More stories


    Initial Access Broker use, stolen account sales spike in cloud service cyberattacks

    There is rising demand for the services of Initial Access Brokers (IABs) and access credentials in cloud-based cyberattacks. 

    On Tuesday, Lacework published its 2021 Cloud Threat Report vol.2, outlining how today’s cybercriminals are attempting to cut out some of the legwork involved in campaigns against cloud service providers. Over this year, the cloud security firm’s team has observed a number of notable trends in the cloud space, including increased demand for IABs.

    Initial Access Brokers, as documented by KELA, are individuals or groups who have managed to secure access to a target system. Access may have been obtained through weak, broken, or stolen credentials, through an insider, or by way of a vulnerability. The average price of network access, as analyzed by the team, is currently $5,400, while the median price is $1,000, depending on the level of access obtained and the target organization.

    Ransomware groups have taken an interest in IABs, and alongside these groups, other threat actors focused on exploiting cloud services are also attempting to recruit IABs for their own ends. Lacework says that over the past few months, administrator credentials obtained by IABs appear to have become a popular resource for attackers. In addition, the scanning and probing of storage buckets, online databases, login platforms, and orchestration systems continue to increase.

    “What started as one-off marketplace postings continues to escalate as criminals begin to understand and operationalize the utility of access to cloud services above and beyond cryptocurrency mining,” the team says.

    The report also explores the latest TeamTNT criminal operation activities against cloud services. The TeamTNT botnet, first spotted back in 2020, is known to install cryptocurrency-mining malware on vulnerable containers. TeamTNT is hunting for exposed Docker APIs to deploy malicious Docker images, and in numerous cases, public Docker repositories are being taken over through compromised accounts to host malware. Another tactic of note is the exploitation of canary tokens. The team suspects that the legitimate canarytokens.org service, used to alert users when a resource has been accessed, has also been abused to notify ransomware operators of malware execution on a victim’s system.

    Additional points of interest include honeypot data collected by the firm, which suggests SSH, SQL, Docker, and Redis services are most commonly targeted. Tor is often employed when AWS environments are targeted; the zgrab scanner is employed to probe Docker APIs for weaknesses; and when it comes to Redis, the command-line INFO command is most commonly used to harvest data concerning target systems.


    Cyberattackers are now quietly selling off their victim's internet bandwidth

    Cyberattackers are now targeting their victim’s internet connection to quietly generate illicit revenue following a malware infection. 

    On Tuesday, researchers from Cisco Talos said “proxyware” is gaining notice in the cybercrime ecosystem and, as a result, is being twisted for illegal purposes. Proxyware, also known as internet-sharing applications, is legitimate software that allows users to portion out part of their internet connection to other devices, and may also include firewalls and antivirus programs. Other apps allow users to ‘host’ a hotspot internet connection, providing them with cash every time a user connects to it. It is this format, provided by legitimate services including Honeygain, PacketStream, and Nanowire, that is being used to generate passive income on behalf of cyberattackers and malware developers.

    According to the researchers, proxyware is being abused in the same way as legitimate cryptocurrency mining software: quietly installed — either as a side component or as a main payload — with efforts taken to stop the victim from noticing its presence, such as through resource use control and obfuscation. In cases documented by Cisco Talos, proxyware is included in multi-stage attacks. An attack chain begins with a legitimate software program bundled together with a Trojanized installer containing malicious code.

    When the software is installed, the malware is also executed. One campaign has utilized a legitimate, signed Honeygain package which was patched to also drop separate, malicious files containing an XMRig cryptocurrency miner and to redirect the victim to a landing page connected to Honeygain referral codes.  Once the victim signs up for an account, this referral earns revenue for an attacker — all the while a cryptocurrency miner is also stealing computer resources.  However, this isn’t the only method used to generate cash. In a separate campaign, a malware family was identified that tries to install Honeygain on a victim’s PC and registers the software under an attacker’s account, and so any earnings are sent to the fraudster.  “While Honeygain limits the number of devices operating under a single account, there is nothing to stop an attacker from registering multiple Honeygain accounts to scale their operation based on the number of infected systems under their control,” the researchers say.  Another variant exploited multiple avenues, bundling not only proxyware software, but also a cryptocurrency miner and information stealer for the theft of credentials and other valuable data.  “This is a recent trend, but the potential to grow is enormous,” Cisco Talos says. “We are already seeing serious abuse by threat actors that stand to make a significant amount of money off these attacks. These platforms also pose new challenges for researchers, since there is no way to identify a connection through these kinds of networks — the origin IP becomes even less meaningful in an investigation.”


    Texas, California, New York, Louisiana, Missouri lead list of states with most ransomware attacks on schools: report

    Comparitech has released a new study on the number of ransomware attacks affecting schools, colleges and universities since 2018, finding the most attacks in the country’s most populous states like Texas, New York, California and Louisiana. Researchers Rebecca Moody and George Moody found that there have been a total of at least 222 ransomware attacks affecting 3,880 schools and colleges since 2018. They estimated that these attacks cost educational institutions billions in downtime and in ransom payments as ransomware groups targeted bigger school systems throughout the COVID-19 pandemic. In 2020 alone, Comparitech researchers tracked 77 individual ransomware attacks that affected more than 1,740 schools and colleges, “potentially impacting 1.36 million students,” according to their data.


    “Schools and colleges have suffered an estimated 1,387 days of downtime due to ransomware attacks with around 9,525 days spent on recovery efforts. 22 schools/colleges revealed the amount involved in their recovery efforts with nearly $19.2 million spent by these entities in total,” the researchers explained. “This is an average of nearly $960,000. Ransom requests varied from $5,000 to $40 million. Hackers have received at least $2.95 million in ransom payments with the average payment being $268,000. Hackers have requested at least $59.1 million in ransom payments with the average request being $2.47 million.”

    According to the data collected by Comparitech, Texas suffered the most attacks, with 19 since 2018 affecting 439 schools serving more than 300,000 students. California was second with 18 attacks affecting 288 schools, followed by New York, which saw 16 attacks impacting 138 schools, and North Carolina, which dealt with 10 attacks targeting 87 schools. Louisiana, Connecticut, Illinois, Missouri and Mississippi also saw a high number of ransomware attacks affecting their educational institutions.

    For 2021, Texas has led the way with 4 ransomware attacks, followed by Mississippi, California, Missouri and New York, which all had three from January to June this year. In 2020, the 77 ransomware attacks tracked by Comparitech led to an average of seven days of downtime and more than 55 days recovering from the attack.

    “Nevada had the highest number of impacted students in 2020 with 328,991 students affected by one single breach. Hackers targeted Clark County School District, which is the fifth-largest school district in the US with 374 individual schools. As the county didn’t pay the requested ransom, the hackers (Maze) dumped student records,” the report found. “The data breach report filed says 44,139 students were thought to have been affected by this aspect of the attack. The county and its staff and students also faced ongoing system disruptions in the month that followed. Due to its larger number of attacks, Texas also had a high number of students affected – 245,460 in total. This was closely followed by Virginia (195,408) and Maryland (115,038).”

    The report lists dozens of attacks on school districts — Somerset Independent School District, Union Community School District, Athens Independent School District and Affton School District to name a few — as well as attacks on university systems or colleges like The University of California San Francisco, which paid $1.14 million to NetWalker hackers, Imperial Valley College, which paid Sodinokibi hackers $55,068, and The University of Utah, which paid a ransom of $457,000. There have already been at least 39 reported ransomware attacks on educational institutions this year, and these figures do not include the Kaseya attack, which affected a number of universities tangentially.


    This phishing attack is using a sneaky trick to steal your passwords, warns Microsoft

    Microsoft has warned Office 365 customers that they’re being targeted by a widespread phishing campaign aimed at nabbing usernames and passwords. The ongoing phishing campaign uses multiple links; clicking on them results in a series of redirections that lead victims to a Google reCAPTCHA page, which in turn leads to a bogus login page where Office 365 credentials are stolen.


    This particular attack relies on the email sales and marketing tool called ‘open redirects’, which has been abused in the past to redirect a visitor from a trustworthy destination to a malicious site. Google doesn’t rate open redirects for Google URLs as a security vulnerability, but it does display a ‘redirect notice’ in the browser. Microsoft warns this feature is being used by the phishing attackers. “However, attackers could abuse open redirects to link to a URL in a trusted domain and embed the eventual final malicious URL as a parameter. Such abuse may prevent users and security solutions from quickly recognizing possible malicious intent,” the Microsoft 365 Defender Threat Intelligence Team warns. This attack’s trick relies on the standard advice to users to hover over a link in an email and check its destination before clicking.

    “Once recipients hover their cursor over the link or button in the email, they are shown the full URL. However, since the actors set up open redirect links using a legitimate service, users see a legitimate domain name that is likely associated with a company they know and trust. We believe that attackers abuse this open and reputable platform to attempt evading detection while redirecting potential victims to phishing sites,” Microsoft warns. “Users trained to hover on links and inspect for malicious artifacts in emails may still see a domain they trust and thus click it,” it said. Microsoft has found over 350 unique phishing domains used in this campaign, including free email domains, compromised domains, and domains automatically created by the attacker’s domain generation algorithm. The email subject headers were tailored to the tool the attacker was impersonating, such as a calendar alert for a Zoom meeting, an Office 365 spam notification, or a notice about the widely used but ill-advised password expiry policy. While open redirects aren’t new, Microsoft hopped on the issue after noticing a phishing campaign in August that relied on spoofed Microsoft URLs. 


    The Google reCAPTCHA verification adds to the apparent legitimacy of the site, since it is generally used by websites to confirm the user is not a bot. However, in this case, the user has been redirected to a page that looks like a classic Microsoft login page and eventually leads to a legitimate page from Sophos, which does provide a service to detect this style of phishing attack.

    “If the user enters their password, the page refreshes and displays an error message stating that the page timed out or the password was incorrect and that they must enter their password again. This is likely done to get the user to enter their password twice, allowing attackers to ensure they obtain the correct password.”

    “Once the user enters their password a second time, the page directs to a legitimate Sophos website that claims the email message has been released. This adds another layer of false legitimacy to the phishing campaign.”

    Google’s word on the matter of open redirects is that this is not a security vulnerability, though it admits it can be used to trigger other vulnerabilities. However, Google disputes the idea that hovering over a link in an app to see a destination URL is a useful phishing awareness tip. “Open redirectors take you from a Google URL to another website chosen by whoever constructed the link. Some members of the security community argue that the redirectors aid phishing, because users may be inclined to trust the mouse hover tooltip on a link and then fail to examine the address bar once the navigation takes place.”

    “Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk.”
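The report describes links whose hover text shows a trusted domain while the real destination rides along as a query parameter. As an added example (not code from Microsoft, Google or ZDNet), the Python below shows how a mail filter can unwrap such links, including a redirector nested inside another, and flag the ones that forward off-site, next to a redirect handler that only honours same-site paths. The trusted hosts, parameter names and sample links are all constructed for this example.

```python
"""Spotting open-redirect abuse in email links, and a redirector that refuses it.

Added example, not code from the Microsoft report. Assumed values: the
TRUSTED_HOSTS set, the REDIRECT_PARAMS list and the SAMPLE_LINKS are all
constructed for this demonstration.
"""
from urllib.parse import parse_qs, unquote, urlparse

# Domains the organisation treats as trustworthy (constructed).
TRUSTED_HOSTS = {"trusted.example", "mail.trusted.example"}

# Query parameters that redirectors commonly carry their target in
# (assumption: a short illustrative list, not taken from the report).
REDIRECT_PARAMS = {"url", "u", "q", "next", "redirect", "redirect_uri",
                   "return", "returnurl", "dest", "destination", "target"}

# Constructed sample links, not the campaign's real ones. The last one hides
# the final destination inside a second redirector, doubly URL-encoded.
SAMPLE_LINKS = [
    "https://trusted.example/url?q=https%3A%2F%2Flogin-reset.invalid%2Fo365",
    "https://trusted.example/url?q=https%3A%2F%2Fmail.trusted.example%2Finbox",
    "https://mail.trusted.example/inbox?msg=42",
    "https://trusted.example/go?next=https%3A%2F%2Ftrusted.example%2Fr"
    "%3Furl%3Dhttps%253A%252F%252Fcaptcha-check.invalid%252Fverify",
]


def embedded_redirect_targets(url: str) -> list:
    """Return every absolute http(s) URL carried in `url`'s redirect parameters.

    Values are percent-decoded one extra time so a target that was encoded
    for nesting is still recognised, and each target is unwrapped
    recursively, so a redirector chained inside another is followed.
    """
    targets = []
    for name, values in parse_qs(urlparse(url).query).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            candidate = unquote(value)
            inner = urlparse(candidate)
            if inner.scheme in ("http", "https") and inner.netloc:
                targets.append(candidate)
                targets.extend(embedded_redirect_targets(candidate))
    return targets


def is_suspicious_link(url: str) -> bool:
    """True when a link on a trusted host ends up forwarding off-site.

    A link to an untrusted host is left to the usual reputation checks; the
    open-redirect trick only matters when the visible domain is one the
    recipient would trust.
    """
    host = (urlparse(url).hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        return False
    return any((urlparse(t).hostname or "").lower() not in TRUSTED_HOSTS
               for t in embedded_redirect_targets(url))


def triage(links) -> dict:
    """Map each link to its verdict, for use by a mail filter or SOC script."""
    return {link: is_suspicious_link(link) for link in links}


def safe_redirect_target(requested: str, default: str = "/") -> str:
    """Hardened redirector: honour only same-site, rooted relative paths.

    Absolute URLs, scheme-relative '//host' forms, non-http schemes such as
    javascript: and backslash variants that browsers normalise to '//' all
    fall back to `default`, so the endpoint cannot be used as an open redirect.
    """
    decoded = unquote(requested)
    parsed = urlparse(decoded)
    if parsed.scheme or parsed.netloc:
        return default
    if not decoded.startswith("/") or decoded.startswith("//") or "\\" in decoded:
        return default
    return decoded


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print("SUSPICIOUS" if verdict else "ok        ", link)
    for link in SAMPLE_LINKS:
        for target in embedded_redirect_targets(link):
            print("  forwards to", target)
```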


    Singapore government expands bug hunt with hacker rewards scheme

    Singapore is offering payouts of up to $5,000 for white hackers to uncover security vulnerabilities in systems used by the public sector. The new scheme is the latest in the government’s efforts to involve the community in assessing its ICT infrastructure. The Government Technology Agency (GovTech) said its new Vulnerability Rewards Programme was the third crowdsourced initiative it has adopted to enhance the security of its ICT systems. It also runs bug bounty and vulnerability disclosure programmes, the latter of which is available to the public to report potential security holes. “The three crowdsourced vulnerability discovery programmes offer a blend of continuous reporting and seasonal in-depth testing capabilities that taps the larger community, in addition to routine penetration testing conducted by the government,” GovTech said in a statement Tuesday. 

    The government CIO office said the bug bounty programmes were “seasonal”, focusing on five to 10 critical and “high-profile” systems during each run. The new rewards scheme, though, would be ongoing and “continuously test” a wider range of critical ICT systems needed to deliver essential digital services, it said.

    Depending on the severity of vulnerabilities uncovered, between $250 and $5,000 would be offered to hackers that are approved to participate in the rewards programme. In addition, a special bounty of up to $150,000 could be awarded for vulnerabilities identified to potentially cause “exceptional impact” on selected systems and data. Details outlining such vulnerabilities would be provided to registered hackers and would apply only to selected government systems. According to GovTech, the special bounty would be measured against global crowdsourced vulnerability programmes, such as those run by technology vendors such as Google and Microsoft.

    The new rewards scheme would initially encompass three public-sector systems, namely, SingPass and CorpPass; member e-services under the Manpower Ministry and Central Provident Fund Board; and WorkPass Integrated System 2, which is operated by the Manpower Ministry. The programme will also be extended to include more critical ICT systems progressively, GovTech said. Only hackers who meet a set of criteria will be permitted to participate in the rewards scheme, with checks to be conducted by bug bounty operator, HackerOne. Once approved, participants would have to conduct security assessments through a designated virtual private network gateway provided by HackerOne, and their access withdrawn if they breached the permitted rules of engagement.

    GovTech’s assistant chief executive for governance and cybersecurity, Lim Bee Kwan, said the government agency first adopted crowdsourced vulnerability discovery programmes in 2018. Since then, it had worked with more than 1,000 hackers to identify 500 valid vulnerabilities. “The new Vulnerability Rewards Programme will allow the government to further tap the global pool of cybersecurity talents to put our critical systems to the test, keeping citizens’ data secured to build a safe and secure smart nation,” Lim said. As of August 2021, the Singapore government had run four bug bounties–each lasting two to three weeks–covering 33 systems. More than $100,000 had been dished out to participants. The public vulnerability disclosure programme was launched in October 2019 and has led to more than 900 reported vulnerabilities, as of March 2021, involving 59 government agencies. Of those, at least 400 were valid bugs that have since been plugged. A report last month revealed that half of vulnerabilities uncovered in 2020 via the Singapore government’s bug bounty and public disclosure programmes were valid.

    The public sector recorded a 44% increase in data incidents over the past year, though none were assessed to be of “high severity”, according to the report by the Smart Nation and Digital Government Office. Some 1,560 SingPass accounts, needed to access e-government services, were involved in a 2014 security breach where users received notifications that their passwords had been reset, despite not requesting to do so. The government then blamed the incident on the likely use of weak passwords or malware that could have been installed on the affected users’ personal devices. Two-factor authentication (2FA) was introduced the following year as part of efforts to strengthen security on the e-government platform.


    Chinese state media says online gaming for minors now limited to three hours per week

    People aged under 18 living in China will now only be allowed to play online games for three hours per week. The new mandate will see minors only be allowed to play one hour of online games on Fridays, Saturdays, Sundays, and on official holidays, according to state media outlet Xinhua. The one hour of online game time for these days will also only be allowed from 8pm to 9pm. The ban, issued by China’s National Press and Publication Administration (NAAP) on Monday evening, is aimed at preventing minors from becoming addicted to online gaming, the report said. In issuing the ban, the gaming regulator reportedly called for online game providers to implement real-name registration and logins, saying online game providers should not allow minors to play online games if they fail to register and log in using their real identifications. The NAAP also reportedly told Xinhua it would increase the frequency of its inspections on online gaming companies to ensure they implement time limit and anti-addiction systems. Prior to the latest measures, Tencent at the start of the month had already announced further restrictions for how much minors could play its flagship game Honour of Kings as part of efforts to appease government concerns. In that restriction, Honour of Kings gamers under the age of 18 had their playing time limited to one hour on regular days and two hours on public holidays.

    The expanded gaming ban is the latest among a flurry of moves China has made as part of its local crackdown on tech. In the area of online child protection alone, Beijing prosecutors have launched a civil public lawsuit against WeChat, accusing the company of not complying with laws focused on protecting minors, while the Cyberspace Administration of China passed a special action last month banning people under the age of 16 from appearing in content within online live-streaming and video platforms. Beyond online child protection, the Chinese government has pushed through new personal data protection laws, punished 43 apps for illegally transferring user data, and ordered local food delivery platforms to provide riders with minimum wages. It has also removed Didi from Chinese app stores and placed it under cybersecurity review, slapped Alibaba with a record 18.2 billion yuan fine, and put Tencent on notice for collecting more user data than deemed necessary when offering services.


    Fujitsu says stolen data being sold on dark web 'related to customers'

    Data from Japanese tech giant Fujitsu is being sold on the dark web by a group called Marketo, but the company said the information “appears related to customers” and not their own systems. On August 26, Marketo wrote on its leak site that it had 4 GB of stolen data and was selling it. They provided samples of the data and claimed they had confidential customer information, company data, budget data, reports and other company documents including information on projects. Initially, the group’s leak site said it had 280 bids on the data but now, the leak site shows 70 bids for the data, including one bid today.

    A screenshot of the leak site. Image: Etay Maor
    A Fujitsu spokesperson downplayed the incident and told ZDNet that there was no indication it was connected to a situation in May when hackers stole data from Japanese government entities through Fujitsu’s ProjectWEB platform. “We are aware that information has been uploaded to dark web auction site ‘Marketo’ that purports to have been obtained from our site. Details of the source of this information, including whether it comes from our systems or environment, are unknown,” a Fujitsu spokesperson told ZDNet. “Because this includes information that appears related to customers, we will refrain from commenting on the details. I assume that you may recall the last event of Project WEB in May, but there is no indication that this includes information leaked from ProjectWEB, and we believe that this matter is unrelated.”

    Cybersecurity experts like Cato Networks senior director of security strategy Etay Maor questioned the number of bids on the data, noting that the Marketo group controls the website and could easily change the number as a way to put pressure on buyers.

    But Ivan Righi, cyber threat intelligence analyst with Digital Shadows, said Marketo is known to be a reputable source. Righi said the legitimacy of the data stolen cannot be confirmed but noted that previous data leakages by the group have been proven to be genuine. “Therefore, it is likely that the data exposed on their website is legitimate. At the time of writing, Marketo has only exposed a 24.5 MB ‘evidence package,’ which contained some data relating to another Japanese company called Toray Industries. The group also provided three screenshots of spreadsheets allegedly stolen in the attack,” Righi said. He explained that while Marketo is not a ransomware group, it operates similarly to ransomware threat actors. “The group infiltrates companies, steals their data, and then threatens to expose that data if a ransom payment is not made. If a company does not respond to the threat actor’s ransom demand, they are eventually posted on the Marketo data leak site,” Righi told ZDNet. “Once a company is posted on the Marketo site, an evidence package is usually provided with some data stolen from the attack. The group will then continue to threaten the companies and expose data periodically, if the ransom is not paid. While the group does have an auction section on their website, not all victims are available in this section, and Fujitsu has not been put up for auction publicly at the time of writing. It is unknown where the 70 bids purportedly came from, but it is possible that these bids may originate from closed auctions.”

    Digital Shadows wrote a report about the group in July, noting that it was created in April 2021 and often markets its stolen data through a Twitter profile by the name of @Mannus Gott. The account has taunted Fujitsu in recent days, writing on Sunday, “Oh, the sweet, sweet irony. One of the largest IT services provider couldn’t find themselves an adequate protection.” The gang has repeatedly claimed it is not a ransomware group and instead an “informational marketplace.” They contacted multiple news outlets in May to tout their work. “The marketplace itself operates in a similar fashion to other data leak sites with some unique features. Interestingly the group includes an ‘Attacking’ section naming organizations that are in the progress of being attacked. The marketplace allows for user registration and provides a contact section for victim and press inquiries,” Digital Shadows Photon Research Team wrote. “Victims are provided a link to a separate chat to conduct negotiations. Within the individual posts, Marketo provides a summary of the organization, screenshots of seemingly compromised data, and a link to an ‘evidence pack’ otherwise known as a proof. They auction sensitive data in the form of a silent auction through a blind bidding system where users make bids based on what they think the data is worth.”
    In the past, the group has gone so far as to send samples of stolen data to a company’s competitors, clients and partners as a way to shame victims into paying for their data back. The group has listed dozens of companies on their leak site, including Puma recently, and generally leaks one each week, mostly selling data from organizations in the US and Europe. At least seven industrial goods and services companies have been hit alongside organizations in the healthcare and technology sectors.


    Passport info and healthcare data leaked from Indonesia's COVID-19 test-and-trace app for travelers

    Researchers with vpnMentor have uncovered a data breach involving the COVID-19 test and trace app created by the Indonesian government for those traveling into the country. The ‘test and trace app’ — named electronic Health Alert Card or eHAC — was created in 2021 by the Indonesian Ministry of Health, but the vpnMentor team, led by Noam Rotem and Ran Locar, said it did not have the proper data privacy protocols and exposed the sensitive data of more than one million people through an open server. The app was built to hold the test results of those traveling into the country to make sure they were not carrying COVID-19 and is a mandatory requirement for anyone flying into Indonesia from another country. Both foreigners and Indonesian citizens must download the app, even those traveling domestically within the country. The eHAC app keeps track of a person’s health status, personal information, contact information, COVID-19 test results and other data.

    Rotem and Locar said their team discovered the exposed database “as part of a broader effort to reduce the number of data leaks from websites and apps around the world.” “Our team discovered eHAC’s records with zero obstacles, due to the lack of protocols in place by the app’s developers. Once they investigated the database and confirmed the records were authentic, we contacted the Indonesian Ministry of Health and presented our findings,” the vpnMentor research team said. “After a couple of days with no reply from the ministry, we contacted Indonesia’s Computer Emergency Response Team agency and, eventually, Google — eHAC’s hosting provider. By early August, we had not received a reply from any of the concerned parties. We tried to reach out to additional governmental agencies, one of them being the BSSN (Badan Siber dan Sandi Negara), which was established to carry out activities in the field of cyber security. We contacted them on August 22nd and they replied on the same day. Two days later, on August 24, the server was taken down.” 

    The Indonesian Ministry of Health and Foreign Ministry did not respond to requests for comment from ZDNet. In their report, the researchers explain that the people who created eHAC used an “unsecured Elasticsearch database to store over 1.4 million records from approximately 1.3 million eHAC users.” On top of the leak of sensitive user data, the researchers found that all of the infrastructure around eHAC was exposed, including private information about local Indonesian hospitals as well as government officials who used the app. The data involved in the leak includes user IDs — which ranged from passports to national Indonesian ID numbers — as well as COVID-19 test results and data, hospital IDs, addresses, phone numbers, URN ID number and URN hospital ID number. For Indonesians, their full names, numbers, dates of birth, citizenship, jobs and photos were included in the leaked data.

    The researchers also found data from 226 hospitals and clinics across Indonesia as well as the name of the person responsible for testing each traveller, the doctors who ran the test, information about how many tests were done each day and data on what kinds of travelers were allowed at the hospital. The leaked database even had personal information for a traveler’s parents or next of kin as well as their hotel details and other information about when the eHAC account was created. Even eHAC staff members had their names, ID numbers, account names, email addresses and passwords leaked. “Had the data been discovered by malicious or criminal hackers, and allowed to accumulate data on more people, the effects could have been devastating on an individual and societal level,” the researchers said. “The massive amount of data collected and exposed for each individual using eHAC left them incredibly vulnerable to a wide range of attacks and scams. With access to a person’s passport information, date of birth, travel history, and more, hackers could target them in complex (and simple) schemes to steal their identity, track them down, scam them in person, and defraud them of thousands of dollars. Furthermore, if this data wasn’t sufficient, hackers could use it to target a victim in phishing campaigns over email, text, or phone calls.” 

    The vpnMentor research team uses “large-scale web scanners” as a way to search for unsecured data stores containing information that shouldn’t be exposed. “Our team was able to access this database because it was completely unsecured and unencrypted. eHAC was using an Elasticsearch database, which is ordinarily not designed for URL use,” the researchers added. “However, we were able to access it via browser and manipulate the URL search criteria into exposing schemata from a single index at any time. Whenever we find a data breach, we use expert techniques to verify the owner of the database, usually a commercial business.”

    The report notes that with all of the data, it would be easy for hackers to pose as health officials and conduct any number of scams on any of the 1.3 million people whose information was leaked. Hackers could have also changed data in the eHAC platform, potentially hampering the country’s COVID-19 response. The researchers noted that they were wary of testing any of these potential attacks out of fear of disrupting the country’s efforts to contain COVID-19, which may already be damaged by the government’s haphazard management of the database. The vpnMentor team added that if there was a hack or ransomware attack involving the database, it could have led to the kind of distrust, misinformation and conspiracy theories that have gained a foothold in dozens of countries. “If the Indonesian people learned the government had exposed over 1 million people to attack and fraud via an app built to combat the virus, they may be reluctant to engage in broader efforts to contain it — including vaccine drives,” the researchers said. “Bad actors would undoubtedly exploit the leak for their gain, jumping on any frustration, fear, or confusion, creating mistruths and exaggerating the leak’s impact beyond all reasonable proportion. All of these outcomes could significantly slow down Indonesia’s fight against Coronavirus (and misinformation in general) while forcing them to use considerable time and resources to fix their own mess. The result is further pain, suffering, and potential loss of life for the people of Indonesia.”

    The researchers said the designers of the eHAC system needed to secure the servers, implement proper access rules and make sure never to leave the system, which did not require authentication, open to the internet. They urged those who may think their information was affected to contact the Indonesian Ministry of Health directly to figure out what next steps may need to be taken. eHAC is far from the only COVID-19 related app to face similar problems. Since the beginning of the pandemic, the emergence of contact tracing apps has caused worry among researchers who have repeatedly shown how faulty these tools can be. Just last week, Microsoft faced significant backlash after their Power Apps were found to have exposed 38 million records online, including contact tracing records. In May, the personal health information belonging to tens of thousands of Pennsylvanians was exposed following a data breach at a Department of Health vendor. The Department of Health accused a vendor of exposing the data of 72,000 people by willfully disregarding security protocols.
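The exposure described here, an Elasticsearch node answering unauthenticated HTTP requests from the internet, comes down to a few settings in elasticsearch.yml. The Python below is an added example (not from vpnMentor's report or from Elastic) that audits a config for that pattern, with the weak configuration beside its hardened form; both sample configs are constructed, and treating an unset xpack.security.enabled as disabled is a deliberately conservative assumption because the real default depends on the Elasticsearch version.

```python
"""Audit an elasticsearch.yml for the "open to the internet, no auth" pattern.

Added example, not from vpnMentor's report or from Elastic. Only flat
`key: value` lines are parsed, which is how these settings are normally
written, so no YAML library is needed. Assumption: an unset
xpack.security.enabled is treated as disabled, which is deliberately
conservative because the real default depends on the Elasticsearch version.
"""

# Bindings that keep the HTTP API off the network entirely.
LOOPBACK_BINDINGS = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed sample: every interface, security off. This is the shape of
# deployment that lets a browser query the indices directly.
WEAK_CONFIG = """\
cluster.name: travel-health   # constructed name
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: same cluster, loopback only, auth and TLS on. Clients
# on other hosts then go through a reverse proxy or a TLS-enabled binding.
HARDENED_CONFIG = """\
cluster.name: travel-health
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> dict:
    """Parse top-level `key: value` lines; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def http_bindings(settings: dict) -> list:
    """Addresses the HTTP API listens on: http.host overrides network.host,
    and either may be a single value or a flow list such as [_site_, ::1]."""
    raw = settings.get("http.host", settings.get("network.host", "_local_"))
    return [b.strip().strip("\"'") for b in raw.strip("[]").split(",") if b.strip()]


def audit_exposure(config_text: str) -> list:
    """Return findings for the settings that make a node reachable without
    authentication; an empty list means the pattern was not found."""
    settings = parse_flat_yaml(config_text)
    exposed = [b for b in http_bindings(settings) if b not in LOOPBACK_BINDINGS]
    auth_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = settings.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    findings = []
    if exposed and not auth_on:
        findings.append("HTTP API bound to %s with authentication disabled"
                        % ", ".join(exposed))
    if exposed and auth_on and not tls_on:
        findings.append("authentication enabled but HTTP API served without TLS,"
                        " so credentials travel in the clear")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_exposure(cfg) or ["no exposure pattern found"])
```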