Insider threats are a common problem for companies now increasingly reliant on computers and electronic systems, with the risk of intellectual property theft a constant worry.
For one locomotive manufacturer in Chicago, a software engineer who had been handed the keys to the kingdom became the ultimate example of how much data a single individual can steal -- and where it may end up.
According to newly unsealed federal indictment charges revealed by the US Department of Justice (DoJ) on Thursday, Xudong "William" Yao is currently in hiding after allegedly stealing a vast array of information belonging to his former employer.
The unnamed locomotive manufacturer hired Yao in 2014. US prosecutors say that within two weeks of starting his new job, Yao downloaded over 3,000 electronic files containing "proprietary and trade secret information relating to the system that operates the manufacturer's locomotives."
This was not the end of the matter. Over the course of the next six months, the software engineer allegedly continued to download and steal more files containing corporate and intellectual property.
Notably, this included nine complete copies of the company's control system source code and the technical blueprints which described how the source code worked in depth.
While Yao pilfered the US company's trade secrets, the engineer also reportedly accepted a job with a business in China that specializes in automotive telematics.
In February 2015, Yao was fired for reasons which were not related to theft by the US locomotive firm. In July 2015, following his dismissal, Yao made copies of the stolen data, traveled to China, and began working for his new employer. The engineer then traveled to Chicago with the stolen intellectual property in his possession before once again returning to China.
Since his last known movements, the engineer has not been traced, but US law enforcement believes Yao is on the run in China. A federal warrant was issued in 2017, but the engineer has yet to be apprehended.
Yao is charged with nine counts of theft of trade secrets. If found and convicted, the software engineer faces up to 10 years in prison.
Earlier this month, a 64-year-old electrical engineer was found guilty of conspiring to smuggle military-grade semiconductor chips to China. The engineer and co-conspirators posed as customers to gain access to custom processors, and the physical products were then shipped to a Chinese company. The processors are used by clients including the US Air Force and DARPA.
Attackers Demand Bitcoin Ransom After Encrypting Data
(asokan_akshaya) • July 11, 2019
A new ransomware strain called eCh0raix is targeting enterprise storage devices sold by QNAP by exploiting vulnerabilities in the gear and brute-forcing weak credentials, according to the security firm Anomali.
The ransomware is targeting QNAP's line of enterprise-grade network-attached storage (NAS) devices, which are used for file storage and backup, because these devices typically do not run anti-virus software, Anomali says in a blog post.
The file-locking malware first surfaced in late June, when victims reported ransom demands in a BleepingComputer forum thread. The forum posts identified the affected storage devices as the QNAP TS-251, QNAP TS-451, QNAP TS-459 Pro II and the QNAP TS-253B.
The infected systems were not fully patched, and others reported detections of failed login attempts, according to posts on the BleepingComputer forum as well as the Anomali blog.
QNAP is a Taiwan-based storage company that focuses on network-attached storage for file sharing, virtualization and surveillance applications. In the U.S., the company is believed to have 19,000 publicly facing QNAP devices, which could be susceptible to this particular strain of ransomware, the Anomali researchers note.
QNAP could not be immediately reached for comment.
This is the second time this year that malware has been discovered on QNAP's NAS devices. In February, the company issued a security alert stating that an unknown strain of malware was disabling software updates within its devices, leaving them vulnerable to further attacks.
The new eCh0raix ransomware was written and compiled in the Go programming language, and its source code is a minuscule 400 lines, according to the Anomali research.
The ransomware has been designed to carry out targeted attacks: it encrypts files with targeted extensions on a NAS device using AES encryption and appends the ".encrypt" extension to each encrypted file, Anomali reports.
The eCh0raix ransomware has a low detection rate in anti-virus products, the researchers note.
"It is not common for these devices to run anti-virus products, and currently the samples are only detected by two to three products on VirusTotal, which allows the ransomware to run uninhibited," the researchers write in their blog.
In addition, the analysis of the hard-coded encryption keys of the malware samples revealed that the same decryptor would not work for all victims, the blog notes.
Those who were attacked were notified that their data was locked and were directed to make a ransom payment in bitcoin and not to meddle or tamper with the code.
In addition, the researchers examined the command-and-control server associated with the ransomware and noted that the malware checks whether the infected NAS device's IP address is located in Belarus, Ukraine or Russia and exits without further action if it is.
"This technique is common amongst threat actors, particularly when they do not wish to infect users in their home country," according to the Anomali blog.
To protect against these types of attacks, the researchers recommend that organizations restrict external access to QNAP storage devices, ensure the devices are updated with security patches and use strong credentials.
Ransomware attacks are on the rise, with attackers increasingly targeting government agencies that seem ill-prepared to cope (see: More US Cities Battered by Ransomware).
In several recent cases, including one ransomware attack that hit Lake City, Florida, it appears that these municipal governments did not have adequate backup to help recover once critical files were locked. This resulted in some communities opting to pay a ransom to get the decryption key (see: Second Florida City Pays Up Following Ransomware Attack).
Researchers Find Skimmers Designed to Skim Payment Data in 17,000 Domains
(@Ferguson_Writes) • July 11, 2019
A cybercriminal gang associated with the umbrella organization known as Magecart has been inserting malicious JavaScript into unsecured Amazon Web Services S3 buckets to skim payment data, according to research published by RiskIQ Thursday.
Security researchers have been tracking this latest development since at least May. So far, they've identified about 17,000 domains infected with JavaScript skimmers - also referred to as JavaScript sniffers or JS sniffers, RiskIQ reports. This malicious code is proficient at sweeping up payment card data that includes name, card number, expiration date and CVV information, researchers say.
Once a gang finds a misconfigured Amazon S3 bucket that lacks proper access controls and authentication, it can read or write content to it without much difficulty, according to RiskIQ.
In addition, this particular group is going beyond targeting e-commerce and other online shopping sites. The RiskIQ analysis found that many of the unsecured S3 buckets belonged to companies listed in the Alexa Top 2000 list of popular websites.
RiskIQ is working with Amazon Web Services in an attempt to contact the owners of these unsecured databases to help secure the buckets and remove the malicious code, says Yonathan Klijnsma, a threat researcher at RiskIQ who's been tracking Magecart and skimmer attacks over the last several months.
"The approach is broad, and unlike past Magecart attacks, there is no filtering to e-commerce only, so the impact could have been so much bigger than just an e-commerce skimming breach," Klijnsma tells Information Security Media Group. "We've seen the skimmers end up on very popular websites but not on a payment page, which means it did not skim any data."
Most of these JS-sniffer or skimmer attacks are associated with an umbrella organization known as Magecart, which comprises 12 cybercriminal "families" that have been extremely active over the last year to 18 months (see: E-Commerce JavaScript Sniffer Attacks Proliferate: Report).
Klijnsma calls the new gang that RiskIQ discovered "Magecart Group 13." But he says there are likely more than 13 gangs operating under the same umbrella and using many of the same malicious tools, which are bought for relatively little money on dark net forums.
Most recently, Magecart-associated groups have been suspected in attacks against shoe manufacturer Fila as well as the bedding sites Mypillow.com and Amerisleep.com, according to an earlier analysis by security firm Group-IB and RiskIQ.
Other suspected victims of Magecart-style attacks include British Airways, Ticketmaster and Newegg.
Earlier this week, Britain's privacy watchdog issued a "notice of intent" that it plans to fine British Airways about $230 million for violating the EU's General Data Protection Regulation. That violation of the law is believed to be tied to the Magecart attack (see: British Airways Faces Record-Setting $230 Million GDPR Fine).
In this latest attack, the Magecart-associated gang is using what RiskIQ calls a "spray and pray" technique.
By scanning the internet for as many unsecured Amazon S3 buckets as they can find, the cybercriminal gang is attempting to inject the skimmers into as many domains as possible. The gang looks for JavaScript files in each bucket, downloads them, appends its skimming code to the bottom and then overwrites the original script in the bucket with the modified version, according to RiskIQ.
The one drawback for the attackers is that the malicious JavaScript only works on webpages that contain payment forms using JavaScript, and not every unsecured database houses this type of code, according to RiskIQ. But because there are so many unsecured S3 buckets, if only a small percentage have JavaScript payment forms, they could yield a financial windfall for hackers, Klijnsma says.
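The misconfiguration this campaign relies on is a bucket that any caller can write to. The following check, an added example that is not code from RiskIQ or the original article, flags bucket policy statements and ACL grants that let everyone overwrite objects such as hosted JavaScript. The bucket name, Sids and grants are constructed, and the policy and ACL documents are assumed to have been fetched already (for instance with the AWS CLI's get-bucket-policy and get-bucket-acl).

```python
import fnmatch
import json

# Real AWS canned-group URIs; a grant to either of them is public.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let a caller replace objects such as hosted JavaScript files.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject")
WRITE_ACL_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_is_everyone(principal):
    # Principal "*" or {"AWS": "*"} means any caller, anonymous ones included.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def _grants_write(action_patterns):
    # IAM action names are case-insensitive and may carry wildcards (s3:Put*, s3:*).
    return any(fnmatch.fnmatchcase(a.lower(), p.lower())
               for p in action_patterns for a in WRITE_ACTIONS)

def public_write_statements(policy_json):
    """Sids (or positional labels) of Allow statements that let anyone write objects."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        # Condition-gated statements need manual review; NotAction is not modelled.
        if stmt.get("Condition") or "NotAction" in stmt:
            continue
        if _grants_write(_as_list(stmt.get("Action"))):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings

def public_write_acl_grants(grants):
    """(group URI, permission) pairs from an ACL grant list that let everyone write."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
            and g.get("Permission") in WRITE_ACL_PERMISSIONS]

# Constructed sample inputs, not taken from any real bucket.
PUBLIC_READ = {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    PUBLIC_READ,
    {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-assets/*"},
]})
# Hardened form: the public read of static assets stays, writes need an IAM identity.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [PUBLIC_READ]})
WEAK_ACL = [{"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "WRITE"}]
```

Running public_write_statements over WEAK_POLICY reports the PublicWrite statement and nothing for HARDENED_POLICY; an empty result from both functions is the state to aim for on any bucket that serves scripts.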
What's not yet clear is whether the gang is selling its stolen payment card information on dark net forums or using it to make fraudulent charges, Klijnsma says.
"We estimate the yield of websites that are producing actual payment data to be very low compared to the number of sites they compromised," Klijnsma says. "We do not have any actual profit amounts on this campaign. However, groups always factor in the opportunity cost before performing campaigns. The sheer volume of websites they accessed probably made the campaign lucrative."
The RiskIQ research on this latest Magecart attack only focused on Amazon Web Services and the company's cloud-based databases. It's possible that the same group is targeting companies that use the other two big cloud services - Microsoft Azure and Google Cloud Platform - but Klijnsma and his team have not yet seen evidence of that.
One reason why Amazon Web Services is such a tempting target is its sheer size. An analysis by Synergy Research of the top cloud services during the fourth quarter of 2018 found that AWS is larger than its next four closest competitors combined and that it controlled well over 30 percent of the infrastructure-as-a-service market during those three months.
Misconfigured or unsecured Amazon S3 buckets are part of a much larger security issue. In the past two weeks, for example, researchers with UpGuard located an unsecured Amazon database owned by IT services firm Attunity that left at least 1 TB of data, including files from companies such as Netflix, TD Bank and Ford, exposed to the internet (see: UpGuard: Unsecured Amazon S3 Buckets Exposed 1 TB of Data).
In the case of the Attunity-owned database, it's not clear if anyone managed to access the data. And while it's up to Amazon's customers to secure these cloud-based databases, the Magecart attacks show what a daunting task this can turn into, even with AWS' help in trying to locate customers who have been breached.
"While it is up to the customers to configure their S3 buckets, our partnering with Amazon is mostly for remediation outreach as these are their customers," Klijnsma says. "For us to reach out to every organization in the list is nearly impossible."
Agreement Follows Proposed $74 Million Settlement of Class Action Lawsuit
(HealthInfoSec) • July 11, 2019
Health insurer Premera Blue Cross has signed a $10 million HIPAA settlement with the attorneys general of 30 states in the wake of a data breach that exposed personal information on more than 10.4 million individuals nationwide.
The settlement tied to a 2014 breach disclosed in 2015 was announced Thursday by Connecticut Attorney General William Tong.
The coalition of 30 state attorneys general, led by Washington State Attorney General Bob Ferguson, investigated Seattle-based Premera's cybersecurity vulnerabilities that gave a hacker unrestricted access to protected health information for nearly a year, Tong said in a statement.
Under the settlement, the insurer is required to implement specific data security controls intended to safeguard PHI. That includes annually reviewing its security practices and providing data security reports to the attorneys general.
Premera's $10 million payment to the states is in addition to a proposed $74 million class action lawsuit settlement, which was filed in June.
"Premera was repeatedly warned by cybersecurity experts about deficiencies in its security program, yet the company failed to fix its practices," Tong said in the statement.
The multistate settlement against Premera involves Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington.
Under the settlement, Premera must:
- Ensure its data security program protects personal health information as required by law;
- Regularly assess and update its security measures;
- Provide data security reports, completed by a third-party security expert approved by the multistate coalition, to the Washington state attorney general's office;
- Hire a CISO experienced in data security and HIPAA compliance who will be responsible for implementing, maintaining and monitoring the company's security program;
- Hold regular meetings between the CISO and Premera's executive management. The CISO must meet with Premera's CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.
Premera did not immediately respond to a request for comment.
The new #1 cyber threat - attacks on the applications that power your business
July 11, 2019
In today's hyper-connected organizations, you depend on externally facing web, mobile, and API-based applications to connect with customers, partners, suppliers, and employees. These strategically important applications support business processes and enable you to create an extended, efficient digital ecosystem.
Unfortunately, these same applications have become primary targets for two vastly different, but equally dangerous, types of cyberattacks. Successful application breaches can lead to financial fraud, stolen IP, and business disruption.
Cequence Security recently completed two separate research projects with Ponemon Institute and Osterman Research, which provide insights into these attacks and defense strategies at nearly 900 organizations across the US.
Watch this OnDemand webinar and learn:
- What the two cyberattacks are and how they're dangerous;
- How they're impacting your peers;
- What you can do to protect your hyper-connected organization.
The relationship between American Medical Collection Agency and its clients affected by the company's data breach will be closely examined as breach-related lawsuits progress, says attorney Paul Hales, a HIPAA specialist. That's because plaintiffs will attempt to win settlements from AMCA's deep-pocket laboratory company clients, he says.
AMCA's parent company - Retrieval-Masters Credit Bureau - filed a petition for bankruptcy protection in a New York federal court in June just weeks after the public disclosure of the data breach, which affected the protected health information of more than 20 million individuals. Those victims included millions of patients of AMCA's largest clients, including medical testing laboratories Quest Diagnostics and LabCorp.
In its bankruptcy court filing, AMCA says it faced "a cascade of events that ultimately has resulted in the [company's] need to seek relief under Chapter 11." That includes Quest Diagnostics, LabCorp and other clients ending their business relationships with AMCA in the aftermath of the breach.
But those factors, and AMCA's bankruptcy filing, will not necessarily get Quest Diagnostics, LabCorp and other AMCA clients off the hook in the many class action lawsuits filed against AMCA and the labs in the aftermath of the breach, says Hales, who is not involved in the case.
"A key legal issue is whether AMCA acted as an 'agent' under federal common law. ... That's incorporated in the HIPAA enforcement [regulations]," Hales explains in an interview with Information Security Media Group.
To determine whether a business associate acted as an "agent" of a HIPAA covered entity, federal regulators look at "the level of control over a business associate that a covered entity is able to have, as established under a contract, such as a business associate agreement, and whether that control is used or not," he says.
"Lawyers like to use boilerplate language that gives maximum control to their clients. And that's usually good, except in a HIPAA situation it can have a very bad outcome" if there is a data breach involving a business associate, he says.
AMCA is a HIPAA business associate, and court filings suggest it may have committed HIPAA violations, such as failure to conduct a risk analysis, review system activity and detect malicious software, Hales says. Although patients cannot sue based solely on HIPAA violations, failure to comply with HIPAA can be used as a standard in other types of lawsuits alleging negligence caused harm, he contends.
Attorneys representing individuals impacted by the AMCA breach will look at the level of control Quest Diagnostics, LabCorp and other clients had over AMCA's data security and other practices that potentially established the collection agency as an "agent," Hales says.
Plaintiffs' attorneys will want to go after the labs served by AMCA because of their financial resources, the attorney says. "AMCA is really the small fish. The deep pockets are with the laboratory companies and their parents."
In this in-depth interview, Hales also discusses:
- What to expect next in the many class action lawsuit petitions that have been filed in federal courts across the country against AMCA and its large medical testing laboratory clients;
- Why AMCA's compliance with federal regulations other than HIPAA also potentially will be a key issue;
- The growing risks of medical identity theft and fraud following a health data breach.
Hales is a private practice health information security and privacy attorney. He's also an attorney and principal health information consultant with ET&C Group LLC, an international HIPAA compliance consulting practice based in St. Louis.