More Signal. Less Noise.
Ransomware and universities. More fallout from the Accellion compromise. Back to paper records. Virginia's privacy law. Reaction to Clubhouse privacy issues.
By the CyberWire staff
At a glance.
- Ransomware as a threat to universities.
- More breaches traced to Accellion FTA.
- Cybercrime temporarily drives hospital back to paper records.
- The Commonwealth of Virginia proceeds with privacy legislation.
- Security industry reaction to Clubhouse privacy issues.
Pandemic puts target on the back of higher education.
BlueVoyant has released its Cybersecurity in Higher Education report, in which the security firm offers a risk analysis of more than twenty-seven hundred universities in over forty countries. The unprecedented repercussions of the pandemic have pushed the field to rely heavily on remote teaching technologies, and cybercriminals are taking advantage of the ever-increasing attack surface. According to BlueVoyant’s findings, ransomware attacks against universities increased 100% in 2020 over 2019, making it the top cyber threat these institutions faced last year. The report also found that a ransomware attack costs a university an average of $447,000, an expense that is heightened, the Daily Swig notes, when institutions are already suffering revenue losses due to decreased enrollment amidst the pandemic. Credential lists from universities are an especially hot commodity on the dark web, and universities are seeing an average of ten thousand brute force attacks per week. Higher ed is also seeing an increase in big game hunting, a tactic previously reserved for more lucrative industries. As two-thirds of the schools surveyed were lacking in email security protocols and more than three-quarters had unsecured remote desktop ports, it’s clear they are not prepared for this surge in attacks. BlueVoyant advises university administrators institute multifactor authentication, require stronger passwords, and implement more intense monitoring of email accounts and networks.
Bryan Embrey, Director, Product Marketing, Zentry Security commented on why universities are attractive to ransomware gangs. “The sharp rise in ransomware attacks on universities is not surprising given the number of students and faculty studying and working remotely," he said. "Implementing zero-trust solutions that offer multi-factor authentication, single sign-on, and managed and monitored access to IT infrastructure can significantly reduce potential credential stealing as well as data loss and exfiltration. Educating students, faculty, and staff to the dangers of phishing and malware will also go a long way to raising universities’ security profiles.”
Chris Clements, Vice President, Solutions Architecture, at Cerberus Sentinel, also sent comments:
"Universities really are just about perfect target for ransomware gangs. Their historically open nature and departmental autonomy can lead to networks that are easy for cybercriminals to navigate and IT fragmentation that misses basic security precautions like patching and centralized backup. Combine this with high revenues and you have a situation where attackers are more likely to find easier ways of gaining initial access, and that the potential payout if they are successful can be very lucrative.
"To protect themselves, universities must adopt a culture of security that requires a change of mindset in many areas. First, there needs to be a recognition that certain security baselines must be met regardless of the project or department and that all systems and applications require ongoing care and feeding to remain secure. Secondly, IT and especially IT security, must embrace the attitude of efficient service delivery to enable the organization to accomplish their goals with as little friction as is possible. For security to be effective, at some level it has to be easy. Building out light touch processes bolstered by secure defaults can go a long way to drastically improving educational organizations adherence to the needed best practices to ensuring a secure technology environment."
Accellion breach claims more victims.
Transport for NSW (TfNSW), the agency responsible for public transportation in New South Wales, Australia, is the latest organization to disclose that it was impacted by the data breach of California-based file sharing company Accellion, reports iTnews. The agency announced that TfNSW data were stolen before the Accellion breach was contained, but was not able to specify exactly what data were exposed. TfNSW is conducting an investigation in conjunction with Cyber Security NSW to determine the extent of the breach. According to chief cybersecurity officer Tony Chapman, multiple NSW agencies had been using Accellion’s file transfer service, New South Wales health agency NSW health has already stated they were also impacted in the breach.
Bombardier has also been affected by a "third-party file-sharing" service compromise. The company doesn't identify Accellion, but consensus is that that's the third-party involved. While much of the media attention has gone to an apparent compromise of aircraft design files, Bombardier itself in its disclosure made particular mention of the possibility that some employee and customer personally identifiable information may have been compromised. Trevor Morgan, product manager with comforte AG, sent comments via email:
“The fallout from the Accellion-centered breach continues, purportedly this time with Bombardier. The takeaways should be pretty clear to people keeping score. Always keep software up-to-date or replace it with next-generation software that’s supported by the vendor. If you think you’re safe from breaches like this, then it’s probably time you really reconsider your data security strategy and methods. Complacency is your worst enemy. And if you’re still depending on security methods that protect borders and perimeters, it’s probably time to think from a more data-centric perspective. If the data is the valuable part, protect the data and not the walls around it. That’s the data-centric approach in a nutshell.”
Data breach forces Illinois hospital to depend on paper processes.
Becker’s Hospital Review reports that Illinois hospital St. Margaret’s Health–Spring Valley has added its name to the growing list of US healthcare providers who have been hit in the wave of pandemic-era data breaches. In response, the hospital shut down much of its network, redirecting many of its services to neighboring hospitals and depending on telephone and fax for communication. Vice president of quality and community services Linda Burt stated, “Our computer systems periodically undergo updates that require the system to be shut down. So we just implemented all of our paper processes." While the investigation is still unfolding, there is no evidence that patient data were impacted.
Virginia’s new privacy law ("CDPA") follows in CCPA’s footsteps.
The California Consumer Protection Act (CCPA) will have a new east coast cousin in the form of the Consumer Data Protection Act (CDPA), reports AdExchanger. The bill was passed by the Virginia house of representatives and senate last week and is expected to soon be signed into law by the governor, making it the second comprehensive privacy regulation in the US. More stringent than the CCPA, the CDPA is an opt-in law and requires clear consumer consent much like the EU’s General Data Protection Regulation (GDPR). While the CPDA does not set a specific revenue threshold for businesses (which the CPA does), the new law is more restrictive in how it defines the word “consumer,” applying it only to Virginia residents who are not acting in a commercial or employment capacity. It’s also worth noting that Virginia’s bill is only enforceable by the attorney general, while the CCPA allows for a private right of action. While businesses that have educated themselves on the CCPA and GDPR should be prepared for the new law, founder of privacy compliance firm Ethyca Cillian Kieran told AdExchanger “it’s important to recognize that each state has nuances...there is no one-size-fits-all solution.”
More industry reaction to Clubhouse's privacy issues.
ESET has a useful overview of the privacy issues that have come to light with respect to Clubhouse. It's not unheard of for a newly popular app to be caught on the hop by security or privacy challenges it hadn't anticipated any more than it expected sudden explosive growth. Compare the experience of Zoom as it saw wide adoption as lockdown responses to the COVID-19 pandemic became common early last year. In the case of Clubhouse, a company representative confirmed that a user wrote a script to pull audio feeds from "multiple rooms" and make them available elsewhere. Clubhouse permanently banned that user and said it had put safeguards in place to prevent a recurrence, but ESET sensibly recommends that everyone be reticent about sharing personal information in Clubhouse (and not only there).
Saryu Nayyar, CEO at Gurucul, sees gaps in authentication and encryption. “The data leakage from audio chat app Clubhouse appears to hinge on a lack of proper authentication and a lack of end-to-end encryption," she said, and went on to say, "Add in the challenge of relying on 3rd party infrastructure and potentially their security as well, and it is easy to understand how something like this can happen. To be secure and private, applications must have their security baked in from the start. It needs to be embedded at every level, from the communications protocols up through the user interface. Unfortunately, cybersecurity is an afterthought for many developers and many organizations rely on their security stack to take over when expedited development takes precedence over secure coding practices.”
David Stewart, CEO of Approov, also commented on the limitations of user authentication: "The Clubhouse data spillage incident looks like yet another example of security based purely on authenticating the user. As we have seen over and over again, you can't keep scripts and bots out of your business unless you know what you are communicating with as well as who. It is therefore essential to authenticate both the user and the mobile app before granting access to your platform."
Amnesty International: Hackers attacking Vietnam dissidents (News4Jax) Amnesty International says it has found that a hacking group known as Ocean Lotus has been staging more spyware attacks on Vietnamese human rights activists in the latest blow to freedom of speech in the communist-ruled country.
Vietnamese activists targeted by notorious hacking group (Amnesty International) Amnesty Tech investigation reveals hacking group Ocean Lotus is behind spyware attacks against Vietnamese human rights activists
Exploitation of Accellion File Transfer Appliance (CISA) This joint advisory is the result of a collaborative effort by the cybersecurity authorities of Australia, New Zealand, Singapore, the United Kingdom, and the United States. These authorities are aware of cyber actors exploiting vulnerabilities in Accellion File Transfer Appliance (FTA).[
Clop ransomware gang leaks online what looks like stolen Bombardier blueprints of GlobalEye radar snoop jet (Register) And what may be CAD drawing of a military radar antenna
Bombardier Statement on Cybersecurity Breach (Bombardier) Bombardier Statement on Cybersecurity Breach
MINEBRIDGE Remote-access Trojan (RAT) 2021 (Zscaler) Threat actors distributing the MINEBRIDGE RAT in-the-wild have returned in 2021 with new and updated tactics, techniques, and procedures (TTPs).
Virginia’s New Privacy Law Takes Aim at Larger Business Entities (Lexology) Virginia’s new consumer privacy bill, expected to be signed into law as soon as April 2021, will elevate the Commonwealth’s approach to data privacy…
Cloud and Threat Report (Netskope) Download the latest Netskope Threat Labs Report for new cybersecurity research that highlights cloud threats, usage, and security trends.
3 Security Flaws in Smart Devices & IoT That Need Fixing (Dark Reading) The scope and danger of unsecured, Internet-connected hardware will only continue to deepen.
Ransomware threats to watch for in 2021 include crimeware-as-a-service (TechRepublic) BlackBerry researchers see more double-extortion ransomware attacks, attackers demanding ransom from healthcare patients, and rising bitcoin prices driving the growth of ransomware.
Everything You Need to Know About Evolving Threat of Ransomware (The Hacker News) Ransomware proves to be a different animal—most destructive, persistent, notoriously challenging to prevent, and is showing no signs of slowing down.
New NetMotion Survey Reveals Only 12% of Enterprises Worldwide Have Fully Embraced SASE (NetMotion Software) NetMotion announces the findings of its inaugural Secure Access Service Edge (SASE) global survey, revealing that pandemic-driven remote work has not led to wholesale SASE and SDP adoption.
U.S. municipalities are the perfect target for cybercriminals in 2021 (Help Net Security) Lax remote work security protocols enable cybercriminals to increasingly target municipalities using ransomware and other malicious actions.
Telework Exposes U.S. Government Employees to Increasing Credential-theft Mobile Attacks (PR Newswire) Lookout Inc., the leader in mobile security, today released its Government Threat Report, which examines the most prominent mobile threats...
CybelAngel Reveals How Cybercriminals Target Healthcare Sector (BusinessWire) CybelAngel published in-depth original research revealing how cybercriminals plan healthcare-related fraud, ransomware and other attacks.
Illinois hospital reverts to paper records, diverts imaging services after cyberattack (Becker"s Hospital Review) St. Margaret’s Health–Spring Valley (Ill.) has shut down its computer network in response to a cyberattack Feb. 21, Shaw Local News Tribune reports.
Huawei chief criticises academic’s ‘false attack’ over 5G security risks (The Irish Times) Chinese telecoms firm tells senior Irish officials academic freedom is a ‘two-way street’
Unethical Stalkerware Apps Offer Parents Tools to Spy on their Children (PR Newswire) Avast (LSE:AVST), a global leader in digital security and privacy products, and member of the Coalition Against Stalkerware, carried out an...
Officials confirm cyber attack on Clearfield County computer system (WTAJ) Officials from Clearfield County reported Tuesday that a recent cyber event may have impacted the security of personal information for certain individuals asso…
FireEye links 0-day attacks on FTA servers & extortion campaign to FIN11 group (ZDNet) FireEye: Hackers breached companies running FTA servers, stole private files, and are now publishing data on the Clop ransomware leak site.
Turkey Dog Continues to Target Turkish Speakers with RAT Trojans via COVID Lures (RiskIQ) Shortly after the COVID-19 pandemic began, there was a spike in threat infrastructure using the crisis to bait, deceive, and social engineer victims. Reports of threat campaigns attempting to fool Turkish-speaking users into downloading Android apps containing the Cerberus and Anubis banking trojans surfaced. Today, new RiskIQ data shows these attacks have not stopped, shedding light on the full extent of these campaigns.
Turkey Dog: Cerberus and Anubis Banking Trojans Target Turkish Speakers (RiskIQ) Since at least April 2020, campaigns distributing the malicious android applications Cerberus and Anubis have been targeting Turkish speakers with lures exploiting the COVID-19 pandemic.