Skip links

Costa Rican government held up by ransomware … again

In brief Last month the notorious Russian ransomware gang Conti threatened to overthrow Costa Rica’s government if a ransom wasn’t paid. This month, another band of extortionists has attacked the nation.

Fresh off an intrusion by Conti last month, Costa Rica has been attacked by the Hive ransomware gang. According to the AP, Hive hit Costa Rica’s Social Security system, and also struck the island’s public health agency, which had to shut down its computers on Tuesday to prevent the spread of a malware outbreak. 

The Costa Rican government said at least 30 of the agency’s servers were infected, and its attempt at shutting down systems to limit damage appears to have been unsuccessful. Hive is now asking for $5 million in Bitcoin to unlock infected systems.

Hive and Conti weren’t known to be acting together in any way, but Emsisoft ransomware analyst Brett Callow told the AP that there’s probably someone coordinating between the two groups. 

“Conti likely partnered with other ransomware operations because it’s been increasingly challenging for them to collect payments since declaring their support for Russia and threatening attacks on US critical infrastructure,” Callow said. If not Conti itself, which recently tried to deflect attention by rebranding, it could be Wizard Spider, the Russia-linked crime-as-a-service gang allegedly behind Conti, Ryuk, and Trickbot.

Ransomware attacks have become 94.34 percent faster since 2019

Speaking of digital extortionists, an IBM X-Force analysis of ransomware attacks between 2019 and 2021 found that the average time it took between initial access and ransomware deployment went from 1,600 hours – more than two months – to just 3.85 days. 

IBM said that most ransomware attacks start with an initial access broker (IAB) breaking into a system and selling their access. And it fingered Conti, with its TrickBot malware, as one of the primary IABs responsible for the increase in ransomware attack speeds. 

“The TrickBot to Ryuk attack path resulted in a 90 percent increase in ransomware attacks investigated by X-Force Incident Response in 2019,” IBM observed in the report of its findings.

The ZeroLogon vulnerability was the key driver in ransomware speed and efficiency increases in 2020, IBM said. That year saw the average time drop to 9.5 days between initial access and ransomware deployment. 

To make matters worse, it doesn’t appear that ransomware actors are developing new tools – they’re just getting better at using the ones they have. Instead of innovating, IBM said, quick attacks are “due to the operationalization of ransomware attacks within the ransomware affiliates and execution against organizations that have yet to implement protection, detection, and response solutions designed to combat the ransomware threat.” 

In other words, patch your systems, back everything up regularly, and check the backups.

CISA warns Dominion voting machines riddled with vulnerabilities

An early leak of a US Cybersecurity and Infrastructure Security Agency (CISA) advisory intended for state election officials is warning of nine separate vulnerabilities in Dominion voting machines used in 16 states.

The research was being conducted in a case unrelated to former President Donald Trump’s false allegations that Dominion voting machines were part of an election stealing plot that cost him the 2020 contest. 

CISA said there’s no evidence to suggest the vulnerabilities have been exploited, and University of Michigan computer scientist Alex Halderman, who conducted the research, confirmed this – though he did note that data was outside the scope of his project.

The CISA memo includes remediation steps for the nine vulnerabilities, which include one requiring physical access, but which could spread malware between machines and allow an attacker to forge access cards used by technicians to service machines. 

Halderman told the AP that the vulnerabilities would be difficult for someone off the street to exploit – but that doesn’t mean they aren’t dangerous. “[The vulnerabilities] are things that we should worry could be exploited by sophisticated attackers, such as hostile nation states, or by election insiders, and they would carry very serious consequences,” Halderman said. 

Dominion defended its machines to the AP as both accurate and secure, and officials at levels across the US federal and state governments have said there is no evidence to support widespread election fraud claims in 2020.

Illinois residents get $100 million Google privacy payday

If you’re living in the Prairie State and use Google Photos the ad giant could have some cash for you, after settling a class action lawsuit.

According to the settlement website, if Illinois residents used the Photos service between May 1, 2015 And April 25, 2022 they could be up for a piece of the $100M pie. A class action lawsuit claimed that the Chocolate Factory stored biometric data on residents, in a breach of the state’s strict data laws, and Google wants to make it go away.

Google admits no fault as part of the settlement. It got off considerably more easily than Facebook, which in 2020 agreed to pay $550M over claims that it broke the state’s strict Biometric Information Privacy Act, introduced in 2008. An attempt to gut the law by a Democratic local politician failed in 2016 and now residents can reap the benefits.

Webmail RCE flaw final nail in languishing groupware project

A group of security researchers from Sonar R&D have found a serious flaw in Horde Webmail that an attacker could exploit to gain total control over a vulnerable instance. The solution? Ditch Horde, the researchers say.

This is a severe bug, and it’s one an attacker can execute with nothing but an email and an externally-hosted image file containing some malicious code. All a victim has to do to activate the attack is open the message.

The vulnerability exists in the default configuration of Horde Webmail, and the researchers said it can be exploited without any knowledge of the instance being targeted. Sonar’s R&D head Johannes Dahse said that there are more than 3,000 Horde instances exposed online. 

So, what exactly did Horde’s developers miss? Type checking. It turns out that when Horde Webmail loads a user’s address book it looks for a bit of info from the user specifying which address book to pull, and it’s supposed to be a string. 

“However, there is no type checking in place which could stop an attacker from sending an array as a parameter and supplying an entirely controlled configuration,” Sonar said. 

Horde hasn’t seemed to keep up on its Webmail project. Despite many of the organization’s Github repositories being updated within the past several days, its Webmail project hasn’t been touched since 2019. 

Sonar’s disclosure timeline reveals the project’s priority, too. It said Horde took a month to acknowledge the report, which the researchers made in early February, but has yet to release a patch. 

80 percent of businesses phished by hacked vendors – every month

A report on the human factor in cybersecurity incidents by Proofpoint found more than 80 percent of businesses face an attack from a compromised vendor account in the course of a month.

The report covers a broad swath of cybersecurity statistics pertaining to how hackers target and exploit humans, who are arguably much easier to hack than computers. Along with some interesting attack data, it also highlights just how widespread and successful phishing and other social engineering attacks are. 

In all, 20 percent of those targeted with a malicious attachment opened it, 11 percent of those who were sent a link clicked it, and 4 percent willingly entered data into malicious forms. In the past year, more than 20 million messages attempted to deliver malware linked to a ransomware attack, the report claims. That’s a lot of successful attacks that worked because they targeted humans. 

Proofpoint’s report also found that high-privileged users were disproportionately targeted, making up nearly 50 percent of the severe attack risk a company faces despite only being 10 percent of the headcount. The report also found that departments dealing with sensitive information, like finance, HR and legal, are attacked more often than those with less organizational privilege. 

“Most cyber attacks can’t succeed unless someone falls for them,” the report argues. Verizon said last week in its Data Breach Investigations Report that humans were the root cause of 82 percent of breaches. ®