Russian Sandworm Hacking Group Exploits Exim Mail Servers

A Russian state-sponsored hacking group known as Sandworm is exploiting a vulnerability in the Exim Mail Transfer Agent (MTA), which is widely used on Unix-based systems. The vulnerability, tracked as CVE-2019-10149, is a remote code execution flaw that affects Exim versions 4.87 through 4.91.

A fix has been available since June 5, 2019, when the vulnerability was publicly disclosed, yet many organizations have still not updated Exim and remain exposed to attack.

The vulnerability can be exploited by sending a specially crafted email that allows commands to be executed with root privileges. After exploiting the flaw, an attacker could install programs, run code of their choosing, modify data, create new accounts, and potentially gain access to stored information.

According to a recent National Security Agency (NSA) advisory, Sandworm hackers exploit the vulnerability by inserting malicious code into the MAIL FROM field of an SMTP message. Any organization running a vulnerable Exim version on an internet-facing mail transfer agent is a potential target.

Once the vulnerability has been exploited, the attackers download a shell script from an attacker-controlled server and use it to add privileged users, modify the SSH configuration to enable remote access, disable network security settings, and execute a further script that enables follow-on exploitation. This likely gives the attackers full control of the mail server, at which point all inbound and outbound email can be intercepted and exfiltrated.

Sandworm is a unit of Russia's General Staff Main Intelligence Directorate, better known as the GRU. The group has previously conducted attacks on European countries and the United States, including operations against foreign governments and activity alleged to have interfered in the 2016 U.S. presidential election.

The NSA has recommended mitigations to prevent exploitation. The most important is to update Exim to version 4.93 or later without delay; the update fixes CVE-2019-10149 along with other vulnerabilities that attackers could exploit. After upgrading, administrators should make sure that updates are checked for regularly and applied as soon as new versions are released. Exim can be updated through the Linux distribution's package manager or directly from the Exim project.

Where a prompt update is not possible, it may still be possible to detect and block exploitation attempts. For example, Snort 3 rule 1-50356 alerts on exploit attempts for registered users of the Snort intrusion detection system (IDS). Administrators should also routinely check for unexpected system changes, such as added accounts and SSH keys; such changes would indicate a compromise.
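As an added illustration (not code from the NSA advisory, Snort, or the Exim project), the script below shows the two checks an administrator can run while waiting to patch: a gate on the version string printed by `exim -bV`, and a scan of SMTP envelope commands for the Exim string-expansion syntax (`${run{...}}` and similar items) that the public CVE-2019-10149 advisory describes as the injection vector. The transcript lines are constructed for the example; the version boundaries (4.87 to 4.91 affected, 4.93 recommended) are taken from the CVE advisory and the NSA advisory respectively.

```python
import re
from typing import List, Tuple

# Version boundaries: CVE-2019-10149 affects Exim 4.87 through 4.91
# (public advisory); the NSA advisory recommends 4.93 or later.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)
RECOMMENDED = (4, 93)

# Matches the "MAIL FROM:<...>" / "RCPT TO:<...>" envelope commands.
ENVELOPE_CMD = re.compile(
    r"^(MAIL FROM|RCPT TO):\s*<?(?P<addr>[^>\r\n]*)>?", re.IGNORECASE)

# Exim expansion items that execute commands or read data. "${" anywhere in
# an envelope address is already suspicious; these make it a high-confidence hit.
DANGEROUS_ITEM = re.compile(
    r"\$\{\s*(run|readsocket|perl|dlfunc|readfile|lookup)\b", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int]:
    """Pull major.minor out of text such as 'Exim version 4.92 #3 built ...'."""
    m = re.search(r"\b(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return int(m.group(1)), int(m.group(2))


def exim_status(version_text: str) -> str:
    """Classify a version banner as 'vulnerable', 'below-recommended' or 'ok'."""
    v = parse_version(version_text)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "vulnerable"
    if v < RECOMMENDED:
        return "below-recommended"   # e.g. 4.92 fixed the bug, NSA still says 4.93+
    return "ok"


def find_expansion_injections(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line number, command, address, severity) for every envelope
    address that carries Exim expansion syntax."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = ENVELOPE_CMD.match(line.strip())
        if not m:
            continue
        addr = m.group("addr")
        if "${" not in addr:
            continue
        severity = "high" if DANGEROUS_ITEM.search(addr) else "suspicious"
        hits.append((n, m.group(1).upper(), addr, severity))
    return hits


# Constructed SMTP transcript (not captured traffic): two benign envelope
# commands followed by two injection attempts of differing confidence.
SMTP_TRANSCRIPT = [
    "EHLO mail.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "MAIL FROM:<${run{/bin/sh -c id}}@localhost>",
    "RCPT TO:<${substr{0}{3}{abcdef}}@localhost>",
    "DATA",
]

if __name__ == "__main__":
    for banner in ("Exim version 4.91 #1 built 12-Mar-2019",
                   "Exim version 4.92 #3", "Exim version 4.93 #2"):
        print(f"{banner!r:45} -> {exim_status(banner)}")
    for n, cmd, addr, severity in find_expansion_injections(SMTP_TRANSCRIPT):
        print(f"line {n}: {severity:10} {cmd} {addr}")
```

The Snort rule remains the proper network-side detection; this kind of check is for ad hoc review of an SMTP proxy log or transcript, and for confirming the installed version before and after the upgrade.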

The NSA also recommends configuring public-facing mail transfer agents with the least privilege necessary and using network segmentation to separate roles and requirements. Public mail transfer agents should be isolated from sensitive internal resources in a DMZ enclave, with firewall rules that block unexpected traffic from reaching trusted internal resources. Mail transfer agents should additionally be permitted to send outbound traffic only to the ports they need; all other ports should be blocked.

PHI Exposed Due to Geisinger Wyoming Valley Medical Center and District Medical Group Data Breaches

District Medical Group (DMG), an integrated medical group in Arizona, has started notifying 10,190 patients that some of their protected health information (PHI) may have been compromised. On March 11, 2020, DMG discovered that an unauthorized individual had gained access to the email accounts of several employees after they responded to phishing emails.

DMG promptly reset passwords to lock the unauthorized individual out of the accounts and engaged a third-party cybersecurity firm to investigate. The investigation confirmed that several email accounts had been compromised between February 4, 2020 and February 10, 2020.

A review of the messages and attachments in the compromised accounts confirmed that they contained patient information such as names, medical information, medical record numbers, and health insurance data. The Social Security numbers of a limited number of patients were also potentially exposed. No evidence was found to suggest that the attacker accessed or copied the emails.

DMG has advised affected patients to remain vigilant and monitor their accounts and statements for any sign of fraudulent activity. As a precaution, the medical group is offering complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers were contained in the accounts.

DMG has enhanced employee training and has taken steps to strengthen email security to prevent similar breaches in the future.

An Employee of Geisinger Wyoming Valley Medical Center Fired for Unauthorized Health Record Access

Geisinger Wyoming Valley Medical Center (GWVMC) in Wilkes-Barre, PA has discovered that an employee had been accessing patient medical records without a legitimate work reason.

GWVMC was alerted to the potential HIPAA breach on March 20, 2020 and launched an internal investigation. The employee was authorized to access patient data to perform everyday work duties, but the investigation found that the employee had viewed the medical records of 805 patients outside of those duties. The unauthorized access began in July 2017 and continued until March 2020.

The investigation found no evidence to suggest the records were accessed with malicious intent. As a precaution, GWVMC is offering complimentary credit monitoring and identity theft protection services to the affected patients.

The employee viewed the following types of information: names, phone numbers, addresses, email addresses, dates of birth, Social Security numbers, medical conditions, diagnoses, prescribed medications, visit notes, dates of service, test results, and appointment details.

GWVMC took appropriate disciplinary action against the employee for violating HIPAA regulations and hospital policies. The employee no longer works at GWVMC.

Study Reveals That Paying a Ransom Doubles the Cost of Recovering from a Ransomware Attack

Organizations that suffer a ransomware attack may be tempted to pay the ransom to reduce downtime and recovery costs, but a Sophos survey shows that organizations that pay the ransom actually end up spending far more than those that restore their files from backups.

The FBI does not recommend paying ransoms, since payment funds threat actors and enables them to conduct further attacks. There is also no guarantee that the attackers will supply working keys to decrypt the data. The higher overall cost can now be added to the list of reasons not to pay.

The market research firm Vanson Bourne conducted the survey between January and February 2020 on approximately 5,000 IT decision makers at organizations with 100 to 5,000 employees across 26 countries, including Canada, the United Kingdom and the United States.

51% of respondents said they had suffered a ransomware attack in the past 12 months, and 73% of those reported that the attack resulted in data being encrypted. 26% of attacked organizations paid the ransom and 73% did not. 56% of organizations said they recovered their files from backups. Of the organizations that paid the ransom, 95% reported that they got their data back; 1% of those that paid said they did not recover their data.

84% of organizations said they had a cyber insurance policy, but only 64% said the policy covered ransomware attacks. Of the 64% with ransomware coverage, 94% said the insurer paid the ransom.

Ransomware victims were asked to estimate the cost of the attack, including downtime, staff costs, device costs, lost revenue, and other related expenses. The average cost where the organization did not pay the ransom was $732,520. For organizations that paid the ransom, the cost was almost double that figure at $1,448,458.

The ransom itself, which is often substantial, has to be paid on top of most of the other costs of an attack, which are incurred whether or not the ransom is paid. Paying may seem an attractive way to recover faster, but in practice recovery is often not significantly quicker. Frequently a separate decryption key is required for each endpoint, so recovery is still a time-consuming process that may not go smoothly. It is also not uncommon for data to be corrupted during encryption and decryption.

The take-home message is to make sure you can recover files from backups, which means keeping multiple backup copies with at least one stored on an air-gapped device. Backups must also be tested to verify that the data is not corrupted and that files can actually be restored. You can then follow the FBI's advice and refuse to pay the ransom unless there is truly no other option.

Nigerian BEC Scammers Focus Attacks on Government Healthcare Agencies and COVID-19 Research Organizations

Business email compromise (BEC) attackers based in Nigeria have been discovered targeting COVID-19 research bodies, pandemic response organizations and government healthcare agencies in order to obtain fraudulent wire transfers and install malware.

Researchers at Palo Alto Networks' Unit 42 attributed the attacks to a cybercriminal group named SilverTerrier. SilverTerrier was especially active last year: since 2014 the group has conducted around 2.1 million BEC attacks, and in 2019 it averaged 92,739 attacks per month, peaking in June with 245,637.

The group has been seen exploiting the Microsoft Office vulnerability CVE-2017-11882 to install malware, although most often it uses spear phishing emails targeting finance department staff. Using standard phishing lures such as fake invoices and payment advice notices, recipients are tricked into opening malicious attachments that install malware. SilverTerrier uses several malware families, including the information stealers PredatorPain, Lokibot and Pony, and remote administration tools to maintain persistent access to compromised systems. The malware is used to steal sensitive information and gain access to payroll systems and bank accounts; BEC attacks are also conducted to obtain fraudulent wire transfer payments.

Over the past three months, Unit 42 researchers have observed three SilverTerrier threat actors conducting 10 COVID-19-themed malware campaigns against healthcare organizations responding to COVID-19 in Italy, Australia, Canada, the United States and the United Kingdom.

The most recent targets were local and regional governments, government medical organizations, insurance companies, research organizations, medical publishing companies, and universities with medical programs and medical facilities. The researchers tracked 170 unique phishing emails, including some relating to supplies of personal protective equipment and face masks.

According to Palo Alto Networks, SilverTerrier attacks increased by 172% in 2019, and the attacks are unlikely to decline in 2020. Government agencies, public utilities, medical and insurance providers, and universities with medical programs should therefore be especially wary of COVID-19-related emails with attachments. Since the attacks are mostly conducted by email, the most important defense is training employees to recognize spear phishing emails, backed by an advanced spam filter to keep malicious messages out of inboxes. It is also important to patch the CVE-2017-11882 Microsoft Office vulnerability promptly.

Shareholder Files Lawsuit Against LabCorp to Recover Losses Caused by Data Breaches

A LabCorp shareholder has filed a lawsuit against the company and its officers and directors over the loss in share value resulting from two cyberattacks LabCorp experienced in the past year.

LabCorp was badly affected by the 2019 data breach at American Medical Collection Agency (AMCA), a medical debt collection firm. The hackers who gained access to AMCA's systems obtained the information of 10,251,784 LabCorp patients. The breach affected around 24 of AMCA's clients in total.

TechCrunch reported a second LabCorp data breach in January 2020 that exposed around 10,000 LabCorp records, which the lawsuit alleges LabCorp neither disclosed to the public nor mentioned in any SEC filings. The breach was caused by a website misconfiguration that left the records accessible to anyone. The breach was also not reported to the HHS' Office for Civil Rights, even though TechCrunch researchers confirmed that the files contained patient information.

Raymond Eugenio, who holds LabCorp shares that lost value because of the breaches, filed the lawsuit on April 23, 2020 to recover those and other losses. The defendants named in the lawsuit are LabCorp and 12 of the company's directors and executives, including CEO Adam Schechter, CIO Lance Berberian and CFO Glenn Eisenberg.

The lawsuit alleges that both before and after the AMCA data breach, LabCorp failed to implement appropriate cybersecurity measures and lacked adequate oversight of cybersecurity, which directly led to the two breaches.

In an SEC filing, LabCorp stated that the AMCA data breach cost the company $11.5 million in 2019, including remediation expenses, but the lawsuit argues that this figure is only a fraction of the total losses and does not account for the litigation that followed. Several class action lawsuits filed by victims of the AMCA breach named LabCorp, so shareholders do not know the full extent of the losses. The lawsuit also says that the second breach has not been acknowledged publicly or in SEC filings. Eugenio therefore claims that LabCorp breached its duty to shareholders and failed in its duties of loyalty, care, and good faith.

The lawsuit alleges that LabCorp:

  • failed to implement effective internal policies, procedures, and controls to protect patient information;
  • had insufficient oversight of compliance with state and federal regulations and with its own internal policies and procedures;
  • failed to have an adequate data breach response plan in place;
  • provided PHI to AMCA without ensuring the company had adequate cybersecurity controls in place, failed to ensure that the individuals and entities affected by the breach were identified promptly, and failed to make adequate public disclosures about the data breaches.

The lawsuit seeks to recover damages suffered as a result of the breaches and public acknowledgement of the January 2020 breach. It also demands changes to corporate governance and internal procedures, including the creation of a board-level committee and the appointment of an executive officer to ensure adequate oversight of information security.

PHI Exposed Due to Ambry Genetics and Arizona Endocrinology Center Breaches

Ambry Genetics, a genetic testing laboratory based in Aliso Viejo, CA, is notifying 232,772 individuals that their protected health information (PHI) was compromised in an email security breach. At roughly 233,000 records, this is the second largest healthcare data breach reported so far in 2020.

Ambry Genetics discovered that an unauthorized individual accessed an employee's email account between January 22 and January 24, 2020 and may have viewed or downloaded patient PHI. The security team and third-party computer forensics experts could not confirm whether any information in the compromised account was viewed or stolen, and no reports have been received of any misuse of personal data.

An analysis of the compromised email account showed that it contained information such as names, medical information, and other data related to the services provided by Ambry Genetics. Some individuals' Social Security numbers were also exposed.

Ambry Genetics has taken steps to strengthen security and has provided employees with additional training on email security.

Former Arizona Endocrinology Center Doctor Discloses PHI of 74,000 Patients to New Practice

Arizona Endocrinology Center is notifying 74,122 patients about the impermissible disclosure of their PHI to another medical group by a doctor who left the practice.

Before Dr. Dwivedi left Arizona Endocrinology Center, he copied patient information and shared it with More MD, his new practice. The data copied from the EHR included patient names, addresses, phone numbers, medical record numbers, and the names of patients' primary physicians. Dr. Dwivedi did not obtain any Social Security numbers, health insurance information, or financial data.

Arizona Endocrinology Center discovered the breach on February 17, 2020 when patients reported receiving text messages from More MD informing them that Dr. Dwivedi had joined that practice. The text messages also advertised More MD's services. The investigation determined that the information was copied on January 12, 2020.

Arizona Endocrinology Center has informed its patients that it has no business relationship with More MD and that Dr. Dwivedi no longer works for the practice. As a result, it has been difficult to obtain assurances that the patient records have been deleted and will not be used. The practice stated on its website that patients and their families are free to contact Dr. Dwivedi and More MD with questions about their personal information.

Class Action Lawsuit Filed Against Tandem Diabetes Care Over January 2020 Phishing Attack

Tandem Diabetes Care Inc., a San Diego-based medical device company, is facing a class action lawsuit in California over a January 2020 data breach that exposed, and potentially led to the theft of, the protected health information (PHI) of around 140,000 people.

Unauthorized individuals gained access to an employee's email account between January 17 and January 20, 2020 following a phishing attack. The information in the account varied from patient to patient and included names, dates of birth, insurance information, billing information, medical records, and Social Security numbers.

Tandem Diabetes Care reported the breach to the HHS' Office for Civil Rights on March 17, 2020 as affecting 140,781 individuals and mailed notification letters to the affected individuals at the same time.

The lawsuit was filed in the U.S. District Court for the Southern District of California and alleges that Tandem Diabetes Care violated the Confidentiality of Medical Information Act (CMIA). The plaintiff and class members are seeking compensation for the negligent disclosure of their personal and medical information, together with injunctive relief.

CMIA requires healthcare providers to implement security measures to protect the privacy of individually identifiable medical information and prohibits disclosure of that information without prior patient authorization. Unlike HIPAA, CMIA provides a private right of action that allows patients to sue over the negligent disclosure of their private health information.

The plaintiff is identified only as C.H., and the putative class is divided into two subclasses: all California residents whose identities, personal information, and medical information were contained in the email account, and all other individuals whose information was exposed.

The lawsuit alleges negligence in failing to protect individually identifiable health information. By allowing third parties to access the email account, the defendant is alleged to have negligently created, maintained, preserved, stored, and then compromised the individually identifiable medical information of the plaintiff and the class members.

The lawsuit claims that Tandem Diabetes Care failed to maintain adequate technical safeguards, which directly and proximately caused a foreseeable risk of loss and damage relating to patient information, including identity theft and other economic losses.

The lawsuit states that patients have suffered damages as a result of the unauthorized disclosure of their personal information and PHI, and seeks nominal damages of $1,000 per class member, compensation for actual damages suffered, damages available under common law, and legal fees.

The lawsuit was filed by Joshua B. Swigart of the Swigart Law Group, who is seeking class action certification and a jury trial.

McHenry County Health Department Ordered by the Court to Disclose COVID-19 Patients’ Names to First Responders

The McHenry County Health Department in Illinois declined to provide 911 dispatchers with the names of COVID-19 patients, citing patient privacy, as it had previously done for patients with other infectious diseases such as hepatitis and HIV.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits PHI to be disclosed to police officers, paramedics, and 911 dispatchers in certain circumstances. On March 24, 2020, the HHS' Office for Civil Rights published a guidance document titled COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities.

The guidance explains that HIPAA permits a covered entity such as a county health department to disclose PHI to a law enforcement officer or other person who may have been exposed to a COVID-19-positive individual in order to prevent or control the spread of COVID-19, under 45 CFR 164.512(b)(1)(iv). OCR also noted that it may be essential for first responders to know PHI such as patient names in order to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.

Although such disclosures are permitted, the County Health Department stated on Friday that it would still not release the information, as doing so would violate patient privacy and could give first responders a false sense of security. First responders should assume that anyone in a house they enter could be COVID-19 positive and capable of infecting others, the department said, and should take the same precautions as in any other public interaction.

MCDH stated that in its professional public health opinion, given what is known about how the disease spreads, the lack of testing, the epidemiological data and the stay-at-home order in place, providing patient names goes beyond the minimum information necessary to protect police officers.

Several law enforcement agencies in McHenry County sued the County Health Department to compel it to release the information to protect first responders. MCDH is facing two lawsuits: the first was filed on behalf of four police departments in the county, and the second by the County Sheriff's office. The police departments want MCDH to disclose the information to the McHenry County Emergency Telephone System Board so that responding officers can be alerted when additional protective measures are needed. The County Sheriff argued in its lawsuit that responders cannot take the same precautions in every community interaction because there is not enough personal protective equipment available.

The court granted a temporary order requiring MCDH to provide the information. The ruling stated that providing the names helps police officers do their jobs properly and keep the community safe.

As a result of the court order, MCDH will provide patient names to dispatchers on request, on a case-by-case basis. MCDH said it will apply the strictest controls when disclosing the information in order to protect patient privacy.

COVID-19-Themed Attacks Dominate the Threat Landscape

A recent Proofpoint report shows that cybercriminals are now overwhelmingly running campaigns themed around COVID-19: 80% of all attacks observed by the company are related to COVID-19.

The analysis covered around 500,000 emails, 300,000 malicious hyperlinks, and more than 200,000 malicious email attachments. Proofpoint researchers identified more than 140 phishing and malware distribution campaigns, and the number continues to rise. The coronavirus theme spans almost every kind of threat, with COVID-19 lures used by everyone from small-time actors to well-known APT groups. The email campaigns are diverse and constantly changing, and Proofpoint researchers expect the variety of attacks to continue and their volume to increase.

A Check Point report tells a similar story. In mid-February, Check Point was seeing several hundred coronavirus-related malware attacks per day. By late March, that had risen to 2,600 per day, with 5,000 attacks recorded on March 28, 2020. These attacks included emails with "COVID" or "Corona" in the subject line or attachment name, or links to a domain or URL containing those terms.

In the past two weeks alone, Check Point Research found that more than 30,000 COVID-19-related domain names were registered. Although only 0.4% of those domains were confirmed as malicious, 9% were suspicious, and many more may be used by cybercriminals for phishing, fraud or malware distribution. The researchers observed that more than 51,000 coronavirus-related domains have been registered since mid-January.

Cloudflare reviewed online threats and reported a six-fold increase over the past month. Barracuda Networks noted a 600% rise in phishing attacks since the end of February and observed a spike in impersonation scams and business email compromise fraud.

The FBI has already issued alerts about coronavirus- and COVID-19-related phishing scams, and on April 1, 2020 it released a further advisory about the threat of attacks on the software and systems used to support remote workers. With the surge in home working during the 2019 Novel Coronavirus pandemic, many people now rely on teleconferencing and telework tools to communicate with managers, colleagues and clients.

Cybercriminals are looking for vulnerabilities in virtual private network (VPN), teleconferencing and telework solutions, and the FBI expects greater exploitation of such vulnerabilities in the coming period. These attacks aim to steal sensitive information and deliver malware and ransomware.

As of March 30, 2020, the FBI's Internet Crime Complaint Center (IC3) had reviewed 1,200 complaints about COVID-19-related scams. Attacks were reported by first responders and healthcare organizations dealing with the COVID-19 crisis. The FBI warned that these attacks will continue and that threat actors are likely to begin targeting people working from home as well.

The FBI advises organizations to carefully consider the software they use for telework, including video conferencing applications and voice over Internet Protocol (VoIP) conference call systems. Malicious actors are looking for ways to exploit vulnerabilities in telework software to obtain sensitive data, eavesdrop on conference calls or virtual meetings, or conduct other malicious activity.

Echoing the findings of Barracuda Networks, the FBI has warned about BEC scams after receiving several complaints from organizations that cybercriminals are conducting BEC attacks requesting early payments because of COVID-19. Attempts have also been made to change employees' direct deposit information in order to divert payroll.

Many organizations have been forced to purchase new mobile devices to allow employees to work from home. The FBI warns that these devices carry a risk of pre-installed malware, which could easily spread to corporate networks when employees connect remotely.

Hackers Attack WHO and HHS to Steal Login Credentials

A sophisticated hacking group targeted the World Health Organization (WHO) and its partners in an attempt to steal login credentials and gain access to the WHO network by spoofing its internal email system. Several WHO staff members received spear phishing messages containing links to a malicious website hosting a phishing kit.

Cybersecurity expert Alexander Urbelis, who is also a lawyer with the New York-based Blackstone Law Group, discovered the spear phishing attack on March 13. The malicious website hosting the fake WHO login page had been used in previous attacks on WHO staff.

It is unclear who was behind the campaign, although it is believed to be a threat group known as DarkHotel, which is thought to be based in South Korea. The attackers' objectives are not known, but Urbelis believes that, given the highly targeted nature of the attack, they were after specific information. DarkHotel has previously conducted several surveillance operations in East Asia. It is possible the hackers were seeking information on potential treatments, cures, or vaccines for COVID-19.

Reuters first reported the story and contacted WHO CISO Flavio Aggio for further details. Aggio said the campaign was unsuccessful and the attackers were unable to obtain any information. Aggio confirmed a sharp increase in attacks targeting WHO in recent weeks. WHO has also been impersonated in several phishing campaigns attempting to steal credentials and distribute malware; according to Aggio, attacks impersonating WHO have more than doubled during the coronavirus outbreak.

Phishers Take Advantage of Open Redirect on HHS Website to Deploy Raccoon Information Stealer

Phishers have been found exploiting an open redirect on the HHS website to send people to a phishing page.

Open redirects are used on websites to send visitors to another site. When a redirect does not validate its destination, anyone can use it, and cybercriminals frequently abuse such open redirects in phishing campaigns. Because the link begins with the legitimate domain of the site hosting the open redirect, anyone inspecting the link can be fooled into thinking it leads to a trusted website. It does at first, but the final destination is the phishing site.
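To make the mechanism concrete, here is an added example (not code from the HHS site or from the campaign described in this story) contrasting a redirect handler that trusts its parameter with one that only follows same-site targets. The hostnames, the `/redirect` path and the `next` parameter name are hypothetical; the lure builder shows why the link looks trustworthy at a glance.

```python
from urllib.parse import urlparse, urljoin, quote, unquote

OUR_HOST = "portal.example.gov"        # hypothetical site hosting the redirect
DEFAULT = f"https://{OUR_HOST}/"       # where rejected targets land


def open_redirect(next_url: str) -> str:
    """The weak pattern: wherever ?next= points, the user goes."""
    return next_url


def safe_redirect(next_url: str, our_host: str = OUR_HOST, default: str = DEFAULT) -> str:
    """Follow next_url only if it stays on our_host, otherwise go to default.

    Covers the usual bypasses: absolute URLs, scheme-relative '//host',
    backslash tricks, look-alike hosts and the userinfo '@' trick."""
    if not next_url or any(c in next_url for c in "\r\n\t "):
        return default                       # empty, or whitespace/CRLF smuggled in
    candidate = next_url.replace("\\", "/")  # browsers treat '\' like '/'
    try:
        parsed = urlparse(candidate)
    except ValueError:                       # e.g. malformed IPv6 literal
        return default
    if parsed.scheme or parsed.netloc:
        # Absolute or scheme-relative: only our own host, and only over HTTPS.
        # Comparing the whole netloc defeats 'ourhost.evil.example' and
        # 'ourhost@evil.example'.
        if parsed.scheme.lower() != "https" or parsed.netloc.lower() != our_host:
            return default
        return candidate
    # Relative path: exactly one leading '/', so it cannot be read as '//host'.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return urljoin(f"https://{our_host}/", candidate)


def lure_link(phish_url: str, our_host: str = OUR_HOST) -> str:
    """Build the kind of link a phisher sends: our host first, theirs in the parameter."""
    return f"https://{our_host}/redirect?next={quote(phish_url, safe='')}"


if __name__ == "__main__":
    link = lure_link("https://evil.example/login")
    target = unquote(link.split("next=", 1)[1])
    print("lure link:", link)
    print("open     :", open_redirect(target))
    print("hardened :", safe_redirect(target))
    for t in ["/help?x=1", "//evil.example/", "/\\evil.example",
              "https://portal.example.gov.evil.example/",
              "https://portal.example.gov@evil.example/", "javascript:alert(1)"]:
        print(f"{t!r:48} -> {safe_redirect(t)}")
```

An allowlist of exact hosts is the simplest rule that survives the look-alike and userinfo variants; prefix or substring checks on the URL string are exactly what attackers test first.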

The email used a COVID-19 lure, offered information about the coronavirus, and contained a link with the text "Find and lookup your health-related symptoms."

Security researcher @SecSome identified the open redirect on a Departmental Contracts Information System subdomain. It was used to link to a malicious file containing an .lnk shortcut that runs a VBS script to install the Raccoon information stealer. Raccoon can steal credentials and sensitive data from around 60 different applications.