The World Health Organization has been attacked by hackers. WHO CISO Flavio Aggio (pictured) says his team has so far fended off the attacks, but the rate has “more than doubled.”
And WHO is not alone. Ransomware scum continue to target hospitals around the world. Their timing couldn’t be worse.
This is serious. So in this week’s Security Blogwatch, we avoid Doctor Who gags.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: a puzzling puzzle.
WHO CISO: “WTF?”
What’s the craic? Raphael Satter, Jack Stubbs, Christopher Bing, and Hyonhee Shin tag-team to report—Hackers target WHO:
hackers tried to break into the World Health Organization earlier this month, [say] sources. [It’s] part of what a senior agency official said was a more than two-fold increase in cyberattacks.
…
Chief Information Security Officer Flavio Aggio said the identity of the hackers was unclear and the effort was unsuccessful. But he warned that hacking attempts against the agency and its partners have soared. … “There are no hard numbers, but such compromise attempts against us and the use of … impersonations to target others have more than doubled.”
…
Sources briefed on the matter said they suspected an advanced group of hackers known as DarkHotel, which has been conducting cyber-espionage operations since at least 2007. … Cybersecurity firms including … Bitdefender and … Kaspersky said they have traced many of DarkHotel’s operations to East Asia. … Messages sent to … the hackers went unreturned.
DarkWhatNow? Tara Seals the deal—Cyberattacks Spike:
DarkHotel [has] been active since at least 2007. The APT became known for targeting diplomats and corporate executives via Wi-Fi networks at luxury hotels. But it has widened its targeting over the years, while continuing to leverage zero-day vulnerabilities and exploits. Earlier in 2020, DarkHotel was seen using Office documents for targeted attacks using a zero-day in Internet Explorer.
…
Meanwhile, cybercriminals are tapping into the fears around coronavirus by launching a slew of cyberattacks using COVID-19 as a lure. … One such campaign is distributing a new variant of the HawkEye keylogging malware using spam that purports to be an “alert” from WHO Director-General Tedros Adhanom Ghebreyesus. [And] a scam impersonating WHO … requested Bitcoin donations to the COVID-19 Solidarity Response Fund—the name of a legitimate fund created by … WHO.
WHO is not alone. Patricia Ortega Dolz y Jordi Pérez Colomé are lost in translation—cyber attack on hospital computers:
As if Spanish hospitals did not have enough problems with the coronavirus, a new virus—a computer one—has burst onto the scene. The National Police detected it trying to sneak in as attachments in emails from sanitary authorities.
…
It is ransomware. Experts recommend that medical personnel not open any suspicious emails. … The National Police detected an attempt to block computers in Spanish hospitals.
…
The name of the attached document in the emails that hide the malware is CORONAVIRUS_COVID-19.vbs. When a receiver clicks on the document it is executed and the malware encrypts the files.
What can be done? Davey Winder watches—Meet The Volunteer COVID-19 Cyber Heroes Helping Healthcare Fight The Hackers:
With attacks on medical Facilities … and the news that healthcare workers are being targeted by a dangerous new Windows ransomware campaign, the need to protect those working hard to protect us cannot be overstated. One newly formed group … including company CISOs, penetration testers, security researchers, and more, have vowed to do all they can to help provide cybersecurity support to healthcare services across … Europe.
…
Cyber Volunteers 19 (CV19) was started after a discussion between three prominent members of the information security community. … Lisa Forte is a social engineering and insider threat expert. … Radoslaw Gnat [is] a veteran information security professional. … Daniel Card [is] a self-proclaimed "Cyber Ninja Warrior" and founder of the PwnDefend capture the flag game.
…
If you, or your organization, would like to help with the CV19 volunteer effort to support the healthcare sector, then you can "join the LinkedIn group and register your interest there," Forte says, adding "you can also follow our Twitter account or visit the website for updates."
How? IAmEveryone asks relevant questions:
Which domain registrars do these attackers use? Where do they host? Are they, perhaps, helped by large CDN providers happy to anonymize their traffic?
…
I am predicting that if people die as infrastructure or institutions succumb to attacks mediated by such services, they will no longer be allowed to throw up their hands and pretend to be incapable of making the most obvious judgements.
…
It’s trivially easy to detect domain names intended to mislead: whó.net, or paypál.com. Banning those might be a good first step.
…
Anonymity … will soon go away if everyone continues tolerating a situation where 99%+ of the use of this freedom is for nefarious purposes.
Why? Rick Schumann counts the ways:
Because whatever organized crime cartel gives them their orders, or is paying them, wants to sow chaos all over the world, because it gives them an opening to advance whatever agenda they might have. [Or] because some people just want to watch the world burn to the ground, 'for the lulz.'
…
Maybe the 'agenda' has to do with a profit-oriented operation that goes deeper than just ransoming somebody elses' data, like crashing the economies of countries all over the globe. [Or] maybe the 'agenda' is to literally spread anarchy and chaos for it's own sake, because some people don't think that 'countries' or 'governments' or even 'civilization' is a good idea.
Who? taylodl divides to conquer:
Two kinds of people respond to fires: one, those who want to help put the fire out and do all they can to help; two, those who pour on the accelerant so they can watch the world burn.
Are these type 2 people sociopaths? Yes.
Wither? Whence? Wherefore? ls671 ain’t buying the simplistic answers:
It could be anybody, since what they intend to collect and/or do isn't clear yet. It could even be some agencies that some would categorize as the "good guys" who want to install spyware on representatives of foreign countries for your own protection.
…
The perpetrators aren't always the bad guys wishing to end the world as we know it.
The moral of the story?
Morals? Morals??? No, sorry, they’re in short supply.
And finally
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: Flavio Aggio
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
