Tuesday, June 29, 2021

Sturdy Memorial Hospital-Not so much

Hospitals continue to be targeted at a disproportionate rate, as they have been over the last five years. Other industries hold data just as valuable as the medical field's, yet hospitals are in the news at a higher rate. One factor driving the attacks is the criticality of the services. A hospital requires access to its data (e.g., patient charts) and networks to perform operations, both planned and emergency procedures, and simply to see patients. The high-level data flow for this is quite simple. Alternatively, the system may be breached and patient data exfiltrated, with the ransom demanded in exchange for a promise not to distribute or sell this data to other unauthorized parties.

This is why ransomware is so potent in this circumstance. The patient data is also very important to both parties, the hospital and the patient. The hospital must report the breach in most instances. The patient, depending on the data itself, may have the pleasure of monitoring their accounts and credit report for decades.

With the exfiltrated data, the hospital generally has two options: pay the ransom to keep the data from being sold to other unauthorized parties, or not. Paying the ransom is usually not recommended. The concern is that, after the money is received, the attackers would release the data anyway. While this has occurred a limited number of times over the last few years, it is a detriment to the business model of the malware industry. If the organization is reasonably certain the data will be published anyway, there is absolutely no reason to pay a penny. In this instance, Sturdy Memorial Hospital did pay the ransom or fee. The amount was not disclosed. As a result of the breach, the hospital mailed letters to the affected parties. As part of the response, the incident was reported to the FBI.

While the attack vector was not noted, the incident is representative of the reach ransomware has. Depending on the malware strain, all it can take is one person clicking the wrong link. We still need additional training to limit the potential for this to happen elsewhere.

UF; UH-OH

Hospital systems are a treasure trove of data. You have the patient's name, social security number, address, medical records and identifiers, and other information that can be sold en masse or divided into sections for separate sales. In this area of operations, the data is critical for patient care. This provides leverage for any attacker. If they can remove access to the data and network, through ransomware for example, the facility would be desperate to get this back online and may be more likely to pay a ransom if there is no access to viable back-ups.

The University of Florida Health System recently had the opportunity to work through this portion of its incident response plan. This affected the services at the two locations targeted and successfully attacked: the UF Health locations in Leesburg and The Villages. The attackers were able to shut down their systems. Beyond the successful attack itself, it is surprising that this is not the first time in recent history this has occurred, with the prior occurrence last August.

With two events of this nature occurring within one year, it appears there needs to be additional training for staff or the network needs to be improved.

That was an expensive click

Everyone needs or is required to have insurance. This may take the form of auto, health, dental, short- or long-term disability care, or any of the other types of insurance. It seems as though if there is a need, you can find insurance for it. One of the largest commercial insurance carriers in the US is CNA. While being one of the largest insurance carriers in the nation certainly is a success to be applauded, it also tends to put a target on you. After all, when a company is this huge, there is a literal mountain of data to target, and the company certainly has deep pockets to pay a ransom, if it so chooses.

Recently CNA had the pleasure of working through an incident much like this. Ironically, CNA sells cyber insurance. In this case, the attackers were able to compromise CNA's systems. Post-breach, they encrypted over 15K of the company's devices using Phoenix CryptoLocker, a variant of Hades. This variant is engineered to encrypt the files on the compromised machines and demand a ransom for the decryption key. The group, Evil Corp, was paid the ransom by CNA.

For every individual and organization that believes "This can't happen to me!": yes, it can. If CNA, which has vast resources and even sells insurance for this type of incident, can be successfully attacked, so can you.

Military vehicle manufacturer hacking

Department of Defense (DoD) contractors continue to be regularly targeted. These organizations tend to work with secret and top-secret data and information as they develop new systems for military use: ground vehicles, jets, ships, and other projects. One contractor, Navistar, was targeted and successfully breached. This was disclosed in its Form 8-K filing with the Securities and Exchange Commission (SEC). The company detected the compromise on May 20, 2021.

With the data involved, the company could not afford paralysis by analysis, and immediately went into action to contain the breach and work towards mitigating its effects. After these steps, Navistar began investigating the attack with security and forensic subject matter experts. They also contacted law enforcement.

As a result, the organization took steps to strengthen its infrastructure and protect the data from unauthorized parties. Throughout the attack, the systems remained operational. While they aggressively worked to minimize any damage, on May 31 they received a communication that data had been exfiltrated during the attack. In light of the updated information, they continue to investigate the issue and determine the scope of the data involved.

This is another example of what could happen. While you continuously work towards securing the enterprise, there is always a vector available. Arriving at this may be difficult, but it is still there.

Tesla; still targeted

Over the years since that fateful day in 2015, many people have made their name with vehicle hacks. The attacks can be mundane or affect critical systems; disabling the A/C is far different from affecting the engine or braking system.

Any vehicle system will have vulnerabilities; the researcher just has to find them. One auto manufacturer targeted over approximately the last three years has been Tesla. Some of the vulnerabilities found have required physical access and others have not. In this instance, the vulnerability was found by a Canadian software developer from Quebec, Shankar Gomare, rather than, as is more usual, by a cybersecurity researcher. He was working on his "Voice for Tesla" iOS app early in 2021 when he noted a significant vulnerability in Tesla's Bluetooth key technology. The developer's app functions much like Amazon's Alexa, providing reminders via voice. The difference is that the application does not require a specific wake word or phrase, as Alexa does.

While developing the application, the developer noted Tesla uses two different Bluetooth sensors in the vehicle. One is Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR), generally used for streaming music. The other is Bluetooth Low Energy (BLE), which the phone key uses. This is a convenience: it allows the keyholder to unlock the vehicle by being near it with the connected mobile device (e.g., phone).

As you can figure, the exploit involves Bluetooth. The vehicle's sensors are coded to detect the strongest Bluetooth signal from connected devices within range before executing the unlock function. This is generally the owner's mobile device. Here is the issue: the researcher noted the BLE connection did not require authentication to connect to the vehicle. This allowed the researcher to unlock any Tesla by acting as the phone key, forcing the vehicle to request the key from the actual mobile device by pulling on the door handle.

For this to work, the actual owner's mobile device would still need to be within the 200m-400m BLE range. This may seem a bit risky if the owner were walking to their vehicle at the end of the day and saw the person. Where this would work much better is if the Tesla were parked in the driveway in the evening. Yes, this was patched with an over-the-air (OTA) update.

This is another example of the importance of allowing legitimate cybersecurity researchers to act. The researcher conducted himself appropriately and worked with Tesla on a responsible disclosure. Think through what could have happened if a bad actor had found this method and gone another route.

Community college in Iowa breached

Colleges and universities are much like medical facilities in the eyes of attackers. Both may not have the best defenses in place, and both hold a mass of data on their clients (i.e., students and patients). Also, for both, there have been many, many breaches in the last three years, as noted by the published compromises.

The colleges in Iowa are no different and have been targeted. This time, Des Moines Area Community College was targeted and breached. An unfortunate side effect for the students was the school needing to shut down for a few days.

The issue began on a Friday, when the incident became known and the school had to partially shut down its network. This continued through Tuesday. Fortunately, in-person classes resumed on the Wednesday. A date for online classes to start back up had not been announced.

To assist with the forensic investigation, the FBI was contacted and is involved. Unfortunately, there have been no published details of the attack. The breach again shows us anyone is a target, and your defenses have to be kept up to date.

6/21/2021 Update: The community college does have cybersecurity insurance. The insurance company was negotiating with the attackers. This was indeed yet another ransomware attack. As part of the forensic review, the SME checked over 6K of the college's computers.

Yet another medical facility pwned

Medical facilities continue to be pwned by the attackers, week after week, month after month. The latest victim is Scripps Health. On May 2, 2021, Scripps was the victim of an attack which successfully breached its systems. The method by which the malware was placed on the information system has not been published yet. The malware was not trivial, as the administrators were forced to suspend access to a large portion of the network.

Scripps posted on Twitter (May 20th) that most of the functions of their website, scripps.org, were operational again. The other functions were still being worked on. One function still being addressed was the patient portal, which as of May 20 was still offline. Scripps was still researching the breach as of May 20 and wasn't completely sure whether patient data was affected. If it was, the organization would go through the standard notification process.

With any institution, but especially those who are stewards of valuable data, cybersecurity can't be ignored or reduced to just checking the box. As the attacks continue to ramp up and become yet more common, breaches like this and much worse are going to continue.

Still(water) another medical facility breached

As of late, I have been tracking more closely the published breaches and their respective industries. The one industry that appears to be in the lead for breaches now is medical facilities. Generally being in the lead is a good thing, but not in this instance. One of the latest incidents involved the Stillwater Medical Center. On June 13, 2021, they detected unusual behavior and an incident. This was not a script kiddie testing out newly purchased software; it affected a few systems. Naturally, as the hospital was attacked, the incident response team immediately took action and began securing the issue. After the attack was controlled, they began in earnest on the forensic review with the help of a firm specializing in forensic work. Law enforcement was also notified. As this was an active attack, certain systems were placed offline until the immediate issue was resolved.

This reinforces the complete need for cybersecurity, adequate FTE, and budget. While an organization will not be able to defend against every single type of attack now or in the future, adequate defense in depth is the best course of action.

Carmaker's vulnerabilities aren't just with embedded systems

Few companies have full vertical integration of their supply chain, meaning most companies require inputs from outside the company for their products or services. Vehicle OEMs require modules or parts from other manufacturers. The supply chain for this may be rather extensive, depending on the unit or vehicle, and includes both hardware and software.

With all these other companies involved in the vehicle business, there is bound to be the occasional issue. With so many third parties involved, there will be a problem, or several, somewhere along the supply chain. This has happened before and will certainly happen again. In particular, VW and its subsidiary had the pleasure of addressing this recently.

Customer records, depending on the data, have varying levels of value to the company and to third parties with malicious intent. VW had over 3.3M customer records exposed. This incident is not directly their fault: a vendor happened to leave a cache of customer data open on the internet. We all know what happens when you leave data open and available on the internet. This was not left available for a week or two for anyone to peruse. The data was left open from August 2019 to May 2021, or nearly two years. To make it worse, the customer data covered not a quarter or a year but five years (2014-2019). That is a large amount of data to be viewed, and it is usable in many applications. This is not only a cybersecurity issue but also a data science one; it would be valuable to VW's competitors for a variety of uses.

The data itself was collected for VW's marketing and sales department. It included the customers' personal information (name, mailing address, email address, and phone number). Over 90K customers in the US and Canada also had loan eligibility information exposed, including driver's license numbers. Of this sample, a small number also had the customer's date of birth and social security number exposed.

VW informed law enforcement and regulators about the issue. They are also working with cybersecurity subject matter experts (SMEs). That is the situation being handled; however, the issue runs a bit deeper. The supply chain is a requirement in our society. Few businesses have full vertical integration, so there will be external vendors involved with your product. While the vendors are present and providing their service, the company still should complete its due diligence, not only at the beginning of the business relationship but periodically while transactions continue. Simply checking the box that the work had been examined in years past is not sufficient. Cybersecurity is a constantly changing industry requiring updated monitoring and adjustment.

Friday, June 25, 2021

Police Departments Continue to be Targeted

Police departments are interesting. In business operations, you have business data, customer data, and other points to secure. Police departments have their operational information, but these places also hold a treasure trove of data on the crimes in their area (i.e., evidence). This can cover the persons arrested, the crime, the crime scene, and associated data. In addition, the police provide a critical service for the area they serve.

Due to these factors, police departments have been and continue to be targeted. If simply breaking in isn't enough, encrypting or exfiltrating their data can be costly to the department. The Azusa police department recently felt the ransomware sting as the department fell victim to this.

On May 28, 2021, the department announced that it had been compromised by a ransomware attack. The attackers gained access to the data located in the department's systems. The department did not pay any ransom or fee. The details have not been provided. From the published information, the ransom was based on releasing information rather than encrypting the systems.

Unfortunately, the data accessed does appear to be PII. In this case, the attackers appear to have accessed social security numbers, driver's license numbers, California identification numbers, and information on financial accounts or health insurance. The police department recommended that the affected parties monitor their credit reports, account statements, and other information for any unusual or suspicious activity.

This is another example of the far-reaching effects of ransomware. Granted, the police department was not affected much; however, the affected persons' permanent and long-term information was. If the data is used for unauthorized purposes, correcting this can be difficult and time consuming, not to mention frustrating.

Thursday, June 24, 2021

Here we go again; another ransomware pwnage

I remember the days of film cameras, purchasing color film or, if you wanted to be artsy, using black & white film. There were several manufacturers to choose from. With time and technology, there has been a shift from the physical medium to digital. One firm still in the industry is FujiFilm, probably best known for its photography equipment. Curiously, the company also manufactures a range of medical products. As a large firm, it gathers ample data every day from customer interactions, business operations, and other aspects of the business cycle. This makes it a substantial target.

It appears that FujiFilm was targeted and successfully attacked. This was evidenced by the company shutting down a portion of its network and disconnecting it from any external contact. It appears this was due to a ransomware attack.

This continues to be an issue across many industries. With the ease of use of ransomware tools, and with encryption alone enough to accomplish a successful attack, this will likely continue and grow.

Now I have seen it all

There are several companies offering cybersecurity in operation, with yet more popping up. This will probably not slow down, with the need for cybersecurity personnel increasing daily. Seemingly, the nation noticed overnight with the pipeline attack that cybersecurity is actually important. These companies have various clients in their respective industries.

One of these, recently in the news for all the wrong reasons, is located in Atlanta. Vikas Singla, COO of Securolytics, was accused of attacking the Gwinnett Medical Center and indicted on June 8. The attack itself took place in 2018 and involved disrupting the hospital's phone service, obtaining information from a digitizing device, and disrupting network printing services.

Singla has pleaded not guilty to the 18 charges. There were 17 counts of intentional damage to a protected computer and one count of obtaining information from a protected computer. He was released on a $20k unsecured bond. He is to return to court on June 23, 2021.

The thought is this was done for financial gain. The reason for the attack has not been published, other than that it was for financial gain. While this is unknown, it does showcase the need to review for any insider threat. This is not something people want to act on, as we want to trust our employees; however, this and other instances show our need to review this periodically.

Tuesday, June 1, 2021

New Zealand Health Services Attacked

Hospitals provide a plethora of data. The attackers could target hospital and/or patient data, which is exceptionally marketable to many different entities. When the attackers couple this with ransomware, there are ample chances for severe attacks. This malicious tool has been used over the last few years in many different industries, and the medical industry has been hit exceptionally hard. This is partially due to the criticality of the data. The attackers know patient care is totally dependent on the EMR/EHR being readily accessible to the medical staff. This was truly a significant problem starting two years ago with the attacks in the UK.

The attackers have pivoted down under and attacked the New Zealand health service, specifically the Waikato District Health Board's (DHB) network. The Waikato hospital network was successfully breached. The attack, while on point, did not completely cripple the entire network. Of the 103 surgeries, 73 were still able to move ahead. Another hospital in the network did, however, have to reschedule its surgeries. In rural hospitals, all outpatient activity needed to be deferred. The staff were working to remediate the issue and get the systems back online.

In this case, it appears the attack vector was a simple email attachment. This is another example of an area for employee training. All it takes is the right employee in the right department at the wrong time clicking an attachment.

Ransomware around the world

Everyone needs insurance. This takes various forms: life, health, disability, and others. One firm in this industry is AXA S.A., a global firm with vast reach. A company of this size certainly has ample data to target. A portion of its network was attacked with ransomware.

On May 9, 2021, AXA S.A. announced a company policy of not paying the ransom in the event of a successful ransomware attack. At that point, the company may have drawn a bit more attention to itself than intended. Interestingly enough, the company was the victim of ransomware right after this. The target was one of its Asia Assistance divisions. In this case, the division's information technology services were adversely impacted for Thailand, Malaysia, Hong Kong, and the Philippines, and their data was accessed. Allegedly, the Avaddon ransomware group was responsible for the successful attack. During the attack, apparently 3TB of data were exfiltrated. This included ID cards, passport copies, customer claims, reserved agreements, denied reimbursements, payments to customers, contracts and reports, customer IDs, scanned bank account papers, and hospital and doctor reserved material (private investigations for fraud, and customer medical reports, including HIV, hepatitis, STD, and other illness reports).

Sometimes it is better to just remain in obscurity.

Free software by-products

We all like free software. We find what we want on the internet and download it. Generally, there isn't an issue; you can download Nmap, Kali Linux, and others with no problem. There is, however, always the anomaly or edge case where there is a problem. A recent issue occurred at a medical institute.

In this instance, a student was working at a biomolecular institute in Europe. The institute happened to allow personal computers on its network. You can guess what happened next. The facility, which was not named, allowed the student on the network with the student's personal computer. The student had downloaded free data visualization software. A little bit of malware piggybacked its way onto the personal computer and then into the network. The student's attempt to download the software was blocked by Windows Defender. Not taking the hint, the student disabled the service and then downloaded the software.

Fortunately, the institute had back-ups to use. These were not fully up to date, but viable. Recreating a week's worth of data is painful but workable. As a wrinkle, the institute also had to rebuild the entirety of the computer and server files before the data could be uploaded.

This attack is a lesson in allowing unknown or untested equipment on the network. Without NAC or other tools in place, anyone's personal computer, and all the issues associated with it, is also invited into the network. There are several tools available to assist with securing this portion of network control, along with policies to be implemented.

Your 15-minute quote can get you more than money off

We are all familiar with the GEICO gecko offering deals on auto and other insurance. If you have 15 minutes, you can save a few hundred dollars. GEICO is the second-largest auto insurer in the US and has a broad client base. With such a large company, there is ample data to target across its different systems.

Unfortunately, there was a successful attack earlier this year, targeting clients' driver's license numbers. The unauthorized parties had access from January 21 to March 1, 2021, or approximately six weeks. GEICO filed a data breach notice with the California attorney general. The affected clients were also notified by letter.

As much fun as it is for the customers, an examination of the root cause is important. The attack point was the online system exhibiting the vulnerability. Imagine how much data you could access in six weeks…

There are various uses for this seemingly basic information. One noted with the GEICO client notification letter was the potential to use this for false unemployment claims. There could be other uses as this is leveraged with other data.

While the attack point was the portal, GEICO has not published the exact vulnerability allowing this to occur.

In closing the vulnerability, GEICO has also implemented other security measures to mitigate any potential future issues. GEICO is also providing a one-year subscription to Identity Force to monitor for identity theft.

Sunday, May 16, 2021

Yes, embedded systems are important

Do you drive a car? Have you flown on an airplane in the last five years? Have you purchased any goods that were shipped to your location? If you answered yes to any of these, then embedded systems have played a role in your life.

Generally, you can separate the cybersecurity area of operations into enterprise and embedded systems. The enterprise is the system we learn so much about in school and for certifications: the efforts to secure servers, the data located on them, communication, etc. Embedded systems are a bit different. These are the modules in your vehicle controlling and monitoring steering, tire pressure, GPS, and other functions required for the machinery to operate.

While the functions are distinct, there is a complication. Each of these systems interacts with others. The data collected and the commands issued are used by the other systems. This is especially the case as transportation systems become more connected and autonomous systems are used more. This includes vehicles, airplanes, farm equipment, and other equipment being engineered to operate without human interaction and direction. These systems need to communicate quickly and clearly. Imagine a vehicle of your choice receiving incorrect or malicious information and data from a "trusted" source. With someone else in control, there could be immediate and serious consequences for anything in or near the equipment.

All is not lost, though. There are steps to assist with securing these systems. The first is to conduct a threat assessment for the device or module. This has to be done end-to-end and include all aspects: hardware, software, data, communications, and anything else involved with the equipment. The analysis itself is static for that point in time, so it should be part of the product's lifecycle. When there is a change or update, this needs to be addressed again, since the update may affect other parts of the system and create other issues.

The next step is to review the current advanced security designs and use these to the fullest extent possible. There are a number of these, including virtualization and hypervisors.

There are further steps to follow based on the individual environment. The important aspect to acknowledge is that embedded systems are very different and need to be tested and secured in a specific manner.

Friday, May 14, 2021

Military autonomous vehicles need security too!

Vehicles continue to be targeted by malicious attackers and cybersecurity researchers. There is a certain notoriety involved in successfully exploiting a vehicle and/or its modules; it is a quick track to your 15 minutes of fame. The modules focused on recently have been concentrated in the consumer market. This is a natural extension, as the consumer market is massive, with cars everywhere across the globe. One area not directly noted in abundance has been military vehicles. These certainly have the same or nearly the same embedded systems the consumer vehicles do. Granted, there may be more specialized equipment in certain vehicles; however, they are more alike than different. An addition to this is the autonomous factor. Vehicles, consumer and military, are moving towards this. There have been numerous articles emphasizing this, especially over the last three years.

Recently a team of six students from Texas A&M University has been working on this segment of the cybersecurity industry and was recognized as one of the top hackathon teams. The team developed the PHC (picryption, HIVE, clutch) Defense, designed to be used with military autonomous vehicles. What makes this more pertinent is the vehicles' mission and critical nature. With the work these are tasked with, a hack on one or more vehicles would prove disastrous. The developed defense is a nuance to defense in depth, combining software and mechanical means to secure the vehicle. Picryption is based on a more proactive measure, not merely noting and logging an issue but alerting the crew in the vehicle.

This is clearly a step in the right direction. These vehicles in particular have to have protection against these attacks.

Resource
https://today.tamu.edu/2021/05/11/aggies-develop-cybersecurity-solutions-for-autonomous-military-vehicles/

Tuesday, May 4, 2021

Interesting new Tesla Hack!

 This is from the “What will they think of next” file. Imagine you have just purchased your dream car-the Tesla Model X. You drive it home, with the windows down and the music on. Life is good. You park in the driveway and start to walk up to your house with a smile on your face. Just before you unlock the door, you look back at your new purchase. There’s an annoying drone nearby. Your new pride and joy starts acting odd, especially since you are not in the vehicle. The doors begin to open together, then one at a time. The trunk opens and closes rhythmically with the doors. 


As odd as this sounds, this is possible and has been done. Researchers presented this work at the CanSecWest conference (virtual) on April 29, 2021. The researchers used two vulnerabilities to attack the Tesla vehicle. Their new exploit was termed TBONE. 


Method

The Tesla uses ConnMan in their network. The researchers focused on this point for their attack. To design portions of the attack, the researchers used a ConnMan emulation tool, KunnaEmu. With this, they did not require access and use of Tesla at all times when testing. What makes this a bit different and interesting is the configuration. 


ConnMan is used to manage the vehicle's network connections. The attack itself chained a stack buffer overflow in ConnMan's processing of DNS requests (CVE-2021-26675) with a weakness in its DHCP stack (CVE-2021-26676).


For the attack hardware, the equipment is easy to source: all the attacker needs is a Wi-Fi dongle and a drone. Nothing too complicated. No user interaction is required, and the complete attack can be done in three minutes. Once done, the attacker can, among other things, inject malicious code.


Result 

Once exploited, the attacker can do most things a driver can, except start the vehicle. This includes unlocking the doors, unlocking the trunk, changing seat positions, changing steering modes, and changing acceleration modes. This allows full access to the vehicle's functions. This isn't a thought experiment; the researchers had a full recording of the attack, which they played during the presentation.


On a tangent, this could have been weaponized further. The compromised vehicle could have carried the malware and been used as an access point to infect other Teslas. This is a big deal since it could compromise any Tesla Model X that has not received the patch, even parked ones. What makes it worse is that ConnMan is used by other OEMs, who may not have patched this yet.


Responsible Disclosure 

The vulnerability and attack were not sprung on the interested parties a week prior to the conference. The researchers informed Intel, which created ConnMan. Tesla remediated the vulnerability with FOTA update 2020.44 in late October 2020.




Resources

https://www.forbes.com/sites/thomasbrewster/2021/04/29/watch-a-tesla-have-its-doors-hacked-open-by-a-drone/?sh=d6f4c271a2bd

https://flipboard.com/@HotCars2020/aerial-attack-cybersecurity-researchers-managed-to-hack-tesla-with-a-drone/a-li8iYV-aTQC9yfvTZ3ivig%3Aa%3A3466759924-982d88ebd6%2Fhotcars.com

https://securityaffairs.co/wordpress/117441/hacking/tesla-model-x-hacking.html?utm_source=rss&utm_medium=rss&utm_campaign=tesla-model-x-hacking

https://www.autoevolution.com/news/hackers-break-into-tesla-using-a-drone-flying-over-the-car-160447.html

https://www.deskvip.com/a-tesla-car-has-its-doors-hacked-open-by-a-drone

https://www.torquenews.com/1/tesla-hacked-drone-company-informed-and-fixed-loophole

https://www.hackread.com/tesla-cars-remotely-hacked-with-drone/

https://dronedj.com/2021/04/30/german-pilots-film-their-drone-hack-of-a-tesla/

https://www.hotcars.com/aerial-attack-cybersecurity-researchers-managed-to-hack-tesla-with-a-drone/

https://kunnamon.io/tbone/


Sunday, January 3, 2021

Hospitals under attack!

One industry that continues to be attacked, and with growing numbers successfully, is hospitals and the medical field. Their data remains valuable, both for immediate use and to be disseminated and sold several times across the dark web. A method commonly used in these attacks is ransomware. The attackers encrypt files, folders, and entire systems and demand a fee, or in addition exfiltrate the data and demand a fee for not publishing it in public forums. Sky Lakes Medical Center, located in Klamath Falls, Oregon, recently had the opportunity to deal with this issue after a successful attack against it.

Data Security Incident

As with any breach, operations get pretty exciting after one is detected. After all, an unauthorized party has been in your system doing who knows what for an indeterminate amount of time. This is especially the case with a healthcare facility, due also to a few federal statutes focused on ensuring patients' data remains private and confidential. In this case, several computer systems were encrypted as part of the attack. The issue was discovered on 10/27/2020. As an initial step, the organization contracted with a cybersecurity firm to investigate the breach.

Data

There was a limited amount of data involved in the breach. The attackers were able to access a limited number of older medical images. Due to the age of these, the effect may be moot. It is fortunate the attackers were not able to access the other areas holding much more current patient data.

Post-Breach

The systems were brought back online to continue the facility's operations. Fortunately, there was also no evidence any of the accessed data had been misused. To improve its security stance, the organization has taken additional safeguards and added technical security features. At this point, the information published is lacking. For example, the breached systems were not named, nor was it stated whether the hospital restored from recent back-ups or paid the ransom, or whether the attack began with a phishing email. Regardless of the method, this still shows the importance of employee training and checking your back-ups regularly.

Resources

Hottman, T. (2020, December 24). Sky Lakes Medical Center identifies and addresses data security incident. Retrieved from https://www.skylakes.org/news/releases/sky-lakes-medical-center-identifies-and-addresses-data-security-incident/

Klamath Falls News. (2020, December 24). Sky Lakes Medical Center identifies and addresses data security incident. Retrieved from https://www.kalmathfallsnews.org/news/sky-lakes-medical-center-identifies-and-addresses-data-security-incident

PLEASE contact us when we may be of assistance with embedded systems cybersecurity architecture, validation, and penetration testing. We have a full lab ready to perform.

Charles Parker, II; Principal Scientist; MBA/MSA/JD/LLM/PhD/DCS (IP)

charlesparkerii@gmail.com

810-701-5511

Phishing continues to evolve

Phishing has been one of the more profitable ventures for attackers. This is especially true when phishing is coupled with other attacks, such as ransomware. Since phishing is so useful and potentially a revenue-producing activity, it is no wonder a new method has been devised to further its reach. One well-used method to lure the unsuspecting victim has been the landing page which looks perfectly legitimate, however, is full of malware and/or malicious links. This spoofing may also include a login page, to gather further data. With the latest tools in place, these malicious websites are easier to find and get shut down.

As this has become known, the attackers have thought through a nuance to the age-old attack: creating one landing page for the AV and an alternative, malicious version for the unsuspecting user. The AV version has the appropriate background image. The primary difference is that the colors are inverted. This works because the AV is coded to focus on the landing page's shapes, not its colors. The second step involves the user. The user sees the odd coloration and moves on to the alternative version of the landing page. The other landing page has the correct colors, with a little something added for the attacker's benefit.

This attack continues to show the need for user vigilance. If something looks odd, don't keep clicking. If you click something once that doesn't look right, don't click the same thing three times. There probably is a problem. Advise your users not to click on provided links, but to type them in.
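As an added illustration (not code from this post or from any scanner vendor), here is a toy version of the blind spot described above: a shape-only check of a landing page's image cannot tell the page from its color-inverted decoy, while adding a simple color comparison flags the decoy. The 4x4 images, the function names and the thresholds are constructed assumptions.

```python
# Added example: shape-only page screening vs. shape-plus-color screening.
# The "images" are tiny constructed RGB grids standing in for a real
# landing-page background; they are not from any real site.

WHITE, BLUE = (255, 255, 255), (0, 51, 153)
# Constructed brand image: a dark blue block on a white background.
ORIGINAL = [
    [WHITE, WHITE, WHITE, WHITE],
    [WHITE, BLUE,  BLUE,  WHITE],
    [WHITE, BLUE,  BLUE,  WHITE],
    [WHITE, WHITE, WHITE, WHITE],
]

def invert(img):
    """Color-inverted copy of an image (the version shown to the scanner)."""
    return [[tuple(255 - c for c in px) for px in row] for row in img]

def _gray(px):
    return (px[0] + px[1] + px[2]) // 3

def shape_signature(img, threshold=32):
    """Edge map: 1 where a pixel contrasts with its right or lower neighbor.
    Only the magnitude of contrast matters, so an image and its inverse
    produce the same signature: exactly the gap the decoy relies on."""
    h, w = len(img), len(img[0])
    edges = []
    for y in range(h):
        for x in range(w):
            g = _gray(img[y][x])
            right = abs(g - _gray(img[y][x + 1])) if x + 1 < w else 0
            down = abs(g - _gray(img[y + 1][x])) if y + 1 < h else 0
            edges.append(1 if max(right, down) > threshold else 0)
    return tuple(edges)

def color_signature(img):
    """Mean RGB over the image; inversion mirrors it around 127.5."""
    n = sum(len(row) for row in img)
    return tuple(sum(px[i] for row in img for px in row) // n for i in range(3))

def classify(candidate, reference, max_color_delta=64):
    """Compare a fetched page image with the brand's known-good image.
    Returns 'match', 'inverted-decoy' or 'different'."""
    if shape_signature(candidate) != shape_signature(reference):
        return "different"
    pairs = zip(color_signature(candidate), color_signature(reference))
    delta = max(abs(a - b) for a, b in pairs)
    return "match" if delta <= max_color_delta else "inverted-decoy"

if __name__ == "__main__":
    print(classify(ORIGINAL, ORIGINAL))          # match
    print(classify(invert(ORIGINAL), ORIGINAL))  # inverted-decoy
```

The shape check alone returns the same signature for both versions; only the color comparison separates the decoy from the legitimate page.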
