• The ransomware attack impacted everyone who had opened an account, booked or attended a St John Ambulance training course until February 2019.
• The data includes names of those who booked and attended the course, course details, contact information, costs, invoicing details, and driving license data.

What is the issue?

St John Ambulance, the nation’s leading first aid charity suffered a ransomware attack compromising the data belonging to individuals who undertook a training course.

The big picture

St John Ambulance became aware of the ransomware infection on July 2, 2019. Upon which, the first aid charity temporarily blocked access to the infected system. The charity organization confirmed that the attack did not impact its operational systems.

• St John Ambulance notified the Information Commissioner’s Office (ICO), the Charity Commission, and the police authorities about the incident.
• It has hired third-party cyber experts to enhance its security mechanism in order to protect its data systems.
• The organization confirmed that the issue was resolved immediately within half an hour.

“We work as hard as we can to protect our data systems from these types of attacks and employ a range of third party partners and cyber-crime solutions to continually update our protection,” St John Ambulance said.

What was the impact?

• The incident has impacted everyone who opened an account, booked or attended a St John Ambulance training course until February 2019.
• The data includes names of those who booked and attended the course, course details, contact information, costs, invoicing details, and driving license data.
• However, no credit card details or customer passwords were compromised.

“The only data that has been affected relates to our training course delivery. It does not cover supplies, events, ambulance operations, volunteering, volunteer, data, employee data, clinical data or patient data,” St John Ambulance said.

• DanaBot campaigns targeted at European countries also drop a ransomware executable onto target systems.
• The trojan also comes with new plugins, configuration files, and other updates.

Banking trojan DanaBot, which is known to target organizations across Europe, North America, and Australia, has been found being distributed with a ransomware module. Security researchers from CheckPoint came across this new variant in few of the recent DanaBot campaigns. According to the researchers, DanaBot also had new plugins, configuration files, string encryptions, file name generation algorithms as well as had a different communication protocol.

Worth noting

• In a report by CheckPoint, researchers indicate that the new DanaBot is also spread through phishing emails that contain a malicious link. This link acts as a dropper for DanaBot.
• On top of having a new communication protocol, the researchers found that the recent campaigns used additional plugins and configuration files for DanaBot.
• Coming to the ransomware module, it was identified to be a variant of “NonRansomware”, which is known for enumerating files on local drives and encrypting them except for the Windows directory.
• After execution, the ransomware runs a Batch script. This script performs a host of actions which includes disabling Windows Defender, removing system logs amongst others. Furthermore, it schedules a task that executes the ransomware every 14 minutes until a certain period and then proceeds with encryption.

Evolving malware

CheckPoint researchers hint that the threat actors behind DanaBot continue to keep updating the trojan. “For almost a year, DanaBot has been extending its capabilities and evolving into a more sophisticated threat. We assume its operators will continue to add more improvements,” they said.

“A lot of ransomware still remain a relatively stable source of income for cybercriminals. Therefore such simple ‘copy-paste’ encryptors as the one that was described here will continue to emerge constantly,” the researchers wrote, regarding the prevalence of ransomware attacks.

• The remote management tools which were targeted include Webroot SecureAnywhere and Kaseya VSA.
• The tools have been abused to execute a Powershell script that downloads and installs the Sodinokibi ransomware.

Attackers have hacked three Managed Service Providers (MSPs) and abused their remote management tools to deploy Sodinokibi ransomware on their customers’ systems.

The incident came to light after some of the impacted MSPs reported in a subreddit on Reddit dedicated to MSPs.

The big picture

Kyle Hanslovan, co-founder and CEO of Huntress Lab, analyzed the incidents and revealed the following,

• Attackers compromised the MSPs via exposed RDP endpoints.
• Upon compromise, attackers gained escalated privileges and uninstalled antivirus products such as ESET and Webroot.
• The attackers then searched for remote management tools used by MSPs to manage remotely-located workstations of their customers.
• They then abused the remote management tools to execute a Powershell script on customers’ systems.
• The malicious script downloaded and installed the Sodinokibi ransomware on customer endpoints.
• The abused remote management tools include Webroot SecureAnywhere and Kaseya VSA.

“Two companies mentioned only the hosts running Webroot were infected. Considering Webroot’s management console allows administrators to remotely download and execute files to endpoints, this seems like a plausible attack vector,” Hanslovan said.

Webroot makes 2FA mandatory

After the incident, Webroot mandated enabling two-factor authentication (2FA) for accounts in order to prevent hackers from using any other potentially hijacked accounts to deploy ransomware.

“Recently, Webroot’s Advanced Malware Removal team discovered that a small number of customers were impacted by a threat actor exploiting a combination of customers’ weak cyber hygiene practices around authentication and RDP,” Chad Bacher, SVP of Products at WEBROOT told ZDNet via email.

“To ensure the best protection for the entire Webroot customer community, we decided it is time to make two-factor authentication mandatory. We did this by conducting a console logout and software update the morning of June 20,” Bacher added.

• The Ableton Live 10 cracked installer can be downloaded from a pirate website called VST Crack.
• Ableton Live is a high-end music production software and is used as an instrument for live performance by DJs.

A new Mac cryptocurrency miner detected as Bird Miner has been found leveraging craked installer for Ableton Live 10 software for propagation. Ableton Live is a high-end music production software and is used as an instrument for live performance by DJs. The software is also used for composing, recording, mixing and mastering music.

How does it propagate?

According to Malwarebytes, the Ableton Live 10 cracked installer can be downloaded from a pirate website called VST Crack. The software is more than 2.6 GB. Once installed, the software downloads Bird Miner’s post-install script among other things. The cracked installer also copies some installed files to new locations with random names.

The files that get dropped on the infected system with random names have a variety of functions. This includes launching three different shell scripts.

Malicious scripts

One of the scripts launched is called Crax and its installed in the /usr/local/bin/ directory. Crax ensures that the malware gains persistence on the victim’s system without being detected by security solutions.

“The first thing it does is check to see if Activity Monitor is running and, if it is, unload the other processes. If Activity Monitor isn’t running, the malware then goes through a series of CPU usage checks. If the results show that it’s pegging the CPU at more than 85 percent, it again unloads everything,” explained the researchers.

After Crax completes its check process, it loads two more processes named ‘com.Flagellariaceae.plist’ and ‘com.Dail.plist’. While the first one runs a script named Pecora, the second runs a script called Krugerite.

These two scripts once again check for Activity Monitor and later launches an executable named Nigel which is an old version of open-source software called Qemu. The Nigel enables attackers to execute the miner code by hiding it inside Qemu images.

Worth noting

Malwarebytes highlights that the malware was first spotted in a pirated Ableton Live 10 installer. Since then, it has been found to be distributed via other software through the same site. The site has been distributing the malware in one form or the other for at least four months.

• All these vulnerabilities are related to the minimum segment size (MSS) and TCP selective acknowledgment (SACK) capabilities.
• ‘SACK Panic’ is the most severe vulnerability of all the flaws.

Four TCP networking vulnerabilities in FreeBSD and Linux kernels have been discovered by security researchers recently. All these vulnerabilities are related to the minimum segment size (MSS) and TCP selective acknowledgment (SACK) capabilities.

SACK PANIC, the serious one

In a report, Netflix Information Security’s Jonathan Looney has revealed that ‘SACK Panic’ is the most severe vulnerability of all the flaws. Tracked as CVE-2019-11477, the vulnerability has been marked with a CVSS score of 7.5. It could permit an attacker to remotely induce a kernel panic within recent Linux operating systems.

A kernel panic is a kind of vulnerability where an operating system cannot be recovered easily. This could force a restart of a targeted host, causing a temporary shutdown in services.

The SACK Panic flaw impacts Linux kernel version 2.6.29 and later. It can be addressed by deploying PATCH_net_1_4.patch. Additionally, the versions of the Linux kernel up to 4.14 require a second patch PATCH_net_1a.patch.

The other way to mitigate the issue is by completely disabling SACK processing on the system.

What are the other flaws?

As per Red Hat, the two other issues that impact the kernel’s TCP processing subsystem are CVE-2019-11478 (dubbed SACK Slowness) and CVE-2019-11479. These flaws are considered to be moderate severity vulnerabilities.

The CVE-2019-11478 can be exploited by sending a crafted sequence of SACKs which will fragment the TCP retransmission queue, while CVE-2019-11479 allows attackers to trigger a DoS attack.

CVE-2019-5599 is the FreeBSD counterpart of CVE-2019-11478. The flaw impacts FreeBSD 12 installations using the RACK TCP Stack. It can be abused by delivering “a crafted sequence of SACKs which will fragment the RACK send map.”

Linux and FreeBSD admins and users can address CVE-2019-11478 by applying PATCH_net_2_4.patch. The second issue, CVE-2019-11479, can be addressed by using PATCH_net_3_4.patch and PATCH_net_4_4.patch security patches. CVE-2019-5599 can be patched only by applying ‘ ‘split_limit.patch’ and set the net.inet.tcp.rack.split_limit sysctl’’ to a reasonable value to limit the size of the SACK table.

Mermaids UK has apologized for an “inadvertent” data breach which exposed private messages between the charity and the parents of gender variant and transgender children.

As first reported by the Sunday Times last week, over 1,000 pages of confidential emails were leaked online, including “intimate details of the vulnerable youngsters it [the charity] seeks to help.”

The letters, sent between 2016 and 2017, also contained the names, addresses, and telephone numbers of those reaching out to the charity.

When data breaches occur, it is often the case that cyberattackers infiltrate internal networks and steal information — and this data may be published online or sold in underground forums.

However, in Mermaids UK’s case, the material had simply been uploaded to the web and could be accessed just by typing in “Mermaids” and the UK charity number assigned to the group.

After being warned of the leak on Friday, the charity removed the content from public view.

CNET: Black Hat cancels Rep. Will Hurd’s headline speech after Twitter backlash

In a statement, Mermaids UK called the data breach “inadvertent” and insists there is no evidence of the sensitive material being abused.

Mermaids said the leak involved roughly 1,100 emails between executives and trustees, rather than the correspondence of private users, according to the BBC. A spokesperson said the records were not related to “Mermaids service users emailing each other, and their emails and private correspondence being available to an outside audience.”

The charity added that the emails stemmed from a “private user group” and “the information could not be found unless the person searching for the information was already aware that the information could be found.” (Considering the publication was able to find the information through a simple online search, however, this position may not be wholly accurate.)

The UK’s Information Commissioner’s Office (ICO) has been informed, a step now demanded in light of the General Data Protection Regulation (GDPR) legislation, introduced in 2018.

TechRepublic: Magecart attack: What it is, how it works, and how to prevent it

Under the terms of GDPR, organizations now must be prompt when it comes to reporting data breaches and should they be found wanting in terms of data protection and security, heavy fines can be issued. Each security incident is considered on a case-by-case basis.

Mermaids has also contacted the families affected, alongside stakeholders and the Charity Commission.

See also: Have I Been Pwned: It’s time to grow up and smell the acquisition potential

“Mermaids apologizes for the breach,” the charity added. “Even though we have acted promptly and thoroughly, we are sorry.  At the time of 2016 — 2017, Mermaids was a smaller but growing organization. Mermaids now has the internal processes and access to technical support which should mean such breaches cannot now occur.”

Australian consumers reported over AU$110,000 in monthly losses from NBN scams in the January-May 2019 period, according to the Australian Competition and Consumer Commission (ACCC).

Compared to the average monthly losses of AU$38,500 in 2018, this is a near 300% increase.

“People aged over 65 are particularly vulnerable, making the most reports and losing more than AU$330,000 this year. That’s more than 60% of the current losses,” ACCC Acting Chair Delia Rickard said.

Despite being only halfway through the year, the amount of reported losses for NBN scams in 2019 has already exceeded the total of last year’s losses, which was around AU$462,000.

“Scammers are increasingly using trusted brands like ‘NBN’ to trick unsuspecting consumers into parting with their money or personal information,” Rickard added.

See also: ACCC questions fairness of NBN basic pricing

The most common types of NBN scams, the ACCC said, include scammers pretending to be the NBN attempting to sell NBN services or test the speed of their connection and asking them to provide personal details such as their name, address, date of birth, and Medicare number or payment; scammers pretending to be NBN Co or an internet provider and claiming there is a connection problem that requires remote access to fix, allowing them to install malware or steal valuable personal information; and scammers calling during a blackout offering consumers the ability to stay connected during a blackout for an extra fee.

“We will never make unsolicited calls or door knock to sell broadband services to the public. People need to contact their preferred phone and internet service provider to make the switch,” NBN Co chief security officer Darren Kane said.

“We will never request remote access to a resident’s computer and we will never make unsolicited requests for payment or financial information.”

This follows the ACCC in April releasing its annual Targeting scams report, which unveiled that the total combined losses from scams in 2018 exceeded AU$489 million  — AU$149 million more than the year prior, up 41.7% year on year.

Of that total reported amount, AU$107 million was reported to Scamwatch, the ACCC’s scam reporting website.

“These record losses are likely just the tip of the iceberg. We know that not everyone who suffers a loss to a scammer reports it to a government agency,” Rickard said at the time.

RELATED COVERAGE

Cryptocurrency scams took over AU$6m from Australians in 2018: ACCC

While hacking scams accounted for over AU$3 million in reported losses.

ACCC starts breaking out Vodafone NBN customer connections

Vodafone Australia is sitting around the level of Aussie Broadband and MyRepublic in the latest ACCC Wholesale Market Indicators Report.

TPG is still king of NBN speed report

TPG still delivers on its download speed promises the most often, while Exetel won on upload speeds, Telstra on latency, and Optus on the highest number of daily outages, according to the fifth ACCC report.

ACMA warns TPG, Foxtel, Aussie Broadband on priority assistance

TPG, Aussie Broadband, MyRepublic, Foxtel, Activ8me, Exetel, Dodo, Skymesh, Southern Phone, Spintel, and V4 Telecom have been formally warned to provide accurate information on priority assistance services.

NBN pulls in AU$2b revenue so far for FY19

For the first nine months of FY19, NBN has reported AU$2 billion in revenue and negative AU$808 million in EBITDA.

Network technologies are changing faster than we can manage them (TechRepublic)

Kentik’s Cisco Live survey shows networks are changing faster than they have in decades, and companies are stumbling trying to keep up with the changes.