Cybersecurity News & Trends

/0 Comments/in /by

SonicWall hits industry news with the unveiling of the Boundless 2022 global virtual partner experience, hosted by a legendary celebrity duo – learn more. In general news, Microsoft discloses hackers are using device registration to attack enterprises, and they’re also going after your Instagram accounts. In addition, the talent gap in cybersecurity is widening, SBA announced $3 million in grants for small business cybersecurity development, and cybersecurity is broken (but Dark Reading has ideas how to fix it).

Industry News

Register Now for Boundless 2022 – The Global Virtual Partner Experience

Reinforcing ongoing commitment to its partners and customers, SonicWall unveiled Boundless 2022, a virtual international marquee partner event, Feb. 23 & 24. Boundless 2022 will allow attending partners to hear first-hand about SonicWall’s technology vision product investments and gain a deeper understanding of the company’s customer commitment from SonicWall executives. It will also include an appearance from a legendary celebrity duo.

Hackers Using Device Registration Trick to Attack Enterprises with Lateral Phishing

The Hacker News: Microsoft has disclosed details of a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices on a victim’s network to propagate spam emails further and widen the infection pool. The tech giant said the attacks manifested through accounts not secured using multi-factor authentication (MFA). Without MFA, attackers could take advantage of the target’s bring-your-own-device (BYOD) policy to introduce their own rogue devices using the pilfered credentials.

Hackers Hijacking Instagram Accounts Of Companies And Influencers, Demanding Ransom

ZDNet: Hackers are hijacking the Instagram accounts of companies and influencers with huge followings in a new phishing campaign identified by Secureworks. In October, the cybersecurity company said it discovered the effort, finding hackers taking over prominent accounts and demanding a ransom. The people behind the attack start by sending a message pretending to be Instagram, notifying Instagram users of a purported instance of copyright infringement. A link in the message takes victims to a website controlled by hackers. From there, the user is asked to enter their Instagram login information, giving the attackers full access to their accounts.

Cybersecurity Is Broken

Dark Reading: One significant development in the threat landscape is the corporatization of hacking. As with any burgeoning industry, hacking groups have implemented more organization to their structure to scale up. Plus, malware has gotten “smarter,” variants proliferate, and attackers take advantage of the distributed workforce. But the biggest impediments to better cybersecurity, say the authors, is that we stop conceptualizing cybersecurity as a wall and cease our reactive approach for tamping down attacks. Instead, companies need a security stack; efficiently layered to disrupt as many attack methods as possible.

The Widening Cybersecurity Talent Gap

Forbes: Over the past few years, one issue has remained prevalent and will continue to be as we head into 2022: a cybersecurity workforce shortage and talent gap. This is becoming a more recognizable problem as companies come to grips with the reality of cyberattacks, crime and the havoc they’re bringing on their victims. But, unfortunately, these aren’t just big names covered by the media; they’re businesses next door that might’ve already become a statistic of cybercrime.

SBA Announces $3 Million in Grants for Small Business Development

Small Business Trends: The Small Business Administration (SBA) has announced $3 million in new funding for state governments to assist emerging small businesses in developing their cyber security infrastructure. The new funding will help create a safer cyber environment for small businesses by giving them the proper training and tools to help make them less prone to potentially crippling cyberattacks. The funding is part of the Cybersecurity for Small Business Pilot Program, offered through the Office of Entrepreneurial Development.

APTs Quiet Ahead of Beijing Games, But Financially Motivated Hackers Are Lurking

Cyberscoop: State-sponsored hacking groups have been uncharacteristically quiet, leading up to the Olympics next month in Beijing. Researchers say there’s one big reason why: No one wants to get on the wrong side of China. Advanced persistent threat (APT) groups from Iran and Russia, while unlikely to attack China or the games, probably will use the event as a chance to spy on countries considered adversarial, researchers say. Potential avenues for surveillance include unique mobile SIM cards offered to foreign athletes to avoid the Chinese firewall and the MY2022 Olympic Games app all attendees must install.

Hackers Steal $80 Million In Cryptocurrency From The Qubit Defi Platform

The Verge: Qubit Finance, a decentralized finance (Defi) platform, has become the latest victim of a high-value theft, with hackers stealing around $80 million in cryptocurrency on Thursday. The value of cryptocurrency stolen makes this the largest hack of 2022 so far. Qubit Finance acknowledged the hack in an incident report published through Medium. According to the report, the hack occurred at around 5 PM ET on the evening of January 27th. Qubit provides a service known as a “bridge” between different blockchains, effectively meaning that deposits made in one cryptocurrency can be withdrawn in another. For example, Qubit Finance operates a bridge between Ethereum and the Binance Smart Chain (BSC) network.

Despite Attacks, Companies Leave Vast Amounts of Sensitive Data Unprotected

ProPublica: Companies leave data exposed online with little or no security, says Pompompurin, a pseudonymous hacker who posted millions of stolen records. The hacker then cited the attacks on RaidForums, a discussion board popular with cybercriminals seeking personal data. Pompompurin told ProPublica that he often doesn’t need to do much hacking to get his hands on sensitive personal data. Many times, it’s left in cloud storage folders available to anyone with internet access. Pompompurin said he scans the web for such unguarded material and then leaks it on RaidForums “because I can and it’s fun.”

Ransomware Hackers Have a New Tactic: They Call You Directly

NBC News: Wayne didn’t know his son’s school district had been hacked — its files stolen and computers locked up and held for ransom — until last fall when the hackers started emailing him directly with garbled threats. “We hold control on the network several months, so we had a ton of time to carefully study, exfiltrate the data and prepare attack,” said one of the three emails he received. If his son’s district, the Allen Independent School District in the Dallas suburbs, didn’t pay up, all its files, including information on him and his son, “would be released in the dark market.” It was a credible threat. Ransomware hackers frequently leak files of organizations that don’t meet their demands and have littered the dark web with school children’s personal information.

In Case You Missed It

Oracle MySQL Server InnoDB Memcached Vulnerability

/in /by

Overview:

  MySQL is a popular open-source implementation of a relational database that supports the Structured Query Language (SQL) for querying and updating stored data. Communication with the database occurs using the MySQL protocol. As with other database implementations, MySQL supports a number of database storage engines, with InnoDB as the default backend.

  A buffer overflow vulnerability has been reported in Oracle MySQL. The vulnerability exists in the InnoDB memcached plugin component.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted packet to the vulnerable server. Successful exploitation will allow an attacker to execute arbitrary code in the context of the application.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-2429.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C).

  Base score is 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is low.
    • Impact of this vulnerability on data integrity is low.
    • Impact of this vulnerability on data availability is low.
  Temporal score is 6.4 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  A heap buffer overflow vulnerability exists in MySQL InnoDB-memcached plugin when it is handling the incoming get command. This is performed in the innodb_get() function. When there was “@@store_name” notation inside a get command, the vulnerable function will execute the code branch to switch tables. During the implementation, it will retrieve the schema (db_schema) and table (db_table) information using the supplied store_name, and build the table_name by following format string (depending on Windows platform or not):

  %s\%s

  or

  %s/%s

  For the above example, when the memcached server received a get command as “get @@aaa”, the table_name will be built as “ts1\tab1”. Then, this table_name will be copied into a heap buffer with fixed size of 16384. If there were multiple “@@store_name” notations in one get command, all generated table_name will be copied into this buffer in order. However, the vulnerable function failed to validate the total length of these table_name strings and this could result in the said heap buffer overflowed.

  Memcached Get Data

Triggering the Problem:

  • The target host must have a vulnerable version of the affected product installed and running.
  • The target product must have the InnoDB-memcached plugin enabled.
  • The attacker must have the means to deliver crafted packets to the target service.

Triggering Conditions:

  The attacker sends a malicious Memcached get request to the target server. The vulnerability is triggered when the server processes the malicious request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • Memcache, over port 11211/TCP

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 3109 MySQL InnoDB Memcached Plugin DoS

Remediation Details:

  Listed actions that may be taken in order to mitigate or eliminate the risks associated with this vulnerability.
    • Limit access to the database to allow trusted users only.
    • Restrict remote connections to trusted hosts only.
    • Filter attack traffic using the signature above.
    • Upgrade the vulnerable product to a non-vulnerable version.
  The vendor, Oracle, has released the following advisory regarding this vulnerability
  Vendor Advisory

Unpacking the U.S. Cybersecurity Executive Order

/0 Comments/in , /by

Amid the 2021 wave of frequent, high-profile ransomware attacks on U.S. organizations, the White House issued its “Executive Order on Improving the Nation’s Cybersecurity.” Section 3 of the order states:

The federal government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”

There are several important implications in this section that will have lasting impact on the cybersecurity industry as a whole.

Zero Trust Architecture

The Zero Trust cybersecurity model implements the elusive concept of “never trust, always verify.” While the concept has been around for longer than most practitioners realize, the recent uptick in cybercrime and the responding push by various security analysts and vendors has put the idea back in the spotlight.

The executive order directs government agencies to move towards a Zero Trust model, but the effects will be much further reaching. As government agencies rush to implement Zero Trust, enterprises working with these agencies are expected to follow suit to protect both the government and their own infrastructure. This will accelerate the already-in-progress shift to Zero Trust security.

Unfortunately, malicious actors don’t discriminate between federal agencies and the private sector. Whether your organization is a small business trying to get off the ground or an established one with millions of dollars’ worth of federal government contracts, it’s essential for it to follow the best practices and implement Zero Trust Network Access (ZTNA).

A Move Towards the Cloud

I remember when as-a-service cloud solutions were first introduced. Most vendors had two sets of offerings — one in the cloud and another in the form of an appliance for government agencies that were cloud averse. Those days are long gone: Today many cloud providers have their own government-sanctioned, FedRamp-compliant cloud solutions.

This executive order is asking the federal government to embrace and implement cloud XaaS solutions, be it SaaS, IaaS or PaaS. Due to federal regulations, government agencies were the last holdouts to cloud transformation, and this order is removing that hurdle.

Whether your organization is using cloud services like AWS, Azure or Google Cloud, or is running its own private cloud, it is important to plan and implement security guard rails in your architecture from the beginning.

Centralized Management

Note that the order is asking for a centralized and streamlined access to analytics. While this is not directly mandated in the order, this screams cloud delivered management services. After all, what better way to centralize and streamline access to a resource than by putting it on the cloud? However, there are many pitfalls associated with this approach.

IT Supply Chain: A Word of Caution

The recent pandemic has shown how interconnected the global supply chain really is. We are seeing delays and increased costs in everything from electronic chips to bicycle parts. Security admins should also consider the interdependencies of security in their IT supply chain.

Recent high-profile attacks like that on SolarWinds reiterated the old adage that any system is only as strong as its weakest link. Many multinational enterprises were impacted because they were using SolarWinds’ technology. Malicious actors infiltrated the supply chain of SolarWinds and inserted a backdoor into their product. When customers downloaded the Trojan Horse installation packages from SolarWinds, it gave hackers access to the partners’ environment. This was a sophisticated attack: the cybercriminals even randomized their code in order to bypass the traditional scanners looking for known indicators of compromise (IOC).

Unfortunately, one of the downsides of moving to the cloud is the dependency on other vendors’ infrastructure and security practices. This issue becomes even more relevant as the cloud infrastructure becomes more complex and interconnected.

Security admins would be wise to audit their partner infrastructure, especially XaaS ones, to ensure that they are not inadvertently integrating with a vulnerable environment.

Cybersecurity News & Trends

/0 Comments/in /by

In industry news, a new business survey explores why employees violate cybersecurity policies designed to keep their businesses safe. Also, there’s a lot of reporting on how the US power grid has improved, but experts say they still need stronger cybersecurity. In other news, the International Red Cross organization suffered a breach, Crypto.com says hackers stole more than $30 million in Bitcoin and Ethereum, cryptocurrency values take a sharp dive as Russia explores a complete ban on crypto mining and trading, and the CISA is urging US organizations to prepare for data-wiping attacks similar with what hit Ukraine last week.

Industry News

Research: Why Employees Violate Cybersecurity Policies

Harvard Business Review: Many organizations have focused their security investments on technological solutions in the face of increasingly common (and costly) cyberattacks. However, as many consultants and experts know, attackers also rely on some insider (an employee or other member) knowingly or unknowingly allowing a bad actor into secure areas. What is behind these acts that can tear down even the most advanced security solutions? HBR published a recent study that suggests that most intentional policy breaches stem not from some malicious desire to cause harm but rather from the perception that following the rules would impede employees’ ability to get their work done effectively. Therefore, under heat for productivity, employees are more likely to violate security policies on days when they are more stressed out. The study they cite suggests that high-stress levels can reduce people’s tolerance for following rules that seem to get in the way of doing their jobs. In light of these findings, the authors suggest how organizations should rethink their approach to cybersecurity and implement policies that address the fundamental, underlying factors creating vulnerabilities.

Biden’s Cybersecurity Policies Praised Despite the Persistence Of Ransomware

NBC News: From Russian cyberespionage to attacks on crucial supply chains, the Biden administration has had no shortage of cybersecurity challenges to face. While ransomware was a rapidly escalating problem before Biden took office, it became undeniable last year. Hackers, often operating with seeming impunity within Russia, extorted US hospitals and schools, a major oil pipeline company and the country’s largest beef distributor. Experts say a year later, the Biden administration has done a decent job with cybersecurity policy, filling crucial roles and hardening the country’s infrastructure cybersecurity. But they also warn that ransomware hackers will likely continue to target Americans and that Congress hasn’t helped the country’s security as much as it could.

US Power Grids Need Stronger Cybersecurity

Bloomberg: According to the country’s top energy regulator, the US power grids need to boost their cyber defenses to find hackers faster to keep them from gaining control over operations. According to a notice issued Thursday, the Federal Energy Regulatory Commission is proposing to develop standards to monitor devices or equipment on bulk power systems. The proposed standards would seek to find hackers lurking within networks instead of current efforts that use a perimeter defense that focuses on trying to keep attackers out of sensitive networks. A massive breach using software from Texas-based SolarWinds Corp. in 2020 is one example of how attackers can bypass such defenses through trusted vendors.

Indonesia C.Bank Says Ransomware Attack Did Not Impact Services

Reuters: Indonesia’s central bank said on Thursday that it had been attacked last month by ransomware, but the risk from the attack had been mitigated and did not affect its public services.

Albuquerque Public Schools (APS) Resolves Effect of Ransomware Attack

APS News: The cyberattack that forced a two-day cancellation of classes last week at Albuquerque Public Schools was the victim of a ransomware event in which there was some extortion demand. But APS officials are not saying what was demanded nor whether they negotiated with the attackers.

International Red Cross: Supply Chain Data Breach Hit 500K People

InfoSecurity: The International Committee of the Red Cross (ICRC) has revealed a significant data breach that compromised the personal details of over 515,000 “highly vulnerable” victims. The data was stolen from a Swiss contractor that stores the information on behalf of the global humanitarian organization headquartered in Geneva.

Data Breach Customer Relations: What NOT To Do

InformationWeek: Some companies try to keep a data breach relatively quiet by following only the minimum legal requirements and hoping it will blow over. From experience, say experts, it’s much more likely to blow up than blow over. This article looks at some “bad behaviors” that managers may want to avoid.

Top 3 Small-Business Cyber Threats That Many Businesses Still Haven’t Heard Of

Inc Magazine: A study released Wednesday from the San Diego-based CyberCatch, a cybersecurity platform provider focusing on small and mid-size businesses, reveals that more than 30 percent of US small businesses have weak points that bad actors can exploit. Moreover, fraudsters tend to set their sights on small businesses since smaller companies usually have weaker security safeguards than those at larger companies. Some of the vulnerabilities that the survey named as “unknown” to small businesses include “spoofing,” “clickjacking,” and “sniffing.”

Crypto.Com Says Hackers Stole More Than $30 Million In Bitcoin And Ethereum

CBS News: The cryptocurrency exchange Crypto.com, known for its viral commercial starring Matt Damon as well as its recent $700 million deal to rename the Staples Center in Los Angeles as Crypto.com Arena, said the hackers managed to bypass its two-factor authentication system and withdraw the funds from 483 customer accounts, according to a statement the Singapore-based crypto exchange posted Thursday on its corporate blog.

Crypto-Exposed Stocks Sink Amid Bitcoin’s Decline, Broader Market Rout

CoinDesk: Stock declines come as prices for Bitcoin have dropped almost 11% in the past 24 hours, trading below $40,000 for the first time in months. Crypto watchers note that as bitcoins, in general, are getting hammered, crypto miners are seeing their revenues fall sharply. They also point out the double-whammy as Bloomberg, and other outlets reported that Russia’s central bank is proposing a complete ban on crypto mining and trading.

CISA Urges US Orgs to Prepare For Data-Wiping Cyberattacks

Bleeping Computer: US organizations are getting another warning to strengthen their cybersecurity defenses. This time, the CISA is concerned about recent data-wiping attacks that targeted Ukrainian government agencies and corporate entities. Several major entities suffered coordinated cyberattacks where hackers defaced websites and distributed data-wiping malware that corrupted data and rendered Windows devices inoperable. Sources believe that the attackers likely conducted the website defacements using a vulnerability in the OctoberCMS platform. Ukrainian authorities are also investigating what role Log4j vulnerabilities and stolen credentials may have played in the attacks. The message: update your security and keep a watchful eye on all activity.

In Case You Missed It

Traces of an Android malware yet again lead to a Github repository

/in /by

SonicWall Threats Research team identified yet another Github repository that might have been used to create and release an Android malware in the wild, this time its AndroRAT.

Specifics for the sample that was identified in the wild:

  • MD5: f1d83d43b21478c349f2ee515aef4271
  • Application Name: Google Service Framework
  • Package Name: com.IiIiIiIi.IiIiIiIiIiIiiIIIIiIiI

 

Using this repository a malicious app can be configured with the following options:

 

We created a test app using this repository and compared the code of both the applications. The code looks identical:

The application identified was created with the following options as can be seen from the config class:

 

The application requests for a number of permissions, some of them are capable of accessing sensitive user information:

  • Receive_boot_completed
  • Wake_lock
  • Camera
  • Read_external_storage
  • Write_external_storage
  • Read_sms
  • Access_fine_location
  • Access_coarse_location
  • Read_call_log
  • Record_audio
  • System_alert_window

 

This gives a taste of the components in this malware. The  application contains a multitude of malicious functionalities and is capable of accepting commands from the attacker, some of them are listed below:

  • exit
  • camList
  • takepic
  • shell
  • getClipData
  • deviceInfo
  • help
  • clear
  • getSimDetails
  • getIP
  • vibrate
  • getSMS
  • getLocation
  • startAudio
  • stopAudio
  • startVideo
  • stopVideo
  • getCallLogs
  • getMACAddress

Commands are visible in the code as shown:

 

We configured a test AndroRAT sample to understand how this malware works further. Configuring and listening for incoming connections quickly gave a shell once the malware was executed on the infected device:

 

Commands can now be executed on the infected device:

For instance, running ‘deviceInfo’ gave us details of the infected device:

 

Overall this threat is a potent spyware and Remote Access Tool  (RAT). Though its features are limited, considerable personally identifiable information (PII) can be extracted from an infected device. The fact that this RAT is freely available on Github is a cause of concern.

 

Sonicwall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Androrat.PN

 

Indicators of Compromise:

  • f1d83d43b21478c349f2ee515aef4271

 

 

Grafana plugins Directory Traversal Vulnerability

/in /by

Grafana is a multi-platform, open-source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.

Directory Traversal Vulnerability
Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to directory traversal. A directory traversal attack (also known as path traversal) aims to access files and directories that are stored outside the web root folder by manipulating variables that reference files with dot-dot-slash sequences.

CVE-2021-43798 | Grafana plugins Directory Traversal Vulnerability
Directory traversal vulnerability exists in Grafana allowing access to local files. The vulnerable URL path  . The plugin_id can be the default plugin that comes pre-installed with Grafana, for example:

  • alertlist
  • annolist
  • barchart
  • bargauge
  • candlestick
  • cloudwatch
  • dashlist
  • Elasticsearch

The vulnerability is due to insufficient sanitization of user input for plugin assets. This that allows the reading of arbitrary files from the filesystem. A remote, unauthenticated attacker can exploit this vulnerability by sending a request to a valid plugin asset directory with dot-dot sections to request arbitrary paths. Successful exploitation results in the disclosure of arbitrary file contents from the target server.

Threat actors can leverage this flaw by crafting an HTTP request to read sensitive files from servers, leading to the disclosure sensitive information . the following exploits disclose sensitive information .

The following versions are vulnerable:

    • Grafana versions 8.0.0-beta1 through 8.3.0

Grafana has patched the vulnerability vendor advisory is available here.

SonicWall Capture Labs provides protection against this threat via following signatures:

      • IPS 15728:Grafana plugins Directory Traversal

Threat Graph

Cybersecurity News & Trends

/0 Comments/in /by

In today’s installment, SonicWall is still picking up outlets from last year’s Threat Reports. There was also a friendly nudge from Australia on our new line-up of Gen-7 NGFWs. Industry news shows that there’s no break for cybersecurity. Ukraine was hit today with a massive cyber-attack that took down almost the entire network of government websites. A ransomware attack on school districts in Albuquerque, NM, resulted in the cancellation of classes for 75,000 students. In two reports, we found that SMEs (small to medium-sized businesses) are not taking the risk of cyberattacks seriously. FSB, the Russian intelligence bureau, arrested most or all the REvil ransomware gang members. Ending with this eye-opener: Norton 360 is now shipping a program that allows customers to make money from cryptomining.

SonicWall in the News

SonicWall Answers the Call with New NGFWs

ARN-IDG (Australia): Filling an urgent need for greater cybersecurity, SonicWall gets 17 new Gen-7 firewalls ready in less than 18 months. With 70% of full-time workers working remotely in hybrid multi-cloud environments, there has been an unprecedented surge of malware and ransomware – and everyone is more vulnerable than ever.

Why File-borne Malware has Become the Weapon of Choice for Attackers

SC Media: The latest numbers on hidden malware are out, and there’s good news to report. The number of new malicious file attacks was down in 2020 for the first time in five years, and the decline continued for most of 2021. SonicWall Capture Labs recorded 2.5 billion malware attempts in the first six months of 2021, down from 3.2 billion at this time last year — a decrease of 22%. That’s a significant improvement from where we stood in 2018, when malware attacks peaked at 10.5 billion.

Top 5 Trends for Endpoint Security in 2022

Venture Beat: 2021 is the worst year on record for ransomware attacks, with schools, colleges, universities, and hospitals being among the most attacked organizations globally. Bad actors prioritize them first because they have the smallest cybersecurity budgets and weakest defense. In the first six months of 2021, global ransomware volume reached a record 304.7 million attempted attacks, surpassing the 304.6 million attempted attacks throughout all of 2020, according to the 2021 SonicWall Cyber Threat Report, Mid-Year Update.

Cybercrime Will Increase — And 9 Other Obvious Cybersecurity Predictions for 2022

HashOut: Last year, SonicWall reported that ransomware increased from 78.3 million attacks in Q3 2020 to 190.4 million attacks in Q3 2021. According to their report, at the end of Q3 2021, the year was “the most costly and dangerous year on record” regarding ransomware attacks. Suppose 2022 is anything like last year, and cybercriminals continue to profit on the backs of companies lacking solid defenses. In that case, it’s all but guaranteed this upward trend in ransomware will continue.

Industry News

Ukraine Hit with ‘Massive’ Cyber-attack on Government Websites

The Guardian: First to report the massive cyberattack today, the Guardian says that Russian-based attackers have repeatedly targeted Ukraine since 2014. Still, many observers note that this attack has a more ominous feel. The websites of several government departments, including the ministry of foreign affairs and the education ministry, were knocked out. Hackers left a message on the foreign ministry website, according to reports. It said: “Ukrainians! All information about you has become public. Be afraid and expect worse. It’s your past, present and future.” The message reproduced the Ukrainian flag and map crossed out. It mentioned the Ukrainian insurgent army, or UPA, which fought against the Soviet Union during the second world war. There was also a reference to “historical land.” The Guardian also reports that Ukrainian officials say it is too early to conclude that this attack is in any way related to the stalemated security talks between Moscow and the US and its allies this week. Nearly all major news organizations posted follow-up stories.

A Cyberattack in Albuquerque Forces Schools to Cancel Classes

NPR: When the superintendent of Albuquerque Public Schools announced earlier this week that a cyberattack would lead to the cancellation of classes for around 75,000 students, he noted that the district’s technology department had been fending off attacks “for the last few weeks.” Albuquerque is not alone, as five school districts in the state have suffered major cyberattacks in the past two years, including one district that’s still wrestling with a cyberattack that hit just after Christmas. But it’s the first reporting of a cyberattack that required cancellation of classes, made all the more disruptive as schools try to keep in-person learning going during the pandemic.

Norwegian Media Company Amedia Suffered a Serious Cyber Attack That Left Newspapers Unprinted

Norwegian media company Amedia suffered a cyberattack that shut down its computer systems, preventing printing newspapers. According to the company, the incident also affected its advertising and subscription systems, preventing advertisers from ordering new ads and subscribers from enrolling or canceling their subscriptions. The company also said that the incident forced it to shut down systems administered by Amedia Teknologi.

Cyber-Attacks on SMEs: Risk Transference as Crucial as Risk Prevention

InfoSecurity: It’s a common misconception among small to medium enterprises (SMBs) that large businesses, with their sizable financial assets, are the sole target for ransomware attacks. But SMBs ought to note that the US Department of Homeland Security reports that upwards of 70% of ransomware attacks are aimed at small and medium-sized companies. And yet, a surprising number of small business owners do not seriously see themselves at risk. A recent study shows that 63% of small business owners think they are immune to a cyber-attack. Technically, however, they are anything but invulnerable as most businesses operate on connected data and cloud operations. The more connectivity the business uses, the greater their vulnerability to various cyber-attacks, from ransomware to social engineering and data breaches. So, the question is not if, but when, your small business will be subject to a cyber-attack.

Docs Refused to Pay the Cyber Attack Ransom — and Suffered

Medscape: Ransomware attacks are driving some small practices out of business. After a ransomware attack, Michigan-based Brookside ENT and Hearing Center, a two-physician practice, closed its doors in 2019. However, several large practices have also been attacked by ransomware, including Imperial Health in Louisiana in 2019, which may have compromised more than 110,000 records. The practice didn’t pay the ransom and had access to their backup files and the resources to rebuild their computer systems and stay in business. The author is offering the same advice that security managers make to all SMEs: take the threats and risks seriously and then act on a secure or backup systems plan.

REvil Ransomware Gang Arrested in Russia

BBC News: Authorities in Russia say they have dismantled the ransomware crime group REvil and charged several of its members. The United States had offered a reward of up to $10m (£7.3m) for information leading to the gang members following ransomware attacks. However, Russia’s intelligence bureau FSB said the group had “ceased to exist.” The agency said it had acted after being provided with information about the REvil gang by the US. Still, it does not appear that Russia will extradite gang members to the US.

What the Russian Crackdown on REvil Means for Ransomware

Wall Street Journal: The FSB operation is one of the first major publicly disclosed Russian law-enforcement actions against cybercriminal gangs. “It’s very surprising that the Russians started to play ball in the ransomware fight,” said Alexandru Cosoi, chief security strategist at cybersecurity company Bitdefender Inc., which tracks REvil activity. In September, Bitdefender released a tool to decrypt data locked up by REvil malware. The scale of the FSB’s operation may signal a more permanent end to REvil, said Raj Samani, a chief scientist at McAfee Corp. However, analysts say it is too early to tell whether this will discourage other gangs from launching attacks.

Google Disrupts Glupteba Cryptojacking Botnet With Removal of Hosted Ads, Documents and Accounts

CPO: Glupteba, a botnet used for cryptojacking, has taken a significant blow from Google, whose free cloud-based services it relied on to propagate. The company has identified and removed thousands of accounts, hosted files and ad accounts used to spread malicious files. Glupteba has been operating for months and is believed to have compromised thousands of people per day at its peak. The cryptojacking botnet spread via Google advertisements promising software cracks and phishing emails linking to malicious files hosted with Google Docs. Google cautions that though the Glupteba botnet’s operations have been disrupted, it is not out of commission.

Norton 360 Antivirus Users Introduced to Cryptomining

Krebs: Many readers were surprised to learn recently that the popular Norton 360 antivirus suite now ships with a program that lets customers make money mining virtual currency. But Norton 360 isn’t alone in this dubious endeavor. For example, Avira antivirus — with a base of 500 million users worldwide — was recently bought by the same company that owns Norton 360.

In Case You Missed It

Linux-based ransomware found targeting VMWare ESXi Servers

/in /by

The Sonicwall Capture Labs threat research team has come across a linux variant of a ransomware early on this week. Avoslocker is another ransomware-as-a-service (RaaS) selling their ready-made ransomware to affiliates to carry out ransomware attacks. This linux variant was specifically made to target VMWare ESXi servers that more and more companies are switching their servers on to for easier management. It is a very valuable target for cybercriminals since one ESXi server can host multiple virtual machines and therefore host many critical services for a company.

Infection Cycle:

This variant comes as an ELF executable file. Upon manually running it, the user is presented with the following use options.

Once installed, Avoslocker will run the following command to power off all running virtual machines within an ESXi host.

esxcli –formatter=csv –format-param=fields==”WorldID,DisplayName” vm process list | tail -n +2 | awk -F $’,’ ‘{system(“esxcli vm process kill –type=force –world-id=” $1)}’

It appends “.avoslinux” extension to all encrypted files.

It also leaves a ransom note reminding victims to avoid shutting down their system to prevent any files being permanently damaged.

They provide a link to a website only accessible via a tor browser for further details on how to pay and retrieve encrypted files.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Avoslocker.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for January 2022

/in /by

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of January 2022. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2022-21881 Windows Kernel Elevation of Privilege Vulnerability
ASPY  285 Malformed-File exe.MP_228

CVE-2022-21882 Win32k Elevation of Privilege Vulnerability
ASPY  286 Malformed-File exe.MP_229

CVE-2022-21887 Win32k Elevation of Privilege Vulnerability
ASPY  287 Malformed-File exe.MP_230

CVE-2022-21897 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY  288 Malformed-File exe.MP_231

CVE-2022-21907 HTTP Protocol Stack Remote Code Execution Vulnerability
IPS 8535 Server Application Code Execution 28

CVE-2022-21908 Windows Installer Elevation of Privilege Vulnerability
ASPY 289 Malformed-File dll.MP_7

CVE-2022-21916 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 280:Malformed-File exe.MP_226

CVE-2022-21919 Windows User Profile Service Elevation of Privilege Vulnerability
ASPY 281:Malformed-File exe.MP_227

Adobe Coverage
CVE-2021-45067 Acrobat Reader Buffer Overflow Vulnerability
ASPY 282:Malformed-File pdf.MP_520

CVE-2021-44714 Acrobat Reader Security feature bypass
ASPY 283:Malformed-File pdf.MP_521

CVE-2021-44707 Acrobat Reader Buffer Overflow Vulnerability
ASPY 284:Malformed-File pdf.MP_522

The following vulnerabilities do not have exploits in the wild :
CVE-2021-22947 Open Source Curl Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36976 Libarchive Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21833 Virtual Machine IDE Drive Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21834 Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21835 Microsoft Cryptographic Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21836 Windows Certificate Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-21837 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21838 Windows Cleanup Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21839 Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21840 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21841 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21842 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21843 Windows IKE Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21846 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21847 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21848 Windows IKE Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21849 Windows IKE Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21850 Remote Desktop Client Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21851 Remote Desktop Client Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21852 Windows DWM Core Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21855 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21857 Active Directory Domain Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21858 Windows Bind Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21859 Windows Accounts Control Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21860 Windows AppContracts API Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21861 Task Flow Data Engine Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21862 Windows Application Model Core API Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21863 Windows StateRepository API Server file Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21864 Windows UI Immersive Server API Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21865 Connected Devices Platform Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21866 Windows System Launcher Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21867 Windows Push Notifications Apps Elevation Of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21868 Windows Devices Human Interface Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21869 Clipboard User Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21870 Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21871 Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21872 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21873 Tile Data Repository Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21874 Windows Security Center API Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21875 Windows Storage Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21876 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21877 Storage Spaces Controller Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21878 Windows Geolocation Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21879 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21880 Windows GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21883 Windows IKE Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21884 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21885 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21888 Windows Modern Execution Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21889 Windows IKE Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21890 Windows IKE Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21891 Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-21892 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21893 Remote Desktop Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21894 Secure Boot Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21895 Windows User Profile Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21896 Windows DWM Core Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21898 DirectX Graphics Kernel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21899 Windows Extensible Firmware Interface Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21900 Windows Hyper-V Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21901 Windows Hyper-V Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21902 Windows DWM Core Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21903 Windows GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21904 Windows GDI Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21905 Windows Hyper-V Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21906 Windows Defender Application Control Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21910 Microsoft Cluster Port Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21911 .NET Framework Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21912 DirectX Graphics Kernel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21913 Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass
There are no known exploits in the wild.
CVE-2022-21914 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21915 Windows GDI+ Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21917 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21918 DirectX Graphics Kernel File Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-21920 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21921 Windows Defender Credential Guard Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21922 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21924 Workstation Service Remote Protocol Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21925 Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-21928 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21929 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21930 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21931 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21932 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2022-21954 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-21958 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21959 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21960 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21961 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21962 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21963 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21964 Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-21969 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21970 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.

Cybersecurity News & Trends

/0 Comments/in /by

Happy New Year! December is always a time for a bit of retrospect. So, while taking stock of the previous year’s cybersecurity news, editors turned to reliable sources like SonicWall’s 2021 Cyber Threat reports to punctuate a scary year. In industry news, the former Uber security chief faces new charges in his attempted cover-up of a massive breach, the Discord hack is a big loss for NFT buyers and now we’re rethinking cybersecurity jobs.

SonicWall in the News

Breaches and Ransomware: A Look Back at 2021

The New Stack: Cyberattacks reached such a crescendo last year that network security vendor SonicWall even decided to name 2021 “the year of ransomware.” If you think that this is a bit of sensationalism, the company’s numbers appear to back it up. Using data gathered from more than 1 million security sensors in nearly 200 countries, SonicWall calculated an average of 1,748 ransomware attempts per customer by the end of September, along with a 33% rise in IoT malware. This added up to a whopping 495 million ransomware attempts by the end of September. And the researchers ultimately predicted 219 million more ransomware attempts for the last three months of 2021. So, by New Year’s Eve, the total number of 2021 ransomware attacks could reach 714 million.

Ransomware Attackers’ New Tactic: Double Extortion

SecurityIntelligence: SonicWall logged 470 million ransomware attacks through the third quarter of the year. That’s a 148% year-over-year increase. That company detected 190.4 million attacks in Q3 2021 alone, a figure which nearly overtook the 195.7 million ransomware attacks seen in the first three quarters of 2020. Looking ahead, the firm estimated that ransomware totals would reach 714 million attack attempts by the end of December, making 2021 the most prolific year on record.

6 Ways to Minimize Ransomware Damage

Security Boulevard: Ransomware is more pervasive than ever, and the number of attacks is mindboggling. With help from ransomware-as-a-service (RaaS), cybercriminals and organized “bad actors” continue to wreak havoc. Cybersecurity vendor SonicWall recorded more than 495 million ransomware attack attempts globally by the end of Q3 2021, a 148% increase from 2020. Despite efforts by enterprises to secure their IT infrastructure, the U.K. has seen a 233% increase in such attacks.

What Is Cybersecurity?

ToolBox: The primary purpose of ransomware is to extort money. SonicWall’s 2021 cyber threat report shows a 151% increase in ransomware attacks in the first half of 2021 compared to 2020. In fact, in March 2021, Taiwan-based PC manufacturer Acer faced a $50 million ransomware demand from a cybercrime group called REvil.

It Takes A Village To Fight Ransomware

Forbes: Ransomware is top of mind for every cybersecurity expert these days and for good reason. SonicWall reports (via Infosecurity Magazine) that between 2019 and 2020, ransomware attacks in North America increased by 158%. The FBI dealt with 20% more reports of ransomware attacks in 2020 over 2019, with collective costs of the attacks increasing more than 200% from the previous year.

Top 5 Trends for Endpoint Security in 2022

VentureBeat: 2021 is the worst year on record for ransomware attacks, with schools, colleges, universities, and hospitals being among the most attacked organizations globally. Bad actors prioritize them first because they have the smallest cybersecurity budgets and weakest defense. In the first six months of 2021, global ransomware volume reached a record 304.7 million attempted attacks, surpassing the 304.6 million attempted attacks throughout 2020, according to their Mid Year Update: 2021 Cyber Threat Report.

Your Security and Multi-Factor Resolutions

The Gazette: Looking forward into 2022, there are no signs that cybersecurity incidents will be slowing down any time soon. A mid-year Cyber Threat report update produced by SonicWall in July predicted a total of roughly 714 million attempted ransomware attacks in 2021. If these numbers are accurate, that means ransomware saw a 134% increase over the previous year.

Cyber Super-heroes Prepare for Battle

Red: In this case, the bad guys – cybercriminals – appear to be winning. Ransomware attacks have risen 62% worldwide since 2019 and by nearly 160% in North America, according to a 2021 SonicWall Cyber Threat Report. Last year’s attack on Colonial Pipeline was among those, which crippled energy infrastructure that delivers about 45% of fuel for the East Coast. As for the good guys: There aren’t enough of them.

Industry News

Prosecutors file additional charges against former Uber security chief over 2016 data breach ‘cover up’

The Daily Swig: Additional charges have been added to the indictment against a former Uber chief security officer over his alleged involvement in the cover-up of a hack against the ride-hailing app in 2016. Wire fraud has joined the list of charges pending against Joseph Sullivan, 52, of Palo Alto, CA, for his alleged concealment of a 2016 attack that exposed 57 million users and 600,000 driver records. The latest charges – handed down in a superseding indictment returned by a federal grand jury – add to previous charges of obstruction of justice and ‘misprision of a felony.

Thousands of Schools Impacted After IT Provider Hit by Ransomware

Info Security: A leading provider of school website infrastructure has been hit by a ransomware attack, potentially disrupting thousands of global customers. Finalsite claims to serve over 8000 schools worldwide, offering content management, communications, mobile and enrollment software. A message posted by the firm on Twitter yesterday apologized for the “prolonged outage” customers have been forced to endure due to the attack.

Florida health care system Breached, exposing 1.3 million people

CNN: Hackers breached the computer networks of a southeast Florida health care system in October and may have accessed sensitive personal and financial information on over 1.3 million people, the health care system announced this week. Social Security numbers, patient medical history, and bank account information were exposed. According to a notice the health care provider filed with the Office of the Maine Attorney General, Broward Health has a network of over 30 health care facilities serving patients across roughly two million-person Broward County, Florida.

Flexbooker breach exposes 3.7 million users

Engadget: A group of hackers is trading a database of stolen information from FlexBooker, a cloud-based tool for scheduling appointments containing sensitive customer data. According to BleepingComputer, the company suffered a security breach just before the holidays and sent notifications to customers in an email. The company revealed that its Amazon AWS servers were compromised on December 23rd. It also admitted that its system data storage was accessed and downloaded.

Kronos outage latest: Attackers crippled back-up access

The Stack: The attackers who crippled widely used applications from global HR software company Kronos disabled the company’s “ability to communicate with our back-up environments.” Owners UKG has also confirmed that the company is restoring customer data after regaining access to its back-ups. Multiple Kronos platforms have been unavailable since December 11. The outage has left millions of users at tens of thousands of customers unable to check pay, arrange rotas, or request paid leave.

Counties in New Mexico, Arkansas begin 2022 with ransomware attacks

ZDNet: According to officials from both states, two counties in New Mexico and Arkansas are dealing with ransomware attacks affecting government services. On Wednesday evening, New Mexico’s Bernalillo County; which covers the state’s most populous cities of Albuquerque, Los Ranchos and Tijeras; officially reported that hackers began their attack between midnight and 5:30 a.m. on January 5. County officials have taken the affected systems offline and cut network connections, but most county buildings are now closed to the public. Emergency services are still available, and 911 is still operating, but a Sheriff’s Office customer service window was closed.

Portugal Media Giant Impresa Crippled by Ransomware Attack

Threat Post: Media giant Impresa, the largest television station and newspaper in Portugal, was crippled by a ransomware attack just hours into 2022. The suspected ransomware gang behind the attack goes by the name Lapsus$. The episode included Impresa-owned website Expresso newspaper and television station SIC. Both remain offline Tuesday morning as the media giant continued its recovery from a New Year’s weekend attack. Impacted is the server infrastructure critical to Impresa’s operations. Additionally compromised is one of Impresa’s verified Twitter accounts, which was hijacked and used to taunt the company publicly.

Discord Hacking Is the Newest Threat For NFT Buyers

The Verge: Two NFT projects fell victim to the same attack just in time for Christmas. Both projects were about to distribute rewards to their community members: Monkey Kingdom through an NFT presale on the 21st and Fractal through a token airdrop. Then, disaster struck. Posts appeared in each project’s official “announcements” channel claiming that a surprising mint would reward community members with a limited edition NFT. Hundreds jumped at the chance, but a costly surprise was waiting for those who followed the links and connected their crypto wallets. Rather than receiving an NFT, wallets were being drained of the Solana cryptocurrency, which both projects used for purchases. Within one hour, a Twitter post, first from Monkey Kingdom and then from Fractal, informed followers that their Discord servers had been hacked; news of the NFT mints was bogus, the links a phishing fraud. In the case of Fractal, the scammers got away with about $150,000 worth of cryptocurrency. For Monkey Kingdom, the estimated total was reported to be $1.3 million.

Cybersecurity training isn’t working. And hacking attacks are only getting worse

ZDNet: Cyberattacks are growing, and much more needs to be done to educate businesses and users about risks to prevent widespread damage and disruption resulting from cyber incidents. Attacks against utilities and infrastructure providers, production facilities and hospitals have demonstrated genuine consequences for businesses, government, and individuals. Disruptions can lead to interruptions in manufacturing, distribution, and services that can last for days, weeks and even months. Yet, despite the well-documented risks posed by attackers, many businesses and their boardrooms still don’t fully understand the threats they’re facing from cybercriminals and how to best defend their networks against them.

Poland’s Watergate: Ruling party leader admits country has Pegasus hacking software

Politico: Jarosław Kaczyński, chairman of Poland’s ruling Law and Justice (PiS) party and the country’s de facto leader, confirmed that the government has the Pegasus hacking software system but denied they used it against opposition politicians in the 2019 parliamentary election campaign. “It would be bad if the Polish services did not have this type of tool,” Kaczyński said in an interview with the right-wing Sieci weekly, published Friday. This is the first time a high-level PiS politician has confirmed that the government has the software. However, party and government officials have downplayed or rejected such a possibility. Last month, Kaczyński denied knowing anything about the malware.

Don’t copy-paste commands from webpages — you can get hacked

Bleeping Computer: Programmers, sysadmins, security researchers, and tech hobbyists copying-pasting commands from web pages into a console or terminal are warned they risk having their system compromised. Recently, Gabriel Friedlander, founder of security awareness training platform Wizer, demonstrated an obvious yet surprising hack that’ll make you cautious of ever doing it again! Friedlander warns a webpage could covertly replace the contents of what goes on your clipboard, and what ends up being copied to your clipboard would be vastly different from what you had intended to copy. Worse, without the necessary due diligence, the developer may only realize their mistake after pasting the text, at which point it may be too late.

Going Back to Basics to Fix Our Broken Approach to Cybersecurity

CPO Magazine: The past year has been marked by a seemingly unending stream of major companies and organizations coming forward to admit they were the victim of a data breach or malware attack. When cybersecurity measures are working well, the end-users are never even aware of them. But when the word “ransomware” suddenly becomes a household term, you know something is seriously broken with our approach to cybersecurity.

Rethinking Cybersecurity Jobs as a Vocation Instead of a Profession

Dark Reading: Are cybersecurity jobs a profession or a vocation? When we consider the current workforce shortage in cybersecurity, our existing assumptions about the nature of cybersecurity jobs may be exacerbating the shortfall. For this reason, we may need to consider new ways of thinking about jobs within the cybersecurity field. For example, within the cybersecurity industry, the prevailing mindset is that security practitioners are professionals. Thus, a direct consequence of this mindset is that a college degree is required for many cybersecurity jobs. However, many cybersecurity practitioners argue that a college degree isn’t needed to do most jobs in cybersecurity, and strict adherence to this requirement disqualifies many deserving candidates. But removing the requirement for a college degree raises the question: Are these actually professional jobs, or should they be recast as vocational jobs?

In Case You Missed It