More stories


    That email about your delivery could be fake: Phishing scammers increase their attack on online shoppers

    There’s been a huge rise in one particular form of phishing attack as cyber criminals look to exploit the combination of the holiday season shopping rush and the move to shopping online.
More online shopping means people are receiving more emails about the shipment and delivery of their orders, and cyber criminals are actively taking advantage of this with phishing emails that impersonate internationally known shipping companies. While these campaigns predominantly target consumers, they are also a danger to businesses.
    Researchers at cybersecurity company Check Point say shipping-related phishing emails have increased by more than 440 per cent over the last month. The spike has been seen around the world, with Europe seeing the biggest surge, followed by North America and the Asia Pacific region.
    The emails are designed to look like they come from shipping companies and retailers and feature messages claiming that there’s been a “delivery issue” or urging users to “track your shipment”.
    Shoppers who’ve ordered items online are likely to be concerned about any potential problems around delivery so could easily open the emails and end up falling victim to cyber criminals.
    In some cases, the phishing emails – which have all the appropriate branding of the delivery firm they’re mimicking – will claim that potential victims need to make an additional payment to secure their item, directing them to a page which is used to steal their personal information, including name, address and credit card details.

    Malicious hackers can either use the stolen financial data and other personal information directly to commit fraud and raid bank accounts themselves, or alternatively they could sell the stolen details onto other cyber criminals on underground forums.
Alternatively, cyber attackers design phishing emails which ask users to click on a link and log in to their account to resolve an issue. The malicious link directs victims to a fake version of the delivery company’s web page, which sends the entered email address and password to the attacker.
    Once again, cyber criminals can either exploit this themselves, by raiding accounts or harvesting personal details, or sell the credentials on to other criminals on the dark web.
    While this form of phishing attack may at first appear to be predominantly a risk to consumers, some people register online shopping accounts with their corporate email address and reuse the same password across both, which is a very bad idea.
That means malicious hackers could potentially use these attacks as a gateway to corporate networks – something that could be much more lucrative than stealing bank account information.
    “These phishing campaigns are a risk to businesses as well as consumers, as people may share passwords or other credentials across both personal and work-related accounts and inadvertently give them away,” Ian Porteous, regional director for security engineering at Check Point told ZDNet.
“It only takes a few moments of inattention for a user to be tricked by these scams – especially as they play on people’s expectations of receiving goods they may have ordered – and given the large numbers of people still working from home, this is exactly what hackers are relying on. For them, it’s just a numbers game to try and steal as much sensitive data as they can,” he added.
To help protect against shipping-themed and other phishing attacks, users are urged to be suspicious of unexpected messages, particularly those that press for urgent action, since manufactured urgency is a common psychological trick used by cyber criminals.
    If users think a request could be legitimate, they should not follow links in the email; instead they should type the retailer’s or shipping company’s address into the browser and check the order there.
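The two lures described above (a link whose target is not the carrier’s real domain, and a message that manufactures urgency around a delivery) can be checked mechanically before anyone clicks. The script below is an added example, not code from the article or from Check Point: it parses the HTML body of a suspicious email, pulls out every link, and flags links whose registrable domain is not on an allowlist, links that use the carrier’s brand as a subdomain of some other domain, links whose visible URL text does not match their real target, plain-HTTP links, and the urgency phrases the article mentions. The carrier domain `example-courier.com` and the sample email are constructed for the demonstration; the registrable-domain logic is deliberately naive (last two labels) and a production version should use the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the carrier's real domain(s). Constructed for this example,
# not taken from the article or from any real shipping company.
TRUSTED_DOMAINS = {"example-courier.com"}

# Lure phrases the article quotes, plus two common payment/deadline variants.
URGENCY_PHRASES = (
    "delivery issue",
    "track your shipment",
    "additional payment",
    "within 24 hours",
    "account suspended",
)


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive registrable domain: last two DNS labels (use the PSL in real code)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_email(html, trusted=TRUSTED_DOMAINS):
    """Return a list of (category, detail) findings; an empty list means nothing suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    brands = {t.split(".")[0] for t in trusted}

    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        domain = registrable_domain(host)

        if domain not in trusted:
            findings.append(("untrusted_domain", host))
            # Brand name placed in a subdomain of an unrelated registrable domain,
            # e.g. example-courier.com.attacker.net
            if any(brand in host for brand in brands):
                findings.append(("brand_lure", host))

        # Visible text shows one URL, href points somewhere else.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != domain:
            findings.append(("display_mismatch", f"{shown.group(1)} -> {host}"))

        if parsed.scheme == "http":
            findings.append(("insecure_scheme", href))

    lowered = html.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(("urgency", phrase))
    return findings


# Constructed sample: a delivery-themed lure modelled on the tactics the article describes.
PHISHING_SAMPLE = """
<p>Your parcel could not be delivered due to a delivery issue.</p>
<p>To reschedule, please <a href="http://example-courier.com.track-status-update.net/pay">track your shipment</a>
and pay the 1.99 redelivery fee within 24 hours.</p>
<p>Or sign in at <a href="https://secure-login.example-courier-support.com/">https://example-courier.com/login</a></p>
"""

# Constructed sample: a legitimate-looking notification that should produce no findings.
BENIGN_SAMPLE = """
<p>Your order has shipped. <a href="https://www.example-courier.com/t/123">View tracking</a></p>
"""

if __name__ == "__main__":
    for category, detail in analyse_email(PHISHING_SAMPLE):
        print(f"{category:17} {detail}")
    print("benign findings:", analyse_email(BENIGN_SAMPLE))
```

Each finding is a category plus the evidence, so the output can be fed into a mail-gateway rule or a triage note rather than just read by a person. The allowlist is the important input: a real deployment would populate it from the carriers a business actually uses, and would treat a single `untrusted_domain` hit on a delivery-themed message as enough to quarantine.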


    What is cyber insurance? Everything you need to know about what it covers and how it works

Cyberattacks of all types are an increasingly large problem for all organisations, and as a result many are turning to cyber insurance as a means of protection against some of the effects of an incident. But what is cyber insurance, how does it work and what are some of the things that your business needs to be considering when deciding on a cyber insurance policy?
    What is cyber insurance?


    Cyber insurance – also known as cyber-liability insurance – is an insurance policy that helps protect organisations from the fallout from cyberattacks and hacking threats. Having a cyber insurance policy can help minimise business disruption during a cyber incident and its aftermath, as well as potentially covering the financial cost of some elements of dealing with the attack and recovering from it.
    “The formal definition of cyber insurance is essentially a contract between an insurer and a company to protect against losses that are related to computer- or network-based incidents,” explains Juergen Weiss, head of global financial services research and advisory at tech analyst Gartner.
    However, there are things that cyber insurance can’t protect against and an organisation will need to make sure it understands what is covered and perhaps more importantly what isn’t covered when they sign up to a coverage plan. While having some form of cyber insurance in place can help a business in the event of an attack, a business is also responsible for its own cybersecurity – the responsibility isn’t something that is just shifted to the insurer.
    “Cyber insurance will not instantly solve all of your cybersecurity issues, and it will not prevent a cyber breach/attack,” says the National Cyber Security Centre in its guidance.
    Who needs cyber insurance?

    Any business with an online component or one that sends or stores electronic data might benefit from cyber insurance, as may any organisation that relies on technology to conduct its operations, which is pretty much every business.
Private personal data such as contact details of customers or staff, intellectual property, or sensitive financial data are all potentially very lucrative to cyber criminals who could attempt to break into the network and steal it.
    There’s also the potential for hackers to cripple a network with ransomware. A cyber insurance policy that covers ransomware could go a long way to helping organisations that fall victim to attacks like this find a way out of the predicament.
    What sort of attacks result in cyber insurance claims?
    Cyber insurance claims can be triggered by many sorts of incidents, but right now the most common are ransomware, fund-transfer fraud attacks, and business email compromise scams. 
    How much does cyber insurance cost?
    The cost of a cyber insurance policy will depend on a number of different factors including the size of the business and the annual revenue. Other factors can include the industry the business operates in, the type of data that the business typically deals with, as well as the overall security of the network.
    An organisation that is deemed to have poor cybersecurity or has previous history of falling victim to hackers or a data breach would likely get charged more for a cyber insurance policy than one that has a good reputation for keeping itself secure.
    Sectors such as health and finance are likely to find that cyber insurance policies cost more due to the sensitive nature of the fields they operate in.
    What does cyber insurance cover?
Different providers offer different coverage, but a cyber insurance policy will generally cover the immediate costs associated with falling victim to a cyberattack.
    “Cyber insurance policies are designed to cover the costs of security failures, including data recovery, system forensics, as well as the costs of legal defence and making reparations to customers,” says Mark Bagley, VP at cybersecurity company AttackIQ.
Underwriting data recovery and system forensics, for example, would help cover some of the cost of investigating and remediating a cyberattack by employing forensic cybersecurity professionals to establish what happened – and fix the issue.
    This is the sort of standard procedure that follows in the aftermath of a ransomware attack, one of the most damaging and disrupting kinds of incident an organisation can face right now.
Some cyber insurance companies also cover the cost of actually giving in and paying a ransom – even though that is something law enforcement and the information security industry don’t recommend, as it encourages cyber criminals to commit more attacks.
    “The insurance company looks at what the potential incident response and forensic bill might be and that’s going to be bigger in many cases as organisations aren’t prepared, so they’d actually rather pay. It’s very frustrating,” says Theresa Payton, former White House CIO for the George W. Bush administration and founder and CEO of cybersecurity company Fortalice Solutions.
Business email compromise (BEC) phishing scams are another form of cyberattack that can cost a business a large, sometimes six-figure, sum of money. These attacks see criminals posing as a CEO, supplier, or other trusted contact and duping staff into transferring payments.
    As the UK’s NCSC points out, some insurance policies will cover money lost in BEC fraud – but it’s often part of a specific policy that’s directly related to BEC. It therefore may not be covered by standard cybersecurity insurance – and your organisation could be left without any aid if that’s the case.
    Organisations should, therefore, make sure they know exactly what they’re signing up for when choosing a cybersecurity insurance policy – and that it covers the potential damage of the most likely cyberattacks including ransomware, phishing and DDoS attacks.
    The NCSC also notes that it’s worth checking if your organisation already has cyber insurance in place as part of existing policies, such as business interruption or property insurance. This might provide some level of coverage – or may specifically exclude cyber-related incidents.
    What isn’t covered by cyber insurance?
    There are some things that could be important to organisations that don’t tend to be covered by cyber insurance and it’s vital to understand what isn’t covered, so protecting these assets can be properly managed.
    “Cyber insurance is still kind of limited compared to the true amount of risk. So don’t think that all forms of cyber risk are covered by insurance,” says Jon Bateman, fellow in the Cyber Policy Initiative of the Technology and International Affairs Program at the Carnegie Endowment for International Peace.
The financial damage caused by loss of intellectual property isn’t covered by cyber insurance, and neither are the reputational costs that can be incurred following a cyberattack.
    For example, cyber insurance could pay out for the costs associated with dealing with the direct aftermath of a cyberattack, but in the longer run the company might lose business due to public perception of having poor cybersecurity. A cyber insurance policy won’t cover the cost of losing customers due to the bad reputation it picks up as a result of a cyberattack.
    Does cyber insurance cover major cybersecurity events?
The summer of 2017 saw two major cyberattacks spread around the world in quick succession, with the WannaCry ransomware attack taking down networks in May, followed just weeks later by the much more damaging NotPetya attack. NotPetya knocked major organisations around the world offline and is estimated to have cost billions in lost revenue and restoration costs, as in many cases organisations had to rebuild their networks from scratch.
    It sounds like the sort of incident that would result in an insurance company paying out a cyber insurance claim because an organisation was disrupted by an incident that wasn’t their fault – especially as NotPetya was so prolific and indiscriminate in its targeting.
However, some insurance providers argued they didn’t have to pay out because NotPetya, a malware attack linked to the Russian military, was classed as an “act of war”, which nullified the claim. Other insurance providers did pay out claims for damage caused by NotPetya.
    It’s likely that this is going to continue to be an issue moving forward, especially as the cyber and physical realms become ever more indistinguishable from one another and insurers and their clients might not see eye to eye on what should and shouldn’t be covered.
    “A major challenge for this market is how to deal with the most extreme forms of risk – major state-sponsored attacks, major catastrophic incidents across a large number of clients. Cyber-physical events that begin in cyberspace but still go out into the world with societal consequences. They’re very difficult to model and price. If a major incident was to happen it would overwhelm the capacity of cyber insurance markets,” says Bateman.
    What do I need to apply for a cyber insurance policy?
    Cyber insurance isn’t a silver bullet for solving your cybersecurity problems – far from it. In fact, in order to get a good deal for coverage, your business will likely need to prove that it’s responsible with cybersecurity in the first place. Insurers won’t want to take on a client that looks almost certain to be the victim of a data breach.
Insurers will want to know what cybersecurity your company has in place when you apply for a policy, and you’ll be expected to keep that information accurate over time. In many cases policies are reassessed every 12 months, so even after acquiring cyber insurance, organisations still need to maintain proper cybersecurity procedures or risk losing the cover down the line.
    It’s also important to understand which are the systems and data that are essential to your organisation, and to understand whether the level of cover you have is adequate. That means deciding on a cyber insurance policy is a question that goes beyond IT and is a question for broader executive management, too.
    “Unlike incidents such as a fire or theft, cyber incidents are often not restricted to a single location. Understanding how your organisation operates and the interdependencies between different parts is vital to determining the extent of an incident, which may have global implications,” says NCSC.
    An organisation can’t just decide it doesn’t want to invest in cybersecurity any longer because it now has a cyber insurance policy.
    What is the future of cyber insurance?
    As the frequency of cyberattacks continues to increase and cyber criminals get more brazen with campaigns, the way cyber insurance operates is going to evolve. As previously noted, cyber insurance providers are unlikely to want to offer policies to organisations that pay little attention to their cybersecurity.
    Paying out an insurance claim is a purely reactive activity and is costly for the insurance provider. That’s why some are starting to take a more proactive approach to cybersecurity, not only there to offer a payout if things go wrong, but actively aiding clients to take a better approach to cybersecurity.
    “The whole insurance industry is moving away from being a lender of last resort and payouts, to more like a risk advisor and a partner for your business operations. Insurers are now putting black boxes in your car to track driving behaviour – they want to price more accurately and ideally change your behaviour,” says Weiss.
“And the same is happening in the cyber insurance space. They want to make sure that you as a corporate adapt to the risk. It’s a mix of audit, protection and prevented loss,” he adds.


    'Hacker_R_US' gets eight years in prison for bomb threats and DDoS extortion

A US judge has sentenced a 22-year-old hacker to eight years in prison for engaging in DDoS extortion schemes, making fake bomb threats against companies and schools across the world, and possessing child pornography.

    Identified as Timothy Dalton Vaughn, a resident of Winston-Salem, North Carolina, the hacker was arrested in February 2019, pleaded guilty in November of the same year, and was sentenced to 95 months in prison on Monday, following delays to his sentencing due to the COVID-19 pandemic.
Vaughn, who went online as “Hacker_R_US” and “WantedbyFeds,” was a member of Apophis Squad, a hacker group that made a splash in the first eight months of 2018 and then fizzled out of existence after a law enforcement crackdown.
    The group was your typical loudmouth hacker squad that bragged about launching DDoS attacks on their Twitter account, but according to court documents, they also extorted some of their targets in private, asking for money to stop their attacks.
    But while they’re not the only hacker group to engage in DDoS extortion, Apophis Squad members went off the rails in the summer of 2018, when, for no apparent reason, they escalated their online nuisance to a whole new level by beginning to make erratic bomb threats against a wide range of targets that included schools, airports, government organizations, and many private companies.
    Obviously, the switch to such brazen tactics didn’t go unanswered and a law enforcement crackdown followed soon after, especially after one of their fake bomb threats forced a plane to make an emergency landing.
    UK police arrested the group’s leader in August 2018, and Vaughn’s arrest followed the next February.

    The group’s leader, who went online by nicknames such as “optcz1,” “DigitalCrimes,” and “7R1D3N7,” was identified as George Duke-Cohan, 19, from Hertfordshire, UK.
Duke-Cohan was linked to DDoS extortion and fake bomb threats, was quickly tried in the autumn of 2018, and received a three-year prison sentence in December 2018.
    In the follow-up case in the US, authorities similarly linked Vaughn to a $20,000 DDoS extortion against a Long Beach company and bomb threats made against 86 school districts, where he and other co-conspirators claimed to have planted ammonium nitrate and fuel oil bombs in school buildings; rocket-propelled grenade heads under school buses; and land mines on sports fields.
    During a subsequent arrest and house search, the FBI said it also found child pornography materials on Vaughn’s devices and tacked on additional charges.
Vaughn was sentenced to 95 months for the child pornography possession charge and 60 months for the other charges. The terms will be served concurrently, for a total sentence of 95 months (7 years and 11 months) in prison.


    2020's worst cryptocurrency breaches, thefts, and exit scams

    2020 has been a year few of us will forget any time soon, and as businesses clamor to either stay afloat or weather the storm the COVID-19 pandemic has caused — let alone everything else that’s happened over the past 12 months — in the criminal underground, business is booming. 

Of particular interest to cyberattackers over the past few years is cryptocurrency. An alternative to traditional, bank-controlled fiat currency, cryptocurrency has evolved from the Wild West of speculative trading into something closer to an established financial structure, built on blockchain technologies that tech giants including IBM, Google, and Microsoft are now exploring.
    However, many blockchain and cryptocurrency-related technologies are still experimental and speculative; vulnerabilities can lead to wallets – and the crypto stored within – being compromised, and there are still cases of exit scams and fraudulent Initial Coin Offerings (ICOs).
    Cases of data breaches, theft, and investor losses are still very much in existence. Below are the worst recorded incidents, month by month, over the course of 2020. 
    January:
    Poloniex: Poloniex disclosed a data breach and forced a mass password reset for users after credentials were leaked across social media. 
    February:
    Helix: An Ohio man was arrested for running the Helix Bitcoin mixing service. An estimated $300 million was laundered through the mixer.
    Microsoft engineer theft: A software engineer was convicted of stealing over $10 million from Microsoft.
    IOTA: The IOTA Foundation shut down its entire network due to a hacker exploiting a vulnerability in the IOTA wallet app.
    Altsbit: The Italian cryptocurrency exchange closed following an alleged cyberattack in which the majority of user funds were stolen.
    March:
    Prometei: Researchers found a botnet exploiting the Microsoft Windows SMB protocol to mine for cryptocurrency.
    YouTube: YouTube accounts were hacked to promote a Bill Gates-themed Ponzi cryptocurrency scam.
    April:
    Lendf.me: $25 million in cryptocurrency was stolen from the Lendf.me platform.
    Bisq: Over $250,000 was stolen from Bisq Bitcoin exchange users.
    May:
    Supercomputers: Supercomputers across Europe were hacked in order to mine for cryptocurrency.
    June:
    BTC-e: New Zealand law enforcement froze $90 million in BTC-e assets as part of a money laundering investigation.
    CryptoCore: Researchers said that the CryptoCore hacking group has stolen at least $200 million in cryptocurrency from online exchanges. 
    Coincheck: A hacker infiltrated the cryptocurrency exchange’s domain registration service, causing a pause to deposit and withdrawal services. 

    July:
    Twitter: High-profile Twitter profiles belonging to figures including Joe Biden, Bill Gates, and Elon Musk were compromised to tout a cryptocurrency scam.
    Coinbase: Coinbase blocked an attempt by attackers to steal $280,000 in Bitcoin.
    VaultAge Solutions: The CEO went into hiding after allegedly scamming investors out of $13 million.
    AT&T: AT&T was dragged to court over a $1.9 million SIM hijacking and cryptocurrency theft case.
    GPay Ltd: UK regulators shut down GPay for scamming cryptocurrency investors by using fake celebrity endorsements.
    August:
    FritzFrog: A cryptocurrency-mining botnet was discovered that compromised at least 500 enterprise and government servers. 
    Ukraine arrests: Ukraine law enforcement arrested suspected members of a gang that laundered $42 million in crypto for ransomware groups.
    2together: €1.2 million in cryptocurrency was stolen from the exchange.
    PlusToken: Chinese police arrested over 100 people suspected of being involved in the PlusToken cryptocurrency investment scam.
    Lazarus: Researchers discovered a new Lazarus campaign targeting a cryptocurrency firm through LinkedIn job adverts.
    September:
KuCoin: Roughly $150 million in cryptocurrency was stolen from the exchange’s hot wallets by a cyberattacker.
    Cryptocurrency phishing: Two Russians were charged for stealing close to $17 million in cryptocurrency-themed phishing campaigns.
    Eterbase: The cryptocurrency exchange lost $5.4 million, stolen from hot wallets by unknown attackers. 
    October: 
    Kik: The US SEC issued Kik a $5 million penalty over an allegedly illegal securities offering. 
    Harvest Finance: Hackers stole $24 million, but later returned $2.5 million. A $100,000 reward has been posted for information leading to fund recovery.
    November: 
    GoDaddy: GoDaddy admitted that its staff had become victim to a social engineering campaign leading to email and DNS record-based attacks against Liquid.com and NiceHash.
    Akropolis: Akropolis suffered a flash loan attack and $2 million in cryptocurrency was stolen. The company later offered the hacker a ‘bug bounty payment’ in return for the stolen funds. 
    Operation Egypto: US and Brazilian law enforcement seized $24 million in cryptocurrency from individuals allegedly connected to an online investor fraud scam.
    Silk Road: The US Justice Department seized $1 billion in Bitcoin, said to be from the now-defunct Silk Road marketplace.

    December:
    As new cybersecurity incidents occur, we will update for the month of December.



    The biggest hacks, data breaches of 2020

    Cybersecurity may be far from many of our minds this year, and in light of a pandemic and catastrophic economic disruption, remembering to maintain our own personal privacy and security online isn’t necessarily a priority. 

    However, cyberattackers certainly haven’t given anyone a break this year. Data breaches, network infiltrations, bulk data theft and sale, identity theft, and ransomware outbreaks have all occurred over 2020 and the underground market shows no signs of stopping.
    As a large swathe of the global population shifted to work from home models and businesses rapidly transitioned to remote operations, threat actors also pivoted. Research suggests that remote workers have become the source of up to 20% of cybersecurity incidents, ransomware is on the rise, and we are yet to learn that “123456” is not an adequate password. 
    Many companies and organizations, too, have yet to practice reasonable security hygiene, and vulnerabilities pose a constant threat to corporate networks. As a result, we’ve seen a variety of cyberattacks this year, the worst of which we have documented below.
    January:
    Travelex: Travelex services were pulled offline following a malware infection. The company itself and businesses using the platform to provide currency exchange services were all affected.
    IRS tax refunds: A US resident was jailed for using information leaked through data breaches to file fraudulent tax returns worth $12 million. 
    Manor Independent School District: The Texas school district lost $2.3 million during a phishing scam.
    Wawa: 30 million records containing customers’ details were made available for sale online. 
    Microsoft: The Redmond giant disclosed that five servers used to store anonymized user analytics were exposed and open on the Internet without adequate protection.
    Medical marijuana: A database backing point-of-sale systems used in medical and recreational marijuana dispensaries was compromised, impacting an estimated 30,000 US users.
    February:
    Estée Lauder: 440 million internal records were reportedly exposed due to middleware security failures. 
    Denmark’s government tax portal: The taxpayer identification numbers of 1.26 million Danish citizens were accidentally exposed.
    DOD DISA: The Defense Information Systems Agency (DISA), which handles IT for the White House, admitted to a data breach potentially compromising employee records.
UK Financial Conduct Authority (FCA): The FCA accidentally released sensitive information belonging to roughly 1,600 consumers as part of a response to a freedom of information request.
    Clearview: Clearview AI’s entire client list was stolen due to a software vulnerability.
    General Electric: GE warned workers that an unauthorized individual was able to access information belonging to them due to security failures with supplier Canon Business Process Service.
    March:
    T-Mobile: A hacker gained access to employee email accounts, compromising data belonging to customers and employees. 
    Marriott: The hotel chain suffered a cyberattack in which email accounts were infiltrated. 5.2 million hotel guests were impacted. 
    Whisper: The anonymous secret-sharing app exposed millions of users’ private profiles and datasets online.
    UK Home Office: GDPR was breached 100 times in the handling of the Home Office’s EU Settlement Scheme.
    SIM-swap hacking rings: Europol made arrests across Europe, taking out SIM-swap hackers responsible for the theft of over €3 million.
    Virgin Media: The company exposed the data of 900,000 users through an open marketing database.
    MCA Wizard: 425GB in sensitive documents belonging to financial companies was publicly accessible through a database linked to the MCA Wizard app.
    NutriBullet: NutriBullet became a victim of a Magecart attack, with payment card skimming code infecting the firm’s e-commerce store.

    April:
    US Small Business Administration (SBA): Up to 8,000 applicants for emergency loans were embroiled in a PII data leak.
Nintendo: 160,000 users were affected by a mass account hijacking campaign that abused the NNID legacy login system.
    Email.it: The Italian email provider failed to protect the data of 600,000 users, leading to its sale on the Dark Web.
    May:
    EasyJet: The budget airline revealed a data breach exposing data belonging to nine million customers, including some financial records.
    Blackbaud: The cloud service provider was hit by ransomware operators who hijacked customer systems. The company later paid a ransom to stop client data from being leaked online.
    Mitsubishi: A data breach suffered by the company potentially also resulted in confidential missile design data being stolen.
    Toll Group: The logistics giant was hit by a second ransomware attack in three months. 
    Pakistani mobile users: Data belonging to 44 million Pakistani mobile users was leaked online.
    Illinois: The Illinois Department of Employment Security (IDES) leaked records concerning citizens applying for unemployment benefits.
    Wishbone: 40 million user records were published online by the ShinyHunters hacking group.
    EasyJet: An £18 billion class-action lawsuit was launched to compensate customers impacted by a data breach in the same month.
    June:
    Amtrak: Customer PII was leaked and some Amtrak Guest Rewards accounts were accessed by hackers.
    University of California SF: The university paid a $1.14 million ransom to hackers in order to save COVID-19 research.
    AWS: AWS mitigated a massive 2.3 Tbps DDoS attack. 
    Postbank: A rogue employee at the South African bank obtained a master key and stole $3.2 million.
NASA: The DoppelPaymer ransomware gang claimed to have breached a NASA IT contractor’s networks. 
    Claire’s: The accessories company fell prey to a card-skimming Magecart infection.
    July:
    CouchSurfing: 17 million records belonging to CouchSurfing were found on an underground forum.
    University of York: The UK university disclosed a data breach caused by Blackbaud. Staff and student records were stolen.
    MyCastingFile: A US casting platform for actors exposed the PII of 260,000 users.
    SigRed: Microsoft patched a 17-year-old exploit that could be used to hijack Microsoft Windows Servers.
    MGM Resorts: A hacker put the records of 142 million MGM guests online for sale.
    V Shred: The PII of 99,000 customers and trainers was exposed online and V Shred only partially resolved the problem.
    BlueLeaks: Law enforcement closed down a portal used to host 269 GB in stolen files belonging to US police departments.
    EDP: The energy provider confirmed a Ragnar Locker ransomware incident. Over 10TB in business records were apparently stolen.
    MongoDB: A hacker attempted to ransom 23,000 MongoDB databases.
    August:
    Cisco: A former engineer pleaded guilty to causing massive amounts of damage to Cisco networks, costing the company $2.4 million to fix.
    Canon: The photography giant was struck by ransomware gang Maze.
    LG, Xerox: Maze struck again, publishing data belonging to these companies after failing to secure blackmail payments.
    Intel: 20GB of sensitive, corporate data belonging to Intel was published online.
    The Ritz, London: Fraudsters posed as staff in a clever phishing scam against Ritz clients.
    Freepik: The free photos platform disclosed a data breach impacting 8.3 million users. 
    University of Utah: The university gave in to cybercriminals and paid a $457,000 ransom to stop the group from publishing student information.
    Experian, South Africa: Experian’s South African branch disclosed a data breach impacting 24 million customers. 
    Carnival: The cruise operator disclosed a ransomware attack and subsequent data breach.
    September:
    Nevada: A Nevada school, suffering a ransomware attack, refused to pay the cybercriminals — and so student data was published online in retaliation. 
    German hospital ransomware: A hospital patient passed away after being redirected away from a hospital suffering an active ransomware infection.
    Belarus law enforcement: The private information of 1,000 high-ranking police officers was leaked. 
    NS8: The CEO of the cyberfraud startup was accused of defrauding investors out of $123 million.
    Satellites: Iranian hackers were charged for compromising US satellites. 
    Cerberus: The developers of the Cerberus banking Trojan released the malware’s source code after failing to sell it privately. 
    BancoEstado: The Chilean bank was forced to close down branches due to ransomware.
    October: 
    Barnes & Noble: The bookseller experienced a cyberattack, believed to be the handiwork of the ransomware group Egregor. Stolen records were leaked online as proof. 
    UN IMO: The United Nations International Maritime Organization (UN IMO) disclosed a security breach affecting public systems.
    Boom! Mobile: The telecom service provider became the victim of a Magecart card-skimming attack.
    Google: Google said it mitigated a 2.54 Tbps DDoS attack, one of the largest ever recorded.
    Dickey’s: The US barbeque restaurant chain suffered a point-of-sale attack between July 2019 and August 2020. Three million customers had their card details later posted online.  
    Ubisoft, Crytek: Sensitive information belonging to the gaming giants was released online by the Egregor ransomware gang.
    Amazon insider trading: A former Amazon finance manager and their family were charged for running a $1.4 million insider trading scam.

    November: 
    Manchester United: Manchester United football club said it was investigating a security incident impacting internal systems.
    Vertafore: 27.7 million Texas drivers’ PII was compromised due to “human error.”
    Campari: Campari was knocked offline following a ransomware attack.
    $100 million botnet: A Russian hacker was jailed for operating a botnet responsible for draining $100 million from victim bank accounts. 
    Mashable: A hacker published a copy of a Mashable database online.
    Capcom: Capcom became a victim of the Ragnar Locker ransomware, disrupting internal systems.
    Home Depot: The US retailer agreed to a $17.5 million settlement after a PoS malware infection impacted millions of shoppers.
    December:
    As new cybersecurity incidents occur, we will update for the month of December.


    Microsoft links Vietnamese state hackers to crypto-mining malware campaign

    Vietnamese government-backed hackers have been recently spotted deploying cryptocurrency-mining malware alongside their regular cyber-espionage toolkits, Microsoft said on Monday.
    The report highlights a growing trend in the cyber-security industry where an increasing number of state-backed hacking groups are also dipping their toes into regular cybercrime operations, making it harder to distinguish financially-motivated crime from intelligence gathering operations.
    APT32 joins the Monero-mining landscape
    Tracked by Microsoft as Bismuth, this Vietnamese group has been active since 2012 and is more widely known under codenames like APT32 and OceanLotus.
    For most of its lifetime, the group has orchestrated complex hacking operations, both abroad and inside Vietnam, with the purpose of gathering information to help its government with political, economic, and foreign policy decisions.
    But in a report published late Monday night, Microsoft says it has recently observed a change in the group’s tactics over the summer.
    “In campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam,” Microsoft said.
    It is unclear why the group made this change, but Microsoft has two theories.

    The first is that the group is using the crypto-mining malware, usually associated with cybercrime operations, to disguise some of its attacks from incident responders and trick them into believing their attacks are low-priority random intrusions.
    The second is that the group is experimenting with new ways of generating revenue from systems it infected as part of its regular cyber-espionage-focused operations.
    Other state-sponsored groups also hacking for personal gains
    This last theory also fits into a general trend seen in the cyber-security industry, where, in recent years, Chinese, Russian, Iranian, and North Korean state-sponsored hacking groups have also attacked targets for the sole purpose of generating money for personal gains, rather than cyber-espionage.
    The reasons for the attacks are simple, and they have to do with impunity. These groups often operate under the direct protection of their local governments, either as contractors or intelligence agents, and they also operate from within countries that don’t have extradition treaties with the US, allowing them to carry out any attack they want and know they stand to face almost none of the consequences.
    With Vietnam also lacking an extradition treaty with the US, Bismuth’s expansion into cybercrime is considered a given for a country that is expected to be “on the edge” of becoming a future cybercrime hub and a major cyber-espionage player in the next decade.


    Docker malware is now common, so devs need to take Docker security seriously

    Towards the end of 2017, there was a major shift in the malware scene. As cloud-based technologies became more popular, cybercrime gangs also began targeting Docker and Kubernetes systems.

    Most of these attacks followed a very simple pattern where threat actors scanned for misconfigured systems that had admin interfaces exposed online in order to take over servers and deploy cryptocurrency-mining malware.
    Over the past three years, these attacks have intensified, and new malware strains and threat actors targeting Docker (and Kubernetes) are now being discovered on a regular basis.
    But despite the fact that malware attacks on Docker servers are now commonplace, many web developers and infrastructure engineers have not yet learned their lesson and are still misconfiguring Docker servers, leaving them exposed to attacks.
    The most common of these mistakes is leaving Docker remote administration API endpoints exposed online without authentication.
    Over the past years, malware like Doki, Ngrok, Kinsing (H2miner), XORDDOS, AESDDOS, Team TNT, and others, have scanned for Docker servers that left the Docker management API exposed online and then abused it to deploy malicious OS images to plant backdoors or install cryptocurrency miners.
    The latest of these malware strains was discovered last week by Chinese security firm Qihoo 360. Named Blackrota, it is a simple backdoor trojan that is essentially a simplified version of the Cobalt Strike beacon implemented in the Go programming language.

    Only a Linux version was discovered until now, and it is unclear how this malware is being used. Researchers don’t know if a Windows version also exists, if Blackrota is being used for cryptocurrency mining, or if it’s used for running a DDoS botnet on top of powerful cloud servers.
    What is known is that Blackrota relies on developers who have made a mistake and accidentally misconfigured their Docker servers.
    The lesson from Blackrota and past attacks is that Docker is not a fringe technology anymore. Threat actors are now targeting it on purpose with at-scale attacks on a near-daily basis.
    Companies, web developers, and engineers running Docker as part of production systems are advised to review the official Docker documentation to make sure they have secured Docker’s remote management capabilities with proper authentication mechanisms, such as certificate-based authentication.
    Currently, there are plenty of tutorials around to guide even the most inexperienced developers with step-by-step guides.
    With Docker gaining a more prominent place in modern-day infrastructure setups, with attacks on the rise, and with the number of malware strains that target Docker systems growing by the month, it’s time that developers took Docker security seriously.

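To make the misconfiguration concrete, here is an added example (not from the article, and not Docker's own tooling) that audits a daemon.json for a remote API reachable over TCP without client-certificate authentication. It reads the daemon.json keys dockerd documents for remote access (hosts, tlsverify, tlscacert, tlscert, tlskey); the two configurations and the certificate paths in them are constructed for the example.

```python
"""Audit a Docker daemon.json for an unauthenticated remote API.

Added example, not from the article or from Docker. The keys checked are the
ones dockerd documents for remote access: "hosts" entries of the form
tcp://..., and "tlsverify" together with "tlscacert", "tlscert" and "tlskey",
which turn on certificate-based client authentication.
"""
import json
import sys

# daemon.json keys dockerd needs for certificate-based client authentication.
TLS_FILE_KEYS = ("tlscacert", "tlscert", "tlskey")
# Bind addresses that expose the socket on every network interface.
ALL_INTERFACES = ("", "0.0.0.0", "[::]", "::")


def bind_address(tcp_host: str) -> str:
    """Return the bind address of a tcp://host:port entry ('' if omitted)."""
    addr = tcp_host[len("tcp://"):]
    if addr.startswith("["):              # bracketed IPv6 literal, e.g. [::]:2375
        return addr[: addr.index("]") + 1]
    if addr.count(":") == 1:              # host:port
        return addr.split(":")[0]
    return addr                           # no port given


def audit_daemon_config(config: dict) -> list:
    """Return findings about the remote API; an empty list means none found."""
    findings = []
    hosts = config.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]
    if not tcp_hosts:
        # Only unix:// or fd:// sockets: the API is not reachable over the network.
        return findings
    if not config.get("tlsverify", False):
        # The mistake the article describes: TCP listener, no client authentication.
        for host in tcp_hosts:
            msg = (f"{host}: remote API reachable without client-certificate "
                   f"authentication (tlsverify off)")
            if bind_address(host) in ALL_INTERFACES:
                msg += ", bound to all interfaces"
            findings.append(msg)
        return findings
    # tlsverify is on: dockerd still needs the CA, server cert and key to verify clients.
    for key in TLS_FILE_KEYS:
        if not config.get(key):
            findings.append(f"tlsverify is on but {key} is missing, so dockerd cannot verify clients")
    return findings


def audit_file(path: str) -> list:
    """Load a daemon.json from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_daemon_config(json.load(fh))


# Constructed configurations: the exposed API on TCP port 2375 with no
# authentication, and the hardened form using certificate-based authentication
# on port 2376. Certificate paths are placeholders.
WEAK_CONFIG = json.loads("""
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
""")

HARDENED_CONFIG = json.loads("""
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
""")


if __name__ == "__main__":
    # Usage: python audit_docker_api.py [/etc/docker/daemon.json]
    if len(sys.argv) > 1:
        results = {sys.argv[1]: audit_file(sys.argv[1])}
    else:
        results = {"constructed weak config": audit_daemon_config(WEAK_CONFIG),
                   "constructed hardened config": audit_daemon_config(HARDENED_CONFIG)}
    for name, found in results.items():
        print(f"{name}: {'no remote-API findings' if not found else ''}")
        for finding in found:
            print("  -", finding)
```

The audit only reads daemon.json; hosts passed to dockerd with -H on the command line are not covered, so check the service unit as well.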

    The next normal is about managing remote, autonomous, distributed and digitally enabled workforce

    Salesforce research shows that the customer experience that companies provide is as important as their products. To deliver the best possible customer experience, businesses must shift away from silo-design principles to a model that minimizes process friction and more resembles how living organisms grow and flourish. 

    Flow by Design

    Living systems are flow-based. They circulate resources throughout the organism and its environment. A small number of pioneer organizations have already proven the effectiveness of this flow by design paradigm, demonstrating that flow-based designs can be better for the customer, better for the company and better for the environment than their silo equivalents and, as a result, represent a new, more sustainable business model for the future. These companies have also shown us that innovation at scale will require the adoption of new business models and flow-based design principles. In a series of articles we’ve been introducing the seven Flow principles and describing how they are emerging as world shapers in the early decades of the new millennium. In this article we are highlighting the principle of Integration. 
    So far, we have shown that everything and everyone in the post-COVID world is going to become increasingly connected, increasingly decentralized and increasingly autonomous. Employees are going to continue to work wherever they feel safe and productive, and customers are going to continue to shop online and expect speedy home delivery. Students will do more of a mix of online and in-person learning. More and more services will be delivered remotely, cars will become autonomous, and robot-taxis and drone delivery services will become the norm. Seniors will want to age in place, and telemedicine, connected health devices and concierge services, both online and in the home, will support them.

    The future of work in the next normal will be a hybrid model, built upon a digital, highly integrated and distributed model.
    For nearly all companies a big question is beginning to loom: how should they go about managing their resources in such a new world when they’re actually designed for the exact opposite conditions? In this article we will focus on how they should go about managing their distributed employees, suggesting a new model based on the principle of Integration and on related technological advances.

    The “structure” of management  
    In the Old Normal, management was conventionally a matter of hierarchy, not of expertise. An individual employee was the de facto manager of the employees directly beneath them in the company’s org chart and a de facto subordinate of the employee above them in the same chart. The act or practice of Management was never called out explicitly because it was taken for granted that the primary responsibility of the “owner” of each box on the chart was the management of everyone else in it. Likewise, nowhere on that org chart would we find “Management” as a function, division or department in the same way we would Sales, or Marketing, or Finance for example.

    Living systems are flow based. They circulate resources throughout the organization and its environment. In the digital economy, businesses must also be flow based. Today unfortunately, most companies are silo-based. And that’s why they’re dying. https://t.co/FxPqFysEYZ pic.twitter.com/FdLU1rmPYv
    — Vala Afshar (@ValaAfshar) March 2, 2020

    This hierarchy was supported and reinforced by the physical workplace. A manager, working from a private office, would oversee their direct reports working in the ranks and files of cubicles outside their door, or would figuratively oversee them from a higher floor. In meetings it was implicit but well-established practice that, depending on the layout of the room, the managers would sit at the place of greatest visibility, wherever they could see and be seen by their reports most clearly. There were rules to be followed, authorization and approvals to be gained, even etiquette and behavioral norms to be observed. And of course office attire, office hours, company signage, ID badges and security, the canteen, company communications and events, all helped to establish belonging, or at least fit. In the New Normal, however, where the employees are working from home or indeed from anywhere, and where few of the old ways of establishing, demonstrating and reinforcing hierarchy exist, the traditional command and control, direct supervision model of management that was already creaking at the joints now feels significantly outdated. And while that sounds like a good thing, none of the old ways of establishing identity or belonging exist either, which sounds less good. Meanwhile, our colleague Tiffani Bova, describing a recent Forbes Insight study on employee experience, writes that the study:

    …identified a correlation between employee experience (EX), customer experience (CX), and growth. The study found that companies that were hyper focused on enhancing their employee engagement ultimately had higher customer engagement levels and revenue growth. More specifically, these companies amassed 1.8 times more revenue growth (nearly double) than organizations that solely focused on customers. Conversely, the respondents indicated that solely focusing on customers did not correlate to higher EX or revenue.

    Work from home (WFH) should give employees their autonomy, not extend the company’s authority into their private space. It should also give the company the opportunity to discontinue the use of the word “remote”. Let’s re-brand WFH to “Working From Here”. https://t.co/hpjhW7rEbW pic.twitter.com/ULlbIESqe5
    — Vala Afshar (@ValaAfshar) May 26, 2020

    In short, it may be more difficult than ever for management to focus on the employee experience but it’s also demonstrably more important than ever.
    Orchestration – the integration of distributed, autonomous resources

    So what can companies and their leadership do? Because the New Normal is still so, well, new there are no tried and true examples of distributed employee management. There are, however, analogs and precursors that might be productive. We asked ourselves if there are any other types of resources that are already Flow-based, meaning distributed, autonomous, connected and mobile, and the most compelling example we came up with was autonomous vehicles (which we have already discussed as an example of flow here and here). We then saw that for all the autonomous vehicles that are privately and individually owned there are also emerging models, like Mobility as a Service (MaaS), where they are managed as fleets. And when we looked at the way these fleets of autonomous vehicles are being managed, what we found was the world of Orchestration.

     Resource orchestration and service orchestration are already established practices in the world of software, where “the goal of orchestration is to streamline and optimize frequent, repeatable processes. Companies know that the shorter the time-to-market, the more likely they’ll achieve success. Anytime a process is repeatable, and its tasks can be automated, orchestration can be used to optimize the process in order to eliminate redundancies.”
    Mulesoft, the world’s leading software integration platform, further defines the goals and the benefits of application orchestration as follows: “Application or service orchestration is the process of integrating two or more applications and/or services together to automate a process, or synchronize data in real-time. Application orchestration provides a) an approach to integration that decouples applications from each other, b) capabilities for message routing, security, transformation and reliability and c) most importantly, a way to manage and monitor your integrations centrally”.  So when we’re talking about the management of digital resources in contemporary enterprises, where we want to maintain individual resource autonomy and yet still coordinate a great many of them towards a common goal, orchestration is already a key principle. Orchestration is Integration, but critically it is not point to point or hard-wired integration which creates dependencies and inflexibility. Orchestration is dynamic integration which creates almost endless opportunities for reuse and reconfiguration.

    Fleet orchestration is a logical extension of this principle, still applying it to software but this time to software that controls physical resources, like cars, buses, and other vehicles, whose primary function is mobility (travel and transportation) rather than information processing. These vehicles are called “autonomous” because they no longer rely upon a human operator or driver and instead are controlled by this embodied software, which is mostly sensor or AI based. In some ways fleet orchestration is not so new. Taxi schedulers and distribution companies have been faced with the challenges of resource allocation and journey optimization for years or even decades. In the world of MaaS, however, fleet managers will need to handle far higher volumes with mixed demand types, mixed resource types, and with far more complex requirements for integration with external entities like automotive manufacturers, mapping companies, regulatory entities, payment infrastructures as well as both individual and business customers in both on-demand and scheduled settings. For example, Bestmile, a transportation software startup, has developed a Fleet Orchestration Platform which, according to the company’s website, “can manage autonomous and human-driven vehicles, supports on-demand and fixed-route systems, integrates with multiple transport modes, and provides flexible applications for travelers, drivers, and operators. Its AI-powered algorithms orchestrate fleets with ultra-efficient ride matching, dispatching and routing proven to move more people with fewer vehicles with predictable operator and passenger KPIs.” The benefits of fleet orchestration can be enormous: “Our [Bestmile] study found that 400 shared vehicles could do the work of 2700 Chicago taxis with predictable ride times and wait times. An MIT study found that a fleet of 3,000 taxis could meet 98 percent of demand served by New York City’s 13,000 vehicles with an average wait time of 2.7 minutes. UT found that one shared autonomous vehicle could replace 10 personal autos with wait times between a few seconds and five minutes.” The question is, can this orchestration model extend to companies and the management of their own resources, human as well as digital?
    Applying orchestration to human resources
    John Kao, Chairman of the Institute for Large Scale Innovation, has come to a similar conclusion as we have about the need for change in organization and management paradigms:

    Unfortunately, our leadership playbooks often remain largely frozen in time, originally designed for the authority and control needed to keep industrial bureaucracies functioning efficiently. But we are in the midst of a fourth industrial revolution that requires agility, rapid innovation and fluid, networked organizational designs. The commandant must give way to the orchestrator, the machine to the network. 

    Corporate IT departments are already beginning to reflect this shift. In the world of Agile DevOps practices, teams are self organizing and autonomous and they apply orchestration principles to their release activities. According to Digital.ai:

    With Release Orchestration, DevOps teams are able to model software delivery pipelines, coordinate automated tasks with manual work, integrate a variety of tools for building, testing, and deploying software, and use data to identify bottlenecks and potential areas for improvement.

    Silo design      Flow design
    Extraction       Connection
    Accumulation     Distribution
    Isolation        Integration
    Dependency       Autonomy
    Immobility       Mobility
    Batching         Continuity
    Flow based systems optimize holistic success. https://t.co/FxPqFysEYZ pic.twitter.com/WIifqDNkmA
    — Vala Afshar (@ValaAfshar) March 3, 2020

    And a small but increasing number of companies are applying the Agile philosophy to business functions outside of IT, including Marketing, HR, Legal and beyond, leading towards what has been called Enterprise Agility. McKinsey has described the benefits of this approach in its March 2020 paper Enterprise Agility: Buzz or Business Impact?, showing that Employee Engagement, Customer Satisfaction and Operational Performance can all be improved by it. A key feature of Agile enterprises, according to the article, is that they “can quickly redirect their people and priorities toward value-creating opportunities. A common misconception is that stability and scale must be sacrificed for speed and flexibility. Truly agile organizations combine both: a strong backbone or center provides the stability for developing and scaling dynamic capabilities.” Orchestration is the connector between the backbone and the dynamic capabilities, between the strategy and shared purpose of the organization as a whole, its customer-focused missions and its autonomous resources. Putting this into practice will not be simple, and should itself follow an agile process, starting with a very small subset of customer journeys.

    A critical thing to note here is that the orchestration function is not supervisory in the traditional sense. Orchestrators are not hierarchically more senior than the teams executing the missions. They neither “own” the resources, nor the missions, nor the customers. They are flow-based, rather than silo-based, in the sense that their performance metrics are based on customer success, speed and throughput, not on the size of their budget or on the number of employees they manage. As companies become more and more data-driven, and as AI takes an increasingly central role in the operations of a company, orchestration and other related functions will become increasingly evident and important. As in the fleet orchestration example, we can expect to see Planning and Forecasting, Performance Tracking and Business Intelligence become more central components of the organization’s decision-making tool set, along with Orchestration itself.

    Conclusion

    We have already suggested that the organization of the future may be like an autonomous car, or even a spaceship, but perhaps really it is more like a fleet of them. In this model, the future company is relatively flat, comprising a number of distributed, autonomous resources, human, digital and hybrid, that are guided by an explicit orchestration function. The job of this orchestration function will be to create “missions”, using multiple, symbiotic intelligences, that anticipate and respond to customer needs, match them with the right resource or team of resources, and then entrust the successful and timely execution of the mission to that team.

    This article was co-authored by Henry King, a business innovation and transformation strategy leader at Salesforce and author of Flow Design, a new design paradigm for organizations and experiences based on the principles of movement and connections. King is a former CIO with 30 years of consulting and executive experience, both in the US and internationally, with expertise in innovation, design thinking, and information technology. King also teaches innovation and design topics at the School of the Art Institute of Chicago and the Institute of Design.