More stories

  • Finalsite says no data stolen during ransomware attack affecting 3,000 US public schools

    Education software provider Finalsite said on Monday that no data was stolen during a ransomware attack that started on January 4. Finalsite provides website services to thousands of public schools across the US, and the attack took place at a particularly inopportune time. As schools braced for snow days and potential COVID-19 disruptions on Friday, officials found their websites and email systems out of commission, making it more difficult to communicate changes to parents. “Examples of usage to avoid include sending email/notifications, workflows, relying on calendar and athletic alerts, uploading data, etc.,” the company said on January 7. On Sunday, the company said that all client websites are back online.

    Finalsite CEO Jon Moser told reporters on Monday that the company has hired data privacy attorneys at Mullen Coughlin LLC and cyber forensic investigators at Charles River Associates to help with the recovery process. Moser explained that they now know which ransomware group conducted the attack and have “achieved containment of threat actor activity.” They know how the ransomware group got in and said they “have found no evidence that client data has been viewed, compromised or extracted.”

    The company said it primarily holds “publicly-facing information found on school and district websites,” but some customers use the company’s directories or messages/eNotify modules, which may contain demographic data ranging from names to email addresses and phone numbers. “Some clients use Finalsite payment integrations with third-party organizations. These payments are processed through a secure third party. Finalsite does not transmit or store any credit card data,” the company said. “Finalsite does not store academic records, social security numbers, or any other confidential information. Again, Finalsite has no evidence that any data was compromised as a result of this incident.”

    The company told ZDNet it is unable to share which ransomware group was responsible for the attack. A spokesperson for the company also took issue with reports on social media that schools were unhappy with how Finalsite dealt with the outages. One Reddit user said a number of school districts complained that they were unable to use their emergency notification system to warn their communities about closures due to weather or COVID-19 protocol. “The impact of this outage is far greater than the attention it has received,” the user wrote. Some schools took to Twitter to inform students and parents about website outages, noting to the public that their websites were down because of the ransomware attack on Finalsite.

  • California town announces data breach involving police department, loan provider

    Grass Valley, California has announced an extensive data breach involving the Social Security numbers and more of all city employees and vendors — as well as anyone who had their information given to the local police department. The city said in a notice that Social Security numbers, driver’s license numbers, and health insurance information were leaked for all Grass Valley employees, former employees, spouses, dependents, and vendors.

    Anyone whose information was provided to the Grass Valley Police Department had their names, Social Security numbers, driver’s license numbers, financial account information, payment card information, health insurance information, passport numbers, and more lost in the breach. The same goes for anyone who filled out a loan application at the Grass Valley Community Development Department. The city government said the breach began on April 13, 2021, and files were transferred out of the city’s network until July 1. By December, the city said it had a better understanding of the scope of information lost in the breach, and it began sending breach notification letters to victims on January 7. Only those who had their Social Security number or driver’s license number leaked are being given access to one year of free credit monitoring and identity theft protection. The city later released an update to the notice, telling victims that the city is unable to verify whether a person’s information was lost in the massive breach.

    “We have learned that some individuals are calling the phone number provided to inquire ‘has my identity been affected?’ The call center is unable to ‘look up names’ specifically. Rather, we ask that if you fall into one of these categories that you specify to the call center the category in which you fall, and ask to have them provide you with a use-code to enroll in Experian’s IdentityWorksSM credit monitoring service,” the city explained. Grass Valley is located near Sacramento and has a population of around 13,000 people.

  • CISA director: 'We have not seen significant intrusions' from Log4j — yet

    Officials with the US Cybersecurity and Infrastructure Security Agency (CISA) said on Monday that they have not seen the exploitation of Log4Shell result in significant intrusions since the vulnerability came to light in December. CISA director Jen Easterly and executive assistant director for cybersecurity Eric Goldstein fielded questions from reporters during a briefing on Monday, telling attendees that outside of an attack on the Belgian Defense Ministry, they have not seen any damaging incidents that resulted directly from the exploitation of the Log4j vulnerability.

    “At this time, we have not seen the use of Log4Shell resulting in significant intrusions. This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting to leverage their new access until network defenders are on a lower alert. Everybody remembers the Equifax breach that was revealed in September of 2017 was a result of an open-source software vulnerability discovered in March of that year,” Easterly said. “It may also be due in part to the urgent actions taken by defenders and many organizations to rapidly mitigate the most easily exploitable devices, such as those accessible directly from the internet,” Easterly added. “We do expect Log4Shell to be used in intrusions well into the future.” Easterly added that they could not confirm multiple reports from cybersecurity companies that ransomware groups were leveraging the Log4j vulnerabilities for attacks.

    Goldstein noted that even though they have not seen any significant attacks, there has been widespread scanning and exploitation of Log4Shell by cybercriminals who use it to install cryptomining software on victim computers or to capture victim computers for use in botnets. He added that CISA has not seen any confirmed compromises related to federal agencies or critical infrastructure organizations. According to Goldstein, CISA is “not seeing destructive attacks or attacks attributed to advanced persistent threats.”

    Easterly touted the agency’s efforts to deal with the Log4j crisis, explaining that their catalog of the more than 2,800 products affected by Log4j got hundreds of thousands of views and their Log4j scanner was downloaded nearly 4,000 times. Even though CISA has not seen a confirmed attack resulting from Log4j, cybersecurity companies are reporting millions of attempts to exploit the vulnerability. Cybersecurity firm NETSCOUT told ZDNet that the number of Log4j exploits it has blocked is approaching eight digits, and it recently blocked five million in a single day. ClearDATA founder Chris Bowen said his company has witnessed over 2.1 million security events specifically related to Log4j. “Of those, roughly 268,000 are considered with high confidence to be valid threat events,” Bowen explained. “When combined with TOR metrics, this number increases to 365,247 attacks prevented before execution.”

  • Indian Patchwork hacking group infects itself with remote access Trojan

    An Indian threat group’s inner workings have been exposed after it accidentally infected its own development environment with a remote access Trojan (RAT).

    Dubbed Patchwork by Malwarebytes and tracked under names including Hangover Group, Dropping Elephant, Chinastrats, and Monsoon, the Indian group has been on the scene since at least 2015 and is actively launching campaigns designed to deploy RATs for the purposes of data theft and other malicious activities. In one of the latest attack waves connected to Patchwork, the group targeted individual faculty members from research institutions specializing in biomedical and molecular sciences.

    On January 7, the Malwarebytes team said it was able to delve into the advanced persistent threat (APT) group’s activities after Patchwork managed to infect its own systems with its own RAT creation, “resulting in captured keystrokes and screenshots of their own computer and virtual machines.”

    According to the cybersecurity researchers, Patchwork typically relies on spear-phishing attacks, with tailored emails sent to specific targets. These emails aim to drop RTF files containing the BADNEWS RAT, of which a new variant has now been found. The latest version of this malware, dubbed Ragnatela, was compiled in November 2021. The Trojan is capable of capturing screenshots, keylogging, listing OS processes and machine files, uploading malware, and executing additional payloads. After examining Patchwork’s systems, the team ascertained that Ragnatela is stored in malicious RTF files as OLE objects, often crafted to look like official communication from Pakistani authorities. An exploit for a known Microsoft Equation Editor vulnerability is used to execute the RAT.

    Based on the attacker’s control panels, Malwarebytes was able to name the Pakistani government’s Ministry of Defense, the National Defense University of Islamabad, the Faculty of Bio-Sciences (FBS) at UVAS University, the HEJ Research Institute at the University of Karachi, and the molecular medicine department at SHU University as organizations infiltrated by Patchwork.

    Patchwork managed to infect its own development machine with Ragnatela, and so the researchers were also able to see them make use of VirtualBox and VMware virtual machines (VMs) to conduct malware testing. “Other information that can be obtained is that the weather at the time was cloudy with 19 degrees and that they haven’t updated their Java yet,” Malwarebytes said. “On a more serious note, the threat actor uses VPN Secure and CyberGhost to mask their IP address.” This is the first time the group has been connected to attacks against the biomedical research community, which may suggest a pivot in Patchwork’s priority targets.

  • Ransomware warning: Cyber criminals are mailing out USB drives that install malware

    A cybercrime group has been mailing out USB thumb drives in the hope that recipients will plug them into their PCs and install ransomware on their networks, according to the FBI. The USB drives contain so-called ‘BadUSB’ attacks. They were sent in the mail through the United States Postal Service and United Parcel Service. One type contained a message impersonating the US Department of Health and Human Services and claimed to be a COVID-19 warning. Other malicious USBs were sent in the post with a gift card claiming to be from Amazon.

    BadUSB exploits the USB standard’s versatility and allows an attacker to reprogram a USB drive to, for example, emulate a keyboard to create keystrokes and commands on a computer, install malware prior to the operating system booting, or spoof a network card and redirect traffic.

    While BadUSB attacks aren’t common, cyber criminals in 2020 sent BadUSB drives to targets in the post with a message claiming to be from BestBuy that urged recipients to insert a malicious USB thumb drive into a computer in order to view products that could be redeemed from a supposed gift card. That attack was attributed to the FIN7 group, which is also believed to be behind this attack.

    According to The Record, the FBI warned that the new BadUSB attacks were shipped on LILYGO-branded devices. The mail was delivered in packages to organizations in the transport and insurance sectors from August, while defense industry targets have received the packages since November. The USB drives were configured to register as a keyboard device after being plugged in. They then injected keystrokes into the target PC to install malware. Numerous attack tools were installed that allowed for exploitation of PCs, lateral movement across a network, and installation of additional malware.

    The tools were used to deploy multiple ransomware strains, including BlackMatter and REvil. BlackMatter is believed to be a rebrand of the DarkSide ransomware group, which appeared to close its business after attacking US fuel distributor Colonial Pipeline in May. This attack prompted discussions between the Biden Administration and the Kremlin over attacks on critical infrastructure.

  • Abcbot botnet is linked to Xanthe cryptojacking group

    Researchers have forged a “clear” link between the Abcbot botnet and a well-established cryptojacking cybercriminal group. First discovered in July 2021 by Netlab 360, the Abcbot botnet began as a simple scanner that used basic credential stuffing attacks and known vulnerability exploits to compromise vulnerable Linux systems.

    However, the developers quickly updated their creation to include self-update mechanisms, exploit kits, worm functionality, and a total of nine distributed denial-of-service (DDoS) attack functions. These findings were a starting point for Cado Security, which published a further analysis of the botnet in December. By this stage, the Abcbot botnet was also able to detect and kill Docker image-based cryptocurrency miners and malware already present on a target server, as well as disable cloud monitors including Aliyun Alibaba Cloud Assistant and Tencent monitoring components. Trend Micro said that once a deep clean of compromised servers has taken place, new, malicious user profiles are added with high levels of privilege, and failsafes are deployed to stop them from being modified or removed.

    While past examples of the botnet’s activity revealed a clean-up before it deployed its own cryptocurrency mining malware, on Monday, a new analysis published by Cado Security suggests the malware may be shifting back to more traditional routes: namely, a return to DDoS attacks as a focus. According to the cybersecurity researchers, there is now an established link between the botnet and Xanthe, a cryptojacking campaign documented by Cisco Talos in December 2020.

    Talos uncovered Xanthe after the group targeted a Docker-based honeypot with a Monero cryptocurrency miner, XMRig. At the time, Xanthe focused on hijacking computational resources of vulnerable servers to generate cryptocurrency and used bash scripts to eradicate competitor malware, as well as to maintain persistence. After comparing the Abcbot botnet and Xanthe samples, Cado Security found code and feature similarities. A VirusTotal graph based on known Indicators of Compromise (IoCs), stylistic choices, and unique strings then revealed four hosts that overlapped in infrastructure and delivered both Abcbot botnet and Xanthe malware campaigns. However, the samples also revealed recent changes in functionality, including commented-out mining components, that suggest mining may “no longer [be] an objective” of Abcbot.

    “Based on this analysis, we believe that the same threat actor is responsible for both Xanthe and Abcbot and is shifting its objective from mining cryptocurrency on compromised hosts to activities more traditionally associated with botnets, such as DDoS attacks,” the researchers said. “We suspect this won’t be the last malware campaign we analyze from this actor.”

  • FlexBooker apologizes for breach of 3.7 million user records, partial credit card information

    Scheduling platform FlexBooker apologized this week for a data breach that involved the sensitive information of 3.7 million users. In a statement, the company told ZDNet a portion of its customer database had been breached after its AWS servers were compromised on December 23. FlexBooker said their “system data storage was also accessed and downloaded” as part of the attack. They added they worked with Amazon to restore a backup and they were able to bring operations back in about 12 hours. “We sent a notification to all affected parties and have worked with Amazon Web Services, our hosting provider, to ensure that our accounts are re-secured,” a spokesperson said. “We deeply apologize for the inconvenience caused by this issue.”

    The spokesperson said the data was “limited to names, email addresses, and phone numbers” and a website notifying customers of the breach says the same thing. But Australian security expert Troy Hunt, who runs the Have I Been Pwned site that tracks breached information, said the trove of stolen data included password hashes and partial credit card information for some accounts. Hunt added that the data “was found being actively traded on a popular hacking forum.” A FlexBooker spokesperson confirmed Hunt’s report, telling ZDNet that the last 3 digits of card numbers were included in the breach but not the full card information, expiration date, or CVV.

    Reporters from Bleeping Computer said the group behind the attack, Uawrongteam, leaked information from FlexBooker and two other companies on a hacking forum. They tied the breach to a DDoS attack that FlexBooker reported on December 23. In their log of the attack, FlexBooker said the attack caused widespread outages of their core application functionality and required help from AWS to solve. “We have been informed that this should not have been possible, but before they were able to assist technically, they had to ensure that all our security practices were correct. They have completed this step, and this has now gone to their leadership team who have approved dedicating technical resources to this immediately,” FlexBooker said of the assistance from AWS on December 24. “We truly apologize again for the impact here. We have been on the phone with AWS support for 7 hours now, trying to push them through. A brute force attack such as this should not have been possible, so we are pushing them hard to put a network-level solution in place to ensure this is both resolved quickly and also permanently so this never happens again in the future.” The issue was resolved about eight hours later.

    Shared Assessments’ Nasser Fattah said he has seen instances where DDoS attacks are sometimes launched as a distraction to disrupt vital business services while the adversary’s primary goal is to gain access and exfiltrate sensitive information. “We know that there are financial losses associated with system outages, hence, why security teams have all eyes on glass, so to speak, when there is a DDoS attack,” Fattah said. “And when this happens, it is important to be prepared for the possibility of a multifaceted attack and be very diligent with monitoring other anomalies happening on the network.”

  • Ransomware attack on FinalSite still disrupting email services at thousands of schools

    Education technology company FinalSite is still in the process of recovering from a devastating ransomware attack that crippled many of the services they provide to thousands of schools across the world this week.

    In an update on Friday morning, the company said the “vast majority” of its sites are back up and running on the front end, but many systems are still facing a variety of issues. They urged their customers — which include thousands of schools across 115 different countries — to limit “software usage to critical information updates for your front-end” until they have confirmed that all functionality is working fully. “Examples of usage to avoid include sending email/notifications, workflows, relying on calendar and athletic alerts, uploading data etc.,” the company said. While some front-end systems are back, FinalSite said some styling may be missing, and users may not be able to access the admin side of their site. Many users will continue to see 503 errors, according to FinalSite. The company first informed customers of issues on January 4 and said its engineers have been working around the clock to resolve the issue. By Thursday, the company admitted that it was suffering from a ransomware attack. “We are incredibly sorry for this prolonged outage and fully realize the stress it is causing your organizations. While we have made progress overnight to get all websites up and running, full restoration has taken us longer than anticipated,” they wrote in a message to customers.

    “In the ensuing time since the incident, our security, infrastructure, and engineering teams have been working around the clock to restore backup systems and bring our network back to full performance, in a safe and secure manner. Third-party forensic specialists are assisting us in bringing things back slowly and carefully to ensure the environment is safe and stable.”

    One Reddit user said about 2,200 school websites hosted by Finalsite began to go down on January 4. “Many districts are complaining that they are unable to use their emergency notification system to warn their communities about closures due to weather or COVID-19 protocol,” the user wrote. “The impact of this outage is far greater than the attention it has received.” A FinalSite spokesperson later told TechCrunch that about 5,000 of their 8,000 customers were affected by the ransomware incident. Local news outlets across the US reported school districts having issues with their websites. Another school administrator contacted Bleeping Computer to report that their website was down, forcing them to contact parents about the outage. They were told that there is no timetable for services to return to normal. Some schools took to Twitter to inform students and parents about website outages, noting to the public that their websites were down because of the ransomware attack on FinalSite.

    Former FBI analyst Crane Hassold likened the attack to the ransomware incident that affected Kaseya and said it illustrated the domino effect ransomware can have on other companies. “When a company that provides solutions for other companies gets hit with ransomware, similar to what we saw with Kaseya last summer, the resulting impact can be exponentially devastating,” said Hassold, who now serves as director of threat intelligence at Abnormal Security. “In the current environment, when COVID is peaking again, and many schools are switching to temporary remote learning, this attack couldn’t have come at a worse time.”