Mozilla: Superman, Batman, Spider-Man dominate list of passwords leaked in breaches

Superhero-based passwords are increasingly showing up in datasets of breached information, according to a new blog post from Mozilla.

Mozilla used data from haveibeenpwned.com to figure out the most common passwords found in breached datasets. 

Superman showed up in 368,397 breaches, Batman was featured in 226,327 breaches and Spider-Man was found in 160,030 breaches. Wolverine and Ironman were also seen in thousands of breaches. 

The blog is a follow-up to another Mozilla report about the popularity of passwords related to Disney princess, particularly for users of the Disney+ streaming service. 

Due to the prevalence of breached account details on the dark web, a number of companies are beginning to turn to password-less systems. 

Last month Microsoft extended its passwordless sign-in option from enterprise customers that used Azure Active Directory (AAD) to consumer Microsoft accounts on Windows 10 and Windows 11 PCs.

Vasu Jakkal, Microsoft corporate vice president of the Microsoft Security, Compliance, Identity and Management division, said that nearly 100% of the company’s employees are passwordless. 

“We use Windows Hello and biometrics. Microsoft already has 200 million passwordless customers across consumer and enterprise,” Jakkal said.

“We are going completely passwordless for Microsoft accounts. So you don’t need a password at all.”

Some services are also turning to two-factor or multi-factor authentication as a way to avoid the use of passwords.

Thousands Affected by Ransomware Attack on Hawaii Company

(TNS) — About 4,500 customers of a Honolulu payroll processing company were potentially affected by a ransomware attack that exposed Social Security numbers, dates of birth, the full names of clients and bank account information.

In mid-February, Hawaii Payroll Services LLC discovered its servers and databases had been breached by an unauthorized user.

The unauthorized access to the servers holding company information happened from Feb. 15 to 16, likely by someone “able to gain access to Hawaii Payroll’s systems through a compromised client account and execute a privilege escalation attack that enabled the intruder to disable and remove security software and encrypt all data residing in Hawaii Payroll’s servers,” according to the company.

In response, the company said it suspended all remote client access and asked its third-party vendor that handles information technology operations to evaluate the extent of the intrusion.

Letters were sent in late May to people potentially affected by the attack, but some have been returned unopened, and Hawaii Payroll Services is still trying to gain access to many of the files it was locked out of, said company owner Michelle Wells-Nagamine in an interview with the Honolulu Star-Advertiser.

There have been no reports, so far, that the data is available on the dark web or has been used inappropriately, she said, and some of the encryption information has been released.

“It is an impact for sure, but we have to deal with IT,” Wells-Nagamine said. “We got everything put back in for this year, and we marched forward. That’s all I can do.”

The company retained “expert forensic assistance” to further investigate and remediate the situation and to suggest security improvements, according to Wells-Nagamine.

Founded in July 2003, Hawaii Payroll Services is a domestic limited liability company, according to the state Department of Commerce and Consumer Affairs. It provides payroll processing, 401(k) reporting and payroll tax filing.

The company serves more than 120 local companies, including Rainforest at Kilohana Square, Diamond Bakery, Yummy’s BBQ and Jean’s Warehouse.

Wells-Nagamine filed a police report and a complaint with the Federal Bureau of Investigation’s Honolulu field office. Notifications to state regulators and credit reporting agencies are ongoing.

The Honolulu Police Department’s Financial Crimes Detail has opened a first-degree unauthorized computer access investigation. No arrests have been made in the case, according to HPD spokeswoman Michelle Yu. The FBI did not immediately reply to a request for an update on the complaint reported by Wells-Nagamine.

Last year proved a boon for Internet criminals as more Americans worked remotely, participated in distance learning or used online resources due to the COVID-19 pandemic. Nationally, Internet crimes increased about 40%, from 467,361 complaints that cost Americans about $3.5 billion in 2019 to 791,790 complaints and $4.2 billion in losses in 2020, according to the U.S. Department of Justice.

Last year the FBI’s Internet Crime Complaint Center received 2,474 ransomware reports, which accounted for over $29.1 million in losses. Ransomware is a type of malware that encrypts data on a computer, making it unusable, according to the FBI.

The dollar figure does not include estimates of lost business, time, wages, files or equipment, or any third-party remediation services acquired by a victim, according to the FBI. In some instances, victims do not report losses to the federal government, generating an artificially low overall ransomware loss rate.

Whoever initiates the attack holds the data hostage until a ransom payment or some other arrangement in exchange for access to the encrypted information is reached. According to the Justice Department, in some cases cyber criminals have pressured victims by threatening to destroy their data or make it public.

Trucking giant Forward Air reports ransomware data breach

Trucking giant Forward Air has disclosed a data breach after a ransomware attack that allowed threat actors to access employees’ personal information.

In December 2020, Forward Air suffered a ransomware attack by what was believed to be a new cybercrime gang known as Hades. This attack caused Forward Air to shut down its network, which led to business disruption and the inability to release freight for transport.

An SEC filing by Forward Air states that the company lost $7.5 million of less than load (LTL) freight revenue “primarily because of the Company’s need to temporarily suspend its electronic data interfaces with its customers.”

Researchers later revealed that this attack was conducted by the Evil Corp cybercrime gang, which routinely performs attacks under different ransomware names, such as Hades, to evade US sanctions.

At the time, BleepingComputer was contacted by multiple Forward Air employees concerned that the attack exposed their personal information.

As part of the attack, the threat actors created a Twitter account that they claimed would be used to leak data stolen from Forward Air. However, no data has ever been seen leaked by the threat actors.

Forward Air discloses a data breach

Fast forward almost a year, and Forward Air is now disclosing that the ransomware attack exposed current and former employees’ data.

“On December 15, 2020, Forward Air learned of suspicious activity occurring within certain company computer systems. Forward Air immediately launched an investigation to determine the nature and scope of the incident,” reads a data breach notification sent to Forward Air employees.

“The investigation determined that certain Forward Air systems were accessible in November and early December 2020, and that certain data, which may have included your personal information, was potentially viewed or taken by an unknown actor.” 

The information that the Evil Corp threat actors potentially accessed includes employees’ names, addresses, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, or bank account numbers.

While Forward Air states that there is no indication that the data has been misused, they are offering affected people a free one-year membership to the myTrueIdentity credit monitoring service.

As there is no way to determine if a threat actor has used stolen data, even if they promise not to after a ransom payment, all affected employees should assume that their data has been compromised.

This means that they should monitor their credit reports and bank statements and be on the lookout for targeted phishing attacks.

To avoid cyberattacks, companies need to think like hackers

Companies are spending more than ever on cybersecurity but, despite a plethora of new security systems, they continue to be vulnerable to attacks, which are not only becoming more numerous but are also taking a greater financial and business toll on organizations.

This is happening, I believe, because companies are approaching cybersecurity in the wrong way.

Even though logic suggests that the more a company spends on cybersecurity systems the better protected it will be, there is no correlation between the two. What’s more: increased cybersecurity spending often has the unintended effect of providing a false sense of security.

To truly protect themselves, organizations need to get past the belief that the more money they spend, and the more security systems they implement, the better protected they will be. True security comes from looking at IT systems as hackers would and implementing heavy protection at the most vulnerable points of these systems – the points most attractive to infiltrators. By considering the tactics hackers are most likely to use, organizations can protect their most important assets.

For many organizations, this requires an adjustment of perspective along with a reconsideration of what “security” means to them. These steps are crucial:

1. Analyze and prioritize digital assets

The best defense starts with an analysis of an organization’s assets and the potential costs of an attack from a business perspective. For example, an attack that would take an organization off-line for several hours while a site is restored from backups (and while customers complain about a lack of access on social media) is an attack that organizations need to put a great deal of effort into preventing. Meanwhile, an attack that compromises servers containing unused or old applications is less of a worry.

If an organization has limited resources, it’s clear where those resources should be allocated. Therefore, decisions about which assets should be protected first and foremost must be based on their importance and value to the business. These are decisions that an organization’s leaders – and not just its IT teams – need to make.

2. Think like hackers

Understanding a hacker’s psychology is essential. Hackers seek out the highest quality assets that will provide the lowest level of resistance. If they find an “obvious” misconfiguration on a server that contains customer data or intellectual property, that is the server they will attack – and likely be successful.

To prevent attacks, organizations need to put the lion’s share of their security efforts, resources and budget into protecting that server and creating more barriers to accessing it. Attacking a server with several defense layers is more work, so hackers are more likely to concentrate on an easier target. The priority for the organization must be to set up defenses for key assets, so that hackers direct their attention elsewhere.

3. Constant review and adjustment

A vulnerability of the “spend to defend” attitude is the tendency to believe that the security system that the organization has spent so much on is taking care of the problem. But threats are constantly evolving, and many existing security systems have not been tested to check if they can beat them.

Many cyber security plans do not take into account the fact that modifications should be made and changes implemented often. A good security plan needs to be constantly reviewed and updated. Most organizations plan and execute a long-term plan, and do not build in the agility and flexibility that is needed for the updates that should be made on a continuous basis. That must change.

The details and minutiae of cyberattacks and their remedies can be eye-glazing – and given the size and reach of today’s IT systems, it’s impossible for even the most competent security teams to cover every breach target. Throwing money at the problem won’t solve it; to protect themselves, companies need to spend wisely, maximizing the efficiency of their cybersecurity investments to ensure that their key assets are as well protected as possible.

Proper password security falling short despite increase in online presence

While 92 percent of people know that using the same password or a variation is a risk, 65 percent still re-use passwords across accounts, drastically increasing the risks to their sensitive information, a LastPass report revealed.

While consumers have a solid understanding of proper password security and the actions necessary to minimize risk, they still pick and choose which information they apply that knowledge to, according to the report.

Spending more time online, yet lacking proper password security

Strong cybersecurity habits are more important than ever this year, given the sheer volume of time individuals have spent online in the last 18 months and the corresponding spike in cyber-attacks. Yet the survey revealed that despite 71 percent of people working wholly or partly remote and 70 percent spending more time online for personal entertainment during the pandemic, people were still exhibiting poor password behaviour.

Most data breaches – a staggering 85 percent – involved a human element through phishing or human error, according to the 2021 Data Breach Investigations Report, and the need for proper password security remains critical as attacks rise.

There’s a lot of awareness, but not enough action

Most users are creating passwords that leverage personal information that has ties to possible public data, like a birthday or home address. Seventy-nine percent of respondents agreed that compromised passwords are concerning, but over half rely on their memory to keep track of passwords.

Eighty-three percent of respondents would not know whether their information was compromised on the dark web, showcasing the many blind spots and overall apathy when it comes to password management.

COVID-19 has expanded our digital lives

The pandemic has greatly expanded our digital lives over the past year, with 91 percent of respondents reporting that they’ve created at least one new account this year and 90 percent indicating that they have up to 50 online/application accounts.

Support behind personal and work behavior overlap

Over the past year, 47 percent of respondents did not change their online security habits while working remotely and 44 percent admitted to sharing sensitive information and passwords for professional accounts while working remote.

This means almost half of employees engage in risky password behavior while working remotely, which is causing IT admins to rethink security strategies in a hybrid work environment.

Consumers are selective in what they protect

Coupled with the cognitive dissonance in consumer awareness of the need for security versus action, the report also found that the type of information being protected impacts consumers’ likeliness to use good password practices.

While 68 percent of respondents would create stronger passwords for financial accounts, only 32 percent noted they would create strong passwords for work-related accounts.

“Our latest report showcases the impact of the COVID-19 pandemic amid the increased time we spent online – which has, in turn, increased our vulnerability to potential hackers,” said Dan DiMichele, VP of Product Management for LastPass.

“As we continue to grow our online presence, we need more robust protection for our online information. One way to combat this is by investing in a password manager which can be used to store your personal and digital information safely. As a business or IT lead, adding an additional layer of security, including multi-factor authentication or single sign-on options, will help to ensure that your employees are the only ones accessing their information.”

Cybercrooks fleece Rs 9.18 crore from hapless targets so far in this year

Cyber police said sharing ATM card credentials and one-time passwords was among the most common cause of the fraud, followed by fraudulent business offers, fake insurance and gift-related frauds.

Pune: There was a sharp rise in the amount lost by victims of cybercrime this year when compared to last year, as per the city cyber police.

Till the first week of September, 42 cases were registered with the cyber police in which the complainants reported total losses of Rs9.18 crore. In 2020, 46 cases were registered, but the amount lost was nearly two-thirds lower at Rs3.2 crore, as per data available with the police.

Deputy commissioner of police (cyber) Bhagyashri Navatake said most cybercrime can be avoided if people exercised more caution while using netbanking or Unified Payments Interface (UPI) applications.

Cyber police inspector D S Hake said the rise in the amount lost can be attributed to the increased usage of smartphones. “While looking at their screens, people are more prone to clicking on links to unsafe websites. Secondly, people also share ATM card or bank credentials with strangers without giving it a second thought,” Hake said.

In most cases, Hake said, the victims trust the digital/virtual identity presented by the crook posing as a friend or an acquaintance. “They share their bank account credentials, UPI application details or debit/credit card information, assuming they were interacting with a friend or relative. In many cases, people fall prey to online business deals and transfer money to the suspect’s account without background checks,” he further said.

“This year, most victims have fallen prey to gift baits and lost a whopping Rs4.42 crore, while last year, people lost a total of Rs1.83 crore after sharing their debit/credit card credentials,” Hake said.

“Similarly, people have also fallen prey to herbal oil fraud cases — crooks floating fake business schemes — and lost Rs1.27 crore to fraudsters,” he said.

Police have received over 350 complaints of sextortion this year, though the collective amount extorted by the crooks was just Rs 84,000.

Teenager helps IRCTC fix bug that could expose passenger’s private information

A 17-year-old student in a private school in Chennai’s Tambaram has helped the Indian Railway Catering and Tourism Corporation (IRCTC) fix a bug in its online ticketing platform, which could have exposed millions of passengers and their private information.

Ranganathan said that the critical Insecure Direct Object References (IDOR) vulnerability on the website helped him to access the journey details of other passengers.

He told media persons that while he was logging into the IRCTC site for booking a ticket, he found that he could access the details of other passengers, which could compromise the security of the website.

The vulnerability helped him to access details of other passengers including name, gender, age, PNR number, train details, departure station, and date of journey.

Ranganathan said that as the back-end code was the same, a hacker could have ordered food in the name of another passenger, changed the boarding station, and even cancelled the ticket without the knowledge of the passenger.

He said that more than this, there was the risk of the database of millions of passengers being compromised or leaked.
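As an added illustration, not IRCTC’s code, the access-control defect that produces an IDOR on a booking lookup, beside the hardened check: ownership of the PNR is verified against the authenticated session, missing and foreign PNRs get the same response so the endpoint cannot be used to enumerate valid PNRs, and denied lookups are recorded so probing of sequential PNRs can be spotted. The booking store, session object and field names are assumed for the example.

```python
"""Added example (not IRCTC's code): an IDOR on a booking lookup and its fix.

All data below is constructed; PNRs, stations and names are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Booking:
    pnr: str
    owner_id: str          # account that made the booking (assumed field)
    passenger_name: str
    train: str
    boarding_station: str
    journey_date: str
    cancelled: bool = False


@dataclass(frozen=True)
class Session:
    """Authenticated user; authentication alone is not authorization."""
    user_id: str


class NotFound(Exception):
    """Single error for both 'no such PNR' and 'not your PNR'."""


# Constructed sample bookings owned by two different accounts.
BOOKINGS: Dict[str, Booking] = {
    "PNR0001": Booking("PNR0001", "user-alice", "A. Sharma", "12621", "MAS", "2021-09-01"),
    "PNR0002": Booking("PNR0002", "user-bob", "B. Rao", "12622", "TBM", "2021-09-02"),
}

# Audit trail of denied lookups, (user_id, pnr); feeds the detection check below.
DENIED_ATTEMPTS: List[Tuple[str, str]] = []


def get_booking_vulnerable(session: Session, pnr: str) -> Booking:
    """The defect: the PNR from the request is used as the key directly.

    Any logged-in user who supplies someone else's PNR reads that
    passenger's journey details; the session is never consulted.
    """
    try:
        return BOOKINGS[pnr]
    except KeyError:
        raise NotFound(pnr) from None


def get_booking_hardened(session: Session, pnr: str) -> Booking:
    """The fix: the record must exist AND belong to the caller's account."""
    booking = BOOKINGS.get(pnr)
    if booking is None or booking.owner_id != session.user_id:
        # Same outcome for missing and foreign PNRs; log it for monitoring.
        DENIED_ATTEMPTS.append((session.user_id, pnr))
        raise NotFound(pnr)
    return booking


def change_boarding_station(session: Session, pnr: str, station: str) -> Booking:
    """Every mutation goes through the same owner check, so the food-order,
    boarding-change and cancel flows share one authorization path."""
    booking = get_booking_hardened(session, pnr)
    booking.boarding_station = station
    return booking


def cancel_booking(session: Session, pnr: str) -> Booking:
    booking = get_booking_hardened(session, pnr)
    booking.cancelled = True
    return booking


def suspicious_accounts(threshold: int) -> Set[str]:
    """Detection: accounts with at least `threshold` denied lookups, the
    pattern a user walking through neighbouring PNRs produces."""
    counts: Dict[str, int] = {}
    for user_id, _ in DENIED_ATTEMPTS:
        counts[user_id] = counts.get(user_id, 0) + 1
    return {u for u, n in counts.items() if n >= threshold}
```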

IRCTC officials said that Ranganathan had reported the matter to the Computer Emergency Response Team (CERT) on August 30, and the IRCTC was alerted. The problem was fixed in five days.

The teenager had earlier received acknowledgements from LinkedIn, the United Nations, Nike, and several others for alerting them to vulnerabilities in their websites.

A New APT hacker group spying on hotels and governments worldwide

A new advanced persistent threat (APT) has been behind a string of attacks against hotels across the world, along with governments, international organizations, engineering companies, and law firms.

Slovak cybersecurity firm ESET codenamed the cyber espionage group FamousSparrow, which it said has been active since at least August 2019, with victims located across Africa, Asia, Europe, the Middle East, and the Americas, spanning several countries such as Burkina Faso, Taiwan, France, Lithuania, the U.K., Israel, Saudi Arabia, Brazil, Canada, and Guatemala.

Attacks mounted by the group involve exploiting known vulnerabilities in server applications such as SharePoint and Oracle Opera, in addition to the ProxyLogon remote code execution vulnerability in Microsoft Exchange Server that came to light in March 2021, making it the latest threat actor to have had access to the exploit before details of the flaw became public.

According to ESET, intrusions exploiting the flaws commenced on March 3, resulting in the deployment of several malicious artifacts, including two bespoke versions of the Mimikatz credential stealer, a NetBIOS scanner named Nbtscan, and a loader for a custom implant dubbed SparrowDoor.

Installed by leveraging a technique called DLL search order hijacking, SparrowDoor functions as a backdoor that lets the attackers burrow into new corners of the target’s internal network, execute arbitrary commands, and amass and exfiltrate sensitive information to a remote command-and-control (C2) server under their control.

While ESET didn’t attribute the FamousSparrow group to a specific country, it did find similarities between its techniques and those of SparklingGoblin, an offshoot of the China-linked Winnti Group, and DRBControl, which also overlaps with malware previously identified with Winnti and Emissary Panda campaigns.

“This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all,” ESET researchers Tahseen Bin Taj and Matthieu Faou said.

65% of users still re-use passwords across accounts: Report

According to a report by LogMeIn, consumers have a solid understanding of proper password security and the actions necessary to minimise risk, but they still pick and choose re-used information.

New Delhi: While 92 per cent of people know that using the same password or a variation is a risk, 65 per cent still re-use passwords across accounts, drastically increasing the risks to their sensitive information, a report said.

“Strong cybersecurity is more important than ever this year, given the sheer volume of time individuals have spent online in the last 18 months and the corresponding spike in cyber-attacks,” the company said in a statement.

“Yet the survey revealed that despite 71 per cent of people working wholly or partly remote and 70 per cent spending more time online for personal entertainment during the pandemic, people were still exhibiting poor password behaviour,” it added.

Most data breaches — a staggering 85 per cent — involved a human element through phishing or human error, according to the 2021 Data Breach Investigations Report, and the need for password security remains critical as attacks rise.

According to the survey, over the past year, 47 per cent of respondents did not change their online security habits while working remotely and 44 per cent admitted to sharing sensitive information and passwords for professional accounts while working remotely.

This means almost half of employees engage in risky password behaviour while working remotely, which is causing IT admins to rethink security strategies in a hybrid work environment.

The survey, which included over 3,500 working professionals globally, including India, indicated that while 68 per cent of respondents would create stronger passwords for financial accounts, only 32 per cent noted they would create strong passwords for work-related accounts.

Data breach at Texas behavioral health center affects more than 24,000

A data breach at Texas behavioral health provider Texoma Community Center affected more than 24,000 people and highlights how timelines for breach notification may lag behind security events—even when the most sensitive information is compromised. 

Texoma is a nonprofit that specializes in delivering mental health and substance abuse services. The public notice posted on its website last week says the organization “became aware of suspicious activity relating to several employee email accounts that were sending unauthorized messages” on October 20 of last year and “immediately launched an investigation.” However, it took nearly 10 months for the center to notify stakeholders, including health authorities, of the breach.

With the help of unspecified outside forensics specialists, the organization discovered “that an unauthorized actor accessed several employee email accounts between September 24, 2020 and December 1, 2020”—suggesting that the compromise continued for more than a month after suspicious activity was noticed. 

It wasn’t until July 15 of this year that the organization “identified the individuals potentially impacted by this incident after a thorough manual review” of the compromised email accounts, according to the disclosure. The level of compromise varies by individual, but an extensive list of information, some of it incredibly sensitive, was exposed as part of the hack, including: 

“date of birth, medical history, treatment or diagnosis, health information, health insurance information including policy and/or subscriber information, insurance application and/or claims information, birth certificate, marriage certificate, digital signature, facial photograph, email address and password, unique biometric data, vehicle identification number, username and password, military identification number, and for a smaller number of individuals may include Social Security number, driver’s license number, financial account information, and credit or debit card number.”

Healthcare providers are generally required to notify people affected by breaches of protected health information within 60 days under the U.S. Department of Health and Human Services’ Breach Notification rules. However, HHS guidance makes it clear that the clock for notification starts ticking on “the date the breach was discovered by the covered entity,” unless delay is requested by law enforcement.

Texoma Community Center’s notification did not reference working with law enforcement to respond to the breach, and the organization did not respond to The Record’s inquiry about the timeline of its investigation and notification processes. HHS declined to comment on the specific incident. 

Under HHS rules, covered entities that suffer breaches of health information affecting more than 500 people are also supposed to notify local media and the agency.

HHS publicly releases data about those reports. The agency’s database shows Texoma Community Center reported a “Hacking/IT Incident” involving email that affected 24,030 people on August 16 of this year.

The Texoma Community Center is notifying those affected for whom it has addresses by mail, per the website notice, and operating a hotline for patients to call for information about their status. The organization also shared resources related to preventing or limiting the impact of identity theft, including credit freezes. 

The healthcare sector has long been the target of digital attackers, including ransomware actors seeking profit and state actors seeking intelligence. The Texoma Community Center breach highlights how this epidemic of digital attacks affects smaller service providers who may not always have easy access to the expertise or resources to quickly contain, investigate, and disclose when sensitive information is compromised.
