At a glance.
- Revenant REvil.
- WhatsApp offers encrypted backups.
- Hortum spyware platform in Turkey.
- Further comment on the UN data breach.
- California and Arizona healthcare providers disclose breaches.
The resurrection of REvil.
Last week we noted that the servers of the recently folded ransomware gang REvil, known for attacks on companies like JBS, Kenneth Cole, and most recently Kaseya, had suddenly sprung back to life. While it seemed too soon to say for sure that REvil was back in business, it seems where there’s smoke, there’s fire. Bleeping Computer confirms that REvil has returned, and while some experts thought REvil might undergo a rebrand, instead it seems the gang has simply restored its old servers and is operating under the same name. Victims listed on the gang’s Tor-hosted negotiation site have had their ransom payment deadlines reset, and evidence of new attacks includes a new REvil ransomware sample and screenshots of data stolen from a new victim. Flashpoint adds that REvil’s frontman, formerly known as “Unknown” or “UNKN,” has been replaced on the underground Russian-language forum Exploit by a spokesman bearing the less creative alias “REvil”. Though some speculate that REvil’s reemergence could be connected to talks between US President Joe Biden and Russia’s Vladimir Putin and the lifting of sanctions on companies involved in the Nord Stream 2 pipeline, other experts say there’s no evidence of a link.
WhatsApp enables encrypted backups.
Messaging giant WhatsApp has made the controversial move of letting users back up their conversations to the cloud in end-to-end encrypted form, TechCrunch reports. WhatsApp has used end-to-end encryption for messages in transit since 2016, but backups to iCloud or Google Drive sat outside that protection, so intruders or law enforcement who could reach the backup could potentially read the messages. The new backups are protected by a password or a 64-digit key that WhatsApp itself does not hold, which also means a user who loses both loses the backup. Though WhatsApp, which considers itself at the forefront of user privacy, has declined to say whether it discussed the change with government bodies, the change is significant: the platform is the first major messenger to close off what some see as a privacy violation. The Wall Street Journal sees the move as the latest blow in the ongoing battle between platforms seeking to increase user privacy and authorities who want access to the treasure trove of potential evidence. Riana Pfefferkorn of the Stanford Internet Observatory notes that the new encryption feature is not the default, so many users will likely never turn it on. That said, WhatsApp says the feature gives users a way to save messages out of reach of Apple’s new and controversial scanning system.
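The point above, that end-to-end encryption of messages does nothing for a backup sitting in a provider's cloud unless the backup itself is sealed under a key only the user holds, in a small added example. This is illustrative Go written for this page, not WhatsApp's code or protocol; the 16-byte salt, 12-byte nonce, PBKDF2 cost and blob layout are assumptions, and the chat export is a constructed sample. The backup is encrypted on the device with AES-256-GCM under a key derived from the user's passphrase, and only the resulting blob is uploaded, so whoever controls the cloud account, legitimately or otherwise, gets ciphertext and nothing else.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Illustrative parameters (assumptions, not WhatsApp's); the KDF cost is kept modest.
const (
	saltLen       = 16
	nonceLen      = 12 // standard GCM nonce
	kdfIterations = 100000
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA-256 (RFC 8018 §5.2), written out to avoid non-stdlib deps.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // T = U_1 xor U_2 xor ... xor U_c
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func PBKDF2Hex(password, salt string, iter, keyLen int) string {
	return hex.EncodeToString(pbkdf2SHA256([]byte(password), []byte(salt), iter, keyLen))
}

func newAEAD(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, kdfIterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts a chat export on the device under a key derived from the user's passphrase
// and returns salt || nonce || ciphertext+tag, the only thing uploaded; passphrase and key never leave.
func SealBackup(passphrase string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	aead, err := newAEAD(passphrase, header[:saltLen])
	if err != nil {
		return nil, err
	}
	// Salt and nonce are public but bound as associated data, so a modified header fails too.
	ct := aead.Seal(nil, header[saltLen:], plaintext, header)
	return append(header, ct...), nil
}

// OpenBackup reverses SealBackup; a wrong passphrase and a tampered blob both fail the tag check.
func OpenBackup(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 { // 16-byte GCM tag
		return nil, fmt.Errorf("backup blob too short")
	}
	header, ct := blob[:saltLen+nonceLen], blob[saltLen+nonceLen:]
	aead, err := newAEAD(passphrase, header[:saltLen])
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, header[saltLen:], ct, header)
	if err != nil {
		return nil, fmt.Errorf("wrong passphrase or tampered backup: %w", err)
	}
	return pt, nil
}

func main() {
	blob, err := SealBackup("correct horse battery staple", []byte("constructed chat export"))
	if err != nil {
		panic(err)
	}
	_, guessErr := OpenBackup("guess", blob)
	pt, _ := OpenBackup("correct horse battery staple", blob)
	fmt.Printf("cloud holds %d opaque bytes; guess: %v; owner reads %q\n", len(blob), guessErr, pt)
}
```

The trade-off the feature imposes is visible in OpenBackup: there is no recovery path that does not involve the passphrase, which is exactly why it protects against a compromised cloud account and why a forgotten passphrase means a lost backup. A production client would pick the KDF cost from current guidance rather than the modest constant used here.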
Ankara police and spyware.
Zero Day recounts how the Turkish National Police (TNP) may have engaged in police-on-police surveillance, using a spyware platform called Hortum (“hose” in Turkish) to snoop on suspected members of the influential Gülenist movement within its own ranks. The religious-political organization led by Fethullah Gülen, a Turkish imam and scholar based in the US, is considered a threat by those who fear the Gülenists are plotting an uprising against the Turkish government. Leaked emails show communications between the Italian firm Hacking Team, creator of the spyware, and a chief inspector in the IT department of the TNP Intelligence Division, where a police chief and a superintendent were arrested in 2016 on suspicion of Gülenist involvement. Though there are no clear answers, the story highlights how difficult it is to investigate the use of spyware when the authorities themselves might be the perpetrators.
Comment on the UN data breach.
Digital Journal looks at the recent UN data breach and sees evidence, not of technically sophisticated threat operations, but rather of thoughtful use of social engineering and the resources available in the criminal-to-criminal market, particularly stolen credentials offered for sale.
We received comments on the incident from Neil Jones, Cybersecurity Evangelist, Egnyte, who sees a lamentable tendency on the part of potential victims to overlook reasonably prudent security measures:
"The cyberattack that breached the computer systems at the United Nations is concerning in that it hit so close to the center of global power -- but it’s a real disaster for the IT team responsible for UN's file security. This particular attack is especially concerning, because smaller nation-states have been looking to the UN for critical leadership, as they navigate the COVID-19 pandemic.
"Unfortunately, far too often methods and tools are being employed that don’t meet the security and control needs of an organization, particularly a large Non-Government Organization like the UN. Security should be viewed as way more than a checklist. The best solutions fit in a broader sense of governance but still make it easy to share files with anyone, without compromising users' security and control.
"The reality is that all content and communications are vulnerable without proper data governance, and it is imperative that organizations protect the data itself. This type of security incident occurs regularly, particularly in decentralized settings like the United Nations and the mission-critical systems they use to communicate with hundreds of global nation-states on a daily basis. If secure file collaboration tools with suspicious log-in capabilities are implemented correctly, they can render cybercriminals’ attacks ineffective. Used in a case like this where adversaries were able to infiltrate the network and grind activities to a halt, the systems themselves would have been inaccessible to outsiders, and the valuable data would have remained protected."
Danny Lopez, CEO of Glasswall, draws lessons about the necessity for taking better care of employees, especially during on- and off-boarding:
“Attacks like these demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers it is crucial to strengthen all processes relating to access verification. Without a zero trust approach organisations run the risk of attackers having free rein across a network once they are inside.
"Reports of a data breach at the UN are troubling, given the importance of the work being done by this organisation. There is speculation that the breach occurred due to UN credentials being traded online. Forensic analysis will most likely reveal more details in the coming days, but for now it's worth underlining the importance of good security practice.
"Organisations like the UN need to adopt robust processes for onboarding and offboarding employees and affiliates that may receive access to key information systems. It's vital to control privileged access and to monitor those that enjoy that administrator privilege. Ensuring that multi-factor authentication is enforced wherever possible is a vital defence where user credentials find their way into the public domain. This will help to limit the blast radius, and in most cases, defeat the data breach.
"Even if all procedures and policies are well executed, there's no escaping the fact that adversaries are constantly looking to probe vulnerabilities and to insert malware into the environment, often using everyday business documents which we all use. It's vital that organisations like the UN invest in cyber protection services that stay ahead of attackers by eliminating the threats while still allowing employees to do their vital work."
And Steve Moore, chief security strategist at Exabeam, notes that compromised credentials have become a pervasive problem for organizations of all kinds and sizes:
“The United Nations' networks are home to a breadth of sensitive international relations and security data that, in the wrong hands, could put global government officials, citizens and even peace between nations at risk. The intergovernmental organization confirmed this week that its systems were compromised following credentials for internal software being found in criminal marketplaces.
"The UN is not alone. Compromised credentials are the reason for 61% of breaches today. To remediate incidents involving user credentials and respond to adversaries, organizations must move fast and consider an approach that is closely aligned with monitoring user behavior - to provide the necessary context needed to restore trust, and react in real time, to protect user accounts. This should include the ability to understand what is normal in your network and to detect, using behavioral characteristics, when abnormal events have occurred.”
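Digital Journal's reading of the breach (credentials bought on a criminal market rather than a sophisticated intrusion) and Moore's point about knowing what normal looks like come down to one detection problem: a valid password presented by the wrong person. The added Go example below, written for this page and not drawn from the UN, Exabeam or any product, shows the simplest version of that behavioral check over a handful of constructed authentication log lines; the log format, user names, documentation-range IP addresses, baseline cut-off and thresholds are all assumptions. It learns which countries each user logged in from during a baseline week, then flags a later success from a country that user has never used, and a success that follows a run of failures for the same account, which is the shape credential stuffing leaves in a log.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one record of the constructed format "<RFC3339 time> user=<name> src=<ip> country=<cc> result=success|failure".
type Event struct {
	At                 time.Time
	User, Src, Country string
	Success            bool
}

type Alert struct {
	At                 time.Time
	User, Rule, Detail string // Rule is "new-geo" or "burst"
}

func ParseEvent(line string) (Event, error) {
	var ts, result string
	var ev Event
	_, err := fmt.Sscanf(line, "%s user=%s src=%s country=%s result=%s", &ts, &ev.User, &ev.Src, &ev.Country, &result)
	if err != nil {
		return Event{}, fmt.Errorf("malformed line %q: %w", line, err)
	}
	if ev.At, err = time.Parse(time.RFC3339, ts); err != nil {
		return Event{}, err
	}
	ev.Success = result == "success"
	return ev, nil
}

// Detect learns, per user, the countries seen in successful logins before baselineEnd and flags later
// successes under two rules: "new-geo" (country absent from that user's baseline) and "burst" (at least
// failThreshold failures for the same user within window beforehand, the shape credential stuffing leaves).
func Detect(events []Event, baselineEnd time.Time, window time.Duration, failThreshold int) []Alert {
	sort.Slice(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	baseline := map[string]bool{} // key: user + "/" + country; frozen after baselineEnd on purpose
	recentFails := map[string][]time.Time{}
	var alerts []Alert
	for _, ev := range events {
		switch {
		case ev.At.Before(baselineEnd):
			if ev.Success {
				baseline[ev.User+"/"+ev.Country] = true
			}
		case !ev.Success:
			recentFails[ev.User] = append(recentFails[ev.User], ev.At)
		default:
			n := 0 // failures for this user inside the window ending at this success
			for _, t := range recentFails[ev.User] {
				if ev.At.Sub(t) <= window {
					n++
				}
			}
			recentFails[ev.User] = nil // a success closes the sequence
			if n >= failThreshold {
				alerts = append(alerts, Alert{ev.At, ev.User, "burst",
					fmt.Sprintf("%d failures within %s before success from %s", n, window, ev.Src)})
			}
			if !baseline[ev.User+"/"+ev.Country] {
				alerts = append(alerts, Alert{ev.At, ev.User, "new-geo",
					fmt.Sprintf("success from %s via %s, never seen for this user", ev.Country, ev.Src)})
			}
		}
	}
	return alerts
}

const sampleLog = `
2021-09-01T08:02:11Z user=alice src=203.0.113.10 country=CH result=success
2021-09-01T13:11:02Z user=bob src=198.51.100.23 country=US result=success
2021-09-09T08:01:07Z user=alice src=203.0.113.10 country=CH result=success
2021-09-09T22:14:01Z user=bob src=192.0.2.77 country=RU result=failure
2021-09-09T22:14:09Z user=bob src=192.0.2.77 country=RU result=failure
2021-09-09T22:14:18Z user=bob src=192.0.2.77 country=RU result=failure
2021-09-09T22:15:03Z user=bob src=192.0.2.77 country=RU result=success` // constructed sample, documentation-range addresses

// AnalyzeSample runs Detect over sampleLog: one-week baseline, 10-minute window, 3 failures.
func AnalyzeSample() ([]Alert, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(sampleLog), "\n") {
		ev, err := ParseEvent(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return Detect(events, time.Date(2021, 9, 8, 0, 0, 0, 0, time.UTC), 10*time.Minute, 3), nil
}

func main() {
	alerts, _ := AnalyzeSample() // sampleLog is well formed; AnalyzeSample carries the error path
	for _, a := range alerts {
		fmt.Println(a.At.Format(time.RFC3339), a.User, a.Rule, a.Detail)
	}
}
```

On the sample, alice's later login from her usual country produces nothing, while bob's success from a new country after three rapid failures produces both a burst and a new-geo alert. The baseline is deliberately not updated from post-baseline successes: letting the detector learn from them would allow an attacker's first login to teach it that the new location is normal. Neither rule depends on the password having been weak, which is the whole point of a stolen-credential breach and why the quoted advice to enforce multi-factor authentication belongs alongside monitoring rather than in place of it.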
California and Arizona healthcare providers disclose patient data breaches.
California-based LifeLong Medical Care has begun notifying more than 115,000 individuals that their personal data (names, Social Security numbers, dates of birth, patient cardholder numbers, and treatment and diagnosis information) have been compromised. Another healthcare provider, Arizona-based Desert Wells Family Medicine, has recently informed 35,000 patients that their electronic health record (EHR) data were compromised in a ransomware attack.
Sascha Fahrbach, Cybersecurity Evangelist at Fudo Security, commented that the PII held by healthcare providers continues to be valuable, and hence an attractive target for cybercriminals:
"These latest attacks show that the healthcare industry, with its valuable PII, continues to be a tempting and lucrative target for hackers and insiders. There were more than 600 healthcare data breaches last year, with more than 22 million people affected, and unfortunately this trend shows no sign of slowing down. Healthcare operators need to reassess their security posture, as well as shifting their mindset, when it comes to safeguarding their data.
"In particular, third parties remain a security liability which needs to be urgently addressed. Many in the healthcare industry are not taking the proper steps to mitigate third-party remote access and third-party vendor risk. As seen with LifeLong Medical Care, this could expose organizations to data breaches, and the risk of costly non-compliance penalties.
"One of the key steps IT teams should take to protect their data is to evaluate the privileged access they are granting to their employees, partners and vendors, as privileged users are one of the most sought after targets by attackers. Taking a holistic approach, which includes a zero trust strategy and tools for monitoring and managing access, will greatly help mitigate these threats."