A Tampa, Florida area water facility was recently hacked using a popular remote-access software tool. The unidentified hacker used the software to connect to an on-site computer and then used that computer to access the facility’s control panel. Once there, the hacker raised the sodium hydroxide (lye) setpoint roughly 100-fold. While small amounts of lye are used to control the acidity of water, at these massively increased levels lye is corrosive. Drinking the water could be like drinking liquid drain cleaner.
There are many valuable and legitimate uses of remote-access software. This software allows a user to take full control of another computer as if they were sitting in front of it. The particular brand of remote-access software involved in this incident is popular with consumers and businesses and has more than 200 million users globally. It can be used by individuals to remotely access and troubleshoot their family members’ computer issues. However, there are now questions about whether remote-access software is appropriate to monitor and change controls at critical infrastructure facilities.
There are alternative approaches. Some critical infrastructure facilities permit remote-access software, but only to monitor the facility systems. Any changes must be completed on site from computers not connected to external systems or software. Some in the critical infrastructure industry recommend requiring a secure VPN to remotely access the internal network. After using the VPN, any additional access by the remote user would be done via a secured login with mandatory, multi-factor authentication. Some recommend a second secure login inside the network that controls the critical infrastructure.
Industry members are quick to point out that critical infrastructure systems often have multiple safeguards to prevent extreme manipulation of the systems. For example, many water treatment facilities have physical size restriction limits on the quantities of chemicals that can be introduced into the system over any given period. This type of safeguard could restrict the speed and/or amount of chemicals that would actually be pumped into a system, even if programmed to do so. But if a hacker can remotely access the system controls to program changes in quantity, could they possibly program other changes, such as changes to these safeguards?
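To make the safeguard question concrete, here is an added illustration (not the Florida facility’s code, and not a description of any real product): a dosing controller with two layers, a remotely writable HMI setpoint and a separate interlock whose ceiling and rate-of-change limit are fixed at deploy time and cannot be written through the same path the setpoint uses. The ppm values and the 100-fold attack sequence are constructed to mirror the incident described above.

```python
"""Illustrative dosing-setpoint interlock (added example, not the facility's code).

Two layers are modelled: a remotely writable HMI setpoint, and an independent
interlock whose limits are fixed at deploy time and are not reachable through
the interface an attacker would use. All numbers are constructed.
"""
import dataclasses
from dataclasses import dataclass


@dataclass(frozen=True)
class Interlock:
    """Limits the dosing layer enforces regardless of the requested setpoint.

    frozen=True means there is deliberately no setter. In a real plant this
    role is played by a physical constraint (pump capacity, metering orifice)
    or by a separate safety controller that the HMI cannot write to.
    """
    max_ppm: float          # absolute ceiling the dosing pump may deliver
    max_step_ppm: float     # largest upward change allowed per control cycle


def dosing_command(previous_ppm: float, requested_ppm: float, interlock: Interlock):
    """Return (actual_ppm, alarm) for one control cycle.

    The requested setpoint comes from the HMI and may have been tampered with.
    The value actually sent to the pump is clamped by the interlock, and any
    clamping raises an alarm so an operator sees the discrepancy. Decreases
    are not rate-limited: lowering the dose is the safe direction for lye.
    """
    if requested_ppm < 0:
        raise ValueError("negative dose requested")
    step_limited = min(requested_ppm, previous_ppm + interlock.max_step_ppm)
    actual = min(step_limited, interlock.max_ppm)
    alarm = None
    if actual != requested_ppm:
        alarm = (f"setpoint {requested_ppm:g} ppm exceeds interlock "
                 f"(delivered {actual:g} ppm)")
    return actual, alarm


def simulate(setpoints, interlock, start_ppm):
    """Run a sequence of HMI setpoints through the interlock; return a log of
    (requested, delivered, alarm) tuples."""
    log = []
    current = start_ppm
    for sp in setpoints:
        current, alarm = dosing_command(current, sp, interlock)
        log.append((sp, current, alarm))
    return log


def remote_can_raise_limit(interlock: Interlock, new_max: float) -> bool:
    """Attempt what a remote operator might: rewrite the interlock ceiling.
    Returns False because the interlock exposes no write path."""
    try:
        interlock.max_ppm = new_max  # frozen dataclass: raises FrozenInstanceError
    except dataclasses.FrozenInstanceError:
        return False
    return True


# Constructed scenario: normal lye dose of 100 ppm, attacker writes a 100-fold
# increase (10000 ppm) into the HMI, then the change is reverted.
SAFEGUARD = Interlock(max_ppm=150.0, max_step_ppm=10.0)
ATTACK_SEQUENCE = [100.0, 10000.0, 10000.0, 100.0]

if __name__ == "__main__":
    for requested, delivered, alarm in simulate(ATTACK_SEQUENCE, SAFEGUARD, 100.0):
        print(f"requested={requested:>8g} delivered={delivered:>6g} {alarm or ''}")
    print("remote write to interlock succeeded:",
          remote_can_raise_limit(SAFEGUARD, 99999.0))
```

The design point is where the limit lives, not the clamp itself: if the same remote session that can write the setpoint can also write `max_ppm`, the safeguard is only a second setpoint. Keeping the limit in a layer with no network-facing write path (or in hardware) is what makes the page’s question answerable with “no”.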
In the case of the Florida water facility, any possible crisis was averted because an attentive employee saw the controls being changed, and notified the company, which notified the police. The increases in sodium hydroxide were quickly reversed.
The incident remains under investigation by the FBI and Secret Service, as well as local law enforcement officials.
New York Governor Andrew Cuomo recently announced his proposal for a comprehensive data security law that will “provide New Yorkers with transparency and control over their personal data and provide new privacy protections.” The proposal also would establish a Consumer Data Privacy Bill of Rights that would guarantee “the right to access, control, and erase the data collected from them; the right to nondiscrimination from providers for exercising these rights; and the right to equal access to services.”
According to the state of New York’s website announcing the initiative, the proposal also “expressly protects sensitive categories of information including health, biometric and location data and creates strong enforcement mechanisms to hold covered entities accountable for the illegal use of consumer data. New York State will work with other states to ensure competition and innovation in the digital marketplace by promoting coordination and consistency among their regulatory policies.”
This proposal is promising and, if passed, it would mean that New York would join California in enacting a comprehensive consumer privacy law. We will follow the proposal closely to see how it fits with New York’s Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), enacted in 2019, which broadened the state’s breach-notification law and requires any business holding New York residents’ private information to maintain reasonable safeguards. (The state’s 2017 cybersecurity regulation for the financial services industry is a separate rule, 23 NYCRR Part 500, issued by the Department of Financial Services.)
Indian news outlet Inc42 has reported that the ShinyHunters hacking group found some shiny objects when it was able to compromise the personal information of hundreds of thousands of individuals using the crypto exchange BuyUCoin.
The hackers were able to compromise and subsequently leak a BuyUCoin database that contained names, telephone numbers, email addresses, tax identification numbers and bank account information of users. Reports of the number of affected users range from 161,000 to 325,000.
Although BuyUCoin initially denied the reports, it recently indicated that it is investigating and that no user funds had been affected.
Users of the Parler social media platform who participated in the riots last week at the U.S. Capitol are reportedly uneasy following the announcement that several activist hackers archived posts as they were happening in real time during the riots, and that they will release the posts publicly to assist law enforcement with investigations. Another activist hacker is reported to have said that she archived material as it was being posted to show how the platform was used to plan the attack and for communication by participants during the assault.
Parler is reported to have been a popular mode of communication during the months leading up to the election last fall after Facebook and Twitter began reviewing and labeling content that was false or misleading.
One of the activist hackers alleges that she archived 30 terabytes (equal to 30,000 gigabytes) of publicly-available posts of the events leading up to and during the riots so they would be preserved before the platform was taken down, which occurred on Monday.
Some of the data that were archived includes legally-obtained GPS data while posts were made by those participating in the riot. The GPS data show that Parler users were posting videos and pictures while they were inside the Capitol, including both chambers of Congress and offices of some politicians.
As the holiday shopping season comes to an end, consumers should still be aware that hackers are sending fake delivery notifications appearing to come from companies like FedEx and UPS, especially as the last few days of package arrivals pass by. The hackers’ messages prompt consumers to enter personal information, such as credit card details, to resolve a supposed problem with package delivery, or launch malware or ransomware as soon as a link is clicked. According to a recent CNBC report on this “shipageddon” launched by hackers, one consumer received an email message appearing to be from UPS informing him that his package could not be delivered. Once he clicked the link provided to solve the issue, his screen started flashing and his computer was encrypted with ransomware demanding 150 bitcoins (or about $66,000). Upon the consumer’s refusal, his computer was wiped clean.
According to the CNBC report, fraudulent delivery messages rose by 440 percent from October to November, based on data from cybersecurity firm Check Point Software Technologies, and fraudulent shipping messages overall rose 72 percent since November 2019. Don’t fall victim to these scams. Correct spelling and company logos are no longer proof of legitimacy, so before clicking a provided link or offering up personal information, check that the sender’s address and the link’s actual destination are on the carrier’s own domain, and when in doubt go directly to the carrier’s website and look up the tracking number yourself.
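The checks just described can be automated for a mailbox or a mail gateway. The following is an added example, not code from the CNBC report or from any carrier; the message it analyzes is constructed, the carrier domain list is an assumption for illustration, and the domain-trimming helper is a deliberate simplification (it does not consult the public suffix list).

```python
"""Added example: flag delivery-notification emails whose sender or links do
not point at the carrier they claim to be from. The message below is
constructed; the carrier domain list is an assumption for illustration.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example: registrable domains the carriers actually use.
CARRIER_DOMAINS = {"ups.com", "fedex.com", "usps.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Good enough for .com carriers; a real
    deployment would use the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href: str, label: str):
    """Return reasons a link should not be clicked (empty list if none).

    Rule 1: the destination host must belong to a carrier domain; lookalikes
            such as ups.com.verify-login.xyz fail because only the last two
            labels count.
    Rule 2: if the visible text itself looks like a URL, it must name the same
            domain the href actually goes to.
    """
    host = urlparse(href).hostname or ""
    dom = registrable_domain(host)
    if dom not in CARRIER_DOMAINS:
        return [f"link host {host!r} is not a carrier domain"]
    if label and "." in label:
        shown = registrable_domain(label.split("//")[-1].split("/")[0])
        if shown != dom:
            return [f"link text {label!r} does not match destination {host!r}"]
    return []


def analyze(raw_message: str):
    """Return all findings for one RFC 5322 message given as a string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    _, addr = parseaddr(str(msg["From"]))
    sender_dom = registrable_domain(addr.rpartition("@")[2])
    if sender_dom not in CARRIER_DOMAINS:
        findings.append(f"sender domain {sender_dom!r} is not a carrier domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, label in collector.links:
        findings.extend(check_link(href, label))
    return findings


# Constructed sample: a lookalike sender, a link whose visible text claims
# ups.com but whose href goes elsewhere, and one genuine carrier link.
SAMPLE = """\
From: UPS Delivery <notify@ups-delivery-center.info>
To: you@example.com
Subject: Action required: package could not be delivered
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your package could not be delivered. Confirm your address and card to reschedule.</p>
<p><a href="http://ups-delivery-center.info/resolve?id=48213">https://www.ups.com/track</a></p>
<p><a href="https://www.ups.com/help">UPS Help Center</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("SUSPICIOUS:", finding)
```

Running it on the constructed message reports the sender domain and the first link; the genuine help-center link passes. The display text of the first link would satisfy the “correct spelling and logo” test, which is why the check compares where the link actually goes rather than what it says.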
To file in the “no one is immune from a sophisticated attack” category, well-known and respected security firm FireEye publicly announced this week that it has experienced an attack by a state-sponsored (that is, foreign government) hacking group, which successfully obtained its “red team tools.” This is very concerning, as the red team tools include the “special sauce” FireEye uses to test its clients’ security maturity and vulnerabilities, and could be used as a roadmap for adverse nation states to hack into the U.S. government’s or private companies’ systems.
Kudos to FireEye for making this public so the U.S. government, critical infrastructure and private companies can be on the alert for the tools to be used against them. FireEye has stated that it is working on over 300 countermeasures to assist in combatting the use of its proprietary tools by these adverse threat actors.
Unfortunately, this incident is a cold, hard, awful reminder that even the most sophisticated security firm can become the victim of a cyberattack, and since that is the case, all companies are at extreme risk of an attack and exfiltration of data.
FireEye appears poised to assist in combatting the effects of the incident, so keep a close eye on those measures. We will keep you updated as well.
Brazilian airplane manufacturer Embraer’s data has reportedly been uploaded on a dark web website hosted by ransomware group RansomExx (a/k/a Defray 777) after Embraer reportedly refused to pay a ransom following a ransomware attack last month.
According to ZDNet, the hackers uploaded company files containing “samples of employee details, business contracts, photos of flight simulations, and source code, among others.”
Leaking the data and making it publicly accessible, or sometimes selling it at auction, is designed by the attackers to pressure the company into paying the ransom: to avoid legal obligations and regulatory fines or penalties, or to keep confidential data out of the hands of competitors and adversaries who could use it against the company.
I have done more online shopping this year than ever before, and I know that I am not alone. With the holidays approaching, this will only increase because of the pandemic, and hackers and fraudsters know it.
A recent report by GBG entitled “GBG State of Digital Identity: 2020” states that in 2020, 47 percent of individuals have opened a new online shopping account, 31 percent a new social media account and 35 percent a new online bank account. In addition, one third of consumers 75 years or older have opened a new online account in 2020.
Additional depressing statistics from that report: one in five individuals have been affected by identity fraud this year and have been informed that their personal information was exposed in a data breach. As a result, one third of consumers have become more aware of and concerned about fraud, and believe their personal information is exposed on the dark web.
GBG estimates that during the upcoming holidays, each online retailer will have to combat an average of 20,000 fraud attempts.
With these statistics in mind, a recap of tips to think about to protect yourself while online shopping during this holiday season may be helpful:
- Be wary of emails with unbelievable sales that ask you to click on embedded links or attachments
- When shopping online, visit the retailer’s actual website instead of a link that has been provided to you through an email
- Use a credit card and not your debit card for all ongoing shopping
- Use a dedicated credit card for all online shopping so if there is a compromise of that credit card it is limited to that one credit card
- When asked if you want the online shopping site to save your credit card number, click “no thanks”
- Be wary of gift card promotions or requests
- Watch your credit card account statements closely
- Check your credit report frequently
During this holiday season, support your local retailers, shop safely and have a happy, safe and healthy Thanksgiving.
The UK National Cyber Security Centre (NCSC) issued an alert on October 16, 2020, to raise awareness “of a new remote code execution vulnerability (CVE-2020-16952)”, which affects Microsoft’s SharePoint product. According to the alert, “successful exploitation of this vulnerability would allow an attacker to run arbitrary code and to carry out security actions in the context of the local administrator on affected installations of SharePoint server.”
The NCSC recommends applying security updates promptly, “but in this case the NCSC has previously seen a large number of exploitations of SharePoint vulnerabilities…against UK organisations…NCSC is issuing this alert to ensure that system owners are aware of this vulnerability and to ensure remediation actions are taken.”
According to the alert, the vulnerability affects:
- Microsoft SharePoint Foundation 2013 Service Pack 1
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
It is important to note that SharePoint Online, which is part of Office 365, is not affected by the vulnerability.
The NCSC “strongly advises that organisations refer to the Microsoft guidance…and ensure the necessary updates are installed in affected SharePoint products. It is also important to keep informed of any possible updated future updates to the guidance…”
Hall County, Georgia reported on October 7, 2020, that it was the victim of a ransomware attack that disrupted some of its systems, including email and telephone services in public buildings and the sheriff’s offices. Last week, the county indicated that in addition to telephone and email services, the ransomware attack also affected the county’s election administration system that verifies voters’ signatures on absentee ballots.
The county states that the ransomware attack (believed to be DoppelPaymer malware) will not affect voters’ ability to cast ballots, but it could slow down the county’s ability to process absentee ballots. According to public reports, there have been 13,703 absentee ballots cast in Hall County as of October 23. This incident is being reported as the first example of a ransomware attack affecting the 2020 election.
The ransomware attack will not completely thwart the ability of election clerks to count valid ballots. The County is able to use a statewide signature database in the event that it is not able to get the County signature matching system up and running, and as a last resort, they can go back to the old days and match signatures with voters’ registration cards.
Predictions are that hackers will increase the frequency and variety of attacks until election day, on the theory that the closer an attack is to election day, the higher the chance of extracting a payment.