
Trend Micro’s Investigation into GitHub Codespaces Reveals Malware Vulnerability

An image of a combination lock on top of a laptop keyboard.
This time, a GitHub vulnerability has been identified proactively, not retroactively.
Source: Pixabay

A Trend Micro investigation found that the port forwarding feature of GitHub Codespaces can be abused to host and deliver malware. A codespace that forwards a port and sets that port to public visibility becomes a web server reachable by anyone who has the URL. All an attacker needs is a legitimate GitHub account, which also keeps the activity from looking suspicious. Trend Micro has not observed the technique being used in the wild so far. 

GitHub Codespaces, generally available to all GitHub users since Nov. 2022, has become a popular choice among developers and large tech companies. It provides a container-based development environment preloaded with the tools and dependencies a project needs. Developers run an Integrated Development Environment (IDE) inside these containers and write, edit, and test code directly in the web browser. 

GitHub has over 94 million developer accounts, and Codespaces is used by companies such as Duolingo and Vanta. Each account can run at least two codespaces free of charge. 

GitHub Codespaces Public Port Vulnerability

A snapshot from GitHub Codespaces showing how ports can easily be set to public visibility.
Setting a forwarded port to public exposes it to anyone who has the URL.
Source: Trend Micro

Private port forwarding requires a GitHub cookie or token, so only the codespace owner can reach the port; a public port is open to anyone who has the URL. The trouble, according to Trend Micro, is that the same public TCP port forwarding that lets developers preview and test a web application also gives an attacker a ready-made way to serve files from GitHub's infrastructure. 

The forwarded URL is served from a GitHub-owned domain with no history of abuse, so threat intelligence platforms and reputation-based filters have no reason to flag it, and the malware flies under the radar. (Forwarded ports are labelled HTTP by default unless the developer changes the protocol setting.) In Trend Micro's simulated attack, the researchers forwarded port 8000 with the forwardPorts property of devcontainer.json and used the postStartCommand property to launch a Python HTTP server every time the container started. 

In the demonstration, the researchers started the Python web server, uploaded malicious files to the codespace, and set the forwarded port to public. The resulting URL could then be handed to end users to distribute malware. At no point did GitHub Codespaces require the person downloading the files to authenticate.
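An added example, not Trend Micro's or GitHub's code: a small Python audit that flags the pattern just described in a repository's devcontainer.json (a lifecycle command that starts a file server on a port the config also forwards). The two configurations are constructed for illustration; the container image names and the list of server commands are assumptions to extend for your own environment.

```python
# Added example (not Trend Micro's or GitHub's code): audit a devcontainer.json
# for a lifecycle hook that turns the codespace into a file server.
import json
import re

# Constructed sample modelled on the article's description: port 8000 forwarded,
# a Python HTTP server started on every container start. Not the researchers' file.
ABUSIVE_DEVCONTAINER = """{
  // devcontainer.json is JSONC, so comments like this one are allowed
  "image": "mcr.microsoft.com/devcontainers/universal:2",
  "forwardPorts": [8000],
  "postStartCommand": "python3 -m http.server 8000"
}"""

# Constructed benign sample: a forwarded port with an ordinary setup command.
BENIGN_DEVCONTAINER = """{
  "image": "mcr.microsoft.com/devcontainers/python:3",
  "forwardPorts": [5000],
  "postCreateCommand": "pip install -r requirements.txt"
}"""

# Lifecycle hooks that run commands without anyone at the keyboard.
LIFECYCLE_KEYS = ("postCreateCommand", "postStartCommand", "postAttachCommand")

# Commands that serve the working tree over HTTP. Assumed list; extend as needed.
FILE_SERVER_PATTERNS = [
    r"python\d?(\.\d+)?\s+-m\s+(http\.server|SimpleHTTPServer)",
    r"\bnpx\s+(http-server|serve)\b",
    r"\bphp\s+-S\b",
    r"\bruby\s+-run\s+-e\s+httpd\b",
]


def load_jsonc(text: str) -> dict:
    """Parse devcontainer.json, dropping // line comments and /* */ blocks first."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return json.loads(text)


def lifecycle_commands(cfg: dict) -> list:
    """Flatten each hook, which may be a string, an argv list, or a dict of named commands."""
    cmds = []
    for key in LIFECYCLE_KEYS:
        value = cfg.get(key)
        if value is None:
            continue
        parts = value.values() if isinstance(value, dict) else [value]
        for part in parts:
            cmds.append(part if isinstance(part, str) else " ".join(map(str, part)))
    return cmds


def forwarded_ports(cfg: dict) -> set:
    """forwardPorts entries are ints or 'host:port' strings; keep just the port number."""
    ports = set()
    for entry in cfg.get("forwardPorts", []):
        port = str(entry).rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def audit_devcontainer(text: str) -> list:
    """Return one finding per lifecycle command that starts a file server; [] if clean.
    The finding names the forwarded port(s) the server would be reachable on."""
    cfg = load_jsonc(text)
    ports = forwarded_ports(cfg)
    findings = []
    for cmd in lifecycle_commands(cfg):
        if not any(re.search(p, cmd) for p in FILE_SERVER_PATTERNS):
            continue
        served = {int(n) for n in re.findall(r"\b(\d{2,5})\b", cmd)} & ports
        where = f"on forwarded port(s) {sorted(served)}" if served else "(port not forwarded in config)"
        findings.append(f"file server started by lifecycle hook {where}: {cmd!r}")
    return findings


if __name__ == "__main__":
    for name, text in (("abusive", ABUSIVE_DEVCONTAINER), ("benign", BENIGN_DEVCONTAINER)):
        print(name, audit_devcontainer(text) or "clean")
```

The audit only sees the repository: port visibility is a runtime setting of the codespace, not of devcontainer.json, so pair it with a check of the running codespace (for example `gh codespace ports -c <name>`, which lists each forwarded port's visibility) or an organization policy that restricts public ports.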

This process is similar to how cybercriminals distribute malware on other reputable services, such as Microsoft Azure, Google Cloud, and Amazon AWS.

Using Dev Containers to Enhance Efficiency

An image of a diagram denoting how cybercriminals would upload malware to GitHub Codespaces.
Attackers could turn the convenience of GitHub Codespaces to their own ends.
Source: Trend Micro

Because dev containers in GitHub Codespaces come with all the tools and dependencies a project needs, developers rely on them for rapid deployment. The same convenience lets an attacker stand up a malicious web server on GitHub Codespaces within minutes, without any review. 

“Using such scripts, attackers can easily abuse GitHub Codespaces in serving malicious content at a rapid rate by exposing ports publicly on their codespace environments. Since each created codespace has a unique identifier, the subdomain associated is also unique. This gives the attacker enough ground to create different instances of open directories,” read the Trend Micro report. 

GitHub retains an inactive codespace for 30 days by default before deleting it, so a single URL stays usable for about a month. While no abuse of this feature has been seen yet, cybercriminals are known to move quickly on such opportunities; their preference for hosting payloads on trusted free services such as Dropbox, GitHub, Azure, and OneDrive is well documented. Such techniques expose unsuspecting users to malware downloaded from platforms they trust. 

GitHub Under Fire

A snapshot from the official GitHub Codespaces website with a black background.
It’s easy to start coding instantly with GitHub Codespaces. It’s easy for cybercriminals to do the same.
Source: GitHub Codespaces

In recent years, GitHub has dealt with a spate of attacks directed at it and its users, partly a consequence of its growing size and popularity. In response, GitHub has been strengthening its security features. The latest steps are requiring 2FA for every user who contributes code, rolling out through 2023, and offering secret scanning alerts free of charge for public repositories. 

Companies that leave access to their code open to the public on GitHub have been left dealing with the fallout. Toyota, for instance, left an access key in a public GitHub repository for about five years, potentially exposing the personal information of 296,000 customers. 

Similarly, in January 2021, Nissan North America had 20 GB of source code and other sensitive data exposed from a Git server that had been left with its default credentials (Git is the version control system; GitHub is a hosting service built on it). And in December 2022, the authentication provider Okta had its GitHub repositories accessed by an attacker, and those were private, not public, repositories. 

Business owners who manage software teams must secure the environments where developers contribute code. Multi-factor authentication (MFA) on every developer account restricts who can push commits. Forwarded ports should stay private (the default) unless there is a specific need to share them, which removes a whole class of attack vectors. These are simple measures that work against many serious threats. Leaving a public port open is a rookie mistake, but it is often the root cause of serious compromises. 

Software Development Environments Need to Step Up

The lesson here is that user authentication should be paramount. It helps avoid a leak at the top of the software supply chain cascading down to users and organizations all the way along the line. 

Cookies and tokens on private ports already keep outsiders away from a codespace, and multi-factor authentication (MFA) makes account takeover far harder. Businesses should therefore take pains to implement these additional controls. Ultimately, passkeys will have to replace clunky passwords in the software world. Few shifts in the industry matter more right now, because it is one that can finally stem the tide of cybercrime. 

The post Trend Micro’s Investigation into GitHub Codespaces Reveals Malware Vulnerability appeared first on TechGenix.

Meta Sues Surveillance Software Firm for Scraping 600,000 Profiles

The image shows lots of black and white CCTV cameras against a brick wall with two women looking up toward them.
People need to exercise vigilance against surveillance operations.
Source: Pixabay

Meta is suing the London-based “scraping-for-hire” Voyager Labs for using surveillance software to automatically scrape information from 600,000 user profiles on Facebook and Instagram. 

The lawsuit alleges the surveillance firm violated Facebook's and Instagram's terms and conditions and California law. The information obtained through automated scraping included likes, comments, friends, and users' photos. Voyager's surveillance software also scraped information from Twitter, YouTube, Medium, Pinterest, Vimeo, Tumblr, LinkedIn, and Telegram. 

The information Voyager scraped was sold to law enforcement agencies, including the LA Police Department, for profit. Marketing its surveillance software to law enforcement agencies for clandestine intel gathering, the company boasted that its data-scraping activities were untraceable. 

In 2017, Meta sent Voyager a cease-and-desist warning over its scraping. According to exhibits filed in the case, the activity had been going on since Voyager first became active on the Facebook platform in 2016. 

The surveillance software, which cost USD 705,000, created over 38,000 fake Facebook profiles for data scraping purposes. It also tracked COVID-19 victims and their connections. 

AI-Backed Surveillance Software

The image shows Voyager's surveillance software graph, profiling an individual and his connections.
Voyager marketed its surveillance software as untraceable and an intel gatherer.
Source: Ars Technica

Voyager designed its AI surveillance software to be untraceable. It then marketed it to law enforcement agencies and departments as an intel gatherer. The surveillance software blatantly disregarded users’ rights and indiscriminately profiled users for criminal behavior. 

Voyager’s website states that the software is “designed to analyze massive amounts of data” and “to uncover social whereabouts and hidden connections between entities.”

Its marketing materials further state that “Voyager’s unique collection methods enable traceless collection from social media networks” and claim that the “collection process cannot be associated with clients servers by any third party or by the social network itself.” 

Meta recently announced its fight against scraping-for-hire, explaining that a data scraper “covertly collects information that people share with their community, family, and friends, without oversight or accountability, and in a way that may implicate people’s civil rights.” 

No Regard for Individual Privacy

The image shows a Voyager graph about a church in South Korea, highlighting sensitive information on members of the church.
Surveillance software disregards international boundaries and national sovereignty.
Source: Ars Technica

In another transgression, Voyager Labs used COVID-19 contact tracing as a public-interest cover for its data-scraping and surveillance activities. Its surveillance software targeted individuals, pubs, and religious organizations. 

For instance, members of the Shincheonji Church of Jesus in South Korea were tracked and monitored through the organization's Facebook page. Through the scraping operation, the firm gathered information on infection rates and on individual members' connections. 

These activities were carried out with intent. As such, they violate both individual privacy and Facebook’s policies, not to mention the sovereignty of individual states whose citizens they monitor. Hyping up its software’s appeal, Voyager claimed it provided near real-time data that was “untraceable” and “completely anonymous”. It achieved this by employing multiple proxies from different vendors and locations.

The Voyager surveillance software case comes after Meta sued another scraping-for-hire company, Octopus, in July 2022. Similar to Voyager, Octopus used automated accounts to scrape data from the profiles of over 350,000 Instagram users. 

However, despite Meta's efforts to present itself as a protector of users' rights, its own data-collection practices are well known. In 2018, reports emerged alleging that Meta (then Facebook) had collected SMS and call-log data from Android devices. 

The Ongoing Data Scraping Question

The image shows the blue LinkedIn logo against a dark blue background.
Data scraping is a pressing question for LinkedIn and other social media sites.
Source: Unsplash

Whether or not data scraping is legal is a much-debated question. It largely depends on the context and, chiefly, on what purposes the data will serve later on. Social media sites typically discourage data scraping, because users who feel their data isn’t protected would be incentivized to leave the platform. 

Voyager's fake accounts on Facebook and Instagram gathered data to aid law enforcement and COVID-19 tracking. As such, the firm might argue it scraped for the general good. 

Certain jurisdictions, like the EU and California state, enforce users’ rights and privacy with stricter regulations. Data scrapers consider any publicly available information as open-to-scraping, arguing that any private information shouldn’t be public in the first place. 

In April 2022, in the long-running case between LinkedIn and the data-scraping company hiQ, a US appeals court reaffirmed that scraping publicly available profile data for sale to corporate customers does not violate the federal Computer Fraud and Abuse Act. That ruling dealt a serious blow to the fight against data scraping. But the hiQ case differs from the Voyager lawsuit: hiQ had not agreed to LinkedIn's terms and conditions before scraping, whereas Meta's claim rests on Voyager operating through accounts bound by Facebook's and Instagram's terms. 

Protection Against Data Scraping

The image shows a rusty chain with locks, holding a fence wire gate together.
Your personal information should be under tight locks when it comes to public uploads.
Source: Pexels

Data scraping is concerning for individuals and businesses. Cybercriminals who gain access to personal information online may later use it in phishing scams and other social engineering attacks. Using scraped personal information, they can contact victims, pretending to be officials from the government.

Many victims end up giving up more sensitive information via email or phone during such interactions. This is because people generally trust that anyone with access to such personal information must belong to the government. But, such information, culled from LinkedIn, Facebook, and Twitter databases is easily accessible on darknet forums. 

That said, steps and protections are available for those who take their privacy seriously. Users should take care when posting online. They could also minimize the number of social media accounts that they use and adjust their privacy settings to protect their information from prying eyes. Facebook, Instagram, WhatsApp, and Twitter have all experienced multiple hacks recently. This should put those worried about their individual privacy on alert. 

Since these platforms have added more privacy controls over the years, users should put them to good use. Measures within reach of any user include requesting a copy of the data a platform holds on them, setting profiles to private, and never posting Personally Identifiable Information (PII) publicly. 

A Silver Lining for Public Surveillance Operations

Voyager Labs is a well-backed surveillance software firm that intentionally violated Facebook’s and Instagram’s terms and conditions. Covering up its data-scraping activities under noble causes, it tracked and monitored individuals using sophisticated AI analysis. It did this for purposes it couldn’t disclose to the public without incurring condemnation and ire.

But, despite the repeated violations of digital privacy, many see a silver lining. As these incidents become public knowledge, the general public has more reason to exercise care online. Moreover, data protection laws in US states are shifting and starting to align with the principles of the General Data Protection Regulation (GDPR), giving victims meaningful legal recourse against illicit data scraping. 

The post Meta Sues Surveillance Software Firm for Scraping 600,000 Profiles appeared first on TechGenix.

US Department of Interior Passwords Cracked within 90 Minutes, Report Reveals

The image shows a small golden key on top of a black keyboard.
Passwords are easy to crack, thanks to some solid guesswork and government laxity.
Source: Pexels

Password crackers at the Office of Inspector General (OIG), tasked with testing security protocols at the US Department of the Interior (DOI), successfully breached 21% of the active accounts’ passwords inside the department within 90 minutes. 

The rig built for the purpose cost less than USD 15,000, yet it exposed many flaws in the DOI's authentication practices, including a lack of two-factor authentication (2FA) and extremely weak password management. Among the cracked passwords was the easily guessed "Password-1234" and its variations. Surprisingly, that password met the department's complexity requirements. 

Despite decades of guidance from the government on enforcing 2FA protocols, the DOI has failed to follow through. This puts at stake billions of dollars in department revenue and funds. Its other responsibilities involve managing parks and cultural heritage sites, protecting the environment, and assisting indigenous populations. 

The report alluded to the Colonial Pipeline ransomware attack, in which a single compromised password on an account without multi-factor authentication led to a ransom payment of over USD 4.4 million. It warned that equally weak password controls at the DOI could lead to an attack with similarly disruptive consequences. 

Another major issue that the OIG has referred to in the report is the presence of inactive accounts. These accounts could also become a security liability if not fixed. 

After its detailed examination of these password weaknesses, the OIG gave the department eight recommendations, to be implemented no later than 2024. 

A Damning Report on Password Protocols in the DOI

The image shows the commonly reused passwords across DOI departments.
Passwords used by the DOI are easy to guess and commonly reused.
Source: OIG

The DOI neither enforced password age limits nor disabled inactive accounts on time. Moreover, 89% of its high-value assets had no 2FA protection. This is in clear violation of Executive Order 14028, which required multi-factor authentication across federal systems by Nov. 8, 2021. 

Of the 85,944 active accounts, the OIG cracked 18,174, including 288 with elevated privileges and 362 belonging to senior employees. The department’s password protocols were so lax that they allowed employees to use the same weak passwords across many accounts. For example, 478 unique employee accounts used “Password-1234”. 

The OIG ran these tests after a previous inspection had revealed weak authentication practices across the DOI's bureaus and offices. The aim was to determine whether the department's controls were robust enough to protect against stolen and recovered passwords. They were not.

Password Encryption and Publicly Available Password Lists

The image shows a bar chart of reused and cracked passwords used by the DOI and senior government officials.
Senior government employees often reuse the same weak passwords.
Source: OIG

Beyond the appalling disregard for password management at a federal agency, the report punctures a common misconception about password hashing. Hashing is not encryption: it is a one-way transformation, and a stored hash cannot be decrypted back into the password. But nothing stops an attacker who holds the hashes from guessing candidate passwords, hashing each one, and comparing, and with a fast, unsalted algorithm (such as the NT hashes Windows domain controllers store) a GPU rig tests billions of guesses per second. Organizations that assume hashing alone protects credentials tend to skip the 2FA that would actually limit the damage.

The consequences of ignoring recommended password controls are evident from this story: with a USD 15,000 commercial password-cracking rig, the OIG cracked over 14,000 password hashes within 90 minutes and another 4,200 over the following eight weeks. 

Because people reuse passwords, crackers already know the hashes of the common ones. For example, the MD5 hash of the word "password" is "5f4dcc3b5aa765d61d8327deb882cf99", and every account on an unsalted MD5 system that uses that password stores exactly that value. Given the enormous number of breaches at private and public organizations, lists of common and reused passwords are publicly available to anyone. 

All a password cracker has to do is feed these lists into the rig to speed up the attack. A criminal group with a capable cracking rig, known hashes, and public wordlists can crack vulnerable accounts with little effort. For the same reason, some organizations buy these lists themselves and block every password on them, so that employees cannot reuse a password that is already known to attackers. 
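An added example, not code from the OIG report, showing the three points above in working Python: a complexity rule that "Password-1234" satisfies, a dictionary attack against unsalted hashes that cracks every account sharing a leaked password in one pass, and the per-user salt plus slow key derivation that defeats precomputed lookups. MD5 is used because the article quotes the MD5 of "password"; the wordlist and the account table are constructed, not DOI data.

```python
# Added example (not from the OIG report): complexity vs. blocklist, unsalted
# dictionary cracking, and salted PBKDF2. Wordlist and accounts are constructed.
import hashlib
import hmac
import re

# Constructed stand-in for the public breach lists the article refers to.
LEAKED_PASSWORDS = ["password", "Password-1234", "Welcome1!", "Summer2022!", "letmein"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, as in the article's example hash of 'password'."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed account table (not DOI data): two users share one weak password.
ACCOUNTS = {
    "alice": md5_hex("Password-1234"),
    "bob": md5_hex("Password-1234"),
    "carol": md5_hex("x7$Qm!vLp2#rT9wZ"),
}


def meets_complexity(password: str) -> bool:
    """A typical complexity rule: 12+ characters and at least three of four
    character classes. 'Password-1234' passes, which is exactly the problem."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(password) >= 12 and sum(bool(re.search(c, password)) for c in classes) >= 3


def is_blocklisted(password: str, leaked=LEAKED_PASSWORDS) -> bool:
    """The check a complexity rule cannot make: reject known-breached passwords."""
    return password.lower() in {w.lower() for w in leaked}


def crack_unsalted(accounts: dict, wordlist) -> dict:
    """Dictionary attack on unsalted hashes: hash each candidate once, then look
    every account's hash up in that table, so shared passwords fall together."""
    lookup = {md5_hex(w): w for w in wordlist}
    return {user: lookup[h] for user, h in accounts.items() if h in lookup}


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Per-user salt plus a slow KDF: the lookup table above no longer applies,
    and every guess costs `iterations` HMAC-SHA256 computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_pbkdf2(password: str, salt: bytes, stored: bytes, iterations: int = 600_000) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), stored)


if __name__ == "__main__":
    print("complexity ok:", meets_complexity("Password-1234"))
    print("blocklisted:", is_blocklisted("Password-1234"))
    print("cracked:", crack_unsalted(ACCOUNTS, LEAKED_PASSWORDS))
```

The OIG's rig most likely attacked a different hash format, but the economics are identical for any fast unsalted hash; the salted PBKDF2 variant is what makes the same wordlist attack cost a full key derivation per guess per account.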

Preventing Password Theft

The image shows a snapshot from the OIG report, detailing ineffective password complexity and cracked hashes by account type.
Password complexity is quite poor at the DOI.
Source: OIG

The rise in credential theft across social media and other applications has increased demand for zero-knowledge password managers. These encrypt the vault on the client with a key derived from the user's master password, so the provider never holds the plaintext or the key that decrypts it. A weak master password can still be guessed, but the design is regarded as far more secure than the conventional model in which the service provider holds the encryption and decryption keys. 

On a more basic level, 2FA still counts as the most effective way to ensure network security against an increasing variety of attack vectors. A second authentication layer “adds a layer of security that protects organizations — even when passwords are compromised,” according to the OIG report. Companies that ensure 2FA across as many services as possible make it harder for cybercriminals to infiltrate their network security. 

The next phase in stronger user authentication is replacing passwords with passkeys, which have inherent security advantages. A cryptographic key pair is generated for each user on each website; the private key stays on the user's device and the site stores only the public key, so a breach of the site yields nothing reusable, and the user has nothing to memorize, rotate, or reset. That cuts user error and the time lost to password management. Google, among others, has already begun rolling passkeys out to users.
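An added example, not code from Google or any passkey implementation, of the two properties this paragraph and the closing remarks of the Codespaces article above both rely on: one key pair per site with the private key never leaving the device, and a signature bound to the origin the browser actually contacted, so a lookalike site cannot relay the login. Real passkeys use WebAuthn with ECDSA P-256 or EdDSA; this toy uses a Schnorr signature over a small safe-prime group generated at run time and is illustrative only. The relying-party IDs, origins, and challenge bytes are constructed.

```python
# Added example (not a real passkey or WebAuthn implementation): origin-bound
# challenge signatures with one key per site, using a toy Schnorr scheme.
import hashlib
import random


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin; adequate for a demo-sized group."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 64, seed: int = 7):
    """Safe prime p = 2q + 1; g = 4 is a square, so it generates the order-q subgroup."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q, rng) and _is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q, 4


P, Q, G = make_group()  # toy parameters; nowhere near real-world strength


def _challenge_hash(r: int, origin: str, challenge: bytes) -> int:
    """The signed message covers the commitment, the origin, and the site's challenge."""
    h = hashlib.sha256(f"{r}|{origin}|".encode() + challenge).digest()
    return int.from_bytes(h, "big") % Q


class Authenticator:
    """Holds one private key per relying-party ID; private keys never leave this object."""

    def __init__(self, seed: int = 1):
        self.rng = random.Random(seed)
        self.keys = {}

    def register(self, rp_id: str) -> int:
        """Create a key pair for this site and return only the public key."""
        x = self.rng.randrange(1, Q)
        self.keys[rp_id] = x
        return pow(G, x, P)

    def sign(self, rp_id: str, origin: str, challenge: bytes):
        """Schnorr signature over (origin, challenge) using the site's private key."""
        x = self.keys[rp_id]
        k = self.rng.randrange(1, Q)
        r = pow(G, k, P)
        e = _challenge_hash(r, origin, challenge)
        s = (k - x * e) % Q
        return e, s


def verify(public_key: int, origin: str, challenge: bytes, signature) -> bool:
    """Relying party recomputes r = g^s * y^e and checks the hash against the origin it expects."""
    e, s = signature
    r = (pow(G, s, P) * pow(public_key, e, P)) % P
    return _challenge_hash(r, origin, challenge) == e


def login_flow(auth: Authenticator, rp_id: str, public_key: int, browser_origin: str, challenge: bytes) -> bool:
    """The real site always verifies against its own origin. If the browser was on a
    phishing page, the authenticator signed a different origin and the check fails."""
    signature = auth.sign(rp_id, browser_origin, challenge)
    return verify(public_key, f"https://{rp_id}", challenge, signature)
```

Because the signature commits to the origin, a phishing page that relays the genuine site's challenge obtains a signature over its own origin, which the genuine site rejects; and because each relying party gets its own key pair, a public key stolen from one site says nothing about the user's credential anywhere else.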

A Migration From Traditional Encryption? 

Migration from the conventional means of data storage, encryption, and user authentication is nowhere near the frequency or speed at which cybercriminals are breaching networks. A focus on strengthening security and password protocols is the need of the hour. 

The combined use of passkeys and 2FA across all platforms and devices could go a long way in reducing cybercrime. Unfortunately, as evidenced by the DOI, many organizations still won’t follow through even when a cybersecurity procedure is recognized and mandated. 

The post US Department of Interior Passwords Cracked within 90 Minutes, Report Reveals appeared first on TechGenix.

Lloyd’s Insurer Beazley Issues World’s First Cyber Catastrophe Bond

The image shows a man writing on a white sheet of paper.
Beazley issues the first cyber catastrophe bond to assist a flailing cyber insurance industry.
Source: Pexels

Beazley, a UK insurer that operates syndicates at Lloyd's of London, has launched the market's first cyber catastrophe bond, designed to protect the insurer against very large cyber losses. The risk of such crippling payouts has grown sharply with the rise in cybercrime. The bond provides USD 45 million (£37 million) of cover, triggered if Beazley's losses from a cyber event exceed USD 300 million. 

A catastrophe bond covers major events that fall outside premium coverage. It’ll cushion the cyber insurance industry against an increasingly volatile cybersecurity environment that its clients find themselves in. The cyber catastrophe bond is the outcome of a three-year project involving multiple firms, including Gallagher Re and Fermat Capital Management. 

Speaking to the Financial Times, Beazley CEO Adrian Cox stated that the new financial instrument will give cyber insurance firms access to a wider pool of capital: “What that taps into is a pool that is trillions rather than hundreds of billions, and is a pathway for us to be able to hedge and grow.” 

Cyber Catastrophe Bond to Ease Insurance Burden

The image shows a golden weighing scale next to a laptop.
Cyber Insurance coverage is a matter of weighing risks vs rewards.
Source: Pexels

Last year, Lloyd's told its syndicates that standalone cyber policies must exclude state-backed cyberattacks from March 2023, narrowing what the market will cover. The Beazley catastrophe bond may now provide some protection against the largest cyber risks. It is also the first time an insurer has established a liquid insurance-linked securities (ILS) instrument for cyber catastrophe losses. 

Catastrophe bonds work much like ordinary bonds, with one twist. Investors buy the bond, receive a floating-rate coupon over its term, and get their principal back at maturity. But if a defined catastrophe occurs during the term (an extreme weather event for a conventional cat bond, a cyber loss above the trigger here), the insurer keeps some or all of the principal to pay claims. The higher coupon is the investors' reward for carrying that risk.

The cyber catastrophe bond eases the pressures on insurers by adding more market actors to contribute to the capital pool. These kinds of bonds act as a form of secondary insurance or “reinsurance” for underwriters. Institutional investors looking for returns pour billions of dollars into these ILS instruments, providing large insurance companies with a form of reinsurance.

Cyber Insurance Industry Teetering in the Face of Cyberattacks 

The image shows a red coloring pencil, writing out the word "stress" on a white surface.
Can insurance firms cope with the stress of modern cybercrime?
Source: Pexels

The Beazley catastrophe bond, though much anticipated, is the first instrument to deal with the ever-evolving threat of cybercrime. Recently, Zurich Insurance CEO Mario Greco stated that cybercrime could soon become uninsurable. However, Beazley’s Cox doesn’t share Greco’s pessimism and says that the cyber insurance industry can be resilient enough to absorb shocks if adequate safeguards are implemented. 

To become more resilient, cyber insurance companies will need accurate risk assessments. While all insurance companies do risk assessments, it’s especially difficult for cybercrimes. This is due to the scale of recent attacks and their increasing sophistication. To make matters worse, many of these breaches go unreported, leading to a void in accurate statistical data. A miscalculation in premiums and risk assessment can mean bankruptcy for a large insurance firm. 

Cyber insurance is a global issue. Cybercriminals attack vulnerable networks and businesses with growing confidence in an interlinked world, and that has hurt the cyber insurance market. The US cost of cyber insurance doubled between 2016 and 2019. Meanwhile, the US Government Accountability Office has outlined the difficulties with insuring cyber risk, such as limited historical data and a lack of standardized definitions. The result is that cyber insurers are raising premiums while lowering overall coverage. 

SMBs Hit the Hardest

The image shows the words "Support Small Businesses" written in white against a black background.
All businesses have to face the cybercrime threat, not just larger organizations.
Source: Pexels

A potentially overlooked commercial class in terms of cyber insurance is small to medium businesses (SMBs). These businesses need to help themselves by maintaining resilient network security. With mounting premiums for cyber insurance, business owners must decide between insurance, in-house cybersecurity personnel, or high-quality antivirus and malware toolkits. 

New research has indicated that cybersecurity budgets are stretched thin for small business owners. The research shows that, in 2023, business owners will cut back 50% on cybersecurity budgets, from €117,000 to €58,000. This is a concerning level of cutbacks for an area in dire need of resources, given that 79% of SMBs experienced a cyberattack in 2022. Since 32% of SMBs don’t even have a disaster recovery plan in place, a serious priority readjustment is needed in the industry. 

Even if SMBs have their priorities straight, they can’t afford to get the best insurance policies, in-house personnel, and software toolkits like large enterprises. They’ll have to be picky and choose cost-effective security precautions. These invariably include implementing multifactor authentication, conducting employee awareness training, and telling employees to maintain strong passwords.

For safer data storage, SMBs can look at cloud storage. Despite well-publicized breaches, cloud storage is usually cheaper than in-house storage, and the major providers apply stronger security controls than a small business can afford to build itself, at a far better price than securing sensitive data on premises. Remember, though, that liability for a data breach still rests with the data owner, not the provider.

Cyber Insurance Needs to Evolve—Quickly

The industry's failure to standardize definitions has left insurers without a reliable way to assess a business's network security before issuing a quote. For example, there is little dependable data on ransomware payments. Insurers are left struggling to respond to a rise in cybercrime that is evolving faster than it can be accurately priced. 

With all this in mind, Beazley’s catastrophe bond couldn’t have come at a better time. 

The catastrophe bond serves the useful purpose of making cyber insurance more affordable for all business entities, providing a level of safety for insurers to issue better policies. Without these kinds of financial innovations, cyber insurance would continue its death spiral of lower and lower coverage accompanied by higher and higher premiums, potentially to the point where business owners may be forced to take a chance without it. 

Yet, this doesn’t leave the business owners off the hook. Given cybercriminals’ recent onslaught, SMBs will do better by allocating their budgets to cost-effective security protocols to defend against threats as soon as they arise. 

The post Lloyd’s Insurer Beazley Issues World’s First Cyber Catastrophe Bond appeared first on TechGenix.

Zoom Phishing Site Delivers IcedID Malware, Poses Threat to User Banking Credentials

The image shows a computer with active Zoom call participants, next to an iPad, a phone, and a watch.
A fake Zoom download site has been used to deliver IcedID malware.
Source: Unsplash

Threat actors have set up a phishing site impersonating the official Zoom video-conferencing application to deliver IcedID malware to users who download the installer, according to a report by Cyble Research and Intelligence Labs (CRIL). IcedID, also known as "BokBot," is a banking trojan that steals banking credentials and mainly targets businesses. The phishing site mimics the real Zoom download page, so unsuspecting users receive IcedID alongside a working copy of the application. 

Threat actors usually deliver IcedID via spam emails. But this time, they used a phishing website to carry the malicious load, breaking away from their known methods. IcedID malware steals login credentials for banking sessions using man-in-the-browser attacks. The attackers use multiple injection methods and frequently update their IcedID operations to evade detection from scanners. 

The IcedID Zoom Phishing Scam: Technical Specifications

The image shows the Zoom phishing site which lets users download the software and malware.
Beware when downloading Zoom. You could be downloading malware along with the application.
Source: CRIL

The download URL for this IcedID campaign is explorezoom.com rather than the official zoom.us. This underlines the importance of checking the domain before downloading anything: a close look at the hostname is often enough to tell a legitimate download from a lookalike. 

Once run, the downloaded Zoom installer drops two files into the user’s temp folder: ikm.msi and maker.dll. Ikm.msi is a legitimate Zoom installer, included deliberately to allay suspicion: users who download from the link get a working Zoom client and may never notice the threat. The second file, maker.dll, is the malicious component. It is launched with rundll32.exe, which calls the DLL’s “init” export. When executed, maker.dll loads the IcedID payload into memory. 
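As an added example that is not from CRIL’s report or this article, here is how a detection engineer could hunt for this delivery pattern in process-creation telemetry (Sysmon Event ID 1 carries the same Image, CommandLine and ParentImage fields): rundll32.exe invoking a DLL that sits in a user-writable directory such as %TEMP%, and a parent process that launched both an .msi via msiexec.exe and a DLL from that same folder. The event lines, user name, paths and parent process name are constructed; only the ikm.msi / maker.dll,init pattern comes from the campaign description above.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample process-creation events (one Sysmon Event ID 1 per entry,
# flattened to key="value" pairs). The user, paths and parent process are
# invented for this example; only ikm.msi / maker.dll,init mirrors the campaign.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Windows\\System32\\msiexec.exe" '
    'CommandLine="msiexec.exe /i C:\\Users\\bob\\AppData\\Local\\Temp\\ikm.msi /qn" '
    'ParentImage="C:\\Users\\bob\\Downloads\\ZoomInstaller.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\rundll32.exe" '
    'CommandLine="rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\maker.dll,init" '
    'ParentImage="C:\\Users\\bob\\Downloads\\ZoomInstaller.exe"',
    # Benign: Control Panel applet launched from Explorer, DLL resolved from System32
    'EventID=1 Image="C:\\Windows\\System32\\rundll32.exe" '
    'CommandLine="rundll32.exe shell32.dll,Control_RunDLL intl.cpl" '
    'ParentImage="C:\\Windows\\explorer.exe"',
    # Benign: Program Compatibility Assistant UI, DLL under System32
    'EventID=1 Image="C:\\Windows\\System32\\rundll32.exe" '
    'CommandLine="rundll32.exe C:\\Windows\\System32\\pcaui.dll,PcaUiEntryPoint" '
    'ParentImage="C:\\Windows\\System32\\svchost.exe"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# rundll32 command-line syntax: rundll32.exe <dll>[,<entrypoint>] [args]
RUNDLL_RE = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",\s]+)"?(?:,(?P<entry>\S+))?',
    re.IGNORECASE,
)
# Directories a standard user can write to. A DLL loaded from one of these by
# rundll32 deserves a look even when the entry-point name looks innocuous.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\", "\\users\\public\\",
                 "\\programdata\\", "\\windows\\temp\\")


def parse_event(line):
    """Turn one flattened key="value" event line into a dict of its quoted fields."""
    return dict(FIELD_RE.findall(line))


def rundll32_findings(events):
    """Return rundll32 launches whose DLL path lies in a user-writable directory."""
    findings = []
    for ev in map(parse_event, events):
        if not ev.get("Image", "").lower().endswith("\\rundll32.exe"):
            continue
        m = RUNDLL_RE.match(ev.get("CommandLine", ""))
        if not m:
            continue
        dll = m.group("dll")
        if any(marker in dll.lower() for marker in USER_WRITABLE):
            findings.append({"dll": dll, "entry": m.group("entry"),
                             "parent": ev.get("ParentImage")})
    return findings


def installer_with_sideloaded_dll(events):
    """Parents that ran an .msi via msiexec AND rundll32 on a DLL from the same folder.

    This is the exact shape of the Zoom lure: a genuine installer to keep the
    user happy, plus a malicious DLL dropped beside it.
    """
    msi_dirs = defaultdict(set)   # parent process -> folders it installed .msi files from
    dll_hits = defaultdict(list)  # parent process -> DLL paths it ran through rundll32
    for ev in map(parse_event, events):
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "")
        if image.endswith("\\msiexec.exe"):
            for tok in cmd.split():
                if tok.lower().endswith(".msi"):
                    msi_dirs[parent].add(str(PureWindowsPath(tok).parent).lower())
        elif image.endswith("\\rundll32.exe"):
            m = RUNDLL_RE.match(cmd)
            if m:
                dll_hits[parent].append(m.group("dll"))
    paired = []
    for parent, dlls in dll_hits.items():
        for dll in dlls:
            if str(PureWindowsPath(dll).parent).lower() in msi_dirs.get(parent, set()):
                paired.append({"parent": parent, "dll": dll})
    return paired


if __name__ == "__main__":
    for f in rundll32_findings(SAMPLE_EVENTS):
        print("rundll32 loading DLL from user-writable path:", f)
    for p in installer_with_sideloaded_dll(SAMPLE_EVENTS):
        print("installer and DLL from the same folder:", p)
```

The two benign events show why the check keys on the DLL’s location rather than on rundll32.exe itself: Windows launches rundll32 constantly, so the signal is a DLL under a user profile or %programdata% (the latter being where the article says later-stage payloads land), and the pairing with an .msi from the same directory is what separates this lure from a stray script.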

The IcedID payload is a 64-bit DLL. It gathers host and user information with the following Windows API functions (and the x86 CPUID instruction) and encodes the results as numeric values:

  • GetTickCount64()
  • ZwQuerySystemInformation()
  • RtlGetVersion()
  • GetComputerNameExW()
  • GetUserNameW()
  • GetAdaptersInfo()
  • LookupAccountNameW()
  • CPUID

In the final stage, IcedID assigns an ID to these encoded values and sends them to the command-and-control (C&C) server in a cookie header. The malware then retrieves additional payloads from the C&C server and drops them in the %programdata% directory on the infected host. 

IcedID Malware IOCs and Recommendations

The image shows a table of IcedID indicators of compromise.
Network admins should know the ins and outs of IcedID malware to stay ahead of the curve.
Source: CRIL

CRIL has listed the indicators of compromise (IOCs), including the malicious link, SHA hashes, domains, and IP addresses. Security researchers and network administrators can use this information to block the campaign’s infrastructure and hunt for the dropped files. CRIL also lists security recommendations, which are fairly standard after an incident of this kind. These include:

  • Enforcing strong passwords and 2FA as much as possible
  • Enabling automatic software updates and patching across all devices and platforms
  • Using a high-quality malware scanning tool in tandem with antivirus software
  • Holding employee awareness training for suspicious URLs, particularly in email links
  • Blocking known malware-distributing URLs

Of all the recommendations, companies shouldn’t underestimate the importance of malware detection and antivirus tools. Even if these fail to prevent the initial compromise, they shorten detection time and thus limit the cost and severity of an attack. Early detection helps contain a threat within hours rather than weeks or months, which has major cost implications for businesses. 

In its report, CRIL also maps the campaign to MITRE ATT&CK techniques to help network administrators and business owners recognize the attack pattern. For command and control, these are T1071 (Application Layer Protocol) and T1095 (Non-Application Layer Protocol). For execution, they are T1204 (User Execution) and T1059 (Command and Scripting Interpreter). 

Software Impersonations Becoming Increasingly Sophisticated

The image shows a table of attack techniques used in the IcedID Zoom phishing campaign.
Updated attack vectors often pass by undetected.
Source: CRIL

Since the Covid-19 pandemic, cybercriminals have increasingly sought to abuse remote work applications like Zoom. Two things make such applications prime targets: their widespread adoption, and the fact that they offer a path into lucrative businesses from outside the hardened corporate network. 

The issue isn’t just the scale of these attacks but that they are becoming more adaptive and versatile over time. Cybercriminals continually tweak their tooling, leaving researchers a step behind in mapping attack patterns and developing software that can fend them off. 

Commenting on the threat posed by IcedID, CRIL refers to it as a “highly advanced, long-lasting malware that has affected users worldwide.” Other malware operations, including Emotet, TrickBot, and Hancitor, have also distributed IcedID. Though it’s usually spread through email phishing, the criminals behind this campaign built a phishing site to carry the malware. This also marks the first time that threat actors have used this tactic to deploy IcedID.

Yet, despite their sophistication, such attacks are relatively straightforward to mitigate. Users only need a little awareness and caution to judge the legitimacy of a software download. Email phishing messages often contain grammatical errors, typos, and poor English. 

Moreover, some sites deliberately register misspelled or look-alike domain names, a practice known as typosquatting, to masquerade as the website they’re impersonating. Hurried employees looking to download an application quickly may overlook these subtle signs and unwittingly invite trouble. 
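As an added example that is not part of the original article, the following Python checks download URLs (say, from a web proxy log) against the official domain for each brand and flags look-alikes, using the explorezoom.com versus zoom.us case from the campaign above. The brand table beyond zoom.us, the zoorn.us near-miss, and the other URLs are constructed for the example, and the registered-domain helper assumes no multi-part public suffix such as co.uk.

```python
from urllib.parse import urlsplit

# Official download domains per brand. zoom.us is the one named in the article;
# the other entries are assumptions added for this example.
OFFICIAL_DOMAINS = {
    "zoom": {"zoom.us", "zoom.com"},
    "anydesk": {"anydesk.com"},
}

# Constructed proxy-log download URLs. explorezoom.com is the campaign domain
# reported by CRIL; zoorn.us and the rest are invented to exercise the checks.
SAMPLE_URLS = [
    "https://zoom.us/client/latest/ZoomInstaller.exe",
    "https://cdn.zoom.us/prod/5.13.3/zoomusInstallerFull.pkg",
    "https://explorezoom.com/download/ZoomInstaller.exe",
    "https://zoorn.us/download/ZoomInstaller.exe",
    "https://anydesk.com/en/downloads/windows",
    "https://www.example.com/blog/why-we-use-zoom",
]


def registered_domain(host):
    """Last two labels of the host. Assumes no multi-part public suffix (co.uk);
    a real deployment would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch near-misses such as a swapped or extra letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, brand, registered_domain) for one download URL."""
    host = urlsplit(url).hostname or ""
    domain = registered_domain(host)
    # Exact match on the registered domain covers subdomains such as cdn.zoom.us
    for brand, official in OFFICIAL_DOMAINS.items():
        if domain in official:
            return ("official", brand, domain)
    for brand, official in OFFICIAL_DOMAINS.items():
        # Brand name embedded in an unofficial domain, e.g. explorezoom.com
        if brand in domain.split(".")[0]:
            return ("brand-in-lookalike", brand, domain)
        # Small edit distance to an official domain, e.g. zoorn.us vs zoom.us
        if min(levenshtein(domain, o) for o in official) <= 2:
            return ("near-miss", brand, domain)
    return ("unrelated", None, domain)


def classify_all(urls):
    """Classify every URL and return the verdicts as a list of dicts."""
    return [dict(zip(("verdict", "brand", "domain"), classify(u)), url=u) for u in urls]


if __name__ == "__main__":
    for r in classify_all(SAMPLE_URLS):
        if r["verdict"] != "official":
            print(f'{r["verdict"]:20} {r["domain"]:20} {r["url"]}')
```

The check deliberately keys on the registered domain rather than on the full hostname or the path: explorezoom.com serves a file literally named ZoomInstaller.exe, and a blog page that merely mentions Zoom in its path must not be flagged. On a real proxy feed, the look-alike and near-miss verdicts are the ones to alert on for any brand in the download allowlist.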

While commercial and enterprise networks may block these downloads automatically, remote employees who can browse any site are at greater risk from this IcedID variant. Since many businesses now employ large remote workforces, this could spell disaster for the safety and integrity of a company’s internal communication and sensitive information.

The Key to Staying Safe from Malware in 2023

The best way to stay safe from malware online is to pause before downloading an application from any site, however legitimate it may seem. Cybercriminals are even abusing Google Ads to place their phishing sites above the organic search results, borrowing legitimacy to trick users into downloading from malicious links. 

Aside from Zoom, other applications impersonated through the MasquerAds malvertising campaign include AnyDesk, Dashlane, Grammarly, Malwarebytes, Microsoft Visual Studio, MSI Afterburner, Slack, Audacity, TeamViewer, Brave, and more. Under such circumstances, a user’s best defense is vigilance. A momentary pause and a closer look can reveal what even sophisticated software might fail to detect. 

The post Zoom Phishing Site Delivers IcedID Malware, Poses Threat to User Banking Credentials appeared first on TechGenix.

Irish DPC Fines Meta $414 Million for GDPR Violations concerning Targeted Ads

The image shows a post with stickers, one of which reads, "Big Data is watching you."
EU regulatory authorities are tightening screws on Big Tech, slapping it with fines and violations.
Source: Unsplash

Ireland’s Data Protection Commission (DPC) has fined Meta a total of €390 million ($414 million) in a ruling against Facebook’s and Instagram’s use of targeted advertising. The ruling found that the way both services obtained user consent under Meta’s updated terms of service violated Article 6 of the GDPR. The fines against Facebook and Instagram amount to €210 million ($225 million) and €180 million ($191 million), respectively. 

NOYB, a privacy advocacy group, first lodged complaints against Meta’s subsidiaries in May 2018, immediately after the GDPR came into effect. Following this outcome, Meta and its subsidiaries can no longer rely on their terms of service as the legal basis for processing user information for personalized ads.

Authorities have repeatedly found Meta in violation of privacy regulations, under the GDPR in Europe and also in the US. Just last month, Meta agreed to pay $725 million to settle the Cambridge Analytica class action, the largest US data privacy class-action settlement ever.

The Basis for the $414 Million Fine against Meta

The image is a snapshot of the official DPC statement in regard to the $414 million Meta fine for GDPR violations.
The DPC reversed its initial decision and imposed a much larger fine on Meta.
Source: Data Protection

Article 6, under which this DPC ruling was made, allows personal data to be processed only when the controller can rely on one of six lawful bases. Ahead of the GDPR taking effect in 2018, Meta (then Facebook) changed its terms of service, making acceptance of its processing of user information a precondition for using its services. 

Meta argued that its terms of service constitute a contract with the user, and that performance of this “contract” allowed its subsidiaries to process customer data for personalized ads. The DPC disagreed, finding Meta in violation of Article 6, as well as Articles 5(1)(a), 12, and 13(1)(c), which concern lawfulness and transparency. 

“In breach of its obligations in relation to transparency, information in relation to the legal basis relied on by Meta Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR,” read the DPC statement. 

Meta’s Subsidiaries Tried to Bypass GDPR

The image shows a snapshot of the NOYB page showing the Meta story, while an animation below declares it a victory for user privacy.
Meta has lost the battle of forced consent for personalized ads. And it’s losing more and more often.
Source: NOYB

Max Schrems, who leads NOYB, calls the ruling against using personal data for targeted advertising on a contractual basis a win for individual privacy. According to NOYB, Meta buried what should have been a yes/no opt-in decision on targeted advertising in its terms and conditions. 

According to Schrems: “Instead of having a ‘yes/no’ option for personalized ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way.”

Meta very nearly succeeded in its attempt to bypass the GDPR. The DPC’s draft decision proposed a fine of €36 million. But when the case was referred to the European Data Protection Board (EDPB), the board overruled the DPC’s position that Meta’s subsidiaries could process user information for targeted ads on a contractual basis. Consequently, the fine increased more than tenfold, from €36 million to €390 million. 

Schrems has gone further, accusing the DPC of siding with Meta: “This case is about a simple legal question. Meta claims the ‘bypass’ happened with the DPC’s blessing. For years the DPC has dragged out the procedure and insisted that Meta may bypass the GDPR, but was now overruled by the other EU authorities. It is overall the fourth time in a row the Irish DPC got overruled.”

GDPR Affects More than Just Meta

The image shows a snapshot of the official GDPR enforcement tracker page, listing recent violations.
GDPR is affecting businesses, large or small, that fail to comply.
Source: Enforcement Tracker

The latest DPC fine puts Meta in a bind. It will be unable to operate, in the EU at least, under its current business model, especially as it is also struggling to comply with the rules on transatlantic data transfers. EU authorities are tightening the screws on Big Tech companies in an effort to rein them in and ensure GDPR compliance. 

Apple and Twitter have also recently found themselves in the line of fire, although fines against Twitter are much less frequent and far smaller than those against Meta. Twitter is currently under a DPC investigation over a breach that could affect 5.4 million users. Apple, meanwhile, has been fined €8 million by the French regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), for placing advertising identifiers on iOS 14.6 devices without consent. The CNIL levied the fine under Article 82 of the French Data Protection Act, the same article it previously used to fine Google.

Small and medium-sized businesses are also subject to GDPR provisions, but these cases don’t make major news headlines. The enforcement tracker has a full list of GDPR cases. The tracker includes details such as entity name, fine amount, relevant GDPR provision, jurisdiction, decision date, and official press statement. 

To avoid GDPR fines, business owners need a valid lawful basis for each purpose for which they process personal data, and they must tell users clearly which basis applies; that, not a breach, is what the Meta ruling turned on. Separately, Article 32 of the GDPR requires appropriate security for the data a company holds. A combination of controls, including firewalls, multi-factor authentication, antivirus protection, malware scanners, email spam filters, and automated patch management, helps meet that obligation and avoid a second kind of violation. 

Implications for Big Tech 

For a long time, Big Tech has effectively operated above the law, even though its practice of feeding user information into deep analytics is an open secret. That seems to be changing, with authorities in Europe especially demanding stricter GDPR compliance. The tougher privacy enforcement has led Meta to signal that it may have to withdraw some services from the EU, since its subsidiaries depend on processing user information to remain viable. 

Other social media and Big Tech companies also rely on targeted advertising. Big Tech, with its sophisticated tracking and cross-device, cross-platform monitoring, eluded accountability for a long time, with little transparency about how it uses personal data. 

With GDPR and other directives curtailing Big Tech’s power and enforcing user privacy rights, the playing field is leveling. However, the dream of reclaiming user data and a more sovereign internet still seems distant. 

The post Irish DPC Fines Meta $414 Million for GDPR Violations concerning Targeted Ads appeared first on TechGenix.

Emsisoft State of Ransomware Report for 2022 Reveals No Reduction in Attacks

The image shows a person pointing at something on a laptop.
After crunching the numbers, little change has been found in ransomware attacks since 2019.
Source: Unsplash

Emsisoft has published its State of Ransomware report for 2022, a synopsis of ransomware attacks on US organizations last year. The report groups attacks by sector: local government, education, and healthcare. Overall, 106 local governments, 44 universities and colleges, 1,981 schools, and 290 hospitals were hit by ransomware. The report’s data comes from various sources, including the dark web, press reports, third-party feeds, and disclosure statements. 

Despite the US government’s efforts and awareness campaigns since 2019, the ransomware figures have remained largely unchanged in the years since. The report acknowledges that its estimates don’t account for attacks that government efforts repelled. Since accurate ransomware data is hard to collect, the report describes its findings as lower bounds. 

“When it comes to cybersecurity incidents, it has always been hard to get accurate statistical information. What data is available is based largely on publicly available reports, but not all incidents are made public, even in the public sector and, consequently, the true number of incidents in all sectors of the economy is and has always been higher than reported,” read the official blog.

Emsisoft State of Ransomware Report: Local Governments

The image shows the lawn in front of the White House.
The report categorizes ransomware data into three categories: local governments, education, and healthcare.
Source: Pexels

Ransomware attacks on local governments rose from 77 in 2021 to 106 in 2022. However, the 2022 figure includes the attack on Miller County, Arkansas, in which a single infection spread to 55 counties.

A single large-scale incident like that can skew the statistics. For example, excluding the Arkansas incident, cybercriminals stole data in about 54% of cases; including it, the share drops to about 26%. 

Only one local government is known to have paid a ransom this year: Quincy, Massachusetts, paid USD 500,000 to recover its files. The highest local government ransom demand in 2022 was $5 million, made against Wheat Ridge, Colorado. 

The following year-by-year comparison shows that the incident figures have remained quite consistent since 2019: 

  • 2019 — 113
  • 2020 — 113
  • 2021 — 77
  • 2022 — 106

On Christmas Day, an attack in North Carolina left six local governments locked out of their online records. They couldn’t access wills, birth certificates, death certificates, marriage licenses, and other documents, and were forced to fall back on pen and paper, bringing operations to a near standstill. 

Emsisoft State of Ransomware Report: Education

The image shows 5 dice on a wooden surface spelling out the words "STUDY" with books in the background.
Teachers and students should be made aware of how ransomware attacks happen and learn about basic cybersecurity principles.
Source: Pexels

The attack on the Los Angeles Unified School District, affecting 1,300 schools and 500,000 students, was the most significant of 2022. The number of schools affected nearly doubled from the previous year, from 1,043 to 1,981, spread across 45 school districts and 44 colleges and universities. Cybercriminals exfiltrated data in 65% of these incidents, up from 50% the previous year. 

At least three of the educational institutions attacked paid a ransom, including the USD 400,000 paid by the Glenn County Education Office in California. As with local governments, the number of education organizations attacked has remained stable since 2019:

  • 2019 — 89
  • 2020 — 84
  • 2021 — 88
  • 2022 — 89

Attacks on educational institutions carry other costs as well. They bring operations to a halt and delay courses: marking tests, accessing online lectures, and submitting assignments all stop while systems are down. 

Such costs are hard for institutions to bear. Reducing them requires that both teachers and students understand how ransomware attacks happen. Students are prone to clicking on links that deliver malware and trojans, which can lead to a ransomware infection. In response to recent breaches, Berkeley has recommended cybersecurity training for all its students and professors.

Emsisoft State of Ransomware Report: Healthcare

The image shows white scrabble blocks spelling out the word "HEALTHCARE" with a green leaf to the left.
Healthcare remains an easy and juicy target for cybercrime gangs.
Source: Pexels

The healthcare sector, with its vast stores of sensitive information, remains a favorite target of cybercrime gangs. Healthcare administrators can’t afford to have that information leaked, which pressures them to give in to the criminals’ demands. The Emsisoft report found that the number of attacks on healthcare is large, yet the industry lacks transparent reporting. 

Emsisoft counted 24 ransomware incidents at healthcare providers in 2022, potentially affecting 290 hospitals. In 71% of cases, the attackers exfiltrated Protected Health Information (PHI) and other data. Due to a lack of disclosure, Emsisoft couldn’t determine the full extent of the breaches it recorded. The most significant healthcare incident of 2022 was the attack on CommonSpirit Health, which operates about 150 hospitals. 

More recently, a Hive ransomware attack on the Lake Charles Memorial Health System (LCMHS) in Louisiana affected over 270,000 patient records. The leaked information included patient names, addresses, dates of birth, medical record or patient identification numbers, health insurance information, payment information, and limited clinical information about care received at LCMHS. 

In an unexpected turn, LockBit recently apologized to the SickKids hospital in Toronto and offered a free decryptor after an affiliate encrypted the hospital’s systems, saying the attack violated its rules for affiliates. Such apologies are rare, however, and it’s better to be safe than sorry. 

Recommendations, Remedies, and Safeguards

The report focuses on public sector breaches because of the lack of transparency in private organizations, in particular around the disclosure of ransomware and other breaches. Yet private companies that keep quiet about ransomware still need to bolster their defenses, especially as attacks grow in complexity and reach. 

All commercial entities should implement the most widely recommended security practices to prevent attacks and limit their aftershocks. These include multifactor authentication across all services, regular and automated patching, high-quality antivirus and malware detection tools, and employee awareness campaigns. Penetration testing is also an excellent way to find weaknesses in a network. 

While commercial entities can choose to pay a ransom to get their data back, the public sector may no longer have that choice: Florida and North Carolina have passed laws barring public sector entities from paying ransomware demands. Private entities, for their part, can face severe penalties for neglecting proper security measures and failing to protect the user information on their servers. 

Future Implications 

Ransomware is here to stay, despite the best efforts of public and private organizations to curb it, and attacks are growing in sophistication. To counter them and raise awareness, Emsisoft first recommends calling them by names that describe their nature more accurately. Suggested terms include “data extortion events,” “encryption-based data extortion,” and “exfiltration-based data extortion.” 

Among the report’s blind spots are the success of government efforts and the severity of individual incidents, such as how far infections spread laterally. Regardless, information is key to defending against ransomware. In that light, Georgia’s legislation allowing public entities to withhold reports of cybercrime incidents is alarming.

This could set a worrying precedent, as the security industry depends on quick communication about recent breaches. With more sophisticated threats on the horizon, companies benefit from information sharing and up-to-date defenses. 

The post Emsisoft State of Ransomware Report for 2022 Reveals No Reduction in Attacks appeared first on TechGenix.

LockBit Apologizes, Gives Decryptor to SickKids Hospital in Toronto

The image shows two hands typing on a mac, while a blue stethoscope lies on the side.
LockBit shows mercy in a strange show of compassion to the SickKids hospital in Toronto.
Source: Unsplash

After a LockBit affiliate encrypted systems at the Hospital for Sick Children (SickKids) in Toronto on Dec. 18, the group has tendered an apology and a free decryptor to the hospital. LockBit disowned the attack, calling it a violation of its affiliate rules, and said it doesn’t target institutions where a compromise “could lead to death.” By Jan. 1, SickKids had restored 60% of its systems.

The hospital was forced to declare a Code Grey (system failure). Though the breach disrupted phone lines and web pages, it didn’t affect patient care. Seeking to ease privacy concerns, the hospital said the attackers did not steal any sensitive patient information, a rarity in such cases.

The decryptor is for Linux/VMware ESXi, which suggests that the affiliate only encrypted virtual machines on the hospital’s VMware hosts and that no Windows encryptor was deployed.

LockBit’s Ransomware-as-a-Service Model

The image shows the LockBit blog, where the group apologized for the attack on SickKids hospital.
A rare apology from LockBit isn’t proof of it mending its ways.
Source: BleepingComputer

LockBit operates a ransomware-as-a-service (RaaS) model: it rents its ransomware to affiliates, whose job is to break into networks and run the operation, while LockBit itself maintains the encryptors, decryptors, and websites. LockBit keeps roughly 20-25% of each ransom payment, and the affiliate pockets the rest.

Once the criminals encrypt a server, they hold it for ransom and refuse to decrypt it unless the victim pays. Usually, payment does result in decryption: ransomware groups run on commercial principles and need a reputation for keeping up their end of the bargain, or nobody would pay.

LockBit’s rules forbid affiliates from encrypting medical institutions; even so, it delayed releasing the decryptor in this case. And the same rules haven’t stopped affiliates from hitting hospitals before. In August, LockBit affiliates compromised the Centre Hospitalier Sud Francilien (CHSF) in France and demanded $10 million. When the hospital refused to pay, the group leaked staff and patient data online.

The rules also let LockBit keep its distance from affiliates when its reputation is at stake: it can plead deniability and cut ties with an affiliate if an attack draws too much heat. By renting out its ransomware, it can stay in the background. 

The ransomware itself is automated and easy to use. Once it infects a single host, it spreads to other hosts on the network without operator involvement and automatically carries out post-exploitation steps such as privilege escalation. 

LockBit Protection — Staying Safe in the World of Ransomware

The image shows a computer with a red screen and a black pirate skull-and-bones flag.
LockBit is among the most active ransomware strains in the world, according to BlackBerry.
Source: Unsplash

According to BlackBerry, LockBit is one of the most active ransomware strains worldwide. With ransom demands averaging about $85,000 per victim, the group evidently targets mainly small and medium-sized enterprises. It has, however, also compromised large government and commercial organizations and demanded ransoms in the millions of dollars. 

BlackBerry’s research explains how LockBit works: “LockBit seeks initial access to target networks primarily through purchased access, unpatched vulnerabilities, insider access, and zero-day exploits. Second-stage LockBit establishes control of a victim’s system, collects network information, and achieves primary goals such as stealing and encrypting data.”

Knowing these patterns, network administrators can design their defenses accordingly. A well-rounded security strategy can thwart any cybercrime group, including LockBit. Networks need high-quality antivirus protection as well as sensitive malware detection; bear in mind that not every security product is equal, and some are far better than others at detecting and preventing infections. 

Better still, administrators should enforce multifactor authentication across as many services as possible, which vastly reduces the risk of an initial intrusion through purchased or stolen credentials. They should give employees clear password guidelines, use automated patch management that routinely finds and patches vulnerabilities as they arise, and, lastly, reduce user privileges on the network to the functional minimum. 

The Continual Critical Infrastructure Threat

The image shows LockBit’s extortion website, listing APL as a victim.
The Port of Lisbon remains operational, but they have until Jan.18 to comply with LockBit’s demands.
Source: BleepingComputer

Hospitals aren’t the only soft targets. On Christmas Day, a cyberattack hit the administrative records offices of six counties in North Carolina. As a result, processing and access to wills, birth certificates, death certificates, marriage licenses, and other records slowed down or halted completely, and local governments were reduced to pen and paper. 

LockBit was also busy on Christmas Day, launching an attack on the Port of Lisbon Administration (APL). The Port of Lisbon is a key European port. At the time of writing, the APL website (http://portodelisboa.pt) is offline. LockBit added APL to its leak site on Dec. 29. While the port remains operational, the gang claims to have accessed financial reports, audits, budgets, contracts, cargo information, ship logs, crew details, customer PII (personally identifiable information), port documentation, email correspondence, and more.

In Canada, a cyberattack on Dec. 27 shut down operations at Copper Mountain Mining Corporation (CMMC) in British Columbia, though no details have been disclosed yet. The mine covers about 18,000 acres and produces around 100 million pounds of copper per year. 

Hospitals Are an Ongoing Target for Ransomware Operations

Despite the odd compassionate gesture of an apology and a free decryptor, LockBit and groups like it continue to target hospitals. Recently, a Hive ransomware attack exposed 270,000 patient records at Lake Charles Memorial Health System.

In another incident, an attack on CommonSpirit Health, a chain of over 150 hospitals, exposed the data of over 600,000 patients. Hospitals are easy targets and hold vast repositories of patient information. In 24 healthcare incidents in 2022, cybercriminals obtained Protected Health Information (PHI) in over 71% of cases. Poor data protection, sensitive data, and many avenues for exploitation make healthcare systems extremely vulnerable targets. 

The post LockBit Apologizes, Gives Decryptor to SickKids Hospital in Toronto appeared first on TechGenix.
