Category: Cybersecurity Attacks

The Cybersecurity Attacks section covers in-depth analysis and reports on recent cyber attacks targeting various industries. From ransomware incidents to advanced persistent threats (APTs) and distributed denial-of-service (DDoS) attacks, this section provides detailed accounts of how these attacks occurred, their impact, and the methods used by threat actors. It serves as a crucial resource for understanding the latest attack vectors and mitigation strategies to protect against similar threats.

Coverware Report Reveals Increased Average Ransomware Payment of $41,198 for Q3 of 2019

Ransomware is still one of the biggest cybersecurity threats experienced by healthcare organizations. Attacks have gone up not to mention the ransom demands.

The latest analysis by Coveware, a company providing ransomware remediation and incident response, showed that the average ransom payment increased by 13% and stands at $41,198 in the third quarter of 2019. This value is six times the December 2018 average. Plenty of organizations have paid considerably more. The threat actors that make use of the Ryuk ransomware for their attacks ask for ransom demand in hundred thousand dollars. From the second and third quarters of 2019, Ryuk ransom payments reached $267,742 to $377,026. Attackers typically ask large enterprises to pay more than 1 million dollars t ransom payments.

Though no sector is free of ransomware attacks, certain industries often have a greater likelihood of paying ransom demands. The statistics of the most attacked sectors are:

1. professional services -18.3%
2. public sector – 13.3%
3. medical care – 12.8%
4. software solutions – 11.7%
5. merchants – 8.3%

There is also an increase in attacks on managed service providers (MSPs). These attacks frequently demand far more effort from the threat actors, but the prospective rewards are great. A good campaign against an MSP enables attackers to access systems and client data. The attackers target MSPs and big companies using the ransomware variants called Sodinokibi and Globelmposter. Some also use the ransomware variants Netwalker, Snatch and Hidden Tear.

Even if Coveware didn’t diclose specifically the number of clients that have paid ransom, CEO Bill Siegel of Coveware admits that the number hits hundreds.

Cybercriminals employ various strategies to propagate malware and launch ransomware attacks. As per Coveware’s report, there’s an apparent change in the execution of attacks, which are now much more sophisticated. When cybercriminals began attacking with ransomware, most attacks were automated and random. Today, attacks are more centered on businesses and use techniques that involve nation-state threat actors.

The clients of Covewarewere experience attacks that primarily use stolen RDP credentials (50.6%), phishing (39%) and software vulnerability exploitation (8.1%).

Surely, ransomware creators would prefer that the victims are able to recover their files, or else they would not get paid. Nevertheless, ransom payment does not assure file recovery. Coveware’s figures indicate that 98% of clients paying ransom obtained legit decryption keys, however data recovery was typically just around 94%.

The attackers employing Rapid and Dharma ransomware variants usually don’t give legit keys for decrypting files after paying the ransom. Mr. Dec ransomware’s encryption code is badly written so decryptors only permit 30% data recovery.

Paying the ransom is actually not necessary since free decryptors are available through the No More Ransom project. However the accessible decryptors don’t work when the ransomware variants used are Phobos (19.9%), and Ryuk (22.2%), Sodinokibi (21.1%) and Phobos (19.9%).

File recovery is likewise achievable when there are backups. Nonetheless, in many cases, backups aren’t updated and are corrupted, so file recovery is not possible. Backups could likewise be encrypted.

Phishing Attack Impacted Thousands of TennCare and Florida Blue Members

Other healthcare companies have affirmed that they were affected by the Magellan Health National Imaging Associates data breach. Magellan Health NIA provides managed pharmacy and radiology benefits services for a number of HIPAA-covered entities as a business associate.

Last month, Geisinger Health Plan based in Danville, PA said that the breach impacted 5,848 of its members. Recently, Florida Blue (a health insurance firm) and TennCare (the Medicaid program in Tennessee), made the same press releases. 56,226 members of Presbyterian Health Plan in Albuquerque, NM were also affected by the breach.

Magellan Health NIA encountered the phishing attack on May 28, 2019, but only became aware of the incident on July 5, 2019 when the attacker used the compromised email account to send a lot of spam email messages. The affected email account was secured upon discovery.

An internal investigation of the breach confirmed that a person from outside the United States accessed the mailbox several times. The intent of the attacker is likely just to send spam email using the email account. The investigators found no evidence of access or theft of protected health information (PHI), however, the possibility can’t be ruled out.

Magellan Health NIA informed TennCare about the breach on September 11, which was one day after the discovery of the breach impact by Magellan Health. Magellan Health NIA sent breach notifications to Geisinger Health Plan on September 24, and Florida Blue on September 25.

Florida Blue has no announcement yet about the exact number of its affected members, but it mentioned that the PHI of less than 1% of 5 million members were exposed. The compromised information only included name, birth date, health plan name, healthcare provider’s name, member ID number, medication name, code of imaging procedures done, benefit authorization details, and authorization number. Florida Blue is offering credit monitoring services for free to its affected members.

TennCare announced that the breach impacted 43,847 people. The potentially compromised data included members’ names, ID numbers, health plan data, healthcare providers’ names, names of drugs, and Social Security numbers. TennCare also offered credit monitoring services as a preventative measure against data misuse.

The Cost Due to Healthcare Data Breaches in the Industry May Reach $4 Billion in 2019

A recent survey was conducted to find out the cost associated with healthcare industry data breaches, the scope of the healthcare sector under attack, and what percentage of the attacks succeed.

The Black Book Market Research conducted a survey on 2,876 security experts at 733 companies from Q4, 2018 to, Q3, 2019. Respondents shared their opinions on cybersecurity to know the vulnerabilities and security issues and find out why a lot of these cyberattacks succeed.

According to 96% of surveyed IT experts, cybercriminals are moving faster than medical companies, which is not surprising considering that 93% of healthcare companies claimed having encountered a data breach since quarter 3 of 2016. The report stated that 57% of companies had encountered over five data breaches during that period of time. Over 50 percent of the data breaches that healthcare organizations reported were caused by hacks and external threat actor attacks.

The healthcare sector is the target of attacks since hospitals and insurance companies keep massive amounts of sensitive and important information and there are usually security vulnerabilities that may be quickly exploited. Because the risk of attack is really high, the industry stays remarkably prone to data breaches.

There is a considerable cost associated with these healthcare sector attacks. Based on the report, the expenditure due to data breaches at hospitals in 2019 was $423 for every record. The report forecasts that, according to the present volume of data breaches, the cost to the healthcare industry is going to reach $4 billion by the end of the year. Seeing the present trends and the yearly growth in healthcare data breaches, that number is very likely to be significantly higher in 2020.

The survey highlighted that a major reason why the healthcare sector is vulnerable is budget limitations. Legacy systems and equipment remain extensively used in the healthcare sector, however, the cost of updating those systems is hard to rationalize when the cash does not grow with revenue.

Overall, money invested in cybersecurity for 2020 is designed to be increased to about 6% of total IT funds at hospital systems, however, smaller practices had a cut down in investment in cybersecurity, particularly at medical organizations where just 1% of the 2020 IT funds will be invested on cybersecurity. 90% of hospital reps surveyed stated their cybersecurity finances had no change from 2016.

Purchases of cybersecurity solutions are mostly bought blindly. One-third of surveyed hospital professionals stated they selected cybersecurity solutions without having a lot of insight or discernment. 92% of decisions on security product or services since 2016 were made by C-level executives without involving department administrators and consumers in the purchasing decision. Merely 4% of companies stated they had a guiding committee to help assess the effect of funds in cybersecurity.

A lot of healthcare companies are also working without a accountable security manager. Just 21% mentioned they had a committed security officer and only 6% reported that individual was the Chief Information Security Officer. At physician groups with over 10 clinicians, only 1.5% said they had a committed CISO. This is partly due to a lack of competent staff. 21% of healthcare companies claimed they had to outsource the work and are utilizing cyber security-as-a-service as a temporary solution.

Apple IOS Vulnerability Allows Hackers to Spy on FaceTime Calls

A severe Apple IOS vulnerability has been noticed that lets people to gain access to both the microphone and the front-facing camera on Apple appliances by manipulating a fault in FaceTime. Further, the fault even lets microphone/camera access if the call is not replied. The fault has prompted several safety experts to advise Apple device proprietors to stop using FaceTime until the fault is rectified.

To manipulate the fault, a user would require to use FaceTime to call another individual with an iOS appliance. Before the call is replied, the users would need to add themselves as additional contacts to Group FaceTime. As soon as that has occurred, the persons being called would have their microphones turned on and the callers could listen to what is occurring in the room, even when the call is not replied.

If the individual being called was to silent the call (by pressing the power button) the front-facing camera would also be triggered, providing the caller video footage and audio.

Safety specialists have cautioned that it does not matter whether the call is replied, just by calling a person it is possible to listen to what is occurring in the room and see everything in the camera’s field of view. Although this might prove distressing for some FaceTime users, it might also result in serious harm. Compromising footage might be recorded and utilized for extortion.

Several cases of this happening have been posted on social media networks and it is obvious that this Apple IOS vulnerability is being actively abused. Apple is conscious of the problem and has announced that a solution will be issued later this week. Until such time, Apple appliance owners have been instructed to inactivate FaceTime through appliance settings. If FaceTime is inactivated, the vulnerability cannot be abused.

773 Million Electronic mail Addresses and 21 Million Unique Passwords Listed for Sale

A huge collection of login identifications that contains roughly 773 million electronic mail addresses has been uncovered by safety researcher Troy Hunt. Hunt is an Australian Microsoft Regional Director and keeps the Have I Been Pwned (HIBP) website, where people can test to see whether their login identifications have been thieved in a data breach.

Continue reading “773 Million Electronic mail Addresses and 21 Million Unique Passwords Listed for Sale”

California Wildfire-Themed BEC Attack Identified

It’s usual for phishers to use natural catastrophes as a lure to get ‘donations’ to line their pouches instead of helping the sufferers and the California wildfires are no exception. A lot of people have lost their lives in the fires and the death toll is likely to increase further as hundreds of people are still unaccounted for.

Entire towns such as Paradise have been completely devastated by the wildfires and hundreds of people have lost their homes. Numerous are suffering, have nowhere to reside, and have lost everything. As expected many people desire to donate money to assist the sufferers rebuild their lives. The attackers are using the sympathy of others to deceive companies.

A California wildfire phishing cheat was recently noticed by Agari that tries to capitalize on the tragedy. Nevertheless, contrary to several similar phishing campaigns that depend on huge volumes of electronic mails, this campaign is much more targeted.

The scammer is carrying out a business electronic mail compromise attack using the electronic mail account – or a deceived account – of the CEO of a firm. The first phase of the scam involves a rapid electronic mail to a worker questioning if they are available to assist. When a response is received, a second electronic mail is sent asking the worker to make a purchase of 4 Google Play gift cards, each of $500.

The CEO asks if there is a local store where the cards can be bought and asks the worker to make the purchase ASAP and to scratch off the reverse side, get the codes, and email them back. The electronic mail claims the CEO requires the cards to send to customers who have been caught up in the wildfires to provide help.

While the selected method of sending help is doubtful, to say the least, and the electronic mails have grammatical and spelling mistakes, the use of the CEO’s electronic mail account may persuade workers to go ahead as ordered. These cheats work because workers do not want to ask their CEO and desire to reply swiftly. Even though a request may be strange, the reasoning behind the request seems perfectly genuine.

Although this might seem like an obvious fraud, at least worthy of a call or text to the CEO to confirm its validity, some workers will no doubt not question the request. Each one that does as trained will cost the company $2,000.

This kind of cheat is common. They are often associated with wire transfer requests. In the rush to reply to the CEO’s request, a transfer is made, which might be for tens of thousands of dollars. The worker replies to the message through electronic mail saying the transfer has been made, the scammer erases the electronic mail, and the fake transfer is often not detected until after the scammer has used money mules to withdraw the money from the account.

Access to the CEO’s electronic mail account can be obtained in several ways, even though a spear phishing attack is common. Spam filtering solutions can assist to decrease the possibility for the first attack to take place and two-factor verification controls can avoid account access if identifications are stolen.

Staff training is vital to increase awareness of the danger of BEC attacks. Policies must also be applied that need all transfer requests sent through electronic mail, and any out-of-bounds requests, to be confirmed over the phone or through a text before a transfer is made.

Q3 2018 Healthcare Data Breaches Report Released

A Q3 2018 healthcare data breach report from Protenus demonstrates there has been a substantial decrease in healthcare data breaches compared to the preceding quarter. In Q2, 142 healthcare companies reported data breaches compared to 117 in Q3.

However, because of some big breaches in Q3, the total number of disclosed records was considerably higher. Between July and September, the health records of 4,390,512 patients were disclosed, impermissibly disclosed, or thieved compared to 3,143,642 healthcare records in Q2. Each quarter in 2018, the number of disclosed records has increased considerably.

The large increase in disclosed records in Q3 is partly because of a huge data breach at UnityPoint Health that was disclosed in July. In that single breach, more records were disclosed than in the 110 healthcare data breaches in Q1, 2018. The breach was a phishing attack that saw a number of UnityPoint Health electronic mail accounts undermined. Those accounts had the PHI of 1.4 million patients. The biggest healthcare data breach in August was a hacking occurrence at a healthcare supplier that led to the disclosure of 502,416 records. The biggest breach in September was reported by a health plan and affected 26,942 plan members.

Hacking and other IT occurrences comprised of 51.28% of all data breaches in Q3. The second largest cause of breaches was insider occurrences (23.08%), after that loss/theft occurrences (10.26%). The reason of 15.38% of breaches in Q3 is not clear.

Hacks and IT occurrences also led to the maximum number of exposed/stolen healthcare records – 86% of all breached records in Q3. 3,649,149 records were undermined in the 60 occurrences pertained to hacks and IT occurrences. There were 8 reported ransomware/malware attacks and 10 occurrences involving phishing. It was not possible to decide the precise reason of 18 ‘hacking’ occurrences.

Q3 saw a surge in insider breaches. Insider breaches were divided into two types: insider flaws and insider crime. Insider crime contains impermissible disclosures of PHI, workers spying on medical records, and theft of healthcare records by workers. Insider breaches led to the thievery, exposure, or impermissible revelation of 680,117 patient records.

19 occurrences were categorized as insider flaws and affected 389,428 patients. There were 8 verified cases of insider crime that affected 290,689 patients – which is a major surge from the 70,562 patients affected by insider wrongdoing occurrences in Q2, and the 4,597 patients affected by similar occurrences in Q1.

In Q3, 19% of breaches involved paper records and 81% involved electronic medical records.

Healthcare suppliers suffered the most breaches in Q3 (74% of breaches), followed by health plans (11%) and business allies (11%). 23% of the quarter’s breaches had some business associate participation.

The report discloses that healthcare companies and their suppliers are sluggish to identify breaches. In one instance, it took a healthcare supplier 15 years to find out that a worker had been spying on healthcare records. In those 15 years, the worker illegally accessed the records of thousands of patients.

The average time to identify a breach was 402 days and the median time was 51 days. The average time to inform breaches was 71 days and the median time was 57.5 days.

Florida was the state worst affected by healthcare data breaches in Q3 with 11 incidents, followed by California on 10 and Texas on 9.

U.S. Treasury Probing $700,000 Loss to Phishing Scam

In July 2018, the Washington D.C. government fell for an electronic mail cheat that led to wire transfers totaling approximately $700,000 being sent to a scammer’s account.

The scammer mimicked a seller used by the city and demanded unsettled bills for construction work be paid. The seller had been hired to work on a design and build the project on a permanent supportive lodging facility.

The electronic mails demanded the payment method be altered from check to bank transfer, and particulars of a Bank of America account was specified where the payments needed to be directed. Three separate payments were made adding up $690,912.75.

The account details provided were for an account managed by the scammer. By the time the cheat was exposed, the money had already been drawn from the account and might not be recovered. As per a Washington Post inquiry, the scammer had mimicked the company Winmar Construction.

The electronic mails were transmitted from a domain that had been listed by the scammer that imitated that of the construction company. The domain was same except two letters which had been transferred. The scammer then generated an electronic mail address using that domain which was utilized to request payment of the bills.

As per the Washington Post, before this cheat, the D.C. government was targeted with several phishing electronic mails, even though Mike Rupert, a representative for the city’s chief technology officer, said those phishing attacks were not fruitful and were not linked to the wire transfer cheat.

These cheats are usual. They frequently involve an electronic mail account compromise which lets the scammers identify sellers and get details of remaining payments. David Umansky, a spokesman for the city’s chief financial officer stated the Washington Post that the attacker had gotten the information required to pull off the scam from the seller’s system and that D.C. officers failed to identify the fake domain and electronic mail.

After noticing the fake wire transfers, the D.C. government got in touch with law enforcement and steps have been taken to trace the scammers. Extra safety controls have now been implemented to avoid similar cheats from succeeding in the future, including the requirement for extra confirmation to take place to verify the genuineness of any request to alter bank information or payment methods.

The U.S Treasury Division has now started an inquiry into the breach, as bank scam is a central offense. That inquiry is continuing.

Cofense Expands 24/7 Global Phishing Defense

Cofense has declared that it has expanded its 24/7 Phishing Defense Facility to deliver even greater help to clients beyond business hours and make sure that phishing dangers are identified in the shortest possible time.

The Cofense Phishing Defense Center (PDC) was introduced to ease the load on IT safety teams by letting them offload some of the load of searching through electronic mails informed by their end users and analyzing those electronic mails to identify the actual threats.

When workers report doubtful electronic mails – through Cofense Reporter for example – the electronic mails are transmitted to Cofense Triage for scrutiny. The malware and danger experts in the Cofense PDC team carry out an in-depth study of the reported dangers and send complete information back to clients’ incident responders that let them take action to alleviate the threat. The quicker a threat can be identified, the lower the possibility of a worker reacting to the danger.

The Phishing Defense Service saves companies a substantial amount of time and effort and lets dangers to be identified and alleviated much more quickly. With the volume of phishing dangers rising, occurrence responders can easily get caught up identifying dangers in the hundreds of electronic mails that are informed as ‘suspicious’ by their workers. Data from Cofense indicates that usually, just 10%-15% of reported electronic mails are malevolent, however, all messages must be tested and evaluated.

The Cofense PDC team already works round-the-clock to evaluate active phishing dangers, nevertheless, the growth of the facility makes sure that irrespective of the time of day or night, new dangers are recognized in the shortest possible time frame. This is particularly vital for firms that have offices in several countries and time zones. Those businesses must not have to wait until business hours for dangers to be identified. They need to be identified day or night.

“Since threat actors do not sleep, neither should your defense capabilities,” clarified Josh Nicholson, Senior VP of Professional Services at Cofense. “Our improved, round-the-clock phishing defense facility puts clients at ease by offering expert analysis and reaction for any informed doubtful electronic mail, any day, any time, in a matter of minutes.”

The expansion will make sure that malware experts are always on hand to evaluate informed phishing attempts and assist clients to alleviate new phishing attempts much more quickly.

United States Leads the World as Primary Host of Malware C2 Infrastructure

The United States is home to the maximum proportion of malware command and control (C2) infrastructure – 35% of the international total, as per fresh research circulated by phishing defense and threat intelligence company Cofense.  27% of network Indicators of Compromise (IoCs) from phishing-borne malware are also either situated in or proxied through the United States. Cofense data indicate that Russia is in the second position with 11%, followed by the Netherlands and Germany with 5% each and Canada with 3%.

C2 infrastructure is utilized by hackers to communicate with malware-infected hosts and deliver orders, download new malware modules, and exfiltrate data. Cofense clarified that simply because the C2 infrastructure is hosted in the United States doesn’t necessarily imply that more attacks are being carried out on U.S inhabitants than in other nations. It is usual for attackers to host their C2 infrastructure outside their own country to make it tougher for the agencies to identify their actions. C2 infrastructure is also usually situated in nations that don’t have a repatriation contract with the host nation.

Threat actors are more concerned with locating somewhere to find their C2 infrastructure to minimize risk instead of locating it in a particular country. Cofense notices that “C2 infrastructure is extremely prejudiced toward compromised hosts, showing a high occurrence of host compromises inside the United States.” That obviously makes perfect sense, since there are more possible hosts to compromise in the United States than in other nations.

“Some companies will obstruct any links coming from nations known for the origination of malevolent activity that they don’t do business with,” clarified Darrel Rendell, the principal intelligence expert at Cofense. That would make hosting C2 infrastructure in the United States beneficial, as links between malware and those servers would be less likely to raise red flags.

In a latest blog post, Cofense provides instances of the distribution of C2 infrastructure using two usual banking Trojans: TrickBot and Geodo. Both banking Trojans are widely used in attacks on Western nations, and attacks have risen in frequency in 2018. The two Trojans are conspicuously different because they belong to different malware families and are used by different threat actors.

In both instances, the infrastructure is growing and the C2 sites are highly different, even though data demonstrate very different distributions of C2 infrastructure for each malware variation. TrickBot’s main site for its C2 infrastructure is Russia, followed by the U.S. Geodo on the other hand mainly uses the U.S, followed by the Germany, France and the United Kingdom, with next to nothing situated in Russia.

Cofense notices that although the differences between the two seem odd at first glance, their dissemination makes sense. Geodo utilizes genuine web servers as a reverse proxy, which then transmits traffic via actual servers to hosts on concealed C2 infrastructure. TrickBot, in contrast, utilizes for-purpose Virtual Private Servers (VPSs) to host its infrastructure. Its C2 might be mainly in the east, but it is mainly used to attack the west and much of its C2 infrastructure is in nations that lack a repatriation contract with the United States. That said, some infrastructure is in the U.S and European nations, which might be an attempt to make its infrastructure tougher to profile.

Cofense clarifies that the widespread and widely distributed C2 infrastructure will not only assist to make sure these two threats remain active for longer but also that using geolocation to distinguish genuine and malevolent traffic might not be particularly effective.

Anthem Data Breach Settlement of $16 Million Agreed with OCR

The biggest ever healthcare data breach in the United States has attracted the biggest ever penalty for noncompliance with HIPAA Laws. The Anthem data breach settlement of $16 million overshadows the earlier maximum HIPAA penalty of $5.55 million and reflects not only the harshness of the Anthem Inc data breach, which saw the protected health information of 78.8 million plan members stolen but also the level of noncompliance with HIPAA Laws.

The Division of Health and Human Services’ Office for Civil Rights (OCR), the leading enforcer of HIPAA Laws, started a HIPAA compliance analysis of Anthem in February 2015 when news of the huge cyberattack was reported in the mass media. The inquiry was begun a complete month before Anthem informed OCR of the breach.

Anthem found the cyberattack in late January 2015. Anthem probed the breach, helped by the cybersecurity company Mandiant, and found the attackers initially gained access to its systems in December 2014. Entrance to its systems remained possible until January 2015 during which time the data of 78.8 million plan members was thieved.

The attack began with spear phishing electronic mails transmitted to one of its associates, the reply to which permitted the attackers to gain a footing in the network. From there they studied its systems and stole its data warehouse, thieving highly confidential information of its plan members, including names, employment details, email addresses, addresses, and Social Security numbers.

OCR’s compliance analysis exposed a number of areas where Anthem Inc., has failed to completely abide by HIPAA Laws. OCR declared that Anthem had failed to carry out a complete risk analysis to identify threats to ePHI, in violation of 45 C.F.R. § 164.308(u) (1) (ii) (A).

OCR also decided that inadequate policies and procedures had been applied to study records of information system activity in breach of 45 C.F.R. § 164.308(a) (1) (ii) (D), and there was a failure to limit access to its systems and data to approved people – a breach of 45 C.F.R. § 164.312(a).

HIPAA requires all protected units to avoid the illegal accessing of ePHI – 45 C.F.R. § 164.502(a) – which Anthem had failed to do.

Anthem selected to resolve the case and pay a considerable fine with no admission of liability. A robust corrective action plan has also been approved to tackle HIPAA failures and make sure safety is improved.

“Unluckily, Anthem failed to apply proper measures for identifying hackers who had gained access to their system to harvest passwords and steal people’s private information,” said OCR Director, Roger Severino. “We know that big health care units are attractive targets for hackers, which is why they are expected to have strong password policies and to check and react to safety occurrences in a timely manner or risk implementation by OCR.” The size of the HIPAA fine reflects the scale of the break. “The biggest health data break in U.S. history completely merits the biggest HIPAA settlement in history,” said Severino.

Necurs Botnet Now Dispersing Marap Malware

The Necurs botnet is being utilized to transmit huge quantities of spam electronic mails having Marap malware. Marap malware is presently being utilized for reconnaissance and learning about sufferers. The aim seems to be the creation of a system of infected users that can be targeted in future attacks.

The malware generates an exclusive impression for each infected appliance, contacts its C2 server, and transmits information concerning the sufferer’s system to the attackers including username, operating system, language, country, IP address, domain name, hostname, installed anti-virus software, and details of Microsoft Outlook OST files.

The malware has some basic anti-analysis characteristics and can find when it has been installed on a virtual machine and contains measures to obstruct debugging and sandboxing.

Marap malware is modular and can easily be updated with additional modules post-infection to provide increased functionality. It helps as a malware dropper that can be used to provide many different payloads, even though it is presently unclear what those payloads will be.

The malspam campaign was discovered by safety scientists at Proofpoint who say it involves millions of emails. Marap malware is delivered using a range of different electronic mail attachments, with Microsoft Excel Web Query files (IQY) preferred. The messages have iqy files as attachments, or they are incorporated in PDF files and password-protected ZIP files. Standard Microsoft Word documents with malevolent macros are also being transmitted.

The spam campaign includes a range of different electronic mail subjects and messages including sales requests, important banking documents, invoices, and simple electronic mails just containing malevolent PDF files and ZIP file attachments.

Proofpoint notes that there has been a surge in these flexible malware variations in recent months as threat actors move away from ransomware and ‘noisy’ malware that are easy to notice. In its place, downloaders, for example, Marap malware gives attackers the flexibility to introduce a variety of different attacks and carry out a recce to identify systems that deserve a more significant compromise.

FTC Issues Warning Concerning New Netflix Phishing Scam

The U.S. Federal Trade Commission has circulated a warning about a new international Netflix phishing cheat that tries to deceive Netflix subscribers into revealing their account identifications and payment information. The cheat uses a tried and tested method to get that information: The warning of account closure because of payment information being out of date.

Users are transmitted a message requesting them to update their payment details since Netflix has experienced difficulties getting the monthly subscription payment. The user is provided with an “Update Account Now” button which they can click to insert their accurate banking/card information. Nevertheless, clicking the link will not guide the user to the official Netflix site, instead, they will be taken to a web page on a site operated by the scammer. On that site, Netflix login identifications will be harvested together with the banking information entered by subscribers.

The latest campaign was recognized by the Ohio Police Division, which shared a copy of the phishing electronic mail on Twitter. The FTC also issued a warning about the new Netflix phishing cheat in the latest blog post.

Image Source: Ohio Police via FTC

As you can see from the picture, the message appears official as it has the Netflix logo and color scheme. The message also strongly looks like official electronic mail communications often sent by Netflix. Nevertheless, there are tell-tale indications that the electronic mail is not what it appears. Netflix is naturally conscious who their subscribers are and addresses electronic mails to users by their first name. In this electronic mail, the message starts with “Hi Dear.”

Less visible is the hyperlink, however it is something that is fairly easy to check by hovering the mouse arrow over the button. That will show the actual URL, which is not the official Netflix website. One more indication is the phone number on the electronic mail is a U.S. number, which for any person based in another country would be extremely doubtful.

If the link is clicked, the page the user is directed to appears official and is nearly indistinguishable from the actual site, even though if a user checks the URL it will verify they are not on the actual Netflix site for their country.

All of these warning indications must be identified by users, but several people fail to cautiously check messages before clicking. To avoid phishing cheats such as this, make certain you carefully check all electronic mail messages before replying and if ever you receive an electronic mail containing any warning, visit the authorized URL for the firm directly by entering in the website directly into the browser instead of clicking a link in an electronic mail.

Backdoor and Ransomware Detections Rose Over 43% in 2018

The lately published Kaspersky Security Bulletin 2018 demonstrates there has been a 43% rise in ransomware detections and a 44% rise in backdoor detections in the first 10 months of 2018, emphasizing the increasing danger from malware.

Kaspersky Lab is now coping with 346,000 new malevolent files every day and has so far found more than 21.64 million malevolent objects in 2018.

Backdoor detections rose from 2.27 million to 3.26 million in 2018 and ransomware detections are up from 2.2 million detections to 3.13 million. Backdoors comprise 3.7% of malevolent files examined by Kaspersky Lab and ransomware comprises 3.5%.

The biggest cyberthreat in 2018 was banking Trojans, which comprised over half of all malevolent file detections. The main danger was the Zbot Trojan, which was used in 26.3% of attacks, after that the Nymaim Trojan (19.8%), and the SpyEye backdoor (14.7%). 7 of the top ten most widespread malware groups were banking Trojans. The remaining three were backdoors.

Financial wrongdoing, such as the theft of banking identifications and credit card numbers, makes up the majority of attacks, even though APT groups tend to focus on company data theft.

There were fewer new ransomware groups developed in 2018 than 2017, but even though there has been a reduction in ransomware development, the danger of attack is still substantial. The worst month of the year for ransomware attacks was September when 132,047 occurrences were seen. Over the preceding ten months, 11 new ransomware groups have been found and there have been 39,842 changes made to current ransomware variations. As per Kaspersky Lab, in the previous year, 220,000 company users and 27,000 SMB users have been infected with ransomware and had files encrypted.

WannaCry variations were the most generally used, comprising 29.3% of infections, followed by common ransomware (11.4%), and GandCrab ransomware (6.67%).

Banking Trojans and malevolent software invented to attack ATMs and POS systems will carry on to be the main dangers in 2019, as per the report.

BleedingBit Vulnerabilities Affect Millions of Wireless Access Points

Armis Labs has found two vulnerabilities in Texas Instruments’ Bluetooth Low Energy (BLE) chips that are used in wireless access points produced by Cisco, Meraki, and Aruba. The affected wireless access points are used by hundreds of thousands of companies all over the world.

Cisco, Meraki, and Aruba provide no less than 70% of business wireless access points, which places all of those companies at risk. It is not yet known precisely how many appliances are vulnerable and have the BleedingBit vulnerabilities, even though Armis Labs doubts millions of appliances might be affected.

If theBleedingBit vulnerabilities are abused, attackers would be able to take complete control of the access points without any requirement for verification. The access points could be deactivated, data could be interrupted, malware fitted, or the attackers might use the vulnerabilities to gain access to company systems served by the access points and access any appliance in the neighborhood of the AP.

TwoBleedingBit vulnerabilities have been found. CVE-2018-16986 lets memory corruption in the BLE stack, through which complete control of the AP might be gained. To abuse the vulnerability, an attacker would need to be within the limit of the AP and BLEwould need to be turned on. No knowledge of the appliance would be needed and there are no other preconditions to abuse the vulnerability.

An attacker would need to send particularly created packets to the AP containing code which is run in the next phase of the attack. The second phase involves sending an overflow packet to trigger a vital memory overflow which lets the attacker run the earlier sent code.

The vulnerability has been verified to affect Cisco Aironet Access Points 1800i, 1810, 1815i,1815m, 1815w, 4800 and the Cisco 1540 Aironet Series Outdoor Access Point. Meraki MR30H, MR33, MR42E, MR53E, and MR74 Access Points are also affected.

The second of the BleedingBit vulnerabilities – CVE-2018-7080 – is existing in the over-the-air firmware download (OAD) feature of Texas instruments’ chips utilized in ArubaSeries 300 Wi-Fi Access Points. The vulnerability is a development backdoor tool that has not been detached. If abused, the vulnerability would let a new and completely different variety of firmware to be installed, letting the attacker gain complete control of the appliance.

Armis Labs says that abuse of the BleedingBit vulnerabilities would not be spotted by usual AV solutions and would be unlikely to raise any red flags. The attacker might move laterally between network parts, interrupt traffic, install malware, interfere with operating systems, and hijack a wide variety of appliances unnoticed.

Cisco has already repaired its affected appliances, and Meraki has published help on how users can make modifications to BLE settings to avoid misuse of the vulnerabilities. Misuse of CVE-2018-7080 can be obstructed by deactivating OAD functionality.  Texas Instruments has now rectified the fault in BLE-STACK v2.2.2.

Zero-Day VirtualBox Vulnerability and Exploit Published

Particulars of a zero-day VirtualBox vulnerability have been published online together with a step by step activity.

The vulnerability in the Oracle open source hosted hypervisor was published on GitHub by Russian safety scientist, Sergey Zelenyuk, instead of being disclosed to Oracle to permit the bug to be repaired. The decision was affected by an earlier vulnerability that he found in VirtualBox that was disclosed to Oracle but took the company 15 months to repair.

Zelenyuk described the decision to go public with the vulnerability and exploit was because of frustration with Oracle and the bug revelation and bug bounty procedure – “I like VirtualBox and it has nothing to do with why I publish a 0day vulnerability. The purpose is my disagreement with current state of infosec, particularly of safety research and bug bounty,” wrote Zelenyuk.

The vulnerability is a series of bugs that can be abused to allow malevolent code to dodge the virtual machine and perform on the original operating system. The exploit activates a buffer surplus situation using packet descriptors which allow malevolent code to be run in kernel ring 3, which is used for most user programs. It is possible to merge the exploit with kernel privilege growth bugs to gain access to kernel ring 0.

As per Zelenyuk, the exploit is 100% dependable and works irrespective of the host or original operating system and affects all VirtualBox releases.

The vulnerability is specifically disturbing for malware scientists as VirtualBox is a popular selection for studying and reverse engineering malware in a secure atmosphere. If malware authors were to insert the exploit into their malware, it would be possible to flee the VM and infect the safety researcher’s machine.

It remains to be seen how swiftly VirtualBox will be repaired. With the vulnerability and abuse now in the public domain, it is possible that Oracle will not wait 15 months to create a repair.

WordPress GDPR Compliance Plugin Vulnerability Being Actively Abused

Websites with the WordPress GDPR Compliance plugin fitted are being hijacked by hackers. A vulnerability in the plugin is being abused, allowing attackers to change site settings and record new user accounts with admin rights.

The vulnerability can be distantly abused by unauthorized users, a lot of whom have automated misuse of the vulnerability to hijack as many sites as possible prior to the vulnerability is rectified.

The vulnerability was found by safety scientists at Defiant, who noted that in a number of attacks, after abusing the vulnerability the attackers have rectified the vulnerability. Defiant’s scientists propose that this method makes sure other hackers are banned from hijacking compromised sites. In some instances, after access to a vulnerabile site is gained, a PHP webshell is uploaded to give the attackers complete control of the website. Some attackers have added in backdoors via the WP-Cron schedule. This technique of attack makes sure the persistence of the backdoor.

Compromised websites can be utilized for phishing and other cheats, or the sites might have exploited kits uploaded to silently downloaded malware onto visitors’ appliances. An examination of compromised websites has not exposed any payload at this phase. Defiant scientists propose that the initial goal is to compromise as many sites as possible before the
vulnerability weakness is rectified. Compromised sites might be sold or the attackers could be biding their time before the attack stage is launched.

After WordPress became aware that the WordPress GDPR Compliance plugin vulnerability was being actively abused in the wild, the plugin was removed from the official WordPress store and the developer was informed. A new type of the plugin has now been released and the plugin has been revitalized on the official WordPress store.

Any website proprietor that has the WordPress GDPR Compliance plugin installed should make sure it is updated to version 1.4.3, which was released on November 7, 2018. Site proprietors must also check their sites for any indication of illegal modifications and checks must be carried out to see if any new admin accounts have been produced.

49% of All Phishing Sites Have SSL Credentials and Show Green Padlock

Nearly half of the phishing sites now have SSL credentials, begin with HTTPS, and show the green lock to display the sites are safe, as per new research by PhishLabs.

The number of phishing websites that have SSL credentials has been rising gradually since Q3, 2016 when about 5% of phishing websites were showing the green lock to show a safe connection. The proportion increased to roughly 25% of all phishing sites by this time last year, and by the end of Q1, 2018, 35% of phishing websites had SSL credentials. At the end of Q3, 2018, the proportion had risen to 49%.

It is no shock that so many phishers have chosen to change to HTTPS, as free SSL credentials are easy to get. Most companies have now made the change to HTTPS and it has been drummed into clients to always look for the green lock next to the URL to make certain the connection is safe before any confidential information is disclosed. Some search engines also show the web page is ‘secure’ as well as showing the green lock.

The green lock shows a lot of web users that not only is the site safe, but also that it is safe and genuine, which is certainly not the case. A safe connection doesn’t mean the site is reliable.

A survey carried out by PhishLabs in late 2017 disclosed the level of the confusion. About 80% of surveyed people thought the green lock showed a site was legitimate/safe. Just 18% of respondents to the survey presently identified that the green lock only meant the connection between the browser and the site was safe.

The truth is that the green lock is no assurance that a site is genuine or safe. It only implies that the user’s data is encrypted between their browser and the site so it can’t be interrupted and read by a third party. If the website has been created by a scammer, any information entered through the site can be read by the scammer.

The survey, together with the surge in HTTPS phishing sites, indicate how significant it is for businesses to teach their workers about the correct meaning of the green lock to avoid them falling for phishing cheats.

In addition to beginning with HTTPS and showing the green lock, phishing sites often use stolen branding. They can look same as the genuine site they are deceiving. The only pointer that the site is not genuine is the URL. However, even the URL can seem identical to the actual site. A lot of phishing sites take benefit of internationalized domain names to make the URLs seem genuine.

Brian Krebs identified one phishing site that deceived the cryptocurrency exchange box and used a nearly identical URL. The only difference being the use of the Vietnamese letter “ỉ” in place of the standard i. The characters are nearly indistinguishable, particularly on a small mobile screen.

Mobile screens also don’t show the complete URL, therefore it is easy to create a subdomain to impersonate the genuine domain, as only this part of the URL is likely to be shown on a mobile screen.

Marriott Announces 500 Million-Record Breach of Starwood Hotel Guests’ Files

The Marriott hotel chain has announced it has suffered a massive data breach that has resulted in the theft of the personal information of up to 500 million guests of the Starwood Hotels and Resorts group.

Marriott identified the data breach on September 8, 2018, after an alert was generated by its internal security system following an attempt by an unauthorized individual to access the Starwood guest reservation database. Third-party computer forensics experts were called in to assist with the investigation, which confirmed that the Starwood network was first gained in 2014. It is currently unclear howthe hacker breached security defenses and gained access to the network.

The hacker had encrypted data on the network which hampered efforts to investigate the breach and determine what data had been accessed. It took until November 19, 2018 for Marriott to decrypt the data and determine what the files contained.Only then was Marriott able to confirm that the database contained information on previous Starwood Hotels guests.

Analyzing such a huge database to determine which customers have had their information compromised has naturally taken some time. Marriott is still in the process of deduplicating the database to determine the exact number of guests impacted.

Marriott believes up to 500 million individuals who had previously made a reservation at Starwood Hotels and Resorts have been affected. They also include individuals who made reservations at Sheraton Hotels & Resorts, Four Points by Sheraton, Element Hotels, Le Méridien Hotels & Resorts, W Hotels, St.Regis, Westin Hotels & Resorts, Aloft Hotels, The Luxury Collection,Tribute Portfolio, Design Hotels that are part of the Starwood Preferred Guest program, and its Starwood branded timeshare properties.

The types of data present in the stolen database include the names of guests, mailing addresses, email addresses, and other information. Around 327 million past guests may also have had the following information stolen: SPG account information, birth date, gender, reservation date, arrival date, departuredate, their communication preferences, and potentially, their passport number.

Marriott has not yet confirmed whether the hacker stole payment card information. Payment card data were encrypted with the AES-128 algorithm, but the two bits of information that would allow the data to be decrypted may also have been stolen.

The data breach, which occurred two years before Marriott acquired the Starwood Hotels and Resorts Group, has been reported to law enforcement. Marriott is currently working with leading security firms to improve security and prevent any further data breaches.

Marriott is in the process of notifying all affected individuals by email. All breach victims have been offered free enrolment in WebWatcher for one year. WebWatcher monitors the Internet for instances of user information being shared and issues alerts. U.S. guests are also being offered fraud consultation services and reimbursement coverage. Since email addresses have been stolen, breach victims have been warned to be alert for phishing attacks that attempt to obtain sensitive information. All official communications are coming from the starwoodhotels@email-marriott.com, although care should still be taken with any emails that appear to have been sent from that email address as sender field could be spoofed.