[Security Weekly] UK-Based COVID-19 Vaccine Testing Center Hit By Ransomware

4th Week of March 2020


1. UK-based COVID-19 vaccine testing center hit by Maze ransomware


Hammersmith Medicines Research, a medical research center in the United Kingdom, revealed last Sunday about suffering a ransomware attack.

The research center is one of the key facilities that has been preparing to help the testing of COVID-19 vaccines. According to its clinical director Malcolm Boyce, the attack took place on March 14, in the midst of a dangerous surge of COVID-19 cases in the UK. The attackers belonged to the Maze ransomware group, whose common tactic is to steal confidential data and threaten to publish them online for a ransom payment.

Ironically, the Maze ransomware group had announced earlier this month that they would not target healthcare and medical facilities during the coronavirus pandemic. They have clearly broken that promise The attackers exfiltrated patient records from the facility which included those who participated in testing trials during the past 20 years. A portion of the files was already published on the dark web. Ransom payments are demanded to stop further exposure. 

Fortunately, no service disruptions and system shutdown were experienced as the attack was spotted right away and stopped in time. Malcolm Boyce has stated that he would not pay any ransom to the criminals.

Sources: Forbes, Computer Weekly


2. Hack of Russian intelligence agency exposed cyberattack project targeting IoT devices


A Russian hacker group named Digital Revolution has reportedly hacked the Federal Security Service (FSB), Russia’s intelligence agency. The hackers released sensitive documents that contained information about an FSB project aimed at hacking the Internet of Things (IoT) devices.

The “Fronton” project, meaning “frontier” in English, has developed a state-sponsored cyberweapon that exploits security vulnerabilities of IoT devices on a massive scale. These devices, ranging from security cameras to smart speakers, are installed in millions of homes and offices. Their security measures are relatively weak compared to smartphones and computers. For example, one vulnerability is that they can be easily controlled if hackers obtain their factory-preset passwords.

According to the released documents, the project was initially drafted in 2017 and developed in 2018. Note that the intention of the project is not to attack the owners of the IoT devices, but to obtain control on millions of devices and create a huge IoT botnet in order to carry massive distributed denial-of-service (DDoS) attacks at foreign governments and companies. The project listed security cameras and digital recorders as its primary targets because their video-transmitting capabilities signal that they have a large enough data transmission channel that is sufficient to launch DDoS.

DDoS attacks are commonly used for political purposes. A large-scale DDoS attack can shut down data hosting servers for hours, paralyzing services provided through the internet. An attack on internet service providers can even lead to a massive internet outage.

Sources: Forbes, BBC Russia


3. Tupperware website injected with credit card payment skimmers


One of our most familiar kitchen container brands Tupperware has suffered from a web attack where hackers injected skimmers to its website to steal credit card payment information.

The incident was discovered by security researchers at Malwarebytes on March 20. According to their report, the website had been compromised for at least five days before the discovery. The hackers hid malicious code within the checkout button. Every time a user clicked on the button, the malicious code would activate a fake payment form that looked exactly like the legitimate form. All the names, credit card numbers, expiry dates, CVV2s, and addresses were collected and sent to the attackers.

The hackers were able to hide their activities during the whole time because every time after the user clicks the submit button on the fake form, a fake “session timeout” error box would pop out, which would then lead the user back to the legitimate form. Users would then enter their payment information again to complete the purchase just as usual.

Tupperware’s website receives over one million traffic per month. It is not yet clear how many users could have been affected. It is important for companies to react immediately to such issues, and when necessary, to temporarily shut down service until the issue is resolved. A data breach of customer information can lead to very expensive fines.

[A web application firewall would easily block web attacks like SQL injections and cross site scripting (XSS), preventing you from the above incident. Penta Security’s WAPPLES is one of the most advanced and user-friendly web application firewalls in the global market. Learn more about: WAPPLES.]

Sources: Computer Weekly


4. Data breach at Canon exposed sensitive information of General Electric employees


Earlier this week, General Electric (GE) filed a data breach notice with the Attorney General of California, revealing that the personal information of many current and former employees, as well as their beneficiaries, has been compromised.

GE did not directly suffer any attack. Instead, the breach originated from Canon Business Process Services, an IT service management company that offered data management services to GE. On February 28, Canon notified GE that one of its employee email accounts was hacked by an unknown attacker between February 3 and 14, and that the email contained GE’s employee information managed by Canon.

Both companies did not disclose how the attack happened, but the exposed data included names, addresses, social security numbers, driver’s license numbers, direct deposit forms, passport numbers, birth certificates, and marriage certificates. This affected not only the current employees, but also former employees, as well as their beneficiaries.

GE revealed that its IT system was not affected by the attack. Canon announced that they would be offering free identity protection and credit monitoring services for the affected people for two years.

Sources: TechRadar, SC Magazine


5. Chinese state-sponsored hacker group APT41 launches massive hacking campaign on IT solution providers


According to security researchers at FireEye, starting at the beginning of the year, Chinese hacker group APT41 has launched one of the largest hacking campaigns observed. The campaign targeted multiple IT solutions providers, exploiting both zero-day and patched vulnerabilities in Citrix Netscaler, Citrix Application Delivery Controller (ADC), Citrix Gateway, Cisco Routers, and Zoho ManageEngine Desktop Central.

APT41, widely believed to be sponsored by the Chinese government, normally targets foreign governments as well as businesses of key industries. Their main goal has been to steal intellectual property, as well as spying and surveillance on targeted networks.

The current campaign started in January 2020, when the group attempted to exploit a flaw in Citrix ADC and Citrix Gateway. Despite the flaw being publicized and patched back in December, many users who did not update remained vulnerable. Activities dropped during the lunar new year and completely stopped during the state quarantine period due to the COVID-19 outbreak in China. However, a surge in attack was observed again after February 24.

The campaign also exploited vulnerabilities of Cisco RV320 routers and  Zoho ManageEngine Desktop Central. Security experts advise all users of these devices to apply the patches immediately.

Sources: CSO Online, Infosecurity


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Web Application Firewall for Cloud: WAPPLES SA

Database Encryption: D’Amo

Authentication: ISign+ 

Smart Car Security: AutoCrypt