Security week 7

Stay safe. We bring you our regular weekly overview of security news.

South Korea has ordered control of its energy networks against cyber threats

The Korean Ministry of Commerce, Energy and Infrastructure has ordered an inspection of the national energy infrastructure. The impetus for this decision was the attack on the Colonial Pipeline in the USA, where a ransomware attack knocked out supplies for the East Coast of the USA. Oil and gas pipelines, electricity networks and emergency response systems are subject to inspections. South Korea has cold winters and is a frequent target of attackers.

CNA paid a $ 40 million worth ransom to a ransomware gang

CNA Financial Group, one of the largest American insurance companies, paid 40 mil. dollars after a ransomware attack to restore control of its network. Although the company claims it did nothing illegal and consulted its actions, the FBI strongly urges companies not to pay any ransom. The amount paid is one of the highest ransoms ever paid. Overall, in 2020, there is an estimation of 300% increase in the amount paid to cyber criminal groups. Evil corp is probably behind this particular attack and it used Phoenix Locker malware (a variant derived from “Hades”).

Ireland’s health care system under ransomware attack

The Irish Department of Health and the HSE (Ireland’s publicly funded healthcare system) have been the target of a cyber attack. While the Ministry of Health managed to defend itself, the HSE fell victim to the Conti ransomware gang. Although the gang provided a decryptor to enable the recovery of encrypted data, it warned that the stolen data (estimated at about 700 GB) will still be sold or published if HSE does not pay the ransom of almost 20 mil. dollars. As criminal group decryptors have questionable functionality (e.g. speed and execution quality), Emisoft provided HSE with its free file decryption tool. The Ministry will check the HSE to see if the computer network is secure after the restoration. – Health insurance provider’s database compromised

One of the largest health insurance providers focused on student travel insurance was forced to disconnect its website after attackers gained access to personal data in the system. The provider contacted the affected students and at the same time managed to remove the vulnerability that allowed attackers to access the date of birth, gender, encrypted form of password, email and postal addresses and telephone numbers.

All Wi-Fi devices manufactured since 1997 contain FragAttack vulnerabilities

Newly discovered vulnerabilities related to fragmentation and aggregation (FragAttack) are found in all types of devices (PCs, smartphones, smart devices, …), which have been manufactured since 1997. Devices using the latest WPA3 specification are also affected. Although exploiting these vulnerabilities is not easy, the bugs behind these vulnerabilities are easily exploited on unprotected devices. Manufacturers are gradually releasing security updates and are coordinated by ICASI and the Wi-Fi Alliance. Even if the manufacturer still has not released an update, the risk of exploiting vulnerabilities can be minimized. The basic advice is to use HTTPS when surfing. Others include disabling fragmentation, disabling paired views, and disabling dynamic fragmentation on Wi-Fi 6 (802.11ax) devices. There already is a tool on Github to help determine if the access point and Wi-Fi clients contain vulnerabilities.

Ransomware group DarkSide attacked Toshiba Tec Corp.

Following the recent successful attack on the Colonial Pipeline, which provides 45% of the fuel supply for the East Coast of the USA, Toshiba Tec Corp has become the group’s latest target. A factory in France was attacked. Immediately after the detection of the attack, the network between the Japanese European part of the company was disconnected to minimize the possibility of spreading ransomware. Although the investigation continues, the company still claims that no sensitive documents related to customers have been leaked.

The ransomware attack canceled planned operations in hospitals in New Zealand

The attack, probably caused by an infected email attachment, hit the Waikato District Health Board and its six hospitals. All IT services reported outages except email. Due to the lack of access to patient records, planned operations had to be canceled and hospitals were only able to deal with acute cases. Other patients were diverted to nearby hospitals. A forensic investigation into the entire attack is currently underway. The management of Waikato DHB decided not to pay the ransom.

The Brazilian bank trojan horse spreads across continents

The new Bizarro malware targets more than 70 banks, mainly in Europe and South America, on users’ mobile (Android) devices. In addition, it seeks to gain access to and compromise Bitcoin wallets. After infiltrating the device, it terminates all processes in browsers with online banking services, so users must log in again. Then the malware harvests sensitive login data. It also turns off the browser’s autocomplete feature and can create fake pop-up messages to obtain two-factor authentication codes. At the same time, it is a fully functional back door that supports more than 100 commands.