As #cybersecurity attacks increase exponentially, SolarWinds has been a target for hackers for almost a year now. Here’s some insight on how it happened and how to avoid becoming part of a #cyberattack.
On Friday, December 13, New Orleans Mayor LaToya Cantrell declared a state of emergency for the city after a cyberattack was detected around 11 a.m.
The incident began at around 5 a.m., when NOLA Ready – New Orleans’ emergency preparedness campaign – confirmed “suspicious activity…on the City’s network”; by 11 a.m. it was confirmed as a “cybersecurity incident.” Once the threat was established, New Orleans’ IT department ordered all employee devices shut down and disconnected from Wi-Fi. Servers were also ordered to be powered down following the attack. Emergency response lines remained open to take calls, however.
The City of New Orleans declared a state of emergency shortly after the cyberattack was detected. A press conference was held the Friday of the incident, in which Mayor LaToya Cantrell confirmed that a cyberattack was responsible for the unusual network activity. Officials stated that no data was lost in the attack and that there is still no indication that passwords were compromised. Chief Information Officer Kim LaGrue confirmed that, while the attack was underway, phishing emails asking employees for their login information had been sent. There was also evidence that ransomware – specifically the Ryuk strain – was the cause of the cyberattack.
According to the press conference held Monday, the 16th, Mayor Cantrell did later affirm that ransomware was behind the attack, but investigations are still ongoing to verify whether Ryuk was indeed involved.
It’s always important to take precautionary steps to make sure you’re prepared for an impending cyberattack. Some cybersecurity steps you can take include:
- Backing up all your data
- Being mindful of what email links and attachments you click on
- Patching software vulnerabilities
- Using strong passwords and activating two-factor authentication for your accounts
Sprint’s mobile network Boost Mobile recently admitted that hackers had breached customers’ accounts through its main website. The data breach originally occurred back in March and was only recently announced.
A notification posted on the website stated that the site “experienced unauthorized online account activity [and that] an unauthorized person accessed [user] account[s] through [their] Boost phone number and Boost.com PIN code.” The company’s fraud team noted that the incident was quickly taken care of through “a permanent solution [that was used] to prevent similar unauthorized account activity.”
With access to Boost Mobile user account names and PINs, hackers can use a type of cyberattack known as credential stuffing: automatically sending large numbers of login requests to the Boost Mobile site with the stolen phone-number/PIN pairs in order to access consumer accounts. The company has already sent a text with a new temporary PIN to those affected by the breach. Users can log into their accounts with the link provided in the text message in order to set a new PIN code. Boost Mobile recommends that users reset their PINs if they have not done so already.
In the meantime, the company has also recommended that customers regularly check their Boost Mobile accounts for any fraudulent activity and to report any identity theft or fraud to consumer credit reporting companies.
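The credential-stuffing pattern described above has a simple signature in login logs: one source address tries many different accounts in a short window, mostly failing, whereas a legitimate user retries a single account. The following is an added example (not code from Boost Mobile or the original post) that scans constructed login log lines for that pattern and lists the accounts that were successfully entered from a flagged source, which is the set a provider would force a PIN reset on. The log format, the field names and the thresholds are assumptions.

```python
"""Detect credential-stuffing sources in web login logs (added example).

The log lines below are constructed for illustration; the format
'<iso-timestamp> ip=<addr> user=<account> result=<fail|success>' and
the detection thresholds are assumptions a defender would tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.9 tries six different accounts in seconds,
# 198.51.100.7 is an ordinary user mistyping one PIN twice.
SAMPLE_LOG = """\
2019-03-14T10:00:01 ip=203.0.113.9 user=5551230001 result=fail
2019-03-14T10:00:02 ip=203.0.113.9 user=5551230002 result=fail
2019-03-14T10:00:02 ip=203.0.113.9 user=5551230003 result=fail
2019-03-14T10:00:03 ip=203.0.113.9 user=5551230004 result=success
2019-03-14T10:00:03 ip=203.0.113.9 user=5551230005 result=fail
2019-03-14T10:00:04 ip=203.0.113.9 user=5551230006 result=fail
2019-03-14T10:05:00 ip=198.51.100.7 user=5559876543 result=fail
2019-03-14T10:05:20 ip=198.51.100.7 user=5559876543 result=fail
2019-03-14T10:05:40 ip=198.51.100.7 user=5559876543 result=success
"""


def parse_line(line):
    """Turn one log line into a dict with a parsed 'ts' datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_accounts=5, max_success_ratio=0.5):
    """Return {ip: distinct_accounts_tried} for sources that look like stuffing.

    A source is flagged when, inside any sliding window, it attempts at least
    `min_accounts` distinct usernames and most of those attempts fail.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            accounts = {r["user"] for r in chunk}
            successes = sum(r["result"] == "success" for r in chunk)
            if len(accounts) >= min_accounts and successes / len(chunk) <= max_success_ratio:
                flagged[ip] = max(flagged.get(ip, 0), len(accounts))
    return flagged


def compromised_accounts(log_text, flagged_ips):
    """Accounts that were successfully logged into from a flagged source.

    These are the accounts whose PINs should be rotated, mirroring the
    temporary-PIN reset described in the post.
    """
    hits = set()
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec["ip"] in flagged_ips and rec["result"] == "success":
                hits.add(rec["user"])
    return hits


if __name__ == "__main__":
    sources = find_stuffing_sources(SAMPLE_LOG)
    print("flagged sources:", sources)
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG, sources))
```

The success-ratio check matters: a stuffing run that reuses leaked PINs does land some logins, so a detector that only counts failures would miss the very accounts that need resetting.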
Tax Day is coming up on April 15th, and cyber criminals are out to profit at many victims’ expense. A tax-themed campaign delivering the TrickBot malware is being sent to inboxes: the hackers impersonate payroll providers like Paychex and ADP and send malware-infected Excel documents to their recipients.
TrickBot works by exploiting network vulnerabilities to get in and steal sensitive information such as passwords and bank account details, which is then used to file fraudulent tax forms and collect the returns. Scams caused by TrickBot cost the IRS over a million in losses back in 2016.
Researchers from IBM X-Force noted that cyber criminals are using domains that look highly similar to those of actual payroll providers in order to deceive recipients into thinking the email is from a legitimate source.
IBM global executive security advisor Limor Kessem stated that “this campaign [is] highly targeted in its efforts to infiltrate US organizations,” and the threat from TrickBot doesn’t look like it’ll cease. Kessem continues by explaining that “TrickBot [is] one of the most prominent organized crime gangs in the bank fraud arena, [so] we…expect to see it maintain its position on the global malware chart, unless it is interrupted by law enforcement in 2019.”
Before clicking on any email link, it is highly advised to double-check the legitimacy of the email by looking closely at the sender information. Hovering over an email link also lets you see where the URL actually leads before you click on it; check the small window that pops up near the link and make sure the destination is the site you expect, not a lookalike.
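The two checks above, comparing where a link really points with what it claims to be and spotting domains that imitate a legitimate provider, can be automated for a mail gateway or a triage script. What follows is an added example, not code from IBM X-Force or the original post: it parses a constructed HTML email, flags anchors whose visible text names a different domain than the href, and flags target domains that closely resemble an assumed list of known-good payroll domains.

```python
"""Flag deceptive links and lookalike domains in an HTML email (added example).

The sample email and the KNOWN_GOOD_DOMAINS list are constructed/assumed
for illustration; a real deployment would use the organisation's own
allow-list of provider domains.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of legitimate payroll-provider domains (not from the page).
KNOWN_GOOD_DOMAINS = {"paychex.com", "adp.com"}

# Constructed sample: the first link's visible text shows the real provider,
# but the href goes to a lookalike domain.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your W-2 is ready. Review it at
<a href="http://paychex-taxforms.com/login">https://www.paychex.com/w2</a>.</p>
<p>Or see our <a href="https://www.adp.com/help">help center</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable-domain helper: last two labels (fine for .com-style names)."""
    host = host.lower().strip(".")
    return ".".join(host.split(".")[-2:])


def link_domain(text):
    """Domain named in URL-looking anchor text, or None if the text is not a URL."""
    m = re.match(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text.strip())
    return registrable_domain(m.group(1)) if m else None


def levenshtein(a, b):
    """Edit distance, used to catch near-miss spellings of a known domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_GOOD_DOMAINS):
    """Return the known-good domain this one imitates, or None if exact or unrelated."""
    if domain in known:
        return None
    base = domain.split(".")[0]
    for good in known:
        good_base = good.split(".")[0]
        # Either the brand name is embedded ('paychex-taxforms') or it is a near misspelling.
        if good_base in base or levenshtein(base, good_base) <= 2:
            return good
    return None


def check_email_links(html):
    """Return findings: ('display-mismatch', shown_text, real_domain) or
    ('lookalike-domain', real_domain, imitated_domain)."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        shown = link_domain(text)
        if shown and shown != target:
            findings.append(("display-mismatch", text, target))
        imitated = lookalike_of(target)
        if imitated:
            findings.append(("lookalike-domain", target, imitated))
    return findings


if __name__ == "__main__":
    for finding in check_email_links(SAMPLE_EMAIL_HTML):
        print(finding)
```

The display-mismatch check is exactly what hovering over a link reveals by hand; the lookalike check covers the case in the IBM X-Force finding, where the email itself looks clean but the domain is a close imitation of the real provider's.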
User data is now being sold on a dark web marketplace, Dream Market, where individuals sell malware and user data. Currently, the individual(s) known as “Gnosticplayers” is selling the stolen website credentials for around four bitcoin, approximately $20,000 in value according to TechCrunch’s reporting. The asking price varies by which website the data comes from, as well as by the quality of the user data. It is currently unclear whether the hacker is acting alone or working with a team in selling the user data acquired from this breach.
ZDNet reports the following affected websites, including the number of accounts stolen and the price the seller is asking for each:
Last week’s data breach, which included 620 million user accounts from 16 websites, was taken down from the dark web by its seller, as “buyers complained that a prolonged sale would…lead to [the]…databases…becoming available to everyone,” as Catalin Cimpanu from ZDNet reports.
During the Winter Olympics opening ceremony last week, Wi-Fi and television systems failed strangely for on-site journalists covering the event. On Sunday, Olympics officials reported that the failures weren’t simply an accident – they were the result of a targeted cyberattack against the international event.
Unfortunately, this isn’t the only cyberattack the 2018 Winter Olympics have been targeted with. The attacks came after the banning of certain Russian athletes from the games. A Russian hacking group, Fancy Bears, claimed responsibility for the various attacks on the U.S. and International Olympic Committees as a result of the ban.
After the attack, Cisco Talos looked into the Olympic Destroyer malware and determined that it was capable of interfering with a Windows computer’s data recovery processes. It could also delete critical services.
The researchers stated, “The samples identified, however, are not from adversaries looking for information from the games, but instead they are aimed to disrupt the games. The samples analyzed appear to perform only destructive functionality.”
Another major issue was that files on network shares were also gone. Additionally, the malware uses a self-patching feature that allows it to change after moving from one host system to the next. Lastly, it was discovered to be using the EternalRomance exploit, an NSA exploit leaked by the Shadow Brokers in 2017 – also used (alongside EternalBlue) to spread the NotPetya ransomware last year.
As of now, that’s the latest information we’ve seen. We’ll update this if there is more information.
More than 45,000 attacks across 74 countries were carried out in a global cyberattack today. Among those affected, 16 National Health Service (NHS) hospitals in England were hit, along with FedEx and Spain’s largest telecom.
The attack appears to have been carried out by hackers using a stolen tool created by the United States National Security Agency (NSA) to spread the WannaCry ransomware.
With this strain of ransomware, $300 (£233) is being demanded in exchange for the decryption key for each locked system. Hospitals were forced to shut down their emergency rooms and send patients to other locations. Patient records, schedules, phones and email were all compromised during the attack, putting a number of patients at grave risk.
As of now, it is not being treated as a matter of national security brought on by a foreign power. It is still being treated as a very serious matter.