Category: News

Ransomware Hits Local Authorities in Texas & Maryland

Two US local-government networks were recently hit by ransomware: Potter County, Texas, and Baltimore City Hall, Maryland. Baltimore City Hall shut down most of its servers as a precaution, while in Potter County the entire network was shut down, forcing employees to do their work manually.

Baltimore City Hall's initial statement said: “critical services, such as police, firefighters, etc., operate normally; however, the computer network of the city is infected by a variant of ransomware. We do not have evidence that a data breach has been presented, but we will continue to take precautions; more information will be revealed shortly”.

It was later disclosed that Baltimore City’s computers were encrypted by the RobbinHood ransomware.

Potter County's computers are now close to completing the recovery process. Following the attack, however, with the entire network off limits, all 550 employees were temporarily forced to use paper and pencil.

“This is what we’re using now. Paper and pencil, we’re going old fashion around here. Seriously, that’s what we’re having to do,” said Potter County Sheriff Brian Thomas at the time.

It is not known whether either of these attacks is linked to the recent wave of attacks on the computer infrastructure of other US local governments.

Facebook: Clickjacking Bug Not Considered a Security Issue

A Polish security researcher who goes by the Twitter handle ‘Lasq’ recently discovered an exploitable bug in Facebook’s mobile app and submitted the details, together with the spam campaign abusing it on the social network, through Facebook’s bug bounty platform.

Lasq noticed the bug when some of his Facebook friends began posting a malicious link to a website with funny pictures. Before seeing the site’s content, users first had to declare that they were at least 16 years old. After confirming their age, they were redirected to a website with funny photos, a French-comic-themed spam campaign, and loads of ads.

By clicking to confirm, misled users also unknowingly let the link be posted on their own walls, which exposes it to more users, who are likely to repeat the same process.

This is a clickjacking scam: the user is tricked into clicking something other than what they perceive, with the real target hidden behind legitimate-looking videos, images, or articles. This particular one works by loading a webpage into an invisible iframe on a decoy site, and it only works on mobile.

The method used by the spammer targets Facebook users in France on Android devices; it does not appear to work on the web version. The bug exposes the Share button, allowing the perpetrator to publish a link on the victim’s Timeline without consent.

The issue is still present as of this writing. Facebook dismissed the report and did not address the problem, saying it has no “serious security consequences” and does not change the state of the affected user’s account. It rejected Lasq’s report 12 hours after submission.
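As an added example (not code from the article or from Lasq’s report), this is the check a site owner runs against its own responses to confirm that an anti-clickjacking defence actually stops the invisible-iframe trick described above: it decides whether a given embedding origin may load the page in a frame, honouring CSP `frame-ancestors` over `X-Frame-Options` the way browsers do. All header values and origins are constructed samples.

```javascript
// Added example (not the article's code): decide from a response's headers
// whether a page may be loaded in an iframe by `embedderOrigin`. A site
// owner runs this against their own pages to confirm the anti-clickjacking
// defence covers the origins that matter. All inputs are constructed.

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : '80';
}

// Match one frame-ancestors source expression (lowercased, quotes stripped).
function sourceMatches(src, page, embedder) {
  if (src === 'none') return false;
  if (src === '*') return true;
  if (src === 'self') return embedder.origin === page.origin;
  // scheme-source such as "https:" matches any host using that scheme
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.protocol === src;
  let hostPort = src;
  const m = src.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/);
  if (m) {
    if (embedder.protocol !== m[1] + ':') return false;
    hostPort = m[2];
  }
  const [host, port] = hostPort.split(':');
  const embPort = embedder.port || defaultPort(embedder.protocol);
  if (port && port !== '*' && port !== embPort) return false;
  // "*.example.com" matches subdomains only, never example.com itself
  if (host.startsWith('*.')) return embedder.hostname.endsWith(host.slice(1));
  return embedder.hostname === host;
}

// headers: object keyed by lowercase header name.
function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const page = new URL(pageOrigin);
  const embedder = new URL(embedderOrigin);
  const csp = headers['content-security-policy'] || '';
  const fa = csp.split(';').map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (fa) {
    // Browsers that support frame-ancestors ignore X-Frame-Options entirely.
    const sources = fa.slice(1).map(s => s.replace(/^'|'$/g, '').toLowerCase());
    return sources.some(src => sourceMatches(src, page, embedder));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder.origin === page.origin;
  // No header, or an obsolete value (ALLOW-FROM) that current browsers
  // ignore: the page can be framed from anywhere.
  return true;
}
```

Because browsers that understand `frame-ancestors` ignore `X-Frame-Options`, a page that sets only the latter with an obsolete value such as `ALLOW-FROM` is unprotected everywhere.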

2018 Voter Records from 19 States for Sale on Hacking Forum

Voter records for an estimated 35 million people from 19 states went up for sale on a dark web hacking forum. The discovery was made last Monday, October 15, by researchers from Anomali Labs and the cybercrime intelligence provider Intel 471, just four weeks before the November 2018 US midterm elections. The data being sold contains full names, physical addresses, phone numbers, and voting history.

The hacked voter records came from the following states:

  • Georgia
  • Idaho
  • Iowa
  • Kansas
  • Kentucky
  • Louisiana
  • Minnesota
  • Mississippi
  • Montana
  • New Mexico
  • Oregon
  • South Carolina
  • South Dakota
  • Tennessee
  • Texas
  • Utah
  • West Virginia
  • Wisconsin
  • Wyoming

Of the 19 states, three alone account for 23 million records: Texas (14 million), Wisconsin (6 million), and Louisiana (3 million), offered at prices between $1,300 and $12,500. For the remaining 16 states no record counts were given, but prices range from $150 to as much as $4,000.

From Anomali Labs:

“Of note, the seller indicates they receive weekly updates of voter registration data across the states and that they receive information via contacts within the state governments. Certain states require the seller to personally travel to locations in-state to receive the updated voter information. This suggests the information disclosure is not necessarily a technical compromise but rather a likely targeted campaign by a threat actor redistributing possibly legitimately obtained voter data for malicious purposes on a cybercrime forum.

To our knowledge, this represents the first reference on the criminal underground of actors selling or distributing lists of 2018 voter registration data, including US voters’ personally identifiable information and voting history. With the November 2018 midterm elections only four weeks away, the availability and currency of the voter records, if combined with other breached data, could be used by malicious actors to disrupt the electoral process or pursue large-scale identity theft.”

DHS Warns of Imminent Cybersecurity Threats to Agriculture Industry

The U.S. Department of Homeland Security (DHS) said in a report titled “Threats to Precision Agriculture” that there are imminent cybersecurity risks in the technology used by the agricultural industry. Known as precision agriculture, this technology relies on the Internet of Things (IoT): it aims to improve crop and livestock management through GPS, remote sensors, and the communication systems supporting them. Its adoption has widened significantly, which also increases the potential security risks associated with it.

According to the report, threat scenarios such as malware infection, phishing, and misuse of external drives such as USB sticks could compromise the automated systems deployed for precision agriculture. Any of these could lead to data loss, equipment destruction, loss of resources, and reputational damage, and could put confidential data at risk of theft.

The report also discusses best practices that could mitigate these threats.

“Adoption of information security standards for precision agriculture is important for the future success of precision agriculture, along with industry efforts for equipment interoperability and data use / privacy. Vetted best practices, borne from hard experience learned in other sectors which have preceded agriculture in the digital revolution, offer a proven path for data security.”

Nigerian BEC Scammer Heads to Prison, Ordered to Pay $2.5 Million

The US Department of Justice announced this week that Nigerian national Onyekachi Emmanuel Opara (30) of Lagos, Nigeria has been sentenced to five years in prison and ordered to pay $2.54 million for defrauding victims in a Business Email Compromise (BEC) scam. Opara ran the scheme for two years (2014-2016) with co-defendant David Chukwuneke Adindu, targeting thousands of victims worldwide, including in the following countries:

  • Australia
  • New Zealand
  • Singapore
  • Sweden
  • Switzerland
  • United Kingdom
  • United States

The sentence was handed down in Manhattan federal court. Adindu was sentenced on December 14, 2017 to 41 months in prison and was also ordered to pay about $1.4 million in restitution.

This type of scam, BEC (also known as ‘CEO fraud’), is very profitable because it only needs to succeed a few times to be highly cost-effective for the criminals. In his operation, Opara sent fake emails to employees of the victim companies, pretending to be their supervisors or third-party vendors or partners with which the companies had business relationships. Because the messages came from email domains that looked similar to the real domains of reputable companies, or were spoofed from legitimate addresses, recipients were easily deceived.

Aside from the BEC scam, the 30-year-old fraudster also registered on dating websites posing as an attractive young woman named “Barbara”. Through the romantic relationships he struck up this way, he convinced individuals in the US to send him money overseas or to accept funds from his BEC scams so he could obscure the money trail.

Opara was arrested on December 22, 2016 in Johannesburg, South Africa, and was extradited to the United States a month later. He pleaded guilty last April to conspiracy to commit wire fraud and to wire fraud, leading to his sentence.

Iranian Hackers Charged Last March are Now Targeting Universities

Despite being charged by US authorities last March over cyber-attacks, the Iran-based hacking group Cobalt Dickens, also known as Silent Librarian, has continued its phishing operations. It is now targeting universities and academic institutions around the world in a bid to steal intellectual property.

In this latest wave of attacks, the group allegedly stole information from a total of 76 universities in 14 countries, including the following:

  • United Kingdom
  • United States
  • Canada
  • China
  • Switzerland
  • Australia
  • Israel
  • Japan
  • Turkey

It has also targeted 47 US and foreign private-sector companies, including the US Department of Labor and the United Nations.

The operation involved creating spoofed websites resembling the login pages of the 76 universities. An estimated 16 domains hosted over 300 spoofed websites, including online libraries.

Targets are sent links to the fraudulent domains in phishing emails. Those who fall for them and enter their credentials on the fake pages hand the group their login details. After “successfully” logging in, users are forwarded to the real service, while the attackers store the captured credentials to gain access to legitimate systems.

Professional Golfers’ Association (PGA) of America Computers Infected by Ransomware

Several computer systems at the PGA of America were recently hijacked by ransomware. On Tuesday morning, August 7, staff discovered that their systems had been compromised when ransom notes began appearing on their screens: “Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm [sic].” The malware locked critical files and demanded cryptocurrency for their return: the association would have to transfer bitcoin to the attackers or risk losing the files forever.

The note includes a bitcoin wallet address for the payment and a pair of encrypted email addresses. The ransom amount was not specified, but the attackers, to prove their “honest intentions” and “good faith”, offered to unlock two files for free.

According to a report from Golfweek, the files contained creative materials for the PGA Championship at Bellerive and next month’s Ryder Cup in France, including extensive promotional banners and logos used in digital and print communications and on digital signage around the grounds at Bellerive. The stolen files also include development work on logos for future PGA Championships; some of that work began more than a year ago and cannot easily be replicated.

An anonymous source told Golfweek that, following the advice of law enforcement agencies and cybersecurity experts, PGA officials had no intention of meeting or paying any extortion demands. The network remained locked; complete control of the servers had not yet been regained, and external researchers were still investigating.

For the moment, PGA of America has declined to comment on the matter. As the PGA Championship kicks off at Bellerive, the tournament has so far been unaffected and is slated to continue on its usual schedule.

MikroTik Routers Compromised in Coinhive Cryptojacking Campaign

Security researchers have recently uncovered a massive cryptojacking campaign that relies on compromised MikroTik routers. The attackers change the routers’ configuration so that a copy of the Coinhive in-browser cryptocurrency mining script is injected into every web page a user visits.

The campaign got off the ground this week and is still in its initial stages. It first focused on compromising devices located in Brazil but later began targeting MikroTik routers in other regions around the world. In total, 210,000 MikroTik routers have been compromised.

The attack exploits a security flaw in Winbox, a remote management service bundled with RouterOS, the MikroTik routers’ operating system. The flaw was reportedly discovered earlier this year (April 2018) and patched the next day.

If you own a MikroTik router, you are advised to install the latest MikroTik firmware as soon as possible. As an added precaution, security mechanisms such as firewalls should always be enabled.

Idaho Inmates Hacked Jail-Issued Tablets for $225,000 in Free Credits

364 inmates at five Idaho prisons exploited a software vulnerability in their prison-issued JPay tablets to credit their own accounts with nearly $225,000 worth of digital credits. The transferred credits were then used to buy music, ebooks and games.

The Idaho Department of Correction (DOC) discovered the hack earlier this month. It emphasised that no real money was stolen and that the credits did not involve taxpayer dollars.

For a few years now, tablets have been allowed in low-security prisons across the United States, giving inmates the ability to email their families, access educational materials, read news, and even purchase music and simple computer games. They are offered through a contract between JPay and CenturyLink.

Prison officials have already disciplined the inmates involved. They have been charged with a disciplinary offence and lost various privileges, and they may be reclassified to a higher security risk level.

According to the DOC, JPay has recovered $65,000 worth of digital credits from the 364 inmate accounts. It has also blocked the inmates involved from downloading music and games until the company is compensated for its losses.

Network Breach in LabCorp May Expose Millions of Patient Records

Over the weekend of July 14, North Carolina-based LabCorp, the United States’ biggest network of blood testing laboratories, shut down its IT network after hackers breached its systems.

As part of its breach response policy, the company immediately took various portions of its systems offline to contain the hack.

Excerpts from the form 8-K they filed with the Securities and Exchange Commission read:

“LabCorp detected suspicious activity on its information technology network.”

“LabCorp immediately took certain systems offline as part of its comprehensive response to contain the activity.”

“Work has been ongoing to restore full system functionality as quickly as possible.”

The breach could potentially put millions of patient records at risk. According to its website, LabCorp provides diagnostic, drug development and technology-enabled solutions for more than 115 million patient encounters per year.

The company, however, is trying to downplay the incident, assuring its customers that there is nothing to worry about.

“At this time, there is no evidence of unauthorized transfer or misuse of data. LabCorp has notified the relevant authorities of the suspicious activity and will cooperate in any investigation,” it said in its statement.

The FBI is currently monitoring the situation, and LabCorp is required to notify customers whose data was compromised within 60 days.

Healthcare organizations are frequent targets of hackers and cybercriminals because the highly sensitive data they keep on record is believed to be worth a lot when sold online.