More stories

  • 23andMe and JFrog partner to solve code injection vulnerability

    Security researchers at JFrog worked with biotechnology company 23andMe to address a vulnerability in Yamale, a tool written by the company and used by over 200 repositories. CVE-2021-38305 allows attackers to bypass existing protections and run arbitrary Python code by manipulating the schema file provided as input to Yamale, according to the JFrog security research team.

    A 23andMe spokesperson told ZDNet that 23andMe Security was notified of a workaround to a patch made to Yamale, the open-source library created by the company to verify that YAML files are in the right format and have all the correct fields.

    In a blog post and in interviews with ZDNet, JFrog’s senior director of security research Shachar Menashe said the vulnerability is “extremely severe if the prerequisites for the attack exist, due to the fact that the impact is the highest (remote code execution) and exploitation is trivial and stable (command injection).” The blog highlights the cases where the team believes the vulnerability would be most exploitable.

    “The JFrog security research team is currently conducting a scan of the entire PyPI database in order to improve the landscape of open source Python code. By automatically detecting vulnerabilities and disclosing them, our goal is to help mitigate vulnerabilities that threaten customer systems and national infrastructure,” Menashe said. “The finding was discovered using our automated vulnerability detection technology; these are the same types of code scanners that found the malicious PyPI packages that we disclosed in July. We are running our scanners on the entire PyPI database and performing responsible disclosures on all found vulnerabilities, after we verify them. Since Yamale is available through PyPI, it was scanned as part of this effort. 23andMe actually wrote Yamale for use as an internal tool.”

    Yamale is a popular, widely used schema validator for YAML. An attacker who can control the contents of the schema file supplied to Yamale can provide a seemingly valid schema file that will cause arbitrary Python code to run, Menashe explained. He noted that the underlying issue is that, through Python reflection, an attacker can “claw back” any needed builtin and run arbitrary code.

    In the blog post, JFrog researchers said an attacker needs to be able to specify the contents of the schema file in order to inject Python code, but noted that this can be exploited remotely if some piece of vendor code allows an attacker to do that. The most likely exploitation, the security company said, would involve vulnerabilities triggered through command line parameters via a separate parameter injection issue.

    JFrog Security CTO Asaf Karas added that because YAML is so popular, compatible, and widely used, it’s often the target of attacks. “This gap allows attackers that can provide an input schema file to perform Python code injection that leads to code execution with the privileges of the Yamale process. We recommend sanitizing any input going to eval() extensively and – preferably – replacing eval() calls with more specific APIs required for your task,” Karas said.

    The company lauded Yamale’s maintainers for validating and fixing the issue “in record time” and for “responsibly creating a CVE for the issue after the fixed version was available.”

    The 23andMe spokesperson said the original patch was intended to cover a vulnerability for users parsing untrusted YAML schema. “YAML files have remained unaffected and are parsed with a safe loader. 23andMe is actively working on a solution. In the meantime, we will add a note on the project readme that more explicitly states that YAML schemas should always come from a trusted source,” the spokesperson said.

    “This tool is not implemented in any 23andMe company processes and doesn’t affect the customer experience or customer data in any way. We are grateful for the white hat hackers who alerted our team and invite others to join our recently established Bug Bounty Program,” the company added.
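    The eval() point Karas makes is the general lesson here, so the following added example (not Yamale’s code, JFrog’s, or 23andMe’s) shows it on a toy schema language. The validator classes Str and Int, the validator table and the sample schema are all constructed for the example. It places the risky pattern, handing a validator expression from the schema text to eval(), beside a replacement that parses the same expression with Python’s ast module and accepts only a whitelisted validator name with literal arguments, so that nothing else in the schema text can execute.

```python
import ast
from dataclasses import dataclass
from typing import Any, Dict, Optional


# Hypothetical validator classes standing in for a schema library's types
# (constructed for this example; not Yamale's own code).
@dataclass
class Str:
    min: Optional[int] = None
    max: Optional[int] = None

    def check(self, value: Any) -> bool:
        return (isinstance(value, str)
                and (self.min is None or len(value) >= self.min)
                and (self.max is None or len(value) <= self.max))


@dataclass
class Int:
    min: Optional[int] = None
    max: Optional[int] = None

    def check(self, value: Any) -> bool:
        return (isinstance(value, int) and not isinstance(value, bool)
                and (self.min is None or value >= self.min)
                and (self.max is None or value <= self.max))


# The only validator names the schema language is meant to expose.
VALIDATORS: Dict[str, type] = {"str": Str, "int": Int}


def validator_from_eval(expr: str):
    """Risky pattern: treat the schema expression as Python and eval() it.
    Limiting the local namespace to VALIDATORS is not a fix: eval() still runs
    arbitrary Python syntax and builtins stay reachable, so the schema file
    decides what executes with the validator process's privileges."""
    return eval(expr, {}, dict(VALIDATORS))


def _literal(node: ast.expr, expr: str) -> Any:
    """Accept only literal constants (and negative numbers) as arguments."""
    if isinstance(node, ast.Constant):
        return node.value
    if (isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub)
            and isinstance(node.operand, ast.Constant)
            and isinstance(node.operand.value, (int, float))
            and not isinstance(node.operand.value, bool)):
        return -node.operand.value
    raise ValueError(f"validator arguments must be literals: {expr!r}")


def validator_from_ast(expr: str):
    """Safer replacement: a purpose-built parser instead of eval().
    Only NAME(literal, ..., key=literal, ...) with NAME in VALIDATORS is
    accepted; calls to builtins, attribute access, arithmetic or any other
    Python construct in the schema text raise ValueError."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"invalid schema expression: {expr!r}") from exc
    node = tree.body
    if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Name):
        raise ValueError(f"schema expression must be a validator call: {expr!r}")
    if node.func.id not in VALIDATORS:
        raise ValueError(f"unknown validator: {node.func.id!r}")
    args = [_literal(a, expr) for a in node.args]
    kwargs = {}
    for kw in node.keywords:
        if kw.arg is None:  # a **mapping splat is not a literal argument
            raise ValueError(f"keyword splat not allowed: {expr!r}")
        kwargs[kw.arg] = _literal(kw.value, expr)
    return VALIDATORS[node.func.id](*args, **kwargs)


def accepts(expr: str) -> bool:
    """True if the safe parser accepts the expression, False if it rejects it."""
    try:
        validator_from_ast(expr)
        return True
    except ValueError:
        return False


def validate(schema: Dict[str, str], data: Dict[str, Any]) -> Dict[str, bool]:
    """Check each field of data against the schema's validator expression."""
    return {key: validator_from_ast(expr).check(data.get(key))
            for key, expr in schema.items()}


if __name__ == "__main__":
    # Constructed schema: field name -> validator expression.
    schema = {"name": "str(min=2, max=32)", "age": "int(min=0, max=150)"}
    print(validate(schema, {"name": "Ada", "age": 36}))   # both True
    print(validate(schema, {"name": "A", "age": 200}))    # both False
    # eval() happily calls a builtin named in the schema text; the parser refuses.
    print(validator_from_eval("str(min=len('abc'))"))     # Str(min=3, max=None)
    print(accepts("str(min=len('abc'))"))                 # False
```

    The design choice is the one Karas recommends: the schema language needs exactly one construct (a validator call with literal arguments), so the parser accepts exactly that and nothing else, which removes the need to sanitise input destined for eval() at all.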

  • VMware lays out its vision for “easy” security

    At the VMworld conference this week, VMware is rolling out a series of security advancements that cover multi-cloud, applications and the workspace. For stronger, flexible cloud-to-cloud security, VMware is introducing the industry-first elastic application security edge (EASE, pronounced “easy”). EASE is a set of data plane services for networking, security and observability, delivered with a scale-out distributed architecture that allows an EASE environment to grow and shrink as application needs change. In other words, as an application scales up and down with traffic, VMware can scale the infrastructure so that services like the firewall or load balancer also grow or shrink to meet the needs of the application.

    “This is a big departure from the way things have historically been done,” Ambika Kapur, VP of Product Marketing for VMware’s Networking and Advanced Security Business Unit, said to ZDNet. “When you look at public cloud environments, we now have the ability to auto-scale applications to meet the workload. But when you look at services that protect and connect these applications — networking, security, observability — they’re rigid.”

    Kapur said that EASE illustrates VMware’s approach to security: rather than compete with the many vendors and solutions that already exist, the company is searching for gaps in innovation and trying to fill them with simple-to-use solutions. “The big thing we’ve been asking ourselves is, if the world we live and work in has changed so dramatically, how do we expect traditional security solutions to be appropriate for this world?” she said.

    Along with securing cloud-to-cloud workloads, VMware is also introducing new ways to harden the workload itself. It is integrating a version of VMware Carbon Black into vSphere and VMware Cloud, making it easy and intuitive to use. It offers next-gen anti-virus, workload inventory and lifecycle management, EDR for workloads and threat intelligence.

    Within the network, VMware has a three-step process to ensure workloads in the VMware cloud are secure. That includes segmentation of traffic, signature-based analytics, and new non-signature-based, tapless traffic analysis. VMware’s micro-segmentation capabilities include advanced east-west controls.

    As east-west traffic increases, VMware’s 20 TB internal scale-out firewall keeps it secure. It’s also helped customers reduce firewall rules by up to 90% making security more manageable.
    In terms of securing applications, VMware’s new Tanzu Service Mesh gives developers the ability to understand API behavior, even across multi-cloud environments, for better DevSecOps. This capability comes as a result of VMware’s Mesh7 acquisition. Additionally, CloudHealth Secure State now delivers Kubernetes Security Posture Management to provide deep visibility into misconfiguration vulnerabilities across both Kubernetes clusters and connected public cloud resources.

    To secure devices, VMware is updating Workspace ONE with a compliance engine that runs thousands of posture checks on the device, OS and apps. This will allow for remediation to a desired state with minimal impact on the end-user experience. Additionally, VMware Carbon Black integrates with Workspace ONE and is now optimized for Horizon VDI environments.

    VMware is also working with Intel to create a direct link between the Intel vPro platform and VMware Workspace ONE. This will enable automated out-of-band maintenance that keeps PCs up to date with the latest security patches and infosec policies, no matter where they are located or the state of the operating system.

  • No honor among thieves: One in five targets of FIN12 hacking group is in healthcare

    You’d hope that even though ransomware is a lucrative criminal enterprise, there might be some targets that are kept off the list for ethical reasons. 

    This is not so with FIN12, a big game hunting ransomware group; one in five of the group’s victims is in the healthcare sector. The deployment of ransomware is a popular and prolific cybercriminal activity, with potentially destructive impacts outweighing other forms of crime such as straight data theft, cryptojacking, and insider threats. This year alone, ransomware has been used to wreak havoc in high-profile cases such as the widespread Microsoft Exchange Server hacking spree, the Colonial Pipeline attack that caused fuel shortages in the US, and the disruption of supply chains due to the compromise of systems belonging to global meatpacker JBS USA.

    Research conducted by KELA in August on the initial access broker (IAB) space found that healthcare-related ads offering access were few and far between, and so you would hope this sector, alongside funeral services, charities, and critical services, might be sectioned off by ransomware groups. However, another case this year shows this is not always so: the fall of Ireland’s Health Service Executive (HSE) to ransomware, a security incident that disrupted critical care services for weeks. If a ransomware outbreak restricts access to key medical records, appointment details, treatment notes, and patient data, this can lead to delays and, in the worst scenarios, death, according to research conducted by The Ponemon Institute and Censinet.

    On Thursday, Mandiant said that FIN12, upgraded from UNC1878 by the cybersecurity firm, is a financially driven group that targets organizations with average annual revenue of over $6 billion. Almost all of the threat group’s victims generate revenue of at least $300 million. “This number could be inflated by a few extreme outliers and collection bias; however, FIN12 generally appears to target larger organizations than the average ransomware affiliate,” the researchers say.

    Speaking to ZDNet, Joshua Shilko, Principal Analyst at Mandiant, said the group has earned itself a place in the “top tier of big game hunters”, the operations which focus on the targets most likely to offer the biggest financial rewards in ransom payments. “By all measures, FIN12 has been the most prolific ransomware actor that we track who is focused on high-value targets,” Shilko said. “The average annual revenue for FIN12 victims was in the multi-billions. FIN12 is also our most frequently observed ransomware deployment actor.”

    Active since at least 2018, FIN12 used to focus on North America but over the past year has expanded its victim range to Europe and the Asia Pacific region. Mandiant says that FIN12 intrusions now make up close to 20% of incidents the firm’s response team has worked on since September last year.
    Threat actors will often purchase initial access to a target system to cut out the legwork of finding working credentials, VPN access, or a software vulnerability ripe for exploitation. Mandiant believes with “high confidence” that the group relies on others for initial access. Zach Riddle, Senior Analyst at Mandiant, told us: “Actors providing initial access to ransomware operators typically receive payment in the form of a percentage of the ransom after a victim has paid, though actors may also purchase access to victims’ networks for a set price. While the percentage paid for initial access can likely vary based on several factors, we have seen evidence that FIN12 has paid up to 30-35% of a ransom payment to a suspected initial access provider.”

    The cybercriminals seem to have no moral compass, either, with 20% of their victims belonging to the healthcare sector. Many ransomware-as-a-service (RaaS) outfits do not allow hospitals to be targeted; as a result, Mandiant says, it may be cheaper for FIN12 to buy initial access to such organizations because of low demand elsewhere. However, this might not explain FIN12’s willingness to target healthcare. “We do not believe that others refusing to target healthcare has a direct correlation to FIN12’s willingness to target this industry,” commented Riddle. “FIN12 may perceive that there is a higher willingness for hospitals to quickly pay ransoms to recover critical systems rather than spend weeks negotiating with actors and/or remediating the issue. Ultimately, the criticality of the services they provide not only likely results in a higher chance that FIN12 will receive a payment from the victim, but also a quicker payment process.”

    FIN12 is closely linked to Trickbot, a botnet operation that offers cybercriminals modular options including means of exploitation and persistence. Despite having its infrastructure disrupted by Microsoft, the threat actors have recently returned with campaigns against legal and insurance companies in North America.
    The group’s main goal is to deploy Ryuk ransomware. Ryuk is a prolific and dangerous variant of malware, containing not only the typical functions of ransomware (the ability to encrypt systems so that operators can demand payment in return for a decryption key) but also new worm-like capabilities to spread and infect additional systems. Mandiant suspects that FIN12 is of Russian-speaking origin, with all currently identified Ryuk ransomware operators speaking this language. In addition, other malware used by FIN12, dubbed Grimagent, which so far remains unconnected to any other threat group, contains files and components in Russian.

    FIN12’s average time-to-ransom is just under four days, with its speed increasing year-over-year. In some cases, a successful ransomware campaign was completed in just two-and-a-half days.

    “While it is possible that they will test out other backdoors or even sponsor the development of private tools in the future, they seemingly have settled into a pattern of disguising their beacon activity using malleable C2 profiles and obfuscating their common payloads with a range of in-memory loaders,” Shilko said. “Notably, actors also sometimes make changes based on public reporting and it would not be surprising if the group made changes based on our reporting; however, we anticipate that these changes would largely focus on limiting detection rather than rethinking their larger playbook.”

  • Twitch attributes breach to server configuration error, resets all stream keys

    Twitch has announced that it reset all stream keys as it seeks to address the massive data breach that was revealed yesterday. A hacker leaked the entirety of Twitch’s source code alongside a 128GB trove of data that included creator payouts going back to 2019, proprietary SDKs and internal AWS services used by Twitch, as well as all of the company’s internal cybersecurity red teaming tools. While much of the press attention initially focused on the eye-popping revenues brought in by certain Twitch streamers, concern over the privacy and security of all Twitch streamers began to grow later in the day. Experts warned that all Twitch streamers needed to take immediate actions to protect their bank accounts and themselves from a potential wave of attacks by opportunistic cybercriminals. Late on Wednesday evening, Twitch announced that it was resetting all stream keys, directing streamers to this website for new stream keys. “Depending on which broadcast software you use, you may need to manually update your software with this new key to start your next stream. Twitch Studio, Streamlabs, Xbox, PlayStation, and Twitch Mobile App users should not need to take any action for your new key to work,” Twitch explained. “OBS users who have connected their Twitch account should also not need to take any action. OBS users that have not connected their Twitch account to OBS will need to manually copy their stream key from their Twitch Dashboard and paste it into OBS. For all others, please refer to specific setup instructions for your software of choice.”

    Twitch emailed the statement to all streamers, according to multiple experts. In an earlier statement, the company said it learned that the breach originated from a Twitch server configuration change error that left data exposed to the internet. Twitch added that it was still trying to understand the scope of the breach as it continues to investigate the incident. “We understand that this situation raises concerns, and we want to address some of those here while our investigation continues. At this time, we have no indication that login credentials have been exposed. We are continuing to investigate. Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed,” Twitch claimed.

    But experts have laid out a litany of problems facing those connected to the gaming platform, which has an average of 15 million daily users and more than 2 million Twitch creators broadcasting monthly.

    Quentin Rhoads-Herrera, a director at CRITICALSTART, told ZDNet that malware authors could potentially use the released Twitch code to infect Twitch’s user base by finding flaws in the application’s code. “Now that the data has been released, there isn’t much Twitch can do. They should try and prevent it from being put up on platforms like GitHub, BitBucket, or other popular code/file-sharing platforms. Still, the data is already out and will be shared forever through many different channels,” Rhoads-Herrera said. “What they can do is evaluate exactly what was stolen, reset user passwords that were compromised, and determine the risk to their IP (especially from what was stolen of Vapor which is supposedly going to compete with Steam) and how it will impact their business overall. The largest risk to Amazon’s Twitch is the data that is now freely available to their competitors. As a result of this event, Twitch might lose some user following and trust they may have had in their users. The biggest impact is the leaked data that is unique to their intellectual property that could be leveraged by competitors.”

    The hacker behind the attack said that what was released yesterday was only the first section of the stolen data.

  • BYOD security warning: You can't do everything securely with just personal devices

    Remote working has become far more commonplace over the past year. Still, even as some employees start returning to the office, businesses must be aware that there should be limitations to staff using their own laptops and other devices inside a corporate environment. Bring Your Own Device (BYOD) brings many benefits. Still, the National Cyber Security Centre (NCSC) has detailed certain situations where it should never be considered due to the potential cybersecurity risks it could cause. “You cannot do all your organisation’s functions securely with just BYOD, no matter how well your solution may be configured,” say new guidelines from the NCSC.

    “If you’ve given BYOD users admin access to company resources, revoke that access immediately,” NCSC said. If a personal device gets compromised by cybercriminals, they could use that admin access to reach critical systems and functions via legitimate administration tools. That could allow cyberattackers to steal data and lay the foundations for ransomware attacks and other malware campaigns. “Existing BYOD deployments need review. Potentially, you need to undo some of those quick fixes and start afresh,” the agency said.

    BYOD is the idea of allowing employees to use their personally owned devices for work. It can be a complex topic, as we increasingly use personal devices for everything from answering emails to managing critical services and hardware. While businesses also issue the same or similar devices, a personal device is configured differently from a corporate device, making things more complicated and leading to additional security risks.

    When the COVID-19 pandemic first started and many organisations and their employees suddenly had to adapt to working from home, the main concern was just ensuring that people could continue to do their jobs, in some cases with employees using their own laptops to do so. But if businesses haven’t done so already, it’s time to think about what can and can’t be done with BYOD devices in order to ensure that employees are productive but also secure. “This ‘just make it work’ mentality is entirely understandable, but the time has come to deal with those wounds,” the NCSC said.

    The level of access and trust BYOD devices have depends on the organisation and the user’s role. Still, some things all businesses need to consider when making this decision are what employees need to do, what employees need from a device, and what needs to be done to ensure the security and privacy of corporate data on their personal devices. It’s a complex issue, but the NCSC advises that, in order to get the best results, organisations shouldn’t rush into any decisions.

  • Transdev denies data stolen by ransomware group, connects leak to September attack on client

    French transportation giant Transdev has denied that any of its information was stolen by a ransomware group after cybercriminals claimed to have 200GB of data and threatened to leak it on Sunday, October 10. 

    The LockBit ransomware group listed Transdev on its leak site next to a timer set to expire at 1:00 on Sunday. But Transdev, which calls itself the “largest private provider of multiple modes of transport in North America”, said the data being hawked by LockBit was from one of its clients. “We are aware that a cybercriminal group has made a threat to publish data, which they allege belongs to Transdev. However, we believe the data referenced by the criminal group likely belongs to a Transdev Client which was the subject of a cyber event in mid-September,” a Transdev spokesperson told ZDNet. “We have been conducting an investigation into this event with the assistance of third-party digital forensic specialists. The event involving the client’s data was limited to the client’s network, which communicates with Transdev’s corporate environment only through very strict firewall rules and is protected by our security monitoring and defense systems. At this time, there is no indication that any Transdev Corporate data or data related to any other client was subject to access and/or exfiltration.”

    Transdev currently operates in 18 countries, with dozens of cities, counties, airports, companies and universities contracting with it to run their transportation systems. Transdev manages 200 million passenger trips annually and brings in more than $1 billion in annual revenue, according to its website.

    Transdev has about 15,000 employees in the US alone and runs six different modes of transportation in the US, including buses, shuttles, school buses, paratransit, streetcars, microtransit and autonomous vehicles.

    The attack comes one day after US Homeland Security Secretary Alejandro Mayorkas announced new cybersecurity regulations for US railroad and airport operators in a bid to protect critical infrastructure from ransomware groups and nation-state attackers. Despite warnings and threats from US lawmakers, ransomware groups and cybercriminals have shown no fear in attacking companies and organizations managing transportation systems.

    In a statement on Friday, US President Joe Biden said that the White House plans to convene a 30-country meeting this month to address cybersecurity. “The Federal government needs the partnership of every American and every American company” to address cybersecurity, Biden said. “We must lock our digital doors — by encrypting our data and using multifactor authentication, for example — and we must build technology securely by design, enabling consumers to understand the risks in the technologies they buy.”

  • New cybersecurity regulations released by TSA for trains and planes

    Homeland Security Secretary Alejandro Mayorkas announced new cybersecurity regulations for US railroad and airport operators on Wednesday. First reported by Reuters, the rules mandate that operators disclose any hacks, create cyberattack recovery programs and name a chief cyber official. The Transportation Security Administration will manage the regulations, Mayorkas added. He said the regulations would go into effect by the end of the year. “Whether by air, land, or sea, our transportation systems are of utmost strategic importance to our national and economic security. The last year and a half has powerfully demonstrated what’s at stake,” Mayorkas said, according to Reuters.

    In April, New York City’s Metropolitan Transportation Authority, one of the largest transportation systems in the world, was hacked by a group based in China. While the attack did not cause any damage and no riders were put at risk, city officials raised alarms in a report because the attackers could have reached critical systems and may have left backdoors in the system. In 2020, the Southeastern Pennsylvania Transportation Authority was hit with ransomware, and earlier this year, ferry services to Cape Cod were also disrupted by a ransomware attack. The new rules apply to railroad operators, rail transit companies, US airport operators, passenger aircraft operators and all-cargo aircraft operators. Lower-level transportation organizations will also be encouraged to follow the rules.

    The rules come days after the Washington Post revealed many of the specific emergency regulations for pipeline operators that were issued this summer after the attack on the Colonial Pipeline. 

    Ben Miller, a vice president at cybersecurity firm Dragos, said the company has been working with pipeline customers as they adjust to a changing regulatory environment. “We encourage public-private collaboration and not moving too quickly. Reliability and safety are paramount, and the industry and their facilities are not cookie-cutter. We run the risk of making too many assumptions, ultimately slowing down progress and security of these important systems and environments,” Miller said.

    The rules drew mixed responses from experts who questioned whether any organizations could live up to the stringent new regulations. “The security requirements laid out in the newly public TSA Security Directive are definitely ambitious. Most organizations we work with today can’t meet these requirements, nor likely can most federal government agencies,” said Jake Williams, CTO of BreachQuest. “The DNS monitoring requirements alone are far beyond what most organizations today are capable of. While effective in detecting intrusions, effort applied to implementing this sort of requirement will almost certainly distract from more important and achievable goals like foundational IT/OT network segmentation and monitoring.”

    Chris Grove, a Product Evangelist at Nozomi Networks and an expert in industrial cybersecurity, said the directorate follows suit with many other attempts to secure operational technologies by “providing a blend of prevention, detection and resiliency.” But he noted that where the recommendations overlap with operational technology, they don’t actually apply. “Even patching systems, MFA, allows OT operators a way out. In other areas, it doesn’t, like weekly virus scanning of OT systems. The Directorate is high-level and non-specific enough that it doesn’t appear to be directed at pipelines, but more about OT or critical infrastructure in general,” Grove explained. “Many operators, particularly those that pursued NERC-CIP, will be well positioned, probably superseding the requirements in the directive. On page 9, part 3, to break storage and identity stores between IT and OT is a huge challenge for converged environments. Also, on page 9, C.1.a mandates prompt removal from the network and disabling of drives any infected equipment, something that’s not always possible in an OT environment. To put this directive in context, it would have had no impact on the Colonial Pipeline incident, as the operator had security at a higher level than what the directive aims for.”

    Former US Defense Department cybersecurity advisor Padraic O’Reilly added that the days of voluntary guidance being sufficient in critical infrastructure are coming to an end. He noted that some organizations, like New York City’s Metropolitan Transportation Authority, will be fine with the new mandates because they have already tried to implement the voluntary guidelines. “But we know that isn’t true across the board, and pushback from private industry, when they hold assets that impact the public good, hearkens back to the killing of the 2012 cybersecurity act,” O’Reilly told ZDNet. “Even then, in a much simpler threat landscape, Cyber Command and the NSA tried to explain the importance of ‘minimum security standards.’ But the issue became partisan, and that is really too bad on matters that concern national security.”

    O’Reilly noted that there is likely to be more industry wrangling over specific requirements but homed in on the section titled “Security Directive (SD) Pipeline-2021-02”, which focuses on the key elements of hardening pipeline OT and IT against many current exploits. The section also effectively announces an end to some voluntary guidelines for the industry. According to O’Reilly, the timelines to submit statements (7, 30, and 180 days) all “seem reasonable even if they require quick action”, and requiring documentation of compliance is another good measure included in the document.

    “There will likely be industry pushback because the comment period was brief, and there are some unique considerations with respect to patching and other practices where Operational Technology is concerned. But even there, TSA has been careful to allow for a risk-based approach to patching OT, which is quite reasonable,” O’Reilly added. “The most important aspect of the directive is that cyber resiliency is no longer voluntary. Arguably allowing pipeline standards to be voluntary was a mistake. It is beyond dispute that the critical infrastructure sectors (such as finance and electrical) that are regulated generally have much better security practices in place. Where the public good is concerned, there is a clear need for oversight, and only the Federal Government can do this effectively. We can ill afford another attack like the one that hit Colonial.”

  • Cybercriminals threaten to hack EU hospitals in latest COVID-19 vaccine scam

    Cybersecurity experts have uncovered a new COVID-19 vaccination scam in which hackers trick victims into providing their personal information on the premise that the cybercriminals can hack into European Union hospitals and falsify vaccination records.

    DarkOwl, the cybersecurity firm that uncovered the scam, notes that the EU Digital COVID Certificate program and most EU hospitals have stringent cybersecurity measures in place to protect user data.

    But hackers that are allegedly part of a gang called Xgroup are offering to add non-vaccinated people to the national COVID-19 vaccine registers that feed into the EU database, asking victims for a trove of personal data under the guise of theoretically adding it to the EU Digital COVID Certificate program. DarkOwl’s lead analysts said they believe the culprits behind the scam are based in the US. “This is very likely a scheme to steal people’s information and money. Scammers are always willing to prey on the vaccination-hesitant and those who desire a record of vaccination without actually getting the vaccine,” DarkOwl CEO Mark Turnage told ZDNet. “The offer has been circulated across multiple darknet forums and discussion groups. The cyber criminals also host a dedicated hidden service promoting their services. This very well could be a scam and they do not have the skills or access to actually hack any EU hospitals’ vaccination databases. Nevertheless, the idea is novel and it is not out of the realm of possibility that hospitals are vulnerable to such record alterations.”

    Turnage said Xgroup is a relatively new brand without any known direct attributions to cyberattacks. The group does market itself as being able to “ruin someone’s life” through hacking social media accounts and financial accounts. Researchers with DarkOwl said the group has also posted “recruitment” advertisements across malware and “hacking” forums for personnel with penetration testing and criminal hacking experience.

While the scam is focused mostly on pilfering information from vaccine-hesitant victims, Turnage noted that ransomware-as-a-service gangs have demonstrated they can easily exploit hospital information systems for their extortion agendas. Significant parts of the healthcare system in Ireland were brought down by a ransomware group this summer.

“Therefore, we must consider the remote possibility that this is a legitimate offer on the darknet. Hospitals in the EU should be aware of this possibility and mitigate with increased security and auditing of logs accordingly,” Turnage said, adding some advice to those considering turning to the darknet for fake COVID-19 vaccination verifications. “Don’t be foolish enough to pay anyone money for fake vaccination records (digital, paper certificate, or otherwise).”

In their report on the scam, DarkOwl researchers said Xgroup is offering to hack into EU-based local hospital digital vaccination records on behalf of their darknet customers. Victims submit payment along with their personal information, which is supposedly added to their local hospital’s vaccination records database.

“This information is then theoretically accessible by the EU Digital Certificate application as each issuing body (e.g. hospital, test center, or health authority) has its own digital signature key that communicates with the program,” the researchers wrote. “The cost for the vaccination record addition is $600 USD paid via Bitcoin.”

According to DarkOwl, Xgroup hosts a dedicated V3 hidden service on Tor where they advertise their solutions widely. The researchers could find no proof that the group can follow through with their claims after tracking them since July. The offers only apply to EU citizens because the US does not have a nationwide COVID-19 vaccine record system, but DarkOwl noticed that the service being offered by the cybercriminals uses US mailing address formats and lists the price in US dollars.
Since COVID-19 emerged, scammers have used it as a way to trick people into sending them money and information in exchange for fraudulent cures or protection schemes. Cybercriminals are now offering fake COVID-19 vaccination cards widely, and The Daily Beast reported this week that US Customs and Border Protection officials in Chicago managed to seize multiple shipments of fake vaccine cards that originated in China.

In August, researchers with Check Point found that prices for EU Digital COVID certificates as well as CDC and NHS COVID vaccine cards had fallen as low as $100. Fake PCR COVID-19 tests are also sold widely, and Check Point Research’s study found groups advertising the fake vaccine verifications in forums with more than 450,000 people.

DarkOwl was previously involved in a multi-organization effort to ensure the safe and secure transportation, storage, and distribution of the Pfizer, Moderna, AstraZeneca, and Johnson & Johnson vaccines in the United States and abroad.
