A data dump of Twitter user details on an underground forum appears to stem from an API endpoint compromise and large-scale data scraping.

Data from 200 million Twitter users has been gathered and put up for free on an underground hacking forum, researchers are warning.

Public account details, including account name, handle, creation date, and follower count are all part of the 63GB worth of data uploaded to the Dark Web on Jan. 4, according to an investigation from Privacy Affairs. The cybercriminal responsible said the materials were collected via data scraping, which is a process of using automated scripts to lift public data from social media sites. However, the database also contains email addresses, the firm found — which aren't part of users' public profiles.

"The availability of the email addresses associated with the listed accounts could be used to determine the real-life identity or location of the affected account holders through social engineering attacks," said Miklos Zoltan, founder at Privacy Affairs, in a blog post. "The email addresses could also be used for spam or scam marketing campaigns and for sending personal threats to individual users."

While it's unclear how the email addresses were accessed, Zoltan noted that the "most likely method used could have been the abuse of an application programming interface (API) vulnerability." After all, at least one past Twitter data leak stemmed from the abuse of a Twitter API, resulting in the linking of phone numbers with Twitter handles. And in August, thousands of mobile apps were found to be leaking Twitter API keys.

Other researchers concur with Zoltan's assessment.

"API security is the real story here," Sammy Migues, principal scientist at Synopsys, said in an emailed statement. "As cloud-native app development explodes, so does the world of refactoring monolithic apps into hundreds and thousands of APIs and microservices. Certainly, this effort is growing much faster than the skills and numbers of application architects who can craft working secure API and zero trust architectures."

Twitter has so far been mum on the developments, and did not immediately respond to a request for comment from Dark Reading.

**Public Profile Data Scraping Represents Real Risk****

The 200 million Twitter records appear to be the same data set that appeared for sale for $200,000 in underground markets in December, Privacy Affairs added. At the time, there were 400 million profiles included, but the firm said this latest listing de-duped the database, resulting in a leaner data set with no repeats — and it's now being offered for free to anyone who wants to download it.

Aside from the cyber-danger involved in leaking emails associated with Twitter handles, even the publicly available data could be used for highly targeted attacks.

Specifically, it can be cross-referenced with other data that a user may have shared across platforms to create a 360-degree view of a person — their interests, their likes, the social circles they run in, and even corporate activity (remember, Twitter handles are often used on corporate sites in lieu of direct contact info — and can thus act as metatags that attackers can use to track the user's web presence, far outside of Twitter itself).

In this case, since so much data is collected in volume in a handy database, this process, and the attacks it can engender, can now be automated. This can be a real problem not just for social media users but the platforms themselves — both Facebook and LinkedIn have faced fines and general hot water for past data-scraping incidents. And, who can forget the former's Cambridge Analytica scandal, in which a mind-boggling number of public user profiles and posts were scraped and used to target political messaging to site users.

As far as how to protect oneself from any follow-on cyberattacks (or influence targeting), best practices still apply, according to Jamie Boote, associate software security consultant at Synopsys.

"As always, malicious actors have your email address," he said, via email. "To be safe, users should change their Twitter password and make sure it's not reused for other sites. And from now on, it's probably best to just delete any emails that look like they're from Twitter to avoid phishing scams."

There's also a cautionary tale to be had in terms of being careful with what one publicly shares on social media, to avoid making it easy for cyberattackers to build rich-data profiles.

And Privacy Affairs' Zoltan offered another lesson to be learned: "While not a very popular method at the moment, it would also be useful to use 'burner' email addresses or separate email addresses for online accounts while forwarding emails to a master address. This way, even if the email address associated with a Twitter or any other account is leaked, it can’t be associated with the end-user’s identity or other online services."

**

200M Twitter Profiles, with Email Addys, Dumped on Dark Web for Free

New platform features and integrations enable analysts to quickly detect and remediate threats.

**Broomfield, Colo. — January 05, 2023 —** LogRhythm, the company empowering security teams to navigate the ever-changing threat landscape with confidence, today announced a series of expanded capabilities and integrations for its security operations solutions. The updates propel LogRhythm’s ability to be a much-needed force multiplier for overwhelmed security teams who are expected to confidently, effectively, and efficiently defend against cyberattacks.  

Following the October launch of LogRhythm Axon, a groundbreaking, cloud-native security operations platform, the company is introducing new visualizations and powerful analytics that offer seamless visibility into potential security risks. Designed to streamline the experience of security analysts, Axon and its latest updates make it easier for teams to detect, investigate, and report on potential threats, reducing the burden of managing threats and the operating infrastructure.  

“On a daily basis, we strive to empower lean and overburdened security teams with the most intuitive experience and contextual analytics,” said Chris O’Malley, CEO of LogRhythm. “By continuously working to fulfill that mission and deliver innovation that matters to customers every quarter, we are delivering on our promise of helping customers quickly reduce noise and secure their environment so that they can concentrate on safely competing in the digital age where fast beats slow.”  

“Axon has already given our team the tools to effectively analyze our environment and improve our security posture,” said Eric L., Network Engineer at global manufacturing company. “Data collection and correlation to detect threats and respond can be time consuming. Axon gives us an intuitive interface to perform complex searches on data to filter in what really matters. We cannot wait to use the powerful analytics tools that will quickly surface threats.” 

This quarter’s enhancements span LogRhythm’s product portfolio to collectively enable SOC teams to detect and resolve threats more easily, improving analyst productivity and effectiveness. Additional enhancements and integrations with LogRhythm’s Axon, SIEM, NDR, and UEBA solutions released in this quarterly rollout include: 

LogRhythm Axon 

·New custom and out-of-the box analytics rules, including rules for MITRE ATT&CK detections 

·New markdown widget and histogram widget cuts down on time spent searching for data 

·Easily investigate log observations raised by analytics through the Observation Workflow 

LogRhythm SIEM 

·Improved administrative workflow for collection shortens time to configure, deploy, and manage log sources that require Open Collector 

·Enhanced audit logging makes it easier to monitor suspicious activity and track when users make important changes 

·Updated and expanded LogRhythm’s library of supported log sources 

LogRhythm UEBA 

·New detection models for Windows systems to quickly uncover hard to detect threats 

LogRhythm NDR 

·Improved blind spot detection and endpoint visibility through integration with Microsoft EDR  

·Easily ingest data from VirusTotal with new configuration page 

·Improved analyst experience with expanded UI improvements 

“This quarter, we are especially excited about the number of groundbreaking and enhanced capabilities coming to our market-leading solutions,” said Kish Dill, Chief Product and Customer Officer of LogRhythm. “These enhancements and integrations have been curated with the goal of simplifying the lives of security analysts and enabling them to detect threats faster through seamless visibility, enhanced collection, and an intuitive analyst experience.” 

To learn more about LogRhythm’s offerings, please visit: https://logrhythm.com. 

**About LogRhythm** 

LogRhythm helps busy and lean security operations teams save the day — day after day. There’s a lot riding on the shoulders of security professionals — the reputation and success of their company, the safety of citizens and organizations across the globe, the security of critical resources — the weight of protecting the world.   

LogRhythm helps lighten this load. The company is on the frontlines defending against many of the world’s most significant cyberattacks and empowers security teams to navigate an ever-changing threat landscape with confidence. As allies in the fight, LogRhythm combines a comprehensive and flexible security operations platform, technology partnerships, and advisory services to help SOC teams close the gaps. Together, LogRhythm and our customers are ready to defend. Learn more at logrhythm.com.

LogRhythm Enhances Security Analytics With Expanded Security Operations Capabilities

In a new survey from Clever, 3 out of 4 school districts say they will increase their spending on security and privacy in the next two to three years; 1 in 4 teachers report that cybersecurity training is missing in their district.

**SAN FRANCISCO****,** **Jan. 5, 2023** **/PRNewswire/ --** Clever, the platform used by more than 70% of U.S. K-12 schools to simplify and secure digital learning, today announced a new survey of school administrators and teachers revealing that the two groups perceive security vulnerabilities differently as the district edtech stack increases. According to the data, three out of four districts say they will increase their spending on security and privacy in the next two to three years. While more than half of administrators (63%) and teachers (53%) believe that their district is prepared to take on digital security challenges, one in four teachers report that cybersecurity training is missing altogether in their district.

Last year, over 90% of educators said they will continue to use at least some of the digital tools they adopted during the pandemic, as schools increasingly embrace devices and digital platforms to enable individualized instruction and student support. But with the expanded access to technology comes greater responsibility on schools and their edtech partners to protect the information these tools may collect. In 2021, nearly a million students were impacted by 67 ransomware attacks against schools, with a cost of over $3.5 billion in downtime.  

To help district and school leaders navigate new edtech practices in this era of increased usage, Clever surveyed almost 4,000 teachers and administrators. The data suggest that educators and administrators perceive the risks in schools differently: only 11% of teachers said a cybersecurity incident would be very likely, but one in four administrators say their district already experienced a hack, phishing incident, data breach, or other cyber attack in the past year.

"Creating a safe digital learning environment requires that everyone -- administrators, educators, students -- play a role," said Mohit Gupta, who oversees security products at Clever. "Cybersecurity is a team sport, and the differences highlighted in the survey offer us a path forward to address vulnerabilities in our schools. While the groups differ on where the risks exist, they agree on what can be done: more training for educators, the use of security tools, and increased specialized staff."

Among additional key findings from Clever's Cybersecure 2023 report:

*   **Teachers and administrators see devices as the greatest tech vulnerability in their district.** Teachers (34%) and administrators (34.3%) alike believe that devices are the most vulnerable part of their technology infrastructure. However, administrators are more aware of potential risks elsewhere as well: they're five times more concerned about vulnerabilities from administrative platforms like a learning management system or student information system, and nearly three times more concerned about vulnerabilities from applications used for curriculum and instruction.
*   **When it comes to identifying risks around human usage of technology, administrators think teachers are the most likely source of security vulnerability, but teachers think students are.** Teachers, responsible for their own safe use of technology and appropriate use by their students, see students (67%) as the biggest risk for a security incident, followed by teachers (27%). In contrast, two-thirds of administrators believe that teachers pose the highest vulnerability threat, and only 19% believe it to be students. Administrators were also three times more likely than teachers to say administrators are a vulnerability.
*   **Teachers and administrators agree on what can be done to improve digital security.** Both groups believe the three most important activities to support security are: 1) more educator training; 2) more or better technology solutions; and 3) more staff focused on technology. Two-thirds of teachers indicated they would want to learn more about topics related to data privacy and security.
*   **Yet, one in four teachers say cybersecurity training is missing altogether in their district.** While the majority of administrators and educators report that privacy and security training happens in their district, a surprising 26% of teachers say they never receive training on privacy or security – representing a big opportunity for districts to shore up their practices.
*   **Increasing challenges means increased spending.** 65% say their spending on digital security will increase over the next two to three years; another 12% say it will increase significantly, and a majority say that federal stimulus dollars are helping support their efforts.

The survey, administered throughout October 2022 using Clever's user database, asked more than 800 US-based school administrators and more than 3,000 US-based educators. To see the full findings and methodology, click here.

**About Clever**

Clever is on a mission to unlock new ways to learn for all students. More than 70% of U.S. K-12 schools now use Clever to simplify access and improve engagement with digital learning. With our free platform for schools and a network of leading application providers, we're committed to advancing educational equity. Clever, a Kahoot! company, has offices in San Francisco, CA and Durham, NC but you can visit us at clever.com anytime.

SOURCE Clever

New Survey: One In Four Schools Were Victims Of Cyber Attacks In the Last Year; Administrators To Increase Spending On Privacy and Security

Check Point Research (CPR) releases new data on 2022 cyberattack trends. The data is segmented by global volume, industry and geography. Global cyberattacks increased by 38% in 2022, compared to 2021. These cyberattack numbers were driven by smaller, more agile hacker and ransomware gangs, who focused on exploiting collaboration tools used in work-from-home environments, targeting of education institutions that shifted to e-learning post COVID-19. This increase in global cyberattacks also stems from hacker interest in healthcare organizations, which saw the largest increase in cyberattacks in 2022, when compared to all other industries. CPR warns that the maturity of AI technology, such as CHATGPT, can accelerate the number of cyberattacks in 2023. 

Check Point Research (CPR) has released new data on last year’s cyberattack trends. The data is segmented by global volume, industries, continents and countries.

**Key Statistics:** 

*   Global volume of cyberattacks reached an all-time high in Q4 with an average of 1168 weekly attacks per organization
*   Top 3 most attacked industries in 2022 were Education/Research, Government and Healthcare
*   Geography of Africa experienced the highest volume of attacks with 1875 weekly attacks per organization, followed by APAC with 1691 weekly attacks per organization
*   North America (+52%), Latin America (+29%) and Europe (+26%) showed largest increases in cyberattacks in 2022, compared to 2021
*   USA saw a 57% increase in overall cyberattacks in 2022, UK saw a 77% increase and Singapore saw a 26% increase

Cyberattacks are increasing world-wide, with 38% more cyberattacks per week on corporate networks in 2022, compared to 2021. Several cyber threat trends are all happening at once.

For one, the ransomware ecosystem is continuing to evolve and grow with smaller, more agile criminal groups that form to evade law enforcement. Second, hackers are widening their aim to target business collaboration tools such as Slack, Teams, OneDrive and Google Drive with phishing exploits. These make for a rich source of sensitive data given that most organizations’ employees continue to work remotely.

Third, academic institutions have become a popular feeding ground for cybercriminals following the rapid digitization they undertook in response to the COVID-19 pandemic. In fact, the education/research sector was the number one most attacked industry globally, seeing a 43% increase in 2022 compared to 2021, with an average of 2,314 attacks per organisation every week. Many education institutions have been ill-prepared for the unexpected shift to online learning, creating ample opportunity for hackers to infiltrate networks through any means necessary. Schools and universities also have the unique challenge of dealing with children or young adults, many of which use their own devices, work from shared locations, and often connect to public WiFi without thinking of the security implications.

Looking back at cyberattacks for the healthcare sector in 2022, healthcare organizations in the US suffered an average of 1410 weekly cyberattacks per organization, which is 86% higher than the number we saw in 2021, with the healthcare sector ranking second out of all sectors for the most cyberattacks in the US.

Hackers like to target hospitals because they perceive them as short on cyber security resources with smaller hospitals particularly vulnerable, as they are underfunded and understaffed to handle a sophisticated cyberattack.

The healthcare sector is so lucrative to hackers as they aim to retrieve health insurance information, medical records numbers and, sometimes, even social security numbers with direct threats from ransomware gangs to patients, demanding payment under threats of having patient records released. Ransomware gangs also find the attention gained from attacking a hospital as an attractive plus-point for their notoriety.

Unfortunately, we expect the increase in cyberattack activity to only increase. With AI technologies such as ChatGPT readily available to the public, it is possible for hackers to generate malicious code and emails at a faster, more automated pace.

To protect yourself, it is imperative to think about prevention first, not detection. There are several best practices and actions an organization can take to minimize their exposure to the next attack or breach, such as cyber security training, keeping patches up-to-date and implementing anti-ransomware technology.”

**Cyber Safety Tips:** 

1.  **Cyber Awareness Training**: Frequent cybersecurity awareness training is crucial to protecting the organization against ransomware. This training should instruct employees to do the following:
    1.  Not click on malicious links
    2.  Never open unexpected or untrusted attachments
    3.  Avoid revealing personal or sensitive data to phishers
    4.  Verify software legitimacy before downloading it
    5.  Never plug an unknown USB into their computer
    6.  Use a VPN when connecting via untrusted or public Wi-Fi
2.  **Up-to-Date Patches:** Keeping computers and servers up-to-date and applying security patches, especially those labeled as critical, can help to limit an organization’s vulnerability to ransomware attacks.
3.  **Keep your software updated.** Ransomware attackers sometimes find an entry point within your apps and software, noting vulnerabilities and capitalizing on them. Fortunately, some developers are actively searching for new vulnerabilities and patching them out. If you want to make use of these patches, you need to have a patch management strategy in place—and you need to make sure all your team members are constantly up to date with the latest versions.
4.  **Choose Prevention over detection:** Many claim that attacks will happen, and there is no way to avoid them, and therefore the only thing left to do is to invest in technologies that detect the attack once it has already breached the network and mitigate the damage as soon as possible. This is not true. Not only can attacks be blocked, but they can be prevented, including zero-day attacks and unknown malware. With the right technologies in place, most attacks, even the most advanced ones, can be prevented without disrupting the normal business flow.

Check Point Research Reports a 38% Increase In 2022 Global Cyberattacks

DevOps platform warns customers of a "security incident" under investigation.

DevOps platform CircleCI is warning users of its continuous integration and deployment (CI/CD) to "immediately" rotate all secrets — think passwords, API keys, SSH keys, configuration files, OAuth tokens, etc. — stored on the platform in the wake of a security incident under investigation at the company.

In a blog post this week, Ron Zuber, CTO of CircleCI, urged customers to first rotate all secrets stored "in project environment variables or in contexts" and then check internal logs for signs of "unauthorized access" from Dec. 21, 2022, and up to the date of rotation.

"Additionally, if your project uses Project API tokens, we have invalidated those and you will need to replace them. You can find more information on how to do that in our documentation here," Zuber said.

The company is continuing to investigate the security breach and plans to provide more details as they emerge. "At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well," Zuber wrote.

Meanwhile, CI/CD services have become a popular target of cryptominers for deploying code and setting up cloud-based mining platforms, a recent report from Sysdig found.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CircleCI: Rotate Stored Secrets ASAP

The financially motivated threat group, also known as OPERA1ER, demonstrated an evolution in tactics in its compromise of three Francophone financial institutions in Africa, likely adding to its $11 million to-date haul.

A criminal group, which has already stolen nearly $11 million by specializing in targeted attacks against the financial sector, has French-speaking African banks in its crosshairs in a recent campaign that demonstrates an evolution in tactics, researchers have found.

Bluebottle, aka OPERA1ER, compromised three different financial institutions in three separate African nations between mid-July and September, affecting multiple machines in all three organizations, researchers from Symantec revealed in a blog post published on Jan. 5.

Though it's unclear if the group was able to capitalize financially on the activity, it's significant because the different payloads and other tactics that Bluebottle used in the campaign vary from previous offensives by the group, Sylvester Segura, Symantec threat intelligence analyst, tells Dark Reading. 

In particular, Bluebottle used commodity malware GuLoader and malicious ISO files in the initial stages of the attack — which it hasn't done before — as well as abused kernel drivers with a signed driver that has been linked to other attacks such as ransomware, Segura says.

These "all indicate the Bluebottle group is keeping up to date with the tools and techniques that other threat actors are currently using," he says. "They may not be the most advanced, but this latest activity proves they are following attacker trends in tooling and techniques."

Indeed, the use of signed drivers in particular shows that Bluebottle — a financially motivated group first observed in 2019 — is aiming to up its game in this latest spate of activity, forcing enterprises to do the same in terms of defensive maneuvers, Segura says.

"More and more 'less advanced' attackers are aware of the impact they can have by disabling detection solutions through various means such as using signed drivers," he notes. "To prevent the trust we put in software like signed drivers from becoming a single point of failure, enterprises need to employ as many layers of detection and protection as they reasonably can."

**Keeping Up With Bluebottle****

Group-IB first began tracking Bluebottle, which it calls OPERA1ER, in activity that spanned from mid-2019 to 2021. During this period, the group stole at least $11 million in the course of 30 targeted attacks, researchers said in a report published in November. The group typically infiltrates a financial organization and moves laterally, scooping up credentials that it can use for fraudulent transfers and other funds-stealing activity.

The activity that Symantec observed started in mid-July, when researchers spotted job-themed malware on one of the infected systems, which they believe could have been the result of a spear-phishing campaign — though they said they are not certain of the group's initial point of entry.

"These likely acted as lures," researchers wrote in the post. "In some cases, the malware was named to trick the user into thinking it was a PDF file."

Symantec researchers linked the group to the previous OPERA1ER activity reported by Group-1B because it shared the same domain, used similar tools, included no custom malware, and also targeted Francophone nations in Africa, they said.

****Living Off the Land****

After noticing the job-themed malware, researchers then observed the deployment of a downloader before detecting the commercial Sharphound hacktool as well as a tool called fakelogonscreen, researchers said. Then, about three weeks after this initial compromise, researchers saw attackers using a command prompt and PsExec for lateral movement.

"It appears the attackers were 'hands on keyboard' at this point of the attack," researchers wrote in the post, using various dual-use and living-off-the-land (LotL) tools for a number of purposes during their occupation of the network.

These tools included Quser for user discovery, Ping for checking Internet connectivity, Ngrok for network tunneling, Net localgroup/add for adding users, the Fortinet VPN client most likely for a secondary access channel, Xcopy to copy RDP wrapper files, and Netsh to open port 3389 in the firewall, among several others.

As previously mentioned, Bluebottle also used commodity tools GuLoader as well as Mimikatz, Revealer Keylogger, Backdoor.Cobalt, Netwire RAT, and the malicious DLL and driver for killing processes during their activity, along with "multiple other unknown files," the researchers wrote.

Some of the tools — such as GuLoader — were deployed across all three victims; other activity linking the three victims included the use of the same .NET downloader, malicious driver, and at least one overlapping transfer\[.\]sh URL, they said.

Researchers observed the last activity on the compromised network in September; however, the Ngrok tunneling tool remained on the network until November, they said.

****How Enterprises Can Respond****

Since Bluebottle uses mainly commodity RATs and other malware in its activity, enterprises can mitigate attacks from this threat group by ensuring they have good endpoint protection against such threats, Segura says.

"Furthermore, an extended detection and response solution should also help detect their abuse of living off the land tools like PsExec during attempted lateral movement," he says.

Since Bluebottle typically goes after credentials immediately in its attacks for financial gain, multifactor authentication can also go a long way in helping enterprises protect accounts and monitor for suspicious account activity, Segura says.

Other steps enterprises can take to counter activity from Bluebottle specifically include allowing applications that "will help prevent the malicious use of dual-use tools like Ngrok, which they use for hiding their presence," he says.

"Finally, training employees to look out for phishing and other malicious emails is going to be crucial to prevent a group like this from intruding in the first place," Segura adds.

**

Bluebottle Continues Bank Heist Assault With Signed Malware

Security teams may be missing targeted attacks and advanced exploits if attackers are using evasive techniques to avoid detection. Defenders need to up their game.

Attackers today combine state-of-the-art obfuscation and adaptive environment-specific features to avoid detection by traditional malware analysis systems. If your security team is relying on legacy approaches, like traditional sandboxing, to scan files entering your network, they may miss these dangerous exploits targeting your organization. If your security teams are spending their time with easy-to-detect, common vulnerabilities and not on the targeted attacks, they are exposing your organization to unnecessary risk from cybercriminals.

Nothing about this pattern is new: Researchers develop new anti-malware technology to detect malware attacks. Cybercriminals adapt their malware variants to avoid detection. And the cycle continues.

Attackers are adopting techniques, such as machine fingerprinting and geofencing, where they use information about the victim's application stack and system environments to compromise systems.

**Gotta Catch 'Em All: Geofencing**

There are many ways for malware to get on a victim's machine. Once there, some malware variants remain dormant if the victim's machine or network is not in a specific country. That comes courtesy of geofencing.

The malware looks up the external IP address geographic region via an external database or service and checks whether the device is located in the target region. If the device's geographic location is in a region of interest, the malware detonates. It may install a second-stage malware; steal useful information, such as administrator credentials; exfiltrate data to a system controlled by criminals; and remove all traces of its activity on the machine.

Attackers add geofencing features to malware for many reasons. It may be easier to evade detection by locations with strong security postures. Sometimes they don't want to infect networks in their home countries, where they could face prosecution. Savvy criminals target wealthy countries inhabited by trusting folks who are more likely to open documents and pay ransom. Or they may know that business leaders in a specific region rely on weak defensive postures or are less likely to use two-factor authentication.

One example of a region–specific attack: The South Korean government widely uses the Hangul Word Processor (HWP). North Korean attackers write malware in Hangul to penetrate critical government systems. Trying to use this malware to compromise US government employees, however, would be a waste of resources.

**Finding the Golden Image: Fingerprinting**

Malware authors rely on diverse fingerprinting techniques to determine whether machines are susceptible to their attack chains. Fingerprinting helps malware avoid detection by appearing harmless to antivirus technologies.

The malware remains dormant on the victim's machine unless the environment meets predefined conditions — such as having a specific application installed or certain configuration settings enabled. Attackers also use fingerprinting techniques to figure out whether the compromised system is actually a virtual machine using a preconfigured, out-of-the-box or initial install image. If that is the case, the malware does not detonate.

**What Adaptive and Dynamic Analysis Looks Like**

Traditional sandboxes may not detect advanced malware or targeted zero-day attacks if the attacker is using techniques such as geofencing or fingerprinting. For example, malware that uses geofencing must look up IP addresses to determine its geographic location. In contrast, adaptive dynamic analysis technology can help detect very specific, targeted attacks because it can detect and automatically bypass environment and anti-analysis checks. 

Adaptive analysis performs execution only of instructions related to the malware, as opposed to traditional sandboxes, which are fully virtualized operating systems executing instructions of every service and application on the system. As a result, the total resource utilization for adaptive analysis is significantly lower. Being able to extract intelligence in the form of indicators of compromise (IOCs) enables threat hunting, proactive self-defense improvements, and threat actor attribution.

Threat Actors Evade Detection Through Geofencing & Fingerprinting

**WILKES-BARRE, Pa.****,** **Jan. 5, 2023** **/PRNewswire/ --** Maternal & Family Health Services ("MFHS"), a private non-profit health and human services organization serving Northeastern Pennsylvania, announced today that the organization was the victim of a sophisticated ransomware incident that may have resulted in the inadvertent exposure of sensitive information to an unauthorized individual.  MFHS began notifying potentially affected individuals, including certain current and former employees, patients, and vendors, on January 3, 2023.

On April 4, 2022, MFHS experienced a ransomware incident. Upon learning this, MFHS immediately engaged specialized third-party forensic incident response firms to assist with securing the organization's systems. The firms conducted a forensic investigation to determine the extent of any unauthorized activity and identify what data may have been compromised.  During the course of the investigation, it was determined that elements of personal information of certain individuals may have been compromised.  This personal information included, and potentially was not limited to: names, addresses, dates of birth, Social Security numbers, driver's license numbers, financial account/payment card information, usernames and passwords, medical information and/or health insurance information.  The investigation also found that while MFHS was alerted to the ransomware event on April 4, 2022, the unauthorized access to the organization's systems occurred between August 21, 2021 and April 4, 2022.  MFHS does not have any evidence that any personal information has been misused as a result of this incident. 

Beginning on January 3, 2023, MFHS issued letters to potentially impacted individuals.  The letters include information about the incident and steps that individuals can take to protect their personal information such as the implementation of fraud alerts and security freezes. MFHS is also offering complimentary credit monitoring and identity theft protection services to individuals whose Social Security number and/or financial account/payment card information may have been involved in the incident.

"Maternal & Family Health Services takes the protection our patients' and employees' personal information seriously," said Maria Montoro Edwards, Ph.D., President & CEO of Maternal & Family Health Services.  "We understand the inconvenience or concern this incident may cause and are committed to strengthening our systems' security to prevent this kind of incident from happening again."

MFHS has also launched a dedicated phone hotline for individuals with questions about the incident. Call center representatives are available at (833) 896-7339, Monday through Friday from 9:00 am – 9:00 pm Eastern Time.

**About Maternal & Family Health Services:**

Founded in 1971, MFHS is a private, non-profit health and human services organization that works to meet the health and nutrition needs of Northeastern Pennsylvania's women, children, and families with information, education, and quality care.  MFHS oversees and supports a network of health and nutrition centers in 17 Pennsylvania counties, serving over 90,000 women, men, and children annually.

Maternal & Family Health Services Issues Notice Of Cybersecurity Incident

**WASHINGTON, DC January 5, 2023 –** DirectTrust and the Electronic Healthcare Network Accreditation Commission (EHNAC) today announced the completion of their previously announced merger, effective January 4, 2023. Moving forward, DirectTrust, combined with EHNAC’s accreditation expertise, will create new opportunities for trust and assurance in the healthcare industry – including bringing to fruition new accreditation programs like consumer access and use of health data.

DirectTrust is a non-profit healthcare industry alliance created to support secure, identity-verified electronic exchanges of protected health information. EHNAC is a non-profit standards development organization and accrediting body for organizations that electronically exchange healthcare data.

“We’re excited to officially welcome EHNAC’s team of experts and assessors to the DirectTrust family. The completion of this merger significantly strengthens our accreditation capabilities, in particular for our members who will experience an improved and streamlined accreditation process,” said Scott Stuewe, DirectTrust President and CEO. “However, the impact of this merger will reverberate well beyond our members. This move further supports trust and security in nationwide trust frameworks and networks throughout the healthcare ecosystem as we strive to become the nation’s premier healthcare-focused accreditation, standards development, and technical trust partner.”

EHNAC senior leaders Executive Director and CEO Lee Barrett and COO Debra Hopkinson, long-standing pillars of the health IT trust and accreditation communities, will continue to work for and consult with DirectTrust as Commission Executive Director and Executive Advisor, respectively. EHNAC staff members and assessors will also join DirectTrust. Additionally, the EHNAC Commission will remain intact and be designated as Commissioners overseeing accreditation-specific matters. The DirectTrust Board of Directors will continue as is.

“Now officially part of DirectTrust, we look forward to strengthening our longstanding commitment to helping maintain patient and provider confidence in data-sharing networks and reducing cyber exposure throughout the industry,” said Lee Barrett, Commission Executive Director. “While TEFCA continues its presence as a driving force towards interoperability, accreditation and certification will continue to play a critical role to promote adherence to standards and best practices while protecting patient data and assuring stakeholder trust. We look forward to providing further opportunity for members and accredited organizations to comply with the ever-evolving legislative and regulatory revisions impacting the way health information is shared.”

Additional information, including FAQs, about the DirectTrust-EHNAC merger may be found at https://bit.ly/DTEHNAC.

**About DirectTrust**

DirectTrust™ is a non-profit, vendor-neutral alliance dedicated to instilling trust in the exchange of health data. The organization serves as a forum for a consensus-driven community focused on health communication, an American National Standards Institute (ANSI) standards development organization, an accreditation and certification body through EHNAC (the Electronic Healthcare Network Accreditation Commission), and developer of trust frameworks and supportive services for secure information exchange like Direct Secure Messaging and trusted, compliant document submission.

The goal of DirectTrust is to develop, promote, and, as necessary, help enforce the rules and best practices necessary to maintain privacy, security, and trust for stakeholders across and beyond healthcare. In addition, DirectTrust is committed to fostering widespread public confidence in the interoperable exchange of health information while promoting quality service, innovation, cooperation, and open competition in healthcare. To learn more, visit: DirectTrust.org.

DirectTrust and EHNAC Announce Closing Of Merger

**CAMPBELL, Calif.****,** **Jan. 5, 2023** **/PRNewswire/ --** iCoin Technology, a U.S. based manufacturer of modern crypto hardware wallets, announced today that it will be adding a secure messaging feature to their existing hardware wallet system for cryptocurrency

"One of the problems with existing secure messaging platforms is that they rely on central severs to control message flow and storage.  These central severs can be compromised by external or internal threats, including password reset requests.  Also, the smartphones or laptops that are used as message endpoints are network connected devices and run multiple applications - which can also expose the messages to attacks.  By encrypting and decrypting the messages only on a cold device, like the iCoin hardware wallet, can the users be sure that no one can intercept and read the messages between the sender and receiver." - Chet Silvestri, CEO, iCoin Technology

The iCoin hardware wallet is a cold device which is never directly connected to a network.  The encryption keys are created and stored only within the hardware wallet and can never be extracted.  The messages are directly entered into the hardware wallet and encrypted before ever leaving the wallet.  The pre-encrypted messages can then be sent over public messaging systems and are tamperproof.

The Secure Messaging feature will be integrated into the iCoin hardware wallet beginning in April 2023 and will also available as a no-cost firmware upgrade for existing iCoin hardware wallet owners at the same time.

"My quote from decades ago of "You have no privacy. Get over it!" has certainly stood the test of time.  But we can and must try to fight back.  The iCoin hardware encrypted secure messaging system will allow users to regain some control of their privacy when it comes to personal communications.   Both Enterprises and Consumers can now use the iCoin system to bring a new level of security to internet-based communication." - Scott McNealy, former CEO and Founder, Sun Microsystems, Inc.

**About iCoin Technology**

Headquartered in Silicon Valley, iCoin Technology is a pioneer of a new class of hardware wallets for the digital economy, blending consumer-grade ease-of-use with industrial-strength security.

Learn more at https://www.icointechnology.com/ or follow us on Linkedin, twitter, or Instagram.

SOURCE iCoin Technology

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading