Threat Lab

As the year draws to a close, the cybersecurity analysts at Webroot and Carbonite pull out their crystal balls to make their predictions for the year ahead. 

Our experts predict many of the trends they’ve been tracking throughout the year—well-researched attacks, RDP compromise, and the importance of user education—will continue into the New Year. But they’ll be affected by new industry developments such as impending privacy regulations, AI-enabled attacks, and attacks targeting developing nations. 

Highly Targeted Ransomware Will Continue to Devastate Businesses

Unsurprisingly, our experts predict the strong trend toward highly targeted ransomware will bleed into 2020.  

“Highly targeted ransomware will likely continue,” predicts Webroot Software Management Manager Eric Klonowski. “Next year, we predict ransom-motivated attackers will more pointedly observe automatic backup solutions and make attempts to remove and alter the backup data or the task itself.” Klonowski said. 

High-effort, low-volume surveillance techniques are now favored by ransomware operators like the Bitpaymer Group, which has been known to customize ransomware only hours before deploying an attack, first tailoring it to observations gathered on their targets. 

We should expect actors like these to continue to gain access to networks from where they can observe financial transactions and valuable information before determining the most profitable way to strike at their intended targets. 

Phishing will likely also become more targeted as data collected from breaches is incorporated into phishing emails. Things like passwords and recent transactions can go a long way in convincing people an email is legit.—Grayson Milbourne, Security Intelligence Director, Webroot

Long-Awaited Privacy Legislation Will Finally Arrive in the U.S. 

We expect that privacy and security will continue to jockey for primacy of concern in the minds of U.S. citizens. California, which has long led the fight for more stringent data privacy for consumers, is set to enact a law in early 2020 that has often drawn comparisons to Europe’s GDPR. 

As noted by Tech Crunch, California’s new data privacy act, like GDPR, will extend to all organizations that do business with Californians, effectively making it the law of the land nationwide. But Webroot Product Marketing Director George Anderson predicts a groundswell of support among U.S. citizens for stricter data privacy regulations. 

“U.S. citizens will step up their demands for privacy in 2020,” he says. “Privacy legislation in the U.S., which has lagged behind other nations, will be a central issue.” 

But rather than settling for a new set of standards, Anderson wouldn’t be surprised if entirely new revenue models are explored. Models that rely less on selling personal data than, say, subscription fees or some other alternative. 

“I would expect an alternative paid for services that don’t abuse data will emerge, Anderson says. “The existing, untrusted purveyors of convenience will try to pivot, but ultimately lose out heavily. Legislation and technology are starting to converge due to so many abuses of privacy.”

“Adversarial attacks against AI-based security products will likely grow in scope and complexity, which would highlight the fact that  there are fundamentally two types of AI in cybersecurity: AI which acts like a smarter conventional signature and AI which is built into every facet of an intelligent, cloud-based platform capable of cross-referencing and defending itself against adversarial attacks.” —Joe Jaroch, Senior Director of Cybersecurity Strategy, Webroot

Small and Medium-Sized Businesses will Bear the Brunt of Cyberattacks

Findings regarding cybersecurity readiness among small and medium-sized businesses (SMBs) continue to be grim. Despite commonly falling victim to data breaches and other attacks, an attitude still pervades that they are either too small to catch the eye of cybercriminals or that their data isn’t valuable enough to warrant an attack. 

In a study conducted by Webroot and 451 Research, 71 percent of SMBs admitted to experiencing a breach or attack within the previous 24 months that resulted in “operational disruption, reputational damage, significant financial losses or regulatory penalties.”

According to Webroot Security Analyst Tyler Moffitt, that trend is unlikely to abate. 

“We expect that SMBs will continue to be targets for cybercriminals because, just like the public, education, and healthcare sectors, they maintain the same vulnerable environment. They’re low budget, understaffed, and often under-educated on matters of cybersecurity.”

Findings from the 451 Research report confirm Moffitt’s suspicions. A full 36 percent of SMBs surveyed in that study reported that they had no full-time staff on hand dedicated to cybersecurity. 

“The SMBs typically targeted have under 50 employees, and it often falls to a lone IT admin or someone in finance or sales to shore up cybersecurity at the company,” Moffitt says. “Almost always it’s a person who wears many hats and doesn’t have much of a budget or expertise.”

It’s the easily overlooked yet easily exploited security gaps like an unsecured RDP that most worry Moffitt. Without dedicated cybersecurity consulting, these can easily be exploited, yet they are easy to fix.

 “Expect to see more attacks against less developed nations. Attacks like this don’t generate revenue, rather they are meant to disrupt and destroy” —Grayson Milbourne, Security Intelligence Director, Webroot

We Want to Hear Your 2020 Predictions

Are these the developments you expect to see to kick off the new decade? Have some other ideas? We want to hear what hacks, news stories, or trends in cybersecurity you anticipate in the New Year. You can read additional predictions from our staff for the year ahead, plus submit your own, on the Webroot Community. Click here to visit the Community and share your 2020 predictions.

Zeppelin Ransomware Spreading

Over the last month, researchers have been monitoring the spread of a new ransomware variant, Zeppelin. This is the latest version of the ransomware-as-a-service that started life as VegaLocker/Buran and has differentiated itself by focusing on healthcare and IT organizations in both the U.S. and Europe. This variant is unique in that extensions are not appended, but rather a file marker called Zeppelin can be found when viewing encrypted files in a hex editor.

German ISP Faces Major GDPR Fine

The German internet service provider (ISP) 1&1 was recently fined for failing to protect the identity of customers who were reaching out to their call centers for support. While the incident took place in 2018, GDPR is clear about imposing fines for organizations that haven’t met security standards, even if retroactive changes were made. 1&1 is attempting to appeal the fines and has begun implementing a new authentication process for confirming customers’ identities over the phone.

Turkish Credit Card Dump

Nearly half a million payment cards belonging to Turkish residents were found in a data dump on a known illicit card selling site. The cards in question are both credit and debit cards and were issued by a variety of banking institutions across Turkey. This likely means that a mediating payment handler was the source of the leak, rather than a specific bank. Even more worrisome, the card dump contained full details on the cardholders, including expiration dates, CVVs, and names; everything a hacker would need to make fraudulent purchases or commit identify theft.

Pensacola Ransomware Attack

The city of Pensacola, Florida was a recent victim of a ransomware attack that stole, then encrypted their entire network before demanding $1 million ransom. In an unusual message, the authors of the Maze ransomware used explicitly stated that they had no connection to the recent shootings at the Pensacola Naval Base, nor were they targeting emergency services with their cyberattack.

Birth Certificate Data Leak

An unnamed organization that provides birth certificate services to U.S. citizens was contacted earlier this week in regard to a data leak of nearly 750,000 birth certificate applications. Within the applications was sensitive information for both the child applicant and their family members, which is highly sought after by scammers because it is relatively easy to open credit accounts for children with no prior credit history. Researchers are still waiting to hear back from the organization after finding this data dump in an unsecured Amazon Web Services bin.

ZeroCleare Malware Wiping Systems

IBM researchers have been tracking the steady rise in ZeroCleare deployments throughout the last year, culminating in a significant rise in 2019. This malware is deployed on both 32 and 64-bit systems in highly targeted attacks, with the capability to completely wipe the system by exploiting the EldoS RawDisk driver (which was also used in prior targeted attacks). The malware itself appears to be spreading through TeamViewer sessions and, though the 32-bit variant seems to crash before wiping can begin, the 64-bit variant has the potential to cause devastating damage to the multi-national corporations being targeted.

FTC Scam Threatens Victims with Terrorism Charges

FTC officials recently made an announcement regarding scam letters purporting to be from the commission and the numerous complaints the letters have sparked from the public. Victims of the scam are told that, due to some suspicious activity, they will be personally and financially monitored as well as face possible charges for terrorism. These types of scams are fairly common and have been in use for many years, often targeting the elderly with greater success.

Take back your privacy. Learn more about the benefits of a VPN.

Misreported Data Breach Costs Hospital Millions

Following an April 2017 complaint, the Office of Civil Rights has issued a fine of $2.175 million after discovering that Sentara Hospitals had distributed the private health information for 577 patients, but only reported eight affected. Moreover, it took over a year for the healthcare provider to take full responsibility for the breach and begin correcting their security policies for handling sensitive information. HIPAA violations are extremely time-sensitive and the slow response from Sentara staff could act as a lesson for other organizations to ensure similar events don’t reoccur.

Android Vulnerability Allows Hackers Easy Access

Researchers have identified a new Android exploit that allows hackers access to banking applications by quickly stealing login credentials after showing the victim a legitimate app icon, requesting additional permissions, and then sending the user to their expected app. Even more worrisome, this vulnerability exists within all current versions of AndroidOS and, while not found on the Google Play Store, some illicit downloaders were distributing it.

Smith & Wesson Hit by Magecart

In the days leading up to Black Friday, one of the largest retail shopping days of the year, malicious skimming code was placed onto the computer systems and, subsequently, the website of Smith & Wesson. In a slight break from the normal Magecart tactics, they attackers were masquerading as a security vendor to make their campaign less visible. The card-skimming code was initially placed onto the website on November 27 and was still active through December 2.

Webroot has evolved its secure login offering from a secondary security code to a full two-factor authentication (2FA) solution for both business and home users.

Webroot’s 2FA has expanded in two areas. We have:

• Implemented a time-based, one-time password (TOTP) solution that generates a passcode which is active for only a short period of time.
• Given our users the option to either opt-in or opt-out, especially those that leverage Webroot for home and personal use.

Starting in December, with the new updates, users will find it easier to use industry-vetted options, including Google Authenticator, Microsoft Authenticator, LastPass Authenticator, and Authy 2-Factor Authentication.

Why Two-Factor Authentication?

First and foremost, we encourage all users to opt-in to maintain a higher level of security. Two-factor authentication adds an extra layer of security to your basic login procedure. When logging into an account, the password is a single factor of authentication, and requiring a second factor to prove you are who you say you are adds a layer of security. Each layer of security you add exponentially increases protection from unauthorized access and makes it harder for brute force and credential stuffing attacks to occur.

A Note to Businesses

Users will have the option to opt-in or opt-out of the new Webroot 2FA feature. The Admins tab within our console will show you which of your users have or have not enabled 2FA.

To learn how to enable two-factor authentication, visit the Webroot Community.

Shade Ransomware Takes Crown as Most Distributed Variant

Over the course of 2019, one ransomware variant, known as Shade, has taken over 50 percent of market share for ransomware delivered via email. Otherwise known as Troldesh, this variant receives regular updates to further improve it’s encrypting and methods of generating additional revenue from both cryptomining and improving traffic to sites that run ads. In just the first half of 2019, attacks using Troldesh dramatically rose from 1,100 to well over 6,000 by the second calendar quarter.

PayMyTab Leaves Customer Data Exposed

For more than a year sensitive customer data belonging to users of the mobile payment app PayMyTab has been publicly exposed in an online database using no security protocols. Even after being contacted multiple times regarding the data breach, the company has yet to fully secure customer data and may have to take drastic measures to fully secure their data storage after allowing virtually unlimited access to anyone with an interest in personal data.

Credentials Dump for Major Service Sites

Login credentials for two highly-trafficked websites were discovered in a data dump earlier this week. One dump belonged to GateHub, a cryptocurrency wallet with potentially up to 1.4 million user credentials stolen, including not only usernames and passwords, but also wallet hashes and keys used for two-factor authentication. The second dump contained information on 800,000 users of EpicBot, a RuneScape bot used to automate tasks in the skill-centric MMORPG. While both dumps appeared on dark web marketplaces on the same day, it also seems coincidental that both sites use bcrypt hashing for passwords, which should make them exceedingly difficult to crack assuming it was set up properly.

Louisiana Government Systems Hit with Ransomware

Multiple Louisiana state service sites were taken offline early Monday morning following a ransomware attack that affected mostly transportation services. All 79 of the state’s DMV locations were forced to close until systems were returned to normal, as they were unable to access DOT services to assist clients. While it is still unclear what variant of ransomware was used, the state of Louisiana did have a cybersecurity team in place to stop any further spread of the infection.

Magecart Targets Macy’s Online

Nearly a week after the initial breach, Macy’s officials noticed some unauthorized access between their main website and an undisclosed third-party site. The breach itself appears to have compromised payment card data for any customers who input their credentials during the first couple weeks of October. Macy’s has since removed the illicitly added code from their sites as well as contacted both payment card providers and affected customers regarding the breach.

Orvis Internal Credentials Leaked

A database containing login credentials for numerous internal systems belonging to Orvis, one of America’s oldest retailers, was found to be publicly available for an unknown amount of time. Why the database was publicly accessible at all is still unclear, but the retailer has determined that many credentials were for decommissioned devices. They managed to resolve the security dilemma for the remaining devices relatively quickly.

Mexican Oil Company Hit by Ransomware Attack

A few days ago, Pemex Oil was targeted by a ransomware attack that, according to reports, affected 5% of their computer systems. The demanded ransom, as displayed by the note left by the DoppelPaymer ransomware variant, was 565 bitcoins, or roughly $4.9 million. Fortunately, Pemex had a decent security strategy in place and was able to get their operations running normally by the following day.

Facebook Bug Turns on iPhone Cameras

The latest bug from Facebook is one that turns on the user’s iPhone camera when they open the Facebook app. It appears the bug only works on phones running iOS version 13.2.2, and for users who accepted permissions to allow the app to access the camera. Unfortunately for Facebook, many of its users are already wary of the company’s privacy policies, and so-called “bugs” like this one only serve to increase the level of distrust within its customer base.

PureLocker Ported to All Major Operating Systems

A new ransomware variant, PureLocker, has been successfully ported from Windows® operating systems to both MacOS® and Linux® systems with the typical capacity to fully encrypt all discovered files. Researchers have found that it encrypts files on compromised systems using .CR1 as the file extension, a tag which also appears in the text-based ransom note. This may be tied to a particular affiliate, as PureLocker is being distributed as Ransomware-as-a-Service.

Cyberattack on UK Labour Party

Officials for the UK Labour Party have issued a statement regarding a cyberattack on their computer systems, though it appears that the security they had in place was enough to repel the attack. While they are still unsure as to the origin of the attack, they were able to determine that it was a DDoS attack (Distributed Denial of Service), which floods the targeted systems with an overwhelming amount of cyber-traffic.

Why do so many businesses allow unfettered access to their networks? You’d be shocked by how often it happens. The truth is: your employees don’t need unrestricted access to all parts of our business. This is why the Principle of Least Privilege (POLP) is one of the most important, if overlooked, aspects of a data security plan. 

Appropriate privilege

When we say “least privilege”, what we actually mean is “appropriate privilege”, or need-to-know. Basically, this kind of approach assigns zero access by default, and then allows entry as needed. (This is pretty much the opposite of what many of us are taught about network access.) But by embracing this principle, you ensure that network access remains strictly controlled, even as people join the company, move into new roles, leave, etc. Obviously, you want employees to be able to do their jobs; but, by limiting initial access, you can minimize the risk of an internal breach.

If you haven’t already, now is the perfect time to take a look at your network access policies. After all, it’s about protecting your business and customers—not to mention your reputation.

Listen to the podcast: Episode 6 | Shoring Up Your Network Security with Strong Policies to learn more about implementing the Principle of Least Privilege and other network security best practices.

Navigating the difficult conversations around access control

It’s no surprise that employees enjoy taking liberties at the workplace. In fact, Microsoft reports that 67% of users utilize their own devices at work. Consequently, they may push back on POLP policies because it means giving up some freedom, like installing personal software on work computers, using their BYOD in an unauthorized fashion, or having unlimited usage of non-essential applications.

Ultimately, you need to prepare for hard conversations. For example, you’ll have to explain that the goal of Principle of Least Privilege is to provide a more secure workplace for everyone. It’s not a reflection on who your employees are or even their seniority; it’s about security. So, it’s essential for you, the MSP or IT leader, to initiate the dialogue around access control––often and early. And, at the end of the day, it’s your responsibility to implement POLP policies that protect your network.

Firewalls and antivirus aren’t enough 

There’s a common misconception in cybersecurity that the firewall and/or antivirus is all you need to stop all network threats. But they don’t protect against internal threats, such as phishing or data theft. This is where access policies are necessary to fill in the gaps.

Here’s a prime example: let’s say you have an employee whose job is data entry and they only need access to a few specific databases. If malware infects that employee’s computer or they click a phishing link, the attack is limited to those database entries. However, if that employee has root access privileges, the infection can quickly spread across all your systems.

Cyberattacks like phishing, ransomware, and botnets are all designed to circumvent firewalls. By following an appropriate privilege model, you can limit the number of people who can bypass your firewall and exploit security gaps in your network.

Tips to achieve least privilege

When it comes to implementing POLP in your business, here are some tips for getting started:

• Conduct a privilege audit. Check all existing accounts, processes, and programs to ensure that they have only enough permissions to do the job.
• Remove open access and start all accounts with low access. Only add specific higher-level access as needed.
• Create separate admin accounts that limit access. 
  • Superuser accounts should be used for administration or specialized IT employees who need unlimited system access. 
  • Standard user accounts, sometimes called least privilege user accounts (LUA) or non-privileged accounts, should have a limited set of privileges and should be assigned to everyone else.
• Implement expiring privileges and one-time-use credentials.
• Create a guest network leveraging a VPN for employees and guests.
• Develop and enforce access policies for BYOD or provide your own network-protected devices whenever possible.
• Regularly review updated employee access controls, permissions, and privileges.
• Upgrade your firewalls and ensure they are configured correctly.
• Add other forms of network monitoring, like automated detection and response.

BEC Scam Takes Millions from Nikkei America

Officials for Nikkei are working to identify the perpetrators of a recent business email compromise (BEC) scam that took roughly $29 million from the company’s American subsidiary. The illicit transfer took place sometime during the end of September and, though they did make a public statement last week, the only clues they have are the Hong Kong bank account that the funds were sent to. While this is not the largest scam of this type to occur this year, it does serve to underscore the prevalence and continued success of these attacks.

Canadian Province Shuts Down After Ransomware Attack

Government networks for the Nunavut territory of Canada have been taken offline following a ransomware attack that appears to have been executed by an unwitting employee. Fortunately, even thought their security systems failed to block the infection, the affected offices keep regular backups to safeguard against this type of issue. However, even with these failsafe measures, it may still take about a week to get all of the official systems back to full operation.

Facebook API Allows Unauthorized Access to User Accounts

Several developer apps have been found retaining user info and photos from Groups for much longer than previously anticipated by Facebook. This is, by no means, the first time in recent years that Facebook has fallen under scrutiny; it comes nearly a year after the Cambridge Analytica findings, not to mention the more recent news about the company removing thousands of apps that had been misusing customer data. While the social media giant has made a number of changes to stop these types of data leaks, they clearly still have a lot more work to do to ensure their clients’ data is safe.

Indian Education Firm Data Leak

A database belonging to an Indian tech firm may have exposed sensitive information for over 600,000 customers. Even more alarming than the high number of victims is that this leak seems to have begun back in July of this year, begging the question as to why it took so long for the firm to make an official announcement. Due to the sheer volume of exposed data, the company has already started contacting affected customers in hopes of preventing any further misuse of their information.

MegaCortex Ransomware Demos New Tactics

The latest variant of MegaCortex has brought with it a plethora of new features and functionality. While it does still perform RSA encryption on nearly every file on the machine, it now also has the ability to change the main system password, making it very difficult for the victim to access their own system at all. In addition to the typical ransom note that demands quick crypto-based payment, this variant also threatens victims in lurid detail as to how their encrypted files will be published to the masses.

Bed, Bath, & Beyond Data Breach

An official announcement made earlier this week acknowledged illicit access to customer data used in online accounts for Bed, Bath, & Beyond. While the breach didn’t affect payment card information, the retailer quickly began contacting affected customers and took steps to safeguard against future incidents.

Johannesburg Shutdown After Cyber Attack

Three months after a cyber attack hit Johannesburg, South Africa, the city is once again dealing with network outages. After a ransom note was posted to several social media outlets, city officials are still attempting to downplay the attacks by claiming they purposefully took down the sites rather than them being ransomed by hackers. In addition to the ransom note, hackers also posted screenshots proving their control over the city’s network systems and their expectation of payment.

UniCredit Financial Data Leak

Officials working for UniCredit, an Italian banking firm, announced that unauthorized access to their systems has left the sensitive information of nearly 3 million Italian exposed. Fortunately, the stolen information did not include any financial data, but did contain personally identifiable information such as names and contact details. It is unclear how hackers gained access to the data, though it appears the data may have even been taken years earlier in prior security breaches faced by the firm.

Ransomware Shuts Down New Mexico School District

Las Cruces Public Schools, a New Mexico school district, was forced to take their entire system offline following a ransomware attack. While email and other important services are still offline, students have still been attending classes as normal, though the process of fully remediating the incident has just begun. It is still unclear how the attack was initiated, but it’s the latest in a long line of educational institutions that have fallen victim to ransomware this year.

Malware Attack on Indian Power Plant

It has been confirmed that both an Indian nuclear power plant and another piece of infrastructure have fallen victim to a malware attack apparently tied to North Korean actors. Fortunately, the attacks did not allow unauthorized control of the systems, though this attack may have been only a test to determine security and response times in preparation for a larger, future attack. 

“Phishing” may have been a relatively obscure term, but pretty much everyone has heard of it by now. In fact, recent statistics indicate a high likelihood that you—or someone you know—have been the victim of a phishing attack at least once. 

Now, if you remember the classic Nigerian Prince scams from back in the day, you might be asking yourself how the stats could be so high. After all, it seems pretty unlikely that an otherwise cautious person would fall for something like that, right? And in today’s cyber-climate, where the news is filled with headlines about major hacks and malware infections that spread like wildfire, why would anyone click on links from unknown senders or hand over their sensitive, personal information (think SSNs, etc.) without verifying the authenticity of the request? It turns out, there are a lot of subconscious influences at play, and the thing that makes phishing attacks so successful is the way they take advantage of our trust, curiosity, fear, greed, and even desire to do a good job at work.

Understanding the factors that drive a successful phishing attack is fundamental to preventing them in the future. That’s why Webroot partnered with Dr. Cleotilde Gonzalez, research professor at Carnegie Mellon University, to take a deep dive into the psychology of phishing. 

Read our full report, Hook, Line, and Sinker: Why Phishing Attacks Work, for more information on the psychology behind phishing attacks.

Tip #1: Maintain strong, unique passwords. Using individual passwords for each of your accounts will help prevent fraud, identity theft, and other malicious activity. Consider using a secure password manager, and enable two-factor authentication wherever possible.

What kind of person clicks a phishing link, anyway?

The truth? We all do it. While 86% of Americans believe they can distinguish a phishing message from a genuine one, 62% have had their personal information compromised as part of a breach. So what’s the deal here?

“People are generally overconfident about their ability to spot the fakes. Overconfidence is a big problem in many human actions. In this case, this probably happens because the ratio of phishing emails to regular emails feels low, so our mind underestimates the probability of receiving a phishing email, and in turn, overestimates our ability to identify one if we do.” – Cleotilde Gonzalez, Ph. D.

Tip #2: Stay on your toes. The more overconfident and complacent you are about your security, the easier it is for you to be phished. Don’t play into a cybercriminal’s hands. Maintaining a healthy level of suspicion about all links and attachments in messages may make all the difference during an attempted breach.

How are phishers using psychology against us?

By tapping into our own personal sense of urgency, cybercriminals are able to manipulate us in subtle ways that we may not realize until it is too late. Hackers often use cleverly disguised email handles and targeted messaging, known as “spear phishing,” to create a sense of trust and familiarity. This makes links appear more legitimate, and makes us perceive the click as less risky.

“Ultimately, urgency, familiarity, and context have a strong impact on decision making. If you already expect to receive emails from your boss at your office (context and familiarity), and you are accustomed to messages that request quick action (urgency), then you are likely to assume the message is real. It might never occur to you to suspect that it could be phishing.” – Cleotilde Gonzalez, Ph. D.

What are the most convincing ways for a phisher to tap into your sense of urgency to get you to open their email? 

• 65% of Americans prioritize emails from their boss 
• 54% prioritize emails from family or friends 
• 33% prioritize emails to confirm bank transactions 

That means you shouldn’t feel weird or guilty for verifying odd requests from bosses, family, or friends. If your boss sends you an email asking for out-of-the-ordinary action, don’t hesitate to call them up and ask them for details. (Do this instead of replying to the email.) Same with links, downloads, and requests for information from family and friends. It never hurts to double-check.

Practicing phishing mindfulness, even when clicking links from seemingly trustworthy sources, cuts down significantly of the efficacy of spear phishing attacks. Pay close attention to sender addresses and handles, as well as signatures. If you get an email from your bank, financial institution, or even a regular website for which you have a login, navigate to their official website independently instead of clicking through on that potentially risky email.

Tip #3: Back everything up and do it regularly. All of your important data and files should be regularly backed up to a secure hard drive or cloud storage. When using a physical hard drive, only connect it while backing up. This will help prevent the drive from being affected by an infection.

Why are we still clicking?

Here’s the thing: 76% of Americans know they have received a phishing email, and yet still 56% of people would feel comfortable clicking on a link or attachment from an unknown source on their personal devices. So why are so many of us still willing to jeopardize our safety for an unknown link?

“Risk and under-weighed probability are linked. Risks sometimes come with rewards, right? So if the risk seems low and the reward seems high, you’ll make riskier decisions. It’s like gambling; our minds explore different gain/loss experiences, then respond with risk-taking or risk-averse actions.” – Cleotilde Gonzalez, Ph. D.

Tip #4: Always keep your software up-to-date. Hackers are known to regularly exploit security holes in outdated software and operating systems. By installing software updates when prompted, you can stop many cybercriminals in their tracks. 

What if you’ve been phished? Now what?

With 62% of those surveyed reporting some type of data breach, it’s important to know what to do in the event of a breach that can help keep the damage to a minimum. George Anderson, Product Marketing Director at Webroot, recommends the following steps:

1. Change your account passwords immediately! That includes accounts you don’t believe were breached, but are using the same or a similar password.
2. Set up alerts with your credit agency. 
3. Void existing credit cards and order new ones. 
4. Engage a credit security service. 
5. Notify law enforcement or the appropriate government agency. 

While some of these steps may seem obvious to you, they clearly need to be repeated; of people whose information was stolen or exposed, a baffling 32% didn’t bother to change their account passwords afterward. 

Dr. Gonzales shared her thoughts on what can be done to combat this type of complacency.

“These findings illuminate the fact that what we really need here is a mindset makeover,” she says. “The longer-term reward of security needs to be highlighted, front and center, not placed on the backburner. To do that, we’re going to have to shift the way that people think about security and prioritize their responsibilities. We have to allow the time and brain space for security-related considerations.”

What can we all do going forward?

You can nurture the type of security mindset shift Dr. Gonzalez references by taking small steps. First, you know those software and security updates you (like many people) are probably putting off? Just do them. Enable two-factor authentication wherever possible, especially on important online accounts like your banking and credit institution websites. 

You may even find that your heightened security practices influence those around you to make stronger choices. After all, seeing a person you know being on top of their game can be very motivating to start making personal changes! 

Remember, the most important thing you can do is avoid overconfidence. Don’t underestimate the risk of a phishing attack. Doing that is exactly what will make you a prime target for criminals.

“It’s a classic case of underweighting probabilities, but explicit numbers speak for themselves. Providing this information might help people calibrate the risk and confidence more accurately.” – Cleotilde Gonzalez, Ph. D.

In my previous blog post, Why Healthcare Organizations are Easy Targets for Cybercrime, I discussed various reasons that hospitals and healthcare organizations make desirable and lucrative targets for hackers. In this second installment, I’ll go over how criminals are attacking these organizations, the methods they use, and also what needs to be done to begin to address this dangerous threat. 

Medical Device Compromise

As I mentioned in my first blog on this topic, there is a wide array of connected medical devices in a hospital environment. These devices can be classified into 5 broad categories:

• Consumer wearables, such as sleep pattern monitors, fitness trackers, etc.
• Patient monitoring devices, including insulin pumps, ECG, heart rate monitors etc.
• IVD, blood analyzers, etc.
• Embedded devices, such as pacemakers and implants
• In-house equipment, like medicine dispensing systems, MRI, CT, and X-ray machines, etc.

Devices like these can he hacked in an alarming number of ways. In addition to attacks that could endanger patients’ lives, such as remotely tampering with pacemakers or insulin pumps, these devices may be exploited to enable data theft or to gain access to other hospital infrastructure or systems. In one example from 2017, penetration tester Saurabh Harit managed to compromise a digital pen used for writing prescriptions, which gave him access to a patient database and scans of each prescription.

Learn how can endpoint protection help you secure your business.

Data Breaches

Medical data is a valuable commodity that is openly traded on the dark web. Although hackers and automated malware are often to blame, old-fashioned user error can play a major role in these types of compromises. Phishing remains a preferred method for stealing data and infiltrating networks.

Some examples of stolen medical data include:

• Patient data. Identity and insurance fraud are relatively easy when you have access to the kinds of data medical organizations store about their patients. Additionally, this information can be used to charge expensive medical procedures, claim prescription drugs, or be exploited to breach other organizations outside of the healthcare industry. It can even be used for personal extortion and a host of other crimes.
• Administrative paperwork. Criminals may target medical licenses to forge prescriptions and commit other types of fraud or extortion.
• Prescription information. Criminals may forge prescriptions or drug labels and use them for purposes like fraud and even drug smuggling.
• Biometric data. As biometrics are increasingly used in security measures and law enforcement practices, records of fingerprints, ocular scans, and even heartbeats could be stolen and used for nefarious purposes. 

Ransomware

Because the services that medical facilities provide are essential and often cannot be disrupted without serious risk to patients, ransomware is a weapon of choice. Many organizations have no choice but to pay the ransom, and some health facilities have had to shut down permanently due to these attacks.

Medical facilities worldwide have turned patients away, curtailed or suspended services, and even closed as a result of ransomware attacks. The groups that carry out these attacks have typically done recon on their targets to discover exactly how to breach them and which systems to encrypt to cause maximum disruption. 

Of course, when we talk about ransomware affecting healthcare organizations, one attack stands out above them all: WannaCry. This nasty threat spread like wildfire across the world in 2017 and crippled many organizations through a combination of lateral wormlike propagation and machine-wrecking encryption. One of the largest and most publicized victims was the U.K.’s National Health Service. The attack “disrupted services across one-third of hospital trusts and around 8% of GP practices,” according to a report published by the NHS a year later. On top of that, ambulance services were affected and over 19,000 appointments were cancelled. 

Despite the financial gains to be had when attacking healthcare organizations, WannaCry was actually an example of a cyber-weapon spreading far beyond its intended targets; the attack was not specifically aimed at the NHS or other health orgs affected. 

Ultimately, WannaCry really highlighted the poor security practices prevalent in so many healthcare organizations. The NHS fell under a lot of scrutiny in the aftermath of the attack, particularly as Microsoft had issued a Windows® update that would have fixed the exploited vulnerability months before. Since then, the health service has undertaken a number of changes to shore up defenses.

The Stats

According to a survey of industry Chief Information Security Officers (CISOs) by Carbon Black, the state of cybersecurity in healthcare is somewhat bleak, if unsurprising.

• 83% of surveyed healthcare organizations said they’ve seen an increase in cyberattacks over the past year.
• Two-thirds (66%) of surveyed healthcare organizations said cyberattacks have become more sophisticated over the past year.
• With increased adoption of medical and IoT devices, the surface area for healthcare attacks is becoming even larger. 
• Limited cybersecurity staffing and stagnant cybersecurity budgets in the industry further compound the issues.

Other reports by security companies Thales and Fortinet paint a similar picture. A recent report in the HIPAA Journal puts data breaches at record levels in 2019.

What Needs to Happen

Healthcare’s poor track record when it comes to updates, patching and obsolete operating systems needs to be addressed—no question. Below are some of the other things that need to happen to improve security all around at hospitals and other healthcare practices.

• All staff members should be trained on security risks and best practices to avoid them.
• Medical device designers need to adopt security as a design principle ASAP.
• Hospitals and other facilities need to better audit and patch their devices, operating systems, applications, firmware, etc. to help eliminate vulnerabilities.
• Government initiatives and coordination are essential, not just for the public facilities they run but also for private practices.
• All healthcare practices should have antivirus and other cybersecurity solutions and should have access to security teams who can investigate any breaches to identify and address vulnerabilities.
• Access to devices, middleware, and APIs should be restricted where possible and secured.

And, finally, the “blame game” culture that pervades healthcare needs to be seen for what it really is: an obstacle to progress. Cybersecurity is a group effort that we should all share. From governing bodies to businesses to individual users, each of us has a role to play in creating a more secure connected world.

MedusaLocker Ransomware Spotted Worldwide

While it’s still unclear how MedusaLocker is spreading, the victims have been confirmed around the world in just the last month. By starting with a preparation phase, this variant can ensure that local networking functionality is active and maintain access to network drives. After shutting down security software and deleting Shadow Volume copies, it begins encrypting files while setting up self-preservation tasks.

Bargain Website Server Exposes Customer Data

Several websites used by UK customers to find bargains have left a database filled with customer data belonging to nearly 3.5 million users completely unprotected and connected to the internet. Along with the names and addresses of customers, the database also included banking details and other sensitive information that could be used to commit identity fraud. The researchers who initially discovered the breach notified the site owners, but received no response or any indication the leak would be resolved until nearly six weeks after the database was left exposed.

Arrests Made Following Major BEC Scam

At least three individuals have been arrested in Spain for their connection to a business email compromise (BEC) scam that netted over 10 million euros and affected 12 companies across 10 countries. It appears the operation began in 2016 and involved the cooperation of multiple law enforcement agencies. By creating a web of fake companies and bank accounts, the group was able to successfully launder money into various investments, including real estate, in an attempt to remain undetected.

LA Court System Hacked

The perpetrator of a 2017 spear phishing attack on the LA court system was sentenced to 145 months in prison following convictions on charges of wire fraud, unauthorized access to a computer, and identity theft. The individual was able to compromise employee email accounts and use them to launch a malspam campaign that distributed over 2 million emails.

Pennsylvania School District Hacked

Multiple students are being questioned after school district officials noticed unauthorized access to the student assistance site Naviance, a hack which appears to have been an attempt “to gain a competitive edge in a high-stakes water gun fight.” Access to the site would have also given them access to other student’s personal data, though no financial or social security information is stored on the site. District officials determined the security practices for the site lacking but have not currently released plans for improvement.