More stories

  • Phishing incident causes data breach at West Virginia hospitals

    A hospital system in West Virginia has suffered a data breach resulting from a phishing attack that gave hackers access to several email accounts. Monongalia Health System, which runs Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company, said that hackers had access to several email accounts from May 10 to August 15. These accounts contained sensitive information from patients, providers, employees and contractors. The company concluded its investigation into the incident on October 29, finding that the attack resulted from an email phishing incident.

    “Mon Health first became aware of the incident after a vendor reported not receiving a payment from Mon Health on July 28, 2021. In response, Mon Health promptly launched an investigation, through which it determined that unauthorized individuals had gained access to a Mon Health contractor’s email account and sent emails from the account in an attempt to obtain funds from Mon Health through fraudulent wire transfers,” the company explained. “Upon learning of this, Mon Health secured the contractor’s email account and reset the password, notified law enforcement, and a third-party forensic firm was engaged to assist with the investigation.”

    The attack did not include information from its other hospitals, including Mon Health Preston Memorial Hospital and Mon Health Marion Neighborhood Hospital. The company claims that “the purpose of the unauthorized access to the email accounts was to obtain funds from Mon Health through fraudulent wire transfers and to perpetrate an email phishing scheme, not to access personal information.”

    Mon Health started sending breach notification letters to victims on December 21 and said a toll-free call center was created for those with questions. Dozens of healthcare organizations have had to send out breach notification letters to patients due to cyberattacks or ransomware incidents that exposed sensitive data.

  • Log4J added to DHS bug bounty program

    Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly and Homeland Security Secretary Alejandro Mayorkas announced the expansion of the “Hack DHS” bug bounty program, noting on Twitter that it will now include vulnerabilities related to Log4J. “We opened our HackDHS bug bounty program to find and patch Log4j-related vulnerabilities in our systems,” Easterly said. “Huge thanks to the researcher community taking part in this program. Log4j is a global threat and it’s great to have some of the world’s best helping us keep orgs safe.”


    On December 14, the Homeland Security Department announced the bug bounty program as a way to identify cybersecurity gaps and vulnerabilities in its systems. It gave “vetted” cybersecurity researchers access to “select external DHS systems” and asked them to find bugs. Secretary Alejandro Mayorkas called DHS the “federal government’s cybersecurity quarterback” and said the program “incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors.” “This program is one example of how the Department is partnering with the community to help protect our Nation’s cybersecurity,” Mayorkas said.

    In the original outline of the program, DHS planned for the bug bounty effort to occur in three phases in 2022. Once the hackers finished a virtual assessment of DHS external systems, they would be invited to take part in a live, in-person hacking event. The last phase involves DHS taking the recommendations and planning for future bug bounty programs. DHS intends to make the program something any government agency could run.

    “Hack DHS, which will leverage a platform created by the Department’s Cybersecurity and Infrastructure Security Agency (CISA), will be governed by several rules of engagement and monitored by the DHS Office of the Chief Information Officer. Hackers will disclose their findings to DHS system owners and leadership, including what the vulnerability is, how they exploited it, and how it might allow other actors to access information,” DHS explained. “The bounty for identifying each bug is determined by using a sliding scale, with hackers earning the highest bounties for identifying the most severe bugs. Hack DHS builds on the best practices learned from similar, widely implemented initiatives across the private sector and the federal government, such as the Department of Defense’s ‘Hack the Pentagon’ program.”

    This won’t be the first bug bounty program run by DHS. It ran a pilot of the effort in 2019 after legislation was passed thanks to the bipartisan coalition behind the SECURE Technology Act. DHS explained that the law allows it to pay people chosen to evaluate DHS systems by mimicking hacker behavior.

  • Log4j flaw: Attackers are 'actively scanning networks' warns new CISA guidance

    A new informational Log4J advisory has been issued by cybersecurity leaders from the US, Australia, Canada, New Zealand and the United Kingdom. The guide includes technical details, mitigations and resources to address known vulnerabilities in the Apache Log4j software library.


    The project is a joint effort by the US Cybersecurity and Infrastructure Security Agency (CISA), FBI and NSA, as well as the Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Computer Emergency Response Team New Zealand (CERT NZ), New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK). The organizations said they issued the advisory in response to “active, worldwide exploitation by numerous threat actors, including malicious cyber threat actors.” Numerous groups from North Korea, Iran, Turkey and China have been seen exploiting the vulnerability, alongside a slate of ransomware groups and cybercriminal organizations.

    CISA Director Jen Easterly said Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world. “We implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks,” Easterly said. “These vulnerabilities are the most severe that I’ve seen in my career, and it’s imperative that we work together to keep our networks safe.”

    Cybersecurity company Sonatype has tracked the total number of Log4j downloads since the vulnerability was discovered on Dec. 10, also noting the number of vulnerable versions of Log4j downloaded in the last hour. Even with the massive mobilization effort around the issue, 43% of the Log4j downloads in the last hour were of vulnerable versions.
    Jessica Hunter, acting head of the Australian Cyber Security Centre, said malicious cyber actors are already scanning and exploiting some of the many thousands of vulnerable systems around the world, prompting the need for world governments to be proactive in their efforts to patch, partner and monitor.  

    The FBI’s Bryan Vorndran urged organizations attacked through the vulnerability to contact the FBI or CISA about the issue. CISA built a Log4j web page with information, guidance and resources for network defenders, as well as a community-sourced GitHub repository of affected devices and services. NSA cybersecurity director Rob Joyce said everyone should inventory their assets so they can stay on top of patches as they come out. “Start with internet exposed assets, but mitigate and update everything. Monitor and follow up. Malicious actors have been observed patching software they compromise to help retain control of the assets,” Joyce said.

    CISA ordered all federal civilian agencies to address the issue before Christmas and published an open-source log4j-scanner derived from scanners created by other open-source community members. The tool is intended to help organizations identify potentially vulnerable web services affected by the Log4j vulnerabilities.

    “We cannot stress enough how important it is for everyone to patch this vulnerability as soon as possible. We know that malicious actors are constantly scanning for a way into systems worldwide, using the Log4j vulnerability,” said CERT NZ Director Rob Pope. “It is only through collective actions that we can effectively address these types of attacks, which is why we’re proud to be part of an international effort to keep organizations safe and secure.”

  • This ransomware strain just started targeting lots more businesses

    The relatively new Pysa ransomware was the dominant strain behind file-encrypting attacks in November and saw a 400% rise in attacks on government organizations, according to analysis by security company NCC Group. Pysa is one of the ransomware gangs using double extortion to pressure victims into paying, and it dumped leaks from 50 previously compromised organizations last month. Overall in November, the number of Pysa attacks increased 50%, which means it overtook Conti to join LockBit as one of the two most common versions of the malware. Conti and LockBit had been the dominant strains since August, according to NCC Group.

    Inexplicably, Pysa leaks data from targets weeks or months after attempting to extort them. The large-scale data dump follows joint US and EU law enforcement action against some members of the REvil ransomware gang, who were behind the attack on IT vendor Kaseya.

    Also known as Mespinoza, the Pysa gang seeks out evidence of crime among targets to use as leverage during typically multi-million-dollar extortion negotiations. The FBI started tracking Pysa activity in March 2020, in ransomware attacks against the government, institutions, private and healthcare sectors. The group often employs phishing for credentials to compromise Remote Desktop Protocol (RDP) connections. Pysa targets high-value finance, government and healthcare organizations, notes NCC Group.

    Across all ransomware gangs, victims from North America totaled 154 during the month, of which 140 were US organizations, while European victims numbered 96 in November. The industrials sector was the most targeted, while attacks on the technology sector decreased 38%.

    NCC Group also spotlights a Russian-speaking ransomware gang called Everest Group that’s pushing new boundaries in double extortion by not only threatening to leak files but also providing its customers with access to victims’ IT infrastructure. Instead of pursuing a ransom, the group sells third-party access to the target’s network, creating a new way to monetize a compromised target. If it proves lucrative, this could become a trend next year, NCC Group warns. “In November, the group offered paid access to the IT infrastructure of their victims, as well as threatening to release stolen data if the victim refused to pay a ransom,” it notes. “While selling ransomware-as-a-service has seen a surge in popularity over the last year, this is a rare instance of a group forgoing a request for a ransom and offering access to IT infrastructure – but we may see copycat attacks in 2022 and beyond.”

  • Ubisoft confirms Just Dance data breach amid developer exodus

    Gaming giant Ubisoft has confirmed a cyberattack on its IT infrastructure targeting the popular game Just Dance. The company explained that the incident “was the result of a misconfiguration, that once identified, was quickly fixed, but made it possible for unauthorized individuals to access and possibly copy some personal player data.” 

    Ubisoft did not respond to requests for comment about how many people were affected by the incident.

    “The data in question was limited to ‘technical identifiers’ which include GamerTags, profile IDs, and Device IDs as well as Just Dance videos that were recorded and uploaded to be shared publicly with the in-game community and/or on your social media profiles,” the Just Dance team explained in a note on Ubisoft’s message board. “Our investigation has not shown that any Ubisoft account information has been compromised as a result of this incident.”

    Anyone affected by the breach will receive an email from Ubisoft and will be given more information through the company’s support team. The team urged players to enable two-factor authentication and to reset any passwords. Ubisoft added that it took “all the proactive measures necessary” to secure its infrastructure from future cyberattacks.

    Axios reported on Monday that Ubisoft has faced a wave of departures over the last 18 months due to low pay, organizational dysfunction, and a stream of scandals. A developer who left recently told Axios that they were contacted by a co-worker for help in fixing a game because no one left at the company knew what to do. Employees have called it the “great exodus” and explained that the loss of talent was damaging their ability to push out games. Several hundred current and former employees signed an open letter earlier this year, criticizing Ubisoft for not doing enough to address problems within the company.

    In October 2020, the Egregor ransomware gang said it breached the Ubisoft network and stole data, leaking about 20 MB on its leak site. Ubisoft never commented on the breach. The company was also attacked in 2013; according to the BBC, the accounts of 58 million people were accessed. Ubisoft has sold millions of copies of Just Dance since it debuted in 2009.

  • FBI: Hackers are actively exploiting this flaw on ManageEngine Desktop Central servers

    The FBI’s cyber division has issued an alert warning enterprises using Zoho-owned ManageEngine’s Desktop Central that advanced attackers have been exploiting a flaw to install malware since late October.


    Zoho released a patch for the authentication bypass flaw CVE-2021-44515 on December 3, warning at the time that it had seen “indications of exploitation” and urging customers to update immediately. Zoho didn’t provide further details of the attacks at the time, which occurred after activity this year targeting previously patched flaws in ManageEngine products tracked as CVE-2021-40539 and CVE-2021-44077. However, the FBI says in the new alert that advanced persistent threat (APT) actors have been exploiting CVE-2021-44515 since at least October 2021. “Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers,” the FBI alert said.

    Microsoft has previously attributed some of the earlier activity to a Chinese hacker group that was installing web shells on compromised servers to gain persistence. The flaws affected IT management products used by end-user organizations and managed service providers. The FBI now says it observed APT actors compromising Desktop Central servers using the flaw, now known as CVE-2021-44515, to drop a web shell that overrides a legitimate function of Desktop Central. The attackers then downloaded post-exploitation tools, enumerated domain users and groups, conducted network reconnaissance, attempted lateral movement across the network and dumped credentials.

    ManageEngine is the enterprise IT management software division of Zoho, a company well known for its software-as-a-service products. The flaw affects Desktop Central software for both enterprise customers and the version for managed service provider (MSP) customers.

    The FBI has filled in some details about how attackers are abusing the flaw after obtaining samples that were downloaded from likely compromised ManageEngine ADSelfService Plus servers. It has seen attackers upload two variants of web shells with the filenames emsaler.zip (variant 1, late October 2021), eco-inflect.jar (variant 1, mid-November 2021) and aaa.zip (variant 2, late November 2021). The web shell overrides the legitimate Desktop Central application protocol interface servlet endpoint and is also used for reconnaissance and domain enumeration. Eventually, the attackers install a remote access tool (RAT) for further intrusion, lateral movement, and credential dumping using the penetration testing tool Mimikatz and LSASS process memory dumping. The attackers also used the Windows authentication protocol WDigest to steal credentials through an LSASS dump, signaling that they were using so-called ‘living off the land’ legitimate tools for nefarious purposes. Other tools in this category include Microsoft’s BITSAdmin command-line tool “to download a likely ShadowPad variant dropper with filename mscoree.dll, and a legitimate Microsoft AppLaunch binary, iop.exe”, according to the FBI.

    ManageEngine has strongly advised customers to update their installations to the latest build as soon as possible.

  • Log4j flaw: 10 questions you need to be asking

    The UK National Cyber Security Centre (NCSC) is urging company boards to start asking key questions about how prepared they are to mitigate and remediate the widespread, critical Log4Shell flaw in the Java-based application error logging component Log4j.

    NCSC calls Log4Shell “potentially the most severe computer vulnerability in years” and called upon company boards to treat the bug with urgency. It stresses that Log4j is a software component rather than a piece of software, which means it will be much more complicated to patch. Log4Shell is bad news today and will likely lurk in enterprise systems for years, despite major efforts from the US government, big tech and open-source contributors to address flaws in the original Log4j version 2 project, its implementation in major software products, and its deployment in hundreds of millions of enterprise applications, servers and internet-facing devices.

    There are ongoing efforts via the Apache Foundation to patch the core Log4j project, as well as downstream efforts by IBM, Cisco, Oracle, VMware and others to patch products containing vulnerable versions of the Log4j component. Google has also released tools to prevent developers from using vulnerable Log4j versions in new builds of open-source software. And the US government has ordered all federal agencies to patch or mitigate Log4Shell by Christmas.

    The urgency is justified. State-sponsored hackers have started scoping out the bug for potential future attacks, according to Microsoft and Google, while cyber criminals are figuring out how to profit from it. Meanwhile, the Belgian Ministry of Defense confirmed an attack on its network using the Log4j bug.

    Key challenges NCSC outlines include organizations finding out which services use Log4j, identifying which of those services an organization uses, and then finding out whether those services are vulnerable. CISA has already required all US federal agencies to enumerate any external-facing devices with Log4j installed. That’s no small task, especially given the number of affected products from Cisco, IBM, Oracle and VMware. Because of the component’s widespread use in other products, CISA estimates hundreds of millions of devices worldwide are exposed.

    “How concerned should boards be?” NCSC asks.

    Very, unless a business can afford disruptions to its operations from ransomware. While Microsoft has not found instances of the more dangerous human-operated ransomware using the vulnerability, it has seen Iranian threat actors tooling up to use it for ransomware attacks. NCSC has posed 10 questions for boards worried about the flaw:

    1. Who is leading on our response?
    2. What is our plan?
    3. How will we know if we’re being attacked and can we respond?
    4. What percentage visibility of our software/servers do we have?
    5. How are we addressing shadow IT/appliances?
    6. Do we know if key providers are covering themselves?
    7. Does anyone in our organisation develop Java code?
    8. How will people report issues they find to us?
    9. When did we last check our business continuity plans and crisis response?
    10. How are we preventing teams from burning out?

    Boards should also consider Log4Shell’s impact if the business needs to disclose where personal data was affected, as well as any costs linked to incident response and recovery, and damage to reputation. “Managing this risk requires strong leadership, with senior managers working in concert with technical teams to initially understand their organisation’s exposure, and then to take appropriate actions.”

    NCSC says Log4Shell warrants organizations creating a “tiger team” of core staff, including a leader, to address the threat. Boards should also ask ‘what’s our plan?’ and understand how Log4j issues will be remedied. Boards should understand this will take weeks or months to remediate, not days. Boards should know how the company is prepared to respond to a Log4Shell attack if and when it happens, and whether the company can detect such an attack if it were to take place. NCSC stresses that boards should understand what visibility their teams have of vulnerable software and servers, including IT assets that are centrally managed and unmanaged.

    The software supply chain is another key consideration. NCSC recommends organizations have an “open and honest conversation” with software-as-a-service suppliers that may also be trying to get a grip on which of their products are affected. Java is a hugely popular programming language in enterprise IT that’s used by an estimated 12 million developers worldwide. “Java developers may have legitimately used Log4j, so it’s important to ensure that any software written is not vulnerable,” NCSC notes. As it has previously noted, Log4j version 2 (Log4j2) ships with popular Apache frameworks including Struts2, Solr, Druid, Flink, and Swift.

    Finally, after two years of supporting remote work during the pandemic, a year of professional ransomware attacks and state-sponsored attacks on the software supply chain, and the critical Exchange Server zero-day vulnerabilities, NCSC is warning that some cybersecurity teams could suffer burnout during Log4Shell remediation. This is a board-level concern. “Remediating this issue is likely to take weeks, or months for larger organisations. The combination of an ever evolving situation (and the potential for severe impacts) can lead to burnout in defenders, if they’re not supported by leadership,” NCSC stressed.

  • Police found 225 million stolen passwords hidden on a hacked cloud server. Is yours one of them?

    The UK National Crime Agency (NCA) and National Cyber Crime Unit (NCCU) have discovered a cache of 225 million stolen emails and passwords and handed them to HaveIBeenPwned (HIBP), the free service for tracking credentials stolen and/or leaked through past data breaches. The 225 million new passwords become part of HIBP’s existing body of 613 million passwords in the Pwned Passwords set, which offers website operators hashes of the passwords so they can stop users from choosing them when creating a new account. Individuals can use HIBP’s Pwned Passwords page to see whether their passwords have been leaked in previous breaches.


    The service helps organizations meet NIST’s recommendation that users should be prevented from using any password that was previously exposed in a breach. That requirement aims to address the increasing use of “credential stuffing”, where criminals test large lists of leaked and commonly used username and password combinations against various online accounts.

    The technique has been used to compromise 50,000 online bank accounts since 2017, the FBI warned last year, and it works because many people still use the same password to protect multiple accounts; if any of the accounts protected with the shared password is breached, the person’s other accounts become vulnerable to credential stuffing. The technique became a problem a decade ago after billions of credentials were leaked online following major data breaches, giving attackers huge credential data sets to test against accounts of varying importance, ranging from online game accounts to bank accounts and employee accounts. NCA and NCCU came across the cache of stolen credentials at a compromised but unnamed cloud storage facility.
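    The screening step described above, as an added example that is not HIBP’s, the NCA’s or any vendor’s code: a registration-time check against an offline Pwned Passwords-style list, assuming the published download layout (one line per password: uppercase SHA-1 hex digest, a colon, then the prevalence count). The sample rows and counts are constructed for this example.

```python
"""Screen new passwords against a Pwned Passwords-style SHA-1 list.

Added example; not HIBP's, the NCA's or any vendor's code. It assumes the
published offline download layout: one line per password, the uppercase
SHA-1 hex digest, a colon, and the prevalence count. All sample rows and
counts below are constructed for this example.
"""
import hashlib
from typing import Dict, Iterable, Optional


def sha1_upper(password: str) -> str:
    """Hash a password the way the Pwned Passwords file does (SHA-1, uppercase hex)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_pwned_hashes(lines: Iterable[str]) -> Dict[str, int]:
    """Parse 'HASH:COUNT' rows into a lookup table, skipping blank or malformed rows."""
    table: Dict[str, int] = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        digest, sep, count = line.partition(":")
        digest = digest.strip().upper()
        # A valid row has a 40-hex-character digest and an integer count.
        if not sep or len(digest) != 40 or any(c not in "0123456789ABCDEF" for c in digest):
            continue
        try:
            table[digest] = int(count.strip())
        except ValueError:
            continue
    return table


def pwned_count(password: str, table: Dict[str, int]) -> int:
    """Number of breach records that contain this password (0 if unseen)."""
    return table.get(sha1_upper(password), 0)


def check_new_password(password: str, table: Dict[str, int], min_length: int = 8) -> Optional[str]:
    """Registration-time check in the spirit of the NIST guidance quoted in the story.

    Returns a rejection reason, or None if the password is acceptable.
    """
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    seen = pwned_count(password, table)
    if seen:
        return f"appears in {seen} known breach records"
    return None


# Constructed sample corpus in the download format. The four passwords are the
# examples quoted in the story; their digests are computed here so the sample
# stays self-consistent. The 'password' row uses its real SHA-1 with a made-up
# count, and the last rows are deliberately malformed to exercise the parser.
_QUOTED_EXAMPLES = ["flamingo228", "Alexei2005", "91177700123", "Testsaganesq"]
SAMPLE_CORPUS = [f"{sha1_upper(p)}:1" for p in _QUOTED_EXAMPLES] + [
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",  # SHA-1("password"), constructed count
    "",
    "not-a-hash:12",
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8x:abc",
]


if __name__ == "__main__":
    table = load_pwned_hashes(SAMPLE_CORPUS)
    for candidate in ["password", "flamingo228", "correct horse battery staple"]:
        verdict = check_new_password(candidate, table) or "accepted"
        print(f"{candidate!r}: {verdict}")
```

    In production the same lookup is run against the full downloaded set rather than this constructed sample; the hash-only file means the site never stores or receives the plaintext breach corpus.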

    “During recent NCA operational activity, the NCCU’s Mitigation@Scale team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility,” the NCA said in a statement to HIBP. “Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown. The fact that they had been placed on a UK business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain, and could be accessed by other 3rd parties to commit further fraud or cyber offences.”

    The NCA told the BBC that last year, working with UK police, it identified a compromise of a UK organisation’s cloud storage facility that led to over 40,000 files being uploaded to the organisation’s servers by cyber criminals. Among these files was the collection of compromised emails and passwords.

    NCA handed the compromised passwords to HIBP’s operator, Troy Hunt, who verified NCCU’s finding that the passwords were not in the existing Pwned Passwords data set. New passwords in the cache, he said, included:

    flamingo228
    Alexei2005
    91177700123
    Testsaganesq

    “The NCCU’s Mitigation@Scale team conducted a comparison of the compromised data against the HIBP password repository to identify any previously unseen passwords now in the public domain,” NCA said.

    Organisations can download the hashed data set in SHA-1 format as a compressed 17.2 GB file. It’s the first version to include a regularly updated list of compromised credentials that law enforcement agencies, such as the FBI, discover during investigations. Hunt stressed the passwords supplied to HIBP by the FBI and NCA are not for his service but for the community, since they can be used by anyone to meet NIST’s recommendations to mitigate credential stuffing.

    “Today’s release brings the total Pwned Passwords count to 847,223,402, a 38% increase over the last version. More significantly, if we take the prevalence counts into consideration that’s 5,579,399,834 occurrences of a compromised password represented in this corpus,” explains Hunt.