More stories

  • Data breach: Broward Health warns 1.3 million patients, staff of 'medical identity theft'

    This weekend, the Broward Health hospital system notified more than 1.3 million patients and staff members that their personal information was involved in a data breach that started on October 15. 

    In a statement on Saturday, the Florida hospital system said that in addition to names, addresses and phone numbers, Social Security numbers, bank account information and medical history data were included in the breach. Insurance account information, driver’s license numbers, email addresses and treatments received were also included. The hospital system said it waited months to notify victims because the Department of Justice told it to hold off on sending out breach notification letters.

    “On October 15, 2021, an intruder gained entry to the Broward Health network through the office of a third-party medical provider permitted to access the system to provide healthcare services. Broward Health discovered the intrusion on October 19, 2021, and promptly contained the incident, notified the FBI and the Department of Justice (DOJ), required a password reset for all employees and engaged an independent cybersecurity firm to conduct an investigation,” the hospital explained. “Broward Health also engaged an experienced data review specialist to conduct an extensive analysis of the data to determine what was impacted, which determined some patient and employee personal information may have been impacted. The DOJ requested the Broward Health briefly delay this notification to ensure that the notification does not compromise the ongoing law enforcement investigation.”

    The hospital system did not say how many people were involved, but in its submission to the Maine Attorney General’s office it said 1,357,879 people were affected. The hospital is offering 24 months of identity theft protection services, has implemented multifactor authentication for all users of its systems, and has introduced “minimum-security requirements for devices not managed by Broward Health Information Technology with access to its network.”

    The notice warned that people who had their information exposed are now vulnerable to medical identity theft, which is when someone uses a person’s name and information to get medical services or fraudulently bill for medical services. The hospital urged those affected to monitor their benefits statements and financial accounts. Joseph Carson, chief security scientist at ThycoticCentrify, said countries where healthcare is extremely expensive are the leading targets for cybercriminals to steal and monetize personal health information. In many instances, personal health information is much more valuable than stolen credit card information, Carson added, noting that it can be sold for up to $500 or more on the dark web because it can easily be abused for fake medical claims, fake prescriptions or fake identities. “Personal health information can also be used for extortion or blackmail targeting victims who do not want sensitive information disclosed or even to abuse insurance claims and tax refunds,” Carson said. “Unfortunately, for medical records, you cannot change your medical history. Once stolen or disclosed, it is public knowledge, whereas a credit card you can change and get back on track quickly.”

  • The biggest data breaches, hacks of 2021

    In 2021, thousands of new cybersecurity incidents have been recorded, and while cryptocurrency theft and data loss are now commonplace, this year stands out due to several high-profile incidents involving ransomware, supply chain attacks, and the exploitation of critical vulnerabilities. The Identity Theft Resource Center (ITRC) has reported an increase of 17% in the number of recorded data breaches during 2021 in comparison to 2020. However, an entrenched lack of transparency around the disclosure of security incidents persists, so this may be a lowball estimate. According to IBM, the average cost of a data breach has now reached over $4 million, while Mimecast estimates that the average ransomware demand levied against US companies is well over $6 million. The world record for the largest payout, made by an insurance company this year, now stands at $40 million.

    Experts have warned that the security issue could persist for years with the recent emergence and rapid exploitation of the Log4j vulnerability. That goes for data leaks, breaches, and theft, too, which are unlikely to decline in number in the near future. Here are some of the most notable security incidents, cyberattacks, and data breaches over 2021.

    January

    Livecoin: Following an alleged hack in December, cryptocurrency exchange Livecoin slammed its doors shut and exited the market in January. The Russian trading post claimed that threat actors were able to break in and tamper with cryptocurrency exchange rate values, leading to irreparable financial damage.

    Microsoft Exchange Server: One of the most damaging cybersecurity incidents this year was the widespread compromise of Microsoft Exchange servers caused by a set of zero-day vulnerabilities known collectively as ProxyLogon. The Redmond giant became aware of the flaws in January and released emergency patches in March; however, the Hafnium state-sponsored threat group was joined by others for months after in attacks against unpatched systems. Tens of thousands of organizations are believed to have been compromised.

    MeetMindful: The data of over two million users of the dating app was reportedly stolen and leaked by a hacking group. The information leaked included everything from full names to Facebook account tokens.

    February

    SITA: An IT supplier for aviation services around the world, SITA, said a security incident involving SITA Passenger Service System servers led to the exposure of personal, identifiable information belonging to airline passengers. Airlines involved in the data breach were then required to reach out to their customers.

    ATFS: A ransomware attack against payment processor ATFS forced multiple US cities to send out data breach notifications. The cybercriminal group which claimed responsibility, Cuba, claimed to have stolen a wide range of financial information on its leak site.

    March

    Mimecast: Due to the SolarWinds supply chain attack disclosed in December 2020, Mimecast found itself the recipient of a malicious software update that compromised the firm’s systems. Mimecast said that its production grid environment had been compromised, leading to the exposure and theft of source code repositories. In addition, Mimecast-issued certificates and some customer server connection datasets were also caught in the breach.

    Tether: Tether faced an extortion demand from cyberattackers who threatened to leak documents online that would “harm the Bitcoin ecosystem.” The demand, of approximately $24 million or 500 Bitcoin (BTC), fell on deaf ears as the blockchain organization refused to pay.

    CNA Financial: CNA Financial employees were left unable to access corporate resources and were locked out following a ransomware attack which also involved the theft of company data. The company reportedly paid a $40 million ransom.

    April

    Facebook: A data dump of information belonging to over 550 million Facebook users was published online. Facebook IDs, names, dates of birth, genders, locations, and relationship statuses were included in the logs, which Facebook, now known as Meta, said were collected via scraping in 2019.

    May

    Colonial Pipeline: If there was ever an example of how a cyberattack can impact the physical world, the cyberattack experienced by Colonial Pipeline is it. The fuel pipeline operator was struck by ransomware, courtesy of DarkSide, leading to fuel delivery disruption and panic buying across the United States. The company paid a ransom, but the damage was already done.

    Omiai: The Japanese dating app said unauthorized entry may have led to the exposure of data belonging to 1.7 million users.

    June

    Volkswagen, Audi: The automakers disclosed a data breach impacting over 3.3 million customers and some prospective buyers, the majority of which were based in the United States. A finger was pointed at an associated vendor as the cause of the breach, believed to be responsible for exposing this data in an unsecured manner at “some point” between August 2019 and May 2021.

    JBS USA: The international meatpacking giant suffered a ransomware attack, attributed to the REvil ransomware group, which had such a disastrous impact on operations that the company chose to pay an $11 million ransom in return for a decryption key to restore access to its systems.

    July

    UC San Diego Health: UC San Diego Health said employee email accounts were compromised by threat actors, leading to a wider incident in which patient, student, and employee data, potentially including medical records, claims information, prescriptions, treatments, Social Security numbers, and more, was exposed.

    Guntrader.uk: The UK trading website for shotguns, rifles, and shooting equipment said that records belonging to roughly 100,000 gun owners, including their names and addresses, had been published online. As gun ownership and supply are strictly controlled in the UK, this leak has caused serious privacy and personal safety concerns.

    Kaseya: A vulnerability in a platform developed by IT services provider Kaseya was exploited in order to hit an estimated 800 to 1,500 customers, including MSPs.

    August

    T-Mobile: T-Mobile experienced yet another data breach in August. According to reports, the names, addresses, Social Security numbers, driver’s licenses, IMEI and IMSI numbers, and ID information of customers were compromised. It is possible that approximately 50 million existing and prospective customers were impacted. A 21-year-old took responsibility for the hack and claimed to have stolen roughly 106GB of data from the telecoms giant.

    Poly Network: Blockchain organization Poly Network disclosed an Ethereum smart contract hack used to steal in excess of $600 million in various cryptocurrencies.

    Liquid: Over $97 million in cryptocurrency was stolen from the Japanese cryptocurrency exchange.

    September

    Cream Finance: Decentralized finance (DeFi) organization Cream Finance reported a loss of $34 million after a vulnerability was exploited in the project’s market system.

    AP-HP: Paris’ public hospital system, AP-HP, was targeted by cyberattackers who managed to swipe the PII of individuals who took COVID-19 tests in 2020.

    Debt-IN Consultants: The South African debt recovery firm said a cyberattack had resulted in a “significant” incident impacting client and employee information. PII, including names, contact details, salary and employment records, and debts owed, is suspected of being involved.

    October

    Coinbase: Coinbase sent out a letter to roughly 6,000 users after detecting a “third-party campaign to gain unauthorized access to the accounts of Coinbase customers and move customer funds off the Coinbase platform.” Cryptocurrency was taken without permission from some user accounts.

    Neiman Marcus: In October, Neiman Marcus made a data breach that occurred in May 2020 public. The intrusion was only detected in September 2021 and included the exposure and potential theft of over 3.1 million payment cards belonging to customers, although most are believed to be invalid or expired.

    Argentina: A hacker claimed to have compromised the Argentinian government’s National Registry of Persons, thereby stealing the data of 45 million residents. The government has denied the report.

    November

    Panasonic: The Japanese tech giant revealed a cyberattack had taken place, a data breach occurring from June 22 to November 3, with discovery on November 11, and admitted that information had been accessed on a file server.

    Squid Game: The operators of a cryptocurrency jumping on the popularity of the Netflix show Squid Game (although not officially associated) crashed the value of the SQUID token in what appears to be an exit scam. The value plummeted from a peak of $2,850 to $0.003028 overnight, losing investors millions of dollars. An anti-dumping mechanism ensured that investors could not sell their tokens and could only watch in horror as the value of the coin was destroyed.

    Robinhood: Robinhood disclosed a data breach impacting roughly five million users of the trading app. Email addresses, names, phone numbers, and more were accessed via a customer support system.

    December

    Bitmart: In December, Bitmart said a security breach permitted cyberattackers to steal roughly $150 million in cryptocurrency and has caused total losses, including damages, to reach $200 million.

    Log4j: A zero-day vulnerability in the Log4j Java library, a remote code execution (RCE) flaw, is now being actively exploited in the wild. The bug is known as Log4Shell and is now being weaponized by botnets, including Mirai.

    Kronos: Kronos, an HR platform, became a victim of a ransomware attack. Some users of Kronos Private Cloud are now facing an outage that may last weeks, and just ahead of Christmas, too.

  • Copycat and fad hackers will be the bane of supply chain security in 2022

    Replicable attacks and a low barrier to entry will ensure the rate of supply chain attacks increases next year, cybersecurity researchers have warned. 

    The supply chain is a consistent attack vector for threat actors today. By compromising a centralized service, platform, or software, attackers can then either conduct widespread infiltration of the customers and clients of the original, singular victim, or may choose to cherry-pick from the most valuable potential targets. This can save cybercriminals time and money, as one successful attack can open the door to potentially thousands of victims at once.

    A ransomware attack levied against Kaseya in 2021 highlighted the disruption a supply chain-based attack can cause. Ransomware was deployed by exploiting a vulnerability in Kaseya’s VSA software, leading to the compromise of multiple managed service providers (MSPs) in Kaseya’s customer base. However, it was only a small number of businesses that were impacted in this case. One of the most powerful examples in recent years is the SolarWinds breach, in which a malicious software update was deployed to roughly 18,000 clients. The attackers behind the intrusion then selected a handful of high-profile customers to compromise further, including numerous US government agencies, Microsoft, and FireEye.

    In an analysis of 24 recent software supply chain attacks, including those experienced by Codecov, Kaseya, SolarWinds, and Mimecast, the European Union Agency for Cybersecurity (ENISA) said that the planning and execution stages of supply chain attacks are usually complex, but the attack methods chosen often are not.

    Supply chain attacks can be conducted through the exploitation of software vulnerabilities, malware, phishing, stolen certificates, compromised employee credentials and accounts, vulnerable open source components, and firmware tampering, among other vectors. But what can we expect from supply chain security in 2022?

    Low barriers to entry

    Speaking to ZDNet, Ilkka Turunen, Field CTO of Sonatype, said that malicious software supply chain activity is likely to increase in 2022 due to low-barrier-to-entry attack methods such as dependency confusion, which is a “highly replicable” attack method. “It’s a no-brainer to use if the actor’s goal is to affect as many organizations as possible,” Turunen commented. “Add a cryptominer to a dependency confusion attack, and not only does a company need to worry about the effects this has on their software ecosystem, but the actor has now monetized it.”

    Brian Fox, the CTO of the enterprise software company, added that the majority of threat actors are copycats today, and “fad” attacks, or the ‘attack of the day’ conducted by fast-acting threat actors, are going to increase the number of supply chain intrusions next year.

    Increasing attacks while redefining the perimeter

    In a world of Internet of Things (IoT) devices, working-from-home stipulations, hybrid cloud/on-prem setups, and complicated digital supply chains, old security models are no longer suitable. According to Sumo Logic’s CSO George Gerchow, enterprise players are “still struggling” with the concept of not having a defined defense perimeter. While also pressing ahead with digital transformation projects, they are failing to account for the expanded attack surface new apps and services can create.

    “CISOs and IT security teams still don’t have a seat at the table, and security is still being bolted on as the last step in the process. In the next year, the leadership teams at organizations will start to wake up to this. Management boards are becoming more security conscious due to the hype around ransomware and extortion, which forces them to care about security problems.”

    Companies now increasingly reliant on components, platforms, and services provided at different levels of a supply chain will also have to wake up to this reality, and as a result, security will need to be checked, and reinforced, including outside of a business’s own networks.

    Ransomware incidents will increase

    Ransomware is now one of the most lucrative aspects of the cybercriminal world, with high illicit payments made due to the extortion tactics used, including permanent encryption and the threat of sensitive information being released. With a record blackmail payment made in 2021 of $40 million, ransomware will likely begin to make more of an appearance in supply chain attacks. However, these take planning, knowledge, and some skill, and so Splunk security strategist Ryan Kovar believes that cybercriminals on the road to becoming “professional” will likely be the ones to combine ransomware and supply chain attack vectors.

    “Through attacking the supply chain, attackers can hold an organization’s data for ransom, and research indicates that two-thirds of ransomware attacks are enacted by low-level grifters who bought ransomware tools off the Dark Web,” Kovar says. “With the ongoing supply chain crisis leaving supply lines more vulnerable than ever, organizations must prepare themselves for the inevitability of ransomware attacks to their supply chains.”

    Technical debt will have to be paid

    As enterprise organizations begin to analyze the digital supply chain for weak spots, they will also have to deal with their levels of “technical debt”, described by Stuart Taylor, Senior Director at Forcepoint X-Labs, as the difference between “the ‘price’ a technical project should cost in order to be future-proofed and secure, and the ‘price’ an organization is prepared to pay in reality.” Forcepoint expects to see a “significant” rise in copycat attacks against the supply chain next year, and so organizations are urged to conduct frequent code reviews and to keep security in mind during every step in the development and deployment process. Taylor commented: “Software still in use can’t be left to languish, with updates and patching ignored. That couldn’t be an easier way in for attackers to gain a foothold. None of these are small undertakings in themselves but compared to the destruction that software supply chain malware can cause, it’s something no organization can afford to ignore.”

    SBOMs

    The lack of transparency surrounding the components, software, and security posture of players within a supply chain also continues to be a problem for today’s vendors. In light of recent, debilitating attacks such as SolarWinds, Gary Robinson, CSO at Uleska, believes that over the next 12 months, more companies will require a security-orientated software bill of materials (SBOM), potentially as part of due diligence in future supply chain business agreements. SBOMs are software and component inventories designed to enforce open transparency around software use in the enterprise. They may include supplier lists, licenses, and security auditing assurances.

    “Organizations will also move to Continual Security Assurance where suppliers will be required to provide up-to-date security reports,” Robinson predicts. “No longer will a security report from six months ago satisfy security concerns of an update delivered yesterday. This gap in security directly relates to the company’s own security assurance, and suppliers will need to catch up.”

  • Confusing data breach in Rhode Island leads to AG investigation

    Rhode Island Attorney General Peter Neronha told The Providence Journal on Thursday that he is going to open an investigation into a data breach involving the Rhode Island Public Transit Authority (RIPTA). This comes after outrage grew this week over the agency’s handling of the incident. Neronha’s office told the news outlet that it is receiving a high number of calls about the incident, prompting it to look into what happened.

    On December 21, RIPTA sent out a notice saying that August 5 was when it first identified a “security incident.” RIPTA eventually discovered that data was exfiltrated from its systems between August 3 and August 5. The files contained information about RIPTA health plans and included Social Security numbers, addresses, dates of birth, Medicare identification numbers and qualification information, health plan member identification numbers, and claims information. The US Department of Health and Human Services breach website indicates that 5,015 people were affected.

    Earlier this week, the ACLU of Rhode Island asked RIPTA to explain why the personal information of people with no connection to the agency was included in the data breach. Local ACLU chapter executive director Steven Brown says his chapter has received complaints from people who got letters from RIPTA notifying them that their personal data, including personal health care information, was accessed in a security breach of RIPTA’s computer systems. “According to the letter, the breach was identified on August 5th, but it was purportedly not until October 28th — over two and a half months later — that RIPTA identified the individuals whose private information had been hacked, and it then took almost two more months to notify those individuals,” Brown wrote.

    The letters reveal that the number of victims listed on the US Department of Health and Human Services website (5,015) does not match the number in the breach notices sent to victims: 17,378 people. “Worst — and most inexplicable — of all, the people who have contacted us are even more deeply distressed by the fact that RIPTA somehow had any of their personal information — much less their personal health care information — in the first place, as they have no connection at all with your agency,” Brown added.

    The ACLU also said that RIPTA was not being transparent about the breach, noting that RIPTA’s public statements about the incident are very different from the letters being sent to victims. RIPTA’s initial statement implied that those affected were only the beneficiaries of RIPTA health plans. “Based on the complaints we have received, this is extremely misleading and seriously downplays the extensive nature of the breach. Most importantly, it ignores, and fails to address, a host of questions regarding how the information that was hacked was in RIPTA’s hands in the first place,” Brown wrote.

    RIPTA senior executive Courtney Marciano told ZDNet that the state’s previous health insurance provider sent the files that included the sensitive information of those not working for RIPTA. Marciano added that RIPTA only mailed out notification letters to individuals whose personal information was contained in the files (which are from a provider who administered a plan that is no longer active) and accessed by the hackers. The Providence Journal noted that RIPTA previously used UnitedHealthcare but now uses Blue Cross/Blue Shield of Rhode Island.

    “Upon discovering this incident, RIPTA worked diligently to verify all individuals (both internal RIPTA employees, as well as individuals outside of the agency) whose personal information was in the files that were accessed or infiltrated by an unauthorized party. After the analysis was complete, RIPTA searched its records and identified address information for those individuals,” Marciano said. “This process was time and labor-intensive, but RIPTA wanted to be certain what information was involved and to whom it pertained. No passenger information was compromised.”

    The situation caused even more outrage when Rep. Edith Ajello told The Providence Journal that her information was involved in the breach despite her never having been on a RIPTA bus in “almost a decade.” Ajello explained that when she pressed RIPTA to explain why her information was involved, she was told that UnitedHealthcare sent RIPTA “all state employees’ health claims.” This allegedly forced the agency to sort through the entire batch to figure out which claims were from RIPTA employees. The Attorney General will now investigate whether RIPTA violated Rhode Island’s Identity Theft Protection Act of 2015, which gives government agencies 45 days to report a breach. It took RIPTA more than two months to notify victims.

  • T-Mobile confirms SIM swapping attacks led to breach

    T-Mobile has confirmed a data breach that was caused in part by SIM swapping attacks, according to a statement from the company. The T-Mo Report, a blog tracking T-Mobile, obtained internal reports showing that some data was leaked from a subset of customers.

    Some individuals had their customer proprietary network information (CPNI) leaked, which includes information about a customer’s plan, the number of lines, the phone numbers, the billing account, and more. Others had their SIMs swapped. Some were victims of both the CPNI leak and the SIM swaps. When pressed for comment by ZDNet, T-Mobile refused to go into detail about the attack and would not say how many customers were affected in the incident. “Our people and processes worked as designed to protect our customers from this type of attempted fraud that unfortunately occurs all too frequently in our industry,” a T-Mobile representative said in response to questions from ZDNet. The company told CNET and Bleeping Computer that it sent notices to “a small number of customers” who were dealing with SIM swapping attacks, calling the attacks “a common industry-wide occurrence.”

    A T-Mobile representative tweeted to say the company “is taking immediate steps to help protect all individuals who may be at risk from this cyberattack.” The company experienced a massive data breach in August that exposed sensitive information from over 50 million current, former, and prospective customers. This included names, addresses, Social Security numbers, driver’s licenses, and ID information. T-Mobile users have long criticized the carrier for its lackluster support for SIM swapping victims. The company has repeatedly announced SIM swapping attacks and data breaches since 2018.

  • Auditing firm CertiK declares crypto smart wallet SaitaMask 'issue free and hacker resistant'

    Newly-formed cryptocurrency platform Saitama announced Wednesday that its smart wallet, SaitaMask, has passed an audit. It received certification from blockchain cryptocurrency auditing firm CertiK, declaring that SaitaMask is “issue free and hacker resistant.”

    Passing the audit will make it easier for the six-month-old crypto platform “to apply for, and be listed on, additional exchanges,” making its $SAITAMA tokens more accessible. Currently, there are about 300,000 token holders with a market cap of $4 billion, the company said in its press release. Saitama noted that its SaitaMask smart wallet is designed to be a “one stop shop” for its users, who can link their choice of payment system to buy, sell, and transfer any crypto coin without having to leave its mobile app, which will be available for download in January. To give its users the ability to be more in control of their assets, the company said it plans to make SaitaMask “a hub connecting users to multiple tools helping them analyze and make investment choices.” Among the tools is an “Edutainment platform” to educate users about finance and investing, Saitama said.

    Launched on May 31, Saitama’s $SAITAMA token is built on the Ethereum blockchain ERC-20, the standard that’s used for all smart contracts on the Ethereum blockchain to administer tokens. The company said that the ERC-20 network incorporates “smart coding” that benefits loyal token holders with “rewards to protect against big wallet holders (whales) from trying to manipulate the price in their favor or from dumping tokens by selling out.”

    This is a busy time for New York-based CertiK, which is working with PeckShield to help crypto exchange platform Binance provide comprehensive security audits when reviewing project tokens that get listed on the exchange. Dubbed “Project Shield,” CertiK and PeckShield are providing the latest level of protection designed to safeguard Binance users and provide them access to secure projects.

  • LastPass VPs confirm 'no indication' of compromised accounts after security alerts

    Two LastPass vice presidents have released statements about the situation surrounding LastPass security issues that came to light this week. 

    Two days ago, hundreds of LastPass users took to Twitter, Reddit, and other sites to complain that they were getting alerts about their master password being used by someone who was not them. Some reported that even after changing their master password, someone tried to access their account again. On Tuesday, the company released a brief statement noting that its security team observed and received reports of potential credential stuffing attempts. Credential stuffing involves attackers taking credentials (usernames, passwords, etc.) stolen elsewhere and replaying them to access users’ accounts.

    “While we have observed a small uptick in this activity, we are utilizing multiple technical, organizational, and operational methods designed to protect against credential stuffing attempts. Importantly, we also want to reassure you that there is no indication, at this time, that LastPass or LogMeIn were breached or compromised,” wrote Gabor Angyal, VP of engineering at LastPass.

    On Wednesday, the company expanded Angyal’s original statement, explaining that it recently investigated reports of an uptick of users receiving blocked access emails, normally sent to users who log in from different devices and locations. The company’s initial findings led it to believe that these alerts were triggered in response to attempted “credential stuffing” activity. Angyal’s Wednesday statement said, “Out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert emails to be triggered from our systems. Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.” Angyal noted that at “no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).”

    LastPass VP of product management Dan DeMichele sent a notice to multiple outlets with the same information as Angyal’s updated statement. Some online were not assuaged by the statement, noting that its qualifiers prompted more questions.

    Craig Lurey, CTO of password manager Keeper, said that what is so concerning about credential stuffing attacks is that attackers prey on a highly prevalent problem among consumers right now: breach fatigue. “With a slew of breaches and alerts throughout 2021, consumers have become apathetic to compromised accounts. In fact, a recent survey from the Identity Theft Resource Center revealed that 16% of breach victims take absolutely no action to re-secure their accounts,” Lurey said. “In their minds, the ‘data is already out there,’ the hacked organization will take care of it, they don’t know what to do, or, ironically, they dismiss the notification as a scam. This apathy is what cybercriminals thrive on and is why we can expect to see a rise in credential stuffing alerts.”

    Given the concern over master passwords, Perimeter 81 CEO Amit Bareket suggested protecting the master password of managers like LastPass with biometric authentication or MFA. Parent company LogMeIn announced just two weeks ago that it is spinning off LastPass into its own company.


    Aquatic Panda infiltrated academic institution through Log4j vulnerability, says CrowdStrike

    Cybersecurity company CrowdStrike has disrupted an attempt by a China-based group to infiltrate an academic institution through the Log4j vulnerability.


    CrowdStrike tracks the group as “Aquatic Panda” and describes it as an “intrusion adversary with a dual mission of intelligence collection and industrial espionage” that has operated since at least May 2020. The group’s exact intent in this case is unknown because the attack was disrupted. CrowdStrike told ZDNet, however, that Aquatic Panda is known to maintain persistence in environments to gain access to intellectual property and other industrial trade secrets.

    “Aquatic Panda operations have primarily focused on entities in the telecommunications, technology, and government sectors,” CrowdStrike explained in a report.

    According to CrowdStrike, its telemetry uncovered “suspicious activity stemming from a Tomcat process running under a vulnerable VMware Horizon instance at a large academic institution, leading to the disruption of an active hands-on intrusion.” After watching the group operate and examining the available telemetry, CrowdStrike said it believes a modified version of the Log4j exploit was likely used during the threat actor’s operations. CrowdStrike found that Aquatic Panda used a public GitHub project from Dec. 13, 2021 to gain access to the vulnerable VMware Horizon instance.

    “Aquatic Panda continued their reconnaissance from the host, using native OS binaries to understand current privilege levels as well as system and domain details. OverWatch threat hunters also observed an attempt to discover and stop a third-party endpoint detection and response (EDR) service,” the company explained. “Throughout the intrusion, OverWatch tracked the threat actor’s activity closely in order to provide continuous updates to the victim organization. Based on the actionable intelligence provided by OverWatch, the victim organization was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host.”

    CrowdStrike officials told ZDNet that they are seeing various threat actors both inside and outside of China leveraging the Log4j vulnerability, with adversaries ranging from advanced threat actors to eCrime actors. “In the end, the viability of this exploit is well-proven with a substantial attack surface still present. We will continue to see threat actors making use of this vulnerability until all recommended mitigations are put into place,” CrowdStrike said in an interview.

    Last week, the US, UK, Australia and other countries issued a Log4j advisory in response to “active, worldwide exploitation by numerous threat actors, including malicious cyber threat actors.” Numerous groups from North Korea, Iran, Turkey and China have been seen exploiting the vulnerability alongside a slate of ransomware groups and cybercriminal organizations. CISA Director Jen Easterly said Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world. “We implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks,” Easterly said. “These vulnerabilities are the most severe that I’ve seen in my career, and it’s imperative that we work together to keep our networks safe.”
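    The behaviour CrowdStrike describes, discovery binaries and service-control tools descending from the web tier’s Tomcat process, is the kind of parent-child relationship a detection rule can key on regardless of which Log4j payload got the shell. The Python below is an added example written for this page, not CrowdStrike’s or OverWatch’s logic. It assumes the process image names for the web tier (VMware Horizon’s bundled Tomcat service is assumed to run as `ws_TomcatService.exe`, with generic Tomcat and Java images included for other deployments), and the process events, PIDs and the `EdrAgent` service name in the sample are constructed.

```python
"""Flag shells, discovery tools and service tampering that descend from a Java web tier.

Added example. Image names for the web tier and the sample process tree are
assumptions; the events below are constructed, not real EDR telemetry.
"""
from collections import Counter

# Assumed web-tier images. VMware Horizon's bundled Tomcat is assumed to run
# as ws_TomcatService.exe; plain Tomcat and java.exe cover other deployments.
WEB_TIER_IMAGES = {"ws_tomcatservice.exe", "tomcat9.exe", "tomcat8.exe", "java.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# "native OS binaries to understand current privilege levels as well as
# system and domain details"
DISCOVERY = {"whoami.exe", "systeminfo.exe", "hostname.exe", "ipconfig.exe",
             "net.exe", "net1.exe", "nltest.exe", "tasklist.exe", "query.exe"}
# tools used to find and stop a service, e.g. an EDR agent
SERVICE_TAMPER = {"sc.exe", "taskkill.exe"}

# Constructed process-creation events. PID 100 is the web tier; the chain
# under it is the behaviour to catch. PIDs 200-211 are an interactive admin
# running the same commands from explorer.exe and must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": "ws_TomcatService.exe",
     "cmdline": "ws_TomcatService.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 3100, "ppid": 100, "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 3101, "ppid": 3100, "image": "whoami.exe",
     "cmdline": "whoami", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 3102, "ppid": 100, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c net group "domain admins" /domain',
     "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 3103, "ppid": 3102, "image": "net.exe",
     "cmdline": 'net group "domain admins" /domain', "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 3104, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -c Get-Service", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 3105, "ppid": 3104, "image": "sc.exe",
     "cmdline": "sc stop EdrAgent", "user": "NT AUTHORITY\\SYSTEM"},  # EdrAgent is a placeholder name
    {"pid": 200, "ppid": 4, "image": "explorer.exe",
     "cmdline": "explorer.exe", "user": "CORP\\helpdesk"},
    {"pid": 210, "ppid": 200, "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami", "user": "CORP\\helpdesk"},
    {"pid": 211, "ppid": 210, "image": "whoami.exe",
     "cmdline": "whoami", "user": "CORP\\helpdesk"},
]


def classify(image: str):
    """Map an image name to a finding category, or None if uninteresting."""
    name = image.lower()
    if name in SERVICE_TAMPER:
        return "service_tamper"
    if name in DISCOVERY:
        return "discovery"
    if name in SHELLS:
        return "shell"
    return None


def web_tier_ancestor(pid, by_pid, max_depth=4):
    """Walk ppid links and return the nearest web-tier ancestor within max_depth hops."""
    cur = by_pid.get(pid)
    for _ in range(max_depth):
        if cur is None:
            return None
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return None
        if parent["image"].lower() in WEB_TIER_IMAGES:
            return parent
        cur = parent
    return None


def find_web_tier_children(events, max_depth=4):
    """Return findings for every shell/discovery/tamper process under a web-tier ancestor.

    Walking ancestry rather than only the direct parent catches 'cmd /c whoami',
    where the interesting binary is a grandchild of Tomcat.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        category = classify(e["image"])
        if category is None:
            continue
        root = web_tier_ancestor(e["pid"], by_pid, max_depth)
        if root is None:
            continue
        findings.append({"pid": e["pid"], "image": e["image"], "cmdline": e["cmdline"],
                         "user": e["user"], "category": category,
                         "web_tier_pid": root["pid"]})
    return findings


def summarize(findings):
    """Count findings per category, useful as the alert's severity input."""
    return Counter(f["category"] for f in findings)


if __name__ == "__main__":
    for f in find_web_tier_children(SAMPLE_EVENTS):
        print(f"{f['category']:15} pid={f['pid']:<5} {f['cmdline']}")
    print(summarize(find_web_tier_children(SAMPLE_EVENTS)))
```

    A `service_tamper` finding under the web tier deserves the highest severity on its own: a legitimate Tomcat service has no reason to stop another service, and that is the step the report singles out. The ancestry walk is what keeps the admin’s identical `whoami` out of the results.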