Weekly CyberTip: Back to School
It’s a sure sign of the end of summer when kids start heading back to school. Make sure the children in your life are cyber safe as they resume their studies: read and share our ABCs of Cybersecurity article for some great tips to implement this September.
New Hampshire lottery website hit by cyber attack
On Friday, August 26, the New Hampshire lottery and gaming website was compromised after a cyber attack on its third-party hosting provider. According to a statement on the NH Lottery Facebook page, the attackers created a fake banner/pop-up ad on the nhlottery.com website that was intended to lure users into clicking and downloading a .zip file containing malicious code.
During the outage, visitors were warned not to click on any pop-up messages, but for those who might have done so, instructions were provided on how to delete the malicious files and conduct malware scans using freeware tools. Access to the gaming site was shut down for approximately 36 hours as officials worked to resolve the issues and validate services. Operations resumed at around 1:24 a.m. on August 27.
“Our players’ security and integrity of our web platform is our primary concern. We have notified our players of this situation and we will continue to keep the public updated as we receive more information,” advised officials through both social media and local broadcast media. It remains unknown whether personal information was disclosed as a result of the incident.
Chrome users may have received early warning of the attack: the browser’s built-in malware detection alerted visitors to the site with a warning that read: “The site ahead contains harmful programs. Attackers on www.nhlottery.com might attempt to trick you into installing programs that harm your browsing experience (for example, by changing your homepage or showing extra ads on sites you visit),” suggesting that it had detected potential malware embedded on the site.
Fridays are typically the busiest day for lottery sales, with a “Mega Millions” draw taking place at the end of each work week. In-person sales were not affected by the incident.
Hackers demand $10 million USD ransom after cyber attack on French hospital
The Centre Hospitalier Sud Francilien (CHSF), a hospital centre in Corbeil-Essonnes, a suburb southeast of Paris, France, suffered a significant cyber attack late on Saturday, August 20. Hackers claiming responsibility for the attack reportedly demanded a ransom of $10 million USD to release the compromised systems. Hospital administrators were unequivocal in their resolve not to give in to the demands: “You know the hospital would not pay, has not paid and will not pay this type of ransom,” vowed Gilles Calmes, CHSF director.
In response to the attack, the hospital activated its “white plan” – its formal emergency and crisis response plan. Staff were directed to take manual notes until system access can be restored. “Each day we need to rewrite patients’ medications, all the prescriptions, the discharge prescriptions,” according to Dr. Valérie Caudwell, a department head at the hospital. “For the nurses, instead of putting in all the patients’ data on the computer, they now need to file it manually from scratch.”
On its French language emergency status page, the hospital explained: “The establishment is making every effort to maintain the out-patient care of its patients (consultations and care provided in the day hospital) under the required safety conditions. On the other hand, this exceptional situation could have an impact on the activities of the operating rooms, which are closely linked to the hospital’s technology platform. Each patient concerned will be individually informed of possible re-scheduling, with the follow-up planned to ensure continuity of care with the help of hospitals in our region.”
The bulletin advised that, while the emergency room remains open and non-urgent care is still being provided, risky or complex operations have been transferred to other medical facilities as a precaution. All patients are being urged to bring their own documentation (e.g., the results of imaging exams or test results). The bulletin also confirmed that the attack does not affect the operation and security of the hospital building. Local police are investigating the incident while recovery efforts continue.
IoT alert: 80,000 security cameras still unpatched a year after critical fix published
According to researchers from Cyfirma, more than 80,000 Hikvision IP cameras are still vulnerable to “command injection attacks”, despite the fact that a patch for the critical firmware flaw has been available since September 2021. In their August 23 report, the researchers revealed that they had analyzed a sample of about 285,000 Internet-facing cameras and found that nearly 30% of them were still vulnerable to exploitation. About 40% of the unpatched devices are in China or the United States.
While the most common exploitation of the bug is to leverage the cameras as “bots” under a command-and-control infrastructure, a January 2022 advisory from the Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers could take full control of the devices – meaning that a threat actor could abuse the devices to violate the privacy and security of anyone or anything within viewing range of the camera. Despite these warnings, tens of thousands of cameras are still exposed and vulnerable.
The flaw – tracked as CVE-2021-36260 – was disclosed by Hikvision in a September 26, 2021 blog post that provided technical details and a search tool to check for version compliance (any firmware version older than build 210628 is susceptible to the bug, which has been in evidence for at least six years on various models of Hikvision equipment).
The incident is a reminder of the importance of managing IoT devices with the same diligence as more “traditional” computing equipment like PCs and servers. On this and other similar devices, it is essential to maintain current software and firmware updates, strong password protocols, and appropriate device isolation in segregated networks.
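As an added illustration of the three controls named above (current firmware, strong credentials, segregated networks), the following Python script triages a small camera inventory and ranks devices for remediation. It is example code written for this newsletter, not a tool from Cyfirma, Hikvision or CISA. The only value taken from the article is the patched build 210628; the inventory rows, the “Vx.y.z build YYMMDD” firmware-string layout, the column names and the priority scheme are all assumptions made for the example.

```python
"""Added example (not from the newsletter or from Hikvision): an asset-triage
script that applies the three controls the article closes on (firmware
currency, password hygiene, network segregation) to a constructed camera
inventory.  The only value taken from the article is the patched firmware
build 210628; the inventory rows, the "Vx.y.z build YYMMDD" version layout
and the column names are assumptions for illustration."""
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# From the article: Hikvision firmware older than build 210628 (a YYMMDD date) is affected.
PATCHED_BUILD = 210628

# Constructed sample inventory; the column layout is an assumption, not a real export format.
SAMPLE_INVENTORY = """\
hostname,vendor,firmware,internet_exposed,credential_source,vlan
cam-lobby-01,Hikvision,V5.5.0 build 210101,yes,default,corp
cam-dock-02,Hikvision,V5.7.3 build 220325,no,vault,iot-cameras
cam-gate-03,Hikvision,V5.4.5 build 170123,yes,shared,corp
cam-lab-04,OtherVendor,2.1.4,no,vault,iot-cameras
cam-yard-05,Hikvision,V5.5.0 build 210101,no,vault,iot-cameras
"""

BUILD_RE = re.compile(r"build\s+(\d{6})\b", re.IGNORECASE)


@dataclass
class Finding:
    hostname: str
    issues: List[str]
    priority: str


def parse_build(firmware: str) -> Optional[int]:
    """Pull the six-digit YYMMDD build out of an assumed 'Vx.y.z build YYMMDD' string."""
    match = BUILD_RE.search(firmware)
    return int(match.group(1)) if match else None


def needs_firmware_update(build: Optional[int]) -> bool:
    """Builds older than 210628 are affected; an unparseable build is treated as unpatched."""
    return build is None or build < PATCHED_BUILD


def prioritise(issues: List[str]) -> str:
    """Internet-exposed and unpatched is the worst case; either alone still needs action."""
    unpatched = any(i.startswith("unpatched") for i in issues)
    exposed = any(i.startswith("reachable") for i in issues)
    if unpatched and exposed:
        return "high"
    if unpatched or exposed:
        return "medium"
    return "low"


def triage(inventory_csv: str) -> List[Finding]:
    """Return one Finding per device that fails at least one of the three controls."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issues = []
        # Control 1: current firmware (only the Hikvision threshold is known from the article).
        if row["vendor"] == "Hikvision" and needs_firmware_update(parse_build(row["firmware"])):
            issues.append("unpatched firmware (older than build 210628)")
        # Control 2: strong, unique credentials rather than vendor defaults or shared passwords.
        if row["credential_source"] in ("default", "shared"):
            issues.append(f"weak credential practice ({row['credential_source']})")
        # Control 3: isolation on a segregated IoT network instead of the corporate LAN.
        if not row["vlan"].startswith("iot"):
            issues.append(f"not on a segregated IoT network (vlan={row['vlan']})")
        # Exposure multiplies the impact of the other findings, so it feeds the priority.
        if row["internet_exposed"].lower() == "yes":
            issues.append("reachable from the Internet")
        if issues:
            findings.append(Finding(row["hostname"], issues, prioritise(issues)))
    return findings


def summarize(inventory_csv: str) -> Dict[str, int]:
    """Count findings by priority so the backlog can be worked highest-risk first."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for finding in triage(inventory_csv):
        counts[finding.priority] += 1
    return counts


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding.hostname} [{finding.priority}]")
        for issue in finding.issues:
            print(f"  - {issue}")
    print(summarize(SAMPLE_INVENTORY))
```

Run against the constructed inventory, the two Internet-exposed cameras on the corporate VLAN with pre-210628 builds come out as high priority, the isolated but unpatched camera as medium, and the patched or non-Hikvision devices produce no finding. Replacing `SAMPLE_INVENTORY` with an export from a real asset register is the only change needed to use the same logic on an actual fleet; the firmware-string layout and column names would need to match that export.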