{"id":50,"date":"2019-12-29T20:37:00","date_gmt":"2019-12-29T20:37:00","guid":{"rendered":"https:\/\/thecyberstaff.com\/?p=50"},"modified":"2025-12-13T20:38:38","modified_gmt":"2025-12-13T20:38:38","slug":"2019-cyber-news-review","status":"publish","type":"post","link":"https:\/\/thecyberstaff.com\/?p=50","title":{"rendered":"2019 Cyber News Review"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">The 2019 Cyber News Review started in April 2019 and provides a weekly review of Cyber Security news.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>4\/18\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/chinese-hackers-strike-us-universities-in-bid-for-military-technology\/\">Chinese hackers strike US universities in bid\nfor military technology<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Accenture\u2019s iDefense team has confirmed cyberattacks against at least 27 universities worldwide. \u201cIt is believed that the threat actors behind the campaign have utilized phishing tactics in an attempt to compromise university networks, often by posing as partner universities and institutions.\u201d <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.bbc.com\/news\/uk-england-dorset-47551331\">GCSE coursework lost in cyber attack on\nBridport school<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A teacher in England opened an email that appeared to come from another teacher at a school nearby. The email contained ransomware that spread to the school&#8217;s network, the article states that the coursework of at least 11 students has been lost. The ransomware infection locked all of the files on the teacher&#8217;s computer then used worm capabilities to spread into the school&#8217;s network infecting other machines. 
This displays the importance of a layered security, or defense-in-depth, approach.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/microsoft-loses-control-over-windows-tiles-subdomain\/\">Microsoft loses control over Windows Tiles\nsubdomain<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Windows 8 and Windows 10 have a feature called live tiles. This feature allows RSS-based news and updates from websites to be delivered to the tiles in the start menu. The subdomain that Microsoft set up to allow websites to show live updates inside the start menu has been taken over by the security researcher Hanno B\u00f6ck. &#8220;We won&#8217;t keep the host registered permanently. There&#8217;s a decent amount of traffic reaching this host and running up costs,&#8221; the researcher said. &#8220;Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks,&#8221; he warned. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>5\/3\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/blog.knowbe4.com\/scott-county-schools-victim-of-3.7-million-ceo-fraud-scam\">Scott County Schools victim of $3.7 million\nCEO Fraud Phishing Scam<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Scott County Schools in Georgetown, Kentucky got an email from a fraudster pretending to be a known vendor. The fraudster told the school that it had not paid its invoice and tricked the school into paying the money to the fraudster&#8217;s bank account. 
The money is gone and the school is going to attempt to get the money back with its cyber fraud insurance. Cyber fraud insurance is usually provided to protect against unauthorized use of computer systems and may not cover this social engineering attack.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.welivesecurity.com\/2019\/05\/02\/d-link-camera-vulnerability-video-stream\/\">D-Link camera vulnerability allows attackers\nto tap into the video stream<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Vulnerabilities found in the D-Link DCS-2132L cloud surveillance camera allow attackers to remotely view video streams and manipulate the device&#8217;s firmware. The camera communicates through the cloud to D-Link servers, then to users&#8217; smartphones. Network traffic of video streams has been found to be unencrypted and susceptible to a <a href=\"https:\/\/us.norton.com\/internetsecurity-wifi-what-is-a-man-in-the-middle-attack.html\">man in the middle attack<\/a>. This shows us how important end-to-end encryption is, especially when using services in the cloud.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/dell-laptops-and-computers-vulnerable-to-remote-hijacks\/\">Dell laptops and computers vulnerable to\nremote hijacks<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A vulnerability in the Dell SupportAssist application allows a remote attack in which a hacker can execute code with remote privileges. If the hacker can trick the victim into going to a malicious web page, JavaScript code can trick the Dell SupportAssist application into downloading and running files. 
Dell was quick to release a patch for this vulnerability but the software comes pre-installed on Dell computers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>5\/10\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/thehackernews.com\/2019\/05\/baltimore-ransomware-cyberattack.html\">Baltimore City Shuts Down Most of Its Servers\nAfter Ransomware Attack<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Baltimore City has been\nhit with Ransomware for the second time in just over a year, the ransomware has\nworm capabilities and has been spreading to different systems on their network.\nCity Hall personnel were told to shut down all of their computers to prevent\nthem from getting the infection, multiple city services are temporarily shut\ndown due to the incident. \u201cA similar ransomware attack hit the Baltimore City&#8217;s\nphone system in March last year, shutting down automated dispatches for 911 and\n311 calls for more than 15 hours.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/microsoft-sharepoint-servers-are-under-attack\/\">Microsoft SharePoint servers are under attack<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cHacker groups are\nattacking Microsoft SharePoint servers to exploit a recently patched vulnerability\nand gain access to corporate and government networks, according to recent\nsecurity advisories sent out by Canadian and Saudi Arabian cyber-security\nagencies.\u201d Code has been published to exploit this vulnerability but it does\nnot work out of the box, this means less skilled hackers will not be able to\nuse it easily. The advice to defend against this is to patch SharePoint servers\nand keep them behind a firewall. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.advanced-intel.com\/blog\/top-tier-russian-hacking-collective-claims-breaches-of-three-major-anti-virus-companies\">Top-Tier Russian Hacking Collective Claims\nBreaches of Three Major Anti-Virus Companies<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Hackers claim to have breached three leading antivirus companies, there is no indication of what antivirus companies are affected. \u201cThe collective extracted sensitive source code from antivirus software, AI, and security plugins belonging to the three companies.\u201d With this information an attacker would be able to get past the antivirus layer, having extensive knowledge of how a product works is the best way to get past it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>5\/17\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/15\/update-now-critical-remote-wormable-windows-vulnerability\/\">UPDATE NOW! Critical, remote, \u2018wormable\u2019\nWindows vulnerability<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft has released a patch for a vulnerability in its Remote Desktop service, this vulnerability could allow an attacker to run malicious code on a system without authenticating. This vulnerability is so bad that Microsoft has sent security patches to Windows XP machines that are no longer supported\/getting regular updates.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/paterson-public-schools-notified-of-breach-threatens-with-civil-case\/\">Paterson Public Schools Notified of Breach,\nThreatens with Civil Case<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Paterson Public Schools has been notified about a breach where a hacker claims to have access to systems and over 20,000 accounts. The hacker provided some proof with screenshots of outlook inboxes of two district employees. 
The school district issued a password reset for all accounts and enabled two-factor authentication in response to the attack. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.schneier.com\/blog\/archives\/2019\/05\/more_attacks_ag.html\">More Attacks against Computer Automatic Update\nSystems<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Another supply chain\nattack: this time it is the ASUS live update software that has been infected.\nThe hackers got their malicious code into the ASUS tool so the infection would\nbe delivered to users when they use this tool to update. This is very evil\nbecause updating is one of the ways we stay secure! This attack was discovered\nby Kaspersky and it is called Operation ShadowHammer. The attack also targeted\nsix other companies.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.wbaltv.com\/article\/baltimore-government-is-still-recovering-from-ransomware-attack\/27457696\">Six days later, Baltimore government is still\nrecovering from ransomware attack<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Baltimore is still working to recover from the ransomware breach; email, phones and computers are still unusable. \u201cMayor Jack Young said the city will not pay the ransom, even though it could be the less expensive option.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>5\/24\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/ohio-school-sends-students-home-because-of-trickbot-malware-infection\/\">Ohio school sends students home because of\nTrickbot malware infection<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">School was canceled on Monday in an Ohio school district due to a malware infection. The school&#8217;s treasury office was targeted and infected, which led to the malware spreading over the school&#8217;s network. 
The malware is called Trickbot. It used to be a banking Trojan but has evolved over the years into a malware Swiss Army knife. Trickbot has been observed as the first step in many ransomware infections. When a computer is infected with Trickbot, the malware talks back to the hacker&#8217;s command and control server, and the hacker can see what the computer is vulnerable to and send more malware to target the vulnerabilities. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/statescoop.com\/2018-was-a-bad-year-for-ransomware-but-so-far-2019-is-no-better\/\">What Colorado learned from treating a\ncyberattack like a disaster<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cThe Colorado Department of Transportation joined the ranks of dozens of other U.S. government entities affected by the SamSam ransomware virus when it was infected with the malware in February 2018\u201d The state refused to pay the ransom and spent about $1.5 million to remediate the infection. Colorado declared a statewide emergency to bring in resources from the National Guard and other states to help with the remediation. The malware got into the network through a new server that was exposed to the internet with default security settings; the server was infected within 48 hours. Hackers scan the internet 24\/7 looking for servers fully exposed, which is why it is important to harden servers and keep them behind a firewall.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/krebsonsecurity.com\/2019\/05\/account-hijacking-forum-ogusers-hacked\/\">Account Hijacking Forum OGusers Hacked<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A hacker-run website used for illegal hacking activities such as hijacking online accounts and SIM swapping attacks has been compromised, and the database of user accounts and the website source code have been posted on another site. 
\u201cAlso, federal and state law enforcement investigators going after SIM swappers are likely to have a field day with this database, and my guess is this leak will fuel even more arrests and charges for those involved.\u201d <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>5\/31\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/threatpost.com\/pos-malware-found-at-102-checkers-restaurant-locations\/145181\/\">POS Malware Found at 102 Checkers Restaurant\nLocations<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">POS stands for point of\nsale, the machines used to accept payment methods such as credit cards. POS\nmalware is a malicious program that gets installed on a POS system and collects\ncredit card information; this information is logged on the machine and sent to\na malicious actor. Checkers and Rally\u2019s announced Wednesday that they found POS\nmalware at 102 of their locations across 20 states. Customers that used credit\ncards at these locations could have their cardholder name, payment card number,\ncard verification code and expiration date exposed to malicious actors. This\ninformation is usually collected and sold on the dark web.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/thehackernews.com\/2019\/05\/hacking-mysql-phpmyadmin.html\">Hackers Infect 50,000 MS-SQL and PHPMyAdmin\nServers with Rootkit Malware<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cCyber Security researchers at Guardicore Labs today published a detailed report on a widespread cryptojacking campaign attacking Windows MS-SQL and PHPMyAdmin servers worldwide.\u201d This campaign is being carried out by an APT-style Chinese hacking group that has already infected 50,000 servers. The attack uses the brute-forcing technique after finding publicly accessible Windows MS-SQL and PHPMyAdmin servers using a simple port scanner. 
The group obtains administrator privileges before executing sequences of SQL commands to download a malicious payload from a remote server. This attack relies on weak username and password combinations for MS-SQL and PHPMyAdmin servers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>6\/21\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/sim-swap-horror-story-ive-lost-decades-of-data-and-google-wont-lift-a-finger\/\">SIM swap horror story: I&#8217;ve lost decades of\ndata and Google won&#8217;t lift a finger<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A hacker called T-Mobile and ordered a SIM card for a ZDNet employee&#8217;s phone, and T-Mobile sent the hacker the SIM card! This type of attack is called SIM swapping: the hacker took over the victim&#8217;s main cell phone number and used it to compromise all of his accounts.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/protect-your-online-identity-now-fight-hackers-with-these-5-security-precautions\/\">Protect your online identity now: Fight\nhackers with these 5 security safeguards<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This article goes over 5 steps that can be used to help prevent SIM swapping attacks. SIM swapping is where a bad guy gets a SIM card with your phone number and uses it to take over your number. This will usually deactivate your phone&#8217;s SIM card, making your phone unable to make calls or use the mobile network. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.pcmag.com\/news\/369122\/florida-city-to-pay-600-000-to-hackers-after-ransomware-att\">Florida City to Pay $600,000 to Hackers After\nRansomware Attack<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Florida City just paid 65 bitcoin ($600,000) to get their data decrypted. This attack started with a police officer opening a malicious email. 
When you pay the bad guys to get the decryption keys they are starting to offer support to help convert your money into bitcoin and support for running the decryption program.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>6\/28\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/aws-s3-server-leaks-data-from-fortune-100-companies-ford-netflix-td-bank\/\">AWS S3 server leaks data from Fortune 100\ncompanies: Ford, Netflix, TD Bank<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When data is stored in the cloud, it has to be protected with layered security, some organizations feel they are protected when a vendor stores their data for them, but this is not always the case. Attunity, an Israeli IT firm that provides data management, warehousing, and replication services for the world&#8217;s biggest companies, has exposed some of its customers&#8217; data after it left three Amazon S3 buckets exposed on the internet without a password. The data included some of Attunity&#8217;s own operations, but also data from some of its customers &#8212; Fortune 100 companies like Ford, Netflix, and TD Bank.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/arstechnica.com\/information-technology\/2019\/06\/dhs-cyber-director-warns-of-surge-in-iranian-wiper-hack-attacks\/\">DHS cyber director warns of surge in Iranian\n\u201cwiper\u201d hack attacks<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Department of\nHomeland Security&#8217;s Cybersecurity and Infrastructure Security Agency is warning\nof increased cyber threats from Iran due to current tensions with the US.\nIranian actors are using \u201cwiper\u201d attacks where they cause destruction by\ndeleting data. 
There have been allegations of Iranian-backed wiper attacks in\nthe past\u2014the most infamous of which is Shamoon, a family of malware that first\nemerged in an attack against Saudi Aramco in August of 2012.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>7\/12\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/07\/12\/apple-watchs-walkie-talkie-app-goes-radio-silent-due-to-vulnerability\/?utm_source=Naked+Security+-+Sophos+List&amp;utm_campaign=39dfdde181-Naked+Security+-+July+test+-+groups+1+and+3&amp;utm_medium=email&amp;utm_term=0_31623bb782-39dfdde181-455503189\">Apple Watch\u2019s Walkie-Talkie app goes radio\nsilent due to vulnerability<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cApple\u2019s shut down its\nWatch Walkie-Talkie app after somebody reported a bug that could have allowed\nan eavesdropper to surreptitiously listen in on somebody else\u2019s iPhone, the company\ntold&nbsp;<a href=\"https:\/\/techcrunch.com\/2019\/07\/10\/apple-disables-walkie-talkie-app-due-to-vulnerability-that-could-allow-iphone-eavesdropping\/\">Tech Crunch<\/a>&nbsp;on Wednesday evening.\u201d &nbsp;Apple had a similar issue in\nJanuary where eavesdropping was possible through a FaceTime call before the\ncall was answered.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/thehackernews.com\/2019\/07\/whatsapp-android-malware.html\">New Malware Replaced Legit Android Apps With\nFake Ones On 25 Million Devices<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This Android malware was\ndelivered through 3<sup>rd<\/sup> party app stores, you are usually safe using\nthe default Google play store. Some countries cannot connect to Google\u2019s\nservices so they have to rely on other app stores to deliver apps to their\nmobile devices. 
This malware has been named \u201cAgent Smith\u201d and it takes\nadvantage of Android vulnerabilities to install a malicious version of an app\non a mobile device; the app then functions the way it is supposed to with added\nmalicious capabilities. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/threatpost.com\/google-home-recordings-domestic-violence\/146424\/\">Google Home Silently Captures Recordings of\nDomestic Violence and More<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cGoogle is under fire after a report found that Google Home and Google Assistant records user audio, even when no wake-up word is used.\u201d <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>7\/26\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/edscoop.com\/ellucian-banner-cyberattacks-62-universities\/\">Ellucian systems compromised at 62\nuniversities, Education Dept. says<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Hackers have compromised Ellucian&#8217;s Banner platform and information systems at 62 universities. The attack exploited a security flaw that allowed hackers to generate masses of fake student accounts and potentially access sensitive data. Ellucian released a patch in May that will close the security hole. This is an example of a supply chain attack. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/bradford-man-arrested-over-lancaster-university-hacking-spree\/\">Bradford man arrested over Lancaster\nUniversity hacking spree<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A British man has been\narrested on suspicion of breaking into Lancaster University systems and\nstealing records belonging to students. 
Lancaster University deemed the\nincident &#8220;a sophisticated and malicious phishing attack which has resulted\nin breaches of student and applicant data.&#8221; Fake invoices in phishing\nemails have also been sent to some students, which may indicate that the ransacking\nof university data was the first stepping stone into what could have become\nfinancial theft.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/thehackernews.com\/2019\/07\/cyberattack-power-outage.html\">Ransomware Attack Caused Power Outages in the\nBiggest South African City<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Yesterday, some\nresidents of Johannesburg, the largest city in South Africa, were left without\nelectricity after the city&#8217;s power company got attacked by a ransomware virus.\nCity Power, the company responsible for powering South Africa&#8217;s financial\ncapital Johannesburg, confirmed Thursday on Twitter that it had been hit by a\nRansomware virus that had encrypted all of its databases, applications, and\nnetwork.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>8\/2\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/start.jcolemorrison.com\/the-technical-side-of-the-capital-one-aws-security-breach\/\">The Technical Side of the Capital One AWS\nSecurity Breach<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cOn July 19th, 2019 Capital One got the red flag that every modern company hopes to avoid &#8211; their data had been breached. Over 106 million people affected. 140,000 Social Security numbers. 80,000 bank account numbers. 1,000,000 Social Insurance Numbers.\u201d The hacker compromised a server in AWS (Amazon web services cloud) through a firewall misconfiguration, the hacker got onto the server with an account that had permissions to access 700+ AWS buckets. 
The hacker then copied all data from the buckets in the cloud.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/arstechnica.com\/tech-policy\/2019\/07\/louisiana-declares-state-emergency-in-response-to-ransomware-attack\/\">Louisiana declares state of emergency in\nresponse to ransomware attack<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cThis Wednesday, Louisiana Governor John Bel Edwards declared a state of emergency in response to ransomware attacks on three public school districts.\u201d The technology supervisor received an alert on his phone at 4 am on a Sunday about unusually high bandwidth usage; shortly after, they found ransomware on their servers. The principal said \u201canything and everything housed solely on the School District&#8217;s servers\u201d was lost, including 17 years of his own personal documents. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.google.com\/maps\/d\/viewer?mid=1UE6Nko9iRG1tLci_AeqqsxzxGzs&amp;ll=36.15241077097511%2C-91.41670479754634&amp;z=4\">Google Ransomware Map<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This link leads to a\nGoogle map with ransomware attacks noted by location. You can even click on the\nlocations to pull up the article that explains the ransomware attack.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>8\/9\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/thenextweb.com\/security\/2019\/08\/06\/malware-attacks-on-infrastructure-and-state-run-facilities-shot-up-200-in-2019\/\">Malware attacks on infrastructure and\nstate-run facilities shot up 200% in 2019<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Malware attacks are up in 2019; \u201cIBM said 50 percent of the malware attacks were in the manufacturing, oil and gas, and education sectors. 
Most of the destructive attacks observed by the team have taken place in Europe, the US, and the Middle East.\u201d This article states that cybercriminals are primarily leveraging phishing emails and password-guessing attacks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.govtech.com\/education\/Data-Breach-Exposes-Personal-Info-for-53000-Illinois-Students.html\">Data Breach Exposes Personal Info for 53,000\nIllinois Students<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cThe personal\ninformation of nearly 53,000 students and 3,100 educators in Naperville\nDistrict 203 and Indian Prairie District 204 was exposed following a data\nbreach at a company that handles the districts\u2019 K-8 academic assessments.\u201d The\nvendor that was responsible for the breach was Pearson; a compromise of their\nAIMSweb software was what led to the breach.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.kcchronicle.com\/2019\/08\/07\/district-303-304-student-information-exposed-in-data-breach\/alqud6b\/\">District 303, 304 student information exposed\nin data breach<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cST. CHARLES \u2013 Students in Geneva Community Unit School District 304 and St. Charles Community Unit School District 303 had personal information exposed in a data breach.\u201d This breach was also caused by Pearson\u2019s AIMSweb; this article even states that the districts no longer use AIMSweb.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>8\/16\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/700000-choice-hotels-records-leaked-in-data-breach\/\">700,000 Choice Hotels records leaked in data\nbreach, ransom demanded<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Choice hotel brand had a database publicly available on the internet with no password, leaving a total of 5.6 million records exposed. 
The hackers copied the data and have demanded 0.4 Bitcoin (about $4,000) for the return of the data. The database belonged to a vendor that was not named. The data contained guests&#8217; names, email addresses, and phone numbers. The data is not extremely sensitive but can be used in targeted phishing campaigns that lead to bigger attacks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/threatpost.com\/energy-phish-microsoft-security-google-drive\/147397\/\">Energy Sector Phish Swims Past Microsoft Email\nSecurity via Google Drive<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is an example of how hackers get past security controls. In this instance, they do not put their malicious link in an email because it will get blocked. Instead, they share a Google doc with you; the link to the Google doc is not malicious, so it will not be blocked by email security. Inside the Google doc the hacker places the malicious link. Most users trust Google docs, so they will fall for this trick. The attacks will continue to evolve, showing us the importance of user security awareness and education.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/thehackernews.com\/2019\/08\/dslr-camera-hacking.html\">Canon DSLR Cameras Can Be Hacked With\nRansomware Remotely<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Ransomware is getting so popular it is moving to more devices. This article explains how a researcher installed ransomware on a Canon DSLR camera. This attack is possible over USB and Wi-Fi. There is a video in this article that shows the researcher installing the ransomware over Wi-Fi. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>8\/23\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.theverge.com\/2019\/8\/20\/20823139\/texas-towns-ransomware-attack-cities-fbi-threat-computers-offline\">22 Texas towns hit by coordinated ransomware\nattack<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">22 Texas towns have been\ncompromised in a coordinated ransomware attack that appears to have been pulled\noff by one single threat actor. \u201cBorger, Texas and Keene, Texas have announced\nthat they were affected by the attack. The city of Borger says it is unable to access\nbirth and death certificates or take utility payments, and NPR reports that\nKeene is unable to process utility payments.\u201d The mayor of Keene told NPR that\nthe hacker has asked for $2.5 million to unlock the files, he said they will\nnot be paying the ransom. Some of the Texas towns have shut off all of their\ncomputer systems as a response to the attack.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.idahopress.com\/news\/local\/2cscoop\/nampa-school-district-victim-of-cyber-attack\/article_f9bd7e6b-d00c-5e2f-8ce5-9e10375cb1d7.html\">Nampa School District victim of cyber attack<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Nampa school district in Idaho has been hit with a malware attack, the school&#8217;s network and systems have been down for several days. They have instructed their teachers and administrators to go back to using pen and paper or their own devices until the attack is remediated. The school will remain in session without the network and systems until they can restore them. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/08\/22\/quick-thinking-by-portland-public-schools-stops-29m-bec-scam\/?utm_source=Naked+Security+-+Sophos+List&amp;utm_campaign=9615e3e079-Naked+Security+-+Aug+2019+-+ad+A+%28G1%2C2%2C3%2C4%29&amp;utm_medium=email&amp;utm_term=0_31623bb782-9615e3e079-455503189\">Quick thinking by Portland Public Schools stops\n$2.9m BEC scam<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cEmployees at Portland Public Schools were breathing easier this week after thwarting a business email compromise (BEC) scam that could have cost them almost $3m.\u201d A fraudster contacted them pretending to be a construction contractor they were working with, the fraudster asked for payments to be made of $2.9 million into a fake account. The employee from the school approved the payments and sent the $2.9 million. The school caught on and worked with the bank to freeze the fraudulent funds before it was too late.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>8\/30\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks\/\">Microsoft: Using multi-factor authentication\nblocks 99.9% of account hacks<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft is reporting\nthat using MFA will block 99.9% of attacks, this information is very\ninteresting considering the rise in account compromises. The article talks\nabout the many ways hackers get passwords such as credential stuffing,\nphishing, keystroke logging, local discovery, extortion, password guessing and brute\nforcing. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.ibtimes.sg\/cyber-security-lake-county-govt-forced-shut-down-servers-after-ransomware-attack-32219\">Cyber Security: Lake County Govt forced to\nshut down servers after ransomware attack<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">More Ransomware, this time it is Lake County Illinois that got hit. The attack has forced them to shut down their email and several other internal applications.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.newsday.com\/long-island\/education\/hackers-ramsomware-school-districts-1.35422441\">Rockville Centre pays almost $100G to hackers\nafter ransomware attack, officials say<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cThe Rockville Centre school district paid almost $100,000 to restore its data after being hacked with a ransomware virus that encrypted files on the system\u2019s server until payment was made to unlock the information, officials said Friday.\u201d <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/news.yahoo.com\/amphtml\/warning-to-android-users-as-pdf-app-used-by-100-million-contained-malware-195553244.html\">Warning to Android users as PDF app used by\n100 million \u2018contained malware\u2019<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A popular Android app\ncalled CamScanner has been identified as malicious, the app does everything it\nis advertised to do but also has malicious code that does bad things in the\nbackground. It is important to audit your apps and remove what you no longer\nneed. We cannot see the code behind the application so it is difficult to tell\nwhen an app is doing something malicious. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/blog.malwarebytes.com\/trojans\/2019\/08\/trojans-ransomware-dominate-2018-2019-education-threat-landscape\/?mkt_tok=eyJpIjoiT0dSbFlqQmlZemhqTVdKbSIsInQiOiI3RmlkbjhpU2hCYVQwODF0aVhUSjBuMUV0WUtqY3Uxbzk0ZEV6U2FzdStteUdtakVPaTZVNGI0YUg2OFpXTTUwVkh1b1wvOU9NdWQ0c0RBcEx2cU9WMXVkcUlmRHF5NU1Pb1BSNWFcL2NDa0FIaUE0REllRThMZnJoYVBpV09HSGdlIn0%3D\">Trojans, ransomware dominate 2018\u20132019\neducation threat landscape<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This article talks about hackers targeting the education field; the reasons include smaller budgets, old equipment and the use of personal devices. The article explains how the threats will get worse as time goes on.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>9\/6\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/arstechnica.com\/information-technology\/2019\/08\/rash-of-ransomware-continues-with-13-new-victims-most-of-them-schools\/\">Rash of ransomware continues with 13 new\nvictims\u2014most of them schools<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">More information on how\nschools are becoming a popular target for ransomware. 
\u201cAccording to Armor&#8217;s\ndata, schools have become the second-largest pool of ransomware\nvictims\u2014slightly behind local governments and closely followed by healthcare\norganizations.\u201d Below are recent ransomware infections.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.nwitimes.com\/news\/cyber-attack-forces-emergency-shutdown-of-lake-county-government-servers\/article_a4b36fa8-61fa-5817-a243-a49c2982c1c8.html\">Lake County,\n     Indiana<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.newsday.com\/long-island\/education\/hackers-ramsomware-school-districts-1.35422441\">Rockville\n     Center School District in Rockville Center, New York<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.columbiabasinherald.com\/local_news\/20190825\/mlsd_details_july_cyber_attack_on_districts_network\">Moses Lake\n     School District in Moses Lake, Washington&nbsp;<\/a>&nbsp;(the\n     attack apparently occurred in July but was only reported as ransomware this\n     month)<\/li>\n\n\n\n<li>Mineola\n     Public Schools in&nbsp;<a href=\"https:\/\/www.msspalert.com\/cybersecurity-breaches-and-attacks\/ransomware\/ryuk-hits-rockville-centre\/\">Mineola, New\n     York<\/a><\/li>\n\n\n\n<li>The Stevens\n     Institute of Technology in&nbsp;<a href=\"https:\/\/www.insidehighered.com\/news\/2019\/08\/27\/two-universities-targeted-hackers-just-new-school-year\">Hoboken, New\n     Jersey<\/a><\/li>\n\n\n\n<li>New Kent\n     County Public Schools in New Kent, Virginia<\/li>\n\n\n\n<li>Nampa Idaho\n     School District,&nbsp;<a href=\"https:\/\/cybersecurityfuture.wordpress.com\/2019\/08\/28\/idaho-schools-under-ransomware-attack-will-ransomware-make-america-great-again\/\">Nampa, Idaho<\/a><\/li>\n\n\n\n<li>Middletown\n     School District,&nbsp;<a href=\"https:\/\/www.courant.com\/community\/middletown\/hc-news-middletown-school-ransomware-20180629-story.html\">Middletown,\n     Connecticut<\/a><\/li>\n\n\n\n<li>Wolcott\n     Public Schools,&nbsp;<a 
href=\"https:\/\/www.wtnh.com\/news\/connecticut\/new-haven\/ransomware-attack-locks-out-school-district-for-3-months\/\">Wolcott,\n     Connecticut<\/a><\/li>\n\n\n\n<li>Wallingford\n     School District,&nbsp;<a href=\"https:\/\/www.nbcconnecticut.com\/news\/local\/Schools-Targeted-by-Hackers_Hartford-513207932.html\">Wallingford,\n     Connecticut<\/a><\/li>\n\n\n\n<li>New Haven\n     Public Schools,&nbsp;<a href=\"https:\/\/www.nbcconnecticut.com\/news\/local\/Schools-Targeted-by-Hackers_Hartford-513207932.html\">New Haven,\n     Connecticut<\/a><\/li>\n\n\n\n<li>The\n     Watertown Daily Times in&nbsp;<a href=\"https:\/\/cnycentral.com\/news\/local\/watertown-newspaper-hacked-cannot-print-sunday-editions\">Watertown,\n     New York<\/a><\/li>\n\n\n\n<li>Hospice of\n     San Joaquin,&nbsp;<a href=\"https:\/\/www.hipaajournal.com\/rhode-island-healthcare-provider-hacked-3000-records-potentially-compromised\/\">San Joaquin,\n     California<\/a><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.secureworldexpo.com\/industry-news\/ransomware-attack-cancels-school-2019?utm_campaign=Industry%20News&amp;utm_source=hs_email&amp;utm_medium=email&amp;utm_content=76512729&amp;_hsenc=p2ANqtz--OQDdsSJkk5V_t5FDRUd-VkTFVzld9EvRJTyf2mtAIjc9bx8Pwu1cyv42wpmrkUX8bfK7RuG_O7glzJnUqoIGL7sqhoPnqJwh7mjzzmhMoQpRDXHM&amp;_hsmi=76512977\">Ransomware Attack: District Suddenly Cancels\nSchool and Childcare for Thousands<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Flagstaff, Arizona, school district called off school due to a ransomware attack. This school was also affected by the AIMSweb 1.0 data breach last month as well. 
No information on how they got infected.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/ransomware-gang-wanted-5-3-million-from-us-city-but-they-only-offered-400000\/\">Ransomware gang wanted $5.3 million from US\ncity, but they only offered $400,000<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A ransomware gang\ninfected New Bedford, Massachusetts with ransomware and demanded $5.3 million\nfor the decryption keys. New Bedford Mayor Jon Mitchell offered the hackers\n$400,000 and they did not accept the offer, New Bedford then started the\nprocess of restoring from backups and other systems that did not get infected.\nThe ransomware attack only affected 4% of their network, this infection\nhappened back in July and they kept it quiet until now. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.consumer.ftc.gov\/blog\/2018\/08\/selling-your-car-clear-your-personal-data-first\">Selling your car? Clear your personal data\nfirst.<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now that cars have built-in WiFi, Bluetooth, Navigation and other technical features it is important to wipe your data before selling the car. 
Here are some types of data you want to remove from the electronic system before selling or donating your car:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Phone contacts and an address book&nbsp;may have been downloaded when you synced your phone with your vehicle.<\/li>\n\n\n\n<li>Mobile apps\u2019&nbsp;log-in information, or data that\u2019s gathered and stored on mobile apps, may be stored in the car.<\/li>\n\n\n\n<li>Digital content&nbsp;like music may be stored on a built-in hard drive.<\/li>\n\n\n\n<li>Location data&nbsp;like addresses or the routes you take to home, work, and favorite places may be stored in your navigation system.<\/li>\n\n\n\n<li>Garage door codes&nbsp;for your home or office may be on your system.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>9\/13\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/seems-phishy-back-school-lures-target-university-students-and-staff\">Seems Phishy: Back to School Lures Target\nUniversity Students and Staff<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Proofpoint has identified an uptick in college-themed targeted phishing emails when school starts back up for the year. A typical medium-volume phishing campaign sends thousands or tens of thousands of emails a day! The email templates observed have been made to look like library and student portal logins. The fraudulent web pages are made up to look identical to the pages that the colleges use; the best way to identify the fake pages is by observing the URL to see if it is the correct school URL.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.secureworks.com\/blog\/cobalt-dickens-goes-back-to-school-again\">COBALT DICKENS Goes Back to School\u2026Again<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">COBALT DICKENS is a name\nassigned to a threat group that targets colleges. 
9 members of this group have\nrecently been caught: \u201c<em>In March 2018, the U.S. Department of Justice&nbsp;<\/em><a href=\"https:\/\/www.justice.gov\/opa\/pr\/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary\"><em>indicted<\/em><\/a><em>&nbsp;the Mabna Institute and\nnine Iranian associates for compromising hundreds of universities to steal\nintellectual property and benefit financially.\u201d <\/em>The group was caught sending\nphishing emails to college libraries, with SSL certificates used to make the web\npages look legitimate. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.denverpost.com\/2019\/09\/06\/regis-university-cybersecurity-attack-student\/\">Who\u2019ll benefit from the Regis University\ncyberattack? The Denver school\u2019s cybersecurity students.<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Regis University teaches students what to do in the event of a cyber-attack, and they were victims of an attack themselves. They will use their attack as a case study in classrooms to teach students what they did to remediate the breach. With cyber-attacks becoming more common, experience in remediating them is very valuable. 
\u201c<em>Shari Plantz-Masters, dean of Regis\u2019s College of Computer and Information Sciences, said the university plans to hold an invitational conference when the situation is resolved to talk about what they learned and help prepare others<\/em>.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.secureworldexpo.com\/industry-news\/the-2-college-kids-who-nearly-hacked-their-way-to-president-trumps-tax-returns?utm_campaign=Industry%20News&amp;utm_source=hs_email&amp;utm_medium=email&amp;utm_content=76791158&amp;_hsenc=p2ANqtz-8Meg_ttipO2Df0wiRf3XwOGacvGkz1TXQJ1gnE_blubgKHyahN63KTsG1vScn7ngiyCEr009KHuR0UJdkxdNp0aVTwTjOVa7RcHkPuJsdgOx9NPk4&amp;_hsmi=76791225\">The Two College Kids Who Nearly Hacked into\nPresident Trump&#8217;s Tax Returns<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201c<em>Two\ntwenty-somethings in Pennsylvania pleaded guilty to charges after attempting to\nhack their way into the IRS to get President Trump&#8217;s tax returns<\/em>.\u201d The\nstudents made a false FAFSA application in the name of someone in Trump\u2019s\nfamily. They then used the IRS tool to electronically pull records to try to\npull Trump\u2019s tax returns. They ran into a problem where an account already\nexisted for Donald Trump. They then GUESSED the security questions and got into\nthe existing account. \u201c<em>Although the Department of Justice says the attempt\n&#8220;ultimately failed,&#8221; it is not clear why. 
We simply know the students\ngot close to getting their hands on the President&#8217;s taxes.\u201d<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>9\/20\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/thehackernews.com\/2019\/09\/browser-chrome-extension-adblock.html\">Two Widely Used Ad Blocker Extensions for\nChrome Caught in Ad Fraud Scheme<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cTwo widely used\nAdblocker Google Chrome extensions, posing as the original \u2014 AdBlock and uBlock\nOrigin \u2014 extensions on Chrome Web Store, have been caught stuffing cookies in\nthe web browser of millions of users to generate affiliate income from referral\nschemes fraudulently.\u201d Web browser extensions have become a popular vector for\nmalicious attacks, both of these extensions had over 800,000 users each. Google\nhas removed both of the malicious extensions from the Chrome Web Store. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/two-arrested-in-10-million-tech-support-scheme-that-preyed-on-the-elderly\/\">Two arrested in $10 million tech support\nscheme that &#8216;preyed on the elderly&#8217;<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Two suspects have been\narrested for running a massive tech support scam, this scam has made over $10\nmillion in profit by defrauding more than 7,500 victims, most of which were\nelderly. This scam would trick users into calling fake tech support that would\ncharge them for unneeded tech services. 
&nbsp;\u201cIn 2018, tech support schemes\ngenerated over 142,000 consumer complaints with the US Federal Trade\nCommission.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/arstechnica.com\/information-technology\/2019\/09\/advanced-hackers-are-infecting-it-providers-in-hopes-of-hitting-their-customers\/\">Advanced hackers are infecting IT providers in\nhopes of hitting their customers<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Hackers have proven that they will do anything to compromise our networks, even if that means compromising third-party IT vendors to create a path to their customers\u2019 networks. \u201cA previously undocumented attack group with advanced hacking skills has compromised 11 IT service providers\u201d. This is another example of a supply chain attack; the coordinated ransomware attacks in Texas were believed to also come from IT service providers. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>9\/27\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/thehackernews.com\/2019\/09\/doordash-data-breach.html\">DoorDash Breach Exposes 4.9 Million Users&#8217;\nPersonal Data<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DoorDash is a food\ndelivery service; they are like GrubHub and will deliver food from restaurants\nwithout delivery service. 
Today they announced a breach that affects almost 5\nmillion people, including its customers, delivery workers, and merchants as\nwell.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The type of data\naccessed by the unknown attacker(s) includes both personal and financial data,\nas shown below:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Profile information of all 4.9 million affected users&nbsp;\u2014 This data includes their names, email addresses, delivery addresses, order history, phone numbers, and hashed passwords.<\/li>\n\n\n\n<li>Financial information of some consumers&nbsp;\u2014 The company said the hackers also managed to get their hands on the last four digits of payment cards for some of its consumers but assured that full payment card numbers or a CVV were not accessed.<\/li>\n\n\n\n<li>Financial information of some Dashers and merchants&nbsp;\u2014 Not just consumers, but some Dashers and merchants also had the last four digits of their bank account number accessed by the hackers.<\/li>\n\n\n\n<li>Information of 100,000 Dashers&nbsp;\u2014 The attackers were also able to access driver&#8217;s license numbers for 100,000 Dashers.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/arstechnica.com\/tech-policy\/2019\/09\/russian-national-confesses-to-biggest-bank-hack-in-us-history\/\">Russian national confesses to biggest bank\nhack in US history<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This person hacked Chase\nbank in 2014 and stole hundreds of millions of dollars along with data from\nmore than 80 million JPMorgan clients. \u201cAndrei Tyurin, 35, whose last name is\nalso spelled Tiurin, also pleaded guilty to hacks against other US financial\ninstitutions, brokerage firms, and other companies. 
In all, he pleaded guilty\nin federal court to computer intrusion, wire fraud, bank fraud, and illegal\nonline gambling as part of a securities-fraud scheme carried out by\nco-conspirators.\u201d <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/krebsonsecurity.com\/2019\/09\/mypayrollhr-ceo-arrested-admits-to-70m-fraud\/\">MyPayrollHR CEO Arrested, Admits to $70M Fraud<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Earlier this month more\nthan 1,000 companies saw one or two paychecks worth of funds deducted from\ntheir bank accounts. The CEO of their cloud payroll provider took the money\nfrom customers, on Monday he was arrested and confessed that the act was a\nfinal desperate gasp of a financial shell game that earned him $70 million over\nseveral years. \u201cMichael T. Mann, the 49-year-old CEO of Clifton Park, NY-based\nMyPayrollHR, was arrested this week and charged with bank fraud. In court\nfilings, FBI investigators said Mann admitted under questioning that in early\nSeptember \u2014 on the eve of a big payroll day \u2014 he diverted to his own bank\naccount some $35 million in funds sent by his clients to cover their employee\npayroll deposits and tax withholdings.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>10\/4\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/over-500-us-schools-were-hit-by-ransomware-in-2019\/\">Over 500 US schools were hit by ransomware in\n2019<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cIn the first nine\nmonths of the year, ransomware infections have hit over 500 US schools,\naccording to a report published last week by cyber-security firm Armor. 
In\ntotal, the company said it found and tracked ransomware infections at 54\neducational organizations like school districts and colleges, accounting for\ndisruptions at over 500 schools.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/threatpost.com\/senate-passes-bill-aimed-at-combating-ransomware-attacks\/148779\/\">Senate Passes Bill Aimed At Combating\nRansomware Attacks<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">New legislation has been\napproved by the senate that will help local cities and schools respond to\nransomware attacks. \u201cThe proposed law, the \u201cDHS Cyber Hunt and Incident\nResponse Teams Act,\u201d authorizes the Department of Homeland Security (DHS) to\ninvest in and develop \u201cincident response teams\u201d to help organizations battle\nransomware attacks.&nbsp; Part of that means that the DHS would create teams to\nprotect state and local entities from cyber threats and restore infrastructure\nthat has been affected by ransomware attacks.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/microsoft-mfa-bypass-attacks-are-so-rare-we-dont-have-good-statistics-on-them\/\">Microsoft: MFA bypass attacks are so rare we\ndon&#8217;t have good statistics on them<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">MFA Works! There are no\ngood statistics on attacks that were successful past MFA because the attacks\nrarely work. MFA provides a second factor of authentication on top of the\npassword. 
The attackers have not evolved past MFA safeguards because it is not\nused everywhere, they will just attack the victims that do not use MFA because\nthey are easier targets.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>10\/11\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/ransomware-gang-uses-itunes-zero-day\/\">Ransomware gang uses iTunes zero-day<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The applications<strong>\niCloud<\/strong> and <strong>iTunes<\/strong> for the <strong>Windows operating system <\/strong>have a\nZero-Day exploit that has been used to deliver ransomware to systems. A\nzero-day exploit is a vulnerability that the vendor does not yet know about.\nApple has released a patch for this vulnerability this week. If anyone is using\niCloud or iTunes on a Windows computer, update both applications as soon as\npossible!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/beware-of-fake-amazon-aws-suspension-emails-for-unpaid-bills\/\">Beware of Fake Amazon AWS Suspension Emails\nfor Unpaid Bills<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is a common\nphishing attack, you get an email from a vendor stating that you have not paid\nyour bill. This sparks our curiosity and makes us want to click the link to see\nwhat bill we have not paid. Do not click the link!!! Instead, log into the legitimate\nwebsite for this vendor that you always use or pick up the phone and give them\na call. 
See <a href=\"https:\/\/staysafeonline.org\/blog\/5-ways-spot-phishing-emails\/\">the top ways to spot a phishing email<\/a> for more information on\navoiding these scams.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cyware.com\/news\/university-of-texas-first-ever-to-offer-cybersecurity-certification-in-healthcare-ef5dd2ca\">University of Texas First Ever to Offer\nCybersecurity Certification in Healthcare<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cThe healthcare industry takes the lion\u2019s share of ransomware attacks and the reasons are: the value of healthcare data; little attention on tech upgrades; and the rising complexity of healthcare ops. Nonetheless, the cybersecurity industry talent crisis isn\u2019t new to us.\u201d In a field as complex as Cybersecurity, industry-focused education is a great idea. Working in healthcare requires not only a strong knowledge of systems and networks but also compliance to deal with HIPAA and other challenges the industry brings. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>10\/18\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/10\/18\/phishy-text-message-tries-to-steal-your-cellphone-account\/\">Phishy text message tries to steal your\ncellphone account<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Hackers use social\nengineering in many ways, in this scam, they are sending phishing messages by\nmobile text message. The scam works the same as a phishing email, they send you\nto a fake webpage and try to steal your username and password. 
\u201cMessages sent\nvia SMS unexceptionably use a brief and direct style that makes it much easier\nto get the spelling and grammar right.\u201d Be on the lookout for these malicious\ntext messages.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.secureworldexpo.com\/industry-news\/are-doctors-quitting-after-ransomware-attacks?utm_campaign=Industry%20News&amp;utm_source=hs_email&amp;utm_medium=email&amp;utm_content=78228969&amp;_hsenc=p2ANqtz-8Hz1hvtjCw1nPGY_OelYNZB9Z6QsFuilx3HPjR98_e8pI64taRH3HS4RgE1FaZckW2mA9POgtUyiP_LrRR2ofnY9OlaimNlTLrXaxMBhiRy_hPJTM&amp;_hsmi=78229188\">Doctors Quitting Due to Ransomware Attacks<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Ransomware attacks are\ngetting so bad at hospitals doctors are starting to quit or retire early. With\nthe loss of medical records, they are having a difficult time doing their job.\nIn Michigan a clinic has completely closed due to a ransomware attack, they had\ntheir files and backup systems encrypted. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/10\/16\/food-writer-jack-monroe-loses-at-least-5000-in-sim-swap-fraud\/\">Food writer Jack Monroe loses at least \u00a35,000\nin SIM-swap fraud<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cBritish food writer and activist Jack Monroe has had her bank account drained by hijackers, despite using two-factor authentication (2FA) to protect accounts.\u201d The 2FA was text message-based and what led to the bank account compromise. Using an app or hardware token for your second factor is much more secure than a text message. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>10\/25\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/vietnamese-student-behind-android-adware-strain-that-infected-millions\/\">Vietnamese student behind Android adware\nstrain that infected millions<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The researchers at ESET have tracked down a person behind a recent wave of Android adware. The person behind the mobile adware is a university student from Vietnam. 42 apps were found on the Android app store, all of the apps contained adware that ESET has named Ashas. Some of the apps started off as legitimate apps with no adware, the student then decided to add the adware. ESET contacted the Google play security team and they removed the apps right away. The apps may still be available on third-party app stores. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.swindonadvertiser.co.uk\/news\/17986919.no-personal-data-stolen-college-cyber-attack\/\">No personal data stolen in college cyber\nattack<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">An investigation into hackers attacking Swindon College\u2019s network revealed that no personal data had been stolen. The college worked with the National Crime Agency over the last month and determined no data was extracted.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/threatpost.com\/click-fraud-malware-apple-app-store\/149496\/\">Apple Removes 17 Malicious iOS Apps From App\nStore<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Researchers have\nuncovered 17 apps on Apple\u2019s official App Store infected with malware. Apple\nhas since removed the apps from the App Store \u2013 but a \u201csignificant\u201d number of\niOS users could have installed them, researchers said. All of the malicious\napps were published by the developer: AppAspect Technologies Pvt. Ltd. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>11\/1\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/fossbytes.com\/android-malware-cant-removed-after-factory-reset\/\">Beware! This Android Malware Can\u2019t Be Removed\nEven After Factory Reset<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The team at Malwarebytes has identified a new malware strain that has affected around 45,000 Android devices. This malware is mostly obtained from third-party app stores; once the malware is installed, it displays frequent pop-up notifications. The interesting thing about this malware is that it has been observed to survive a factory reset on the mobile phone. Sticking to your mobile phone\u2019s stock app store is much more secure than downloading apps from third-party app stores.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2019\/11\/01\/new-google-chrome-security-alert-update-your-browsers-as-high-severity-zero-day-exploit-confirmed\/#7fdab9d270b3\">New Google Chrome Security Alert: Update Your\nBrowsers As \u2018High Severity\u2019 Zero-Day Exploit Confirmed<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you use Google Chrome, update it ASAP. Google\u2019s security team has reported a new Zero-Day exploit that affects the Chrome browser on Windows, Mac, and Linux. The vulnerability could allow an attacker to take control of a device.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/arstechnica.com\/information-technology\/2019\/10\/indian-nuke-plants-network-reportedly-hit-by-malware-tied-to-n-korea\/\">Indian nuke plant\u2019s network reportedly hit by\nmalware tied to N. Korea<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A domain controller at a Nuclear Power Plant in India has been compromised; attribution of the attack points to North Korea. 
The report shows that the reactor controls have not been affected and the attack may have been after technical information about the plant. The plant officials have stated that the control systems are air-gapped from the rest of the network and not affected. This plant is India\u2019s largest and has had reports of multiple safety issues. \u201cThere have been over 70 shutdowns since the reactors went active in 2013. And on October 19, the plant&#8217;s second reactor was shut down due to a fault in the reactor&#8217;s steam generation, according to KKNPP officials. The shutdown was not related to the malware attack, officials asserted.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2019\/10\/messagetap-who-is-reading-your-text-messages.html\">MESSAGETAP: Who\u2019s Reading Your Text Messages?<\/a> <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">APT41 is a code name for a Chinese nation-state hacking group. Recent malware from APT41 called MESSAGETAP has been observed to steal SMS text messages from the servers they pass through when they are sent from phone to phone. The malware steals the contents of the text message, the IMSI SIM card number, and the source and destination phone numbers. The text messages are able to be read because they are sent in cleartext. If you use an encrypted messaging service like iMessage, the contents of the message would not be immediately readable.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>11\/8\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/thehackernews.com\/2019\/11\/ring-doorbell-wifi-password.html\">Amazon&#8217;s Ring Video Doorbell Lets Attackers\nSteal Your Wi-Fi Password<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Security researchers at\nBitdefender have discovered a vulnerability in the Ring Doorbell. This\nvulnerability gives an attacker access to your Wi-Fi password, allowing them to\nget on your internal network. 
The vulnerability stems from the setup process of\nthe Ring Doorbell, you have to provide the doorbell your Wi-Fi password to set\nit up. The attackers send multiple messages to the doorbell over the air that\nmakes the doorbell think it has to be set up again. When the user sets up the\ndoorbell the attacker performs a man in the middle attack and steals the\npassword provided to the Ring doorbell. &nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/apple-mail-on-macos-leaves-parts-of-encrypted-emails-in-plaintext\/\">Apple Mail on macOS leaves parts of encrypted\nemails in plaintext<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Apple assistant Siri has been busted reading text from emails in a database called snippets.db. Apple stores encrypted emails in this database in plain text, this means they can be read and are not encrypted while stored in the file. Siri does this to provide the user with more features but by doing this significantly decreases security. This is happening on macOS the laptop and desktop operating system. See the article for instructions to turn this feature off. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/krebsonsecurity.com\/2019\/11\/study-ransomware-data-breaches-at-hospitals-tied-to-uptick-in-fatal-heart-attacks\/\">Study: Ransomware, Data Breaches at Hospitals\ntied to Uptick in Fatal Heart Attacks<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A new study has shown a\nrise in fatal heart attacks in hospitals that are remediating ransomware.\n\u201cBreach remediation efforts were associated with deterioration in timeliness of\ncare and patient outcomes,\u201d the authors found. 
\u201cRemediation activity may\nintroduce changes that delay, complicate or disrupt health IT and patient care\nprocesses.\u201d <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>11\/15\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/us-govt-recommends-vendor-system-configs-to-block-malware-attacks\/\">US Govt Recommends Vendor System Configs To Block\nMalware Attacks<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cThe Department of Homeland Security&#8217;s Cybersecurity and Infrastructure Security Agency (CISA) today reminded users and system administrators to properly configure their systems to defend against malware that can exploit improper configurations.\u201d The recommendations are setting up systems to vendor-recommended configurations, applying security patches, installing anti-malware solutions, and using firewalls.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/officials-warn-about-the-dangers-of-using-public-usb-charging-stations\/\">Officials warn about the dangers of using\npublic USB charging stations<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cTravelers are advised\nto avoid using public USB power charging stations in airports, hotels, and\nother locations because they may contain dangerous malware, the Los Angeles\nDistrict Attorney said in a security alert published last week.\u201d Security\nresearchers have recently started installing malicious hardware in phone chargers;\nit is a best practice to use your charger and your charger only. The attack\nwhere a hacker uses a phone charging cable to deliver a malicious payload has\nbeen labeled \u201cJuice jacking\u201d. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/thehackernews.com\/2019\/11\/hacking-with-sim-swapping.html\">Two Arrested for Stealing $550,000 in\nCryptocurrency Using Sim Swapping<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cStarting with the\ncountry&#8217;s first-ever conviction for &#8216;SIM Swapping&#8217; this February, U.S.\nDepartment of Justice has since then announced charges against several individuals\nfor involving in the scheme to siphon millions of dollars in cryptocurrency\nfrom victims.\u201d Cybercriminals from Massachusetts have been charged with\nstealing $550,000 in cryptocurrency from at least 10 victims using sim swapping\nattacks. Sim swapping is where an attacker tricks your mobile phone provider to\nget a sim card activated with your number, this can then be used to reset\npasswords for your accounts. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>11\/22\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/thejournal.com\/articles\/2019\/11\/18\/schools-under-cyber-siege-need-a-path-to-resilience.aspx\">Schools Under Cyber Siege Need a Path to\nResilience<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">More education institutions are getting hit with ransomware making them the second-largest victims in all sectors. More technology is getting introduced into schools for instruction, without the resources to properly manage and secure the equipment. \u201cAs endpoint and environmental complexities increase, and risk alongside them, it\u2019s no surprise that 68 percent of education IT leaders in the U.S. list cybersecurity as their top priority. 
In tandem, several state governments, including Louisiana, Texas and North Dakota, have stepped up their efforts to safeguard schools against cyberattacks with various measures such as cyber policy mandates, cyber commission formation and state IT department oversight for schools.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/arstechnica.com\/information-technology\/2019\/11\/louisiana-was-hit-by-ryuk-triggering-another-cyber-emergency\/\">Louisiana was hit by Ryuk, triggering another\ncyber-emergency<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cOn November 18, a ransomware attack caused Louisiana&#8217;s Office of Technology Services to shut down parts of its network, including the systems of several major state agencies.\u201d Some of the services have been brought back online but some are still in the process of being restored. Since they had backups in place and a plan to restore services, they are not paying the ransom and will hopefully be back up and running in the days to come.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/us-student-was-allegedly-building-a-custom-gentoo-linux-distro-for-isis\/\">US student was allegedly building a custom\nGentoo Linux distro for ISIS<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A 20-year-old student from Chicago has been arrested and charged for providing material support to ISIS. \u201cAccording to court documents, the suspect allegedly created a Python script to automate saving ISIS multimedia from official social media channels, so other members could re-post it on their own accounts, and help spread the terrorist group&#8217;s propaganda.\u201d This student was also in the process of creating a secure Linux operating system that could be used by the terrorist group and their supporters. This operating system would be difficult for law enforcement to penetrate allowing for ISIS supporters to keep their operations anonymous. 
\u201cIf found guilty for providing material support to ISIS, Osadzinski faces up to 20 years in prison.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>12\/6\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/livingston-school-district-in-new-jersey-hit-with-ransomware\/\">Livingston School District in New Jersey Hit\nWith Ransomware<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cStudents at the Livingston public school district in New Jersey are undoubtedly happy for a two hour delayed opening tomorrow. Unfortunately, this delay is not being caused by snow, but rather by a ransomware attack that the district is still recovering from.\u201d The school&#8217;s servers were encrypted and down, causing them to initiate an investigation with a third-party security company. They are unsure if any data has been stolen at this point. \u201cJust this past Thursday, the operators of the Maze Ransomware publicly released 10% of the data that was stolen from Allied Universal after they did not pay the ransom. They state that they will release the rest of the data if an increased ransom payment is not made.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.zdnet.com\/article\/ransomware-attack-hits-major-us-data-center-provider\/\">Ransomware attack hits major US data center\nprovider<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One of the largest data\ncenters in the US has been hit with Ransomware; customers that use their cloud\nservices have been impacted and are reporting availability issues. &#8220;Six of\nour managed service customers, located primarily in our New York data center,\nhave experienced availability issues due to a ransomware program encrypting\ncertain devices in their network,&#8221; CyrusOne told ZDNet. 
This is the same\nstrain of Ransomware that hit 20 local governments in Texas back in June.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/threatpost.com\/att-verizon-subscribers-exposed-mobile-bills\/150867\/\">AT&amp;T, Verizon Subscribers Exposed as\nMobile Bills Turn Up on the Open Web<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A contractor working with Sprint made a mistake and exposed hundreds of thousands of phone bills for AT&amp;T, Verizon, and T-Mobile customers. The information was on an Amazon Web Services bucket that was not properly secured. \u201cAccording to a media investigation, the contractor misconfigured a cloud storage bucket on Amazon Web Services (AWS), in which more than 261,300 documents were stored \u2013 mainly cell phone bills from Sprint customers who switched from other carriers.\u201d Some of the records included bank statements, usernames, passwords, and online pins. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>12\/3\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/edscoop.com\/sycamore-community-school-district-ransomware\/\">Yet another school district hit by ransomware,\nthis time in Illinois<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">60 miles west of Chicago, Sycamore Community School District 427 has been hit with Ransomware. \u201cSycamore Community\u2019s incident is the latest in a string of ransomware attacks against K-12 schools and higher education institutions in which hackers lock-up systems and data and demand bitcoin payment for returned access. 
According to data collected by Scoop News Group, at least 48 school districts and colleges have been infected by ransomware so far this year.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/thehackernews.com\/2019\/12\/snatch-ransomware-safe-mode.html\">Snatch Ransomware Reboots Windows in Safe Mode\nto Bypass Antivirus<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A new variant of Ransomware called Snatch has the ability to restart the computer into Safe Mode. This will allow it to bypass some antivirus products and other host-based security tools. \u201cWhat makes Snatch different and dangerous from others is that in addition to ransomware, it&#8217;s also a data stealer. Snatch includes a sophisticated data-stealing module, allowing attackers to steal vast amounts of information from the target organizations.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.secureworldexpo.com\/industry-news\/pensacola-shooting-malware-attack-linked?utm_campaign=Industry%20News&amp;utm_source=hs_email&amp;utm_medium=email&amp;utm_content=80723149&amp;_hsenc=p2ANqtz-8wJN5YTWi6aqOEQ0X8FUnoUeaHGh-Jdub_q2-4gnMOmvpgByZT6NjLtVdGDrRhgLn2iZCFYthqMtJ_ZcREo6MEYursFqHnIJBcGkICCeY68U-PPAQ&amp;_hsmi=80722787\">Linked? Pensacola Naval Shootings and a\nRansomware Attack Hours Later<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The FBI is looking for a link in the Pensacola Naval Shootings and a Ransomware Attack Hours Later on the City of Pensacola. Security researcher and data scientist Kenneth Geers mentions that increased news coverage for specific events sometimes leads to increases in cyber-attacks. &#8220;Malware is super dynamic, it is changing all the time, but it is a reflection of human affairs.&nbsp; Everyone is connected for everything, to everything online. 
That&#8217;s where the good guys are and the bad guys are\u2014everybody.&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>12\/20\/2019<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/latesthackingnews.com\/2019\/12\/15\/visa-alerts-north-america-regarding-pos-malware-attacks-on-gas-pumps\/\">VISA\nAlerts North America Regarding POS Malware Attacks On Gas Pumps<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cVISA has recently issued a cybersecurity alert for the\nresidents of North America. VISA has noticed a wave of POS malware attacks at\nvarious fuel dispensing systems in the region. They suspect an increase in\nthese attacks precisely targeting fuel dispenser merchants.\u201d Visa recommends\nthe following to protect POS systems:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Protect remote access with safe passwords and restrict\nunnecessary access <\/li>\n\n\n\n<li>Monitor network traffic <\/li>\n\n\n\n<li>Enable EMV technology <\/li>\n\n\n\n<li>Apply network segmentation to prevent malware spreading<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><em>It is important\nto monitor your card statements to watch out for fraudulent charges; setting up\na text or email alert for each transaction is a good way to continuously audit.<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/krebsonsecurity.com\/2019\/12\/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up\/#more-49994\">Ransomware\nGangs Now Outing Victim Businesses That Don\u2019t Pay Up<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Hackers are escalating their tactics to get victims of Ransomware attacks to pay\nup. \u201cSeveral prominent purveyors of ransomware have\nsignaled they plan to start publishing data stolen from victims who refuse to\npay up.\u201d This is interesting because most Ransomware attacks this year reported\nthat no data was exfiltrated. 
It looks like the bad guys will begin by\nexfiltrating sensitive data to use as leverage to get victims to pay.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/12\/17\/ransomware-seized-new-orleans-declares-state-of-emergency\/\">Ransomware-seized\nNew Orleans declares state of emergency<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The city of New Orleans has been\nhit with Ransomware and has declared a state of emergency to get federal\nhelp. Sophos reported on this attack and shared the following to protect\nagainst Ransomware:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pick strong passwords. And don\u2019t re-use passwords, ever.<\/li>\n\n\n\n<li>Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can\u2019t find them.<\/li>\n\n\n\n<li>Patch early, patch often. Ransomware like&nbsp;<a href=\"https:\/\/nakedsecurity.sophos.com\/2017\/05\/17\/wannacry-the-ransomware-worm-that-didnt-arrive-on-a-phishing-hook\/\">WannaCry<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/nakedsecurity.sophos.com\/2017\/06\/28\/new-petya-ransomware-all-you-wanted-to-know-but-were-afraid-to-ask\/\">NotPetya<\/a>&nbsp;relied on unpatched vulnerabilities to spread around the globe.<\/li>\n\n\n\n<li>Lock down RDP. Criminal gangs&nbsp;<a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/07\/17\/rdp-exposed-the-wolves-already-at-your-door\/\">exploit weak RDP credentials<\/a>&nbsp;to launch targeted ransomware attacks. Turn off RDP if you don\u2019t need it, and use rate-limiting, 2FA or a VPN if you do.<\/li>\n\n\n\n<li>Use anti-ransomware protection. 
Sophos&nbsp;<a href=\"https:\/\/www.sophos.com\/en-us\/products\/intercept-x.aspx?cmp=26103\">Intercept      X<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/www.sophos.com\/en-us\/products\/next-gen-firewall.aspx?cmp=26057\">XG      Firewall<\/a>&nbsp;are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with&nbsp;<a href=\"https:\/\/home.sophos.com\/?cmp=27313\">Sophos      Home<\/a>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The 2019 Cyber News Review started in April 2019 and provides a weekly review of Cyber Security news. 4\/18\/2019 Chinese hackers strike US universities in bid for military technology Accenture\u2019s iDefense team has confirmed cyberattacks against at least 27 universities worldwide. \u201cIt is believed that the threat actors behind the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":34,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-50","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/50","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=50"}],"version-history":[{"count":1,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/50\/revisions"}],"predecessor-version":[{"id":51,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/50\/revisions\/51"}],
"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/media\/34"}],"wp:attachment":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=50"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=50"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=50"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}