CYBER ATTACK HITS HOSPITALS IN VICTORIA
A sophisticated cyberattack has brought down the computer systems of several regional hospitals in Victoria.
The attack affected hospitals in the Gippsland Health Alliance, in the state's east, and in the South West Alliance of Rural Health.
This includes hospitals in Warrnambool, Colac, Geelong, Warragul, Sale and Bairnsdale, as well as a host of services in smaller towns.
According to Dr Nalin Asanka Gamagedara Arachchilage, Senior Research Fellow in Cyber Security at La Trobe University, the attack can be attributed to human vulnerabilities.
“This is a ransomware attack,” he said. “The ransomware attack shut down the entire hospital systems, from patient records to booking and management systems, which may impact patient contact and scheduling. Doctors will not be able to access patients’ health records either.”
Although the type of attack and who was behind it are yet to be confirmed, the Department of Health and Human Services (DHHS) said the incident was uncovered on Monday and the Victorian Cyber Incident Response Service has been deployed. To contain the ransomware, access to several systems, including financial management, has been blocked.
“Hospitals have isolated and disconnected several systems such as the internet to quarantine the infection,” it stated. “The priority is to fix all affected systems and prevent any further compromise.”
According to DHHS, this isolation has led to the shutdown of some patient record, booking and management systems, which may impact on patient contact and scheduling. Where practical, hospitals are reverting to manual systems to maintain their services.
West Gippsland Healthcare Group chief executive officer Dan Weeks said most local IT services are still functional, including internal intranet communications, the phone system, the public address system, access to printers and external websites.
The Victorian Premier’s office has confirmed Victoria Police and the Australian Cyber Security Centre are also involved in managing the incident and investigating the scope of the attack.
“A full review will take place to address what has occurred and identify what additional measures may be required to ensure hospitals have the best protection against cyber security incidents,” stated Premier Daniel Andrews.
Attack not exactly a surprise
The incident shouldn’t come as a surprise to the Victorian Government: an audit into the Security of Patients’ Hospital Data by the Victorian Auditor-General’s Office, released in May 2019, found Victoria’s public health system to be highly vulnerable to cyberattacks.
According to the report there were key weaknesses found in health services’ physical security and in their logical security – which covers password management and other user access controls.
“Staff awareness of data security is low, which increases the likelihood of success of social engineering techniques such as phishing or tailgating into corporate areas where ICT infrastructure and servers may be located,” stated the report.
“The audited health services are not proactive enough, and do not take a whole-of-hospital approach to security that recognises that protecting patient data is not just a task for their IT staff.”
Arachchilage told Information Age it was “very clear” that cybercriminals are interested in “breaking into people’s mindset rather than breaking into systems straight away”.
“Cybercriminals usually launch a ransomware attack by locking the data on a victim’s computer -- typically by encryption,” he said. “Ransomware attacks normally occur through phishing links – which is the art of human hacking.”
“Prevention is better than the cure,” said Arachchilage. He urged organisations to back up their data and to adopt the Australian Signals Directorate’s Essential Eight mitigation strategies as a baseline level of security.
Dane Meah, CEO of InfoTrust, encouraged all businesses to implement email authentication controls such as SPF, DKIM and DMARC, limiting the ability of cybercriminals to send spoofed emails.
“Unfortunately, when cyber security is not prioritised, it will take a major incident for people to sit up and realise a proactive approach is needed,” he said. “In a recent case we saw an organisation lose close to $2m in cash. A data breach can be even worse.”
Meah believes there has been a paradigm shift where it’s expected that attacks like these will occur, however it’s how an organisation detects and responds to an incident that matters most.
“I’m sure there’s more that could have been done to avoid this attack - hindsight is 20/20,” he said. “I’d encourage organisations concerned with being hit by ransomware to review the egress points that ransomware hits.”
HACKER BREACHES US BANK
A lone actor has hacked into US bank Capital One in a massive data breach affecting more than 100 million Americans.
Fourteen years’ worth of customer data, including 140,000 social security numbers and 80,000 linked bank account numbers, was compromised in the incident.
Capital One became aware of the breach when it received an email from an outside party linking to a GitHub file containing the leaked data.
The file contained a set of commands that obtained access to a cloud server behind a misconfigured firewall and to more than 700 folders, or buckets, of data.
Capital One has confirmed it has since fixed the vulnerability on its web applications that are hosted on Amazon Web Services (AWS).
Paige Thompson, 33, – known by the username ‘erratic’ – is the FBI’s main suspect.
She is a former Amazon employee and systems engineer who worked on AWS.
Thompson’s name and GitLab profile were included in the GitHub file.
In an affidavit, FBI Special Agent Joel Martini explained how he linked Thompson’s GitHub account to a server list matching IP addresses controlled by the same VPN provider from which the Capital One breach took place.
Martini also tracked Thompson through a Meetup group with “Paige Thompson (erratic)” listed as the organiser.
That group contained a Slack invitation code to a channel on which user ‘erratic’ boasted about files she accessed illegally – and the methods she used to hide her activity.
Martini also linked the Twitter account @0xA3A97B6C with the username ‘ERRATIC’ which had been messaging the person who eventually tipped off Capital One about the data breach.
“I’ve basically strapped myself with a bomb vest, f@#%ing dropping Capital One’s DOX and admitting it,” they said in one message.
Based on this evidence, Martini and other FBI Special Agents executed a search warrant on Thompson’s home earlier this week where they seized devices referencing Capital One and AWS, other potential targets, and further connecting Thompson with the ‘erratic’ alias.
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Capital One Chairman and CEO, Richard Fairbank.
"I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right."
The felony charge of gaining unauthorised access to information on a financial institution’s computers carries a maximum sentence of five years in prison and a US$250,000 fine.
SEXTORTION EMAILS HIT AUSTRALIA
Australians are being hit with a new online scam that appears to be coming from their own email account, with more than 300 reports from the public just this week.
The Australian Cyber Security Centre put out an alert this week about the widespread scam, a new form of the common “sextortion” tactic.
The scam involves individuals receiving an email that appears to come from their own email account which threatens to reveal intimate photos of them unless they pay a fee, often in cryptocurrency.
“This scam uses a tactic known as ‘sextortion’ – a form of online blackmail where a cybercriminal threatens to reveal intimate images of someone online, often to their friends and family, unless they pay a ransom quickly,” the alert said.
“The scam uses ‘spoofing’ to make the email look like it’s come from your own email address. Email spoofing occurs when email addresses are manipulated to come from a different source but display a legitimate address.
“This is a technique commonly used by cybercriminals to make their scam seem real.”
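What the email authentication controls Dane Meah recommends above (SPF, DKIM and DMARC) give a defender against this kind of self-spoof is a verdict the mail server stamps into each message. The following Python is an added example, not code from the ACSC alert or from this article: it reads that verdict from the Authentication-Results header (RFC 8601) and flags messages that claim to be from the organisation's own domain but did not pass DMARC. The protected domain (example.com), the authserv-id our mail server writes (mx.example.com) and the three sample messages are all constructed assumptions.

```python
"""Spot a message whose From: claims our own domain but failed sender authentication.

Added example, not part of the ACSC alert. It assumes the receiving mail server
stamps an Authentication-Results header (RFC 8601) whose authserv-id is
mx.example.com, and that the domain to protect is example.com (both assumptions).
"""
import re
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAIN = "example.com"            # assumption: our own domain
OUR_AUTHSERV_ID = "mx." + PROTECTED_DOMAIN  # assumption: id our MX writes

# spf=/dkim=/dmarc= verdicts inside an Authentication-Results value
VERDICT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)", re.I)


def parse_auth_results(value):
    """Return e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'} from one header value."""
    return {m.group(1).lower(): m.group(2).lower() for m in VERDICT_RE.finditer(value)}


def is_spoofed_self(raw_message, protected=PROTECTED_DOMAIN, authserv=OUR_AUTHSERV_ID):
    """True when From: is our domain and our own MX did not record dmarc=pass.

    SPF or DKIM passing for some other domain is not enough: DMARC requires the
    authenticated domain to align with the From: domain, which is exactly what a
    self-spoof breaks.
    """
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain != protected.lower():
        return False                        # not claiming to be us
    # Several hops may add their own Authentication-Results, and a sender can
    # forge one too, so only the header stamped by our own MX counts.
    for value in msg.get_all("Authentication-Results", []):
        if value.split(";", 1)[0].strip().lower() == authserv.lower():
            return parse_auth_results(value).get("dmarc") != "pass"
    return True                             # no verdict from our MX: unauthenticated


# Constructed sample messages (not real mail).
SPOOFED = """\
Authentication-Results: mx.example.com;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=example.com;
 dkim=none;
 dmarc=fail (p=reject) header.from=example.com
From: Alice <alice@example.com>
To: alice@example.com
Subject: Your account was hacked

Pay 0.1 BTC within 48 hours or the recording goes to your contacts.
"""

LEGIT = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch

See you at noon.
"""

# A sender-supplied header with a foreign authserv-id must be ignored.
FORGED_HEADER = """\
Authentication-Results: attacker.invalid; spf=pass; dkim=pass; dmarc=pass header.from=example.com
From: Alice <alice@example.com>
To: alice@example.com
Subject: Final warning

Last chance.
"""

if __name__ == "__main__":
    for name, sample in [("SPOOFED", SPOOFED), ("LEGIT", LEGIT), ("FORGED_HEADER", FORGED_HEADER)]:
        print(name, "spoofed self" if is_spoofed_self(sample) else "ok")
```

The check only has teeth if the organisation publishes a DMARC policy of quarantine or reject for its domain; with p=none the same self-spoof is delivered and the header merely records the failure.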
The Australian Cyber Security Centre, Office of the eSafety Commissioner and Scamwatch have received more than 300 reports from the public of the scam in this week alone.
The alert includes a number of tips and warnings for Australians.
It says that you should never give in to the demands of the scam email, and report it straight away to the Office of the eSafety Commissioner.
You should never give the scammer any money or images, and should cease contact immediately.
You should also immediately change the passwords for all of your online accounts, including your email address, and call 000 if you are fearful for your physical safety.
If a password was obtained and used as part of the scam, it was most likely exposed in a previous data breach; the eSafety Commissioner advised Australians to check whether their accounts appear in any known breach using the haveibeenpwned.com service.
It’s a new form of the common sextortion scam. A global version of the tactic emerged last year, in which victims were told the camera on their device had been hacked and footage of them watching pornography or other compromising websites had been captured, to be released unless a ransom was paid.
These scam emails often also included the current or former password of the account to add legitimacy.
Earlier this year, the eSafety Commissioner found that most victims of financial sextortion, where a person is threatened with the release of sexually explicit images unless they pay, are men.
Its study found that nearly a third of all image-based abuse reports involved sextortion.
Another report earlier this year found that Australian businesses are also more likely to be vulnerable to email scams than their international counterparts, with phishing attacks on the rise.
AUSTRALIAN ANDROIDS BREACH
More than 100,000 Australian Android users have had their devices infected with malware that replaces popular apps with fake versions serving up advertising, with more than 25 million incidents around the world.
Israeli cybersecurity firm Check Point Research released a report last week detailing the “Agent Smith” malware which it detected earlier this year, but was traced back to January 2016.
The malware exploits a previously known Android vulnerability to disguise itself as a legitimate installed app, including WhatsApp, and then serve ads to the owner.
It does this by searching the device for legitimate apps and silently replacing them with malware-infected versions.
The malware was downloaded from third-party app store 9Apps.com, not Google’s official Play store.
After it was downloaded, the malware would then infect the innocent apps, which would display advertising out of context.
The infected apps were found to usually be a phone utility, game or adult-themed applications.
The malware was being used for financial gain by the hackers, who would receive money every time someone clicked on the advertising.
But Check Point Research said there are “endless possibilities” for the vulnerability to be exploited in much more serious ways, such as banking credential theft and eavesdropping.
“Due to its ability to hide its icon from the launcher and impersonate any popular existing apps on a device, there are endless possibilities for this sort of malware to harm a user’s device,” the report said.
More than 15 million of the infected devices were found to be in India, with 141,000 in Australia, 300,000 in the US and 137,000 in the UK.
Malware like this is typically focused on developing countries, making the spread of Agent Smith in the US, UK and Australia even more concerning.
Android users should update their phones immediately, and can search for the malicious apps by going to the Apps and Notifications section in Settings, tapping on the app information list, and searching for suspicious applications with names such as Google Updater, Google Installer for U, Google Powers and Google Installer.
These apps should be uninstalled.
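Scrolling the Settings app for odd names works for one phone; for a fleet, the quicker triage signal is where each user-installed package came from, since Agent Smith arrived through a third-party store rather than Google Play. The Python below is an added example, not tooling from Check Point's report: it parses the output of `adb shell pm list packages -3 -i` (assumed to be in the form `package:<name>  installer=<installer-or-null>`) and lists packages that were sideloaded or installed by anything other than Google Play, plus a second, heuristic pass for package names that trade on "google" without coming from Play. The sample output is constructed, not from a real device.

```python
"""Triage installed Android packages by installer source, from `adb shell pm list packages` output.

Added example, not from Check Point's report. It assumes the device reports installer
package names in the form printed by `pm list packages -3 -i`
(`package:<name>  installer=<installer-or-null>`), that Google Play is the only
trusted installer, and that the sample output below is constructed.
"""
import re

TRUSTED_INSTALLERS = {"com.android.vending"}   # Google Play; assumption for this example
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


def parse_pm_list(output):
    """Yield (package, installer) pairs; installer is None when pm printed 'null'."""
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # ignore blank lines and anything that is not a package line
        installer = m.group("installer")
        yield m.group("pkg"), (None if installer == "null" else installer)


def untrusted_packages(output, trusted=TRUSTED_INSTALLERS):
    """Return (package, source) for apps that were sideloaded or came from an untrusted store.

    A missing installer (null) means the APK was sideloaded (adb, browser download,
    another app) and deserves the same scrutiny as a third-party store.
    """
    flagged = []
    for pkg, installer in parse_pm_list(output):
        if installer not in trusted:
            flagged.append((pkg, installer or "sideloaded"))
    return flagged


def google_lookalikes(output, trusted=TRUSTED_INSTALLERS):
    """Packages whose name trades on 'google' but did not come from Google Play.

    Heuristic only: the droppers named in the text used Google-sounding names.
    """
    return [pkg for pkg, installer in parse_pm_list(output)
            if "google" in pkg.lower() and installer not in trusted]


# Constructed sample of `adb shell pm list packages -3 -i` (not real device output).
SAMPLE_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.flashlight  installer=com.thirdparty.store
package:com.google.updater.free  installer=null
package:org.example.notes  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg, src in untrusted_packages(SAMPLE_OUTPUT):
        print(f"review {pkg} (installer: {src})")
    for pkg in google_lookalikes(SAMPLE_OUTPUT):
        print(f"lookalike name not from Play: {pkg}")
```

The installer field is only a lead: a device that has had a third-party store installed in the past may legitimately show it, and an app already replaced in place by Agent Smith keeps the installer of the original. Pair this with a hash check of the installed APKs against the store's copies before deciding anything.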
“The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own,” Check Point Software Technologies head of mobile threat detection research Jonathan Shimonovich said.
“Combining advanced threat prevention and threat intelligence while adopting a ‘hygiene first’ approach to safeguard digital assets is the best protection against invasive mobile malware attacks like Agent Smith.
“In addition, users should only be downloading apps from trusted app stores to mitigate the risk of infection, as third party app stores often lack the security measures required to block adware loaded apps.”
There needs to be a more cohesive effort to combat threats like this, Check Point Research said.
“The Agent Smith campaign serves as a sharp reminder that effort from system developers alone is not enough to build a secure Android ecosystem,” the report said.
“It requires attention and action from system developers, device manufacturers, app developers and users so that vulnerability fixes are patched, distributed, adopted and installed.”
The cybersecurity firm connected the malware to a Chinese internet company based in Guangzhou, with its front-end genuine business helping Chinese Android developers to publish and promote their apps on overseas platforms.
Agent Smith was also found to resemble previous malware found on Android devices, like Gooligan, Hummingbad and CopyCat.
It also follows revelations last year that Android users were downloading malware-infested versions of the popular game Fortnite.
Android apps have also been found to automatically share user data with Facebook without the permission of users, according to a Privacy International report earlier this year.
NORTH KOREA MALWARE
The US government has issued a warning about a new malware strain believed to have been used by North Korean hackers.
Dubbed HOPLIGHT, the trojan malware variant has been identified by the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) through “analytic efforts” between the agencies.
It is said to be targeting US companies and government agencies.
“Working with US Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government,” said the US Cybersecurity and Infrastructure Security Agency (CISA) in a statement.
“This malware variant has been identified as HOPLIGHT.”
The Malware Analysis Report (MAR) details hashes and other indicators for nine files associated with the malware, seven of which “are proxy applications that mask traffic between the malware and the remote operators”.
“DHS and FBI are distributing this MAR to enable network defence and reduce exposure to North Korean government malicious cyber activity,” the statement said.
According to CISA, the malware is able to generate fake TLS handshake sessions using valid public SSL certificates, disguising its network connections with remote malicious actors as ordinary encrypted web traffic.
HOPLIGHT can read, write and move files, create and terminate processes, upload and download files and connect to a remote host, says the report.
A built-in proxy application can also mask communications with the remote command-and-control server.
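A fake handshake that presents a real, publicly trusted certificate defeats the naive check "is the certificate valid?", but it leaves two cheaper tells: the certificate may not cover the hostname the client asked for in SNI, or it may cover it while the connection went to an address that hostname never resolves to. The following Python is an added hunting example and is not CISA's detection logic or anything from the HOPLIGHT report. It assumes flow records that already carry the destination IP, the client's SNI and the names on the server certificate (the fields a passive TLS monitor such as Zeek records), plus a map of which addresses each hostname legitimately resolved to; every record and the resolver map are constructed.

```python
"""Hunt for TLS sessions whose server certificate does not belong to the host the client reached.

Added example; not CISA's detection logic and not code from the HOPLIGHT report.
Flow records and the resolver map below are constructed.
"""


def hostname_matches(pattern, host):
    """RFC 6125-style match: exact, or a single leftmost wildcard label ('*.example.net')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, dot, rest = host.partition(".")
        # the wildcard covers exactly one label, so a.b.example.net is not matched
        return bool(dot) and label != "" and rest == pattern[2:]
    return pattern == host


def cert_covers(cert_names, host):
    """True if any subject/SAN name on the certificate covers the requested host."""
    return any(hostname_matches(p, host) for p in cert_names)


def hunt(flows, resolved):
    """Return (flow_id, reason) for sessions worth a second look.

    Two tells for a 'fake handshake with a valid public certificate':
      1. the certificate does not cover the SNI the client asked for, or
      2. it does, but the destination IP is not one the SNI hostname resolves to,
         i.e. a genuine certificate for a site the traffic never went to.
    A hit is a lead, not proof: CDNs, TLS inspection and stale DNS all cause mismatches.
    """
    findings = []
    for f in flows:
        if not cert_covers(f["cert_names"], f["sni"]):
            findings.append((f["id"], "certificate does not cover SNI"))
        elif f["dst"] not in resolved.get(f["sni"].lower(), set()):
            findings.append((f["id"], "SNI host does not resolve to destination IP"))
    return findings


# Constructed data (not real observations): hostname -> addresses it resolved to.
RESOLVED = {
    "cdn.example.net": {"198.51.100.10", "198.51.100.11"},
    "www.example.org": {"203.0.113.5"},
}

FLOWS = [
    {"id": "f1", "dst": "198.51.100.10", "sni": "cdn.example.net",
     "cert_names": ["*.example.net"]},                       # legitimate
    {"id": "f2", "dst": "192.0.2.44", "sni": "www.example.org",
     "cert_names": ["www.example.org", "example.org"]},      # real cert, wrong server
    {"id": "f3", "dst": "192.0.2.45", "sni": "update.example.com",
     "cert_names": ["*.example.net"]},                       # cert for an unrelated site
    {"id": "f4", "dst": "198.51.100.11", "sni": "a.b.example.net",
     "cert_names": ["*.example.net"]},                       # wildcard must not span labels
]

if __name__ == "__main__":
    for flow_id, reason in hunt(FLOWS, RESOLVED):
        print(flow_id, reason)
```

Flow f2 is the HOPLIGHT-shaped case: nothing about the certificate is wrong, only the fact that the client reached an address the certificate's owner does not use. Building the resolver map from your own DNS logs, rather than from a live lookup at hunt time, keeps the comparison honest against an attacker who also controls the name.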
The Lazarus Group
Referred to by the US government as HIDDEN COBRA, and also known as the Lazarus Group, the North Korean-aligned threat group behind the malware is believed to have been active since 2009.
It is the same group that was said to be responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment, which occurred in the lead-up to the release of comedy film The Interview (the film is about a plot to assassinate North Korean leader Kim Jong-un).
The malware attack copied critical files and rendered many computers within Sony inoperable.
A 2017 report into the WannaCry attack – which affected approximately 300,000 computers globally – concluded it was “highly likely” that Lazarus was behind the incident.
In September of last year, the US Department of Justice formally charged Park Jin Hyok for his role in both the Sony and WannaCry attacks, carried out while he worked for the country’s Reconnaissance General Bureau.
Park remains on the FBI’s most wanted list.
FACEBOOK NAMES IN PLAIN TEXT
Hundreds of millions of Facebook user records were publicly displayed and accessible on Amazon servers in yet another major privacy incident for the social media giant.
Australian cybersecurity company UpGuard revealed the exposure last week, finding records containing sensitive private information of Facebook users stored in Amazon S3 storage without any access restriction, meaning they could be viewed and downloaded by anyone who found them.
The records were stored by two third-party Facebook apps and included comments, passwords, photos, names and likes.
The largest dataset belongs to Mexico-based media company Cultura Colectiva, which was openly storing 540 million records, with access only closed after it was reported in the media.
The other app, called At The Pool, stored the passwords and emails of 22,000 users in plaintext.
“The data sets vary in when they were last updated, the data points present and the number of unique individuals in each,” UpGuard said in the post. “What ties them together is that they both contain data about Facebook users, describing their interests, relationships and interactions that were available to third-party developers.”
The passwords stored in the At The Pool dataset were for that specific app rather than for Facebook, but there is significant risk that many users would have duplicated their passwords. The At The Pool parent company’s website has now been taken down. While the data was stored in its own Amazon S3 bucket, it was configured to allow for public downloads.
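An S3 bucket becomes "configured to allow for public downloads", as the At The Pool bucket above was, through one of two documents: a bucket policy that allows s3:GetObject to an anonymous principal, or a bucket ACL that grants READ to the AllUsers group. The Python below is an added example, not UpGuard's tooling: it evaluates both documents in the JSON shape the S3 GetBucketPolicy and GetBucketAcl APIs return and reports which statements and grants open the bucket to the world. The policy, the ACL, the account ID and the VPC endpoint ID are constructed so it runs offline; it deliberately refuses to reason about NotPrincipal/NotAction statements and marks conditioned statements for manual review rather than evaluating the condition.

```python
"""Flag S3 buckets whose policy or ACL lets anyone on the internet read objects.

Added example, not UpGuard's tooling. Policy and ACL are in the JSON shape returned by
the S3 GetBucketPolicy / GetBucketAcl APIs; both samples below are constructed.
"""
import fnmatch
import json

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account: still public
}
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal):
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means unauthenticated access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def actions_allow_read(actions):
    """IAM action patterns are glob-like: "s3:*" and "s3:Get*" both reach s3:GetObject."""
    return any(fnmatch.fnmatchcase(read, pattern)
               for pattern in _as_list(actions) for read in READ_ACTIONS)


def public_read_statements(policy):
    """Return [(sid, verdict)] for Allow statements granting read to anyone.

    verdict is 'public' when unconditional, 'conditional' when a Condition block is
    present (e.g. aws:SourceVpce) and must be reviewed by hand, and 'review' for
    NotPrincipal/NotAction statements, whose negation is too easy to misjudge here.
    """
    out = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"#{i}")
        if "NotPrincipal" in st or "NotAction" in st:
            out.append((sid, "review"))
            continue
        if principal_is_anyone(st.get("Principal")) and actions_allow_read(st.get("Action", [])):
            out.append((sid, "conditional" if st.get("Condition") else "public"))
    return out


def acl_is_public(acl):
    """True when the ACL grants READ or FULL_CONTROL to AllUsers or AuthenticatedUsers."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("URI") in PUBLIC_GRANTEE_URIS and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            return True
    return False


# Constructed bucket policy: one statement is the classic "public website" mistake,
# one is correctly scoped to a single IAM role, one is anonymous but VPC-endpoint bound.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-user-export/*"},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-export"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::app-user-export/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::app-user-export/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}""")

SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print("policy:", public_read_statements(SAMPLE_POLICY))
    print("acl public:", acl_is_public(SAMPLE_ACL))
```

A scanner like this finds buckets that are already open; the durable fix is the account-level S3 Block Public Access setting, which overrides both a public policy and a public ACL regardless of what an individual developer configures on a bucket.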
“This should offer little consolation to the app’s end users whose names, passwords, email addresses, Facebook IDs and other details were openly exposed for an unknown period of time,” UpGuard said.
These third-party apps were previously able to easily access this sort of information from Facebook, until the company cracked down following the Cambridge Analytica scandal. An audit Facebook conducted suspended hundreds of applications for mishandling user data.
“As these exposures show, the data genie cannot be put back in the bottle,” the cybersecurity researchers said. “Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continue to leak.”
UpGuard said it received no response from Cultura Colectiva when it notified the company of the breach, and Amazon also didn’t act to close access. The dataset was only secured after Facebook was notified of its existence at the start of this month, UpGuard said.
The At The Pool dataset was taken down during the cybersecurity firm’s investigation.
“These two situations speak to the inherent problem of mass information collection: the data doesn’t naturally go away, and a derelict storage location may or may not be given the attention it requires,” UpGuard said.
“For app developers on Facebook, part of the platform’s appeal is access to some slice of the data generated by and about Facebook users.
“In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security. The surface area for protecting the data of Facebook users is thus vast and heterogenous, and the responsibility for securing it lies with millions of app developers who have built on its platform.”
The access to sensitive data that Facebook apps were given was put in the spotlight last year when it was revealed that political consulting firm Cambridge Analytica had harvested the data of millions of Facebook users without their consent, through an app offering a personality quiz.
It also comes just weeks after it was revealed that millions of Facebook passwords were being stored in plain text on the company’s own internal servers, accessible by employees.
New documents last month also showed that more than 100,000 Australians were caught up in another security breach last year, where Facebook user data on names, contact information and location were accessed.
Freedom of Information documents showed that up to 111,813 Australian Facebook users were impacted by this breach.
Alert: Australia has been hacked
Australian businesses have been infiltrated by large-scale global cyber attacks instigated by China.
The attacks focused on managed service providers (MSPs), which remotely manage the IT infrastructure of organisations, and often hold sensitive information.
It follows the US announcement that it had indicted two Chinese nationals: Zhu Hua (朱华), aka Afwar, aka CVNX, aka Alayos, aka Godkiller; and Zhang Shilong (张士龙), aka Baobeilong, aka Zhang Jianguo, aka Atreexp, both members of hacking group Advanced Persistent Threat 10 (APT10).
APT10 acts on behalf of China’s Ministry of State Security, the country’s intelligence and security agency.
It is believed the two men, who are on the FBI’s Wanted list, are currently in China.
The pair can now be arrested if they travel outside of China.
This morning, Australia joined the US in publicly condemning the attacks that have stolen intellectual property from businesses and government, with Senator the Hon Marise Payne, Minister for Foreign Affairs, and the Hon Peter Dutton, Minister for Home Affairs, expressing “serious concern”.
“The worldwide cyber security compromise serves as a reminder that all organisations must remain vigilant about security and that organisations such as MSPs must be responsible and accountable to those they serve,” they said in a joint statement.
In 2015, countries at the G20 Summit – including China – agreed to “refrain from cyber-enabled theft of intellectual property, trade secrets and confidential business information with the intent of obtaining a competitive advantage”.
Australia and China reaffirmed the agreement bilaterally just last year.
China slammed by US
The US Department of Justice (DoJ) said “hundreds of gigabytes of sensitive data were secretly taken” by APT10 which had targeted a range of companies since 2006.
These companies spanned aviation, banking and finance, satellite and maritime technology, mining and gas exploration, and manufacturing to name a few.
FBI Director Christopher Wray described the list of companies, not named in the indictment, as a “Who’s Who” of the global economy.
“Healthy competition is good for the global economy. Criminal conduct is not. Rampant theft is not. Cheating is not,” Wray said at a press conference.
“China’s goal, simply put, is to replace the US as the world’s leading superpower, and they’re using illegal methods to get there. They’re using an expanding set of non-traditional and illegal methods,” Wray said.
“China’s state-sponsored actors are the most active perpetrators of state-sponsored espionage against us.”
The DoJ echoed the sentiments.
“It is galling that American companies and government agencies spent years of research and countless dollars to develop their intellectual property, while the defendants simply stole it and got it for free,” said US Attorney Berman.
“As a nation, we cannot, and will not, allow such brazen thievery to go unchecked.
“No country should be able to flout the rule of law – so we’re going to keep calling out this behaviour for what it is: illegal, unethical, and unfair.”
Earlier this year, Australian cyber security expert Charles Widdis warned of China attacking businesses to steal information relating to quality management systems and business processes.
“If you're a company doing business with other countries, you can expect that you're being hacked – because they want to know your negotiating position,” he told Information Age.
“I don’t think [business leaders] accept that there are people whose job it is – they get paid – to take your information. It’s an employee in a company that’s attacking you.
“It’s nothing personal, he doesn’t dislike you – it’s just a job. At the end of the day, he goes home, he’s got a family to feed.
“It’s a real thing and it goes on.”
How China did it
APT10 used spear phishing to introduce malware onto targeted computers. The hackers sent emails that appeared to come from legitimate addresses but carried attachments that installed a program to secretly record every keystroke on the machine, including usernames and passwords.
The DoJ said NASA and the Department of Energy were victims, adding APT10 had compromised “more than 40 computers in order to steal sensitive data belonging to the Navy, including the names, Social Security numbers, dates of birth, salary information, personal phone numbers, and email addresses of more than 100,000 Navy personnel.”
The Australian government was less forthright, declining to name affected companies.
The Age named both IBM and SAP as being affected.
ACS President Yohan Ramasundara said the government had done the right thing in calling out the attacks.
“It is encouraging to see the Federal Government come out today and condemn the audacious and targeted Chinese attacks on MSPs that have occurred for more than a decade,” Ramasundara said.
“In a combined report released earlier this year, the Australian Strategic Policy Institute (ASPI) and ACS recommended governments use public attribution as a tool in deterring global cyber crime.
“Deploying improved messaging to both partners and adversaries, as well as creating consequences for actions, are also listed as key recommendations.
“Minister for Foreign Affairs, Senator the Hon Marise Payne, and Minister for Home Affairs, the Hon Peter Dutton MP, have led the way with their attribution of the Chinese cyber-enabled commercial intellectual property theft.”
Nigel Phair, Director of UNSW Canberra Cyber, agreed naming China was a step in the right direction, adding businesses need to be less lax about their cyber security.
“Organisations need to not take information security so lightly and think that it’s not going to happen to them,” he told Information Age.
“This is another wake-up call in a long line of wake-up calls.”
The Australian Cyber Security Centre (ACSC) has issued advice that MSPs and their clients can use to limit their exposure and protect their information.
Copyright © Information Age, ACS