Ransomware attack at Singapore eye clinic potentially breaches 73,000 patients’ data

A ransomware attack at a Singapore eye clinic has potentially exposed the personal data of more than 73,000 patients.

The security incident at Eye & Retina Surgeons (ERS) happened on August 6, Singapore’s Ministry of Health (MOH) confirmed in a statement.

ERS also notified police, the Personal Data Protection Commission, and Singapore’s Computer Emergency Response Team.

It has not yet been confirmed how many people had their information compromised or what type of datasets may have been accessed.

Government steps in

In light of the incident, the government has instructed ERS to work with the country’s federal cybersecurity agency to take mitigation actions and implement stronger cyber defenses.

“The government takes a serious view of any cyber-attack, illegal access of data, or action that compromises the integrity, confidentiality, and availability of data and IT systems in Singapore,” the statement read.

It also cited laws mandating that licensed medical organizations must implement “adequate safeguards” to protect healthcare records against accidental or unlawful loss, modification or destruction, or unauthorized access, disclosure, copying, use or modification.

They must also “periodically monitor and evaluate such safeguards in place to ensure that they are effective and being complied with by the persons involved in handling medical records”.

It added: “Following this incident, MOH will be reminding all its licensed healthcare institutions to remain vigilant, strengthen their cybersecurity posture, and ensure the security and integrity of their IT assets, systems, and patient data.”

Law of the land

Singapore’s data breach notification law, enacted in 2021, states that “notifiable” breaches must be reported to the data protection office.

For a breach to be notifiable, it must cause significant harm to the individuals whose information has been exposed, and/or affect more than 500 individuals.

An organization must notify the Cybersecurity Commissioner as soon as possible, and no later than three calendar days. Penalties could include a fine of up to 10% of an organization’s annual turnover or SGD 1 million ($742,000), whichever is higher.

How to protect yourself and your company from backdoor attacks

A backdoor is any method that allows somebody — hackers, governments, IT people, etc. — to remotely access your device without your permission or knowledge.

Any malware that provides hackers access to your device can be considered a backdoor — this includes rootkits, trojans, spyware, cryptojackers, keyloggers, worms, and even ransomware.

How Do Backdoor Attacks Work?

In a backdoor attack, hackers first find a weak point or a compromised application on your device to exploit — this could be a vulnerability in an application, an open port on your network, an account with a weak password, or a piece of malware that was installed on your device. Common weak points include:
  • Open ports.
  • Weak passwords.
  • Out-of-date software.
  • Weak firewalls.
Exploits are targeted attacks that take advantage of software vulnerabilities (usually in web-facing software like browsers, Adobe Flash, Java, etc.) in order to give hackers access to your system.

Examples of Backdoor Attacks

DoublePulsar cryptojacker. In 2017, security researchers discovered that the DoublePulsar backdoor malware (which was originally developed by the NSA, the US’s National Security Agency) was being used to monitor Windows PCs, installing a cryptojacker on computers with sufficient memory and CPU power.

PoisonTap. PoisonTap is a backdoor malware that allows hackers to access almost any website that you’ve logged into (including sites that are secured with two-factor authentication).

Best Ways to Prevent Backdoor Attacks

Use an Antivirus

Always use advanced software that can detect and prevent a wide range of malware, including trojans, cryptojackers, spyware, and rootkits. An antivirus will detect backdoor malware and eliminate it before it can infect your computer.

Download with Care

Backdoors are often bundled with seemingly legitimate free software, files, and applications. When downloading any file from the internet, check to see if you’re only getting the file you wanted, or if there are some nasty hitchhikers coming along for the ride.

Use a Firewall

Firewalls are essential for anti-backdoor protection — they monitor all incoming and outgoing traffic on your device. If someone outside of your approved network is trying to get into your device, the firewall will block them out, and if an app on your device is trying to send data out to an unknown network location, the firewall will block that app, too.

Use a Password Manager

Advanced password managers like Dashlane can even enhance your password vault’s security using biometric login or 2FA tools like TOTP generators and USB tokens.

French government visa website hit by cyber-attack that exposed applicants’ personal data

The personal data of visa applicants hoping to visit or emigrate to France has been exposed in a cyber-attack targeting the French government’s ‘France-Visas’ website.

France’s Ministry of Foreign Affairs and Ministry of the Interior, which jointly manage the site, said the attack took place on August 10 and was “quickly neutralized”, according to a Google translation of a French-language government press release published on Friday (September 3).

The compromised data comprises details entered during visa applications, including email addresses, first and last names, dates of birth, nationalities, and passport numbers or identity card numbers.

No financial or ‘sensitive’ data (as defined by the GDPR) was compromised, said the government ministries.

The press release did not disclose how many individuals are impacted or a range of dates within which visa applications were compromised.

The statement suggests that the stolen data would not be sufficient for the attackers to access government services under the guise of victims.

David Sygula, senior cybersecurity analyst at Paris-headquartered infosec firm CybelAngel, told The Daily Swig: “Such data is highly valuable like any PII for malicious purposes. Depending on the country and the freshness of data, one record can typically be sold for around 10 to several dozen euros on illicit sites (Dark Web).

“The data in question can be used for impersonation to carry out several types of fraud, such as opening a bank account or other malicious activities related to immigration (think human trafficking).”

The French government ministries said they immediately implemented measures to secure france-visas.gouv.fr and prevent further attacks.

Affected individuals have been notified of the data breach and been given recommendations for protecting their personal data and online identities, said the statement.

The French data protection regulator – the Commission nationale de l’informatique et des libertés (CNIL) – has been notified and a judicial investigation is underway, reads the press release.

David Sygula of CybelAngel said: “The mere success of the attack – although contained – is a way of attacking France as a country and institution. It may ‘give faith’ to other groups and harm France’s overall reputation regarding cyber exposure.”

The number of visas issued by the French government fell by nearly 80% between 2019, when 3.5 million visas were granted, and 2020, as the Covid-19 pandemic decimated international travel, SchengenVisaInfo.com has previously reported.

Statistics of cyber attacks

Exclusive Ransomware Poll: 80% of Victims Don’t Pay Up

As ransomware attacks continue to grow in volume and sophistication – not to mention profile, thanks to attacks like the one on Colonial Pipeline – organizations are becoming more aware of the risk. However, strategies for addressing ransomware turn out to be quite varied.

A full 80 percent said that they didn’t pay the ransom. The top reason cited, accounting for 42 percent of responses, is that paying the ransom doesn’t guarantee a decryption key.

What is the situation of ransomware?

When asked which vital defenses organizations should have in place to protect against ransomware attacks, organizations cited backups of critical data (24 percent), user-awareness training (18 percent) and endpoint/device protection (15 percent) as the top “must-haves.”

Meanwhile, 19 percent said budget constraints (having no money for deploying or upgrading defensive platforms) were an issue; while 18 percent said a lack of patching and legacy equipment was a top challenge.

Meanwhile, a national survey of 200 respondents from Group Salus found that just 15 percent of small- and medium-sized business (SMB) executives (defined as leading companies with revenues up to $100 million per year) see ransomware as a top threat that will result in financial outlay.

This is despite close to 40 percent of the companies experiencing a cyberattack of any kind, with nearly half, 45 percent, reporting they lost customer data and 27 percent saying they lost a significant amount of money because of the attack. The average cost of an attack was $200,000.

The Group survey also found that 30 percent of the SMB executives most feared losing irreplaceable data in a cyber-incident and 25 percent are most concerned about losing customers permanently because of a loss of trust in their organizations. Yet, ransomware was not top of mind.

“Couple this with research that shows ransomware attacks have increased more than 50 percent since 2019 and small business executives who believe they won’t have to pay, one way or another, for a cyber-breach are not being realistic,” said Group Salus CEO Larry Lafferty, in a media statement.

Personal details of 8,700 French visa applicants exposed by hackers

The government said that the attack was ‘quickly neutralised’ but that individuals’ names, dates of birth, passport and identity card numbers had been exposed

A cyber-attack has compromised the data of around 8,700 people applying for visas to visit or move to France via the France-Visas website. 

The Ministry of Foreign Affairs and the Ministry of the Interior – who jointly manage France-Visas – announced on Friday (August 3) that the cyber-attack had targeted a section of the site, which receives approximately 1.5 million applications per month. 

The ministries said in a statement that the attack had “been quickly neutralised,” although certain personal details – including names, passport and identity card numbers, nationalities and birth dates – had been leaked. 

A spokesperson for the Ministry of Foreign Affairs told The Connexion that no details of the nationalities affected or other information about the applicants could be given out to the press.

Not all of the people affected will have had all of these details exposed during the attack.

“This data could be subject to misuse, although its potential is limited due to the fact that it does not contain bank details or sensitive personal data from a GDPR [data protection] perspective,” the ministries added. 

“No one will be able to begin any administrative processes in the name of the person whose details have been hacked, whether on France-Visas or on any other French government website.”

Those whose details were revealed have been sent messages “containing safety recommendations and precautionary measures.”

The Ministry of Foreign Affairs worked with the Ministry of the Interior to “secure the platform” and prevent “events of this type from happening again.” 


The French data protection authority, Cnil, was informed about the attack and a judicial investigation is currently underway.

‘1 in 3 Indian PC home users at high risk of cyber attack risk’

Nearly one third (28.22 per cent) of PC home users in India are at high risk of cyber attacks, according to a report by digital security and privacy provider Avast.

Avast’s latest Global PC Risk Report also looked into the possibility of users facing ‘advanced’ threats — defined as more sophisticated or never-before-seen threats, designed to bypass common protection technologies included in security software, such as signatures, heuristics, emulators, URL filtering, and email scanning.

For this type of threat, Indian home users have a 5.78 per cent risk ratio, which is higher than the global average.

Home users around the world have a 29.39 per cent chance of encountering any type of PC malware, which represents an increase of around 5 per cent compared to the previous year.

Geographies with more conflict-prone socio-political situations, such as the Middle East, Asia, Africa, and Eastern Europe, seem to be facing more risk in the online world as well.

“The risk ratio has increased worldwide for all malware attacks, and we can see that India is no exception. In the pandemic, the internet has been kind of a ‘life saver’ for many, empowering them to stay connected with loved ones during the lockdown, to attend virtual workout sessions, get togethers, classes, and work remotely,” said Michal Salat, Director of Threat Intelligence at Avast, in a statement.

“But cybercriminals have also taken notice of this, and so we have seen a variety of tailored campaigns taking advantage of increased online activities, such as Covid-19 related attacks, sextortion campaigns, spyware, and ransomware,” Salat added.

Microsoft says Chinese hackers behind July 2021 SolarWinds zero-day attacks

Microsoft has shared technical details about a now-fixed, actively exploited critical security vulnerability affecting SolarWinds Serv-U managed file transfer service that it has attributed with “high confidence” to a threat actor operating out of China.

In mid-July, the Texas-based company remedied a remote code execution flaw (CVE-2011) that was rooted in Serv-U’s implementation of the Secure Shell (SSH) protocol, which could be abused by attackers to run arbitrary code on the infected system, including the ability to install malicious programs and view, change, or delete sensitive data.

“The Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration,” the Microsoft Offensive Research and Security Engineering team said in a detailed write-up describing the exploit.

“An attacker can exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. When successfully exploited, the vulnerability could then allow the attacker to install or run programs, such as in the case of the targeted attack we previously reported,” the researchers added.

While Microsoft linked the attacks to DEV-0322, a China-based collective, citing “observed victimology, tactics, and procedures,” the company has now revealed that the remote, pre-auth vulnerability stemmed from the way the Serv-U process handled access violations without terminating the process, thereby making it simple to pull off stealthy, reliable exploitation attempts.

“The exploited vulnerability was caused by the way Serv-U initially created an OpenSSL AES128-CTR context,” the researchers said. “This, in turn, could allow the use of uninitialized data as a function pointer during the decryption of successive SSH messages.”

“Therefore, an attacker could exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. We also discovered that the attackers were likely using DLLs compiled without address space layout randomization (ASLR) loaded by the Serv-U process to facilitate exploitation,” the researchers added.

ASLR refers to a protection mechanism that’s used to increase the difficulty of performing a buffer overflow attack by randomly arranging the address space positions where system executables are loaded into memory.

Microsoft, which disclosed the attack to SolarWinds, said it recommended enabling ASLR compatibility for all binaries loaded in the Serv-U process. “ASLR is a critical security mitigation for services which are exposed to untrusted remote inputs, and requires that all binaries in the process are compatible in order to be effective at preventing attackers from using hardcoded addresses in their exploits, as was possible in Serv-U,” the researchers said.

If anything, the revelations highlight the variety of techniques and tools used by threat actors to breach corporate networks, including piggybacking on legitimate software.

Back in December 2020, Microsoft disclosed that a separate espionage group may have been taking advantage of the IT infrastructure provider’s Orion software to drop a persistent backdoor called Supernova on infected systems. Cybersecurity firm Secureworks connected the intrusions to a China-linked threat actor called Spiral.

Attackers Sell Your Internet Bandwidth for Passive Income

According to researchers, a method involving the abuse of proxyware has been gaining traction in the cybercrime landscape.

Selling internet bandwidth

Attackers are now sharing victims’ internet connections via proxyware platforms such as Honeygain and Nanowire to make illicit money.

  • These platforms allow users to share a small percentage of internet bandwidth in exchange for nominal charges.
  • Attackers were also observed installing digital currency miners and info-stealers to earn additional revenue.
  • Researchers have spotted a malware family dropping a patched version of the Honeygain client, info-stealer, and XMRig miner. Later, it was found to be delivering Nanowire clients.
  • Ideally, platforms such as Honeygain have limitations on the number of devices for a single account. However, attackers can always register numerous accounts to increase their operational capabilities.

How does it work?

The business model of commercializing extra bandwidth is very lucrative and, at the same time, it is gaining traction among attackers as well.

  • In a typical attack campaign, the attacker quietly installs a malicious code bundled with a genuine proxyware client software on the victim’s devices. 
  • The malware family then attempts to install the proxyware on the victim’s PC. 
  • In the next stage, it registers the software under an account created by attackers to provide a referral bonus to the attackers.
  • Upon activation, the proxyware client starts selling the victim’s bandwidth without their awareness. 

Ending note

The concept of proxyware services may be the beginning of a new category of threats, similar to cryptojacking.

Hackers take down child pornography sites

Hacktivist group Anonymous has briefly taken offline 40 sites it claims traded in images of child sexual abuse.

As part of the action it published the names of 1,500 people who it says used a site known as “Lolita City”.

The attacks were carried out as part of Operation Darknet which targeted abuse groups that swapped images via the Tor network.

Experts condemned the attacks saying they could have scuppered ongoing investigations or tainted evidence.

The Tor network tries to aid anonymity by routing web browsing queries through a series of servers scattered around the net. This makes it harder to trace users and monitor what they are seeing.

Many protestors, in nations such as Egypt and Syria, use Tor to hide their location from authorities.

One innovation, recently added to Tor, is the ability to create a “darknet” – a network that works in a similar way to the web but can be seen only by Tor users.

In early October, Anonymous hackers noticed that one site hosted on this Tor darknet contained links to images of child sex abuse.

Anonymous members removed the links but they were soon re-posted. It knocked the site offline with a denial of service attack and worked out which firm was hosting the links.

In a document detailing its actions, Anonymous said it ordered the firm to remove the illegal content. It claimed the demand was refused, so it broke into the firm’s network and shut down a series of computers hosting the abuse images.

It vowed to continue the attacks until the images and other content were removed.

The firm accused of hosting the content has yet to respond to a request for comment on the attacks.

Christian Sjoberg, boss of image analysis firm NetClean which helps police forces categorise images of abuse, said while removing images was laudable, hackers should think carefully about what they have done.

“It could be dangerous,” he said, “because if it’s a big host the police will definitely know about it.”

“If you think of these images as evidence of a crime that’s published on the internet then the picture gets a bit more complicated,” he said.

Graham Cluley, senior technology consultant at security firm Sophos, said the attacks were misguided.

“Take-downs of illegal websites and sharing networks should be done by the authorities, not net vigilantes,” he said.

The attacks could have put an existing investigation at risk, stopped the police from gathering evidence they need to prosecute, or made it difficult to argue that evidence has not been corrupted, said Mr Cluley.

“The Anonymous hackers may feel they have done the right thing, but they may actually have inadvertently put more children at risk through their actions,” he said.

Instagram vulnerability nets researcher $30k after exposing users’ private content

An ethical hacker has landed a $30,000 bug bounty payout after finding a security vulnerability in Instagram that potentially exposed users’ private content to nefarious actors.

Indian bug hunter Mayur Fartade claimed the prize from Facebook’s bug bounty program for an exploit that revealed victims’ private and archived posts, stories, video reels, and IGTVs (long-form, immersive videos).

The exploit, which did not require victims to accept the attacker as a follower, involved brute-forcing the target’s Media ID and sending a POST request to one of two vulnerable endpoints, explained Fartade in a blog post.

The response duly returned display and image URLs, and like, comment, and save counts, among other details.

The vulnerable endpoints also exposed the URLs of Facebook pages linked to Instagram accounts.
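As an added illustration (not Instagram’s code or Fartade’s), the following Python models the check that the endpoints lacked: one handler serves any media record by ID alone, the other verifies the viewer’s relationship to the owner before answering. All names, rules and sample data are constructed.

```python
"""Model of the authorization check a media-details endpoint needs.

Constructed example (not Instagram's code): a tiny in-memory store with two
handlers. `get_media_vulnerable` returns details for any media ID whoever asks,
the class of flaw described above; `get_media_hardened` applies owner / follower /
archived rules before returning anything.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: int
    is_private: bool
    followers: set = field(default_factory=set)  # user_ids approved as followers


@dataclass
class Media:
    media_id: int
    owner_id: int
    archived: bool
    display_url: str
    like_count: int


# Constructed sample data: a private account (id 1) with one live and one
# archived post, and a public account (id 3) with one post.
ACCOUNTS = {
    1: Account(user_id=1, is_private=True, followers={2}),
    3: Account(user_id=3, is_private=False),
}
MEDIA = {
    1001: Media(1001, owner_id=1, archived=False, display_url="https://cdn.example/1001.jpg", like_count=12),
    1002: Media(1002, owner_id=1, archived=True, display_url="https://cdn.example/1002.jpg", like_count=3),
    3001: Media(3001, owner_id=3, archived=False, display_url="https://cdn.example/3001.jpg", like_count=7),
}


def _serialize(m: Media) -> dict:
    return {"media_id": m.media_id, "display_url": m.display_url, "like_count": m.like_count}


def get_media_vulnerable(viewer_id: int, media_id: int):
    """Looks up the record by ID only; the viewer's relationship to the owner is never checked."""
    m = MEDIA.get(media_id)
    return _serialize(m) if m else None


def can_view(viewer_id: int, m: Media) -> bool:
    """Owner sees everything; archived media is owner-only; otherwise the owner's
    account must be public or the viewer must be an approved follower."""
    if viewer_id == m.owner_id:
        return True
    if m.archived:
        return False
    owner = ACCOUNTS[m.owner_id]
    return (not owner.is_private) or (viewer_id in owner.followers)


def get_media_hardened(viewer_id: int, media_id: int):
    """Same lookup, but an unauthorized request gets the same answer as a missing
    ID, so a caller probing IDs learns nothing about which private media exist."""
    m = MEDIA.get(media_id)
    if m is None or not can_view(viewer_id, m):
        return None
    return _serialize(m)
```

Returning the same "not found" response for missing and forbidden IDs is what stops ID enumeration from doubling as an existence oracle.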

Timeline

Fartade reported a vulnerable GraphQL endpoint on April 16 and the second vulnerable endpoint on April 23.

An initial fix implemented on April 29 was only partial, according to Fartade.

However, a spokesperson for Facebook told The Daily Swig: “This issue has now been resolved, and we have not discovered any evidence of abuse.”

Previous Facebook payouts

Fartade’s escapades are the latest in a string of hefty Facebook payouts to be documented by bug hunters.

This includes a $55,000 reward for the potential compromise of Facebook internal networks via vulnerabilities in a third-party application, and $30,000 prizes for a three-bug exploit of Facebook and Oculus accounts, and for creating hidden posts on Facebook pages without authorization.

And, earlier this month, an ethical hacker earned $3,000 after bypassing Android’s lock screen during a Messenger Rooms video chat to access users’ private Facebook content.
