Old breaches led to new breaches as cybercriminals’ ability to use and monetize personal information rose significantly across all industries.
Past cyber-attacks and the tools used to carry them out have led to new breaches, according to key findings in a new mid-year trend report by cyber threat intelligence provider, SurfWatch Labs. In a study of cybercrime events that occurred in the first half of 2016, the stockpile of personal information garnered from old data breaches led to new compromises and lucrative payoffs for cyber criminals.
“When LinkedIn announced in May of this year that their 2012 breach actually impacted 100 million more users than originally thought, other organizations began to see data breaches they attributed to the LinkedIn compromise, widespread password reuse by users and remote access software from services such as GoToMyPC, LogMeIn, and TeamViewer,” said Adam Meyer, chief security strategist, SurfWatch Labs. “Other breached organizations only widened the pool of information available to be stockpiled by bad actors.”
No industry was left untouched, and the tactics used were not new or sophisticated, according to the report that offers a breakdown of industries targeted, the effects of cybercrime and the tactics criminals employed.
SurfWatch Labs collected cyber event activity from thousands of open and Dark Web sources and then categorized, normalized and measured the data for impact based on their CyberFact information model. Highlights from the SurfWatch Labs Cyber Risk Report: 2016 Mid-Year Review include:
• IT and global government were the most targeted industries. Of all the CyberFacts analyzed, the information technology industry was hit the hardest in the first half of 2016. Microsoft was second behind LinkedIn as the top target. After IT, the government sector had the highest number of publicly discussed cybercrime targets, led by a breach at the Commission on Elections in the Philippines.
• The consumer goods sector made up the largest share of industry targets with information bought, sold or otherwise discussed on the dark web.
• Credentials theft is on the rise. Credentials stolen/leaked appeared in 12.7% of the negative CyberFacts in the first half of 2016, up from 8.3% in all of 2015. That rise is driven by massive credential breaches such as LinkedIn, which was the most talked about event over the period.
• Ransomware and extortion are the methods of choice. The first half of 2016 saw a significant spike in ransomware and extortion as researchers, organizations, and government officials scrambled to deal with the growing and costly problem of data or services being held hostage.
“Our research indicates the familiar cadence of ‘we were breached by a sophisticated attack but it has now been contained’ actually contradicts what has really happened so far this year,” said Meyer. “By understanding what the bad guys are up to, we can make better informed forecasts of how cybercrime will impact organizations going forward and therefore what should be done to reduce risk in the future.”
Posts Tagged ‘#cybersecurity’
Old breaches led to new breaches as cybercriminals’ ability to use and monetize personal information rose significantly across all industries.
When the Obama administration pushed out a $35 billion incentive program to pay doctors and hospitals to convert to electronic records, the idea was to modernize the health care industry, not serve it up on a platter to cyber criminals.
But now, American hospitals face weekly ransom threats. If they don’t pay up, files get frozen, surgeries delayed and patients sent across town. One of these days, someone could die as a result. And no one in government has a clear plan to handle it.
Such are the unintended consequences of shovel-ready projects.
The incentive program, which started paying out cash in 2011, “thrust tens of thousands of health care providers into the digital age before they were ready,” says David Brailer, chief of health IT in the second Bush administration. “One area where they were woefully unprepared is security. It created thousands of vulnerabilities in hospitals and practices that lack the budget, staff or access to technical skills to deal with them.”
Desperate hospitals have asked the feds for new financial incentives to boost their security. But Congress seems in no mood to cough up the necessary billions. It created a task force to come up with a report on how an alphabet soup of federal agencies can establish a chain of command for health care security.
Meanwhile, cybercrime attacks are mounting so rapidly that they challenge the financial stability of some health systems, according to experts in information security. The intrusions are interfering with efforts to improve data sharing in health care — and could even threaten patient safety.
Just this week, a Kansas hospital said it paid a large ransom to unblock frozen records — then was told it had to pay more in order to free all the files.
“It’s only a matter of time before someone gets hurt,” Sen. Sheldon Whitehouse (D-R.I.) said during a hearing this month after well-publicized ransomware attacks hit hospitals in Kentucky, California and the nation’s capital.
Whitehouse and Sen. Lindsey Graham (R-S.C.) filed a bill this month to punish cyber criminals if their attacks result in health care system deaths or injuries. But first, they’d have to find perpetrators — in Russia, Eastern Europe or in hidden recesses of the Dark Web.
More rules won’t help, Brailer says. Hospital licensing requirements and medical privacy laws already include extensive security requirements, but providers rarely follow best practices, he said.
The FDA and the Office for Civil Rights in the Health and Human Services department use penalties and guidance documents to push providers and device makers to use better “cyber hygiene.”
Members of Congress also want hospitals to be more dutiful. “If you aren’t following good practices, the regulatory environment isn’t going to save you,” says Rep. Will Hurd (R-Texas), leader of the House Oversight cybersecurity subcommittee. While FBI and other agencies can do better at sharing threat intelligence, “health care has to help itself.”
More federal inspections might increase readiness, but none of these measures attack the underlying problem — the massive gap between the industry’s needs and its resources, Brailer said.
Meanwhile, hackers are launching billions of health care-focused attacks. One major health system was bombarded with a million emails in March alone seeking to implant ransomware in its computers. A small Kentucky hospital had 3,500 attacks on Mother’s Day, according to Leslie Krigstein, vice president of the CHIME.
Last year there were 54 “zero-day,” or brand new attacks; approximately once a week, in other words, hackers sent out an electronic bug so novel that no computer could recognize it.
Ransomware is of particular concern. In these attacks, hackers send out code that freeze computer files until the owner pays ransom in untraceable Bitcoins in exchange for a numeric decryption to unfreeze them. The attacks allow hackers to cash in quickly, whereas stolen medical records may be more difficult to monetize. (More than 100 million records were stolen in 2015 — some for sale on the black market or use in Medicare fraud, some by state actors, apparently for intelligence purposes).
Freakout in the C-Suite
For the first time, the threat of cyberattacks is grabbing the attention of senior health care executives, said Russell Branzell, CHIME’s CEO, who says the executives are “freaking out” as we “enter into a security war for health care.”
Cybersecurity legislation signed into law last year allows health care companies to share information about threats they’ve encountered without risk of being sued for any data breaches they reveal. Other privately run organizations also serve this purpose.
But complying with such recommendations can require major investments — millions to hire new security teams and consultants and to buy new software. Added security spending might mean forgoing a new MRI system, or delaying the hiring of new nurses.
“Cyberthreats are knocking on your door every time you open your laptop or your phone,” said Ty Faulkner, a cyber consultant. “If you aren’t monitoring and checking your data, I question whether you are following good business processes.”
But “many of our members can’t afford the technology and tools they need at this point,” said Branzell. “It’s moving so fast that you could update everything, spend way more than you’re budgeting for, then the next wave of bad guy stuff comes up and you’re already behind again.”
“If you peer into the dark minds of a lot of hospital executives, they are rolling the dice as to where they allocate their budgets,” said Clinton Mikel, an attorney with Health Law Partners.
Health care firms are spending vast sums to lure chief information security officers away from the financial and energy sector. The job description hardly existed in health care two years ago — now there are 500 just in Branzell’s organization.
Some companies are hiring security consultants on a semi-permanent basis, said Mac McMillan, co-founder and CEO of CynergisTek — one of those firms. If they don’t spend that big dough, many worry, a criminal breach of their information could result in bankruptcy levels of litigation.
Cyber insurance protects against some costs, but underwriters won’t write a policy unless the hospital system can demonstrate it is already spending plenty to defend itself.
Successful attacks are inevitable, security experts say. They talk of techniques such as compartmentalizing software, so hacks can be confined to a small area of the computer system, or programs that detect unusual computer activity within an organization, signs a bug has already penetrated the system.
“Most organizations can’t do that for themselves,” McMillan said. “More and more, people are saying to us, ‘I want a partner’ because cybercrime has become an industry.”
Medical devices: A ripe target?
The targets of attack within health care are practically limitless. “It’s hard to imagine a more complex and diverse environment than a hospital,” said Dave Palmer of Darktrace, a company whose technology searches for unusual behavior within networks.
“You have doctors and staff walking around with tablets, millions of dollars worth of scanners and sensitive machinery, all of it digitally integrated. You have visiting consultants there, maybe only a few days a week. Staff, porters, cleaning people.”
Users may not understand that bedside devices like monitors need to be secured, said Dennis Gallitano, a leading cyber attorney. Most cyber strategies are built around detecting and keeping out bugs, but “what about tunnels through the backdoor — a fax machine or pump?”
Device manufacturers are not required to meet the privacy and security standards of the Health Insurance Portability and Accountability Act (HIPAA); security experts say their protection is often lax, offering an attractive target for hackers looking for new ways into health systems. The FDA has begun working with manufacturers to improve device cybersecurity.
Security conflicts with transparency
One of the main purposes of electronic health records is to encourage information sharing among doctors, so that patients can be looked after in a more holistic way. Cyberthreats, some worry, could lead to a clampdown, because health care companies are leery of sharing data with institutions that might not be secure.
“There is very much a conflict in health care,” Branzell acknowledged. “The traditional model is, ‘Lock the world down.’ That doesn’t work in a world where we’re being asked to become more and more transparent and engage with our patients … With more patient engagement you’ve got people working from home on their Wi-Fi networks.”
Security should not be used as an excuse to block transparency, says Fred Trotter, a hacker and data journalist who serves on HHS’ Cybersecurity Task Force. In Trotter’s view, the solution is to make a distinction between ordinary cybertheft and hacking that has patient safety implications.
Cyberattacks that might, say, cripple an MRI machine until a ransom is paid, he believes, should be classed with other health IT safety issues, such as poor usability or bad software design that could lead to medical errors.
An evil genius and a wayward duck (or chicken, or pig) are equally capable of starting a lethal viral epidemic. By the same token, it shouldn’t matter whether a hacker or a stuck mouse button creates a clinical safety problem, he said.
HHS’ Office of the National Coordinator for Health IT has tried for years to create a safety center where threats and problems with software can be shared, discussed and remedied.
Congress has refused to provide the budget.
The federal government and industry have been urged to work together to share information on cyber security threats and attacks to counter the increasing sophistication of cyber adversaries.
According to security vendor Palo Alto Networks’ APAC chief security officer, Sean Duca, the threat landscape in Australia, and around the world, is not abating and those looking to penetrate security are becoming more sophisticated, sharing tools, exploits and attack methods, and automating their processes. “In doing so, they have achieved a clear competitive advantage in cyberspace and are eroding trust in today’s digital age.”
Duca urged the federal government, with industry, to quickly put into action the recommendations for greater cyberthreat information sharing laid out in the government’s new Cyber Security Strategy announced in April.
“Cybersecurity threat information sharing within and across industries and with the public sector must be embraced by everyone. The faster organisations can share information, the better we can serve to protect each other and push the cost back to the adversary.
“Until the public and private sectors truly collaborate to build systemic information sharing partnerships, it’s like we’re combatting our adversaries with technological weapons that have no ammunition.”
According to Duca, cybersecurity provides longevity to a business and can help differentiate the business from its competitors – “for both good and not so good reasons”.
“Organisations, both in the public and private sector, need to have strong cybersecurity fundamentals to provide trust and confidence to citizens, businesses and customers alike.”
Duca says Australian industry can play a valuable role in combatting cybersecurity threats by participating in voluntary cyberthreat information sharing.
He says “operationalising” threat information sharing, both within and across industries, and between the private and public sectors, will dramatically shift the balance of power, close the competitive gap, “and realise exponential leverage against cyber adversaries by driving up the cost of successful attacks”.
Here’s what information Duca says should be shared between the private and public sectors:
• Threat Indicators: forensic artefacts that describe the attacker’s methodology;
• Adversary’s campaign plan: a collection of threat indicators for each link in the cyberattack lifecycle attributed to a specific adversary group;
• Context: additional non-campaign plan intelligence about an adversary group that is helpful for organisations to understand the adversary. This includes things like motivation, country of origin, and typical targets;
• Adversary dossier: campaign plans + context – a collection of threat indicators attributed to a specific adversary campaign or playbook (campaign plans), plus any additional context about the adversary group.
“Our mission should be to share all of the above but, most importantly, an adversary group dossier. Doing so will enhance the assessment of the adversary group’s potential, material impact to the targeted organisation, giving a better opportunity for that organisation to detect and prevent the attack, as well as deter an adversary,” Duca observes.
He cautions that the information (to be shared) itself is important – but it must be actionable, and must arrive in as close to real time as possible.
“As we have observed in some of the largest breaches, the best resourced security teams cannot scale manual responses to automated threats – only through automating prevention and detection can organisations be fast enough to adequately secure networks.”
According to Duca, government and industry must collaboratively build a “robust, automated information sharing architecture”, capable of turning threat indicators into widely distributed security protections in near-real time.
He acknowledges that there is apprehension amongst some Australian organisations that information sharing could negatively impact them and that many feel that that by sharing information that could be classified as sensitive and privileged, “they would be giving the upper hand to their competitors”.
“This sentiment from the business community is valid and should be acknowledged. But, as noted above, we should focus on sharing attack information – not information on who has been breached.”
Some of the other challenges and “perceived barriers” to greater cyberthreat information sharing that Duca maintains should be addressed:
• Privacy: Laws should not unduly prohibit the sharing of personal information that is necessary to identify and prevent attacks. At the same time, the Australian government should ensure that there are responsible privacy protections in place related to cyberthreat information sharing.
• Trust among private sector competitors: Some organisations consider cyberthreat information to be their own proprietary intellectual property (IP) and do not want to share it. We need to reverse this notion. The more one continues to treat this information as IP, and the more it is kept in silos within our own organisations, the greater opportunity the adversary has to strike again. Adversaries share tools, exploits and attack methods – so should we. Everyone should have access to the same body of threat information and collaborate to quickly translate it into security controls to use within their own organisations and their collective customer base.
• Antitrust concerns: There is a fear among some companies that sharing threat information between organisations makes them vulnerable to antitrust violations. The Australian government should clarify that cybersecurity threat information voluntarily shared, or received, by a private entity with another private entity is exempt from antitrust laws.
• Over-classification: The government, in some instances, may “over-classify” cyberthreat information it receives from both internal and external sources. It takes a significant effort — and valuable time — to declassify that same information to share with private companies and the public at large.
The Anti-Phishing Working Group (APWG) observed more phishing attacks in the first quarter of 2016 than at any other time in history. According to the APWG’s new Phishing Activity Trends Report, the total number of unique phishing websites observed in Q1 2016 was a record 289,371, with 123,555 of those phishing sites detected in March 2016.
Those quarterly and monthly totals are the highest the APWG has seen since it began tracking and reporting on phishing in 2004.
There was a 250 percent increase in phishing sites between October 2015 and March 2016. “We always see a surge in phishing during the holiday season, but the number of phishing sites kept going up from December into the spring of 2016,” said Greg Aaron, APWG Senior Research Fellow and Vice-President of iThreat Cyber Group. “The sustained increase into 2016 shows phishers launching more sites, and is cause for concern.”
APWG Chairman Dave Jevans said, “Globally, attackers using phishing techniques have become more aggressive in 2016 with keyloggers that have sophisticated tracking components to target specific information and organizations such as retailers and financial institutions that top the list.”
On the heels of this report of record numbers of cybercrime attacks, APWG will be holding its annual general meeting and cybercrime research conference next week in Toronto. There, its global cadre of cybercrime responders, managers and university researchers will be plotting strategies to neutralize the menace of cybercrime, a sprawling threatscape growing seemingly unchecked in scope and virulence in recent years.
In the Q1 Trends Report, APWG found that the Retail / Service sector continued to be the most heavily attacked. APWG member MarkMonitor observed more attacks targeting cloud-based or SAAS companies, which drove significant increases in the Retail/Service sector. Financial and Payment targets were also heavily targeted as usual.
Ransomware continues to be another increasing threat, with APWG members Forcepoint and PandaLabs seeing increasing numbers of ransomware infections in early 2016. According to Carl Leonard, Principal Security Analyst at Forcepoint: “The onslaught of ransomware has not abated in 2016. Ransomware authors exhibited a willingness to adjust their scare tactics and software in Q1 2016 as they sought to scam more end-users. The takeaway is clear – ransomware authors are more determined and aggressive in 2016. End-users should be aware of the danger and take preventative measures.”
APWG co-founder and Secretary General Peter Cassidy reviewing the quarter’s disturbing numbers said, “The threat space continues to expand despite the best efforts of industry, government and law enforcement. It’s clear we have a lot to talk about in Toronto, perhaps broaching some broader resolutions to unify efforts across sectors. After all, what is civilization but the largest conspiracy?”
The full text of the report is available here:
By APWG – Anti-Phishing Working Group
In the weeks since the revelation of the Panama Papers, the world of the rich and powerful has been reeling. A single cyberattack against Mossack Fonseca, a quiet Panamanian law firm, has sent a tsunami around the world, toppling one world leader so far, with more turbulence to come.
The attacker absconded with a vast trove of information, consisting of millions of documents, emails, and other information – so much information, in fact, that journalists and other investigators have been poring through it for over a year.
Still a mystery: the identity or identities of the attackers. Perhaps an insider with access to secret passwords? Or maybe a skilled attacker, well-versed in the intricacies of cyberespionage?
In all probability, neither profile is accurate, because the Mossack Fonseca attack was dead simple. So simple, in fact, that a teenager with no hacking knowledge other than basic googling skills could have done it.
Furthermore, the security mistakes Mossack Fonseca made were appallingly common. So common, in fact, that it’s fair to say most of the readers of this article work for organizations that are making at least one of the same mistakes.
Do you think the same thing that happened to Mossack Fonseca and its clients can’t happen quite so easily to your organization? Here’s your wakeup call: it already has. You probably just don’t know it yet.
What are you going to do about it?
The Mossack Fonseca Attack: Dead Simple
The attacker’s point of entry: older versions of popular open source web server software Drupal and WordPress. In the case of WordPress, a particular plugin was the likely culprit. “We think it is likely that an attacker gained access to the MF [Mossack Fonseca] WordPress website via a well-known Revolution Slider vulnerability,” according to Mark Maunder, Wordfence Founder and CEO. “This vulnerability is trivially easy to exploit.”
Fixed versions of the Revolution Slider as well as Drupal had long since been available – but Mossack Fonseca simply had not updated the software on their web server. In fact, outdated versions of software that organizations haven’t properly patched is the most common cybersecurity vulnerability today, as I wrote in an article from April 2015.
The fact that Mossack Fonseca’s web servers were many months out of date was particularly egregious, especially considering the sensitivity of their clients’ information. “They seem to have been caught in a time warp,” says Alan Woodward, a cybersecurity expert from University of Surrey and consultant to Europol’s European Cybercrime Centre. “If I were a client of theirs I’d be very concerned that they were communicating using such outdated technology.”
The Revolution Slider weakness is notorious among hackers for its ease of exploit. Simply download and run a simple utility off of a hacker web site, and the utility immediately provides attackers with shell access on the web server, which means they can now navigate the server’s file system at will, uploading, downloading, and executing files however they like.
Normally, a company that hosts its own web server realizes it’s inherently vulnerable, and separates it from other, more sensitive systems and data – but not Mossack Fonseca. “Their web server was not behind a firewall,” Maunder adds. “Their web server was on the same network as their mail servers based in Panama. They were serving sensitive customer data from their portal website which includes a client login to access that data.”
In other words, Mossack Fonseca failed to take even the most rudimentary steps to protect their confidential client data. However, even if it had put their web server behind a firewall and separated it from their mail servers, the Revolution Slider weakness would still have allowed attackers to access data on internal systems – it would simply have taken them a bit longer.
Important Takeaways for Any Organization
The most urgent cybersecurity task for any organization is to ensure that admins have applied all security patches to all software, not just the software that faces the Internet. Your patching regimen should be prompt and thorough – but never count on all software to be properly patched.
The most diligent of patch regimens, after all, still have their weaknesses: there is always an interval of time between the discovery of a vulnerability and the availability of a patch, giving attackers an opening.
Secondly, automatic updates can cause their own issues, especially in complex enterprise environments and other situations that require high availability. “[Updating web site software automatically] can break your website without notice,” opines Liviu Macsen, a web programmer from Prestimedia in Romania. “And you can’t do this on corporate environment. Updates are sandboxed and tested before production.”
While keeping software up to date is an essential defensive move, organizations must also pay offense as well by minding their data lineage. Data lineage means knowing who has access to your data and when, similar to how law enforcement must handle chains of evidence. You must also know what people are doing with your information and in particular, how they are securing it.
For the firms that trusted Mossack Fonseca with their confidential information, minding their data lineage was a significant weakness – and a vulnerability attackers were only too willing to exploit. “Attacks on third parties like external law firms, contractors and the like have been the main attack vector in the high profile data breaches over the past three years,” explains Adam Boone, CMO of security vendor Certes Networks. “An external partner like a legal firm also represents a path into the IT systems of the main enterprise target itself.”
The third important takeaway from the Mossack Fonseca breach: put your eggs in multiple baskets. Never give anyone access to more than a portion of your sensitive data. Furthermore, the more sensitive the data, the more you need to divide it up.
Such compartmentalization of sensitive information has been an important governmental intelligence tool for centuries, as only people with a ‘need to know’ have access to sensitive information.
In the corporate environment, such compartmentalization requires a new level of segmentation technology. “Without modern access control and application isolation techniques, [law] firms are wide open for malicious insiders or external attackers to get access to the most sensitive data,” Boone explains.
The Importance of Segmentation
The final word of wisdom every organization should glean from the Mossack Fonseca debacle: always assume you’ve already been hacked, and that attackers can achieve at least some of their goals before you shut them down. As a result, detecting the presence of hackers and cleaning up the messes they leave are important – but always remember, damage may have already been done.
Proper segmentation of your environment is the best approach to mitigating such damage. Clearly, if Mossack Fonseca had separated their web server and email server from each other and from other confidential information, it would have contained and thus limited the damage.
From the perspective of the law firm’s clients, such segmentation is a more complex challenge. Every one of them should have ensured Mossack Fonseca had the appropriate protections in place, and they should have also divided up their confidential information across multiple law firms.
The segmentation approach that is right for your organization may look different, but remember, chances are not all of your sensitive information is locked away inside secure areas within your network. Much of it may be in the cloud or in the hands of third parties. You can’t prevent all attacks from succeeding in such complex environments, but you can mitigate the damage through proper segmentation.
By Jason Bloomberg