North Korean Maui Ransomware Actively Targeting U.S. Healthcare Organizations

Posted on

As seen on thehackernews.com by Ravie Lakshmanan on July 7, 2022

In a new joint cybersecurity advisory, U.S. cybersecurity and intelligence agencies have warned about the use of Maui ransomware by North Korean government-backed hackers to target the healthcare sector since at least May 2021.

“North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services,” the authorities noted.

The alert comes courtesy of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of the Treasury.

Cybersecurity firm Stairwell, whose findings formed the basis of the advisory, said the lesser-known ransomware family stands out because of a lack of several key features commonly associated with ransomware-as-a-service (RaaS) groups.

This includes the absence of “embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers,” security researcher Silas Cutler said in a technical overview of the ransomware.

Instead, analysis of Maui samples suggests that the malware is designed for manual execution by a remote actor via a command-line interface, using it to target specific files on the infected machine for encryption.

Besides encrypting target files with AES 128-bit encryption with a unique key, each of these keys is, in turn, encrypted with RSA using a key pair generated the first time when Maui is executed. As a third layer of security, the RSA keys are encrypted using a hard-coded RSA public key that’s unique to each campaign.

What sets Maui apart from other traditional ransomware offerings is also the fact that it’s not offered as a service to other affiliates for use in return for a share of monetary profits.

In some instances, the ransomware incidents are said to have disrupted health services for extended periods of time. The initial infection vector used to conduct the intrusions is unknown as yet.

It’s worth noting that the campaign is predicated on the willingness of healthcare entities to pay ransoms to quickly recover from an attack and ensure uninterrupted access to critical services. It’s the latest indication of how North Korean adversaries are adapting their tactics to illegally generate a constant stream of revenue for the cash-strapped nation.

CyberSecurity

According to the Sophos’ State of Ransomware in Healthcare 2022 report, 61% of healthcare organizations surveyed opted to settle compared with the global average of 46%, with only 2% of those that paid the ransom in 2021 getting their complete data back.

That said, the use of a manually operated ransomware family by an APT group also raises the possibility that the operation could be a diversionary tactic designed to act as a cover for other malicious motives, as recently observed in the case of Bronze Starlight.

“Nation state-sponsored ransomware attacks have become typical international acts of aggression,” Peter Martini, co-founder of iboss, said in a statement. “Unfortunately, North Korea specifically has shown it is very willing to indiscriminately target various industries, including healthcare, to secure untraceable cryptocurrency that is funding its nuclear weapons program.”

QR Code Phishing Scams Target Users and Enterprise Organizations

Posted on

As seen on securitymagazine.com by Rob Corso July 7th, 2022

Quick response (QR) codes have become an integral part of daily life, with retail, marketing and other enterprise applications. However, they also represent potential security risks.

Restaurants use QR codes to direct patrons to online menus. Businesses are using them for marketing or advertising by connecting customers to discounts, new product releases, returns or refunds and more. QR codes are even making appearances in Super Bowl commercials.

Just point your smartphone at the code, scan it with your camera and click on the URL that pops up to be redirected to the designated landing page. “It’s so easy, a caveman can do it.” But that’s also part of the problem.

Phishing attacks increased 29% globally to a record 873.9 million attacks in 2021. Additionally, there were 316,747 total phishing attacks in December 2021 — the highest monthly total ever recorded. The same report reveals the overall number of phishing attacks has tripled since early 2020.

And now, cybercriminals are incorporating QR code scams into phishing strategies.

How criminals commit QR code phishing attacks 

QR code phishing occurs when a bad actor uses a QR code as a means to trick people into sharing personal or financial information. In Texas, bad actors put stickers with fraudulent QR codes on parking meters to fool drivers into thinking they can pay for metered parking through a “Quick Pay Parking” site. Really, it’s just a setup to steal their credit card information. Scammers in China have placed fake parking tickets on illegally parked cars and direct them to scan QR codes to pay the fine.

E-banking customers in Germany were sent emails containing malicious QR codes designed to access their banking credentials. In the Netherlands, criminals manipulated legitimate QR codes in ING Bank’s mobile banking app to scam users. The FBI revealed this is becoming more common, with cybercriminals targeting both physical and digital QR codes.

Ultimately, whether physical or digital, these scams all share a common goal: to deceive users into offering up personal information. But there are several ways organizations can avoid falling victim to one of these scams.

1. Advise employees to think before they scan

The bad actor is banking on employees scanning the QR code and clicking on the URL without hesitating. That’s how employees get into trouble and put their company at risk.

If an employee receives an email with a QR code, they should check the provided link before diving in headfirst. Make sure the URL lines up with the company or organization it supposedly represents. Be on the lookout for links with spelling or grammatical errors.

If the employee has any doubts, they should report the suspicious email to the company’s security department. It may be nothing at all, but it’s better to be safe than sorry.

2. Provide regular cybersecurity education

The “human element” is involved in 82% of breaches — that’s why cybersecurity training and education are so paramount.

Monthly newsletters that outline the latest trends and tactics performed by cybercriminals and regular training sessions that expose employees to bad actors’ strategies are all helpful tools.

Mistakes happen, but security teams can minimize the risk with preparation.

3. Make MFA mandatory

Multi-factor authentication (MFA) isn’t 100% infallible, but it’s still an absolute must for protecting credentials in the event of a breach.

If a bad actor gets a hold of an employee’s email and password, this safeguard will at least prevent them from automatically gaining access. Even the most basic security measures can mean the difference between leaving the company exposed and thwarting an attack.

Be vigilant about QR codes

QR codes are a simple method of getting users from point A to point B. But their charm is also what makes them a bad actor’s best friend.

As cybercriminals look to further exploit this new attack vector, organizations must remain steadfast and alert and frequently remind employees to keep an eye out for QR codes that appear out of the ordinary.

Russia, backed by ransomware gangs, actively targeting US, FBI director says

Posted on

The FBI is laser focused on preventing a destructive attack, FBI Director Christopher Wray said. The agency, meanwhile, helped to disrupt a 2021 Iran-backed attack against Boston Children’s Hospital.

As seen on cybersecuritydive.com by David Jones on 6/2/22

Dive Brief:

  • As the Ukraine war grinds on, the FBI has seen Russia take steps to launch potentially destructive attacks against U.S. and overseas targets, spurring the agency to warn potential targets and disrupt attacks, FBI Director Christopher Wray said. Wray, speaking Wednesday at the Boston Conference on Cyber Security, said the Russia-based ransomware gangs have engaged in cyber activity in support of the Russian government. 
  • But China has closely watched events since the start of the Ukraine war, Wray said, and is by far the largest nation-state threat to the U.S. China’s efforts to dominate global technology has come, in part, from stealing research and proprietary secrets from U.S. companies. 
  • Other nation-state adversaries have actively targeted the U.S. too, Wray said. The FBI helped disrupt an Iran-sponsored attack on Boston Children’s Hospital in 2021, calling it one of the most despicable cyberattacks he’s seen.

Dive Insight:

The speech comes at an urgent time for the FBI and other federal agencies looking to prevent a potentially catastrophic act of retaliation by Russia-linked threat actors since the invasion of Ukraine in February

The FBI, working in concert with the Cybersecurity and Information Security Agency, the National Security Agency and foreign allies, has repeatedly warned industries about potential malicious cyber activity against critical infrastructure sites, including energy, utilities and water. 

Wray reminded the conference that Russia was behind the 2017 NotPetya attacks, which started out as an attack that appeared to be criminal in nature, but rapidly spread across Europe, hit the U.S., Australia and even some organizations inside Russia.

“Now in Ukraine, we see them again, launching disruptive attacks using tools like wiper malware,” Wray said. “And we’re watching for their cyber activities to become more destructive as the war keeps going poorly for them.”

The agency was part of an April operation to disrupt Cyclops Blink, a state-backed botnet that was used by the Sandworm threat actor to infect thousands of devices worldwide. The botnet had been used to infect WatchGuard firewall appliances and Asus routers. 

More recently, security researchers disclosed the development of destructive custom-made malware that could sabotage major industrial sites. Researchers said the malware, dubbed Pipedream or Incontroller, has not been officially attributed to any particular state actor. Wray did not especially mention the industrial malware during his address.

For the FBI, the conference was another opportunity to admonish listeners about the need for public-private information sharing. During a brief question and answer session, Wray reminded conference attendees and virtual participants about the need for U.S. companies to come forward with any potential cyberthreats or extortion demands. 

The FBI is capable of disrupting operations, Wray said, and in some cases tracing and recovering ransom payments if information is gathered early. 

Beyond reaction, FBI cyber efforts can aid attack deterrence too. Wray did not provide much detail on the plot against the hospital, but said the agency got a report from an intelligence partner of an impending attack. Agents from the FBI Boston field office quickly notified hospital officials, who confirmed the incident to Cybersecurity Dive. 

“Thanks to the FBI and our Boston Children’s Hospital staff working so closely together, we proactively thwarted the threat to our network,” hospital spokesperson Sarah Tanner said via email.

The value of cyber insurance for small businesses

Posted on

insurance-policy-freepik1170x658v4.jpg

As seen on securitymagazine.com on 5/31 by Linda Comerford

Businesses of all sizes face the daily threat of falling victim to cyberattacks. While it’s often more common to hear stories about the major corporations suffering from data breaches, small businesses can be easy targets to hackers.

What happens after a cyberattack?

Companies that are victims of cyberattacks need to ensure they understand how to respond properly to the incident. It’s important to take action right away to help minimize the damage, including these steps:

Containing and assessing the breach

Determining what servers were compromised in the cyberattack helps to contain them as quickly as possible. It’s vital to keep any other servers and devices from becoming infected or breached, and it also helps preserve critical evidence for assessing what happened and who was responsible. Contain the breach by disconnecting the internet, disabling remote access and maintaining any firewall settings. If there are any pending security patches or updates, install them immediately. Passwords should also be changed with a global password reset, and ensure all employees create new, strong passwords for each of their accounts.

Once the breach has been contained, it’s important to determine the cause to try to prevent another attack from happening in the future. Determine who had access to the affected servers and what network connections were active at the time of the incident. Checking security data logs through antivirus protection software or email and firewall providers may help pinpoint where the breach was initiated. It’s also important to identify who was affected by the breach and to educate employees on the company’s security protocols. These steps are vital to help avoid becoming a victim of another data breach.

Utilize the data breach response plan and contact the insurance carrier

A data breach response plan helps businesses respond appropriately to a cyberattack by providing the proper procedures to take in a straightforward, documented manner. It should establish a baseline with existing security policies, which can be used as a framework for the plan. Elements of the policy generally include information on how to protect confidential data, instructions for the secure use of personal and company devices, how to detect malicious email scams or viruses, and more. These factors are all vital in helping to avoid a data breach in the first place.

Secondly, the plan should include information about what defines a data breach requiring a response, a designated response team, and the types of messaging and communication methods to be employed.

If the business has a cyber insurance policy, the carrier should be contacted as soon as possible to get the claims process started. The claims professionals are able to connect insureds with vetted vendors who are experienced in handling privacy breach incidents. By notifying right away, it can ensure that costs can be reviewed for approval by the carrier, avoiding issues with misinterpretation of what the cyber policy provides coverage for.

What does cyber insurance cover?

In this day, many, if not all, businesses utilize computers and other devices connected to the internet to complete daily tasks. While these devices certainly make doing business faster and easier, using computers and the internet brings an inherent cyber risk that can threaten a company’s entire operation.

However, many businesses may not realize they need cyber insurance or may not understand exactly what it covers – one survey found that 91% of small business owners do not have cyber insurance for this very reason. It’s common for small businesses to think their other policies – property, liability, business interruption – cover cyber-related incidents. Still, often those policies do not explicitly include or exclude cyber, leaving coverage in a grey area. The best way an organization can protect itself is to have a cyber insurance policy, especially considering any organization, from large corporations to mom and pop hardware stores and school districts, can be regularly hit by cyberattacks.

Cyber insurance, or cyber liability insurance, often provides coverage for certain losses incurred from data breaches and can help protect companies from a range of cyberattacks. The extent of cyber liability coverage will vary depending on the industry, the type of business and its specific needs. At a minimum, cyber insurance helps companies comply with state regulations that require a business to notify customers of a data breach involving personally identifiable information (PII).

Research shows that the cost of a data breach for a company with fewer than 500 employees has increased from $2.35 million in 2020 to $2.98 million in 2021. A typical cyber insurance policy looks to cover the following costs:

  • Data breach investigation
  • Data, systems and websites restoration
  • Ransomware payments and remediation
  • Income loss for business interruption
  • Expenses and income loss should a supplier experience a cyberattack
  • Restoring reputation and customer relationships
  • Cyber incident response, including legal fees, notifying affected individuals, public relations and more
  • Regulatory fines imposed by governmental agencies
  • Media liability for lawsuits involving libel, defamation, slander, copyright infringement, violation of privacy, plagiarism, etc.
  • Misdirected payment assistance resulting from a compromised business email account

How Does Cyber Insurance Benefit Small Businesses?

Small businesses are often a target for cybersecurity attacks. However, many business owners may believe that their information is not worth stealing or simply that “it won’t happen to me.” Smaller organizations should keep in mind that they still hold data many cybercriminals are after, such as employee and customer information, bank and credit card data and more. Any company that relies on technology such as email, keeps records filed electronically, and uses computers, phones and/or tablets, could benefit from a cyber insurance policy.

Cybercriminals also know that many small businesses lack the resources larger corporations have in place to protect their sensitive data. Cyber insurance often comes with complimentary services to help protect a small business from falling victim to a data breach. These services include having access to counsel from cybersecurity experts, cybersecurity education and training for employees, and scanning systems for potential vulnerabilities. In other words, a cyber insurance policy can provide many levels of protection that a small business needs to reduce its chances of suffering a breach.

Small business owners should be aware that the premiums on a cyber insurance policy designed to support their business’s unique risks and budget will cost a fraction of the amount the company could spend recovering from a cyberattack. Maintaining cyber insurance will help keep the business operational after an attack, and it also demonstrates to their customers that their well-being and privacy are top of mind.

Cyber insurance will not stop a data breach from occurring. However, a cyber policy provides the peace of mind small business owners need that a cyberattack will not result in the closing of their doors permanently.

The 20 most common passwords leaked on the dark web

Posted on

As seen on securitymagazine.com by Maria Henriquez on April 29. 2022

Data breaches are at an all-time high. According to the Identity Theft Resource Center’s (ITRC) 2021 Annual Data Breach Report, there were 1,862 data breaches in 2021 — a 68% increase over breaches in 2020. And, new year-over-year results indicate a fast start to data breaches in 2022, as more than 90% of data breaches are cyberattack-related. 

When data breaches happen, emails and passwords associated with online accounts are also commonly leaked, leaving consumers at risk of phishing scams or identity theft.  According to Lookout, on average, 80% of consumers have had their email leaked on the dark web.

Here is the company’s list of the top 20 passwords found on the dark web, due to data breaches: 

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 12345
  6. 12345678
  7. 111111
  8. 1234567
  9. 123123
  10. qwerty123
  11. 1q2w3e
  12. 1234567890
  13. DEFAULT
  14. 0
  15. Abc123
  16. 654321
  17. 123321
  18. Qwertyuiop
  19. Iloveyou
  20. 666666

Do you spot your password on this list? The National Institute of Standards and Technology (NIST) has developed specific guidelines for strong passwords. According to NIST guidance, you should consider using the longest password or passphrase permissible (8–64 characters). Try different variations of a passphrase and avoid common phrases, famous quotations, and song lyrics.

BlackCat/ALPHV ransomware breaches 60+ organizations

Posted on

As seen on securitymagazine.com by Maria Henriquez on April 25, 2022

As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) has compromised at least 60 entities worldwide, according to a new report by the Federal Bureau of Investigation (FBI), which details detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV.

BlackCat is the first ransomware group to successfully breach organizations using RUST, considered to be a more secure programming language that offers improved performance and reliable concurrent processing.

In addition, BlackCat/ALPHV ransomware leverages previously compromised user credentials to gain initial access to the victim system. According to the FBI, once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial malware deployment leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise; steals victim data prior to the execution of the ransomware, including from cloud providers where company or client data was stored; and, leverages Windows scripting to deploy ransomware and to compromise additional hosts.

Black-Cat affiliated threat groups typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount. Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations.

The FBI recommends organizations:

  1. Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  2. Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  3. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
  4. Use multi-factor authentication where possible.

Insider risk: Are you monitoring employees working outside your network?

Posted on

As seen on securitymagazine.com on April 29, 2022 by Jay Godse

Every employee is hired to do a job, but every employee also represents a potential risk to their company. In the past year, 68% of employers have noted an increase in insider attacks. The top attacks include fraud, monetary gain and IP theft and cost companies millions of dollars.  

One major reason for an increase in insider risk in the past year is remote work. Not only are people outside of their manager’s physical view, they are often working outside of their company’s network. Companies need a new approach to ensure they have the insights to help stop insider attacks. 

The Shift to Remote Work Creates Blind Spots 

With millions of people now working from home, the concept of work has changed forever. Weekly one-on-one meetings are now on Zoom, and there’s little water-cooler chatter. This means that managers may have a harder time identifying employees that may pose a threat to the company, and employees may feel less loyal to their employer. From small acts of theft such as sharing customer contacts with a competitor, to crimes such as embezzlement, remote work can make it easier for managers to miss signals that someone may be likely to act out. 

In addition to remote management, employees also have more technical freedom. For years it was the norm for employees to be logged into a computer from an office. When in the office, employees are automatically connected to the company’s network. This gives the company the ability to easily monitor the activity on each computer in a centralized way. CIOs can ensure that passwords are updated and sensitive files are not accessed by anyone who isn’t allowed to use them. HR managers are able to check email accounts and chat conversations to ensure no one is being harassed. And there is a trail of information should any employee decide to commit theft or fraud — from keystrokes to website visits — all of the information would be owned by the company. 

As the pandemic shifted millions of jobs to the home office, CIOs found that their computer networks became more difficult to maintain. There are costs and inherent security risks in VPN and other remote access, and so many companies have allowed employees to work each day on a computer that is not tied into the network. 

This creates a huge number of endpoint blind spots for companies. Individuals may log into specific company platforms, which can be traceable, but are also able to do whatever else they want on their computer with little or no oversight. Creating any kind of case would require some serious investigative work, including physically obtaining the computer from the remote employee.  

Bringing Remote Workers Closer 

The combination of physical distance from the office as well as working outside of the network makes it too easy for employees and other insiders to be emboldened. At the same time, many people have dealt with a variety of stressors over the past two years, from the pandemic to adjusting to a work-from-home environment. Without the ability to meet in person, managers need a new way to ensure employee well-being and raise red flags if employees appear to be a risk to the company. 

Update management training: For example, managers should receive updated training to help them make better connections with remote employees, help them to successfully onboard new employees and look for changes in behavior or signs that someone is unhappy.  

Create risk best practices: Everyone in the company should be made aware of insider risk and be given information about how to report potential risks to the correct people in the organization. 

Invest in remote insider risk technology: Especially important, companies need to invest in technology that provides the insight that is missing outside of the network. Insider risk technology that works at the endpoint or device level ensures that there are no more blind spots, and companies have the ability to monitor and identify possible issues. Predicting risk is a multi-faceted challenge. For example, for emails to be a marker of risk, the count, the timing, the attachment types, the recipients, the content sentiment all play together to attribute an action as risk. It’s not a manual task and hence unique solutions are required. What’s more, insider risk technology built for remote work can help companies that are victims of an attack — enabling them to quickly and easily build a case. 

Insider risk has changed considerably with the rise of remote work, and it’s important for companies to change, as well. With updated communication, management, and technology in place, companies can stop insider risk and embrace the positives of remote work. 

A 3-step approach to cyber defense: Before, during and after a ransomware attack

Posted on

incident-response-freepik1170x658v6.jpg

As seen on securitymagazine.com on May 3, 2022 by Andy Stone

It was not too long ago when ransomware attacks were at the bottom of everyone’s radar. Today, cyberattacks — specifically ransomware attacks — dominate headlines as they’ve become more sophisticated, direr and more frequent. What warranted less than 10 minutes on the agenda in the C-suite is now arguably among the most pressing issues that organizations face around the world. 

As we’ve seen with the cyberattacks on the Colonial Pipeline, Springhill Medical Center and JBS Foods, the effects of cybercrime go beyond a hefty price tag. Oftentimes, lives and livelihoods are also at stake. Although organizations have recognized the clear risks that cyberattacks pose, there is still a gap in understanding the security measures that need to be in place to mitigate these attacks in the first place as well as what to do when they happen — because they will happen.

In my own experience, formulating a before, during and after approach is key to organizational sanity and survival in a world increasingly dominated by ransomware attacks. In this article, I’ll walk you through the template I use to assess each phase of my ransomware mitigation plan. 

Before: Beware Business as Usual

For organizations that have never experienced a cyberattack, the preparation phase often can fall behind. Yet preparation is paramount to mitigate the growing risks of a ransomware attack in today’s digital world. Companywide buy-in is the first step to bolstering defenses and ensuring a quick response when faced with an attack. When implementing preventative measures, here are the five core areas to keep top of mind:

●    IT hygiene: Once threat actors gain access to an environment, they look to exploit key systems and sensitive data. Performing good data hygiene and having a well-defined patch management program are crucial to preventing breaches. Often, by the time a vendor releases a patch, cybercriminals have already been made aware of a vulnerability. Given this tight timeframe, critical patches should be made within 24 hours, while other levels of criticality range in the timeframe expected, but should be made no more than 30 days later.

●    Multi-factor authentication: It has been said that employees are the weakest link in cybersecurity as poor password management practices can create vulnerabilities. With multi-factor authentication, an added layer of security protects against issues that arise when the same password is used across multiple accounts.

●    Admin credential vaulting: In addition to poor password management practices, improperly secured shared resources can create vulnerabilities. Vaulting credentials and admin credentials provide extra safeguards for credentials of shared resources on your network, offering a repository with passwords automatically refreshed after each login.

●    Consistent logging: Security and access logs are crucial before and after an attack. They provide critical indicators of compromise to help identify a potential adversary before an attack is launched. Additionally, a good logging solution can help identify the source of an attack and provide required proof of compliance to regulatory agencies. However, it’s not enough to just maintain security logs, they need to be protected as well.

●    Fast analytics: Quick, real-time analytics leveraging security logs will help spot suspicious behavior and send timely alerts on potential attacks. Implementing a fast analytic platform across three vectors: the endpoint, the network and the end user, can help you spot indicators of compromise and allow threat hunters to eradicate threats before an attack is launched and data is compromised.

●    Critical employee training: Set clear Internet and email policies and issue relevant end-user awareness training for employees across the organization. Follow up-to measure efficacy and use that information to identify weak spots where additional training may be needed. However, it’s critical to understand that employee education isn’t enough. Executive management and boards must also be trained via tabletop exercises on how events will unfold and how to respond during a cyber attack.

During: As the Attack Unfolds

An organization’s exact business continuity and disaster recovery plan will depend on its business and the specific breach, however, there are steps that should be taken across the board regardless of industry or sector. As an attack plays out, the organization’s business continuity and disaster recovery plan will need to be put into action. At this point, containing the attack and locking down the environment is the first step. Isolate impacted systems on the network without fully shutting down systems or turning off the power as this could reduce the ability to forensically analyze those devices later. In addition, here are four other steps you should take:

  1. Put your backup communications plan into action: If your email systems are down, continue communications within your organization using your backup communications plan. Use this method to inform leaders and internal stakeholders of the attack.
  2. Mobilize your emergency response team: This team will look different depending on your organization, but each person on the team should have clear marching orders. This team may include legal counsel, forensic experts, corporate communications and other key players.
  3. Initiate your external communications plan: Get in contact with authorities, cyber insurance providers, regulators, media and other critical partners to inform them of the situation. The plan should also include notifications to affected customers and businesses. Be sure to have a clear statement drafted that details the situation and your subsequent plan of action.    
  4. Start the forensic process: Triage impacted devices for forensic review. The sooner your team can identify what type of attack was launched and its severity, the sooner your team can apply patches. 

After: Steps to Recovery

There’s only one thing that matters after an attack, and that’s SPEED. While having the proper precautions in place to prevent an attack and respond to an attack are essential, it’s equally as critical that organizations plan for recovery. As part of a solid disaster recovery plan, organizations should have a recovery environment that has been staged, tested and ready to go, providing a tried-and-true way to get back online right after an event. Once an attack has run its course, you may be faced with a choice to pay a ransom. Whether you decide to pay or not, at this point, you’re also working to minimize damage and get back online as quickly as possible.

Of note, in many cases, an organization will not be able to reuse production devices that may have been implicated in an attack. As a result, having a clear line of sight into an additional recovery kit should also be planned. 

Based on your response plan, you’ll need to prioritize which systems should be recovered and restored first. There will be a number of application dependencies that will need to be worked through. As you continue the forensic process, it will be important to work in tandem with the proper authorities, including regulatory agencies and authorities. As you begin the restoration process, make sure to do so in an offline environment that allows teams to identify and eradicate any persistent malware infections.

Throughout the whole recovery process, communication will be key. Be sure to consistently communicate progress each step of the way to all affected parties. This includes but is not limited to employees, customers, investors and business partners. It’s also important to keep any affected service providers or suppliers in the loop and ensure they take the necessary steps to prevent another breach.  

Looking ahead

It’s almost naïve to think that your organization won’t be affected by a cyberattack or breach at some point. Cybercriminals will undoubtedly continue to innovate and evolve, and we can expect ransomware to get even more creative and capable of even greater damage. Although we can’t predict the next big ransomware attack, we can certainly prepare ourselves by continuing to evolve our cybersecurity strategy. 

Social networks most likely to be imitated by criminal groups

Posted on

As seen on securitymagazine.com by Maria Henriquez on 4/20/22

Social media networks have now overtaken shipping, retail and technology as the category most likely to be targeted by criminal groups, according to new research from Check Point.

The Brand Phishing Report for Q1 2022 highlights the brands that criminals most frequently imitated in their attempts to steal individuals’ personal information or payment credentials during January, February and March 2022.

So far this year, LinkedIn has been related to more than half (52%) of all phishing-related attacks globally, marking the first time the social media network has reached the top of the rankings.

It represents a dramatic 44% uplift from the previous quarter when LinkedIn was in the fifth position and related to only 8% of phishing attempts. LinkedIn has now overtaken DHL as the most targeted brand, which has fallen to the second position and accounted for 14% of all phishing attempts during the quarter.

The report highlights an emerging trend toward threat actors targeting social networks, even more than shipping companies and technology giants like Google, Microsoft and Apple. 

Below are the top brands ranked by their overall appearance in brand phishing attempts:

  1. LinkedIn (relating to 52% of all phishing attacks globally)
  2. DHL (14%)
  3. Google (7%)
  4. Microsoft (6%)
  5. FedEx (6%)
  6. WhatsApp (4%)
  7. Amazon (2%)
  8. Maersk (1%)
  9. AliExpress (0.8%)
  10. Apple (0.8%)

Security leaders are not surprised that threat actors are targeting social media networks now. “It makes sense for attackers to use LinkedIn as a hook for socially engineered phishing attacks, as it is generally accepted as a usable, professional platform,” says Hank Schless, Senior Manager, Security Solutions at Lookout. “However, it’s not that different from any other social platform where an attacker can create a fake but convincing profile and message one of your employees with a malicious link or attachment.”

With LinkedIn moving up the list of platforms used in phishing-related attacks, Schless suggests organizations update their acceptable use policies (AUPs) to protect employees and mitigate the risk of web-based attacks.

“Cloud-based web proxies such as secure web gateways (SWGs) that are fed by rich threat intelligence datasets can help organizations build dynamic AUPs and protect enterprise data,” Schless says. “SWG is a critical solution to have in the modern enterprise security arsenal as it acts as a way to block accidental access to malicious sites, and can also be a safe tunnel to protect users from modern web-based threats such as ransomware, other malware, and phishing attacks.” 

Electric vehicles are taking over. Hackers are waiting

Posted on

As seen on securitymagazine.com by Robert Nawy on 4/20/22

Electric vehicles (EV) are a vital part of the present (and future) state of the U.S. auto market. After decades of hope and hype, the rapid adoption of electric vehicles is finally upon us. In 2011, there were only 16,000 battery and plug-in hybrid electric vehicles on the road. In mid-2021, that number had grown to over 2 million vehicles. In fact, auto executives expect over 50% of U.S. vehicles to be all-electric by 2030. 

The Bipartisan Infrastructure Deal includes $7.5 billion to plan and build a robust network of EV charging stations, a sizeable down payment toward developing a nationwide system. But of what of the extensive and complicated network needed to service those electric vehicles?

It took decades for a hodgepodge network of gas stations to crisscross the nation, with policies and procedures created by individual oil companies before proper government oversight or planning ensued. A state or nationwide electric vehicle charging network will require thorough planning and significant investment. Despite lofty goals, projected EV usage increases and plans to keep them rolling along America’s highways, one crucial challenge remains woefully undiscussed: EV charging station cybersecurity.

Last month, a 19-year-old tech security specialist used TeslaMate, a third-party software app, to successfully hack into 25 Tesla vehicles in more than a dozen countries. It was the first reported incident of a third-party app being used to hack and obtain access to vehicle data and controls, a clear indication of the risks associated with EVs.

Tesla is hypervigilant about cybersecurity, yet hackers still found a way to compromise their systems. As electric vehicles become an even larger portion of the automobile market, a disturbing cyber threat is the installation of potentially unprotected EV charging stations across the country. Without a heavy emphasis on cybersecurity, these stations could become a hacker superhighway.

Electric vehicles adoption to increase

In a nutshell, EV charging infrastructure is a device (or set of devices) that waits for another device to connect and begin communicating without a 3rd party firewall or other cybersecurity devices to act as a shield — all those technologies must be built into the charging station itself. As seen with MS Windows, a third party is often necessary to secure technologies like this as the tech itself tends to lack proper cyber protection.

The complexity and rapid adoption of EV charging stations/technologies make them especially vulnerable to attacks as certain security measures may be overlooked. Electric vehicle charging stations appear highly vulnerable to hackers. Last year, the U.S.-based Colonial Pipeline fell victim to a foreign-fronted cyberattack due to a single compromised password. This one vulnerability halted fuel supply processes in the Eastern U.S. and cost the company $4.4 million in ransom. Now, think of a hack that could cripple EV charging stations across California. More open doors provide more opportunities for hackers to break into and potentially control sophisticated EVs.

The demand for electric vehicles is rising dramatically. According to Gartner, EV charging stations are expected to increase from 1.6 million units in 2021 to 2.1 million units this year. It also predicted that electric cars (battery-electric and plug-in hybrid) shipping would rise to 6 million in 2022, a 50% increase over 2021. Furthermore, at COP26 in November 2021, the Zero Emission Vehicle Transition Council announced that vehicle manufacturers will commit to selling only zero-emission vehicles by 2040 and earlier in leading markets.

One incentive to boost EV adoption essentially rolls out the red carpet for hackers. Today, EV drivers can save or earn money by giving the power stored in their battery back to the grid or supplementing their home or office’s electric needs. Unfortunately, this connectivity opens doors to cyberattacks from data breaches. 

The best way for cybersecurity leaders to protect charging stations from security breaches is to consistently monitor for cyberattacks — both known and unknown. For instance, utilities use technology like IPKeys Cyber Partners’ evolving VSOC (Vehicle Security Operations Center) platform. This software enables cybersecurity for the post-production phase. It is critical to ensure the security of connected vehicles and the smart mobility ecosystem, allowing companies to monitor their entire infrastructure and vehicles in real-time, utilizing automotive-specific analytics to detect cyber threats.

Automotive cybersecurity is still a relatively new domain, developing quickly to keep up with the fast-paced technological developments in the industry and the increasing number of cyber incidents. Unfortunately, traditional automotive safety regulations and security standards do not sufficiently cover the cyber threats related to modern-day connected vehicles.

EV charging infrastructure is as vulnerable to suffering from cyber threats as any other connected device. Still, the complexity and quick evolution of the technology and connected devices put this technology, especially, at risk. They will require the same type of monitoring and protection to ensure they do not open doors for cybercriminals to walk through, whether on the device itself or through a third-party app. As the use of electric vehicles grows and EV charging stations are installed across the country, it’s imperative that we focus on advanced cybersecurity measures to keep drivers safe and secure the critical data our vehicles contain.