At a glance.
- Ransomware trends in 2021.
- Data breach at the Dallas, Texas, public schools.
- Cities as targets of ransomware.
- Incentivizing CSAM-detection technology.
- What privacy laws look like in a federal system.
- Data compromise at the United Nations.
- REvil's reappearance?
- Update on the Howard University ransomware incident.
Ransomware trends for 2021 so far.
Cybersecurity firm BlackFog has released its Global Ransomware Report for August. Some highlights:
- Of the twenty-one ransomware attacks reported, 44% occurred in the US, followed by 11% in the UK.
- Government, education, and services industries have been the hardest hit this year, with healthcare highly targeted in August.
- The average ransom payout for the quarter is $135,576, a 38% decrease from Q1/21.
- The REvil ransomware group saw the most action, followed by Conti and Darkside.
- The last quarter has seen a decrease in remote desktop protocol attacks, with an increase in email phishing operations.
School data breach.
The Dallas Independent School District, located in the US state of Texas, has disclosed a “data security incident” in which student, alumni, parent, and employee info might have been exposed. “At this time, it appears the affected information has been contained and that none of it has been shared or sold. However, we cannot be 100 percent certain until additional forensic analysis is completed,” the public announcement reads.
Holding cities for ransom.
The Washington Post examines the recent surge in cyberattacks plaguing the networks of US city and county municipalities. Over the past few years, more than four hundred ransomware attacks have disrupted the operations of indispensable services like police departments and school districts. The attacks have cost cities millions of dollars in recovery, and the problem has been exacerbated by the fact that municipal IT departments are typically underfunded and understaffed. “The money just isn’t there and even if the money is there, the people aren’t,” Allan Liska, director of threat intelligence at the cybersecurity firm Recorded Future, explains. The wave of attacks has been further buoyed by a rise in ransomware-as-a-service operations, making it possible for anyone with a computer and basic skills to be the next threat actor.
Purandar Das, co-founder and chief security evangelist at Sotero, wrote about the seeming defenselessness of so many municipalities:
“The recent escalation of ransomware attacks is leaving organizations defenseless. The attacks, and more importantly the hostage taking of systems and information, have been a long time coming. Based on early attacks of phishing and infecting a system or two or stealing credentials, these attacks have been gaining sophistication for a long time. Coupling the technical maturity with the revelation that organizations will pay dearly to restore operational status as well as keep data confidential, the attackers are sitting on a gold mine. Cryptocurrency has made it laughably easy to collect ransom and stay undetected. Some lessons that are obvious from the current wave of attacks:
- "The existing mechanisms for preventing criminals from gaining access to networks don’t work. There are too many access points and too many integrations.
- "Leaving data unencrypted within networks is a non-starter.
- "Patching vulnerabilities across the technology stack is difficult, if not impossible, to do for many if not most organizations.
"So what do organizations do?
- "Adopt a detect, prevent and protect framework that works within the existing technology stack.
- "Detect malicious behavior within the network, assuming that the malicious actors have already gained access.
- "Prevent such efforts from wreaking havoc.
- "Above all, protect data through encryption at all times.”
UK incentivizes child safety tech.
While Apple has decided to table its plans to scan devices for child sexual exploitation material (CSAM) amidst pushback from privacy advocates, TechCrunch reports that the UK government is planning to put half a million dollars towards the creation of CSAM-detection technology. The Home Office and the Department for Digital, Culture, Media and Sport are launching a “Tech Safety Challenge Fund” intended to offer up to £425,000 to five organizations to work on child safety solutions for end-to-end (E2E) encrypted messaging platforms like WhatsApp. Responding to concerns that E2E encryption has put a virtual blindfold on law enforcement, the initiative is intended to enhance safety while maintaining user privacy. In response to allegations that the tech could allow governments to spy on innocent users, Home Secretary Priti Patel states that these “hyperbolic accusations” are misguided. “It is about keeping the most vulnerable among us safe and preventing truly evil crimes.” While the Home Office hasn’t directly endorsed Apple’s controversial CSAM tools, Patel did describe the tech giant’s plans as a good “first step.”
Smart tech and user privacy.
The New York Times' Wirecutter takes a look at how the lack of comprehensive US data protection legislation impacts the smart tech industry. Amie Stepanovich, executive director at the Silicon Flatirons Center at Colorado Law, explains, “Historically, in the US we have a bunch of disparate federal [and state] laws. [These] either look at specific types of data, like credit data or health information, or look at specific populations like children, and regulate within those realms.” In other words, unless they’re operating in a state with its own privacy law, smart tech companies are free to do whatever they choose with the user data they collect. This raises the question: what kinds of data do these digital products collect? Finishing up its “What Does the Internet Know About Me?” series, Avast concludes that the short answer is essentially everything. However, there are signs of a shift toward transparency, as many companies are using clearer privacy policies that make it easier for users to understand exactly what data they’re sharing.
UN networks compromised with stolen credentials.
The United Nations has sustained a cyberattack by unknown actors. Bloomberg reports that, earlier this year, stolen employee credentials, probably purchased online in a criminal forum, were used to gain access to UN networks.
Trevor Morgan, product manager with comforte AG, wrote about the simplicity of the attack, and how social engineering can obviate the need for malware:
“The tactically simple but successful cyberattack on the United Nations’ computer networks, now being reported as an ongoing breach with activity occurring for months, accentuates two very clear points. First, that while the impression of hackers is usually of technical geniuses using brilliant attack methods and sophisticated tools to skirt defensive measures, the reality is far from it. A majority of incidents are due to preventable human error or simple methods of attack such as stolen credentials. Second, that cybersecurity isn’t just a personal issue that affects our individual PII and sensitive financial information (though these are key concerns too). It is a matter of national security and potentially affects every single one of us with the repercussions of attacks on national entities.
"Quite simply, we can’t take cybersecurity and data protection seriously enough, at the personal level, at the organizational level, and at the national/international level.
"For enterprises and other organizations, emphasizing a culture of data security from top down (embraced by leaders and workers alike) goes a long way toward heading off human error and mistakes which could lead to stolen credentials and subsequent breaches. Also, expanding the toolkit of preventative data protection methods is an absolute necessity. Let’s face it—traditional protections just aren’t working, mostly because they focus on the borders around sensitive data and access through those borders. The solution is actually quite simple: protect the data itself! Data-centric methods such as tokenization and format-preserving encryption obfuscate sensitive data elements while retaining data format, making this approach ideal for organizations that want to work with protected data within their workflows without de-protecting that data.
"No matter who gets hold of the data, it remains protected and cannot be leveraged. We should all be united in a commitment to a world-wide culture of better data security, bolstered by data-centric protection in case the worst-case scenario occurs and threat actors actually access highly sensitive information.”
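The data-centric approach Morgan describes, shown as an added example that is not part of the original article or of any comforte AG product: a constructed, vault-based tokenizer that keeps the length, separators and last four digits of a card number so downstream workflows (receipt display, last-4 matching) can run on the token without de-protecting it. The FormatPreservingVault class and the in-memory dict vault are assumptions for illustration; production systems use NIST SP 800-38G FF1 or a hardened token vault.

```python
import secrets


# Constructed example: an in-memory, vault-based tokenizer. Real deployments use
# NIST SP 800-38G FF1 or a hardened token vault; the dicts here are for illustration.
class FormatPreservingVault:
    """Maps a digit string (e.g. a card number) to a token of the same shape.

    Non-digit characters (spaces, dashes) and the last `keep_last` digits are
    copied unchanged; every other digit is replaced by a random digit, so the
    token fits wherever the original did but reveals nothing without the vault.
    """

    def __init__(self, keep_last=4):
        self.keep_last = keep_last
        self._forward = {}  # plaintext -> token
        self._reverse = {}  # token -> plaintext

    def _random_token(self, value):
        n_hidden = sum(c.isdigit() for c in value) - self.keep_last
        out, seen = [], 0
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice("0123456789") if seen < n_hidden else ch)
                seen += 1
            else:
                out.append(ch)  # separators survive unchanged
        return "".join(out)

    def tokenize(self, value):
        if sum(c.isdigit() for c in value) <= self.keep_last:
            raise ValueError("value has no digits left to hide")
        if value in self._forward:
            return self._forward[value]  # deterministic: same input, same token
        token = self._random_token(value)
        while token == value or token in self._reverse:  # avoid leaks and collisions
            token = self._random_token(value)
        self._forward[value], self._reverse[token] = token, value
        return token

    def detokenize(self, token):
        return self._reverse[token]  # only the vault owner can reverse a token


def same_format(original, token, keep_last=4):
    """Check the property that lets workflows run on tokens unchanged."""
    return (len(original) == len(token)
            and all(a == b or (a.isdigit() and b.isdigit())
                    for a, b in zip(original, token))
            and original[-keep_last:] == token[-keep_last:])
```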
REvil's return? Further comment.
Since yesterday's discussion of signs that the REvil ransomware operation may be returning, we heard from Chad Anderson, senior security researcher for DomainTools, who offered some comment about the threat whose enduring name is Legion:
“This goes to show that whether rebranding or simply taking a vacation, these ransomware groups keep coming back. Although many of REvil’s notable features — such as booting into safe mode to avoid EDR or multi-threaded encryption — that made it so dangerous to begin with have moved on to other, more popular affiliate programs such as LockBit and BlackMatter, REvil continues to be a serious threat to organizations and its return should not be dismissed.”
More lessons drawn from the Howard University ransomware incident.
Howard University continues its recovery from the ransomware attack it detected last Friday. Students are attending classes that meet in person, but online instruction remains suspended. Ric Longenecker, CISO at Open Systems, offered some suggestions for other organizations facing a ransomware threat:
“Howard University became the latest victim of a ransomware attack. This should come as no surprise, as ransomware attacks are the No. 1 cybersecurity threat for universities. These organizations are particularly attractive to bad actors given the wealth of data that schools have – including medical information, social security numbers, addresses, and banking and credit card information. Although Howard University has done a great job with its response, this still highlights the need for higher education institutions to step up their cybersecurity efforts. These organizations can overcome, prevent and combat cyberattacks by leveraging a managed detection and response (MDR) provider. An experienced MDR provider can identify threats and contain them quickly and efficiently before they spread and impact students, faculty and parents.”