Search This Blog

Showing posts with label COVID-19. Show all posts

Ransomware Groups are Escalating Their Attacks on Healthcare Organizations

 

Ransomware groups have shown no signs of declining their attacks on hospitals, apparently intensifying attacks on healthcare institutions as countries all over the world cope with a new wave of COVID-19 virus. 

Two healthcare institutions in California and Arizona have begun sending out breach notification letters to thousands of people after both disclosed that sensitive information — including social security numbers, treatment information, and diagnosis data —, was obtained during recent hacks. 

LifeLong Medical Care, a California health facility, is mailing letters to about 115 000 people informing them of a ransomware attack on November 24, 2020. The letter does not specify which ransomware gang was responsible. Still, it does state that Netgain, a third-party vendor that offers services to LifeLong Medical Care, "discovered anomalous network activity" only then concluded that it was a ransomware assault by February 25, 2021. 

Netgain and LifeLong Medical Care finished their investigation by August 9, 2021. They discovered that full names, Social Security numbers, dates of birth, patient cardholder numbers, treatment, and diagnosis information were accessed and/or obtained during the assaults. 

Credit monitoring services, fraud alerts, or security freezes on credit files, credit reports, and stay attentive when it comes to "financial account statements, credit reports, and explanation of benefits statements for fraudulent or unusual behavior," as per LifeLong Medical Care. 

For further information, anyone with questions can call (855) 851-1278, which is a toll-free number. 

After being struck by a ransomware assault that revealed confidential patient information, Arizona-based Desert Wells Family Medicine was compelled to issue a similar letter to 35 000 patients. 

On May 21, Desert Wells Family Medicine learned it had been hit by ransomware and promptly engaged an incident response team to assist with the recovery. The incident was also reported to law enforcement. 

According to the healthcare institution, the ransomware gang "corrupted the data and patient electronic health records in Desert Wells' possession before May 21". After the malicious actors accessed the healthcare facility's database and backups, it was unrecoverable. 

Desert Wells Family Medicine stated in its letter, "This information in the involved patient electronic health records may have included patients' names in combination with their address, date of birth, Social Security number, driver's license number, patient account number, billing account number, health insurance plan member ID, medical record number, dates of service, provider names, and medical and clinical treatment information." 

The organization stated that it is presently reconstructing its patient electronic health record system and will provide free credit monitoring and identity theft prevention services to victims. 

"Patients should also check statements from their healthcare providers or health insurers and contact them right away if they notice any medical services they did not get," the letter continued. 

These recent assaults, according to Sascha Fahrbach, a cybersecurity evangelist at Fudo Security, indicate that the healthcare business, with its precious personal information, remains an enticing and profitable target for hackers and insiders. 

"There were more than 600 healthcare data breaches last year, with more than 22 million people affected, and unfortunately, this trend shows no sign of slowing down. Healthcare operators need to reassess their security posture, as well as shifting their mindset when it comes to safeguarding their data," Fahrbach added. 

"In particular, third parties remain a security liability which needs to be urgently addressed. Many in the healthcare industry are not taking the proper steps to mitigate third-party remote access and third-party vendor risk." 

After the Hive ransomware knocked down a hospital system in Ohio and West Virginia last month, the FBI issued a notice two weeks ago, adding that the gang frequently corrupts backups as well.

Hive has targeted at least 28 companies so far, including Memorial Health System, which was struck by ransomware on August 15.

Millions Of Indonesians Personal Information Leaked Over a Data Breach

 

In their COVID-19 test-and-trace application, Indonesia investigated a probable security vulnerability that left 1.3 million individuals' data and health status exposed. 

On Friday 3rd of September, following a week-long cyber-attack, PeduliLindungi became the country's second COVID-19 tracking app following eHAC to suffer a data breach. The PeduliLindungi leak has not been identified yet, but the eHAC violation has impacted 1.3 million users. These 2 data breaches occurred in succession within a week. 

The eHAC Data Breach 

According to a Health Ministery official, the government is suspecting its partner as the likely source of infringement in the eHAC app ( electronic health alert card), which has been disabled since July 02. 

The EHAC is a necessary prerequisite for travelers entering Indonesia, which was launched this year. It maintains the records of the health condition of users, personal information, contact information, COVID-19 test results, and many others. 

Researchers from the vpnMentor encryption provider who perform a web mapping operation have discovered a breach to detect unauthorized data stores with confidential material. 

On 22nd July, researchers informed Indonesia's Emergency Response Team and have revealed their conclusions. The Ministry of Communications and Information Technology published a statement on August 31, more than one month after the disclosure, which stated that the data violation would be investigated according to the Electronic Systems and Transactions Regulations of the country. 

Anas Ma'ruf, a health ministry official said, "The eHAC from the old version is different from the eHAC system that is a part of the new app”. "Right now, we're investigating this suspected breach". 

PeduliLindungi Leak

A data search function on the PeduliLindungi-application enables anybody to search for personal data and information on COVID-19 vaccination for Indonesians, including that from the president, Damar Juniarto, a privacy rights activist who also is the vice president of regional government relations at technology firm Gojek, as per a Twitter thread. 

Zurich-based cybersecurity analyst Marc Ruef has shared a screenshot with the President of a compromised COVID-19 vaccination certificate, as it includes his national identity number. However, Ruef did not specifically mention whether PeduliLindungi's data was disclosed. All this explicates that personal identification data and confidential information is scattered everywhere. 

While the Government admitted the breach of the eHAC data and presented a plan of action for the analysis and restoration of flaws, PeduliLindungi has been exonerated. 

The Ministery of Communications and Information Technology of the state, called Kominfo, states that the data on the president's NIK and vaccination records did not originate in the database of PeduliLindungi.

Experts claim such data violations highlight the inadequate cyber security architecture in Indonesia. In May, the officials also conducted a survey on the alleged violation by the state insurer of the country of social security data.

ShadowPad Malware is Being Sold Privately to Chinese Espionage

 

Since 2017, five separate Chinese threat groups have used ShadowPad, an infamous Windows backdoor that allows attackers to download additional harmful modules or steal data. In a detailed overview of the malware, SentinelOne researchers Yi-Jhen Hsieh and Joey Chen said that "adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors," adding that "some threat groups stopped developing their own backdoors after they gained access to ShadowPad." 

ShadowPad was released in 2015 as a replacement for PlugX. However, it wasn't until several well-known supply-chain incidents – CCleaner, NetSarang, and ShadowHammer – that it began to gain considerable public attention. Unlike the publicly available PlugX, ShadowPad is only available to a selected group of people. ShadowPad has been called a "masterpiece of privately sold malware in Chinese espionage" by an American cybersecurity firm. 

ShadowPad is a shellcode-based modular backdoor. A layer of an obfuscated shellcode loader is in charge of decrypting and loading a Root plugin during execution. While the Root plugin's chain of operations decrypts, it loads other shellcode-embedded plugins into memory. To date, at least 22 different plugins have been discovered. 

Additional plugins can be remotely uploaded from the C&C server in addition to the ones included, allowing users to dynamically add functionality that isn't present by default. A Delphi-based controller is in charge of the infected machines, which is used for backdoor communications, upgrading the C2 infrastructure, and controlling the plugins.

"While ShadowPad is well-designed and highly likely to be produced by an experienced malware developer, both its functionalities and its anti-forensics capabilities are under active development," the researchers said. 

ShadowPad-related attacks have lately targeted Hong Kong-based firms as well as key infrastructure in India, Pakistan, and other Central Asian countries. The implant is known to be shared by multiple Chinese espionage actors, including Tick, RedEcho, RedFoxtrot, and clusters dubbed Operation Redbonus, Redkanku, and Fishmonger, although being predominantly attributed to APT41. 

"The threat actor behind Fishmonger is now using it and another backdoor called Spyder as their primary backdoors for long-term monitoring, while they distribute other first-stage backdoors for initial infections including FunnySwitch, BIOPASS RAT, and Cobalt Strike," the researchers said. "The victims include universities, governments, media sector companies, technology companies and health organizations conducting COVID-19 research in Hong Kong, Taiwan, India and the U.S."

38 Million Records Exposed Due to Microsoft Misconfiguration

 

According to experts, some 38 million records from over a thousand web apps that use Microsoft's Power Apps portals platform were left accessible online. Data from COVID-19 contact tracing operations, vaccine registrations, and employee databases, including home addresses, phone numbers, social security numbers, and vaccination status, is believed to have been included in the records. 

Major corporations and organizations were impacted by the incident, including American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. While the data breaches have already been fixed, they demonstrate how a single incorrect configuration setting in a widely used platform can have far-reaching repercussions.  

Customers can use the Power Apps services to easily create their own web and mobile apps. It provides developers with application programming interfaces (APIs) to use with the data they collect. Upguard discovered, however, that accessing those APIs makes data received through Power Apps Portals public by default, necessitating manual reconfiguration to keep the information private. 

In May, researchers from the security firm Upguard began investigating the problem. They discovered that data from several Power Apps portals, which was intended to be secret, was accessible to anyone who knew where to look. According to Upguard, on June 24th, it provided a vulnerability report to the Microsoft Security Resource Center, which included links to Power Apps portal accounts with sensitive data exposed and methods to discover APIs that allowed anonymous data access. 

“The number of accounts exposing sensitive information, however, indicates that the risk of this feature– the likelihood and impact of its misconfiguration– has not been adequately appreciated,” the researchers wrote in the report. “Multiple governmental bodies reported performing security reviews of their apps without identifying this issue, presumably because it has never been adequately publicized as a data security concern before.” 

 On Monday, a Microsoft representative defended the product's security, noting that the firm worked directly with affected users to ensure that their data remained private and that consumers were notified if their data was made publicly available. “Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs," a Microsoft spokesperson said in a statement.

Over 92% of Pharmaceutical Firms are Prone to Cyber Attacks, New Report Highlights

 

Reposify, the leading external attack surface management platform published its Pharmaceutical Industry Attack Surface Exposures Report analyzing the security status of the world’s leading pharmaceutical firms and their 900-plus branches.

Data analysts at Reposify examined the data covering a two-week period in March 2021 and discovered that 92% of the pharmaceutical companies had at least one exposed database with potential data breach, while 46% had an unmasked Server Message Block (SMB) service. 

SMB is a communication protocol that allows networks within the same system to share files. It also offers an authenticated inter-process communication mechanism. The last time when SMB services were exploited was the infamous 2017 WannaCry cyberattack, targeting 80 NHS trusts across England. 

The Department of Homeland Security and Cybersecurity and Infrastructure Security Agency (CISA) issued an early warning in the response that attackers were leveraging password spraying campaigns in order to target pharmaceutical companies, research firms, and other health care organizations involved in the COVID-19 response. 

Last year, threat actors targeted 53% of pharmaceuticals or biotech companies, including the European Medicines Agency, which led to a breach of Pfizer and BioNTech COVID-19 vaccine data. The average cost of a pharmaceutical industry breach stood at $5.06m in 2020, a sum 1.3 times higher than the global average. 

“The pharmaceutical sector is one of the largest contributors to the global economy and human welfare. But pharmaceutical companies are struggling to protect their distributed network perimeter from increased cyber-attacks coming from well-funded and well-organized hacking groups on the hunt to steal and hold valuable, confidential data for ransom or other nefarious acts,” said Uzi Krieger, CEO of Reposify. 

“COVID-19 is still ravaging parts of the world, variants are spiking, and the safety of clinical research, manufacturing and supply chains have never been so important to humanity, and yet, pharmaceutical companies remain ill prepared and unsecured, spiraling the industry into red level vulnerability to external attacks, “ Krieger added. 

Luckily, of all security flaws uncovered, 72% were categorized in a low-risk category. However, 15% were classified as critical, 7% were high-risk, and 6% were medium risk. The median number of high-severity risks for each firm was 269, while the median of critical flaws per company was 125. These risks were linked to vulnerable software (38%), improper access controls (33%), and potential DDoS (23%), among others.

Healthcare Vendor Practicefirst Reveals It Suffered Cyberattack In 2020, No Data Lost

 

Practicefirst, a New York-based practice management vendor said that a cyberattack on healthcare that happened last year might have exposed personally identifiable information (PII) of patients and staff. Practicefirst said in a statement that the company hasn't found any fraud or misuse of the information yet, the hacker also assured the vendor that the information was not leaked to anyone and all data was destroyed. Practicefirst is one of the leading organizations in coding, credentialing, medical billing, practice management solutions, and bookkeeping. The vendor found about the issue last year in December, it closed down all its systems, informed the authorities, and changed passwords. 

The attacker tried to install ransomware and was able to retrieve files stored in vendor's systems which contained employees' and patients' PII. The data, which was later destroyed, contained names, addresses, driver's license numbers, social security numbers, tax id numbers, and email ids. Besides this, medical information, lab and treatment data, diagnosis, employee usernames and passwords, health insurance information, and financial information were also exposed. Practicefirst said, "we immediately reported the incident to appropriate law enforcement authorities and implemented measures to further improve the security of our systems and practices." 

"We worked with a leading privacy and security firm to aid in our investigation and response and will report this Incident to relevant government agencies. We also implemented additional security protocols designed to protect our network, email environment, and systems," it said in a statement. The affected users were informed about the incident and the vendor also started a helpline for providing assistance to the users. "In other data breach news, University Medical Center of Southern Nevada recently announced that it faced a ransomware attack at the hands of the infamous REvil hacker group, responsible for a number of high-profile attacks."

"In addition, Aultman Health Foundation in Ohio announced that a now-terminated employee had been inappropriately accessing patient EHRs for over a decade. The employee continuously committed HIPAA violations and accessed over 7,000 patient records," reports HealthITSecurity. As of now, no further information about the attack has been revealed. However, it is evident that cyberattacks on the healthcare industry have become a major threat.

Attackers Pummelled the Gaming Industry During the Pandemic

 

According to Akamai, a content delivery network (CDN), the gaming business has seen more cyberattacks than any other industry during the COVID-19 pandemic. Between 2019 and 2020, web application attacks against gaming organizations increased by 340 %, and by as high as 415 % between 2018 and 2020. “In 2020, Akamai tracked 246,064,297 web application attacks in the gaming industry, representing about 4% of the 6.3 billion attacks we tracked globally,” reads Akamai’s Gaming in a Pandemic report. 

Cybercriminals frequently used Discord to coordinate their operations and discuss best practices on various techniques such as SQL Injection (SQLi), Local File Inclusion (LFI), and Cross-Site Scripting (XSS), according to the company. SQLi assaults were the most common, accounting for 59% of all attacks, followed by LFI attacks, which accounted for nearly a quarter of all attacks, and XSS attacks, which accounted for only 8%. 

“Criminals are relentless, and we have the data to show it,” Steve Ragan, Akamai security researcher and author of the report, was quoted as saying in a press release. “We’re observing a remarkable persistence in video game industry defenses being tested on a daily – and often hourly – basis by criminals probing for vulnerabilities through which to breach servers and expose information. We’re also seeing numerous group chats forming on popular social networks that are dedicated to sharing attack techniques and best practices.” 

Credential-stuffing attacks increased by 224% in 2019 compared to the previous year. Surprisingly, distributed denial-of-service (DDoS) attacks decreased by approximately 20% within the same period. Each day, millions of these attacks target the industry, with a peak of 76 million attacks in April, 101 million in October, and 157 million in December 2020, according to Akamai. 

Credential stuffing is a type of automated account takeover attack in which threat actors utilize bots to bombard websites with login attempts based on stolen or leaked credentials. They can then proceed to exploit the victims' personal data once they find the perfect mix of "old" credentials and a new website. 

Last year, these attacks grew so frequent that bulk lists of login names and passwords could be purchased for as little as $5 per million records on dark web marketplaces. Poor cyber-hygiene practices such as reusing the same passwords across many online accounts and employing easy-to-guess passwords could be blamed for the increase in attacks. 

“Recycling and using simple passwords make credential stuffing such a constant problem and effective tool for criminals. A successful attack against one account can compromise any other account where the same username and password combination is being used,” said Steve Ragan.

Fearing Data Breach, BBMP Shuts Down COVID-19 Test Data Collection Portal

 

The Bruhat Bengaluru Mahanagara Palike (BBMP) has shut down its COVID-19 test data collection portal after a possible data breach, which allows hackers to access the health information of citizens. The incident was flagged by the Free Software Movement of India after they showed how the data could be easily accessed just with the phone numbers.

BBMP was collecting the health records of the citizens for its Public Health Activities, Surveillance, and Tracking (PHAST) portal which included name, age, gender, patient ID, ICMR test ID, lab name, test result (positive/negative), the sample collected and received date, sample type, hospital name (if the patient is hospitalized) and status of symptoms. 

The Free Software Movement of India has requested the local authorities to not only conduct a security audit but to also take action against the software company for its complacency in designing software without any security. 

Kiran Chandra, general secretary of the Free Software Movement of India wrote about the breach to BBMP Special Commissioner (Health and Information technology) Rajendra Cholan P and said it was not hard for a data broker to harness these details by writing an automated script. 

“The IT Rules of 2011 clearly states that health record information is ‘sensitive’ data and the collection, storage and disclosure of such data must be bound by ‘Reasonable security practices and procedures. This is a clear violation of IT Rules (2011) and shows an appalling lack of attention to protecting individual’s personal and sensitive data. The lack of proper security practices for sensitive health record data, especially in the midst of the peak of the pandemic can lead to misuse, exploitation and poses a catastrophic risk overall,” the letter read. 

However, BBMP Chief Commissioner Gaurav Gupta clarified on Friday that no data has been leaked from the portal. “While one could enter the phone number provided at the time of Covid-19 testing to get details including test result among others, the portal will now seek an OTP before allowing access to the information. The updated version of the portal would be made available soon,” he said on Friday. 

Unfortunately, this is the second instance when the data of COVID-19 patients has been compromised. In November last year, a Bengaluru resident accidentally discovered a massive loophole in the Karnataka government’s website where people could check their COVID-19 results. At the time, resident Shashi Kumar put out a series of tweets explaining how sensitive information could be obtained just with the SRF number issued at the time of testing.

Workings of US Firms Disturbed Due to Covid Surge in Banglore

 

To say that Bengaluru’s epidemic is huge is an understatement. Bengaluru has more than 65 percent of all active cases recorded in Karnataka in a virulent second wave where the test positivity rate in the State is touching new highs. On May 7, Bengaluru recorded 346 deaths due to COVID-19, according to a bulletin released by the Karnataka government. 

Health experts have warned that the situation could be more threatening in the coming weeks, with one model predicting as many as 1,018,879 deaths by the end of July, quadrupling from the current official count of 230,168. A model prepared by government advisers suggests the wave could peak in the coming days, but the group's projections have been changing and were wrong last month. 

As a result, US firms like Goldman Sachs Group Inc. and UBS Group AG have come under intense strain. These firms played critical roles in everything from risk management to customer service and compliance. A growing number of employees are either sick or scrambling to find critical medical supplies such as oxygen for relatives or friends.

An employee at UBS said their bank has nearly 8,000 workers but due to Covid-19, many are absent. As a result, work is being shipped to centers such as Poland. The Swiss bank's workers in India handle trade settlement, transaction reporting, investment banking support, and wealth management. Many of the tasks require same-day or next-day turnarounds.

Standard Chartered Plc issued a statement last week that nearly 800 of its 20,000 employees in India were infected. As many as 25% of employees in some teams at UBS are absent, said an executive at the firm who spoke on condition of anonymity for fear of losing his job.

For now, back-office units are managing part-time workers or asking employees to perform multiple roles and re-assigning staff to make up for those who are absent. They are scheduling overtime, deferring low-priority projects, and conducting pandemic continuity planning exercises for multiple locations should the virus wave intensify. 

Similarly, thousands of Goldman employees are working from home, doing high-end business tasks such as risk modeling, accounting compliance, and app building. A representative for the bank said workflows can be absorbed by the wider team if needed and there's been no material impact so far.

Covid-19 has led to Increase in Cyberattacks Against Banks and Insurers

 

According to recent studies, the coronavirus pandemic and working from home (WFH) provisions are triggering a "huge" increase in attacks against financial institutions. The COVID Crime Index 2021 survey, published on Wednesday by BAE Systems Applied Intelligence, looked at how the remote working paradigm is affecting the banking and insurance industries.

Cybersecurity analysts expected that every 11 seconds in 2021, a cyberattack will occur. It's almost twice as frequent as it was in 2019 (every 19 seconds), and four times as frequent as it was five years earlier (every 40 seconds in 2016). Cybercrime is estimated to cost the global economy $6.1 trillion a year, making it the world's third-largest economy, behind only the United States and China. 

The situation is ripe for manipulation, given that the current pandemic has a greater portion of the population operating from home — and all of the associated disruptions. The harried, rushed, exhausted, and depressed employee has become the weapon of choice, and the humble home router has become the surface attack. It's no surprise that over 4,000 malicious COVID pages appeared on the internet within months of the pandemic's first lockdown.

The gradual transition to WFH models is being loosened in certain places as the pandemic appears to have a global effect, but many organizations are preferring to either continue encouraging workers to operate remotely or follow hybrid working practices. For the near future, HSBC and JP Morgan, for example, would encourage thousands of their workers to work from home. 

Security has also proved to be difficult. According to a survey by BAE Systems, 74 percent of banks and insurers have seen an increase in cyberattacks since the pandemic began, and "criminal behavior" reported by financial institutions has increased by about a third (29 percent). The study is focused on two surveys of 902 financial services companies, as well as fieldwork in both the US and UK markets in March 2021. 

According to the survey, 42% of banks and insurers agree that working from home has rendered their companies "less safe," and 44% believe that remote models have caused visibility issues through established networks. Many businesses have been forced to cut expenses anywhere they can, and when it comes to cybersecurity, average risk, anti-fraud, and cybersecurity budgets have been slashed by 26%, contributing to 37% of businesses saying their consumers are now more vulnerable to cybercrime and fraud. 

According to the survey, 56 percent of UK and US banks have suffered such casualties, with the average expense of online illegal activities approaching $720,000 since the pandemic.

Hackers Have Access to Domino’s India 13TB of Internal Data

 

Popular pizza outlet Domino's India appears to have succumbed to a cyber assault. As per Alon Gal co-founder of an Israeli cybercrime intelligence, the hackers have access to Domino's India 13TB of internal information which incorporates employee details of more than 250 employees across verticals like IT, Legal, Finance, Marketing, Operations, and so on. The hackers guarantee to have all client details and 18 crore other details which incorporate clients' names, phone numbers, email IDs, delivery address, payment details including more than 10 lakh credit card details used to purchase on Domino’s India app. 

Further, the hackers are meaning to sell the whole information to a single buyer. As indicated by Alon Gal, the hackers are searching for $550,000 (around Rs 4 crores) for the whole database. The hackers likewise have plans to construct a search portal to enable querying the data. The sale is clearly occurring on the dark web and likely on a site frequented by cyber scammers. For now, Domino's India has neither affirmed nor rejected that information of its consumers has been stolen or leaked from its servers. 

“Information includes 180,000,000 order details containing names, phone numbers, emails, addresses, payment details, and a whopping 1,000,000 credit cards,” Gal claimed in a tweet. “Plenty of large-scale Indian breaches lately, this is worrying,” he added. 

It is particularly worrying as India has been a victim of several large-scale cyber breaches lately. As indicated by Computer Emergency Response Team (CERT-IN) information, during the Covid-19 pandemic digital assaults on India grew by almost 300% last year, developing to 11,58,208 out of 2020 contrasted with 3,94,499 out of 2019.

Independent cybersecurity researcher Rajshekhar Rajaharia revealed to IANS that he had cautioned about this conceivable hack to the CERT-in on March 5. “I had alerted CERT-in about a possible Domino’s Pizza India hack where the threat actor got data access with details like 200 million orders and personal data of the users too. The hacker, however, did not provide any sample,” Rajaharia said. 

There have been a string of hacking incidents including Indian firms in the recent past, including Bigbasket, BuyUcoin, JusPay, Upstox, and others. Gal recently claimed that the personal information of almost 533 million (53.3 crore) Facebook clients, including 61 lakh Indians, was leaked online after a hacker posted the details on a digital forum.

Hacker Hacks Underground Covid Vaccine Market On Dark Web

 

In a recent cybersecurity incident, an attacker hacked down a vaccine marketplace that was running on the dark web. The attacker then placed fake orders, cancelled them after making a refund in Bitcoins worth $752,000, a report released on Thursday says.  As per a blog on the market's forum, the attacker managed to find a way to make fake orders, which he cancelled immediately using the seller account of the trader, and immediately made the refunds in the wild, which was withdrawn in an instant. 

Checkpoint research says the method allowed a hacker to make 13 Bitcoins (BTC), an amount equal to $752,000. Currently, the vaccine marketplace on the dark web which was selling these products is down because of the hack.  But, the attack hasn't put a stop to the sale of Covid-19 relief products on the dark internet. Following the marketplace shutdown, another hacking forum was framed using the same address, offering various ads along with Covid-19 vaccines (documents included) and that too on heavy discounts for promotional purposes.  

Cybersecurity experts recently found out that fake Covid-19 vaccine certificates and duplicate Covid-19 test results were being sold on dark internet and hacking platforms for amount as low as Rs 1800 ($25) and up to Rs 18,000 ($250) for people that are looking to book flights, travel across borders, finding a new job or attending a function.  If an interested user wants to get these 'fake certificates,' he can simply obtain them by sending their details and money to the seller on the dark web, the seller will then e-mails back the forged documents for $250. 

Research from Checkpoint revealed that fake negative Covid-19 test results are available on the dark web for a mere amount of $25.  Covid-19 vaccine ads on the darknet have had a 3 fold increase since the last three months. The selling forums on the dark internet are based from European countries like Spain, Russia, France, and Germany. According to experts, "The vaccines advertised include Oxford-AstraZeneca (at $500), Johnson & Johnson ($600), the Russian Sputnik vaccine ($600) and the Chinese SINOPHARM vaccine." Checkpoint research says, "as a result, the marketplace is down completely since, and at this point of time is yet to be restored online."

Turkey Dog Activity Continues to use COVID Lures

 

A year into the pandemic, Turkey Dog-related activity is ongoing with campaigns that keep on utilizing the "free internet" lures. These current campaigns use lure pages that guarantee cash payments of thousands of Turkish Lira, implying to be attached to the Turkish government. For instance, as indicated by Google Translate, a page states, "Final Phase Pandemic Support Application - 3,000TL State Support for All Applicants!" Another highlights a picture of Turkish Minister of Health Dr. Fahrettin Koca's and guarantees 1,000 lira for "everybody applying!" 

A portion of the lure pages, use whos.amung.us scripts for tracking purposes. RiskIQ's Internet Intelligence Graph, utilizes unique identifiers associated with these scripts to associate numerous Turkey Dog domains. For example, a RiskIQ crawl of pandemidesteklerim[.]com noticed the whos.amung.us ID loaded on the page, which was seen on 431 hosts since April 26, 2020. They additionally found a Google Analytics tracking ID associated with 52 Turkey Dog domains since October 25, 2020. 

In May 2020, threat researcher BushidoToken created a blog pulling together multiple indicators, some showing up as early as April 2020, from researchers following Cerberus and Anubis activity targeting Turkish speakers. These two remote access Trojans (RATs), which follow a malware-as-a-service model, steal client credentials to access bank accounts. Profoundly beguiling, they can overlay over other applications (dynamic overlays), capture keystrokes, SMS harvest and send, call forward, and access other sensitive information across the gadget. 

RiskIQ regularly crawls malignant app circulation URLs dependent on different internal and external feeds, they can directly notice the lure pages utilized by noxious Android applications. The mobile application landscape is likely overflowing with Turkey Dog mobile applications. A quick search for blacklisted samples of one known Turkey Dog APK, "edestek.apk" yields 90 outcomes from as many unique Turkey Dog URLs. Every one of the 90 of these samples can read, receive, and send SMS messages, allowing them to circumvent SMS two-factor authentication. Large numbers of them can likewise record audio, perform full-screen overlays to introduce a bogus login page for harvesting banking credentials, and download additional software packages.

After a year, cybercriminals keep on utilizing the COVID-19 pandemic as a lure for victims. Turkey Dog activity has gone on unabated for quite a long time, likely guaranteeing a huge gathering of victims and isolating them from their banking login credentials and other sensitive information.

Malwarebytes Report Confirms the Change in Tactics of Cybercriminals During Covid-19

 

Malwarebytes, an American security firm announced the findings of its annual ‘State of Malware’ report, this report explored the working methodology of employees and cybercriminals. Work from home was the new normal during the Covid-19 pandemic wherein many companies altered their working methodology and started working remotely.

The notable change was in the working methodology of the threat actors, they were more focused on gathering intelligence, and exploiting and preying upon fears with targeted and sophisticated assaults. Last year, threat actors targeted many high-profile firms and popular personalities which included hacking the accounts of famous personalities such as Barack Obama, Jeff Bezos, and Elon Musk; attacking FireEye and SolarWinds via supply chain and the Marriott hotel which recorded theft of the records of 5.2 million guests.

Marcin Kleczynski, CEO of Malwarebytes stated, “this past year has taught us that cybercriminals are increasingly formidable, planning long-term, strategic, and focused attacks that are sometimes years in the making. 2020 continued to show us that no company is immune, and there is no such thing as ‘safe enough’.”

“The COVID-19 pandemic compounded this with new challenges in securing remote workforces, making it essential that we quickly become more adaptable and learn how to better protect workers in any environment. While our total detections are down this year, we must remain vigilant. The threats we are seeing are more refined and damaging than ever before”, he further added.

Last year, Malwarebytes observed an overall drop of 24 percent of Windows detections across businesses and an 11 percent drop for clients. In total, there was a 12 percent drop in Windows detections across the board. However, Mac detections for businesses surged to 31 percent, 2020 also witnessed the growth of Android malware called FakeAdsBlock, which produced an alarming number of non-stop ads, accounting for 80,654 detections.

HiddenAds was discovered to be the most common mobile adware application, this trojan attacks users with ads, and nearly 704,418 malicious activities were reported with an increase of nearly 150 percent year-over-year.

Dutch Police Confiscated 2 Men for Stealing And Selling COVID-19 Patients Data

 

On Friday, 22 January, the Dutch police, and the Public Prosecution Service received warnings from the GGD that personal details from GGD applications are being made available for sale on Telegram. The Central Netherlands Police Cyber Crime Unit soon launched an investigation. This probe led the team to two GGD call center workers. Consequently, both were hunted down by the police. The offenders were both in Amsterdam on Saturday night, where they were detained and taken to jail. This involves a 21-year-old man from Heiloo and a 23-year-old man from Alblasserdam. Men's homes have been searched and their computers have been confiscated. “Stealing and selling or reselling personal data is a serious crime," the Dutch police stated. 

The two are among a wider number of individuals believed to have access to classified information and to have it sold to third parties, and further arrests have not been ruled out, police said in a statement. The selling of personal information through health board networks has been investigated by Broadcaster RTL, and it was disclosed to the association of GGD Health Board earlier this month. RTL states that the offer is not just for names, addresses, and mobile and confidential BSN numbers but much more. 

The arrests followed an investigation by RTL broadcaster, which uncovered online advertisements for Dutch citizen info, marketed on instant messaging apps such as Telegram, Snapchat, and Wickr. The advertising consisted of images of computer screens containing the details of one or more Dutch people. The broadcaster claimed that they had monitored the screengrabs of two IT systems used by the Dutch Municipal Health Service (GGD), namely CoronIT, which includes specifications of Dutch people taking the COVID-19 exam, and HPzone Light, one of the DDG's contact-tracing systems. 

“Some accounts are offering to look for information about a specific person,” RTL said. “That costs between €30 and €50 and will get you someone’s name, email address, phone number, and BSN number.” Other accounts provide wider data sets containing thousands of names or unique characteristics, such as individuals living in Amsterdam or over 50s. 

According to a broadcaster, the two perpetrators operated in DDG contact centers, where they had access to COVID-19 official Dutch government networks and databases. The identities of the two defendants, which were expected to appear before the court on 26th January, have not been released: in compliance with Dutch law. 

"Because people are working from home, they can easily take photos of their screens. This is one of the issues when your administrative staff is working from home," Victor Gevers, Chair of the Dutch Institute for Vulnerability Disclosure stated in an interview.

Ryuk Ransomware: What Can We Learn From DCH Cyberattack?

Hackers have profited a lot from the Covid-19 pandemic by targeting health institutions, let us look back and learn from these attacks. For a very long time, cybercriminals have been attacking healthcare institutions, one fine example is the "DCH ransomware" attack. E Hacking News in this article analysis the events of the DCH ransomware incident, and how Alabama healthcare dealt with the attack.  

About the attack
Alabama's DCH health system was hit by a ransomware attack in October 2019. The attack forced DHS to shut down its 3 state units named- Fayette Medical Center, Northport Medical Center, and Tuscaloosa’s DCH Regional Medical Center. Because of the attack, the computer systems in the 3 hospitals stopped working and the hospital staff couldn't access important files and patient records. DCH took applied emergency measures to deal with the crisis, the hospitals took in critical patients, whereas non-critical cases were transferred off to other health institutions, and only admitted after 10 days.  

About DCH Ransomware 
Hackers attacked DCH systems using a strain of Ryuk ransomware, the malware used by Wizard Spider, a Russian hacking group. Ryuk uses malicious social engineering techniques and uses phishing attacks to trick users into opening false links. Once opened, the malware deploys itself with the target device. When Ryuk is successfully deployed, it gets into the system codes and stops the device from functioning. It is followed by encryption and the last step is demanding ransom.  

Aftermaths of the Ransomware Attack 
DCH couldn't continue it's healthcare services for 10 days due to the partial disruption caused by the ransomware. Four patients filed a lawsuit against DCH for violating "information privacy law" and affecting their medical treatment during the ransomware attack. The lawsuit stated, "because of the ransomware attack, plaintiffs and class members had their medical care and treatment, as well as their daily lives, disrupted." "As a consequence of the ransomware locking down the medical records of plaintiffs and class members, plaintiffs and the class members had to forego medical care and treatment or had to seek alternative care and treatment."

Security Analysis: The Rise of Cybercrime Underworld and Hacking Groups

During the Covid-19 pandemic, educational institutions, health agencies, and other significant organizations have suffered the most from cyberattacks. As if this was not enough, a massive wave of cyberattacks have risen against these institutions,  a new hacking group has emerged which uses modern techniques to attack its targets. The troublesome part is that these hackers are using an operational structure that is not very uncommon in the hacking underworld. Known as "Egregor," the hacking group has attacked more than 130 targets in recent months. 

The victims include logistics companies, schools, health agencies, the manufacturing industry, and financial agencies. The working of Egregor is similar to other ransomware, i.e. keeping hold of the data until the client pays the ransom money. There is but one minor change, Egregor's methods reveal the present structure of the hacking economy.  Instead of depending solely on lone wolfs (hackers) that orchestrate massive data breaches, or dark web platforms abundant with Russian threat actors, the hackers today work as a kind of unified group/team which acknowledges innovations and changes in the hacking industry. 

In other words, one can say that is a replica of Silicon Valley, but one that thrives on exploiting agencies for profit rather than building interactivity. Cybersecurity expert Jason Passwaters, CEO, Intel 471, says that there exist hackers which were active a long time ago and are still in the hacking game. They offer the same services as they used to back in the time, but the only change is now these hackers rely on each other, rather than working solely. Cybersecurity experts suggest that there might be up to 12 hackers involved in a data breach or a commodity cyberattack. The Egregor group isn't the only one. 

Hacking groups like Thanos, Conti, and SunCrypt that use similar malware strains, have also started operating in a cooperative way.  Cyberscoop reports, "it’s a style with roots in the mid-2000s when a hacker using the name “slavik” released the Zeus malware, a hacking tool that helped accelerate what’s known now as an affiliate model. The FBI has identified a Russian man, Evgeniy Bogachev, as “slavik,” and has listed him on the bureau’s list of most wanted fugitives. Bogachev’s Zeus malware is responsible for financial losses of more than $100 million, the FBI says, even as the creator has posed in ostentatious outfits in social media pictures." 

Hackers Demand Ransom After Major Cyber-Attack on the Antwerp Laboratory


Algemeen Medisch Laboratorium bvba, (AML) in the Antwerp district of Hoboken was attacked by hackers; the laboratory manages about 3,000 Covid-19 tests daily, which is about 5% of the nation's total. The cyberattacks amid the outbreak of Coronavirus have rampantly increased over the past year and this attack was nothing new but yet another addition to the newly surfaced theme of malware and ransomware attacks in the context of 'COVID-19'. 
 
Hackers attacked the laboratory website by installing ransomware into it, it brought the website to a standstill. As we have seen in the past as well in the case of ransomware attacks - the hackers are demanding a ransom before releasing the website from confinement. 
 
ICT manager Maarten Vanheusden has said, “that after detailed analysis by our security teams, it was decided to disengage the network as a safety measure and by this way we can see what exactly is infected”. He also said by this time there is no information of data being stolen and that they are taking all the precautionary measures. Furthermore, the origins of the attack remain unknown as of now. The traces linked back the hackers to China, Russia, and Iran.  
 
AML is the largest private lab in the country which is dealing with the COVID-19 problem. There is no clarity regarding the purpose of the attack, speculations could not exactly suggest that whether the hackers attacked the laboratory merely for ransom or they have other plans as well as data theft. The case is being handled by the federal Computer Crimes Unit after the lab reported the attack to the Antwerp prosecutor`s office. 
 
This is the second time in December that hackers have attacked the sites related to the Covid-19 pandemic. European Medicines Agency (EMA) was targeted in a cyber-attack; EMA is responsible for assessing and approving vaccines for the European Union. German biotech firm BioNTech said, “that the agency was attacked and some documents which were related to the regulatory submission for Pfizer and BioNTech’s Covid-19 vaccine had been unlawfully accessed". 
 
Hackers are targeting many healthcare and medical organizations especially during this Covid-19 outbreak for demanding ransom as well as to obtain the classified information related to the vaccines.

Active Cypher: Great Deal of Orchestration of Our Intelligence in AI into Existing Systems

 
Active Cypher: The company is built upon a socially responsible fabric, that provides information security for individuals and corporations in an increasingly complex digital age. The guest speaker for the interview was Mr. Michael Quinn, CEO, and Mr. Caspian Tavallali, COO Active Cypher. Active Cypher’s Ransom Data Guard utilizes a combination of Active Cypher’s proprietary encryption orchestration, smart AI, and advanced endpoint protection. 
 
Please tell us about your company Active Cypher? 
 

I am Michael Quinn, CEO of Active Cypher. We are a data protection company; we have an ethos within a company that the data needs to be able to protect itself wherever it is created. We have built a product line that offers those capabilities of protection against ransomware attacks through protecting data at the file level in the server environment and in the cloud. What our product allows us to do is be crypto agile. We can work with numerous encryption schemes. Once we are installed we basically back out of the situation and allow the client to run and trust their own data. 

 
Your company talked about game-changing software “Ransom Data Guard” that will protect organizations against ransomware threats. Please describe more about it. 
 
What we developed is a capability where understanding what ransomware has to do in order to take control of the device in a user environment. We built a product just before the Covid-19 and work from home culture started and we realized that people are using shared environments on the same device at home. So we basically allow the organization to encrypt the data down to the device level and protect it. The ransomware protection that we provide basically allows us to manage the files in such a way that they are not accessible to external sources like ransomware. We put this product along with our cloud fortress product to make sure that we were meeting compliance regulations. What we found after working with the law firms is we allow the companies to meet compliance through this capability if the product was ransomed or even if it was exfiltrated because we encrypt the data so the actual data itself is useless. On the ransomware side, the beauty of it is we allow a lot of flexibility in how the data can be stored and used. 
 
Besides ransomware protection, what are the other solutions Active Cypher provides? 
 
We do a great deal of orchestration of our intelligence in AI into existing systems, we integrate into Microsoft tools as well as we have APIs that can write to any of the tools that are out there. We don’t bring in to replace anything or add to anybody’s burden, we integrate into it with our information.  
 
Let’s say somebody opens a doc. file or they load up a doc. file which has an exploit. How do you handle that? 

If somebody uploads an exploit or malware and when it’s opened, because of the process we use to interrogate the document for its integrity, we will stop any process that is trying to intervene with the environment and we’ll put a warning out. What will happen is you’ll get an alert from us, let’s say you open up a “wannacry” as an example, you will get a screenshot saying “your device has been ransomed.” The reality is you can still open all your files. What we do is, with our cloud fortress product, we do a real-time backup. 
 
At a time when hospitals and medical institutions are struggling with Covid-19, how has Active Cypher protected them from ransomware threats? 

In most of the hospitals and medical environments, their IT staff lacked the sophistication to understand what was happening. Earlier, the attackers were not really trying to damage the data, they were trying to ransom it and return it. Now what the attackers are doing is, that they are actually getting into the environment and not going after the data because most of the hospitals have upgraded their capabilities along with using our products. Now, the hackers are attacking the IoT (internet of things) at the device level, which is more life-threatening. What we have done to help healthcare institutions is basically putting a “Data Guard” which is the stand-alone ransomware product on devices. 
 
How do you handle the GDPR (General Data Protection Regulation) and Privacy requirements when it’s the home environment? 

With “Data Guard,” the way the product is designed, it can be installed on a consumer device. In that environment it allows people to protect what they have like personal data or business data that they have on their device is protected. And that’s the simplicity of Data Guard, is the fact that it protects your device and the files on it and ensures that ransomware can’t launch successfully.  
 
With cyberattacks rising, is there any advice you can give to our readers on cybersecurity? 

Everybody has to be aware, you don’t have to be afraid. With the stress of work, particularly with this remote work environment, the user has to be more diligent. So, ease of use and awareness are probably the keys to maintaining good data hygiene.

British Drug maker AstraZeneca Working to Deploy the Covid-19 Vaccine Targeted by Suspected North Korean Hackers

 


There is no denying the fact that cyberattacks against health bodies, vaccine scientists and drug makers have risen to an extreme length during the Coronavirus pandemic as state-backed and criminal hacking groups scramble to acquire the most recent research conducted as well as the data about the outbreak.

Yet another example has come across in the recent times, as a British drug maker company races to deploy its vaccine for the Corona virus and a couple of suspected North Korean hackers attempted to break into its systems. 

According to sources, the hacking endeavored to focus on a "broad set of people" including staff working on the COVID research.

The Reuters report that, by posing like recruiters on the networking site LinkedIn and WhatsApp the hackers approached the staff of AstraZeneca with fake job offers and later sent documents which appeared to be job descriptions that were bound with malevolent code intended to access a victim's computer. 

The source, who basically spoke on the condition of anonymity to examine non-public data, said the tools and the methods utilized in the attacks demonstrated that they were important for a continuous hacking campaign that US authorities and cybersecurity researchers have 'attributed' to North Korea. 

The campaign was previously been centered around defence companies and media organizations however pivoted to Coronavirus related targets as of late, as per three people who have investigated the attacks. 

Microsoft said for the current month alone it had observed two North Korean hacking groups target vaccine developers in multiple countries, including by "sending messages with fabricated job descriptions" Microsoft however didn't name any of the targeted organizations.

The North Korean mission to the United Nations in Geneva though didn't react to a request put forth for their comment. Pyongyang has likewise denied carrying out the previously mentioned cyberattacks.

It has no direct line of contact for foreign media. AstraZeneca, which has arisen as one of the top three Coronavirus antibody developers, also declined to comment. 

As North Korea has been accused consistently by the US prosecutors for a portion of the world's 'most audacious and damaging cyberattacks’, including the hack and leak of emails from Sony Pictures in 2014, the 2016 theft of $81 million from the Central Bank of Bangladesh, and releasing the Wannacry ransomware virus in 2017. 

Pyongyang has consequently portrayed the allegations against it as attempts by Washington to malign its image. 

Reuters however has recently reported that hackers from Iran, China and Russia likewise have attempted to break into leading drug makers and even the World Health Organization this year, yet Tehran, Beijing and Moscow have all denied the allegations.