
THE REAL FACE OF CYBER CRIME


Cyber Criminal Gang Members exposed.


This week, a malware gang is convicted of infecting 400,000 computers worldwide, ransomware shuts down a major US medical practice, students hack their school’s Wi-Fi to avoid tests, Canadian pension plan records go missing, an Irish healthcare group is scammed, UK university networks are penetrated in under 2 hours, and a US university health centre is served with a US$5 million class action lawsuit after a breach*.


This Past Week’s Top Dark Web Compromises*:

Top Source: ID Theft Forums (99%)

Top Compromise Type: Domain (99%)

Top Industry: Medical & Healthcare

Top Employee Count: 11 - 50 Employees


This Past Week’s Top Targeted Industries*:

Information Technology Hits: 87 | Targets: Microsoft, Sony Corp, F5 Networks, Netflix, Google

Software Hits: 82 | Targets: Microsoft, F5 Networks, Google, LinkedIn, Yahoo

Software Hits: 41 | Targets: F5 Networks, iSelect, Citrix Systems, Pandora, eBay Inc

Finance Hits: 40 | Targets: Equifax Inc, PayPal, JPMorgan Chase & Co., Western Union, Intesa Sanpaolo SpA

Computer Hardware Hits: 33 | Targets: Microsoft, Apple, ASUS, Cisco Systems Inc, Juniper Networks


This Past Week’s Top Threat Actor*:

Hezbollah Hits: 18 | Targets: Israel, Syria, Lebanon, Iran, United States

FIN 6 Hits: 15 | Targets: HPC POS System Corporation, Point of Sale, POS Systems, FireEye Inc, United States

Lazarus Group Hits: 13 | Targets: Sony Corp, South Korea, Cryptocurrency, United States, Bitcoin

APT32 OceanLotus Hits: 9 | Targets: Vietnam, Mac OS, Association of Southeast Asian Nations, China, Toyota Motor Corp.

BAYROB Group Hits: 8 | Targets: Cryptocurrency


This Past Week’s Top Malware Exploits*

HOPLIGHT Hits: 97 | Targets: United States, Critical infrastructure systems

Emotet Hits: 35 | Targets: Germany, United Kingdom, Banking, Microsoft Windows, United States

Reveton Hits: 31 | Targets: Microsoft Windows, MIKE ROLAND, Europe, Green Dot MoneyPak, United Kingdom

Wcry Hits: 27 | Targets: Boeing, Microsoft Windows, United Kingdom, Bitcoin, North Korea

TRISIS Hits: 22 | Targets: Schneider Electric, Triconex SIS, Critical infrastructure systems, Triconex, Industrial Control Systems



In Other News:


Malware gang convicted of infecting over 400,000 computers worldwide, stealing millions through online auction fraud*:

A US court has convicted two Romanian hackers belonging to the Bayrob malware gang after they infected over 400,000 computers around the world and stole millions of dollars. Bogdan Nicolescu (aka “Masterfraud”) and Radu Miclaus (aka “Minolta”), both of Bucharest, Romania, have been convicted by a federal jury of 21 counts related to the infection of hundreds of thousands of computers with malware in order to steal credit card details, mine for cryptocurrency, and engage in online auction fraud. 36-year-old Nicolescu, 37-year-old Miclaus, and a co-conspirator – Tiberiu Danet (aka “Amightysa”) – who pleaded guilty, started their criminal campaign in 2007 with the creation of malware which they spammed out posing as communications from the likes of Western Union, the IRS, and Norton AntiVirus. Unsuspecting recipients of the emails who clicked on the attachments had malware surreptitiously installed on their PCs, hijacking them into a botnet (a network of compromised computers under the attackers’ control). Once in place, the malware would access contact details of other potential victims from email accounts and address books in order to spread further. Further exploiting the infected computers, the hackers commanded the compromised PCs in the botnet to create email accounts with AOL. In all, more than 100,000 email accounts were created with the service, and then used to send tens of millions of malicious emails. That would be bad enough, but infected computers were also harvested by the remote hackers to steal personal information, such as passwords, usernames, and payment card details. For instance, when users visited websites such as Facebook, eBay and PayPal, the malware would intercept the browser request and redirect infected computers to a phishing site. In this way the hackers were able to steal account credentials.
Hacked accounts and stolen credit card details were put to use by the criminals to fund their criminal activities, including the rental of server space, buying domain names using fictitious identities, and the purchase of VPN services to cover their online tracks. As a press release from the US Department of Justice makes clear, the hackers’ criminal endeavours didn’t stop at that: the defendants were also able to inject fake pages into legitimate websites, such as eBay, to make victims believe they were receiving and following instructions from legitimate websites, when they were actually following the instructions of the defendants. They placed more than 1,000 fraudulent listings for automobiles, motorcycles and other high-priced goods on eBay and similar auction sites. Photos of the items were infected with malware, which redirected computers that clicked on the image to fictitious webpages designed by the defendants to resemble legitimate eBay pages. Naturally, anyone who fell for the bogus eBay listings never received the items they believed they had purchased, and never got their money back. All they got was a slideshow of the car they hoped they were buying, with an unpleasant bonus of a malware infection. Security researchers discovered that, to string victims along, the criminals even created a fake transportation firm which would supposedly truck purchased vehicles to their new owner, with an accompanying website to appear more credible. The bogus company even operated a phone line to appear more convincing as it informed victims that delivery of their vehicle had been delayed. Finally, in addition to all of the above, in an attempt to avoid detection, the malware was able to disable anti-virus protection and blocked victims’ browsers from accessing law enforcement websites.
This clearly was a highly organised and sophisticated criminal operation, and federal prosecutors spent more than two weeks presenting evidence to the jury about how it was co-ordinated, and how the gang successfully stole more than four million dollars.


US Lawmakers Want to Fund Cyber Upgrades for State and Local Governments.*

A bipartisan bill introduced last Monday into the US Lower House would require the US Homeland Security Department (equivalent to Australia’s Home Affairs Ministry) to fund efforts by state and local governments to boost their cyber defenses. The Cyber Resiliency Act would create a federal grant program to support cybersecurity upgrades for governments that often lack the resources to fund their own endeavors. It would also mandate that states participating in the program work to improve recruitment and retention in their cyber workforce. “As cyberattacks increase in frequency and gravity, we must ensure that our nation—from our local governments on up—is adequately prepared to protect public safety and combat cyber threats,” said Sen. Mark Warner, D-Va., who cosponsored the bill with Sen. Cory Gardner, R-Colo. “Nearly 70 percent of states have reported that they lack adequate funding to develop sufficient cybersecurity. This bill will aim to mitigate that need by providing grants to state and local jurisdictions so that they are better prepared to take on these emerging challenges.” Under the legislation, states would be eligible for up to two grants to create a holistic cyber resiliency plan that touches on issues like network security, continuous vulnerability checks, workforce development and critical infrastructure protection. Once the strategy is approved by the Homeland Security secretary, states could receive another two grants to put it into practice. States awarded implementation grants would be able to funnel funding to specific local and tribal governments. The legislation would also create a 15-person committee to review grants and resiliency plans, and keep tabs on how states are spending the grants. The committee would help states craft effective cyber improvement policies and submit annual reports on the program to Congress. If passed, the bill would fund the program through fiscal 2025. Lawmakers didn’t specify how much money would be allocated.


25% of Phishing Emails Sneak into Office 365: Report*

Researchers analyzed 55.5 million emails and found one out of every 99 messages contains a phishing attack.

One in every 99 emails is a phishing attack, and a new study shows 25% of those phishing attacks bypass the default security measures built into Office 365, researchers reported today. The data comes from Avanan's Global Phish Report, which analyzed 55.5 million emails sent to Microsoft Office 365 and Google G Suite accounts. They found roughly 1% of all messages are phishing threats that use malicious attachments or links as the attack vector. Of those, 25% were marked safe by Exchange Online Protection (EOP) built into Office 365 and delivered to users. Cloud-based email has rung in a new era of phishing, explains Yoav Nathaniel, Avanan lead security analyst and report author. "The connected nature of cloud email allows an attacker to get access to a bigger bounty from a single successful phishing attack since the credentials give them access to other connected accounts such as cloud file sharing or cloud HR," he says. Of 55.5 million total emails analyzed, 561,947 were phishing attacks. Researchers broke the malicious messages into four categories: over half (50.7%) had malware, 40.9% were harvesting credentials, 8% were extortion emails, and 0.4% were spear phishing attempts. Researchers scanned about 52.4 million emails directed to Office 365, of which 546,427 (1.04%) were phishing emails. They only analyzed 3.12 million emails for G Suite, of which 15,700 (0.5%) were phishing emails. In the report, researchers note that the messages were scanned after they had gone through default security but before they were delivered to users' inboxes. They then took a closer look at how phishing emails were classified by Office 365 EOP, Microsoft's cloud-based filtering service. In EOP, emails are first sent through connection filtering, which verifies the sender's reputation and scans for malware. Most spam is deleted here, Microsoft says.

Messages continue on through policy filtering, where they're evaluated against custom rules admins can create and enforce. They're also passed through content filtering, where they're checked for words and properties associated with spam. Based on settings, spam can be redirected to the Junk folder or quarantined. After going through these layers, messages deemed benign are delivered to the inbox. Avanan reports that of the phishing emails that made it through EOP, 20.7% were marked as phishing emails and about half (49%) were marked spam. About 5% were whitelisted by admin configurations, and 25% were marked clean and successfully sent to the target user.

Bypassing Filters: How do some emails sneak through? Nathaniel says part of the reason is obfuscation, which relies on emails being displayed to end users differently from how they appear to the machine-based security layer. Obfuscation comes in different forms: rare but legitimate email formats, which aren't properly analyzed by security but are delivered to inboxes; malformed emails and attachments whose HTML confuses the security layer but renders as safe-looking content in the email client; and hidden characters in the email body, which are intended to trick the security filter. Obfuscation makes up "quite a small number of attacks," says Nathaniel. "We see them targeting extremely high-profile individuals … they save it for special occasions." This may include targeting a CEO or C-suite executives of Fortune 500 companies, using attacks they don't want to land in a Junk folder. Analysts also pulled data on different characteristics of phishing emails, which yielded some interesting findings. For example, 35% of messages containing links to WordPress websites are phishing attacks. "Just the fact that it sent you a link to a WordPress site already makes the email suspicious," Nathaniel points out.

And Bitcoin wallet links are almost a sure red flag: 98% of messages with cryptocurrency wallet links turn out to be malicious, researchers learned. "It's important to note there's rarely a legitimate reason to send a cryptowallet address via email," he continues. This is typically done via text, or money is sent using an app. Finally, the report notes that out of every 25 branded emails, it's likely at least one is a phishing attempt. Microsoft is the most frequently impersonated brand (43%) for most of the year, followed by Amazon (38%), which takes the lead during the holiday shopping season.
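The report's three observations above (cryptowallet addresses are almost never legitimate in email, WordPress links are disproportionately phishing, and hidden characters are used to split indicators so a filter misses them) translate directly into a post-delivery detection rule. The following is an added example written for this newsletter, not code from Avanan or Microsoft: a small Python scorer that strips invisible Unicode characters before pattern matching, so an address or URL broken up with zero-width characters is still seen the way the user would see it. The regexes, the weights, the threshold and the sample messages are all constructed assumptions for illustration; the Bitcoin address used is the documentation example format, not a real recipient.

```python
import re
import unicodedata

# Invisible code points (Unicode category Cf: zero-width space/joiner, BOM, soft
# hyphen, ...) render as nothing in a mail client but can split a keyword, URL
# or wallet address so that a pattern-based filter no longer matches it.
def hidden_characters(text: str) -> list:
    """Return the invisible (category Cf) code points found in text."""
    return [ch for ch in text if unicodedata.category(ch) == "Cf"]

def strip_hidden(text: str) -> str:
    """Remove invisible code points so patterns see the text as the user sees it."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

# Constructed patterns (assumptions for this example, not from the report):
# Bitcoin-style base58 (1.../3...) and bech32 (bc1...) addresses, any URL, and
# URL fragments typical of WordPress sites.
CRYPTO_WALLET_RE = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
WORDPRESS_RE = re.compile(r"\.wordpress\.com|/wp-(?:content|admin|includes|login)",
                          re.IGNORECASE)

# Weights are constructed for this example, ordered by the report's hit rates
# (wallet links 98% malicious, WordPress links 35%); hidden characters are rare
# but, as the report notes, reserved for high-value targets.
WEIGHTS = {"crypto_wallet": 0.9, "hidden_characters": 0.6, "wordpress_links": 0.4}
THRESHOLD = 0.4

def split_message(raw: str):
    """Split a simple RFC 822-style text into (headers, body) at the first blank line.
    Deliberately minimal: real mail should be parsed from bytes with the email package."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def score_email(raw: str) -> dict:
    """Return {'score', 'verdict', 'findings'} for one message."""
    _, body = split_message(raw)
    findings = {}
    hidden = hidden_characters(body)
    if hidden:
        findings["hidden_characters"] = [f"U+{ord(c):04X}" for c in hidden]
    visible = strip_hidden(body)          # match against what the user would see
    wallets = CRYPTO_WALLET_RE.findall(visible)
    if wallets:
        findings["crypto_wallet"] = wallets
    wp_links = [u for u in URL_RE.findall(visible) if WORDPRESS_RE.search(u)]
    if wp_links:
        findings["wordpress_links"] = wp_links
    score = min(1.0, sum(WEIGHTS[k] for k in findings))
    verdict = "suspicious" if score >= THRESHOLD else "clean"
    return {"score": round(score, 2), "verdict": verdict, "findings": findings}

# Constructed sample messages (not real mail); the wallet address is the
# documentation example format, not a real recipient.
SAMPLE_EXTORTION = (
    "From: sender@example.net\nTo: victim@example.org\nSubject: Your account\n\n"
    "I recorded you. Pay 0.5 BTC to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 within 48 hours.\n")
SAMPLE_HIDDEN = (   # same address with a zero-width space inserted in the middle
    "From: sender@example.net\nTo: victim@example.org\nSubject: Invoice\n\n"
    "Pay 0.5 BTC to 1BvBMSEYst\u200bWetqTFn5Au4m4GFg7xJaNVN2 now.\n")
SAMPLE_WORDPRESS = (
    "From: it-helpdesk@example.net\nTo: victim@example.org\nSubject: Password reset\n\n"
    "Reset here: https://example-blog.wordpress.com/wp-login.php\n")
SAMPLE_CLEAN = (
    "From: colleague@example.org\nTo: victim@example.org\nSubject: Lunch\n\n"
    "Are we still on for 12:30? Menu: https://example.org/menu\n")

if __name__ == "__main__":
    for name, raw in [("extortion", SAMPLE_EXTORTION), ("hidden", SAMPLE_HIDDEN),
                      ("wordpress", SAMPLE_WORDPRESS), ("clean", SAMPLE_CLEAN)]:
        print(name, score_email(raw))
```

The order of operations is the point: record the hidden characters as a finding in their own right, then match the wallet and URL patterns against the stripped text, otherwise the zero-width space in the second sample defeats the address regex exactly as the report describes. The base58 pattern will also match other long alphanumeric tokens (tracking numbers, licence keys), so a score like this belongs in a triage or alerting layer rather than as a hard block.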


Celebgate 2.0: attacks on the Apple accounts of Musicians and Athletes*

A Georgian man has confessed to hacking the Apple accounts of NFL and NBA players, along with famous musicians. By creating fake accounts and impersonating Apple’s customer service, Kwamaine Jerell Ford was able to send phishing emails that coaxed victims into providing their login credentials as early as 2015. Once he had taken over the accounts, he would change the email addresses and passwords, and proceed to purchase air travel, hotels, and furniture. With credit card information from Apple in hand, he was also able to transfer money to his own online payment accounts. Ford has pleaded guilty to one count of computer fraud and one count of aggravated identity theft. He will be sentenced on June 24. Such an incident serves as a strong reminder of just how much damage can be inflicted through phishing. To prevent this highly effective form of cyberattack, small businesses and security providers invest in solutions that are specifically designed with customers and employees in mind,



THREAT FOCUS: Burrell Behavioural Health – USA*

Exploit: Unsecured business associate portal

BBH: Mental health service provider based in Missouri

Risk to Small Business: 2.333 = Severe: BBH has sent letters to patients notifying them of a breach that occurred in August of last year. Potential attackers would be able to infiltrate a business associate’s portal to access electronic protected health information (ePHI) and compromise sensitive records. The mental health service provider noted that there was no evidence of unauthorized access, but will be providing free identity monitoring, protection, and reporting from agencies including Equifax, Experian, and TransUnion. Along with the direct costs associated with offering such services to patients, the organization will have to pour funds into reputation management.

Individual Risk: 2.571 = Severe: The exposed records included names, addresses, contact information, DOBs, medical history information, driver’s license numbers and SSNs. Given the amount of time that has lapsed, patients are at high risk and should immediately begin monitoring their identity and credit reports.

Customers Impacted: 67,493 patients

Effect On Customers: As breaches continue to become more commonplace, companies are being held accountable for providing free identity protection for their customers and employees. Such damage can be disabling for small businesses, especially when combined with the costs that come with managing public relations.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: Brookside ENT and Hearing Centre – USA*

Exploit: Ransomware attack

Brookside: Medical practice in Battle Creek, Michigan

Risk to Small Business: 2 = Severe: The doctor’s office of Dr. William Scalf and Dr. John Bizon will be forced to close on April 30th after falling victim to a ransomware attack and refusing to pay $6,500 to regain access. Although hackers were unable to compromise their data, all information regarding appointments, patients, and payments was completely erased.

Individual Risk: 2.428 = Severe: Sensitive information of individuals was not accessed, only deleted. However, none of the unrecoverable data was salvaged, and the office closure will force patients to seek treatment elsewhere, even those with imminent health concerns.

Customers Impacted: Undetermined

Effect On Customers: This security incident is a perfect example of how devastating a ransomware attack can be for small businesses and their customers. Hackers are capable of wiping out infrastructure and important records, forcing business owners to rebuild from the ground up. As such, company managers must begin assessing cybersecurity threats and working with MSPs to protect themselves from compromises going forward.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: Secaucus High School – USA*

Exploit: Malware

Secaucus High School: New Jersey high school

Risk to Small Business: 2.333 = Severe: Two high school freshmen were arrested for disabling their school’s Wi-Fi system to avoid taking tests. The students used a private company to execute the hack, resulting in them being charged with computer criminal activity and conspiracy to commit computer criminal activity. Although the systems are back up and running, it remains to be seen how the students will be disciplined by the school district.

Individual Risk: 2.482 = Severe: None.

Customers Impacted: 2

Effect On Customers: Hacks are being commoditized, with packaged products capable of bringing down systems and stealing information becoming readily available on the Dark Web. Smaller organizations must learn to recognize such trends and protect their members, customers, and staff by investing in security providers that host solutions enabling them to understand the inner workings of online, underground marketplaces.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: BC Pension Corporation – CANADA*

Exploit: Missing microfiche

BC Pension Corporation: One of the largest pension plan administration agents in Canada

Risk to Small Business: 2 = Severe: Members of the BC College Pension Plan are receiving notifications that their information may be at risk after a box went missing during an office move last year. Contents of the container included microfiche with personal information of members who worked from 1982 to 1997, and the breach was discovered in October 2018. Although the corporation has declared this a low-risk security incident, FIPA argues that it is a high-risk attack. Along with negative publicity, the BC Pension Plan Corporation will face backlash from members and may spearhead the case for implementing mandatory data breach reporting requirements in British Columbia.

Individual Risk: 2.428 = Severe: Some of the information includes names, social insurance numbers and dates of birth. Although there is currently no indication of an attack, plan members should investigate identity and credit reports to see if they were affected. In the words of one of the affected members, West Kelowna resident Pamela Stevens, "the information is out there, and there are people that wait around for these things to happen to get people and to use their cards and information to misuse it."

Customers Impacted: Around 8,000

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: Unity Housing – CANADA*

Exploit: Data leak

Unity Housing: Ottawa community housing agency

Risk to Small Business: 2 = Severe: Thousands of personal files related to Unity Housing were released to Ontario’s police watchdog and have been sitting in an exposed court exhibit for weeks. A USB key storing the files was initially delivered in lieu of a manslaughter trial, but most of the information was completely irrelevant to the case. The company maintains that it was unaware of the breach, and that no one accessed the data except for the defence counsel. Although it is unlikely that the compromised data was manipulated for malicious reasons, it draws attention to the agency and may make homeowners question the safety of their data.

Individual Risk: 2.428 = Severe: Since the USB key was only accessed by government officials and lawyers, it is unlikely that it was accessed nefariously. Therefore, individual risk is limited.

Customers Impacted: To be determined

Effect On Customers: When a data leak reaches news headlines, the security and care of the responsible company is put under question. To avoid similar incidents from occurring in the future, businesses must protect the personal information of customers and employees by establishing a “need-to-know” basis. Additionally, they must understand whether leaked information is being used by hackers, which can be done by working with security suites that monitor their primary marketplaces on the Dark Web.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: Bayer Pharmaceuticals – GERMANY*

Exploit: Malware attack

Bayer: German multinational pharmaceutical and life sciences company

Risk to Small Business: 2 = Severe: In a statement this past Thursday, Bayer revealed that infectious software was discovered on its systems back in early 2018. Before removing the malware in March, the company proceeded to “spy” on the hackers to identify the responsible party. Without any further details on their incident response methodology, or on what Bayer means by “spy”, ID Agent recommends always contacting an Incident Response Team once a compromise has been identified; allowing an unknown third party to continue accessing data is generally inadvisable. The drug maker announced that there is no evidence of data theft, and that it has traced the source of the hack to a group known as Winnti.

Individual Risk: 2.428 = Severe: No individuals are at risk

Customers Impacted: N/A

Effect On Customers: The era of industrial espionage is here, and small businesses should be taking notice. Hackers are setting their sights towards technology and intellectual property, given its tremendous value and sometimes limited security. Phishing campaigns are the most frequent of all attack vectors, followed by infection via custom malware.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: Saolta University Healthcare Group – IRELAND*

Exploit: Scam

Saolta: Umbrella hospital group composed of 6 sites across Western Ireland

Risk to Small Business: 2.333 = Severe: Patients of one of the hospitals in the Saolta network, University Hospital Galway (UHG), are receiving letters from an organization calling itself the Anglo American Lottery. The scam informs them that they have won a prize in the “hospital sick patient lottery draw” and will be admitted to a ward. Along with soliciting DOBs and other personal details, the scheme offers a fake website and phone number. Patients of UHG are filing complaints and have voiced their concerns to the Data Protection Commission, and it remains to be seen how Saolta will be penalized.

Individual Risk: 2.714 = Moderate Risk: Given that hackers were able to send personalized letters to the home addresses of patients, it’s clear that an exposure of information has already occurred. Anyone who has received or responded to the letter must immediately enlist in identity protection and reach out to Saolta to receive reparations.

Customers Impacted: To be determined

Effect On Customers: As you can imagine, patients/customers are not happy when they realize that hackers are using their information collected from a company to orchestrate scams. With the rapidly growing ecosystem of cybersecurity awareness and vigilance, companies who fall short must face the consequences of customer attrition, news headlines, and hefty penalties.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: United Kingdom Universities – UNITED KINGDOM*

Exploit: Password spraying

UK Universities: Universities across the UK that agreed to participate in a Jisc initiative

Risk to Small Business: 2 = Severe: Ethical hackers from Jisc, the company that provides internet services to UK universities and research centers, were able to access personal data of students and staff, financial systems, and research networks in less than 2 hours. The penetration testing was conducted in over 50 universities, with some being tested multiple times. Out of the simulated attacks, spear phishing proved to be one of the most effective.

Individual Risk: 2.571 = Moderate: None

Customers Impacted: N/A

Effect On Customers: The academic sector is under attack by opportunistic hackers looking to sell research and student information on the Dark Web to the highest bidders. Given the sensitivity of such information, it is likely that future regulations will address such gaps and set minimum requirements for cybersecurity. Sensitive research fuels everything from military operations to economic growth, which should make educational organizations acknowledge and protect such information through data security.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

POSTSCRIPT*


University of Connecticut’s Health Centre’s $5M data breach Class Action Lawsuit*

The University of Connecticut Health Centre has been served a class action lawsuit over a data breach that resulted in the exposure of the records of 326,000 current and former patients. Yoselin Martinez and others are seeking $5M in damages, alleging that the university not only took months to report the breach, but could have done more to prevent it. Martinez claims that her bank account has been defrauded and overdrawn due to the information that was compromised during the breach. The attack was discovered in December of last year, when an unauthorized party was able to access an employee’s email account and compromise names, DOBs, addresses, medical information, and SSNs. With the public eye scrutinizing organizational efforts to protect their customers and employees, small businesses must catch on early and begin working with MSPs to bolster new cybersecurity initiatives.



*Disclaimer: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the contents accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions.


Call (07) 3010 9711 

info@avantiacorp.com.au


Avantia Corporate Services Pty Ltd, Level 7, 320 Adelaide Street

Brisbane, Queensland 4000

AUSTRALIA.



*COPYRIGHT 2020* Avantia Corporate Services  PTY LTD - All Rights Reserved.
