US and allies accuse China of global hacking spree
The United States and its allies accused China on Monday of a global cyberespionage campaign, mustering an unusually broad coalition of countries to publicly call out Beijing for hacking.
The United States was joined by NATO, the European Union, Britain, Australia, Japan, New Zealand and Canada in condemning the spying, which U.S. Secretary of State Antony Blinken said posed "a major threat to our economic and national security."
Simultaneously, the U.S. Department of Justice charged four Chinese nationals - three security officials and one contract hacker - with targeting dozens of companies, universities and government agencies in the United States and abroad.
While Washington and its close allies such as the United Kingdom and Canada held the Chinese state directly responsible for the hacking, others were more circumspect.
The campaign targeted trade secrets in industries including aviation, defense, education, government, health care, biopharmaceutical and maritime industries, the Justice Department said.
Washington sanctions Russia's cybersecurity industry in wake of Kaseya ransomware attack
The United States on Friday took a new stab at Russia's cybersecurity industry, restricting trade with four information technology firms and two other entities over "aggressive and harmful" activities - including digital espionage - that Washington blames on the Russian government.
A Commerce Department posting said the six entities were sanctioned by the U.S. Treasury Department in April, which targeted companies in the technology sector that support Russian intelligence services. Their addition to the Commerce Department's blacklist means U.S. companies cannot sell to them without licenses, which are seldom granted.
They come as the United States is responding to a drumbeat of digital intrusions blamed on Russian government-backed spies and a spate of increasingly disruptive ransomware outbreaks blamed on Russian cybercriminals.
The United States adds entities to the Commerce Department's trade blacklist that it says pose a risk to U.S. national security or foreign policy interests.
Up to 1,500 businesses infected in one of the worst ransomware attacks ever
Cybersecurity teams are working feverishly to stem the impact of the single biggest global ransomware attack on record. As many as 1,500 businesses around the world have been infected by highly destructive malware that first struck software maker Kaseya. The malware, in turn, used that access to fell Kaseya’s customers.
The attack struck on Friday afternoon in the lead-up to the three-day Independence Day holiday weekend in the US. Hackers affiliated with REvil, a private ransomware-as-a-service (RaaS) group believed to be affiliated with Russia, exploited a zero-day vulnerability in the Kaseya VSA remote management service, which the company says is used by 35,000 customers. The REvil affiliates then used their control of Kaseya’s infrastructure to push a malicious software update to customers, who are primarily small-to-midsize businesses.
According to Kaseya CEO Fred Voccola, less than 0.1% of the company's customers were embroiled in the breach -- but as their clientele includes MSPs, this means that smaller businesses have also been caught up in the incident.
Mr. Biden suggested Saturday the U.S. would respond if it was determined that the Kremlin is at all involved. Less than a month ago, he pressed Russian President Vladimir Putin to stop giving safe haven to REvil and other ransomware gangs whose unrelenting extortionary attacks the U.S. deems a national security threat.
Cybersecurity for State Leaders brings cyber trainings to Massachusetts
On Tuesday, June 29th, Cybersecurity for State Leaders, a nationwide initiative led by the National Cybersecurity Center and supported by Google, will host a high-level cybersecurity briefing for state elected and appointed leaders and their staff. The briefing will educate state officials on the threat environment and arm them with best practices on how to avoid cyber attacks.
“The threat posed to all levels of government by cyber attacks continues to increase year after year,” said Governor Charlie Baker. “Equipping government employees with the training and knowledge to assist in the fight against bad actors remains one of the best ways to improve the Commonwealth’s cybersecurity.”
“End point user cybersecurity training is a vital component in improving the overall cybersecurity posture of state government,” said Secretary of Technology Services and Security Curtis M. Wood. “I thank the National Cybersecurity Center, Google, and our partners in the Legislature for their collaboration in providing this important training to the Commonwealth.”
The briefing will also feature remarks by famed cybersecurity executive, Investor on ABC’s Shark Tank and founder and CEO of the Herjavec Group, Robert Herjavec, Chief People Hacker from IBM’s X-Force Red Team and Career White Hat Hacker Stephanie Carruthers, and senior experts and researchers from Google, Microsoft, and more.
Register for the ON DEMAND Cybersecurity for State Leaders Training here at https://cyberforstateleaders.org/register-for-training/.
For more information on Cybersecurity for State Leaders, visit https://cyberforstateleaders.org/.
Electronic Arts hacked and source code stolen
Hackers have stolen valuable information from major game publisher Electronic Arts (EA), the company said.
The attackers claimed to have downloaded source code for games such as FIFA 21 and for the proprietary Frostbite game engine used as the base for many other high-profile games.
News of the hack was first reported by news site Vice, which said some 780GB of data was stolen. EA said no player data had been stolen in the breach.
The firm is one of the largest games companies in the world. It counts major series such as Battlefield, Star Wars: Jedi Fallen Order, The Sims, and Titanfall among the titles it develops or publishes - as well as a vast array of annual sports games.
Electronic Arts has tightened security since the incident and is “actively working with law-enforcement officials and other experts as part of this ongoing criminal investigation,” the company said.
Mass. Steamship Authority Hit by Ransomware Attack; Ferries Delayed
A ransomware attack on the Steamship Authority of Massachusetts hampered operations Wednesday morning. The largest ferry service to the islands of Martha's Vineyard and Nantucket, the Steamship Authority issued a statement warning that traveling customers may be delayed as a result.
"The Woods Hole, Martha’s Vineyard and Nantucket Steamship Authority was the target of a ransomware attack early Wednesday, June 2, 2021," the company said. "The Authority continues to work internally, as well as with federal, state and local authorities, to determine the extent and origin of the attack."
The company said there was no impact to the safety of vessel operations, saying the issue was not affecting radar or GPS functionality. "Scheduled trips to both islands continue to operate, although customers may experience some delays during the ticketing process," the company said. "The Authority continues to work internally, as well as with federal, state and local authorities, to determine the extent and origin of the attack."
U.S. meat supply hit by suspected Russian ransomware attack on JBS, world's top meat processor
A ransomware attack on the world’s largest meat processing company disrupted production around the world just weeks after a similar incident shut down a U.S. oil pipeline.
Brazil’s JBS SA, however, said late Tuesday that it had made “significant progress” in dealing with the cyberattack and expects the “vast majority” of its plants to be operating on Wednesday.
“Our systems are coming back online and we are not sparing any resources to fight this threat,” Andre Nogueira, CEO of JBS USA, said in a statement.
Earlier, the White House said JBS had notified the U.S. of a ransom demand from a criminal organization likely based in Russia. White House principal deputy press secretary Karine Jean-Pierre said the White House and the Department of Agriculture have been in touch with the company several times this week.
Mark Jordan, who follows the meat industry as the executive director of Leap Market Analytics, said the disruption could be minimal assuming JBS recovers in the next few days. Meat processers are used to dealing with delays because of a host of factors, including industrial accidents and power outages, and they make up lost production with extra shifts, he said.
CNA Financial paid $40 Million in ransom after March cyberattack
CNA Financial Corp., among the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack, according to people with knowledge of the attack.
The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network, according to two people familiar with the attack who asked not to be named because they weren’t authorized to discuss the matter publicly.
In a statement, a CNA spokesperson said the company followed the law. She said the company consulted and shared intelligence about the attack and the hacker’s identity with the FBI and the Treasury Department’s Office of Foreign Assets Control, which said last year that facilitating ransom payments to hackers could pose sanctions risks.
“CNA is not commenting on the ransom,” spokeswoman Cara McCall said. “CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”
In a security incident update published on May 12, CNA said it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted.”
Ransomware attacks -- and particularly payments -- are rarely disclosed so it’s difficult to know what the biggest ransoms have been. The average payment in 2020 was $312,493, according to Palo Alto Networks, a 171% increase over the previous year. The $40 million payment is bigger than any previously disclosed payments to hackers, according to three people familiar with ransomware negotiations.
Cybersecurity firms may have inadvertently aided hackers in Colonial Pipeline attack
On January 11, antivirus company Bitdefender said it was “happy to announce” a startling breakthrough. It had found a flaw in the ransomware that a gang known as DarkSide was using to freeze computer networks of dozens of businesses in the US and Europe. Companies facing demands from DarkSide could download a free tool from Bitdefender and avoid paying millions of dollars in ransom to the hackers.
But Bitdefender wasn’t the first to identify this flaw. Two other researchers, Fabian Wosar and Michael Gillespie, had noticed it the month before and had begun discreetly looking for victims to help. By publicizing its tool, Bitdefender alerted DarkSide to the lapse, which involved reusing the same digital keys to lock and unlock multiple victims. The next day, DarkSide declared that it had repaired the problem, and that “new companies have nothing to hope for.”
“Special thanks to BitDefender for helping fix our issues,” DarkSide said. “This will make us even better.”
DarkSide soon proved it wasn’t bluffing, unleashing a string of attacks. This month, it paralyzed the Colonial Pipeline Co., prompting a shutdown of the 5,500-mile pipeline that carries 45% of the fuel used on the East Coast—quickly followed by a rise in gasoline prices, panic buying of gas across the Southeast, and closures of thousands of gas stations. Absent Bitdefender’s announcement, it’s possible that the crisis might have been contained, and that Colonial might have quietly restored its system with Wosar and Gillespie’s decryption tool.
Instead, Colonial paid DarkSide $4.4 million in Bitcoin for a key to unlock its files. “I will admit that I wasn’t comfortable seeing money go out the door to people like this,” CEO Joseph Blount told the Wall Street Journal.
The missed opportunity was part of a broader pattern of botched or half-hearted responses to the growing menace of ransomware, which during the pandemic has disabled businesses, schools, hospitals, and government agencies across the country. The incident also shows how antivirus companies eager to make a name for themselves sometimes violate one of the cardinal rules of the cat-and-mouse game of cyberwarfare: Don’t let your opponents know what you’ve figured out.
DC Police victim of massive data leak by ransomware gang
The police department in the nation’s capital has suffered a massive leak of internal information after refusing to meet the blackmail demands of Russian-speaking ransomware syndicate. Experts say it’s the worst known ransomware attack ever to hit a U.S. police department.
The gang, known as the Babuk group, released thousands of the Metropolitan Police Department’s sensitive documents on the dark web Thursday. A review by The Associated Press found hundreds of police officer disciplinary files and intelligence reports that include feeds from other agencies, including the FBI and Secret Service.
Some of the documents include security information from other law enforcement agencies related to President Joe Biden’s inauguration, including a reference to a “source embedded” with a militia group.
The police department did not immediately return a request for comment, but has previously said some officers’ personal information was stolen.
The department has not said whether it made the offer. Any negotiations would reflect the complexity of the ransomware problem, with police finding themselves forced to consider making payments to criminal gangs. The FBI, which is assisting in this case, discourages ransomware payments.
The group revealed the attack last month, threatening then to leak the identities of confidential informants. The data release revealed Thursday is massive and it was not immediately clear if it included informants’ names.
Updated - Colonial Pipeline victim of ransomware attack
Colonial Pipeline Co. paid nearly $5 million to Eastern European hackers on Friday, contradicting reports earlier this week that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline, according to two people familiar with the transaction.
The company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard, those people said. A third person familiar with the situation said U.S. government officials are aware that Colonial made the payment.
Colonial Pipeline said Wednesday "it initiated the restart" of operations after having to shut off the conduit following a cyberattack last week.
The pipeline was set to resume operations around 5 p.m. ET, but the company said "it will take several days for the product delivery supply chain to return to normal." Colonial Pipeline Co. had to shut it down Saturday following a ransomware attack.
Top U.S. fuel pipeline operator Colonial Pipeline has shut its entire network after a ransomware attack, the company said in a statement on Friday.
Colonial's network supplies fuel from U.S refiners on the Gulf Coast to the populous eastern and southern United States. The company transports 2.5 million barrels per day of gasoline, diesel, jet fuel and other refined products through 5,500 miles of pipelines. The company says it transports 45 percent of East Coast fuel supply.
"We have since determined that this incident involves ransomware," Colonial Pipeline said. "In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems."
The private cybersecurity firm FireEye said it's been hired to manage the incident response investigation.
In response to the scale and scope of the incident, the US government has relaxed rules on fuel being transported by road, allowing drivers in 18 states to work extra or more flexible hours when transporting refined petroleum products.
The government is planning for various scenarios and working with state and local authorities on measures to mitigate any potential supply issues, officials said Saturday. The attack is unlikely to affect gasoline supply and prices unless it leads to a prolonged shutdown, experts said.
Homeland Security Secretary backs call for mandatory disclosure of ransomware payments
The Department of Homeland Security will work with a private-sector think tank to implement a report of recommendations for slowing the scourge of ransomware, including one that would require victims to report when they give in and make a payment, according to DHS Secretary Alejandro Mayorkas.
The report reflects the work of a ransomware task force convened by the Silicon Valley-based Institute for Security and Technology that included 60 experts from software companies, cybersecurity vendors, government agencies, non-profits, academic institutions, cybersecurity insurers and international organizations, according to the document.
“The task force's report provides a vision for what we can do to better address this urgent problem,” Mayorkas said. “DHS looks forward to working closely with the task force to turn its recommendations into action.”
Last year saw an exponential increase in the number and size of ransomware payments entities—often schools, hospitals and other critical service providers and local governments—made to hackers who encrypt or threaten to publicly release their data unless they’re paid not to.
Jen Ellis, a task force member and vice president of cybersecurity firm Rapid 7, stressed the importance of the recommendation to mandate the disclosure of payments so that law enforcement can have a better understanding of the threat and to discourage ransom payment. She said the information would be anonymized to prevent organizations from being “re-victimized.”
Biden prepping cybersecurity executive order in response to SolarWinds attack
President Biden is preparing a cybersecurity executive order focused on helping the country protect itself from future cyberattacks following the sophisticated SolarWinds hack that was discovered in December.
The order, which is still being drafted, lays out a series of new requirements for companies that do business with the government. The initiative includes plans for more systematic investigations of cyber events and standards for software development. The idea is to use the federal contracting process to force changes that will eventually trickle down to the rest of the private sector.
"So essentially, federal government procurement allows us to say, 'If you're doing business with the federal government, here's a set of things you need to comply with in order to do business with us,'" said Anne Neuberger, the deputy national security adviser for cyber and emerging technology at the White House.
The SolarWinds attack, believed to be perpetrated by Russian hackers, was discovered last year. The hackers exploited software from the IT group SolarWinds, which helped them gain access to as many as 18,000 customers. A smaller number of the customers' systems, however, were compromised by follow-on activity.
As a result, nine federal agencies and 100 private-sector groups were compromised during the months-long operation.
D.C. Police Department Victim Of Apparent Ransomware Attack
Potentially sensitive information from the Washington, D.C., police department was allegedly breached by a ransomware attack from a group seeking a payout.
A group called Babuk claimed to be behind the attack. Babuk is known for ransomware attacks, which hold victims’ data hostage until they pay a ransom, often in Bitcoin. On a post made on its website, the group threatened to release information pulled from the department's systems if they were not paid an undisclosed amount. The group also hit the Houston Rockets N.B.A. team this month.
In their post to the dark web, Babuk’s cybercriminals claimed they had downloaded 250 gigabytes of data and threatened to leak it if their ransom demands were not met in three days. They also threatened to release information about police informants to criminal gangs, and to continue attacking “the state sector,” including the F.B.I. and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. The information already released appeared to include chief’s reports, lists of arrests and lists of persons of interest.
Targeting an organization like the Metropolitan Police Department makes sense, says Rob Pritchard, founder of CyberSecurityExpert.com, as police can't tolerate a long outage and are more likely to pay to take back control of their data and systems.
If the police department did pay to regain control of its data, it may mean other law enforcement agencies could become similar targets, Pritchard said.
"Expect more local police groups to be targeted," he said.
Biden administration kicks off 100-day effort on to beef up cybersecurity of nation's power grid
The Biden administration kicked off a 100-day effort on Tuesday to beef up cybersecurity in the nation's power grid, calling for industry leaders to install technologies that could thwart attacks on the electricity supply.
The plan, a joint effort between the Energy Department and the Cybersecurity and Infrastructure Security Agency, focuses on helping operators in the electricity industry modernize their security systems and implement new technologies to detect and mitigate threats.
“The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses,” Secretary of Energy Jennifer M. Granholm said in a statement. “It’s up to both government and industry to prevent possible harms — that’s why we’re working together to take these decisive measures so Americans can rely on a resilient, secure, and clean energy system.”
Recent attacks on SolarWinds and Microsoft Exchange software, both of which ensnared the electric industry, have renewed the urgency to modernize and secure America's electric grid. Some owners and operators still rely on decades-old equipment that was not designed with modern cybersecurity risks in mind.
The new initiative follows criticism from some industry members that funding for grid security was snubbed in Biden's recent infrastructure package.
Remote work software compromised by China in yet another hack on U.S.
China is behind a newly discovered series of hacks against key targets in the U.S. government, private companies and the country’s critical infrastructure, cybersecurity firm Mandiant said Wednesday.
The hack works by breaking into Pulse Secure, a program that businesses often use to let workers remotely connect to their offices. The company announced Tuesday how users can check to see if they were affected but said the software update to prevent the risk to users won’t go out until May. There is no indication the identified backdoors were introduced through a supply chain compromise of the company’s network or software deployment process.
The campaign is the third distinct and severe cyberespionage operation against the U.S. made public in recent months, stressing an already strained cybersecurity workforce. The U.S. government accused Russia in January of hacking nine government agencies via SolarWinds, a Texas software company widely used by American businesses and government agencies. In March, Microsoft blamed China for starting a free-for-all where scores of different hackers broke into organizations around the world through the Microsoft Exchange email program.
CISA, the U.S. Cybersecurity and Infrastructure Security Agency, activated its strictest emergency powers Tuesday evening, mandating that every civilian government agency scan to see if they were affected by the hack and to take actions to fix it. Though it is historically rare for it to do so, it is the second time in seven weeks the agency has issued an emergency directive after the Exchange hack.
Defense Department kicks off pilot program to root out digital weaknesses in defense industry
The Pentagon’s Cyber Crime Center and bug bounty vendor HackerOne today launched an effort to share vulnerability data and boost digital hygiene within the defense industrial base, a frequent target for hackers that has been rocked by a number of high-profile breaches over the years. The Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) Pilot — started in collaboration with the Defense Counterintelligence and Security Agency — will invite security researchers to hunt for vulnerabilities in more than 100 DIB assets across several different organizations.
The 12-month program aims to apply the lessons learned from the existing 28,000 reports made through the Pentagon’s Vulnerability Disclosure Program, which was established in 2016, to vendors and contractors within the DIB. The pilot program’s structure was informed by the Carnegie Mellon University’s Software Engineering Institute, which conducted a feasibility study ahead of the initiative.
“To have a comprehensive view of where you're most vulnerable in order to protect against evolving threats, you need to remain open to vulnerability findings at all times. It's a best practice and a regulatory expectation,” HackerOne Co-founder Michiel Prins said in a statement. “With the DIB VDP, learnings from this best-in-class program can be extended to many of the government's most vital suppliers.”
Broward County Public Schools, sixth largest U.S. school district, targeted by massive ransomware
Broward County Public Schools, the sixth largest school district in the United States, said Thursday it had been the target of a massive ransomware attack. This comes just weeks after a high-profile attack on the Buffalo Public Schools as well as a water treatment facility in Oldsmar, Florida.
The hackers were able to encrypt some of the Fort Lauderdale-based district's data in March and initially demanded a $40 million cryptocurrency payment or they would erase the files and publish the personal information of students and employees online. Broward said Thursday it made no extortion payment and that no personal information had been published online. The district added that it is working with cybersecurity experts to shore up its computer systems and restore affected systems.
Screenshots of negotiations between Broward County Public Schools and the hackers show that at one point the school district offered $500,000 to restore the data, according to WPTV, an NBC-affiliated television station.
The attack briefly shutdown the district’s computer system in early March, but classes were not disrupted.
Ransomware attacks on the rise in the trucking industry
Bitdefender, a cybersecurity research organization and anti-malware developer, reports ransomware attacks were up 715% year over year in the first half of 2020 — and truck fleets were among the victims.
“Just about every month there was a transportation-related company that had experienced some form of ransomware or cyberattack,” says Sharon Reynolds, chief information security officer (CISO) of Omnitracs, a trucking fleet intelligence platform.
Advances in telematics, an interdisciplinary field that encompasses telecommunications, vehicular technologies, electrical engineering, and computer science, has seen the trucking industry become increasingly interconnected, bringing with it a sharp increase in the number of mobile phone applications that connect with trucks and the software-as-a-service (SaaS) offerings that power backend systems.
But Reynolds points to basic email messages as one of the most widely exploited tools when it comes to launching malware, particularly ransomware – the malware that encrypts computer files until someone pays a ransom. “Right now, it feels like transportation is definitely being targeted. These groups have figured out that distraction to the supply chain is a cause for concern,” Reynolds says. Truck fleets aren’t necessarily more vulnerable. It’s just appears to be this sector’s turn.”
As for fleets that have questioned whether having a security leader or other cyber support is worth the investment?
“It might be time to re-evaluate that,” she says.
Chinese cyber-attack on Microsoft morphs into global crisis
A sophisticated attack on Microsoft Corp.’s widely used business email software is morphing into a global cybersecurity crisis, as hackers race to infect as many victims as possible before companies can secure their computer systems.
The attack, which Microsoft has said started with a Chinese government-backed hacking group, has so far claimed at least 60,000 known victims globally, according to a former senior U.S. official with knowledge of the investigation. Many of them appear to be small or medium-sized businesses caught in a wide net the attackers cast as Microsoft worked to shut down the hack.
One U.S. cybersecurity company which asked not to be named said its experts alone were working with at least 50 victims, trying to quickly determine what data the hackers may have taken while also trying to eject them.
Some of the initial infections appear to have been the result of automated scanning and installation of malware, said Alex Stamos, a cybersecurity consultant. Investigators will be looking for infections that led to hackers taking the next step and stealing data -- such as e-mail archives -– and searching them for any valuable information later, he said.
“If I was running one of these teams, I would be pulling down email as quickly as possible indiscriminately and then mining them for gold,” Stamos said.
HAFNIUM targeting Exchange Servers with 0-day exploits
Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
More details from Microsoft can be viewed at these links.
Big chains look to monetize data gained through vaccine distribution
Chains such as CVS Health Corp., Walmart Inc. and Walgreens-Boots Alliance, Inc. are collecting data from millions of customers as they sign up for shots, enrolling them in patient systems and having recipients register customer profiles.
The retailers say they are using the information to promote their stores and services, tailor marketing and keep in touch with consumers. The companies also say the information is critical in streamlining vaccinations and improving record-keeping, while ensuring only qualified people are receiving shots.
CVS executives say they plan to stay in touch with vaccine recipients beyond receiving their second shot and use information gleaned in the process to better market to them. The company said about eight million people who received coronavirus tests from the chain hadn’t filled a prescription at a CVS in the previous year, signaling that Covid-19 services promise to bring in new customers. A CVS spokesman declined to comment on the chain’s use for marketing purposes of medical information gleaned through the vaccine process.
Massachusetts-based payroll/HR giant hit by ransomware
Prism HR, a Hopkinton, Massachusetts-based company that sells human resources software to more than 80,000 small businesses, has suffered what appears to be an ongoing ransomware attack that is disrupting many of its services.
The company handles everything from human sources and payroll processing to health insurances and tax forms for hundreds of “professional employer organizations” (PEOs) that serve more than two million employees. The company processes more than $80 billion payroll payments annually on behalf of PEOs and their clients. Countless small businesses turn to PEOs in part because they simplify compliance with various state payroll taxes, and because PEOs are the easiest way for small businesses to pool their resources and obtain more favorable health insurance rates for their employees.
PrismHR has not yet responded to requests for comment. In a template email it suggested PEO partners share with their customers, Prism explained “the outage may extend throughout today and possibly later, with potential impact on payroll processing”.
The company has yet to reveal the exact nature of the service disruptions, but their actions so far align with industry standard recommendations for responding to a ransomware outbreak.
Ransomware renders any files it touches unreadable unless and until a victim pays for a digital key needed to unlock the encryption on them. Worse, it has become almost a best practice among ransomware criminal groups to steal as much data as possible from the victim organization prior to unleashing the ransom malware within a target environment.
PrismHR said in a statement to its PEO customers that while its investigation and response to the incident is ongoing, the company “is not aware of any sensitive data being breached or compromised.”
Senate Intel Committee to conduct open hearing on SolarWinds Hack
The Senate Intelligence Committee on Tuesday will hold the first public congressional hearing on the SolarWinds hack. The panel previously received a closed-door briefing about the incident from the NSA, the FBI, CISA and ODNI, and held an informal session with FireEye CEO Kevin Mandia, whose company discovered the compromise.
The hearing will take place today, Tuesday, February 23rd at 2:30PM ET.
New strain of malware discovered on 30,000 Macs
A previously undetected piece of malware found on almost 30,000 Macs worldwide is generating intrigue in security circles, and security researchers are still trying to understand precisely what it does and what purpose its self-destruct capability serves.
The malware, dubbed Silver Sparrow, forces infected Macs to check a control server once an hour to see if there are any new commands the malware should run or binaries to execute. Researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.
Curiously, the malware contains a mechanism to completely remove itself, a capability typically reserved for high-stealth operations. There are no signs as of yet that the self-destruct feature has been used, raising the question of why the mechanism exists.
The malware has been found in 153 countries with detections concentrated in Germany, France, the UK, Canada, and the United States.
“To me, the most notable [thing] is that it was found on almost 30K macOS endpoints... and these are only endpoints the MalwareBytes can see, so the number is likely way higher,” Patrick Wardle, a macOS security expert, wrote in an Internet message. “That’s pretty widespread... and yet again shows the macOS malware is becoming ever more pervasive and commonplace, despite Apple’s best efforts.”
Red Canary, the security firm that discovered the malware, has provided indicators of compromise in a blog post report located on its website.
Social media companies crack down on hijacked accounts
Twitter, Instagram, TikTok, and Facebook all took steps last week to crack down on users involved in trafficking hijacked accounts across their platforms. The coordinated action has seized hundreds of accounts the companies say have played a major role in facilitating the trade and often lucrative resale of compromised, highly sought-after usernames.
The wave of account bans centered around OGUsers, a forum that caters to thousands of people selling access to hijacked social media and other online accounts. Particularly prized by this community are short usernames, which can often be resold for thousands of dollars to those looking to claim a choice vanity name.
Facebook said it seized hundreds of accounts — mainly on Instagram — that have been stolen from legitimate users through a variety of intimidation and harassment tactics, including hacking, coercion, extortion, sextortion, SIM swapping, and swatting.
Two bitcoin wallets seized from one of OGUsers’ most notorious traffickers, a Canadian by the name of Noah Hawkins, recorded in excess of 6,700 transactions totaling more than 243 bitcoins — or roughly $8.5 million by today’s valuation (~$35,000 per coin). Beam would have earned roughly $425,000 in commissions on those sales.
As a reminder, any accounts that you value should be secured with a unique and strong password, as well the most robust form of multi-factor authentication available. Usually, this is a mobile app that generates a one-time code, but some sites like Twitter and Facebook now support even more robust options — such as physical security keys.
Hackers target Florida town’s water supply
Hackers remotely accessed the water treatment plant of a small Florida city last week and briefly changed the levels of lye in the drinking water, in the kind of critical infrastructure intrusion that cybersecurity experts have long warned about.
The attack in Oldsmar, a city of 15,000 people in the Tampa Bay area, was caught before it could inflict harm, Sheriff Bob Gualtieri of Pinellas County said at a news conference on Monday. He said the level of sodium hydroxide — the main ingredient in drain cleaner — was changed from 100 parts per million to 11,100 parts per million, dangerous levels that could have badly sickened residents if it had reached their homes.
The authorities said the plot unfolded last Friday morning, when an employee noticed that someone was controlling his computer. He initially dismissed it because the city has software that allows supervisors to access computers remotely. But about five and a half hours later, the employee saw that different programs were opening and that the level of lye changed.
In a tweet, Senator Marco Rubio, Republican of Florida, said the attempt to poison the water supply should be treated as a “matter of national security.”
No suspects have been identified in the Oldsmar attack, and it was unclear on Monday whether the hackers were in the United States or abroad. The F.B.I. and the U.S. Secret Service have been notified.
The process of attributing the attack could take months — or longer.
Video game and digital entertainment studios remain prime targets for ransomware attacks
Another video game studio has revealed they were the victim of a ransomware attack. CD Projekt S.A., creator of AAA digital products including The Witcher 3 and Cyberpunk 2077, said on Tuesday that the perpetrators of the attack were threatening to sell or leak proprietary source code and share internal documents with their “contacts in gaming journalism”. The attack comes after several high-profile stories alleging an unhealthy work culture within CD Projekt S.A and the company’s demands on its staff. The ransom note left by the attackers alludes to these allegations.
The attackers have also dumped or threatened to dump “documents related to accounting, administration, legal, HR, investor relations and more.”
“We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data,” CD Projekt Red wrote in response. It added that although some devices in its network have been encrypted, “our backups remain intact,” and it has secured its IT infrastructure and started restoring data.
This follows a similar ransomware attack in November against Capcom, a Japanese multi-national studio responsible for a number of multi-million-selling game franchises including Resident Evil and Street Fighter.
Microsoft Warns of Windows Win32k Privilege Escalation
Microsoft has released a security advisory to address an escalation of privileges vulnerability, CVE-2021-1732, in Microsoft Win32k. A local attacker can exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.
CISA encourages users and administrators to review Microsoft Advisory for CVE-2021-1732 and apply the necessary patch to Windows 10 and Windows 2019 servers.
January 28th is International Data Privacy Day
Data Privacy Day aims to inspire dialogue and empower individuals and companies to take action and stay aware and informed about how their personal information is being used, collected or shared in our digital society.
Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Data Privacy Day is observed annually on Jan. 28. On Jan. 27, 2014, the 113th U.S. Congress adopted S. Res. 337, a non-binding resolution expressing support for the designation of Jan. 28 as “National Data Privacy Day.”
The National Cyber Security Alliance (NCSA) officially leads the Data Privacy Day campaign and is advised by a distinguished advisory committee of privacy professionals to help the campaign align with the most current privacy issues in a thoughtful and meaningful way.
This year’s Data Privacy Day spotlights the value of information and how to “Own Your Privacy” and “Respect Privacy”.
You can learn more about Data Privacy Day at the Mass Cyber Center or at the additional resources listed below.
Changes to Apple App Store could benefit privacy advocates
Apple has updated the terms of their App Store to require software developers to include so-called “privacy labels” which list the types of data collected by an app in an easily scannable format. The labels, which resemble a nutrition marker on food packaging, were implemented in December of last year.
Apple’s privacy labels are the latest attempt by tech developers to make understanding security terms of service easier for the average consumer to understand. The locked or unlocked padlock icon in internet browsers for instance, long a basic indicator of a site’s overall security, is an earlier iteration of this trend. It remains to be seen whether Apple’s new labels will demonstrably influence the choices its user’s make. “After they read it or look at it, does it change how they use the app or stop them from downloading the app?” asked Stephanie Nguyen, a research scientist who has studied user experience design and data privacy.
After researching dozens of apps with a focus on their privacy labels and use of a user’s data, the New York Times discovered that apps that appear identical in function can vastly differ in how they handle our information. The comparison of two popular encrypted messaging apps, WhatsApp and Signal, proved to illuminate this point. Though both apps basic functionality is to allow users to communicate with each other over voice and text privately, how each app handled a user’s data was radically different. WhatsApp, for instance, shares a group chat’s name and group profile photos with its parent company, Facebook. Signal, on the other hand, developed a complex chat system that encrypts the entirety of a group conversation, including the people participating in the chat, and their avatars, effectively blocking Signal from access to this information entirely.
“In some instances it’s more difficult to not collect data,” Moxie Marlinspike, the founder of Signal, said. “We have gone to greater lengths to design and build technology that doesn’t have access.”
Ms. Nguyen, the researcher, said a lot had to happen for the privacy labels to succeed. Other than behavioral change, she said, companies have to be honest about describing their data collection. Most important, people have to be able to understand the information.
“I can’t imagine my mother would ever stop to look at a label and say, ‘Let me look at the data linked to me and the data not linked to me,’” she said. “What does that even mean?”
Related MassGov Stories:
Apple pushes out emergency patches for iOS and iPad OS platforms
Apple on Tuesday dropped emergency security patches for its flagship iOS and iPad OS platforms alongside a warning that hackers may already be exploiting three different security vulnerabilities.
The patches - contained in iOS 14.4 and iPadOS 14.4 - are currently being pushed to mobile users via the automatic updating mechanism.
Apple did not provide technical details of the vulnerabilities or the in-the-wild attacks, except to identify the flaws in the Kernel and in WebKit, the open-source web browser engine used in Safari, Mail, AppStore and a range of MacOS and iOS apps.
Apple has promised additional information is forthcoming.
Barebones details for the vulnerabilities, released by Apple, are listed below.
CVE-2021-1782 (Kernel) -- Impact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited. Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation). Anonymously reported.
CVE-2021-1871 and CVE-2021-1870 (WebKit) -- Impact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation). Reported by anonymous researchers.
North Korean hackers use social media to target security researchers
Google has issued a warning that it has uncovered an “ongoing” state-backed hacking campaign run by North Korea targeting cyber security researchers.
The Silicon Valley search giant said its threat analysis team found that cyber attackers posing as researchers had created numerous fake social media profiles on platforms such as Twitter and LinkedIn. After establishing communication with an actual researcher, the attackers would ask the target to work together on cyber vulnerability research and then share collaboration tools containing malicious code to install malware on the researcher’s systems.
Of particular concern is Google’s claim that, in some cases, the attackers were able to create a backdoor to the victim’s computer even when their systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.
Google attributed the latest campaign to “a government-backed entity based in North Korea” — one of the biggest state sponsors of hacking alongside Russia, Iran and China. The Wall Street Journal has previously reported on accusations against North Korea of carrying out cyber attacks to steal coronavirus vaccine-related research and data.
Belying perceptions of the country as a technological backwater, its hackers have a record of major cyber disruptions including hacking Sony Pictures in 2014 and the WannaCry malware attack in 2017. In 2019 a UN sanctions report estimated that $2bn had been raised for Kim Jong Un’s weapons programme via North Korean cyber actors.
Popular dating app fined $11.7 million under European law
The world’s most popular gay dating app, Grindr, has been fined 100 million Kroner, or roughly $11.7 million US dollars, by the Norwegian Data Protection Authority for illegally disclosing private details about its users to advertising companies.
The Norwegian agency said the app had transmitted users’ precise locations, user-tracking codes and the app’s name to at least five advertising companies, essentially tagging individuals as L.G.B.T.Q. without obtaining their explicit consent, in violation of European data protection law.
“We’re trying to make these apps and services understand that this approach — not informing users, not gaining a valid consent to share their data — is completely unacceptable,” said Tobias Judin, head of the Norwegian Data Protection Authority’s international department.
The fine comes one year after European nonprofit groups lodged complaints against Grindr and its advertising partners with data protection regulators. In tests last January, The New York Times found that the Android version of the Grindr app was sharing location information that was so precise, it pinpointed reporters on the side of the building they were sitting on.
Privacy experts say the ruling could have widespread repercussions beyond dating apps.
Related MassGov Stories:
Internet outage hits East Coast causing issues for Verizon, Zoom, and remote learning
Reports of widespread outages and connectivity issues across the East Coast for several premier online services abounded Tuesday morning.
Users reportedly have had issues loading or navigating sites and apps critical to remote work and study, such as Gmail, Slack and Zoom. Downdetector, which tracks reports of outages, showed widespread issues with Verizon, Google, Zoom, YouTube, Slack, Amazon Web Services and others Tuesday just before noon.
Verizon’s Fios internet service has received widespread complaints of connectivity issues. The company’s customer support team said on Twitter Tuesday that a fiber had been cut in Brooklyn, which could possibly account for some of the issues. The support account on Twitter quickly became inundated with customers asking why their internet was slow and their connectivity intermittent.
Amazon Web Services’ status page showed its service, which provides computing power to large swaths of the Internet, was experiencing an issue with an “external provider”. On its status page, it said that it is “investigating connectivity issues with an internet provider, mainly affecting the East Coast of the United States, outside of the AWS Network.” Slack and Google said there were no issues with their own services.
The outage has disrupted school districts’ online teaching programs, bringing the virtual school day to a standstill.
The exact cause of the outages remains unclear.
Intelligence analysts reportedly use U.S. smartphone location data without warrants
An unclassified memo obtained by the New York Times alleges that a military arm of the U.S. intelligence community buys commercially available databases containing location data from smartphones apps and searches it for American’s past movements and does so without a warrant.
Defense Intelligence Agency analysts have searched for the movements of Americans within a commercial database in five investigations over the past two and a half years, agency officials disclosed in a memo they wrote for Senator Ron Wyden, Democrat of Oregon.
Such data is typically drawn from smartphone apps such as weather, games and other apps that get user permission to access a phone’s GPS location. A robust commercial market exists for such data for advertising and other commercial purposes.
The disclosure sheds light on an emerging loophole in privacy law during the digital age: In a landmark 2018 ruling known as the Carpenter decision, the Supreme Court held that the Constitution requires the government to obtain a warrant to compel phone companies to turn over location data about their customers. But the government can instead buy similar data from a broker — and does not believe it needs a warrant to do so.
The Wall Street Journal revealed last year that U.S. government agencies were also buying access to that data from commercial brokers without a warrant, raising questions about whether those agencies were adequately safeguarding the privacy and civil liberties of Americans. In particular, it found, two agencies in the Department of Homeland Security — Immigration and Customs Enforcement, and Customs and Border Protection — have used the data in patrolling the border and investigating immigrants who were later arrested.
President orders sweeping assessment of SolarWinds hack
Senator Mark Warner, Democrat of Virginia, who will become the chairman of the Senate Intelligence Committee, said President Biden was ordering a broad new intelligence assessment on Russia, and, in particular, a better understanding of the SolarWinds hacking.
Evidence amassed thus far suggests the perpetrators used their covert access chiefly to conduct espionage – an act all nations, the United States included, engage in. This would therefore limit the administration’s options for retaliation.
“SolarWinds is one of the most sophisticated and deep hacks we’ve faced, and the president needs the best information he can get to not only lead the remediation of the penetration, but to understand how to prevent it in the future, and what actions might deter Russia going forward,” Mr. Warner said.
President Biden’s order for the investigation of the SolarWinds hack – named for the Texas software company whose widely used IT monitoring and management tools were one way the hackers gained access – comes as intelligence officials have concluded that more than a thousand Russian software engineers were most likely involved in it, according to people involved in the investigation. This suggests the intrusion was a far larger, and stealthier, operation than first known. The intruders were active for a full nine months before cybersecurity firm FireEye and Microsoft Corporation alerted the government.
Can exercise equipment be a security risk?
White House personnel and cyber experts are weighing in on the potential security risks of President Biden’s Peloton exercise bike.
The Peloton, an indoor stationary exercise bike, integrates with a proprietary social media network allowing users to livestream their workouts or take on-demand classes with online instructors. The equipment’s online and social media features, which utilize built-in cameras and microphones to allow users to see and hear one another if they choose, are the potential areas of concern.
Consensus amongst security experts seems to point toward the President keeping the Peloton as part of his workout routine – though the bike itself may bear little resemblance to the off-the-assembly-line version after the Secret Service and the National Security Agency are finished with it. (There have been news reports that Michelle Obama has a modified Peloton, but her spokeswoman would not confirm them.)
Mr. Biden would not be the first occupant of the White House whose technological preferences clashed with the cybersecurity needs of being president. President Trump continued to prefer private calls to friends on his personal iPhone, while President Obama insisted on continued use of his BlackBerry. Security experts eventually found ways to accommodate both men’s preferences.
“Presidential security is always about balancing presidential needs and desires and the relative security risk of any single thing,” said Garrett Graff, the director of the cybersecurity initiative at the Aspen Institute, a research organization. “The threat is real, but it is presumably a manageable risk given enough thought and preparation.”
CISA releases new community cybersecurity resources
The Cybersecurity and Infrastructure Security Agency (CISA) has released two new personal/community cybersecurity and cyber-hygiene resources.
The Personal Security Considerations Fact Sheet encourages critical infrastructure owners and their personnel to remain vigilant and report suspicious behavior that individuals may exhibit in order to thwart an attack. It also contains several easily implementable security measures that can mitigate threats to personal safety.
The Houses of Worship Security Self-Assessment Tool provides the faith-based community with an easy to use assessment tool that produces a formatted report with resources which can be used to identify and address your facility’s security concerns.
Visit CISA’s page on Hometown Security for additional tools and resources to support community security and resilience.
Malwarebytes becomes fourth major security firm targeted by SolarWinds hackers
The creator of a popular anti-virus software, Malwarebytes, said on Tuesday that some of its emails were breached by the same hackers who used the software company SolarWinds to hack into a series of U.S. government agencies. This makes Malwarebytes the fourth major security firm, after Microsoft, FireEye, and CrowdStrike, to be targeted by this same group.
Malwarebytes said the intrusion is unrelated to the SolarWinds supply chain incident since the company doesn't use any of SolarWinds software in its internal network but rather that hackers breached its internal systems by exploiting a dormant email protection product within its Office 365 and Microsoft Azure environments. The company confirmed the hackers were able to gain access to a “limited subset of internal company emails” but found no evidence of unauthorized access or compromise of its production environments.
Mandiant, a cybersecurity research firm, recently released a report alleging the perpetrators behind the SolarWinds supply chain attack leveraged four separate techniques to bypass identity and access management protections and laterally move from victims’ on-premise networks to their cloud-based Microsoft 365 accounts.
Growing "Big Tech" fears leads to boom in adoption of encrypted messaging
Millions of new users are making the jump to encrypted messaging apps in the wake of last week’s Capitol Hill riots. Growing anxiety surrounding the world’s largest tech companies and their control over user’s personal data has led to tens of millions of downloads of Signal and Telegram, two WhatsApp-competitors. Both are chat apps that offer end-to-end encryption outside of Big Tech’s grasp. Encrypted messaging apps can offer more security, privacy and features than plain text messaging—but their encryption methods and data collection vary.
Signal, which utilizes end-to-end encryption, estimates that it has gained over forty million new users in under a week. Telegram, which offers some encrypted messaging options but is largely popular for its group-based chat rooms, has also gained new users numbering in the tens of millions.
The rise of Telegram and Signal is sure to reignite the debate over encryption, which helps protect the privacy of people’s digital communications but can stymie the authorities in criminal investigations because conversations are hidden.
FBI investigation of SolarWinds hack widens to include project-management software from JetBrains
The FBI is investigating whether the hackers behind a series of intrusions at U.S. federal agencies and companies also broke into project-management software created by the company JetBrains to breach its customers. JetBrains, a privately held Czech-based company whose chief executive, Maxim Shafirov, is a Russian national, produces software called TeamCity that is used by tens of thousands of customers to construct other software.
Reporting suggests that US officials are looking at a scenario where Russian hackers breached JetBrains and then launched attacks on its customers, one of which was SolarWinds.
The company responded Thursday with a published statement denying reports from both the New York Times and the Wall Street Journal claiming that JetBrains is under investigation for possibly being involved in the SolarWinds hack that impacted thousands of companies across the globe. Safirov confirmed from St. Petersburg, Russia, where JetBrains has offices, that SolarWinds is amongst JetBrains’ many customers.
SolarWinds revealed last month that someone with access to its system for developing network-management software had inserted back doors into two updates of its flagship Orion products. Dozens of SolarWinds customers, including at least a half-dozen U.S. agencies, were then exploited by the same hackers. U.S. intelligence agencies said Tuesday that Russia was likely behind the damaging spree, though Russian officials denied it.
“We are not aware of any investigation nor have we been contacted by any agencies,” a JetBrains spokesman said. “We are not aware of any vulnerabilities in the product or breaches that would allow for this, nor that any of our customers were affected.”
Vulnerabilities in TeamCity have been publicly reported and rated “critical” in the past, as is true with most big software.
SolarWinds hires former cyber security chief Chris Krebs to help navigate post-hack fallout
SolarWinds, the embattled network software firm, has hired former US government cyber security chief Chris Krebs to assist the company in navigating the fallout of what is quickly proving to be one of the most intrusive cyber attacks in our nation’s history. Krebs will spearhead the company’s crisis response efforts alongside his new business partner Alex Stamos, a Stanford University professor and Facebook’s former security chief.
Investigations on the full scale and scope of the campaign continue, but some experts have reported that it may stretch back years and remain ongoing. US intelligence officials confirmed this week that they had identified “fewer than 10” federal agencies that had been compromised, including the Commerce, Energy, and Justice departments. The electronic filing system used by the federal courts was also compromised, the US judiciary said on Thursday.
Speaking to the Financial Times, Krebs said there was “zero question” amongst the intelligence community that the SVR, Russia’s foreign intelligence service, was responsible for the attack.
Krebs, who has extensive experience in risk management and national and infrastructure security, oversaw the Cybersecurity & Infrastructure Security Agency until his ousting in November for challenging claims that the US presidential election had been widely compromised by fraud and foreign interference.
DHS confirms state-sponsored cyberattack on public sector IT-service providers
SolarWinds, a major provider of network management systems (NMS), is said to be the victim of a highly sophisticated, state-sponsored cyberattack. The attackers, believed to be operating under the auspices of the Russian Federation’s Foreign Intelligence Service, were able to successfully deploy a malware-infected update to the company’s Orion Network Performance Monitor.
SolarWinds ubiquity in the field of NMS may turn out to be problematic - the company has more than 300,000 customers worldwide, including more than 400 of the US Fortune 500 companies and is utilized across five branches of the US military and the Departments of Defense, State and Justice, as well as the Office of the President. Intrusions have already been detected at the US Treasury Department as well the US Department of Commerce's National Telecommunications and Information Administration (NTIA). Though not officially confirmed, major US publications have cited sources claiming that multiple other government agencies have been impacted in the attack.
Late Sunday night, following confirmation of the successful attack on the Commerce Department, the cybersecurity arm of the Department of Homeland Security issued an Emergency Directive calling on "all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately."
Sources speaking with the Washington Post linked the intrusion to APT29, a codename used by the cyber-security industry to describe hackers associated with the Russian Foreign Intelligence Service (SVR).
ALERT: Commonwealth Employees Targeted by Phishing Campaign
As many of you are aware, the Commonwealth has recently been the target of an aggressive phishing and smishing campaign. The malicious actors are using free e-mail services, such as g-mail, to create fake e-mail accounts designed to impersonate Commonwealth Leadership and are using social engineering tactics to elicit a sense of urgency. In addition to e-mail, the scammers have started using text messages as another way to phish our community. This technique, often referred to as smishing or SMS phishing, is a text-message based variation of traditional phishing scams, and a growing cyber threat. This particular campaign does not contain any links or malicious documents, but rather requests that the user purchase a gift card on behalf of the executive.
The EOTSS Messaging and Security Teams are aware of the situation and are working to block incoming messages. However, we ask that you remain vigilant. If you receive an e-mail or a text message requesting you to purchase a gift card, to pay by gift card, or to wire money – for any reason – that’s a sure sign of scam. Any correspondence, whether e-mail or SMS-based, imploring (or even threatening) the need for an immediate response, should be treated with healthy skepticism.
Remember to pay attention to key warning signs:
- False sense of urgency
- External e-mail address as either the sender or the reply-to address
- Misspellings and Typos
- Consider the purpose; is this someone you’d typically correspond with?
- Be wary of suspicious attachments and links
As always, suspicious messages or phishing e-mails can be reported to the EOTSS End User Service Desk or your local Agency IT Support via the contact information below.
EOTSS End User Service Desk (844) 435-7629
24x7x365 support for Commonwealth end users
CommonHelp IT Service Desk (866) 888-2808
for agency/Secretariat IT help desks and support personnel
We appreciate your continued cooperation. Please do not hesitate to reach out with any questions or concerns.
Commonwealth Chief Information Security Officer
Executive Office of Technology Services and Security
Ransomware Activity Targeting the Healthcare and Public Health Sector (CISA Alert AA20-302A)
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.
CISA, FBI, and HHS have released AA20-302A Ransomware Activity Targeting the Healthcare and Public Health Sector that details both the threat and practices that healthcare organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The advisory references the joint CISA MS-ISAC Ransomware Guide that provides a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.
It is suspected that the attacks are being launched by Eastern European hackers that targeted U.S. hospitals, media reported Wednesday. Experts said the likely group behind the attacks was known as Wizard Spider or UNC 1878. They warned that such attacks can disrupt hospital operations and lead to loss of life. Federal authorities said the recent attacks include incidents in Oregon, California, and New York.
CISA, FBI, and HHS are sharing this information in order to provide a warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats. CISA encourages users and administrators to review CISA’s Ransomware webpage for additional information.
October is National Cybersecurity Awareness Month
October is National Cybersecurity Month (NCSAM), a time for us to focus on how cybersecurity affects all Americans and to remind us of our shared responsibility. NCSAM is a collaborative effort between the U.S. Department of Homeland Security (DHS) and its public and private partners, including the National Cyber Security Alliance, to raise awareness about the importance of cybersecurity and individual cyber hygiene.
Now in it's 17th year, Cybersecurity Awareness Month has grown exponentially, reaching consumers across the nation.
For more information on Commonwealth sponsored events throughout the month, please visit the MassCyberCenter webpage.
Tyler Technologies Ransomware
Tyler Technologies, the nation’s largest provider of software and technology services for the public sector, has reportedly been the victim of a ransomware attack. Notably, the company is responsible for the development of software used to display state and local election results.
Though initially hesitant to discuss the exact nature of the disruption, Tyler Technologies released the following public statement Wednesday afternoon:
“Based on the evidence available to-date, all indications are that the impact of this incident is limited to our internal corporate network and phone systems, and that there has been no impact on software we host for our clients. Our hosted environment is separate and segregated from our internal corporate environment.”
The company, based out of Plano, Texas, employs some 5,300 employees and brought in a reported annual revenue of more than $1 billion for fiscal year 2019. It sells a broad range of services to state and local governments, including appraisal and tax software, integrated software for courts and justice agencies, enterprise financial software systems, public safety software, records/document management software solutions and transportation software solutions for schools.
By Tuesday, Tyler Technologies’ normal landing page was replaced with notice saying the site was offline. At the time of the original change, the message contained no further details regarding the breach. Tyler’s Chief Information Officer Matt Bieri provided a statement to popular security blog KrebsOnSecurity only after markets that day closed, stating
“Upon discovery and out of an abundance of caution, we shut down points of access to external systems and immediately began investigating and remediating the problem. We have since engaged outside IT security and forensics experts to conduct a detailed review and help us securely restore affected equipment. We are implementing enhanced monitoring systems, and we have notified law enforcement.”
Tyler Technologies has thus far declined to state how the intrusion might be affecting its customers. Several IT staffers affiliated with state and local governments throughout the nation have reported interruptions of various natures, with one anonymously stating that the outage has disrupted the ability of people to pay their water bills or court payments.
Depending on how long it takes for Tyler Technologies to recover from this incident, it could have a broad impact on the ability of many states and localities to process payments for services or provide various government resources online.
Bipartisan Digital Identity Legislation introduced in Congress
A draft bipartisan bill designed to modernize the country’s lagging digital identity infrastructure has been introduced in Congress.
The Improving Digital Identity Act of 2020 would help to bolster secure methods of validating identities in government agencies' digital infrastructure. In its current form, the bill would utilize a three-pronged approach:
- It would establish a task force to bring together key federal agencies with state and local government representatives to develop secure methods for government agencies to validate identity attributes to protect the privacy and security of individuals and support reliable, interoperable digital identity verification tools in the public and private sectors.
- It would direct the National Institute of Standards and Technology (NIST) to create a new framework of standards to guide government agencies when providing digital identity verification services – placing an emphasis on privacy and security.
- It would establish a grant program within the Department of Homeland Security to allow states to upgrade the systems they use to issue drivers’ licenses and other types of identity credentials, and to support the development of secure, interoperable state systems that enable digital identity verification in accordance with the framework developed by NIST.
Bill to improve the federal government's use of IoT devices reaches House floor
After languishing in Congressional limbo for nearly a year and a half, the IoT (Internet of Things) Cybersecurity Improvement Act (H.R. 1668) will finally reach the House floor.
The bill would task NIST (the National Institute of Standards and Technology) with the development of standards for agencies’ use of IoT devices and their handling of vulnerabilities in those devices.
The Internet of Things describes the network of physical objects—"things"—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.
NIST is one of the nation's oldest physical science laboratories, tasked with promoting "promote innovation and industrial competitiveness".
Third annual CISA National Cybersecurity Summit begins on Wednesday
Subject matter and discussion dates for the Third Annual National Cybersecurity Summit have been announced.
The event, in its third year, brings together infrastructure stakeholders from around the world and provides a forum for meaningful conversations and collaboration on cybersecurity.
The 2020 Cybersummit will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7. Each series will have a different theme that focuses on CISA’s mission to “Defend Today, Secure Tomorrow,” with presentations from targeted leaders across government, academia, and industry.
This year’s themes are:
- Sept 16: Key Cyber Insights
- Sept 23: Leading the Digital Transformation
- Sept 30: Diversity in Cybersecurity
- Oct 7: Defending our Democracy
The event is facilitated by the Cybersecurity and Infrastructure Security Agency (CISA), a federal agency within the US government with its operational component under Department of Homeland Security (DHS) oversight.
Spyware Labeled ‘TikTok Pro’ Exploits Fears of US Ban
Researchers have discovered a new Android spyware campaign pushing a “Pro” version of the TikTok app that is exploiting fears that the popular social media app is on the cusp of being banned in the United States. The malware can take over basic device functions as well as uses a phishing tactic to steal victims’ Facebook credentials.
Malicious actors urge users via SMS and WhatsApp messages to download the spyware version of the application, called TikTok Pro, from a specific web address, said Zscaler CISO and VP of security Shivang Desai in a report published Tuesday.
Desai warned Android users not to trust unknown links received in SMS or other messages and to only install apps from official stores like Google Play.
How a Teenager Hacked One of the Largest Social Media Platforms in America
After months of digital reconnaissance, 17-year-old Florida resident Graham Ivan Clark managed to convince a Twitter employee he was co-worker. Prosecutors say this ultimately allowed him to hack the accounts of numerous high profile people including former President Barrack Obama and Tesla CEO Elon Musk.
Despite what you may have recently seen on your Twitter feed recently, dozens of notable, high-profile Americans including former President Barrack Obama, Tesla CEO Elon Musk, and Amazon CEO Jeff Bezos are not in fact, giving away tens of thousands of dollars in cryptocurrency to random Americans.
The tweets were allegedly sent by 17-year-old Florida native Graham Ivan Clark. After months of digital reconnaissance, the high school aged hacker was able to convince an employee of Twitter, one of the world's largest social media platforms, that he was a co-worker who worked in the company's IT department.
He was charged with compromising more than 100 social media accounts and scamming both the Twitter account holders, and the approximately 400 people from whom Mr. Clark allegedly received money in a scam. Two others were also charged—Mason Sheppard, of Bognor Regis, U.K., and Nima Fazeli, 22, of Orlando, Fla.—in connection with the hack.
Cyber Actor Spoofing COVID-19 Loan Relief Webpage
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) recently warned that a ‘malicious cyber actor’ is targeting the Small Business Administration (SBA) webpage used to generate loans to businesses during the COVID-19 pandemic.
“The Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking an unknown malicious cyber actor who is spoofing the Small Business Administration (SBA) COVID-19 loan relief webpage via phishing emails. These emails include a malicious link to the spoofed SBA website that the cyber actor is using for malicious re-directs and credential stealing.”
CISA reminds users to remain vigilant and exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.
Twitter Says It Was The Victim Of A 'Coordinated Social Engineering Attack'
Barack Obama, Joe Biden, Elon Musk, Apple and others appear to be part of a widespread hacking operation affecting several major companies and highly-visible individuals. Impacted users appeared to be offering to double any bitcoin set to them.
Twitter acted quickly by locking down accounts, compromised or not.
As Twitter investigates what appears to be the largest and most coordinated hack in Twitter's history, the company has vowed to examine what "other malicious activity" the hackers may have committed. The company admits that internal tools were compromised and likely used in the attack, which may explain how malicious actors gained access to the accounts that presumably have enhanced security protections.
"We all feel terrible this happened", said Jack Dorsey, Twitter CEO. "We're diagnosing and will share everything we can when we have a more complete understanding of exactly what happened."
Hacking attacks on hospitals for patient data increase during coronavirus pandemic
During "normal" times, hospitals are often targeted with 80% of medical practices reporting that they have been victims of cyberattacks, according to a national survey. The situation has only gotten worse during the COVID-19 pandemic. Between March and April, IBM saw a 6,000% increase in spam attacks on information technology systems, leveraging COVID-19, many of them at health care facilities, outlines Wendi Whitmore, a cybersecurity expert and vice president of IBM X-Force, a commercial security research team. She goes on to describe the situation as a continuous “cat and mouse” game between criminals and institutions.
Electronic health records are often the target, and according to the FBI, can “be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft.” Health record theft also is more difficult to detect, taking almost twice as long to recognize as normal identity theft, the report found.
Colin Zick, a partner and co-chair of the privacy and data security practice at Foley Hoag, has some practice advice for patients. Zick requests his medical file periodically to be sure he has access to his own records if they were ever permanently lost. And he said if he saw a provider acting carelessly with his data – such as not using two-factor authentication – he would offer them some free advice.
Apple’s next iPhone update adds new privacy protections — and you won’t be able to miss them
The next version of iOS for iPhones will give new visual notifications when apps are accessing the device’s microphone, camera, clipboard, or other sensitive data.
DDoS Activity Targeting State of Minnesota Resources
A cyberattack temporarily disabled certain Minnesota systems and websites last week. The cyberattack comes amid protests over the police killing of George Floyd last week.
“Keeping our communications systems secure during times of crisis is critical to protecting the Minnesotans that we serve, and we work to meet the challenging and evolving threat to those systems every day. At this time, these attacks have not successfully disrupted the state services that Minnesotans depend upon, and MNIT is working in close coordination with partners at the Department of Public Safety and with the federal government to share intelligence and stay proactive on cyber threats."
Nationwide Unemployment Scam Targets Massachusetts Claimants
Criminal enterprises in possession of stolen personal information from earlier national data breaches have been attempting to file large amounts of illegitimate unemployment claims through the Massachusetts Department of Unemployment Assistance (DUA) system. This is part of a national unemployment fraud scheme.
The Department of Unemployment Assistance (DUA) has begun implementing additional identity verification measures that will temporarily delay the payment timeframe for many unemployment claims in Massachusetts.
For more information, please visit https://www.mass.gov/info-details/report-unemployment-benefits-fraud.
Be aware of a recent increase in scam blackmail emails
Reports of Bitcoin blackmail scams have taken a big jump in the last few weeks. The emails say they hacked into your computer and recorded you visiting inappropriate websites. They threaten to tell others, unless you pay into their Bitcoin account. To complicate matters, they claim to know one of your password - and they include it in the message to prove it.
These e-mails are fake and are a scam. You are likely receiving one because your account and password were involved in a recent data breach. You should take precautions to update the password associated with that account, and others as well.
Students create a bot that tells you when a grocery delivery slot opens up
Having a hard time getting a time slot for grocery delivery? A computer science student at Georgetown University created a simple computer program that automatically notifies you when an Amazon Fresh or Whole Foods delivery slot opens up, letting you place your order. But, he's not the only one. Another developer had their website shut down after getting a cease-and-desist order from Instacart for claiming the site could automatically hunt for delivery slots.
Face ID doesn’t work when you’re wearing a mask—Apple’s about to address that
This week, Apple released the third beta of iOS 13.5, the next major feature release for its mobile operating system. Among other things, the release introduces new Face ID behavior when users are wearing protective masks.
U.S. senators to introduce privacy bill for COVID-19 contact tracing
A group of U.S. senators said they would introduce legislation to address consumer privacy concerns surrounding technology companies’ building contact tracing apps to fight the coronavirus outbreak.
The bill would allow technology companies to develop “platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for U.S. citizens.”
Apple says 'no evidence' iPhone mail flaw used against customers
The default Mail app on Apple's iPhones may be vulnerable to sophisticated email hacks, according to a report Wednesday from The Wall Street Journal.
The vulnerability, which was detected by cybersecurity firm ZecOps, reportedly lets hackers install malicious software on an iPhone by sending a specially crafted email, the Journal reported.
Apple acknowledged the vulnerability existed in its software for email on iPhones and iPads and said the company had developed a fix that will be introduced in a forthcoming update. The company also indicated it has found “no evidence” a flaw in its email app has been used against customers, and that it believes the flaw does “not pose an immediate risk to our users”.
Google moves to open up its Healthcare API to making it easier to share health info
As of Monday, health care providers can build new systems using the new Google Healthcare API to translate and convert data stored in different types of systems, from imaging systems to medical records software. It also said it will offer a range of other services to help health care organizations during the Covid-19 pandemic.
500,000 Hacked Zoom Accounts Given Away For Free On The Dark Web
More bad news for Zoom...
The good news? This wasn't a hack on Zoom but rather a case of users repurposing passwords. This is a great reminder to use a unique password for each account. Sites such as have i been pwned can also be helpful in seeing if your accounts have been involved in a data breach.
Is 5G Cell Phone Technology Linked to the Cause of Coronavirus?
FEMA has started a webpage to discuss this and other COVID-19 rumors. Do your part to the stop the spread of disinformation by doing three easy things:
- Don’t believe the rumors.
- Don’t pass them along.
- Go to trusted sources of information to get the facts about the federal (COVID-19) response.
Apple and Google Team Up to ‘Contact Trace’ the Coronavirus
The technology giants said they would embed a feature in iPhones and Android devices to enable people to track the virus. With the tool, infected people would notify a public health app that they have the coronavirus, which would then alert phones that had recently come into proximity with that infected person’s device.
Be Alert: Phone scammers are taking advantage of the coronavirus pandemic
The FCC has received reports of scam and hoax text message campaigns and scam robocalls offering free home testing kits, promoting bogus cures, selling health insurance, and preying on virus-related fears. Coronavirus scam audio samples can be found on the FCC website. If you think you've been a victim of a coronavirus scam, contact law enforcement immediately.
A Must For Millions, Zoom Has A Dark Side — And An FBI Warning
Teams, WebEx, GoToMeeting, Zoom....If you are working from home, collaboration tools are a must. As we all adapt to a new normal, so are cyber criminals. In the midst of a world-wide pandemic, a new technique entitled "zoom-bombing" has been getting national attention (NPR).
Instagram Draws Surge in Offers of Coronavirus Masks With Potential Risks
As more medical experts recommend wearing masks in public, it's no surprise that social media sites are struggling to keep up with ads and users claiming to sell medical masks. Social Media Researchers found at least 10,450 accounts on Instagram that have popped up in the past few months selling masks, some of which appear to be scams and most of which aren’t vetted for safety or price concerns. Always remember to validate companies before making a purchase. If it seems too good to be true, it likely is. Note: A subscription is required to read the complete WSJ article. However, the complete report is available for free.
Scammers are creating Netflix lookalikes to target people staying at home, study finds
While it is not surprising that the pandemic has resulted in Netflix’s subscriber growth, the brand has been used as part of various web-based fraud schemes. The cybersecurity firm, Check Point recently reported an increase in fake steaming services spinning up. The complete article can be found on USAToday.
Coronavirus surveillance poses long-term privacy threat, U.N. expert warns
From facial recognition to phone tracking, governments are turning to technology to trace Covid-19 infections and keep tabs on the population as they enforce lockdowns and quarantines. China, South Korea and Israel are among the countries rolling out such technologies and experts say the effects could long outlast the current crisis.
Boston, MA 02108