More stories

  • US insurance giant CNA Financial paid $40 million ransom to regain control of systems: report

    One of the largest insurance companies in the United States, CNA Financial, reportedly agreed to a $40 million payment to restore access to its systems following a ransomware attack. 

    According to Bloomberg, the $40 million payment — which is $10 million more than the highest attempted demand of $30 million in 2020, already double the highest attempted extortion figure of 2019 at $15 million — was paid out two weeks after ransomware crippled CNA Financial’s networks. People close to the matter said during the cyberattack, employees were locked out of the company’s systems and confidential data was stolen.  CNA said that a “sophisticated cybersecurity attack” was detected on March 21 that caused “network disruption and impacted certain CNA systems.”  In an update on May 12, the insurance giant said that third party cyberforensics experts were investigating the incident, in which the ransomware group appears to have conducted all of its activities prior to March 21 and have not accessed the CNA environment since.  Ransomware groups may perform reconnaissance and lurk in a network to quietly exfiltrate information before encryption begins in order to perform a double-extortion attack, in which companies that refuse to pay in order to decrypt their systems are then faced with the prospect of sensitive data being published online. The company has remained tight-lipped concerning what information was stolen, but did say that “we do not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data — including policy terms and coverage limits — is stored, were impacted.”

    CNA has since restored its systems and is fully operational. In a statement, a CNA spokesperson said that the insurance firm will not be commenting on the ransom, adding that CNA “followed all laws, regulations, and published guidance” while handling the cyberattack. Furthermore, the company consulted with the FBI and Office of Foreign Assets Control (OFAC). This may not be enough to placate US lawmakers or law enforcement as the practice of paying cyberattackers is not encouraged — and only serves to keep ransomware deployment a lucrative business. Colonial Pipeline, a crucial provider of fuel to close to half of the East Coast, has confirmed a $4.4 million payout to the DarkSide ransomware group following a debilitating attack that interrupted fuel supplies for close to a week across the United States. Colonial Pipeline CEO Joseph Blount said that paying up was the “right thing to do for the country.” In related news this week, cyber insurance provider AXA also became the target of a ransomware group, known as Avaddon. Operations in Thailand, Malaysia, Hong Kong, and the Philippines were disrupted and the cybercriminals claim to have stolen 3TB in data including customer medical reports, claim records, bank account document scans, ID cards, and other datasets. The information has not been published at the time of writing. The ransomware attack took place just days after AXA announced the discontinuation of support for ransomware extortion claims in France.

  • Australian telco sector looking down the barrel of a prescribed security standard

    The Department of Home Affairs has brushed aside industry concerns that the Security of Critical Infrastructure Act (SoCI Act) duplicates obligations found in the Telecommunications Sector Security Reforms (TSSR). As far as the department is concerned, rather than overlapping regimes, there would be “one continuum” of regulation where the Telecommunications Act is paramount, but parts of the SoCI Act would be “activated” to fill in gaps. “The explanatory memorandum for the Security of Critical Infrastructure Act amendments very clearly states that, where primary legislation exists that regulates the activities of a critical infrastructure sector, that primary legislation remains operant,” Home Affairs deputy secretary for national resilience and cybersecurity Marc Ablong told the Parliamentary Joint Committee on Intelligence and Security on Thursday. “To the degree that we need to look at amendments to that act — minor in nature — to ensure that it is consistent with the positive security obligations that are set out in the [SoCI] Bill, we would do that to the Telco Act.” Two such gaps in the Telco Act that Ablong identified were the ability of government to assist companies facing a significant cyber attack and the enhanced cybersecurity obligations. “We don’t consider them to be rival regulatory regimes but parts of the one continuum that starts with companies very much recognising that they have a unique position as telcos. To the degree that the existing regulatory regime set out in part 14 can suffice, it will suffice,” he said. “To the degree that it can’t suffice, that’s when the Security of Critical Infrastructure Act amendments will apply. But we don’t intend this to come as any surprise to the industry.”

    One area where the TSSR is ambiguous is its requirement for carriage service providers to “do their best” to protect telecommunication networks and facilities, and both telcos and the department believe it needs clarification. “We’d suggest that a higher standard than just doing your best might be required,” Ablong said. “To the degree that the language in the TSSR says, ‘Do your best,’ we might replace it with, ‘You are required to meet standard X,’ whatever the standard is that we and the industry come to a common view on in the co-design process.” How the positive security obligation looks for each sector will be a co-design process with industry of looking at primary legislation and working out what needs to be added, the deputy secretary said. “The obligation for the telco sector would be different to that for the banking sector, for instance,” Ablong said. “The process of co-designing with industry and providing them with information about, ‘Here are the threats we think your industry will face over the foreseeable future; this is where we think your primary legislation requires you, or obliges you, to meet a certain security requirement; and this is what more we think you could add to your ability to meet an obligation under the Critical Infrastructure Act,’ is very much a co-design process.” In the end, Ablong said the solution could be to replace the “Do their best” wording with a standard, whether it is the Essential Eight from the ACSC, or a standard from NIST or the UK’s National Cyber Security Centre. “Ultimately, in the conversations that we have been having with industry … the first question is: To what standard do you hold yourself as an industry? Then you would ask: What are the measures that you’re using to assure yourself that, against the risks which we’ve talked about, you are able to deal with those risks?,” he said.
“If somebody says to me, ‘I use the NIST standards’ and another industry says, ‘I use the NCSC standards from the UK’, both of those are suitably robust that, for most intents and purposes, we would probably say, ‘That’s good enough’.” Earlier in the day, Telstra and Optus raised concerns that the Critical Infrastructure Centre needed to provide more proactive advice to telcos, rather than just responding to alerts from telcos when changes to services, systems, or equipment could have a “material adverse effect” on their ability to meet TSSR obligations. “Currently we get really good and detailed advice, but it has to be triggered by us putting in a notification or providing a briefing, and then that advice will come back,” Telstra national cybersecurity principal Jennifer Stockwell said. “It will be very detailed and will help us to understand the risk for that particular project, but it would be very helpful to have more upfront, because then, when I’m working day to day with our network engineers and operational staff, I can provide them with the guardrails to start with, and that really helps decision-making and speeds up projects.” In December, Optus revealed it was responsible for over half of TSSR notifications. “Optus has reviewed the TSSR status of well over 150 projects and proposed changes over the last two years and submitted formal TSSR notifications for 36 of them,” it said at the time. “The time for the resolution of these notifications has varied between 30 days to eight months.” On Thursday, Telstra regulatory principal John Laughlin said Australia’s largest telco took a different approach. “We have deliberately taken an approach where we notify on mitigated risk,” he said. “We only lodge a notification after all the systems and controls are in place, where we still believe that there’s a material adverse effect to our ability to meet the security obligation.” Stockwell added that Telstra only notifies on the end solution.
“The unmitigated risk is a risk that is not going to be realised, provided we have the adequate mitigating controls in place,” she said. “It’s really important to mention that early engagement with the critical infrastructure centre and the ability to have that early engagement is critical to inform those controls so that we put all the appropriate mitigations in place, taking into account the full understanding of the threat landscape.” Whether through bad preparation or obfuscation, Laughlin was unable to provide the committee with the number of notifications Telstra had provided, except to say it was “substantially less” than Optus. The differences in notification thresholds is one of the reasons Home Affairs wants to have a “conversation” with telcos in the co-design phase to see if the government and private sector have different views on risk. “If they have been thinking about it purely from the perspective of, for instance, somebody’s ability to cut the trunk cables and therefore their inability to provide a service to a portion of Australia, we would be equally concerned about the ability of somebody to hack in or intercept communications carried over their networks, but if they don’t consider that to be a material risk, then they’re not going to notify us or report about those sorts of things,” Ablong said. The deputy secretary added the Critical Infrastructure Bill was necessary in light of the recent Colonial Pipeline incident. 
“The critical infrastructure amendments … very much cover what is required in order for Australia to have greater assurance that the sorts of things that we saw with the Colonial Pipeline, for instance, in the United States are less likely to happen here, that we have taken all necessary measures to protect our critical infrastructure and for the entities involved in those sectors of the economy that might be considered critical infrastructure to have protected themselves.” On the other side of the fence is the Communications Alliance, which has put forward a proposal to either repeal the TSSR notification obligations or exempt telcos that fall under the Critical Infrastructure Bill. “We would very much prefer the certainty that comes with repealing provisions that could create duplication, as opposed to relying on the goodwill and best endeavours of agencies over time to avoid that through positive decisions of their own,” Comms Alliance CEO John Stanton said. “Time moves on, people move on, and it would be preferable from our point of view if the requirements and obligations were clear and in legislation rather than subject to executive decision-making.”

  • TPG Telecom customers fleeing 100Mbps NBN tier in search of a better deal

    When it comes to users jumping between NBN plans in the quarter to the end of March, there is one telco that stands above all others, TPG Telecom. For the three-month period, the telco reported 468,000 fewer users on 100Mbps speed plans, but it saw an extra 335,000 premises move onto 250Mbps, and 113,000 extra 50Mbps plans. The end result meant instead of being TPG’s most popular tier in December, the 215,000 users on the 100Mbps now trail behind the 663,000 50Mbps connections, 426,000 on 12Mbps, 336,000 on 250Mbps, and 311,000 on 25Mbps plans. At the same time, the number of TPG users on the 500-100Mbps Home Ultrafast shot up in the quarter from 352 to almost 63,000 users. Across all NBN retailers, 100Mbps plans had 464,000 fewer users, as Telstra was the only other major retailer to see a drop of 11,500 plans while Optus connected almost 8,800 premises to 100Mbps, Aussie Broadband recorded 7,000 extra users, and Vocus raised its 100Mbps connection number by 5,400. On the 250Mbps tier, Optus connected an extra 89,000 users, Telstra saw an extra 45,000 connections, and in combination with TPG’s 335,000 number, the total rose by 477,000 across the quarter. The only other major telco to cross the four-figure threshold for Home Ultrafast plans was Aussie Broadband, which signed up an extra 2,300 users on that tier. The total across all retailers sat just short of 73,000 connections.

    Overall, the 50Mbps tier saw an extra 71,000 users, 25Mbps recorded 40,000 new connections, while the number of 12Mbps users dropped by 32,000. ACCC commissioner Anna Brakey pinned the customer shift on NBN ending its 100Mbps promotion. “New incentives offered by NBN Co have enabled retailers to allow consumers to trial or shift to higher speed services, particularly services with very high speeds of 250Mbps or above,” Brakey said. “Before moving to higher speed services, the ACCC recommends that consumers consider the value of new promotions, how long they run for, and how they align with their particular needs. “Many consumers will continue to be adequately served running multiple devices on plans with speeds of 50Mbps or below.” Looking at the customer shifts by connection technology, an aggregate 146,000 full fibre customers left the 50Mbps tier and 67,000 moved from 100Mbps plans, as a total of 189,000 additions were made to 250Mbps plans, and 55,000 jumped on Home Ultrafast plans. For fibre to the node, 233,000 customers left the 100Mbps tier, and the 50Mbps tier recorded 268,000 additions. A similar pattern was seen in fibre to the curb, with 106,000 fewer 100Mbps connections recorded against 158,000 extra 50Mbps connections. For hybrid fibre-coaxial, the 50Mbps tier saw 240,000 connections drop off, and 289,000 jump onto 250Mbps. On satellite, there was no good news for NBN as 2,400 connections left the network.

  • Telstra, Optus, and Aldi Mobile warned by ACMA for not verifying new customer info

    The Australian Communications and Media Authority (ACMA) has issued formal notices to a trio of telcos after finding each had failed to validate customer details when moving between carriers. Medion Mobile, which powers Aldi Mobile and is owned by Lenovo, was caught out on 53 occasions, Telstra was found to have breached its obligations 52 times, and Optus was pinged for one violation. “Historically it has been too easy to transfer phone numbers from one telco to another. All a scammer needed to hijack a mobile number and access personal information like bank details was a name, address and date of birth,” ACMA chair Nerida O’Loughlin said. “We are cracking down on telcos that don’t follow the rules and leave customers vulnerable to identity theft.” ACMA said those who experienced mobile number fraud typically lost more than AU$10,000, and struggle to “regain control of their identities for long periods of time”. Since new rules on validating customer information came into effect early last year, the regulator said some telcos have reported the practice has stopped. ACMA said if a person believes they have fallen victim to such an attack, to contact their telco and bank, change passwords, report the act to the police, Scamwatch, and the Australian Cyber Security Centre.

    As usual with telco rule breaches, the ACMA warned further violations could see a AU$250,000 fine per breach. Earlier in the week, Lycamobile paid a AU$600,000 fine levelled at it, after ACMA found what it called “prolonged and large-scale customer data failures, which could have put people in danger”. In its investigation, ACMA found 245,902 instances where the telco failed to pass on information to Telstra so it could maintain the Integrated Public Numbers Database (IPND) used by emergency services when responding to 000 calls, as well as the Emergency Alert Service. ACMA said there were 5,671 instances where Lycamobile did not upload data to the IPND for “between three days and nine years” after gaining a customer. It also did not upload complete and accurate information for 240,231 customers, with over 210,000 customers being listed as connected in the IPND when they were disconnected.

  • Palo Alto Networks raises FY 21 outlook, beats Q3 estimates

    Palo Alto Networks published better-than-expected third quarter financial results on Thursday and raised its outlook for the fiscal year. Non-GAAP net income for the quarter was $139.5 million, or $1.38 per diluted share. Revenue grew 24 percent year-over-year to $1.1 billion. Analysts were expecting earnings of $1.28 per share on revenue of $1.06 billion. “The work-from-home shift earlier in the year and recent cybersecurity issues have increased the focus on security,” chairman and CEO Nikesh Arora said in a statement. “Coupled with good execution, this has driven great strength across our business with Q3 billings growth accelerating to 27% year over year. In particular, we saw a number of customers make large commitments to Palo Alto Networks across our three major platforms. We are pleased to be raising our guidance for fiscal year 2021 as we see these trends continuing into our fiscal fourth quarter, bolstering our confidence in our pipeline.” Billings for the quarter reached $1.3 billion. Deferred revenue grew 30 percent year-over-year to $4.4 billion. For the fiscal fourth quarter 2021, the company expects total revenue in the range of $1.165 billion to $1.175 billion, representing year-over-year growth of between 23 percent and 24 percent. For the fiscal year 2021, the company now expects total revenue in the range of $4.20 billion to $4.21 billion, representing year-over-year growth between 23 percent and 24 percent.


  • Healthcare organizations in Ireland, New Zealand and Canada facing intrusions and ransomware attacks

    Three healthcare institutions in Canada, Ireland and New Zealand are in the midst of security incidents this week, highlighting the perilous cybersecurity landscape within some of the world’s most important organizations. 


    Ireland’s Department of Health was attacked twice in the last week, eventually shutting down their entire IT system after a ransomware attack last Thursday. The same group also hit the Health Service Executive with a ransomware attack. Chief Operations Officer of the Health Service Executive Anne O’Connor told The Journal that the office had been hit by the Conti ransomware. According to RTÉ and the BBC, dozens of outpatient services were cancelled, a vaccine portal for Covid-19 was shut down and the country has spent days trying to bring its healthcare IT system back online. Irish Foreign Minister Simon Coveney called it a “very serious attack” while Irish Minister of State Ossian Smyth said it was “possibly the most significant cybercrime attack on the Irish State.” The leaders of the Irish government met on Monday and said the National Cyber Security Centre had brought in Europol, private sector cybersecurity experts and hundreds of others to help solve the ransomware attack. The Journal reported that 85,000 computers were turned off once the attack was noticed and that cybersecurity teams are going through all 2,000 different IT systems one by one. “Those who carried it out have no concern for the severe impact on patients needing care or for the privacy of those whose private information has been stolen. These ransomware attacks are despicable crimes, most especially when they target critical health infrastructure and sensitive patient data,” the government statement said. “The significant disruption to health services is to be condemned, especially at this time. Any public release by the criminals behind this attack of any stolen patient data is equally and utterly contemptible. There is a risk that the medical and other data of patients will be abused.”

    Emergency services are still operating in the country but are now busy because of the IT outage. Many radiology appointments are cancelled, according to a government statement, and there are now delays in COVID-19 test result reporting as well as delays with issuing birth, death or marriage certificates. Pediatric services, maternity services, and outpatient appointments in certain hospitals have all been affected by the attack, according to The Journal. Dublin’s Rotunda Hospital, The National Maternity Hospital, St Columcille’s Hospital, Children’s Health Ireland (CHI) at Crumlin Hospital, The UL Hospitals Group have all reported varying levels of IT outages. Health Minister Stephen Donnelly added this week that the HSE payment system was downed by the attack and that the 146,000 people working in the healthcare industry will face issues with full payment. On Thursday, the Financial Times reported that the people behind the ransomware attack were demanding $20 million to restore the system and had already started leaking private information about patients online. Irish Prime Minister Micheál Martin previously told the BBC that the government would not pay the ransom. New Zealand is facing a similar issue, with IT services for their healthcare system reporting a cybersecurity incident that completely knocked out the entire system. Clinical services at hospitals in Waikato, Thames, Tokoroa, Te Kuiti and Taumarunui have all been affected by the attack. Even the landline phone services are down, and the government has said some outpatient appointments may need to be cancelled. More than 30 elective surgeries were cancelled in recent days due to the outage. 
In addition to the attacks on the Irish and New Zealand healthcare systems, Canadian insurer Guard.me, one of the world’s largest insurance carriers, is still dealing with a downed website following “suspicious activity was directed at the guard.me website.” The site is still down, with a lengthy message explaining that they took down their website as a cautionary measure. Guard.me provides students who study abroad with health coverage internationally and the company has already sent out a letter to students informing them of the attack, according to Bleeping Computer.  The letter admits that the “suspicious activity” they caught was actually someone gaining access to a database that contained the dates of birth, genders, phone numbers, email addresses, mailing addresses, passwords of students. Cybersecurity expert Mathieu Gorge, CEO of Ireland-based VigiTrust, said ransomware gangs and other cybercriminals have proven repeatedly through attacks on healthcare systems during the pandemic that they have little regard for human life or privacy.  

    “What’s most worrying about this is that it has established a trend that you can attack critical infrastructure anywhere and everywhere,” Gorge said. “And these aren’t necessarily sophisticated attacks by nation-states; they are relatively low-skill attacks with huge consequences exploiting attack surfaces which frankly should be better protected.” Saryu Nayyar, CEO of cybersecurity company Gurucul, said ransomware gangs have now perfected the art of monetizing every aspect of an attack. On top of the ransoms they make from attacks, medical records, she said, hold highly sensitive personal data that can be used to socially engineer money from fragile patients who are not cyber savvy like the elderly, not to mention the obvious identity theft. “The fact that the Irish government will not give in to the attacker’s demands is a sign that they are confident they have backups to sufficiently restore their systems and data. But the cybercriminals will likely publicize their stash of sensitive patient health data just because they can and they’re evil,” Nayyar added. “Usually, the ransom price is determined by the amount of cybersecurity insurance the victim organization has. Perhaps the Irish government doesn’t have cybersecurity insurance, but in this case it doesn’t matter since Conti is known to operate on the basis of ‘double extortion’ attacks, so the data would be made public anyway.” Zerto vice president of product marketing Caroline Seymour noted that even when organizations have backups or recovery systems, they can be days or weeks old, leading to inevitable gaps and data loss that can be highly disruptive as well as add significantly to the overall recovery cost. Many other experts noted that the rush to digitize hospital services across the world has left almost every country vulnerable to ransomware operators eager to hold critical arms of governments hostage.

    With the millions of dollars being made through ransomware, the gangs behind them have become more methodical and are now run like businesses with scalable campaigns, according to Hank Schless, senior manager at Lookout. “Historically, it was far more likely that attackers would try to brute force their way into the infrastructure and exploit any weak points in its defenses,” Schless explained. “Every day, hundreds if not thousands of users connect to corporate infrastructure from unmanaged devices and networks. They also expect to have seamless access to a mix of on-premises and cloud-based services in order to get their jobs done. Since this all takes place outside the safety of the traditional perimeter, it could open countless backdoors into your infrastructure.”

  • Fraudsters employ Amazon ‘vishing’ attacks in fake order scams

    Researchers have highlighted tactics used by fraudsters today in voice-based phishing campaigns. 

    Phishing attempts involve fraudulent messages sent over email, social media networks, SMS, and other text-based platforms. They may appear to be from your bank, popular online services — such as PayPal or Amazon — or they may attempt to lure in victims with promises of tax rebates and competition prizes. These messages often contain malicious attachments designed to deploy malware, or they may try to direct victims to fake websites.  So-called “vishing” is a subset of phishing techniques that combines ‘voice’ and ‘phishing’. Victims may be cold-called or emails could contain phone numbers, voice notes, and messages — but the overall goal is the same: to swipe your personal data.  Scam artists can employ “spray and pray” techniques in campaigns and blast out thousands of emails in one go, and now, voice over internet protocol (VoIP) technology has allowed fraudsters to do the same, all while spoofing their caller IDs and identities.  In separate case studies published by Armorblox on Thursday, the team highlighted two Amazon vishing attacks intent on stealing customer credit card details — and how the use of voice messages can bypass existing spam filters.  The first example vishing attempt, tracked to roughly 9,000 email inboxes, was sent from a Gmail account and contained the subject line: “Invoice:ID,” followed by an invoice number and content containing color markers used by Amazon. 

    This email says that an order for a television and gaming console had been placed — a purchase worth hundreds of dollars — and urges the recipient to contact them using a phone number if there are any errors. 
    Armorblox called the ‘payload’ phone number and a person on the other end of the line answered, pretending to be from Amazon customer service. The scammer requested the order number, customer name, and credit card details before cutting the call and blocking the number.  According to the researchers, the use of a zero in “AMAZ0N TEAM” helped the message bypass existing spam filters, including Microsoft Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MSDO). A spam level of “1” was assigned to the email, which means that the message was not considered fraudulent. In the second example, which reached roughly 4,000 inboxes and was also able to circumvent EOP and MSDO, fraudsters impersonated Amazon via a spoofed email address — “no-reply@amzeinfo[.]com” — and used the subject line, “A shipment with goods is being delivered.” The email contained an order number, a payment amount of $556.42, and another phone number ‘payload’ for customers to make return requests. However, in this case, the researchers found that the scam appeared to have been shut down as the phone number was not in service. As the emails did not contain malicious attachments or links, this allowed the fraudsters to bypass spam filters. In both cases, the fraudsters used a combination of social engineering, brand impersonation, and emotive triggers — the apparent loss of hundreds of dollars — to induce victims into calling them. If successful, victims could end up handing over their personal data and credit card details, leading to consequences such as identity theft or fraudulent payments made on their behalf.  As many of us remain at home due to the pandemic and we’ve come to rely more heavily on online shopping, fraudsters will continue to try and exploit these trends. In August, the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory warning of an increase in vishing attacks against the private sector.  

  • Open source: Mars explorer developer teams with drone company on open architecture

    A company that designs precision motors used in Mars and lunar exploration is teaming up with an open source drone architecture company. maxon, whose technology is enabling the autonomous helicopter Ingenuity and rover Perseverance to explore Mars, is announcing a strategic partnership with Auterion, the company building an open and software-defined future for enterprise drone fleets. That may seem like an obscure bit of industry news, but it actually points to a dawning reality for the enterprise and government drone sector: The drone sector for government and enterprise is largely being reshaped out from under the shadow of DJI, and open source is taking a lead role. A bit of recent history: As I’ve written, the drone industry has reached an inflection point, with a handful of companies, and most notably DJI, dominating the industry. As a result of the reigning monopolies, it’s nearly impossible for any single company to compete against overwhelming market share, along with an inability to easily scale and the fact that companies need to essentially reinvent the wheel to innovate. But that’s changing, in large part because DJI, a Chinese firm, is now persona non grata when it comes to American governmental and many enterprise applications. That’s left an opening for a sort of sector-wide reset, and open source has emerged as an important driver of recent innovation and partnerships. A strategic partnership between a precision motor company and a drone company that provides enterprise and government with an ecosystem of software-defined drones, payloads, and third-party applications within a single, easy-to-use platform based on open-source standards has far-reaching potential for the sector. “The partnership between Auterion and maxon provides access to the very best drone technology that also addresses impending federal legislation in the United States,” said Kevin Sartori, co-founder of Auterion.
“We’re seeing utility companies and others that specifically require drone service providers to offer systems compliant with regulatory executive action. Ultimately, our open-source, software-defined ecosystem built with outstanding partners like maxon is what will instill greater trust in drone components and autonomous technologies.” According to the companies, with the new partnership enterprise customers will benefit from an open ecosystem of avionics and motors integration in the drone industry, which joins Auterion’s module Skynode and maxon’s best-in-class BLDC motors, like the EC 87 flat UAV motor. The implementation will use open-source standardization that’s critical for the drone industry’s next phase of enterprise scaling and smooth workflow management. Across every commercial, government and non-profit use case, open ecosystem integrations support component upgrades and mixed portfolios of small, medium and heavy-lift drones, carrying a wide variety of specialized payloads or cargo.