
InForce Cyber

Threat Report March 2020

Covid-19 affected us not only physically; it was also used as the lure in major phishing campaigns. March 2020 also brought a large number of ransomware attacks, with some new malware families under the spotlight. Here is a list of the major breaches and cyber security incidents for the month:

US Railroad Contractor Reports Data Breach After Ransomware Attack

RailWorks Corporation, one of North America’s leading railroad track and transit system providers, disclosed a ransomware attack that led to the exposure of personally identifiable information of current and former employees, their beneficiaries and dependents, as well as that of independent contractors.

Sodinokibi Ransomware gang threatens to disclose data from Kenneth Cole fashion firm

Sodinokibi (aka REvil) is sold in the underground market under a Ransomware-as-a-Service model. The gang behind Sodinokibi has been very active in the US in recent months: in December, CyrusOne, one of the major US data center providers, was hit by the same ransomware, and in January, Synoptek, a California-based IT service provider, decided to pay the ransom to decrypt its files after being infected with Sodinokibi.

Coronavirus pandemic has unleashed a wave of cyber attacks 

While most of the world is trying to deal with the COVID-19 pandemic, it seems hackers are not on lockdown. Cyber criminals are trying to leverage the emergency by sending out “phishing” attacks that lure internet users to click on malicious links or files. This can allow the hackers to steal sensitive data or even take control of a user’s device and use it to direct further attacks.

The last thing you want at a time like this is to become the victim of a cyber attack and maybe even lose your computer. But there are some straightforward guidelines that should help you protect yourself.

Many people are searching online for information about COVID-19. But the pandemic has created what the World Health Organization (WHO) calls an “infodemic”, in which people are bombarded with an overabundance of both accurate and inaccurate information circulating on the internet, making it hard to know what to trust.

New Lampion Trojan Found Attacking Portuguese Users

There’s a new Trojan in town: the Lampion Trojan. According to the security researchers who discovered it, this malware is distributed via phishing emails that target Portuguese users and appear to come from the Portuguese Government Finance & Tax authority.

Flaw in popular VPN service may have exposed customer data

NordVPN, one of the most popular virtual private network (VPN) services, has fixed a security flaw that is said to have exposed customers’ email addresses and other information.

The security hole was linked to three payment platforms used by NordVPN: Momo, Gocardless and Coinpayments. According to The Register, which was the first to report on the issue, the flaw was uncovered by a researcher going by the moniker ‘dakitu’ and was disclosed via the popular bug bounty platform HackerOne.

Data Breaches

Henning Harders (Australia)
On March 15th, 2020, the company noticed unusual activity on its systems. The company believes that some of its customers’ commercial data may have been accessed. Maze ransomware operators have since published 6.5GB worth of data belonging to the company. The published data includes financially sensitive information and employee salary information, as well as information that exposes the names of its corporate clients, client email contact lists, and more. The data is reportedly only meant to be proof of the Maze group’s breach. This could mean that more data may be published in the future.
Rogers Communications (Canada)
The company stated that on February 26th, 2020, they became aware that their external service providers had made information available online that provided access to a database managed by that provider. Credit card information, banking information and passwords were not present on the exposed database, however, it did contain addresses, account numbers, email addresses and telephone numbers.
Golden Valley Health Centers (US)
The private health information of Golden Valley Health Centers patients may have been exposed after an unauthorised third party gained access to an email account containing patient data. The data breach was first discovered on March 3rd, 2020, and may have compromised patients’ medical information, including billing and insurance information, patient referral information, and appointment records.
Ameren Missouri (US)
A ransomware attack that targeted LTI Power Systems led to the theft of schematics and equipment diagrams for Ameren’s Sioux Power Plant and Labadie Power Plant. LTI Power Systems provides utility equipment to Ameren Missouri. The data appeared on a ransomware server towards the end of February 2020. A spokesperson for Ameren Missouri asserted that it has ‘no reason to believe that the information obtained is confidential or critical to our operations’.

Security Threats By Trend

Recommendations

  • Update vulnerable services
  • Only allow traffic to necessary and well-secured ports
  • Update AV solutions
  • Phishing training for employees
  • Regular pentests to identify possible weak points

Sources:
Exploit-DB
McAfee
TrendMicro
Symantec
NIST
Google
FireEye