On Friday, December 13, New Orleans Mayor LaToya Cantrell declared a state of emergency for the city after a cyberattack was detected around 11 a.m.
The incident began at around 5 a.m., when NOLA Ready – New Orleans’ emergency preparedness campaign – confirmed “suspicious activity…on the City’s network”; by 11 a.m. it had been declared a “cybersecurity incident.” Once the threat was established, New Orleans’ IT department ordered all employee devices shut down and disconnected from Wi-Fi. Servers were also ordered to be powered down following the attack. Emergency response lines, however, remained open to take calls.
The City of New Orleans declared a state of emergency shortly after the cyberattack was detected. At a press conference held the Friday of the incident, Mayor LaToya Cantrell confirmed that a cyberattack was responsible for the unusual network activity. Officials stated that no data was lost in the attack and that there was still no indication that passwords had been compromised. Chief Information Officer Kim LaGrue confirmed that phishing emails asking employees for their login information had been sent while the attack was underway. There was also evidence that ransomware – specifically the Ryuk strain – was the cause of the cyberattack.
Mayor Cantrell did later affirm that ransomware was behind the attack, but according to the press conference held Monday, the 16th, investigations are still ongoing to verify whether Ryuk was indeed involved.
It’s always important to take precautionary steps to make sure you’re prepared for an impending cyberattack. Some cybersecurity steps you can take include:
- Backing up all your data
- Being mindful of which email links and attachments you click on
- Patching software vulnerabilities
- Using strong passwords and activating two-factor authentication for your accounts
There’s a new trojan spreading through malicious Word documents, and cybercriminals are using it to steal personal information and sensitive banking details. The malware, the Ursnif trojan, attacks Windows operating systems and is popular with hackers because its main source code was leaked, making it a widely available option for cybercriminals to take advantage of. This type of trojan has existed in different forms over the years, starting in 2007 when the code first surfaced in the Gozi banking trojan.
Since the code was leaked, hackers have customized it to their liking, stealing bank account information and other valuable account details. Cybersecurity firm Fortinet has identified a new version of the trojan that spreads through Word documents with the file name “info_[date].doc.” The hacker attaches a malicious macro script that launches once the document’s macros (a series of operations run through a single command) have been enabled.
The macros are enabled by clicking “Enable Content,” which runs VBA code that drops a version of the Ursnif malware onto the victim’s computer. The malware then runs “iexplorer.exe” processes to connect to a command and control server on the hacker’s end. In an effort to allay user suspicion, the host list for the server refers to security companies as well as Microsoft.
Researchers have stated that the campaign is still operating. Even though these techniques might seem basic, a simple phishing email could give these cybercriminals a foothold to invade networks and initiate an extensive cyberattack.
As always, be mindful of the emails you receive, especially those with unsolicited document attachments, and check the sender’s email address to verify whether the email is spam. When in doubt, contact the company referenced in the email directly, using a phone number provided on its actual website.
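As an added example (not code from the article or from Fortinet), here is a small mail-gateway triage rule in Python that does what the advice above asks a human to do: it pulls every attachment out of a message, checks whether an Office document carries the header of a legacy compound file and a VBA project stream, and matches the “info_[date].doc” naming pattern. The byte markers, the date format in the lure name, and the sample message are all assumptions of this example; the “.doc” it builds is a fake placeholder, not real malware.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Markers used by this triage rule (assumptions of this example, not taken from the article)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # header of legacy .doc/.xls compound files
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")         # stream name an embedded VBA project carries
OFFICE_EXTS = (".doc", ".dot", ".xls", ".docm", ".xlsm")
# Assumed shape of the "info_[date].doc" lure name mentioned in the article
LURE_NAME = re.compile(r"^info_[\d._-]+\.doc$", re.IGNORECASE)


def triage_attachment(filename: str, payload: bytes) -> dict:
    """Classify one attachment as allow / review / quarantine."""
    name = (filename or "").lower()
    is_office = name.endswith(OFFICE_EXTS)
    has_ole = payload.startswith(OLE_MAGIC)
    has_vba = has_ole and VBA_MARKER in payload
    lure_name = LURE_NAME.match(name) is not None
    if is_office and has_vba:
        verdict = "quarantine"   # macro-bearing Office document: hold it for analysis
    elif is_office or lure_name:
        verdict = "review"       # Office document without a visible VBA project, or a lure-style name
    else:
        verdict = "allow"
    return {"filename": filename, "office": is_office, "vba": has_vba,
            "lure_name": lure_name, "verdict": verdict}


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and triage every attachment it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_content()
        if isinstance(payload, str):          # text attachments come back already decoded
            payload = payload.encode("utf-8", "replace")
        results.append(triage_attachment(part.get_filename(), payload))
    return results


def build_sample_eml() -> bytes:
    """Constructed sample message: a fake macro-bearing .doc plus a harmless PDF (no real malware)."""
    msg = EmailMessage()
    msg["From"] = "invoices@sender.example"
    msg["To"] = "staff@company.example"
    msg["Subject"] = "Document"
    msg.set_content("Please see the attached document.")
    fake_doc = OLE_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 64
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="info_20191213.doc")
    msg.add_attachment(b"%PDF-1.4 constructed harmless sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_eml()):
        print(finding)
```

The marker scan is a cheap first pass, not a full parser: a compound file without a VBA project still lands in “review” because the extension alone is worth a second look, and a document with a lure-style name is flagged even when it is not an OLE file at all.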
Sprint’s mobile network Boost Mobile recently admitted that hackers had breached customers’ accounts through its main website. The data breach originally occurred back in March and was only recently announced.
In a website notification, the company stated that its site “experienced unauthorized online account activity [and that] an unauthorized person accessed [user] account[s] through [their] Boost phone number and Boost.com PIN code.” The company’s fraud team noted that the incident was quickly dealt with through “a permanent solution [that was used] to prevent similar unauthorized account activity.”
With access to Boost Mobile user account names and PINs, hackers can use a type of cyberattack known as credential stuffing to automate login requests against the Boost Mobile site and get into consumer accounts. The company has already sent a text with a new temporary PIN to those affected by the breach. Users can log into their accounts with the link provided in the text message in order to set a new PIN code. Boost Mobile recommends that users reset their PINs if they have not done so already.
In the meantime, the company has also recommended that customers regularly check their Boost Mobile accounts for any fraudulent activity and report any identity theft or fraud to consumer credit reporting companies.
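Credential stuffing leaves a recognisable trace on the server side: one client address walks through many different usernames in a short time, most attempts failing and a few succeeding. As an added example (not Boost Mobile’s own tooling), the Python below runs that check over a few constructed login-log lines, flags any source address that touches at least five distinct accounts inside a five-minute window, and lists the accounts that succeeded from it so their PINs can be reset. The log format, the window and the threshold are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window length (tuning assumption)
MIN_DISTINCT_USERS = 5          # distinct accounts from one IP inside the window (tuning assumption)

# Constructed sample log lines: "<timestamp> <client ip> login <OK|FAIL> user=<name>"
SAMPLE_LOG = """\
2019-03-14T10:00:01Z 203.0.113.7 login FAIL user=u1001
2019-03-14T10:00:03Z 203.0.113.7 login FAIL user=u1002
2019-03-14T10:00:04Z 203.0.113.7 login FAIL user=u1003
2019-03-14T10:00:06Z 203.0.113.7 login OK user=u1004
2019-03-14T10:00:07Z 203.0.113.7 login FAIL user=u1005
2019-03-14T10:00:09Z 203.0.113.7 login FAIL user=u1006
2019-03-14T10:00:10Z 203.0.113.7 login FAIL user=u1007
2019-03-14T10:00:12Z 203.0.113.7 login FAIL user=u1008
2019-03-14T10:01:00Z 198.51.100.9 login FAIL user=alice
2019-03-14T10:01:20Z 198.51.100.9 login FAIL user=alice
2019-03-14T10:01:45Z 198.51.100.9 login OK user=alice
2019-03-14T10:02:00Z 192.0.2.20 login OK user=bob
"""


def parse_line(line: str):
    """Split one log line into (timestamp, ip, status, user)."""
    ts_s, ip, _, status, user_kv = line.split()
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
    return ts, ip, status, user_kv.split("=", 1)[1]


def detect_credential_stuffing(lines) -> dict:
    """Return {ip: summary} for every source address that tried too many distinct accounts."""
    events = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, ip, status, user = parse_line(line)
        events[ip].append((ts, status, user))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        # Largest number of distinct usernames seen in any WINDOW starting at an event
        best = 0
        for i, (start, _, _) in enumerate(evs):
            users = {u for ts, _, u in evs[i:] if ts - start <= WINDOW}
            best = max(best, len(users))
        if best >= MIN_DISTINCT_USERS:
            alerts[ip] = {
                "distinct_users": best,
                "attempts": len(evs),
                "failures": sum(1 for _, s, _ in evs if s == "FAIL"),
                # Accounts that the flagged address actually got into: reset their credentials
                "accounts_to_reset": sorted(u for _, s, u in evs if s == "OK"),
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The distinct-user count is what separates stuffing from an ordinary forgotten password: 198.51.100.9 fails three times on a single account and is left alone, while 203.0.113.7 cycles through eight accounts in eleven seconds and is flagged together with the one account it opened.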
Microsoft recently announced that a security breach had taken place on its Outlook.com service, in which hackers were able to access user accounts, essentially allowing cybercriminals to view email messages, email addresses, and folder names.
According to Microsoft, a support agent’s web mail account was compromised, allowing hackers to access user accounts from January 1st to March 28th, 2019. Once the issue was discovered, the support account was taken down.
Vice’s Motherboard claims that the hackers had access to users’ accounts for six months, which Microsoft refuted, stating that the breach occurred within the three-month period mentioned in its notification message to users. The compromise even allowed hackers to access iCloud accounts to remove the Activation Lock feature on stolen iPhones – a feature that would otherwise prevent thieves from factory resetting the devices to sell for profit.
Microsoft notified those consumers – around six percent – whose email contents may have been viewed by the hackers. The total number of consumers affected by this breach has not been revealed by Microsoft.
Tax Day is coming up on April 15th, and cybercriminals are out to profit at many victims’ expense. A tax-themed malware called TrickBot is being sent to inboxes, with the hackers impersonating payroll providers like Paychex and ADP and sending malware-infected Excel documents to their recipients.
TrickBot works by exploiting network vulnerabilities to get in and steal sensitive information such as passwords and bank account details, which is then used to file fraudulent tax forms and collect the returns. Scams caused by TrickBot cost the IRS over a million in losses back in 2016.
Researchers from IBM X-Force noted that the cybercriminals are using domains that look highly similar to those of actual payroll providers in order to deceive recipients into thinking the email comes from a legitimate source.
IBM global executive security advisor Limor Kessem stated that “this campaign [is] highly targeted in its efforts to infiltrate US organizations,” and the threat from TrickBot doesn’t look like it’ll cease. Kessem goes on to explain that “TrickBot [is] one of the most prominent organized crime gangs in the bank fraud arena, [so] we…expect to see it maintain its position on the global malware chart, unless it is interrupted by law enforcement in 2019.”
Before clicking any email link, double-check the legitimacy of the email by looking closely at the sender information. Hovering over a link also lets you see where the URL leads before you actually click it; just check the small window that pops up above the link to make sure the site is safe.
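The “looks highly similar” trick that X-Force describes can be checked mechanically. As an added example (not IBM’s or the payroll providers’ code), the Python below compares the sender’s domain against a small allowlist of legitimate payroll-provider domains and reports a look-alike when the main label is within two edits of a trusted brand, when a trusted brand is reused as a hyphenated token, or when digits stand in for letters. The allowlist entries, the homoglyph table and the sample addresses (all on the reserved .example suffix) are assumptions of this example.

```python
# Assumed allowlist of legitimate payroll-provider domains (illustrative, not from the article)
TRUSTED_DOMAINS = ["paychex.com", "adp.com"]
# Digits commonly swapped for look-alike letters (assumption of this example)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MAX_DISTANCE = 2   # edit-distance threshold for calling a label a look-alike (tuning assumption)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def main_label(domain: str) -> str:
    """The label left of the TLD; simplification that ignores multi-part suffixes such as co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_sender(address: str) -> dict:
    """Return trusted / lookalike / unknown for the domain of an e-mail address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return {"domain": domain, "verdict": "trusted", "closest": domain, "distance": 0}
    label = main_label(domain).translate(HOMOGLYPHS)   # fold digit look-alikes back to letters
    closest, best = None, None
    for trusted in TRUSTED_DOMAINS:
        t_label = main_label(trusted)
        d = levenshtein(label, t_label)
        if t_label in label.split("-"):   # brand reused as a hyphenated token, e.g. brand-secure
            d = 0
        if best is None or d < best:
            closest, best = trusted, d
    verdict = "lookalike" if best <= MAX_DISTANCE else "unknown"
    return {"domain": domain, "verdict": verdict, "closest": closest, "distance": best}


# Constructed sample senders for a quick run
SAMPLE_SENDERS = [
    "notifications@paychex.com",
    "hr@paychek.example",
    "payroll@adp-payroll.example",
    "alerts@paych3x.example",
    "news@weather.example",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(sender, classify_sender(sender))
```

A “lookalike” verdict is a reason to hold the message for review rather than proof of fraud; the same check belongs in the link-hover habit described above, applied to the host part of the URL.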
Announced just yesterday: the U.K. Police Federation of England and Wales (PFEW) survey headquarters was hit with a cyberattack – ransomware that encrypted computer email systems and databases and deleted backup data.
The attack occurred on March 9 and affected this headquarters alone – comprising approximately 119,000 police officers – as a statement provided by the Federation revealed that its 43 branches spread throughout the U.K. and Wales were not affected.
In a tweet yesterday morning, the Police Federation explained that “[t]here is no evidence at this stage that any data was extracted from our systems but this cannot be discounted.”
Officers of the National Cyber Crime Unit have begun their investigation and are in contact with PFEW to determine the nature of the attack and the extent of the damage. According to the PFEW, the attack was likely carried out as part of a much larger campaign set to cause further havoc.
The incident was reported to the U.K. data protection regulator within three days, as European regulations require, although the PFEW announced the attack 12 days after it first occurred.
User data is now being sold on a dark web marketplace, Dream Market, where individuals sell malware and user data. Currently the individual(s) – “Gnosticplayers” – is selling the stolen website credentials for around four bitcoin, approximately $20,000 in value according to TechCrunch’s reporting. The asking price varies based on which website the data comes from, as well as on the quality of the user data. It is currently unclear whether the hacker is acting alone or as part of a team in selling the user data acquired from this breach.
ZDNet reports the following affected websites, including the number of accounts stolen and the seller’s asking price:
Last week’s data breach, which included 620 million user accounts from 16 websites, was taken down from the dark web by its seller, as “buyers complained that a prolonged sale would…lead to [the]…databases…becoming available to everyone,” as Catalin Cimpanu from ZDNet reports.
In a recent filing with California’s Attorney General Office, 1-800-FLOWERS was revealed to be the victim of a silent malware attack that affected the business over a four-year period. As the filing explains, customer credit card information was stolen from the Canadian branch’s website, while the main 1800Flowers.com website was unaffected.
What is notable is that the malware affected the site for four years without being detected. Between August 15, 2014 and September 15, 2018, consumers’ first and last names, as well as card numbers, expiry dates, and security codes, were all accessed by the unknown hacker(s).
The report did not disclose the number of consumers affected by the breach, but under California law the company is required to inform its customers of an incident when a breach affects more than 500 people.
Interestingly enough, 1-800-FLOWERS was the second company to report a four-year-long breach, as Marriott was also affected over a four-year period in which hackers stole 500 million guest records.
For now, the company recommends that all its customers keep a close watch on their payment records and report any suspicious charges to their bank or card issuer.
Facebook faced immense backlash when the company announced that 30 million personal accounts had been compromised in its most recent data breach back in September. Users’ contact and address information was accessed during the breach, along with other sensitive data such as a user’s 15 most recent searches.
Facebook’s Help Center can help users find out whether their account was hit by the breach.
Use these steps to find out how:
- In the top right corner of your Facebook account, click the “?” icon to access the Help Center. You can also click the link below:
- Search for “security incident” in the search box at the top.
- Scroll down to the bottom of the page to the section marked “Is my Facebook account impacted by this security issue?”
This section gives users a “yes” or “no” answer. The message will also show up in users’ news feeds.
If No, there is no action to be taken at this time.
If Yes, you will be in one of these categories:
- You’re one of the 15 million users whose name and phone/email were stolen.
- You’re one of the 14 million users whose accounts were breached, giving access to your “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places you’ve checked into or were tagged in, website, people or Pages you follow, and the 15 most recent searches.”
- You’re one of the 1 million users whose access token was stolen but, luckily, no information was accessed.
If your data was accessed in this breach, there is no need to change your password or credit card information at this time. Still, keep an eye out for scam calls and spam emails that ask for personal information such as the login credentials for your accounts. If you were among the 14 million in Group B, it’s best to call your bank or phone carrier and set a PIN code to prevent hackers from impersonating you in order to access your accounts.
After such a massive data breach, should we really trust Facebook as a safe space to continue sharing with our loved ones?
The company says that passwords may also have been revealed, though only in an encrypted form, not [compromised].
In a statement to customers on Thursday evening, T-Mobile announced a new data breach that allowed hackers to access more than 2 million people’s personal information, such as their name, number, address, account number, and account type. Credit card information was not accessed during the breach. A T-Mobile representative told Motherboard that “[a]round 3 percent of [the company’s] 77 million customers…may have been affected” (Sean Keane, CNET). A text message was sent to all customers affected by the breach.
It was later discovered that “encrypted passwords” were also exposed in the data breach, as explained by a T-Mobile spokesperson. John Legere, T-Mobile’s CEO, mentioned in a tweet that “it’s always a good idea to regularly change account passwords.”
“The company says that hackers couldn’t actually read them — since they were encrypted — but Motherboard says that a pair of security researchers believe T-Mobile used the MD5 algorithm to protect them, a protection scheme whose own author declared it ‘no longer considered safe’ back in 2012. However, T-Mobile wouldn’t confirm whether it used MD5 or not.”
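Whatever T-Mobile actually used, the quoted passage points at the difference between “encrypted” in the marketing sense and password storage that survives a breach. As an added example (not T-Mobile’s code, and no claim about its real scheme), the Python below puts an unsalted MD5 table next to a salted PBKDF2-HMAC-SHA256 one and shows the property a stolen table leaks: with MD5, every user who chose the same password has the same stored value, so one cracked hash opens all of them and reuse is visible at a glance; with a random per-user salt and a work factor, identical passwords store differently and each guess has to be recomputed per user. The sample user table and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set


def md5_store(password: str) -> str:
    """The weak scheme: fast, unsalted MD5. Same password -> same hash for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Hardened scheme: PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt and a work factor."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the parameters can be raised later without a flag day
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hash_groups(records: Dict[str, str]) -> List[Set[str]]:
    """Groups of users whose stored values are identical. Unsalted MD5 leaks password reuse this way."""
    by_hash: Dict[str, Set[str]] = {}
    for user, stored in records.items():
        by_hash.setdefault(stored, set()).add(user)
    return [group for group in by_hash.values() if len(group) > 1]


# Constructed sample user table (two users happen to share a password)
SAMPLE_USERS = {
    "alice": "Winter2019!",
    "bob": "Winter2019!",
    "carol": "correct horse battery staple",
}


def compare_schemes() -> dict:
    """Build both tables from the sample users and report which one exposes the shared password."""
    md5_table = {u: md5_store(p) for u, p in SAMPLE_USERS.items()}
    pbkdf2_table = {u: pbkdf2_store(p) for u, p in SAMPLE_USERS.items()}
    return {
        "md5_duplicate_groups": duplicate_hash_groups(md5_table),
        "pbkdf2_duplicate_groups": duplicate_hash_groups(pbkdf2_table),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

The salt is what makes the second group empty, and the iteration count is what makes each guess cost something; MD5 has neither, which is why a leaked MD5 table is treated as a plaintext leak in all but name. A memory-hard function such as scrypt (also in hashlib) or Argon2 would be the usual choice for new systems; PBKDF2 is shown here because it needs nothing beyond the standard library.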