Category Archives: Cyber Security News

An unprotected server exposed almost 2.7 million call recordings for six years

  • Of the 2.7 million exposed call recordings, almost 57,000 call recordings have filenames containing the telephone numbers of those who called the helpline.
  • Researchers noted that the unprotected server available at nas.applion.se might have been impacted by almost 23 vulnerabilities with CVEs assigned between 2013 and 2018.

A storage server containing real-time call recordings made to the 1177 Swedish Healthcare Guide helpline for health care information was found publicly available without any password protection.

The unprotected server, which was left open without a password, exposed almost 2.7 million health-related call recordings dating back to 2013.

23 vulnerabilities in the server

Lars Dobos noted in a blog post that a Shodan search revealed that the unprotected Apache HTTP Server 2.4.7 available at nas[.]applion.se might have been affected by almost 23 vulnerabilities with CVEs assigned between 2013 and 2018. Therefore, even if the server had not been left publicly accessible, it would have been breached at some point in time.

What information was exposed?

Computer Sweden, who detected the open web server, listened to some of the call recordings to learn the extent of the leak and the damage to the public.

  • The call recordings included sensitive information about diseases and other ailments of callers.
  • Callers’ symptoms and the medications taken for previous treatments.
  • Children’s symptoms and social security numbers.

Dobos noted that of the 2.7 million exposed call recordings, almost 57,000 have filenames containing the telephone numbers of those who called the 1177 Swedish Healthcare helpline.

“The fact that the calls are recorded is in itself permitted, it may be necessary for the patient’s safety, or to be able to prove abuse, but the saved audio files should be treated with confidentiality according to the patient data law. It is also clearly the question of information that is considered as sensitive personal data according to GDPR,” the report read.

Unprotected storage server used by Medicall

The unprotected server that exposed 2.7 million call recordings was used by Medicall, which is based in Hua Hin, Thailand. The exposed recordings include calls made to Medicall, a subcontractor of Medhelp, which receives patient calls via the 1177 Care Guide helpline.

“We have checked this out with our IT, and what you say is completely impossible,” said Davide Nyblom, CEO at Medicall.

“This is catastrophic, it’s sensitive data. We had no idea that it was like this. We will, of course, review our systems and check out what may have happened,” said Tommy Ekström, CEO of Voice Integrate Nordic.

Russian cyberattackers are in and gone in less than 20 minutes

Russian threat actors are almost eight times faster at taking advantage of a compromised system than other nation-state actors, a tribute to their operational tradecraft, according to Crowdstrike’s 2019 Global Threat Report.

An analysis of what Crowdstrike calls “breakout time” shows the Russians are quicker, by a factor of eight, at moving laterally through a system and accomplishing their primary objectives than their next closest competitor, the North Koreans.

The report noted this level of accomplishment is even more impressive considering the North Korean threat teams themselves are twice as fast as the third-place Chinese crews. Iran was the fourth quickest while various cybercrime actors were fifth. Russians are typically able to do this in just under 19 minutes, compared to two and a half hours for the North Koreans and four hours eight minutes for the Chinese.

One bit of good news in this category is that overall the average breakout time across all threats in 2019 was four hours and 37 minutes, more than twice as long as the one hour and 58 minutes logged by Crowdstrike in 2017. The report credited two possible factors for this jump: an increase in the number of slower attackers, and more organizations deploying next-generation endpoint security.

In order to combat effective attackers like the Russians, Crowdstrike recommends companies employ the 1-10-60 rule. This requires that an intrusion be detected in under a minute, a full investigation be performed within 10 minutes, and the adversary be eradicated from the system within an hour.

Lockheed Martin, UCF Open $1.5 Million Cyber Lab in Orlando

Lockheed Martin and the University of Central Florida (UCF) celebrated the grand opening of a Cyber Innovation Lab on UCF’s campus that will help meet the growing local and national need for cybersecurity talent.

“This lab will serve as the campus’ primary hub for students to develop and expand their information security skills, preparing them to enter this high demand field and take on the cybersecurity threats of the future,” said UCF President Dale Whittaker. “We are grateful for Lockheed Martin’s longtime partnership and strong commitment to our students’ success.”

The National Institute of Standards and Technology estimates there are more than 13,000 unfilled cybersecurity jobs in Florida alone. That trend will continue, as the U.S. Bureau of Labor Statistics predicts jobs for information security analysts will grow 28 percent by 2026.

In 2018, Lockheed Martin donated $1.5 million to UCF to help create the Cyber Innovation Lab and encourage the next generation of science, technology, engineering and math (STEM) talent to collaborate and solve today’s challenging cyber problems. The company’s donation will fund software and technology support for the lab, and employees will also provide cyber training and professional mentoring to engineering students.

“Having a centralized space will streamline the way we organize our meetings and practices,” said Hack@UCF President David Maria, a senior studying computer engineering. “With this lab, we can practice for competitions, host workshops and speakers, provide cyber security tools and resources, and give our student members a sense of community and help get them ready for future careers. It’s not just a practice space. It’s a home for us.”

The 970-square-foot lab is located in UCF’s Engineering I building and will serve as a learning hub for the more than 350 students participating in cyber programs at UCF. Hack@UCF, a four-time national champion in competitions like the Collegiate Cyber Defense Competition and the U.S. Department of Energy CyberForce Competition, will also use the lab as its primary practice center.

In Orlando, Lockheed Martin employs approximately 2,500 UCF graduates, with plans to expand its cyber workforce. The company’s local Cyber Solutions business grew 400 percent over the past five years and expects that growth to continue as the nation seeks offensive and defensive cybersecurity capabilities to address the evolving cyber threats.

Russia plans to briefly disconnect from the internet to see what happens

Russia is planning to disconnect itself from the internet as part of a planned experiment designed to protect the country from state-backed cyber attacks.

Internet service providers in the country are working with the Russian government in preparation for the test, which comes in response to a proposed new law that will see all internet traffic pass through Russian servers.

Once passed, the Digital Economy National Program legislation will require the local internet, known as the Runet, to pass through exchange points managed by Russia’s telecommunications regulator Roskomnadzor.

The test will see the Runet separated from the wider internet for a short period of time at some point before 1 April, according to local news agency RosBiznesKonsalting (RBK).

Once in force, the Digital Economy National Program will simultaneously protect Russia in the event of cyber war, while also filtering internet traffic to the country in a similar way to the ‘Great Firewall of China’.

The idea of cutting Russia off from the broader internet was first proposed in 2014, after the Security Council of Russia warned of the risks of relying on other countries to provide essential parts of the country’s internet infrastructure.

By creating a self-contained system, the bill’s authors claim Russia will be immune from having its internet severed as a result of a cyber attack.

Russia has consistently been accused of being behind cyber attacks on Western countries, with the UK National Cyber Security Centre identifying a campaign in October that was allegedly carried out by the Russian military intelligence service GRU.

In response, the UK joined previous calls by Nato to take an “offensive defence” against Russian-backed cyber attacks.

“These cyber attacks serve no legitimate national security interest, instead impacting the ability of people around the world to go about their daily lives free from interference, and even their ability to enjoy sport,” UK Foreign Secretary Jeremy Hunt said at the time.

“Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.”

Certain elements of the partial blackout remain unresolved, according to former Kaspersky CEO Natalya Kasperskaya, who sits on the Information Security Working Group that approved the legislation.

Issues that remain unresolved include the extent of the impact that the test will have on Russian citizens, businesses and government agencies.

Google Play announces 2019 malicious app crackdown

Google Play announced it will continue its crackdown on malicious apps into 2019 by focusing more on user privacy, developer integrity and harmful app contents and behavior.

Google said it plans to introduce additional policies for device permissions and user data throughout the year, according to a Feb. 13 blog post.

“In addition to identifying and stopping bad apps from entering the Play Store, our Google Play Protect system now scans over 50 billion apps on users’ devices each day to make sure apps installed on the device aren’t behaving in harmful ways,” Google said in the post.

“With such protection, apps from Google Play are eight times less likely to harm a user’s device than Android apps from other sources.”

Google also said it will set out to increase developer integrity. The firm said that because 80 percent of severe policy violations are conducted by repeat offenders, it will focus on better screening for those who get booted off and then create new accounts to continue uploading their malicious content.

In addition, Google said it would work to enhance its capabilities to counter adversarial behavior, and strive relentlessly to provide users with a secure and safe app store.

8 Cybersecurity Risks That May Impact Organizations in 2019

Aon’s 2019 Cyber Security Risk Report features eight risks that may impact organizations in the next 12 months, no matter where they are on their digital journey.

“In 2018 we witnessed that a proactive approach to cyber preparation and planning paid off for the companies that invested in it, and in 2019, we anticipate the need for advanced planning will only further accelerate,” said J. Hogg, CEO of Cyber Solutions at Aon. “Leaders must work to better insulate their companies and their processes, while simultaneously identifying the ways they can benefit from the opportunities offered through technology and digital transformation.”

Hogg continued: “Our 2019 report also shows that organizations must recognize the need to share threat intelligence across not only their own network but with others as well. While it may seem counter-intuitive when thinking about cybersecurity, collaboration within and across enterprises and industries can keep private data of companies and individuals alike safer. Working together can result in improved efforts to hunt bad actors, while also raising the bar and making all parties more prepared for the inevitable day when a disruption does happen.”

The “What’s Now and What’s Next” report focuses on eight specific risk areas that companies may face in 2019. The risks illustrate how, as organizations transition to a digital-first approach across all transactions, the attack surface of global business expands rapidly and sometimes in unexpected ways. In other words, thanks to the rapid enhancements and constant changes in technology, the number of touch points that cyber criminals can access within a business is growing exponentially.

The eight risks include:

  1. Technology – While technology has revolutionized the way organizations today conduct business, broader and more widespread use of technology also brings vulnerabilities. From publishing to automotive, industries are facing new, evolving services and business models. These new opportunities, however, bring with them a radically different set of risks, which organizations will need to anticipate and manage as they continue the digital transformation process.
  2. Supply Chain – Two prevailing supply chain trends will heighten cyber risks dramatically in the coming year: one is the rapid expansion of operational data exposed to cyber adversaries, from mobile and edge devices like the Internet of Things (IoT); and the other trend is companies’ growing reliance on third-party—and even fourth-party—vendors and service providers. Both trends present attackers with new openings into supply chains, and require board-level, forward-looking risk management in order to sustain reliable and viable business operations.
  3. IoT – IoT devices are everywhere, and every device in a workplace now presents a potential security risk. Many companies don’t securely manage or even inventory all IoT devices that touch their business, which is already resulting in breaches. As time goes on, the number of IoT endpoints will increase dramatically, facilitated by the current worldwide rollouts of cellular IoT and the forthcoming transition to 5G. Effective organizational inventory and monitoring process implementation will be critical for companies in the coming year and beyond.
  4. Business Operations – Connectivity to the Internet improves operational tasks dramatically, but increased connectivity also leads to new security vulnerabilities. The attack surface expands greatly as connectivity increases, making it easier for attackers to move laterally across an entire network. Further, operational shortcuts or ineffective backup processes can make the impact of an attack on business operations even more significant. Organizations need to be better aware of, and prepared for, the cyber impact of increased connectivity.
  5. Employees – Employees remain one of the most common causes of breaches. Yet employees likely do not even realize the true threat they pose to an entire organization’s cybersecurity. As technology continues to impact every job function, from the CEO to the entry-level intern, it is imperative for organizations to establish a comprehensive approach to mitigate insider risks, including strong data governance, communicating cybersecurity policies throughout the organization, and implementing effective access and data-protection controls.
  6. Mergers & Acquisitions (M&A) – Projections anticipate that M&A deal value will top $4 trillion in 2018, which would be the highest in four years. The conundrum this poses to companies acquiring other businesses is that while they may have a flawless approach to cybersecurity enterprise risk, there is no guarantee that their M&A target has the same approach in place. Dealmakers must weave specific cybersecurity strategies into their larger M&A plans if they want to ensure seamless transitions in the future.
  7. Regulatory – Increased regulation, laws, rules and standards related to cyber are designed to protect and insulate businesses and their customers. The pace of cyber regulation enforcement increased in 2018, setting the stage for heightened compliance risk in 2019. Regulation and compliance, however, cannot become the sole focus. Firms must balance both new regulations and evolving cyber threats, which will require vigilance on all sides.
  8. Board of Directors – Cybersecurity oversight continues to be a point of emphasis for board directors and officers, but recent history has seen an expanding personal risk raising the stakes. Boards must continue to expand their focus and set a strong tone across the company, not only for actions taken after a cyber incident, but also proactive preparation and planning.

(ISC)2 Announces New Professional Development Institute to Train Cyber Professionals

(ISC)2 has launched its Professional Development Institute (PDI) to combat the global shortage of skilled and trained cybersecurity professionals.

PDI is provided as a free portfolio of course offerings to (ISC)2 members and associates. It will help enhance their skills and abilities by providing access to rich continuing professional education (CPE) opportunities that augment the knowledge they’ve gained throughout their careers.

The multi-year strategy for PDI encompasses the addition of 18 new staff over the next two years, joining the more than 160 existing global employees of the association. These new staff will manage content development, curriculum building, quality control, communications, logistics and administration for the institute. The association will also build out a 765-square-foot video production studio at its Clearwater, Fla., headquarters to produce content for courses featuring leading cybersecurity professionals.

PDI builds on the successful 2018 pilot launch of three professional development courses provided at no additional fee to members and associates. Topics included GDPR for Security Professionals, DevSecOps and Building a Strong Culture of Security. Focus groups and member surveys provided insight into the professional development needs of security professionals, and the results have informed and will continue to inform the evolution of PDI’s curriculum strategy. Member subject matter experts will guide the development of the course material, supported by a team of highly qualified adult education experts and creative professionals. This will enable (ISC)2 to develop a robust catalogue of CPE courses and offerings with the ability to continuously refresh that catalogue based upon clearly articulated member need. In 2019 alone there will be up to 30 new courses released as part of the portfolio.

PDI courses will help (ISC)2 members and associates enhance their professional skills through convenient, high-quality education. Making the courses available in an easily accessible online format will help members maintain a work-life balance.

“There has been demand from (ISC)2 members for a wide array of professional development opportunities for education and CPE purposes. There are many such opportunities within the industry, but they are not readily accessible or only available at a significant cost, so I am very excited to see that (ISC)2 is offering these development programs,” said James McQuiggan, CISSP, Product & Solutions Security Officer for Siemens Gamesa Renewable Energy, Chapter President for the (ISC)2 Central Florida Chapter and (ISC)2 Advisory Council North America member. “I had the honor and pleasure to provide guidance for the content of one of the initial courses and shared my experience and expertise in its development because I agree with the focus on practical application of security principles. Many of us who are (ISC)2 certification holders need opportunities like PDI to stay educated and up to speed on the latest threats, techniques and tools.”

Ransomware attackers exploit old plug-in flaw to infect MSPs and their clients

Researchers are warning that hackers are exploiting a plug-in vulnerability to infect MSPs and their customers with GandCrab ransomware.

The bug, CVE-2017-18362, dates back to 2017, and is found in unpatched versions of the ConnectWise ManagedITSync integration plug-in tool, explains a Feb. 8 blog post by Chris Bisnett, security researcher at Huntress Labs. This plug-in is designed to sync data between the ConnectWise Manage professional services automation platform and the Kaseya remote monitoring and management system used by some MSPs.

Huntress Labs suspects that this exploit could be the culprit behind an attack reported on the MSP Reddit channel earlier this month. According to the Reddit user post, a mid-sized MSP had been recently attacked with ransomware that locked up 80 of its customers’ endpoints, including servers. “Owner of a company under the mentioned MSP came over to our shop to purchase a ‘clean’ system,” the post reads. “Seems the MSP is negotiating the ransom amount and will pay up.”

The NIST National Vulnerability Database’s entry for CVE-2017-18362 was updated this month to reflect recent developments. “ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database,” the entry states. “In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.”

“In 2017, Connectwise announced a vulnerability in their Plugin that allows multiple operations to be performed on a Kaseya server without authentication. Upon discovery of this flaw, Connectwise released an update intended to patch this vulnerability,” says Connectwise in a security advisory that was last updated around Feb. 10. “Kaseya has detected that an extremely small number of customers either may not have installed the update from Connectwise or may have installed this update incorrectly.”
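The NVD entry quoted above makes the defensive check concrete: the ManagedIT.asmx page should only ever be reached by the ConnectWise Manage server, so any other client hitting it in the VSA web server’s logs is worth investigating. The following is an added example (not code from the page, Huntress Labs, ConnectWise or Kaseya) that parses IIS W3C extended log lines and flags such requests; it assumes the VSA web interface runs on IIS with a `#Fields` directive in the log, and the allowlist address and the log excerpt are constructed placeholders.

```python
"""Flag requests to ManagedIT.asmx from clients that are not the ConnectWise
Manage server, using IIS W3C extended logs. Added example, not vendor code."""
import ipaddress
from collections import Counter

# Endpoint named in the NVD entry for CVE-2017-18362; compared case-insensitively.
PLUGIN_PAGE = "/managedit.asmx"

# Placeholder: the only host that legitimately calls the plugin page is the
# ConnectWise Manage server. Replace with the real address or range.
ALLOWED_PLUGIN_CLIENTS = ["10.0.0.20/32"]

# Constructed sample excerpt (not a real capture). The #Fields directive
# drives the parser, so a different field order in a real log still works.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2019-02-08 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-02-08 10:00:01 10.0.0.5 POST /ManagedIT.asmx - 443 - 10.0.0.20 Mozilla/5.0 200 0 0 120
2019-02-08 10:00:02 10.0.0.5 GET /login.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 0 0 35
2019-02-08 10:00:03 10.0.0.5 POST /ManagedIT.asmx - 443 - 198.51.100.7 python-requests/2.21.0 200 0 0 410
2019-02-08 10:00:04 10.0.0.5 POST /managedit.asmx - 443 - 198.51.100.7 python-requests/2.21.0 200 0 0 380
2019-02-08 10:00:05 10.0.0.5 GET /ManagedIT.asmx - 443 - 203.0.113.9 curl/7.64.0 401 2 5 10
"""


def parse_iis_log(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("log entry seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than guess
        entries.append(dict(zip(fields, values)))
    return entries


def _is_allowed(ip, allowed):
    """True if ip falls inside any allowlisted network; unparsable -> False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowed)


def find_unexpected_plugin_access(entries, allowed=ALLOWED_PLUGIN_CLIENTS):
    """Return entries that reached ManagedIT.asmx from outside the allowlist.

    All status codes are kept: even a 401 shows the page is reachable, which
    is the exposure the NVD entry describes."""
    hits = []
    for e in entries:
        stem = e.get("cs-uri-stem", "").lower()
        if stem.endswith(PLUGIN_PAGE) and not _is_allowed(e.get("c-ip", "-"), allowed):
            hits.append(e)
    return hits


def summarize(hits):
    """Count flagged requests per client IP, most active client first."""
    return Counter(h["c-ip"] for h in hits).most_common()


if __name__ == "__main__":
    flagged = find_unexpected_plugin_access(parse_iis_log(SAMPLE_LOG))
    for h in flagged:
        print(h["date"], h["time"], h["c-ip"], h["cs-method"], h["cs-uri-stem"], h["sc-status"])
    print(summarize(flagged))
```

Point the parser at the real `u_ex*.log` files in the IIS log directory of the VSA server; an empty result with the plugin page still present does not mean the page is safe, only that nobody else has asked for it yet.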

About 21% Indian computers and phones are infected with malware: Study

The study conducted by Comparitech judged countries on the basis of malware attacks, cyber-attack preparedness and most up to date cybersecurity-related legislation.

India ranked 15th among 60 countries for the worst cybersecurity with over 25% of its phones and 21% of its computers infected with malware.

India’s overall score was about 39%, though both Pakistan and China are worse off in cybersecurity. About 25.25% of Indian phones and 21.8% of computers are infected with malware. The study found Japan to be the most cyber-secure country in the world. It scored incredibly low across the majority of categories, only scoring a little higher in the preparation for cyberattacks and legislation categories. Only 1.34% of its phones and about 8% of its computers are susceptible to malware attacks.

Other top-performing countries included France, Canada, Denmark, and the United States. On the other end of the spectrum, Algeria is the least cyber-secure country in the world, with 22.88% of its phones and 32.41% of its computers infected with malware. It was the highest-ranking country for lack of legislation and computer malware rates, and also received a high score in the categories for mobile malware and preparation for cyberattacks. Other high-ranking countries were Indonesia, Vietnam, Tanzania, and Uzbekistan.

Germany has the highest number of attacks involving financial malware, while China is the country from which most telnet attacks originated.

Critical security flaw found in control systems of several hospitals and supermarket chains

  • A research study exposed a security flaw in temperature control systems manufactured by Resource Data Management.
  • Well-known organizations using these control systems include Marks & Spencer, Ocado and Way-on.

Resource Data Management (RDM), a Scottish firm engaged in providing remote monitoring solutions, was found to have security loopholes in its temperature control systems (TCS).

According to security researchers Noam Rotem and Ran L who conducted a detailed analysis, there may be thousands of organizations using these systems affected by the security vulnerabilities.

Hospitals and supermarket chains including Marks & Spencer, Ocado, and Way-on use TCS built by RDM. From the report, it is evident that these systems use the unencrypted HTTP protocol on port 9000 (or sometimes 8080, 8100, or even simply 80).

On top of this, all of them had default usernames and passwords, which administrators had left unchanged. Thus, anyone with the right URL could easily access these systems.

Thousands of vulnerable systems

The researchers warned about the number of vulnerable systems, stating, “A basic scan reveals hundreds of installations in the UK, Australia, Israel, Germany, the Netherlands, Malaysia, Iceland, and many other countries around the world. As each installation has dozens of machines under it, we’re looking at many thousands of vulnerable machines.”

The researchers found over 7,000 installations with vulnerabilities through Shodan. The scary part is some of the devices installed with these control systems could even be found by a Google search.

In their research, Rotem and Ran also demonstrated how RDM-made control systems in a hospital as well as a supermarket could be easily accessed. All they had to do was find the device URL and enter the default username and password combination. Similarly, they got into systems of Marks & Spencer and other companies in Italy, Germany, and Malaysia.

Change the credentials

Meanwhile, Rotem and Ran informed RDM of these security issues. However, the company first fended off the researchers without showing interest in the findings, but later responded saying that it has no control over how its customers configure their TCS installations.

Furthermore, RDM has announced an update to resolve this issue and has urged administrators to change the default credentials in TCS.