Cybersecurity Warning for Healthcare Providers Issued by FBI

The FBI has issued a cybersecurity warning for healthcare providers on the use of FTP servers. FTP servers should have authentication controls in place to ensure only authorized individuals can access stored data. However, when FTP servers are in anonymous mode, access can be gained with a generic username and password. In some cases, access is possible without a password.

The usernames that provide access could be as simple as ‘FTP’ or ‘anonymous’ and lists of usernames can be easily found on the Internet. Cycling through a short list of possible usernames is likely to take seconds or minutes at the most and access to stored data can be gained without any hacking skills. Data stored on an anonymous FTP server could be accessed by anyone.

The FBI cybersecurity warning for healthcare providers cites research conducted by the University of Michigan in 2015 that shows the scale of the problem. The study revealed there are more than one million FTP servers in use around the world that allow anonymous access. Any data stored on those servers could be freely accessed by the public. Should those FTP servers contain sensitive data such as protected health information, it could easily be stolen and used for malicious purposes.

Firewalls and other perimeter defenses serve to protect networks and EHRs from cyberattacks, yet FTP servers could be a gaping hole in an organization’s defenses. Many healthcare providers use FTP servers to allow data to be easily shared with business associates and other healthcare entities. Yet, if authentication controls are not used they are a data breach waiting to happen.

The FBI has warned all medical and dental organizations to ensure that no sensitive data are stored on anonymous FTP servers and advises healthcare organizations to check if their servers are running in anonymous mode. Smaller organizations without the resources of large healthcare systems are more likely to have overlooked this vulnerability, although checks should be performed by all healthcare organizations.

The cybersecurity warning for healthcare providers explains the risks extend beyond the theft of sensitive data. If access to the servers can be gained, FTP servers could be used to store illegal material. Healthcare organizations may have cybersecurity solutions in place to monitor for data being exfiltrated, but not data that are being uploaded. Hacking tools could be uploaded to the servers or they could be used to share illegal content.

If FTP servers must be run in anonymous mode, healthcare organizations should ensure the servers only contain data that is publicly available.
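The check the FBI recommends can be made routine. The following is an added example, not code from the FBI notice or from any FTP vendor: it audits a vsftpd-style configuration for the anonymous-access settings that matter (the option names `anonymous_enable`, `no_anon_password`, `anon_upload_enable` and `anon_mkdir_write_enable` are vsftpd's own; the two sample configurations are constructed), and it includes a helper that confirms, against a server you operate, whether an anonymous login is actually accepted. Treating a missing `anonymous_enable` as off matches current vsftpd defaults but is an assumption, which is why the audit also asks for the line to be set explicitly.

```python
"""Audit an FTP server for anonymous access (added example, not from the FBI notice).

Parses vsftpd.conf-style text, reports whether anonymous logins are enabled and
what an anonymous user could do, and can verify the live setting on a server
you operate. Sample configurations are constructed for illustration.
"""
from ftplib import FTP, error_perm
from typing import Dict, List

# Constructed sample: a "business associate" share left in anonymous mode.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
no_anon_password=YES
anon_upload_enable=YES
local_enable=YES
"""

# Constructed sample: authenticated local users only, with TLS enforced.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Return option -> value (upper-cased), ignoring comments and blank lines.
    vsftpd uses key=value lines; a later key overrides an earlier one."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        options[key.strip().lower()] = value.strip().upper()
    return options


def audit_vsftpd_conf(text: str) -> List[str]:
    """Return findings; an empty list means anonymous access is explicitly off."""
    opts = parse_vsftpd_conf(text)
    findings: List[str] = []
    # Assumption: a missing anonymous_enable is treated as NO (vsftpd 3.x default).
    # Older builds defaulted to YES, so the audit still asks for an explicit line.
    if opts.get("anonymous_enable", "NO") != "NO":
        findings.append("anonymous_enable=YES: anyone can log in as 'anonymous' or 'ftp'")
        if opts.get("no_anon_password", "NO") != "NO":
            findings.append("no_anon_password=YES: anonymous login requires no password at all")
        if opts.get("anon_upload_enable", "NO") != "NO":
            findings.append("anon_upload_enable=YES: anonymous users can upload files "
                            "(the server can be abused to store tools or illegal content)")
        if opts.get("anon_mkdir_write_enable", "NO") != "NO":
            findings.append("anon_mkdir_write_enable=YES: anonymous users can create directories")
    if "anonymous_enable" not in opts:
        findings.append("anonymous_enable is not set: add anonymous_enable=NO so a build "
                        "default cannot silently enable anonymous mode")
    return findings


def anonymous_login_allowed(host: str, port: int = 21, timeout: float = 5.0) -> bool:
    """Confirm the live setting on a server you operate.

    ftplib's login() with no arguments sends the user 'anonymous' with the
    conventional 'anonymous@' password. A 530 reply (error_perm) means the
    server refused it; connection errors propagate so an unreachable host is
    never mistaken for a safe one.
    """
    try:
        with FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login()  # anonymous login attempt
            return True
    except error_perm:
        return False


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_vsftpd_conf(conf) or ['no anonymous-access findings']}")
```

Run the audit against the configuration of each FTP server in the inventory, then use `anonymous_login_allowed` against the same hosts to confirm the running service matches the file; a server that passes the file audit but accepts the login is reading a different configuration than the one reviewed.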

Educational Institutions Warned About Moodle Security Flaws

Educational institutions have been warned about Moodle security flaws that could allow cybercriminals to attack web servers, gain administrative privileges and run malicious code.

Many educational institutions use the Moodle platform for their e-learning websites. The platform allows students to access interactive online courses. There are almost 80,000 websites that use the open source platform, many of which are operated by schools, colleges and universities.

On Monday this week, security researcher Netanel Rubin disclosed a vulnerability – tracked as CVE-2017-2641 – that could be exploited to run malicious PHP code on an unpatched Moodle server. He pointed out on his blog that the problem does not lie with a single critical security flaw, but with a number of smaller vulnerabilities which can be exploited when combined.

An attacker could exploit the Moodle security flaws and create hidden administrative accounts; however, in order to exploit the flaws, it would be necessary for the attacker to have an account on the platform. It does not matter what type of account the attacker has, provided it is not a guest account. Since more than 100 million individuals log onto the websites to access courses, obtaining a user account would not pose too much of a problem.

The Moodle security flaws could be exploited by attackers to install backdoors in the system allowing persistent access to data stored on a Moodle server, and there is data aplenty. Highly sensitive information about students is stored on the system, including personal information, grades and test data.

According to Rubin, the Moodle security flaws affect all versions of the platform tested, including “3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions.”

Rubin pointed out that such a large system – Moodle contains more than 2 million lines of PHP code – will almost inevitably have numerous vulnerabilities. In this case, the code has been written by multiple authors which has led to logical flaws being introduced. The problem comes from having too much code, too many developers and a lack of documentation. That is a problem for any system of this size, not just Moodle.

Rubin was able to take advantage of the Moodle security flaws and gain administrative privileges on the server, after which it was child’s play to execute code. Rubin said it was as simple as uploading a new plugin to the server.

Last week Moodle released a patch to address a number of vulnerabilities in the system, although no information was released about what the patch addressed. All users of the system are advised to update to the latest version of the platform and apply the latest security patch as soon as possible.

Failure to update systems and apply patches promptly will leave systems vulnerable to attack, whether it is Moodle or any other platform or software. If patches are not applied it will only be a matter of time before security flaws are exploited to gain access to servers or computers and steal sensitive data.

Cyberattacks on Educational Institutions Have Soared in 2017

2017 has already seen numerous cyberattacks on educational institutions. The year has started particularly badly for the education sector and there is no sign of the cyberattacks abating any time soon. But why is the education sector being so heavily targeted by hackers, cybercriminals, and scammers?

It is easy to see why cyberattacks on financial institutions occur. There are substantial funds to be plundered. Cyberattacks on healthcare organizations are also common. Those organizations hold vast quantities of data; data that can be sold for big bucks on the black market and used for all manner of fraud: medical fraud, identity theft, tax fraud, and insurance fraud, for example.

However, the education sector is similarly being targeted. K12 schools, colleges, and universities have all been attacked and those attacks have soared in 2017.

The list of educational institutions that have reported cyberattacks in 2017 is long. Barely a day goes by without another educational institution being added to the list. Many of the cyberattacks on educational institutions are random, but it is becoming increasingly clear that the education sector is being targeted.

There are many reasons why the attacks have soared in recent months. Educational institutions hold vast quantities of valuable data, they have considerable computer resources that can be used by cybercriminals, and in contrast to other industry sectors, educational institutions are not as heavily regulated when it comes to cybersecurity protections. Defenses are relatively poor and educational organizations tend to have relatively few IT staff compared to the corporate sector.

In short, the potential profits from cyberattacks on educational institutions are high and attacks are relatively easy to perform. For cybercriminals that is an excellent combination.

What Data are Cybercriminals Attempting to Steal?

K12 school systems have been targeted by criminals in order to gain access to student data. Social Security numbers of minors are extremely valuable. Dates of birth and Social Security numbers can be used for identity theft and fraud and, in the case of minors, fraud is less likely to be identified quickly. Minors’ details can be used for longer.

Universities and school systems also hold considerable amounts of intellectual property and research. That information can be sold for considerable sums on the black market.

As we have seen on many occasions this year, the personal information of school employees has been targeted by scammers. Emails have been sent requesting W-2 Form data, which are used to file fraudulent tax returns in school employees’ names.

This tax season, the following colleges, universities, schools and school districts have reported that employees have fallen for a W-2 Form phishing scam and have emailed the data of their employees to cybercriminals.

  • Abernathy Independent School District
  • Ark City School District
  • Ashland University
  • Barron Area School District
  • Belton Independent School District
  • Black River Falls School District
  • Bloomington Public Schools
  • College of Southern Idaho
  • Corsicana Independent School District
  • Crotched Mountain Foundation
  • Davidson County Schools
  • Dracut Schools
  • Glastonbury Public Schools
  • Groton Public Schools
  • Independent School District
  • Lexington School District Two
  • Manatee County School District
  • Mohave Community College
  • Morton School District
  • Mount Healthy City Schools
  • Northwestern College
  • Odessa School District
  • Redmond School District
  • Tipton County Schools
  • Trenton R-9 School District
  • Tyler Independent School District
  • Virginia Wesleyan College
  • Yukon Public Schools

As with the healthcare industry, the reliance on data makes schools, colleges, and universities targets for ransomware attacks. Ransomware is used to encrypt data and a ransom demand is issued to unlock files. In many cases ransoms are paid as no backups of the encrypted data exist.

Some notable cyberattacks on educational institutions that have been reported this year are listed below.

2017 Cyberattacks on Educational Institutions

January 2017

Northside Independent School District in San Antonio, TX, discovered its email system had been hacked. Names, addresses, and dates of birth were potentially stolen. In total, 23,000 individuals were impacted by the incident.

South Washington County Schools in Minnesota discovered that one of its students had hacked into its system and stolen more than 15,000 employee records.

Los Angeles County College was attacked with ransomware in January and was forced to pay a ransom demand of $28,000 to regain access to its files. The attack resulted in most of the college’s infrastructure, including email and voicemail, being encrypted by the ransomware.

February 2017

Horry County Schools in South Carolina was forced to pay a ransom demand of $8,500 to recover data that were encrypted with ransomware. Even though the ransom was paid, systems were taken out of action for over a week as a result of the infection.

These are just a handful of the cyberattacks on educational institutions reported this year. Given the increase in cyberattacks on educational institutions, it is essential that schools, colleges, and universities take action and implement appropriate defenses to mitigate risk.

If you are in charge of cybersecurity at your educational organization and you would like to receive tailored advice on some of the best protection measures you can implement to reduce the risk of a cyberattack, contact the TitanHQ team today.

FBI Chief Issues Ransomware Advice for Healthcare Providers

At a recent cybersecurity conference, Director of the FBI James B. Comey gave valuable ransomware advice for healthcare providers to help them tackle the growing threat of attack. Comey confirmed that ransomware is now the biggest cybersecurity threat for the healthcare industry. Healthcare providers must be prepared for an attack and be able to respond quickly to limit the harm caused.

Ransomware is used to encrypt files and databases to prevent the victim from accessing essential data. Since healthcare providers need access to patient health information in order to provide medical services, healthcare providers are being extensively targeted. If data access is essential, victims are more likely to pay ransom demands.

However, Comey explained that ransoms should never be paid. If a ransom is paid, this only encourages cybercriminals to attack more businesses. The payment of a ransom sends a message to other cybercriminals that the attacks are profitable.

Ransomware can be sent randomly via spam email or distributed by malicious websites. Cybercriminals also install ransomware once access to a computer system has been gained and data have been exfiltrated. Tackling the problem involves implementing a range of cybersecurity defenses to prevent attacks and ensuring data can be recovered and business processes can continue if ransomware is installed.

In the case of the latter, data backups are essential. All critical data should be backed up on a daily basis at a minimum. Data backups can also be encrypted by ransomware, so it is essential that backup devices are not left connected to computers or servers. Data should ideally also be backed up in the cloud.

One of the best pieces of ransomware advice for healthcare providers is to prepare for an attack now. Healthcare organizations should not wait until a ransomware infection occurs to decide how to respond. Not only should policies be developed that can be implemented immediately following a ransomware attack, business continuity plans must be tested prior to a disaster occurring. The same goes for backups. Many organizations have been attacked with ransomware only to discover that they have been unable to restore their data due to a corrupted backup file.
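A restore drill is the only way to learn that a backup is corrupt before it is needed. The following is an added example, not code from the conference or from the FBI: it writes a SHA-256 manifest for a backup set and checks a restored copy against it, reporting files that are missing, altered, or unexpectedly present (the latter is how an encrypted copy or a ransom note dropped on a backup share would surface). The directory layout, file names and contents are constructed; the `restore_drill` function runs one complete drill in a temporary directory so the logic can be exercised without touching real data.

```python
"""Verify that a backup set restores intact (added example, not from the page).

A manifest of SHA-256 digests is recorded when the backup is taken; a scheduled
drill restores the set somewhere disposable and compares it with the manifest.
All file names and contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large database dumps do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> Dict[str, str]:
    """Map each file's path (relative to the backup root) to its digest."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_restore(restore_dir: Path, manifest: Dict[str, str]) -> List[str]:
    """Return problems found; an empty list means the restore is complete and intact."""
    problems: List[str] = []
    for rel, expected in manifest.items():
        target = restore_dir / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(target) != expected:
            problems.append(f"corrupted: {rel}")
    # Files that were not in the manifest deserve a look as well: an encrypted
    # copy or a ransom note in the backup location shows up here.
    for p in restore_dir.rglob("*"):
        rel = p.relative_to(restore_dir).as_posix()
        if p.is_file() and rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return sorted(problems)


def restore_drill() -> List[str]:
    """One simulated drill: take a backup, restore it, damage one file, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        restore = Path(tmp) / "restore"
        for d in (backup, restore):
            (d / "ehr").mkdir(parents=True)
        # Constructed sample data standing in for an EHR export.
        (backup / "ehr" / "patients.db").write_bytes(b"patient records v1")
        (backup / "ehr" / "schedule.csv").write_text("date,clinic\n2017-03-01,A\n")
        manifest = build_manifest(backup)
        # "Restore" the set, then corrupt one file the way a failed drill would reveal.
        for rel in manifest:
            (restore / rel).write_bytes((backup / rel).read_bytes())
        (restore / "ehr" / "patients.db").write_bytes(b"patient records v1\x00\x00")
        return verify_restore(restore, manifest)


if __name__ == "__main__":
    print(restore_drill())
```

In practice the manifest is stored with the backup (and a copy kept offline, since an attacker who can modify the backup can also rewrite a manifest sitting beside it), and the drill output is what the business continuity plan should require before a backup cycle is signed off.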

At the conference, there were many security professionals offering ransomware advice for healthcare providers, although when it comes to prevention there is no silver bullet. A range of ransomware defenses should be deployed to prevent email and web-borne attacks.

Cybersecurity solutions should be implemented to prevent malicious emails from being delivered to end users. Spam filtering solutions are one of the best defenses against email-borne threats as they block the majority of malicious emails from being delivered to end users. Cybersecurity solutions should also be implemented to prevent web-borne attacks. Web filters block malicious websites from being visited and can be configured to prevent downloads of malicious and suspicious files. Endpoint security solutions should also be considered. They can rapidly detect downloads of malicious files and prevent malicious software from being installed.

Employees must also be informed of the risk of attack and trained to be more cyber aware. Training should be reinforced with exercises to test whether cybersecurity training has been effective. Individuals can then be singled out and provided with further training as necessary.

Comey explained to attendees at the Boston Conference on Cybersecurity that the key to combating cybercrime is collaboration. Cybercrime has escalated in recent years and the problem is not going to be beaten by organizations acting independently. Collaboration between law enforcement organizations and companies across all industries is essential. Comey said all new cyberthreats and details of cyberattacks should be shared with the FBI.

New Fileless Malware Hides Communications in DNS Queries

A new fileless malware has been detected that uses DNS to receive commands and send information to the attackers’ command and control server. The stealthy communication method together with the lack of files written to the hard drive makes this new malware threat almost impossible to spot.

The attack method, termed DNSMessenger, starts with a phishing email, as is the case with many of the new malware threats now being detected. The host is infected via a malicious Word document.

Opening the Word document will display a message informing the user that the document has been protected using McAfee Secure. The user is required to enable content to view the document; however, doing so will call a VBA function that defines the PowerShell command and includes the malicious code. As is the case with other forms of fileless malware, since no files are written to the hard drive during the infection process, the threat is difficult to detect.

Fileless malware is nothing new; in fact, it is becoming increasingly common. What makes this threat unique is the method of communication it uses. The malware is able to receive commands via the DNS – which is usually used to look up Internet Protocol addresses associated with domain names. The malware sends and receives information using DNS TXT queries and responses.

DNS TXT records are commonly used as part of the controls organizations have in place to identify phishing emails and verify the sender of a message – Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC).

The attackers can send commands to the malware via DNS TXT queries and the malware can send the attackers the output of the commands via the same channel. Even if an organization has blocked outbound DNS for unapproved servers, the malware will still be able to communicate with the attackers’ C2 infrastructure, because the queries are relayed by the organization’s own resolver.

While many organizations inspect the contents of web traffic, relatively few inspect the content of DNS requests. The malware is therefore likely to operate unnoticed. Further, the Cisco Talos team that detected the malware reports that only 6 of 54 AV engines detected the threat, although ClamAV did identify the file as malicious.

Cybercriminals are constantly looking for new methods of bypassing security controls and infecting end users. However, since this threat is delivered via email, that is the point at which it is easiest to block. Infection also requires macros to be enabled. If macros are blocked, the malware will not be executed. Otherwise, since the DNS communications between the malware and the attackers differ from standard DNS communications, inspecting DNS content should enable security professionals to identify infection.
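What "differs from standard DNS communications" looks like in a resolver log can be made concrete. The following is an added detection example, not code from the Cisco Talos analysis: legitimate TXT lookups (SPF, DMARC, domain verification) are few and hit a handful of fixed names, whereas a command channel carried in TXT queries needs many distinct, long, high-entropy names under one domain. The script scores each registered domain on TXT-query volume, the number of distinct query names, and the length and Shannon entropy of the leftmost label. The log format, client addresses and domain names are constructed; the thresholds are assumptions to tune against your own resolver's baseline, and the two-label "registered domain" heuristic stands in for a public-suffix lookup.

```python
"""Flag DNS TXT traffic shaped like a command channel (added example, not from Talos).

Scores DNS query-log lines per registered domain. Format, names and thresholds
below are constructed assumptions; tune them against your resolver's baseline.
"""
import math
from collections import defaultdict
from typing import Dict, List

# Constructed log lines: "<time> <client> <qtype> <qname>"
SAMPLE_LOG = """\
09:12:01 10.0.5.23 A www.example-hospital.org
09:12:03 10.0.5.23 TXT _dmarc.example-hospital.org
09:12:04 10.0.5.23 TXT example-hospital.org
09:12:10 10.0.5.41 TXT 7v3k9q2jd8f1x0bzq4mwp.cdn-updates.example
09:12:12 10.0.5.41 TXT k2m8x1p9q0zv6j3n5rlt7.cdn-updates.example
09:12:14 10.0.5.41 TXT q9w4e7r2t5y8u1i0o3p6a.cdn-updates.example
09:12:16 10.0.5.41 TXT z1x2c3v4b5n6m7a8s9d0f.cdn-updates.example
09:12:18 10.0.5.41 TXT g5h6j7k8l9q0w1e2r3t4y.cdn-updates.example
09:12:20 10.0.5.41 TXT u7i8o9p0a1s2d3f4g5h6j.cdn-updates.example
09:12:25 10.0.5.23 A mail.example-hospital.org
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score high, words and hostnames low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def registered_domain(qname: str) -> str:
    """Assumption: the last two labels are the registrable domain (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_log(text: str) -> List[dict]:
    """Parse the constructed four-field log format, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        t, client, qtype, qname = parts
        records.append({"time": t, "client": client,
                        "qtype": qtype.upper(), "qname": qname.lower()})
    return records


def score_txt_traffic(records: List[dict], min_txt: int = 5, min_unique: int = 4,
                      min_entropy: float = 3.5, min_label_len: int = 16) -> Dict[str, dict]:
    """Return domains whose TXT traffic crosses every threshold, with the evidence."""
    by_domain = defaultdict(lambda: {"txt": 0, "names": set(), "clients": set(),
                                     "entropies": [], "lengths": []})
    for r in records:
        if r["qtype"] != "TXT":
            continue
        dom = registered_domain(r["qname"])
        d = by_domain[dom]
        d["txt"] += 1
        d["names"].add(r["qname"])
        d["clients"].add(r["client"])
        if r["qname"] != dom:                       # apex lookups carry no payload label
            first = r["qname"].split(".")[0]
            d["entropies"].append(shannon_entropy(first))
            d["lengths"].append(len(first))
    alerts: Dict[str, dict] = {}
    for dom, d in by_domain.items():
        mean_entropy = sum(d["entropies"]) / len(d["entropies"]) if d["entropies"] else 0.0
        mean_len = sum(d["lengths"]) / len(d["lengths"]) if d["lengths"] else 0.0
        if (d["txt"] >= min_txt and len(d["names"]) >= min_unique
                and mean_entropy >= min_entropy and mean_len >= min_label_len):
            alerts[dom] = {"txt_queries": d["txt"], "unique_names": len(d["names"]),
                           "clients": sorted(d["clients"]),
                           "mean_label_entropy": round(mean_entropy, 2),
                           "mean_label_len": round(mean_len, 1)}
    return alerts


if __name__ == "__main__":
    for dom, evidence in score_txt_traffic(parse_log(SAMPLE_LOG)).items():
        print(f"suspicious TXT channel: {dom} {evidence}")
```

The `clients` field is what an analyst needs first: it names the host to isolate and image. Requiring all four conditions keeps SPF and DMARC lookups out of the alert, since those hit one or two fixed names; the counts should be computed over a sliding window on a live feed rather than over a whole file.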