More stories

Ransomware: Patient data could be 'abused' after health service attack, warns Irish government

There is a risk that sensitive medical information and other patient data will be leaked in the aftermath of a serious ransomware attack against Ireland’s health services, the Irish government has warned. Condemning any public release by the attackers of stolen patient data as “utterly contemptible”, officials have urged anyone who is affected to contact the Health Service Executive (HSE) or the authorities.

The HSE was the target of a “significant” ransomware cyberattack last week, which has caused country-wide disruptions to key healthcare and social services in hospitals and community centers. Ransomware is a form of malicious software deployed to encrypt a victim’s files, with the attacker then demanding a ransom in exchange for restoring access to the data.

The HSE is working with Ireland’s National Cyber Security Centre (NCSC), and experts have already confirmed the attack as a human-operated ransomware variant known as “Conti”. A remote-access tool called Cobalt Strike Beacon was found on the HSE’s systems; the hackers used it to move within the computer networks before launching the attack and demanding a ransom. Conti deploys what are known as “double extortion” attacks, in which the hackers threaten to make the stolen information public if the ransom isn’t paid. In a case such as this one, that could mean sensitive patient health data ending up leaked online.

The Irish government has already confirmed that it will not give in to the attackers’ demands, and prime minister Micheál Martin has ruled out paying any ransom. “This attack on Ireland’s health care system and its patients was carried out by an international cyber-crime gang. It is aimed at nothing other than extorting money and those who carried it out have no concern for the severe impact on patients needing care or for the privacy of those whose private information has been stolen,” said the government in a press release. “There is a risk that the medical and other data of patients will be abused,” it added.

The Garda National Cyber Crime Bureau is investigating the exact origin of the hack together with international partners in the EU. Early reports from broadcaster RTE indicate that the gang behind the attacks is the eastern Europe-based “Wizard Spider” group.

IT systems across the HSE, which were all immediately taken down as a precautionary measure to contain the attack, remain temporarily shut down. This means that some patients are seeing delays in access to care, notably as a result of very limited access to diagnostics, lab services and historical patient records. Emergency services as well as the national ambulance service are still running, and the HSE reported that vaccinations against COVID-19 and test-and-trace are operating. The most common impact of the attack is seen in radiology and laboratory systems.

The HSE is working at speed to restore computer systems, which involves wiping, rebuilding and updating all the infected devices before using offsite backups to restore the systems safely. There are up to 2,000 systems to go through and around 80,000 devices to check, all connected to an IT infrastructure that has grown over the course of 30 years. In other words, it could be some time before the situation is fully resolved, and the HSE expects disruptions to continue well into this week.

“Hundreds of people are working flat out in response to this despicable cyber attack on our health system and on patients. We’re focused on getting health services and appointments for patients back on track as quickly as possible,” tweeted Stephen Donnelly, the minister for health. “Some priorities include radiation oncology, diagnostics, lab services and patient admin systems. While it may take weeks to get all systems back, steady progress is being made, starting with services for the most urgent patients.”

The country’s Department of Health (DoH) also reported an attempted cyberattack just one day before the HSE was targeted, but a combination of antivirus software and other tools deployed as part of an investigation by the NCSC enabled the attack to be stopped before it detonated. The aborted hack is believed to be part of the same campaign targeting the HSE, said the NCSC.

Supply chain hacking attacks: Government eyes new rules to tighten security

With software supply chain attacks on the rise, the UK government is proposing new rules to mitigate the threat of breaches through trusted software that’s been tampered with by cyberattackers. The Department for Digital, Culture, Media and Sport (DCMS) has put out a call for views on the new rules, which may require IT service providers and managed service providers (MSPs) to undergo the same cybersecurity assessments that critical national infrastructure providers do.

“As supply chains become interconnected, vulnerabilities in suppliers’ products and services correspondingly become more attractive targets for attackers who want to gain access to the organisations,” the government said. “Recent high-profile cyber incidents where attackers have used Managed Service Providers as a means to attack companies are a stark reminder that cyber threat actors are more than capable of exploiting vulnerabilities in supply chain security, and seemingly small players in an organisation’s supply chain can introduce disproportionately high levels of cyber risk.”

DCMS research found that only 12% of organisations vet suppliers for cybersecurity risks, and only about 5% address the vulnerabilities in their wider supply chain.

The UK government is particularly concerned about the risks posed to the nation’s businesses and agencies from IT outsourcing, pointing to attacks such as ‘CloudHopper’, where organisations were compromised through their managed service provider. The new rules could mean that MSPs will need to meet the UK’s Cyber Assessment Framework (CAF), putting this sector alongside the cyber requirements imposed on UK critical infrastructure providers.

The CAF aims to ensure relevant sectors have policies to protect devices and prevent unauthorised access, protect data at rest and in transit, secure backups, and train staff in cybersecurity. The UK’s National Cyber Security Centre (NCSC) in February warned that supply chain attacks are on the rise, pointing specifically to attacks on software build pipelines.

Software supply chain risks came into focus after hackers breached SolarWinds’ enterprise network monitoring software Orion to compromise key US government agencies and the nation’s top cybersecurity firms. Microsoft president Brad Smith called the attack, which the US and UK have blamed on Russian intelligence, “a moment of reckoning” for the US tech and cybersecurity sector. The US is also on high alert over software supply chain attacks, given SolarWinds’ impact on the US tech sector and the ransomware attack on Colonial Pipeline. US president Biden last week signed an executive order that mandates federal agencies to implement multi-factor authentication within 180 days and encrypt data both at rest and in transit.

Tech companies are also facing potentially disruptive new laws in Australia via the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which would encompass cloud providers along with traditional critical infrastructure operators. Microsoft has objected to the proposed legislation because it would allow government agencies to direct a company’s response to a cyberattack and request information from it. Cisco, Salesforce and Amazon Web Services (AWS) are also lobbying against the bill.

FBI receives record level of complaints for online scams, investment fraud

The FBI says that complaints concerning online scams and investment fraud have now reached a record-breaking level. The FBI’s Internet Crime Complaint Center (IC3) received its six millionth complaint on May 15, 2021. While it took close to seven years for the IC3 to register its first one million reports, it took only 14 months to add the latest million to file.

According to the US agency, annual complaint volumes increased by close to 70% between 2019 and 2020. The most common crimes reported were phishing scams, schemes relating to non-payment or non-delivery, and extortion attempts. The coronavirus pandemic paved the way for new kinds of scams over 2020, many of which centered around fake vaccination appointment requests, online delivery notifications — a popular phishing method made even more so due to stay-at-home orders — and spam sent under the names of agencies such as the World Health Organization (WHO).
IC3 says that the most money is lost through three forms of online scam:

- Business email compromise (BEC): BEC scams, usually crafted through social engineering and phishing, target businesses and attempt to dupe employees into paying for non-existent services, thereby transferring money belonging to a business into an account controlled by cybercriminals.

- Romance and confidence scams: These can include the stereotypical scheme in which scammers pull on the heartstrings of victims to pressure them into sending money, as well as sextortion. Recent cases reported by UK police included scammers who conducted video chats with potential ‘matches,’ asked them to perform sexual activities on camera, and then blackmailed them for money. In January, Interpol warned of an increase in dating apps being used by fraudsters to connect to potential victims and, once trust is established, con them into signing up for fake investment opportunities.

- Investment fraud: These can include pump-and-dump schemes for worthless stock, as well as cryptocurrency or other investment plans that promise guaranteed returns far beyond initial investments.

“The increase in crimes reported in 2020 may have also been due in part to the pandemic driving more commerce and activities online,” the FBI says. “The latest numbers indicate 2021 may be another record year.”

On May 17, the US Federal Trade Commission (FTC) warned that consumers have lost over $80 million to cryptocurrency investment scams since October 2020. Touted by celebrities including Elon Musk, renewed interest in the cryptocurrency space has unfortunately also led to an increase in cryptocurrency-related scams. The FTC says that close to 7,000 reports of cryptocurrency fraud were received from US consumers in the last quarter of 2020 and Q1 2021. The average loss was $1,900 per victim.

Asia division of cyber insurance company AXA hit with ransomware attack

One of the world’s biggest cyberinsurance companies, AXA, was hit with a ransomware attack at its offices in Asia this weekend by the noted ransomware gang Avaddon.

In a statement to ZDNet, a spokesperson for AXA Partners said a targeted ransomware attack disrupted its IT operations in Thailand, Malaysia, Hong Kong, and the Philippines. Certain data processed by Inter Partners Asia in Thailand has been accessed, the spokesperson explained, but there was no evidence any other data was accessed. The company has hired a forensic team to investigate the incident and said it notified business partners as well as regulators while it prepares to support all of the clients who may have been impacted.

Members of the Avaddon group wrote on the gang’s dark web site that they have already taken three terabytes of data from AXA Group and that the files include information such as passports, ID cards, denied reimbursements, contracts, customer claims, payments to customers, bank account information, files from hospitals about fraud investigations, and medical reports containing sensitive information about patients. The group even posted samples of the data.

DomainTools researcher Chad Anderson said the people behind the Avaddon ransomware gang had posted about their latest victim on a dark web page, sharing with ZDNet a screenshot of the group’s list of targets as well as timers for how long each victim has until the ransom will be demanded.
The companies on the list include AXA Group, computer hardware company EVGA, software company Vistex, insurance broker Letton Percival, Henry Oil & Gas, the Indonesian government’s airport company PT Angkasa Pura I, and Acer Finance. Both the FBI and the Australian Cyber Security Centre released warning notices last week about Avaddon’s ransomware tactics.

AXA has about three days left, according to Anderson, before Avaddon members have said they will begin leaking the company’s documents. The cyberinsurance company has been in the news recently because it pledged to stop reimbursing customers in France who had been hit by ransomware attacks and decided to pay the ransom. The decision was made after pressure from French regulators, who said the insurance payouts were fueling higher ransom payments and making the crimes lucrative for the gangs behind them.

“In total, since their discovery in June 2020, the Avaddon gang has published data on dozens of victims on their dark web site, following the now common double-extortion technique amongst ransomware operators,” Anderson said. “Avaddon also maintains an affiliate program where they recruit hackers from underground forums to deploy their ransomware. This most recent intrusion shows that the human operators behind these ransomware families continue to hone their skills and become continually faster at deploying on victim networks.”

Cybersecurity experts said it was impossible to ignore the timing of the attack. Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said Avaddon may have been targeting AXA to make an example of companies challenging their business goals. But on a deeper level, Clements said it was proof that almost all organizations are vulnerable in some way or on some level, and that the scale and complexity of modern networks makes it nearly impossible to plug every potential hole. “Couple this with the fact that ransomware gangs’ extortion earnings often give them higher budgets than their target teams’ defenders and it’s no wonder that ransomware is epidemic across the globe,” Clements said.

Netenrich security advisor Sean Cordero added that for companies as large as AXA, it is often difficult to have sufficient visibility into the cybersecurity practices and controls across their business partners and subsidiaries. But the lessons learned from this attack, Cordero explained, may lead to better ways to collaborate for both the insured and the insurer, as this attack implies a weakness in risk assessment, validation, or execution. “If an insurer like AXA struggles to validate their cyber capabilities and needs — what is the chance that they may have incorrectly assessed the risks across their portfolio of cyber insurance clients?” Cordero asked. “I imagine that the professionals responsible for achieving positive returns on cybersecurity policies may have renewed discussions with assessors and underwriters in the wake of this most recent incident.”

Android stalkerware detection rates surged over 2020

Android stalkerware and spyware detection surged by 48% over the past year, and not only do these apps invade user privacy, their vendors do not appear to care about tackling vulnerabilities found in their creations.

This week, ESET researcher Lukas Stefanko released telemetry data focused on Android stalkerware detection, revealing that usage of these dubious apps began to climb in 2019 — with a five-fold increase reported in comparison to 2018 — and this trend continued in 2020, highlighting their ongoing popularity. ESET’s findings are corroborated by past research from Kaspersky, which found that stalkerware infections grew by 40% in 2019.

Stalkerware is a term coined to describe the most invasive types of spyware, which are often paid for, and used, by people close to home rather than by unknown threat actors.

These types of software can be covertly installed on a PC or mobile device and will track a user’s activities in a deep violation of privacy, with data gathered including their GPS location (where available), call logs, contact lists, SMS communication, social media usage, browser history, and more. Data harvested by these apps is then sent to an operator. In the case of mobile stalkerware, the operator often needs to have obtained physical access to side-load the malware, and so users tend to be close family, spouses, or parents. They may also be used by businesses to monitor employees.

While many of these apps are marketed as a way to monitor children in the interest of safety, their invasive nature is generally thought to make them unethical. Just because something is marketed as a safety net for minors does not mean it cannot be used to track a spouse, for example — and in either case, regardless of the age of the person being stalked, rights to privacy may be abused.

According to Stefanko, a recent analysis of stalkerware available for the Google Android mobile platform revealed many vendors tout their wares as a means to protect not only children, but also employees and women. The vendors producing them for financial gain also do not appear to care that inherent — and expansive — security vulnerabilities contained in their apps put ‘users’ and customers at risk in other ways.

“If nothing else, stalkerware apps encourage clearly ethically questionable behavior, leading most mobile security solutions to flag them as undesirable or harmful,” the researcher says. “However, given that these apps access, gather, store, and transmit more information than any other app their victims have installed, we were interested in how well these apps protected that amount of especially sensitive data.”

In short, they didn’t. An examination of 58 Android stalkerware apps, provided by 86 vendors, revealed a total of 158 security issues. These included the insecure transmission of sensitive data, command injection flaws, data leaks, information left on servers after accounts were deleted, and exposure of both source code and admin credentials. Not only was the victim’s data mishandled in many cases, but the bugs also affected the security of the vendors themselves and their stalker customers.

The vulnerabilities were reported to the affected vendors, but only six developers have fixed their software, seven have made promises to patch that are yet to be kept, and 44 did not respond at all to ESET’s disclosure.

“The research should serve as a warning to potential future clients of stalkerware to reconsider using software against their spouses and loved ones, since not only is it unethical, but also might result in revealing the private and intimate information of their spouses and leave them at risk of cyberattacks and fraud,” Stefanko commented.

Services Australia has reported five data breaches since July 2019

Since the start of the 2019 financial year, Services Australia has reported a total of five eligible data breaches to the Office of the Australian Information Commissioner (OAIC). According to the agency, the five breaches reported in the financial years 2019-2020 and 2020-2021, up until 12 April 2021, all involved human error.

Revealed in response to questions taken on notice, Services Australia said 232 people have been affected by the breaches, as at 12 April. “The [eligible data breaches] occurred in the context of the agency’s many millions of customer interactions each year,” it declared. “For example, the agency had approximately 395 million customer interactions in 2019-2020.”

For each eligible data breach, Services Australia said it takes appropriate remediation steps, including notifying affected customers, providing further training and education for staff, and reviewing and improving agency processes and procedures.

Services Australia in March admitted it had reported a total of 20 cybersecurity incidents to the Australian Cyber Security Centre (ACSC) in 2019-20, covering its responsibility across the Department of Social Services, the National Disability Insurance Agency, and the Department of Veterans’ Affairs, in addition to its own IT shop. The ACSC reported receiving a total of 436 notifications from government entities.

Of those 20 incidents, the agency has now added that none involved a breach of the Australian Privacy Principles or met the threshold of an eligible data breach for the purposes of the Notifiable Data Breaches (NDB) Scheme. The NDB scheme came into effect in February 2018. It requires agencies and organisations in Australia that are covered by the Commonwealth Privacy Act 1988 to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of the breach.

As detailed in the OAIC’s latest report, Australian entities covered by the Privacy Act reported 519 instances of data breaches in the six months to December 2020, a 5% increase from the first half of the year. The Australian government accounted for 6% of the total, with 33 notifications.

Services Australia said that internally it completed 125 investigations into unauthorised access of information by staff in the period spanning 1 July 2020 to 28 February 2021. “Unauthorised access to information by staff is access to agency information, which could include personal information, that they have no legitimate business reason to access, including individuals accessing their own data,” Services Australia clarified. It said none of those investigations led to a referral to the Commonwealth Director of Public Prosecutions. However, Services Australia said it took administrative disciplinary action in response to a number of those investigations, ranging from formal warning letters to termination of employment.

“None of the investigations involved a breach of the Australian Privacy Principles or met the threshold of an eligible data breach for the purposes of the Notifiable Data Breach Scheme,” it added.

Elsewhere during Senate Estimates in March, the Department of Home Affairs took on notice a handful of questions related to ransomware, such as the number of criminal investigations of ransomware attacks against Australian organisations opened by the Australian Federal Police (AFP), the number of ransomware-related investigations underway, and the number of law enforcement operations against ransomware groups initiated in foreign jurisdictions that the AFP participated in. In response, Home Affairs listed the five potential offences that can be used to penalise ransomware-related activities. It did, however, confirm at least one charge has been laid by the AFP. “In the last 12 months, the AFP charged at least one individual in Australia with criminal offences related to ransomware,” it wrote. “The AFP is unable to include comprehensive statistics because of the lack of explicit provisions against ransomware offences as outlined.”

The Department of Finance, meanwhile, responded to questions asked of it during March estimates, specifically related to the shared enterprise resource planning (ERP) technology platform, GovERP. Initially unveiled as part of the 2017 Budget, AU$89.5 million across three years was allocated to consolidate and streamline back-office corporate functions in the Australian Public Service. Finance was asked how much of the funding had been spent on those external to the department. GovERP has received funding of AU$67.1 million over the two years 2019-20 and 2020-21. Of this, Finance said AU$35.5 million has been spent to date on contractors and consultants. “The program will implement a new technology in which the APS has not yet developed expertise,” Finance said. “The majority of contractors and consultants are engaged to provide specialised skills and services to support the program, many of which are small to medium enterprises, particularly with respect to ICT labour.”

GovERP has been funded for a further two years as part of the 2021-22 federal Budget, but the dollar amount has been listed in official documents as not for publication due to “commercial sensitivities”.

Japan to restrict private sector use of foreign equipment and tech: Report

The Japanese government will reportedly introduce new regulations across 44 sectors to bolster national cyber defence, partly in response to the Colonial Pipeline hack that occurred last week. The government plans to amend various laws governing each sector by passing an all-encompassing motion and a new law requiring each sector to be conscious of national security risks, Nikkei said in a report. The sectors that are expected to see the legislative changes include telecommunications, electricity, finance, railroads, government services, and healthcare, among others.

Specifically, these sectors will reportedly be required to look into issues stemming from the use of foreign equipment or services, including cloud data storage and connections to servers located overseas. The government will also reportedly monitor companies for compliance and gain the power to prevent companies from using foreign equipment if it detects any major issues. Detailed standards will likely be outlined in future government ordinances and guidelines as well.

Three years ago, Japanese government agencies agreed to stop procuring equipment that could pose national security risks, such as that from Huawei and ZTE. With the latest mandate, the Japanese government now wants to extend that level of stringency to the private sector.

The move comes a week after Colonial Pipeline — one of America’s largest pipeline operators, providing roughly 45% of the country’s east coast fuel — suffered a ransomware attack. Due to the cyber attack, the company had to temporarily close down its operations, freeze IT systems to isolate the infection, and pay close to $5 million to decrypt locked systems.

During the same week as the Colonial Pipeline hack, the culprits of the ransomware attack also hit Toshiba, although the impact of that attack was primarily in Europe rather than domestically.

Other countries, like the US, have already imposed similar restrictions on tech-related procurement. In the US, companies — both domestic and foreign — are required to gain licensing approval in order to purchase technology built by Huawei and ZTE, or to sell goods to those Chinese companies if they contain certain US technology. North of the border, Canadian telcos have also effectively blocked Huawei out of their 5G network builds by signing deals with the Chinese giant’s rivals instead. The Chinese network equipment provider is also banned in Australia and Sweden, and it has not made inroads in New Zealand after the GCSB prevented Spark from using Huawei kit in November 2018. Meanwhile, UK mobile networks have been told they cannot buy any more 5G equipment from Huawei after the end of this year, and that they must remove the Chinese networking company’s technology from their 5G networks by the end of 2027.

Sensory’s new voice assistants do not sacrifice your privacy or send data to the cloud

If you have held off buying a voice assistant because you are worried about it listening to far more than it lets on, then you can finally enjoy your own custom voice assistant with the level of privacy you want. Deep learning voice AI assistants are appearing in everything from kitchen appliances to twerking teddy bears. But are people comfortable with always-listening devices in their homes?

Although 80 million US households do intend to buy a smart home device, adoption of smart speakers remains low, with under 50% of respondents actually owning one. But does everyone actually need the ‘world-at-your-feet’ AI generalist, internet-based voice assistant? With over one in three feeling that voice assistants are harmful for safety, these devices have a lot of trust issues to overcome.

Now Santa Clara, CA-based voice AI company Sensory has announced its custom voice assistant, which delivers total privacy for its users. This voice assistant does not even need an internet connection. One of the first devices to use the Sensory voice assistant is a new voice-enabled Farberware microwave oven that features a custom, private voice UI. The technology uses a custom, domain-specific voice assistant that runs on a Linux Rockchip RK3308 and can understand over 150 commands. You can ask the microwave’s ‘Voice Genie’ to open the door, cook something, specify a time to cook, reheat, or defrost. All commands are processed on the device, so you do not need to connect the microwave to your Wi-Fi – or to the cloud.

The Sensory NLU (Natural Language Understanding) engine looks for “intents” within a limited vocabulary domain, which makes a lot of sense for custom devices. You are hardly likely to ask the microwave oven what the weather is going to be like, or ask it to check your email or calendar — so why would a voice assistant need that extra capability? The chance of being misunderstood is lower than with an off-the-shelf assistant, which listens for a huge range of context words that would be meaningless to a device waiting for the simple command to defrost a pizza.

Todd Mozer, CEO at Sensory, said: “People love the convenience of mainstream voice assistants, but privacy, accuracy, complicated setup, and connectivity issues continue to be a growing concern among users. These concerns have intensified the need for custom private voice assistants”.

Custom voice assistants that are trained for specific domains such as washing machines, toasters, microwave ovens, robot vacuums, and lawnmowers could perform more accurately than generalist voice assistants. Devices such as Siri or Alexa have to search through their entire knowledge base to give you a reasonably accurate answer to whatever question you might ask.

Sensory said that most of its customers are brands wishing to give their customers voice-controlled devices without giving up their data to the cloud. If you want to own one of these voice-controlled microwave ovens, the Farberware FM11 VABK microwave is available for under $250 on Amazon at the moment.

Should your robot vacuum have to be connected to the cloud to work? No, it shouldn’t. Once configured through the app, you should be able to control it even if your internet connection fails. This should be true of other voice-controlled devices that have no reason at all to connect to the internet, spewing data for anyone to collect. Expect to see more private voice assistants popping up in other household appliances very soon.