2022 September Cyber Bytes

A Cyberattack Hits The Los Angeles School District, Raising Alarm Across The Country

Source: The Associated Press on September 7, 2022

LOS ANGELES — A ransomware attack targeting the huge Los Angeles school district prompted an unprecedented shutdown of its computer systems as schools increasingly find themselves vulnerable to cyber breaches at the start of a new year.

The attack on the Los Angeles Unified School District sounded alarms across the country, from urgent talks with the White House and the National Security Council after the first signs of ransomware were discovered late Saturday night to mandated password changes for 540,000 students and 70,000 district employees. Though the attack used technology that encrypts data and won't unlock it unless a ransom is paid, in this case the district's superintendent said no immediate demand for money was made and schools in the nation's second-largest district opened as scheduled on Tuesday. Such attacks have become a growing threat to U.S. schools, with several high-profile incidents reported since last year as pandemic-forced reliance on technology increases the impact. And ransomware gangs have in the past planned major attacks on U.S. holiday weekends, when they know IT staffing will be thin and security experts relaxing.

While it was not immediately clear when the LA attack began — officials have only said when it was detected and a district spokesperson declined to answer additional questions — Saturday night's discovery reached the highest levels of the federal government's cybersecurity agencies. According to a senior administration official, this pattern of support was consistent with the Biden administration's efforts to provide maximum assistance to critical industries affected by such breaches. The official, who spoke on the condition of anonymity to discuss the federal response, said the school district did not pay ransom, but would not get into detail on what potentially might have been stolen or damaged and what systems were affected by the breach.

The White House's response to the LA incursion reflects a growing national security concern: A Pew Research Center survey, published last month, found that 71% of Americans say cyberattacks from other countries are a major threat to the U.S. Authorities believe the LA attack originated internationally and have identified three potential countries where it may have come from, though LA Superintendent Alberto Carvalho would not say which countries may be involved. Most ransomware criminals are Russian speakers who operate without interference from the Kremlin. LA officials did not identify the ransomware used. "This was an act of cowardice," said Nick Melvoin, the school board vice president. "A criminal act against kids, against their teachers and against an education system."

So far this year, 26 U.S. school districts — including Los Angeles — and 24 colleges and universities have been hit by so-called ransomware, according to Brett Callow, a ransomware analyst at the cybersecurity firm Emsisoft. With victims increasingly refusing to pay to have their data unlocked, many cybercriminals instead use the same technology to steal sensitive information and demand extortion payments. If the victim doesn't pay, the data gets dumped online. Callow said at least 31 of the schools hit this year had data stolen and released online, and noted that eight of the school districts have been hit since Aug. 1. The upsurge on schools as summer vacations end is almost certainly not coincidental, he said. "It is the No. 1 threat to our safety," said Michel Moore, chief of the Los Angeles Police Department. "It is an invisible foe and it is tireless."

Tireless — and expensive, even outside of any monetary demands. A ransomware extortion attack in Albuquerque's biggest school district forced schools to close for two days in January, while Baltimore City's response to a 2019 hit on its computer servers cost upwards of $18 million. The LA attack was discovered around 10:30 p.m. Saturday when staff first detected "unusual activity," Carvalho said. The perpetrators appear to have targeted the facilities systems, which involve information about private-sector contractor payments — which are publicly available through records requests — rather than confidential details like payroll, health and other data. He said district IT officials detected the malware and stopped it from propagating, but not until after it had infected key network systems, necessitating the reset of passwords for all staff and students.

Authorities scrambled to trace the intruders and restrict potential damage. "We basically shut down every one of our systems," Carvalho said, noting that each one had been checked and all but one — the facilities system — restarted by late Monday night, when the district first notified the public of the hit. On Tuesday, federal authorities separately warned of potential ransomware attacks by the criminal syndicate known as Vice Society, which has allegedly disproportionately targeted the education sector. Authorities have not said whether they believe Vice Society is involved in the LA attack and the group did not respond to a request for comment on Tuesday. "The fact that a joint cybersecurity advisory relating to Vice Society was issued within days of the attack on LAUSD being discovered may be telling, especially as this gang has frequently targeted the education sector in both the U.S. and the U.K.," said Callow, the ransomware expert.

Vice Society first appeared in May 2021 and, rather than a unique variant, it has used ransomware widely available in the Russian-speaking underground, security researchers say. Among victims claimed by Vice Society are the Elmbrook School district in Wisconsin and the Savannah College of Art and Design. Ransomware gangs routinely dissolve after high-profile attacks such as last year's Colonial Pipeline incident, which triggered runs on gas stations. Their members then reconstitute under new names. While there was pressure to cancel school in Los Angeles on Tuesday, officials ultimately decided to stay open. Had the activity not been discovered on Saturday night, Carvalho said there could have been "catastrophic" consequences. "If we had lost the ability to run our school buses, over 40,000 of our students would not have been able to get to school, or it would have been a highly disrupted system," he said. The district plans to do a forensic audit of the attack to see what can be done to prevent future incursions. "Every teacher, every employee, every student can be a weak point," said Soheil Katal, the district's chief information officer.

Phishers Take Aim At Facebook Page Owners

Source: Help Net Security by Zeljka Zorz on September 14, 2021

Phishers are looking to trick owners of Facebook pages with fake notices from the social network (i.e., Meta, the company behind Facebook, Instagram, and WhatsApp), in an attempt to get them to part with sensitive information. The method they are using to harvest information is quite clever: they create a lead generation form via the Meta Ads Manager and include the link to it in the phishing email. Such a link makes it less likely that email security solutions will flag the email as potentially malicious and can also give a false sense of security to the potential targets, as the email ostensibly came from Facebook and contains a link to a page hosted on Facebook.

“Our researchers have been consistently tracking phishing emails that come from legitimate sources,” says Jeremy Fuchs, a cybersecurity researcher at Avanan. Hackers often leverage sites that appear on email security services’ Allow lists – and Facebook is one of those. “So, a link from Facebook would appear to be legitimate and not scanned for further malicious content,” he explained. Avanan has spotted two types of phishing emails with links to a lead generation form on Facebook:

  • A (fake) notification saying that one of the users’ ads was reported because it does not comply with Meta’s advertising policies, and a threat that their ad account will be disabled if they don’t fill an appeal form
  • A (fake) notification that the users’ page has been reported for violating Meta’s Terms of use, and a threat that their account will be disabled if they do not fill an appeal form within 24 hours 

If one knows what to look for, there are many discrepancies that make it obvious the emails have not been sent by Meta or the “Media Operations Team Facebook”: grammatical and stylistic mistakes, the emails coming from an Outlook domain and addressed to “Dear User” (and not to the specific user), the threat of account disabling, the attempt to create a sense of urgency… But unfortunately, just the fact that the phishing link points to Facebook can be enough to fool some users. Fuchs told Help Net Security that the phishers are not specifically targeting known owners of Facebook ad accounts. Instead, the emails – and there’s a lot of them – are sent indiscriminately, obviously hoping to hit that specific category of users. The fake appeal forms might ask for any type of information, including account login credentials and credit card information. With the former, attackers may hijack victims’ Facebook ad account and use it for attacks at a later date (e.g., to create phishing forms, push malicious ads on Facebook and Instagram, etc.)
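The article's point is that an allow-listed link domain is not, on its own, evidence that a message is genuine; the sender domain, the generic greeting and the urgency language still give the mail away. The script below, added here as an illustration and not part of the Help Net Security article or Avanan's research, scores a raw e-mail against exactly those indicators. The two sample messages, the domain lists and the scoring threshold are constructed for the example; the URL paths are placeholders, not real Meta form addresses.

```python
"""Score an inbound e-mail against the phishing indicators named in the article.

A brand-hosted link (here: a form on facebook.com) earns no trust by itself
when the mail mentioning that brand was not sent by the brand.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains a genuine Meta/Facebook notice would be sent from (assumption for the example).
BRAND_DOMAINS = {"facebook.com", "facebookmail.com", "meta.com"}
# Free webmail domains a brand would not use for official notices (constructed list).
WEBMAIL_DOMAINS = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com"}

BRAND_MENTION = re.compile(r"\b(?:meta|facebook)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear\s+(?:user|customer|member)\b", re.I | re.M)
URGENCY = re.compile(r"within\s+\d+\s+hours?|will be (?:disabled|suspended|deleted)", re.I)
LINK = re.compile(r"https?://[^\s<>\"')]+")


def _registered_domain(host: str) -> str:
    """Crudely reduce a host to its last two labels (www.facebook.com -> facebook.com)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _plain_text(msg) -> str:
    """Return the text/plain body of a parsed message (joined if multipart)."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def score_email(raw: str) -> dict:
    """Return the sender domain, the indicators that fired and a verdict."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = _registered_domain(sender.rpartition("@")[2])
    text = _plain_text(msg)
    content = f"{msg.get('From', '')}\n{msg.get('Subject', '')}\n{text}"

    indicators = []
    # The brand is named (in From or body) but the mail did not come from the brand.
    impersonates_brand = bool(BRAND_MENTION.search(content)) and sender_domain not in BRAND_DOMAINS
    if impersonates_brand:
        indicators.append(f"brand mentioned but sender domain is {sender_domain}")
    if sender_domain in WEBMAIL_DOMAINS:
        indicators.append("sender uses a free webmail domain")
    if GENERIC_GREETING.search(text):
        indicators.append("generic greeting instead of the account holder's name")
    if URGENCY.search(content):
        indicators.append("urgency / account-disable threat")
    # A link to the brand's own (allow-listed) host is itself an indicator when the
    # mail impersonates that brand: the form is hosted there precisely to pass filters.
    for url in LINK.findall(text):
        host = urlparse(url).hostname or ""
        if impersonates_brand and _registered_domain(host) in BRAND_DOMAINS:
            indicators.append(f"link to allow-listed brand host {host} in a mail not sent by the brand")
            break

    # Two or more independent indicators: route to analyst review (threshold is an assumption).
    verdict = "suspicious" if len(indicators) >= 2 else "clean"
    return {"sender_domain": sender_domain, "indicators": indicators, "verdict": verdict}


# Constructed sample modelled on the second lure described in the article.
PHISH_SAMPLE = """\
From: Media Operations Team Facebook <ops-notice@outlook.com>
To: owner@example.com
Subject: Your page has been reported

Dear User,

Your page has been reported for violating Meta's Terms of use. Your account
will be disabled if you do not fill the appeal form within 24 hours.

Appeal form: https://www.facebook.com/constructed-lead-form-placeholder
"""

# Constructed sample of a benign brand notice that also links to facebook.com.
LEGIT_SAMPLE = """\
From: Facebook <notification@facebookmail.com>
To: owner@example.com
Subject: Weekly page summary

Hi Alice,

Here is how your page did this week. View details:
https://www.facebook.com/constructed-summary-placeholder
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = score_email(sample)
        print(name, result["verdict"], result["indicators"])
```

Both samples carry a facebook.com link; only the one that names the brand while arriving from a webmail domain is flagged, which is the distinction a filter that trusts the link domain alone cannot make.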

Passengers Exposed to Hacking via Vulnerabilities in Airplane Wi-Fi Devices

Source: Security Week by Eduard Kovacs on September 14, 2022

Researchers have discovered two potentially serious vulnerabilities in wireless LAN devices that they say are often used in airplanes. Researchers Thomas Knudsen and Samy Younsi of Necrum Security Labs identified the vulnerabilities in the Flexlan FX3000 and FX2000 series wireless LAN devices made by Contec, a Japan-based company that specializes in embedded computing, industrial automation, and IoT communication technology. One of the security holes, CVE-2022-36158, is related to a hidden webpage that can be used to execute Linux commands on the device with root privileges. The device’s web-based management interface does not provide a link to this hidden page. “From here we had access to all the system files but were also able to open the telnet port and have full access on the device,” the researchers explained in a blog post.

The second vulnerability, CVE-2022-36159, is related to a backdoor account and the use of a weak hardcoded password. The researchers found a root user account with a default hardcoded password that is likely designed for maintenance purposes. The password is stored as a hash, but it was quickly cracked by the experts. An attacker can use this account to gain control of the device. Contec says its Flexlan wireless LAN devices are ideal for use in distribution systems, factories, offices and with embedded devices. However, the researchers say they are often used in airplanes for Wi-Fi access points that passengers can use to connect to the internet and in-flight services. Aircraft manufacturers and in-flight entertainment system vendors have always maintained that hacker attacks on passenger-accessible systems do not pose a risk to flight controls and safety due to isolation of the systems.

However, malicious actors could still find these types of vulnerabilities useful, as shown by researchers in the past. Younsi told Security Week that the flaws they have found could be exploited by a passenger, as the vulnerable interface is accessible. The attacker could, for example, collect the data of other passengers or deliver malware to their devices. “We can imagine a scenario where a malicious actor can spoof the HTTPS traffic by uploading his own certificate in the router to see all requests in clear text,” the researcher explained. “Another scenario would be to redirect the traffic to a malicious APK or iOS application to infect the mobile phone of each passenger.”

In its own advisory, the vendor said, “there are possibilities of data plagiarism, falsification, and system destruction with malicious programs if this vulnerability was exploited by malicious attackers.” Contec explained that the vulnerabilities are related to a private webpage that developers can use to execute system commands, and this page is not linked to from settings pages available to users. Firmware versions 1.16.00 for FX3000 series and 1.39.00 for FX2000 series devices address the vulnerabilities. The US Cybersecurity and Infrastructure Security Agency (CISA) did recently publish an advisory describing vulnerabilities in a Contec medical device, but it has not released an advisory for the Flexlan issues. Japan’s JPCERT/CC did release an advisory this month. The affected devices are not used only in airplanes. Nihon Kohden, a Japanese manufacturer of medical electronic equipment, issued a statement recently to inform customers about these vulnerabilities, saying that it’s investigating the impact on its products and systems.

Online Scams on Queen Elizabeth's Death Are Here

Source: KnowBe4 by Stu Sjouwerman on September 13, 2022

The Sun just reported that experts are sending a warning about online scams in relation to Queen Elizabeth's passing. These threat actors are utilizing social engineering tactics by using phony Twitter accounts to offer tickets to next week's funeral. The link to the tickets takes you instead to a fraudulent website that asks for your bank login. Another scam, circulating by email and on social media, claims that the Queen has left behind large sums of money for the taking.

Javvad Malik, KnowBe4's Security Awareness Advocate, had this to say to the Sun, "Criminals are swift to capitalise on public events, whether it be a natural disaster, a sporting event, or the death of a prominent person. With the passing of the Queen, people should be vigilant of scammers trying to exploit the situation." Current event scams are not going anywhere, and it's important for your users to stay up to date on the latest phishing trends. New-school security awareness training can ensure your users are reporting any suspicious activity in their day-to-day job operations.

Law Firm Informs 255k Of HIPAA Data Incident 10 Months After Hack

Source: SC Media by Jessica Davis on September 9, 2022

Warner Norcross & Judge recently informed the Department of Health and Human Services of a Health Insurance Portability and Accountability Act data breach impacting 255,160 individuals. The law firm provides employment and immigration services to healthcare entities, including three of the largest hospital systems in Michigan. On Oct. 22, 2021, WNJ first discovered unauthorized activity on “some of its systems” and took steps to secure the network. A digital forensics firm was brought on to investigate and to perform a “data mining and manual review.” WNJ found that personal and protected health information was contained in the protected systems, including names, dates of birth, Social Security numbers, driver’s licenses, passports, and government IDs, annual compensation amounts, benefit contribution details, credit or debit card numbers and PINs, financial accounts or routing numbers, and other sensitive data.

The notice appears to explain the lengthy delay in notifying patients as tied to its data mining to identify impacted information and individuals. But under HIPAA, covered entities and business associates are required to report within 60 days of discovery, not at the close of an investigation. WNJ has since “taken steps to help prevent a similar incident from occurring in the future.”