SamSam ransomware is back and the Colorado Department of Transportation is its most recent victim. More than 2,000 agency computers had to be shut down on Feb 21 to prevent the ransomware from spreading across the entire infrastructure.
According to CBS local news, the critical systems used to manage road traffic and alerts were not affected. The attackers encrypted some files and requested bitcoin in exchange for the decryption key.
DoT is working with a security company to restore its systems, and the FBI has also been called in to investigate the extent of the damage.
“Early this morning state security tools detected that a ransomware virus had infected systems at the Colorado Department of Transportation. The state moved quickly to quarantine the systems to prevent further spread of the virus,” said David McCurdy, OIT’s Chief Technology Officer.
“OIT, FBI and other security agencies are working together to determine a root cause analysis. This ransomware virus was a variant and the state worked with its antivirus software provider to implement a fix today. The state has robust backup and security tools and has no intention of paying ransomware. Teams will continue to monitor the situation closely and will be working into the night.”
The Colorado Department of Transportation is one of many organizations that fell victim to SamSam ransomware, which in January infected vulnerable networks in hospitals, city councils, educational facilities and transportation systems.
Following its infection with SamSam and the encryption of over 1,400 files, a hospital in Indiana paid $55,000 to restore its systems. In that case, although they had data backups, they chose to pay the ransom. SamSam doesn’t spread via phishing campaigns but takes advantage of unsecured devices directly connected to the internet and uses them to spread laterally across the network.
About 1,000 patients at Penn Medicine are receiving letters saying a computer with some of their personal information on it was stolen.
A laptop containing patient files was reported stolen from a car at the King of Prussia Mall parking lot on Nov. 30, according to a spokesperson at the University of Pennsylvania Health System. So far, there is no indication the computer has been turned on or the patient information accessed, they stated.
Patient names, birth dates, medical records, account numbers, and some other demographic and medical information were on the computer. There were no Social Security numbers, credit card or bank account information, patient addresses or telephone numbers stolen, according to Penn Medicine.
The health system is working with Upper Merion Township police, as well as the relevant internet service provider.
Penn Medicine is reviewing internal procedures to safeguard patient information contained on portable devices, the spokesperson said.
Patients with questions can contact the Penn Medicine Incident Response Line at 1-833-214-8740.
A new widespread ransomware worm, known as “Bad Rabbit,” that hit over 200 major organizations, primarily in Russia and Ukraine this week leverages a stolen NSA exploit released by the Shadow Brokers this April to spread across victims’ networks.
Earlier it was reported that this week’s crypto-ransomware outbreak did not use any National Security Agency-developed exploits, neither EternalRomance nor EternalBlue, but a recent report from Cisco’s Talos Security Intelligence revealed that the Bad Rabbit ransomware did use the EternalRomance exploit.
NotPetya ransomware (also known as ExPetr and Nyetya), which infected tens of thousands of systems back in June, also leveraged the EternalRomance exploit, along with another leaked NSA Windows exploit, EternalBlue, which was used in the WannaCry ransomware outbreak.
Bad Rabbit Uses EternalRomance SMB RCE Exploit
Bad Rabbit does not use EternalBlue but does leverage the EternalRomance RCE exploit to spread across victims’ networks.
Microsoft and F-Secure have also confirmed the presence of the exploit in the Bad Rabbit ransomware.
EternalRomance is one of many hacking tools that allegedly belonged to the NSA’s elite hacking team, called Equation Group, and that were leaked by the infamous hacking group calling itself Shadow Brokers in April this year.
EternalRomance is a remote code execution exploit that takes advantage of a flaw (CVE-2017-0145) in Microsoft’s Windows Server Message Block (SMB), a protocol for transferring data between connected Windows computers, to bypass security over file-sharing connections, thereby enabling remote code execution on Windows clients and servers.
Along with EternalChampion, EternalBlue, EternalSynergy and other NSA exploits released by the Shadow Brokers, the EternalRomance vulnerability was also patched by Microsoft this March with the release of a security bulletin (MS17-010).
Bad Rabbit was reportedly distributed via drive-by download attacks from compromised Russian media sites, using a fake Adobe Flash Player installer to lure victims into installing the malware unwittingly, and demanding 0.05 bitcoin (~$285) from victims to unlock their systems.
How Bad Rabbit Ransomware Spreads In a Network
According to the researchers, Bad Rabbit first scans the internal network for open SMB shares, tries a hardcoded list of commonly used credentials to drop the malware, and also uses the Mimikatz post-exploitation tool to extract credentials from the affected systems.
Bad Rabbit can also use the Windows Management Instrumentation Command-line (WMIC) scripting interface in an attempt to execute code remotely on other Windows systems on the network, Endgame noted.
However, according to Cisco’s Talos, Bad Rabbit also carries code that uses EternalRomance, which allows remote attackers to propagate from an infected computer to other targets more efficiently.
“We can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel’s session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor,” Talos researchers wrote.
“Both actions are possible due to the fact that EternalRomance allows the attacker to read/write arbitrary data into the kernel memory space.”
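The propagation behaviour described above (a hardcoded credential list tried over SMB, followed by remote execution through WMIC) leaves a recognisable footprint in Windows Security event logs. The following detection sketch is an added example, not code from the original article or from any of the researchers cited; it runs over constructed event records in which the host names, account names and `/node:` target are invented, and the field layout is a simplification of the Windows event schema (Event ID 4625 = failed logon, 4688 = process creation).

```python
"""Detection sketch for Bad Rabbit-style lateral movement (added example).

Flags two behaviours from the article: one source host failing network
logons (LogonType 3) against many distinct accounts, the signature of a
hardcoded credential list being tried against SMB shares, and WMIC being
invoked with /node:, i.e. aimed at another machine on the network.
"""
from collections import defaultdict

# Constructed sample records: (event_id, source_host, account, detail).
# Hosts, accounts and the /node: target are invented for illustration.
SAMPLE_EVENTS = [
    (4625, "WS-17", "Administrator", "LogonType=3"),
    (4625, "WS-17", "admin", "LogonType=3"),
    (4625, "WS-17", "user", "LogonType=3"),
    (4625, "WS-17", "guest", "LogonType=3"),
    (4625, "WS-17", "root", "LogonType=3"),
    (4625, "WS-42", "jdoe", "LogonType=3"),  # a single mistyped password, benign
    (4688, "WS-17", "Administrator",
     r"C:\Windows\System32\wbem\WMIC.exe /node:WS-23 process call create placeholder.exe"),
    (4688, "WS-08", "jsmith", r"C:\Windows\System32\notepad.exe"),
]


def credential_spray_sources(events, threshold=4):
    """Return source hosts whose failed network logons (LogonType 3) span at
    least `threshold` distinct accounts, sorted by host name."""
    accounts = defaultdict(set)
    for event_id, source, account, detail in events:
        if event_id == 4625 and "LogonType=3" in detail:
            accounts[source].add(account)
    return sorted(host for host, names in accounts.items() if len(names) >= threshold)


def remote_wmic_executions(events):
    """Return (host, account, command) for process-creation events that run
    WMIC with a /node: argument, which targets a remote machine."""
    hits = []
    for event_id, source, account, detail in events:
        command = detail.lower()
        if event_id == 4688 and "wmic" in command and "/node:" in command:
            hits.append((source, account, detail))
    return hits


if __name__ == "__main__":
    print("Credential-guessing sources:", credential_spray_sources(SAMPLE_EVENTS))
    for host, account, command in remote_wmic_executions(SAMPLE_EVENTS):
        print(f"Remote WMIC launched from {host} as {account}: {command}")
```

On real telemetry the same two signals would come from Security log 4625 events with LogonType 3 and from 4688 (or Sysmon process-creation) events with command-line auditing enabled; the threshold should be tuned to the environment's normal failed-logon rate.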
Is Same Hacking Group Behind Bad Rabbit and NotPetya?
Since both Bad Rabbit and NotPetya use the commercial DiskCryptor code to encrypt the victim’s hard drive, together with “wiper” code that could erase hard drives attached to the infected system, the researchers believe it is “highly likely” that the attackers behind both ransomware outbreaks are the same.
“It is highly likely that the same group of hackers was behind BadRabbit ransomware attack on October the 25th, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017,” Russian security firm Group IB noted.
“Research revealed that the BadRabbit code was compiled from NotPetya sources. BadRabbit has same functions for computing hashes, network distribution logic and logs removal process, etc.”
NotPetya has previously been linked to the Russian hacking group known as BlackEnergy and Sandworm Team, but since Bad Rabbit primarily targets Russia as well, not everyone is convinced by the above assumptions.
How to Protect Yourself from Ransomware Attacks?
In order to protect yourself from Bad Rabbit, users are advised to disable the WMI service to prevent the malware from spreading over the network.
Also, make sure to update your systems regularly and keep a good and effective anti-virus security suite on your system.
Since most ransomware spreads through phishing emails, malicious adverts on websites, and third-party apps and programs, you should always exercise caution with email attachments, online advertisements and software from untrusted sources.
Most importantly, to keep control of your valuable data, maintain a good backup routine that saves copies of your files to an external storage device that isn’t always connected to your PC.
Written by: Mohit Kumar
BASSETT - The records of more than 500 patients at Bassett Family Practice were stolen in August, company officials say. On Friday, officials from the facility sent out letters to all of their patients, informing them what was included in the theft and what steps the medical practice is taking to prevent it from happening again.
The patient information included each person’s full name, date of birth, account number at the medical practice, identity of their insurance provider and potentially some details about the reasons behind recent visits to Bassett Family Practice, such as the type of sickness a patient was suffering from. All of that information was stored on a laptop, which was sitting in an employee’s car. Officials at the practice say they aren’t certain of the specific date, but say the laptop was stolen from the employee’s vehicle between the evening of Aug. 12 and the morning of Aug. 14. While a police report was filed immediately, officials with the facility waited until Oct. 13 to inform patients of the incident.
“The time was spent working with law enforcement, consulting our legal counsel, recovering the backup and researching the files,” said Bassett Family Practice Finance Director Alvin Franks, when asked why the facility had delayed in releasing the information. “The files to be researched were voluminous and we wanted to ensure we were not double counting anyone.”
In this case, Franks said Bassett employees had to first search for and find the backup to the stolen laptop, in order to see what information had been transferred on to it. In the letter sent out to patients, the facility states that “while there were details about office visits, such as [the] identity of the affected individual’s provider name and reason for visit, much of the information for the affected individuals was account balance information for the procurement of medical services contained in spreadsheets, which, by law, is still considered HIPAA protected information.”
Bassett Family Practice officials made it clear repeatedly, both in the letter and speaking with Bulletin staff, that there were no social security cards, debit or credit card information stored on the stolen laptop.
The information had to be released before Oct. 15, as theft of patient records is a breach under HIPAA, the Health Insurance Portability and Accountability Act. Signed into law in 1996, HIPAA gives specific instructions for safeguarding a patient’s medical records and other information. The Bulletin reached out to officials with the U.S. Department of Health and Human Services and they directed us to the department’s website, which gives a complete breakdown of the law. According to the department’s website, notification of any type of breach has to be “provided without unreasonable delay and in no case later than 60 days following the discovery of a breach.”
Since the breach took place at some point between Aug. 12-14, letters had to be sent out no later than Oct. 14, in order to fall within the 60 day window. A copy of one of the letters sent out by Bassett Family Practice, which the facility provided to the Bulletin, gives a date of Oct. 13 for when this was sent out. HHS officials said because there is some question about when the theft occurred, that letter met the time requirements. They also said Bassett employees didn’t break any laws by not immediately informing patients.
As for taking the laptop out of the facility, there is no portion of the HIPAA Security Rule that makes that decision illegal. The current HIPAA edition, which has been revised over the last two years, states that a facility “must have in place policies and procedures regarding the transfer, removal, disposal and re-use of electronic media, to ensure appropriate protection of electronic protected information.”
When asked on Monday, HHS officials also could not point to anything stating that removal of a laptop containing patient information from a facility violated policies.
The information was on a laptop in the first place because the facility was making a transition to a new IT system. As part of that switch, which is now complete, all patient information is stored only on a company server and not on any laptops used by employees. Franks also said the medical practice was moving files already on laptops to the server, as well as encrypting all laptops with Symantec Encryption Software.
As of Oct. 16, there was nothing to report from law enforcement in terms of a suspect or any leads on who may have stolen the machine. Based on the fact the laptop was unlabeled and had been stolen from inside the vehicle, Bassett officials said they didn’t think it was stolen with the intent to access protected health information.
To the knowledge of both local law enforcement and Bassett Family Practice employees, no one has accessed the patient information. They know this because if the patient information is accessed, the facility’s server will receive a notification. If that happens, Franks said employees can protect the information by remotely wiping the laptop clean.
“There is also a fail-safe, where the organization could delete the information on the laptop, should it ever be accessed through the operating system,” Franks said. “The laptop has not yet been recovered nor accessed at this time.”
Any patients of Bassett Family Practice with questions about the theft can call the facility at 1-888-746-7175.
Article by: Martinsville Bulletin – Brian Carlton
Another day, another data breach. This time one of the world’s “big four” accountancy firms has fallen victim to a sophisticated cyber attack.
Global tax and auditing firm Deloitte has confirmed the company had suffered a cyber attack that resulted in the theft of confidential information, including the private emails and documents of some of its clients.
Deloitte is one of the largest private accounting firms in the U.S., offering tax, auditing, operations consulting, cybersecurity advisory, and merger and acquisition assistance services to large banks, government agencies and Fortune 500 multinationals, among others.
The global accountancy firm said Monday that its system had been accessed via an email platform from October last year through this past March and that “very few” of its clients had been affected, the Guardian reports.
The firm discovered the cyber attack in March, but it believes the unknown attackers may have had access to its email system since October or November 2016.
Hackers managed to gain access to Deloitte’s email server through an administrator account that wasn’t secured using two-factor authentication (2FA), granting the attackers unrestricted access to Deloitte’s Microsoft-hosted email mailboxes.
Besides emails, hackers also may have had potential access to “usernames, passwords, IP addresses, architectural diagrams for businesses and health information.”
“In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte,” a Deloitte spokesperson told the newspaper.
“As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.”
Deloitte’s internal investigation into the cyber incident is still ongoing, and the firm has reportedly informed only six of its clients that their information was “impacted” by the breach.
Deloitte is the latest victim of a high-profile cyber attack. Just last month, Equifax publicly disclosed a breach of its systems that exposed the personal data of as many as 143 million US customers.
Moreover, last week the U.S. Securities and Exchange Commission (SEC) also disclosed that hackers had broken into its financial document filing system and illegally profited from the stolen information.