[Security Weekly] University of Utah Pays $457,000 Ransom to Prevent Leak of Student Data

4th Week of August 2020


1. University of Utah pays $457,000 ransom to prevent leak of student data

The University of Utah (U of U) released a statement on its website on August 21 disclosing that it had paid $457,000 to a ransomware operator.

According to the statement, the IT network of U of U's College of Social and Behavioral Science was hit by ransomware on July 19. The university's Information Security Office (ISO) contained the deployment, so only 0.02% of the data stored on the affected servers was encrypted, and that portion was restored from backups.

However, as in a typical double-extortion attack, the attackers had exfiltrated a copy of the data before attempting to encrypt it. So although the encryption largely failed, they threatened to publish the stolen data, which contained confidential student information.

After careful consideration, the university decided to pay the demanded ransom to prevent the leak of student information.

Security researchers suspect the attackers are the NetWalker ransomware group, which has recently hit a number of American universities, including UCSF, Michigan State, and Columbia College Chicago.

Many have warned that paying ransomware operators to prevent a data leak is a bad idea, because there is no way to verify that the attackers have deleted their copy as promised. They can still quietly sell the data or use it for credential stuffing, phishing, and identity theft, none of which is easy to trace back to the original breach.

Encrypting sensitive data at rest limits the damage of double extortion: data exfiltrated as ciphertext is worthless without the keys, so the attackers have nothing to leak. This only holds if the keys are stored separately from the data and the attackers do not gain access at the application layer, where the data is decrypted for legitimate use. MyDiamo is an encryption solution made for open source databases such as MySQL and PostgreSQL, supporting partial encryption and column-level encryption. It is a freemium solution that is free for individuals and non-profit organizations.

Sources: ZDNet, Threatpost


2. New Zealand Exchange suffers DDoS attacks two days in a row, trading halted

NZX, New Zealand's stock exchange, based in the capital Wellington, was hit by DDoS attacks from offshore sources on two consecutive days.

According to NZX, the first attack began on the afternoon of August 25, when high-volume DDoS traffic from offshore IP addresses was detected entering through its network service provider. This quickly took down NZX's websites and its Markets Announcement Platform, and NZX called a trading halt at 3:57 p.m.

On the morning of August 26, just as NZX announced that the attack had been mitigated, another attack forced the exchange to shut down again at 11:24 a.m., halting NZX's Main Board, the NZX Debt Market, and the Fonterra Shareholders' Market. NZX later explained that the attack had caused a series of network security issues, and that trading would resume at 3 p.m.

These attacks resemble a series of foreign-based DDoS attacks that hit a wide range of government bodies and businesses in Australia back in July. Many speculate that the same group of state-backed threat actors could be behind both campaigns.

NZX is central to New Zealand’s economy. This incident has raised serious concerns about New Zealand’s readiness to combat the latest cyber threats.

Sources: The Guardian, Infosecurity


3. Stock photo website Freepik discloses data breach affecting 8.3 million users

Freepik, the company that operates both freepik.com, one of the largest stock photo websites, and flaticon.com, a stock icon website, disclosed on August 21 a data breach affecting 8.3 million registered users across the two sites.

Before disclosing the incident publicly, Freepik had already contacted law enforcement and had been sending breach notification emails to affected users for over a week.

According to the disclosure, the attackers exploited an SQL injection vulnerability in one of Freepik's websites to gain access to the data on its servers. SQL injection arises when untrusted input is spliced into the text of a database query, letting the attacker rewrite the query and read tables the page was never meant to expose.

The breach affected the 8.3 million oldest registered accounts. For the 4.5 million users who signed in through federated logins from Google, Facebook, or Twitter, the exposed data was their email address; for the 3.8 million users with a native Freepik account, usernames and hashed passwords were exposed as well.

Of the 3.8 million leaked password hashes, 3.55 million were bcrypt and about 229,000 were MD5. bcrypt is a slow, salted hash designed for password storage; MD5 is a fast general-purpose hash that offers little resistance to offline cracking once the hashes leak. Freepik forced a password reset for every user whose password was hashed with MD5, and recommended that the remaining users reset theirs if they were easy to guess, since bcrypt slows guessing down but does not protect a weak password.
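The triage described above, as an added example that is not Freepik's code or data: classify each leaked hash by format, run a dictionary attack against the MD5 ones to show how quickly they fall, and decide who gets a forced reset. The credential dump and wordlist are constructed; the MD5 values are real digests of the wordlist entries, while the bcrypt-shaped strings are placeholders with a valid prefix and length only (verifying real bcrypt hashes would need the `bcrypt` package, which this example does not use).

```python
import hashlib
import re

# Constructed sample of a leaked credential table; none of this is Freepik's data.
SAMPLE_DUMP = [
    ("alice", "$2b$12$" + "a" * 53),                  # bcrypt-shaped placeholder
    ("bob",   "5f4dcc3b5aa765d61d8327deb882cf99"),   # md5("password")
    ("carol", "e10adc3949ba59abbe56e057f20f883e"),   # md5("123456")
    ("dave",  "0123456789abcdef0123456789abcdef"),   # MD5-shaped, not in the wordlist
    ("erin",  "5f4dcc3b5aa765d61d8327deb882cf99"),   # same password as bob
    ("frank", "$2y$10$" + "b" * 53),                  # bcrypt-shaped placeholder
]
WORDLIST = ["password", "123456", "qwerty", "letmein"]  # constructed, deliberately tiny

# Modular-crypt bcrypt: $2a/b/x/y$, two-digit cost, 22 chars salt + 31 chars hash.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def classify_hash(h):
    """Identify the storage format from the hash string alone."""
    if BCRYPT_RE.match(h):
        return "bcrypt"
    if MD5_RE.match(h):
        return "md5"
    return "unknown"


def build_md5_lookup(wordlist):
    """Hash every candidate once. Because MD5 here is unsalted, a single table
    cracks every user in the dump; with bcrypt each user has a distinct salt."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def triage(dump, wordlist):
    """Per-user report: format, cracked plaintext (MD5 only), users sharing the
    same hash, and the reset action an operator should take."""
    lookup = build_md5_lookup(wordlist)
    by_hash = {}  # identical unsalted hashes mean identical passwords
    for user, h in dump:
        by_hash.setdefault(h, []).append(user)
    report = {}
    for user, h in dump:
        fmt = classify_hash(h)
        cracked = lookup.get(h.lower()) if fmt == "md5" else None
        report[user] = {
            "format": fmt,
            "cracked": cracked,
            "shares_hash_with": [u for u in by_hash[h] if u != user],
            # Anything not stored with a slow, salted hash is treated as exposed.
            "action": "recommend_reset" if fmt == "bcrypt" else "force_reset",
        }
    return report


def summarize(report):
    """Counts an incident responder would put in the breach notification."""
    rows = report.values()
    return {
        "total": len(report),
        "md5": sum(1 for r in rows if r["format"] == "md5"),
        "md5_cracked": sum(1 for r in rows if r["cracked"]),
        "force_reset": sum(1 for r in rows if r["action"] == "force_reset"),
    }


if __name__ == "__main__":
    rep = triage(SAMPLE_DUMP, WORDLIST)
    for user, r in rep.items():
        print(user, r)
    print(summarize(rep))
```

With a four-word wordlist three of the four MD5 users are recovered instantly, and erin's entry is exposed by bob's without any cracking, because unsalted MD5 gives the same digest for the same password. That is the reason a forced reset is the only defensible response for the MD5 population, whereas the bcrypt population can be handled with a recommendation.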

The primary defense against SQL injection is parameterized queries, so that user input is never interpolated into SQL text. A web application firewall such as WAPPLES adds a second layer that blocks injection payloads before they reach the application, which matters when legacy code cannot be fixed quickly.
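The injection described above and the parameterized fix, as an added example that is not Freepik's code: a stock-photo search endpoint written the vulnerable way (string-concatenated SQL) beside the same endpoint written with bound parameters, run against a constructed in-memory SQLite database. The table names, rows, and attacker payloads are all assumptions for illustration; the MD5 value is md5("password") and the bcrypt-shaped value is a placeholder.

```python
import sqlite3

# Constructed sample data; not Freepik's schema or data.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "$2b$12$" + "a" * 53),
    ("bob", "bob@example.com", "5f4dcc3b5aa765d61d8327deb882cf99"),
]
SAMPLE_PHOTOS = [
    ("Sunset over Wellington", 1),
    ("Internal draft", 0),       # public = 0: should never be visible via search
    ("Mountain lake", 1),
]


def build_db():
    """In-memory SQLite database standing in for a stock-photo site's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    conn.execute(
        "CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)"
    )
    conn.executemany("INSERT INTO photos (title, public) VALUES (?, ?)", SAMPLE_PHOTOS)
    return conn


def search_public_photos_vulnerable(conn, term):
    """The injectable version: the user's term becomes part of the SQL text."""
    sql = f"SELECT title FROM photos WHERE public = 1 AND title LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_public_photos_safe(conn, term):
    """Parameterized version: the term is bound as data and can only ever be a
    LIKE pattern, never additional SQL."""
    sql = "SELECT title FROM photos WHERE public = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


# Payloads an attacker would submit as the search term.
# 1. Close the string literal, UNION in a read of another table, comment out the
#    rest of the original query. This is how hashed passwords leave the database.
DUMP_USERS_PAYLOAD = "%' UNION SELECT username || ':' || password_hash FROM users--"
# 2. Close the literal and make the WHERE clause always true, exposing private rows.
BYPASS_FILTER_PAYLOAD = "%' OR 1=1--"


def demo():
    """Run a benign search and both payloads through each implementation."""
    conn = build_db()
    return {
        "normal_vuln": search_public_photos_vulnerable(conn, "lake"),
        "normal_safe": search_public_photos_safe(conn, "lake"),
        "dump_vuln": search_public_photos_vulnerable(conn, DUMP_USERS_PAYLOAD),
        "dump_safe": search_public_photos_safe(conn, DUMP_USERS_PAYLOAD),
        "bypass_vuln": search_public_photos_vulnerable(conn, BYPASS_FILTER_PAYLOAD),
        "bypass_safe": search_public_photos_safe(conn, BYPASS_FILTER_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Both implementations return the same rows for an ordinary search. Against the vulnerable one, the first payload turns a photo search into a dump of `users`, and the second reveals the non-public draft; the parameterized version returns nothing for either, because the whole payload is matched literally as a title pattern. A WAF would try to recognise these payload shapes in the request; the parameterized query removes the class of bug.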

Sources: ZDNet, Bleeping Computer


4. North Korean hacker group Lazarus targets cryptocurrency firm via LinkedIn

Lazarus, an advanced persistent threat (APT) group linked to North Korea, targeted an employee of a cryptocurrency firm on LinkedIn with a fake job offer, in what is suspected to be an attempt to steal cryptocurrency.

According to researchers at cybersecurity firm F-Secure, who investigated the incident, the attack is part of a global campaign that has targeted firms in over a dozen countries.

Posing as a legitimate-looking blockchain technology firm, the attackers sent a LinkedIn message to the system administrator of an undisclosed cryptocurrency firm. The message contained a job offer for a position matching the employee's skills.

When the attached Microsoft Word document was opened, a message claimed that the document was protected under the General Data Protection Regulation (GDPR) and that the user needed to enable macros in Word to view the content. Office documents have no such GDPR protection mechanism; the notice is a social-engineering lure. Once macros were enabled, the malicious code embedded in the macro ran and infected the victim's computer.

F-Secure did not specify the damage and aftermath of the attack.

Active since 2009, Lazarus is also tracked as Hidden Cobra, the US government's designation for the group; APT38 is the name FireEye uses for its financially motivated unit. Under continuing economic sanctions on North Korea, the group has turned to cryptocurrency theft in recent years.

Extra caution should be taken before opening any attachment received through a social media platform. A document that demands macros be enabled before it will display its content is a classic lure and should be treated as malicious. If the legitimacy of the sender cannot be verified, ask for more information before taking any action.
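One concrete check for the attachment scenario above, as an added example that is not F-Secure's tooling or anything from the original report: modern Office files (.docx, .docm, .xlsm and so on) are zip packages, and a document that carries VBA macros contains a `vbaProject.bin` member regardless of what its extension claims. The function below inspects the bytes before anyone opens the file. The sample packages are constructed in memory for the test; legacy binary `.doc` (OLE2) files are out of scope here and would need a separate parser.

```python
import io
import zipfile

# Members that hold VBA code inside an OOXML package (Word uses word/, Excel xl/, ...).
VBA_MEMBER_SUFFIXES = ("vbaProject.bin", "vbaData.xml")

ZIP_MAGIC = b"PK\x03\x04"


def office_file_has_macros(data: bytes) -> bool:
    """Return True if `data` is an OOXML (zip-based) Office document that
    contains a VBA project. Raises ValueError for anything that is not a
    zip package, including legacy OLE2 .doc files, rather than guessing."""
    if not data.startswith(ZIP_MAGIC):
        raise ValueError("not an OOXML (zip-based) Office document")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.endswith(VBA_MEMBER_SUFFIXES) for name in zf.namelist())


def make_sample_doc(with_macro: bool) -> bytes:
    """Build a minimal constructed package with the shape of a Word file.
    This is test scaffolding only; real documents carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin is an OLE2 stream; any bytes suffice for detection.
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Verdict string suitable for a mail or chat gateway: 'macro', 'clean' or
    'unsupported' (not a zip package, so this check cannot say)."""
    try:
        return "macro" if office_file_has_macros(data) else "clean"
    except ValueError:
        return "unsupported"


if __name__ == "__main__":
    print("job_offer.docx with VBA:", classify_attachment(make_sample_doc(True)))
    print("job_offer.docx without VBA:", classify_attachment(make_sample_doc(False)))
    print("random bytes:", classify_attachment(b"not a document"))
```

The point of checking the zip contents rather than the extension is that a `.docx` name gives no assurance: Word will happily open a renamed `.docm`, and the lure in this campaign relied on the user enabling macros after the document was already open.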

Sources: Computer Weekly, Threatpost


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: ISign+ 

Car, Energy, Factory, City Solutions: Penta IoT Security