Avantia Threat Update
US NAVY SEALS PLATOONS BEEF UP CYBER CAPABILITY

This Past Week: US Military boosts Cyber Capability in Tier 1 Special Forces; ACSC Alert - Exim Email Server vulnerabilities; The Future of Passwords; US Law Enforcement rejects widespread facial recognition scanning; Belgian Parliament hit by Cyber attack; Double extortion ransomware attacks increase as cyber criminal gangs use new tactics; Fake COVID-19 vaccine website steals info from visitors; Older broadband routers have significant cyber security flaws and MAJOR breaches in AUSTRALIA; SWITZERLAND; UNITED KINGDOM CANADA & UNITED STATES OF AMERICA.
US Navy Seals pivot from Counter Terrorism to Global Threats by boosting Cyber capability.
Ten years after they found and killed Osama bin Laden, U.S. Navy SEALs are undergoing a major transition to improve leadership and expand their commando capabilities to better battle threats from global powers like China and Russia. The new plan cuts the number of SEAL platoons by as much as 30% and increases their size to make the teams more lethal and able to counter sophisticated maritime and undersea adversaries. And there will be a new, intensive screening process for the Navy’s elite warriors, to get higher-quality leaders after scandals that rocked the force and involved charges of murder, sexual assault and drug use. Rear Adm. H. Wyman Howard III, top commander for the SEALs, laid out his plans : He said the Navy’s special operations forces have been focused on counterterrorism operations but now must begin to evolve beyond those missions. For the past two decades, many have been fighting in the deserts of Iraq and mountains of Afghanistan. Now they are focused on going back to sea. That decision reflects the broader Pentagon strategy to prioritize China and Russia, which are rapidly growing their militaries and trying to expand their influence around the globe. U.S. defence leaders believe that two decades of war against militants and extremists have drained resources, causing America to lose ground against Moscow and Beijing. The counterterrorism fight had its benefits, allowing the SEALs to sharpen their skills in developing intelligence networks and finding and hitting targets, said Howard, who heads Naval Special Warfare Command, which includes the SEALs and the special warfare combatant-craft crewmen. “Many of these things are transferable, but now we need to put pressure on ourselves to operate against peer threats.” As a result, Howard is adding personnel to the SEAL platoons to beef up capabilities in cyber and electronic warfare and unmanned systems, honing their skills to collect intelligence and deceive and defeat the enemy. “We are putting pressure on ourselves to evolve and understand our gaps in capability and what our true survivability is against these threats” posed by global competitors, he said.

Alert status HIGH
Multiple high severity vulnerabilities have been discovered within the Exim mail server. The most severe of these vulnerabilities allows remote code execution which could enable a malicious cyber actor to take full control of the vulnerable system. A full list of the vulnerabilities and additional information is available from the related Exim security advisory. At this time the ACSC has not identified any active exploitation of these vulnerabilities. The ACSC has assessed that there is a significant number of Exim mail servers deployed within Australia. Any future successful exploitation of vulnerable Exim servers would have a significant impact to Australian systems and networks.
Mitigation The ACSC strongly recommends that Australian organisations:
1. Review their systems and networks for the presence of vulnerable instances of the Exim mail server;
2. Apply the appropriate patch as identified by the Exim project in the Exim security advisory.
Avantia Cyber Security is a registered partner of Australian Cyber Security Centre (ACSC)
Are Passwords dying?
World Password Day was created by Intel in 2013 to raise awareness of the need for strong passwords, but many experts now use the occasion to urge organizations to replace passwords with other, more secure authentication methods. World Password Day is observed every year on the first Thursday of May, and in 2021 that is today, May 6. Passwords are often compromised in data breaches, putting users at risk. On the other hand, passwords — either guessed or stolen — are also often leveraged to carry out an attack and breach an organization’s systems. That is why many experts believe it’s time to stop using them for authentication, or at least use them in combination with other mechanisms that provide better security. Several cybersecurity professionals have shared thoughts for World Password Day, including on the future of passwords and better alternatives.
Francois Lasnier, Vice President, Access Management solutions, Thales: “With more employees working remotely than ever before due to COVID-19, businesses are at greater risk from a cyber-attack with workers accessing systems outside of the usual company network. As such, this year’s World Password Day is in fact a timely reminder for businesses to drop passwords forever – they are no longer good enough and are the prime resource for hackers to gain access. Instead, companies should rollout access management solutions such as passwordless authentication which verifies users through other methods like their IP address or if they are accessing through a device or operating system associated to them. This will overcome the inherent vulnerabilities of text-based passwords, while improving levels of assurance and convenience. No single solution is enough though, so organisations should also be looking to adopt a Zero Trust model in their approach to authenticating users and certifying their authorisation to access data. This strategy, based on the principle, “Never Trust, Always Verify”, views trust as a vulnerability and requires employees to only access data they’re authorised to do so, while ensuring they verify who they are each time they want access.”
Baber Amin, COO, Veridium: “Have passwords, get hacked! Passwords and other static knowledge-based verification methods are archaic, but for now it is hard to get rid of them completely. The goal that all organizations should be going for is reducing their password related threat surface or footprint with a passwordless approach combined with biometrics and device+user behavior, and bio-mechanic analysis approach. The goal is creating a strong binding between a user, their behaviour and the user agent in order to create an enhanced security and user experience.”
Mike Puglia, Chief Strategy Officer, Kaseya: “Cybercriminals love password dumpers because they make it easier to propagate ransomware, steal data and gain entry for long-term access. They can now attempt logins against all major cloud and SaaS sites, especially since almost every company has some employee accounts on Google, Microsoft or Amazon. Access to targets supporting 95% of the world’s organizations are a click away from any location. The next five years will bring password plus MFA for all logins, with password-only being the exception. It’s already happening with consumer accounts – banks, phones, even gaming systems — and now we are seeing it roll out across all business applications. Though MFA cannot stop 100% of attacks, it raises the effort and costs required for adversaries to be successful. It is the only way we start to lower the number of breaches.”
Benoit Grange, Chief Technology Evangelist, OneSpan: “Passwords are a problem. Passwords are inconvenient and riskier than other authentication options available today because they can be guessed, stolen, or cracked. While we won't see passwords go completely away anytime soon, a passwordless approach could be the answer to many user friction and security challenges. A recent VISA survey found consumers are ready to leave the password behind. Seventy percent of consumers believe that biometrics are always more comfortable as they do not involve memorizing passwords. With a plethora of other data pointing to a continuing upward trend in biometric usage, new risk-based multifactor authentication with fingerprint, face, or iris recognition could be the solution that will finally free us from the burden of endless passwords, opening the doors to a brighter, passwordless future.”
Ralph Pisani, President, Exabeam: “World Password Day 2021 is more important than ever as organizations grapple with the new reality of ‘work from anywhere’ and the fast adoption of the hybrid workplace trend. Cybercriminals will capitalize on any opportunity to collect credentials from unsuspecting victims. Just recently, scammers began preying on people eagerly awaiting vaccinations or plans to return to the office as a means to swipe their personal data and logins, for instance. The most common attack technique that I often see in the breach reports that I read is stolen credentials. This is a never ending battle between the security industry and cybercriminals, but there are ways organizations can protect themselves against credential theft. Through a mix of educating staff on complex password best practices, security awareness training and investing in machine learning-based security analytics tools, organizations can make it much more difficult for digital adversaries to utilize their employees’ usernames and passwords for personal gain. Behavioural analytics tools can swiftly flag when a legitimate user is exhibiting anomalous behaviour indicative of compromised credentials. This approach provides greater insights to SOC analysts about both the impacted and malicious user, which results in a faster response incident time and the ability to stop adversaries in their tracks, before they can do damage.”
Patrick McBride, Chief Marketing Officer, Beyond Identity: “Passwords are completely compromised. So much so that we recommend they be placed in a vulnerability class of their own. Since there is no CVE designation designed for this purpose, we recommend a new “Ubiquitous” CVE designation and drafted a U-CVE for passwords. We are not a certified numbering authority in the CVE program, but believe passwords are uniquely qualified for a modified “Ubiquitous” designation. Instead of “reminding” (nice euphemism for “forcing”) users to create longer, stronger passwords, to not reuse passwords across applications, and to change their passwords frequently, technology vendors need to think of passwords as a core vulnerability - one that cannot be easily patched. These ubiquitous vulnerabilities can be fixed with modern identity management architectures and the implementation of strong authentication methods.”
Saryu Nayyar, CEO, Gurucul: “Passwords are the bane of the security team's existence. Users use weak passwords, reuse the same passwords, refuse to change passwords, or simply forget them and need help resetting passwords. I thought self-service password reset options would have alleviated the help desk from resetting user passwords. However, it still turns out 20% to 50% of all IT help desk tickets are still for password resets (according to The Gartner Group). We actually have the technology to eliminate passwords altogether, but that would require companies indulge in passwordless authentication. Really, the best option for enterprises going forward is continuous behavioral based authentication. [...] This is how organizations can make the authentication process more secure and frictionless for users.”
Neil Jones, cybersecurity evangelist, Egnyte: “To commemorate World Password Day, we’d like to remind you about practical steps that you can take to protect your valuable information, while embracing today’s work-from-home environment:
Educate your employees on password safety – Teach your users that commonplace passwords such as “123456,” “password” and their pets’ names can put your data and their personal reputations at risk. Remind users that passwords should never be shared with anyone.
Institute two-factor authentication – IT administrators should require additional login credentials during the users’ authentication process, to prevent potential account breaches. This can be as simple as a user providing their password, then entering an accompanying numeric code from an SMS text.
Set passwords for personal devices – Personal devices are on the rise in a remote-work environment and are particularly vulnerable to data theft, so encourage your employees to password-protect them.
Change your Wi-Fi password regularly – Remember that potential hackers are often working from home, just like us. If you haven’t updated your Wi-Fi password recently, do it immediately.
Establish mandatory password rotations – Greatly reduce exploitation of default and easily-guessable employee credentials by making your employees change their passwords regularly.
· Update your account lockout requirements – Prevent brute force password attacks by immediately locking out access points after several failed login attempts.”
US Law enforcement agencies say No to widespread facial recognition.
Across the U.S. have used facial recognition technology to solve homicides and bust human traffickers, but concern about its accuracy and the growing pervasiveness of video surveillance is leading some state lawmakers to hit the pause button.At least seven states and nearly two dozen cities have limited government use of the technology amid fears over civil rights violations, racial bias and invasion of privacy. Debate over additional bans, limits and reporting requirements has been underway in about 20 state capitals this legislative session, according to data compiled by the Electronic Privacy Information Center. Lawmakers say they want to give themselves time to evaluate how and why the technology is being used. “I think people are just freaked out, and rightfully so, about this technology,” said Freddy Martinez, director of Lucy Parson, s Labs, a Chicago non-profit that specializes in citizens’ digital rights. “It’s one of those rare issues that’s seen bipartisan support, in that nobody wants to be tracked everywhere they go, especially when you don’t have a choice.” The issue caught fire in statehouses after law enforcement applied facial recognition technology to images taken from street cameras during last year’s racial justice demonstrations — and in some cases used those to make arrests. Complaints about false identifications prompted Amazon, Microsoft and IBM to pause sales of their software to police, though most departments hire lesser-known firms that specialize in police contracts. Wrongful arrests of Black men have gained attention in Detroit and New Jersey after the technology was blamed for mistaking their images for those of others. The American Civil Liberties Union began raising questions about the technology years ago, citing studies that found higher error rates for facial recognition software used to identify people of colour. Concerns also have grown because of increasing awareness of the Chinese government’s extensive video surveillance system, especially as it’s been employed in a region home to one of China’s largely Muslim ethnic minority populations. In March, the ACLU sued Clearview AI, a company that provides facial recognition services to law enforcement and private companies, contending it illegally stockpiled images of 3 billion people scraped from internet sites without their knowledge or permission. For many, news of that stockpile, first reported by The New York Times, raised concerns that the type of surveillance seen in China could happen in the U.S. and other countries. Cities that passed bans — including Boston; Minneapolis; San Francisco; Oakland, California; and Portland, Oregon — listed concerns about police using the technology secretly among their reasons. Hoan Ton-That, CEO of Clearview AI, said his company collects only publicly available photos from the open internet that are accessible “from any computer anywhere in the world.” He said its database cannot be used for surveillance. Ton-That said that, as a person of mixed race, it is important to him that the technology is not biased. “Unlike other facial recognition technologies that have misidentified people of colour, an independent study has indicated that Clearview AI has no racial bias,” he said in a statement. “We know of no instance where Clearview AI’s technology has resulted in a wrongful arrest.” But the pushback against the technology has continued. Last year, New York imposed a two-year moratorium on use of the technology in schools after an upstate district adopted facial recognition as part of its security plans and was sued. A state ACLU executive called it “flawed and racially-biased” technology that didn’t belong in schools. That came on the heels of the nation’s first ban on government use of the technology, in San Francisco in 2019, and a state-wide three-year moratorium on police departments using facial recognition from videos shot with body cameras that California imposed later that year. No such restrictions exist at the federal level. Variants of facial recognition technology were used, including by ordinary people, to help identify those who took part in the deadly insurrection at the U.S. Capitol on Jan. 6. Police also used it at some protests last year staged against coronavirus-related mask mandates, and some activists have used it to identify police officers engaged in misconduct. This February, Virginia lawmakers passed one of the most restrictive bans of them all. It prohibits local law enforcement agencies and campus police departments — though not state police — from purchasing or using facial recognition technology unless expressly authorized by the state legislature. Police groups are pushing for the prohibitions to be revisited. “It’s fear-mongering politics at its worst,” said Jonathan Thompson, CEO and executive director of the National Sheriffs’ Association. He said facial recognition technology is just one tool used by police agencies — and not to the extent politicians suggest. “I’ve never heard of anybody sitting around a computer monitor searching for people all day, every day. It doesn’t work that way,” he said. “Agencies have rules. They have governance of how and who has access to these databases. They have to have a legitimate, rational reason for doing it.” Thompson’s association produced a report detailing example after example of the technology being used for good to snag drug dealers, to solve murders and missing persons cases, and to identify and rescue human trafficking victims. Most often, a face is compared against a database of known subjects. The vast majority of images are criminal mugshots, he said, not driver’s license photos or random pictures of individuals. A new Massachusetts law tries to strike a balance between civilian and police concerns. It allows police to benefit from the technology while adding protections that could prevent false arrests. In Ohio, Republican Attorney General Dave Yost headed off a restrictive law on facial recognition data — at least so far — by conducting his own investigation into the state’s images database in response to a Georgetown University Law Center report that found immigration officials were applying the technology to driver’s license photos in some states. Yost’s review found local, state and federal authorities didn’t use driver’s license or other photos “to conduct mass surveillance, broad dragnets, political targeting or other illegitimate uses.” Martinez, of the Lucy Parsons Lab, said he’s not reassured. “I really do think this is one of these tools, let’s say, science shouldn’t be using. It’s uniquely bad in ways other technologies are not,” he said. “People nationally want police to do their jobs, but there are certain lines we don’t let them cross. This crosses that line.”
Belgiun Parliament under attack
The company providing internet services for Belgium’s parliament, government agencies, universities and scientific institutions said Tuesday that its network was under cyberattack, with connections to several customers disrupted. Belnet said in a statement the attack “is still in progress and takes place in successive waves. Our teams are working hard to mitigate them.” The company has around 200 customers. Two hours later it said “the effect of the attack seems to be diminishing,” but provided no other details. Belgian media reported that online services for coronavirus vaccination centre’s were partly disrupted and that prosecutors’ offices in Brussels had experienced problems. Belnet Director Dirk Haex told broadcaster VRT “this is the first time that we’ve faced such a gigantic attack. It is tough to counter an attack like this.” The company has been in operation since 1993. “Everything reached a crescendo around noon,” Haex said, insisting that no information was stolen. “The point of such an attack is to disable the system, not to steal information.” Haex said it was too early to say who could be behind the attack.
Millions of older broadband routers have these security flaws, warn researchers
A new investigation has found that older routers, which aren't regularly upgraded, present some serious security vulnerabilities. Millions of households in the UK are using old broadband routers that could fall prey to hackers, according to a new investigation carried out by consumer watchdog Which? in collaboration with security researchers. After surveying more than 6,000 adults, Which? identified 13 older routers that are still commonly used by consumers across the country, and sent them to security specialists from technology consultancy Red Maple Technologies. Nine of the devices, it was found, did not meet modern security standards. Up to 7.5 million users in the UK could potentially be affected, estimated Which?, as vulnerable routers present an opportunity for malicious actors to spy on people as they browse, or to direct them to spam websites. One major issue concerns the lack of upgrades that older routers receive. Some of the models that respondents reported using haven't been updated since 2018, and even in some cases since 2016. The devices highlighted for their lack of updates included Sky's SR101 and SR102, the Virgin Media Super Hub and Super Hub 2, and TalkTalk's HG523a, HG635, and HG533. Most of the providers, when they were contacted by Which?, said that they regularly monitor the devices for threats and update them if needed. Virgin dismissed the research, saying that 90% of its customers are using later-generation routers. TalkTalk told ZDNet that it had nothing to add to the release. The researchers also found a local network vulnerability with EE's Brightbox 2, which could let a hacker take full control of the device. An EE spokesperson told ZDNet: "We take the security of our products and services very seriously. As detailed in the report, this is very low risk vulnerability for the small number of our customers who still use the EE Brightbox 2. (…) We would like to reassure EE Brightbox 2 customers that we are working on a service patch which we will be pushing out to affected devices in an upcoming background update." In addition, BT Group – which owns EE – told Which? that older routers still receive security patches if problems are found. Red Maple's researchers found that old devices from BT have been recently updated, and so did routers from Plusnet. The consumer watchdog advised that consumers who are still using one of the router models that are no longer being updated ask their providers for a new device as soon as possible. This, however, is by no means a given: while Virgin Media says that it gives free upgrades for customers with older routers, the policy is not always as clear with other providers. "It doesn't hurt to ask," said Hollie Hennessy, senior researcher at Which?. "While an internet provider is not obliged to provide you with a new router for free, if you call and explain your concerns you might get lucky, especially if your router is quite old." For consumers whose contracts are expiring soon, Hennessy suggested asking for a new router as a condition to stick with a given provider – and consider switching if the request is not met. On top of being denied regular updates, many older routers were also found to come with weak default passwords, which can be easily guessed by hackers and grant an outsider access. This was the case of the same TalkTalk and Sky routers, as well as the Virgin Media Super Hub 2 and the Vodafone HHG2500. The first thing to do, for consumers who own one of these models, is to change the password to a stronger one, as opposed to the default password provided, said Which?. The organization, in fact, is calling for the government to ban default passwords and prevent manufacturers from allowing consumers to set weak passwords as part of a new legislation that was proposed last month. As part of an effort to make devices "secure by design", the UK's department for Digital, Culture, Media and Sport has announced a new law that will stop manufacturers from using default passwords such as "password" or "admin", to better protect consumers from cyberattacks. The future law would also make it mandatory to tell customers how long their new product will receive security updates for. In addition, manufacturers would have to provide a public point of contact to make it easier to report security vulnerabilities in the products. In a similar vein, Which? called for more transparency from internet service providers. The organization said that providers should be more upfront about how long routers will be receiving firmware and security updates, and should actively upgrade customers who are at risk. Only Sky, Virgin Media and Vodafone appear to have a web page dedicated to letting researchers submit the vulnerabilities that they found in the companies' products, according to Which?.
US Justice Department seizes fake COVID-19 vaccine website stealing info from visitors
“Freevaccinecovax.org” was being used for fraud, phishing attacks, and/or deployment of malware, according to The U.S. Attorney’s Office. A fake COVID-19 vaccine website stealing visitors' data has been shut down by the Justice Department, according to the U.S. Attorney's Office for the District of Maryland. From cancelled conferences to disrupted supply chains, not a corner of the global economy is immune to the spread of COVID-19. The people behind "freevaccinecovax.org" made the website look like it for a biotechnology company working on the vaccine for COVID-19, but it actually was being used by cybercriminals for "fraud, phishing attacks, and/or deployment of malware." The site now has a large banner saying it has been seized by the federal government. "This is the ninth fraudulent website seeking to illegally profit from the COVID-19 pandemic that we have seized," Acting U.S. Attorney Jonathan Lenzner said in a statement. Lenzner noted that the website is one of thousands that have popped up since the pandemic began in early 2020. Cybercriminals have leveraged the fear and interest around COVID-19 to propagate a variety of scams or efforts to spread malware. Lenzner added that the government is "providing the vaccine free of charge to people living in the United States" and that no one should ever click on anything offering the vaccine for sale. The affidavit filed in court by the Justice Department says the scam was initially uncovered by the HSI Intellectual Property Rights Center and the HSI Cyber Crimes Center. The website was allegedly created from an IP address in Strasbourg, Germany but was registered in Russia, according to the Justice Department. It was created on April 27 and the site's homepage featured the logos of a number of well-known healthcare organizations like the World Health Organization, Pfizer, and the United Nations High Commissioner for Refugees. The website asked visitors to enter their location and then automatically downloaded a PDF file that users could fill out and upload. It is unclear how many people visited the site and filled out the PDF. Eric Howes, principal lab researcher at cybersecurity firm KnowBe4 said both the domain itself and the operation associated with it illustrate just how useful the COVID-19 pandemic has been for malicious actors looking to cash in on other people's misery. A bogus vaccine website offers bad actors a wide range of potential social engineering schemes, Howes explained, including offers for free access to vaccine supplies to bogus investment schemes. "COVID-19 has been the gift that keeps on giving for fraud artists over the past year," Howes said. "While authorities are to be lauded for shutting down this domain, one wonders how many more of them pushing similar fraudulent schemes are out there on the internet. Dozens? Hundreds? Thousands? Moreover, how long will it be before the parties behind this operation simply set up another domain and continue their operations?"
Ransomware: There's been a big rise in double extortion attacks as gangs try out new tricks
More and more ransomware gangs are adopting tactics around threatening to publish stolen data in an effort to force victims to pay. There's been a big rise in the number of ransomware gangs that threaten to release information stolen from the victims if they don't pay the ransom for the decryption key required to restore their network. The idea behind these 'double extortion' ransomware attacks is that even if the victim organisation believes it can restore its network without giving into the ransom demands of cyber criminals – which regularly cost millions of dollars in Bitcoin – the threat of sensitive information about employees or customers being exposed could still push victims to giving into the blackmail, and paying the ransom. Even then, there's no guarantee that the cyber criminals behind the ransomware attack will delete the stolen data – they could exploit it down the line, or sell it onto other crooks on dark web forums. These attacks have become extremely successful – and lucrative – for cyber criminals and cybersecurity researchers at ZeroFox have tracked the activity of over two dozen dark web leak sites associated with ransomware attacks over the past year, as more and more cyber-criminal groups move towards this form of extortion. The ransomware gangs that are most successful with double extortion attacks are those that first adopted it in their attacks, such as Revil, Maze, Netwalker, and DoppelPaymer, but others have followed in their footsteps and are finding plenty of success in 2021. Groups like Conti and Egregor have become most prolific over the course of this year – with the report pointing out how the latter group has allegedly gained success by recruiting members of other ransomware gangs, including Maze, which supposedly shut down in November last year. The recruitment of authors of other ransomware operations indicates how this particular type of malware has developed into a competitive market. Much like legitimate software companies, groups want to hire the best people to ensure that their product is as successful as possible – unfortunately, in this case, success comes at the cost of innocent victims who find their networks have been encrypted by a ransomware attack. But it isn't just threats to leak data now, as the report points out how some ransomware groups are launching Distributed Denial of Service (DDoS) attacks against victims, overwhelming what remains of the network with traffic to the extent that it isn't usable – and leveraging that as an additional method of forcing the victim to pay up. Ultimately, double extortion techniques have become so common amongst ransomware gangs because the attacks work and many organisations are unfortunately giving into ransom demands as cyber criminals in this space get more persistent and more aggressive. For organisations, the best way to avoid having to make a decision over paying cyber criminals in the hope they don't publish their stolen data online is for their network to be secure enough to prevent cyber criminals from being able to get in to start with. Cybersecurity procedures that can stop cyber criminals from infiltrating the network in the first place include applying security patches as soon as possible, so attackers can't exploit known vulnerabilities and deploying two-factor authentication across all users, so that if attackers do breach an account, it's difficult for them to move laterally around the network.
_________________________________________________________________________
THREAT FOCUS: United States – Metropolitan Police Department of the District of Columbia
Exploit: Ransomware
Metropolitan Police Department of the District of Columbia: Law Enforcement Agency
Risk to Business: 1.717= Severe The Babuk Locker ransomware gang snatched data from the DC Metropolitan Police. The sample the cybercrime group posted, included 576 pages of personnel files including full names, Social Security numbers, phone numbers, financial and housing records, job histories and polygraph assessments for current and former officers. That data was briefly visible on the gang’s site, but taken down after a short period. No word on whether the gang was paid or the exact contents of the stolen files. In total, the Babuk Locker gang claims it downloaded more than 250 GB of data from DC Police servers.
Individual Risk: 2.166= Severe - Current and former employees of the Metro Police may be in danger for spear phishing, identity theft or blackmail and should remain alert for fraud attempts.
Customers Impacted: Unknown
How It Could Affect Your Business: Data theft like this is the bread and butter of cybercrime. This data is especially desirable because it contains information about law enforcement. When storing this kind of information, ensuring that you’re using multifactor authentication is essential as is antiphishing security to guard against ransomware.
AVANTIA CYBER SECURITY to the Rescue: Make sure that everyone on your cyber security team is up to date on today’s threats and ready to respond when disaster calls. For more information and advice call Avantia on +61 7 30109711.
THREAT FOCUS: United States – Illinois Office of the Attorney General
Exploit: Ransomware
Illinois Office of the Attorney General: State Government Agency
Risk to Business: 1.807= Severe - The DopplePaymer ransomware gang has leaked a large collection of files from the Illinois Office of the Attorney General after the agency declined to pay the ransom that they gang demanded. The cybercriminals released information from court cases orchestrated by the Illinois OAG, including some private documents that do not appear in public records. the data also contains personally identifiable information about state prisoners, notes of their grievances, and case information.
Risk to Individuals: 2.177= Severe - In the documents posted so far there is some personal data for prisoners, but the full extent of the breach is not clear. formerly incarcerated people may be at risk of blackmail or spear phishing.
Customers Impacted: Unknown
How it Could Affect Your Business More than 50% of businesses were impacted by ransomware in the last 12 months. by taking sensible precautions like antiphishing software, secure identity and access management and updated security awareness training, companies can avoid this menace.
AVANTIA CYBER SECURITY to the Rescue: Make sure that everyone on your cyber security team is up to date on today’s threats and ready to respond when disaster calls. For more information and advice call Avantia on +61 7 30109711.
THREAT FOCUS: United States – Pennsylvania Department of Health
Exploit: Third Party Data Breach
Pennsylvania Department of Health: State Government Agency
Risk to Business: 1.803 = Severe - The Pennsylvania Department of Health received an unpleasant shock when it learned that the third-party firm it had employed to process contact tracing data had made data handling mistakes, potentially opening thousands of residents of the Keystone State up to trouble. The contractor, Atlanta-based Insight Global reported that several employees violated security protocols to create unauthorized documents outside of the secure data system that the state’s contract required using the data collected.
Individual Risk: 2.277 = Severe - Some of the records in question associated names with phone numbers, emails, genders, ages, sexual orientations and COVID-19 diagnoses and exposure status. They did not include financial account information, addresses or Social Security numbers. A daytime hotline is available for anyone concerned they might have been involved at 855-535-1787. Free credit monitoring and identity protection services will be offered.
Customers Impacted: 72,000
How it Could Affect Your Business: No business is an island. That’s why it pays to take precautions against potential intrusions and data theft that results from a service provider’s cybersecurity failure. AVANTIA CYBER SECURITY to the Rescue: Make sure that everyone on your cyber security team is up to date on today’s threats and ready to respond when disaster calls. For more information and advice call Avantia on +61 7 30109711.
THREAT FOCUS: United States – Wyoming Department of Health
https://www.infosecurity-magazine.com/news/data-breach-impacts-1-in-4/
Exploit: Unsecured Data
Wyoming Department of Health: State Government Agency
Risk to Business: 2.303 = Severe - Wyoming’s Department of Health (WDH) has announced the accidental exposure of personal health information belonging to more than a quarter of the state’s population on GitHub.com. The data breach occurred when an estimated 53 files containing laboratory test results were mishandled by a worker. Data in the leaked files included test results for flu and COVID-19 performed for Wyoming. One file containing breath alcohol test results was also exposed.
Individual Risk: 2.676 = Severe - Along with the test results were patients’ names, ID numbers, addresses, dates of birth and dates of when tests had been carried out. WDH has begun the process of notifying impacted individuals and victims will be offered a year of free identity theft protection.
Customers Impacted: 164,021 Wyoming residents and others
How it Could Affect Your Business: Taking care of business includes taking care of training to prevent slip-ups like this that will ultimately cost the state million after remediation and fines.
AVANTIA CYBER SECURITY to the Rescue: Make sure that everyone on your cyber security team is up to date on today’s threats and ready to respond when disaster calls. For more information and advice call Avantia on +61 7 30109711.
THREAT FOCUS: Canada – The Resort Municipality of Whistler
Exploit: Ransomware
The Resort Municipality of Whistler: Municipal Government
Risk to Business: 1.867 = Severe - The Resort Municipality of Whistler (RMOW) has temporarily suspended all online and some in-person services in the wake of a ransomware attack purportedly carried out by an unnamed new ransomware gang. The group leaked some data on it’s unfinished dark web site and claims to have stolen 800 GB of data. RMOW states that they are currently working with cybersecurity experts and the Royal Canadian Mounted Police (RCMP) to investigate further.
Individual Impact: No sensitive personal or financial information was confirmed as compromised in this incident, but the investigation is ongoing.
Customers Impacted: Unknown
How it Could Affect Your Business: Ransomware has been an increasingly popular tool for cybercriminals to use against targets in the education sector. Preventing it from hitting systems is just as important as protecting data .
AVANTIA CYBER SECURITY to the Rescue: Make sure that everyone on your cyber security team is up to date on today’s threats and ready to respond when disaster calls. For more information and advice call Avantia on +61 7 30109711.
THREAT FOCUS: United Kingdom – Merseyrail
Exploit: Ransomware
Merseyrail: Train Operator
Risk to Business: 1.672 = Severe - Merseyrail, a UK rail network that provides train service through 68 stations in the Liverpool area, has been hit with a suspected ransomware attack. Reporters have been contacted by the LockBit ransomware gang claiming responsibility. The gang supposedly accessed the rail company’s systems through a compromised administrator email account. The cybercriminals claim to have personal information about the railway’s employees and business data. The incident is under investigation.
Individual Impact: No sensitive personal or financial information was announced as compromised in this incident, but the investigation is ongoing.
Customers Impacted: Unknown
How it Could Affect Your Business: Ransomware, especially targeted ransomware, is the weapon of choice for cybercrime, and ransoms have been skyrocketing as criminals grow more brazen about disrupting business operations and holding them hostage until they’re paid.
AVANTIA CYBER SECURITY to the Rescue: Make sure that everyone on your cyber security team is up to date on today’s threats and ready to respond when disaster calls. For more information and advice call Avantia on +61 7 30109711.
THREAT FOCUS: Switzerland – Swiss Cloud
https://securityaffairs.co/wordpress/117433/cyber-crime/swiss-cloud-ransomware-attack.html
Exploit: Ransomware
Swiss Cloud: Cloud Hosting Provider
Risk to Business: 2.217 = Severe - Cloud hosting provider Swiss Cloud was hit by a ransomware attack that brought down the company’s server infrastructure. The company is currently working to restore operations from its backups with the help of experts from HPE and Microsoft. The impacted servers are expected to be restored by next week. The disruption has impacted server availability for more than 6,500 customers.
Individual Impact: No sensitive personal or financial information was announced as compromised in this incident, but the investigation is ongoing.
Customers Impacted: Unknown
How it Could Affect Your Business: Ransomware is the modern cybercriminal’s weapon of choice. Make sure your clients are taking every possible precaution, because 61% of organizations worldwide experienced a damaging ransomware incident in 2020 .
AVANTIA CYBER SECURITY to the Rescue: Make sure that everyone on your cyber security team is up to date on today’s threats and ready to respond when disaster calls. For more information and advice call Avantia on +61 7 30109711
THREAT FOCUS: Australia – UnitingCare Queensland
https://www.zdnet.com/article/unitingcare-queensland-security-incident-takes-some-systems-offline/
Exploit: Hacking
UnitingCare Queensland: Healthcare Support Services
Risk to Business: 2.112 = Severe - UnitingCare Queensland has confirmed it has been impacted by a cybersecurity incident that has caused some of its systems to become inaccessible as remediation efforts begin. The organization supplies eldercare, disability support, in-home health care and crisis response services. The company does not expect significant disruptions in care as a result of the incident which is under investigation.
Individual Impact: No sensitive personal or financial information was announced as compromised in this incident, but the investigation is ongoing.
Customers Impacted: Unknown
How it Could Affect Your Business: Malware and ransomware have been the plague of increasingly beleaguered healthcare targets. Every organization in the sector should step up phishing resistance training to reduce the chance of falling prey to an attack.
AVANTIA CYBER SECURITY to the Rescue: Make sure that everyone on your cyber security team is up to date on today’s threats and ready to respond when disaster calls. For more information and advice call Avantia on +61 7 30109711.
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
Risk scores for the above incidents are calculated using a formula that considers a wide range of factors related to the assessed breach.
_________________________________________________________________________
POSTSCRIPT
Although every industry has been impacted by cyberattacks during the unprecedented wave of cybercrime in 2020, the healthcare sector really experienced a disproportionate share. That wasn’t good news in the middle of a global pandemic that was driving already challenged healthcare organizations to the brink and beyond in the worst health crisis in generations. Cybercriminals saw an opportunity and they took it – confirmed data breaches in the healthcare industry increased by 58% in 2020. Now industry experts are wrestling with a thorny question: are healthcare cyberattacks a legitimate public health crisis? No one disputes that cyberattacks against hospitals, health systems, research facilities, pharmaceutical manufacturers and even temperature-controlled transportation were incredibly disruptive to the COVID-19 pandemic response around the world. Experts estimate that the healthcare sector alone lost $25 billion alone last year and an estimated 27% of all cyberattacks in 2020 targeted healthcare organizations. That’s not including pharmaceutical companies, research facilities, testing laboratories, equipment manufacturers, technology providers, insurance companies and myriad other healthcare-related businesses.
This onslaught led to huge problems exactly when hospitals and clinics couldn’t stand to have anything else go wrong. Unfortunately, according to researchers at Blackberry, healthcare sector businesses are the most likely to pay ransoms, making them extremely attractive targets. The information gained in healthcare data breaches is also exceptionally desirable and valuable. During the race to develop a COVID-19 vaccine, the pressure was on pharmaceutical companies, with three major contenders breached in one week at the peak of the pressure. Two specific outcomes for healthcare-related cyberattacks have made an especially strong case for healthcare cybercrime constituting a public health crisis.
Ransomware
Ransomware attacks against every target soared in 2020, and healthcare was no exception. Attacks against healthcare organizations dramatically increased in Q4 2020, with a month-over-month increase of about 45% in early November. That followed an alarming 71% spike in October. Researchers noted that on average, businesses and organizations faced an average of 440 ransomware attacks per week in October 2020 – and by the end of November 2020 that number climbed to 626 — nearly 90 attacks every single day.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) didn’t wait to make a pronouncement about the status of ransomware attacks on healthcare targets. CISA, FBI and HHS joined together in a rare joint warning the healthcare sector on October 28, 2020, to be on high alert for a new flood of attacks and continuing pressure, including potential activity by nation-state threat actors. Private security experts agree that it was the right call. At the time, the alert specifically called out TrickBot ransomware, but the suggested precautions would offer healthcare organizations strong protection against most other types of ransomware as well.
Care Continuum Impacts
The most feared result of potential cyberattacks against healthcare targets is a disruption in care. Many hospital systems experienced IT outages as a result of cyberattacks that caused serious problems. In some cases, hospitals were forced to resort to old-fashioned written records during these outages, or they experienced an inability to access important test results, scans, x-rays and other important patient information. Universal Health Services (UHS), a nationwide hospital and health facility operator in the US, experienced a massive IT network outage in late September 2020. The company was forced to disconnected its IT system after identifying a malware attack. The outage lasted for eight days in the middle of a pandemic wave, creating more stress for already overburdened medical; staffers in its facilities. In hundreds of UHS healthcare facilities across the US, healthcare workers were forced to resort to cumbersome downtime protocols and paper records during the outage.
It wasn’t just hospitals who have felt the pinch. Just last week, scores of US hospitals were impacted by a security breach at a specialist provider of equipment for cancer treatments. Supply chain and third-party risk has been a nightmare for every industry in the last 12 months. Swedish oncology and radiology system provider Elekta’s announcement of a data security incident, purported to be ransomware, was a heavy blow to 42 hospitals that were reliant on its first-generation cloud-based storage system. This led to an inability for providers to access the precise notes and details of radiotherapy treatments for patients. Yale New Haven Health in Connecticut was forced to take its radiation equipment offline for over a week, resulting in many of the hospital’s cancer patients being transferred to other providers with little notice. Care disruptions are an unfortunate reality for many hospitals, and that makes cybercrime like this a public health emergency.
Strengthen Protection Now to Avoid Disaster Later
It is essential that your clients in the healthcare sector and related industries take this escalation of threat very seriously. By putting strong, sensible protections in place, especially against phishing, you and your clients can have peace of mind knowing that you’ve put powerful protection in place to keep systems and data safe.
Secure identity and access management is a must-have. If your clients can only afford to add or upgrade one solution this year make it secure identity and access management with Passly. They’ll get a tremendous bang for the buck with 99% protection against password-based cybercrime thanks to multifactor authentication ( which also makes a phished password useless) and more essential tools to keep bad guys out and data in.
Fight phishing to fight ransomware. Over 90% of employees in a recent survey were unable to identify a sophisticated phishing attack. The best way to stop ransomware is to stop phishing attacks from reaching an employee inbox. The best way to do that is to add Graphus to your security plan. It spots and stops 40% more phishing email than competitors.
Create a strong security culture. Mishandling of data and improper access caused 21% of healthcare breaches in 2020. Sloppy cybersecurity practices are a slippery slope to disaster. Security awareness training that includes phishing resistance can reduce the chance of an organization suffering a damaging cybersecurity incident like data mishandling or phishing by up to 70%. Choose a solution like BullPhish ID to provide that training, featuring customizable content to reflect real industry threats delivered through a portal that makes training painless for everyone
Is Cybercrime a Public Health Menace?
Healthcare organizations worldwide have seen an onslaught of cyberattacks in the last 12 months as cybercriminals seek to profit from an overburdened yet essential resource. In the midst of the global pandemic, heartless cybercriminals chose to slam healthcare and healthcare-related organizations with ransomware, phishing, hacking and other dangerous and disruptive cyberattacks. That means that cybercrime isn’t just an expensive inconvenience – it’s a public health menace.
Ransomware incidents had a huge impact on the healthcare sector in 2020 – attacks against healthcare organizations have jumped about 45% since early November. Many of those attacks didn’t just snatch data from hospitals. Some ransomware attacks caused significant patient care disruptions, forcing staffers to rely on old-fashioned pencil and paper records in the midst of the world’s worst health crisis in generations.
Data breaches at healthcare organizations have also soared by an estimated 55% in 2020, with huge spikes in Q4. These breaches affected more than 26 million people. That’s a big contributor to the flood of personally identifiable information that made its way to the dark web last year, increasing every company’s risk for dangers like a credential compromise.
Protect your business from the increased risk of ransomware and credential compromise that healthcare and even healthcare-adjacent businesses are facing today
OUR PARTNERS - Click picture to see.
DISCLAIMER* Avantia Corporate Services Pty Ltd T/A Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, other members of the 5 Eyes Alliance, the Australian Cyber Security Centers, and other sources in 56 countries who provide cyber breach and cyber security information in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the contents accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.
*COPYRIGHT 2020* Avantia Corporate Services - All Rights Reserved.