The Maze group, an anonymous cybercrime group who pledged not to target any medical organizations during the worldwide pandemic, broke their promise and carried out a ransomware attack against Hammersmith Medicines Research. Hammersmith Medicines Research is a British vaccine test center that is on standby to perform clinical trials on potential vaccines for the COVID-19 virus.
The attack took place on March 14th, which was just days before the Maze group announced on March 18th that they would not target any medical organizations during the pandemic. The clinical director of Hammersmith Medicines Research, Malcolm Boyce, stated that the attack was noticed in progress and was able to be stopped without causing any downtime. However, the Maze group was able to exfiltrate patient data which they are using to extort the vaccine test center.
Boyce expressed that his company would not be giving into the demands of the cybercriminals, and as a result, the Maze group leaked some of the patient data on the dark web on March 21st. The publishing of the data online completely violated their public statement that they would not continue to attack medical organizations during the pandemic.
“We have no intention of paying. I would rather go out of business than pay a ransom to these people,” Boyce said. If the Maze group follows their typical pattern, they will continue to release the stolen data on a staggered basis until the company pays the ransom or all of the data has been released.
On a more optimistic side, security companies such as Emsisoft and McAfee are providing free assistance to medical organizations being hit by cyber attacks. These companies are providing threat analysis, development of decryption tools, and even negotiating with cyber attackers.
With the growing concern surrounding the novel coronavirus it is not to surprising that some criminals may be ex-pointing peoples fear of infection. Recently Emotet attackers have been using their botnets to send out a phishing campaign centered around the virus. This attacker are sent under the guise of spreading prevention. In addition, they appear to be targeting Japan, The IBM X-Force researchers have discovered a number of emails that appear to look like they have been sent from the Japanese welfare distribution written in Japanese. Each email contains an infected Microsoft word document which when opened will run a obfuscated VBA macro script which installs a powershell which downloads the Emotet Trojan.
Recently the United States Cyber Security Agency warned of a recent spike in Emotet activity. Emotet is a Trojan malware that is a dropper for other malware, a scraper of information, and it will send spam emails from an infected pc in order to grow its botnet. In the past Emotet has been known to drop ransomware as well as trickbot. This is also not the first time this software has used recent events as a phishing campaign. In 2019 they sent out emails stating that they contained Edward Snowdens complete memoir. In addition, they used a phishing scheme around climate-change activism during the rise of Greta Thunburg.
It is not only Emotet using the coronavirus as a tactic to get people to click on their spam email. Malware protection company Kasper has reported up to 10 different flies using this tactic. As rates of infection and panic increase it is easy to assume more spamers will use this campaign tactic to acquire more downloads. It is also likely as threats increase around the virus the scope of the spammers will increase out of Japan and into other regions.
Joshua Schulte, a former member of the CIA, is going to trial this week. Schulte is accused of providing Wikileaks, the controversial whistle blowing website, with the infamous Vault 7 materials. These materials spelled out in great detail the tools and abilities that the Central Intelligence agency has at it’s disposal for conducting electronic surveillance and cyber espionage. The 24 part release has become “the single biggest leak in the history of the CIA,” according to Assistant US Attorney David Denton.
Of the 11 charges against Schulte, seven are connected to his alleged place in the leak. Of these seven, three stem from the CFAA: Unauthorized access to a computer to obtain classified information, Unauthorized access of a computer to obtain information from a department or agency of the United states, and Causing transmission of a harmful computer program, information, code, or command. As for the other four, Schultes has three espionage charges and one charge of theft of government property. The remaining allegations include breaking the terms of his bail agreement by accessing the internet, making false statements (twice), and smuggling cellphones into his Manhattan jail cell. Schulte was indicted on child pornography charges back in 2017, but these are part of a separate trial.
On all charges Schulte has pleaded not guilty, alleging that the CIA’s networks are so insecure that the investigators will be unable to prove if Schulte or another actor took the documents. His attorney claims that DEVLAN, the CIA’s network, has so many insecurities and so little oversight that there is no way to determine whether Schulte accessed those files or if it was another agency employee or government contractor that leaked the files.
The prosecution disagrees, and points to the alleged rocky relationship he had with the agency at the time. According to them, Schulte had been in a months long workplace feud with other devlopers, had been reported multiple times for racist behavior, and had stormed into meetings between managers and a contractor taken on to preform some of his duties.
Virtual Care Provider (VCP) Incorporated is a company for health care facilities to outsource their information technology needs while also maintaining HIPPA compliance. Services include cloud hosting, networking, client support, security, and more. However, over the last month VCP experienced a ransomware attack.
VCP services a number of clients, including 110 operators of acute care and nursing homes across the United States. This on its own doesn’t seem like a lot, but this translates to approximately 45 states running around 80,000 computers. The attack involved a strain of ransomware called Ryuk, a type that encrypts data to suspend access to its users. Many times, an exorbitant amount of money is demanded for the return of the encrypted files. In this case, a fourteen-million dollar ransom had been issued, which VCP reports they can’t afford.
VCP estimates that 20% of their servers have been affected by the attack. According to Brian Krebs from KrebsOnSecurity, who spoke with VCP CEO Karen Christianson, the attack has affected many of the services they provide, such as email, patient records, billing, payroll, and phone systems. One result of these effects was an inability to either view or modify patient records. Unfortunately, this also applied to acute care facilities, making medication distribution and basic patient care more difficult and time consuming as they can’t order electronically.
Reportedly, the attack began on November 17, 2019 and is still affecting client information and payroll processing for around 150 employees. At current, VCP is prioritizing the restoration of their Active Directory services, email, eMAR, and EHR applications. They also state that there isn’t currently a time estimate for when the services will be available again, it depends on the number of affected servers.
Adding to the growing list of standards bodies with which companies must comply to do business, the California Consumer Privacy Act (CCPA) will go into affect on January 1st 2020 (that’s less than a month away) and will likely begin enforcement by July 1st, 2020 at the latest. The focus of the bill is on consumers’ rights to controlling how their information is used and whether or not it is stored, very similar to the goals of Europe’s GDPR.
Who has to comply?
This piece of legislature will apply to any company that does business in California which collects consumers personal information and meets one of the following: The company has an annual gross revenue of $25 million, the company makes at least half of its profit from selling consumer personal information, or handles at least 50,000 consumers’ personal information. In other words, it applies to pretty much every moderately successful site in existence. There are exceptions to this, mostly for those types of data already covered by existing standards or legislature such as HIPAA data.
Some view this as an overreach by the California government and harmful to interstate commerce. Whether or not you agree with that sentiment, you can at least agree that this is a bold move by California, and it was certainly intended to cause the expansion of this policy into other parts of the United States, potentially federally. In fact, several states have already moved to create similar legislature of their own, some being more aggressive than the CCPA.
Companies found in violation are subject to fines, and consumers may have the right to pursue civil suits against companies if they are harmed by misuse of their data.
Consumer Rights Under CCPA
Under the CCPA, consumers have the right to receive notice as to what information companies will be collecting on them. This means we are all probably going to get bombarded with emails again, as was the case with GDPR. The CCPA also requires companies to include this information in their privacy, as well as the user’s rights under CCPA and how the users can exercise these rights.
Consumers have the right to choose to opt-out of programs where their data may be sold to third party entities at any time, and those under the age of thirteen cannot have their information sold unless they opt-in with parental consent. This is a big deal, and will probably have drastic effects on the business models of companies targeted by the clause including companies which make at least 50% of their gross annual income from the sale of personal information. The bill does allow for different pricing in the case that a user should exercise this right.
Importantly, companies cannot discriminate against users who exercise any of these rights, with the exception of the financial incentive for opting into the data sharing programs. This means that a site cannot deny access to any service based on whether a user has deleted their data or requested it, or opted-out of data sharing.
It is great to see that the United States is beginning to catch up to Europe in the field of protecting its citizens’ privacy from abuse by the private sector. I think that this step is necessary if privacy is to exist in any form moving forward as companies wish to collect more and more data so that they can better target our preferences. It will not solve the privacy problem our society is facing by itself, but it is an important step towards taking back some control of our individual privacy as consumers.
It is important to note, however, that this is yet another set of regulations and standards that companies must follow on top of the myriad of other standards they must meet such as PCI, HIPAA, et al. If each state puts forth their own version of this law, this only gets further complicated and strenuous for companies. While standardizing practices is a good thing for protecting consumers, it is important that we do not overwhelm companies with heaps of regulations and standards, as putting too daunting of a gate up often inspires those who are confronted with it to seek another way around it. Surveys have shown that compliance to some standards has been on a slight decline due to the overwhelming amount that must be followed. We must take great care to make fair policy to which adherence is not too great a burden.
Written by, Daniel Szafran
Apologies for the low-tier memes, I didn’t want to brew up my own at 4AM