
NCSC Urges Customers to Stay Aware About Scams On E-commerce Platforms


The National Cyber Security Centre (NCSC) has issued a final appeal to consumers ahead of the busiest shopping weekend before Christmas, urging them to be alert to fraud and data theft. The GCHQ agency asked shoppers to secure their devices, to be wary of unsolicited messages, and to limit the amount of information they enter into online shopping and e-commerce websites. According to the banking body UK Finance, around €22 bn was spent online on Christmas shopping last year because of the Covid-19 pandemic. 

With the Omicron variant now spreading, 2021 will probably see a similar pattern, leaving more customers exposed online. The attacks come in many forms: phishing emails carrying fake shipping details, fake warnings about hacked accounts, or fake gift cards that require the user to share personal details in order to claim the offer. Customers may also be contacted through social media messages and emails with "unbelievable" offers on popular gift items such as electronics. Once a customer falls for one of these tricks, they lose their money along with banking details and personal information, which is harvested by the attackers. 

According to the NCSC, the pressure to buy last-minute presents during the festive season is one reason customers fall for such attacks so easily. To stay safe, users can follow some practical steps, such as setting a strong password on a shopping website before placing an order. It is advised to use strong, unique passwords with two-factor authentication for every account, especially banking, email and payment services. Online customers are also advised to ignore unsolicited notifications, particularly messages linking to suspicious websites, and platforms that depend on payment with a credit card. 

Lastly, customers should check out as guests when making a purchase, to avoid revealing more personal information than necessary. As the NCSC puts it: "if you think your credit or debit card has been used by someone else, let your bank know straight away so they can block anyone using it. Always contact your bank using the official website or phone number. Don't use the links or contact details in the message you have been sent or given over the phone."

Consumers Warned of Rising Delivery Text Scams


Consumers are being advised to be wary of delivery scam texts while shopping online for Christmas and the Boxing Day sales. 

New research from cybersecurity firm Proofpoint shows that delivery 'smishing' scams are on the rise during the busiest shopping season of the year, according to UK Finance. So far in Q4, more than half (55.94%) of all reported smishing text messages have impersonated parcel and package delivery firms. In Q4 2020, that figure was only 16.37 percent. 

Compared with Q4 2020, Proofpoint saw a considerable decrease in other types of smishing fraud in Q4 2021. Text scams mimicking financial institutions and banks, for example, accounted for 11.73 percent of all smishing attacks in 2021, compared to 44.57 percent in 2020. 

The figures come from Proofpoint's operation of the NCSC's 7726 text message reporting service, which customers can use to report suspicious texts. 

Delivery smishing scams typically begin with a fraudster sending a bogus text message telling the recipient that the courier was unable to make a delivery and demanding a fee or other information to rearrange it. The consumer is directed to a fake parcel delivery company's website, where they are asked to provide personal and financial information. 

Following the significant growth in online shopping during COVID-19, this form of scam has become increasingly common. Over two-thirds (67.4%) of all UK texts reported as spam to the NCSC's 7726 service in the 30 days to mid-July 2021 were delivery scams, according to Proofpoint. 

In a recent investigation, Which? revealed a very clever smishing fraud involving an extremely convincing fake DPD website. 

Katy Worobec, managing director of economic crime at UK Finance, commented: “Scrooge-like criminals are using the festive season to try to trick people out of their cash. Whether you’re shopping online or waiting for deliveries over the festive period, it’s important to be on the lookout for scams. Don’t let fraudsters steal your Christmas – always follow the advice of the Take Five to Stop Fraud campaign and stop and think before parting with your information or money.” 

Steve Bradford, senior vice president EMEA at SailPoint, stated: “The sharp rise in text message scams – or smishing, which has increased tenfold compared to last year, should be a stark warning to the public. With parcel delivery scam texts expected to spike this Christmas, it’s clear cyber-criminals are using every opportunity available to target victims using new methods. This comes as more businesses use SMS to engage with customers, to accommodate the digital-first mindset that now characterizes many consumers. But this also opens the doors to threat actors able to masquerade as popular websites or customer service support."

“Consumers must be extra vigilant and refrain from clicking any links in text messages that they’re unsure about. It’s also crucial they are keeping their data, identities, and banking information safe – for example, by not taking pictures of their credit card and financial information, since photos often get stored in the cloud, which risks potential exposure to malicious actors.”

Brazil's Ministry of Health has been Subjected to a Second Cyberattack in Less than a Week


Brazil's Ministry of Health has been subjected to a second cyberattack in less than a week, compromising a number of internal systems, including the platform that stores COVID-19 vaccination data. The announcement came three days after the department suffered its first major ransomware attack, from which it was still recovering. On Monday evening, health minister Marcelo Queiroga confirmed the second attack, saying the latest incident, which occurred in the early hours of the same day, was smaller than the first.

The initial cyberattack, discovered on Friday, rendered all Ministry of Health websites inaccessible. According to a message left by the Lapsus$ Group, which has claimed responsibility for the attack, 50TB of data was extracted and then erased from the MoH's systems. Queiroga later stated that the department has a backup of the data that was allegedly taken during the cyberattack. 

According to the Federal Police, which is investigating the issue, the first attack exposed data on COVID-19 case notifications as well as the broader national vaccination programme, in addition to ConecteSUS. 

According to Queiroga, the department is attempting to restore the systems as soon as possible. However, he said the second attack meant that ConecteSUS, the platform that issues COVID-19 vaccination certificates, would not be available as scheduled. Queiroga stated that while the attempt was unsuccessful and no data was lost, the second incident "caused turmoil" and "got in the way" of restoring systems. The minister did not say when the affected systems would be operational again. 

The government's confirmation of the second cyberattack was followed by a statement from the Ministry of Health saying that Datasus, the department's IT function, had carried out a preventive systems maintenance exercise on Monday, leaving systems temporarily unavailable. Because of the second attack, civil servants were sent home on Monday, as it was impossible to access the health ministry's core systems, such as the platforms that produce COVID-19 pandemic reports. 

The Brazilian government's Institutional Security Office (GSI) issued a statement confirming that new attacks on cloud-based systems managed by government agencies had taken place. It did not, however, disclose which departments or services were targeted. It added that teams have been instructed to preserve evidence and that best practices for incident management are being followed. 

An attack on the Brazilian Health Regulatory Agency (Anvisa) occurred in September; it targeted the health declaration for travellers, which is required for visitors entering Brazil through airports. The attack came shortly after the cancellation of a World Cup qualification match between Brazil and Argentina, which Anvisa called off after four Argentine players were accused of violating COVID-19 travel guidelines.

UK's Failure to Address Cybersecurity Issue Can "Wreak Havoc"


Britain's long-term risk planning is under-powered, leaving the nation exposed to cyber threats from external actors, according to the latest House of Lords (HoL) report. The report, titled "Preparing for extreme risks: Building a resilient society," was released by the upper chamber's Select Committee on Risk Assessment and Risk Planning after it interviewed 85 expert witnesses. 

According to the HoL report, "the Committee was formed amid the global upheaval of the COVID-19 pandemic. Whilst the Committee never intended to undertake a COVID-19 inquiry, the pandemic has taught us daily lessons about the need for better resilience. The whole of society currently is engaged in a fight against the virus." The report concludes that the government spends much of its time responding to emergencies and crises, neglecting the kind of long-term planning that would have prepared the UK for the Covid-19 pandemic. The UK's failure to handle the Covid-19 outbreak was evident. 

Besides this, the inquiry's analysis of the risk assessment process found that the current machinery lacks the capacity to identify and address future problems and threats. But the pandemic is not the only risk the UK faces. A severe space weather event could disrupt the smart technology most people depend on, including the internet, GPS, power supplies, and communication systems. A cyber-attack on the UK's national infrastructure could have major repercussions. An AXA report released earlier this year ranked cybersecurity as the second biggest global risk, after climate change. 

Cyber risk was also listed as the number one business risk for the coming decade by North American and UK respondents to a World Economic Forum (WEF) survey released in 2020. "We consider that generalized resilience is the right response to the threat of increasingly unpredictable risk. The Government's risk management system should change from attempting to forecast and mitigate discrete risks, towards a more holistic system of preparedness. Reframing risk management through the lens of resilience would produce a risk management system that ties all sectors of society together," the HoL report says.

Cybercriminals Exploit Omicron as an Enticement to Steal University Credentials


Researchers at Proofpoint have discovered an uptick in email threats, aimed mostly at North American institutions, that seek to steal university login credentials. COVID-19 themes, such as testing information and the new Omicron variant, are frequently used as lures. Proofpoint observed COVID-19 themes affecting educational institutions throughout the pandemic, but persistent, targeted credential theft attacks against universities began in October 2021. Following the disclosure of the new Omicron variant in late November, threat actors began using it in credential theft campaigns. 

According to Brett Callow, a threat analyst with the cybersecurity firm Emsisoft, fraudsters frequently use news events to dupe their victims. “If there’s a significant event, be it a pandemic or a Super Bowl, it will be used as bait for phishing,” Callow said. 

According to Selena Larson, a senior threat intelligence analyst at Proofpoint and co-author of the blog post, the wave of phishing attacks mentioning the Delta, and now the Omicron, variants was very specific in its targeting of universities. She expects the attacks to increase over the coming two months as colleges conduct more campus testing in response to both holiday travel and the emergence of the Omicron variant. 

The phishing emails used in these attacks contain either malicious attachments or URLs leading to pages designed to capture university account credentials. Although Proofpoint has identified several campaigns that use generic Office 365 login pages, these counterfeit landing pages often replicate a university's official login portal. The threat actors behind some of these campaigns also attempted to steal multifactor authentication (MFA) credentials by impersonating MFA providers such as Duo. By capturing MFA tokens, an attacker can circumvent the second layer of security that is meant to keep out threat actors who already hold a victim's password. 

Although most of the emails in these campaigns are sent from spoofed senders, Proofpoint has also seen threat actors using real, compromised university accounts to send Covid-19 themed threats. Attackers are most likely stealing credentials from one college and then sending the same lures to other universities from the compromised mailboxes. 

To avoid becoming a victim of these or other email-based threats, the researchers said, university students should carefully check the sender addresses of messages they receive, avoid clicking on any links in suspicious emails, and refrain from logging into their school's online portal after clicking on links in emails that appear to have come from their university or college.

Ransomware Groups are Escalating Their Attacks on Healthcare Organizations


Ransomware groups have shown no sign of easing their attacks on hospitals, and appear to be intensifying attacks on healthcare institutions as countries all over the world cope with a new wave of COVID-19. 

Two healthcare institutions, in California and Arizona, have begun sending breach notification letters to thousands of people after both disclosed that sensitive information, including Social Security numbers, treatment information, and diagnosis data, was obtained during recent attacks. 

LifeLong Medical Care, a California health facility, is mailing letters to about 115 000 people informing them of a ransomware attack on November 24, 2020. The letter does not name the ransomware gang responsible. It does state that Netgain, a third-party vendor that provides services to LifeLong Medical Care, "discovered anomalous network activity" and concluded by February 25, 2021 that it was a ransomware attack. 

Netgain and LifeLong Medical Care completed their investigation by August 9, 2021. They found that full names, Social Security numbers, dates of birth, patient cardholder numbers, and treatment and diagnosis information were accessed and/or taken during the attack. 

LifeLong Medical Care advises affected individuals to consider credit monitoring services, fraud alerts, or security freezes on their credit files, to review their credit reports, and to stay attentive to "financial account statements, credit reports, and explanation of benefits statements for fraudulent or unusual behavior." 

For further information, anyone with questions can call (855) 851-1278, which is a toll-free number. 

After being hit by a ransomware attack that exposed confidential patient information, Arizona-based Desert Wells Family Medicine was compelled to issue a similar letter to 35 000 patients. 

On May 21, Desert Wells Family Medicine learned it had been hit by ransomware and promptly engaged an incident response team to assist with the recovery. The incident was also reported to law enforcement. 

According to the healthcare institution, the ransomware gang "corrupted the data and patient electronic health records in Desert Wells' possession before May 21". Because the attackers reached both the facility's database and its backups, the data was unrecoverable. 

Desert Wells Family Medicine stated in its letter, "This information in the involved patient electronic health records may have included patients' names in combination with their address, date of birth, Social Security number, driver's license number, patient account number, billing account number, health insurance plan member ID, medical record number, dates of service, provider names, and medical and clinical treatment information." 

The organization stated that it is presently reconstructing its patient electronic health record system and will provide free credit monitoring and identity theft prevention services to victims. 

"Patients should also check statements from their healthcare providers or health insurers and contact them right away if they notice any medical services they did not get," the letter continued. 

These recent attacks, according to Sascha Fahrbach, a cybersecurity evangelist at Fudo Security, show that the healthcare sector, with its valuable personal information, remains an enticing and profitable target for hackers and insiders. 

"There were more than 600 healthcare data breaches last year, with more than 22 million people affected, and unfortunately, this trend shows no sign of slowing down. Healthcare operators need to reassess their security posture, as well as shifting their mindset when it comes to safeguarding their data," Fahrbach added. 

"In particular, third parties remain a security liability which needs to be urgently addressed. Many in the healthcare industry are not taking the proper steps to mitigate third-party remote access and third-party vendor risk." 

After the Hive ransomware took down a hospital system in Ohio and West Virginia last month, the FBI issued an alert two weeks ago, noting that the gang frequently corrupts backups as well.

Hive has targeted at least 28 companies so far, including Memorial Health System, which was struck by ransomware on August 15.

Millions Of Indonesians Personal Information Leaked Over a Data Breach


Indonesia is investigating a probable security vulnerability in its COVID-19 test-and-trace application that left the personal data and health status of 1.3 million individuals exposed. 

On Friday 3rd September, following a week of cyber-attacks, PeduliLindungi became the country's second COVID-19 tracking app, after eHAC, to suffer a data breach. The PeduliLindungi leak has not yet been confirmed, but the eHAC breach has affected 1.3 million users. The two breaches occurred within a week of each other. 

The eHAC Data Breach 

According to a Health Ministry official, the government suspects a partner as the likely source of the breach in the eHAC (electronic health alert card) app, which has been retired since July 2. 

eHAC, launched this year, is a mandatory requirement for travellers entering Indonesia. It holds records of users' health condition, personal information, contact details, COVID-19 test results, and more. 

Researchers at vpnMentor discovered the exposure during a web-mapping project that scans for unsecured data stores holding confidential material. 

On 22nd July, the researchers informed Indonesia's Emergency Response Team of their findings. The Ministry of Communications and Information Technology published a statement on August 31, more than a month after the disclosure, saying that the breach would be investigated under the country's Electronic Systems and Transactions Regulations. 

Anas Ma'ruf, a health ministry official, said: "The eHAC from the old version is different from the eHAC system that is a part of the new app. Right now, we're investigating this suspected breach." 

PeduliLindungi Leak

A data search function in the PeduliLindungi application allows anybody to look up personal data and COVID-19 vaccination information for Indonesians, including the president's, according to a Twitter thread by Damar Juniarto, a privacy rights activist who is also vice president of regional government relations at technology firm Gojek. 

Zurich-based cybersecurity analyst Marc Ruef shared a screenshot of the President's exposed COVID-19 vaccination certificate, which includes his national identity number. However, Ruef did not say whether PeduliLindungi's data was the source. All of this shows that personal identification data and confidential information is scattered everywhere. 

While the government has admitted the eHAC data breach and presented a plan for analysing and fixing the flaws, PeduliLindungi has been cleared. 

The Ministry of Communications and Information Technology, known as Kominfo, states that the data on the president's NIK and vaccination records did not originate from the PeduliLindungi database.

Experts say such breaches highlight the inadequate cybersecurity architecture in Indonesia. In May, officials also opened an investigation into an alleged breach of social security data at the country's state insurer.

ShadowPad Malware is Being Sold Privately to Chinese Espionage Groups


Since 2017, five separate Chinese threat groups have used ShadowPad, an infamous Windows backdoor that allows attackers to download additional harmful modules or steal data. In a detailed overview of the malware, SentinelOne researchers Yi-Jhen Hsieh and Joey Chen said that "adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors," adding that "some threat groups stopped developing their own backdoors after they gained access to ShadowPad." 

ShadowPad was released in 2015 as a replacement for PlugX. However, it wasn't until several well-known supply-chain incidents – CCleaner, NetSarang, and ShadowHammer – that it began to gain considerable public attention. Unlike the publicly available PlugX, ShadowPad is only available to a select group of users. ShadowPad has been called a "masterpiece of privately sold malware in Chinese espionage" by an American cybersecurity firm. 

ShadowPad is a shellcode-based modular backdoor. At execution, a layer of obfuscated shellcode loader is responsible for decrypting and loading a Root plugin. The Root plugin in turn decrypts and loads further shellcode-embedded plugins into memory. To date, at least 22 different plugins have been discovered. 

Beyond the bundled plugins, additional ones can be pushed remotely from the C&C server, letting operators add functionality that isn't present by default. A Delphi-based controller manages the infected machines and is used for backdoor communications, updating the C2 infrastructure, and managing the plugins.

"While ShadowPad is well-designed and highly likely to be produced by an experienced malware developer, both its functionalities and its anti-forensics capabilities are under active development," the researchers said. 

ShadowPad-related attacks have recently targeted Hong Kong-based firms as well as critical infrastructure in India, Pakistan, and other Central Asian countries. The implant is known to be shared by multiple Chinese espionage actors, including Tick, RedEcho, RedFoxtrot, and clusters dubbed Operation Redbonus, Redkanku, and Fishmonger, although it is predominantly attributed to APT41. 

"The threat actor behind Fishmonger is now using it and another backdoor called Spyder as their primary backdoors for long-term monitoring, while they distribute other first-stage backdoors for initial infections including FunnySwitch, BIOPASS RAT, and Cobalt Strike," the researchers said. "The victims include universities, governments, media sector companies, technology companies and health organizations conducting COVID-19 research in Hong Kong, Taiwan, India and the U.S."

38 Million Records Exposed Due to Microsoft Misconfiguration


According to researchers, some 38 million records from over a thousand web apps built on Microsoft's Power Apps portals platform were left accessible online. The records are believed to have included data from COVID-19 contact tracing operations, vaccine registrations, and employee databases, including home addresses, phone numbers, Social Security numbers, and vaccination status. 

Major corporations and organizations were affected by the incident, including American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. While the exposures have since been fixed, they demonstrate how a single incorrect configuration setting in a widely used platform can have far-reaching repercussions. 

Customers can use the Power Apps service to easily create their own web and mobile apps. It provides developers with application programming interfaces (APIs) for working with the data they collect. UpGuard found, however, that those APIs made data collected through Power Apps portals publicly accessible by default, so that manual reconfiguration was needed to keep the information private. 

Researchers from the security firm UpGuard began investigating the problem in May. They found that data from several Power Apps portals, which was meant to be private, was accessible to anyone who knew where to look. According to UpGuard, on June 24th it submitted a vulnerability report to the Microsoft Security Response Center that included links to Power Apps portal accounts with sensitive data exposed and methods for discovering APIs that allowed anonymous data access. 
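The exposure described above comes down to one question a portal owner can answer for themselves: does the portal's OData feed answer an anonymous request, and if so, which tables does it hand back? The following is an added example, not UpGuard's tooling or Microsoft's code. It assumes the OData feed lives at `<portal>/_odata` (the path Power Apps portals use for their OData feeds) and returns a standard OData v4 JSON service document; the portal hostname and the responses in the sample are constructed. The `fetch` parameter is injectable so the logic can be exercised offline against the constructed responses before pointing it at a portal you administer.

```python
"""Audit a Power Apps portal you own for anonymously readable OData tables.

Added example (not from the original post or from UpGuard/Microsoft).
Assumption: the portal's OData feed is served at <portal>/_odata and
follows the OData v4 JSON service-document format.
"""
import json
import urllib.error
import urllib.request


def parse_service_document(body):
    """Return the entity-set (table) names listed in an OData v4 service document."""
    doc = json.loads(body)
    return [entry["name"] for entry in doc.get("value", [])
            if entry.get("kind", "EntitySet") == "EntitySet"]


def http_get(url):
    """Anonymous GET: no cookies, no Authorization header. Returns (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except urllib.error.URLError:
        return None, ""


def _json_rows(body):
    """Rows from an OData collection response, or None if the body is not one
    (e.g. a login page returned with HTTP 200 instead of a JSON payload)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    rows = doc.get("value") if isinstance(doc, dict) else None
    return rows if isinstance(rows, list) else None


def audit_portal(base_url, fetch=http_get):
    """Return {table_name: rows_in_first_page} for every table that an
    unauthenticated client can read. Empty dict means nothing is exposed."""
    base = base_url.rstrip("/")
    status, body = fetch(base + "/_odata")
    if status != 200:
        return {}  # feed disabled or requires authentication
    exposed = {}
    for name in parse_service_document(body):
        st, table_body = fetch(f"{base}/_odata/{name}?$top=1")
        rows = _json_rows(table_body) if st == 200 else None
        if rows is not None:
            exposed[name] = len(rows)
    return exposed


# --- Constructed responses for an offline run (hypothetical portal) ---------
SAMPLE_RESPONSES = {
    "https://portal.example.test/_odata": (200, json.dumps({
        "@odata.context": "https://portal.example.test/_odata/$metadata",
        "value": [
            {"name": "contacts", "kind": "EntitySet", "url": "contacts"},
            {"name": "covid_test_results", "kind": "EntitySet",
             "url": "covid_test_results"},
        ],
    })),
    # Properly restricted table: anonymous read is refused.
    "https://portal.example.test/_odata/contacts?$top=1": (401, ""),
    # Misconfigured table: anonymous read succeeds and returns a record.
    "https://portal.example.test/_odata/covid_test_results?$top=1": (200, json.dumps({
        "value": [{"fullname": "Constructed Person", "result": "positive"}],
    })),
}


def fake_fetch(url):
    """Offline stand-in for http_get using the constructed responses."""
    return SAMPLE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    findings = audit_portal("https://portal.example.test", fetch=fake_fetch)
    for table, count in findings.items():
        print(f"EXPOSED: {table} (anonymous read returned {count} row(s))")
```

The check treats only a JSON collection with a `value` list as an exposure; a portal that answers a protected table with an HTML login page and HTTP 200 is correctly left out. Run it against your own portal by calling `audit_portal("https://<your-portal>")` with the default fetcher, and follow up on every table it lists by reviewing that table's permissions in the portal configuration.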

"The number of accounts exposing sensitive information, however, indicates that the risk of this feature – the likelihood and impact of its misconfiguration – has not been adequately appreciated," the researchers wrote in the report. "Multiple governmental bodies reported performing security reviews of their apps without identifying this issue, presumably because it has never been adequately publicized as a data security concern before." 

On Monday, a Microsoft representative defended the product's security, saying the company worked directly with affected customers to ensure that their data remained private and that customers were notified if their data had been made publicly accessible. "Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs," a Microsoft spokesperson said in a statement.

Over 92% of Pharmaceutical Firms are Prone to Cyber Attacks, New Report Highlights


Reposify, an external attack surface management platform, has published its Pharmaceutical Industry Attack Surface Exposures Report, analysing the security posture of the world's leading pharmaceutical firms and their 900-plus subsidiaries.

Data analysts at Reposify examined data covering a two-week period in March 2021 and found that 92% of the pharmaceutical companies had at least one exposed database at risk of a data breach, while 46% had an exposed Server Message Block (SMB) service. 

SMB is a network protocol that allows hosts on the same network to share files. It also offers an authenticated inter-process communication mechanism. The last time SMB services were exploited was in the infamous 2017 WannaCry cyberattack, which hit 80 NHS trusts across England. 

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an early warning that attackers were running password spraying campaigns against pharmaceutical companies, research firms, and other healthcare organizations involved in the COVID-19 response. 

Last year, threat actors targeted 53% of pharmaceutical and biotech companies, including the European Medicines Agency, where a breach exposed Pfizer and BioNTech COVID-19 vaccine data. The average cost of a pharmaceutical industry breach stood at $5.06m in 2020, 1.3 times the global average. 

“The pharmaceutical sector is one of the largest contributors to the global economy and human welfare. But pharmaceutical companies are struggling to protect their distributed network perimeter from increased cyber-attacks coming from well-funded and well-organized hacking groups on the hunt to steal and hold valuable, confidential data for ransom or other nefarious acts,” said Uzi Krieger, CEO of Reposify. 

"COVID-19 is still ravaging parts of the world, variants are spiking, and the safety of clinical research, manufacturing and supply chains have never been so important to humanity, and yet, pharmaceutical companies remain ill prepared and unsecured, spiraling the industry into red level vulnerability to external attacks," Krieger added. 

Fortunately, 72% of the security flaws uncovered fell into the low-risk category. However, 15% were classified as critical, 7% as high-risk, and 6% as medium-risk. The median number of high-severity risks per firm was 269, while the median number of critical flaws per company was 125. These risks were linked to vulnerable software (38%), improper access controls (33%), and potential DDoS (23%), among others.

Healthcare Vendor Practicefirst Reveals It Suffered Cyberattack In 2020, No Data Lost


Practicefirst, a New York-based practice management vendor, said that a cyberattack last year may have exposed personally identifiable information (PII) of patients and staff. Practicefirst said in a statement that it has not found any fraud or misuse of the information so far, and that the attacker assured the vendor that the information was not passed to anyone and that all copies were destroyed. Practicefirst is a leading provider of coding, credentialing, medical billing, practice management and bookkeeping services. The vendor learned of the incident last December, shut down all of its systems, informed the authorities, and changed passwords. 

The attacker tried to deploy ransomware and was able to retrieve files stored on the vendor's systems containing employees' and patients' PII. The data, which was later destroyed, included names, addresses, driver's license numbers, Social Security numbers, tax ID numbers, and email addresses. Medical information, lab and treatment data, diagnoses, employee usernames and passwords, health insurance information, and financial information were also exposed. Practicefirst said, "we immediately reported the incident to appropriate law enforcement authorities and implemented measures to further improve the security of our systems and practices." 

"We worked with a leading privacy and security firm to aid in our investigation and response and will report this Incident to relevant government agencies. We also implemented additional security protocols designed to protect our network, email environment, and systems," it said in a statement. The affected users were informed about the incident and the vendor also set up a helpline to assist them. "In other data breach news, University Medical Center of Southern Nevada recently announced that it faced a ransomware attack at the hands of the infamous REvil hacker group, responsible for a number of high-profile attacks."

"In addition, Aultman Health Foundation in Ohio announced that a now-terminated employee had been inappropriately accessing patient EHRs for over a decade. The employee continuously committed HIPAA violations and accessed over 7,000 patient records," reports HealthITSecurity. No further details of the Practicefirst attack have been released. It is evident, however, that cyberattacks on the healthcare industry have become a major threat.

Attackers Pummelled the Gaming Industry During the Pandemic


According to content delivery network (CDN) provider Akamai, the gaming industry has seen more cyberattacks than any other industry during the COVID-19 pandemic. Between 2019 and 2020, web application attacks against gaming organizations increased by 340%, and by as much as 415% between 2018 and 2020. "In 2020, Akamai tracked 246,064,297 web application attacks in the gaming industry, representing about 4% of the 6.3 billion attacks we tracked globally," reads Akamai's Gaming in a Pandemic report. 

Cybercriminals frequently used Discord to coordinate their operations and discuss best practices for techniques such as SQL Injection (SQLi), Local File Inclusion (LFI), and Cross-Site Scripting (XSS), according to the company. SQLi attacks were the most common, accounting for 59% of all attacks, followed by LFI attacks, which accounted for nearly a quarter of all attacks, and XSS attacks, which accounted for only 8%. 

“Criminals are relentless, and we have the data to show it,” Steve Ragan, Akamai security researcher and author of the report, was quoted as saying in a press release. “We’re observing a remarkable persistence in video game industry defenses being tested on a daily – and often hourly – basis by criminals probing for vulnerabilities through which to breach servers and expose information. We’re also seeing numerous group chats forming on popular social networks that are dedicated to sharing attack techniques and best practices.” 

Credential-stuffing attacks increased by 224% in 2019 compared to the previous year. Surprisingly, distributed denial-of-service (DDoS) attacks decreased by approximately 20% within the same period. Each day, millions of these attacks target the industry, with a peak of 76 million attacks in April, 101 million in October, and 157 million in December 2020, according to Akamai. 

Credential stuffing is a type of automated account takeover attack in which threat actors use bots to bombard websites with login attempts based on stolen or leaked credentials. Once an "old" username and password pair from one breach also works on a new website, they can take over that account and exploit the victim's personal data. 

Last year, these attacks grew so frequent that bulk lists of login names and passwords could be purchased for as little as $5 per million records on dark web marketplaces. Poor cyber-hygiene practices such as reusing the same passwords across many online accounts and employing easy-to-guess passwords could be blamed for the increase in attacks. 

“Recycling and using simple passwords make credential stuffing such a constant problem and effective tool for criminals. A successful attack against one account can compromise any other account where the same username and password combination is being used,” said Steve Ragan.
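The credential-stuffing pattern described above (one source cycling through many different usernames with mostly failed logins, as opposed to one user mistyping their own password) can be spotted in authentication logs. The following detector is an added example, not code from Akamai or from the article; the log format, field names and thresholds are assumptions chosen for illustration.

```python
"""Flag credential-stuffing sources in authentication logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <source IP> <username> <result>".
# 203.0.113.7 sprays six different accounts; 198.51.100.2 is a single user retrying.
SAMPLE_LOG = """\
2020-12-01T10:00:01 203.0.113.7 alice FAIL
2020-12-01T10:00:02 203.0.113.7 bob FAIL
2020-12-01T10:00:02 203.0.113.7 carol FAIL
2020-12-01T10:00:03 203.0.113.7 dave OK
2020-12-01T10:00:03 203.0.113.7 erin FAIL
2020-12-01T10:00:04 203.0.113.7 frank FAIL
2020-12-01T10:05:00 198.51.100.2 alice FAIL
2020-12-01T10:05:30 198.51.100.2 alice FAIL
2020-12-01T10:06:10 198.51.100.2 alice OK
"""


@dataclass
class Attempt:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the assumed four-field format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), src, user, result == "OK"))
    return attempts


def find_stuffing_sources(attempts, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.3):
    """Return {source: stats} for sources that, within one sliding time window,
    tried at least `min_users` distinct usernames with a low success ratio.
    `compromised` lists the accounts that source did log into: candidates for a
    forced password reset and a notification to the owner."""
    by_src = defaultdict(list)
    for a in attempts:
        by_src[a.src].append(a)
    flagged = {}
    for src, rows in by_src.items():
        rows.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(rows)):
            # shrink the window from the left until it spans at most `window`
            while rows[end].ts - rows[start].ts > window:
                start += 1
            win = rows[start:end + 1]
            users = {a.user for a in win}
            successes = sum(a.ok for a in win)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                stats = {"distinct_users": len(users), "attempts": len(win),
                         "successes": successes,
                         "compromised": sorted(a.user for a in win if a.ok)}
                # keep the widest spray seen for this source
                if src not in flagged or stats["distinct_users"] > flagged[src]["distinct_users"]:
                    flagged[src] = stats
    return flagged


if __name__ == "__main__":
    for src, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(src, stats)
```

The thresholds are deliberately loose for the nine-line sample; on real traffic they are tuned per service, and the same logic is usually run per target account as well to catch stuffing spread across many source addresses.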

Fearing Data Breach, BBMP Shuts Down COVID-19 Test Data Collection Portal


The Bruhat Bengaluru Mahanagara Palike (BBMP) has shut down its COVID-19 test data collection portal after a possible data breach that could have allowed anyone to access citizens' health information. The incident was flagged by the Free Software Movement of India, which showed how the data could be accessed with nothing more than a phone number.

BBMP was collecting citizens' health records for its Public Health Activities, Surveillance, and Tracking (PHAST) portal, which included name, age, gender, patient ID, ICMR test ID, lab name, test result (positive/negative), sample collection and receipt dates, sample type, hospital name (if the patient was hospitalized) and status of symptoms. 

The Free Software Movement of India has requested the local authorities to not only conduct a security audit but to also take action against the software company for its complacency in designing software without any security. 

Kiran Chandra, general secretary of the Free Software Movement of India, wrote about the breach to BBMP Special Commissioner (Health and Information Technology) Rajendra Cholan P and said it would not be hard for a data broker to harvest these details by writing an automated script. 

“The IT Rules of 2011 clearly state that health record information is ‘sensitive’ data and the collection, storage and disclosure of such data must be bound by ‘Reasonable security practices and procedures’. This is a clear violation of IT Rules (2011) and shows an appalling lack of attention to protecting individuals’ personal and sensitive data. The lack of proper security practices for sensitive health record data, especially in the midst of the peak of the pandemic, can lead to misuse, exploitation and poses a catastrophic risk overall,” the letter read. 

However, BBMP Chief Commissioner Gaurav Gupta clarified on Friday that no data has been leaked from the portal. “While one could enter the phone number provided at the time of Covid-19 testing to get details including test result among others, the portal will now seek an OTP before allowing access to the information. The updated version of the portal would be made available soon,” he said. 
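The design flaw and the announced fix sit side by side in the following added example (not BBMP's or its vendor's code): a lookup that releases a record to anyone who supplies a phone number, next to a lookup gated behind a one-time code sent to that phone. The record layout, the 60-second OTP lifetime, the attempt limit and the in-memory stores are assumptions chosen for illustration.

```python
"""Phone-number lookup: the weak design next to an OTP-gated one (added example)."""
import hmac
import secrets
import time

# Constructed sample records keyed by the phone number given at the time of testing.
RECORDS = {
    "9000000001": {"name": "Patient A", "result": "negative"},
    "9000000002": {"name": "Patient B", "result": "positive"},
}


def lookup_weak(phone):
    """The original design: whoever knows or guesses a phone number gets the record.
    Nothing proves the caller controls that phone, so the data set can be harvested."""
    return RECORDS.get(phone)


class OtpGate:
    """Hardened design: the record is released only to someone who can read an OTP
    delivered to the registered phone. `send_sms(phone, code)` is the assumed SMS hook."""

    def __init__(self, send_sms, ttl_seconds=60, max_attempts=3, now=time.time):
        self.send_sms = send_sms
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.now = now                 # injectable clock, so expiry is testable
        self._pending = {}             # phone -> [code, expires_at, attempts_left]

    def request_otp(self, phone):
        """Generate a 6-digit code and push it through the SMS channel. The caller
        receives the same message whether or not the number is registered, so the
        endpoint itself reveals nothing about which numbers are in the database."""
        if phone in RECORDS:
            code = f"{secrets.randbelow(10**6):06d}"
            self._pending[phone] = [code, self.now() + self.ttl, self.max_attempts]
            self.send_sms(phone, code)
        return "If this number is registered, an OTP has been sent."

    def lookup(self, phone, otp):
        """Release the record only for a fresh, correct, single-use OTP."""
        entry = self._pending.get(phone)
        if entry is None:
            return None
        expected, expires_at, attempts_left = entry
        if self.now() > expires_at or attempts_left <= 0:
            del self._pending[phone]   # expired or locked out: start over
            return None
        if not hmac.compare_digest(expected, otp):
            entry[2] -= 1              # each wrong guess burns an attempt
            if entry[2] == 0:
                del self._pending[phone]
            return None
        del self._pending[phone]       # one-time use
        return RECORDS.get(phone)


if __name__ == "__main__":
    outbox = {}
    gate = OtpGate(send_sms=lambda phone, code: outbox.__setitem__(phone, code))
    print("weak:", lookup_weak("9000000002"))
    print(gate.request_otp("9000000002"))
    print("gated:", gate.lookup("9000000002", outbox["9000000002"]))
```

A per-phone and per-source rate limit on `request_otp` belongs in front of this in production, since otherwise the SMS channel itself can be abused for spam.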

Unfortunately, this is the second instance when the data of COVID-19 patients has been compromised. In November last year, a Bengaluru resident accidentally discovered a massive loophole in the Karnataka government’s website where people could check their COVID-19 results. At the time, resident Shashi Kumar put out a series of tweets explaining how sensitive information could be obtained just with the SRF number issued at the time of testing.

Workings of US Firms Disturbed Due to Covid Surge in Bengaluru


To say that Bengaluru’s epidemic is huge is an understatement. Bengaluru has more than 65 percent of all active cases recorded in Karnataka in a virulent second wave where the test positivity rate in the State is touching new highs. On May 7, Bengaluru recorded 346 deaths due to COVID-19, according to a bulletin released by the Karnataka government. 

Health experts have warned that the situation could be more threatening in the coming weeks, with one model predicting as many as 1,018,879 deaths by the end of July, quadrupling from the current official count of 230,168. A model prepared by government advisers suggests the wave could peak in the coming days, but the group's projections have been changing and were wrong last month. 

As a result, US firms like Goldman Sachs Group Inc. and UBS Group AG have come under intense strain. Their operations in the city play critical roles in everything from risk management to customer service and compliance. A growing number of employees are either sick or scrambling to find critical medical supplies such as oxygen for relatives or friends.

An employee at UBS said their bank has nearly 8,000 workers but due to Covid-19, many are absent. As a result, work is being shipped to centers such as Poland. The Swiss bank's workers in India handle trade settlement, transaction reporting, investment banking support, and wealth management. Many of the tasks require same-day or next-day turnarounds.

Standard Chartered Plc issued a statement last week that nearly 800 of its 20,000 employees in India were infected. As many as 25% of employees in some teams at UBS are absent, said an executive at the firm who spoke on condition of anonymity for fear of losing his job.

For now, back-office units are managing part-time workers or asking employees to perform multiple roles and re-assigning staff to make up for those who are absent. They are scheduling overtime, deferring low-priority projects, and conducting pandemic continuity planning exercises for multiple locations should the virus wave intensify. 

Similarly, thousands of Goldman employees are working from home, doing high-end business tasks such as risk modeling, accounting compliance, and app building. A representative for the bank said workflows can be absorbed by the wider team if needed and there's been no material impact so far.

Covid-19 has led to Increase in Cyberattacks Against Banks and Insurers


According to recent studies, the coronavirus pandemic and working from home (WFH) provisions are triggering a "huge" increase in attacks against financial institutions. The COVID Crime Index 2021 survey, published on Wednesday by BAE Systems Applied Intelligence, looked at how the remote working paradigm is affecting the banking and insurance industries.

Cybersecurity analysts expected a cyberattack to occur every 11 seconds in 2021. That is almost twice as frequent as in 2019 (every 19 seconds), and four times as frequent as five years earlier (every 40 seconds in 2016). Cybercrime is estimated to cost the global economy $6.1 trillion a year, making it the world's third-largest economy, behind only the United States and China. 

The situation is ripe for manipulation, given that the current pandemic has a greater portion of the population operating from home — and all of the associated disruptions. The harried, rushed, exhausted, and depressed employee has become the weapon of choice, and the humble home router has become the attack surface. It's no surprise that over 4,000 malicious COVID pages appeared on the internet within months of the pandemic's first lockdown.

WFH arrangements are gradually being loosened in certain places as the pandemic's course shifts, but many organizations prefer to either continue encouraging workers to operate remotely or adopt hybrid working practices. HSBC and JP Morgan, for example, will encourage thousands of their workers to work from home for the near future. 

Security has also proved difficult. According to a survey by BAE Systems, 74 percent of banks and insurers have seen an increase in cyberattacks since the pandemic began, and "criminal behavior" reported by financial institutions has increased by about a third (29 percent). The study is based on two surveys of 902 financial services companies, as well as fieldwork in both the US and UK markets in March 2021. 

According to the survey, 42% of banks and insurers agree that working from home has rendered their companies "less safe," and 44% believe that remote models have reduced visibility across their established networks. Many businesses have been forced to cut expenses wherever they can, and when it comes to cybersecurity, average risk, anti-fraud, and cybersecurity budgets have been slashed by 26%, contributing to 37% of businesses saying their consumers are now more vulnerable to cybercrime and fraud. 

According to the survey, 56 percent of UK and US banks have suffered such losses, with the average cost of cybercrime approaching $720,000 since the pandemic began.

Hackers Have Access to 13TB of Domino’s India Internal Data


Popular pizza outlet Domino's India appears to have succumbed to a cyber attack. According to Alon Gal, co-founder of an Israeli cybercrime intelligence firm, the hackers have access to 13TB of Domino's India internal information, which includes the details of more than 250 employees across verticals like IT, Legal, Finance, Marketing, Operations, and so on. The hackers claim to have all customer details and 18 crore other records, which include customers' names, phone numbers, email IDs, delivery addresses, and payment details, including more than 10 lakh credit card details used to purchase on the Domino’s India app. 

Further, the hackers intend to sell the whole data set to a single buyer. According to Alon Gal, the hackers are asking $550,000 (around Rs 4 crore) for the whole database. The hackers also plan to build a search portal to enable querying the data. The sale is clearly taking place on the dark web, likely on a site frequented by cyber scammers. For now, Domino's India has neither confirmed nor denied that its consumers' information has been stolen or leaked from its servers. 

“Information includes 180,000,000 order details containing names, phone numbers, emails, addresses, payment details, and a whopping 1,000,000 credit cards,” Gal claimed in a tweet. “Plenty of large-scale Indian breaches lately, this is worrying,” he added. 

It is particularly worrying as India has been the victim of several large-scale cyber breaches lately. According to Indian Computer Emergency Response Team (CERT-In) data, cyberattacks on India grew by almost 300% during the Covid-19 pandemic last year, rising to 11,58,208 in 2020 compared with 3,94,499 in 2019.

Independent cybersecurity researcher Rajshekhar Rajaharia told IANS that he had alerted CERT-In to this possible hack on March 5. “I had alerted CERT-in about a possible Domino’s Pizza India hack where the threat actor got data access with details like 200 million orders and personal data of the users too. The hacker, however, did not provide any sample,” Rajaharia said. 

There has been a string of hacking incidents involving Indian firms in the recent past, including Bigbasket, BuyUcoin, JusPay, Upstox, and others. Gal recently claimed that the personal information of almost 533 million (53.3 crore) Facebook users, including 61 lakh Indians, was leaked online after a hacker posted the details on a digital forum.

Hacker Hacks Underground Covid Vaccine Market On Dark Web


In a recent cybersecurity incident, an attacker compromised a vaccine marketplace that was running on the dark web. The attacker placed fake orders and then cancelled them, collecting refunds in Bitcoin worth $752,000, a report released on Thursday says. As per a blog post on the market's forum, the attacker found a way to place fake orders, cancel them immediately using the trader's seller account, and trigger the refunds, which were withdrawn in an instant. 

Check Point research says the method allowed the hacker to make 13 Bitcoins (BTC), an amount equal to $752,000. Currently, the dark web vaccine marketplace that was selling these products is down because of the hack. But the attack hasn't put a stop to the sale of Covid-19 relief products on the dark web. Following the marketplace shutdown, another forum was set up using the same address, offering various ads including Covid-19 vaccines (documents included), at heavy promotional discounts.  

Cybersecurity experts recently found that fake Covid-19 vaccine certificates and duplicate Covid-19 test results were being sold on dark web and hacking platforms for amounts as low as Rs 1800 ($25) and up to Rs 18,000 ($250), aimed at people looking to book flights, travel across borders, find a new job or attend a function. An interested buyer simply sends their details and payment to the seller on the dark web, who then e-mails back the forged documents for $250. 

Research from Check Point revealed that fake negative Covid-19 test results are available on the dark web for as little as $25. Covid-19 vaccine ads on the darknet have tripled over the last three months. The selling forums on the dark web are based in countries such as Spain, Russia, France, and Germany. According to experts, "The vaccines advertised include Oxford-AstraZeneca (at $500), Johnson & Johnson ($600), the Russian Sputnik vaccine ($600) and the Chinese SINOPHARM vaccine." Check Point research says, "as a result, the marketplace is down completely since, and at this point of time is yet to be restored online."

Turkey Dog Activity Continues to Use COVID Lures


A year into the pandemic, Turkey Dog-related activity is ongoing with campaigns that keep using the "free internet" lures. The current campaigns use lure pages that promise cash payments of thousands of Turkish lira, purporting to be linked to the Turkish government. For instance, according to Google Translate, one page states, "Final Phase Pandemic Support Application - 3,000TL State Support for All Applicants!" Another features a picture of Turkish Minister of Health Dr. Fahrettin Koca and promises 1,000 lira for "everybody applying!" 

Some of the lure pages use scripts for tracking purposes. RiskIQ's Internet Intelligence Graph uses the unique identifiers embedded in these scripts to link numerous Turkey Dog domains. For example, a RiskIQ crawl of pandemidesteklerim[.]com observed the tracking ID loaded on the page, which had been seen on 431 hosts since April 26, 2020. They additionally found a Google Analytics tracking ID associated with 52 Turkey Dog domains since October 25, 2020. 

In May 2020, threat researcher BushidoToken published a blog post pulling together multiple indicators, some appearing as early as April 2020, from researchers following Cerberus and Anubis activity targeting Turkish speakers. These two remote access Trojans (RATs), which follow a malware-as-a-service model, steal user credentials to access bank accounts. Highly deceptive, they can overlay other applications (dynamic overlays), capture keystrokes, harvest and send SMS messages, forward calls, and access other sensitive information on the device. 

Because RiskIQ regularly crawls malicious app-distribution URLs drawn from various internal and external feeds, it can directly observe the lure pages used by malicious Android applications. The mobile application landscape is likely awash with Turkey Dog apps. A quick search for blacklisted samples of one known Turkey Dog APK, "edestek.apk", yields 90 results from as many unique Turkey Dog URLs. All 90 samples can read, receive, and send SMS messages, allowing them to circumvent SMS two-factor authentication. Many can also record audio, perform full-screen overlays that present a bogus login page for harvesting banking credentials, and download additional software packages.

After a year, cybercriminals keep using the COVID-19 pandemic as a lure for victims. Turkey Dog activity has gone on unabated for a long time, likely ensnaring a large pool of victims and separating them from their banking login credentials and other sensitive information.

Malwarebytes Report Confirms the Change in Tactics of Cybercriminals During Covid-19


Malwarebytes, an American security firm, announced the findings of its annual ‘State of Malware’ report, which explored how the working methods of both employees and cybercriminals changed. Work from home became the new normal during the Covid-19 pandemic, as many companies altered their working methods and started operating remotely.

The notable change was in the working methods of the threat actors: they focused more on gathering intelligence and on exploiting and preying upon fears with targeted and sophisticated attacks. Last year, threat actors targeted many high-profile firms and public figures, including hacking the accounts of Barack Obama, Jeff Bezos, and Elon Musk; the supply-chain attack on FireEye and SolarWinds; and the Marriott hotel breach, which saw the records of 5.2 million guests stolen.

Marcin Kleczynski, CEO of Malwarebytes stated, “this past year has taught us that cybercriminals are increasingly formidable, planning long-term, strategic, and focused attacks that are sometimes years in the making. 2020 continued to show us that no company is immune, and there is no such thing as ‘safe enough’.”

“The COVID-19 pandemic compounded this with new challenges in securing remote workforces, making it essential that we quickly become more adaptable and learn how to better protect workers in any environment. While our total detections are down this year, we must remain vigilant. The threats we are seeing are more refined and damaging than ever before,” he added.

Last year, Malwarebytes observed an overall drop of 24 percent in Windows detections across businesses and an 11 percent drop for consumers. In total, there was a 12 percent drop in Windows detections across the board. However, Mac detections for businesses surged 31 percent. 2020 also witnessed the growth of an Android malware called FakeAdsBlock, which produced an alarming number of non-stop ads, accounting for 80,654 detections.

HiddenAds was found to be the most common mobile adware; this trojan bombards users with ads, and 704,418 detections were recorded, an increase of nearly 150 percent year-over-year.

Dutch Police Arrest Two Men for Stealing and Selling COVID-19 Patient Data


On Friday, 22 January, the Dutch police and the Public Prosecution Service received warnings from the GGD that personal details from GGD applications were being offered for sale on Telegram. The Central Netherlands Police Cyber Crime Unit promptly launched an investigation, which led the team to two GGD call center workers. Both were traced and arrested in Amsterdam on Saturday night and taken into custody. The two are a 21-year-old man from Heiloo and a 23-year-old man from Alblasserdam. The men's homes were searched and their computers confiscated. “Stealing and selling or reselling personal data is a serious crime," the Dutch police stated. 

The two are among a wider number of individuals believed to have had access to confidential information and sold it to third parties, and further arrests have not been ruled out, police said in a statement. The sale of personal information from health board systems was investigated by broadcaster RTL, which disclosed it to the GGD health board association earlier this month. RTL states that what is on offer goes well beyond names, addresses, mobile numbers and confidential BSN numbers. 

The arrests followed an investigation by broadcaster RTL, which uncovered online advertisements for Dutch citizens' data, marketed on instant messaging apps such as Telegram, Snapchat, and Wickr. The advertisements consisted of images of computer screens containing the details of one or more Dutch people. The broadcaster said it had identified screengrabs from two IT systems used by the Dutch Municipal Health Service (GGD): CoronIT, which holds the details of Dutch people taking COVID-19 tests, and HPzone Light, one of the GGD's contact-tracing systems. 

“Some accounts are offering to look for information about a specific person,” RTL said. “That costs between €30 and €50 and will get you someone’s name, email address, phone number, and BSN number.” Other accounts offer wider data sets containing thousands of names or sharing a particular characteristic, such as individuals living in Amsterdam or people over 50. 

According to the broadcaster, the two suspects worked in GGD contact centers, where they had access to official Dutch government COVID-19 networks and databases. The identities of the two defendants, who were expected to appear before the court on 26 January, have not been released, in compliance with Dutch law. 

"Because people are working from home, they can easily take photos of their screens. This is one of the issues when your administrative staff is working from home," Victor Gevers, Chair of the Dutch Institute for Vulnerability Disclosure stated in an interview.