospital will literally be the difference between life and death for some patients who were about to undergo critical urgent surgical procedures but had to be transferred to other locations.
https://www.scmagazine.com/analysis/backup-and-recovery/surgeries-canceled-care-diverted-as-memorial-health-responds-to-cyberattack
I was able to pull this article from a site a colleague at work gave me.
It’s an article highlighting the concerns about Internet of Things (IoT) devices being connected on large-scale 5G networks as they expand and infrastructure becomes more connected. Ransomware attacks have been on the rise, with the recent pipeline attack which caused gas shortages within the southern United States. I found this article to be quite relevant as technically it already happened to systems not residing in 5G environments.
If attackers were able to exploit city infrastructure via 5G networks, there could be potential to wreak havoc on ‘smart cities’ with insecure devices. This is why organizations should be regularly checking access control and ensuring that logins are secured to protect credentials, as well as checking to see if higher-level employees have had their accounts and passwords breached recently.
Given the ransomware attacks in recent years, I would not be surprised if there is vulnerable infrastructure connected at this very moment that could result in a widespread attack. As networks become more intertwined with city structure, the threat and severity of attack increase, resulting in a much higher risk. And seeing how WannaCry and the pipeline attack were successful attacks against infrastructure in internal networks, I wouldn’t be surprised if we see a city-wide crisis within the next 5-10 years.
https://www.zdnet.com/article/ransomware-its-only-a-matter-of-time-before-an-iot-smart-city-falls-victim-to-an-attack-if-action-isnt-taken-now/
Coinbase is publicly traded and the largest cryptocurrency exchange in the United States. Due to a company error, the organization sent out a false alert to about 125,000 of their customers. They had all been notified that their two-factor authentication security settings had been changed. Many customers were confused, and a few even panicked. A lot of their customers were justifiably concerned that their Coinbase accounts had been compromised. This is especially true due to the fact that a week prior, some user accounts were actually hacked. Many of those customers made complaints against the company last week for their lack of customer service and their perceived unwillingness to answer any of their questions. They also complained that the company did not make themselves available to help rectify the problems that they were experiencing. (There is a link in the article that redirects you to that story.)
Furthermore, one of their customers detailed to the news the events that followed after he had received these false notifications from the company. He said he first contacted his daughter and her boyfriend to seek advice on whether he should sell his crypto or not. He ultimately decided to sell all of it, which was a total of $60,298. I’m sure he’s not the only customer who has had that reaction. The company says they have been working hard to be transparent with their customers and to regain their trust. They take full responsibility for the unfortunate internal mistake.
https://www.cnbc.com/2021/08/30/coinbase-sent-erroneous-account-security-notifications-to-125000-customers.html
Quantifying risk and cyber breach cost.
This is a quick read article that contains a link to a longer report. The article does contain a very interesting graphic that shows the cost of various types of cyber incidents that occurred in 2020. It answers the question – what is the cost of a data breach? It answers that question for a variety of breach types – phishing, malicious insider, compromised credentials, cloud misconfiguration etc.
It is generally difficult to get hard numbers to quantify risk and this report supplies some of those numbers.
https://securityintelligence.com/posts/how-to-quantify-cost-of-data-breach/
My article that I am choosing to summarize / discuss this week is titled “T-Mobile Hacker Who Stole Data on 50 Million Customers: ‘Their Security Is Awful’”. It was published in the Wall Street Journal on 8/27 and was written by Drew FitzGerald and Robert McMillan.
The article goes in depth about the recent T-Mobile hack and data breach and how it was done by a 21-year-old kid named John Binns. He is an American citizen who moved to Turkey around three years ago. John discovered a router on T-Mobile’s network that was unprotected by relentlessly scanning known T-Mobile internet addresses with software that is widely available to the public. Binns said that he carried out the hack to expose the lackluster security of T-Mobile and, seemingly, for fun. He contacted the Wall Street Journal from an alias messenger account that outlined plans of the attack in other messages before it was even carried out. It is not known whether Binns got paid to carry out the attack, or if he sold or used the PI that he extracted in any way.
This is the third time in two years that T-Mobile has had a large security breach. It is also the second largest mobile service provider in the United States. Binns got access to an extremely large amount of PI, including social security numbers and IDs.
https://www.wsj.com/articles/t-mobile-hacker-who-stole-data-on-50-million-customers-their-security-is-awful-11629985105
“Attackers Behind Trickbot Expanding Malware Distribution Channels”
The operators behind the pernicious TrickBot malware have resurfaced with new tricks that aim to increase its foothold by expanding its distribution channels, ultimately leading to the deployment of ransomware such as Conti.
The threat actor, tracked under the monikers ITG23 and Wizard Spider, has been found to partner with other cybercrime gangs known as Hive0105, Hive0106 (aka TA551 or Shathak), and Hive0107, adding to a growing number of campaigns that the attackers are banking on to deliver proprietary malware, according to a report by IBM X-Force.
https://thehackernews.com/2021/10/attackers-behind-trickbot-expanding.html?&web_view=true
“Advances in Data Analysis and Classification”
This article from the international journal Advances in Data Analysis and Classification (ADAC) is apparently designed as a forum for high-standard publications on research and applications about the extraction of knowable aspects from many types of data. The articles explain structural, quantitative, or statistical approaches for the analysis of data; advances in classification, clustering, and pattern recognition methods; strategies for modeling complex data and mining large data sets; methods for the extraction of knowledge from data; and applications of advanced methods in specific domains of practice. Articles illustrate how new domain-specific knowledge can be made available from data by skillful use of data analysis methods. The journal article intrinsically highlights survey papers that outline and illuminate the basic ideas and techniques of special approaches for many business organizations in the 21st century.
https://www.springer.com/journal/11634?utm_source=bing&utm_medium=cpc&utm_campaign=SRMT_DEC_EXTL_P5_Statistics_Hig