Archive for May 31, 2021

Threat Actors Release Patient Data Stolen from New Zealand Hospitals to the Local Media


Cybercriminals who targeted hospitals in New Zealand’s Waikato district have published the stolen patient data to the local media outlets, with the outlets declining to publish the details as health systems struggled to come back online more than a week after the ransomware attack. According to the local media, the leaked data includes official-looking records and documents containing names, phone numbers, and addresses of patients and staff. 

The release of the information comes a week after the health system’s information services were entirely shut down by the attackers, impacting clinical services, disrupting the treatment of patients and the payroll process for staff. As a result, hospitals shifted to manual processes to work through a backlog of patients, while the public was asked to seek alternative avenues of treatment for non-critical conditions.

The breach comes after Ireland’s hospitals suffered a ransomware attack which was quite similar to the Waikato ransomware attack. Officials were forced to shut down many of their computers after hackers secured access to the health service’s systems. Also, hospitals had to cancel services and staff had to rely on pen and paper rather than PCs. 

The Federal Bureau of Investigation (FBI) stated this week that the hackers who targeted the Irish hospitals call themselves the ContiLocker Team and use a strain of ransomware known as Conti to break into victims’ machines and extort payments. When Waikato hospitals first had to shut down, the head of New Zealand’s doctors’ association, Deborah Powell, said the attack appeared to be of the same type. 

“This is a criminal investigation and we have every confidence that it is being dealt with by NZ Police and cybersecurity experts. Care and safety of patients remain our highest priority, and we must concentrate on health services and supporting our staff to do their job,” Waikato DHB Chief Executive Kevin Snee said in a statement.

Andrew Little, the health minister and the minister responsible for New Zealand’s intelligence agencies, said he could not give anxious patients any assurance that their personal data hadn’t been compromised. 

The New Zealand government’s cyber agency refused to comment on the collaboration with Irish authorities regarding the incident. “The NCSC knows from its involvement in other significant cyberattacks that malicious actors can monitor what is being said in the media, and this can influence their behavior,” the National Cyber Security Centre said in a statement.

S&P: Cyberattacks Could Trigger More Rating Actions on Banks


As the Covid pandemic has intensified digitalization and remote working, the banking sector has become more vulnerable to cybercrime, according to S&P Global Ratings.

In a report titled "Cyber Risk In A New Era: The Effect On Bank Ratings," the ratings agency stated that cyberattacks can affect credit ratings primarily through reputational damage and potential financial loss. Banks and other financial organizations are attractive targets because they hold valuable personal data and serve specific financial and economic functions and sectors.

Credit Analyst Irina Velieva stated, "Cyber attacks have had only a limited effect on bank ratings to date but can trigger more rating actions in the future as cyber incidents become more frequent and complex."

Meanwhile, S&P stated, "Although it is crucial to learn from previous attacks and strengthen cyber-risk frameworks in real time, the appropriate detection and remediation of attacks takes precedence because the nature of threats will continue to evolve." 

According to the report, cyber defense will become a more critical aspect of organizations' overall risk management and governance frameworks, necessitating increased expenditure and more advanced tools. The internet banking system is made up of many different programmes, networking devices, internet service providers, and other organizations, all of which are possible points of entry for attackers.

As per the RBI's annual report for 2019-20, the amount involved in banking frauds increased 2.5 times from Rs 71,500 crore in 2018-19 to Rs 1.85 lakh crore in 2019-20. 

Various banks and financial institutions rely on merchants and fintechs to provide third-party services. If those outside merchants do not have adequate security in place, the bank could find itself in hot water. Spoofing is also common: attackers create a website whose appearance, behaviour and URL closely mimic a financial institution's site.

When customers enter their login information on a spoof website, the information is stolen and used by the fraudsters later. Cybercriminals can then commit fraud using a person's personal and financial information, and a privacy breach at a bank might result in its customers' information being sold or purchased on the dark web by other attackers.

An Advisory Issued by Carnegie Mellon University Warns Against the Vulnerability in Checkbox Survey


The CERT Coordination Center (CERT/CC) at Carnegie Mellon University has issued an advisory about a Checkbox Survey vulnerability that could enable a remote attacker to execute arbitrary code without authentication.

A checkbox is a GUI widget that lets the user choose one of two mutually exclusive alternatives; a basic yes/no question, for example, presents 'yes' and 'no' as checkboxes. Checkbox Survey, by contrast, is a customizable online survey tool built in ASP.NET that lets organizations create professional surveys accessible from any desktop or mobile device.

The vulnerability in Checkbox Survey, identified as CVE-2021-27852, stems from insecure deserialization of view state data, a mechanism used by the ASP.NET web page framework.

Microsoft stated that “When the HTML markup for the page is rendered, the current state of the page and values that must be retained during postback are serialized into base64-encoded strings. This information is then put into the view state hidden field or fields.”

Before version 7.0, Checkbox Survey implemented its View State functionality by accepting a _VSTATE argument, which it deserialized using LosFormatter.

“Checkbox Survey before version 7.0 insecurely deserializes ASP.NET View State data, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable server,” the advisory reads.

Because the Checkbox Survey code handles this data itself, the server's ASP.NET View State Message Authentication Code (MAC) setting is bypassed, so an attacker can supply arbitrary serialized data that is deserialized and can lead to code execution.

The advisory further states that “Checkbox Survey is an ASP.NET application that can add survey functionality to a website. Before version 7.0, Checkbox Survey implements its View State functionality by accepting a _VSTATE argument, which it then deserializes using Los Formatter. Because this data is manually handled by the Checkbox Survey code, the ASP.NET View State Message Authentication Code (MAC) setting on the server is ignored. Without MAC, an attacker can create arbitrary data that will be deserialized, resulting in arbitrary code execution.” 

As a result, a remote, unauthenticated attacker can execute arbitrary code with the privileges of the web server by sending a crafted request to a server running Checkbox Survey 6.x.

Checkbox Survey 7.0 no longer uses View State data, so versions 7.0 and later are not affected by this vulnerability. Installations of versions older than 7 must be removed.

Checkbox has also said that it no longer develops Checkbox Survey 6, so that version is not safe to use. If updating to an unaffected Checkbox Survey version is not possible, the software should at least be deleted from every machine on which it is installed.
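To show the flaw class behind the advisory, the following is an added illustration and not Checkbox Survey's own code: a hypothetical ASP.NET Web Forms page that reads serialized state from a request parameter named `_VSTATE`, first in the insecure form (LosFormatter with no MAC, so the server's View State MAC setting never applies) and then in a form that makes the formatter verify a machineKey-based MAC before any object graph is reconstructed. The class and method names are assumptions for the example.

```csharp
// Added illustration of the LosFormatter / View State MAC issue; not Checkbox Survey code.
// Assumes an ASP.NET Web Forms (System.Web) page that receives state in a _VSTATE parameter.
using System;
using System.Web;
using System.Web.UI;

public partial class SurveyPage : Page
{
    // Insecure pattern: client-supplied state goes straight into LosFormatter.
    // The default constructor does not enforce a MAC, so enableViewStateMac in
    // web.config is never consulted and any blob the client sends is deserialized.
    private object LoadStateInsecure()
    {
        string raw = Request["_VSTATE"];
        if (string.IsNullOrEmpty(raw)) return null;
        var formatter = new LosFormatter();   // no MAC check on untrusted input
        return formatter.Deserialize(raw);
    }

    // Hardened pattern: enableMac = true makes LosFormatter verify an HMAC computed
    // with the server's machineKey validationKey, and the modifier ties the state
    // to this page type. Blobs that were not produced by this server (or that were
    // tampered with) fail verification and are rejected before deserialization.
    private object LoadStateChecked()
    {
        string raw = Request["_VSTATE"];
        if (string.IsNullOrEmpty(raw)) return null;
        var formatter = new LosFormatter(true, GetType().FullName);
        try
        {
            return formatter.Deserialize(raw);
        }
        catch (HttpException)
        {
            // A failed MAC check surfaces as an HttpException wrapping a
            // ViewStateException. Treat it as a tampered request: log it and
            // discard the state; never fall back to the insecure path.
            return null;
        }
    }
}
```

The MAC only helps while the machineKey stays secret, and the advisory's actual remedy is to move to version 7.0, which dropped the custom View State handling altogether.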

BazaLoader Malware is Being Distributed by Hackers Using a Bogus Streaming Website


Proofpoint identified the phishing attempt in early May, which entailed hackers creating a phoney movie-streaming website named BravoMovies and stocking it with phoney movie posters and other materials to make it appear real to unwary visitors. It has nothing to offer for download other than BazaLoader malware, despite its pretty pictures and fun-sounding titles. BazaLoader is a malware loader that is used to spread ransomware and other types of malware, as well as steal sensitive data from infected computers. 

"BazaLoader is a downloader written in C++ that is used to download and execute additional modules. Proofpoint first observed BazaLoader in April 2020. It is currently used by multiple threat actors and frequently serves as a loader for disruptive malware including Ryuk and Conti ransomware. Proofpoint assesses with high confidence there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot," the security firm said. 

The BravoMovies campaign employs a complex infection chain similar to that used by other BazaLoader affiliates, who make their victims jump through a series of hurdles before the malware payload is activated. It starts with an email informing recipients that their credit card will be debited unless they cancel a subscription to the service, one they never agreed to.

The email includes a phone number for a call center with live people on the other end of the line, ready to send consumers to a website where they may purportedly cancel the phoney movie-streaming subscription. Those who fall for the trick, on the other hand, are directed to download a boobytrapped Excel spreadsheet that will trigger macros that will download BazaLoader. 

The call-center staff direct callers to the BravoMovies website, where they are told to go to the Frequently Asked Questions page and unsubscribe via the "Subscription" page. They are then directed to download an Excel spreadsheet; if macros are enabled, the macros in the sheet download BazaLoader. The second-stage payload in this campaign has yet to be identified, according to Proofpoint researchers.

Proofpoint researchers first noticed this use of BazaLoader in February 2021, when a pre-Valentine's Day malware campaign used lures for bogus flower and lingerie stores. It has also been spotted in a campaign built around subscription pharmaceutical services.

The Ministry of Internal Affairs of Russia will launch a program for recognizing deepfakes in the fall of 2022

The scientific and industrial company "High Technologies and Strategic Systems" (HT and SS SIJSC) will develop a computer program for the Ministry of Internal Affairs that recognizes face substitution in videos, the so-called deepfake videos.

It is not the first time that the company has worked with Russian law enforcement agencies. According to the company's website, their specialists participated in the development of products for the Ministry of Emergency Situations and the Ministry of Defense of the Russian Federation.

The amount that the company will receive is set at 3 million 550 thousand rubles ($48,000). The deadline for the completion of research work is scheduled for November 30, 2022. The program for recognizing deepfakes was named "Mirror".

The Ministry of Internal Affairs explained that, with the help of deepfakes, scammers can easily insert any person's likeness into a video in which an immoral act or crime is committed. In addition, experts believe that this technology can very easily be used by phone scammers, so it is important to learn how to detect such fakes quickly and effectively.

According to Yuri Zhdanov, Lieutenant General of the Ministry of Internal Affairs, this technology poses a huge threat and is extremely difficult to fight. It is becoming harder and harder to tell truth from fake, so powerful systems that protect people from deepfakes are needed.

Moreover, the technology is widely used to create realistic pornographic videos featuring celebrities in which they have never been filmed, or fake speeches of major political figures.

One of the most popular deepfakes on the Internet was a video of the founder of SpaceX, Elon Musk, in which he allegedly sings the song "Grass at Home", which is actually performed by the group “Zemlyane” ("Earthlings").

Notably, the use of deepfake technology is now prohibited by the largest sites, including Reddit and Twitter.