Coveware has released its Quarterly Ransomware report for Q3, 2020 highlighting the latest ransomware attack trends. The report confirms that data exfiltration prior to the use of ransomware continues to be a popular tactic, with around half of all ransomware attacks involving data theft. Attacks involving the theft of data doubled in Q3, 2020.

In cases where data are stolen prior to file encryption, victims are told that if they do not pay the ransom demand their data will be leaked online or sold to pressure victims into paying, but ransomware victims should carefully consider whether or not to pay. There are no guarantees that paying the ransom will prevent publication of stolen data.

Ransomware Gangs Renege on Promises to Delete Data

The Maze ransomware gang started the double-extortion trend in 2019 and many ransomware operators soon followed suit. In some cases, two ransomware demands are issued; one to return or delete stolen data and the other for the keys to unlock the encrypted files, The operators of the AKO and Ranzy ransomware variants have adopted this dual ransom demand tactic.

The Coveware report reveals that, in some cases, the attackers do not make good on their promise even when the victim pays the ransom in full. There have been several cases where stolen data were leaked or stolen after the ransom was paid, and one gang is known to re-extort victims.

The report lists four ransomware operations known not to delete data after the ransom has been paid. The operators of Sodinokibi ransomware have re-extorted some victims, the Netwalker and Mespinoza operators have subsequently leaked stolen data after the ransom was paid in full, while the operators of Conti ransomware have provided victims with proof that files have been deleted, but the proof was for the deletion of fake files. Maze, Sekhmet, and Egregor have similarly leaked data on occasion, although it is unclear whether the leaks after payment were intentional.

Coveware explains that some ransomware operations see data held by multiple parties, which means that even if the threat actor deletes data, there is no guarantee that all copies will be deleted. There have been cases where stolen data are posted in error on leak sites before the victim is even given the chance to make payment.

Coveware warns its customers that payment of the ransom does not guarantee stolen data will not be shared with other threat groups or be used in further extortion attempts. Coveware tells its customers to assume theft of data is a data breach and ensure all individuals impacted by the breach are notified to give them the opportunity to monitor their accounts and take steps to protect their identities, regardless of whether the ransom demand is paid.

Ransom Demands Continue to Increase

The report shows the average ransom demand has been steadily increasing over the past 8 quarters, although the quarterly increases have been more substantial each quarter since Q3, 2019. Ransom demands increased once again in Q3, 2020 with the average demand up 31% from Q2, 2020 at $233,817, with the median payment rising by $1,935 to $110,532. The increase in the average payment indicates ransomware gangs are conducting more attacks on large organizations, where the potential returns are much higher for a similar level of effort.

Biggest Ransomware Threats in Q3, 2020

The biggest ransomware threats in Q3, 2020 were Sodinokibi, Maze, Netwalker, Phobos, and DoppelPaymer, with the top two ransomware variants accounting for 16.2% and 13.6% of attacks respectively. Attacks with Maze ransomware peaked in Q3; however, the operators have now shut down their operation, with affiliates involved in the distribution of the ransomware mostly switching to the Sekhmet and Egregor ransomware-as-a-service operations. Attacks involving those ransomware variants increased in Q3 and are expected to continue to increase in Q4.

RDP and Phishing are the Main Attack Vectors

The most common attack vectors used to distribute ransomware have changed little over the past few quarters. Attacks on RDP are still the most common, accounting for more than 50% of infections. This is the attack vector favored by the most prolific ransomware groups such as Sodinokibi and Maze (Sekhmet/Egregor). Almost 30% of attacks see the ransomware distributed via phishing emails, with the number of phishing-related attacks having steadily increased since Q4, 2019. Software vulnerabilities and other forms of compromise are used in less than 10% of attacks.

There are worrying signs that the supply of stolen RDP credentials is now outstripping demand, which is seeing the price for those credentials falling. As the cost goes down it opens up this attack vector to other less technically sophisticated groups, who may choose this method to attack organizations. Coveware warns that this method of attack is the most cost-effective way to compromise organizations, and the importance of properly securing RDP connections cannot be overstated.

The post Half of Ransomware Attacks Now Involve the Theft of Data Prior to Encryption appeared first on HIPAA Journal.

A new report published by CoreView has revealed the majority of Microsoft 365 admins have not enabled multi-factor authentication to protect their accounts from unauthorized remote access and are failing to implement other basic security practices. According to the study, 78% of Microsoft 365 administrators have not activated multi-factor authentication and 97% of Microsoft 365 users are not using MFA.

“This is a huge security risk – particularly during a time where the majority of employees are remote – that IT departments must acknowledge and address in order to effectively deter cyberattacks and strengthen their organization’s security posture,” explained the researchers.

The SANS Institute says 99% of data breaches can be prevented by using MFA, while Microsoft explained in an August 2020 blog post that MFA is the single most important measure to implement to prevent unauthorized account access, explaining that 99.9% of account breaches can be prevented by using MFA.

The CoreView study also revealed 1% of Microsoft 365 admins do not use strong passwords, even though hackers are adept at cracking passwords with automated brute force attacks. Even when strong passwords are used, there is no guarantee that a breach will be prevented. A strong password offers no protection if a user falls for a phishing scam. If passwords are stolen, MFA offers protection and should prevent those passwords from being used to gain access to accounts.

The CoreView M365 Application Security, Data Governance and Shadow IT Report revealed Microsoft 365 administrators are given excessive control and have access to a treasure trove of sensitive information. 57% of Microsoft 365 admins were fund to have excessive permissions to access, modify, and share business-critical data. Further 36% of Microsoft 365 administrators are global admins, giving them full control over their organization’s entire Microsoft 365 environment and 17% of Microsoft 365 admins are also Exchange admins and have access to the email accounts of the entire organization, including C-Suite accounts. Should Microsoft 365 admin accounts be compromised, hackers would have access to the entire Microsoft 365 environment and huge volumes of sensitive data. Not only does the Microsoft 365 environment contain a huge amount of easily monetized data, accounts are also linked to other systems and could be used for a much broader attack on the organization.

The study also revealed companies have invested heavily in productivity and operations applications that empower employees to communicate, collaborate, and work more efficiently, but there has been a rise in shadow IT, especially SaaS applications. SaaS applications are often used by employees without the knowledge of the IT department. Many of those SaaS applications lack appropriate security and open the door to preventable cyberattacks.

“At a basic level, malicious apps can siphon off critical data. Users could also potentially be sharing sensitive company information through these apps to compromised parties, putting organizations at a substantial risk of a data breach,” explained CoreView in the report. “It’s vital that organizations properly monitor these apps for potential security gaps.”

Organizations that move to Microsoft 365 often underestimate their security and governance responsibilities, mistakenly believing that Microsoft 365 is secure by default and includes the necessary protections to prevent data breaches. While Microsoft 365 can be secure, organizations must be proactive and ensure that security is addressed, there is sufficient oversight of shadow IT, and proper data governance.

The post Majority of Microsoft 365 Admins Have Not Enabled Multi-Factor Authentication appeared first on HIPAA Journal.

Prior to the 2019 Novel Coronavirus pandemic, many companies allowed some of their employees to spend some of the week working from home; however, COVID-19 dramatically changed the way people work, with national lockdowns forcing employers to rapidly change working practices and allow virtually all of their employees to work remotely.

When lockdowns were lifted, many employees continued to work from home. The new remote working environment is considered by many to be now be the new normal. Remote working has created many challenges, especially for cybersecurity as it is harder for organizations to prevent, detect, and contain cyberattacks when much of the workforce is working remotely.

A recent survey conducted on 2,215 IT and IT security professionals by the Ponemon Institute on behalf of Keeper Security explores the cybersecurity challenges of teleworking and assesses how companies have adapted cybersecurity practices to address the risks of teleworking.

One of the key findings from the survey is remote working has significantly reduced the effectiveness of organizations’ security posture.  When respondents were asked about the effectiveness of their security defenses before and during the pandemic, 71% rated their security defenses as either very or highly effective before the pandemic, with only 44% rating their defenses so highly during the pandemic.

The survey uncovered several reasons for the perceived decline in the effectiveness of those defenses.  When employees work on-site, physical security measures are in place to prevent the theft of equipment and data. 47% of respondents said the lack of physical security at employees’ homes was a significant concern.

71% of IT professionals felt that remote workers were putting their organization at risk of a data breach, while 57% said remote workers are a prime target for cybercriminals looking to exploit vulnerabilities.

Remote workers need to access business-critical applications, with 59% of respondents reporting that remote access to those applications increased during the pandemic. On average, organizations have 51 business-critical applications and 56% of those applications are being accessed remotely.

56% of respondents said the time to respond to a cyberattack has increased during the pandemic and 42% of respondents said they have no understanding about how to protect against cyberattacks with so many remote workers.

There has been a major increase in the use of personal devices due to the pandemic, and BYOD schemes have reduced organizations’ security posture. 67% of respondents said remote workers were using personal devices for work purposes during the pandemic, including mobile phones, which are the most vulnerable devices.

Intrusion detection systems that were effective with office-based working are far less effective with teleworking. 51% of respondents reported an exploit or malware infection that evaded their intrusion detection systems during the pandemic and 61% said they had experienced a cyberattack during the pandemic, with phishing and social engineering attacks the most common attack method.

Despite the risk of cyberattacks, 31% of organizations said they have not implemented multi-factor authentication for remote workers, only 43% provide security awareness training covering the risks of remote working, and only 47% are monitoring their networks 24/7. Less than half of respondents protect company-owned devices with up-to-date anti-virus, device encryption and firewalls. If these security issues are not addressed, organizations will face a far higher risk of experiencing a cyberattack and costly data breach. You can view the full findings of the survey and recommendations on this link.

The post Survey Explores Cybersecurity Impact of COVID-19 Enforced Switch to a Remote Working Environment appeared first on HIPAA Journal.

Several vulnerabilities have recently been identified in B. Braun products used by healthcare organizations in the United States.

B.Braun OnlineSuite

Three vulnerabilities have been identified in B. Braun OnlineSuite, a clinical IT solution for creating and sending drug libraries and managing infusion devices and other medical equipment. If exploited, an attacker could escalate privileges, upload and download arbitrary files, and remotely execute code.

The most serious flaws are a relative path traversal vulnerability – CVE-2020-25172 – which allows uploads and downloads of files by unauthenticated individuals, and a remote code execution vulnerability – CVE-2020-25174 – which allows a local attacker to execute code as a high privileged user. The flaws have been assigned CVSS v3 base scores of 8.6 and 8.4 out of 10.

An Excel macro vulnerability – CVE-2020-25170 – has also been identified in the export feature, caused by the mishandling of multiple input fields, which has been assigned a CVSS v3 base score of 6.9.

The flaws are present in OnlineSuite AP 3.0 and earlier. B.Braun has addressed the flaws in the update, OnlineSuite Field Service Information AIS06/20, which users are advised to apply as soon as possible.

SpaceCom and Battery Pack SP with Wi-Fi

11 vulnerabilities have been identified in SpaceCom, which is used to connect external devices for data documentation in a Patient Data Management System, PC or USB memory stick, and Battery Pack with WiFi.

The flaws affect SpaceCom, software Versions U61 and earlier and Battery pack with Wi-Fi, software Versions U61 and earlier.

If exploited, an attacker could compromise the security of SpaceCom devices and escalate privileges, view sensitive information, upload arbitrary files, and remotely execute arbitrary code.

• CVE-2020-25158 (CVSS 7.6) – Reflected cross-site scripting (XSS) vulnerability allowing injection of arbitrary web script or HTML into various locations.
• CVE-2020-25150 (CVSS 7.6) -Relative path traversal attack vulnerability allowing an attacker with service user privileges to upload arbitrary files and execute arbitrary commands.
• CVE-2020-25162 (CVSS 7.5) – Path injection vulnerability allowing unauthenticated individuals to access sensitive information and escalate privileges.
• CVE-2020-25156 (CVSS 7.2) – Active debug code that enables attackers in possession of cryptographic material to access the device as root.
• CVE-2020-25160 (CVSS 6.8) -Improper access controls that allow extraction and tampering with the device’s network configuration.
• CVE-2020-25166 (CVSS 6.8) -Improper verification of the cryptographic signature of firmware updates, which allows an attacker to generate valid firmware updates with arbitrary content that can be used to tamper with devices.
• CVE-2020-16238 (CVSS 6.7) – Improper privilege management that gives attackers command line access to the underlying Linux system, and privileges to be escalated to root user.
• CVE-2020-25152 (CVSS 6.5) -Session fixation vulnerability allowing hijacking of web sessions and escalation of privileges.
• CVE-2020-25154 (CVSS 5.4) – Open redirect vulnerability allowing redirection to malicious websites.
• CVE-2020-25164 (CVSS 5.1) – Use of a one-way hash which allows the recovery of user credentials of the administrative interface.
• CVE-2020-25168 (CVSS 3.3) – Use of hard-coded credentials that would allow command line access to access the device’s Wi-Fi module

Braun has released updates to correct the flaws. Users should update to SpaceCom: Version U62 or later and Battery Pack SP with Wi-Fi: Version U62 or later.

Braun also recommends devices should not be accessible directly from the internet and to use a firewall and isolate medical devices from the business network.

The vulnerabilities were identified by Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH.

The post Vulnerabilities Identified in B. Braun OnlineSuite and SpaceCom appeared first on HIPAA Journal.