Showing posts with label encryption. Show all posts

Wednesday, April 1, 2020

Here we go again: Intel processors with problems



We all know the importance of chips in IT and embedded systems. Without the processing power, we would have many boat anchors sitting around collecting dust. One manufacturer, Intel, is in the news once again.

New Warning Issued
Research is being done on different platforms across the world. There are labs actively seeking viable exploits on the equipment, from the chip to the system level. In this case, Positive Technologies researched this issue and found the flaw in the Intel processors. The processors released in the last five years have a security flaw in the silicon. Because the flaw is in the silicon, it can’t be fixed or patched with a firmware update, which is a problem.

Target
The issue is with the Converged Security and Management Engine (CSME). This is a subsystem in the CPU that takes care of the security tasks, securing the entirety of the firmware. It runs during processor operation, beginning when the power button is pressed.

Exploit
The vulnerability, when successfully exploited, would allow an unauthenticated user to potentially escalate privileges. This would lead to the attacker being able to extract the chipset key stored on the PCH microchip and gain access to the data encrypted with this key. This is clearly not the optimal situation. What makes this worse is that, if there were to be an attack, it would not be possible to detect it.

On a brighter note, all is not lost. The exploit is rather difficult to carry out. First, the attacker would need physical access to the processor and time to complete the attack. Second, the attack itself is far from easy. If one of the steps was not easy, having to complete them both only makes this exponentially more difficult to complete in the unauthorized environment. In certain limited instances, the attack could be performed with malware engineered to bypass the target’s OS-level protections. While this is a significant detriment, the potential attack removes the chain of trust for the platform.

Granted, this is still a possible attack, which is why attention is being paid to it and mitigations have been put in place, correcting most of the issues. This sounds like a perfectly workable plan; however, there are so many known and unknown vectors that this is still a tough job.

Mitigations
While this is relatively serious, Intel has put in place mitigations. These mitigations were supposed to have been done beginning in May 2019. Before the present mitigations are in place, the firmware and processor are still vulnerable when the system boots. The mitigations, while the intent is in the right place, may not be sufficient to fully mitigate the issue.

As noted, the issue with CSME cannot be fixed since the firmware errors are hard-coded in the Mask ROM. Instead of researching and trying options repeatedly which don’t work to fix the direct issue, Intel took this in a different direction and addressed the attack vectors, indirectly working to fix the problem. There are a number of attack vectors with this

References
Allan, D. (2020, March). Latest intel CPUs have ‘impossible to fix’ security flaw. Retrieved from https://www.techradar.com/news/latest-intel-cpus-have-impossible-to-fix-security-flaw
Dent, S. (2020, March 6). Researchers discover that intel chips have an unfixable flaw. Retrieved from https://www.engadget.com/2020-03-06-intel-chips-unpatchable-security-flaw.html
HalGameGuru. (2020, March 6). “Unfixable” security flaw found in intel CPUs. Retrieved from https://linustechtips.com/main/topic/1162393-unfixable-security-flaw-found-in-intel-cpus/
Help Net Security. (2020, March 12). Scientists expose another security flaw in intel processors. Retrieved from https://www.helpnetsecurity.com/2020/03/12/load-value-injection/
KW, T. (2020, March 22). Security experts have found another flaw in intel processors. Retrieved from https://klse.i3investor.com/blogs/future_tech/2020-03-22-story-h1485581927-Security_experts_have_found_another_flaw_in_Intel_processors.jsp
Lemos, R. (2020, March 6). Physical flaws: Intel’s root-of-trust issue mostly mitigated. Retrieved from https://www.darkreading.com/vulnerabilities---threats/physical-flaws-intels-root-of-trust-issue-mostly-mitigated/d/d-id/1337254
Positive Technologies. (2020, March 5). Positive technologies: Unfixable vulnerability in intel chipsets threatens users and content rightsholders. Retrieved from https://www.ptsecurity.com/ww-en/about/news/unfixable-vulnerability-in-intel-chipsets-threatens-users-and-content-rightsholders/
The Star. (2020, March 22). Security experts have found another flaw in intel processors. Retrieved from https://www.thestar.com.my/tech/tech-news/2020/03/22/security-experts-have-found-another-flaw-in-intel-processors
Warrant, T. (2020, March 6). A major new intel processor flaw could defeat encryption and DRM protections. Retrieved from https://www.theverge.com/2020/3/6/21167782/intel-processor-flaw-root-of-trust-csme-security-vulnerability

Friday, January 17, 2020

Yet another lesson for misconfiguring cybersecurity in servers



When a person donates blood, the donation center collects data from the donor. This is recorded and retained. This is done throughout the planet, and Singapore is likewise involved with this process. Early in 2019, blood donors’ data, located in a database, was breached. While this was broadcast across the globe within the first few weeks after, most people read the headline and the high-level summary, and may not have dug into the details.
Vulnerability
The attack used was not excessively complex. There was an unsecured database that was available. Given the circumstances, it was also likely not encrypted. The database was located on an internet-facing server. The server was clearly incorrectly configured and openly accessible, and its information was leaked on the internet for two months prior to this being reported. The data was exposed for nine weeks beginning January 4, 2019, as reported by the Health Sciences Authority (HSA). The HSA provided the data to the third-party organization, SecurSolutions Group, to update the database. This prominent issue was detected by a cybersecurity subject matter expert (SME).

The SME contacted Singapore’s Personal Data Protection Commission (PDPC) on March 13th. The HSA, once alerted to the issue, worked with SecurSolutions Group to disable access to the account. The HSA is working with the SME to delete the data. As a coincidence, the cybersecurity researcher was based outside of Singapore. One report stated it appeared there was no unauthorized access to the database during the subject period, while another stated the data was accessed by an unauthorized party and possibly exfiltrated.
Affected
There were 808,201 blood donors who were affected by this negligent act. This exceptionally large number represented the blood donors since 1986, or to put this in perspective, the blood donors over the last 30+ years. The data possibly/probably accessed and exfiltrated included the names, NRIC, gender, number of blood donations, dates of the last three blood donations, and may have included the blood type, height, and weight. The odd coincidence with this instance was that this was not the first time SSG (SecurSolutions Group Pte Ltd.) noted its servers had been accessed by other unknown IP addresses.
Lessons Learned
This issue brings up so many areas of concern.
a) The data on the internet-facing server. In general, they should have thought twice about this. While this occurs all the time across the globe, there are inherent issues, especially when the server is not configured correctly. As this was the case, the data was not secured. There was nothing present to prevent any unauthorized access, as this was openly accessible.
b) You need to know the scope. The third-party contractor posted the data on the server. This was done without HSA’s knowledge or approval. In a review of the contract, this was not allowed. As with any agreement, the parties need to read the contract to know the scope of the project, and what may and may not be done.
c) SCM. Supply chain management is still not fully addressed as a part of cybersecurity. When data is entrusted to a third party, they really should be vetted well before the contract’s execution. Without properly addressing cybersecurity in the supply chain, the business is allowing for a massive mountain of problems. SSG clearly breached its contractual agreement. This is especially notable since the service provider’s (SSG) servers had been accessed by unknown IP addresses since late 2018. This was also not the first occurrence of an attack. In 2017, the same server was attacked. With the same server being targeted, was the 2017 excursion used in the recon process, instead of a one-time attack? Overall, the business needs to ask or require a third party to assess its vendor’s security posture.
d) The database was not encrypted. Seemingly, if you are going to have this off-premises and accessible, you might want to have some form of encryption on the data. If this database contained data not attributable to the persons and was a generic aggregation, that’s one case. This had confidential data for persons directly attributable to them.
In closing…
This certainly was not the first error in judgment and most certainly won’t be the last time this happens in the industry. These instances keep occurring across the globe. Somehow we need to publish not only the error but also the remediation methods so others do not keep perpetuating the idiocracy. Please pass this along. After a configuration, the admin should check the configuration to make sure it is within the industry’s norms and guidelines. If it is not, the subject hardware should be reconfigured and retested. This isn’t quantum mechanics. Let’s stop the cycle of stupidity.

Resources
CNA. (2019, March 30). Blood donor data leak: HSA’s vendor says information that went online was accessed illegally and possibly extracted. Retrieved from https://www.channelnewsasia.com/news/singapore/personal-data-of-800-000-blood-donors-accessed-illegally-hsa-ssg-11395364
Choo, F. (2019, March 16). 800,000 blood donors’ data put online by HSA vendor. Retrieved from https://www.straitstimes.com/singapore/health/800000-blood-donors-data-pmt-online-by-hsa-vendor
Gatlan, S. (2019, March 15). Insecure database exposes 800,000 singapore blood donors. Retrieved from https://www.bleepingcomputer.com/news/security/insecure-database-exposes-800-000singapore-blood-donors/
Johnston, M. (2019, March 18). Personal data of 800,000 blood donors exposed in singapore. Retrieved from https://sg.channelasia.tech/artricle/6518921/personal-dta-800-000-blood-donors-exposed-singapore/
Paganini, P. (2019, March 16). Secur solutions group data leak exposes 800,000 singapore blood donors. Retrieved from https://securityaffairs.co/wordpress/82452/data-breach/secur-solutions-group-data-leak.html
Siew, A. (2019, March 19). More than 800,000 blood donors had personal data exposed, in latest leak in singapore. Retrieved from https://www.techgoondu.com/2019/03/19/more-than-800000-blood-donors-had-personal-data-exposed-in-latest-leak-in-singapore/





Tuesday, December 24, 2019

The kids are alright! But the network isn't!


K-12 schools are throughout our landscape in small towns and large cities. The number of students varies per region, requiring small buildings or one large enough for a medium-sized business. They may be located on short, two-lane roads or primary thoroughfares. When we drive by these, we know they are educational facilities teaching the next generation. While the primary focus is the same for these institutions, there is another commonality. These have some form, be it rudimentary or complex, of a network holding a mass amount of data, managing operations where needed and facilitating email communications. One issue with these networks has been cybersecurity. With constricting budgets, it has become tough to get everything done as planned.

Attack
One such school system is Wolcott Public Schools. The school system, located in Connecticut, was attacked successfully. The attackers naturally had a full array of tools available to use. They chose an all-too-familiar one, which has proven to be very effective. The system was compromised with ransomware. The use of ransomware has proven itself over the last two years to be an epidemic. The attack started in May 2019, at the end of the school year. The staff, in vain, attempted to manage this issue internally. Ransomware, with select tools, may be able to be removed by the target. This applies in very few cases, with the early variants, which may still be in use. This issue came to a tipping point and needed to be brought in front of the town officials when the staff were not able to correct the issue.

Effects
The successful attack had deep-rooted effects on the school. If this had affected one user’s station, it would have been a much different case. They were forced to lock down several servers. While these were locked down, they were not able to access or work with any of the data secured on these. Fortunately, a portion of the files was located in other locations as back-ups. While this sounds unpleasant, think through all of the learning activities that could not occur as the files were encrypted. On the bright side, no student data was compromised.

Remediation
This was a rather significant issue. Having data tied up and not usable is problematic for anyone. With the school district, there are timelines involved with reporting data to the state and possibly federal agencies. Post-detection, the school district did contact the FBI after the ransomware. The focus with this, naturally, was who was behind the ransomware attack.

As noted, the affected systems were shut down for all purposes. Once the school IT workgroup decided they were not going to be able to fix the issue, they consulted with the Wolcott Board of Education. The risks and benefits of paying the ransom were discussed and debated. The Board of Education approved the ransomware payment by a vote of 6 to 1. The hope was to secure the decrypt key. The amount noted for the payment was up to the amount the town charter would allow, or $9,999. This was the ceiling amount. An amount greater than this would require a bidding process, and an extended amount of time, which is something they did not have. Without the ransom being paid and the decrypt key being provided, a portion of the middle and high school files would not be usable in any form. In this incident, of the schools in the district, the high school, middle school, and central office only had a back-up server.

Comments & Concerns
Ransomware has become an epidemic. This has become a massive issue across many industries. Any business connected to the internet is susceptible to this. One fact not covered in the publications is the method of infiltration. This may have been an employee clicking on a link or file, inviting the malware in through the front door, and allowing it to scurry about in the network. Ransomware training is a necessity in this day. The employees need to know what to look for as a constant reminder. In the case of an individual oversight, which generally is a detriment to such a significant level, the employees need to know what to do.

Resources
Backus, L. (2019, August 30). FBI probes hacking of CT school’s computer. Retrieved from https://www.ctpost.com/local/article/FBI-probles-hacking-of-CT-school-s-scomputers-14401437.php
Data Breaches. (2019, August 30). Cyber attack affects Wolcott public schools. Retrieved from https://www.wfsb.com/news/cyber-attack-affects-colcott-public-schools/
WFSB. (2019, August 30). Cyber attack affects Wolcott public schools. Retrieved from https://www.wfsb.com/news/cyber-attack-affects-wolcott-public-schools/
Johnson, K. (2019, August 28). Ransomware attack targets Wolcott public schools. Retrieved from https://www.nbcconnectictu.com/news/local/Ransomware-attack-targets-wolcott-public-schools-558610611.html
Passmore, S. (2019, August 30). Board passes motion to allow Wolcott superintendent to pay ransom after cyber attack. Retrieved from https://www.weny.com/story/40985421/board-passes-motion-to-allow-wolcott-superintendent-to-pay-ransom-after-cyber-attack

Wednesday, July 31, 2019

Qakbot: Malware nuance causing headaches!


Malware is a valid, viable tool for attackers. There are the usual variants that have been coded over time. As these are introduced, their attack signatures become known and the defensive systems know to look for them. The attackers clearly are aware of this and code variants of this malware to evade detection. One such example is Qakbot.
Origins
Qakbot is not a new malware example. This has been around since 2007, making it an old veteran of the computer infection/malware game. While this has been in the environment for such an extended period, it is still a viable attack tool, especially with the nuance as of late.
Operations
This works by propagating through network shares. This was designed to disable not only a node, but also an entire network. It uses multiple components in its endeavors. The early variants used the “.qbot” string. This used a single layer of encryption when encrypting the machines.

As time passed, the later variants set the configuration files to hidden. To further obscure the files and folders, they also used random names. To further complicate the host’s workflow, the configuration file’s encryption was doubled.

With this iteration, to infect the client, the attacker may lure the victim to a malicious site, which would host the exploit kit. They also may simply email the special PDF to the victim. Once the victim is infected, the malware begins to detect whether the user is visiting a banking or finance related website. Specifically, this malware was coded to detect activity with JPMorgan Chase, Citibank, Citigroup, Huntington Bank, Bank of America, Wells Fargo, 5/3 Bank, Key Bank, PNC Bank, and others.

This was also configured to harvest credentials from Windows machines, Outlook, Windows Live Manager, RDP, and Gmail messenger. If this was not enough, the malware also looked for Internet Explorer’s password manager.
Long-Lasting Malware
In the cybersecurity field, not all malware has such a long, viable life in actually being useful in attacks. With this iteration, there are many components, with each of these functioning differently. A useful update is that when it detects being in a VM, the malware uninstalls itself. With this function, it would be substantially difficult for the researcher to reverse engineer the sample or monitor its acts, as it removes itself. The malware isn’t static, which makes it difficult to place a signature in the AV tools, as the malware is updated as needed from the C&C center. To make itself even more difficult to detect, the updates are designed to mutate its appearance. At one point in this cycle, 85% of the infected systems were in the US. The primary successful targets were the academic, government, and healthcare industries. This level of penetration was mostly due to its code allowing it to modify itself.

Resources
Cluley, G. (2016, April 16). Mutating qbot worm infects over 54,000 PCs at organizations worldwide. Retrieved from https://www.tripwire.com/state-of-security/featured/qbot-malware/

Dela Torre, J. (2011, September 1). Qakbot: A disaster waiting to happen. Retrieved from https://www.virusbulletin.com/virusbulletin/011/09/qakbot-disaster-waiting-happen

Millman, R. (2019, May 3). Qakbot malware avoids discovery by breaking itself in two. Retrieved from https://www.scmagazineuk.com/qakbot-malware-avoids-discovery-breaking-itself-two/article/153689

Trend Micro. (2011, January 12). QAKBOT: A prevalent infostealing malware. Retrieved from https://www.trendmicro.com/vinfo/us/threat-encyclepedia/web-attack/80/qakbot-a-prevalent-infostealing-malware

Thursday, July 25, 2019

Doctor's Management Services (DMS) - Pwned!


Doctor’s offices have a mission: to take care of their patients. This focus is on the patient’s mind also as the person is sitting in the doctor’s office waiting. One way to streamline operations and potentially improve cash flow is to outsource the billing function. There are many firms focused on efficiently billing for the doctor’s services. These businesses, due to their operations, hold much of the same data as the doctor’s offices. These businesses also derive income as they process the claims. These two factors make these businesses perfectly viable targets. One such business was Doctor’s Management Services (DMS). DMS is based in Massachusetts. The business’s primary mission is to provide medical billing and services to their clients, the doctor’s offices and hospitals.

Attack
The initial stages of the attack occurred on April 1, 2017. The attack vector was a remote desktop protocol attack through an endpoint. This was detected on Christmas Eve, 2018. When the files were encrypted and the staff was not able to access them, the management knew they had a rather significant problem. The business hired forensic professionals to investigate the incident. Through the investigation, the malware was determined to be GandCrab.

Unfortunately, this did not affect only one client. This affected 38 different practices. The patient’s PII could have been compromised as part of this compromise. This includes, much to the patient’s detriment, their name, address, date of birth, social security number, driver’s license number, Medicare/Medicaid information, and other medical information. This does not necessarily mean the patient’s PII had been accessed, however, I would be willing to presume it has. Otherwise, why would the attackers be seeking to breach their security? The business did report this to the HHS per HIPAA regulation. The business also notified the persons whose PII was affected.
Post-Encryption
As expected, the business was given a ransom amount. Once paid, the decrypt key would be provided. The business refused to pay. This is generally the optimal route, given the opportunity for more malicious acts. The business elected to use their back-ups and rebuild the files.
Mitigation
Clearly, there was a need for improvement in this situation. The business updated its network security and limited access to the system from IPs outside of their organization. There was also additional staff training, to assist in the attempt to remove, as much as possible, the potential for this to occur again. 
Questions
The attackers appear to have had unfettered access to the system from April 1 through December 24, 2018. This is an exceptionally long time for an unauthorized third party to have full access to the system and not be noticed by the SIEM and InfoSec personnel. The question in the mind of many is what did the business have in place that did not work at all?
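
The mitigation and the question above both come down to reviewing where RDP logons come from. As an added example (not from the original post or the incident reports), the script below flags successful RDP logons from outside the organization's address ranges and shows how long each source stayed active; the event export, its column names and the network ranges are constructed assumptions.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample (not data from the incident): a CSV export of Windows
# Security events. Event ID 4624 is a successful logon, 4625 a failed one;
# LogonType 10 is RemoteInteractive, i.e. an RDP session.
SAMPLE_EXPORT = """\
TimeCreated,EventID,LogonType,TargetUserName,IpAddress,Computer
2017-04-01T02:14:09,4624,10,billing01,203.0.113.57,TS01
2017-04-01T08:31:44,4624,10,jsmith,10.20.4.18,TS01
2017-04-03T09:02:10,4624,2,jsmith,-,WS07
2017-09-12T23:48:30,4624,10,billing01,203.0.113.57,TS01
2018-06-30T03:05:51,4624,10,administrator,198.51.100.23,TS01
2018-12-24T03:17:26,4624,10,billing01,203.0.113.57,TS01
2018-12-24T07:55:02,4625,10,billing01,203.0.113.57,TS01
"""

# Assumption: the organization's own address ranges (placeholder prefixes).
ORG_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/28")]


def parse_events(text):
    """Read the CSV export into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(text)))


def is_external(addr, networks=ORG_NETWORKS):
    """True if addr parses as an IP that lies outside every org network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # "-" or empty: the event recorded no network source
    return not any(ip in net for net in networks)


def external_rdp_logons(events, networks=ORG_NETWORKS):
    """Successful RDP logons (4624, LogonType 10) from outside the org."""
    return [
        ev for ev in events
        if ev["EventID"] == "4624"
        and ev["LogonType"] == "10"
        and is_external(ev["IpAddress"], networks)
    ]


def summarize_by_source(hits):
    """Per source IP: logon count, accounts used, first/last seen, span in days."""
    summary = {}
    for ev in hits:
        seen = datetime.fromisoformat(ev["TimeCreated"])
        entry = summary.setdefault(
            ev["IpAddress"],
            {"count": 0, "users": set(), "first": seen, "last": seen},
        )
        entry["count"] += 1
        entry["users"].add(ev["TargetUserName"])
        entry["first"] = min(entry["first"], seen)
        entry["last"] = max(entry["last"], seen)
    for entry in summary.values():
        entry["days_active"] = (entry["last"] - entry["first"]).days
    return summary


if __name__ == "__main__":
    hits = external_rdp_logons(parse_events(SAMPLE_EXPORT))
    for src, entry in sorted(summarize_by_source(hits).items()):
        print(f"{src}: {entry['count']} logons as {sorted(entry['users'])}, "
              f"{entry['first']:%Y-%m-%d} to {entry['last']:%Y-%m-%d} "
              f"({entry['days_active']} days)")
```

A source with a long `days_active` span on a billing or administrator account is the pattern a periodic review of this kind is meant to surface.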

Resources
Cyware. (2019, April 25). Doctor’s management service hit with gandcrab ransomware attack compromising patient data. Retrieved from https://cyware.com/news/doctors-management-service-hit-with-gandcrab-ransomware-attack-compromising-patient-data-b6eebd02

Davis, J. (2019, April 25). Medical billing service reports April 2017 ransomware attack. Retrieved from https://healthitsecurity.com/news/medical-billing-service-reports-april-2017-ransomware-attack

Dissent. (2019, April 24). MA: Medical billing services notifies patients of ransomware incident. Retrieved from https://www.databreaches.net/ma-medical-billing-service-notifies-patients-of-ransomware-incident/

Jones, K. (2019, July 19). Gandcrab in huge profit as SMBv1 exploit is dismissed. Retrieved from https://hackercombat.com/gandcrab-in-huge-profit-as-smbv1-exploit-is-dismissed/

Olenick, D. (2019, April 25). GandCrab ransomware strikes doctor’s management services. Retrieved from https://www.scmagazine.com/home/security-news/ransomware/gandcrb-ransomeware-strikes-doctors-management-services/

Sowells, J. (2019, April 28). Another healthcare firm falls victim to gandcrab ransomware. Retrieved from https://hackercombat.com/another-healthcare-firm-falls-victim-to-gandcrab-ransomware/

Truta, F. (2019, April 25). GandCrab ransomware claims another healthcare firm. Retrieved from https://securityboulevard.com/2019/04/gandcrab-ransomware-claims-another-healthcare-firm

Woods, A. (2019, April 29). GandCrab attack on doctor’s management service exposed patient data. Retrieved from https://www.2-spyware.com/gandcrab-attack-on-doctors-management-service-exposed-patient-data

Sunday, April 7, 2019

Woesnotgone Meadow; April 5, 2019


In the Meadow, we are online quite frequently. One headache the residents have dealt with has been with passwords. Some of our residents have found it difficult to remember all the passwords they have for the different sites. Most of the residents have begun using a password manager. Margie from the library recommended using a password manager. Generally, these work fine. This was not the case, however, with Blur.

Abine is the corporate entity behind Blur, a password manager, and DeleteMe, an online privacy protection service. Abine functions to encrypt the user’s passwords used with Blur. Blur’s service is to improve the user’s privacy with its secure password management service.

There was a rather significant compromise recently. This was not actually an attack, but more of a case of negligence. A reasonably prudent person would secure the cloud platform where the data was located. If the person was not exactly sure how to do this, they would then research this or hire a party to do this. After all, the company is the steward of the data and is responsible for it.

This did not exactly happen here. An Amazon S3 storage bucket contained the subject file. This was unfortunately misconfigured. On December 13, 2018, the business was notified by a security researcher there was an issue. The business had no idea. A server was accessible and exposed a file with sensitive client information. The business, post-notification, did examine this, as you would expect instead of just taking the word of a researcher, and found the assertion was correct. This was announced on their business blog.

Of all the potential companies to have an insecure file open and accessible, this was the one. This should not have been misconfigured and insecure, given what the company focused on.

In this specific instance, there were 2.4M Blur users affected. The affected users were the ones who registered prior to January 6, 2018. The user data was left exposed and accessible. This included the user’s email address, a portion of the user’s first and last name, the user’s password hints, the user’s last two IP addresses used to log in to the Blur app, and the user’s encrypted password. In this case, no DeleteMe user data was involved.

As noted, this was not exactly an attack. The data was openly exposed and accessible; however, there was no direct evidence the data was exfiltrated.

This was another example of a misconfigured AWS bucket. There may have been a time issue, or other factors involved. One of the managers should have actually reviewed this, and not just checked the box.
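
The reports do not say which setting was wrong, so as an added example (not Abine's configuration or tooling) the script below reviews an exported bucket configuration for the usual routes to public exposure: ACL grants to the public groups, policy statements for a wildcard principal, and disabled Block Public Access settings. The wrapper dictionary, bucket name and sample values are constructed assumptions; the field names inside follow the S3 ACL, policy and Block Public Access formats.

```python
import json

# Predefined S3 ACL grantee groups meaning "anyone" and "any AWS account".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four bucket-level Block Public Access settings.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)


def audit_bucket(config):
    """Return (kind, detail, subject) findings for one exported bucket config.

    config is a hypothetical wrapper holding the bucket's ACL grants, its
    policy as a JSON string, and its Block Public Access settings.
    """
    findings = []
    pab = config.get("PublicAccessBlock") or {}

    # ACL grants to the public groups apply unless IgnorePublicAcls is on.
    if not pab.get("IgnorePublicAcls"):
        for grant in config.get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI", "")
            if uri in PUBLIC_ACL_GROUPS:
                findings.append(("acl", grant["Permission"], uri.rsplit("/", 1)[-1]))

    # Allow statements for a wildcard principal apply to anonymous callers
    # unless RestrictPublicBuckets is on. Statements with a Condition may be
    # narrowed (for example by source IP), so they are marked for review.
    if not pab.get("RestrictPublicBuckets"):
        policy = json.loads(config.get("Policy") or "{}")
        for stmt in _as_list(policy.get("Statement", [])):
            if stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Principal")):
                kind = "policy-review" if stmt.get("Condition") else "policy"
                actions = ",".join(_as_list(stmt.get("Action", [])))
                findings.append((kind, actions, stmt.get("Sid", "(no Sid)")))

    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append(("block-public-access", "disabled", ",".join(missing)))
    return findings


# Constructed sample: a bucket readable by anyone through both its ACL and
# its policy, with Block Public Access never enabled.
EXPOSED = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                       "Action": "s3:GetObject",
                       "Resource": "arn:aws:s3:::example-backups/*"}],
    }),
    "PublicAccessBlock": {},
}

# The same bucket after all four Block Public Access settings are enabled.
# The stale grant and statement are still worth removing, but no longer apply.
HARDENED = dict(EXPOSED, PublicAccessBlock={k: True for k in PAB_KEYS})

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_bucket(cfg) or "no public exposure found")
```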

Resources
Abrams, L. (2019, January 2). Abine blur password manager user data exposed online. Retrieved from https://www.bleepingcomputer.com/news/security/abine-blur-password-manager-user-data-exposed-online/

Cimpanu, C. (2019, January 2). Data of 2.4 million blur password manager users left exposed online. Retrieved from https://www.zdnet.com/article/data-of-2-4-million-blur-password-manager-users-left-exposed-online/

Smith, A. (2019, January 2). Data on 2.4M Abine blur user’s ‘potentially exposed’. Retrieved from https://www.pcmag.com/news/365672/blur-users-personal-details-potentially-exposed


Waqas. (2019, January 3). Abine blur password manager exposed data of 2.4M users. Retrieved from https://www.hackread.com/abine-clur-password-manager-exposed-data-of-users/

Tuesday, March 26, 2019

Woesnotgone Meadow; March 26, 2019



All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, we have our school system. It isn’t huge; however, it is just the right size for the community. We have all the amenities of the larger schools and cater to the students. This can be a blessing and create an issue. Any school can be a target, as the Bridgeport schools in CT have found.

Public schools abound through the nation. These are located locally and, in certain instances, even within the neighborhoods their students live in. The schools provide a vital service to the residents and the children in the community. The subject school is the Bridgeport School District, located in Bridgeport, CT.

The attack was much like so many others experienced not only in the school districts but also across the different industries. The school district was targeted for a ransomware campaign. This was allegedly delivered via a phishing attack. This is presumed, as this is the general attack vector. This, however, was not directly stated.

Although no data was exfiltrated, the ransomware was successful. The general operation is for the PCs and/or servers (preferably servers) to be encrypted, and the decrypt key is supplied (hopefully) after the fee is paid, or if the back-ups are viable and current, use these. With this attack, a portion of the district’s data was indeed encrypted. The composition of the data was not detailed in the publications. The amount of the ransom was not listed either.

The school district’s superintendent stated no data was exfiltrated. The attackers were, however, able to access Power School, which was used to store the student’s data. A few of the teachers noted the data encrypted was primarily from their work efforts (e.g. lesson plans and teaching materials). The student’s work and student’s and teacher’s personal data were not affected by this issue.

Once the school district detected the issue, they worked through the weekend to fix this. The plan was to limit the damage to the data. Subsequently, all district employees were required to change their passwords. The employees were also directed not to bring their own equipment into the workplace. The school district was actively working with law enforcement.

This successful attack is an example of what to focus on with the users for the health and cybersecurity of the organization. With BYOD (bring your own device), the business or entity, when this is allowed, also allows any issues on the employee’s personal laptop or device into the network if it is attached. The business is at the whim of the person’s level of cybersecurity hygiene, or lack thereof. Also, there should be substantial training on email and phishing, including what to look for and suspicious requests.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
Lambeck, K.C. (2019, January 8). Bridgeport schools computer network falls victim to cyberattack. Retrieved from https://www.ctpost.com/local/article/Bridgeport-Schools-computer-network-hit-by-113515819.php

Lambeck, K.C. (2019, January 9). Connecticut school district hit with ransomware attack. Retrieved from http://www.govtech.com/security/Connecticut-School-District-Hit-with-Ransomware-Attack.html

Olenick, D. (2019, January 8). Bridgeport, Conn., schools hit with ransomware. Retrieved from https://www.scmagazine.com/home/security-news/bridgeport-conn-schools-hit-with-ransomware/