It is being reported by ZDNet that the Maze ransomware group has attacked two companies that, apparently, refused to pay the requested ransom, so Maze, as it promises, recently released approximately 76GB combined of the companies’ data on the Internet.

True to its threat, once Maze is able to infiltrate a company’s system, it exfiltrates data without the company’s knowledge, then encrypts the data and drops a ransomware note. If the company elects to migrate to its back-up system and refuses to pay the ransom, Maze notifies the company that it has already exfiltrated data and that if the company does not pay a ransom for a certificate of destruction, it will release the data online.

So far, based on our research, Maze has, in an oxymoronic kind of way, been men of their word, as we have not seen any reports that they have reneged on their promise to destroy the data. Criminals who will keep their word! It is a difficult concept to wrap one’s brain around.

Of course, it does make sense, because if they were to accept Bitcoin for a certificate of destruction and then share the data with other criminals or post it online, the word would get out quickly and no companies would ever pay for a certificate of destruction, as they would have no confidence that the criminals would keep their promise. This would destroy Maze’s entire business plan and their flow of income. Ransomware is here to stay and the attacks are becoming more and more sophisticated.

The criminals behind the Maze ransomware [view recent related posts here and here] have gone big and hit Cognizant, one of the largest technology consulting companies in the U.S., with its nasty ransomware.

Cognizant stated on its website that it “can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack.”

Maze is particularly nasty because it is known to exfiltrate the data before encrypting the data, but the status of the attack on Cognizant is unknown at the present time.

According to Cognizant’s filing with the Securities and Exchange Commission on April 20, 2020, the attack “may continue to cause an interruption in parts of our business and may result in a loss of revenue and incremental costs that may adversely impact our financial results.”

Despite the fact that the hackers behind Maze ransomware previously promised not to hit medical organizations during the coronavirus pandemic, they recently attacked a British medical lab that is slated to test COVID-19 vaccines during the pandemic. The Maze hackers previously said publicly that they would “stop all activity versus all kinds of medical organizations until the stabilization of the situation with the virus.” Apparently not so.

What do we expect from criminals—that they will actually keep their word? It just seems particularly despicable right now.

Despite the public pledge, the cyber criminals behind Maze [view related posts] hit Hammersmith Medicines Research (Hammersmith), a British laboratory facility that is ready to test coronavirus vaccines with medical trials, with its ransomware on March 14, 2020. According to a spokesman for Hammersmith, which performed tests in the past for the Ebola vaccine, the cyber attack was identified and stopped without paying the requested ransom.

The problem with Maze is that its business plan relies on the ability to exfiltrate the victim’s data, then increase pressure on the victim by threatening to publish the data on the dark web if the victim doesn’t pay the ransom. It has been reported that Maze has used the same pressure techniques with Hammersmith after it refused to pay the ransom. Maze is now threatening to publish patient data from Hammersmith of patients involved in medical trials 8-20 years ago. Maze has reportedly already published some of Hammersmith’s patient data on the dark web. Just what Hammersmith needs to worry about while ramping up to test coronavirus vaccines.

Perhaps the hackers behind Maze should be thinking about their own health when they hamper coronavirus vaccine medical trials and approvals–they may need the vaccine one day. If only they would focus their capabilities on doing some good for the world or leave those who are actually working for the greater good to continue to do their good work without interruption.

Anyone who has purchased a car in the past decade is familiar with the dazzling wave of technology that greets them: giant touchscreens, voice controls, remote start apps. But behind the gleaming infotainment systems and driver-assist cameras, a subtler, more powerful feature has crept into the modern automobile, the ability to observe, record, and report on virtually every aspect of its use and its users.

For years, consumers have worried about smartphone privacy, Alexa eavesdropping, or social media tracking. However, while attention was directed elsewhere, auto manufacturers quietly built an ecosystem that rivals Big Tech in its reach, and, according to a blistering Mozilla Foundation study reported by AP News, completely fails at protecting consumer privacy. Not even one of the 25 major car brands reviewed earned a passing grade.

Why? Because car companies aren’t just making money off vehicle sales anymore. They’re monetizing your data, and the information they scoop up goes well beyond GPS locations or your driving speed. Think:

  • Biological metrics: Weight, heart rate, even facial expressions via sensors and cameras;
  • Personal details: Information from your tethered phone, call logs, text messages, sometimes even biometric or demographic data; and
  • Highly sensitive information: According to some vehicle manufacturers’ own policies, data on “sexual activity” and “intelligence” can be collected.

Unlike a smartphone app, which must explicitly ask for permissions, car makers hide their consent models deep in paperwork signed under pressure in a dealership. Few read these documents and even fewer realize that 84% of cars reviewed by Mozilla share personal data with brokers and service providers, and 76% claim the right to sell your data.

This has transformed cars into ongoing surveillance devices whose output is not for your benefit, but to be shopped around in a shadowy secondary data market, sold to insurers, marketers, and sometimes even government agencies.

What was once private (e.g., how you drive, where you go, who rides with you) can now raise your costs or be used for purposes you never anticipated. The auto industry claims this is about safety or innovation. While crash detection or predictive maintenance require some data, that argument fails when it comes to collecting genetic or intimate personal information.

In the United States, where state-level rules like the California Consumer Privacy Act are only just beginning to probe this problem, most drivers are exposed by default. Federal lawmakers are only now starting to see the domestic, and even national security dangers. Issues range from stalkers misusing connected apps to fears of foreign adversaries accessing U.S. driver data. But for now, self-regulation prevails—and as Mozilla’s findings make clear, it doesn’t work. Consent screens for cars, buried in sales documents and 50-page privacy policies, simply don’t provide real choice or transparency, particularly when a car is used by multiple drivers or passengers.

In an age when car sensors can identify individual drivers, or capture pedestrians in external footage, the question of whose privacy is being violated gets murky. Passengers (who never agreed to anything) can have their images, voices, and even biometrics swept up by default, an uncharted legal territory with serious implications for consent and wiretapping laws.

The Alliance for Automotive Innovation touts voluntary, non-binding “consumer privacy principles.” In practice, opting out often means disabling mission-critical functions or navigating a maze of settings and customer service calls—hardly a meaningful choice, and often creating a “take it or leave it” arrangement where convenience trumps privacy.

As cars increasingly become platforms for subscriptions and software updates, the industry must realize that trust is everything. Already, lawsuits are hitting data-sharing arrangements. If automakers don’t fix their practices, a harsh regulatory reckoning is inevitable—one that could curtail the very innovation they celebrate.

Today’s car dealerships are not just selling you a car, they’re enrolling you, and everyone who travels with you, into a sprawling, often poorly regulated data marketplace. As drivers and passengers wake up to this reality, demands for transparency, meaningful consent, and real privacy choices will only grow. The road to the future, it turns out, is paved with data. The question is, do we still control the dashboard, or has the car quietly taken the wheel?

During the last Privacy Law class of the semester, we discuss Privacy and Emerging Technology. My students continue to learn about the collection, use, disclosure, and monetization of consumers’ data, and continue to be amazed at how their data is used without their knowledge. They often ask for tips on how to protect their data and make personal choices about when to allow its collection and use.

A helpful resource that I often peruse is the Electronic Frontier Foundation’s website. One tool that is particularly relevant to protecting one’s online privacy is the EFF’s Surveillance Self-Defense tools, which includes background on how online surveillance works, and tools to pick secure applications and security scenarios.

For my students reading this post this week, get ready to discuss the SSD tips and tools during class next week! For the rest of you, take a few minutes to remind yourself of how online surveillance works and how to best protect yourself online.

I continue to be amazed in my day-to-day virtual conversations by how many people are unaware of one of the most devastating compromises ever to happen—the recent compromise of Microsoft’s Exchange versions 2013-2019. It is critically important for all Microsoft Exchange users that are using Exchange On-Premises (such as those using Office 365) to be aware of the compromise because it could have a significant impact on your business.

Microsoft announced that its Exchange versions 2013-2019 were compromised and issued patches for the vulnerabilities on March 2, 2021 [view related post]. It is estimated that more than 30,000 U.S.-based companies will be affected by the compromise, which gives the attackers access to emails and potentially to other information technology assets. This is extremely serious, yet many people are unaware of the gravity of the issue and how it could impact their business.

The U.S. Cybersecurity & Infrastructure Security Agency issued an alert for leaders of companies on the compromise:

For Leaders:

An adversary can exploit this vulnerability to compromise your network and steal information, encrypt data for ransom, or even execute a destructive attack. Leaders at all organizations must immediately address this incident by asking their IT personnel:

  • What steps your organization has taken;
  • Whether your organization has the technical capability to follow the guidance provided below; and
  • If your organization does not have the capability to follow the guidance below, whether third-party IT security support has been requested.

Leaders should request frequent updates from in-house or third-party IT personnel on progress in implementing the guidance below until completed.

C-Suite executives and leaders of companies may wish to learn more about the compromise and how it could affect the company and to evaluate this guidance from CISA as soon as possible.


We spend a lot of time reporting on ransomware because we are seeing more incidents than ever before, and our readers comment that keeping them up to date on ransomware tactics is helpful. The ransomware gangs, strains and vectors are constantly changing, so it is very challenging for companies to keep up with their latest tactics.

The Coveware Quarterly Report is one resource that is very helpful in understanding the newest methods and successes of ransomware attackers, and Coveware’s Third Quarter Report was recently released.

The Report confirms what we are seeing in the field, and confirms how the landscape is changing. The big news is that the Maze group has allegedly dispersed, with some members joining others. Maze wreaked havoc last year, when it started exfiltrating data from victims before it dropped the ransomware and then threatened to publish the data if the company didn’t pay.

The Report is a must read, but here are some highlights (depressing as they are):

  • There is no guarantee that if you pay the ransom to delete data that they will actually delete it or that they will not come after you again. (They are criminals, after all). In Q3, exfiltration of data before the introduction of ransomware doubled, and half of all ransomware attacks included exfiltration of data. These are not promising statistics.
  • Although Maze is allegedly out of business, others have copied its tactics for exfiltrating data, including AKO, Ranzy, Netwalker, Mespinoza, Conti, Sekhmet, and Egregor. Egregor is believed to have inherited Maze. Sodinokibi has re-extorted victims after they have paid the ransom.
  • Some gangs provide fake proof that they have your data to get you to pay.
  • There is no guarantee that the exfiltrated data will not be sold to other groups.
  • Ransom demands are increasing.
  • The biggest ransomware threats in Q3 were Sodinokibi, Maze, Netwalker, Phobos, and DoppelPaymer.
  • Wasted, Nephilim and Avaddon made it into the top 10 list of market share of ransomware variants.
  • More than 50 percent of all attacks are successful through attacks on Remote Desktop Protocol (RDP). Coveware sees this method of attack as the most cost-effective way to compromise organizations and stresses the importance of properly securing RDP connections.
  • Almost 30 percent of attacks see the ransomware distributed via phishing emails, which have steadily increased since late 2019.
  • The average ransom payment in Q3 was $233,817, up 31 percent from Q2 2020.
  • The median ransom payment in Q3 was $110,532 up 2 percent from Q2 2020.
  • Ransomware is a disproportionate problem for small and medium-sized businesses; the median victim had 168 employees, up 68 percent from Q2 2020.
  • Most victims of ransomware have less than $50 million in annual revenue.
  • Professional service firms, especially small ones such as law firms and accounting firms, are especially vulnerable.
  • The average number of downtime days of victimized businesses is 19 days.

These statistics are ones to pay close attention to and use when determining risk management priorities. It is clear from the Report that addressing RDP and employee education as top priorities makes sense. According to the Report, one possible reason for the increase in the use of RDP is “that the influx of remote and work-from-home setups using RDP and other remote technologies allowed threat actors to leverage attack vectors that previously didn’t exist.”

As coronavirus cases increase again throughout the U.S., remote working appears to be the norm, so ransomware attackers are using, and will continue to use, the shift from the office to the home to attack victims.

On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory “to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.”

The advisory acknowledges that the incidents of ransomware attacks on U.S. companies have risen during the COVID-19 pandemic. Although the advisory does not mention that companies have been paying ransoms when they are victimized, it has been publicly reported that companies have paid ransoms, particularly when data has been exfiltrated and the cybercriminals are threatening to post the data online unless a ransom is paid for confirmation of destruction, as is the scheme used by Maze.

The advisory warns that paying ransoms “not only encourage future ransomware payment demands, but also may risk violating OFAC regulations.” The advisory “describes these sanctions risks and provides information for contacting relevant U.S. government agencies, including OFAC, if there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.”

If you want to read a well-written history of ransomware, read the advisory, as it lays out nicely the evolution of ransomware and its effect on businesses.

According to OFAC:

“[F]acilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.”

OFAC further states that “[C]ompanies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” These sanctions include civil penalties based on strict liability.

In light of the advisory, OFAC:

“encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses) (emphasis ours). In particular, the sanctions compliance programs of these companies should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction. Companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations.”

The OFAC advisory is a stark warning for responding to ransomware attacks and incident response. It lays out important considerations in determining how it may impact your incident response plan, questions to ask your cyber liability insurer about coverage around ransom payments, and the risks associated with a ransomware payment in your enterprise-wide risk management program.

Cyber liability insurers are in a good position to provide insight into the types of cyber incidents that are hitting the industry. Coalition, a provider of cyber insurance globally, which “serves over 25,000 small and midsize organizations across every sector of the US and Canada,” issued its Cyber Claims Report this week about the claims trends it is experiencing and an analysis of cyber risk based upon those claims.

According to the report, after analyzing thousands of reported incidents, it found that “the majority of losses” fell under breach response coverage, cyber extortion costs coverage, and funds transfer fraud coverage. According to the report, “[T]hese three loss types accounted for 87 percent of reported incidents and 84 percent of claims payouts.”

It further confirmed what we are seeing in the industry—that “the types of attack techniques criminal actors used to target our policyholders are also highly concentrated. Phishing, remote access, and social engineering attacks accounted for 89 percent of all known attack techniques.”

If this doesn’t tell you where to put your resources in prevention and resiliency, I don’t know what does. According to the report, 54 percent of all claims came from email/phishing schemes, 29 percent of claims were the result of remote access, 6 percent were attributable to “other social engineering,” and 3 percent each or 9 percent total were attributable to third-party compromise, brute force authentication attacks and “other.”

The report notes that ransomware is becoming increasingly sophisticated, which we have repeatedly reported from our experience, and that it has increased 47 percent in severity from Q1 to Q2 in 2020. This means that the ransomware criminals are increasing their ransom demands and “the complexity and cost of remediation is growing. The average ransom demand amongst our policyholders increased 100 percent from 2019 through Q1 2020, and increased another 47 percent from Q1 to Q2 in 2020.”

The report and the reality that we are seeing is grim. Ransomware strains such as Maze, Ryuk, Sodinokibi and DoppelPaymer are taking ransomware attacks to a new level by exfiltrating data before requesting the ransom, and then showing proof of life that they have the data in their possession and then threatening to publish the data unless a ransom is paid for a certificate of destruction. According to Coalition, the average ransom demand ranges from a high of Maze at $420,000 down to Sodinokibi at $73,920.

The Coalition report paints a stark picture of reality that is necessary to confront in order to put practices in place to implement incident response planning, prevention and resiliency.

When the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) get together to issue an alert to warn us about a security threat, you can bet that the threat is real, and that they have seen it used successfully at an alarming rate.

The joint advisory issued on August 20, 2020, “Cyber Criminals Take Advantage of Increased Telework Through Vishing Campaign,” warns companies of the increased use of vishing attacks by cyber criminals. The advisory defines “vishing” as “a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward” [see related Privacy Tip].

People are always amazed at how much time and effort cyber criminals take to get the big pay-off. I always say this is how they make their living. We go to work every day and get a lot of work done in a legal way, while they go to work every day to figure out how to steal from us. They are spending the same amount of time on strategy, development and implementation to work out the details of the crime as we are in making an honest living. What they are doing in cyber crime is no different than planning for a bank robbery. They have to plan carefully and then execute the crime. That’s what the cyber criminals have done with their vishing campaign.

The vishing campaign referred to in the advisory started with the criminals registering domains and creating phishing pages that duplicate a company’s internal VPN (virtual private network) login page, including the requirement for two-factor authentication or a security passcode. They then obtained SSL (Secure Sockets Layer) certificates for the registered domains, including support(victim company name), ticket(victim company name), employee(victim company name), or (victim company name)support. The point is that they are using the actual company name in combination with IT support to lure the victims and convince them into thinking the domain is real. It certainly looks very real.

The criminals then do online research on potential company victims, and according to the alert, “compile dossiers” on employees of the companies “using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research.” This is publicly available information about companies and their employees that the criminals use to implement the crime. They aggregate the publicly available information and then start calling the employees on their cell phones. When an employee answers, they engage them in conversation as if they know them (from social engineering—including name, address, position in the company) to get them to believe they are from IT support. They advise the employee that the company has changed the VPN and that a link to the new login will be sent, which includes multi-factor authentication, and that they will need to log in to reset the VPN. During the call, they assist the employee in logging in to the VPN and in the process, they gain access to the employee’s login credentials and now have access to the employee’s account.
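The naming pattern the advisory describes (an IT-support word such as support, ticket or employee combined with the company’s own name) is something a defender can watch for in certificate-transparency feeds or DNS query logs before the phone calls start. The script below is an added example and is not part of the advisory or of this post; the company name examplecorp, its allowlisted domains and the log lines are all constructed, and the optional separators between the support word and the company name (none, hyphen, dot, underscore) are an assumption added here rather than a list from the advisory.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# IT-support style words paired with the company name in the advisory's
# examples (support, ticket, employee), plus two assumed extras (helpdesk, vpn).
SUPPORT_WORDS = ("support", "ticket", "employee", "helpdesk", "vpn")

# Separator between support word and company name: none, "-", "." or "_" (assumption).
SEP = r"[-._]?"

# Hostname extractor for free-form log lines (lowercased before matching).
HOST_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b")


@dataclass(frozen=True)
class Finding:
    domain: str
    pattern: str       # which lookalike shape matched, e.g. "support-<company>"
    source_line: str   # the log line the domain came from


def is_legit(domain: str, legit_domains: FrozenSet[str]) -> bool:
    """True if the host is one of the company's own domains or a subdomain of one."""
    d = domain.lower().rstrip(".")
    return d in legit_domains or any(d.endswith("." + ld) for ld in legit_domains)


def lookalike_pattern(domain: str, company: str, legit_domains: FrozenSet[str]) -> Optional[str]:
    """Return the matched pattern name, or None if the domain is legitimate or unrelated.

    The company name must be bounded by non-alphanumerics on both sides so that
    e.g. 'supportexamplecorpx.com' is not reported as a hit."""
    d = domain.lower().rstrip(".")
    if is_legit(d, legit_domains):
        return None
    company = re.escape(company.lower())
    for word in SUPPORT_WORDS:
        if re.search(rf"(?<![a-z0-9]){word}{SEP}{company}(?![a-z0-9])", d):
            return f"{word}-<company>"
        if re.search(rf"(?<![a-z0-9]){company}{SEP}{word}(?![a-z0-9])", d):
            return f"<company>-{word}"
    return None


def scan_lines(lines: List[str], company: str, legit_domains: FrozenSet[str]) -> List[Finding]:
    """Extract hostnames from each log line and report the ones that look like
    company-branded support/VPN lookalikes."""
    findings: List[Finding] = []
    for line in lines:
        for host in HOST_RE.findall(line.lower()):
            pattern = lookalike_pattern(host, company, legit_domains)
            if pattern:
                findings.append(Finding(host, pattern, line))
    return findings


# Constructed sample data: the company's real domains and a mixed feed of
# certificate-transparency and DNS-resolver events.
COMPANY = "examplecorp"
LEGIT = frozenset({"examplecorp.com"})
LOG_LINES = [
    "2020-08-21T09:12:44Z ct-monitor new-cert cn=support-examplecorp.com",
    "2020-08-21T09:13:10Z ct-monitor new-cert cn=vpn.examplecorp.com",
    "2020-08-21T09:20:31Z dns-resolver query ticketexamplecorp.net type=A",
    "2020-08-21T09:25:02Z dns-resolver query employee.examplecorp.evil-host.net type=A",
    "2020-08-21T09:31:55Z dns-resolver query examplecorp-support.com type=A",
    "2020-08-21T09:40:00Z dns-resolver query supportexamplecorpx.com type=A",
    "2020-08-21T09:45:12Z dns-resolver query www.unrelated.org type=A",
]

if __name__ == "__main__":
    for f in scan_lines(LOG_LINES, COMPANY, LEGIT):
        print(f"{f.pattern:20} {f.domain}")
```

Run as a script it prints the four constructed lookalikes (the real vpn.examplecorp.com host and the two non-matching names are skipped). In practice the input would be a certificate-transparency monitor or the resolver's query log, and a hit is a cue to register the name defensively where possible and to warn staff before a caller claiming to be IT support points them at it.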

Once in the employee’s account, the criminals have access to other potential victims in the company using the same tactics, and are able to “fraudulently obtain funds using varying methods dependent on the platform being accessed.”

The alert acknowledges that this old scam, previously used on telecommunications and internet service provider employees, has now expanded to all industries because of the transition from work at the office to work from home during the pandemic. Companies need to be aware of the campaign, alert their employees, and provide them with resources and tips to avoid falling victim to it.