The Federal Bureau of Investigation has issued a warning following a rise in Business Email Compromise (BEC) attacks that are taking advantage of uncertainty surrounding the COVID-19 pandemic.

BEC is the term given to an attempt to fool individuals responsible for performing legitimate transfers of funds into sending money to a bank account controlled by the attacker. This is achieved by impersonating an individual within a company that the victim usually conducts business with. A typical attack scenario will see an email sent to an individual in the finance department requesting a change to bank account information for an upcoming payment.

Several attacks have recently been reported to the FBI’s Internet Crime Complaint Center (IC3) that have a COVID-19 theme and municipalities are being targeted that are purchasing personal protective equipment (PPE) and other essential supplies to use in the fight against COVID-19.

In the alert, the FBI offered two recent examples of COVID-19 BEC scams. The first involved a scammer impersonating the CEO of a company and requesting that a scheduled $1 million payment be brought forward due to the Coronavirus outbreak and quarantine processes and precautions. In the emails to employees at an unnamed financial institution, the scammer provided different bank account details for the payment. The email address used by the scammer was identical to the email address of the CEO apart from a single letter.

The second example saw a scammer pose as a client in China who requested all invoices be paid to a different bank account as the current bank was undergoing Coronavirus audits. Several wire transfers were sent to the new account before the scam was detected, resulting in significant financial losses.

The COVID-19 pandemic has given BEC scammers a plausible reason for requesting urgent payments, bank account changes, and alterations to standard payment practices. Individuals responsible for payroll and bank transfers should be on high alert and should treat any COVID-19 related updates to bank account information or changes to standard payment processes as suspicious.

There are several red flags that individuals should look out for to avoid becoming a victim of a BEC scam. These include unexplained urgency in email requests, last minute changes to bank account information or wire transfer instructions, changes to established payment practices and communications channels, requests to only communicate via email or chat platforms, and requests for advance payments. Scammers also impersonate employees and request changes to direct deposit information.

In all cases, any request for a payment change should be verified by phone using contact information on file. Never use contact information provided in the email. Email addresses should be checked to make sure they are the same as previously used email accounts and domains and URLs should be carefully checked for any misspellings of domain names, transposed letters, and foreign characters.

If you believe you may have been a victim of a BEC scam you should contact your financial institution immediately to recall any transferred funds and your employer should report the incident to the FBI’s Internet Crime Complaint Center at https://bec.ic3.gov/

The post FBI Warns of Increase in COVID-19 Related Business Email Compromise Scams appeared first on HIPAA Journal.

Teleconferencing platforms such as Zoom have proven popular with businesses and consumers for maintaining contact while working from home during the COVID-19 crisis, but a slew of Zoom security problems have been identified in the past few days that have raised concerns about the suitability of the platform for medical use.

Zoom Security Problems Uncovered by Researchers

Several Zoom security problems and privacy issues have been discovered in the past few days. The macOS installer was discovered to use malware-like methods to install the Zoom client without final confirmation being provided by users. This method could potentially be hijacked and could serve as a backdoor for malware delivery.

Two zero-day vulnerabilities were identified in the macOS client version of Zoom’s teleconferencing platform, which would allow a local user to escalate privileges and gain root privileges, even without an administrator password, and gain access to the webcam and microphone and intercept and record Zoom meetings.

A feature of the platform that is intended to make it easier for business users to find other individuals within the company was discovered to be leaking users’ email addresses, profile photos, and statuses. The Company Directory feature adds other people to a user’s contact list if their email address in on the same domain. Several consumers reported that strangers had been added to their contact lists when they signed up with a personal email address.

There have also been many reported cases of Zoom-bombing, which is where uninvited individuals join meetings using brute force tactics to guess meeting IDs. The FBI recently published a warning following a rise in hijacking attacks. There have been cases of people hacking Zoom meetings, abusing participants, and using the screen sharing feature to display pornography.

There have also been revelations that Zoom has been sharing background data on users with Facebook via the Facebook SDK, even when users do not have Facebook accounts.

Zoom Platform Does Not Offer End-to-End Encryption

A report published in The Intercept revealed the end-to-end encryption that Zoom claims to implement does not extend to video meetings. When The Intercept contacted Zoom for comment, a spokesperson for the company explained that “Currently, it is not possible to enable E2E encryption for Zoom video meetings.” Instead, “Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

The method of encrypting data is similar to that used to secure communications between a web browser and an HTTPS website. This “transport encryption” protects data in transit from one client to the other and means that communications between meeting participants is encrypted, but Zoom has access to unencrypted audio and video content.

Zoom explained to The Intercept that while unencrypted users’ data can be accessed, “Zoom has layered safeguards in place to protect our users’ privacy, which includes preventing anyone, including Zoom employees, from directly accessing any data that users share during meetings, including—but not limited to—the video, audio and chat content of those meetings. Importantly, Zoom does not mine user data or sell user data of any kind to anyone.”

Answers Sought About Recently Disclosed Zoom Security Problems

Sen. Richard Blumenthal (D-Conn) has written to Zoom CEO and founder Eric S. Yuan seeking answers about the company’s response to the massive increase in users, the growing list of Zoom security problems, and Zoom’s handling of personal user data.

In December 2019, there were around 10 million Zoom meeting participants every day. In March 2020, the number had expanded to an astonishing 200 million a day. The company has been working to continue to provide support for users to ensure there is an uninterrupted service, but the massive increase in consumers using a platform that was designed for business users has been a challenge.

“Zoom is increasingly being used by schools and healthcare providers that have shut down or limited their operations to stop the spread of Coronavirus, raising questions about how its services comply with federal and state privacy laws protecting students, patients, and consumers,” wrote Sen. Blumenthal in the letter.

Sen. Blumenthal also expressed concern about Zoom’s “troubling history of software design practices and security lapses,” referencing the slow response to the vulnerability in the Mac client, which was not fully addressed and took months before it was finally resolved, and then only due to the intervention of Apple.

Sen. Blumenthal seeks answers about the steps being taken to detect and stop Zoom-bombing, the level of encryption used to protect users’ privacy, and the data that is collected, used, and shared with third parties such as Facebook.

New York Attorney General Letitia James is also concerned about the recent Zoom security problems and the company’s response to the massive increase in users. In the letter, Attorney General James expressed concern that the existing security practices at Zoom may no longer be sufficient given the sudden surge in the number of users and the sensitivity of data that is now passing through the platform. She also wants to know whether a broader review of Zoom security practices has been undertaken considering the massive increase in popularity.

CEO Responds to Criticism of Zoom Security Problems

In an April 1, 2020 blog post, Zoom CEO Eric S. Yuan explained that the company is experiencing some growing pains as a result of the massive rise in popularity of the platform this year. In response to criticism of Zoom security problems, Yuan said, “we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.”

The massive rise in popularity of the platform was not anticipated, neither having a quarter of the world’s population in lockdown and working and socializing from home. “We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,” said Yuan.

It should be noted that all software solutions have vulnerabilities and some of the recently disclosed Zoom vulnerabilities have been made public without giving Zoom much time to respond and fix the issues. Zoom has responded quickly and addressed some of the issues that have come to light in recent days, although several privacy and security issues remain.

Zoom has publicly committed to fix privacy and security issues and proactively assess the platform for other vulnerabilities. Over the next 90 days, Zoom will cease all regular development work and will shift all engineering resources to focus on the biggest trust, safety, and privacy issues. The bug bounty program is being enhanced and penetration tests are being conducted to assess the security of the platform.

Use of Zoom for Healthcare Communications

Enterprise-class communication solutions require enterprise-grade privacy and security protections. This is especially important in healthcare to ensure HIPAA compliance. Zoom offers an enterprise package for healthcare organizations – Zoom for Healthcare – which has been developed to incorporate the necessary safeguards to comply with the HIPAA Privacy and Security Rules; however, the latest security vulnerabilities and privacy issues cast doubt on the level of protection provided.

During the COVID-19 public health emergency, the HHS’ Office for Civil Rights has stated it will be exercising enforcement discretion and will not impose sanctions or penalties for the good faith provision of telehealth services and that applications that may not satisfy all requirements of HIPAA Rules can be used. While there is nothing to suggest OCR would make an exception for Zoom – it is not a public-facing platform – healthcare providers should exercise caution.

There are other teleconferencing solutions available for use by healthcare organizations for the provision of telehealth services, many of which do offer true end-to-end encryption and do not have the security issues that have been uncovered in Zoom. Many of those solutions are also available free of charge, and even the HIPAA-compliant secure messaging platform provider, TigerConnect, has made its platform available to healthcare organizations free of charge following the declaration of the COVID-19 public health emergency.

Since more secure videoconferencing and communications platforms are available, it is strongly advisable to use an alternative solution for telehealth and other healthcare communication during the COVID-19 crisis, and certainly until Zoom addresses its privacy and security issues and completes its platform review.

The post Zoom Security Problems Raise Concern About Suitability for Medical Use appeared first on HIPAA Journal.

The COVID-19 pandemic is forcing many employees to work from home and the infrastructure used to support those workers is being targeted by human-operated ransomware gangs. While several ransomware operators have stated they will not attack healthcare organizations during the COVID-19 public health emergency, not all cybercrime gangs are taking it easy on the healthcare sector and attacks are continuing.

Several cybercrime groups are using the COVID-19 pandemic to their advantage. Tactics, techniques and procedures (TTPs) have been changed in response to the pandemic and they are now using social engineering tactics that prey on fears about COVID-19 and the need for information to gain access to credentials to gain a foothold in healthcare networks.

Ransomware attacks on hospitals can cause massive disruption at the best of times. Ransomware attacks that occur while hospitals are trying to respond to the pandemic will severely hamper their efforts to treat COVID-19 patients. Microsoft has committed to help protect critical services during the COVID-19 crisis and has recently offered advice to healthcare organizations to help them defense against human-operated ransomware attacks.

Microsoft has been tracking the activity of ransomware gangs and information obtained from its extensive network of threat intelligence sources shows some human-operated ransomware gangs are exploiting vulnerabilities in the gateway devices and virtual private network (VPN) appliances that allow remote workers to login to their networks.

One of the most prolific human-operated ransomware gangs, REvil (Sodinokibi), has been exploiting vulnerabilities in gateways and VPN appliances for some time. Vulnerabilities are exploited to steal credentials, privileges are then escalated, and the attackers move laterally to compromise as many devices as possible before deploying ransomware and other malware payloads.

Microsoft says these attackers are highly skilled, have extensive knowledge of systems administration, and are aware of the common network security misconfigurations that can be exploited. The threat actors adapt their techniques based on the security weaknesses and vulnerable services they discover during reconnaissance of healthcare networks and often spend several weeks or months in networks before ransomware is deployed.

Microsoft reports that the REvil gang has been scanning for the internet to identify vulnerable systems and is taking advantage of the increase in use of VPNs and gateways to support remote workers during the COVID-19 pandemic. The vulnerabilities that are being exploited are often fairly low on the list of priorities to fix and therefore remain unaddressed for relatively long periods.

During the course of its investigations and through its threat intelligence sources, Microsoft identified several hospitals that have vulnerable gateways and VPN appliances within their infrastructure. The vulnerabilities identified are exactly the same as those exploited by the REvil gang. Microsoft has notified those hospitals directly to advise them about the flaws and has strongly recommended they perform immediate updates to prevent exploitation of the vulnerabilities.

Microsoft explained that managing VPNs and virtual private server (VPS) infrastructure requires knowledge of the current status of related security patches. The company has recommended all organizations that have VPN and VPS infrastructure should conduct a thorough review and identify any updates that are available and apply those updates as soon as possible.

For several months, nation-state and cybercrime actors have been targeting unpatched VPN systems and are tailoring exploits to take advantage of remote workers, often leveraging the updater services used by VPN clients to deploy malware payloads.

Organizations unsure about how best to secure their VPNs and VPS infrastructure can obtain further information from the National Institute of Standards and Technology (NIST) and the DHS Cybersecurity and Infrastructure Security Agency (CISA), both of which have recently published guidance on how to secure VPN/VPS infrastructure.

The post Microsoft Helps Healthcare Organizations Protect Against Human-Operated Ransomware Attacks appeared first on HIPAA Journal.