Cybersecurity Archives - TechInformed
https://techinformed.com/tag/cybersecurity/
Feed updated Fri, 06 Sep 2024 11:32:14 +0000

TI:TALKS: Brazil bans X, plus finding cybersecurity talent with Tom Alcock
https://techinformed.com/brazil-bans-x-plus-finding-cybersecurity-talent-recruitment-with-tom-alcock/
Fri, 06 Sep 2024 11:07:03 +0000

The post TI:TALKS: Brazil bans X, plus finding cybersecurity talent with Tom Alcock appeared first on TechInformed.

In this episode of TI:TALKS, Ricki and TI’s editor, James, discuss cybersecurity talent and the recent ban of X (Twitter) in Brazil after the country’s presidential election due to the spread of misinformation and disinformation across the platform.

They explore the difficulties governments face in regulating social media platforms while maintaining free speech, and Elon Musk’s controversial stance of free speech absolutism.

The conversation then moves to an insightful interview with Tom Alcock, founder of Code Red Partners, who shares his expertise in cybersecurity recruitment. He discusses the need to recruit beyond traditional methods, emphasising practical experience and diverse backgrounds.

Alcock also highlights the challenges of retaining cybersecurity talent, especially the importance of creating inclusive environments that foster engagement and prevent attrition to illicit opportunities. Diversity, he explains, plays a crucial role in bringing new perspectives and enhancing the overall effectiveness of cybersecurity recruitment.


Transport for London hit by major cyber-attack; no customer data breached
https://techinformed.com/major-transport-for-london-cyber-attack-no-disruption-to-service/
Tue, 03 Sep 2024 15:52:31 +0000

Transport for London (TfL), responsible for the English capital’s public transportation network, has been hit with a significant cybersecurity incident.

Though specific details remain sparse, Shashi Verma, TfL’s chief technology officer, has assured the public that there is currently no evidence of customer data compromise.

“We have introduced a number of measures to our internal systems to deal with an ongoing cyber security incident. The security of our systems and customer data is very important to us, and we will continue to assess the situation throughout and after the incident.

“There is currently no impact to TfL services, and we are working closely with the National Crime Agency and the National Cyber Security Centre to respond to the incident,” he said.

The organisation’s corporate headquarters at Palestra House, Southwark, is thought to be the main site affected. As part of the mitigation measures applied there, employees have been advised to work from home.

The organisation has been transparent in its communication, aiming to prevent misinformation and reassure the public, particularly given the ongoing nature of the attack.

A passenger using an Oyster Card on the London Underground

Javvad Malik, lead security awareness advocate at KnowBe4, emphasised the need for ongoing vigilance, particularly for organisations managing public infrastructure.

“We also need to bear in mind that the main root causes which allow criminals to penetrate organisations are social engineering, unpatched software, or poor credentials. While it’s not certain how the breach at TfL occurred, it is quite likely one of these avenues would be the culprit,” he said.

Mayur Upadhyaya, CEO and co-founder of APIContext, noted that the attack on TfL underscores the importance of securing all parts of an organisation’s IT infrastructure, not just those directly exposed to the public.

He added: “TfL’s response, including the work-from-home directive and enhanced security measures, underscores the need for preparedness and contingency planning to minimise the impact of cyber incidents. Such proactive steps are crucial for maintaining operational resilience and mitigating potential damage.

“In today’s interconnected world, APIs are the lifeblood of digital operations. Securing these gateways is paramount to preventing unauthorised access and data breaches. Regular security assessments, vulnerability management, and incident response planning are essential components of a robust cybersecurity strategy.”

The cyber-attack comes after a string of attacks on public services in recent months, including a June cyber-extortion attempt on the NHS by the Russian ransomware gang Qilin.

William Wright, chief executive of cybersecurity company Closed Door Security, added: “The big question people will also want to know is who carried out the attack and if it can be attributed to another country, like Russia. TfL was also attacked by Russia last year, so it definitely isn’t out of the realm of possibility.”

Last year, personal information was stolen in an attack by a Russian ransomware group.

Wright said: “Given Russia’s recent uptick in attacks on the West, it wouldn’t be surprising, but it is far too early to speculate.”

A coffee with…Erich Kron, security awareness advocate, KnowBe4
https://techinformed.com/a-coffee-with-erich-kron-security-awareness-advocate-knowbe4/
Fri, 30 Aug 2024 11:07:05 +0000

A well-known speaker on the cybersecurity circuit, Erich Kron educates IT administrators, security professionals and users on ways to protect themselves and their firms from cyber-threats, which include ransomware, phishing and other social engineering attacks.

After holding IT roles in the US military and aerospace industries, Kron moved into a senior cybersecurity role at the US Army’s Regional Cyber Centre, joining Florida-based KnowBe4 eight years ago as a security awareness advocate.

KnowBe4 is a security awareness training and simulated phishing platform that helps organisations address the human element of cybersecurity. It boasts over 65,000 customers, ranging from small businesses to big enterprises.

Earlier this month the company acquired UK-based AI-powered email security firm Egress to help it create an advanced artificial intelligence-powered cybersecurity platform. KnowBe4 also hit the headlines recently for unwittingly employing a North Korean hacker.

Tell us more about KnowBe4’s training platform and how the acquisition of Egress will enhance it.

What our platform really tackles is the human element involved in cybersecurity, which means a lot of training, a lot of education and simulations of phishing attacks. These give you a chance to practise what you have learned during training. If people make a mistake, it’s not a problem, it’s a fail-safe environment – it’s not the end of the world if you make a misstep.

Egress is going to help us to expand our platform even more so we can do things with the emails – put more warning banners on things that say ‘Hey this looks like a phishing email because of this’…It gives them an idea to be more careful of that email.

Do you cover newer threats such as deepfakes?

We teach people about deepfakes; we educate people on the dangers of deepfakes, but we don’t generally generate deepfakes. We have an AI component within our platform that is very cool. It looks at what people are trained on, and it will choose the templates relevant to individuals. AI does a really good job with personalising training packages.

Is email still considered the main vector for phishing attacks?

It’s interesting the attackers are starting to pivot. They are trying to get people out of email and onto other platforms such as WhatsApp or Teams. So, we have filters that look at email traffic but if you go on WhatsApp that’s going to be a whole lot harder to see. It’s a clever way of doing it – another evolution of tech in general and then exploiting it for bad.

Are you noticing an increase in attacks on targeted individuals?

Most phishing attacks have always been targeted spear-phishing attacks. I don’t know that I’ve noticed an increase in it. But I have noticed that the way they carry out attacks is more advanced. For example, in the old days, you’d get an email from the CEO saying I need you to email $250K right away – there’s always a sense of urgency… But when it’s followed up by a text message, people let their guard down; there’s an inherent trust. So, for the higher value targets, that kind of effort is being put into this to make it successful.

With GenAI, phishing appears to be getting more sophisticated – gone are the days of the badly spelt Nigerian Prince scam….

It seems like this when there are 6.4bn fake emails sent out every single day. A lot of these are caught by filters now. But the ones that make it through to people’s desktops are the higher quality ones. Because the bad ones are being caught, a side effect from filters is that people are being exposed to the higher quality ones. Which means the average person is going to be exposed to the more difficult-to-spot attacks.

And now AI is being used to increase the efficiency and the amount of people being attacked. It used to be you’d read one of these scams and the grammar and spelling were awful – what we’re finding now, is that the responses feel authentic. An English-speaking scammer can now turn something into German or American English. AI allows attackers to scale further.

Are we losing the battle?

I wouldn’t say that. But it’s still a tough thing to face. The technology is changing but the tactics remain the same. They still know that if they get you in a highly emotional state, you don’t think things through; that part hasn’t changed.

Frauds can fool the best of us. How did KnowBe4 accidentally end up hiring a North Korean hacker?

I can’t talk about everything because it’s still an open investigation, but we want to be very upfront because we want other firms to understand that this is a threat and we’ve written a blog about it.

We were looking for someone who was an AI developer, and we received over 1,000 responses, which we got down to 30-40 candidates and went through this whole hiring process. After four Zoom calls we ended up hiring someone with a great resume, and they went through a background check, the whole nine yards. And we hired them, sent over the equipment, but then we sensed immediately, upon letting them into the network, that they were downloading hacking tools.

Were they able to breach you?

When we hire new employees, their user account only grants limited permissions that allow them to proceed through our new hire onboarding process and training. And the way we do it, the only thing he had access to start with was his training modules.

We’re a very security conscious company – so when we confronted him, he said he was trying to fix something with his router for Wi-Fi. That didn’t add up –  so within 25 mins he was shut off the network.
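The control Kron describes, a new-hire account that can reach nothing but its training modules, is also what makes the anomaly stand out: an account a few days old has no business fetching tooling. The Python below is an added example of that triage, not KnowBe4’s own tooling or anything described in the interview. It scopes alerting to accounts still inside an onboarding window and flags watchlisted process executions or downloads from hosts outside the onboarding allowlist. The event format, the watchlist, the allowed hosts, the 14-day window and the sample events are all constructed for illustration.

```python
"""Flag tooling and downloads by accounts still in onboarding.

Added example, not KnowBe4's code. Everything below (event format,
watchlist, allowed hosts, onboarding window, sample data) is constructed.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

ONBOARDING_DAYS = 14  # assumed: how long an account counts as a "new hire"

# Assumed watchlist: tooling a trainee with access to nothing but learning
# modules has no reason to run. Matched case-insensitively on the image name.
TOOL_WATCHLIST = {"mimikatz.exe", "nmap", "sharphound.exe", "rclone", "psexec.exe", "chisel"}

# Assumed: the only hosts an onboarding laptop is expected to download from.
ALLOWED_HOSTS = {"lms.example.internal", "hr.example.internal"}


def parse_event(line):
    """Parse one constructed telemetry line of the form
    '<iso8601>|user=<name>|type=process|value=<image>' or
    '<iso8601>|user=<name>|type=download|value=<url>'."""
    ts, *fields = line.strip().split("|")
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def in_onboarding(event_ts, created_at):
    """True while the account is at most ONBOARDING_DAYS old at event time."""
    return timedelta(0) <= event_ts - created_at <= timedelta(days=ONBOARDING_DAYS)


def triage(lines, accounts):
    """accounts maps user -> account creation time (tz-aware datetime).
    Returns (user, reason, value) tuples in event order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        created = accounts.get(ev["user"])
        if created is None or not in_onboarding(ev["ts"], created):
            continue  # established accounts are covered by other rules
        if ev["type"] == "process" and ev["value"].lower() in TOOL_WATCHLIST:
            findings.append((ev["user"], "tooling-during-onboarding", ev["value"]))
        elif ev["type"] == "download":
            host = urlparse(ev["value"]).hostname or ""
            if host not in ALLOWED_HOSTS:
                findings.append((ev["user"], "download-outside-allowlist", ev["value"]))
    return findings


# Constructed sample data: one account created five days before the events,
# and one long-standing account whose noisy activity is out of scope here.
SAMPLE_ACCOUNTS = {
    "new.hire": datetime(2024, 7, 10, tzinfo=timezone.utc),
    "veteran": datetime(2021, 1, 4, tzinfo=timezone.utc),
}
SAMPLE_EVENTS = [
    "2024-07-15T14:02:11Z|user=new.hire|type=download|value=https://lms.example.internal/module1.pdf",
    "2024-07-15T14:09:40Z|user=new.hire|type=download|value=https://files.attacker.example/tools.zip",
    "2024-07-15T14:11:02Z|user=new.hire|type=process|value=Mimikatz.exe",
    "2024-07-15T15:00:00Z|user=veteran|type=process|value=nmap",
]

if __name__ == "__main__":
    for user, reason, value in triage(SAMPLE_EVENTS, SAMPLE_ACCOUNTS):
        print(f"{user}: {reason}: {value}")
```

The point of scoping by account age is that the same `nmap` execution by a long-standing engineer is a different question, handled by different rules; for an account that can only reach its training modules, any hit is worth a same-hour call to the person, which is roughly the 25-minute path Kron describes.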

What was their modus operandi?

This guy was part of a North Korean gang. They used AI generated modified photos as his picture along with a stolen identity of a US citizen and because it was backed by the North Korean state – he had a lot of documents and ID matches.

The guy really knew what he was doing. Then they use VPNs to access the workstation from their physical location, which is usually North Korea or China. From here it’s picked up by a new person who takes it to an apartment building, where it is operated by North Koreans working at an IT mule laptop farm.

The scam is that they are actually doing the work for us, acting as our employees and getting very well paid, and they give a large amount of these earnings to the North Korean government to fund their illegal programs.

On a lighter note, how do you take your coffee?

With cream and sugar.

What was the last piece of tech you bought for yourself?

A high-end video card so that I can play around with some of my own AI stuff at home. I’m working with LLMs to test them out and to see what’s going on behind the curtain.

I’m really fascinated by AI graphics – some of those GenAI tools are amazing. I’ve been looking at an AI video generator called Kling AI – which has just opened to the public. It’s hosted in China – which sometimes gives people reservations – but you can generate an image from a text prompt, a video from a text prompt or from taking the image in there and then prompting it to move and look around. It can generate some incredible stuff from just that 2D image. To me that’s fascinating.

Ransomware gangs of 2024: The rise of the affiliates
https://techinformed.com/ransomware-gangs-of-2024-the-rise-of-the-affiliates/
Fri, 30 Aug 2024 09:07:10 +0000

The last 12 months have brought big news on the ransomware front, with law enforcement announcing the takedowns of major ransomware gangs including LockBit and ALPHV/BlackCat.

But despite the success of the FBI and its allies in tackling some of the biggest threat actors, businesses find themselves no safer from cyber-attacks than in previous years.

Security firm WithSecure says the frequency of attacks and the ransom payments collected in the first half of 2024 were still higher than over the same periods in 2022 and 2023.

So, has the disbandment of two of the most dominant and well-known ransomware gangs done nothing to make enterprises more secure? Or is something else going on?

Emerging data from reports such as WithSecure’s indicate a shifting trend: affiliates once aligned with LockBit and ALPHV are now avoiding the big-name gangs. Trust in the larger groups has waned, with many members opting for smaller, more nimble operations.

A shift in the landscape

Since the downfall of LockBit in February, cybersecurity experts are still evaluating the long-term impact on the ransomware ecosystem – however, the prevailing consensus is that affiliates are adopting a more “nomadic” approach.

Affiliates are smaller criminal crews that lease a ransomware operator’s malware, techniques, stolen credentials and so on, in return for paying a monthly fee and handing over a percentage of any ransom payments.

“Through the data, the FBI identified 190 affiliates using LockBit’s service in February,” says Tim Mitchell, a security researcher at Secureworks.

“By May, following sanctions and indictments against LockBit’s admin, only about 60 affiliates remained active,” representing a dramatic two-thirds reduction in affiliates following the initial action.

With new sanctions in place, it has become illegal for companies in the US and the UK to pay ransoms to the gang, cutting off its primary revenue stream and attracting affiliates to other gangs.

“It’s surprising that they’re still active, albeit at a much lower rate,” says Mitchell. “March saw a significant surge in victim names, around 170 in one month (though many were possibly rehashed victims from earlier), but by June or July, the number had plummeted to about 12-15 victims.”

Before the exposure of its admin, its leader, Dmitry Khoroshev, declared the gang to be the “eternal” group. However, Mitchell believes that without a rebrand it is unlikely that LockBit will remain as disruptive as before.

For ALPHV, while the FBI disrupted its site in December 2023, the gang continued operating until early this year, when it claimed responsibility for the Change Healthcare attack that crippled pharmacies across the US, including those in hospitals.

Allegedly, although not publicly confirmed by Change Healthcare, the gang received a $22 million ransom payment. However, in this case the affiliate who executed the attack did not receive its share, and ALPHV went on to cease operations entirely – suggesting an exit scam.

This incident has eroded trust on both sides of the attack. Despite the large payment, Change Healthcare has not recovered the stolen data, and affiliates left homeless may have lost confidence in the well-known group.

Fragmentation

Following LockBit’s takedown, the number of ransomware groups listing victims has risen from 43 to 68, according to Secureworks data.

“For affiliates, it’s becoming clear that they might not get what they were promised from larger groups, which may be driving them towards smaller, more reliable groups,” says Mitchell.

“After BlackCat’s impact on the marketplace, affiliates were left without a platform, and no obvious successor emerged,” he added.

According to cybersecurity firm Mandiant, some threat actors claim to use multiple ransomware families simultaneously, providing them with some level of stability to weather possible disruptions to ransomware-as-a-service (RaaS) offerings.

It expects that “the threat actors impacted will likely in time be able to recover and continue to engage in ransomware and extortion activity.”

Going underground

“While government efforts slowed down well-known operators, other groups like Blacksuit, Medusa, and PLAY have filled the void LockBit left,” says Tyler Reese, director of product management at Netwrix.

Tyler Reese, director of product management, Netwrix

For instance, according to a report from researchers at GuidePoint Security, Medusa is offering generous profit-sharing percentages, with up to 90% going to affiliates – a much better deal than in the past, when affiliates were obliged to part with up to 40% of ransom profits to the gangs.

Another smaller gang, Cloak, is offering an 85% profit share with no initial payment needed to become an affiliate – a tactic that also appears to have worked for Medusa, whose victim numbers have surged since February, according to WithSecure.

Similarly, Mitchell adds, Qilin – responsible for recently publishing NHS data it obtained, and also caught stealing credentials stored in Google Chrome – has stepped up, though not to the same scale as LockBit.

As well as this, RansomHub, which provides infrastructure to affiliates and topped Bitdefender’s list of ransomware groups by number of victims in August this year, is attempting to recruit affiliates impacted by recent shutdowns or exit scams.

“RansomHub became a bit of a place for homeless ransomware operators,” says Mitchell.

According to WithSecure, it is attracting new recruits by letting them accept payment from victims directly, before passing RansomHub its share – something WithSecure says may be an attempt to reassure those spooked by ALPHV’s exit scam, which was only possible because that gang controlled the payments.

“In terms of top groups, there’s no clear leader, but there are a lot more schemes operating than ever before,” says Mitchell.

To gain access, “it’s still largely through old vulnerabilities in internet-facing services, and reusing stolen credentials,” he adds.

Ransom-where?

Determining where in the world an affiliate is located is also harder when it acts alone: most use the same tools, and will route through a Virtual Private Server (VPS) to make it look as if they are in another country.

“These groups are focused on making as much money as possible, focusing on critical infrastructure like hospitals and government agencies to cause major disruption,” says Kevin Curran, senior member of IEEE and professor of cybersecurity at Ulster University.

Kevin Curran, a senior member of IEEE and professor of cybersecurity at Ulster University

“AI-enhanced cyber-attacks are a serious concern for the near future. Authorities like the UK’s National Cyber Security Centre (NCSC) are focusing on ensuring AI systems are secure-by-design and continue to urge organisations to adopt robust cybersecurity,” he adds.

Ransomware remains a significant, and costly threat. According to Netwrix 2024 research, 45% of organisations that experienced a cyberattack have had to deal with unplanned expenses to fix security gaps.

Alongside this, 16% faced a decrease in company valuation, and 13% had to deal with lawsuits, compared to only 3% a year ago.

“There is no single solution or ‘magic bullet’ to eradicate ransomware entirely,” says Reese.

“Regular data backups, timely software and system patching, robust endpoint and network protection, and strong identity protections with multi-factor authentication are significant steps toward cyber resilience in the era of inevitable attacks.”

Operation 911: Anatomy of an Attack (Part 1)
https://techinformed.com/operation-911-anatomy-of-a-healthcare-ransomware-attack/
Thu, 29 Aug 2024 17:37:27 +0000

Looking out the window of a top-floor suite in the Mandalay Bay Hotel, across the Las Vegas skyline, a helicopter full of tourists sets off towards the Grand Canyon.

But inside this room full of cybersecurity experts, TechInformed is prepping for a different kind of sightseeing.

More than 20,000 cybersecurity professionals have gathered in the Nevada city in the August heat for Black Hat, a weeklong event that offers security consulting, training, and briefings to hackers, corporations, and government agencies.

We were invited to join several of those experts in this suite for an immersive tabletop exercise demonstrating a ransomware attack on a medical facility from both the offensive and defensive sides.

Tabletops are like the war games used to prepare military forces across the globe during times of peace.

The healthcare sector is a prime target for cyber criminals, and a surge in ransomware attacks on hospitals threatens patients’ safety and data.

Cyber firm Semperis’ temporary Vegas residence

High-profile attacks have included the Change Healthcare ransomware attack in February, which shut down the largest healthcare payment system in the US and led to a reported $22 million ransom payout.

When lives are at risk, the stakes are high: In May, an attack on Ascension Health, the operators of over 140 hospitals in the US, put patients’ lives at risk and crippled revenue flow in the healthcare industry for weeks.

In the UK, meanwhile, a cyber-attack in June on pathology service Synnovis impacted several London hospitals and led to an unprecedentedly low level of blood stocks across England.

Tabletop scenario

And so, a dozen or so people have gathered for this tabletop – Operation 911.

Participants include several hospital executives, the FBI, software developers, security professionals, hackers who have worked for various military organisations and local law enforcement officers from the Las Vegas Metropolitan Police Department.

They are split evenly into two teams: The red team, ‘The Red Raccoons,’ is charged with launching a high-stakes ransomware attack against Sunshine Healthcare, a fictitious hospital located in Las Vegas renowned for its patient care, new innovations, and recent acquisitions.

They are led by Semperis security researcher Tomer Nahum, who has recently achieved Microsoft Most Valuable Researcher (MVR) status.

Semperis healthcare tabletop, from left to right: Jeff Wichman, Marty Momdjian and Tomer Nahum

The Purple Knights, meanwhile, take on the role of the hospital’s incident response and crisis management team. They are guided by Jeff Wichman, a former ransomware negotiator who is now Semperis director of incident response.

Both teams are shepherded through each step by Marty Momdjian, Semperis EVP of services, who has over 20 years of experience in healthcare cyber protection.

High profile

Momdjian explains that the tabletop is based on a real-life scenario that lasted around 30 days from the start of the event to the recovery.

Profiling Sunshine Healthcare, he adds that the company turned over $9bn in revenue last year and has a total of 2,500 licensed beds across its five Vegas locations. The company owns the only trauma centre in the region and has 50 in-state clinics. For simplicity, all patient records are kept on a single electronic medical record (EMR) system.

“One of the reasons we wanted to feature an expanding facility is that healthcare facilities go through a lot of M&A, and they become vulnerable targets for hackers,” explains Momdjian.

Tabletop objectives for hackers and defenders

He adds that because there’s a trauma centre, the stakes are higher because this must be kept up and running – it’s not a case of shutting all systems down.

“This is a real scenario that’s occurred in major metropolitan areas where there are always Level 1 and 2 trauma centres. When those go offline, it becomes extremely chaotic. And it’s very, very painful,” Momdjian adds.

According to the health sector cyber expert, every healthcare company has been striving towards a single EMR for the last decade, but having one centralised point for medical records also makes it more open to attacks.

“If the EMR goes down, all your sites will go down. All physical locations, units, departments, patient care workflows, ADT (patient tracking), and anything that goes through the EMR are on a single platform,” Momdjian points out.

“The Purple Knights especially need to think about that when they are going through the exercise and the steps and what the impact is with any decision you are making.

“On the red team, that’s your target – to get to the EMR, get the data, exfiltrate and then extortion, disrupting patient services to the extent that the hospital has no other option but to pay the ransom.”

Attack framework

For the Purple Knights, Momdjian suggests following the latest guidelines from the US Department of Health and Human Services’ HC3 framework, which he has contributed to, as well as the standard NIST framework.

Frameworks like these can help frequently attacked organisations see the wood for the trees. He explains: “There are alerts coming out every single day — it’s complete overload. So the focus for us is working through what really matters when a major ransomware attack occurs—because the faster you respond, the faster you can recover.”

The red team, meanwhile, is instructed to follow the kill chain (the phases or steps involved in a cyber-attack) which, Momdjian adds, is well documented for the adversaries that target healthcare.

In terms of finding a way into the hospital group’s systems, the red team decides to target VIP executives attached to the company in some capacity. “We’re looking for names of executives that have been in the news a lot and have active social media accounts,” explains one red team member.

“We’ll look at what systems they’re using and what their admins are so that we can come up with some kind of social engineering strategy to gain access to the network,” he added.

The weakest link

As Sunshine Health also has a university relationship and a research department, the red team is also sniffing around this to find a way in.

“Universities are notorious for having weak security,” adds another red team member. “We’re using that connection between the university and the main hospital system as an access point so that we can look for weaknesses and external apps.”

Red team target hospital exec via LinkedIn page and dark web password dump

The targeting of a prestigious university researcher rings true with one member of the Purple Knights, who asks Momdjian for advice. The expert says he’s encountered this type before.

“They want to be published and are posting a lot. They tend to use the same password for their healthcare system as they do for social media and LinkedIn. And they make it easy for hackers to find because they tend to use their work email address to sign up for other accounts,” he says.

He advises that if these high-profile medics and researchers don’t cooperate, protective measures need to be applied to them regardless. “Limit their access. If an incident is escalated to a specific level, remove their access because you know they are an easy target. Tell them that it is part of your policy.”

He adds that it’s standard for hackers to find a way in by buying a password dump from the dark web. “So incident response (IR) should start by making a list of their VIP execs — doing dark web checks on execs and VIPs.”
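Momdjian’s advice above, start IR by listing the VIPs and checking dark web dumps against them, and the red team’s purchase of a password dump both come down to one question: which leaked passwords still work today? The Python below is an added example of that check, not Semperis’ or TechInformed’s tooling. It parses a dump in the loose delimiter formats such dumps come in, keeps only the organisation’s own domains, ranks VIPs first, and compares each leaked password against the directory’s stored PBKDF2 hash to separate “exposed but rotated” from “reused and still valid”, which is the case that needs access pulled immediately. The domains, VIP list, dump lines, salts and stored hashes are constructed for illustration.

```python
"""Triage a leaked credential dump against an organisation's accounts.

Added example, not Semperis' or TechInformed's code. Domains, VIP list,
dump lines, salts and stored hashes are all constructed for illustration.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Assumed: the mail domains the hospital group and its research arm use.
ORG_DOMAINS = {"sunshine-health.example", "sunshine-research.example"}

# Dumps arrive as "email:password", "email;password", "email | password" ...
# Split on the first delimiter only, so passwords containing ':' survive.
DUMP_LINE = re.compile(r"^\s*(?P<email>[^\s:;|]+@[^\s:;|]+)\s*[:;|]\s*(?P<pw>.*?)\s*$")

PBKDF2_ROUNDS = 100_000  # assumed directory setting


@dataclass(frozen=True)
class Finding:
    email: str
    vip: bool
    status: str  # "reused", "rotated" or "unknown-account"


def parse_dump(text):
    """Return (email, password) pairs; lines that do not parse are skipped."""
    pairs = []
    for raw in text.splitlines():
        m = DUMP_LINE.match(raw)
        if m:
            pairs.append((m.group("email").lower(), m.group("pw")))
    return pairs


def in_scope(email):
    return email.rsplit("@", 1)[1] in ORG_DOMAINS


def pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def triage(dump_text, vip_emails, current_creds):
    """current_creds maps email -> (salt, pbkdf2_digest) as stored by the directory.
    Returns findings with VIPs whose leaked password still works listed first."""
    vips = {e.lower() for e in vip_emails}
    findings, seen = [], set()
    for email, pw in parse_dump(dump_text):
        if not in_scope(email) or (email, pw) in seen:
            continue  # other people's accounts, or a duplicate line
        seen.add((email, pw))
        stored = current_creds.get(email)
        if stored is None:
            status = "unknown-account"  # leaked identity, but no such login today
        else:
            salt, digest = stored
            # Constant-time compare, as with any password check.
            status = "reused" if hmac.compare_digest(pbkdf2(pw, salt), digest) else "rotated"
        findings.append(Finding(email, email in vips, status))
    findings.sort(key=lambda f: (f.status != "reused", not f.vip, f.email))
    return findings


# Constructed sample data. Real directories use random per-user salts; the
# fixed ones here only keep the example deterministic.
def _stored(password, salt):
    return (salt, pbkdf2(password, salt))

CURRENT_CREDS = {
    "dr.patel@sunshine-research.example": _stored("Publish0rPerish!", b"salt-patel-0001"),  # never changed
    "cfo@sunshine-health.example": _stored("Winter2024!", b"salt-cfo-000001"),             # changed since leak
    "nurse.lee@sunshine-health.example": _stored("pa:ss:word", b"salt-lee-0000001"),
}
VIPS = ["CFO@sunshine-health.example", "dr.patel@sunshine-research.example"]
SAMPLE_DUMP = """\
dr.patel@sunshine-research.example:Publish0rPerish!
cfo@sunshine-health.example;Summer2023
someone@gmail.example:irrelevant
cfo@sunshine-health.example;Summer2023
nurse.lee@sunshine-health.example | pa:ss:word
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP, VIPS, CURRENT_CREDS):
        print(f"{'VIP ' if f.vip else '    '}{f.email}: {f.status}")
```

The comparison is done against the directory’s own stored hashes rather than by attempting logins, so the check leaves no failed-authentication noise and works for accounts that are locked or MFA-gated. A “rotated” result is not a clean bill of health: the researcher who reuses one password everywhere will often have rotated to a predictable variant, which is the argument for Momdjian’s access restrictions rather than a one-off reset.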

In terms of other defence measures, another member of the Purple Knights adds that a lot has already been done in setting up the tech stack and putting defences in place. “The main threats we identified were any types of social engineering and phishing emails – user training is useful here,” the member suggests.

The team is also working with Sunshine Health’s chief security officer to develop a disaster recovery (DR) plan and an Incident Response (IR) plan.

However, there’s trouble ahead:  the social engineering exercise used by the red team has worked – and they’ve gained access to the network. It’s time for them to start collecting information and living off the land. What steps can the Purple Knights take to mitigate an attack and protect Sunshine Healthcare from these criminals?

Part 2, Anatomy of a healthcare attack: Going for the jugular, picks up from here.

NPD data breach: Legal and technical perspectives with Lisa Sotto & Matt Berzinski
https://techinformed.com/npd-data-breach-legal-and-technical-perspectives-with-lisa-sotto-matt-berzinski/
Wed, 28 Aug 2024 22:31:03 +0000

In this episode of TI:TALKS, host Ricki is joined by Deputy Editor Anne-Marie Corvin to explore the critical issues surrounding the recent National Public Data breach. They’re joined by two guest experts, Lisa Sotto and Matt Berzinski, who delve into cybersecurity’s legal and technological dimensions.

Lisa Sotto, a partner at Hunton Andrews Kurth and chair of the firm’s global privacy and cybersecurity practice, offers an in-depth analysis of a lawyer’s role during a cyber-attack. Known as the “Queen of Breach,” Lisa explains how legal professionals manage confidentiality, coordinate forensic investigations, and handle ransomware negotiations.

She also outlines the essential steps companies should take immediately after a breach and discusses the complexities of ransom decisions and regulatory notification obligations.

Next, the conversation shifts to the tech side with Matt Berzinski, senior director at Ping Identity. He discusses the transformative impact of AI on cybersecurity, particularly in relation to the data breach. He warns about cybercriminals’ increasing use of AI for account takeovers and phishing attacks and envisions a future with passwordless authentication powered by technologies like passkeys and FIDO2 standards, which promise enhanced security and a smoother user experience.

This episode comprehensively examines the evolving cybersecurity landscape, blending expert legal advice with forward-looking insights into AI-driven security innovations. Don’t miss it!

Pavel Durov, Telegram founder, arrested in France amid cyber-crime probe
https://techinformed.com/pavel-durov-telegram-founder-arrested-in-france-amid-cyber-crime-probe/
Tue, 27 Aug 2024 17:11:00 +0000

The post Pavel Durov, Telegram founder, arrested in France amid cyber-crime probe appeared first on TechInformed.
Pavel Durov, founder of messaging app Telegram, was arrested in France over the weekend. French authorities said that his arrest was in relation to an investigation into online child sexual abuse, drug sales, fraud, and other criminal activity on the platform.

The prosecutors stated that Durov is being held in custody as part of a cyber-crime investigation assessing twelve different offences linked to organised crime.

Telegram has said in a statement, “It is absurd to claim that a platform or its owner is responsible for abuse of that platform.”

Before founding Telegram in 2013, Durov founded a social media company called VKontakte in 2006 in Russia.

In 2014, Durov went into self-imposed exile after refusing to comply with the Russian government’s demands to shut down opposition communities on VKontakte.

Durov is now based in Dubai, where Telegram is also headquartered.

Telegram joins Facebook, WhatsApp, Instagram, and TikTok as one of the world’s largest social media platforms, with 950 million active users monthly.

The platform offers end-to-end encryption, meaning messages can be read only on the sending and receiving devices, but unlike WhatsApp it is not the default: it applies only to one-to-one “secret chats” that users must start deliberately. Ordinary chats, groups and channels are encrypted only between the client and Telegram’s servers, so Telegram itself holds the keys to their content.

Telegram has previously faced criticism over the ability of users to spread disinformation on the app easily.

The app was cited as one of the platforms used by far-right groups to spread disinformation about refugees that led to rioting in Southport and other UK cities last month.

According to one report, fireworks and flares were being advertised for sale on a Telegram messenger group aimed at UK rioters last month.

Telegram groups can have up to 200,000 members, while WhatsApp groups, for instance, are capped at just over 1,000. The company, reported to employ fewer than one hundred staff, said that its moderation “is within industry standards and constantly improving,” and that it abides by European Union laws.

“Almost a billion users globally use Telegram as a means of communication and as a source of vital information,” the app’s statement said. “We’re awaiting a prompt resolution of this situation. Telegram is with you all.”

10 steps to protect your business from cyber-attacks
https://techinformed.com/top-10-steps-to-protect-your-business-from-cyber-attacks/
Tue, 27 Aug 2024 16:55:44 +0000

The post 10 steps to protect your business from cyber-attacks appeared first on TechInformed.
In today’s digital age, cyber-attacks pose a significant threat to businesses worldwide, with three in four companies at risk. As cyber threats evolve, safeguarding your enterprise from potential breaches is more critical than ever. To help protect your organisation, Dr Phil Legg, a cybersecurity expert at Independent advisor Best VPN, has compiled the top 10 proven steps to secure your business from cyber-attacks.

1. Mobile Device Management (MDM)

Microsoft Intune, Apple’s built-in device management framework and similar tools provide MDM for devices used within an enterprise environment. They let IT administrators locate, lock or remotely wipe a device in the unfortunate case of theft or loss, enforce that devices are configured and used for their intended business purposes (for example, requiring disk encryption and a screen lock), and keep operating-system and application patches up to date across individual employees’ devices.

2. Two-factor Authentication (2FA)

Online enterprise platforms such as Microsoft 365 and Google Workspace both support 2FA, meaning that users not only require their password to log in but must also confirm the login with a second factor, such as a mobile phone authenticator app or a physical security key. If a password is compromised, 2FA provides an additional layer of account security to keep intruders out. Not all second factors are equal, though: SMS codes can be intercepted or captured through SIM swapping, and a one-time code from an app can still be phished and replayed within its validity window, whereas FIDO2 security keys and passkeys bind the login to the genuine site and resist both.

3. Password Management

Where users must maintain accounts for multiple online services, a password manager generates and stores a unique, random password for each. With unique passwords per service (website), a password stolen from one site cannot be replayed against the others, so even if one is compromised and learnt by an attacker, the rest are far more likely to remain secure.

4. Virtual Private Network (VPN)

Last year alone, more than 400,000 cases of fraud and computer misuse were recorded, with 46% of UK businesses experiencing a cyber attack. Providing a secure VPN helps maintain online privacy and security, particularly for staff working from public or home networks. At its core, a VPN establishes an encrypted connection between your device and a remote server, keeping your internet activities private and safer from unwanted tracking on the local network. A VPN protects traffic in transit only: it does nothing against phishing, malware or a stolen password, so it complements rather than replaces the other measures in this list.

5. Physical security

Ensure that employees have clear guidance on maintaining the physical security of their work assets, including laptops and other devices with sensitive information or access.

6. Shoulder surfing

Just as physical security is critical, ensure staff are aware of the threat of shoulder surfing, where a stranger gathers your private information by secretly watching your screen. This is especially likely when working in public spaces like cafes and trains. Avoid displaying sensitive data, like a password or credit card information, on a laptop screen in a public space; a privacy filter on the screen helps where this is unavoidable.

7. Business Continuity Planning (BCP)

If a widespread incident were to occur across your IT estate, would you have a plan B? How would the organisation operate without email or access to specific systems? Ensure that a BCP is in place that is both realistic and actionable, with clear guidance on how this would be implemented if necessary.

Understand the operational cost to the business if such an event should occur and assess the expected likelihood of such an event occurring. This should factor into your risk management strategy.

8. Backup & Cloud Storage

Understand and classify the importance of your data assets, and ensure that off-site backups are maintained regularly, especially for any data that is crucial for your business to function. Against ransomware, keep at least one copy that an attacker holding your production credentials cannot delete or encrypt (offline media or immutable storage), and test restores periodically so you know the backups actually work.

In the case of natural phenomena (e.g., earthquakes, flooding, hurricanes, etc.), consider using cloud storage to provide offsite backup. Microsoft, Google, Apple, and other third parties all offer options for this, alleviating the risk of storing data on a specific physical device.

However, before you create a backup, you should also consider the classification of data and whether the data is appropriate to be stored within a cloud environment managed by a third party.

9. E-mail usage and phishing attacks

Ensure that staff remain vigilant about e-mail usage and potential phishing attacks. Provide training so that staff act cautiously when deciding whether to click links from unexpected emails.

Providers such as Microsoft are constantly improving their spam recognition and phishing detection, but scrutinising your inbox is still important. If you are ever in doubt about whether an email is legitimate, confirm it with the sender through another channel, using a phone number you already hold on record rather than one given in the email itself, and never by simply replying.

10. Social media

Provide staff with training on using social media in the business context. Attackers can exploit LinkedIn and other platforms (including company websites) to gain knowledge about organisations.

Ensure staff remain vigilant to such threats, including approaches from unknown contacts who befriend them via social media in order to lure out sensitive information about workplace activity.

Ready to strengthen your business’s cybersecurity? Start implementing these top strategies today to protect your business from cyber-attacks.

Hacked service accounts involved in 85% of data breaches
https://techinformed.com/2024-data-breaches-compromised-service-accounts-reliaquest-report/
Tue, 27 Aug 2024 10:02:54 +0000

The post Hacked service accounts involved in 85% of data breaches appeared first on TechInformed.
New research reveals an uptick in data breaches involving compromised service accounts, which offer hackers a convenient way to move around inside an organisation’s network once they have gained initial access.

In a representative sample of breaches that cyber firm ReliaQuest responded to between January 2024 and July 2024, it claims 85% involved compromised service accounts.

The Florida-based firm noted this marked a jump of almost 15% compared to the same period in 2023.

Often configured and then forgotten, service accounts are the non-human accounts under which applications, scheduled jobs and management tools run, for example to manage and update servers. Because they are not attached to any human identity and are designed to perform automated tasks, often with elevated privileges and with passwords that are rarely rotated, service accounts have become attractive targets for hackers looking to compromise entire networks, according to ReliaQuest.

Service accounts have played a crucial role in several high-profile attacks in recent years.

After breaching an environment via social engineering or phishing, adversaries often attempt to gain access to service accounts to elevate privileges and move laterally through the rest of the environment.

This happened in the 2020 SolarWinds attack, where the threat actors used compromised service accounts to move laterally through targeted networks to access their resources.

In the UK, meanwhile, the Information Commissioner’s Office (ICO) recently published a lengthy investigation into the 2020 attack on Hackney Council, concluding that the council failed to implement measures that could have prevented the attack.

These included “the failure to change an insecure password on a dormant account still connected to Hackney Council servers, which was exploited by the attackers.”

Writing in a blog post on ReliaQuest’s website this week, threat researcher Hayden Evans noted that service accounts are often compromised via insecure credential storage, credential dumping and a practice known as “Kerberoasting”. In Kerberoasting, any authenticated domain user requests a Kerberos service ticket for an account that has a Service Principal Name (SPN) registered; part of that ticket is encrypted with a key derived from the service account’s password, so the attacker can take the ticket away and crack it offline to recover the plaintext password without ever touching the target account or triggering a lockout.

To proactively prevent attacks, Evans suggests using secure password managers to store service account credentials, and verifying whether service accounts have only the necessary privileges.

He also adds that it is vital that firms identify and document all service accounts in their environment to maintain an accurate inventory, remove dormant accounts, and strip the SPNs from service accounts that no longer need them, since an account without an SPN cannot be Kerberoasted.

Organisations are also advised to use group Managed Service Accounts (gMSAs), whose long, random passwords Active Directory generates and rotates automatically, so there is no weak, static password for an attacker to crack, and to limit the privileges granted to each account.
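To make the Kerberoasting risk concrete on the detection side, here is an added Python example (not from ReliaQuest’s post or the article) that runs a simple detection over constructed Windows Security Event ID 4769 records (Kerberos service ticket requests). The classic tool signature is a single user and source address pulling RC4-encrypted tickets (TicketEncryptionType 0x17) for several different non-machine service accounts within a few minutes, whereas ordinary clients request AES tickets (0x12) for machine accounts as they go. Field names follow the 4769 event schema; the hosts, users, times, threshold and window are assumptions for the example.

```python
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                 # TicketEncryptionType most roasting tools request
WINDOW = timedelta(minutes=5)     # assumed detection window
DISTINCT_SERVICES_THRESHOLD = 4   # assumed: this many different SPNs from one actor

# Constructed sample of Security Event ID 4769 records in the JSON shape a
# log forwarder might emit. Hosts, users and times are invented.
SAMPLE_EVENTS = [json.loads(line) for line in """\
{"TimeCreated": "2024-08-26T09:00:01", "TargetUserName": "j.doe@CORP.LOCAL", "ServiceName": "WS01$", "IpAddress": "::ffff:10.0.1.15", "TicketEncryptionType": "0x12", "Status": "0x0"}
{"TimeCreated": "2024-08-26T09:00:04", "TargetUserName": "j.doe@CORP.LOCAL", "ServiceName": "FS01$", "IpAddress": "::ffff:10.0.1.15", "TicketEncryptionType": "0x12", "Status": "0x0"}
{"TimeCreated": "2024-08-26T09:02:10", "TargetUserName": "a.smith@CORP.LOCAL", "ServiceName": "svc_sql", "IpAddress": "::ffff:10.0.2.77", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"TimeCreated": "2024-08-26T09:02:11", "TargetUserName": "a.smith@CORP.LOCAL", "ServiceName": "svc_backup", "IpAddress": "::ffff:10.0.2.77", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"TimeCreated": "2024-08-26T09:02:11", "TargetUserName": "a.smith@CORP.LOCAL", "ServiceName": "svc_iis", "IpAddress": "::ffff:10.0.2.77", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"TimeCreated": "2024-08-26T09:02:12", "TargetUserName": "a.smith@CORP.LOCAL", "ServiceName": "svc_sccm", "IpAddress": "::ffff:10.0.2.77", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"TimeCreated": "2024-08-26T09:40:00", "TargetUserName": "b.lee@CORP.LOCAL", "ServiceName": "svc_sql", "IpAddress": "::ffff:10.0.3.20", "TicketEncryptionType": "0x17", "Status": "0x0"}
""".splitlines()]


def is_roastable(event: dict) -> bool:
    """True for successful RC4 ticket requests against user (non-machine) service accounts."""
    svc = event["ServiceName"]
    return (
        event["TicketEncryptionType"].lower() == RC4_HMAC
        and event["Status"] == "0x0"
        and not svc.endswith("$")        # machine accounts have random 120-char passwords
        and svc.lower() != "krbtgt"      # TGT requests are not roasting
    )


def detect_kerberoasting(events: list[dict]) -> list[dict]:
    """Flag (requester, source IP) pairs that pulled RC4 tickets for many
    distinct service accounts inside WINDOW. Returns at most one alert per pair."""
    by_actor: dict[tuple[str, str], list[tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        if is_roastable(ev):
            ts = datetime.fromisoformat(ev["TimeCreated"])
            by_actor[(ev["TargetUserName"], ev["IpAddress"])].append((ts, ev["ServiceName"]))

    alerts = []
    for (user, ip), reqs in by_actor.items():
        reqs.sort()
        # Sliding window: from each request, count distinct services seen within WINDOW after it.
        for i, (start, _) in enumerate(reqs):
            services = {svc for ts, svc in reqs[i:] if ts - start <= WINDOW}
            if len(services) >= DISTINCT_SERVICES_THRESHOLD:
                alerts.append({
                    "user": user,
                    "ip": ip,
                    "window_start": start.isoformat(),
                    "services": sorted(services),
                })
                break
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_kerberoasting(SAMPLE_EVENTS), indent=2))
```

Two points worth noting from the sample. The single RC4 request by b.lee is not alerted on, because one ticket is normal traffic from a legacy client; the hunt-worthy event is the burst. And if service accounts are restricted to AES (msDS-SupportedEncryptionTypes) as the hardening above implies, any 0x17 ticket for one of them becomes anomalous on its own and the cracked hash is far slower to brute-force.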

Bad Bots and the Premier League – How to avoid a security own goal
https://techinformed.com/how-to-avoid-a-security-own-goal-premier-league-scalper-bots/
Fri, 16 Aug 2024 15:07:29 +0000

The post Bad Bots and the Premier League – How to avoid a security own goal appeared first on TechInformed.
As excitement for the start of the 24/25 Premier League season reaches a fever pitch, fans of the sport are no doubt clamouring to get hold of tickets for key matches. However, for Liverpool FC fans, these plans were halted when a cyber-attack temporarily suspended ticket sales for members just a few weeks back.

The cyber-attack in question was a sophisticated bot attack. This incident was not isolated. Our threat intelligence team has recorded and mitigated similar attempts by scalpers to obtain highly sought-after football match tickets for other Premier League teams.

Tickets to Premier League matches are among some of the most highly sought-after in the world, so as the season kicks off, we’ll look at the growing threat of bots, their role in ticket scalping, and how clubs can ensure they have the best defences in place.

The rising bot threat

In its most basic form, an internet bot is a software application that runs automated tasks over the Internet. Bot-run tasks are typically simple and performed at a much higher rate than human Internet activity.

Some bots are legitimate and harmless — for example, Googlebot is an application used by Google to crawl the Internet and index it for search. Other bots are malicious, such as bots used to automatically scan websites for software vulnerabilities and execute simple attack patterns.

Almost 50% of internet traffic now comes from non-human sources, with malicious bots comprising nearly one-third of all internet traffic. These bad bots have become more advanced and evasive, mimicking human behaviour to bypass traditional security defences.

The role of bots in ticket scalping

Bots can also be deployed to buy up large quantities of tickets when they become available, preventing genuine fans from purchasing tickets at face value. Scalpers then resell these tickets at significantly inflated prices, exploiting the high demand for these events.

Wherever there’s high demand with a limited supply, bot operators will take advantage of the resell value. This is precisely the case with tickets to highly popular sporting events. The English Premier League is the most popular football league in the world, and malicious actors are inevitably taking advantage.

A wider analysis found that there had been a 59% increase in attacks targeting European sports websites in January and another 66% increase in March, with security incidents increasing from the previous year.

This problem doesn’t just pertain to sports events either — whether it’s highly sought-after concert tickets, game consoles, or the release of limited-edition merchandise.

Why bots can cause an own goal for businesses

Ticket scalping is a huge problem for any sports organisation, as it ultimately punishes genuine fans and could damage a club’s long-term reputation. However, that isn’t the only issue bots present.

They can also overload servers, causing website downtime during crucial moments like match days, which impacts fan engagement and revenue.

Additionally, bots can steal sensitive data, leading to potential breaches and loss of consumer trust. They can also inflate web traffic metrics, giving a false sense of popularity and potentially misleading advertisers. For Premier League clubs, these issues can significantly affect their global brand and fan loyalty.

Assembling the right defence formation

Football clubs and other sports organisations need to implement a robust multi-layered defence strategy to protect their digital ecosystems.

Just like a football team needs a solid defence to protect its goal, companies must implement an advanced bot management solution to safeguard their digital assets. This solution acts as the defensive line, using behavioural analysis, device fingerprinting, and challenge-response authentication to distinguish between legitimate users and bots, effectively blocking malicious activity.

Continuous monitoring and real-time analytics are akin to the vigilant defenders who constantly scan the field for threats. By analysing traffic patterns and user behaviour, companies can quickly identify and respond to suspicious anomalies that may signal bot interference.

Securing public and private APIs is like fortifying the defensive midfield. APIs are prime targets for bots, and protecting them requires robust authentication, rate limiting, and encryption. Regular updates and patches are essential to close any vulnerabilities that bots might exploit.

Collaboration within the industry is similar to a team working together to share intelligence about the opponent’s strategies. By establishing a shared database of known bot signatures and participating in industry-wide forums, companies can enhance their collective security and stay ahead of emerging threats.

Finally, educating customers about the risks of bots and how to recognise suspicious activity is like coaching the team to be aware of potential threats. Clear communication about security measures and best practices empowers customers to contribute to a safer online environment.
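To make the rate-limiting and behavioural-analysis layers above concrete, here is an added Python example (not code from the article’s author or any product it refers to). It runs two checks over a constructed access log: a per-client sliding-window rate limiter, and a timing-regularity score based on the coefficient of variation of each client’s inter-request gaps, which catches a scalper that deliberately stays under the rate limit but fires at machine-perfect intervals. The IP addresses, paths, limits and thresholds are all assumptions for the example; a production bot manager would combine this with device fingerprinting and session context rather than rely on timing alone.

```python
from __future__ import annotations

import statistics
from collections import defaultdict

RATE_LIMIT = 10            # assumed: requests per client per window
WINDOW_SECONDS = 10.0
BOT_SCORE_THRESHOLD = 0.8  # assumed: above this, serve a challenge (e.g. CAPTCHA)

# Constructed access log, one request per line: "unix_time client_ip method path user_agent".
SAMPLE_LOG = (
    # scalper bot hammering checkout at a machine-regular 0.2 s
    [f"{100 + 0.2 * i:.1f} 203.0.113.9 POST /tickets/checkout python-requests/2.31"
     for i in range(12)]
    # a human browsing with natural pauses
    + [f"{t} 198.51.100.4 GET {p} Mozilla/5.0" for t, p in [
        ("100.0", "/"), ("103.1", "/fixtures"), ("110.5", "/tickets"),
        ("112.7", "/tickets/checkout"), ("123.7", "/tickets/confirm")]]
    # slow-and-steady bot: stays under the rate limit but with zero timing variance
    + [f"{100 + 1.5 * i:.1f} 192.0.2.50 GET /tickets/availability curl/8.4.0"
       for i in range(6)]
)


def parse_access_log(lines: list[str]) -> list[dict]:
    """Parse the constructed log format above into request dicts."""
    requests = []
    for line in lines:
        ts, ip, method, path, ua = line.split(" ", 4)
        requests.append({"ts": float(ts), "ip": ip, "method": method, "path": path, "ua": ua})
    return requests


class SlidingWindowLimiter:
    """Per-client sliding-window rate limiter. Denied requests still count, so a
    client that keeps hammering stays blocked until it backs off."""

    def __init__(self, limit: int = RATE_LIMIT, window: float = WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.hits: dict[str, list[float]] = defaultdict(list)

    def allow(self, client: str, ts: float) -> bool:
        recent = [t for t in self.hits[client] if ts - t < self.window]
        recent.append(ts)
        self.hits[client] = recent
        return len(recent) <= self.limit


def behaviour_score(reqs: list[dict]) -> dict[str, float]:
    """Score each client's timing regularity in [0, 1]; higher means more bot-like.

    Uses the coefficient of variation of inter-request gaps: scripted clients
    fire at near-constant intervals, real browsers show jitter from rendering,
    reading and clicking. Fewer than three requests is too little to judge.
    """
    times: dict[str, list[float]] = defaultdict(list)
    for r in reqs:
        times[r["ip"]].append(r["ts"])
    scores = {}
    for ip, ts in times.items():
        ts.sort()
        if len(ts) < 3:
            scores[ip] = 0.0
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        scores[ip] = max(0.0, 1.0 - cv)
    return scores


def classify(lines: list[str]) -> dict[str, str]:
    """Run both layers over a log and return a verdict per client IP."""
    reqs = sorted(parse_access_log(lines), key=lambda r: r["ts"])
    limiter = SlidingWindowLimiter()
    rate_limited = {r["ip"] for r in reqs if not limiter.allow(r["ip"], r["ts"])}
    scores = behaviour_score(reqs)
    verdicts = {}
    for ip, score in scores.items():
        if ip in rate_limited:
            verdicts[ip] = "blocked:rate_limit"
        elif score >= BOT_SCORE_THRESHOLD:
            verdicts[ip] = "challenge:bot_like_timing"
        else:
            verdicts[ip] = "allowed"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
```

The second bot is the instructive case: it never trips the rate limit, so a rate-limit-only defence lets it buy tickets, while the timing score flags it for a challenge. The human, with a handful of irregularly spaced page views, passes both layers.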

The final whistle

As the Premier League gears up for another thrilling season, clubs must ensure they don’t score an own goal by neglecting their digital defences.

Just as a football team relies on a strong backline to fend off attacks, clubs need a robust, multi-layered security strategy to tackle the growing threat of bots.

By implementing advanced bot management solutions, continuously monitoring for threats, securing APIs, collaborating within the industry, and educating fans, clubs can protect their digital assets and maintain the trust and loyalty of their supporters. After all, in the game of cybersecurity, a solid defence is the best offence.
