WebProNews

Tag: ransomware

  • Rural US Hospitals Are Getting Clobbered by Ransomware

    Rural US hospitals are losing the fight against ransomware due to limited resources compared to bigger organizations.

    According to Cyberscoop, witnesses testified in a recent Senate Homeland Security and Governmental Affairs Committee meeting that smaller hospitals are struggling to combat ransomware attacks. In most cases, while there is plenty of information available to help organizations, the issue stems from a lack of resources, including qualified cybersecurity personnel.

    “We also saw cybercriminals shift their focus to small and rural hospitals with this group lagging behind in strengthening their defenses,” said Kate Pierce, senior virtual information security officer at cybersecurity firm Fortified Health Security. “Our rural hospitals are facing unprecedented budget constraints with up to 30% or more in the red, with the public health emergency scheduled to end in May.”

    Unfortunately, the issue is only going to get worse as bad actors exploit small hospitals’ vulnerability. Some are even stepping up the pressure on smaller hospitals specifically, posting patient information — including nude examination photos — online in an effort to force hospitals to pay up.

    “In recent years, increasingly sophisticated cyberattacks in the healthcare and public health sectors posed alarming threats to people in Michigan, as well as across the country,” said Committee Chairman Gary Peters, D-Mich.

  • Ransomware Survival 101: Don’t Follow Dish Network’s Playbook

    Dish Network customers are still in limbo, with few answers weeks after the company was crippled by ransomware.

    Dish began experiencing major issues with its website, internal systems, and customer portal going offline in late February. Roughly a week later, the company admitted to suffering a massive ransomware attack, one that crippled operations and resulted in the theft of customer data.

    According to TechCrunch, Dish customers still have no idea what is going on, with many of them unable to access customer support, pay their bills, or get any kind of useful information.

    In fact, a number of customers have had their service disconnected because they have been unable to log into the customer portal to pay their bills. Others are already experiencing voice and email phishing attempts as hackers try to exploit the lack of information from Dish to take advantage of customers looking for answers.

    Company spokesperson Edward Wietecha told TechCrunch that “customers are having trouble reaching our service desks, accessing their accounts, and making payments.” When asked if the company was disconnecting users, Wietecha added that “customers who had their service temporarily suspended for nonpayment received additional time until our payment systems were restored.”

    In addition to the trouble Dish’s own customers are having, there is potential for the problem to be much worse and extend beyond Dish’s roughly 10 million customers. A former Dish retailer told TechCrunch that the company retains a veritable treasure trove of customer data from anyone who has ever signed up for Dish service, including those who never became customers because they didn’t pass the credit check. The information includes “customer names, dates of birth, email addresses, telephone numbers, Social Security numbers, and credit card information.” What’s more, it appears that Dish’s policy is to retain the information indefinitely.

    Overall, Dish is providing a case study of how not to handle a ransomware attack for any company that wants to come out the other side still having customers.

  • Dish Network Customer Data Stolen in Ransomware Attack

    More details have emerged regarding Dish Network’s recent outage, including the fact that customer data was stolen in the incident.

    Dish began experiencing major issues Thursday morning, with employees unable to work or access internal systems. The company’s website was also down. At the time, CEO Erik Carlson chalked it up to an “internal outage.”

    In a filing with the SEC, however, the company has admitted the issue was the result of a ransomware attack, one that compromised customer data:

    On February 27, 2023, the Corporation became aware that certain data was extracted from the Corporation’s IT systems as part of this incident. It is possible the investigation will reveal that the extracted data includes personal information. The measures described above are continuing while the Corporation, with the assistance of third-party experts and advisors, investigates the extent of the cyber-security incident.

    The company is working to restore the impacted services and is working with law enforcement.

  • Yum Brands Hit by Ransomware, Hundreds of Restaurants Close

    Yum Brands, the parent of KFC, Pizza Hut, and Taco Bell, was hit by a ransomware attack, leading to hundreds of locations closing.

    Yum Brands acknowledged the attack in a statement Wednesday, saying its IT systems were compromised.

    On January 18, 2023, Yum! Brands, Inc. announced a ransomware attack that impacted certain information technology systems. Promptly upon detection of the incident, the Company initiated response protocols, including deploying containment measures such as taking certain systems offline and implementing enhanced monitoring technology. The Company also initiated an investigation, engaged the services of industry-leading cybersecurity and forensics professionals, and notified Federal law enforcement.

    The company says the overall impact was relatively limited. Most important, Yum Brands says there is no evidence any customer data was stolen.

    Less than 300 restaurants in the United Kingdom were closed for one day, but all stores are now operational. The Company is actively engaged in fully restoring affected systems, which is expected to be largely complete in the coming days. Although data was taken from the Company’s network and an investigation is ongoing, at this stage, there is no evidence that customer databases were stolen. While this incident caused temporary disruption, the Company is aware of no other restaurant disruptions and does not expect this event to have a material adverse impact on its business, operations or financial results.

  • The Guardian Suffers Ransomware Attack, Staff’s Data Accessed

    The Guardian has suffered a major ransomware attack and has revealed that some staff’s personal data was accessed.

    The Guardian broke the news in late December that it suffered an IT incident it believed was a ransomware attack. Yesterday morning the outlet confirmed that it was indeed a ransomware attack, one that compromised the personal data of its UK-based employees.

    The outlet described the attack as a “highly sophisticated cyber-attack involving unauthorised third-party access to parts of our network,” and likely the result of a phishing attempt.

    There was a bit of good news, however, as there appears to be no evidence that readers’ data was accessed.

    The Guardian said it had no reason to believe the personal data of readers and subscribers had been accessed. It is not believed that the personal data of Guardian US and Guardian Australia staff has been accessed either.

    In an email to staff, The Guardian also said there was no evidence the compromised data had made its way online.

    “We believe this was a criminal ransomware attack, and not the specific targeting of the Guardian as a media organisation,” said chief executive Anna Bateson and editor-in-chief Katharine Viner.

    “These attacks have become more frequent and sophisticated in the past three years, against organisations of all sizes, and kinds, in all countries.”

    They added: “We have seen no evidence that any data has been exposed online thus far and we continue to monitor this very closely.”

  • White House to Kick Off International Counter Ransomware Summit

    The White House is preparing to kick off the International Counter Ransomware Summit Monday, an acknowledgment of ransomware’s growing threat.

    The White House is holding the second International Counter Ransomware Summit, according to AP News, hosting the EU, roughly three dozen nations, and a number of private companies.

    Ransomware has become a major problem for the private and public sectors alike. Ransomware attacks have hit supply chains, cloud providers, government agencies, food companies, universities, and more. Lincoln University was even forced to permanently shut its doors as a result of a ransomware attack.

    The White House wants to help countries and organizations better combat the cybersecurity threat. The summit will include a host of officials, including “FBI Director Christopher Wray, national security adviser Jake Sullivan, Deputy Treasury Secretary Wally Adeyemo and Deputy Secretary of State Wendy Sherman.”

    According to AP News, participating countries include:

    Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Croatia, the Czech Republic, the Dominican Republic, Estonia, the European Commission, France, Germany, India, Ireland, Israel, Italy, Japan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Norway, Poland, the Republic of Korea, Romania, Singapore, South Africa, Spain, Sweden, Switzerland, Ukraine, the United Arab Emirates, the United Kingdom and the United States.

    Participating companies include:

    Crowdstrike, Mandiant, Cyber Threat Alliance, Microsoft, Cybersecurity Coalition, Palo Alto, Flexxon, SAP, the Institute for Security + Technology, Siemens, Internet 2.0, Tata – TCS and Telefónica.

  • Cisco Breached by Ransomware Gang, 2.75GB Reportedly Stolen

    Cisco was hacked by a ransomware gang in May, with the criminals reportedly stealing 2.75GB of data and trying to extort the company.

    According to BleepingComputer, Cisco confirmed the Yanluowang gang compromised the company’s network but said the bad actors only made off with non-sensitive data. The data was from an employee’s Box folder.

    “Cisco experienced a security incident on our corporate network in late May 2022, and we immediately took action to contain and eradicate the bad actors,” a Cisco spokesperson told BleepingComputer.

    The company said the breach did not impact its business.

    “Cisco did not identify any impact to our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations,” the spokesperson continued.

    “On August 10 the bad actors published a list of files from this security incident to the dark web. We have also implemented additional measures to safeguard our systems and are sharing technical details to help protect the wider security community.”

    The company also found no evidence of encrypted files that could be used in a traditional ransomware scheme, although it appears that was likely a prime goal.

    “While we did not observe ransomware deployment in this attack, the TTPs used were consistent with ‘pre-ransomware activity,’ activity commonly observed leading up to the deployment of ransomware in victim environments,” the company wrote in a blog post.

  • Russian Sanctions Are Dampening Ransomware Attacks

    Sanctions imposed on Russia by the international community are having an unforeseen side effect: ransomware has taken a hit.

    Ransomware has become one of the biggest cybersecurity threats, impacting organizations of all sizes. Government agencies and educational institutions have been hit hard as well, with Lincoln College recently closing its doors in large part because of a ransomware attack.

    It’s no secret that Russia is the home base of many ransomware gangs, with the Russian government turning a blind eye to their activities. According to ZDNet, the sanctions Russia is under are making it difficult for ransomware gangs to carry out their operations and receive payment.

    “One interesting trend we see is, in the last month or two ransomware is actually down. There’s probably a lot of different reasons why that is, but I think one impact is the fallout of Russia-Ukraine,” said NSA director of cybersecurity Rob Joyce.

    “As we do sanctions and it’s harder to move money and it’s harder to buy infrastructure on the web, we’re seeing them less effective – and ransomware is a big part of that,” he added.

  • Ransomware Leads to Lincoln College Shutting Down Permanently

    Lincoln College has announced it is shutting its doors permanently, largely the result of the COVID pandemic and a recent ransomware attack.

    Lincoln College is in rural Illinois and is one of only a handful of rural colleges the Department of Education identifies as predominantly Black institutions. On the school’s website, it notes it has survived everything thrown at it in its 157-year history, but the pandemic and a ransomware attack proved too much. The institution will permanently shut its doors after the spring 2022 semester.

    Interestingly, Lincoln experienced “record-breaking student enrollment in Fall 2019.” Just months later, however, the pandemic significantly impacted recruiting, fundraising, and other activities. The straw that broke the camel’s back was a cyberattack in December 2021.

    Furthermore, Lincoln College was a victim of a cyberattack in December 2021 that thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrollment projections. All systems required for recruitment, retention, and fundraising efforts were inoperable. Fortunately, no personal identifying information was exposed. Once fully restored in March 2022, the projections displayed significant enrollment shortfalls, requiring a transformational donation or partnership to sustain Lincoln College beyond the current semester.

    Lincoln College’s situation is a sad reminder of the real-world costs associated with ransomware attacks.

  • Nvidia CEO Calls Lapsus$ Hack a ‘Wake-Up Call’

    Nvidia suffered a major attack at the hands of ransomware group Lapsus$, an attack CEO Jensen Huang is calling a “wake-up call.”

    Lapsus$ is a somewhat different type of ransomware gang. Rather than gaining access and delivering a ransomware payload that encrypts a target’s systems, Lapsus$ tries to gain access to source code repositories, stealing code and demanding a ransom to not release it to the public.

    Lapsus$ has been on a string of attacks, compromising Microsoft, Samsung, and Nvidia. In the case of the latter, the group made off with GPU source code, demanding the company open source its drivers or see the code released publicly.

    According to Yahoo Finance, the hack got the attention of Huang, who was relieved it wasn’t worse.

    “It was a wake-up call for us,” Huang told Yahoo Finance. “Fortunately, we didn’t lose any customer information and any sensitive information. They got access to source code, which of course we don’t like, but nothing that is harmful to us.”

    Ransomware has been on the rise, becoming one of the most popular, and profitable, forms of cybercrime. The CEO of Nvidia calling the Lapsus$ attack a “wake-up call” should serve as a cautionary tale to companies large and small.

  • Microsoft Confirms Lapsus$ Hack, Interrupted It In Progress

    Microsoft has confirmed it was at least partially compromised by hacking group Lapsus$, saying it interrupted the attack in progress.

    Lapsus$ is a ransomware group that operates somewhat differently than most. Rather than compromising a system and installing a ransomware payload, the group tries to steal source code and intellectual property, and then threatens to release it if a ransom is not paid. The group claimed to have compromised Microsoft, saying it made off with source code for Bing, Bing Maps, and Cortana.

    In a blog post, Microsoft says it interrupted DEV-0537 (Microsoft’s codename for Lapsus$) mid-operation.

    This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.

    Microsoft has been monitoring Lapsus$ for some time and has noted the group’s ability to prey on the interconnected nature of modern systems.

    Early observed attacks by DEV-0537 targeted cryptocurrency accounts resulting in compromise and theft of wallets and funds. As they expanded their attacks, the actors began targeting telecommunication, higher education, and government organizations in South America. More recent campaigns have expanded to include organizations globally spanning a variety of sectors. Based on observed activity, this group understands the interconnected nature of identities and trust relationships in modern technology ecosystems and targets telecommunications, technology, IT services and support companies – to leverage their access from one organization to access the partner or supplier organizations. They have also been observed targeting government entities, manufacturing, higher education, energy, retailers, and healthcare.

    Microsoft’s revelations come on the heels of several high-profile attacks by the group, including a major successful attack against Nvidia, and an attempted hack of Okta.

  • Okta CEO Confirms Breach Attempt in January, No Major Concern Now

    On the heels of news Lapsus$ was claiming it breached Okta, the company’s CEO has confirmed an attempt in January.

    Okta is a leading identity and authentication services provider, meaning a successful breach against the company could have disastrous consequences for a wide range of industries. Ransomware group Lapsus$ claimed to have successfully breached the company, even providing screenshots as proof. Fortunately, the screenshots Lapsus$ provided are likely from an attempt made in January, one that was contained and poses little risk in the present.

    Okta CEO Todd McKinnon made the announcement on Twitter.

    In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. (1 of 2)

    We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January. (2 of 2)

    Todd McKinnon (@toddmckinnon), March 22, 2022

    The revelation is good news for Okta users, provided no additional details emerge from the company’s investigation.

  • LAPSUS$ May Have Hacked Microsoft

    Continuing its string of high-profile attacks, Lapsus$ may have hacked Microsoft’s code repositories.

    As BleepingComputer points out, Lapsus$ operates differently than many ransomware gangs. Rather than targeting a company’s desktop machines and servers, holding them for a ransom, Lapsus$ targets companies’ code repositories. Once the group has compromised a repository, it demands a ransom in exchange for not releasing the company’s source code and intellectual property (IP) to the world.

    According to BleepingComputer, the group claims it has successfully compromised Microsoft’s source code repositories, specifically its Azure DevOps server. Microsoft has not been able to confirm the claims, but is investigating to see if they are true.

    We will continue to monitor this story and report on any additional details.

  • Open Source Drivers or Else: Nvidia Hackers Make Demands

    The hackers responsible for an Nvidia data breach have finally made their demands, wanting the company to release open source GPU drivers.

    Nvidia is notoriously opposed to open source drivers for its products. The issue is so well-known that it continues to be a problem in the Linux community, with some Linux distros specifically advertising themselves as being Nvidia-friendly by including the company’s official drivers, rather than the normal open source alternatives. The company has also angered some users by including measures to throttle its GPU performance when used for crypto mining.

    On March 1, it was reported that Nvidia had launched a counter-hacking operation against the Lapsus$ group in an effort to encrypt roughly 1TB of stolen data, so it could not be used in a ransomware demand. It’s unclear how successful that operation was, since the group is now making its demands, according to Ars Technica, and those demands touch on both of the complaints against the company described above.

    So, NVIDIA, the choice is yours! Either:

    –Officially make current and all future drivers for all cards open source, while keeping the Verilog and chipset trade secrets… well, secret

    OR

    –Not make the drivers open source, making us release the entire silicon chip files so that everyone not only knows your driver’s secrets, but also your most closely-guarded trade secrets for graphics and computer chipsets too!

    YOU HAVE UNTIL FRIDAY, YOU DECIDE!

    Given that today is Friday, we won’t have long to wait to see how this demand plays out, but our money is on Nvidia refusing.

  • Smaller ISPs the Weak Link in Cybersecurity War

    Everyone uses an internet service provider (ISP) to connect to the internet, but not all ISPs are created equal when it comes to security.

    Cybersecurity has become a major focus, for private companies and government agencies alike. Recent ransomware attacks have illustrated the vulnerabilities of software, services, and cloud options. Supply chain attacks, where bad actors compromise a commonly-used software component, have become a major attack vector.

    Another often-overlooked avenue of attack is the ISP itself. Unfortunately, the playing field isn’t always a fair one, according to Gustavas Davidavicius, Abuse Prevention Team Lead at IPXO. While larger ISPs have the IP and human resources needed to respond swiftly to threats, smaller ISPs often can’t compete.

    Davidavicius used the example of a recent DDoS attack against Vocus NZ, New Zealand’s third-largest ISP.

    “The pressures of having to make swift decisions can have a significant impact when managing security breaches. In this case, it seems that a few unfortunate decisions led to filtering out tons of legitimate traffic for all, leaving users without an Internet connection,” Davidavicius explained.

    “Cyber resilience has always been one of the top priorities, however, there is no single best solution that could address all the issues. As with all internet-related activities, the best way to protect yourself varies based on use cases and scope,” he continued.

    Unfortunately, until smaller ISPs are able to address their limitations, they will continue to be a weak link that hackers can exploit, leading to further internet outages.

  • Hive Ransomware Now Targets Linux and FreeBSD

    Linux and FreeBSD are being targeted by the latest version of Hive ransomware.

    Hive ransomware was first observed in June 2021, with the FBI warning about it in late August. Initially the ransomware targeted Windows only, but the creators are looking to expand that.

    According to security firm ESET, the hackers behind Hive have been working on a Linux and FreeBSD version.

    For the time being, the Linux and FreeBSD versions are not very effective. The ransomware tries to run as root but, unless it has root privileges, it fails to trigger encryption.

    While it’s good news that the Linux and FreeBSD versions of Hive don’t effectively work yet, “yet” is the operative word. It’s likely only a matter of time until the bugs are worked out, opening the Linux and FreeBSD communities to attack.

  • Stopping Ransomware Before it Gets Worse

    Injurious to business operations, software infrastructure, privacy, and information security, ransomware attacks are becoming far more frequent. The number of ransomware attacks grew by 700% or more in 2020. This growth is forecast to continue, with at least 3 out of 4 IT organizations facing at least 1 ransomware attack by 2025. The total global ransomware damage cost predicted for 2021 is $20 billion, but the true cost of ransomware attacks is much greater. Let’s examine ways of stopping ransomware below.

    Counting the True Cost of Ransomware

    Halting, and too often permanently ending, business operations, ransomware attacks cost businesses up to 23x more than the ransom itself. Enterprise size largely determines the cost of a ransomware attack, with small to medium enterprises (SMEs) representing 98% of claims in 2019. Ransomware claims varied between $2,500 and $10.1M in 2019, with an average claim of $424,000. Business interruption loss is frequently neglected when tallying ransomware attack damages. That same year, the average business-interruption cost to SMEs was $1.2 million per ransomware attack, with the highest being $6.5 million.

    Insurance premium increases, data loss, and a heightened risk of reinfection are some of the heftiest post-attack costs. In the first quarter of 2021, premiums increased 29% in January, 32% in February, and 39% in March. For high-risk organizations, these premium increases reached as high as 50-60%. Deductibles were raised to $1 million, on average, prompting more insurance clients to turn to cyber coverage, whose uptake has jumped from 26% in 2016 to 47% in 2020. Data loss is also financially depleting: on average, 61% of ransomware attack victims have lost data to corruption, with 82% reporting significant data loss. Another financial threat is reinfection. Occurring 80% of the time, reinfection is worth protecting against, especially as 46% of victims believe the same attackers were responsible.

    The ransomware group Avaddon made headlines in June of 2021 after calling it quits on their operation. The threat group had 88 known victims, but decryption keys were released for 2934 victims. If all the victims paid the average reported amount, the group made about $1.8 billion, but the full extent of Avaddon’s schemes has yet to be uncovered. With just 3% of victims reporting Avaddon’s attacks, the true success of their ransomware-as-a-service operation remains an enigma.

    How to Protect Your Business

    Now is the time to protect your business from ransomware. The best ways to do so are to increase employee alertness, stay in the know, invest in malware detection, and back up data. Increasing employee alertness means teaching employees how to assess whether an attachment, link, or email is legitimate. Staying in the know is key to shielding yourself against ransomware and involves tracking patches and software updates. Early detection of suspicious activity is your first line of defense, so adopting malware detection is a must. Last but not least, it’s critical to keep data backed up on external devices to aid recovery should there be an attack.

    As ransomware attacks advance, vulnerability is no longer a question of if but when. Be proactive and protect your business from the devastation bred by ransomware attacks. Learn more on stopping ransomware below:

    Stopping Ransomware Before It Starts

  • State Department Creating Cyber Office to Address Threats

    Emphasizing the Biden administration’s focus on cybersecurity, the US State Department is creating a new cyber office.

    Cybersecurity is front-and-center among the issues the Biden administration is trying to tackle. Ransomware attacks are on the rise, and many of the most devastating recent attacks have been at the hands of state-sponsored hackers.

    According to The Wall Street Journal, the State Department will reorganize to create “a new bureau of cyberspace and digital policy to be led by a Senate-confirmed ambassador-at-large and a new, separate special envoy for critical and emerging technology.”

    The changes are expected to be announced later this week, and come on the heels of a report by Microsoft that the Russia-backed group behind the SolarWinds attack has been ramping up its activity.

  • Ransomware Attack Takes Down Sinclair TV Stations

    Sinclair appears to be the latest victim of a ransomware attack, with its channels going down over the weekend.

    Ransomware has been a growing issue for organizations around the world and across industries. Sinclair is the latest high-profile victim, and disclosed the attack in a filing with the SEC.

    On October 16, 2021, the Company identified and began to investigate and take steps to contain a potential security incident. On October 17, 2021, the Company identified that certain servers and workstations in its environment were encrypted with ransomware, and that certain office and operational networks were disrupted. Data also was taken from the Company’s network. The Company is working to determine what information the data contained and will take other actions as appropriate based on its review.

    The attack disrupted broadcasting on Sinclair-owned channels, and may continue to do so for a time.

    While the Company is focused on actively managing this security event, the event has caused – and may continue to cause – disruption to parts of the Company’s business, including certain aspects of its provision of local advertisements by its local broadcast stations on behalf of its customers. The Company is working diligently to restore operations quickly and securely.

  • Microsoft Accused of Hosting Malware ‘For Years’

    Microsoft is facing additional cybersecurity scrutiny, as a security expert and former employee says OneDrive has hosted malware “for years.”

    Microsoft has not had a good year when it comes to cybersecurity. The company has had a number of high-profile issues with its services, including its Azure cloud platform.

    Kevin Beaumont, a former Microsoft Senior Threat Intelligence Analyst, is calling the company out for not addressing OneDrive abuses.

    https://twitter.com/GossiTheDog/status/1449087925740838922?s=20

    Beaumont also accuses the company of profiting off of its own security failures.

    https://twitter.com/GossiTheDog/status/1449096856194195460?s=20

    Beaumont’s entire thread is a damning indictment of Microsoft’s failures, especially at a time when it is trying to emphasize the importance of cybersecurity.

  • 90% of AWS S3 Buckets Are Vulnerable to Ransomware

    AWS is the leading cloud provider, but new research shows that 90% of S3 buckets are vulnerable to ransomware attack.

    AWS is the leading cloud provider, and has a good reputation for security and reliability. Despite that, however, research from Ermetic shows that identities pose a serious risk to security and open buckets up to the possibility of a ransomware attack.

    The IT community regards S3 buckets as extremely reliable. What organizations typically don’t realize is that the biggest risk to this storage comes from another source: identities. A compromised identity with a toxic combination of entitlements can easily perform ransomware on an organization’s data. Recent Ermetic research found that ransomware-vulnerable combinations are very common — putting most organizations using S3 buckets at risk.

    According to Ermetic, every enterprise environment the company studied had at-risk identities, with 90% of AWS S3 buckets vulnerable. A whopping 70% of machines were publicly exposed to the internet with permissions that could be exploited. Some 45% of environments had third party identities whose privileges could be escalated to admin level. In addition, 80% had IAM Users with access keys that had not been used for at least 180 days, but were still enabled.

    “Very few companies are aware that data stored in cloud infrastructures like AWS is at risk from ransomware attacks, so we conducted this research to investigate how often the right conditions exist for Amazon S3 buckets to be compromised,” said Shai Morag, CEO of Ermetic. “We found that in every single account we tested, nearly all of an organization’s S3 buckets were vulnerable to ransomware. Therefore, we can conclude that it’s not a matter of if, but when, a major ransomware attack on AWS will occur.”

    In a statement to WebProNews, Saumitra Das, Blue Hexagon CTO and Cofounder, said Ermetic’s research highlights the need to detect threats instead of simply trying to fix misconfigurations.

    “This report highlights the urgent need to “detect threats” in the cloud and not just focus on misconfigurations,” Das said. “Research from Cloud Security Alliance shows that even if misconfigurations are detected in S3 buckets or IAM access keys not being used for a long time, it takes a while for these to get detected and remediated – sometimes days, weeks and even months. It also highlights that ransomware is not just an on-premises problem but as the pandemic has accelerated cloud migration of workloads it has also accelerated cloud migration for attackers and ransomware criminal operators.”

    Das said there are three things companies must monitor: runtime activity of identities; cloud storage, including read/write patterns; and network activity, which can help companies ascertain when instances are exposed to the internet and when their identities are being misused.

    “You cannot guarantee that mistakes like identities being enabled for too long, too permissive, leaked in code will not happen,” Das continued. “They can only be reduced. On the other hand, keeping an eye on active attacks on the cloud infrastructure can thwart attackers from gaining enough privilege and access to ransom the data.”
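    The stale-key finding above (access keys unused for 180 days or more but still enabled) is something an account owner can check for directly. The script below is an added example, not part of the article or of Ermetic’s research: it parses the IAM credential report, the CSV that `aws iam get-credential-report` returns base64-encoded, and flags every enabled key whose last use is older than the threshold. The report rows, the account id and the user names are constructed sample data.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of the IAM credential report
# (the base64-decoded output of `aws iam get-credential-report`).
# Account id, users and timestamps are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T08:00:00+00:00,not_supported,2023-03-01T09:12:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2021-06-15T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-06-15T10:00:00+00:00,2023-03-20T04:31:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
old-backup,arn:aws:iam::111122223333:user/old-backup,2020-02-02T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-02-02T12:00:00+00:00,2022-07-01T00:00:00+00:00,eu-west-1,s3,true,2020-02-02T12:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
contractor,arn:aws:iam::111122223333:user/contractor,2022-01-05T09:00:00+00:00,true,2023-03-18T07:00:00+00:00,2022-01-05T09:00:00+00:00,2022-04-05T09:00:00+00:00,false,false,2022-01-05T09:00:00+00:00,2022-02-01T00:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _parse_ts(value):
    """Return an aware datetime, or None for the report's placeholder values."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def find_stale_keys(report_csv, now, max_idle_days=180):
    """Flag enabled access keys that have not been used within max_idle_days.

    Both key slots of every user are checked. An active key that has never
    been used is treated as idle since its last rotation (i.e. creation),
    which is the conservative reading of the report.
    Returns a list of (user, key_slot, idle_days) tuples.
    """
    findings = []
    cutoff = now - timedelta(days=max_idle_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # disabled or absent key: not a live credential
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            if last_used is None:
                last_used = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if last_used is None or last_used <= cutoff:
                idle_days = (now - last_used).days if last_used else None
                findings.append((row["user"], slot, idle_days))
    return findings


def stale_key_user_ratio(report_csv, now, max_idle_days=180):
    """Fraction of IAM users (root excluded) carrying at least one stale key."""
    users = [r["user"] for r in csv.DictReader(io.StringIO(report_csv))
             if r["user"] != "<root_account>"]
    flagged = {user for user, _, _ in find_stale_keys(report_csv, now, max_idle_days)}
    return len(flagged) / len(users) if users else 0.0


if __name__ == "__main__":
    # Fixed reference time so the sample report yields reproducible output.
    reference = datetime(2023, 3, 25, tzinfo=timezone.utc)
    for user, slot, idle in find_stale_keys(SAMPLE_REPORT, reference):
        print(f"{user}: access key {slot} enabled but idle for {idle} days")
    print(f"users with a stale key: {stale_key_user_ratio(SAMPLE_REPORT, reference):.0%}")
```

    Against a real account, decode the report with `aws iam get-credential-report --query Content --output text | base64 -d` and pass the text to `find_stale_keys`; keys it lists are candidates for deactivation and, per Das’s point, for watching in runtime activity logs until they are removed.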