More stories

  • Illinois fertility clinic, online pharmacy giant Ravkoo report data breaches

    Online pharmacy company Ravkoo and Fertility Centers of Illinois (FCI) have both informed thousands of current and former patients of data breaches involving troves of their sensitive information. The HIPAA Journal said 79,943 current and former patients were sent breach notification letters informing them that passport numbers, Social Security numbers, financial account information, payment card information, treatment information, treating physicians, medical billing/claims information, prescription/medication information and Medicare/Medicaid identification information were leaked. The breach also involved significantly more patient information related to treatment and health insurance coverage, as well as some employee information. FCI said it “became aware of suspicious activity on its internal systems” on February 1 and determined that patient information was involved by August. The company did not respond to requests for comment about the delay in informing victims but said in the notice that it is offering one year of free credit monitoring and identity theft protection services. FCI wasn’t the only healthcare institution dealing with a breach. Internet pharmacy service Ravkoo also notified customers of a data breach involving their information. In a letter sent to New Hampshire Attorney General Gordon McDonald, the Florida-based Ravkoo said hackers tried to infiltrate its AWS-hosted cloud prescription portal on September 27. The incident exposed the prescription and healthcare information of 105,000 people, including nearly 400 in Maine. After hiring a cybersecurity firm, CEO Alpesh Patel said the company was told on October 27 that names, mail addresses, phone numbers, prescriptions and medical information were exposed.

    Breach notification letters were sent out January 3 and the FBI was notified, according to a notice on the Ravkoo website. Victims are being provided with one year of free online identity monitoring service from Kroll Information Assurance. In September, the hacker behind the attack on Ravkoo told The Intercept’s infosec director Micah Lee that Ravkoo was “hilariously easy” to hack and that they had access to hundreds of thousands of prescriptions filed with the company since 2020. According to what the hacker told The Intercept, Ravkoo’s site had “a hidden admin panel that every user can log in to and view all the data.”

    Multiple fertility clinics reported data breaches in 2021, including Quest-owned ReproSource and Georgia-based Reproductive Biology Associates as well as its affiliate My Egg Bank North America. Jake Williams, CTO at BreachQuest, explained that it is not uncommon for medical organizations to store patient data outside of their electronic health record system and said it sounds like that is what happened in the FCI case. The theft of administrative accounts and other high-privilege accounts gives hackers access to widespread data and often acts as a single point of failure, according to nVisium’s Ben Pick.

  • JFrog researchers find JNDI vulnerability in H2 database consoles similar to Log4Shell

    Security researchers from JFrog said on Thursday that they discovered a critical JNDI-based vulnerability in the H2 database console with a root cause similar to Log4Shell. The CVE hasn’t been posted by NIST but will be assigned CVE-2021-42392. In a blog post, the company said that CVE-2021-42392 should not be as widespread as Log4Shell even though it is a critical issue with a similar root cause. JFrog explained that the Java Naming and Directory Interface (JNDI) is an API that provides naming and directory functionality for Java applications. H2 is a widely used open-source Java SQL database used for various projects ranging from web platforms like Spring Boot to IoT platforms like ThingWorx. The researchers noted that the com.h2database:h2 package is “part of the top 50 most popular Maven packages, with almost 7,000 artifact dependencies.” Shachar Menashe, senior director of JFrog security research, told ZDNet that, similar to the Log4Shell vulnerability uncovered in early December, attacker-controlled URLs that propagate into JNDI lookups can allow unauthenticated remote code execution, giving attackers sole control over the operation of another person or organization’s systems. The security company said CVE-2021-42392 for the H2 database console is the first critical issue published since Log4Shell, on a component other than Log4j, that exploits the same root cause as the Log4Shell vulnerability, namely JNDI remote class loading.


    “To the best of our knowledge, CVE-2021-42392 is the first JNDI-related unauthenticated RCE vulnerability to be published since Log4Shell, but we suspect it won’t be the last,” the researchers wrote. “One of our key takeaways from the Log4Shell vulnerability incident was that due to the widespread usage of JNDI, there are bound to be more packages that are affected by the same root cause as Log4Shell – accepting arbitrary JNDI lookup URLs. Thus, we’ve adjusted our automated vulnerability detection framework to take into consideration the javax.naming.Context.lookup function as a dangerous function (sink) and unleashed the framework onto the Maven repository to hopefully find issues similar to Log4Shell.”

    The H2 database package was one of the first they validated, and they reported it to the H2 maintainers, who immediately fixed it in a new release and created a critical GitHub advisory. According to JFrog, several code paths in the H2 database framework pass unfiltered attacker-controlled URLs to the javax.naming.Context.lookup function, which they said allows for remote codebase loading. Of all the attack vectors of the issue, the most severe is through the H2 console. “This feature can impact those running an H2 database console exposed to the network and we recommend updating your H2 database to version 2.0.206 immediately. Note that the H2 database is used by many 3rd-party frameworks, including Spring Boot, Play Framework and JHipster,” Menashe said. “While this vulnerability is not as widespread as Log4Shell, it can still have a dramatic impact on developers and production systems if not addressed accordingly.”

    The report notes that because the H2 database is used by so many artifacts, it is difficult to quantify how many vulnerable deployments of the H2 console exist in the wild. JFrog also explained several other attack vectors using the same vulnerability and suggested users upgrade their H2 database to the latest version. They noted that they have seen a number of developer tools “relying on the H2 database and specifically exposing the H2 console.” “If you are running an H2 console which is exposed to your LAN (or worse, WAN) this issue is extremely critical (unauthenticated remote code execution) and you should update your H2 database to version 2.0.206 immediately,” the company said. “Network administrators can scan their local subnets for open instances of the H2 console with nmap. Any returned servers are highly likely to be exploitable.”

    According to the researchers, version 2.0.206 is similar to Log4j 2.17.0 because it fixes the issue by limiting JNDI URLs to the (local) java protocol only, which denies any remote LDAP/RMI queries. JFrog also provided several mitigation options for those who cannot upgrade H2. Matthew Warner, CTO at Blumira, told ZDNet that according to OSINT, there are likely under 100 impacted servers on the internet, because the H2 Database Console must be purposefully exposed to the internet by changing the configuration so that it listens on more than localhost. “While this vulnerability also utilizes remote JNDI class loading, it requires access that is not available with the default configuration of the H2 Database,” Warner said. BreachQuest CTO Jake Williams said widespread exploitation is unlikely because this vulnerability is in an application as opposed to a library like log4j, meaning vulnerable systems should be much easier to discover and remediate. In a default configuration, the vulnerability can only be triggered from the same machine the database console is running on, meaning exploitation is extremely conditional. “It’s unlikely that this will cause widespread damage, though vulnerability managers should be ready to patch other newly discovered JNDI vulnerabilities as they are disclosed,” Williams said. “It’s clear that this vulnerability won’t be the last one discovered that’s related to log4j.”

    Others, like NTT Application Security’s Ray Kelly, said that while exploitation was unlikely, using a mashup of SQL and JNDI to exploit an RCE vulnerability “is quite creative and excellent example on how a single issue can be abused multiple ways.” The research is also worthwhile because, even though log4j had specific coding flaws resulting in Log4Shell, the broader idea of a lack of validation on JNDI lookups leading to vulnerabilities is a general attack pathway which is likely to exist elsewhere and, given that the log4j vulnerabilities weren’t discovered sooner, likely hasn’t been the subject of directed scrutiny, according to Bugcrowd CTO Casey Ellis. “This is a classic example of ‘research clustering’ which is a phenomenon Bugcrowd has observed many times before and one we predicted after the initial publication of Log4Shell,” Ellis said. “Some research teams have opted to capitalize on a sense of panic to get their message out there, while the JFrog folks seem to have taken great care to get their message across, but not cause undue work for already overloaded security teams.”

  • Hackers are sending malicious links through Google Doc comment emails

    Research from cybersecurity company Avanan has shown that hackers are increasingly using Google Docs’ productivity features to slip malicious content past spam filters and security tools. 

    Avanan’s Jeremy Fuchs said that in December, the company saw cyberattackers using the comment feature in Google Docs and Google Slides to launch attacks against Outlook users. “In this attack, hackers are adding a comment to a Google Doc. The comment mentions the target with an @. By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators,” Fuchs wrote in a blog post. The technique has long been used by cybercriminals, and Google even released fixes for the issue in 2020. But Avanan included images showing researchers testing the flaw with Google Docs and Google Slides using a malicious link that was added to a comment. “We primarily saw it target Outlook users, though not exclusively. It hit over 500 inboxes across 30 tenants, with hackers using over 100 different Gmail accounts,” Fuchs added, noting that the email feature in Google Docs makes it difficult for scanners to stop the attack because the email comes directly from Google.

    Google is on most Allow Lists, Fuchs explained, and most users trust emails coming from Google. Anti-spam features are also helpless against the attack because the email doesn’t use the hacker’s email address, only their display name. No one would know whether the comment came from someone within their company or from somewhere else. “Further, the email contains the full comment, along with links and text. The victim never has to go to the document, as the payload is in the email itself. Finally, the attacker doesn’t even have to share the document — just mentioning the person in the comment is enough,” Fuchs said.

    The company noted that last year, it reported another Google Docs exploit that also allowed hackers to easily deliver malicious phishing websites to end users. Avanan suggested users check multiple times before clicking on any links in a Google Doc comment sent to them. A number of cybersecurity experts reiterated that this kind of attack has been used for many years by cyberattackers because of how successful it is. Shawn Smith, director of infrastructure at nVisium, noted that the attack is not significantly different from many other methods of phishing. “Users should always be wary of links in emails — even emails from legitimate senders — due to the possibility of an account becoming compromised. It seems to me that this could be categorized less as an ‘exploit’ per se, and more so a case of a lack of spam prevention,” Smith said. “In addition to checking links, users should also be hovering over links before clicking to confirm that the embedded hyperlink is sending them where they expect — and not to a completely different site than the link indicates.”

  • Counties in New Mexico, Arkansas begin 2022 with ransomware attacks

    Two counties in New Mexico and Arkansas are dealing with ransomware attacks affecting government services, according to officials from both states. On Wednesday evening, New Mexico’s Bernalillo County — which covers the state’s most populous cities of Albuquerque, Los Ranchos and Tijeras — officially reported that it was hit with a ransomware attack that began between midnight and 5:30 a.m. on January 5.

    County officials have taken the affected systems offline and cut network connections, but most county buildings are now closed to the public. Emergency services are still available and 911 is still operating, but a Sheriff’s Office customer service window was closed. Visitation at the Metropolitan Detention Center has been postponed indefinitely, but all community centers are still open. Many other government services are still available over the phone and in person. The county said it is working with its vendors to respond to the incident. Bernalillo County spokesman Tom Thorpe told KOB4 that he was unaware of a specific ransom demand issued by the attackers. Bernalillo County communications director Tia Bland said in a statement to KOAT, “Accounting and technology staff are doing a thorough assessment to figure out what the impact is.”

    Arkansas’ Crawford County is also dealing with a ransomware attack that began right before the new year.

    Crawford County Judge Dennis Gilstrap told Arkansas news outlets last week that a ransomware attack was discovered at the County Assessor’s office on December 27, forcing them to shut down the office’s servers. Gilstrap said IT workers with the county contacted their cybersecurity provider, Apprentice, for guidance on how to deal with the attack. “Basically we had to shut down everything from the servers on, but we got it stopped,” Gilstrap told TalkBusiness. “Last I heard, the (County Clerk’s office) could not issue marriage licenses. I guess it was good that it happened during a slow period (between Christmas and New Year), if there can be anything good said about it.” Crawford County public defender Ryan Norris added in an interview with the outlet that the clerk’s office was not able to pull up jury lists, calling it a “mess.” By Tuesday, Gilstrap said operations were back to normal at both the assessor’s office and the tax collector’s office. But he told both TalkBusiness and 5News that it will take weeks before they know whether personal information was accessed by the attackers.

    Ransomware expert Brett Callow told ZDNet that while fewer local governments fell victim to ransomware attacks in 2021 than in either of the previous two years — 77 versus 113 in both 2020 and 2019 — that can hardly be seen as a win. “The fact that a local government was hit so early into the New Year isn’t at all surprising, given that they fall victim to ransomware attacks at a rate of about 1.5/week,” Callow said. “One is one too many, and 77 is far too many. This is especially true as far more incidents now involve data exfiltration, making it more likely that a ransomware attack on a local government will result in sensitive information leaking online.”

    Shared Assessments’ Nasser Fattah said attacks will continue to occur due to the lack of resources and the use of stale technologies, which “collectively make municipalities an attractive target.” YouAttest CEO Garret Grajek noted that recent research from the Palo Alto Networks Cortex Xpanse team showed that hackers are scanning within 15 minutes of a known vulnerability being disclosed, while most companies are not patching and updating for 12 hours. “No company, county or organization is too obscure or too off-the-beaten-path for the attackers,” Grajek said. “To the hackers, the sites are simply targets of opportunity.”

  • Predictions: Apple products that will be discontinued in 2022

    Every year, Apple discontinues a swathe of products, and 2022 will be no exception. This is a normal process for tech companies, so knowing ahead of time helps for two reasons: you can avoid buying products that will be discontinued, and you will be aware if your own devices are headed for end-of-life. A good way to predict what will be discontinued in 2022 is to look at what was discontinued in 2021. Here’s a list of 2021’s discontinued tech:

      • iPhone 12 Pro and 12 Pro Max
      • Apple Watch Series 6
      • iPhone XR
      • iPad 8th-gen
      • iPad mini 5th-gen
      • 21.5-inch iMac
      • iMac Pro
      • HomePod
      • Apple TV 4K 1st-gen
      • Beats EP/Solo Pro/Powerbeats 3

    Some of these were to be expected, to make room for new generations (iPhones, iPads, and Apple Watch). It’s logical, but some of the others were interesting — especially the HomePod, 21.5-inch iMac, and the iMac Pro. These point to a shift of priorities at Apple. So, what should we expect Apple to discontinue in 2022?

    Here are my predictions:

      • iPhones 13 Pro, 13 Pro Max, and 12: These will be superseded by new iPhones in September.
      • Apple Watch Series 7: Will be superseded by a new Apple Watch.
      • iPhone SE: At almost two years old, this is heading towards the end of the line.
      • iPad Air 4th-gen: By September 2022, this will be two years old and ripe for dropping.
      • iMac 27-inch: This will get the M1 Apple Silicon treatment.
      • Mac Pro: This will also get the M1 Apple Silicon treatment.
      • AirPods Pro: Released in October 2019, these have had a good run; I’m expecting an updated version to land this year.
      • iPod touch 7th-gen: Released in May 2019, this thing is now a complete dinosaur. I fully expect Apple to kill the iPod touch once the current one is discontinued, as it’s hard to see it being a viable product now.

    As usual, it looks like it’s going to be a big year for Apple updates. Stay tuned.

  • Report: $2.2 billion in cryptocurrency stolen from DeFi platforms in 2021

    Blockchain data platform Chainalysis has released a new report on cryptocurrency crime trends, finding that $14 billion in cryptocurrency was sent to illicit addresses in 2021, nearly double the figure seen in 2020. 

    Chainalysis data shows that about $2.2 billion was outright stolen from DeFi protocols in 2021. As of 2022, Chainalysis estimated that illicit addresses currently hold at least $10 billion worth of cryptocurrency, with most held by wallets implicated in cryptocurrency theft, darknet markets and scams.

    Digging deeper into the figures, Chainalysis researchers found that cybercriminals brought in 82% more in revenue from scamming last year, raking in $7.8 billion in cryptocurrency from victims. Within that $7.8 billion, Chainalysis discovered $2.8 billion that came from a scam they call “rug pulls.” In these scams, developers create seemingly legitimate cryptocurrency projects before stealing investor money and disappearing. The $2.8 billion doesn’t even take into account the user losses associated with the plummeting value of fake DeFi tokens and only counts the investor funding that was taken. Almost all of the $2.8 billion stolen in 2021 came from Thodex, a fraudulent centralized exchange that tanked when the CEO stopped users from withdrawing funds and disappeared. Chainalysis tracked several other DeFi projects that ended up being rug pulls. “We believe rug pulls are common in DeFi for two related reasons. One is the hype around the space. DeFi transaction volume grew 912% in 2021, and the incredible returns on decentralized tokens like Shiba Inu have many excited to speculate on DeFi tokens,” Chainalysis said. “At the same time, it’s very easy for those with the right technical skills to create new DeFi tokens and get them listed on exchanges, even without a code audit. Many investors could likely have avoided losing funds to rug pulls if they’d stuck to DeFi projects that have undergone a code audit – or if DEXes required code audits before listing tokens.” Another big chunk of illicit cryptocurrency activity came from outright theft, which grew 516% in 2021 compared to the previous year.

    Chainalysis found that about $2.2 billion of the $3.2 billion worth of cryptocurrency stolen in 2021 came from DeFi protocols. The startling numbers far exceed the figures seen in 2020, when about $162 million in cryptocurrency was taken from DeFi platforms. That represents a 1,330% year-over-year increase for 2021. Chainalysis said many of the headline-grabbing attacks on DeFi exchanges over the last year “can be traced back to errors in the smart contract code governing those protocols, which hackers exploit to steal funds.” “We’ve also seen significant growth in the usage of DeFi protocols for laundering illicit funds, a practice we saw scattered examples of in 2020 and that became more prevalent in 2021. DeFi protocols saw the most growth by far in usage for money laundering at 1,964%,” Chainalysis explained. “In the longer term, the industry may also need to take more drastic steps to prevent tokens associated with potentially fraudulent or unsafe projects from being listed on major exchanges.”

    The attack on DeFi protocol Grim Finance at the end of December capped a whirlwind year for DeFi hacks. A week before the attack on Grim Finance, more than $77 million was stolen from AscendEX. Days before that, blockchain gaming company Vulcan Forged said around $140 million had been stolen from its users. Crypto trading platform BitMart suffered a devastating attack that caused about $200 million in losses. In November, cybercriminals stole about $120 million from DeFi platform Badger. Other attacks in 2021 include thefts of more than $600 million from Poly in August and $34 million from Cream Finance in September. In May, about $200 million was stolen from the PancakeBunny platform. Other attacks have involved platforms like Liquid, EasyFi, bZx, and many others.

    Chainalysis noted that cryptocurrency transactions involving illicit addresses represented just 0.15% of all cryptocurrency transaction volume in 2021, but the company added that the $14 billion figure is likely to increase as it finds more addresses tied to criminal activity. The 2020 figures grew from 0.34% to 0.62% of all cryptocurrency transactions after Chainalysis continued to dig. “Cryptocurrency usage is growing faster than ever before. Across all cryptocurrencies tracked by Chainalysis, total transaction volume grew to $15.8 trillion in 2021, up 567% from 2020’s totals. Given that roaring adoption, it’s no surprise that more cybercriminals are using cryptocurrency. But the fact that the increase was just 79% — nearly an order of magnitude lower than overall adoption — might be the biggest surprise of all,” the report said, explaining that “illicit activity’s share of cryptocurrency transaction volume has never been lower.” The report adds that law enforcement has been able to increase its foothold in the cryptocurrency world in recent months. Chainalysis, which works with a number of law enforcement and government agencies, noted that IRS Criminal Investigation announced that it seized over $3.5 billion worth of cryptocurrency in 2021 — all from non-tax investigations.

  • Log4j flaw hunt shows how complicated the software supply chain really is

    Open source software is everywhere now, but the Log4j flaw that affects Java enterprise applications is a reminder of what can go wrong in the complicated modern software supply chain.


    The challenge with the Log4j flaw (also known as Log4Shell) is not only that admins need to patch the flaw — which got a ‘critical’ rating of 10 out of 10 — but that IT folk can’t easily discover whether a product or system is affected by the vulnerability in the component. Google has calculated that approximately 17,000 Java packages in the Maven Central repository – the most significant Java package repository – contain the vulnerable log4j-core library as a direct or transitive dependency. Now security firm JFrog has found more, by identifying additional packages containing the Log4j vulnerability that would not be detected through dependency scanning — that is, packages containing vulnerable Log4j code within the artefact itself.

    It found that, overall, direct inclusion of Log4j code in artefacts is not as common as the use of Log4j through dependencies. However, it still adds up to hundreds of packages – around 400 – which directly include Log4j code, exposing these packages to Log4j vulnerabilities. “In more than half of all cases (~65%), Log4j code is included as classes directly (i.e. direct inclusion / shading), in contrast to including complete Log4j .jar files (i.e. fat jar), which is typically how it is presented in the remainder of cases. These numbers indicate that tools looking for complete .jar files only will miss most of the cases where Log4j is included directly,” it said. The bug is a reminder of why Microsoft and Google are ploughing dollars into projects that bolster the security of open source software projects, which are the backbone of today’s internet infrastructure. Previous research shows that the vast majority of software flaws are found in software libraries or dependencies.

    The severity of the bug means admins could be well served by investigating all Java applications that may include Log4j code. Microsoft has released scanning tools to detect vulnerable Windows and Linux systems, applications and devices, and JFrog offers one more option. JFrog emphasizes that its scanning reaches the included code itself rather than only checking whether a version of the library is declared as present. “The reason that scanning the full dependencies list may miss instances of included Log4j code is because dependencies only specify external packages needed to build or run the current artefact. If the vulnerable code is inserted directly into the codebase, it is not a dependency. Therefore, for more precise detection of vulnerable Log4j code, we need to inspect the code itself,” the company notes in a blog post. The research highlights how vulnerable today’s IT systems are to attacks on the software supply chain.

    The importance of the Java programming language can’t be overstated. It remains one of the world’s most widely used languages and is the go-to language for enterprise, and its ecosystem includes projects like Microsoft’s implementation of OpenJDK. Microsoft uses Java in Azure, SQL Server, Yammer, Minecraft, and LinkedIn.
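    As an added illustration of the detection gap JFrog describes (this is example code written here, not JFrog’s or Microsoft’s scanner), the following Python script inspects the contents of Java archives rather than their dependency declarations: it flags org/apache/logging/log4j/core/ class entries that sit directly in an archive (shading) separately from those inside an embedded log4j-core jar (fat jar), and records whether JndiLookup.class is present. The sample archives are constructed in memory with stub class entries; the entry names are what the scanner keys on.

```python
"""Find Log4j code inside Java archives, including shaded classes that
dependency scanning misses. Added example; samples below are constructed."""
import io
import os
import zipfile

# Entry-name prefix shared by all Log4j 2 core classes, and the class that
# performs the JNDI lookup at the root of Log4Shell.
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def classify_archive(data, path="<bytes>", depth=0, max_depth=4):
    """Return a list of findings for one archive supplied as bytes.

    kind is "shaded" when Log4j classes sit directly in the archive being
    scanned (direct inclusion) and "nested-jar" when they sit in an archive
    embedded inside it (fat-jar style). jndi_lookup records whether
    JndiLookup.class is present, which the vulnerable code path needs.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a zip-based archive; nothing to inspect
    names = zf.namelist()
    findings = []
    core_classes = [n for n in names
                    if n.startswith(LOG4J_CORE_PREFIX) and n.endswith(".class")]
    if core_classes:
        findings.append({
            "path": path,
            "kind": "shaded" if depth == 0 else "nested-jar",
            "jndi_lookup": JNDI_LOOKUP_CLASS in names,
            "class_count": len(core_classes),
        })
    if depth < max_depth:
        # Recurse into embedded archives (BOOT-INF/lib/*.jar, WEB-INF/lib/*.jar, ...)
        for n in names:
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(classify_archive(zf.read(n), f"{path}!{n}",
                                                 depth + 1, max_depth))
    return findings


def scan_tree(root):
    """Walk a directory and classify every archive found under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(classify_archive(fh.read(), full))
    return findings


def _build_archive(entries):
    """Constructed helper: build an in-memory zip from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


STUB_CLASS = b"\xca\xfe\xba\xbe"  # class-file magic only; constructed stand-in

# Constructed samples. Only the entry names matter to the scanner.
SHADED_JAR = _build_archive({
    "com/example/App.class": STUB_CLASS,
    "org/apache/logging/log4j/core/LogEvent.class": STUB_CLASS,
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": STUB_CLASS,
})
FAT_JAR = _build_archive({
    "com/example/App.class": STUB_CLASS,
    "BOOT-INF/lib/log4j-core-2.14.1.jar": _build_archive({
        "org/apache/logging/log4j/core/lookup/JndiLookup.class": STUB_CLASS,
    }),
})
# Log4j classes present but JndiLookup.class deleted from the jar (a mitigation
# some admins applied): still reported, with jndi_lookup False.
STRIPPED_JAR = _build_archive({
    "org/apache/logging/log4j/core/LogEvent.class": STUB_CLASS,
})
CLEAN_JAR = _build_archive({"com/example/App.class": STUB_CLASS})

if __name__ == "__main__":
    for name, data in (("shaded.jar", SHADED_JAR), ("fat.jar", FAT_JAR),
                       ("stripped.jar", STRIPPED_JAR), ("clean.jar", CLEAN_JAR)):
        for finding in classify_archive(data, name):
            print(finding)
```

    Running scan_tree over an application directory reports every archive, nested or not, that carries Log4j core classes, which a check for complete log4j-core jar files alone would not.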

  • This sneaky hacking group targets old Java applications to break into networks

    A highly organised and stealthy cyber-criminal operation is stealing millions of dollars from financial organisations in attacks that have been active for at least two years. The campaign has been detailed by researchers at Israeli cybersecurity company Sygnia, who have dubbed the organised financial theft operation behind the attacks as ‘Elephant Beetle’. 


    These attacks are predominantly focused on financial organisations in Latin America, although researchers warned that the campaign could shift towards targets in other parts of the world. Researchers note that one of the breaches they uncovered when analysing Elephant Beetle campaigns was against the Latin American arm of an undisclosed US-based company. Elephant Beetle campaigns take place over a long period, with those behind the attacks taking time to examine the financial systems of compromised victims in order to create fraudulent transactions hidden among regular activity, which adds up to millions of dollars being stolen. The attacks’ entry point is legacy Java applications running on Linux-based machines and web servers. The legacy nature of these systems means they’re likely to contain unpatched vulnerabilities that can be exploited. Among these vulnerabilities are Primefaces Application Expression Language Injection (CVE-2017-1000486), WebSphere Application Server SOAP Deserialization Exploit (CVE-2015-7450), SAP NetWeaver Invoker Servlet Exploit (CVE-2010-5326), and SAP NetWeaver ConfigServlet Remote Code Execution (EDB-ID-24963).

    In each case, the initial payload is a simple obfuscated web shell enabling remote code execution, or a series of exploitations running different commands on the target machine. In total, the threat group uses an arsenal of over 80 unique tools and scripts to conduct the campaigns and identify additional security flaws while remaining undetected. To help stay under the radar, the attackers stick to smaller transactions that don’t look suspicious on an individual basis, but when all the transactions against victims are added together, millions of dollars are being stolen. If an attempt at a transaction is detected and blocked, the attackers will lay low while remaining on the network for a few months, only to resume activity again once they feel the coast is clear. “Elephant Beetle is a significant threat due to its highly organised nature and the stealthy pattern with which it intelligently learns victims’ internal financial systems and operations,” said Arie Zilberstein, VP of incident response at Sygnia. “Even after initial detection, our experts have found that Elephant Beetle is able to lay low, but remain deeply embedded in a compromised organization’s infrastructures, enabling it to reactivate and continue stealing funds at any moment,” he added. Analysis of incidents involving Elephant Beetle – along with phrases and keywords used in code, including ‘Elephante’ – suggests that the cyber criminals behind the attacks are Spanish-speaking. Researchers also note that many of the command and control servers used by Elephant Beetle appear to be located in Mexico. In addition to this, Sygnia’s incident response team notes that the tools and techniques deployed by Elephant Beetle strongly resemble what cybersecurity company Mandiant tracks as FIN13, a cyber-criminal group focused on Mexico.

    It’s strongly believed Elephant Beetle is still actively compromising targets, but there are steps that organisations can take to avoid falling victim. Key to this is applying patches and security updates to prevent attackers from exploiting known vulnerabilities in order to gain a foothold in networks. If legacy applications can’t be patched, they should be isolated from the rest of the network when possible. “Particularly in the wake of widespread vulnerabilities like Log4j that are dominating the industry conversation, organizations need to be apprised of this latest threat group and ensure their systems are prepared to prevent an attack,” said Zilberstein.