More stories

  • More than half of medical devices found to have critical vulnerabilities

    More than half of the connected medical devices in hospitals pose security threats due to critical vulnerabilities that could potentially compromise patient care. 

    According to the 2022 State of Healthcare IoT Device Security Report from Cynerio, 53% of internet-connected medical devices analyzed were found to have a known vulnerability, while one-third of bedside devices were identified as carrying a critical risk. Cynerio analyzed over 10 million medical devices at more than 300 global hospitals and medical facilities.

    The report warns that if these medical devices were accessed by hackers, it would impact service availability, data confidentiality, and even patient safety. “Healthcare is a top target for cyberattacks, and even with continued investments in cybersecurity, critical vulnerabilities remain in many of the medical devices hospitals rely on for patient care,” said Daniel Brodie, CTO and co-founder of Cynerio, in a statement. “Hospitals and health systems don’t need more data — they need advanced solutions that mitigate risks and empower them to fight back against cyberattacks, and as medical device security providers, it’s time for all of us to step up. With the first ransomware-related fatalities reported last year, it could mean life or death.”

    Out of all the medical devices, the report found that infusion (IV) pumps are the most common device with some type of vulnerability, at 73%, a figure that matters because they make up 38% of a hospital’s IoT. If attackers were to hack into an IV pump, patients would be directly affected, since the pumps are network-connected. Some of these vulnerabilities stem from relatively simple causes, such as outdated software. For example, the report found that most medical IoT devices were running older Windows versions, specifically older than Windows 10. In addition, default passwords shared across an organization are a common risk: such weak default credentials protect about 21% of devices.

    Healthcare has become the number one target for cybercriminals in recent years, primarily due to outdated systems and insufficient cybersecurity protocols. More than 93% of healthcare organizations experienced some type of data breach between 2016 and 2019.

    Just last month, Maryland’s Department of Health experienced a ransomware attack that affected the department for weeks. The attack left the department scrambling: it could not release COVID-19 case rates amid the Omicron surge, and the number of COVID-19 deaths was not reported in the state for almost all of December.

    Cynerio says the key mitigation for these vulnerabilities, and for the ransomware attacks that exploit them, is network segmentation. By dividing up a hospital’s network, more than 90% of critical risks in medical devices could be addressed.

  • CISA warns – upgrade your cybersecurity now to defend against “potential critical threats”

    The US government has urged organizations to shore up defenses “now” in response to website defacements and destructive malware targeting Ukraine government websites and IT systems. The US Cybersecurity and Infrastructure Security Agency (CISA) has published a new ‘CISA Insights’ document aimed at all US organizations, not just critical infrastructure operators. The checklist of actions is CISA’s response to this week’s cyberattacks on Ukraine’s systems and websites, which the country’s officials have blamed on hackers linked to Russian intelligence services. Ukraine officials also told media that dozens of systems in at least two government agencies were wiped during an attack last week.

    The use of destructive malware is reminiscent of NotPetya in 2017, which was effectively ransomware that lacked a recovery mechanism. It hit several global businesses, most notably shipping giant Maersk, which needed to overhaul 45,000 desktops and 4,000 servers, although the actual target was probably businesses in Ukraine. Many NotPetya victims were infected through a hacked update for a Ukrainian accounting software package. “The identification of destructive malware is particularly alarming given that similar malware has been deployed in the past—e.g., NotPetya and WannaCry ransomware—to cause significant, widespread damage to critical infrastructure,” CISA notes in the Insights document.

    Prior to the latest cyberattacks on Ukraine, CISA published an advisory aimed primarily at US critical infrastructure operators detailing recent Russian state-sponsored hacker tactics, techniques, and attacks on enterprise systems such as VPNs, Microsoft Exchange, VMware, and Oracle software. It also spotlighted destructive attacks on operational technology (OT)/industrial control systems (ICS) networks in the US and Ukraine.

    The new CISA document stresses that “senior leaders at every organization in the United States are aware of critical cyber risks and take urgent, near-term steps to reduce the likelihood and impact of a potentially damaging compromise.” It added: “If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.”

    Microsoft on Saturday said it had found destructive malware on dozens of systems at government, non-profit and IT organizations, all located in Ukraine. The malware displays a ransom demand, but this is just a ruse: it overwrites the Windows Master Boot Record (MBR) and lacks a recovery mechanism, according to Microsoft.

    Multi-factor authentication is central to CISA’s recommendations. It should be used by all organizations for networks and systems that require privileged or admin access. The other core recommendation is patching systems with available updates. Also, organizations should disable all non-essential ports and protocols, implement controls for using cloud services, and conduct vulnerability scanning. CISA also recommends preparing a crisis-response team, developing response plans and nominating key personnel, and practicing incident response. To build resilience to destructive malware, CISA urges everyone to test backup procedures, ensure backups are isolated from network connections, and ensure that critical data can be rapidly restored. Organizations with ICS or OT systems should ensure critical functions remain operable in a network outage.

  • Cheap malware is behind a rise in attacks on cryptocurrency wallets

    A rise in cheap, easy-to-use malware means it’s easier than ever for cyber criminals to steal cryptocurrency. Cryptocurrency has long been a popular target for organised cyber criminals, whether they’re stealing it outright from cryptocurrency exchanges or demanding it as an extortion payment in ransomware attacks. But the growing value of cryptocurrency means it has quickly become a key target for cyber criminals, and they’re increasingly launching attacks which aim to steal cryptocurrency from the wallets of individual users. Research by Chainalysis warns that cryptocurrency users are increasingly under threat from malware including information stealers, clippers – which allow attackers to replace text the user has copied, redirecting cryptocurrency to their own wallets – and trojans, all of which can be purchased for what’s described as “relatively little money” on cyber criminal forums. For example, a form of info stealer malware called Redline is advertised on Russian cyber crime forums at $150 for a month’s subscription or $800 for ‘lifetime’ access. For a cyber criminal looking to steal cryptocurrency, it’s sadly highly likely they’ll make back the money paid for the malware within a handful of attacks. The illicit service also provides users with a tool which allows attackers to encrypt the malware so it’s more difficult for anti-virus software to detect, increasing the likelihood of attacks successfully stealing cryptocurrency from compromised victims. “The proliferation of cheap access to malware families like Redline means that even relatively low-skilled cybercriminals can use them to steal cryptocurrency,” warns the report.

    Overall, the malware families in the report received 5,974 transfers from victims in 2021, up from 5,449 in 2020, although that is down significantly on 2019, which saw more than 7,000 transfers. But Redline is just one example of malware being designed to steal cryptocurrency, and there’s a growing market in this space. Of the incidents tracked, Cryptbot, an infostealer, was the most prolific thief of cryptocurrency wallets and account credentials, stealing almost half a million dollars in cryptocurrency in 2021.

    In addition to this, success in stealing cryptocurrency from users could easily push more ambitious cyber criminals to target organisations and even cryptocurrency exchanges, meaning that the threat of cyber criminals targeting crypto wallets and credentials is something organisations need to consider. “The cybersecurity industry has been dealing with malware for years, but the usage of these malicious programs to steal cryptocurrency means cybersecurity teams need new tools in their toolbox,” says the blog post. “Likewise, cryptocurrency compliance teams already well-versed in blockchain analysis must educate themselves on malware in order to ensure these threat actors aren’t taking advantage of their platforms to launder stolen cryptocurrency,” it said.

  • Multichain token hack losses reach $3 million: report

    A vulnerability in Multichain systems has led to the theft of at least $3 million, reports suggest. 

    Multichain, previously known as Anyswap, is a cross-blockchain router protocol designed to allow users to swap and exchange digital tokens across chains while reducing fees and streamlining the overall process. However, chaos now reigns in the ecosystem due to a cybersecurity incident caused by a vulnerability in the network, as first reported by Vice.  Dedaub reported the vulnerability to Multichain. The company said in a blog post dated January 17 that the critical flaw impacted WETH, PERI, OMT, WBNB, MATIC, and AVAX swaps, but assured users at the time that “all assets on both V2 Bridge and V3 Router are safe [and] all cross-chain transactions can be done safely as usual.” In the same breath, the company urged users to log in to their accounts and remove any approvals relating to these tokens as quickly as possible or funds could be at risk.  Technical details of the vulnerability are yet to be disclosed.  On Wednesday, Multichain said that users who had not revoked WETH approval had been exploited. 

    “Please do not transfer any of these six tokens to your accounts before revoking, otherwise, your wallets are in danger still,” the organization said. “The hack is contained for now. However, users still have to revoke the approvals for those six tokens (WETH, PERI, OMT, WBNB, MATIC, AVAX) to avoid a future attack.” The messaging has caused confusion, and despite the approval issue and lost funds, Multichain says that bridging can take place “as usual.”

    Losses were originally estimated to be in the range of $1.4 million. ZenGo co-founder Tal Be’ery said on Wednesday that the total stolen amount has likely surpassed $3 million. One of the victims, who lost approximately $1 million in tokens, attempted to negotiate with a thief who posted an on-chain ‘ransom’ note. In an update Thursday morning, Be’ery noted that negotiation has now taken place, with the attacker returning the funds – minus a $150,000 “tip.” Dedaub will be publishing an advisory on the vulnerability in the future.

    In related news this week, cryptocurrency exchange crypto.com CEO Kris Marszalek said that a cyberattack that occurred last week impacted 400 users. The company has not disclosed how much was stolen but did say that clients were reimbursed on the same day.
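The “revoke your approvals” advice above hinges on how ERC-20 token allowances work. The following is an added example, not code from Multichain, Dedaub or the article: a small Python model of the standard approve/allowance/transferFrom semantics that shows why an outstanding approval, especially an unlimited one, leaves a wallet exposed if the approved contract misbehaves, and that setting the allowance back to zero closes that door. The token names, account labels, the router name and the amounts are all constructed for the illustration; the vulnerability itself is not modelled, since the page says its details have not been disclosed.

```python
# Added example (not Multichain's or Dedaub's code): a toy model of ERC-20
# allowance semantics. Token names, account labels and amounts are constructed.
from dataclasses import dataclass, field

MAX_UINT256 = 2**256 - 1  # the "unlimited" approval many dApps ask for


@dataclass
class Token:
    """Minimal ERC-20 state: balanceOf and allowance(owner, spender)."""
    name: str
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)  # (owner, spender) -> amount

    def approve(self, owner: str, spender: str, amount: int) -> None:
        # ERC-20 approve(spender, amount) called by `owner`: it overwrites,
        # it does not add.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> None:
        # ERC-20 transferFrom(owner, to, amount): the caller (msg.sender) moves the
        # owner's tokens, bounded only by what the owner approved for that caller.
        allowed = self.allowance(owner, caller)
        if allowed < amount:
            raise PermissionError(f"{caller} may spend {allowed}, asked for {amount}")
        if self.balances.get(owner, 0) < amount:
            raise ValueError(f"{owner} holds less than {amount}")
        if allowed != MAX_UINT256:  # unlimited approvals are never drawn down
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def revoke(token: Token, owner: str, spender: str) -> None:
    """Revocation is simply approve(spender, 0) sent from the owner's account."""
    token.approve(owner, spender, 0)


def outstanding_approvals(tokens, owner, spenders):
    """List (token, spender, allowance) still non-zero: the wallet's exposure."""
    return [(t.name, s, t.allowance(owner, s))
            for t in tokens for s in spenders if t.allowance(owner, s) > 0]


def simulate(revoke_before_exploit: bool) -> int:
    """Return Alice's WETH balance after an approved router contract is made to
    call transferFrom against her. With the approval revoked, the call fails."""
    weth = Token("WETH", balances={"alice": 100})
    router = "router_v2"  # hypothetical bridge/router contract, constructed label
    weth.approve("alice", router, MAX_UINT256)  # granted at first use of the bridge
    if revoke_before_exploit:
        revoke(weth, "alice", router)
    try:
        # Whatever the undisclosed flaw was, its effect on the user is this: the
        # approved contract spends the allowance toward an address the user never chose.
        weth.transfer_from(router, "alice", "unknown_address", 100)
    except PermissionError:
        pass  # allowance is zero: nothing can be pulled
    return weth.balances["alice"]


if __name__ == "__main__":
    print("without revocation:", simulate(False))  # 0
    print("after revocation:  ", simulate(True))   # 100
```

The practical takeaway the model makes visible: an approval is a standing authorisation that outlives the transaction it was granted for, an unlimited approval is never consumed, and only the owner can shrink it, which is why the advice to revoke had to go out to every user rather than being fixed by the project alone.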

  • 'Serial' romance fraudster jailed for trying to scam 670 people in the UK

    A romance scammer in the United Kingdom has been jailed after trying to con 670 people. 

    According to the UK’s National Crime Agency (NCA), Osagie Aigbonohan, originally from Lagos, Nigeria, used a range of fake names, dating apps, and social media networks to find and connect with potential victims who were looking for a relationship. The 41-year-old’s aliases included “Tony Eden.” While masquerading as Tony, Aigbonohan targeted a woman and built up a relationship over a period of ten months before begging her for money to help him with an incident relating to an overseas business.  The woman was told that a machinery accident at work – and the subsequent need to pay for worker funerals – had rinsed his bank account, and he needed to hire drill equipment to resume operations. This led to fraudulent transfers of £9,500 ($13,000) to various accounts held under fake identities, which eventually made their way into Aigbonohan’s personal account.  In another case, a woman who was terminally ill became a victim. “Aigbonohan continued to pursue her even after she had passed away,” the NCA says.  The crime agency estimates that at least 670 people were targeted by the romance scammer, at least eight people sent him money, and in total, approximately £20,000 ($27,200) was fraudulently obtained. 

    Following an NCA investigation, Aigbonohan was arrested in July last year and was charged with fraud and money laundering. It was also discovered that Aigbonohan had overstayed his visa, was staying in the UK illegally, and was using a counterfeit driver’s license. Southwark Crown Court has now sentenced Aigbonohan to 28 months behind bars.

    “Romance fraud is a particularly callous offense, involving exploitation of an individual’s emotional needs and caring qualities, to extract money from them,” commented James Lewis of the Crown Prosecution Service (CPS). “People should be particularly vigilant over the coming month as we head towards Valentine’s Day and more people seek a partner.” UK Finance estimates that between January and November 2021, UK residents lost £18.5 million ($25.2 million) to romance scams, an increase of 12% year-over-year. In the same year, the FBI estimates that $133 million has been fraudulently taken from victims in the United States.

    In other NCA news, a 32-year-old man from Nottingham was jailed earlier this month after admitting to the use of Remote Access Trojans (RATs) to spy on both children and adults. Sensitive and explicit material was also stolen from handsets infected by the malware.

  • Singapore police warn of ad scams targeting Google search users

    Singapore has warned of a new scam tactic targeting users of Google’s search platform, some of whom have unwittingly assumed advertisements containing fake bank hotlines to be legitimate. Victims of these scams have already lost more than S$495,000 ($367,775) since December 2021. Singapore Police Force (SPF) said these phishing ads would pop up on Google when users searched for a bank’s contact number with the intention of seeking advice for various reasons. These ads would show up amongst the first few search results and contain fake contact details for the bank, the police said in its advisory note released Wednesday. Unwitting victims who called these numbers would speak with someone impersonating a bank employee, who would then proceed to alert them of issues with their bank account, credit or debit cards, or loans. Victims would be instructed to temporarily transfer funds to bank accounts provided by the impersonator, in order to resolve the issue or make payments for outstanding loans.

    Some victims would receive SMS messages with headers spoofing the bank’s Sender ID, so these would appear as legitimate communications from the bank. The messages would either contain instructions to reset the victim’s bank account as part of Singapore’s efforts to combat scams, or state that the victim had to transfer money for early loan settlement. “Victims would only realise that they had been scammed when they contacted the bank via the authentic hotline to verify the new bank account number or when the bank contacted them to verify the reason for the large sum of money transferred,” SPF said.

    Since last month, at least 15 victims had lost more than S$495,000 ($367,775) to these scams, according to the police. Its latest advisory follows a spate of phishing SMS scams that affected at least 469 customers of OCBC Bank and resulted in losses of more than SG$8.5 million. Some S$2.7 million alone was lost over the recent three-day Christmas weekend, and several victims reportedly lost their life savings. The bank has since promised to make full restitution of losses to all victims of the scams.

    Industry regulator Monetary Authority of Singapore (MAS) on Wednesday also introduced additional security measures that banks would have to implement, in light of the OCBC scams. These measures include the removal of hyperlinks from email or SMS messages sent to consumers and a 12-hour delay in activating mobile software tokens. Banks also would have to set up dedicated and “well-resourced” customer assistance teams to deal with customer feedback on potential fraud cases. MAS said the new measures, which should be deployed within two weeks, aimed to strengthen the security of digital banking. “MAS is also intensifying its scrutiny of major financial institutions’ fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams,” it said.

  • Fortune favours the breached: Crypto.com admits 400 users hit in hack

    Image: Matt Damon (Crypto.com)

    Crypto.com CEO Kris Marszalek told Bloomberg on Wednesday that the attack earlier this week hit 400 users. For what Marszalek said was a period of 13 to 14 hours, Crypto.com paused its users’ ability to withdraw funds and subsequently asked its users to reset two-factor authentication. The company informed its users they would need to sign back into their accounts and reset their two-factor authentication. Marszalek said Crypto.com’s 200 security professionals had created a “very robust” infrastructure and stated it had defence-in-depth. “There are multiple layers, and in this particular incident, some of these layers were breached,” he said. “Which resulted in about 400 accounts having unauthorised transactions.” Marszalek added the impacted users had their funds fully reimbursed on the same day, and while he would not be drawn to put a figure on the amount of funds taken, he said the company was working on a postmortem that would appear on its blog in the next few days.

    “In any case, one has to remember that given the scale of the business, these numbers are not particularly material.” While Marszalek did not put a number on it, PeckShield did, claiming around $15 million was being washed through a coin tumbler. The CEO also said in other sections of the interview that he expected increasing use cases, such as blockchain gaming, to increase the number of cryptocurrency users to over one billion this year. He added the company was looking at potentially purchasing blockchain gaming companies.

  • Singapore must clamp down on security inertia before digital banking era can take off

    Where cybersecurity is concerned, governments and businesses often tout the importance of “shared responsibility”, with consumers urged to also practise good cyber hygiene to help stave off attacks and protect their own assets. A recent spate of online scams in Singapore, however, reveals that blame will be placed on individuals when possible and demonstrates that regulations sometimes are the only way to shake organisations out of complacency.

    People, process, and technology. How often has this trinity been preached as the three fundamentals of any successful digital adoption and the holistic approach to ensure good security posture? Which of the three, though, bears greater weight? Does technology play the biggest role in cybersecurity? Or are processes the most critical component of this equation? When it comes to blame, it appears that significant onus is placed on consumers to safeguard their personal data and bear the consequences should they fall for online scams.

    A recent series of online scams involving at least 469 customers of OCBC Bank resulted in losses of more than SG$8.5 million ($6.32 million), with S$2.7 million scammed over the recent three-day Christmas weekend alone. Several of the victims reportedly lost their life savings, including a 43-year-old man whose account was wiped of S$500,000, a 38-year-old software engineer who lost S$250,000, and a 33-year-old finance executive who had her account emptied of S$68,000.

    In these cases, which first surfaced December 1 last year, scammers manipulated SMS Sender ID details to push out messages that appeared to be from OCBC. These SMS messages prompted the victims to resolve issues with their accounts, redirecting them to phishing websites and instructing them to key in their bank login details, including username, PIN, and One-Time Password (OTP). Because OCBC’s legitimate Sender ID was cloned and spoofed, these messages appeared in the same thread as previous alerts or notifications from the bank, leading victims to believe they were legitimate.

    In its statement released December 30, OCBC made clear that customers were “the first line of defence” against such scams and that once funds were moved from their account, the possibility of recovery was “very low”. The bank said it had issued its first advisory on December 23, warning the public about the scams and cautioning customers against clicking on links embedded in the SMS messages.

    Upset over how the breach was handled, affected OCBC customers expressed frustration over the lengthy time they were put on hold in their efforts to contact the bank’s hotline and have their accounts locked to stem the leaks. Several noted a lack of urgency amongst OCBC’s customer agents when told about the security breach. In his interview with local media platform Mothership, the 43-year-old male victim added that the bank staff he corresponded with did not even appear to be aware of the ongoing scams. Noting that his account was breached on December 20, he questioned whether OCBC had done enough to alert its own staff and customers of the growing security risks when the attacks had been escalating since early December.

    Inundated with the bad press that followed, OCBC on Wednesday said all customers affected by the scams would receive “full goodwill payouts” comprising the amount they lost. This came after its previous statement on Monday that it had begun to make “goodwill payouts” since January 8, but did not specify if this applied to all customers or whether they would receive the entire amount they lost. OCBC probably sees this $8.5 million writeoff as a necessary cost in crisis management, but it will likely take much more before the bank is able to regain the trust of its customers and its brand reputation. It also faces possible repercussions from industry regulator Monetary Authority of Singapore (MAS), which said it would “consider appropriate supervisory actions” after the bank conducted a “thorough” investigation to identify and plug deficiencies in its processes. Meanwhile, MAS on Wednesday introduced several measures that banks would have to implement as a result of the phishing scams.
    These include the removal of hyperlinks from email or SMS messages sent to consumers, a 12-hour delay in activating mobile software tokens, and setting up a dedicated and “well-resourced” customer assistance team to deal with customer feedback on potential fraud cases. Noting that these new measures aimed to strengthen the security of digital banking in Singapore, MAS added that financial institutions should implement further safeguards, such as enforcing a cooling-off period before requests for key account changes, including a customer’s contact details. More permanent solutions also are in the works to combat SMS spoofing, including the adoption of the SMS Sender ID registry by all relevant stakeholders, MAS said.

    Stronger regulatory hand needed for businesses to take security seriously

    These steps, in my view, are a long time coming. Too many organisations, including banks, for far too long have adopted bad business practices that put customers at risk of security attacks. They also have been increasingly heavy-handed in the amount of personal data they demand from customers in return for access to services, including critical services. More importantly, as the number of cyber attacks and breaches continues to grow, businesses still lack a proper plan to help them respond more quickly to security incidents and stem any potential data leak.

    OCBC clearly did not have a cybersecurity incident framework in place. If it did, it would have been able to better handle calls from frantic customers alerting it to the scams and more swiftly block affected accounts to stop further fraudulent transactions from taking place. There are further questions about why the bank’s SMS header was so easily spoofed and whether it took any prior measures to prevent, or even to investigate, the phishing scams when these first surfaced. Local law enforcement had published multiple advisory notes, including one as early as last April and another in November, about fake SMS messages with spoofed SMS headers of banks. Did OCBC heed these alerts? Or did the bank deem it okay to ignore them since the advisory notes served as warnings for consumers to take the necessary measures and be “the first line of defence”?

    Shouldn’t OCBC have been the very first line of defence instead in this case? In a January 17 reply to reports on the SMS phishing scams, IMDA’s director of communications and marketing Foo Wen Dee said a pilot was launched last August to enable organisations to register SMS Sender ID headers they wished to safeguard. Doing so with the SMS Sender ID protection registry would help ensure messages sent via unauthorised use of the protected SMS Sender ID would be blocked.

    Foo wrote: “The success of this measure, however, requires organisations such as banks to participate in the pilot, which would include registering the SMS Sender IDs they wish to protect and choosing the approved SMS aggregators that are allowed to send SMSes on the banks’ behalf. When the registry was initiated, some banks signed up for the registry. Other organisations such as Lazada and SingPost also signed up. We urge more businesses that use SMS Sender IDs to do so,” she said. She added that IMDA was working with telcos in Singapore to roll out other measures, including blocking commonly spoofed numbers.

    It’s interesting that Foo chose not to list examples of banks that participated in the pilot, when she did for organisations in other sectors. So, did OCBC put its SMS Sender ID in the registry? And if it did, did it do so before or only after the phishing scams surfaced in December? And why was it the only bank hit, and hit so severely, by the onslaught of attacks?

    These are questions that cannot afford to go unanswered, especially as Singapore is about to push its digital banking regime into full gear. The four successful bidders for the country’s digital bank licences are expected to begin operations from early 2022. Scarred by the numerous reports of life savings wiped clean from bank accounts, with blame put on the victims, how many will rush to sign up for services offered by digital banks? If scammers are able to find holes in the systems and processes of established traditional banks such as OCBC, what more can they do with banks that run entirely on online infrastructures?

    Furthermore, several victims of the OCBC scams were not from vulnerable groups that are less tech-savvy and more susceptible to cyber scams. They were young, presumably already familiar with consuming online services, and professionals from both the financial and IT industries. If even they were fooled by the cyber scammers, what hope is there for others less accustomed to digital banking services? Consumer trust plays a key role in driving adoption and, if left unaddressed following the latest series of events, may throw a spanner into Singapore’s hopes of a thriving digital banking era. On the flip side, it could actually result in a new competitive advantage for new digital players, now that the trusted relationship between incumbent banks and customers may have somewhat eroded.

    While it remains to be seen how the industry will recover from the OCBC saga, what has become clear is the need for stronger regulations to shake companies out of inertia. For one, MAS’ inclusion of incident response among the measures banks must adopt is a positive step forward. A ZDNet report I published last week discussed the importance of cybersecurity incident response in bolstering cyber resilience and network availability. As mentioned previously, a robust incident response plan could have helped OCBC stem funds from leaking further and saved its customers, as well as the bank, from losing S$8.5 million.

    There should be clear guidelines, and mandates if necessary, that ensure businesses and banks respond within a stipulated time when customers call their hotline about a potential security breach. Failure to meet this should result in financial penalties or bar breached organisations from renouncing liability. Companies also should be required to release an incident report, following their investigation into the service breach, that highlights the cause of the breach and the remediation steps taken to plug the security holes, if any. Where necessary, this report should include additional measures customers may need to take to better protect their personal data with the organisation.

    For instance, it has been two months since DBS suffered its most serious service disruption last November, during which its customers could not log into or access the bank’s online and mobile services for the bulk of two days. Few details were offered about the cause then. Does it plan to release a report detailing its review of the incident soon? Has it at least submitted its findings to MAS? If not, how then will DBS customers be certain the bank’s processes and systems did not trigger the service disruption, and that their data and accounts are adequately secured?

    In addition, the implementation of security measures deemed critical to combat growing threats, such as registering and protecting SMS Sender IDs, should be mandated and enforced, rather than left as optional. If MAS can release guidelines disallowing the marketing of crypto services to safeguard consumers against trading “on impulse”, then surely it can do the same to mandate the adoption of steps critical to protecting people’s life savings? While concerns that over-regulating can stifle innovation are valid, laws and rules are necessary when there is blatant failure, on the part of businesses, to do what is required in their customers’ interest.

    Yes, cybersecurity is a shared responsibility, but it doesn’t mean companies get to throw their arms up at the first chance and say, “we told you so”, when customers make a mistake and fall for, to use a term breached organisations commonly point to, “increasingly sophisticated” online scams. Equal efforts also should be made to immediately address and contain the impact of security incidents, regardless of how the breach happened. An assume-breach posture does not mean businesses get to skip due diligence. And the next time someone mentions the tradeoff between convenience and security, remind them about the bank accounts that were drained of life savings over one link in an SMS message.