2019 Cyber News Review

Published by Nick on

The 2019 Cyber News Review started in April 2019 and provides a weekly review of Cyber Security news.

4/18/2019

Chinese hackers strike US universities in bid for military technology

Accenture’s iDefense team has confirmed cyberattacks against at least 27 universities worldwide. “It is believed that the threat actors behind the campaign have utilized phishing tactics in an attempt to compromise university networks, often by posing as partner universities and institutions.”

GCSE coursework lost in cyber attack on Bridport school

A teacher in England opened an email that appeared to come from a teacher at a nearby school. The email carried ransomware, and the article states that the coursework of at least 11 students has been lost. The ransomware encrypted all of the files on the teacher’s computer and then used worm capabilities to spread across the school’s network, infecting other machines. One trusted-looking email was enough to take down a network, which shows why a layered, defense-in-depth approach (mail filtering, least privilege on shared drives, network segmentation, offline backups) matters.

Microsoft loses control over Windows Tiles subdomain

Windows 8 and Windows 10 have a feature called Live Tiles that lets websites push RSS-based news and updates into the tiles on the Start menu. The subdomain Microsoft set up to turn those feeds into Start menu updates was left pointing at a host name Microsoft no longer held, and security researcher Hanno Böck was able to register that host and take the subdomain over. “We won’t keep the host registered permanently. There’s a decent amount of traffic reaching this host and running up costs,” the researcher said. “Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks,” he warned. Any DNS record that still points at a deprovisioned cloud host is a takeover waiting to happen; the fix is to inventory such records and remove them.
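The class of problem behind the Live Tiles story is a DNS record that still points at a name nobody owns. The check below is an added example, not code from the article or from Microsoft: it walks a zone export, follows in-zone CNAME chains, and reports every CNAME whose final target no longer resolves. The zone records, host names and the resolver stub are constructed so it runs offline; for a real audit, swap `stub_lookup` for a function that does a live query (for example with dnspython) and returns False on NXDOMAIN.

```python
"""Find DNS records that point at a host name nobody answers for any more.

Added example; not code from the article or from Microsoft. The zone export
and the resolver stub are constructed so the check runs offline. For a real
audit, replace `stub_lookup` with a function that performs a live query
(for example with dnspython) and returns False on NXDOMAIN.
"""
from typing import Callable, Iterable, NamedTuple


class Record(NamedTuple):
    owner: str
    rtype: str
    target: str


class Finding(NamedTuple):
    owner: str
    target: str
    reason: str


# Constructed zone export for example.com (all names are made up).
ZONE = [
    Record("www.example.com.", "A", "203.0.113.10"),
    Record("tiles.example.com.", "CNAME", "tiles-prod.cloudapp.example.net."),
    Record("feeds.example.com.", "CNAME", "tiles.example.com."),  # chains inside the zone
    Record("old-blog.example.com.", "CNAME", "ghs.example-pages.net."),
    Record("api.example.com.", "CNAME", "api-lb.example-cloud.net."),
]

# Constructed resolver: the only external name that still has an owner.
_LIVE = {"api-lb.example-cloud.net."}


def stub_lookup(name: str) -> bool:
    """Stand-in for a live DNS query: True if `name` has an answer."""
    return name in _LIVE


def dangling_records(zone: Iterable[Record],
                     lookup: Callable[[str], bool] = stub_lookup) -> list:
    """Return CNAMEs whose ultimate target no longer resolves.

    A CNAME to an unregistered or deprovisioned host is the condition that let
    the Live Tiles subdomain be taken over: whoever registers the target name
    receives all traffic sent to the owner name. In-zone chains are followed so
    that feeds -> tiles -> dead host is reported at both owners.
    """
    zone = list(zone)
    by_owner = {r.owner: r for r in zone}
    findings = []
    for rec in zone:
        if rec.rtype != "CNAME":
            continue  # A/AAAA records do not delegate control to a third party
        target, seen, reason = rec.target, set(), None
        while target in by_owner:
            if target in seen:
                reason = "CNAME loop inside zone"
                break
            seen.add(target)
            nxt = by_owner[target]
            if nxt.rtype != "CNAME":
                break  # ends on an in-zone A/AAAA record: nothing to take over
            target = nxt.target
        else:
            # Chain left the zone: ask the resolver whether anyone answers for it.
            if not lookup(target):
                reason = "CNAME target does not resolve"
        if reason:
            findings.append(Finding(rec.owner, target, reason))
    return findings


if __name__ == "__main__":
    for f in dangling_records(ZONE):
        print(f"{f.owner} -> {f.target}: {f.reason}")
```

Run it against a fresh export every time a cloud resource is decommissioned; the record that bites is usually the one left behind after the thing it pointed at was deleted.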

5/3/2019

Scott County Schools victim of $3.7 million CEO Fraud Phishing Scam

Scott County Schools in Georgetown, Kentucky received an email from a fraudster pretending to be a known vendor. The fraudster told the school an invoice had not been paid and tricked the school into sending the money to the fraudster’s bank account. The money is gone, and the school will try to recover it through its cyber fraud insurance, but such policies are usually written to cover unauthorized use of computer systems and may not cover a social engineering loss where an employee authorized the payment. Any change to a vendor’s bank details should be verified through a phone number you already have on file, never through the email that requested the change.

D-Link camera vulnerability allows attackers to tap into the video stream

Vulnerabilities found in the D-Link DCS-2132L cloud surveillance camera allow attackers to remotely view video streams and manipulate the device’s firmware. The camera talks to D-Link’s cloud servers, which relay the stream to users’ smartphones. The video stream traffic was found to be unencrypted and therefore open to a man-in-the-middle attack. This shows how important end-to-end encryption is, especially when a device routes its traffic through a cloud service.

Dell laptops and computers vulnerable to remote hijacks

A vulnerability in the Dell SupportAssist application allows remote code execution with elevated privileges. If an attacker can trick the victim into visiting a malicious web page, JavaScript on that page can talk to the SupportAssist agent running on the victim’s machine and trick it into downloading and running an attacker-controlled file. Dell was quick to release a patch, but because SupportAssist ships pre-installed on Dell computers, every Dell that has not applied the update is exposed by default.

5/10/2019

Baltimore City Shuts Down Most of Its Servers After Ransomware Attack

Baltimore City has been hit with ransomware for the second time in just over a year. The ransomware is reported to have worm capabilities and has been spreading between systems on the city network. City Hall personnel were told to shut down all of their computers to keep them from being infected, and multiple city services are temporarily shut down due to the incident. “A similar ransomware attack hit the Baltimore City’s phone system in March last year, shutting down automated dispatches for 911 and 311 calls for more than 15 hours.”

Microsoft SharePoint servers are under attack

“Hacker groups are attacking Microsoft SharePoint servers to exploit a recently patched vulnerability and gain access to corporate and government networks, according to recent security advisories sent out by Canadian and Saudi Arabian cyber-security agencies.” Exploit code has been published for this vulnerability, but it does not work out of the box, which means less-skilled attackers cannot use it easily yet. The advice is to patch SharePoint servers and keep them behind a firewall rather than exposed directly to the internet.

Top-Tier Russian Hacking Collective Claims Breaches of Three Major Anti-Virus Companies

Hackers claim to have breached three leading antivirus companies; the report does not name which companies are affected. “The collective extracted sensitive source code from antivirus software, AI, and security plugins belonging to the three companies.” With the source code in hand, an attacker can study exactly how detection works and craft malware that evades it; detailed knowledge of how a product works is the most reliable way to get past it.

5/17/2019

UPDATE NOW! Critical, remote, ‘wormable’ Windows vulnerability

Microsoft has released a patch for a vulnerability in its Remote Desktop service that could allow an attacker to run malicious code on a system without authenticating. It is “wormable,” meaning malware exploiting it could spread from machine to machine with no user interaction. The vulnerability is so serious that Microsoft has released patches for Windows XP and Windows Server 2003, which are out of support and no longer receive regular updates.

Paterson Public Schools Notified of Breach, Threatens with Civil Case

Paterson Public Schools has been notified of a breach in which a hacker claims to have access to district systems and over 20,000 accounts. The hacker provided some proof in the form of screenshots of the Outlook inboxes of two district employees. The school district issued a password reset for all accounts and enabled two-factor authentication in response.

More Attacks against Computer Automatic Update Systems

Another supply chain attack: this time the ASUS Live Update software was compromised. The attackers got their malicious code into the ASUS tool so that the infection was delivered to users when they ran it to update. This is particularly nasty because updating is one of the ways we stay secure! The attack was discovered by Kaspersky, which named it Operation ShadowHammer, and it also targeted six other companies.

Six days later, Baltimore government is still recovering from ransomware attack

Baltimore is still working to recover from the ransomware attack; email, phones and computers are still unusable. “Mayor Jack Young said the city will not pay the ransom, even though it could be the less expensive option.”

5/24/2019

Ohio school sends students home because of Trickbot malware infection

School was canceled on Monday in an Ohio school district due to a malware infection. The district’s treasury office was targeted and infected, and from there the malware spread across the school’s network. The malware is TrickBot, which started life as a banking Trojan but has evolved over the years into a malware Swiss Army knife. TrickBot has been observed as the first stage in many ransomware infections: once a computer is infected, the malware calls back to the attacker’s command-and-control server, the attacker can see what the computer is vulnerable to, and additional malware is pushed down to exploit it.

What Colorado learned from treating a cyberattack like a disaster

“The Colorado Department of Transportation joined the ranks of dozens of other U.S. government entities affected by the SamSam ransomware virus when it was infected with the malware in February 2018.” The state refused to pay the ransom and spent about $1.5 million to remediate the infection; Colorado declared a statewide emergency to bring in resources from the National Guard and other states to help. The malware got into the network through a newly built server that was exposed to the internet with default security settings; it was infected within 48 hours. Attackers scan the internet around the clock looking for exposed servers, so harden a server before it goes online and keep it behind a firewall.

Account Hijacking Forum OGusers Hacked

A hacker-run forum used for illegal activities such as hijacking online accounts and SIM swapping has itself been compromised; the user database and the website’s source code have been posted on another site. “Also, federal and state law enforcement investigators going after SIM swappers are likely to have a field day with this database, and my guess is this leak will fuel even more arrests and charges for those involved.”

5/31/2019

POS Malware Found at 102 Checkers Restaurant Locations

POS stands for point of sale: the machines used to accept payment methods such as credit cards. POS malware is a malicious program installed on a POS system that collects card data as it is swiped; the data is logged on the machine and sent to the attacker. Checkers and Rally’s announced Wednesday that they found POS malware at 102 of their locations across 20 states. Customers who used payment cards at these locations could have had their cardholder name, card number, verification code and expiration date exposed. This information is usually collected and sold on the dark web.

Hackers Infect 50,000 MS-SQL and PHPMyAdmin Servers with Rootkit Malware

“Cyber Security researchers at Guardicore Labs today published a detailed report on a widespread cryptojacking campaign attacking Windows MS-SQL and PHPMyAdmin servers worldwide.” The campaign is being carried out by a Chinese group using APT-style tooling, and it has already infected 50,000 servers. The attackers find publicly accessible MS-SQL and PHPMyAdmin servers with a simple port scanner, then brute-force the logins. Once they obtain administrator privileges they execute sequences of SQL commands to download a malicious payload from a remote server. The whole campaign relies on database admin interfaces being reachable from the internet with weak username and password combinations; the defenses are equally simple: do not expose them, use strong passwords, and watch for bursts of failed logins.
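The tell-tale of the campaign above is a burst of failed logins from one client followed by a success, then the database being reconfigured to run commands. The detector below is an added example, not code from the article or from Guardicore. It reads SQL Server’s ERRORLOG (failed-login auditing is on by default; the success line appears only when successful-login auditing is enabled too) and flags three things: a brute-force burst, a success that follows one, and xp_cmdshell being switched on. The log lines, IP addresses and thresholds are constructed for the example.

```python
"""Spot password guessing against SQL Server in its ERRORLOG.

Added example; not code from the article or from Guardicore. The log excerpt
below is constructed in the format SQL Server writes (error 18456 is "login
failed"); the client addresses and timing are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

ERRORLOG = """\
2019-05-29 10:02:11.23 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-29 10:02:11.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-29 10:02:11.91 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-29 10:02:11.91 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-29 10:02:12.40 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-29 10:02:12.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-29 10:02:13.02 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-29 10:02:13.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-29 10:02:13.77 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-29 10:02:13.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-29 10:02:14.30 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2019-05-29 10:05:00.00 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-29 10:05:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
2019-05-29 10:06:40.11 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) +\S+ +(?P<msg>.*)$")
FAILED = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
SUCCEEDED = re.compile(r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
XP_CMDSHELL = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


class Finding(NamedTuple):
    kind: str
    client: Optional[str]
    user: Optional[str]
    at: datetime


def analyze(log: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> List[Finding]:
    """Single pass over the log, keeping a sliding window of failures per client."""
    failures = defaultdict(list)  # client ip -> timestamps of recent failures
    findings = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        msg = m["msg"]
        if f := FAILED.search(msg):
            recent = [t for t in failures[f["ip"]] if ts - t <= window] + [ts]
            failures[f["ip"]] = recent
            if len(recent) == threshold:  # alert once when the burst crosses the line
                findings.append(Finding("brute_force", f["ip"], f["user"], ts))
        elif s := SUCCEEDED.search(msg):
            recent = [t for t in failures[s["ip"]] if ts - t <= window]
            if len(recent) >= threshold:  # the guess worked: highest priority
                findings.append(Finding("success_after_brute_force", s["ip"], s["user"], ts))
        elif XP_CMDSHELL.search(msg):
            # Enabling OS command execution is how the payload gets fetched.
            findings.append(Finding("xp_cmdshell_enabled", None, None, ts))
    return findings


if __name__ == "__main__":
    for f in analyze(ERRORLOG):
        print(f"{f.at} {f.kind} client={f.client} user={f.user}")
```

In production the same logic runs over the ERRORLOG shipped by your log agent or over the `audit_login_failed` events from SQL Server Audit; the thresholds are the knobs to tune, the three conditions are the signal.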

6/21/2019

SIM swap horror story: I’ve lost decades of data and Google won’t lift a finger

A hacker called T-Mobile and ordered a SIM card for a ZDNet employee’s phone number, and T-Mobile sent the hacker the SIM card! This type of attack is called SIM swapping: the hacker took over the victim’s main cell phone number and used it to compromise all of his accounts.

Protect your online identity now: Fight hackers with these 5 security safeguards

This article goes over five steps that can be used to help prevent SIM swapping attacks. SIM swapping is where an attacker obtains a SIM card carrying your phone number and uses it to take over your number. This usually deactivates your own SIM, leaving your phone unable to make calls or use the mobile network, which is often the first sign something is wrong.

Florida City to Pay $600,000 to Hackers After Ransomware Attack

Riviera Beach, Florida, just paid 65 bitcoin (about $600,000) to get its data decrypted. The attack started with a police department employee opening a malicious email. Ransomware gangs now offer “customer support” to victims who pay: help converting money into bitcoin and help running the decryption program.

6/28/2019

AWS S3 server leaks data from Fortune 100 companies: Ford, Netflix, TD Bank

When data is stored in the cloud it still has to be protected with layered security; some organizations assume they are protected because a vendor stores their data for them, but that is not always the case. Attunity, an Israeli IT firm that provides data management, warehousing, and replication services for the world’s biggest companies, exposed some of its customers’ data after it left three Amazon S3 buckets open to anyone on the internet, with no authentication required. The data included some of Attunity’s own operations, but also data from some of its customers, Fortune 100 companies like Ford, Netflix, and TD Bank.

DHS cyber director warns of surge in Iranian “wiper” hack attacks

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is warning of increased cyber threats from Iran due to current tensions with the US. Iranian actors are using “wiper” attacks, which cause destruction by deleting data rather than stealing it. There have been allegations of Iranian-backed wiper attacks in the past, the most infamous of which is Shamoon, a family of malware that first emerged in an attack against Saudi Aramco in August of 2012.

7/12/2019

Apple Watch’s Walkie-Talkie app goes radio silent due to vulnerability

“Apple’s shut down its Watch Walkie-Talkie app after somebody reported a bug that could have allowed an eavesdropper to surreptitiously listen in on somebody else’s iPhone, the company told Tech Crunch on Wednesday evening.”  Apple had a similar issue in January where eavesdropping was possible through a FaceTime call before the call was answered.

New Malware Replaced Legit Android Apps With Fake Ones On 25 Million Devices

This Android malware was delivered through third-party app stores. Apps from the official Google Play store go through Google’s vetting, which makes them generally safer, though not immune. Some countries cannot reach Google’s services, so users there have to rely on other app stores to get apps onto their devices. The malware, named “Agent Smith,” takes advantage of Android vulnerabilities to replace a legitimately installed app with a malicious version; the replaced app then works the way it is supposed to, with added malicious capabilities.

Google Home Silently Captures Recordings of Domestic Violence and More

“Google is under fire after a report found that Google Home and Google Assistant records user audio, even when no wake-up word is used.”

7/26/2019

Ellucian systems compromised at 62 universities, Education Dept. says

Hackers have exploited a flaw in Ellucian’s Banner platform and compromised information systems at 62 universities. The flaw allowed attackers to generate masses of fake student accounts and potentially access sensitive data. Ellucian released a patch in May that closes the hole; institutions that have not applied it remain exposed. This is an example of a supply chain attack: one vulnerability in a shared vendor product put every customer running it at risk.

Bradford man arrested over Lancaster University hacking spree

A British man has been arrested on suspicion of breaking into Lancaster University systems and stealing records belonging to students. Lancaster University deemed the incident “a sophisticated and malicious phishing attack which has resulted in breaches of student and applicant data.” Fake invoices in phishing emails have also been sent to some students, which may indicate that the ransacking of university data was the first stepping stone into what could have become financial theft.

Ransomware Attack Caused Power Outages in the Biggest South African City

Yesterday, some residents of Johannesburg, the largest city in South Africa, were left without electricity after the city’s power company was hit by ransomware. City Power, the company responsible for powering South Africa’s financial capital, confirmed Thursday on Twitter that the ransomware had encrypted all of its databases, applications, and network.

8/2/2019

The Technical Side of the Capital One AWS Security Breach

“On July 19th, 2019 Capital One got the red flag that every modern company hopes to avoid – their data had been breached. Over 106 million people affected. 140,000 Social Security numbers. 80,000 bank account numbers. 1,000,000 Social Insurance Numbers.” The attacker got in through a misconfigured firewall on a server in AWS (Amazon Web Services cloud), obtained credentials for an account that had permission to read more than 700 S3 buckets, and copied the data out of those buckets. The lesson is least privilege: no single role on one server needed read access to 700+ buckets.
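The Attunity and Capital One stories above are the two S3 failure modes a practitioner should be checking for: a bucket policy that lets the whole internet read, and an identity policy that lets one role read every bucket in the account. The linter below is an added example, not code from either article or from AWS; all four policy documents are constructed. In a real audit you would feed it the documents returned by boto3’s `get_bucket_policy` and `get_policy_version` instead.

```python
"""Audit S3 policies for the two mistakes behind the Attunity and Capital
One incidents: a bucket readable by anyone, and an identity that can read
every bucket. Added example; not code from either article or from AWS. The
policy documents are constructed; account IDs and bucket names are made up.
"""
from typing import List

# Constructed bucket policy: this is what "open bucket" looks like.
OPEN_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::replication-staging-example/*",
    }],
}

# Constructed corrected policy: a single statement (dict form), one named role.
FIXED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/replication-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::replication-staging-example",
                     "arn:aws:s3:::replication-staging-example/*"],
    },
}

# Constructed identity policy attached to an instance role: reads everything.
BROAD_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"],
                   "Resource": "*"}],
}

# Constructed least-privilege version: only the buckets the workload serves.
SCOPED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:ListBucket", "s3:GetObject"],
                   "Resource": ["arn:aws:s3:::app-assets-example",
                                "arn:aws:s3:::app-assets-example/*"]}],
}

PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})
ALL_BUCKETS = ("*", "arn:aws:s3:::*")


def statements(doc: dict) -> list:
    """IAM JSON allows Statement to be a dict or a list; normalise to a list."""
    st = doc.get("Statement", [])
    return [st] if isinstance(st, dict) else list(st)


def as_list(v) -> list:
    return v if isinstance(v, list) else [v]


def grants_s3_read(actions: list) -> bool:
    """True if any action lets the holder read objects or list a bucket."""
    return any(a in ("*", "s3:*") or a.lower().startswith("s3:get") or a.lower() == "s3:listbucket"
               for a in actions)


def public_bucket_findings(bucket_policy: dict) -> List[str]:
    """Allow statements with an anonymous principal and no Condition."""
    out = []
    for s in statements(bucket_policy):
        if s.get("Effect") != "Allow" or s.get("Principal") not in PUBLIC_PRINCIPALS:
            continue
        if s.get("Condition"):
            continue  # conditional anonymous access needs a human look, not an auto-fail
        if grants_s3_read(as_list(s.get("Action", []))):
            out.append(f"anonymous read of {as_list(s.get('Resource', []))}")
    return out


def overbroad_identity_findings(identity_policy: dict) -> List[str]:
    """Allow statements granting S3 read on every bucket in the account."""
    out = []
    for s in statements(identity_policy):
        if s.get("Effect") != "Allow":
            continue
        actions, resources = as_list(s.get("Action", [])), as_list(s.get("Resource", []))
        if grants_s3_read(actions) and any(r in ALL_BUCKETS for r in resources):
            out.append(f"S3 read on all buckets: {actions} -> {resources}")
    return out


if __name__ == "__main__":
    print(public_bucket_findings(OPEN_BUCKET_POLICY), public_bucket_findings(FIXED_BUCKET_POLICY))
    print(overbroad_identity_findings(BROAD_ROLE_POLICY), overbroad_identity_findings(SCOPED_ROLE_POLICY))
```

Two further places to look that a policy linter cannot see: bucket ACLs (grants to the AllUsers group) and the account-level Block Public Access setting, which should be on so that a policy like the first one cannot be applied at all.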

Louisiana declares state of emergency in response to ransomware attack

“This Wednesday, Louisiana Governor John Bel Edwards declared a state of emergency in response to ransomware attacks on three public school districts.” The technology supervisor received an alert on his phone at 4 am on a Sunday about unusually high bandwidth usage, and shortly afterward staff found ransomware on their servers. The principal said “anything and everything housed solely on the School District’s servers” was lost, including 17 years of his own personal documents.

Google Ransomware Map

This link leads to a Google map with ransomware attacks noted by location, you can even click on the locations to pull up the article that explains the ransomware attack.

8/9/2019

Malware attacks on infrastructure and state-run facilities shot up 200% in 2019

Malware attacks are up in 2019; “IBM said 50 percent of the malware attacks were in the manufacturing, oil and gas, and education sectors. Most of the destructive attacks observed by the team have taken place in Europe, the US, and the Middle East.” This article states that cybercriminals are primarily leveraging phishing emails and password-guessing attacks.

Data Breach Exposes Personal Info for 53,000 Illinois Students

“The personal information of nearly 53,000 students and 3,100 educators in Naperville District 203 and Indian Prairie District 204 was exposed following a data breach at a company that handles the districts’ K-8 academic assessments.” The vendor responsible for the breach was Pearson; a compromise of its AIMSweb software is what led to the breach.

District 303, 304 student information exposed in data breach

“ST. CHARLES – Students in Geneva Community Unit School District 304 and St. Charles Community Unit School District 303 had personal information exposed in a data breach.” This breach was also caused by Pearson’s AIMSweb, this article even states that the districts no longer use AIMSweb.

8/16/2019

700,000 Choice Hotels records leaked in data breach, ransom demanded

The Choice Hotels brand had a database publicly reachable on the internet with no password, leaving a total of 5.6 million records exposed. The attackers copied the data and demanded 0.4 bitcoin (about $4,000) for its return. The database belonged to a vendor that was not named. The data contained guests’ names, email addresses, and phone numbers; that is not extremely sensitive on its own, but it is exactly what a targeted phishing campaign needs to set up a bigger attack.

Energy Sector Phish Swims Past Microsoft Email Security via Google Drive

This is an example of how attackers get past security controls: in this instance they do not put the malicious link in the email, because it would be blocked. Instead they share a Google Doc with you; the link to the Google Doc is not malicious, so it passes email security, and the malicious link is placed inside the document. Most users trust Google Docs, so they fall for the trick. Attacks will keep evolving around the controls, which is why user security awareness and education still matter.

Canon DSLR Cameras Can Be Hacked With Ransomware Remotely

Ransomware is getting so popular that it is moving to more kinds of devices; this article explains how a researcher installed ransomware on a Canon DSLR camera. The attack is possible over both USB and Wi-Fi, and the article includes a video of the researcher installing the ransomware over Wi-Fi.

8/23/2019

22 Texas towns hit by coordinated ransomware attack

22 Texas towns have been compromised in a coordinated ransomware attack that appears to have been pulled off by one single threat actor. “Borger, Texas and Keene, Texas have announced that they were affected by the attack. The city of Borger says it is unable to access birth and death certificates or take utility payments, and NPR reports that Keene is unable to process utility payments.” The mayor of Keene told NPR that the hacker has asked for $2.5 million to unlock the files, he said they will not be paying the ransom. Some of the Texas towns have shut off all of their computer systems as a response to the attack.

Nampa School District victim of cyber attack

The Nampa school district in Idaho has been hit with a malware attack, the school’s network and systems have been down for several days. They have instructed their teachers and administrators to go back to using pen and paper or their own devices until the attack is remediated. The school will remain in session without the network and systems until they can restore them.

Quick thinking by Portland Public Schools stops $2.9m BEC scam

“Employees at Portland Public Schools were breathing easier this week after thwarting a business email compromise (BEC) scam that could have cost them almost $3m.” A fraudster contacted the district pretending to be a construction contractor it was working with and asked for $2.9 million in payments to be made to a fake account. A district employee approved the payments and the $2.9 million was sent. The district caught on and worked with the bank to freeze the fraudulent transfers before it was too late.

8/30/2019

Microsoft: Using multi-factor authentication blocks 99.9% of account hacks

Microsoft is reporting that using MFA blocks 99.9% of account compromise attacks, a striking figure given the rise in account compromises. The article covers the many ways attackers get passwords: credential stuffing, phishing, keystroke logging, local discovery, extortion, password guessing and brute forcing.

Cyber Security: Lake County Govt forced to shut down servers after ransomware attack

More Ransomware, this time it is Lake County Illinois that got hit. The attack has forced them to shut down their email and several other internal applications.

Rockville Centre pays almost $100G to hackers after ransomware attack, officials say

“The Rockville Centre school district paid almost $100,000 to restore its data after being hacked with a ransomware virus that encrypted files on the system’s server until payment was made to unlock the information, officials said Friday.”

Warning to Android users as PDF app used by 100 million ‘contained malware’

A popular Android app called CamScanner has been identified as malicious: the app does everything it advertises but also carries malicious code that runs in the background. It is important to audit your apps and remove what you no longer need. Most users cannot see the code behind an application, so it is difficult to tell when an app is doing something malicious.

Trojans, ransomware dominate 2018–2019 education threat landscape

This article talks about hackers targeting the education field, the reasons include smaller budgets, old equipment and the use of personal devices. The article explains how the threats will get worse as time goes on.

9/6/2019

Rash of ransomware continues with 13 new victims—most of them schools

More information on how schools are becoming a popular target for ransomware. “According to Armor’s data, schools have become the second-largest pool of ransomware victims—slightly behind local governments and closely followed by healthcare organizations.” Below are recent ransomware infections.

Ransomware Attack: District Suddenly Cancels School and Childcare for Thousands

The Flagstaff, Arizona, school district called off school due to a ransomware attack. This school was also affected by the AIMSweb 1.0 data breach last month as well. No information on how they got infected.

Ransomware gang wanted $5.3 million from US city, but they only offered $400,000

A ransomware gang infected New Bedford, Massachusetts with ransomware and demanded $5.3 million for the decryption keys. New Bedford Mayor Jon Mitchell offered the hackers $400,000 and they did not accept the offer, New Bedford then started the process of restoring from backups and other systems that did not get infected. The ransomware attack only affected 4% of their network, this infection happened back in July and they kept it quiet until now.

Selling your car? Clear your personal data first.

Now that cars have built-in WiFi, Bluetooth, Navigation and other technical features it is important to wipe your data before selling the car. Here are some types of data you want to remove from the electronic system before selling or donating your car:

  • Phone contacts and an address book may have been downloaded when you synced your phone with your vehicle.
  • Mobile apps’ log-in information, or data that’s gathered and stored on mobile apps, may be stored in the car.
  • Digital content like music may be stored on a built-in hard drive.
  • Location data like addresses or the routes you take to home, work, and favorite places may be stored in your navigation system.
  • Garage door codes for your home or office may be on your system.

9/13/2019

Seems Phishy: Back to School Lures Target University Students and Staff

Proofpoint has identified an uptick in college-themed targeted phishing emails when school starts back up for the year. A typical medium-volume phishing campaign sends thousands or tens of thousands of emails a day! The email templates observed are made to look like library and student portal logins. The fraudulent web pages are built to look identical to the pages the colleges use, so the most reliable way to spot a fake is to check the URL in the address bar against the school’s real domain.

COBALT DICKENS Goes Back to School…Again

COBALT DICKENS is the name assigned to a threat group that targets colleges. Nine of its members have already been indicted: “In March 2018, the U.S. Department of Justice indicted the Mabna Institute and nine Iranian associates for compromising hundreds of universities to steal intellectual property and benefit financially.” Despite that, the group is still active; it was observed sending phishing emails to college library users, with valid TLS certificates on its fake login pages so that the browser shows a padlock and the pages look legitimate. A padlock only means the connection is encrypted, not that the site is who it claims to be.

Who’ll benefit from the Regis University cyberattack? The Denver school’s cybersecurity students.

Regis University teaches students what to do in the event of a cyber-attack, they were victims of an attack themselves. They will use their attack as a case study in classrooms to teach students what they did to remediate the breach. With cyber-attacks becoming more common, experience in remediating them is very valuable. “Shari Plantz-Masters, dean of Regis’s College of Computer and Information Sciences, said the university plans to hold an invitational conference when the situation is resolved to talk about what they learned and help prepare others.”

The Two College Kids Who Nearly Hacked into President Trump’s Tax Returns

“Two twenty-somethings in Pennsylvania pleaded guilty to charges after attempting to hack their way into the IRS to get President Trump’s tax returns.” The students filed a false FAFSA application in the name of a member of Trump’s family, then used the IRS data retrieval tool to try to pull Trump’s tax records electronically. They ran into a problem: an account already existed for Donald Trump. They then GUESSED the security questions and got into the existing account. “Although the Department of Justice says the attempt ‘ultimately failed,’ it is not clear why. We simply know the students got close to getting their hands on the President’s taxes.”

9/20/2019

Two Widely Used Ad Blocker Extensions for Chrome Caught in Ad Fraud Scheme

“Two widely used Adblocker Google Chrome extensions, posing as the original — AdBlock and uBlock Origin — extensions on Chrome Web Store, have been caught stuffing cookies in the web browser of millions of users to generate affiliate income from referral schemes fraudulently.” Browser extensions have become a popular vector for malicious attacks; each of these two extensions had over 800,000 users. Google has removed both from the Chrome Web Store.

Two arrested in $10 million tech support scheme that ‘preyed on the elderly’

Two suspects have been arrested for running a massive tech support scam, this scam has made over $10 million in profit by defrauding more than 7,500 victims, most of which were elderly. This scam would trick users into calling fake tech support that would charge them for unneeded tech services.  “In 2018, tech support schemes generated over 142,000 consumer complaints with the US Federal Trade Commission.”

Advanced hackers are infecting IT providers in hopes of hitting their customers

Attackers have proven they will do whatever it takes to compromise our networks, including compromising third-party IT vendors to create a path into their customers’ networks. “A previously undocumented attack group with advanced hacking skills has compromised 11 IT service providers.” This is another example of a supply chain attack; the coordinated ransomware attacks in Texas were also believed to have come in through an IT service provider.

9/27/2019

DoorDash Breach Exposes 4.9 Million Users’ Personal Data

DoorDash is a food delivery service; like GrubHub, it delivers from restaurants that have no delivery service of their own. Today it announced a breach affecting almost 5 million people, including customers, delivery workers, and merchants.

The type of data accessed by the unknown attacker(s) include both personal and financial data, as shown below:

  • Profile information of all 4.9 million affected users — This data includes their names, email addresses, delivery addresses, order history, phone numbers, and hashed passwords.
  • Financial information of some consumers — The company said the hackers also managed to get their hands on the last four digits of payment cards for some of its consumers but assured that full payment card numbers or a CVV were not accessed.
  • Financial information of some Dashers and merchants — Not just consumers, but some Dashers and merchants also had the last four digits of their bank account number accessed by the hackers.
  • Information of 100,000 Dashers — The attackers were also able to access driver’s license numbers for 100,000 Dashers.

Russian national confesses to biggest bank hack in US history

This person hacked JPMorgan Chase in 2014, stealing data on more than 80 million of its clients as part of a scheme that netted hundreds of millions of dollars. “Andrei Tyurin, 35, whose last name is also spelled Tiurin, also pleaded guilty to hacks against other US financial institutions, brokerage firms, and other companies. In all, he pleaded guilty in federal court to computer intrusion, wire fraud, bank fraud, and illegal online gambling as part of a securities-fraud scheme carried out by co-conspirators.”

MyPayrollHR CEO Arrested, Admits to $70M Fraud

Earlier this month more than 1,000 companies saw one or two paychecks worth of funds deducted from their bank accounts. The CEO of their cloud payroll provider took the money from customers, on Monday he was arrested and confessed that the act was a final desperate gasp of a financial shell game that earned him $70 million over several years. “Michael T. Mann, the 49-year-old CEO of Clifton Park, NY-based MyPayrollHR, was arrested this week and charged with bank fraud. In court filings, FBI investigators said Mann admitted under questioning that in early September — on the eve of a big payroll day — he diverted to his own bank account some $35 million in funds sent by his clients to cover their employee payroll deposits and tax withholdings.”

10/4/2019

Over 500 US schools were hit by ransomware in 2019

“In the first nine months of the year, ransomware infections have hit over 500 US schools, according to a report published last week by cyber-security firm Armor. In total, the company said it found and tracked ransomware infections at 54 educational organizations like school districts and colleges, accounting for disruptions at over 500 schools.”

Senate Passes Bill Aimed At Combating Ransomware Attacks

New legislation has been approved by the senate that will help local cities and schools respond to ransomware attacks. “The proposed law, the “DHS Cyber Hunt and Incident Response Teams Act,” authorizes the Department of Homeland Security (DHS) to invest in and develop “incident response teams” to help organizations battle ransomware attacks.  Part of that means that the DHS would create teams to protect state and local entities from cyber threats and restore infrastructure that has been affected by ransomware attacks.”

Microsoft: MFA bypass attacks are so rare we don’t have good statistics on them

MFA works! Microsoft has no good statistics on attacks that succeeded against MFA-protected accounts because such attacks rarely succeed. MFA adds a second factor on top of the password, so a password that has been phished, guessed or leaked is not enough on its own. Attackers have had little reason to invest in defeating MFA while so many accounts still lack it; they simply move on to victims who do not use MFA, because those are easier targets. One caveat: not all second factors are equal. Codes sent by text message are the weakest kind, as the SIM-swap story later in this review shows; an authenticator app or hardware token does not depend on your phone number.

10/11/2019

Ransomware gang uses iTunes zero-day

iCloud and iTunes for Windows contained a zero-day vulnerability that a ransomware gang used to deliver ransomware to victims' systems. A zero-day is a vulnerability that is being exploited before the vendor has released a fix, often before the vendor even knows it exists; the exploit is the code that takes advantage of it. Apple released a patch for this vulnerability this week. If you use iCloud or iTunes on a Windows computer, update both applications as soon as possible!

Beware of Fake Amazon AWS Suspension Emails for Unpaid Bills

This is a common phishing lure: an email from a vendor claims you have not paid your bill. That sparks curiosity (and a little panic) and makes us want to click the link to see what bill we missed. Do not click the link! Instead, log into the vendor's legitimate website the way you always do, or pick up the phone and call them. See the top ways to spot a phishing email for more information on avoiding these scams.
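
One check you can automate is the one your eyes should do before clicking: does the link actually go where it says it goes, and is the destination a domain the vendor really uses? The following is an added example written for this review, not code from the original post or from any vendor. The trusted-domain list and the sample email are assumptions constructed for the example; an allowlist should be maintained per vendor.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains a genuine AWS billing notice would link to.
TRUSTED_SUFFIXES = ("amazon.com", "aws.amazon.com", "amazonaws.com")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL or bare domain; '' if unparseable."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str, suffixes=TRUSTED_SUFFIXES) -> bool:
    """Exact match or true subdomain only. A naive substring test would
    accept lookalikes such as 'amazon.com.evil.example'."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def looks_like_url(text: str) -> bool:
    """Visible link text that the reader would interpret as an address."""
    return "." in text and " " not in text and "@" not in text


def analyse_links(html: str, suffixes=TRUSTED_SUFFIXES):
    """Return [(href, [reasons])] for every link that deserves suspicion."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if urlparse(href if "://" in href else "http://" + href).scheme != "https":
            reasons.append("link is not https")
        if not is_trusted(host, suffixes):
            reasons.append(f"destination host {host!r} is not a trusted domain")
        if looks_like_url(text) and host_of(text) != host:
            reasons.append(f"visible text shows {host_of(text)!r} but the link goes to {host!r}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message (not a real phishing email).
SAMPLE_EMAIL = """<html><body>
<p>Your AWS account will be suspended for an unpaid bill.</p>
<p><a href="http://aws-billing-suspended.example/login">https://aws.amazon.com/billing</a></p>
<p><a href="https://aws.amazon.com/">AWS Management Console</a></p>
<p><a href="https://amazon.com.account-verify.example/">amazon.com</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, the first and third links are flagged (display text pointing at one domain while the href points at another is the classic tell); the second, a plain https link to the real console, is left alone. The same check applies to SMS phishing, where the visible text is all you get.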

University of Texas First Ever to Offer Cybersecurity Certification in Healthcare

“The healthcare industry takes the lion’s share of ransomware attacks and the reasons are: the value of healthcare data; little attention on tech upgrades; and the rising complexity of healthcare ops. Nonetheless, the cybersecurity industry talent crisis isn’t new to us.” In a field as complex as cybersecurity, industry-focused education is a great idea. Working in healthcare requires not only a strong knowledge of systems and networks but also familiarity with compliance requirements such as HIPAA and the other challenges the industry brings.

10/18/2019

Phishy text message tries to steal your cellphone account

Attackers use social engineering in many ways; in this scam they send phishing messages by mobile text message (smishing). It works the same way as a phishing email: the message sends you to a fake web page that tries to steal your username and password. “Messages sent via SMS unexceptionably use a brief and direct style that makes it much easier to get the spelling and grammar right.” The usual tell of sloppy spelling is therefore less reliable here. Be on the lookout for these malicious text messages, and never log in through a link in a text you were not expecting.

Doctors Quitting Due to Ransomware Attacks

Ransomware attacks on hospitals are getting so bad that doctors are starting to quit or retire early. With medical records lost or unavailable, they are having a difficult time doing their jobs. In Michigan a clinic closed completely after a ransomware attack encrypted both its files and its backup systems.

Food writer Jack Monroe loses at least £5,000 in SIM-swap fraud

“British food writer and activist Jack Monroe has had her bank account drained by hijackers, despite using two-factor authentication (2FA) to protect accounts.” The 2FA was text message-based, and that is what led to the bank account compromise: an attacker who takes over the phone number (a SIM swap) receives the SMS codes. Using an authenticator app or a hardware token for the second factor is much more secure than a text message, because neither depends on your phone number.

10/25/2019

Vietnamese student behind Android adware strain that infected millions

Researchers at ESET have tracked down the person behind a recent wave of Android adware: a university student from Vietnam. 42 apps carrying the adware, which ESET has named Ashas, were found on Google Play. Some of the apps started out as legitimate apps with no adware; the student added it later. ESET contacted the Google Play security team, which removed the apps right away. The apps may still be available on third-party app stores.

No personal data stolen in college cyber attack

An investigation into the attack on Swindon College's network found that no personal data had been stolen. The college worked with the National Crime Agency over the past month and determined that no data was extracted.

Apple Removes 17 Malicious iOS Apps From App Store

Researchers have uncovered 17 apps on Apple's official App Store that were infected with malware. Apple has since removed them from the App Store, but a “significant” number of iOS users could have installed them, the researchers said. All of the malicious apps were published by the same developer, AppAspect Technologies Pvt. Ltd.

11/1/2019

Beware! This Android Malware Can’t Be Removed Even After Factory Reset

The team at Malwarebytes has identified a new malware strain that has affected around 45,000 Android devices. It is mostly picked up from third-party app stores; once installed, it displays frequent pop-up notifications. What makes it interesting is that it has been observed to survive a factory reset of the phone. Sticking to your phone's official app store is much safer than downloading apps from third-party stores.

New Google Chrome Security Alert: Update Your Browsers As ‘High Severity’ Zero-Day Exploit Confirmed

If you use Google Chrome, update it ASAP: Google's security team has reported a new zero-day vulnerability, already being exploited in the wild, that affects Chrome on Windows, Mac, and Linux. It could allow an attacker to take control of the device.

Indian nuke plant’s network reportedly hit by malware tied to N. Korea

A domain controller at a nuclear power plant in India was compromised, and attribution points to North Korea. Reports say the reactor controls were not affected and that the attack may have been after technical information about the plant. Plant officials stated that the control systems are air-gapped from the rest of the network and were not touched. The plant is India's largest and has had multiple reported safety issues. “There have been over 70 shutdowns since the reactors went active in 2013. And on October 19, the plant’s second reactor was shut down due to a fault in the reactor’s steam generation, according to KKNPP officials. The shutdown was not related to the malware attack, officials asserted.”

MESSAGETAP: Who’s Reading Your Text Messages?

APT41 is the code name for a Chinese nation-state hacking group. Recent APT41 malware called MESSAGETAP has been observed stealing SMS text messages from the telecom servers they pass through on their way from one phone to another. It steals the message content, the IMSI (the subscriber identity stored on the SIM card), and the source and destination phone numbers. The messages can be read because SMS is carried in cleartext across the carrier's network. A message sent over an end-to-end encrypted service such as iMessage (which is not SMS) would not be readable at that point in the network.

11/8/2019

Amazon’s Ring Video Doorbell Lets Attackers Steal Your Wi-Fi Password

Security researchers at Bitdefender have discovered a vulnerability in the Ring Video Doorbell that gives an attacker access to your Wi-Fi password, and with it your internal network. It stems from the setup process: you have to give the doorbell your Wi-Fi password to set it up. An attacker within radio range sends the doorbell repeated messages that make it think it needs to be set up again; when the owner re-runs setup, the attacker sits in the middle of the exchange and captures the password handed to the doorbell. Check for a firmware update, and treat a device that was working fine but suddenly demands to be set up again as a warning sign rather than a glitch.

Apple Mail on macOS leaves parts of encrypted emails in plaintext

Apple's Siri has been found storing text from emails in a database called snippets.db. Encrypted emails end up in this database as plain text, so their contents can be read straight from the file even though the messages themselves are encrypted. Siri does this to offer the user extra features, but it significantly undermines the protection the encryption was supposed to provide. This affects macOS, the laptop and desktop operating system. See the article for instructions to turn the feature off.

Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks

A new study links a rise in fatal heart attacks to hospitals that are remediating ransomware and other breaches. “Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes,” the authors found. “Remediation activity may introduce changes that delay, complicate or disrupt health IT and patient care processes.”

11/15/2019

US Govt Recommends Vendor System Configs To Block Malware Attacks

“The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) today reminded users and system administrators to properly configure their systems to defend against malware that can exploit improper configurations.” The recommendations: configure systems to the vendor-recommended baseline, apply security patches, install anti-malware software, and use firewalls.

Officials warn about the dangers of using public USB charging stations

“Travelers are advised to avoid using public USB power charging stations in airports, hotels, and other locations because they may contain dangerous malware, the Los Angeles District Attorney said in a security alert published last week.” Security researchers have demonstrated malicious hardware hidden inside ordinary-looking charging cables and chargers, so it is a best practice to use your own charger, plugged into a wall outlet, and nothing else. A USB data blocker or charge-only cable, which carries power but no data lines, is a cheap safeguard when a wall outlet is not available. The attack in which a phone charging port or cable is used to deliver a malicious payload has been labeled “juice jacking”.

Two Arrested for Stealing $550,000 in Cryptocurrency Using Sim Swapping

“Starting with the country’s first-ever conviction for ‘SIM Swapping’ this February, U.S. Department of Justice has since then announced charges against several individuals for involving in the scheme to siphon millions of dollars in cryptocurrency from victims.” Cybercriminals from Massachusetts have been charged with stealing $550,000 in cryptocurrency from at least 10 victims using SIM-swapping attacks. In a SIM swap the attacker tricks your mobile phone provider into activating a SIM card with your number; from then on they receive your calls and text messages, including SMS verification codes, which they use to reset the passwords on your accounts.

11/22/2019

Schools Under Cyber Siege Need a Path to Resilience

More education institutions are getting hit with ransomware, making education the second most-targeted sector. More technology is being introduced into schools for instruction, without the resources to properly manage and secure the equipment. “As endpoint and environmental complexities increase, and risk alongside them, it’s no surprise that 68 percent of education IT leaders in the U.S. list cybersecurity as their top priority. In tandem, several state governments, including Louisiana, Texas and North Dakota, have stepped up their efforts to safeguard schools against cyberattacks with various measures such as cyber policy mandates, cyber commission formation and state IT department oversight for schools.”

Louisiana was hit by Ryuk, triggering another cyber-emergency

“On November 18, a ransomware attack caused Louisiana’s Office of Technology Services to shut down parts of its network, including the systems of several major state agencies.” Some services have been brought back online and others are still being restored. Because the state had backups in place and a plan to restore services, it is not paying the ransom and should be back up and running in the days to come.

US student was allegedly building a custom Gentoo Linux distro for ISIS

A 20-year-old student from Chicago has been arrested and charged with providing material support to ISIS. “According to court documents, the suspect allegedly created a Python script to automate saving ISIS multimedia from official social media channels, so other members could re-post it on their own accounts, and help spread the terrorist group’s propaganda.” The student was also in the process of creating a hardened Linux operating system for the terrorist group and its supporters, one that would be difficult for law enforcement to penetrate and would help ISIS supporters keep their operations anonymous. “If found guilty for providing material support to ISIS, Osadzinski faces up to 20 years in prison.”

12/6/2019

Livingston School District in New Jersey Hit With Ransomware

“Students at the Livingston public school district in New Jersey are undoubtedly happy for a two hour delayed opening tomorrow. Unfortunately, this delay is not being caused by snow, but rather by a ransomware attack that the district is still recovering from.” The district's servers were encrypted and taken offline, prompting an investigation with a third-party security company. Whether any data was stolen is not yet known, and the assumption that ransomware only encrypts is getting less safe: “Just this past Thursday, the operators of the Maze Ransomware publicly released 10% of the data that was stolen from Allied Universal after they did not pay the ransom. They state that they will release the rest of the data if an increased ransom payment is not made.”

Ransomware attack hits major US data center provider

One of the largest data center providers in the US has been hit with ransomware; customers of its managed services have been impacted and are reporting availability issues. “Six of our managed service customers, located primarily in our New York data center, have experienced availability issues due to a ransomware program encrypting certain devices in their network,” CyrusOne told ZDNet. This is the same strain of ransomware that hit more than 20 local governments in Texas back in August.

AT&T, Verizon Subscribers Exposed as Mobile Bills Turn Up on the Open Web

A contractor working with Sprint made a mistake and exposed hundreds of thousands of phone bills. The documents belonged to Sprint customers who had switched from AT&T, Verizon, and T-Mobile, and were stored in an Amazon Web Services storage bucket that was not properly secured. “According to a media investigation, the contractor misconfigured a cloud storage bucket on Amazon Web Services (AWS), in which more than 261,300 documents were stored – mainly cell phone bills from Sprint customers who switched from other carriers.” Some of the records included bank statements, usernames, passwords, and online PINs.
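
"Misconfigured bucket" almost always means one of three things: a bucket policy that grants access to every principal, an ACL grant to the AllUsers or AuthenticatedUsers groups, or the account-level public access block left off so either of those takes effect. The following is an added example for this review, not code from the article or from AWS; it evaluates those three settings offline on data shaped like the boto3 `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` responses. The bucket name, account ID, role name and both configurations are constructed for the example, with the weak configuration beside a corrected one.

```python
import json

# ACL grantee groups that mean "anyone on the internet" / "any AWS account".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
               "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM JSON lets most fields be a scalar, a single object, or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        return set(_as_list(principal.get("AWS")))  # {"AWS": "*"} is public too
    return set()


def public_policy_statements(policy):
    """Sids of Allow statements that let any principal read or list the bucket.
    Conditions are deliberately ignored: a statement that is only safe because
    of a Condition deserves a human look anyway."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    hits = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in _principals(stmt):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if any(a in ("*", "s3:*") or a.startswith(("s3:get", "s3:list")) for a in actions):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_acl_grants(acl):
    """(group, permission) pairs granted to the public groups."""
    return [
        (g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
    ]


def missing_public_access_blocks(config):
    """Flags not set to True. No configuration at all means nothing is blocked."""
    config = config or {}
    return [flag for flag in BLOCK_FLAGS if not config.get(flag, False)]


def assess_bucket(name, policy=None, acl=None, public_access_block=None):
    findings = []
    for sid in public_policy_statements(policy or {"Statement": []}):
        findings.append(f"{name}: policy statement {sid!r} allows anonymous read/list")
    for group, perm in public_acl_grants(acl or {}):
        findings.append(f"{name}: ACL grants {perm} to {group}")
    missing = missing_public_access_blocks(public_access_block)
    if missing:
        findings.append(f"{name}: public access block not enforced ({', '.join(missing)})")
    return findings


# Constructed sample configurations (bucket, account and role names are made up).
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bills", "arn:aws:s3:::example-bills/*"]}]})
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
WEAK_BLOCK = None  # never configured

HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "BillingIngestOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/billing-ingest"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-bills/*"}]})
HARDENED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
HARDENED_BLOCK = {flag: True for flag in BLOCK_FLAGS}

if __name__ == "__main__":
    for line in assess_bucket("example-bills", WEAK_POLICY, WEAK_ACL, WEAK_BLOCK):
        print(line)
    print("hardened:", assess_bucket("example-bills", HARDENED_POLICY, HARDENED_ACL, HARDENED_BLOCK))
```

The hardened version scopes the policy to one role, drops the ACL grant, and turns on all four public access block flags; the last of these is the one that would have saved this contractor regardless of the other two mistakes.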

12/13/2019

Yet another school district hit by ransomware, this time in Illinois

60 miles west of Chicago, Sycamore Community School District 427 has been hit with ransomware. “Sycamore Community’s incident is the latest in a string of ransomware attacks against K-12 schools and higher education institutions in which hackers lock-up systems and data and demand bitcoin payment for returned access. According to data collected by Scoop News Group, at least 48 school districts and colleges have been infected by ransomware so far this year.”

Snatch Ransomware Reboots Windows in Safe Mode to Bypass Antivirus

A new ransomware variant called Snatch reboots the infected computer into Safe Mode and does its encryption there, because many antivirus products and other host-based security tools do not run in Safe Mode. “What makes Snatch different and dangerous from others is that in addition to ransomware, it’s also a data stealer. Snatch includes a sophisticated data-stealing module, allowing attackers to steal vast amounts of information from the target organizations.”
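
The defensive takeaway is that a workstation does not normally reconfigure itself to boot into Safe Mode, so the act of doing so is worth an alert even if the ransomware binary itself is never seen. This is an added example for this review, not code from Sophos or from the article, and it makes an assumption the article does not state: that the malware uses the ordinary Windows mechanisms for this, namely `bcdedit /set ... safeboot` for the boot setting and a service registered under the `SafeBoot\Minimal` or `SafeBoot\Network` registry key so that it runs in Safe Mode. The process-creation records below are constructed in a simplified pipe-delimited format rather than real Sysmon or Security log XML.

```python
import re
from datetime import datetime, timedelta

# Generic Windows Safe Mode mechanisms (assumption: the ransomware uses these;
# the article only says it reboots into Safe Mode):
#   bcdedit /set {current} safeboot minimal          -> next boot is Safe Mode
#   reg add HKLM\...\Control\SafeBoot\Minimal\<svc>  -> <svc> runs in Safe Mode
SAFEBOOT_SET = re.compile(r"\bbcdedit(?:\.exe)?\b.*?/set\b.*?\bsafeboot\b", re.I)
SAFEBOOT_SVC = re.compile(r"\breg(?:\.exe)?\s+add\b.*?\\SafeBoot\\(?:Minimal|Network)\\", re.I)
REBOOT = re.compile(r"\bshutdown(?:\.exe)?\b.*?/r\b", re.I)


def parse(line):
    """Constructed record format: ISO timestamp|host|user|command line."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}


def detect_safe_mode_tampering(lines, reboot_window=timedelta(minutes=10)):
    """Return (severity, host, reason, command) tuples.

    A Safe Mode change on its own is medium (administrators do this
    legitimately while troubleshooting); a reboot on the same host shortly
    afterwards raises it to high, which is the ransomware pattern."""
    alerts = []
    tampered_at = {}  # host -> time of the last Safe Mode change
    for rec in map(parse, lines):
        cmd, host = rec["cmd"], rec["host"]
        if SAFEBOOT_SET.search(cmd):
            alerts.append(("medium", host, "bcdedit configured Safe Mode for next boot", cmd))
            tampered_at[host] = rec["ts"]
        elif SAFEBOOT_SVC.search(cmd):
            alerts.append(("medium", host, "service registered to run in Safe Mode", cmd))
            tampered_at[host] = rec["ts"]
        elif (REBOOT.search(cmd) and host in tampered_at
              and rec["ts"] - tampered_at[host] <= reboot_window):
            alerts.append(("high", host, "reboot shortly after Safe Mode tampering", cmd))
    return alerts


# Constructed sample records; hosts, users and the service name are made up.
SAMPLE_RECORDS = [
    r"2019-12-09T03:12:01|ws-fin-07|CORP\jdoe|C:\Windows\System32\bcdedit.exe /set {current} safeboot minimal",
    r"2019-12-09T03:12:04|ws-fin-07|CORP\jdoe|reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UpdSvc /ve /t REG_SZ /d Service /f",
    r"2019-12-09T03:12:09|ws-fin-07|CORP\jdoe|shutdown /r /f /t 0",
    r"2019-12-09T08:30:00|ws-it-02|CORP\admin|shutdown /r /t 300 /c monthly patching",
    r"2019-12-09T09:00:00|ws-it-02|CORP\admin|bcdedit /enum",
]

if __name__ == "__main__":
    for severity, host, reason, cmd in detect_safe_mode_tampering(SAMPLE_RECORDS):
        print(f"[{severity}] {host}: {reason}\n    {cmd}")
```

The routine reboot on `ws-it-02` and the read-only `bcdedit /enum` produce nothing; the three-command sequence on `ws-fin-07` produces two medium alerts and one high. A practical tuning step is to exempt the accounts and change windows your helpdesk actually uses for Safe Mode work.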

Linked? Pensacola Naval Shootings and a Ransomware Attack Hours Later

The FBI is looking into whether the Pensacola naval air station shooting and a ransomware attack on the City of Pensacola hours later are linked. Security researcher and data scientist Kenneth Geers notes that increased news coverage of specific events sometimes coincides with increases in cyber-attacks. “Malware is super dynamic, it is changing all the time, but it is a reflection of human affairs. Everyone is connected for everything, to everything online. That’s where the good guys are and the bad guys are—everybody.”

12/20/2019

VISA Alerts North America Regarding POS Malware Attacks On Gas Pumps

“VISA has recently issued a cybersecurity alert for the residents of North America. VISA has noticed a wave of POS malware attacks at various fuel dispensing systems in the region. They suspect an increase in these attacks precisely targeting fuel dispenser merchants.” Visa recommends the following to protect POS systems:

  • Protect remote access with strong passwords and restrict unnecessary access
  • Monitor network traffic
  • Enable EMV technology
  • Apply network segmentation to prevent malware spreading

For cardholders, it is important to monitor your card statements for fraudulent charges; setting up a text or email alert for each transaction is an easy way to audit continuously.

Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up

Attackers are escalating their tactics to pressure ransomware victims into paying. “Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up.” This is notable because most ransomware incidents reported this year stated that no data was exfiltrated. Expect the bad guys to start exfiltrating sensitive data before encrypting and using the threat of publication as leverage; an incident response plan should now treat a ransomware infection as a possible data breach until the evidence shows otherwise.

Ransomware-seized New Orleans declares state of emergency

The city of New Orleans has been hit with ransomware and has declared a state of emergency to get federal help. Sophos reported on the attack and shared the following advice for protecting against ransomware:

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lockdown RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate-limiting, 2FA or a VPN if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.
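
The RDP item in that list is the one most often behind the attacks covered in this review, and "rate-limiting" implies you can actually see the failed logons. The following is an added example for this review, not code from Sophos or the article: it runs the brute-force-then-success detection a SOC would want over Windows logon events. The records are constructed in a simplified comma-separated form (timestamp, event ID, logon type, target user, source IP) rather than real Security log XML, and the IP addresses are from documentation ranges. The assumption that NLA-protected RDP shows failures as logon type 3 and interactive RDP sessions as type 10 reflects how those events are commonly recorded.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types that indicate RDP: 10 = RemoteInteractive; 3 = Network, which
# is what an NLA-protected RDP listener records for the credential check.
RDP_LOGON_TYPES = {"10", "3"}


def parse(line):
    """Constructed record: timestamp,EventID,LogonType,TargetUser,SourceIP."""
    ts, event_id, logon_type, user, ip = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "event": event_id,
            "logon_type": logon_type, "user": user, "ip": ip}


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert once when a source IP accumulates `threshold` RDP failures (4625)
    inside a sliding `window`; escalate if the same IP then succeeds (4624).
    Returns (severity, source_ip, reason) tuples in the order they fire."""
    recent_failures = defaultdict(deque)  # ip -> failure timestamps in window
    bursting = set()                      # ips already reported as brute-forcing
    alerts = []
    for rec in map(parse, lines):
        if rec["logon_type"] not in RDP_LOGON_TYPES:
            continue  # console, service and batch logons are out of scope
        ip, q = rec["ip"], recent_failures[rec["ip"]]
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if rec["event"] == "4625":
            q.append(rec["ts"])
            if len(q) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append(("medium", ip, f"{len(q)} failed RDP logons within {window}"))
        elif rec["event"] == "4624" and ip in bursting:
            alerts.append(("high", ip,
                           f"successful RDP logon as {rec['user']!r} after brute-force burst"))
    return alerts


# Constructed sample events (documentation IP ranges, made-up user names).
SAMPLE_EVENTS = [
    "2019-12-14T02:00:01,4625,10,administrator,203.0.113.45",
    "2019-12-14T02:00:03,4625,10,admin,203.0.113.45",
    "2019-12-14T02:00:05,4625,10,backup,203.0.113.45",
    "2019-12-14T02:00:07,4625,10,sql,203.0.113.45",
    "2019-12-14T02:00:09,4625,10,helpdesk,203.0.113.45",   # 5th failure: medium
    "2019-12-14T02:00:11,4625,10,scanner,203.0.113.45",
    "2019-12-14T02:00:40,4624,10,backup,203.0.113.45",     # success afterwards: high
    "2019-12-14T02:10:00,4625,10,jsmith,198.51.100.7",     # one typo, then success
    "2019-12-14T02:30:00,4624,10,jsmith,198.51.100.7",
    "2019-12-14T03:00:00,4624,2,svc_print,-",              # console logon: ignored
]

if __name__ == "__main__":
    for severity, ip, reason in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"[{severity}] {ip}: {reason}")
```

The high-severity alert is the one that matters: a burst of failures followed by a success from the same address is the shape of the "weak RDP credentials" intrusions Sophos describes. The same counters drive the rate-limiting itself, whether through an account lockout policy or by feeding the offending address to a firewall block list; the better fix remains taking RDP off the internet entirely.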