Avantia Threat Update
EMOTET: THE WORLD”S MOST DANGEROUS BOTNET DISRUPTED BY MAJOR POLICE OPERATION.
This Past Week:
Police take down Emotet Malware infrastructure; Hackers publish thousands of files after government agency refuses to pay ransomware; Dutch COVID 19patient data sold to cyber criminals; Here’s how the new Microsoft Password Monitoring system works; Apple gears up to release “Expensive” VR headsets as early as 2022 and Major Breaches in AUSTRALIA; SWEEDEN; UNITED KINGDOM; CANADA and UNITED STATES.
Dark Web ID's Top Threats This Week
Top Source Hits: ID Theft Forum Top Compromise Type: Domain Top Industry: Health & Medical Research Top Employee Count: 501+
EMOTET MALWARE ‘NAILED’ BY MAJOR POLICE OPERATION:
The world's most prolific and dangerous malware botnet (computer network) has been taken down following a global law enforcement operation that was two years in planning. Europol, the FBI, the UK's National Crime Agency and others coordinated action which has resulted investigators taking control of the infrastructure controlling Emotet in one of the most significant disruptions of cyber-criminal operations in recent years. Emotet first emerged as banking trojan in 2014 but evolved into one of the most powerful forms of malware used by cyber criminals. Emotet establishes a backdoor onto Windows computer systems via automated phishing emails that distribute Word documents compromised with malware. Subjects of emails and documents in Emotet campaigns are regularly altered to provide the best chance of luring victims into opening emails and installing malware – regular themes include invoices, shipping notices and information about COVID-19. Those behind the Emotet lease their army of infected machines out to other cyber criminals as a gateway for additional malware attacks, including remote access tools (RATs) and ransomware. It resulted in Emotet becoming what Europol describes as "the world's most dangerous malware" and "one of the most significant botnets of the past decade", with operations like Ryuk ransomware and TrickBot banking trojan hiring access to machines compromised by Emotet in order to install their own malware. The takedown of Emotet, therefore, represents one of the most significant actions against a malware operation and cyber criminals in recent years. "This is probably one of the biggest operations in terms of impact that we have had recently and we expect it will have an important impact," Fernando Ruiz, head of operations at Europol's European Cybercrime Centre (EC3) said. "We are very satisfied." A week of action by law enforcement agencies around the world gained control of Emotet's infrastructure of hundreds of servers around the world and disrupted it from the inside. Machines infected by Emotet are now directed to infrastructure controlled by law enforcement, meaning cyber criminals can no longer exploit machines compromised and the malware can no longer spread to new targets, something which will cause significant disruption to cyber-criminal operations."Emotet was our number one threat for a long period and taking this down will have an important impact. Emotet is involved in 30% of malware attacks; a successful takedown will have an important impact on the criminal landscape," said Ruiz. "We expect it will have an impact because we're removing one of the main droppers in the market – for sure there will be a gap that other criminals will try to fill, but for a bit of time this will have a positive impact for cybersecurity," he added. The investigation into Emotet also uncovered a database of stolen email addresses, usernames and passwords. People can check if their email address has been compromised by Emotet by visiting the Dutch National Police website. Europol is also working with Computer Emergency Response Teams (CERTs) around the world to help those known to be infected with Emotet. In order to help protect against malware threats like Emotet, Europol recommends using anti-virus tools along with fully updated operating systems and software – so cyber criminals can't exploit known vulnerabilities to help deliver malware. It's also recommended that users are trained in cybersecurity awareness to help identify phishing emails. The Emotet takedown is the result of over two years of coordinated work by law enforcement operations around the world, including the Dutch National Police, Germany's Federal Crime Police, France's National Police, the Lithuanian Criminal Police Bureau, the Royal Canadian Mounted Police, the US Federal Bureau of Investigation, the UK's National Crime Agency, and the National Police of Ukraine. The investigation into Emotet, and identifying the cyber criminals responsible for running it, is still ongoing.
HACKERS PUBLISH THOUSANDS OF FILES AFTER GOVERNMENT AGENCY REFUSES TO PAY RANSOMWARE.
A Ransomware gang publishes stolen data after Scottish Environment Protection Agency (SEPA) refuses to pay ransom - as agency confirms operations remain disrupted. The hackers behind the ransomware attack on the Scottish Environment Protection Agency (SEPA) have published thousands of stolen files after the organisation refused to pay the ransom. Scotland's Government Regulator for protecting the environment was hit with a ransomware attack on Christmas Eve, with cybercriminals stealing 1.2 GB of data in the process. Almost a month on from the attack, SEPA services remain disrupted – but despite this, the agency has made it clear it won't engage with those behind the attack. SEPA hasn't confirmed what form of ransomware it has fallen victim to, but the Conti ransomware gang claimed responsibility for the attack. As a result of the non-payment, Conti has published all of the stolen data on its website, posting over 4,000 documents and databases related to contracts, commercial services and strategy. The latest update from SEPA confirms that at least 4,000 files have been stolen and published. "We've been clear that we won't use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds," said Terry A'Hearn, chief executive of SEPA. "We have made our legal obligations and duty of care on the sensitive handling of data a high priority and, following Police Scotland advice, are confirming that data stolen has been illegally published online. We're working quickly with multi-agency partners to recover and analyse data then, as identifications are confirmed, contact and support affected organisations and individuals," he added. Agencies SEPA is working with in continued efforts to investigate the attack and fully restore the network include the Scottish Government, Police Scotland and the National Cyber Security Centre (NCSC). Despite the impact of the attack, SEPA is still able to provide flood forecasting and warning services, as well as regulation and monitoring services. Stealing data and threatening to make it public if a ransom isn't paid in exchange for the decryption key has become an increasingly common tactic for the most successful ransomware gangs, with that extra leverage helping them to make millions of dollars in bitcoin per attack. In some cases, victims who have the capability to restore the network without the decryption key are still paying ransoms just to prevent hackers from leaking stolen data. Ransomware has become one of the most disruptive and damaging cyberattacks an organisation can face and criminals show no signs of slowing down campaigns because, for now at least, ransomware gangs are still successfully extorting large payments from a significant percentage of victims.
DUTCH COVID-19 PATIENT DATA SOLD TO THE CRIMINAL UNDERGROUND.
Dutch police have arrested two individuals on Friday for allegedly selling data from the Dutch health ministry's COVID-19 systems on the criminal underground. The arrests came after an investigation by RTL Nieuws reporter Daniel Verlaan who discovered ads for Dutch citizen data online, advertised on instant messaging apps like Telegram, Snapchat, and Wickr.
The ads consisted of photos of computer screens listing data of one or more Dutch citizens. The reporter said he tracked down the screengrabs to two IT systems used by the Dutch Municipal Health Service (GGD) — namely CoronIT, which contains details about Dutch citizens who took a COVID-19 test, and HPzone Light, one of the DDG's contact-tracing systems. Verlaan said the data had been sold online for months for prices ranging from €30 to €50 per person. Buyers would receive details such as home addresses, emails, telephone numbers, dates of birth, and a person's BSN identifier (Dutch social security number). In a press release today, Dutch police said they started an investigation last week when they learned of the ads and arrested two suspects within 24 hours of the complaint. Both men were arrested in Amsterdam on Friday, and were identified as a 21-year-old man from the city of Heiloo and a 23-year-old man from the city of Alblasserdam. Their homes were also searched, and their computers seized, police said. According to Verlaan, the two suspects worked in DDG call centers, where they had access to official Dutch government COVID-19 systems and databases. The names of the two suspects, scheduled to appear in court tomorrow, were not released; in accordance with Dutch law. "Because people are working from home, they can easily take photos of their screens. This is one of the issues when your administrative staff is working from home," Victor Gevers, Chair of the Dutch Institute for Vulnerability Disclosure, told ZDNet in an interview today. "We have seen this before in the Netherlands with influencers and VIPs. "The BSN number (Dutch social security number) is important because this makes financial fraud easier for criminals," Gevers added."But also for blackmailing purposes. Especially when they know where you live."
HERE'S HOW THE NEW MICROSOFT PASSWORD-MONITORING SYSTEM ACTUALLY WORKS.
Just as Google starts rolling out new password protection features in Chrome 88, Microsoft has revealed the inner workings of its password monitor features in its Chromium-based Edge browser. The stable version of Microsoft Edge version 88 gained the Password Monitor feature, which Microsoft announced in March 2020. Not to be confused with a password manager, this is Microsoft's alert for passwords that have been exposed in data breaches and leaked online. Google added a feature to Chrome in 2019; Mozilla started testing its password breach alert service in 2018. Browser makers are keen to get us to sign-in, but how do you get users to sign in to a browser when there's no perceived value beyond syncing browsers across desktop and mobile? Security, or more specifically, a security service that alerts the users to a password that's been leaked online could be a key benefit here. Like other browser-based password breach notification services, Microsoft's Password Monitor alerts Edge users if any of their passwords saved in the browser's password manager match a password exposed in a data breach. "When you turn on Password Monitor, Microsoft Edge checks the passwords you've saved in the browser against a large database of known leaked passwords that are stored in the cloud. If any of your passwords match those in the database, they'll appear on the Password Monitor page in Microsoft Edge Settings. Any passwords listed there are no longer safe to use and you should change them immediately," Microsoft notes in a support page.
"Make sure you're signed in to Microsoft Edge using your Microsoft account or your work or school account," it says. Microsoft, Google and Mozilla don't actually see the user's passwords for websites. As Microsoft researchers point out: "The underlying technology ensures privacy and security of the user's passwords, which means that neither Microsoft nor any other party can learn the user's passwords while they are being monitored."Microsoft explains its approach with Edge relies on "homomorphic encryption" and offers a plain language description of what it's doing to monitor passwords without actually viewing them. Homomorphic encryption is a relatively new cryptographic primitive that allows computing on encrypted data without decrypting the data first, the researchers explained. "At a high level, when a password is saved in Edge, the browser needs to contact a server to check if the password was found in a breached list. It is also necessary to periodically check this in case there are new instances of breached passwords found," Microsoft researchers explain. Edge servers must not learn any information about a person's usernames or passwords, and ensure that potential attackers can't access information while the check happens – which involves looking at traffic as it travels between users and Edge servers, just like a man-in-the-middle attack. Microsoft's researchers said they have built on the Microsoft SEAL homomorphic encryption library to implement a new protocol to bring Password Monitor to Edge users. This meant modifying the library to support low-end devices, to have multi-platform support (Mac, ARM, x86), and to optimize the protocol for network efficiency.
APPLE GEARS UP TO RELEASE ‘EXPENSIVE’ VR HEADSETS AS EARLY AS 2022.
Researchers claims that this "niche" product will be "far more expensive than those from rivals" and that Apple may only sell one per day per retail store. Apple is gearing up for the first new product since the Apple Watch. According to a report by Bloomberg, this will be the long-anticipated VR headset with limited AR capability. And it could land as soon as 2022, and would be the precursor to a dedicated AR product. Details are, as you'd expect at this stage, vague. The price is described as "far more expensive than those from rivals," with the headset being "high-end," and "niche," so niche that some Apple insiders are reported as believing that Apple "may sell only one headset per day per retail store," which works out at about 500 per day, or 180,000 a year. As you'd expect, there are hurdles that Apple needs to overcome, some technical, but others regulatory, specifically around selling a product that includes prescription lenses. The real question isn't whether Apple could develop a VR headset (just look at the ingenuity of the AirPods Max), and there's little doubt that people will buy it (again, we only need look at the AirPods Max), but will there be the content to support it? If the ecosystem is only going to be 180,000 users after a year, that's really not going to get developers and content makers fired up to make content, so it might leave Apple in a position where it will have to bankroll this content itself for the first few years while the ecosystem grows, much like Apple did during those early days of the iPhone.
MAJOR THREAT BREACHES THIS PAST WEEK – RISK SCORES GUIDE
1 – 1.5 = Extreme Risk 1.51 – 2.49 = Severe Risk 2.5 – 3 = Moderate Risk
Risk scores for The Week in Breach are calculated using a formula that considers a wide range of factors related to the assessed breach.
United States – Teespring
Exploit: Hacking Teespring: eCommerce Platform
Risk to Business: 2.129 = Severe
Hackers have dropped a huge trove of user and creator data allegedly from Teespring, an e-commerce platform that specializes in enabling designers to market their wares. The two massive files of stolen data include email addresses and last update dates for 8,242,000 user accounts.
Individual Risk: 2.221 = Severe
The info dump contains 4,000,000+ user records, including usernames, full names, locations, phone numbers, Creator IDs, referral information, trust score, whitelisted seller campaigns, storefronts, bank check payouts, and other analytics data. This data could be used to conduct business email compromise attacks and spear phishing attempts.
Customers Impacted: 8,242,000
How it Could Affect Your Business: Data like this is sought-after by cybercriminals and often hangs around for years on the Dark Web, acting as fuel for future cybercrime.
Avantia Cyber Security & ID Agent to the Rescue: Watch for threats from the Dark Web without lifting a finger using Dark Web ID, 24/7/365 credential monitoring that alerts you to trouble fast. Call Avantia on 07 30109711 for a FREE ‘REAL TIME’ DARK WEB search.
United States – Circuit Court of Cook County
Exploit: Unsecured Server Circuit Court of Cook County: Municipal Court System
Risk to Business: 1.775 = Severe
An unsecured Elasticsearch server is the cause of a huge data exposure containing more than 323,277 Cook County court-related records. Researchers estimate that the database may have belonged to a specialist Cook County department of caseworkers working with people who needed additional help.
Risk to Business: 1.612 = Severe
The records contained PII such as full names, home addresses, email addresses, and court case numbers and notes on the status of both the case and the individuals concerned. Criminal, family and immigration cases are in the mix. This data could be used to mount an array of attacks like blackmail, identity theft and spear phishing attempts.
Customers Impacted: Unknown
How it Could Affect Your Business Failing to take a simple step to secure a server that contains sensitive information doesn’t speak well to an organization’s commitment to cybersecurity.
Avantia Cyber Security & ID Agent to the Rescue: Everyone needs to understand the seriousness of today’s threats. Our Security Awareness Champion’s Guide makes understanding cyber threats easy and fun. Call Avantia on 07 30109711 to get your free copy of the Ebook.
United States – MeetMindful
MeetMindful: Dating Site
Risk to Business: 1.979 = Severe
Details of an estimated 2.28 million users of dating site MeetMindful was just released online in the latest in a series of stolen data dumps by cybercrime gang ShinyHunters. There’s no clear origin of the data, but researchers expect that it may have come from an unsecured AWS S3 bucket.
Individual Risk: 1.779 = Severe
The dumped data includes users’ real names, email addresses, address information, physical descriptions, dating preferences, marital status, birth data, location data, IP addresses, Bcrypt-hashed passwords, Facebook user IDs and Facebook authentication tokens. This information puts users at risk for spear phishing attacks.
Customers Impacted: 2.28 million
How it Could Affect Your Business: Keeping data safe from hackers starts with keeping data secure using strong access point controls and basic security protocols like multifactor authentication.
Avantia Cyber Security & ID Agent to the Rescue: Passly provides the toolkit that businesses need to keep cybercriminals locked out of data and systems including multifactor authentication and secure shared password vaults. Call Avantia on +61 7 30109711 for more information.
United States – Bonobos
Bonobos: Menswear Retailer
Risk to Business: 1.979 = Severe
Men’s clothier Bonobos has experienced a huge 70GB data breach exposing millions of customers’ personal information after a cloud backup of their database was snatched. ShinyHunters, who had a very busy week, posted the full Bonobos database to a free hacker forum. ShinyHunters was kind enough to transform the stolen password data into a handy list for credential stuffing.
Individual Risk: 2.006 = Severe
The leaked data included customers’ addresses, phone numbers, partial credit card numbers (last four digits), order information and password histories. This information can be used in many cyberattacks including spear phishing and credential stuffing.
Customers Impacted: 7 million
How it Could Affect Your Business: Data theft is an increasingly worrisome problem for everyone. Not only is the original business impacted, the addition of such large troves of information to the Dark Web fuels further cybercrime.
Avantia Cyber Security & ID Agent to the Rescue: Dark Web ID provides 24/7/365 protection against surprise credential compromise by sending up a red flag when a stolen credential that could impact your business appears on the Dark Web. Call Avantia on 07 30109711 to get a FREE Scan of the Dark Web for your stolen Usernames/Passwords.
Canada – City of Montmagne
City of Montmagne: Municipal Government
Risk to Business: 2.211 = Severe
The municipal government of Montagne in Quebec has fallen victim to a ransomware attack that crippled city systems. Some services have been restored including the phone system which was down for 6 days, but the recovery could be slow.
Individual Risk: No personal or business financial information or PII was reported as stolen in this incident that is still under investigation.
Customers Impacted: 17,553
How it Could Affect Your Business: Ransomware is almost always the result of a phishing attack. Failing to keep up with security awareness training will put businesses at risk for more cyberattacks.
Avantia Cyber Security & ID Agent to the Rescue: BullPhish ID makes it easy to keep up with training for users and trainers with customizable training portals for each user. Call Avantia on +61 7 30109711 for more information.
United Kingdom – the7stars
the7stars: Talent Agency
Risk to Business: 1.411 = Severe
Clop ransomware is at the root of a data breach at the7stars, a London-based talent agency that handles clients with connections to Atlantic Records, Suzuki and Penguin Random House. Internal client records, business agreements, photographs, business records, and other communications were included in this haul. The agency announced that it was able to restore its systems from back-ups and are continuing to investigate.
Individual Risk: 1.221 = Severe
The stolen data includes scans of passports, invoices, and other sensitive information about the agency’s clients. This information can be used for identity theft and spear phishing.
Customers Impacted: Unknown
How it Could Affect Your Business: Ransomware is a huge risk for every business, and it’s essential that everyone in your team is on board to spot and stop ransomware attacks.
Avantia Cyber Security & ID Agent to the Rescue: Go back to school to learn why ransomware has become such a prevalent threat in today’s landscape and how to stop it in our ebook Ransomware 101. Call Avantia on +61 7 30109711 to get your FREE copy
Exploit: Third Party Data Breach
Pixlr: Photo Editing Software Developer
Risk to Business: 1.827 = Severe
ShinyHunters are at it again, this time with a dump of data from Pixlr. The gang claims that the Pixlr data was obtained through their earlier successful breach at stock photo site 123rf, which is owned by the same parent company. The Pixlr database posted by ShinyHunters contains 1,921,141 user records consisting of email addresses, login names, SHA-512 hashed passwords, a user’s country, whether they signed up for the newsletter, and other internal information.
Individual Risk: 1.717 = Severe
User information was stolen that includes basic contact information for users, leaving them at risk for spear phishing attacks.
Customers Impacted: 1,921,141
How it Could Affect Your Business: Third party data breaches are becoming all too common as Dark Web data grows, creating even more risk for businesses, especially around credential stuffing.
Avantia Cyber Security & ID Agent to the Rescue: Get protection from password-based cyberattacks like credential stuffing fast with secure identity and access management from Passly. Call Avantia on +61 7 30109711 for more info.
Australia – Australia Securities and Investments Commission
Australia Securities and Investments Commission: Securities Regulator
Risk to Business: 1.616 = Severe
A security breach at Australia’s security regulator may have led to a significant data exposure. The breach occurred on a server that the organization used to transfer files including credit license applications where some information may have been viewed. This breach may have been caused by a suspected flaw in third-party software that may have also spurred a similar breach at the New Zealand central bank a few weeks ago.
Individual Risk: No personal or business data was reported as confirmed to be stolen in this incident that is still under investigation.
Customers Impacted: Unknown
How it Could Affect Your Business: Taking precautions against potential third party data breaches is sensible for every business because you can never be sure how another company’s cybersecurity flaws may impact your business.
Avantia Cyber Security & ID Agent to the Rescue: Passly is the multipurpose secure identity and access management solution that every business needs to guard systems and data against unexpected trouble fast. Call Avantia on 07 30109722 for more info.
How Strong is the Lock on the Door to Your Data?
You wouldn’t trust a flimsy old lock to secure the door to your business. Why are you trusting one to secure your business systems and data? It sounds logical that you’d want the most secure lock on your office door, but many companies don’t extend that logic to the access points to their systems and data, leaving them wide open to cybercriminal mischief. In a recent survey, only 24% of businesses were using security access controls, like a secure identity and access management solution instead of old-fashioned password-based security. That’s a boon for cybercriminals – compromised passwords are the key to entry for them in around 85% of all data breaches. Strong access point security isn’t just something for major corporations anymore. Every business needs it, and solutions like Passly ensure that every business can afford it.
Protecting your systems and data with just a password isn’t going to cut it anymore. Even if your employees are making good, complex passwords and practicing excellent password hygiene, relying on passwords alone is outmoded and dangerous. Huge stores of passwords that have been stolen in past data breaches are available in Dark Web markets and data dumps to power credential stuffing attacks and other cybercrime. Passly makes it easy and affordable to defend against password-based attacks with the tools that experts recommend: multifactor authentication, single sign-on, secure shared password vaults and more. Plus, Passly deploys in days, not weeks for an immediate security improvement. Don’t wait to beef up your access point security. Add a secure identity and access management solution today and make sure that the access points to your systems and data are really protected.
CLICK THIS LINK TO REVIEW OUR OUR CYBER SECURITY PARTNERS - THE BEST OF THE BEST
Avantia Corporate Services Pty Ltd T/A Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, other members of the 5 Eyes Alliance, the Australian Cyber Security Centers, and other sources in 56 countries who provide cyber breach and cyber security information in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the contents accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.
*COPYRIGHT 2020* Avantia Corporate Services - All Rights Reserved.