Canadian university hit by COVID-19 ransomware operation. Social networking app True leaves user data exposed. Millions of medical records left unattended.

Summary

By the CyberWire staff

At a glance.

Canadian university hit by COVID-19 ransomware operation.
Social networking app True leaves user data exposed.
Millions of medical records left unattended.

Canadian university hit by COVID-19 ransomware operation.

Threat actors attempted to infect the University of British Columbia (UBC) with ransomware by disseminating a fraudulent COVID-19 survey, reports Malwarebytes Lab. An email containing a fake questionnaire would usually signal a phishing attack, but this operation instead uses the survey as a means of delivering malware. The email directs the victim to a “mandatory” survey document saved on Box or DropBox. When opened, the document downloads a template containing a malicious macro that unleashes the ransomware. Once encryption is complete, a ransom message requesting eighty dollars appears on the victim’s desktop. There’s no indication that the threat actor is connected with any of the major cybercrime groups, and it’s unclear if UBC was the only target, but the school has stated that the email was sent to no more than one hundred employees.

Social networking app True leaves user data exposed.

True, a social networking app that promises users heightened privacy measures, states on their website that they “believe your privacy matters,” but, as TechCrunch reports, a recent security blunder indicates otherwise. Cybersecurity firm SpiderSilk’s Chief Security Officer Mossab Hussein discovered an unsecured True daily server log dashboard that appears to have been exposed since at least September. The dashboard contained unencrypted user data including contact information, private user-to-user communications, and geolocations. By creating a fake test profile, TechCrunch confirmed that the data on the dashboard was active, and Hussein proved a hacker could use it to access account login tokens to hack into the test account. True has confirmed the dashboard was unprotected and has taken it down, but did not confirm any plans to inform users or authorities.

Millions of medical records left unattended.

It’s currently National Cybersecurity Awareness Month, and in the midst of a global pandemic, this year’s focus is on protecting medical data. Unfortunately, healthcare breaches have been prevalent, and a recent exposure could impact 3.5 million US patients, reports SecurityWeek. Global vice president at security software firm New Net Technologies Dirk Schrader discovered unsecured medical records on a picture archiving and communication system (PACS) that was easily located using public search engine Shodan. The records, which included medical images like MRIs and x-rays, associated patient metadata like name, date of birth, medical concerns, and sometimes even social security numbers, could easily be obtained by any internet user without technical hacking skills. A threat actor could use the sensitive info for extortion or identity theft, or even weaponize the PACS with malware. It’s unclear whether the data have yet been misused, but as Schrader says, “It’s like these systems have been connected to the internet and just forgotten."

Selected Reading

Operation Earth Kitsune A Dance of Two New Backdoors (Trend Micro) We uncovered two new espionage backdoors associated with Operation Earth Kitsune: agfSpy and dneSpy. This post provides details about these malware types, including the relationship between them and their command and control (C&C) servers

Chinese Hackers Expanding Global Footprint Exploiting Common Vulnerabilities, Report Says (International Business Times, Singapore Edition) After the NSA published a list of 25 common vulnerabilities, cybersecurity research firm Check Point found that Chinese hackers have been exploiting them to expand globally

Cyberattacks target international conference attendees (Microsoft on the Issues) Today, we’re sharing that we have detected and worked to stop a series of cyberattacks from the Iranian threat actor Phosphorous masquerading as conference organizers to target more than 100 high-profile individuals, including potential attendees of the upcoming Munich Security Conference and the T20 Summit in Saudi Arabia.

Microsoft detects cyberattacks from Iran-linked actor engaged in intelligence collection (Reuters) Microsoft Corp <MSFT.O> said on Wednesday that it detected and attempted to stop a series of cyberattacks from Phosphorus, which the company described as an 'Iranian actor', with the attacks aimed to target over 100 high-profile individuals.

Microsoft: Iranian attackers hacked security conference attendees (BleepingComputer) Microsoft disclosed today that Iranian state-sponsored hackers successfully hacked into the email accounts of multiple high-profile individuals and potential attendees at this year's Munich Security Conference and the Think 20 (T20) summit.

Microsoft warns that Iranian hackers are targeting the Munich Security Conference (SiliconANGLE) Microsoft warns that Iranian hackers are targeting the Munich Security Conference - SiliconANGLE

Building wave of ransomware attacks strike U.S. hospitals (Reuters) Eastern European criminals are targeting dozens of U.S. hospitals with ransomware, and federal officials on Wednesday urged healthcare facilities to beef up preparations rapidly in case they are next.

European ransomware group strikes US hospital networks, analysts warn (CyberScoop) An Eastern European cybercriminal group has conducted ransomware attacks at multiple U.S. hospitals in recent days in some of the most disruptive cyber-activity in the sector during the coronavirus pandemic, cybersecurity company FireEye said Wednesday.

Ryuk Ransomware Delivered Using Malware-as-a-Service Tool (BankInfo Security) The operators behind the Ryuk strain of malware are increasingly relying on a malware-as-a-service tool - the Buer loader - to deliver the malware, rather than

FBI warns ransomware assault threatens US healthcare system (ABC News) Federal agencies say cybercriminals are unleashing a major ransomware assault against the U.S. healthcare system

FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals (KrebsOnSecurity) On Monday, Oct. 27, KrebsOnSecurity began following up on a tip from a reliable source that an aggressive Russian cybercriminal gang known for deploying ransomware was preparing to disrupt information technology systems at hundreds of hospitals, clinics and medical care facilities across the United States. Today, officials from the FBI and the U.S. Department of…

Hospitals being hit in coordinated, targeted ransomware attack from Russian-speaking criminals (Washington Post) Russian-speaking cybercriminals in recent days have launched a coordinated attack targeting U.S. hospitals already stressed by the coronavirus pandemic with ransomware that analysts worry could lead to fatalities.

Ransomware Activity Targeting the Healthcare and Public Health Sector (CISA) This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware for financial gain.

New Emotet delivery method spotted during downward detection trend (Malwarebytes Labs) Emotet got a superficial facelift this week, hiding itself within a fake request asking users to update Microsoft Word to take advantage of new features.

EXCLUSIVE: Medical Records of 3.5 Million U.S. Patients Can be Accessed and Manipulated by Anyone (SecurityWeek) The results of 13 million medical exams relating to around 3.5 million U.S. patients are unprotected and available to anyone on the Internet, with more than 2 petabytes exposed.

German infectious disease agency hit again by hackers after arson attack (Reuters) Germany's Robert Koch Institute for infectious disease control was targeted again by hackers on Wednesday, days after its headquarters was damaged in an arson attack, the Interior Ministry said.

Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser (FireEye) Mandiant Threat Intelligence has tracked several loader and backdoor campaigns that lead to the post-compromise deployment of ransomware.

REvil ransomware gang claims over $100 million profit in a year (BleepingComputer) REvil ransomware developers say that they made more than $100 million in one year by extorting large businesses across the world from various sectors.

Keeping ransomware cash away from your business (Malwarebytes Labs) Ransomware gangs are in the news for donating stolen funds to charitable organisations. Is this a good thing, or ultimately a terrible idea?

A Lesson in Phishing: University Account Takeover (INKY) If your business works with any universities, you’ll want to know about the latest phishing scam involving university account takeovers. Learn how hackers are harvesting credentials from businesses and what you can do to protect your company’s interests.

Fake COVID-19 survey hides ransomware in Canadian university attack (Malwarebytes Labs) Universities are a hot target for ransomware right now. In this latest attack, a threat actor was targeting the University of British Columbia.