Metadefender Endpoint: Windows PC security scanner

Opswat Metadefender Endpoint is a free security scanner for computer systems running Microsoft’s Windows operating system.

The program checks system settings, installed programs and security software, and computes a score from the results. It also offers options to remove potentially unwanted programs from the system.

You need to fill out a form on the Opswat website before downloads for Windows or Mac OS X become available. The information is not verified though, and download links are provided right after you enter the information and submit the form.

Note: The program submits a scan report to the Opswat website, where the results are listed under critical issues, other issues and information. That report page is public (see below), so be aware that an inventory of the device’s security posture leaves the machine.

Metadefender Endpoint


The application runs a scan automatically when it starts. It reveals the security score and the removable applications on the first page that you see when it is done scanning the system.

The score ranges from 0 to 100 points and is the sum of the points Opswat Metadefender Endpoint assigns to each item it scans.

A click on the score opens these individual scores. The items it scans are: firewall, hard disk encryption, patch management, backup, public file sharing, antivirus, and anti-phishing.


The scores are color coded to indicate full, medium and low scores, and the items are weighted differently.

Antivirus and anti-phishing make up 50 percent of the maximum score, while firewall and patch management account for only 15 percent.

You may click on any item to find out more about the score. The program lists applications that it detected, as well as information on what it discovered during the scan.

Not all scores may make sense. The system I tested Metadefender Endpoint on got a 10 out of 20 score in the backup category. The reason for that was that the program failed to score Veeam Endpoint Backup. It only scored Windows File History, something that was not used all that much on the particular device in the past.

The antivirus category had similar issues. It only detected Windows Defender, but not Malwarebytes Anti-Malware, or any of the other security programs installed on the device.


Move the mouse cursor over the information icon next to each item on the details page to display information on that particular item.

Some entries hold multiple programs that Metadefender Endpoint found during its security scan. The anti-phishing category for instance lists web browsers that are available on the system.

It is interesting to note that some score worse than others. Vivaldi, Google Chrome, Microsoft Edge and Opera for instance are listed with a score of 5 of 20, while Firefox and Internet Explorer with a score of 20 of 20.

Chrome’s and Edge’s phishing protections were turned off, which explains their scores, but the program failed to identify Vivaldi’s and Opera’s protective features properly.

You can right-click on the program icon and select "critical device issues to fix" to load the public page on the Opswat website that highlights the security issues that the program recommends to address first.

This includes issues that are not mentioned in the program interface. For instance, the page highlighted that no lock screen timeout was set.

App Remover

The App Remover section lists programs that are potentially unwanted. This includes high profile programs such as Google Drive, CCleaner, Google Chrome, Mozilla Firefox, or Windows Firewall Control.

It is interesting to note that qBittorrent, CCleaner and Google Drive were listed under potentially unwanted applications. I’m not sure how that classification came to be, but it is probably fair to say that most users would not classify those programs this way.

Closing Words

Metadefender Endpoint may point you in the right direction when it comes to security issues on your computer system. May, because it can also fail to recognize software that is installed, which results in lower scores than the system deserves.

It is therefore advised to check all low score areas to make sure the program did not miss a solution installed on the system. (via Windows Club)

Now You: Which security programs or categories do you consider most important?


via https://ift.tt/2lyy5Hw

Ransomware Hijacks Hotel Smart Keys to Lock Guests Out of their Rooms

What’s the worst that could happen when ransomware hits a hotel?

Recently, hundreds of guests of a luxurious hotel in Austria were locked in or out of their rooms when ransomware hit the hotel’s IT system, and the hotel had no choice left except paying the attackers.

Today, we are living in a digital age that is creating a digital headache for people and organizations around the world with cyber attacks and data breaches on the rise.

Ransomware is one of them.

The threat has been around for a few years, but in 2016 it became a lucrative racket: criminals got paid with little effort by targeting hospitals, universities, private businesses and even police departments, making hundreds of millions of dollars.

Now, the Romantik Seehotel Jägerwirt, a 4-star superior hotel, has admitted it paid €1,500 (£1,275/$1,600) in Bitcoin to cybercriminals who broke into its network and took down its electronic key card system, preventing guests from entering or leaving their rooms.

The hotel, set on a lakeside on the Alpine Turracher Hoehe pass in Austria, runs a modern IT system like many others in the industry, including electronic key cards for its room doors; while that system was down, no new cards could be programmed.


According to the hotel management, the hotel had been hit by hackers multiple times, but this time they managed to take down the entire key system, preventing guests from getting in or out of their rooms, The Local reported.

Besides gaining control of the electronic key system, the hackers also took over the general computer system, shutting down all hotel computers, including the reservation and cash desk systems.

Once the hotel paid, the system was fully restored, allowing staff to regain access to the network and guests to enter and exit their rooms.

Interestingly, even after the hotel met the attackers’ demand, they left a backdoor in the hotel’s systems in an attempt to conduct another attack later.

Fortunately, the hotel’s IT department had since raised its security standards and separated critical networks, which thwarted the follow-up attack and gave the attackers no further chance to harm the hotel.

Furious hotel managers decided to go public with the incident to warn others about the dangers of cyber attacks. Managing Director Christoph Brandstaetter said:

“The house was totally booked with 180 guests; we had no other choice. Neither police nor insurance helps you in this case. 

The restoration of our system after the first attack in summer has cost us several thousand Euros. We did not get any money from the insurance so far because none of those to blame could be found. 

Every euro that is paid to blackmailers hurts us. We know that other colleagues have been attacked, who have done similarly.”

Ransomware has cost many businesses and organizations sleepless nights, and they are often left to fight the threat on their own.

Ransomware criminals usually demand payment in Bitcoin (BTC) because it is pseudonymous: every transaction is recorded publicly on the blockchain, but wallet addresses are not tied to a verified identity, which makes payments hard, though not impossible, to attribute.

Every paid ransom funds the next campaign and makes the scheme more attractive to copycats. So, instead of paying, keep software and systems updated, keep tested offline backups so that an infection can be recovered from without the attackers’ key, and avoid clicking suspicious links.

via https://ift.tt/2kfD6Xj

Check If Your Netgear Router is also Vulnerable to this Password Bypass Flaw

More bad news for owners of Netgear routers: Netgear routers have been hit by another serious security vulnerability, and this time at least 31 router models are affected.

Security researchers from Trustwave are warning of an authentication vulnerability in at least 31 Netgear router models that potentially affects over one million Netgear customers.

The vulnerability, discovered by Trustwave SpiderLabs researcher Simon Kenin, allows an attacker to obtain the router’s admin password through a flaw in the password recovery process.

Kenin discovered the flaw (CVE-2017-5521) when he was trying to reach the management page of his own Netgear router but had forgotten its password.

Exploiting the Bug to Take Full Access on Affected Routers

So the researcher started looking for ways into his own router and found a couple of exploits from 2014; building on them, he discovered this flaw, which let him query the router and retrieve its login credentials, giving him full access to the device.

But Kenin said the newly discovered flaw could be remotely exploited only if the router’s remote management option is enabled.

While the router vendor claims the remote management option is turned off on its routers by default, according to the researcher, there are “hundreds of thousands, if not over a million” routers left remotely accessible.

“The vulnerability can be used by a remote attacker if remote administration is set to be internet facing. By default this is not turned on,” Kenin said. “However, anyone with physical access to a network with a vulnerable router can exploit it locally. This would include public Wi-Fi spaces like cafés and libraries using the vulnerable equipment.”

If exploited, the vulnerability, which bypasses the router’s password entirely, gives an attacker complete control of the device, including the ability to change its configuration, enlist it in a botnet or even upload entirely new firmware.

After testing the flaw against a range of Netgear routers, Kenin was surprised to find that more than ten thousand vulnerable devices running the flawed firmware were reachable remotely.

He has also released exploit code, written in Python, for testing purposes.

List of Vulnerable NETGEAR Router Models

The SpiderLabs researcher stressed that the vulnerability is serious because it affects a large number of Netgear router models. The affected models include:

  • R8500
  • R8300
  • R7000
  • R6400
  • R7300DST
  • R7100LG
  • R6300v2
  • WNDR3400v3
  • WNR3500Lv2
  • R6250
  • R6700
  • R6900
  • R8000
  • R7900
  • WNDR4500v2
  • R6200v2
  • WNDR3400v2
  • D6220
  • D6400
  • C6300 (firmware released to ISPs)

Update the Firmware of your NETGEAR Router Now!

Kenin notified Netgear of the flaw, and the company confirmed that the issue affects a large number of its products.

Netgear has released firmware updates for its affected routers, and users are strongly advised to upgrade their devices and to leave remote management disabled unless it is actually needed.

This is the second time in around two months that researchers have disclosed flaws in Netgear routers. Just last month, the US-CERT advised users to stop using Netgear’s R7000 and R6400 routers because of a serious bug that permitted command injection.

In an effort to make its products safer, Netgear recently partnered with Bugcrowd to launch a bug bounty program that pays researchers up to $15,000 for finding and responsibly reporting flaws in its hardware, APIs and mobile apps.

via https://ift.tt/2jOSCso

PCI SSC publishes best practices for securing e-commerce

Exponential online sales growth paired with the EMV chip migration in the US makes e-commerce payment security for merchants more important than ever before. As EMV chip technology continues to reduce face-to-face credit card fraud, the shift to e-commerce security becomes increasingly important to businesses large and small.


Best practices for securing e-commerce

To help merchants shore up their e-commerce platforms, the PCI Security Standards Council released Best Practices for Securing E-commerce. The information supplement will educate merchants on accepting payments securely online and is an update to existing guidance previously published in 2013.

Educating merchants

Securing the e-commerce environment continues to be critically important. A recent survey found that 66% of consumers claim they won’t purchase from an organization that has been breached.

The Best Practices for Securing E-commerce information supplement includes practical recommendations and case studies to help merchants identify the best solution for their specific cardholder data environment.

Guidance for third party e-commerce service providers

In addition to educating merchants, this latest resource from the Council also provides guidance for third party e-commerce service providers and assessors that support the ongoing security of e-commerce environments.

Following industry recommendations, in December 2015 the Council announced that all organizations that accept payment cards must use TLS 1.1 or higher by June 2018 (TLS 1.2 is strongly encouraged). SSL/TLS encrypts the channel between two endpoints (for example, between a web browser and a web server) to provide confidentiality and integrity for the data transmitted over it.

To underline the importance of using an encrypted channel, Google announced that beginning in January 2017 the Chrome browser marks HTTP pages that collect passwords or credit card data as "Not secure".

As there is still confusion in the industry regarding encryption and certificate selection, a large portion of the e-commerce supplement is dedicated to explaining SSL/TLS, with guidance on how to select a certificate authority, an outline of the different types of certificates, and a list of potential questions merchants can ask service providers regarding digital certificates and encryption.

“Our community of members boasts a wealth of payment security knowledge to protect e-commerce transactions all over the world,” said Troy Leach, Chief Technology Officer for the Council. “This information supplement is a testament to their collaboration and willingness to share their experience with others and provides easy to understand examples of e-commerce scenarios along with best practices to secure cardholder data and meet PCI DSS requirements. Their engagement on Council efforts like this paper, the Small Merchant Task Force, and other resource guides help educate merchants on how to make better business decisions to secure cardholder data. Our aim is to make cardholder data more secure in the most sensible way possible.”

via https://ift.tt/2kTUBxo

Google Adds Security Key Enforcement to G Suite Apps, Hosted S/MIME to Gmail

Google on Wednesday pumped more life into the use of physical keys as a second form of authentication when it added Security Key enforcement support to G Suite.

Admins inside enterprises managing deployments of the suite of cloud-based productivity apps, formerly known as Google Apps, can now enable two-step verification using Security Keys as a second factor.


Security Keys are physical USB tokens that can be configured to cryptographically verify a user at login.

Google also announced the availability of a hosted S/MIME service extending encryption capabilities on Gmail beyond TLS.

“TLS only guarantees to the sender’s service that the first hop transmission is encrypted and to the recipient that the last hop was encrypted. But in practice, emails often take many hops (through forwarders, mailing lists, relays, appliances, etc),” Google said. “With hosted S/MIME, the message itself is encrypted. This facilitates secure transit all the way down to the recipient’s mailbox.”

Google said hosted S/MIME adds account-level signature authentication, unlike DKIM, which authenticates only the sending domain.

“This means that email receivers can ensure that incoming email is actually from the sending account, not just a matching domain, and that the message has not been tampered with after it was sent,” Google said.

On both fronts, Google is providing users additional identity verification and authentication. With Security Keys, which Google has supported since 2014, Google is positioning this support as enhanced protection against phishing.

“Instead of entering a unique code as a second factor at sign-in, Security Keys send us cryptographic proof that users are on a legitimate Google site and that they have their Security Keys with them,” said Christiaan Brand and Guemmy Kim of the Google Account Security team. “Since most hijackers are remote, their efforts are thwarted because they cannot get physical possession of the Security Key.”
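The origin binding Brand and Kim describe is what makes Security Keys resist phishing: the browser, not the web page, writes the site’s origin into the data the key signs, so a signature produced on a look-alike page is useless on the real one. The model below is an added example written for this page, not Google’s or the FIDO Alliance’s code. It assumes a hypothetical relying party at https://accounts.example.com and a constructed look-alike domain, and an HMAC over a per-registration secret stands in for the token’s ECDSA signature.

```python
import hashlib
import hmac
import json
import secrets

APP_ID = "https://accounts.example.com"  # assumed relying party; not from the article


def _signed_msg(app_id, counter, client_data):
    """What a U2F token signs: sha256(app_id) || presence flag || counter || sha256(client_data)."""
    return (hashlib.sha256(app_id.encode()).digest() + b"\x01"
            + counter.to_bytes(4, "big") + hashlib.sha256(client_data).digest())


class Token:
    """The hardware key: one secret per registration plus a monotonically increasing counter."""

    def __init__(self):
        self._regs = {}       # key handle -> (app_id, secret)
        self._counter = 0

    def register(self, app_id):
        handle = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self._regs[handle] = (app_id, secret)
        return handle, secret   # a real token returns a public key; HMAC needs the shared secret

    def sign(self, handle, app_id, client_data):
        reg_app_id, secret = self._regs[handle]
        if reg_app_id != app_id:
            raise ValueError("key handle was not registered for this app ID")
        self._counter += 1
        sig = hmac.new(secret, _signed_msg(app_id, self._counter, client_data), hashlib.sha256).digest()
        return self._counter, sig


class RelyingParty:
    """The web service: hands out challenges and verifies the key's response."""

    def __init__(self, app_id):
        self.app_id = app_id
        self._keys = {}         # key handle -> [secret, last seen counter]
        self._pending = set()   # outstanding challenges

    def enroll(self, handle, secret):
        self._keys[handle] = [secret, 0]

    def issue_challenge(self):
        ch = secrets.token_urlsafe(32)
        self._pending.add(ch)
        return ch

    def verify(self, handle, client_data, counter, sig):
        cd = json.loads(client_data)
        if cd.get("challenge") not in self._pending:
            return False    # unknown or already consumed challenge
        if cd.get("origin") != self.app_id:
            return False    # the key was used on some other site: phishing
        secret, last = self._keys[handle]
        expected = hmac.new(secret, _signed_msg(self.app_id, counter, client_data), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False    # client data was altered after signing, or wrong key
        if counter <= last:
            return False    # replayed response or cloned key
        self._keys[handle][1] = counter
        self._pending.discard(cd["challenge"])
        return True


def browser_assert(token, handle, app_id, challenge, page_origin):
    """The browser builds the client data and fills in the origin itself; the page cannot lie about it."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    counter, sig = token.sign(handle, app_id, client_data)
    return client_data, counter, sig


def legitimate_login(rp, token, handle):
    ch = rp.issue_challenge()
    return rp.verify(handle, *browser_assert(token, handle, rp.app_id, ch, rp.app_id))


def phished_login(rp, token, handle, rewrite_origin=False,
                  lure="https://accounts-example.com"):   # constructed look-alike domain
    """Attacker relays a real challenge to the victim on the lure page and forwards the response;
    optionally patches the origin field back to the real one before forwarding."""
    ch = rp.issue_challenge()
    client_data, counter, sig = browser_assert(token, handle, rp.app_id, ch, lure)
    if rewrite_origin:
        cd = json.loads(client_data)
        cd["origin"] = rp.app_id
        client_data = json.dumps(cd, sort_keys=True).encode()
    return rp.verify(handle, client_data, counter, sig)


def setup():
    token, rp = Token(), RelyingParty(APP_ID)
    handle, secret = token.register(APP_ID)
    rp.enroll(handle, secret)
    return rp, token, handle
```

Calling `legitimate_login(*setup())` returns True, while `phished_login` returns False whether the attacker forwards the response unchanged (origin mismatch) or patches the origin field (signature no longer matches). Real U2F adds a further layer the model omits: the browser refuses to let a page use an app ID that does not match its own origin at all.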

Google also announced that this protection extends to mobile devices (Android and iOS), since Security Keys that support Bluetooth Low Energy can pair with phones over BLE.

“BLE Security Keys, which work on both Android and iOS, improve upon the usability of other form factors,” Brand and Kim said.

Yesterday’s announcement was a complement to a larger rollout on Monday of enterprise controls to G Suite, Google said.

In addition to Security Key enforcement, G Suite also supports data loss prevention technology in Google Drive. Admins can use it to add security controls to sensitive data and manage content as it’s stored and how it’s shared. It can also be configured to protect scanned documents via OCR and enforce data protection and sharing policies on that front.

Facebook, last week, announced that it had added support for physical keys for account security as a second form of authentication.

“Most people get their security code for login approvals from a text message (SMS) or by using the Facebook app to generate the code directly on their phone. These options work pretty well for most people and in most circumstances, but SMS isn’t always reliable and having a phone back-up available may not work well for everyone,” said Facebook security engineer Brad Hill.

Google, Facebook and other technology providers have for years supported second factors, usually via SMS or email messages that prompt users to enter a code in addition to their passwords. Google said additional protection is coming soon for personal accounts, building on its work with the FIDO Alliance; Google’s own Security Keys implement the FIDO Universal Second Factor (U2F) standard, the company said.

via https://ift.tt/2l0SPGP

Hundreds Of Operations Canceled After Malware Hacks Hospitals Systems

Computer viruses do not discriminate.

They are not just hacking your email and online banking accounts anymore.

Computer viruses do not distinguish between a personal computer or a hospital machine delivering therapy to patients — and the results could prove deadly.

Cyber attacks on hospitals have emerged as a significant cyber security risk in 2016, which not only threaten highly sensitive information but also potentially harm the very lives of those being protected.

In the latest incident, hundreds of planned operations, outpatient appointments, and diagnostic procedures have been canceled at multiple hospitals in Lincolnshire, England, after a "major" computer virus compromised the National Health Service (NHS) network on Sunday.

In a bright-red alert warning labeled "Major incident" on its website, the Northern Lincolnshire and Goole NHS Foundation Trust (NLAG) said its systems in Scunthorpe and Grimsby were infected with a virus on October 30.

The incident forced the trust to shut down all the major systems within its shared IT network in order to "isolate and destroy" the virus and cancel surgeries.

"We have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it," the NHS wrote on its website. "All planned operations, outpatient appointments and diagnostic procedures have been canceled for Wednesday, Nov. 2 with a small number of exceptions."

Some patients, including major trauma patients and high-risk women in labor, were diverted to neighbouring hospitals.

Although the majority of systems are now back and working, the NHS Trust has not provided any specific information about the sort of virus or malware or if it managed to breach any defense.

The incident took place after the U.S. and Canada issued a joint cyber alert warning hospitals and other organizations about a surge in extortion attacks that infect computers with ransomware, which encrypts data and demands money to unlock it.

Although it is unclear at the moment, the virus could well be ransomware, which has previously targeted hospitals and healthcare facilities.

Life Threatening Cyber-Attacks

With the rise of the ransomware threat, we have seen enormous growth in the malware business.

The stream of Bitcoin payments flowing into the underground economy has encouraged ransomware authors to adopt new distribution and infection methods to raise their success rate.

Today, both corporations and hospitals are soft targets for ransomware.

Since earlier this year, over a dozen hospitals have been hit by ransomware that froze central medical systems, pressuring them to pay the ransom demanded.

Advances in medical technology have digitized patient data as Electronic Medical Records (EMR) stored in a hospital’s central database.

Because delaying treatment by locking those records, even temporarily, can cost lives, attackers count on a near-certain payout when they hit a hospital with ransomware.

For this reason, hospitals have in most cases agreed to pay the ransom.

Earlier this year, the Los Angeles-based Hollywood Presbyterian Medical Center paid $17,000 in Bitcoin to cybercriminals to restore access to its electronic medical systems after ransomware hit the hospital.

Also back in April, the MedStar Health chain, which runs a number of hospitals in the Baltimore and Washington area, was attacked with Samsam ransomware (or Samas), which encrypted sensitive data at the hospitals.

Subsequently, many more hospitals, including Methodist Hospital in Henderson, Kentucky, Desert Valley Hospital in California and Chino Valley Medical Center, have been infected with ransomware.

via https://ift.tt/2eXHg3c

Three hospitals in England cancel operations over computer virus

Planned operations and outpatient appointments have been cancelled at three hospitals in northeastern England after a computer virus infected a health service network, the National Health Service Trust said.

In a post on its website, the Northern Lincolnshire and Goole NHS Foundation Trust called the attack a "major incident" and said it had cancelled all planned operations, outpatient appointments and diagnostic procedures for Wednesday.

via https://ift.tt/2f7Xnvz

Indian teen arrested in US for cyber attack choking 911 lines

An Indian-origin teenager has been arrested in the US for carrying out a cyber attack that swamped Arizona’s emergency services with bogus calls, an incident he claimed was a harmless joke gone wrong. Meetkumar Hiteshbhai Desai was taken into custody after the Surprise Police Department in Arizona notified the Sheriff’s Office of more than 100 hang-up 911 calls.

via https://ift.tt/2fBBvth

Infernal Twin Updated 2.6.11 – Automated Wireless Hacking Suite

Infernal Twin is an automated wireless hacking suite written in Python that automates many of the repetitive tasks involved in security testing of Wi-Fi networks.


Originally created to automate the Evil Twin attack, it has grown much beyond that into a comprehensive suite including various wireless attack vectors.

In an evil twin attack, the attacker configures a rogue access point with the same service set identifier (SSID) as a legitimate AP at a hotspot or on a corporate wireless network. The attacker then disrupts or disables the legitimate AP by disconnecting its clients, directing a denial of service against it, or creating RF interference around it.

Users lose their connections to the legitimate AP and re-connect to the “evil twin,” allowing the hacker to intercept all the traffic to that device.
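As an added example that is not part of Infernal Twin, the script below shows the defender’s side of the attack just described: it parses the output of `iw dev <iface> scan` and flags a second BSSID advertising a trusted SSID, or an open network posing as one that is normally WPA2-protected (an evil twin that drops encryption so it can read the traffic). The scan text, the SSID and the BSSID allow-list are constructed for the example; in practice the allow-list comes from the WLAN controller or a site survey.

```python
import re

# Constructed allow-list: which BSSIDs may legitimately advertise each SSID, and whether
# the network is supposed to be protected (RSN/WPA2). Not from the original page.
KNOWN_APS = {
    "CorpWiFi": {"bssids": {"00:11:22:33:44:55", "00:11:22:33:44:56"}, "secured": True},
}

# Constructed `iw dev wlan0 scan` output: a genuine CorpWiFi AP, an open rogue AP using the
# same SSID with a stronger signal, and an unrelated network.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
\tfreq: 2437
\tsignal: -61.00 dBm
\tSSID: CorpWiFi
\tRSN:\t * Version: 1
BSS de:ad:be:ef:00:01(on wlan0)
\tfreq: 2437
\tsignal: -38.00 dBm
\tSSID: CorpWiFi
BSS 66:77:88:99:aa:bb(on wlan0)
\tfreq: 5180
\tsignal: -70.00 dBm
\tSSID: GuestNet
\tRSN:\t * Version: 1
"""

BSS_LINE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE)


def parse_iw_scan(text):
    """Reduce iw scan output to one dict per BSS: bssid, ssid, freq, signal, secured."""
    cells, cur = [], None
    for line in text.splitlines():
        m = BSS_LINE.match(line)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": "", "freq": None,
                   "signal": None, "secured": False}
            cells.append(cur)
            continue
        if cur is None:
            continue
        field = line.strip()
        if field.startswith("SSID:"):
            cur["ssid"] = field[len("SSID:"):].strip()
        elif field.startswith("freq:"):
            cur["freq"] = int(field.split()[1])
        elif field.startswith("signal:"):
            cur["signal"] = float(field.split()[1])
        elif field.startswith(("RSN:", "WPA:")):
            cur["secured"] = True      # RSN = WPA2, WPA = WPA1; an open AP prints neither
    return cells


def find_evil_twins(cells, known=KNOWN_APS):
    """Flag BSSs that advertise a trusted SSID from an unknown BSSID or without encryption."""
    findings = []
    for cell in cells:
        profile = known.get(cell["ssid"])
        if profile is None:
            continue                   # not one of our networks; out of scope here
        if cell["bssid"] not in profile["bssids"]:
            findings.append((cell["ssid"], cell["bssid"],
                             "unknown BSSID advertising a trusted SSID"))
        if profile["secured"] and not cell["secured"]:
            findings.append((cell["ssid"], cell["bssid"],
                             "open network impersonating a protected SSID"))
    return findings
```

On a live system, feed the text of `iw dev wlan0 scan` to `parse_iw_scan` and run `find_evil_twins` over the result; the rogue in the sample is reported twice, once for its unknown BSSID and once for being open, and its stronger signal (-38 dBm versus -61 dBm) is exactly what pulls clients over once the real AP is jammed.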

Features

  • WPA2 hacking
  • WEP Hacking
  • WPA2 Enterprise hacking
  • Wireless Social Engineering
  • SSL Strip
  • Report Generation
  • Note Taking
  • Data saved in Database
  • Network mapping
  • MiTM
  • Probe Request

Latest Changes

  • Added Log retrieval button for various attack results.
  • Added BeeF XSS framework Integration
  • Added HTTP Traffic View within tool
  • Improved Infernal Wireless Attack
  • Visual View of some of the panel improved
  • Improved Basic Authentication during Social engineering assessment over wireless network

You can download Infernal Twin here: infernal-2.6.11.zip, or read more here.

via https://ift.tt/2f9dBoH

Major Call Center Scam Network Revealed – 56 Indicted

This week the US Attorney for the Southern District of Texas unsealed indictments against 56 individuals operating a conspiracy to commit wire fraud through a sophisticated scam involving five call centers in Ahmedabad, Gujarat, India.

The call centers — HGlobal, Call Mantra, Worldwide Solutions, Sharma Business Process Outsourcing Services, and Zoriion Communications — placed calls in five primary types of telefraud, and then laundered the money through a network of Domestic Managers, Runners, and Payment Processors in the United States. The money was then moved via a Hawaladar, a person who runs an underground banking system, or international money transfer service, called a Hawala. Hawala banking speeds the availability of international funds by operating on a trust system in which the Hawaladar can incur or pay debts in one country for a large number of trusted parties from locally available funds on hand.

October 27, 2016 Press Release

Fraud types

IRS Scams: India-based call centers impersonated U.S. Internal Revenue Service officers and defrauded U.S. residents by misleading them into believing that they owed money to the IRS and would be arrested and fined if they did not pay their alleged back taxes immediately.

Law Enforcement Scams: India-based call centers also impersonated various law enforcement agencies, as with the IRS scams, threatening immediate arrest if the victim did not transfer funds. (This blog has covered this scam before, including sharing a recording of one such call; see "Warrant for Your Arrest Phone Scams" from November 7, 2014.)

USCIS Scams: India-based call centers impersonated U.S. Citizen and Immigration Services (USCIS) officers and defrauded U.S. residents by misleading them into believing that they would be deported unless they paid a fine for alleged issues with their USCIS paperwork.

Payday Loan Scams: India-based call centers defrauded U.S. residents by misleading them into believing that the callers were loan officers and that the U.S. residents were eligible for a fictitious "payday loan".  They would then collect an upfront "worthiness fee" to demonstrate their ability to repay the loan.  The victims received nothing in return.

Government Grant Scams: India-based call centers defrauded U.S. residents by misleading them into believing that they were eligible for a fictitious government grant. Callers directed the U.S. residents to pay an upfront IRS tax or processing fee.  The victims received nothing in return.

Roles in the Operation

In the US, the primary parties were the Domestic Managers, the Runners, and the Payment Processors. A Domestic Manager directed the activities of the Runners and provided them with the resources they needed to do their work, including vehicles and credit cards to pay business expenses. The Runners’ job was to purchase temporary "GPR cards" (General Purpose Reloadable) and send the card details to the scammers working in the call centers in India. When a scam reached its "payout" stage, the funds were transferred from the victim to a Runner’s GPR card. The Runners would then withdraw the cash and send it further upstream, often via Western Union or MoneyGram using false identification documents.

Data Brokers helped generate "lead lists" for the call center operators. (For example, one of the data brokers used by the call centers worked as an IT consultant for a company in New York. Vishal Gounder stole PII from company databases and used the identities to activate GPR cards.)

Payment Processors acted as intermediaries between the Runners and the call centers, moving funds either through Hawaladars or via GPR cards and international wire transfers.

The Indicted

The largest number of arrested and indicted individuals came from the HGlobal call center. I’ve illustrated the information from the indictment below:

HGlobal: Runners in 8 states, including Alabama
The other Ahmedabad, Gujarat, India Call Centers and their indicted members

 

GreenDot Investigations 

One way the members of the conspiracy were tracked was through their reliance on certain GPR cards, including GreenDot MoneyPak cards. When a GreenDot MoneyPak card is used, an identity and a telephone number have to be associated with the card. The call centers in India operate primarily by using "Magic Jack" devices to place unlimited international calls over Voice over IP (VoIP) lines on which they can choose the caller ID number that is displayed. GreenDot investigators found that more than 4,000 GreenDot cards had been registered to the same Magic Jack telephone number, (713) 370-3224, using the identity details of more than 1,200 different individuals!

That Magic Jack number was controlled by Hitesh Patel, the call center manager of HGlobal.

The criminals did a poor job back-stopping their fake identities.  In this case, the Magic Jack was registered to the email "acsglobal3@gmail.com" which used as its recovery email hitesh.hinglaj@gmail.com, which lists the telephone number 9879090909, which Hitesh also used on his US Visa Application.  The Magic Jack device had been purchased in Texas by Asvhwin Kabaria, who used the email acs.wun@gmail.com to send the news to acsglobal3@gmail.com that he was shipping him 20 Magic Jack devices via UPS.  The same individual would ship more than 100 Magic Jack devices to other members of the conspiracy, including people in India and in Hoffman Estates, Illinois.

Another Magic Jack number, (630) 974-1367, was associated with 990 Green Dot GPR cards using 776 different stolen identities. (785) 340-9064 was associated with 4,163 Green Dot cards using 1,903 different stolen identities! That one was used by Jatan_oza@rocketmail.com, which was frequently checked from the same IP address from which Magic Jack calls using this number were originating.

Sunny Joshi (sunny143sq@yahoo.com) was shown to have purchased $304,363.45 worth of GPR cards in a single month (October 2013!). Emails to and from Sunny often had spreadsheets documenting which transactions had been funded by which GPR cards. One spreadsheet showed $239,180.79 worth of transactions from 116 different cards!

Another investigative trick was to look for cards that were used in "geographically impossible" situations.  For example, on January 13, 2014 at 11:37 AM a conspirator used a card to buy gas in Racine, Wisconsin.  On the same day at 12:46 PM the same card was used to buy groceries in Las Vegas, Nevada.
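The "geographically impossible" check is easy to automate. The code below is an added example, not code from the investigation or the blog: it sorts each card’s purchases by time and flags any consecutive pair that would have required travelling faster than an airliner. The first two transactions follow the Racine/Las Vegas account above; the coordinates, card identifiers, the 900 km/h ceiling and the second card’s transactions are constructed, and all timestamps are assumed to be in one time zone.

```python
import math
from collections import defaultdict
from datetime import datetime

MAX_KMH = 900.0   # assumed ceiling: about airliner cruise speed; anything faster is impossible

# Constructed records: (card_id, timestamp, merchant, latitude, longitude). The first two
# mirror the Racine -> Las Vegas pair from the post; the second card is a normal day's use.
TRANSACTIONS = [
    ("GPR-0001", "2014-01-13 11:37", "gas station, Racine WI",  42.726,  -87.783),
    ("GPR-0001", "2014-01-13 12:46", "grocery, Las Vegas NV",   36.170, -115.140),
    ("GPR-0002", "2014-01-13 09:00", "pharmacy, Houston TX",    29.760,  -95.370),
    ("GPR-0002", "2014-01-13 15:30", "gas station, Dallas TX",  32.777,  -96.797),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def impossible_travel(transactions, max_kmh=MAX_KMH):
    """Return one finding per consecutive pair of purchases on the same card whose implied
    speed exceeds max_kmh. Two distant purchases in the same minute are flagged as well."""
    by_card = defaultdict(list)
    for row in transactions:
        by_card[row[0]].append(row)

    findings = []
    for card, rows in by_card.items():
        rows.sort(key=lambda r: _ts(r[1]))
        for a, b in zip(rows, rows[1:]):
            hours = (_ts(b[1]) - _ts(a[1])).total_seconds() / 3600.0
            km = haversine_km(a[3], a[4], b[3], b[4])
            if hours <= 0:
                speed = math.inf if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > max_kmh:
                findings.append({"card": card, "from": a[2], "to": b[2],
                                 "km": round(km), "hours": round(hours, 2),
                                 "kmh": None if math.isinf(speed) else round(speed)})
    return findings
```

Running `impossible_travel(TRANSACTIONS)` yields a single finding for GPR-0001: roughly 2,450 km covered in 1.15 hours, an implied speed above 2,000 km/h. Houston to Dallas in six and a half hours is a plausible drive and is not reported. Card-present purchases are the easy case; the same idea applies to logins, where the coordinates come from IP geolocation and the threshold has to be loosened for VPN users.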

At least 15,000 victims have been confirmed to have lost money to these scammers, and an additional 50,000 victims are known to have had their identity details in the possession of these scammers.

The Most Vulnerable Among Us

The most vulnerable victims seem to have been recent immigrants and the elderly: those who are accustomed, through habit or fear, to quickly obeying any order from an authority figure, even when the demand seems implausible. Several victims were ordered repeatedly to purchase the largest possible Green Dot cards ($500 value) and to do so in batches over several days. One victim in 2013 purchased 86 cards worth $43,000 and transmitted the details to the scammers. These cards were accessed from the IP of the 703 Magic Jack phone and transferred by email to "hglobal01@gmail.com".

One resident of Hayward, California was contacted repeatedly from January 9, 2014 through January 29, 2014 and extorted into purchasing 276 MoneyPaks worth $136,000 and transmitting the PINs to the thieves. She was frightened into believing she was speaking with the IRS and would be immediately arrested if she did not comply!

Recent immigrants are also especially vulnerable.  In one of the many examples from the indictment, Rushikesh B., a resident of Naperville, Illinois, was extorted for $14,400 by an individual claiming to be the Illinois State Police and threatening arrest if he did not immediately pay fines related to immigration violations.

Those who work with our elderly and with recent immigrant communities are strongly encouraged to remind them that NO LAW ENFORCEMENT OFFICIAL will EVER take payment for a fine via money transferred over the internet or email! Nor will they ever require a GPR card to be used to pay such a fee!

Anyone who hears of a friend, family member, or co-worker who has been a victim of such a scam is strongly encouraged to file a report.

For all IRS-related telephone scams, please help your colleague report the scam by using the TIGTA website, "IRS Impersonation Scam Reporting", run by the Treasury Department's Inspector General for Tax Administration.

The URL is: https://ift.tt/1PRZw8x

For all other telefraud scams involving government impersonation, this FTC website may be used:

https://ift.tt/2eo9NvK

Email Traffic a key to the Case

The indictment goes on for 81 pages listing incident after incident, including many email accounts used by the criminals. Some of the criminals made accounts for money movement, such as money.pak2012@gmail and payment8226@gmail, but others used their "primary emails", like Cyril Jhon, who used the email cyrilhm2426@gmail for his conspiracy traffic. Saurin Rathod used the email saurin2407@gmail, while Hardik Patel used hardik.323@gmail! One of the payment processors, Rajkamal Sharma, sent over 1,000 emails to conspirators with directions about where to deposit various funds. Almost 50 pages of the 81-page indictment walk through the evidence uncovered by email analysis!

The full indictment is a fascinating read … you can find a copy here:

The indicted:

Hitesh Madhubhai Patel

Hardik Arvindbhai Patel

Janak Gangaram Sharma

Tilak Sanjaybhai Joshi

Saurin Jayeshkumar Rathod

Tarang Ranchhodbhai Patel

Kushal Nikhilbhai Shah

Karan Janakbhai Thakkar

Manish Balkrishna Bharaj

Rajpal Vastupal Shah

Sagar Thakar (aka Shaggy, Shahagir Thakkar)

Cyril Jhon Daniel

Jatin Vijaybhai Solanki

Jerry Norris (aka James Norris, IV)

Nisarg Patel

Miteshkumar Patel

Rajubhai Bholabhai Patel

Ashvinbhai Chaudhari

Fahad Ali

Jagdishkumar Chaudhari (Jagdish)

Bharatkumar Patel (Bharat)

Asmitaben Patel

Vijaykumar Patel

Montu Barot (Monty Barot)

Praful Patel

Ashwinbhai Kabaria

Dilipkumar Ramanlal Patel

Nilam Parikh

Dilipkumar Ambal Patel (Don Patel)

Viraj Patel

Abshishek Rajdev Trivedi

Samarth Kamleshbhai Patel

Harsh Patel

Aalamkhan Sikanderkhan Pathan

Jaykumar Rajanikant Joshi

Anjanee Pradeepkumar Sheth

Kunal Chatrabhuj Nagrani

Subish Surenran Ezhava (aka Chris Woods)

Sunny Tarunkumar Sureja (aka Khavya Sureja)

Sunny Joshi (aka Sharad Ishwarial Joshi, Sunny Mahashanker Joshi)

Rajesh Bhatt (aka Manoj Joshi, Mike Joshi)

Nilesh Pandya

Tarun Deepakbhai Sadhu

Vishalkumar Ravi Gounder (Vishal Gounder)

Bhavesh Patel

Raman Patel

Rajesh Kumar Un

Aniruddh Rajeshkumar Chauhan

Rahul Tilak Vijay Dogra

Vicky Rajkamal Bhardwaj

Clintwin Jacob Chrisstian

Aneesh Antony Padipurikal (Aneesh Anthony)

Jatankumar Kareshkumar Oza (aka Jatan Oza)

Rajkamal Omprakash Sharma

Vineet Dharmendra Vasishtha (aka Vineet Sharma, Vineet Vashistha)

Gopal Venkatesan Pillai

via https://ift.tt/2dSPkmR