More stories

  • Hackers are using this new malware which hides between blocks of junk code

    A Russian-government-backed hacking group linked to the SolarWinds supply chain attack has developed new malware that has been used to attack businesses and governments in North America and Europe, in a campaign designed to secretly compromise networks, steal information, and lay the foundations for future attacks.

    The attacks also involve the compromise of multiple cloud and managed service providers, as part of a campaign designed to give the hackers access to the vendors’ downstream clients in supply chain attacks.

    The wide-ranging campaign has been detailed by cybersecurity researchers at Mandiant, who have linked it to two hacking groups they refer to as UNC3004 and UNC2652. Mandiant associates these groups with UNC2452 – also known as Nobelium in reports by Microsoft – a hacking operation that works on behalf of the Russian Foreign Intelligence Service and was behind the cyber attack against SolarWinds. However, while each of these hacking operations works out of Russia and appears to share similar goals, researchers cannot say for certain that they are all part of one unit.

    “While it is plausible that they are the same group, currently, Mandiant does not have enough evidence to make this determination with high confidence,” said the report.

    The newly detailed campaigns include the use of a custom-developed malware downloader which researchers have called Ceeloader.

    Written in the C programming language, the malware decrypts shellcode payloads to be executed in the memory of the victim Windows machine, enabling the distribution of further malware. Ceeloader hides from detection by burying its code among large blocks of junk code, which makes the malicious code undetectable to anti-virus software.

    “An obfuscation tool has been used to hide the code in Ceeloader in between large blocks of junk code with meaningless calls to the Windows API. The meaningful calls to the Windows API are hidden within obfuscated wrapper functions that decrypt the name of the API and dynamically resolve it before calling,” the report said.

    It isn’t clear how Ceeloader is distributed, but it provides a stealthy gateway for further malicious activity.

    Other tactics the attackers use include the abuse of the legitimate penetration testing tool Cobalt Strike to place a backdoor on the compromised system, which can be used to execute commands and transfer files, and which also provides a keylogger that can be used to steal usernames and passwords.

    In addition to deploying malware, the attackers have compromised targets via cloud services. Like other Russia-linked hacking campaigns, these attacks also target remote desktop protocol (RDP) log-in credentials.

    But no matter how the network was compromised, the organisations under attack appear to align with those targeted in previous campaigns attributed to the Russian state.

    “We have seen this threat actor ultimately target government entities, consulting organisations, and NGOs in North America and Europe who directly have data of interest to the Russian government. In some cases, they first compromised technology solutions, services, and reseller companies in North America and Europe that have access to targets that are of ultimate interest to them,” Douglas Bienstock, manager of consulting at Mandiant, told ZDNet.

    For the attackers, targeting cloud service providers via the new and existing methods of compromise detailed in the report remains one of the key ways of compromising a wide range of organisations. By compromising the supplier, they have the potential to gain access to the systems of its customers.

    Incidents like the SolarWinds supply chain attack attributed to the Russian state, and cybercriminal activities like the Kaseya supply chain compromise and ransomware attack, have demonstrated what a powerful tool this can be for hostile cyber campaigns – which is why cloud providers and their services remain a prominent target.

    “By compromising the environment of a single cloud service provider, the threat actor may be able to access the networks of multiple organisations they are interested in that are customers of that provider. In this way, the threat actor can focus their efforts on a small number of organisations and then reap large rewards,” said Bienstock.

    Mandiant researchers say they are aware of a few dozen organisations that have been impacted by campaigns in 2021, and in cases where they have been compromised by any attackers, steps have been taken to notify them.

    It’s expected that the Russia-linked hackers – and other offensive cyber operations – will continue to target organisations, supply chains, and cloud providers around the world. Mandiant has previously released advice on hardening networks against attacks, which includes enforcing multi-factor authentication across all users.

  • Brace yourself for these five top data breach trends in 2022, Experian warns

    In its latest annual Data Breach Industry Forecast, released Monday, credit bureau and information services company Experian said it has identified five areas in which it believes cybercriminals will find opportunities to exploit in 2022. The findings were based on the observation that as people throughout the world become more digitally connected than ever before, thanks in part to the global pandemic, so too grows the potential for institutions, infrastructure, and personal lives to be exposed to cybercriminals. “Big institutions remain vulnerable, despite spending millions on security, and cybercriminals have plenty of opportunities to exploit weak technologies,” the report said.

    Experian identified five top data breach trends to expect in 2022:

    1. Digital assets

    Digital assets, such as cryptocurrencies and non-fungible tokens, or NFTs, will become greater targets of attack as society accepts them as legitimate parts of the financial and technological landscape. This prediction couldn’t have come at a better time, as cryptocurrency exchange BitMart reported over the weekend that hackers stole about $150 million worth of tokens from its so-called “hot wallets.” Blockchain security and data analytics company PeckShield, which first noticed the breach, estimated that BitMart’s loss was closer to $200 million: $100 million on Ethereum and $96 million on Binance Smart Chain.

    2. Natural disasters

    Natural disasters will prompt people to donate more to aid organizations online, resulting in both donors and people in distress becoming more prone to phishing attempts from groups disguised as charitable organizations. To complicate things further, Experian said unreliable global supply chains will make the sourcing of emergency goods more difficult, which will provide another opportunity for online thieves to take advantage.

    3. Remote workers

    Remote workers will be targets of data thieves who are looking to hack into businesses and institutions. The report said that because home wireless networks are more vulnerable than many business VPNs, companies will need to focus more on security compliance from their employees. “Employees will need training on matters like how to spot a phishing attempt, or how to respond to a ransomware attack,” according to the report.

    4. Physical infrastructure landmarks

    Physical infrastructure landmarks, such as electrical grids, dams, and transportation networks, will be greater targets for hackers, both foreign and domestic, who will attempt to steal some of the trillions of dollars Congress approved under the Biden infrastructure bill. Experian said that these bad actors will attempt to steal during the process of fund disbursement using a variety of scams, from phishing to CEO fraud. “The sums are so large, and their distribution involves so many institutions and processes – from Treasury vendors to banks, to individual contractors – that hackers will be probing for weaknesses in the money supply chain,” the report said.

    5. Online gambling scams

    As online sports betting becomes legalized in more states, phishing scams will target online gamblers, especially those who are new to online betting. And as online gambling becomes more legal, online scammers will be harder to detect. Experian predicts that common forms of thievery will include gambling using stolen credit card info, hijacking an account either through hacking or correctly guessing a password, or impersonating a legitimate online casino. Experian also noted that as cryptocurrency becomes more popular in online gambling, and more sites incorporate it for ease of use, hackers will attempt to break into digital wallets.

    Data breaches remain a strong threat. According to a recent report by the Identity Theft Resource Center, there had been 1,291 data breaches in 2021 as of September 30, 17% more than the 1,108 breaches reported during all of 2020.

    “Cybercriminals have honed in on pandemic disruptions this past year so security professionals need to shore up security protocols and have data breach response plans in place – especially for ransomware – should a breach occur,” said Michael Bruemmer, global vice president of Experian Data Breach Resolution, who published the report. “Businesses must increase their focus and move past simply catching up to the ‘new normal’ in how they operate,” he added.

  • ASIC says financial market cyber resiliency remained steady but fell short of target

    Firms in Australia’s financial market have continued to be resilient against cyber threats, with improvement rates in cyber resiliency remaining steady, the Australian Securities and Investments Commission (ASIC) reported on Monday.

    This finding was published in the corporate regulator’s latest report [PDF], which compiled trends from self-assessment surveys completed by financial markets firms. The report, titled Cyber resilience of firms in Australia’s financial markets: 2020–21, is an update to a similar cyber resilience report published by ASIC two years ago.

    In both 2020 and 2021, ASIC asked participants to reassess their cyber resilience against the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The NIST Framework allows firms to assess cyber resilience against five functions (identify, protect, detect, respond, and recover), using a maturity scale of where they are now and where they intend to be in 12-18 months.

    In the new report, ASIC identified that cyber resiliency among firms operating within Australia’s financial market increased by 1.4% overall, but this fell short of the 14.9% improvement targeted for the period. It was also lower than the 15% improvement achieved between 2017 and 2019. ASIC attributed the shortfall to a combination of reasons, including overly ambitious targets, a rise in the cyber threat environment, and disruptions caused by the COVID-19 pandemic, which resulted in organisations directing resources towards enabling secure remote working and ensuring products and services could be delivered to customers as supply chains were burdened with growing cyber activity.

    Improvement in cyber resilience preparedness between cycles (by function).
    Image: ASIC
    Overall, 2021 saw improvements in the management of digital assets, business environment, staff awareness and training, and protective security controls.

    “Firms operating in Australia’s markets continue to be resilient against a rapidly changing cyber threat environment. The COVID-19 pandemic has increased opportunities for threat actors to target remote workers, and access remote infrastructure and supply chains critical to the delivery of products and services. However, the response from firms has been robust,” ASIC commissioner Cathie Armour said.

    The report said 90% of firms strengthened user and privileged access management, 88% of firms ensured users were trained and aware of cyber risks, and 86% had mature cyber incident response plans in place. Other key findings from the report included that the gap between large firms and small to medium-sized enterprises (SMEs) continued to close, with an overall improvement of 3.5%. In contrast, larger firms reported a slight drop in confidence of 2.2%, ASIC said.

    “This comes off a strong base and can be attributed to large firms reassessing their response and recovery capabilities in light of: Increased complexity of their business operating models [and] a significant increase in threats to critical products and services reliant on third parties and supply chains,” the corporate regulator said.

    ASIC also highlighted that the greatest gaps between larger firms and SMEs continued to be in supply chain risk management, where 40% of SMEs indicated weak supply chain risk management practices, though a majority of firms identified that this would be an ongoing priority over the next period. Investment in cyber resiliency by credit rating agencies increased during the period, ASIC said, triggered by the 2017 Equifax incident, while investment banks continued to set high targets for all NIST Framework categories.

    The release of the report follows ASIC recently putting forward a recommendation for market operators and participants to simulate outages and recovery strategies to improve resiliency. It came off the back of an investigation into the Australian Securities Exchange (ASX) software issues that arose when the refresh of its trade equity platform went live in November last year, causing the exchange to pause trading.

  • Didi to leave Wall St listing for Hong Kong Stock Exchange

    Image: Getty Images
    Ride-hailing app Didi announced it was preparing to leave the New York Stock Exchange in a short note released on Friday.

    “[Didi Global] today announced that its board of directors has authorized and supports the company to undertake the necessary procedures and file the relevant application(s) for the delisting of the company’s ADSs [American Depositary Shares] from the New York Stock Exchange, while ensuring that ADSs will be convertible into freely tradable shares of the Company on another internationally recognized stock exchange at the election of ADS holders,” it said. “The company will organize a shareholders meeting to vote on the above matter at an appropriate time in the future, following necessary procedures.

    “The board has also authorized the company to pursue a listing of its class A ordinary shares on the main board of the Hong Kong Stock Exchange.”

    Didi announced its IPO on Wall St at the end of June, and opened trading at $14. It closed on Friday at $6.07 after opening the day at $7.56 per share.

    In July, Didi found its app removed from app stores in China following a government edict. The Cyberspace Administration of China said at the time that Didi breached regulations governing the collection and use of personal data. It instructed the removal of the app from local app stores and told Didi to rectify “existing problems” and “effectively protect” users’ personal data. The government agency did not disclose any details on what these issues were or how they violated local laws.

    The move hit 25 apps operated by Didi in China. “The company expects that the app takedown may have an adverse impact on its revenue in China,” it said. Didi also confirmed a week later that the authorities in China were conducting a cybersecurity review, and denied reports the company was going private.

  • No surprise: NSW iVote fails during local council elections

    Image: Getty Images
    New South Wales’ iVote online voting system failed on Saturday during the state’s local government elections, with an unknown number of voters unable to exercise their democratic rights.

    In a media statement released on Saturday evening, the NSW Electoral Commission (NSWEC) blamed “the increased volume of people using the iVote system”.

    “Almost triple the number of voters have used iVote at these elections than any previous election,” NSWEC said. “At the 2019 NSW State elections 234,401 votes were cast using iVote. At close of applications at 1pm today [Saturday] 652,983 votes had been cast using the system since it opened on 22 November.”

    Voting is compulsory in Australia. However, NSWEC said any eligible voter who “applied to use iVote” but was unable to cast their ballot would be excused from paying the AU$55 penalty. “The Electoral Commissioner may also determine, after the elections have finished, that other categories of electors should be excused for having a sufficient reason,” NSWEC said.

    Curiously, the state’s Local Government Act was amended earlier this year specifically to allow iVote to be used for council elections. This was directly in response to “the challenges of COVID-19”.

    These elections had been postponed twice due to the pandemic, from the original date in September 2020, to September 4 this year, and then to December 4. One might wonder, therefore, why iVote couldn’t cope with traffic levels a mere three times above the previous state election. Surely it should have been clear that the pandemic might cause many, many more people to vote online?

    In response to ZDNet’s questions, an NSWEC spokesperson said that the iVote system was prepared based on the usage at previous state elections.

    “As a contingency the system was planned and tested for a capacity of 500,000 votes — double the capacity required for the 2015 and 2019 NSW State elections,” they said. “There were 283,699 users in 2015 and 234,401 users in 2019. Use of iVote is subject to strict eligibility criteria and criteria for this election were substantially the same as those previous elections. More than 671,000 votes were cast via iVote at this election.”

    Where possible, NSWEC had introduced additional capacity as volumes increased, but could not meet demand on election day, they said.

    Dr Vanessa Teague, a cryptographer with a particular interest in privacy and election security, isn’t surprised by the failure. Starting in 2015, she and her colleagues have found numerous flaws in iVote, problems which NSWEC has often downplayed.

    “Every serious investigation of iVote found serious problems,” Teague tweeted on Saturday. That even includes a review [PDF] commissioned by NSWEC itself as recently as July.

    “What happened today should surprise nobody,” Teague said. “[NSWEC] apologises to voters not able to vote as a result of the outage; no apology to candidates who may or may not have failed to get elected as a consequence of their supporters being excluded.”

    As Teague noted, local government elections often have narrow margins.

    “Of course the really important point is: where is the evidence of eligible voter intent in any of those 650,000 votes, when we know the system that received them had serious IT problems?” she asked. “We may simply not have enough information to determine who deserved to be elected.”

    ‘Sometimes people insist on shoving beans up their nose’

    Australian election authorities have traditionally pushed back against criticism of their software systems. At the federal level, in March this year the Australian Electoral Commissioner Tom Rogers made it clear that external system audits are not welcome.

    “We work with a range of partners, including the Australian Signals Directorate, the Australian Cyber Security Centre, we’ve had our internal code audited and checked,” Rogers told a Senate committee. “And not being rude, I’m sure that Dr Teague is a wonderful person, but we’ve had sufficient checks in place to assure ourselves that that system is running smoothly.”

    Justin Warren, chief analyst at PivotNine, continues to be amused by this resistance — not only in electoral matters but right across government.

    “We keep trying to help governments to be good at computers, but they are remarkably resistant to being helped,” Warren told ZDNet. “One thing I’ve learned from consulting is that sometimes people insist on shoving beans up their nose and there’s nothing you can do to stop them. You have to wait patiently until they ask for help getting them out.”

    NSWEC is required by law to release a full report on the conduct of the election by May 2022. Readers may like to consider whether that’s soon enough.

  • Australia commences work on electronic surveillance law reforms

    The Australian government has commenced work to reform the country’s electronic surveillance laws, which have been labelled overly complex, inconsistent, and incompatible with the current technology landscape.

    The federal government committed to reforming these laws earlier this year after a review into Australia’s intelligence community found comprehensive legislative changes were required, specifically in repealing existing powers and combining them to avoid duplication, contradictory definitions, and any further ad hoc amendments to existing laws.

    “In short, we conclude that the legislative framework governing electronic surveillance in Australia is no longer fit for purpose,” the review said. The review said that problems with the framework have accumulated after 40 years of continued amendments.

    The laws in question enable agencies to use electronic or technical means that would normally be unlawful to covertly listen to a person’s conversations, access a person’s electronic data, observe certain aspects of a person’s behaviour, and track a person’s movements for the purposes of preventing serious crimes and security threats.

    The federal government’s initial work, coming in the form of a discussion paper [PDF], has set out the guiding principles for how it will approach making these electronic surveillance law reforms.

    Among these principles is that the reforms will look to develop a new single Act that better protects information and data, and ensures that law enforcement agencies have the appropriate powers to investigate serious crimes and security threats.

    Currently, there are three different sets of laws focusing on electronic surveillance, with the Surveillance Devices Act (SD Act) enacted 15 years ago, the ASIO Act and Telecommunications (Interception and Access) Act being 40 years old, and the foundations of the surveillance framework dating back to decisions made in 1949.

    In the discussion paper, Home Affairs said it envisions the new Act will “harmonise the existing warrant framework” to provide more consistent safeguards on the authorisation and use of electronic surveillance powers. Under the current framework, some powers, such as accessing stored communications, need separate warrants, while other powers, such as accessing telecommunications data, can be authorised internally.

    “Despite the overlap between powers and their similar levels of intrusiveness, they are not subject to a consistent approach in terms of thresholds, purposes, safeguards, or accountability,” Home Affairs said.

    According to the discussion paper, the reforms will also look to modernise and streamline the laws by updating key concepts and clearly identifying the agencies that can seek access to this information, while balancing that with ensuring the laws are clear, transparent, and usable.

    The concepts and definitions that government will reconsider range from the definition of communications, to the distinction between content and non-content information, to the kinds of providers that hold relevant information and data, and the kinds of information that may be obtained through surveillance and tracking devices. It noted that the current definition of communications, which primarily focuses on conversations and messages, does not appropriately represent modern-day communications.

    “There is now a wider range of information and data passing over the telecommunications network, such as machine-to-machine signals between servers, routers, and modems that enable the network to route communications to their intended destination,” Home Affairs wrote in the discussion paper. “Whether something is a communication therefore has significant consequences for whether that information is protected. As a result, there may be gaps in the limits, controls, and safeguards that apply to this information, even where it is passing over the telecommunications network.”

    The discussion paper also confirmed that government would follow the review’s recommendation not to add more judicial oversight to these powers as part of the reforms. Instead, Home Affairs outlined that it would like only the Inspector-General of Intelligence and Security and the Commonwealth Ombudsman to continue overseeing the use of electronic surveillance by law enforcement agencies.

    As part of the discussion paper’s release, Home Affairs will also be seeking consultation about the reforms. It will be accepting submissions to the discussion paper until mid-February next year.

    Last week, the Commonwealth Ombudsman published its report [PDF] to Home Affairs on the extent to which law enforcement agencies have complied with the SD Act. In the report, the Ombudsman found that South Australian Police had no process for destroying records as required by the SD Act. The state police agency said it would prioritise implementing a destruction regime.

    The Ombudsman also found the Australian Federal Police (AFP) failed to destroy protected information for over a month after it was authorised for destruction, on four occasions. There was also one instance where the AFP took five months to destroy a piece of protected information. The AFP also disclosed two instances where it collected data outside of a warrant provided under the SD Act. One of those instances entailed the AFP collecting 12 files from a device despite the warrant for collecting information from that device having already expired.

    The Commonwealth Ombudsman also revealed it found three instances of the Australian Criminal Intelligence Commission (ACIC) not destroying protected information as soon as practicable as required by the Act, eight instances where the agency did not destroy protected information within five years, and several instances where the ACIC certified protected information for retention after it had already been certified for destruction.

  • FBI: Cuba ransomware group hit 49 critical infrastructure organizations

    The FBI has released a new notice about the Cuba ransomware, explaining that the group has attacked “49 entities in five critical infrastructure sectors” and made at least $43.9 million in ransom payments.

    In a notice sent out on Friday, the FBI said the group is targeting enterprises in the financial, government, healthcare, manufacturing, and information technology sectors, while using the Hancitor malware to gain entry to Windows systems.

    “Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks,” the notice explained, noting that the encrypted files have the “.cuba” extension.

    “Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network. Subsequently, Cuba ransomware actors use legitimate Windows services — such as PowerShell, PsExec, and other unspecified services — and then leverage Windows Admin privileges to execute their ransomware and other processes remotely.”

    The eye-popping ransom payments were dwarfed by the amount of money the group has demanded from victims, which the FBI pegged at $74 million.

    Once a victim is compromised, the ransomware installs and executes a CobaltStrike beacon while two executable files are downloaded. The two files allow attackers to acquire passwords and “write to the compromised system’s temporary (TMP) file.”

    “Once the TMP file is uploaded, the ‘krots.exe’ file is deleted and the TMP file is executed in the compromised network. The TMP file includes Application Programming Interface (API) calls related to memory injection that, once executed, deletes itself from the system. Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at Montenegro-based Uniform Resource Locator (URL) teoresp.com,” the FBI explained.

    “Further, Cuba ransomware actors use MimiKatz malware to steal credentials, and then use RDP to log into the compromised network host with a specific user account. Once an RDP connection is complete, the Cuba ransomware actors use the CobaltStrike server to communicate with the compromised user account. One of the initial PowerShell script functions allocates memory space to run a base64-encoded payload. Once this payload is loaded into memory, it can be used to reach the remote command-and-control (C2) server and then deploy the next stage of files for the ransomware. The remote C2 server is located at the malicious URL kurvalarva.com.”The FBI included other attack information as well as a sample ransom note and email the attackers typically include. Ransomware experts were somewhat surprised by the amount of money the group made considering their level of activity relative to other more prominent ransomware groups. Emsisoft threat analyst Brett Callow said the report illustrated how lucrative the ransomware industry is considering the Cuba ransomware group is not in their top ten list in terms of activity. His data shows 105 Cuba ransomware submissions this year compared to 653 for the Conti ransomware group. “This really highlights how much money there is to be made from ransomware. Cuba is a relatively small player and if they made $49 million, other outfits will have made considerably more,” Callow told ZDNet. “And this, of course, is why ransomware is such a difficult problem to deal with. The massive rewards mean people consider the risks worthwhile.”Since January, the group has operated a leak site, becoming one of the many ransomware groups that threatens to release stolen data if victims do not pay. The McAfee Advanced Threat Research Team released a detailed report on the group in April, noting many of the same things the FBI found in their analysis. 
McAfee researchers also found that while the group had been around for years, it only recently began extorting victims with its leak site. The group typically targets companies in the US, South America and Europe. McAfee said that the group has sold stolen data in some instances. “Cuba ransomware is an older ransomware that has been active for the past few years. The actors behind it recently switched to leaking the stolen data to increase its impact and revenue, much like we have seen recently with other major ransomware campaigns,” the McAfee report explained.”In our analysis, we observed that the attackers had access to the network before the infection and were able to collect specific information in order to orchestrate the attack and have the greatest impact. The attackers operate using a set of PowerShell scripts that enables them to move laterally. The ransom note mentions that the data was exfiltrated before being encrypted.”The group made waves in February when they attacked payment processor Automatic Funds Transfer Services, forcing multiple US states to send out breach notification letters. First reported by Bleeping Computer, the attack involved the theft of “financial documents, correspondence with bank employees, account movements, balance sheets and tax documents.” The incident also caused significant damage to the company’s services for weeks. Multiple states were concerned because they used the company for a variety of services that gave them access to people’s names, addresses, phone numbers, license plate numbers, VIN numbers, credit card information, paper checks and other billing details, according to Bleeping Computer. The state of California and multiple cities in Washington state were affected and sent out breach notification letters.Allan Liska, a ransomware expert with Recorded Future, said the FBI report also showed the observability problem with the ransomware landscape. 
    “There were 28 victims published to the Cuba extortion site, but the FBI knew about at least 49 victims. We only knew about 1/2 of their victims,” Liska said. ”Despite the small number of victims, the FBI claiming they made at least $43.9 million shows that ransomware continues to be extremely profitable for these threat actors. Their targets tended to be medium sized organizations and were spread around the world. I think it shows there is a lot we don’t know.”


    Sensitive information of 30k Florida healthcare workers exposed in unprotected database

    More than 30,000 US healthcare workers’ personal information was recently exposed due to a non-password protected database, according to security researcher Jeremiah Fowler and a team of ethical hackers with Website Planet. Fowler discovered a database run by Gale Healthcare Solutions with 170,239 exposed records that included names, emails, home addresses, photos and in some cases Social Security Numbers as well as tax documents. 


    Gale Healthcare Solutions is a Tampa, Florida tech company that connects healthcare workers with healthcare organizations looking to hire people for certain shifts. The company did not respond to repeated requests for comment. Fowler said the information also included forms about certain incidents, disciplines and terminations. “We only reviewed a limited sampling of documents and did not review each and every file. The files were hosted on an AWS cloud server and many of the registration documents were open and publicly accessible,” Fowler told ZDNet. “The images I saw were usually of the healthcare worker’s face or ID badge, but the URL contained their full name, SSN and a number consistent with an SSN. Here is an example of how the link appeared: .com/gale-registration-documents/documents/last_name_first_name-LPN/-SSN-*********.jpeg. I called several individuals and validated only that these were real people and their information matched that in the files.” Fowler explained that he didn’t feel it was appropriate to ask victims for their SSN or ask them to validate the information due to the highly sensitive nature of SSNs. 

    “These people have a hard enough job without a random stranger calling them and reading out their SSN to them. If the names, phone numbers, and locations of these individuals matched those who I called and validated, it is logical to assume that the number indicated as SSN would most likely be real,” he added. “I can only speculate that someone at Gale likely assumed this would make content management easier if the link had all needed information and could be easily indexed in a readable format and not a more secure unidentifiable internal code ID structure. They also overlooked that these URL paths and file names were not secure or private. Even if the images did not contain pictures of SSN cards an exposure in numerical text of the image name is just as much of a privacy risk and identity threat.”

    Fowler and other ethical hackers with Website Planet search for serious data leaks by investigating open, unprotected databases that they find at random, never targeting specific companies.

    The 170,239 records covered medical workers, nurses, and caregivers. In a report, Fowler explained that internal email addresses, usernames, and administrative passwords were stored in plain text.

    Fowler and his team contacted Gale and public access to the database was closed the same day. The company never responded to their questions. During his investigation of the database, Fowler found that multiple administrative accounts used weak passwords, noting that in a sampling of 10,000 records, “Password” appeared 2,921 times. ”We could also see multiple internal Admin accounts that used very similar and easy passwords. This is the first time I have ever seen full names and a number called ‘SSN’ in the actual file name. In theory the file wouldn’t have to be opened to expose sensitive data because the file name alone contained what appeared to be PII (personally identifiable information),” Fowler added. “The Covid 19 pandemic has hit healthcare workers hard with long hours and many are physically and emotionally exhausted. Hospitals all over the United States are suffering from a shortage of healthcare workers. Any service that allows hospitals to fill their shifts is extremely important and valuable to sick patients. It is unfortunate that this incident may have exposed the data of frontline workers during an already difficult time. Healthcare workers’ private information publicly available also poses a risk of unwanted harassment, intimidation, or cyber stalking.”

    Fowler said it was unclear how long the database had been exposed and who else may have accessed it. Gale did not respond to requests for comment about whether they have notified any healthcare workers who may have had their sensitive information exposed. He said the company is required to notify victims as part of the Florida Information Protection Act of 2014.