The five trends driving ransomware tactics

Ransomware attacks continued to increase in 2020, and 2021 looks set to follow the trend. Unfortunately, the past 12 months has seen substantial evolution in ransomware tactics, as attackers look to improve their results.

In this post we look at 5 key ways this critical cyber threat is evolving.

End of year wrap: What the Four Seasons Total Landscaping debacle taught us about privacy and security

It’s been a dumpster fire of a yearand so, for our end-of-year wrap, we looked to the most ridiculously hilarious moment of the year.

Here are five lessons we took from the infamous Four Seasons Total Landscaping debacle: 

News round-up Dec 2020 – Escalation in ransomware tactics, world-first privacy settlement and more

December 1, 2020

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up

For what appears to be the first time, a privacy settlement has dictated the need for an organisation to consider gender-based privacy risks. We look at the implications of the settlement in this roundup. Believe or not, there’s been yet another escalation in ransomware extortion tactics, while we look at why the Government’s critical infrastructure security bill is causing tech companies to get hot under the collar.  

News round-up Nov 2020 – Privacy Act review, ICO fines British Airways £20m over data breach and more

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up

Privacy is well and truly in the frame this month – not least because of the Government’s review of the Privacy Act. It’s a big deal and we’ll have a bit to say about it – starting with our summary below. As the number of COVID-19 cases ease, attention is now also shifting towards the privacy provisions of COVID-19 check-in services. And turning to cyber, if you felt ransomware wasn’t nasty enough, attackers have dug deep and found more evil to draw on.   

News round-up Oct 2020 — Update on ServiceNSW databreach, Twitter upping its security game, and more

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up

It’s in the nature of this game that there’ll always breaches and bungles, so increasingly it matters how you respond. And in our eyes, some recent response actions are worth commending. The NSW Government opened up on how it might have prevented the Service NSW breach, while Twitter laid out how it is upping its internal security game after a hack in July. We also explore if NAB’s step into the world of bug bounties sets a new bar for security maturity.

Key articles:

Australians want more control over privacy, survey shows

Summary: Privacy is a major concern for 70% of Australians while 87% want more control and choice over the collection and use of their personal information, a new study shows.

Key risk takeaway: As businesses roll out services that are increasingly data-driven, one of the more salient findings of the survey was that privacy is now the leading consideration when individuals choose an app or program to download, ahead of quality, convenience and price. Concerns around collection practices – particularly around the purpose for which data was collected – was another prominent finding. These views reinforce the importance of approaches such as privacy-by-design and practices such as Privacy Impact Assessments (PIA), which seek to “bake in” good privacy practices early into the development of new projects or initiatives. The Office of the Australian Information Commissioner this month also issued guidance for agencies on how to screen for potentially ‘high privacy risk’ projects to determine whether a PIA is required under the agencies’ privacy code.

Tags: #privacy #communityattitudes #privacyimpactassessments  

Service NSW hack could have been prevented with simple security measures

Summary: The personal data of 186,000 customers and staff were leaked after a cyber-attack on Service NSW in April that compromised the email accounts of 47 employees.

Key risk takeaway: We covered the news of this attack in our May roundup – our focus here is on Service NSW’s response. Transparency, responsiveness and empathy for affected customers are core principles of a trust-building response. Service NSW has attracted criticism for taking four months to notify affected customers, illuminating a key challenge in translating these principles into reality. In the wake of a breach many organisations lack the capabilities to quickly identify and assess the data types involved and, more pertinently, the extent of likely harm for affected customers – resulting in lengthy delays to notification. That appears to have been the case here, with Service NSW describing that much of the breached data was in unstructured form (eg. in emails, handwritten notes, forms and scans). Encouragingly, head of Cyber Security NSW Tony Chapman demonstrated commendable transparency in his responses around root causes, citing the preventative roles multi-factor authentication and reduced email-based data sharing could have played. Some may argue these concessions are like shutting the gate after the horse has bolted – another perspective is that these disclosures demonstrate an understanding of what is required to prevent recurrence of similar incidents in the future.

Tags: #databreachresponse

Woman dies during a ransomware attack on a German hospital

Summary: In what is being described as the first possible death directly linked to a cyber-attack, a woman has died after a German hospital couldn’t accept emergency patients due to a ransomware attack.

Key risk takeaway: In seeking to illuminate why cyber security matters, we often describe the potential impacts of cyber incidents. Large financial, reputational and operational impacts are serious enough, but for organisations in the health sector, impacts to the wellbeing of individuals (to the point of death) are sadly also very much on the cards. Do incidents like this – where human life is at stake – complicate advice to “never pay ransoms”? It’s hard to say, but seems fair to observe that there’s mixed views in some quarters, with some organisations reserving the right to make a risk-based judgement. In this scenario, even the attackers tweaked the ‘conventional’ rules of extortion – when told they had impacted a hospital treating emergency patients, they withdrew the ransom demand and provided a decryption key. Sadly, it was too late for the impacted woman. This incident follows ransomware attacks on a Thai hospital and on one of Chile’s biggest banks, resulting in the shutdown of all its branches, with disruptions lasting over a week.

Tags: #ransomware

NAB crowdsources cyber security with bug bounty program

Summary: NAB is the first of the Big Four banks to include a bug bounty program in its security strategy

Key risk takeaway: We’ve previously written that bug bounties are increasingly seen as a sign of a mature approach to security. The foray of a major Australian bank (traditionally more conservative) into the world of “crowdsourced security assurance” is arguably further evidence of the mainstreaming of these approaches, and a step we wager took some hearty advocacy by the security team to get sign-offs from legal-types and executives. Given the global cyber security skills shortage, bug bounties can offer organisations access to a broader and internationally-based pool of security talent to test and assure key systems. A key consideration is to see bug bounties not as a replacement but a complement to existing capabilities within a layered security strategy.

Tags: #bugbounty #layereddefence

Twitter prepares for US election with new security training, penetration tests

Summary: Ahead of the US election Twitter has been bolstering its internal security and privacy controls, including by requiring staff to complete additional training, deploying hardware security keys to employees, and engaging in penetration tests and privacy impact assessments.

Key risk takeaway: Here’s something of a blueprint for hardening systems in the wake of a phishing-based breach. After suffering such a breach in July, Twitter has stepped up a range of protections – most notably around employees – by increasing training requirements, enhancing checks on employees with key systems access and rolling out “phishing-resistant security keys”. A mix of baseline security/privacy training for all staff coupled with more targeted and dynamic learning content for specific role types (as Twitter appears to be pursuing) also reflects the strategies that we are increasingly seeing being pursued in the local market. Also of note is Twitter’s push to ensure appropriate privacy measures are implemented before projects launch: in the first six months of 2020 Twitter completed more than 300 privacy impact assessments compared with 100 PIAs in 2018.

Tags: #securityawareness

News round-up Sept 2020 — Thousands of licence details exposed online, HeathEngine to pay $2.9mil, and more

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

 

The round-up

It’s a veritable smorgasbord – our latest roundup includes incidents traversing cloud security, phishing, extortion, distributed denial of service attacks and insider threat. We also look at a particularly egregious breach of trust by a healthcare website.

Key articles:

Data breach exposes tens of thousands of NSW driver’s licences online

Summary: A cache containing about 54,000 NSW drivers licences was found online by a Ukrainian security consultant. The data was linked to an unnamed private business that apparently failed to configure privacy settings appropriately on cloud storage.

Key risk takeaway: As we reported in May, misconfigurations of cloud services is one of the rising reasons behind data breaches – and so it has come to pass that tens of thousands of NSW drivers have been outed. The story here is a little more complex though, as it’s the NSW Government that has come under scrutiny for a lack of disclosure and notification to impacted residents – even though it was an unaffiliated third-party commercial operator that made the security bungle. It illustrates the complexity of responding to a data breach in the era of third-party data sharing, and the complex expectations that define what is trustworthy behaviour. Scenario planning can go a long way to being prepared for these contingencies and having well-thought out responses.

Tags: #cloudsecurity #notification

 

HealthEngine to pay $2.9 million for misleading reviews and patient referrals

Summary: Health directory and online booking site HealthEngine has been ordered to pay $2.9m in penalties after admitting that it disclosed personal information of over 135,000 patients to third party private health insurance brokers without adequately disclosing this to customers.

Key risk takeaway: Privacy Officers now need to consider consumer law risks when reviewing or drafting any communications or notices about how customer information will be handled. Failure to clearly communicate how personal information will be used and disclosed may amount to misleading and deceptive conduct (whether or not it also breaches the Australian Privacy Principles). The Australian Competition and Consumer Commission (ACCC) has become increasingly active in the privacy space since the conclusion of its Digital Platforms Inquiry in June 2019. HealthEngine may be the first casualty of this new focus on consumer privacy harms, but it’s unlikely to be the last. The Commission currently has two separate cases pending against Google alleging misleading and deceptive conduct in relation to privacy, and ACCC Chairman Rod Sims says there are plenty more in the works.

Tags: #ACCC #ACL #Privacy #Penalties

 

New Zealand Stock Exchange suffers day four disruption following DDoS attacks

Summary: A distributed denial of service (DDoS) that hit the exchange halted trading and prevented the publishing of market updates.

Key risk takeaway: So-called “DDoS extortions” have been around for a few years, but the recent attacks are being seen as among the most dangerous and targeted. The attack on NZX was one of many reported DDoS attacks against global financial service providers, with the criminal gang responsible demanding Bitcoin payments as extortion fees to stop their attacks. Where DDoS in the past has targeted public websites, a particular characteristic of recent attacks is the targeting of back end infrastructure, which can be potentially more disruptive. DDOS mitigation services should be considered for any business, particularly those with a high profile (where a website outage would be particularly damaging) or those that operate critical online services (where even a short outage would have substantial impact).

Tags: #ddos #cybercrime

 

SANS shares details on attack that led to their data breach

Summary: SANS Institute suffered a data breach after an employee fell for a phishing attack, resulting in more than 500 emails containing approximately 28,000 records of personal information being forwarded to attackers.

Key risk takeaway: SANS is a leading provider cyber security training for organisations around the world, so perhaps the lesson from its breach is, rather humbly, “there but for the grace of god, go I.” The attack draws on a rising phishing attack method – OAUTH phishing – where targeted users receive what looks like a legitimate shared document. Upon clicking the email request, they are typically asked to provide their credentials (eg to O365) and grant various permissions to a third-party app. This grants access to the app’s developer/owner – which is an attacker. Read more about OAUTH app examples here, ironically on a SANS discussion forum. Options to defend against this form of attack include preventing employees from being able to install unverified OAUTH apps and, of course, testing staff ability to detect this form of phishing via phishing simulations.

Tags: #phishing #oauth

 

Former Uber Security Chief Charged With Concealing Hack

Summary: Uber’s former head of security has been charged with attempting to conceal a hack that exposed the email addresses and phone numbers of 57 million drivers and passengers.

Key risk takeaway: CISOs around the world may be sleeping a little less comfortably, with the action brought by US prosecutors underscoring how much personal accountability is carried by those running security functions. At the heart of the criminal complaint is that former Uber CSO Joe Sullivan failed to disclose a major breach to regulators in 2016, even as it was being investigated for an earlier breach. A particularly notable callout by the prosecution team was that the “cover-up” prevented law enforcement learning about the hackers and being in a position to disrupt their activities – which included going on to “hack other companies in a way similar to what they had done to Uber”. This suggests that authorities view a company’s responsibility to disclose breaches not only in terms of its duty to its own customers, but also in terms of its important to protecting the broader economy.

Tags: #CISO #crisisplanning #cybercrime

 

A Tesla Employee Thwarted an Alleged Ransomware Plot

Summary: A Tesla employee rejected a US$1m offer to install malware on Tesla’s network, reporting the bribe to Tesla instead.

Key risk takeaway: Insider threat is perhaps one of the less covered threats to organisations’ systems and data – perhaps this story might lift it in prominence given the hype and attention usually associated with Elon’s electric enterprise. The story affirms the willingness of cybercriminals to coax their way into a network in any way possible – whether through sophisticated technical or cyber means or more old-fashioned coaxing and cajoling. Insider threats of the malicious (versus accidental) kind are challenging to defend against. Technical measures include strong access controls and monitoring (especially for critical systems) and data loss prevention tools. Equally important are human measures such as background checks, and creating a culture in which employees feel comfortable reporting anomalous behaviour.

Tags: #insiderthreat