Avantia Threat Update
University is out - so is their data!
This week JISC, a UK government-funded agency that provides cyber-security for universities and colleges, reported more than 850 attacks across the UK in 2017/18, aimed at almost 190 universities and colleges, and found that staff and students could often be responsible. Meanwhile, the ongoing implications of the breach of SingHealth's specialist outpatient clinics and polyclinics earlier in the year come home to roost.
While searching 24/7/365 for user credentials on the Dark Web, our US partner collects statistics on a wide variety of variables related to the data unearthed. Trends seen have been kept in house…until now. Introducing the newest addition to our weekly ‘Compromised Data Breach and Threat Update’.
Stolen Data found on the Dark Web this week:
Top Source Hits: New ID Theft Forums (8,534) identified
Top PII New Compromises: Clear Text Passwords (8,460) listed.
(Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or to de-anonymise otherwise anonymous data, can be considered PII.)
In Other News:
Millions of mobile devices are vulnerable to Bluetooth exploits, with almost half of the devices being Android phones running older versions of the operating system. This vulnerability can be used to facilitate ‘airborne’ attacks, which allow Bluetooth devices to broadcast malware to other devices in close proximity. This is significant because BlueBorne, malware exploiting this vulnerability, does not need to pair with a device to infect it… in fact the target device does not even need to be in discoverable mode.
Search and Destroy
Researchers have noticed an increased presence of malware that assesses the target device before delivering the full payload. This is useful for the attacker because they can now target specific computers. Customising the payload delivered by the malware can lead to some very tailored and hard-to-detect exploits. As of now these ‘scouting’ tactics are far from standard, but it is likely we will continue to see these methods increase.
Safari Browsers Thwart Data Tracking
New privacy features in Apple's Safari browser seek to make it tougher for companies such as Facebook to track you.
Companies have long used cookies to remember your past visits. This can be helpful for saving sign-in details and preferences. But now they're also being used to profile you in order to fine-tune advertising to your tastes and interests.
Cookie use goes beyond visiting a particular website. As other sites embed Facebook "like" and "share" buttons, for instance, Facebook's servers are being pinged and can access your stored cookies. That means Facebook now knows you frequent celebrity gossip sites or read news with a certain political bent. Ads can be tailored to that.
Safari used to wait 24 hours from your last visit to a service before blocking that service's cookies on third-party sites. That effectively exempted Facebook, Google and other services that people visited daily. Now, Safari will either block the cookie automatically or prompt you for permission. Apple says Safari will still be able to remember sign-in details and other preferences, though some websites have had to adjust their coding.
Browsers typically reveal seemingly innocuous information about your device, such as the operating system used and fonts installed. Websites use this to make minor adjustments in formatting so that pages display properly. Browsers have historically made a lot of information available, largely because it seemed harmless. Now it's clear that all this data, taken together, can be used to uniquely identify you. Safari will now hide many of those specifics so that you will look no different from the rest. It's like a system that digitally blurs someone's image. "You can tell it's a person and not a dog, but you can't recognise a person's face," he said. For instance, Safari will reveal only the fonts that ship with the machine, not any custom fonts installed.
When visiting a website, the browser usually sends the web address for the page you were just on. This address can be quite detailed and reveal the specific product you were exploring at an e-commerce site, for instance. Now, Safari will just pass on the main domain name for that site.
Some ad companies have sought to bypass restrictions on third-party cookies — that is, identifiers left by advertisers — by using a trick that routed them through a series of websites. That could make a third-party cookie look like it belonged to a site you're visiting. Safari will now try to catch that.
Threat Focus: Universities in the United Kingdom & Ireland
Universities and further education colleges in Northern Ireland suffered 16 serious cyber-attacks in 2017/18, according to the latest report released this week. That was a rise from three such attacks in 2016/17.
The figures come from the Joint Information Systems Committee (JISC), a UK Government-funded agency that provides cyber-security for universities and colleges. They record the number of distributed denial of service (DDoS) attacks, which can disable an organisation's website or server. A DDoS attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example, a hijacked botnet network) flooding the targeted system with traffic. The figures do not include incidents such as phishing frauds or attempts to use malware or ransomware.
A spokesperson from JISC said that the large increase in attacks against Northern Ireland was "mostly due to a recurring attack against one member over a one-week period". However, JISC - formerly known as the Joint Information Systems Committee - did not provide details of which local university or college was involved in that incident.
There were more than 850 attacks across the UK in 2017/18, aimed at almost 190 universities and colleges. This was up from fewer than 600 attacks on about 140 institutions in the previous year. JISC examined the timing of the 850 attacks in 2017/18 and found a "clear pattern" of attacks being concentrated during term times and during the working day.
A JISC spokesperson said that DDoS attacks could be "catastrophic" if not tackled quickly.
"Imagine the chaos if there were no email, no finance systems, no access to learning resources or the virtual learning environment," they said.
Threat Focus: Singapore Health System “it's sick”.
Singapore has suffered its "most serious" data breach, compromising personal data of 1.5 million healthcare patients including that of its Prime Minister Lee Hsien Loong. The affected users are patients of SingHealth, which is the country's largest group of healthcare institutions, comprising 42 clinical specialties, four public hospitals, five speciality centres, nine polyclinics, as well as three community hospitals.
Non-medical personal details of 1.5 million patients who visited SingHealth's specialist outpatient clinics and polyclinics between May 1, 2015, and July 4, 2018, had been accessed and copied. The stolen data included patients' name, national identification number, address, gender, race, and date of birth. In addition, outpatient medical data of some 160,000 patients were compromised, though the records were not modified or deleted, said the Ministry of Health and Ministry of Communications and Information (MCI) in a joint statement.
"No other patient records, such as diagnosis, test results or doctors' notes, were breached [and] we have not found evidence of a similar breach in the other public healthcare IT systems," they said.
The first sign of unusual activity was detected on July 4, 2018, by the Integrated Health Information Systems (IHiS), which is the public healthcare sector's technology agency and is responsible for running local public healthcare institutions' IT systems. The agency "acted immediately" to stop the illegal activities and implemented "additional cybersecurity precautions", whilst carrying out further investigation of the incident. Six days later, on July 10, IHiS informed the Health Ministry and the Cyber Security Agency of Singapore (CSA) after confirming it had suffered a cyberattack. However, while the attack was detected on July 4, it was later established that data "was exfiltrated" from June 27. A police report was filed on July 12 and investigations were ongoing.
In the statement, CSA and IHiS described the attack as "deliberate, targeted, and well-planned". "It was not the work of casual hackers or criminal gangs. The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong's personal particulars and information on his outpatient dispensed medicines," they said.
No further data was compromised following the discovery on July 4 and IHiS had deployed further measures to tighten the security of SingHealth's IT systems, including temporarily separating internet access from workstations, resetting user and systems accounts, and installing additional system monitoring controls.
CSA said hackers had gained control through breaching a frontend workstation, from which they then were able to obtain privileged account credentials (Username/Password Login) to gain access to SingHealth's database.
The Government's increasing industry collaboration and research efforts suggest Singapore needs a cybersecurity strategy that goes beyond limiting internet access, as two universities also fall prey to APT attacks. (An advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity; it usually targets private organisations, states or both, for business or political motives.)
Meanwhile, cybersecurity vendors have warned that the compromised data may find its way onto the Dark Web.
Paul Ducklin, Sophos' senior technologist, said: "The data stolen in this breach is an identity thief's goldmine. It's a startling reminder to all Singaporeans that there is no such thing as 'cyberattackers would never care about little old me'... Anyone affected in this breach has no choice but to assume that their personal information will end up for sale on the Dark Web, ready for active abuse by cybercrooks."
"On the Dark Web, such data can fetch a high price," Kleinman said, adding that each entry could be sold for $50 to $100 more than stolen credit card data. Citing data from IBM’s Ponemon Institute, he noted that a lost or stolen healthcare record could fetch US$408. He said it could take months after an attack before the first set of compromised data made its way onto the black market to be sold, then used.
"While healthcare organisations may standardise on laptops and IT servers, providers also manage multiple devices that are attached to the network. These can include drug infusion pumps, imaging devices like MRI and CT scanners, and treatment software such as those used to manage implantable pacemakers." With an extremely heterogeneous environment, systems in different parts of a healthcare organisation may not play well with each other. Like any large organisation, a healthcare organisation may have multiple business or operations units, and each unit may procure software solutions that best meet their needs but may not have uniform cybersecurity effectiveness.
And while malware might have been used in that initial attack on the workstation, it would take more than having the right malware detection tools to solve the problem. Singapore Prime Minister Lee said: "We cannot go back to paper records and files. We have to go forward to build a secure and Smarter Nation."
Your Best Bet Is to Vet
Two thirds of organisations sampled across sectors experienced a software supply chain attack in the last 12 months (CrowdStrike). The increase in supply chain attacks can be linked to many things, but one of the most significant factors is that cyber security is becoming a priority for organisations across the board. This pushes cyber criminals to find new ways to infiltrate their target. These attacks often utilise compromised credentials (usernames and passwords) and are widespread, attacking an organisation through legitimate software packages to make the attack difficult to detect. One way that businesses can prevent supply chain attacks is better supplier vetting. If an organisation can effectively vet its suppliers and hold them to the same cybersecurity standards that it holds itself, then the chance of an attacker being able to infiltrate the network is significantly reduced. With the right tools and knowledge, supply chain attacks can be made less dangerous or avoided entirely.
Consider this: When you think about cyber security, think about the ones you care the most about – your family. If you have children or young adults using smartphones, tablets or laptops, consider their vulnerability. Do you want to put their digital selves in the hands of paedophiles, scammers and cyber criminals? The purchase of children’s digital credentials (username/password) is big business on the Dark Web. Check out our inexpensive Individual or Family monitoring service – it’s a ‘no brainer’ for your peace of mind.
Disclaimer: Avantia Corporate Services Pty Ltd provides the content in this publication for general information only and has compiled the content from a number of sources believed to be reliable. No warranty, implied or otherwise, is given as to its accuracy or fitness for use; no validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.