Critical Infrastructure News

White House defends NSA, thanks Microsoft, Facebook for countering North Korean hackers

A top White House official on Tuesday personally thanked Microsoft and Facebook for helping counter North Korean hackers and said the National Security Agency was “not at all” at fault for this year’s infamous WannaCry ransomware incident.

Thomas Bossert, the president’s homeland security adviser, mentioned the two companies by name in a press conference on North Korea’s connections to WannaCry.

The Trump administration publicly attributed WannaCry to North Korea for the first time yesterday.

Security researchers have said the hackers behind the ransomware outbreak in May amplified its spread by building on a leaked NSA exploit known as EternalBlue.

The briefing followed the publication Monday night of an op-ed by Bossert in the Wall Street Journal, the first time the Trump administration attributed the WannaCry outbreak to North Korea. Bossert broadly cited “evidence” without describing it.

Statements shared by Facebook and Microsoft with CyberScoop imply that the companies’ efforts against North Korean hackers came last week and were not directly related to WannaCry. Instead, they appear to have been more broadly focused on inhibiting North Korea’s ongoing cyber-espionage operations.

A Facebook spokesperson said the social network had moved to disable a number of accounts that it linked back to the predominant hacking group associated with North Korea, which is known to the security research community as the Lazarus Group. Facebook said the hackers were using these profiles to communicate with one another while also targeting specific individuals.

120 million households exposed in massive database leak

Information on more than 120 million American households was sitting in a massive database found left exposed on the web earlier this month, Forbes has been told. It included an extraordinary range of personal details on residents, including addresses, ethnicity, interests and hobbies, income, right down to what kind of mortgage the house was under and how many children lived at the property. In total, there were 248 different data fields for each household, according to the researcher who uncovered the leaked data this week.

While there were no names exposed, Chris Vickery, a cybersecurity researcher from UpGuard, told Forbes it was simple to determine who the data was linked to, either by looking at the details or by cross-checking with previous leaks. He found the data was sitting in an Amazon Web Services storage “bucket” that was readable by anyone with an AWS account, and such accounts are free to obtain.

As long as they knew the right URL to visit, an Amazon Web Services user could retrieve all the data, which was left online by marketing analytics company Alteryx. It was apparent that the firm had purchased the information from Experian, as part of a dataset called ConsumerView, on top of which Alteryx provides marketing and analytics services.
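The exposure described above is the classic S3 ACL grant to the global AuthenticatedUsers group: not "public" in the AllUsers sense, but readable by every one of the millions of free AWS accounts. The following is an added example, not code from the original report or from Alteryx, UpGuard or AWS. It inspects an ACL in the shape boto3's `get_bucket_acl()` returns and flags grants to either global group; the two ACLs at the bottom are constructed samples (the owner ID and bucket names are assumptions, not real resources).

```python
"""Flag S3 bucket ACL grants that expose a bucket to everyone on the internet
(AllUsers) or to any authenticated AWS account (AuthenticatedUsers)."""

# Canned group URIs that S3 uses in ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Permissions that let a grantee list or download objects.
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def risky_grants(acl):
    """Return (group_name, permission) pairs for every grant to a global group.

    `acl` has the shape returned by boto3's get_bucket_acl(): a dict with an
    "Owner" and a list of "Grants", each holding a "Grantee" and a "Permission".
    Grants to specific canonical users or e-mail addresses are ignored.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI")
        if uri in (ALL_USERS, AUTHENTICATED_USERS):
            findings.append((uri.rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def exposure(acl):
    """Summarise read exposure as 'public', 'any-aws-account' or 'private'."""
    groups = {group for group, perm in risky_grants(acl) if perm in READ_PERMISSIONS}
    if "AllUsers" in groups:
        return "public"
    if "AuthenticatedUsers" in groups:
        return "any-aws-account"
    return "private"


# Constructed sample ACLs for illustration; the owner ID is made up.
LEAKY_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        # This is the kind of grant that makes a bucket readable by any AWS account.
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

FIXED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        # Only the owning account keeps access.
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    for name, acl in (("leaky", LEAKY_ACL), ("fixed", FIXED_ACL)):
        print(name, exposure(acl), risky_grants(acl))
```

To run this against a real bucket, feed it the dict returned by `boto3.client("s3").get_bucket_acl(Bucket=name)`. Note that an ACL check alone is not the whole picture: a bucket policy with `"Principal": "*"` can grant the same access, so check both, and enable S3 Block Public Access at the account level so that such grants are refused in the first place.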

78% of Providers Report Healthcare Ransomware, Malware Attacks

Email is the most likely cause for a data breach, according to recent research, with 78 percent of providers reporting that they experienced a healthcare ransomware or malware attack in the past 12 months.

Eighty-seven percent of respondents said they also expect email-related security threats to increase or significantly increase in the future, found the Mimecast survey that was conducted by HIMSS Analytics.

Respondents consisted of IT professionals at a variety of healthcare providers, who were responsible for

Forty-three percent of large provider organizations reported at least 16 malware and/or ransomware attacks, pushing that demographic into the most affected from such email security issues.

The majority of those surveyed – 93 percent – said email is mission critical to their organization, with 43 percent saying that it was mission critical and downtime could not be afforded.

"This study confirms that no healthcare provider is immune to this growing threat of email-related cyberattacks,” HIMSS Analytics Senior Director Bryan Fiekers said in a statement. “While the results show that larger providers are being hit harder, especially with ransomware, these same organizations are also the ones leading the charge in defining industry best practices to address these threats.”

Preventing malware and/or ransomware attacks, training employees about how to be diligent when it comes to cybersecurity, and securing email were the top cyber resilience strategies listed by respondents.

Approximately one-third of surveyed providers – 28 percent – reported that protecting the organization against new threats was the main challenge. Training employees to spot security risks (22 percent) and staffing (19 percent) were the next top challenges.

Eighty-eight percent of respondents said they perform cybersecurity assessments at least yearly: 43 percent conduct them once a year, 16 percent quarterly and 18 percent monthly.

Two-thirds of providers that perform cybersecurity assessments stated that email is always included in the assessment. Nearly one-third said that email is sometimes included, while 2.5 percent stated that email is never included in the assessment or that they did not know if it was.

Large organizations were more likely to include email in their cybersecurity assessment, with 74 percent of larger facilities reporting that it is always included. Fifty-nine percent of intermediate-sized entities said the same, as did 68 percent of small organizations.

The survey indicated that larger organizations also experienced more ransomware or malware attacks in the past 12 months. Sixty-three percent of large facilities experienced both malware and ransomware in the last year, 24 percent of intermediate organizations had both types of attacks, and 22 percent of small organizations did.

Respondents were also asked to rank how concerned they were over potential threats, with one being not concerned and seven being very concerned. Eighty-three percent of those surveyed said they were very concerned over ransomware email threats, followed by impersonation/business email compromise/CEO fraud (65 percent), targeted attacks/spear phishing (64 percent), and malware (58 percent).

“This survey clearly demonstrates that email is a mission-critical application for healthcare providers and that cyberthreats are real and growing – surprisingly, even more so than the threats to Electronic Medical Records (EMRs), laptops and other portable electronic devices,” Mimecast Healthcare Cyber Resilience Strategist David Hood said in a statement. “It’s encouraging that protecting the organization and training employees are top initiatives for next year, but the survey suggests the industry has work to do.”

Healthcare email security was also brought under scrutiny in a recent survey from the National Health Information Sharing and Analysis Center (NH-ISAC), the Global Cybersecurity Alliance (GCA), and Agari.  

The report analyzed Domain-based Message Authentication, Reporting & Conformance (DMARC), finding that 98 percent of top healthcare providers have not implemented the email authentication standard that aims to eliminate phishing emails.

The survey found that 57 percent of emails that are allegedly from the healthcare industry are fraudulent or unauthenticated, and that 92 percent of healthcare domains have been targeted by fraudulent email.

“The implementation of DMARC for Aetna improved the consumer experience by eliminating unwanted and fraudulent email which reduced the risk of phishing, resulting in more email engagement and healthier lives for members,” said Aetna CSO Jim Routh, who is also NH-ISAC Chairman.
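The DMARC figures above distinguish domains with no record from domains with a record, but a record alone proves little: `p=none` only asks receivers to report, and `pct=25` or `sp=none` leaves most spoofed mail deliverable. The following is an added example, not code from the NH-ISAC/Agari report or from any of the organisations named above. It parses a DMARC TXT record (the one published at `_dmarc.<domain>`) and says whether the policy is actually enforcing; the sample domains and records are constructed for illustration and are not real DNS data.

```python
"""Parse a DMARC TXT record and report whether it actually blocks spoofed mail."""


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a dict of lowercase tags.

    Returns None if the record is empty or is not a DMARC record at all.
    """
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return (status, detail).

    status is one of 'missing', 'invalid', 'monitor', 'partial' or 'enforced'.
    Only 'enforced' means every failing message is quarantined or rejected,
    for the organisational domain and its subdomains alike.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return ("missing" if not record else "invalid", "no usable DMARC record")

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ("invalid", f"unknown policy p={policy!r}")
    if policy == "none":
        return ("monitor", "p=none: failures are reported but mail is still delivered")

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # receivers treat an unparsable pct as 100
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p

    if pct < 100:
        return ("partial", f"p={policy} applied to only {pct}% of failing mail")
    if subdomain_policy == "none":
        return ("partial", f"p={policy} but sp=none leaves subdomains spoofable")
    return ("enforced", f"p={policy}, pct=100, subdomains {subdomain_policy}")


# Constructed sample records for illustration (not real DNS data).
SAMPLES = {
    "no-record.example": "",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "rollout.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@rollout.example",
    "strict.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strict.example",
}

if __name__ == "__main__":
    for domain, rec in SAMPLES.items():
        status, detail = assess_dmarc(rec)
        print(f"{domain:20} {status:9} {detail}")
```

To check a real domain, fetch the record with `dig +short TXT _dmarc.example.com` and pass the quoted string to `assess_dmarc`. Remember that DMARC only protects the exact-domain header From; lookalike domains, which the next item covers, are out of its scope.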

How a hack almost sprung a prisoner out of jail

We’re all hopefully familiar with the notion that criminals can phish details from unsuspecting computer users by creating copycat websites.

To make a phishing page appear more legitimate a scammer might create a domain with a similar looking URL – for instance, appIe.com rather than apple.com (hint: if you didn’t notice, the first “appIe” had a capital “i” in its name rather than an “l”.)

But would it surprise you to hear that similar devious URL trickery could also potentially help a hacker spring one of his buddies from prison?

Last week, Konrad Voits from Ann Arbor, Michigan, pleaded guilty to breaking into the computer systems of Washtenaw County in an attempt to – ultimately – extract an inmate from the prison system.

The 27-year-old hacker’s plan hinged upon the creation of a website called ewashtenavv.org (note the two “v”s at the end), designed to look like the genuine website for Washtenaw County, ewashtenaw.org.
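Both tricks above, the capital “I” in appIe.com and the “vv” in ewashtenavv.org, are caught by the same defensive check: reduce a domain label to the form a human reads it as and compare that against the domains you own. The following is an added example, not code from the original article, from Washtenaw County or from any vendor. The confusable table is a small, assumed subset (a real deployment would use the Unicode confusables list and a public-suffix library); the candidate domains at the bottom are the two from the text plus constructed ones.

```python
"""Flag lookalike domains: homoglyph swaps (appIe.com) and near-misses
(ewashtenavv.org) against a list of domains you actually own."""

# Character sequences that read as another character in common fonts.
# Applied before lowercasing so a capital 'I' can be mapped to 'l'.
# This is a deliberately small, assumed subset of the real confusables list.
CONFUSABLES = [
    ("vv", "w"), ("rn", "m"), ("cl", "d"),
    ("I", "l"), ("1", "l"), ("0", "o"), ("|", "l"),
]


def skeleton(label):
    """Collapse a domain label to the form a human would read it as."""
    for seq, canonical in CONFUSABLES:
        label = label.replace(seq, canonical)
    return label.lower()


def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label: 'ewashtenavv' from 'www.ewashtenavv.org'.

    Assumes a single-label TLD; public-suffix handling (co.uk etc.) is out of scope.
    """
    parts = domain.strip().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(candidate, legit_domains, max_distance=1):
    """Return (verdict, matched_domain).

    verdict is 'legit' (exact match), 'homoglyph' (same skeleton, different
    characters), 'near-miss' (within max_distance edits) or 'unrelated'.
    """
    cand = registrable_label(candidate)
    for legit in legit_domains:
        ref = registrable_label(legit)
        if cand.lower() == ref.lower():
            return ("legit", legit)
        if skeleton(cand) == skeleton(ref):
            return ("homoglyph", legit)
        if edit_distance(cand.lower(), ref.lower()) <= max_distance:
            return ("near-miss", legit)
    return ("unrelated", None)


# Domains the defender owns; the two from the text.
LEGIT = ["apple.com", "ewashtenaw.org"]

if __name__ == "__main__":
    # The two lures from the article plus constructed candidates.
    for d in ["appIe.com", "ewashtenavv.org", "ewashtenaw.org", "aple.com", "example.net"]:
        print(f"{d:18} {classify(d, LEGIT)}")
```

Run this over newly registered domains from a certificate-transparency feed or a passive-DNS source, and over the sender domains in inbound mail, to get an alert before the lure email described below lands. The skeleton comparison is what catches ewashtenavv.org; a pure edit-distance check would also catch it (two substitutions plus one insertion is more than one edit, but “vv” to “w” is one confusable), which is why both tests are applied.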

In early 2017, Voits sent emails to County employees claiming to be a “Daniel Greene” and requesting help with court records. He also phoned employees posing as actual members of the County’s IT staff, in an attempt to trick workers into visiting the bogus website in order to “upgrade the County’s jail system”, but which would actually result in the installation of malicious code.

Unfortunately, some staff fell for Voits’s trick, and malware was installed on the County network.

With that bridgehead in place, Voits was able to gain full access to the County’s systems, including the passwords, usernames and personal information of 1600 employees, but also – most interestingly – the XJail software it used to monitor and track jail inmates.

With the login credentials to the prison management system in his hands, Voits attempted to change the records of one prisoner to arrange their early release.

It’s at this point that the County’s luck changed. Employees at Washtenaw County Jail spotted that something strange was afoot, alerted the FBI, and no prisoners managed to be released early as a result of the hack.

PayPal Says 1.6 Million Customer Details Stolen in Breach at Canadian Subsidiary

PayPal says that one of the companies it recently acquired suffered a security incident during which an attacker appears to have accessed servers that stored information for 1.6 million customers.

The victim of the security breach is TIO Networks, a Canadian company that runs a network of over 60,000 utility and bill payment kiosks across North America. PayPal acquired TIO Networks this past July for $238 million in cash.

On November 10, PayPal suspended the operations of TIO's network. The company admitted that a security breach took place, but did not provide any other details.

In a press release published in a late Friday afternoon news dump, PayPal provided more details about the incident.

A review of TIO’s network has identified a potential compromise of personally identifiable information for approximately 1.6 million customers. The PayPal platform is not impacted in any way, as the TIO systems are completely separate from the PayPal network, and PayPal’s customers’ data remains secure.

PayPal says the intruder(s) got access to the personal information of both TIO customers and customers of TIO billers. The company did not reveal what type of information the attacker accessed, but since this is a payment system, attackers most likely obtained both personally-identifiable information (PII) and financial details.

As data breach laws require, PayPal has now started notifying affected customers and is offering free credit monitoring memberships. TIO users can also visit the TIO Networks website for more details.