Egregor ransomware hits again, another business email scam victim and insider blamed for Italian job.
Welcome to Cyber Security Today. It’s Monday December 7th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. To hear the podcast click on the arrow below:
It was just over a month ago that a leading ransomware gang called Maze claimed it had stopped operating. If true a group called Egregor, first seen in September, is trying to fill the void. The Egregor ransomware strain has quickly hit a number of organizations, including Metro Vancouver’s TransLink public transit system. The latest victims are American retail chain KMart and an international human resource consulting firm called Randstad. In a statement last week Randstad said a limited number of servers were hit, but data relating to operations in the U.S., Italy, France and Poland were affected. The Egregor gang has begun publishing what it says is some of the data it stolen before encrypting information.
Stealing data and threatening to release it to embarrass an organization is one pressure tactic hackers are using. The ZDNet news service reports that ransomware gangs have recently been trying another pressure tactic: Phoning companies they suspect are trying to evade paying ransom demands. Cybersecurity experts think one call centre is making the phone calls on behalf of several gangs because the threatening messages are so similar.
There are a number of tactics to reduce the odds of being victimized by ransomware. One of them is to encrypt all personal data of customers and employees, as well as sensitive corporate data. And you only know what data is sensitive if you do an inventory. Many organizations don’t know what they have hidden deep in text files and databases.
Criminals don’t care who they steal money from, including charities. The latest example is a hunger relief group in Philadelphia, which lost $1 million after falling for a phishing scam earlier this year. The charity called Philabundance reported the incident publicly last week. According to the Philadelphia Inquirer, crooks took advantage of the $12 million community kitchen the non-profit was building to re-direct a payment to a construction firm. This sophisticated scam began in the spring when the attackers infiltrated the charity’s email system and put in controls that blocked certain legitimate emails from getting through. Then they sent an email spoofing the email address of a real construction firm on the project that included an invoice. Payment was made July 6th, but the theft was only discovered 18 days later when the legitimate construction company asked where its money was. The nonprofit has since increased cybersecurity training and now requires executive approval for large payments. Bad enough that someone fell for a spoofed email address, but to me the heart of this scam was the infiltration of the email system. It sound like the administrator’s account wasn’t protected and was taken over.
Last week the Interpol police co-operative warned that COVID-19 vaccine scams will likely emerge now that doses are starting to be delivered. Well, Vice News reports finding multiple vendors on the dark web selling what are allegedly bottles of the Pfizer vaccine for the equivalent of $1,300 a dose. Payment in bitcoin, of course. Hopefully no one is desperate enough to fall for buying anything, let alone medications, on a criminal website.
Most employees and contractors are trustworthy. Some are not. Here’s the latest example: An Italian news agency says someone close to helicopter maker and defence contractor Leonardo Spa has been accused of installing malware on computers to steal data. Leonardo describes the accused as a former collaborator for the company. The malware, installed by a USB key on workstations, was able to avoid anti-virus systems and upload data to a website between 2015 and 2017.
Finally, a reminder that tomorrow is the second Tuesday of the month, which means it’s the day Microsoft releases security updates for Windows and other products.
That’s it for Cyber Security Today. Links to details about these stories are in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals.
Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.