Srsly Risky Biz: Tuesday, March 24

Tech firms asked to help COVID contact tracing, Healthcare hit with ransomware, Are we at 'peak cyber'?

Tech firms asked to help COVID contact tracing

Lawmakers have asked US tech companies to contribute data to help health authorities monitor quarantine compliance and trace recent contacts of people infected with coronavirus.

As authorities the world over rush to flatten the curve of coronavirus infections, even the most diehard privacy advocates are exhibiting a willingness to temporarily let civil liberties slide in the name of saving lives.

You might be surprised by which of our regular Risky.Biz contributors said as much when we hosted a livestream discussion on cell phone tracking earlier today - which featured Dmitri Alperovitch, Adam Boileau, Patrick Gray and Alex Stamos.

Healthcare hit with ransomware, despite promised truce

Two prominent ransomware actors promised not to target primary healthcare providers until the COVID-19 crisis is resolved.

The Maze and DoppelPaymer ransomware gangs told Lawrence Abrams at Bleeping Computer that they would assist hospitals directly if incidentally infected by their malware. DoppelPaymer’s disclaimer is that it will continue attacking pharmaceutical companies and the broader medical supply chain.

Abrams told Risky Biz that he’s also since heard from the Netwalker ransomware gang, who explicitly stated that all its victims have to pay - healthcare or not.

This week London-based insurer Beazley disclosed that it handled twice as many ransomware-related claims in 2019 than the year prior, and that 35% of the 700+ organizations claiming losses from ransomware attacks in 2019 were healthcare providers.

Hospitals in Croatia and the United States have both fallen victim in recent days, as have fintech firm Finestra and local governments in France.

InfoSec pros turn the tables on ransomware

The COVID-19 crisis is bringing out the best in the InfoSec community, with hundreds of hackers donating their time to projects that aid the healthcare sector.

This week Risky.Biz covered the story of 200 volunteer researchers that in their first week identified 50 hospitals with vulnerable VPN endpoints.

Meanwhile, we are starting to see ‘Coronavirus Fraud Coordinators’ appointed by US Attorneys across the United States, whose remit includes prosecuting ransomware gangs that use Coronavirus-related lures.

Are we at ‘peak cyber’?

There’s talk in VC-land about whether we’ve reached the peak of speculation on cyber security startups.

Some US$5 billion was invested in cyber security startups across 311 deals tracked by Pitchbook in 2019. While nobody would expect an epidemic-plagued 2020 to reach these heights, there is some evidence emerging that the market was already coming off its peak.

Early stage funding and aggregate deal sizes for cyber security startups in the US were already tapering off late in 2019, well before the market crashed.

Newly-unemployed targeted in mule schemes

Cybercrime gangs have long promised unsuspecting jobseekers attractive ‘work from home’ roles that actually serve to launder stolen funds.

As unemployment soars across the Western world, we can anticipate that these gangs will find it easier to hire new mules. Brian Krebs has a great story on a new muling operation that is advertising for new roles to ‘process transactions for a Coronavirus Relief Fund’.

Because we really need a Windows zero-day right now

Microsoft has warned clients of a zero-day vulnerability in Windows - specifically in Adobe Type Manager Library. The vulnerability is being exploited by malicious actors and Microsoft has listed a number of temporary workarounds until a patch is available.

FSB’s botnet schematic dumped online

A hacking group that calls itself ‘Digital Revolution’ has published 12 documents that it claims to have stolen from a subcontractor to Russian intelligence service FSB. The documents include a 2018 proposal to build the intel agency ‘Fronton’ - a Mirai-style botnet from compromised IoT devices. Two years later, there is little evidence that the project went ahead.

Three reasons to actually be cheerful this week:

  1. Singapore open sources contact tracing app: The state of Singapore will release a mobile app that identifies who has been within 2m of a coronavirus patient for longer than 30 minutes. Over 600,000 Singaporeans volunteered to download the app and submit data to health authorities.
  2. Chrome, Firefox remove FTP support: Mozilla has joined Google in removing support for the ageing File Transfer Protocol in their web browsers. On behalf of every blue team: good riddance!
  3. Watching out for your keystrokes: Google engineers have developed and released under open source some new heuristics for detecting USB keystroke injection.

Shorts

New IoT botnet: Meet ‘Mukashi’, a new botnet made up of compromised Zyxel NAS devices and routers. The vendor’s patch for the vulnerability - which doesn’t fix older Zyxel devices and the vulnerability - scores a perfect 10 for severity.

Trickbot adapted for espionage: TrickBot - typically used a banking trojan - has been modified for targeted attacks on telcos in what appears to be an espionage campaign.

WHO sent you that email? Attackers are setting up over 2000 malicious domains a day relating to COVID-19, with many mimicking the World Health Organization. Attackers didn’t need any in one recent phishing campaign, which abused an open redirect condition in the US Department of Health and Human Services website. Not a great look.