At a glance.
- Cybercriminals bully virtual educators in the schoolyard.
- The persistence of hospital ransomware attacks.
- Egregor gains criminal marketshare.
- A new approach to skimming personal data from PayPal users.
Schoolyard bullies.
As the pandemic has compelled many schools to rely on virtual instruction, suffering a cyberattack is no longer an inconvenience; it is a brick wall, especially when, as the Washington Post reports, districts like Fairfax County Public Schools in the US commonwealth of Virginia are already struggling to make sure students don’t slip through the cracks. Alabama’s Huntsville City Schools (HCS) was forced to halt all instruction on Monday when administrators discovered the district’s network had been hit with a ransomware attack, reports AL.com. The Baltimore Sun reports that Baltimore County Public Schools in Maryland will be resuming classes tomorrow after a ransomware attack shut down the system for several days, but it is still unclear exactly what data were compromised or whether staff will be able to access necessary teaching tools. As cybersecurity firm Armis reports, the sheer number of constituents relying on a school’s network for virtual learning increases its vulnerability, especially when, as in several of the districts Armis monitored, constituents are using the school’s network on unauthorized machines like gaming consoles or point-of-sale devices.
Hospital ransomware attacks persist.
Cybercriminals continue to target US hospitals at a time when their resources are already strained due to the pandemic, reports the New York Times. As the CyberWire previously noted, the US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation, and Department of Health and Human Services warned in October that US hospitals should be prepared for a wave of ransomware attacks. The onslaught continues, as the Daily Beast reports that ransomware attackers stole patient data from leading fertility clinic US Fertility, and WHDH reports that the University of Vermont Medical Center is still dealing with the repercussions of the ransomware attack it suffered back in October. President Donald Trump’s firing of CISA director Christopher Krebs last week over voting disputes is likely to slow down an organized federal response. The attacks appear to be the work of Russian threat actors using Ryuk ransomware via TrickBot, and although government officials have not publicly speculated on the attackers’ motives, cybersecurity experts like Alex Holden of Hold Security say it is likely revenge. In late September the Pentagon's Cyber Command targeted TrickBot’s systems in an attempt to prevent election tampering, and Holden likens the hospital attacks to "a wounded animal lashing out."
Egregor climbs the ladder.
The Egregor ransomware group is emerging as a leading cybercriminal operation, reports Infosecurity Magazine. While fifteen attacks were traced to the group in September, their victim count increased to a staggering fifty-one in October, including bookseller Barnes and Noble and game developers Ubisoft and Crytek. Egregor’s success is due in part to built-in anti-analysis measures like code obfuscation, and, following in the footsteps of its predecessor Maze, the threat actors post stolen data on the dark web to pressure victims into paying up.
Bogus PayPal forms populated with stolen order information.
BleepingComputer reports on a new approach some Magecart groups are taking to card skimming. They're using compromised e-commerce sites and convincing simulacra of PayPal forms to steal user data. Ameet Naik, security evangelist at PerimeterX, sent us comments on the scam, along with some advice for businesses:
“Fake checkout forms have long been used by digital skimmers to steal credit card numbers. However, this approach can sometimes arouse suspicion because the transaction always fails, cluing savvy shoppers to the fact that something might be amiss. Attackers have been trying creative ways to solve this problem to increase their success rates. Pre-filling the form is one way to make consumers lower their guards. Another way is to modify third-party scripts on the payment form. For example, earlier this year, PerimeterX researchers uncovered Magecart attacks on Braintree, a PayPal service, that used modified versions of the payment script to actually complete the transaction successfully, leaving consumers with no signs that the website was infected.
“Businesses must continue to monitor the client side of their websites for suspicious activity such as fake checkout page injections and communication with suspicious domains. Consumers should stay alert for checkout or payment pages that fail or look different and notify their card issuer immediately of any suspicious activity.”
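One concrete way to act on the advice above, to watch the client side for injected checkout forms and for traffic to unexpected domains, is to deploy a Content-Security-Policy with `form-action` and `connect-src` directives and triage the violation reports the browser sends back. The module below is an added example written for this digest; it is not code from the CyberWire, PerimeterX, or PayPal. It assumes a report-uri style JSON report, a constructed store origin `shop.example`, constructed look-alike hostnames, and a constructed heuristic that treats any page path containing "checkout", "payment" or "billing" as a card-entry page. `www.paypal.com` is the real PayPal host and appears only as an allowlist entry.

```javascript
// Added example (not from the CyberWire item, PerimeterX or PayPal): triage of
// CSP violation reports as one way to monitor a checkout page for injected
// forms and exfiltration to unknown hosts. All hostnames, paths and report
// bodies below are constructed for illustration.

// Hosts a checkout page is legitimately allowed to post or connect to.
const ALLOWED_PAYMENT_HOSTS = new Set([
  'shop.example',     // constructed: the store's own origin
  'www.paypal.com',   // the legitimate PayPal endpoint
]);

// Directives whose violations mean data tried to leave the page.
const EXFIL_DIRECTIVES = new Set(['form-action', 'connect-src']);
// Directives whose violations mean foreign code or a foreign frame was loaded.
const INJECTION_DIRECTIVES = new Set(['script-src', 'script-src-elem', 'frame-src', 'child-src']);

const RANK = { ignore: 0, low: 1, medium: 2, high: 3 };

// Lowercase hostname of a URL, or null for CSP's non-network source keywords
// such as "inline", "eval" or "data".
function hostOf(uri) {
  try {
    return new URL(uri).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Classify one violation report (JSON string in the report-uri format).
function triageCspReport(reportJson, allowedHosts = ALLOWED_PAYMENT_HOSTS) {
  const body = JSON.parse(reportJson)['csp-report'];
  if (!body) return { severity: 'ignore', reason: 'not a csp-report' };

  // Older browsers send only violated-directive, which may carry the whole
  // source list ("script-src 'self'"); keep just the directive name.
  const directive = String(body['effective-directive'] || body['violated-directive'] || '').split(' ')[0];
  const host = hostOf(body['blocked-uri'] || '');
  const page = body['document-uri'] || '';
  // Constructed heuristic: pages where card data is entered get priority.
  const onCheckout = /checkout|payment|billing/i.test(page);

  if (host === null) {
    const severity = onCheckout && INJECTION_DIRECTIVES.has(directive) ? 'medium' : 'low';
    return { severity, directive, host, page, reason: 'non-network source (inline/eval/data)' };
  }
  if (allowedHosts.has(host)) {
    return { severity: 'ignore', directive, host, page, reason: 'allowlisted host' };
  }
  if (EXFIL_DIRECTIVES.has(directive) && onCheckout) {
    return { severity: 'high', directive, host, page, reason: 'checkout page sending data to unknown host' };
  }
  if (INJECTION_DIRECTIVES.has(directive)) {
    return { severity: 'medium', directive, host, page, reason: 'unexpected third-party code or frame' };
  }
  return { severity: 'low', directive, host, page, reason: 'unlisted host outside checkout flow' };
}

// Roll a batch of reports up per host, highest severity first, so one
// exfiltration domain hitting many shoppers shows as a single line.
function summarizeReports(reportJsons, allowedHosts = ALLOWED_PAYMENT_HOSTS) {
  const byHost = new Map();
  for (const json of reportJsons) {
    const t = triageCspReport(json, allowedHosts);
    if (t.severity === 'ignore' || t.host === null) continue;
    const entry = byHost.get(t.host) || { host: t.host, count: 0, severity: 'low', directives: new Set() };
    entry.count += 1;
    entry.directives.add(t.directive);
    if (RANK[t.severity] > RANK[entry.severity]) entry.severity = t.severity;
    byHost.set(t.host, entry);
  }
  return [...byHost.values()]
    .sort((a, b) => RANK[b.severity] - RANK[a.severity] || b.count - a.count)
    .map((e) => ({ ...e, directives: [...e.directives].sort() }));
}

// Constructed sample reports in the report-uri JSON format.
const SAMPLE_REPORTS = [
  // A fake payment form injected into checkout, posting to a look-alike host.
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://shop.example/checkout', 'effective-directive': 'form-action', 'blocked-uri': 'https://paypa1-secure.example/login' } }),
  // The same host reached by fetch/XHR from the checkout page.
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://shop.example/checkout', 'effective-directive': 'connect-src', 'blocked-uri': 'https://paypa1-secure.example/collect?o=1' } }),
  // Legitimate PayPal traffic that trips an overly tight policy: ignored.
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://shop.example/checkout', 'effective-directive': 'connect-src', 'blocked-uri': 'https://www.paypal.com/sdk/js' } }),
  // A third-party script on a non-payment page, reported by an older browser.
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://shop.example/', 'violated-directive': "script-src 'self'", 'blocked-uri': 'https://stats.example/t.js' } }),
  // Inline script on checkout: no host, but still worth a look.
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://shop.example/checkout', 'effective-directive': 'script-src-elem', 'blocked-uri': 'inline' } }),
];

console.log(JSON.stringify(summarizeReports(SAMPLE_REPORTS), null, 2));
```

Running the block prints the look-alike host first with severity `high` and both directives, then the analytics host at `medium`; the allowlisted PayPal call and the hostless inline report never reach the summary. Reports only describe what the policy blocked or would have blocked, so the policy itself has to list the store's real payment endpoints, otherwise legitimate PayPal traffic shows up as noise, as the third sample report illustrates.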