Make no mistake: We are at war. And the good guys are losing.
There is a strong and growing cybersecurity ecosystem in Arizona. We can and should be leaders in this critical field. This website is designed to be a one-stop resource for students, employees, employers, and educators in the AZ cybersecurity ecosystem.
if you couldn’t access the money in your bank account
if the power was out – for months
if you suddenly lost control of the steering wheel
These are all systems vulnerable to cyber attacks. And we need a new generation of creative, dedicated cybersecurity professionals to protect us.
Cybersecurity is the protection of IT systems (software, hardware, and network) and the availability, integrity, and confidentiality of their data.
2020 was a particularly bad year for healthcare industry ransomware attacks, with one of the worst suffered by the King of Prussia, PA-based Fortune 500 healthcare system, Universal Health Services (UHS).UHS, which operates 400 hospitals and behavioral health facilities in the United States and United Kingdom, suffered a cyberattack in September 2020 that wiped out all of its IT systems, affecting its hospitals and other healthcare facilities across the country.The phone system was taken out of action, and without access to computers and electronic health records, employees had to resort to pen and paper to record patient information. In the early hours after the attack occurred, the health system diverted ambulances to alternative facilities and some elective procedures were either postponed or diverted to competitors. Patients reported delays receiving test results while UHS recovered from the attack.UHS worked fast to restore its information technology infrastructure following the attack and worked around the clock to return to normal business operations; however, the recovery process took around 3 weeks. The disruption naturally had a major impact financially, with the UHS quarterly earnings report for Q4, 2020 showing $42.1 million in losses, which equated to 49 cents per diluted share. UHS ended the quarter with profits of $308.7 million, up 6.6% from Q4, 2019.Restoring its IT infrastructure resulted in significant increase in labor costs, both internally and externally. Cash flows were also affected as certain administrative functions such as coding and billing had to be delayed until December 2020.
UHS has reported total pre-tax losses of an estimated $67 million in 2020 due to the ransomware attack, mostly as a result of the loss of operating income, reduction in patient activity, and increased revenue reserves as a result of the billing delays. UHS believes it is entitled to recover the majority of the $67 million in insurance payouts.
Author:Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
The latest security incident shows how ransomware is increasingly threatening critical infrastructure and systems.
Our infrastructure is more vulnerable than we realized, Colonial Pipeline attack shows
On Friday, Colonial Pipeline Company discovered that it had been hit by a ransomware attack. Responsible for delivering gas, heating oil and other forms of petroleum to homes and organizations, the company accounts for 45% of the East Coast’s fuel. The attack forced Colonial Pipeline to shut down certain systems, temporarily stopping all pipeline operations.
In a statement released on Sunday, the company said that it hired a third-party cybersecurity firm to investigate the attack and contacted law enforcement as well as federal agencies, including the Department of Energy. Beyond dealing with the incident itself, Colonial Pipeline is under the gun to get its operations back online safely and securely.
“The Colonial Pipeline operations team is developing a system restart plan,” the company said. “While our mainlines (Lines 1, 2, 3 and 4) remain offline, some smaller lateral lines between terminals and delivery points are now operational. We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations.”
If the pipeline is down for just a couple of days, customers and consumers should be spared any economic or supply issues. But, an attack with longer-term repercussions could trigger higher gas prices and even shortages. More importantly, the incident shows the impact of critical infrastructure as a victim of a cyberattack.
“The economic impact wrought by this cyberattack will bring home to government and energy operators the vulnerabilities in critical infrastructure,” David Bicknell, principal analyst for thematic research at GlobalData, said in a statement. “This is not the first ransomware cyberattack on an oil and gas utility—and it won’t be the last. But it is the most serious. It is also potentially one of the most successful cyberattacks against US critical national infrastructure.”
James Shank, Ransomware Task Force (RTF) committee lead for worst case scenarios, said that this type of attack against critical infrastructure or services shows the rise of ransomware as a threat to national security, especially as we continue to grapple with COVID-19.
“Targeting pipelines and distribution channels like this attack on the Colonial Pipeline Co. makes sense–ransomware is about extortion and extortion is about pressure,” Shank told TechRepublic. “Impacting fuel distribution gets peoples’ attention right away and means there is increased pressure on the responding teams to remediate the impact. Doing so during a time when the pandemic response has created other distribution and supply chain problems, many of which will require timely and efficient distribution of goods, adds to the pressure.”
DETROIT (AP) — The world’s largest meat processing company has resumed most production after a weekend cyberattack, but experts say the vulnerabilities exposed by this attack and others are far from resolved.
In a statement late Wednesday, the FBI attributed the attack on Brazil-based meat processor JBS SA to REvil, a Russian-speaking gang that has made some of the largest ransomware demands on record in recent months. The FBI said it will work to bring the group to justice and it urged anyone who is the victim of a cyberattack to contact the bureau immediately.
REvil has not posted anything related to the hack on its dark web site. But that’s not unusual. Ransomware syndicates as a rule don’t post about attacks when they are in initial negotiations with victims — or if the victims have paid a ransom.
In October, a REvil representative who goes by the handle “UNKN” said in an interview published online that the agriculture sector would now be a main target for the syndicate. REvil also threatened to auction off sensitive stolen data from victims who refused to pay it.
The attack targeted servers supporting JBS’s operations in North America and Australia. Backup servers weren’t affected and the company said it was not aware of any customer, supplier or employee data being compromised.
JBS said late Wednesday said that it expects to resume production at all its plants on Thursday and be running at “close to full capacity” across its global operations.
It is not known if JBS paid a ransom. The company hasn’t discussed it in public statements, and did not respond to phone and email messages Wednesday seeking comment.
The FBI and the White House declined to comment on the ransom. White House Press Secretary Jen Psaki said Wednesday the U.S. is considering all options in dealing with the attack and that President Joe Biden intends to confront Russia’s leader, Vladimir Putin, about his nation’s harboring of ransomware criminals when the two meet in Europe in two weeks.
“I can assure you that we are raising this through the highest levels of the U.S. government,” she said. “The president certainly believes that President Putin has a role to play in stopping and preventing these attacks.”
While there is no evidence Russia benefits financially from ransomware crime — which has hit health care, education and state and local governments especially hard during the pandemic — U.S. officials say its practitioners have sometimes worked for Kremlin security services.
Ransomware expert Allan Liska of the cybersecurity firm Recorded Future said JBS was the largest food manufacturer yet to be hit by ransomware, in which criminal hackers paralyze entire networks by scrambling their data. But he said at least 40 food companies have been targeted by ransomware gangs over the last year, including brewer Molson Coors and E & J Gallo Winery.
Food companies, Liska said, are at “about the same level of security as manufacturing and shipping. Which is to say, not very.”
The attack was the second in a month on critical U.S. infrastructure. Earlier in May, hackers believed to operate with impunity in Russia and allied states shut down operation of the Colonial Pipeline, the largest U.S. fuel pipeline, for nearly a week. The closure sparked long lines and panic buying at gas stations across the Southeast. Colonial Pipeline confirmed it paid $4.4 million to the hackers, who then turned over a software decryption key.
Cybersecurity experts said the attacks targeting critical sectors of the U.S. economy are evidence that industry hasn’t been taking years of repeated warnings seriously.
Cybercriminals previously active in online ID theft and bank fraud moved into ransomware in the mid-2010s as programmers developed sophisticated programs that permitted the software’s more efficient dissemination.
The ransomware scourge reached epidemic dimensions last year. The firm CrowdStrike observed over 1,400 ransomware and data extortion incidents in 2020. Most targeted manufacturing, industrials, engineering and technology companies, said Adam Meyers, the company’s senior vice president of intelligence.
“The problem has been spiraling out of control,” said John Hultquist, who heads intelligence analysis at FireEye. “We’re already deep into a vicious cycle.”
Hultquist said ransomware syndicates are going after more critical and visible targets because they’ve invested heavily in identifying “whales” – companies they think will yield big ransoms.
JBS is the second-largest producer of beef, pork and chicken in the U.S. If it were to shut down for even one day, the U.S. would lose almost a quarter of its beef-processing capacity, or the equivalent of 20,000 beef cows, according to Trey Malone, an assistant professor of agriculture at Michigan State University.
Mark Jordan, who follows the meat industry as the executive director of Leap Market Analytics, said the disruption to the food supply will likely be minimal in this case. Meat has around a 14-day window to move through the market, he said. If a plant is closed for a day or two, companies can usually make up for lost production with extra shifts.
“Several plants owned by a major meatpacker going offline for a couple of days is a major headache, but it is manageable assuming it doesn’t extend much beyond that,” he said.
Jordan said a closure that runs closer to a week would be more serious, especially for a company like JBS, which controls around one-fifth of the country’s beef, pork and chicken supply.
Critical U.S. infrastructure might be better hardened against ransomware attacks were it not for the 2012 defeat of legislation that would have set cybersecurity standards for critical industries.
The U.S. Chamber of Commerce and other business groups lobbied hard against the bill, condemning it as government interference in the free market. Even a watered-down version that would have made the standards voluntary was blocked by a Republican filibuster in the Senate.
Right now, the U.S. has no cybersecurity requirements for companies outside of the electric, nuclear and banking systems, said David White, president of the cyber risk management company Axio.
White said regulations would help, particularly for companies with inadequate or immature cybersecurity programs. Those rules should be sector-specific and should consider the national economic risks of outages, he said.
But he said regulations can also have an unintentional negative effect. Some companies might consider them the ceiling — not the starting point — for how they need to manage risk, he said.
“Bottom line: regulation can help, but it is not the panacea,”′ White said.
JBS plants in Australia resumed limited operations Wednesday in New South Wales and Victoria states, Agriculture Minister David Littleproud said. The company hoped to resume work in Queensland state on Thursday, he said.
JBS, which is a majority shareholder of Pilgrim’s Pride, didn’t say which of its 84 U.S. facilities were closed Monday and Tuesday because of the attack. It said JBS USA and Pilgrim’s were able to ship meat from nearly all facilities Tuesday. Several of the company’s pork, poultry and prepared foods plants were operational Tuesday and its Canada beef facility resumed production, it said.
The plant closures reflect the reality that modern meat processing is heavily automated, for both food- and worker-safety reasons. Computers collect data at multiple stages of the production process; orders, billing, shipping and other functions are all electronic.
Bajak reported from Boston. AP Writers Rod McGuirk in Canberra, Australia; Alan Suderman in Richmond, Virginia; and Nancy Benac, Eric Tucker and Alexandra Jaffe in Washington contributed to this report.
A massive REvil ransomware attack affects multiple managed service providers and over a thousand of their customers through a reported Kaseya supply-chain attack.
Starting this afternoon, the REvil ransomware gang, aka Sodinokibi, targeted MSPs with thousands of customers, through what appears to be a Kaseya VSA supply-chain attack.
At this time, there eight known large MSPs that have been hit as part of this supply-chain attack.
Kaseya VSA is a cloud-based MSP platform that allows providers to perform patch management and client monitoring for their customers.
Huntress Labs’ John Hammond has told BleepingComputer that all of the affected MSPs are using Kaseya VSA and that they have proof that their customers are being encrypted as well.
“We are tracking 20 MSPs where Kaseya VSA was used to encrypt over 1,000 business and are working in close collaboration with six of them,” Hammond shared in blog post about the attack.
Kaseya issued a security advisory on their help desk site, warning all VSA customers to immediately shut down their VSA server to prevent the attack’s spread while investigating.
“We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today.
We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us.
Its critical that you do this immediately, because one of the first things the attacker does is shutoff administrative access to the VSA.”
In a statement to BleepingComputer, Kaseya stated that they have shut down their SaaS servers and are working with other security firms to investigate the incident.
Most large-scale ransomware attacks are conducted late at night over the weekend when there is less staff to monitor the network.
As this attack happened midday on a Friday, the threat actors likely planned the time to coincide with the July 4th weekend in the USA, where it is common for staff to have a shorter workday before the holidays.
If you have first-hand information about this attack or information about affected companies, we would love to hear about it. You can confidentially contact us on Signal at +16469613731 or on Wire at @lawrenceabrams-bc.
“While we are actively coordinating with law enforcement on a criminal investigation, we are unable to disclose too many details,” Sievert said in a statement published earlier today.
“What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.”
Sievert added that, following an investigation supported by Mandiant security experts, the company closed the access points used by the hacker to breach T-Mobile’s network.
“We are confident that there is no ongoing risk to customer data from this breach,” the US mobile carrier’s CEO added.
“There is much work to do, and this will take time, and we remain committed to doing our best to ensure those who had information exposed feel informed, supported, and protected by T-Mobile.”
This is the sixth major data breach T-Mobile publicly acknowledged in the past four years:
When asked to confirm Binns’ claims, a T-Mobile spokesperson told BleepingComputer that the company has “nothing to say” outside of what was already publicly shared.
How to protect your data and your T-Mobile account
Any threat actors who got their hands on the information of T-Mobile customers stolen in this incident can use it in highly dangerous SIM swapping attacks that could allow them to take over victims’ online accounts and steal their identity.
All potentially affected customers should be on the lookout for suspicious emails or text messages pretending to come from T-Mobile and not click on any embedded links if they spot one to prevent having their credentials stolen.
T-Mobile encourages customers to take the following actions as soon as possible to protect their accounts:
Set up Scam Shield: Tap into our network’s advanced scam-blocking protection and turn on anti-scam features such as Scam Block and Caller ID.
Enable Account Takeover Protection: Use our free Account Takeover Protection service to help protect against an unauthorized user fraudulently porting out and stealing your phone number (postpaid only).
“FireEye has uncovered a widespread campaign, that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.”
“Consumer credit score company Equifax has revealed that hackers accessed up to 143 million customer account details earlier this year. The data breach happened on July 29 and the details taken include names, social security numbers, drivers licences, and credit card numbers of around 200,000 people.”
“On May 12 a strain of ransomware called WannaCry spread around the world, walloping hundreds of thousands of targets, including public utilities and large corporations. Notably, the ransomware temporarily crippled National Health Service hospitals and facilities in the United Kingdom, hobbling emergency rooms, delaying vital medical procedures, and creating chaos for many British patients.”
“A month or so after WannaCry, another wave of ransomware infections that partially leveraged Shadow Brokers Windows exploits hit targets worldwide. This malware, called Petya, NotPetya and a few other names, was more advanced than WannaCry in many ways, but still had some flaws, like an ineffective and inefficient payment system.”
“Though it infected networks in multiple countries—like the US pharmaceutical company Merck, Danish shipping company Maersk, and Russian oil giant Rosnoft—researchers suspect that the ransomware actually masked a targeted cyberattack against Ukraine. The ransomware hit Ukrainian infrastructure particularly hard, disrupting utilities like power companies, airports, public transit, and the central bank, just the latest in a series of cyber assaults against the country.”
“In February, the internet infrastructure company Cloudflare announced that a bug in its platform caused random leakage of potentially sensitive customer data. Cloudflare offers performance and security services to about six million customer websites (including heavy hitters like Fitbit and OKCupid), so though the leaks were infrequent and only involved small snippets of data, they drew from an enormous pool of information.”
“Google vulnerability researcher Tavis Ormandy discovered the problem on February 17, and Cloudflare patched the bug within hours, but the data leakage could have started as early as September 22, 2016. Leaked data was only deposited on a small subset of Cloudflare customer sites, and usually it wasn’t visible on the pages themselves. Search engines like Google and Bing that crawl the web, though, automatically cached the errant data—everything from gibberish to users’ Uber account passwords and even some of Cloudflare’s own internal cryptography keys—making it all easily accessible through search.”
“Voter data belonging to almost 200 million Americans has been found online. A conservative US data analytics firm contracted by the Republican National Committee, Deep Root Analytics, left the records available on an unsecured Amazon web server. The 1.1 terabytes of data included names, dates of birth, home addresses, phone numbers, voter registration details and ‘modelled’ ethnicities and religions, according to security firm UpGuard, which stumbled across the information.”
“Although the data wasn’t hacked, being left on an unsecured server meant that anyone who happened to come across it would be able to download and take the information. There’s no evidence to suggest this happened though. ‘That such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling,’ UpGuard said in a blog post.”
*Not an attack, but a security failure of epic proportion.
“After disclosing two distinct hacks late last year, one of which implicated a billion users, Yahoo has once again sent an email to users warning them of potentially compromised accounts. The scope is more limited than previously reported breaches, but the threat is both more specific and more devious. This time, it’s from state-sponsored hackers using forged cookies to dig into their information without needing their passwords.”
If you’re the kind of person who likes to take things apart and see what makes them tick…If you care about protecting the world as we know it…If you’re looking for a career that is meaningful, exciting, and rewarding, then cybersecurity might be for you.
Get involved with the AZ Cybersecurity Workforce Collaborative
If you’re concerned that the cybersecurity talent gap exposes vulnerabilities in your organization…If you believe that we need to find new ways to attract the talent that will be essential like never before…You have to be part of the solution.
If you believe that educators and training providers at all levels have a huge opportunity to make a real difference…If you’re open to finding new ways to align with the fast-moving needs of companies…You have to be part of the solution, too.
Provide your email address and we’ll keep you posted on upcoming events, cyber collaborative meetings, and other relevant information. We promise not to spam you and we’ll never share your email outside the collaborative.