Friday Five 3/27
Cybercrime groups capitalize on pandemic anxiety, Norwegian Cruise Line suffers data breach, and more - catch up on all the week's news with the Friday Five.
1. World’s Third Largest Cruise Line Norwegian Suffers Data Breach by Sam Varghese
As if cruise lines trying to stay afloat - pun intended - during this financially difficult time didn't have enough on their plates, now they have to worry about protecting their data, as most operations have moved to virtual platforms. Norwegian Cruise Line, the world’s third largest cruise line, suffered a data breach that exposed the email addresses and passwords of almost 27,000 travel agents. The data was taken from Norwegian’s travel agent portal on March 12 and was found posted on a hacking forum on March 13. The database contained clear text passwords and email addresses belonging to travel agents, which makes them easy targets for account takeovers on any other platform where the same password was reused, as well as for sophisticated phishing emails and fraud. This puts further pressure on agents who are already vulnerable at this time, and it could even put smaller agents out of business. An NCL spokesperson has reassured the public that the website has been shut down, and that they are in the process of asking travel partners who may have been affected to change their password for the site and for any other site that uses the same password. The cruise line believes this to be a unique and isolated incident and says it remains committed to protecting its partners’ security and confidentiality.
2. Cyber Gangsters Hit UK Medical Firm Poised for Work on Coronavirus with Maze Ransomware Attack by Bill Goodwin
Just days after the cybercrime group Maze Ransomware publicly promised to halt all attacks on medical research organizations during the coronavirus pandemic, they attacked a medical research organization during the coronavirus pandemic. The group attacked the computer systems of London-based Hammersmith Medicines Research (HMR), a company that performs early clinical trials of drugs and vaccines. HMR’s IT staff discovered the attack on Saturday, March 14 and were able to stop it in its tracks and restore their computer systems and email by the end of the day. A spokesperson for the company revealed that they had recently “beefed up” their security defenses, so they were able to react efficiently and experience no downtime. Although functions were restored, Maze sent the company a ransom demand along with medical files of former patients, dated eight to 20 years ago, to prove it had gained access to HMR’s data. The research company does not have the funds to pay a ransom demand even if it wanted to. When HMR declined to pay, the group published the personal details of thousands of former patients. The files contain medical questionnaires, copies of passports, driving licenses and national insurance numbers of almost 2,300 patients.
3. Hackers Breach FSB Contractor and Leak Details About IoT Hacking Project by Catalin Cimpanu
Digital Revolution, a Russian hacker group, has published technical documents, diagrams, and code fragments supposedly belonging to a contractor for the FSB, Russia’s national intelligence service. The project was named “Fronton” and was intended for hacking Internet of Things (IoT) devices. Fronton’s technical documents were put together following a procurement order placed by FSB’s Information Security Center, and they charge InformInvestGroup CJSC with building an IoT hacking tool. Based on the screenshots shared by Digital Revolution, the project appears to have been put together in 2017 and 2018 and heavily references the IoT malware strain Mirai, which was used to build a massive IoT botnet in 2016. The botnet illustrated in the Fronton project would be built to carry out password dictionary attacks against IoT devices, and if efforts were successful, the device would be enslaved to the botnet. The technology would also specifically target internet security cameras and digital recorders which were deemed ideal for carrying out DDoS attacks. ZDNet was able to see these documents firsthand and had security researchers analyze the report.
4. Elite Hackers Target WHO as Coronavirus Cyberattacks Spike by Raphael Satter, Jack Stubbs, Christopher Bing
The World Health Organization (WHO) and its partners have been dealing with a two-fold increase in cyberattacks on top of battling the coronavirus outbreak. The most recent effort by elite hackers, speculated to be the group known as DarkHotel, to break into WHO’s system was unsuccessful. The break-in attempt was first spotted by a Reuters cybersecurity expert on March 13 when he observed a group of hackers activate a malicious site that mimicked WHO’s internal email system. The site was used in an attempt to steal passwords from multiple agency staffers, but all messages sent to email addresses maintained by the hackers went unreturned. The World Health Organization, as well as many United Nations agencies, have issued cybersecurity warnings during the coronavirus pandemic as any information about cures, tests, or vaccines would be priceless to hackers everywhere looking to capitalize on international concern.
5. New Attack on Home Routers Sends Users to Spoofed Sites that Push Malware by Dan Goodin
Yet another story of attackers capitalizing on pandemic anxiety, this time focusing on hacking home and small-office routers. The compromises are hitting Linksys routers and attempt to install malware by redirecting users to malicious sites that pose as COVID-19 informational resources in an attempt to steal passwords and cryptocurrency credentials. Although the attackers’ specific tactics are unclear, researchers suspect the bad actors are guessing the passwords used to secure routers’ remote management consoles or guessing credentials for users’ Linksys cloud accounts. The malicious site that users are directed to claims to offer a “COVID-19 Inform App” with all of the latest information regarding the virus. If a user clicks the download button, they are redirected to a Bitbucket page that offers a file that installs malware. Industry experts are offering tips to users to prevent attacks on routers, such as turning remote administration off on devices whenever possible and ensuring that router firmware is up to date.