The target: Magellan Health, a for-profit managed health care and insurance firm
The take: Names, addresses, employee ID numbers, W-2 or 1099 details, social security and Taxpayer ID numbers, and in some cases, usernames and passwords for an undisclosed number of ‘current employees’.
The attack vector: After an initial round of phishing e-mails, attackers obtained user credentials and accessed internal systems, deploying software to capture login credentials for some staff, and exfiltrating personal employee information before deploying a ransomware attack on Magellan’s system some days later.
This example illustrates the cumulative and progressive nature of a breach, once initiated – no cyber-attack exists in isolation. Once an attacker has gained access to privileged accounts and systems, they can execute multiple attack vectors – exfiltrating sensitive data, and triggering a ransomware attack on internal systems, either to distract from their earlier activities or for purely financial gain. Security controls must be many and layered to ensure that a compromise of one can still be mitigated and contained.
CTV: Canada’s top cybersecurity agency has initiated the takedown of more than 1,000 “malicious imitation” websites attempting to scam or misinform people about the government’s COVID-19 financial aid programs. It has also observed phishing attempts preying on people’s anxiety around the pandemic—some by state-sponsored actors— masquerading as messages from public health officials.
ZDNet: New research released today from Mountain View, CA-based security platform MobileIron has revealed that the C-suite is the most likely group within an organization to ask for relaxed mobile security protocols, despite this group also being highly targeted by malicious cyber attacks.
Institutional Asset Manager: Cybersecurity is consistently in the top quartile of exchange and CCP focus, according to the WFE’s regular surveys of membership priorities. Across the membership, market infrastructures have dedicated time and resources to contingency planning and the associated cybersecurity requirements. These efforts are typically subject to regulatory and supervisory scrutiny, as well as in-house or external auditor stress testing.
ZDNet: The coronavirus pandemic has forced both employers and employees to quickly adjust to remote working – and, often without the watchful eyes of IT and information security teams, workers are taking more risks online and with data than they would at the office.
Charlotte Business Journal: The breach occurred on April 22, as BofA uploaded PPP applications onto the U.S. Small Business Administration's test platform, according to a filing with the California Attorney General's Office. The limited-access platform allowed lenders to test PPP submissions before the second round began.
ZDNet: Made public on May 19, easyJet said that information belonging to nine million customers may have been exposed in a cyberattack, including over 2,200 credit card records.
BCW: Businesses of all sizes still harbour the belief that simply having a cybersecurity strategy and implementing the right policies is the complete answer to defending against cybercrime. However, the reality is that much more is needed to achieve strong defences in today’s heightened threat landscape. In fact, according to the recent UK government Cyber Security Breaches Survey 2020, almost half of UK businesses (46%) reported a cybersecurity breach or attack in the last 12 months.
The target: Covve, an ‘intelligent contact management solution’.
The take: a 90GB database containing names, e-mail addresses, phone numbers, business names & titles, social networking links and personalized notes affecting more than 23 million individuals.
The attack vector: While this incident was, at its core, another all too familiar instance of an unsecured database left publicly exposed, the notable factor in this breach is that the personally identifiable information leaked wasn’t that of the service’s users. Since Covve is a contact management app, the names, contact details, notes and social networking handles that were publicly leaked all belong to individuals who do not and probably never have used the service.
From an individual standpoint, this breach highlights just how challenging it can be to maintain control over personal information – 23 million people, through no action of their own, saw their personal information exposed in this breach. From an organizational standpoint, again – a firm must be acutely aware of the kind of data they are storing and processing, and be able to ensure that it is being handled and protected in a manner commensurate to the sensitivity of that data.
GlobeNewswire: Forescout Technologies, Inc. (Nasdaq: FSCT), the leader in device visibility and control, filed a complaint with the Delaware Court of Chancery asserting that affiliates of Advent International Corporation (“Advent”) have violated the terms of their merger agreement with Forescout. Forescout is asking the Court to compel Advent to honor its commitments and immediately complete the pending acquisition of Forescout.
Insurance Business America: Allianz Group has announced the appointment of Dr. Catharina Richter as global head of its Cyber Center of Competence (CoC). The appointment will take effect June 01.
CNN Business: What started as a school-based program to teach kids a new skill is extending into a virtual cyber school. It's filled with lessons and games to teach users how to fix security flaws on webpages, uncover trails left by cybercriminals and decrypt codes used by hackers.
The Sydney Morning Herald: Cyber attackers, including foreign governments, are taking advantage of the coronavirus pandemic to try to hack the computer systems of hospitals and medical services, the Australian government has warned.
BBC: EasyJet has admitted that a "highly sophisticated cyber-attack" has affected approximately nine million customers. It said email addresses and travel details had been stolen and that 2,208 customers had also had their credit and debit card details "accessed".
Reuters: Israeli defence firm Elbit Systems (ESLT.TA) said on Tuesday the Charlesbank Technology Opportunities Fund invested $70 million in Elbit’s commercial cybersecurity subsidiary Cyberbit.
CNN Business: A desire to steal money continues to be the leading motivator behind cyber attacks, according to Verizon's annual Data Breach Investigations Report.
The target: Norfund, a Norwegian state-owned Private Equity company.
The take: $10 million USD, diverted from a microfinance institution in Cambodia to a Mexican bank account.
The attack vector: Attackers gained access to Norfund’s e-mail system, likely via a phishing attack, and studied communication between Norfund and their partners. This allowed them to identify those responsible for money transfers, and create a false Norfund e-mail address to impersonate the individual authorized to wire large sums of money via their bank. The attackers diverted the payment intended for the Cambodian institute to a Mexican bank account, fraudulently created in the same name. The attackers delayed discovery of the fraud by over a month by continuing communication in both directions with both Norfund employees and the Cambodian institute, thereby ensuring that the banks would be unable to reverse the fraudulent transfer.
This is, unfortunately, yet another example of a sophisticated business e-mail compromise attack, wherein a very capable group of attackers used access to an internal system to learn the patterns, habits, and procedures of an organization and then proceeded to exploit them. Addressing complex threats like this one require complex and multi-levelled controls – user phishing training and two-factor authentication for e-mail accounts, monitoring of access to e-mail systems, and robust and layered controls around cash transfers that require multiple channels of verifiable communication.
Financial News: The Covid-19 crisis has been a major headache for the asset management sector — most investment houses have bled heavy outflows and seen revenues plunge as investors wait out the turmoil.
Bloomberg: German Chancellor Angela Merkel accused Russia of mounting what she called an “outrageous” cyberattack on her email account and floated the possibility of further sanctions against Moscow.Read more...
Construction News: A Bam spokesman said the business had “stood up well” after hackers gained access to parts of the company’s IT systems. He added it remained “business as usual” for its operations. The contractor has responded by taking a number of its systems offline, including its website, to neutralise the attack while also adding extra defences to guard against future hacks. Bam Construct has been assisted by its Dutch-based parent Royal Bam and external IT experts in responding to the incident.
CNN: The US Department of Homeland Security and the FBI issued a "public service announcement" Wednesday warning that China is likely launching cyberattacks to steal coronavirus data related to vaccines and treatments from US research institutions and pharmaceutical companies, calling it a "significant threat."
Institutional Investor: Just as the reality of the Covid-19 pandemic was setting in for many Americans, the Treasury Department’s Financial Crimes Enforcement Network issued an admonition advising “financial institutions to remain alert about malicious or fraudulent transactions similar to those that occur in the wake of natural disasters.”
ITPro: The aim of the freshly minted partnership includes expanding Deloitte’s managed security services portfolio for customers worldwide. This partnership will also include the integration of Cortex XDR, Cortex XSOAR (formerly Demisto) and Prisma Cloud solutions into Deloitte’s EMEA Cybersphere Center security catalog.
Coindesk: Unscrupulous hackers are socially engineering their way into financial systems and financial accounts. Well intentioned efforts to promote public safety are fostering prospective abrogation of personal data privacy. At the same time, there are new areas of business opportunity for distributed ledger companies emerging from the crisis.
The target: Small Business Administration (SBA), a US government agency that supports entrepreneurs and small businesses.
The take: Up to 8,000 applications for Economic Injury Disaster Loans may have been improperly exposed to other applicants, including such sensitive data as social security numbers, addresses, phone numbers, dates of birth, income and financial/insurance information.
The attack vector: A flaw in the caching configuration of the online loan application portal, implemented to accommodate increased demand, meant that when one applicant pressed the ‘back’ button in their web browser during the application process, they may have been served a page containing the application data belonging to another business.
Scalability of critical infrastructure is an essential component of web applications and electronic tools – sudden increases in demand for certain services are a reality in the face of the evolving COVID-19 pandemic. It is equally critical, however, that while considering system capacity, security controls are not weakened.
The Canberra Times: Up to 150 people have lost $10,000 from their superannuation accounts through a sophisticated fraud, police confirmed.
Federal Police Commissioner Reece Kershaw said a cybercrime team was investigating the fraud, which came to light on April 30.
Security Magazine: LastPass by LogMeIn released findings of its third Psychology of Passwords global report, revealing that people aren’t protecting themselves from cybersecurity risks even though they know they should. Year after year there is heightened global awareness of hacking and data breaches, yet consumer password behaviors remain largely unchanged, says the report.
Dark Reading: Women are better at cybersecurity and protecting themselves online, new research by NordPass suggests. The survey revealed that women are more concerned about the potential harm of their personal online accounts being hacked. They also tend to use unique passwords more often than men.
CNN: The United States and United Kingdom issued a new advisory Tuesday warning of ongoing cyberattacks against organizations involved in the coronavirus response, including health care bodies, pharmaceutical companies, academics, medical research organizations and local government.
Institutional Asset Manager: As firms reopen their offices, reduced density rules are likely to prevail for some time, meaning a workforce that is spread between the office and home. Monitoring communications by staff working in multiple locations will require changes in compliance processes, which may prove challenging if access to on-premise technology is needed.
ZDNet: The US Financial Industry Regulatory Authority (FINRA) has issued a rare cyber-security alert today warning member organizations of "a widespread, ongoing phishing campaign."
Tech Crunch: The UK’s data protection watchdog confirmed today the government still hasn’t given it sight of a key legal document attached to the coronavirus contacts tracing app which is being developed by the NHSX, the digital transformation branch of the country’s National Health Service.
The target: Council of the City of Sheffield in South Yorkshire, England
The take: 8.6 million records of vehicle movements, labelled with license plate numbers and millions of photographs from the county’s 100 surveillance cameras.
The attack vector: The city’s Automatic Number Plate Recognition (ANPR) system was left exposed and publicly available to anyone with an internet connection – furthermore, the internal dashboard on this exposed system employed absolutely no password protection or other method of authentication. Anyone with the public IP address of the system could immediately access and search the system by license plate number, potentially allowing bad actors to recreate the travel patterns and movements of individual citizens, minute by minute.
As we have previously emphasized, security controls must be commensurate with the level of sensitivity of data being stored, and must travel with that data throughout its lifecycle. When personally identifiable information is being collected and processed, best practise would prescribe multiple compensatory layers of protection, as consequences for breaches of such data can include falling afoul of the GDPR and privacy legislation in other jurisdictions.
ZDNet: A cybercrime group operating since mid-2019 has breached the email accounts of high-ranking executives at more than 150 companies, cyber-security firm Group-IB reported today.
Ai Thority: Cofense, the global leader in intelligent phishing defense solutions, announced the appointment of Tom McDonough to its Board of Directors as well as an additional investment from funds managed by BlackRock Private Equity Partners to support Cofense’s growth strategies. Initially inked in 2018 and expanded in 2019, Cofense’s continued partnership with BlackRock provides additional growth capital to advance research and development as well as further the company’s global expansion.
ZDNet: The coronavirus pandemic has brought big changes to the cybersecurity industry, with the vast majority of security professionals now working from home – and almost half being reassigned to general IT support as organisations adapt to the challenges of remote working.
DARKReading: The global shift to remote work has caused a level of network disruption in 86% of companies, a new study shows. Of the organizations surveyed, 41% said they experienced moderate disruptions to network security practices, 23% saw major disruptions, and 22% said disruptions were minimal.
Funds Europe: The UK’s Investment Association has set up a platform to help investment managers protect their firms against cyber security threats.
ZDNet: The financial sector has seen more brute-force attacks and credential stuffing incidents than DDoS attacks in the past three years, F5's cyber-security unit said in a report published.
The Asset ESG Forum: Ongoing worldwide lockdown measures have made working from home the norm, thus increasing the chances of being exposed to cyber-attacks and practices such as phishing - fraudulent messages that resemble e-mails from trusted sources.