At a glance.
- Ransomware attackers demand millions from French hospital.
- Whistleblower says Twitter put Indian government agent on payroll.
- Researchers say thousands have neglected to fix security camera bug.
- FBI warns of residential proxy-enabled credential stuffing operations.
Ransomware attackers demand millions from French hospital.
Bleeping Computer reports that the French hospital Centre Hospitalier Sud Francilien (CHSF) experienced a ransomware attack over the weekend that disrupted services and forced the medical center to refer patients to other healthcare providers. "This attack on the computer network makes the hospital's business software, the storage systems (in particular medical imaging), and the information system relating to patient admissions inaccessible for the time being," CHSF stated. RFI adds that the English-speaking hackers are reportedly demanding $10 million to unlock the hospital's systems. CHSF has activated its "white plan" emergency operation to maintain as many of its services as possible. The Paris prosecutor's office has opened an investigation into the incident, led by the gendarmerie's Centre for Combating Digital Crime (C3N). French cybersecurity journalist Valéry Riess-Marchive says that the case being handled by the national gendarmerie points to either a LockBit 3.0 or a Ragnar Locker infection, since C3N handles both groups' attacks, and that the size of the hospital is in line with Ragnar Locker's typical targets.
Stephan Chenette, Co-Founder and CTO of AttackIQ, regards this incident as a wake-up call for the healthcare industry:
“The healthcare industry is one of the largest targets for cyber-criminals due to protected health information (PHI) being extremely profitable on dark web marketplaces because it usually contains fixed information, such as dates of birth and Social Security Numbers, which hackers can use to commit identity theft for years to come. Additionally, the Centre Hospitalier Sud Francilien is now forced to operate with reduced IT operations, causing the hospital to transfer patients with serious injuries or illness to other medical centers and creating further delays for patients.
"This cyberattack serves as the latest reminder that organizations simply don't exercise their defenses enough, and healthcare organizations in particular should be evaluating their existing security controls to uncover gaps before an attacker finds them. We continue to see basic security protection failures resulting in data loss for companies both large and small. This trend is disturbing as the cost of recovering from a breach is far more expensive than conducting proactive testing to validate that the security products and services, which you have already purchased and implemented, are working correctly. Consequently, these types of failures can often be easily avoided.
"To best defend against ransomware attacks, it’s important to understand the common tactics, techniques, and procedures used by the adversary. In doing so, organizations can build more resilient security detection, prevention and response programs mapped specifically to those known behaviors. Organizations that manage sensitive health information must adopt a threat-informed cyber-defense strategy tailored to focus on the adversaries most likely to impact their operations to maximize their ability to protect sensitive information. This should include mapping their security controls to specific attack scenarios, aligned to the MITRE ATT&CK® framework, to measure an organization's cybersecurity readiness for the attacks that are sure to come. Additionally, companies should use automated solutions that safely validate their defensive controls against ransomware campaigns and their techniques to avoid falling victim.”
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, argues that such attacks are more than mere inconveniences. They pose a risk to health and life. “Incidents like this are direct evidence that cybersecurity risks are not limited to service disruption inconveniences or simple monetary loss," he writes. "Attacks on healthcare providers or other critical infrastructure can have real consequences to the health and wellness of our communities, and the situation is no longer simply theoretical. Doing cybersecurity effectively is extremely hard, but we should both demand our critical infrastructure providers adopt the cultural approaches necessary as well as support them as well as we can to help accomplish cybersecurity resiliency that in the end benefits us all. Too many times these institutions are among the most vulnerable."
Whistleblower says Twitter put Indian government agent on payroll.
Former Twitter security chief Peiter “Mudge” Zatko yesterday released a statement claiming that the social media giant’s user data protections are plagued by “extreme, egregious deficiencies.” Among the many allegations, Mudge says the Indian government forced Twitter to hire a government agent, giving the individual access to sensitive user data. "The company did not in fact disclose to users that it was believed by the executive team that the Indian government had succeeded in placing agents on the company payroll," Mudge’s complaint read. Reuters notes that Twitter is already engaged in a legal challenge against the Indian government alleging abuse of power by government officials who ordered the company to remove content from the platform. The National Security Division of the US Justice Department and the Senate Select Committee on Intelligence are investigating the whistleblower’s claims.
Daniel Thanos, VP at Arctic Wolf Labs, supports Mudge's decision to blow the whistle. He sees the security issues as of a piece with what he has seen at other social media platforms:
"Mudge is a highly trusted and respected leader in the cybersecurity community and his comments should not be taken lightly. This situation showcases a similar pattern that we’ve seen with other social media companies that are going through their security, privacy, and infowar reckonings. Unfortunately, there have been way too many instances where social media companies suppress these types of issues and not address them transparently. All of these events have proven that self-policing isn’t going to work anymore. These social media entities are behaving as publishers now, which requires a high level of public trust. With that, comes certain security and transparency responsibilities that are clearly not being met.
"Twitter has the same insider threats as many other companies. Since they have become a vital source of information, they must make sure their internal security controls maintain the highest level of security and privacy. This is absolutely fundamental due to the trust their users are placing in them. Recent events have shown us that they are obviously not rising to the occasion. It is vitally important that CISOs have a reporting and governance relationship that is not compromised by internal stakeholders. The interference and deception being alleged here by the management should give everyone great concern.
"On the issue of the platform being used by bots, adversarial groups, and others for purposes of information/hybrid warfare, that is already established fact. Anyone that is remotely informed on these issues can see they have a serious bot and abuse problem – that one could reasonably infer is not adequately being addressed nor the scope of which is being fully understood. Mudge was hired to do a job by the previous CEO on this issue and on the insider threat problem, but the patterns of interference that many transformational CISOs face seem to have all been exhibited here. Anyone that cares about the mission we are on as a security community will want to see Mudge prevail and bring the disinfectant of light to this situation for the good of the entire industry."
Researchers say thousands have neglected to fix security camera bug.
A vulnerability impacting more than 80,000 security cameras from Hikvision was discovered by researchers last year, and Hikvision addressed the issue by releasing a firmware update in September 2021. However, Singaporean cybersecurity firm CYFIRMA says tens of thousands of systems used by 2,300 organizations across one hundred countries are still at risk because they have not yet installed the update. Bleeping Computer notes that there have already been two known exploits of the bug, one last October and another in February, and CYFIRMA’s research shows that cybercriminals on Russian-speaking hacking forums often sell network entrance points that rely on vulnerable Hikvision cameras. Most of the vulnerable endpoints are located in the US and China, and CYFIRMA’s white paper notes they could pose a threat to national security. "From an External Threat Landscape Management (ETLM) analogy, cybercriminals from countries that may not have a cordial relation with other nations could use the vulnerable Hikvision camera products to launch a geopolitically motivated cyber warfare," CYFIRMA explains.
We heard from Paul Bischoff, privacy advocate with Comparitech, who pointed out that IoT devices can be tricky to secure:
“IoT devices like cameras aren't always as easy or straightforward to secure as an app on your phone. Updates are not automatic; users need to manually download and install them, and many users might never get the message. Furthermore, IoT devices might not give users any indication that they're unsecured or out of date. Whereas your phone will alert you when an update is available and likely install it automatically the next time you reboot, IoT devices do not offer such conveniences. Hackers can easily find devices running vulnerable firmware or software using an IoT search engine like Shodan. From there, they can hijack the devices to enlist them as part of a botnet, mine cryptocurrency, or launch further attacks through the camera's network. In this case, the problem is exacerbated by the fact that Hikvision cameras come with one of a few predetermined passwords out of the box, and many users don't change these default passwords.”
And Chris Hauk, consumer privacy champion at Pixel Privacy, wrote, “Exploits like those being used to take over Hikvision cameras rely on users not setting strong passwords or using the default passwords out of the box. Users should always update their cameras and other IoT devices with the latest firmware, set a secure password, and in corporate cases, keep their IoT devices isolated from their main network.”
FBI warns of residential proxy-enabled credential stuffing operations.
The US Federal Bureau of Investigation (FBI) last week issued a Private Industry Notification through the Bureau's Internet Crime Complaint Center (IC3) warning of a surge in cybercriminal activity in which hackers use residential proxies to carry out large-scale credential stuffing attacks. "Malicious actors utilizing valid user credentials have the potential to access numerous accounts and services across multiple industries – to include media companies, retail, healthcare, restaurant groups and food delivery – to fraudulently obtain goods, services, and access other online resources such as financial accounts at the expense of legitimate account holders," the advisory read. Bleeping Computer explains that credential stuffing attacks are normally easy to detect and block because the attacking IP addresses quickly end up on blocklists; routing the attempts through residential proxies spreads them across ordinary home connections and hides the actual source IP address, so per-IP blocking no longer works. The FBI is urging system administrators to take the necessary precautions against credential stuffing. Its recommendations include encouraging multi-factor authentication, comparing widely available leaked credentials against customer accounts and forcing password resets where they match, using device fingerprinting to check that the person logging in is the account's owner, and identifying and monitoring the default user agent strings used by credential stuffing attack tools.
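The FBI's recommendations translate directly into detection logic. The following is an added worked example in Python, written for this digest and not taken from the FBI notification or from Bleeping Computer. It assumes a JSON-lines authentication log with `ts`, `user`, `src_ip`, `ua` and `result` fields (an assumed format), a constructed sample log, a constructed user-agent watchlist and a constructed set of leaked-password hashes; none of these come from the page. The point it makes is the one behind the residential-proxy warning: when every proxy IP makes a single attempt, per-IP counters see nothing unusual (the legitimate user in the sample has the highest per-IP count), so the aggregation has to happen on attributes the attacker shares across IPs, such as the user agent, and on fleet-wide failure rate.

```python
"""Credential-stuffing triage for an authentication log (example code).

Assumed log format: one JSON object per line with ts, user, src_ip, ua, result.
All sample data and the user-agent watchlist below are constructed for the example.
"""
import hashlib
import json
from collections import Counter, defaultdict

# Constructed watchlist: default user agents a defender has seen from attack
# tooling in their own telemetry. Placeholder values, not a published list.
USER_AGENT_WATCHLIST = {"python-requests/2.28.1"}

# Constructed leaked-password corpus, stored only as upper-case SHA-1 hex digests
# (the same shape as a k-anonymity range lookup; no plaintext is retained).
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
               for p in ("123456", "password", "qwerty", "Summer2022!")}

# Constructed sample log: 10 residential IPs, one attempt each, one shared user
# agent, 10 distinct usernames, a single success; plus one real user who
# fat-fingers her password twice from her own IP with a browser user agent.
ATTACK_UA = "python-requests/2.28.1"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Firefox/104.0"
_events = []
for i in range(10):
    _events.append({"ts": f"2022-08-24T10:00:{i:02d}Z", "user": f"user{i}@example.com",
                    "src_ip": f"198.51.{100 + i}.{20 + i}", "ua": ATTACK_UA,
                    "result": "success" if i == 7 else "fail"})
for i, r in enumerate(("fail", "fail", "success")):
    _events.append({"ts": f"2022-08-24T10:01:{i:02d}Z", "user": "alice@example.com",
                    "src_ip": "203.0.113.7", "ua": BROWSER_UA, "result": r})
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _events)


def parse_log(text):
    """Parse JSON-lines into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def per_ip_max_attempts(events):
    """Highest attempt count from any single IP: what an IP-based rule sees."""
    return max(Counter(e["src_ip"] for e in events).values())


def find_stuffing_clusters(events, min_users=5, min_ips=5, min_fail_ratio=0.6):
    """Group attempts by user agent and flag clusters that look like stuffing.

    A cluster is flagged when it touches many distinct usernames from many
    distinct IPs with a high failure ratio, or when its user agent is on the
    watchlist. Successful logins inside a flagged cluster are the accounts to
    force a reset on and review for takeover.
    """
    by_ua = defaultdict(list)
    for e in events:
        by_ua[e["ua"]].append(e)
    clusters = []
    for ua, evs in by_ua.items():
        users = {e["user"] for e in evs}
        ips = {e["src_ip"] for e in evs}
        fail_ratio = sum(e["result"] == "fail" for e in evs) / len(evs)
        reasons = []
        if ua in USER_AGENT_WATCHLIST:
            reasons.append("watchlisted user agent")
        if len(users) >= min_users and len(ips) >= min_ips and fail_ratio >= min_fail_ratio:
            reasons.append("many users from many IPs with high failure ratio")
        if reasons:
            clusters.append({
                "ua": ua, "users": len(users), "ips": len(ips),
                "fail_ratio": round(fail_ratio, 2), "reasons": reasons,
                "compromised": sorted(e["user"] for e in evs if e["result"] == "success"),
            })
    return clusters


def password_is_leaked(password):
    """Check a candidate password against the leaked corpus by SHA-1 prefix.

    Mirrors the k-anonymity pattern: only the 5-hex-character prefix would be
    sent to a remote range service; the suffix comparison stays local.
    """
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}
    return suffix in candidates


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("max attempts from one IP:", per_ip_max_attempts(evs))
    for c in find_stuffing_clusters(evs):
        print(c)
    print("123456 leaked:", password_is_leaked("123456"))
```

On the sample data the IP-based view is actively misleading: the only IP with more than one attempt belongs to the legitimate user, while each proxy IP appears exactly once. Grouping by user agent surfaces one cluster covering ten usernames across ten IPs with a 90% failure rate, and its single success is the account that needs a forced reset and takeover review.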
Gunnar Peterson, CISO of Forter, commented on the ways in which this campaign shows an unusual level of sophistication. “Attackers are reaching a new level of sophistication well beyond what passwords and even MFA can handle alone," he wrote. "This is because the attacks target the access control and identity provisioning layers to bypass protections that surround company data and accounts. When an attacker can leverage a password, account profile reset, or MFA prompt for malicious purposes, the company's protective layer falls away. This means that technologies like fingerprinting and account takeover monitoring are more important than they have ever been.”
Ralph Pisani, President of Exabeam, thinks the keys to the castle tend to be left out for anyone to use:
"Credentials are supposed to be the castle's front gates - they are the new perimeter, but SOCs still fail to detect credential-based attacks. As a result, the cybersecurity industry must rethink its strategy to analyze how credentials are used and stop intrusions before they become more significant issues like the ones discussed in the recent FBI warning.
"Proper education, feedback loops, visibility, and effective technical capabilities are the keys to identifying and responding to attacks caused by compromised credentials. The most effective defender capability is the development of a baseline for normal employee behavior, specifically to assist organizations with identifying the use of compromised credentials for initial access and later maintaining network access. If you can establish normal behavior first, only then can abnormalities be known - a great asset in uncovering unknowingly compromised accounts."
And Neil Jones, director of cybersecurity evangelism at Egnyte, enumerates the ways he recommends organizations defend themselves against credential-stuffing attacks:
"The recent privacy industry notification by the U.S. FBI is a stark reminder that organizations and their website users still have a lot to learn about effective password safety. For as long as I can remember, easily-guessed passwords such as 123456, qwerty and password have dominated the global listing of most commonly-used passwords, and they are undoubtedly in use in most corporate settings. Unfortunately, weak passwords can become a literal playground for cyber-attackers, particularly when they gain access to your organization's remote access solution to view corporate users' ID details or to email systems to impersonate your legitimate employees. Key components of an effective password management program that reduces the probability of credential stuffing attacks include:
- "Use of multi-factor authentication (MFA), which recent reports indicate only 89% of mid-sized organizations utilize to access all of their services.
- "Employee education about the significance of password safety, social engineering awareness, and spear-phishing avoidance.
- "Establishment of mandatory password rotations, including forcing employees to change their passwords and passphrases on a routine basis.
- "Re-visiting your company's account lockout requirements, to ensure that users' access is immediately disabled after a minimum number of failed login attempts.
- "Reminding users that they should limit access to personal websites on their business devices, and never re-use business credentials on personal websites.”