Minimum Security Standards Required for IoT Devices by Internet of Things Improvement Act

The Internet of Things Improvement Act has been introduced by co-chairs of the Senate Cybersecurity Caucus, U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO) and Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT). This act requires all IoT devices purchased by the U.S. government to meet minimum security standards. A companion bill has also been introduced in the House by Representatives by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX).

It has been predicted by Ericcson that there will be 18 billion IoT devices in use by 2022. What’s more, IDC predicts IoT spending will hit$1.2 trillion in the same year. With growing numbers of IoT devices, the concern about the security risk posed by the devices also grows.

Sen. Warner wants to ensure that a basic standard for security is achieved before any IoT device is allowed to connect to a government network. He also wants to make use of the purchasing power of the U.S. government in order to help establish minimum standards of security for IoT devices.

IoT devices are currently entering the market with scant cybersecurity protections. Often when cybersecurity measures are integrated into IoT devices it is as an afterthought. The majority of IoT devices have not been designed with security as a priority. This is largely as a result of the market encouraging device manufacturers to prioritize convenience and cost over security.

NIST are called by the bill to issue recommendations for IoT device manufacturers on secure development, configuration management, identity management and patching throughout the life-cycle of the devices. It will also be required for NIST to work alongside cybersecurity researchers and industry experts to develop guidance on coordinated vulnerability disclosures to make sure flaws are ironed-out when they are discovered.

The Internet of Things Improvement Act calls for the Office of Management and Budget (OMB) to make guidelines available for every agency that is consistent with NIST recommendations and for policies to be reviewed at least every five years.

It will also be required for any IoT device used by the federal government to meet the security standards set by NIST. Additionally, contractors and vendors that provide IoT devices to the government will be asked to adopt coordinated vulnerability disclosure policies to ensure information on vulnerabilities is disseminated.

It is vital that IoT devices do not give hackers an opportunity to break into government networks. Without these minimum security standards, the government will be open to attack and critical national security information will be in a vulnerable state.

The Internet of Things Improvement Act will see the U.S. government lead by example and better manage cyber risks.

Healthcare Employees Are Vulnerable to Phishing Attacks, According to Study

The healthcare industry is being heavily targeted by cybercriminals and phishing is one of the most common methods they are using to gain access to healthcare networks and, as a result, sensitive data. The number of successful phishing attacks on healthcare institutions is a serious cause for concern.

OCR identified email as being the main location of breached ePHI at HIMSS19, and the highest risk of data breaches come from phishing attacks.

Is the high number of successful phishing attacks mostly down to the healthcare industry being targeted more than other industry sectors? Or is it as a result of healthcare employees being more susceptible to phishing attacks? A recently published study has provided us with some answers.

A study has recently been conducted by Dr. William Gordon of Boston’s Brigham and Women’s Hospital and Harvard Medical School and his team to determine the susceptibility of healthcare employees to phishing attacks.

To conduct the study, Gordon and his team analysed data from 6 healthcare institutions in the United States that used vendor solutions or custom-developed tools to send simulated phishing emails to their employees.

The researchers analyzed the data collected from the simulated phishing emails sent to healthcare employees between August 2011 and April 2018. The data set included 95 simulated phishing campaigns which resulted in 2,971,945 simulated phishing emails being sent.

422,062 of these emails (14.2%) were clicked by the employees. The institutional click rate median ranged between 7.4% and 16.7% per campaign. In one of its campaigns, an institutions had a median click rate of 30.7%. Overall, 1 in 7 emails attracted a click across all institutions and all campaigns.

The emails were divided into three categories: Office-related, IT-related and personal. IT-related emails (e.g. password resets, security alerts) turned out to be the most successful, with an institutional click rate median of 18.6%.

No significant association between the year that campaigns were conducted and click rates was found by the researchers. However, they did discover that repeated phishing simulations reduced the chances of employees falling for a later phishing email.

Institutions that ran between 6 and 10 simulated phishing campaigns lowered the odds of a click on a phishing email by 0.511. When more than 10 campaigns were conducted, the odds were reduced by 0.335.

The researchers indicated that the healthcare systems are uniquely vulnerable to phishing attacks, mostly as a result of a high turnover of employees and a constant influx of new employees that may not have had any previous cybersecurity training. High endpoint complexity was also named as a factor that makes healthcare institutions vulnerable to phishing attacks.

From the high click rates, the researchers concluded that phishing is a major cybersecurity risk in healthcare.

Three particular tactics were suggested by the researchers to counter the threat from phishing:

  1. Prevent emails from being delivered to employees through the use of spam filtering technology
  2.  Implement multi-factor authentication to decrease the value of credentials
  3. Improve security awareness through cybersecurity training and phishing simulations.

The report ‘Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions’ was published on JAMA Network Open on March 8, 2019. DOI:10.1001/jamanetworkopen.2019.0393.

25% of Healthcare Organizations Have Suffered a Mobile Security Breach in Past Year

It has been indicated by the Verizon Mobile Security Index 2019 report that 25% of healthcare organizations have experienced a security breach which involved a mobile device in the past 12 months.

Despite all businesses facing similar risks from mobile devices, it appears that healthcare organizations are addressing risks better than most other industry sectors. Out of the eight industry sectors that were surveyed, healthcare experienced the second lowest number of mobile security incidents, just behind manufacturing/transportation.

Healthcare mobile security breaches have fallen considerably in the past couple of years. Since 2017, 35% of surveyed healthcare organizations claimed they had experienced a mobile security breach in the past 12 months.

Although the figures suggest that healthcare organizations are getting better at protecting mobile devices, Verizon argue that may not necessarily be what is happening. A suggested explanation is that healthcare organizations may simply be struggling to identify security incidents involving mobile devices.

Out of all the healthcare organizations surveyed, 85% believed that their security defenses were effective. What’s more, 83% said they believed they would be able to detect a security incident quickly. That confidence may be misplaced as 25% of healthcare organizations have suffered a breach involving a mobile device and 80% of those entities were made aware of the breach from a third party.

As mobile devices are used regularly to access or store ePHI, a security incident could easily result in a breach of ePHI. 67% of all healthcare mobile security incidents were considered major breaches. From those breaches, 40% had significant lasting repercussions and, in 40% of cases, it was said to be difficult and expensive to remediate the situation.

67% of mobile device security incidents involved other devices being compromised, 60% of organizations said they experienced downtime as a result of the breach, and 60% said it resulted in the loss of data. 40% of healthcare organizations that suffered such a breach said multiple devices were compromised, downtime was experienced, and they lost data. 30% of breached entities said that cloud services had been compromised due to a mobile security breach.

The main security risks were seen to be related to how devices were used by employees. 53% of respondents claimed personal use of mobile devices posed a major security risk and 53% said user error was also a significant problem.

Out of all the healthcare organizations that were surveyed, 65% were less confident about their ability to protect mobile devices than other IT systems. Verizon claims that this could be partly explained by the lack of effective security measures in place. An example of this can be seen with just 27% of healthcare organizations using a private mobile network and only 22% having unified endpoint management (UEM) in place.

It was also confirmed from the survey that users are taking major risks and are breaching company policies. Across all industries, 48% of respondents said in order to get tasks completed, they sacrificed security. This percentage was only at 32% last year. 81% admitted to using mobile devices to connect to public Wi-Fi, despite the fact that in many cases doing so violates their company’s mobile device security policy.

Hospitals at High Risk of Suffering Devastating Cyberattack, According to Moody’s

The following four industry sectors – hospitals, banks, market infrastructure providers, and securities firms – face significant financial risks from cyberattacks, a new Moody’s Investors Service Report has revealed.

Those four sectors were discovered to have high risk of being exposed to cyberattacks. The four sectors are all heavily reliant on technology for daily operations, distribution of content, and customer engagement. An ever-increasing digitalization and interconnectedness within each sector and across different sectors means the risk of cyberattacks is also increasing.

In Moody’s report, they assessed vulnerability to a cyberattack and the impact such an attack could have on crucial businesses operations, reputation damage and disclosure of data. Cybersecurity measures that had been deployed to protect the company against cyberattacks were not taken into account for the report, unless mitigants had been applied consistently across each sector (e.g. supply chain diversity). In total, 35 broad industry sectors were assessed for the report and each were given a rating of low-risk, medium-risk, or high-risk.

The health insurance, pharmaceutical, and medical device industries were all placed in the medium-risk category. Hospitals were rated at high-risk, with the main reasons being the sensitive and essential nature of data used by hospitals, the increasing number of vulnerabilities introduced due to connected medical devices, the value of healthcare data to hackers, and the estimated time it would take to recover from an attack as well as the disruption to the business during the mitigation of an attack.

A successful cyberattack can prove costly to mitigate. Entities which have been breached must increase investment in technology and infrastructure,  pay higher insurance premiums, cover the cost of regulatory fines and litigation, increase R&D spending. What’s more these attacks can have serious reputational effects, such as higher customer churn rates and a creditworthiness reduction.

“We view cyber risk as event risk that can have material impact on sectors and individual issuers,” stated Derek Vadala, Moody’s Managing Director. “Data disclosure and business disruption are the two primary types of cyber event risk that we view as having the potential for material impact on issuers’ financial profiles and business prospects.”

As the financial impact of a cyberattack can be substantial and long-lasting, it is vital for businesses and organizations in the high-risk sectors to have “robust sources of liquidity” to weather the storm.

While larger hospitals are likely to have more financial resources to assign to mitigating threats and recovering from cyberattacks, they are still not immune to attack. Even with these resources, they can still suffer a significant financial impact, particularly when you consider the fact that many hospitals have not purchased cyber insurance due to the high cost.

Cyberattacks on businesses and organizations in high-risk sectors have the potential to be catastrophic. This ultimately could have an impact on the ability of breached entities to pay back debts. The four high-risk industry sectors mentioned above hold a combined $11.7 trillion in rated debt.

Not only do they result in considerable financial costs and damage to an entity that is attacked, cyberattacks in the high-risk sectors would also likely have a number of ripple effects and a far-reaching impact on other industry sectors.

New Federal Data Privacy Act Proposed by Nevada Senator

A new bill (the Data Privacy Act) has recently been introduced by Nevada Senator Catherine Cortez Masto, (D-NV). This bill calls for improved privacy protections for consumers, greater accountability and transparency for data collection practices, and the prohibition of discriminatory data practices.

It is currently a requirement for HIPAA-covered entities to obtain consent from patients before using or disclosing their health information for reasons other than the payment for healthcare, provision of healthcare, or for healthcare operations. With this being said, companies not bound by HIPAA Rules do not have the same restrictions in place.

A number of states are considering introducing or have already introduced laws covering health and other sensitive data collected by entities that are not covered by HIPAA in the absence of a federal law that provides such protections. While Congress is assessing privacy protections for consumers, patchwork of state laws are currently the main providers of protection. As a result of this, privacy protections can vary greatly depending on where the consumer lives.

The bill, The Digital Accountability and Transparency to Advance Privacy (DATA Privacy) Act, calls for data privacy protections similar to that in place for GDPR to be introduced to limit the collection of personal data, to protect data that is collected, and to prevent personal data from being used to discriminate against individuals.

If the Data Privacy Act is passed, it will see consumers being given more of a say about the types of information that are collected, how this information is used, and with who the information is shared with.

The Data Privacy Act will also call for companies to provide consumers with an option of opting in or out of the collection and sharing of sensitive data, such as genetic information, location data and biometric data.

Consumers have a right to be told what information will be collected, how  the company plans to use the information, and with whom the information will be shared. The company must also create a process that allows consumers to check the accuracy of their data, to request a copy of any information that has been collected, and to be provided with the option of transferring or deleting their data without any negative effects.

Restrictions will also be implemented in terms of the data that can be collected. It will only be permitted for companies to collect data if there is a legitimate business reason for doing so. Additionally, individuals whose data is collected must not be exposed to unreasonable privacy risks. The bill also aims to protect consumers from discriminatory targeted advertising practices based on information they give such as sex, gender, sexual orientation, race, nationality, religious belief, or political affiliation.

It would also be necessary for any company that collects the personal data of more than 3,000 individuals in a calendar year to provide consumers with a notice of their privacy policies that clearly explains how their data will be used.

Furthermore, any business with annual revenues in excess of $25 million will also be required to appoint a Privacy Officer. His/her responsibilities will include tasks such as training staff on data privacy.

The FTC and state attorneys general will be given the authority to enforce compliance with the new Act and financial penalties will be issued to companies who are found not to be in compliance.

The intention of the Data Privacy Act is to improve privacy protections for consumers without placing any unnecessary burden on small businesses.

In a statement released in relation to the new ACT, Senator Cortez Masto said “My legislation takes a proactive approach to protecting consumer data by ensuring Americans have a voice in how their consumer data is used. I’m proud to introduce this legislation with my colleagues and will continue this fight to strengthen consumer privacy and data security.”

Definition of Personal Information that Requires Breach Notifications Expanded by New Jersey

A bill that expands the types of personal information that require notifications to be sent to consumers in the event of a data breach occurring has been unanimously passed by the New Jersey Assembly.

Up to now it has been required by New Jersey breach notification laws that businesses and public entities must send notifications to consumers if there has been a breach of their Social Security number, driver’s license number, or bank account number or credit/debit card information if they are accompanied with a password or code that enables access to the account.

The amendment to the New Jersey data breach notification requirements of the Consumer Fraud Act will see an expansion of the definition of personal information to include usernames and email addresses along with a password or answers to security questions that would allow accounts to be accessed.

This bill (A-3245) was sponsored by Ralph Caputo (D-Essex) and was recently passed by the Senate by a 37-0 vote and by the Assembly by a 76-0 vote. A bill which was almost identical (S-52) was passed by the Senate and Assembly in 2018, however it was not signed by the state governor at the time, Chris Christie. It is expected that current state governor Phil Murphy will sign the bill.

The bill closes a gap in current laws which would enable businesses to avoid notifying consumers of breaches of their online information. If online accounts are accessed or compromised, criminals can gain access to a variety of sensitive information that can be used for identity theft and fraud. Consumers have the right to be made aware if an online account can be accessed by someone else as a result of a data breach so they can take steps to secure their accounts.

Once the new bill is passed, breach notifications can be mailed to consumers or electronic notices can be provided. A substitute breach notice can be issued if more than 500,000 individuals have been affected or if the cost of providing notices would cost in excess $250,000. In such events, breach victims should be emailed promptly, and a notice should be posted in a prominent position on the company’s website.

However, a business or public entity that furnishes an email account is prohibited from issuing email notifications to breached accounts and must use a different means to deliver notices. An example of such a method could be providing a notice that is clearly visible when the user logs into their account from an IP address or location that has previously been used by the user to access their account.

A fine of up to $10,000 can be placed on any business or public entity found to have willfully violated state data breach notification laws and up to $20,000 for any subsequent offenses after the first. Furthermore, for individuals who have suffered ascertainable losses as a result of a data breach, there is now also a private right of action available.

Facebook’s Health Data Sharing Practices Investigated by New York State Departments

Sensitive health data is collected by Facebook from third party apps, even if the user has not logged in via Facebook or doesn’t even own a Facebook account according to a recent analysis of Facebook’s data collection practices.

Private information such as heart rate data, blood pressure measurements, menstrual cycle data, and other health metrics are handed over to Facebook, often without the user’s knowing or any specific disclosure that data provided by users or collected directly by apps are shared with the social media platform.

The Wall Street Journal recently conducted an investigation which tested various health-related apps. Although it was known that some of those apps send data to Facebook about when they are used, just how much data sharing that was occurring was not well understood. It was revealed by the report that 11 popular smartphone apps have been handing over sensitive data to Facebook without any apparent consent obtained from users.

On one particular app, Flo Period & Ovulation Tracker, dates of a user’s last period are shared with Facebook and the predicted date when the user is ovulating. Similarly, the Instant Heart Rate: HR Monitor App in the Apple iOS store was discovered to send users’ heart rate information to Facebook right after it is recorded. Neither of these apps or any others that were found to be sharing sensitive data with Facebook appeared to offer users a way of opting out of having their data shared.

The WSJ report notes that while the data sent by these apps may be anonymous, Facebook have a method of matching the information with a particular Facebook user and use the data to target specific ads.

The WSJ made contact with Facebook in relation to the report and received a reply confirming that some of the apps cited in the report appeared to be violating its business terms and that the social media platform does not authorize app developers to share “health, financial information or other categories of sensitive information,” and that the responsibility lies with the app developers to be clear to their users about the information that is being shared. A Facebook spokesperson also spoke to Reuters, saying “we also take steps to detect and remove data that should not be shared with us.”

Investigation of Facebook Instructed by New York Governor

New York State Governor Andrew M. Cuomo issued a press release on Friday, February 22, 2019, stating that he has instructed the Department of Financial Services and the Department of State to investigate how Facebook is acquiring health data and other sensitive information from developers of smartphone apps and the alleged breaches of Facebook’s own business terms and privacy violations.

Cuomo also said that if WSJ’s findings are correct, it amounts to “an outrageous abuse of privacy.”

Cuomo is determined to ensure companies are held responsible for upholding the law and ensuring the sensitive data of smartphone users is kept private and confidential. Personal data should not be shared with other companies without the clear consent of users.

HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Serious Concerns

Each year, HIMSS carries out a survey to collect information about safety experiences and cybersecurity practices at healthcare companies. The survey provides insights into the situation of cybersecurity in healthcare and identifies attack tendencies and common security gaps.

Continue reading “HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Serious Concerns”

Phishing Campaign Leverages Google Translate to Steal Google and Facebook Credentials

A phishing campaign has been spotted that misuses Google Translate to make the phishing webpage seem to be an official login page for Google.

The phishing emails in the campaign are similar to several other campaigns that have been run in the past. The messages have the subject “Security Alert” with a message body almost identical to the messages sent by Google when a user’s Google account has been accessed from an unknown device or place.  The messages contain the Google logo and the text, “A user has just signed in to your Google Account from a new Windows appliance. We are transmitting you this electronic mail to confirm that it is you.”

Below the text is a clickable button with the text “Consult the activity.” Clicking the link will direct the user to a website that has a spoofed Google login box. If identifications are entered, they will be sent to the scammer.  

The electronic mails are sent from a Hotmail account – – which is the first warning sign that the electronic mail notification is a fraud. On desktop browsers, the URL that users are directed to is obviously not official. A further indication that this is a fraud.

Nevertheless, the scam will not be so clear to any user on a mobile appliance. If the button in the electronic mail is clicked, the user will be directed to a phishing webpage that is served through Google Translate. The visible part of the URL in the address bar begins with, which makes the URL seem genuine. The use of Google Translate may be adequate to see the electronic mails bypass mobile safety defenses and the evidently official Google domain is likely to fool a lot of users into thinking the webpage is genuine.

If the user enters their Google identifications in the login box, an electronic mail is generated which transmits the identifications to the attacker. The user is then redirected to a bogus Facebook login page where the attackers also try to get the user’s Facebook login identifications.

The second attempt to phish for login identifications is easier to identify as fake as an old login box for Facebook is used. However, but at that point, the user’s Google account will already have been compromised.

The scam was recognized by Larry Cashdollar at Akamai.

IDenticard PremiSys Access Control System Vulnerabilities Found

ICS-CERT has issued a warning in relation to three high severity weaknesses in the IDenticard PremiSys access control system. All varieties of PremiSys software before version 4.1 are affected by the flaws.

If the weaknesses are effectively targeted it might result in full access being obtained to the system with administrative rights, theft of confidential information included in backups, and access being gained to details. The weaknesses might be targeted from a distant place and require a low level of expertise to abuse. Details of the weaknesses have been publicly disclosed.

The maximum severity weakness CVE-2019-3906 is related to hard-coded identifications which allow complete admin access to the PremiSys WCF Service endpoint. If properly exploited the hacker could gain complete access to the system with administrative rights. The weakness has been given a CVSS v3 base score of 8.8.

User identifications and other confidential data saved in the system are encrypted; nevertheless, a weak method of encryption has been applied which could probably be cracked resulting in the disclosure and theft of information. The weakness (CVE-2019-3907) has been given a CVSS v3 base score of 7.5.

Backup files are saved by the system as encrypted zip files; nevertheless, the password needed to unlock the standbys is hard-coded and cannot be altered. There is a chance a hacker could get access to the backup files and view/steal information. The weakness (CVE-2019-3908) has been given a CVSS v3 base score of 7.5.

Tenable’s Jimi Sebree identified and reported the faults.

IDenticard has tackled the hard-coded identifications weakness (CVE-2019-3906). Users must run an update to bring the software up to date with type 4.1 to tackle the weakness. IDenticard is presently developing a solution for the other two faults. A software update tackling those weaknesses is due to be released in February 2019.

As a temporary measure mitigation, NCCIC advises limiting and checking access to Port 9003/TCP, placing the system behind a firewall and making sure the access control system can’t be logged onto the Internet. If distant access is possible, secure methods must be used for access, including an up-to-date VPN.

Office 365 Phishing Campaign Uses SharePoint Partnership Request as Bait

A solitary Office 365 username/password blend can provide a hacker access to a huge quantity of confidential information. The information detailed in electronic mails can be of big value to rivals, identity thieves, and other fraudsters.

Office 365 identifications also give hackers access to cloud storage sources that can have extremely confidential business information and compromised accounts can be utilized to disperse malware and carry out additional phishing campaigns on a company’s workers and business associates.  

With the possible returns for a fruitful phishing attack so high, and a high proportion of companies using Office 365 (56% of all organizations internationally in 2018) it is no surprise that hackers are conducting targeted attacks on companies that use Office 365.

Office 365 Phishing Campaign Utilizes SharePoint Collaboration Request as Lire

A fresh report from Kaspersky Lab has emphasized an Office 365 phishing campaign that has confirmed to be highly effective. The campaign was first known in August 2018 and is still active. Kaspersky Lab approximates that as many as 10% of all companies using Office 365 have been targeted with the hack.

The campaign has been dubbed PhishPoint because it uses a SharePoint partnership request to lure workers into disclosing their Office 365 identifications. The electronic mails are reliable, the hyperlink seems to be genuine, the method used to get Office 365 login information is unlikely to stimulate doubt, and the campaign is able to sidestep Office 365 anti-phishing safeguards.

Electronic mails are transmitted to Office 365 users requesting partnership. The electronic mails have a genuine link to OneDrive for Business, which guides users to a document having an “Access Document” link at the bottom. As the hyperlink guides the user to a genuine document in OneDrive for Business, it is not recognized as a phishing electronic mail by Office 365.

If the user clicks the link he/she will be redirected to an Office 365 login page on a website managed by the attacker. The login page appears identical to the genuine login page utilized by Microsoft; however, any identifications entered on the site will be captured by the attacker.

Safeguarding Against Office 365 Phishing Attacks

Safeguarding against Office 365 phishing campaigns needs a defense in depth approach. Microsoft’s Advanced Threat Protection must be implemented to obstruct phishing electronic mails and avoid them from reaching inboxes, even though this campaign demonstrates that APT controls are not always effective. A better choice is to use a spam filtering/anti-phishing solution that looks deeper than the URL and examines the page/document where users are directed.

Endpoint safety solutions offer an additional safeguard against phishing attacks and web filters can be used to avoid users from visiting phishing websites. However, these technical solutions are not dependable.

New cheats are continuously being developed by cybercriminals that bypass anti-phishing defenses. Workers, therefore, need to be trained on how to identify phishing electronic mails and must be taught cybersecurity best practices. Through regular training, workers can be conditioned on how to react to electronic mail threats and can be changed into a robust last line of defense.

Latest Speedup Linux Backdoor Trojan Used in Widespread Attacks

Safety researchers at Check Point have recognized a new Trojan called Speedup which is being utilized in targeted attacks on Linux servers. The Speedup Linux backdoor Trojan can also be utilized to attack Mac appliances.

The Trojan is installed through abuses of weaknesses via six Linux distributions, including the recently identified ThinkPHP vulnerability, CVE-2018-20062.

The present campaign is targeting Linux appliances in the Philippines, China, India, and Latin America. The Trojan was first noticed in late December, but infections have risen substantially since January 22, 2019. Although the malware is now being acknowledged by numerous AV engines, at the time of analysis, the malware was not being noticed as malevolent.

As soon as fitted, the malware communicates with its C2 server and records the sufferer’s machine. The malware tries to spread laterally within the infected subnet through a variety of RCE weaknesses including CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, the Hadoop YARN Resource Manager command implementation fault, and a JBoss AS 3/4/5/6 RCE weakness.

A Python script is included which checks for additional Linux servers within both internal and external subnets. Access is gained via brute force implies using a pre-defined list of usernames/passwords. Perseverance is achieved through cron and an internal mutex which makes sure only one occurrence remains active at any one time.

The Speedup Linux backdoor Trojan constantly communicates with its C2 and copies and runs a variety of different files, including an XMRig miner. The Trojan, under its C2 control, can run arbitrary code, download and execute files, stop running procedures on an infected host, uninstall programs, and update connected files.

Check Point scientists have attributed the Speakup Linux backdoor Trojan to a danger actor known as Zettabithf.

The complicated nature of the malware indicates it is likely that the objective of the attacker is not just to install cryptocurrency miners. When infected, any number of different malware payloads can be installed. Check Point proposes that more intrusive and aggressive campaigns are likely to be introduced.

Xvideos Sextortion Scam Threatens to Disclose Porn Viewing Habits

An xvideos sextortion cheat threatens to uncover users’ porn viewing habits to friends, family, and work partners.

The scammer announces to have recorded the user through the webcam while they viewed matter on the xvideos adult website. The electronic mail is made more credible by the addition of the user’s password in the message body.

The scammer announces to have gained access to the electronic mail receiver’s computer and installed a keylogger. The malware permitted information to be obtained from the appliance, including the websites that the user has visited. Moreover, the malware permitted access to be gained to the computer’s microphone and webcam.

The scammer announces to have recorded audio and video footage while the user visited the common adult website, xvideos. That footage was utilized to create a “double screen video” with one half of the screen displaying the webcam footage while the other displays the adult matter that was being seen at the time.

The user is told that the malware fitted on the computer permitted contacts to be harvested from Facebook, Messenger, and the user’s electronic mail account. The user is advised to make a payment of $969 in Bitcoin to avoid the video from being emailed to every contact.

The scammer proposes that proof that the video is actual can be obtained; however, requesting proof will see the video transmitted to 6 of the user’s contacts.

The Bitcoin address supplied in the electronic mail demonstrates that 11 people have made payments totaling 0.959 Bitcoin – Around $3,272 – therefore it is obvious that some people either trust the danger is actual or they are not wishing to take a chance.

These cheats are easy to create and only require a list of electronic mail addresses and passwords, which can be easily bought on underground markets and forums. The passwords used in the electronic mails are actual and come from earlier data breaks.

The passwords might be old, but they will no doubt be identified. Users who don’t practice good password hygiene might find their present password is supplied, adding to the realism of the cheat. These kinds of sextortion cheats are becoming progressively common. They are also extremely effective. A similar cheat was recognized in December which also used old passwords and had similar threats. The Bitcoin wallet used in that cheat showed over $50,000 in payments were made in a week.

Latest Cybersecurity Framework for Medical Devices Issued by HSCC

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued the latest cybersecurity framework for medical devices. Medical device sellers, healthcare suppliers, and other healthcare industry stakeholders that implement the voluntary framework will be able to improve the safety of medical appliances throughout their lifecycle.

The HSCC is a union of private sector crucial healthcare infrastructure units that have associated with the government to find and mitigate dangers and exposures facing the healthcare sector. The group includes over 200 healthcare industry and government companies. Collectively they work on developing strategies to tackle present and evolving cybersecurity challenges encountered by the healthcare sector.

Over 80 companies contributed to the growth of the Medical Appliance and Health IT Joint Security Plan (JSP), which builds on commendations made by the Healthcare Industry Cybersecurity Task Force founded by the Division of Health and Human Services after the passing of the Cybersecurity Information Sharing Law of 2015.

“It is vital for medical device producers and health IT sellers to take into account the JSP’s voluntary framework and its related plans and templates all through the lifecycle of medical devices and health IT as doing so is expected to lead to better security and therefore better products for patients,” clarified HSCC.

Cybersecurity controls can be tough to incorporate into existing procedures. Companies often fail to know how vital safety controls are, and when considering how to increase cybersecurity many don’t know where to begin or have inadequate resources to dedicate to the job. The framework assists by providing direction on how to create a safety policy and procedures that ally with and integrate into present procedures.

HSCC is urging companies to commit to applying the JSP as it is thought that by doing so patient security will be enhanced.

The JSP can be adopted by companies of all sizes and stages of maturity and assists them to increase cybersecurity of medical devices by tackling main challenges. A lot of big producers have already generated similar cybersecurity programs to the JSP, therefore it is likely to be of most use for small to medium-sized firms that lack consciousness of the steps to take to improve cybersecurity and those with fewer resources to dedicate to cybersecurity.

The JSP uses safety by design rules and identifies shared responsibilities between industry stakeholders to synchronize safety standards, risk assessment methods, reporting of weaknesses, and improve information sharing between appliance producers and healthcare suppliers. The JSP covers the whole lifecycle of medical appliances, from development to deployment, management, and end of life. The JSP contains numerous recommendations including the inclusion of cybersecurity measures during the design and development of medical appliances, handling product complaints linked to cybersecurity events, alleviation of post-market weaknesses, managing safety risk, and decommissioning appliances at end of life.

The Medical Appliance and Health IT Joint Security Plan can be downloaded on this link.

Apple IOS Vulnerability Allows Hackers to Spy on FaceTime Calls

A severe Apple IOS vulnerability has been noticed that lets people to gain access to both the microphone and the front-facing camera on Apple appliances by manipulating a fault in FaceTime. Further, the fault even lets microphone/camera access if the call is not replied. The fault has prompted several safety experts to advise Apple device proprietors to stop using FaceTime until the fault is rectified.

To manipulate the fault, a user would require to use FaceTime to call another individual with an iOS appliance. Before the call is replied, the users would need to add themselves as additional contacts to Group FaceTime. As soon as that has occurred, the persons being called would have their microphones turned on and the callers could listen to what is occurring in the room, even when the call is not replied.

If the individual being called was to silent the call (by pressing the power button) the front-facing camera would also be triggered, providing the caller video footage and audio.

Safety specialists have cautioned that it does not matter whether the call is replied, just by calling a person it is possible to listen to what is occurring in the room and see everything in the camera’s field of view. Although this might prove distressing for some FaceTime users, it might also result in serious harm. Compromising footage might be recorded and utilized for extortion.

Several cases of this happening have been posted on social media networks and it is obvious that this Apple IOS vulnerability is being actively abused. Apple is conscious of the problem and has announced that a solution will be issued later this week. Until such time, Apple appliance owners have been instructed to inactivate FaceTime through appliance settings. If FaceTime is inactivated, the vulnerability cannot be abused.

0Patch Micropatches Issued to Respond to 3 Zero-Day Windows Bug

0Patch has issued a micropatch to tackle three zero-day Windows bugs that have yet to be tackled by Microsoft, including a zero-day distant code execution vulnerability in the Windows Contacts app.

The 0Patch platform allows micropatches to be swiftly dispersed, applied, and unconcerned to/from running procedures without having to restart computers or even restart procedures. The platform is still in beta, even though checking and fine-tuning is nearly at an end. 0Patch has already issued several micropatches to tackle zero-day weaknesses in Microsoft products to assist companies temporarily alleviate vulnerabilities until a complete patch is issued.

The latest round of repairs tackles three lately found vulnerabilities in Microsoft products.

The first patch tackles a fault named AngryPolarBear which was identified by safety researcher SandboxEscaper who circulated a proof-of-concept exploit for the vulnerability in December. Although the vulnerability doesn’t allow distant code execution, an attacker might leverage the weakness to overwrite main system files, which might be utilized in DoS attacks.

The vulnerability lets a local unprivileged procedure to get a selected system file on a weak appliance overwritten in the context of a Windows Error Reporting XML file. The PoC lets the XML file to be substituted with a hard link to the selected target. An attacker will not have much influence over the matter of the XML file but might abuse the fault to corrupt the vital system file pci.sys, and thus avoid the system from booting. The patch halts the XML file from being erased.

The second patch also tackles another vulnerability identified by SandboxEscaper, which has been named readfile. A PoC exploit was also distributed in December. This vulnerability is present in the Windows Installer and might let an attacker get confidential information. The vulnerability can be abused by an unprivileged procedure and lets random files to be read – in the case of the PoC, the desktop.ini file.

The third patch tackles a vulnerability in the Windows Contacts app which, if abused, might result in distant code execution on a vulnerable appliance. The vulnerability fault was identified by ZDI researcher John Page who submitted the fault to Microsoft, which surpassed the 90-day window for delivering a repair. Microsoft has announced that it will not be delivering a repair to rectify the fault, so while micropatches are envisioned to be provisional repairs, this one is likely to be perpetual.

The vulnerability is present in the way that .Contact and .VCF contact information is saved and processed on Windows Vista to Windows 10 OSes. The vulnerability lets the formation of a contact file that has a malevolent payload in a sub-directory, which will be run when the user clicks the link in the contact file.

The Micropatches are supplied via the 0Patch platform which can be fitted free of cost. The Micropatches have been developed for Windows 10 and Windows 7 (for the second two vulnerabilities). Support at 0Patch must be contacted for patches for other susceptible Windows types.

STOP Ransomware Delivered through Software Vulnerabilities

STOP ransomware, a crypto-ransomware variation that utilizes the .rumba file extension on encoded files, is being transported through software vulnerabilities.

Software cracking programs that produce licenses for standard software programs are normally used to transport malware. The executable files frequently fit spyware and adware code during the cracking procedure and although it is known for other malware to be fitted when the programs are run, it is comparatively unusual for ransomware to be fitted.

However, one provider of cracks has included STOP ransomware to numerous software cracking programs that create license codes for Windows, Photoshop, Cubase, KMSPico, and antivirus software. The malevolent cracks are being dispersed across several sites.

The ID Ransomware facility has received 304 submissions of new STOP ransomware infections in January 2019, even though there are likely to be several more sufferers.

STOP Ransomware was first recognized in December 2017 and is repeatedly updated. A new type of the ransomware is issued nearly every month, each with a new file extension. The latest variant utilizes the .rumba extension, others include .puma, .keypass, .shadow, .pumax, .tro, and .djvu.

The ransom demands are changeable but are typically in the range of $300-$600 per infected appliance. Several different techniques are used to disperse the ransomware. Besides cracks, infections have happened as a consequence of brute force attacks, drive-by downloads from compromised websites, abuses of unpatched vulnerabilities, and spam electronic mails.

Although no free decryptor is available that can ensure recovery without paying the ransom, Michael Gillespie has created a decryptor that can be used free of charge that might allow sufferers to recover their files. Details can be found in this post.

Cryptocurrency Mining Malware Tops Most Wanted Malware List

Check Point’s Most Wanted Malware report for December 2018 demonstrates that cryptocurrency mining malware was the principal malware danger in December. The top four malware dangers in December 2018 were all cryptocurrency miners.

Continue reading “Cryptocurrency Mining Malware Tops Most Wanted Malware List”

North Carolina State AG Suggests Stricter Data Breach Notification Laws

North Caroline Attorney General Josh Stein and state agent Jason Saine have presented a bill to modernize data breach notification rules in the state and increase safeguards for state inhabitants after an increase in data breaches affecting North Carolina inhabitants were recorded all through 2017.

Continue reading “North Carolina State AG Suggests Stricter Data Breach Notification Laws”

773 Million Electronic mail Addresses and 21 Million Unique Passwords Listed for Sale

A huge collection of login identifications that contains roughly 773 million electronic mail addresses has been uncovered by safety researcher Troy Hunt. Hunt is an Australian Microsoft Regional Director and keeps the Have I Been Pwned (HIBP) website, where people can test to see whether their login identifications have been thieved in a data breach.

Continue reading “773 Million Electronic mail Addresses and 21 Million Unique Passwords Listed for Sale”