The post EU Regulators Imposed over €272.5 Mn in GDPR Fines to Date appeared first on CISO MAG | Cyber Security Magazine.
In total, there have been more than 281,000 data breach notifications since GDPR took effect, with Germany (77,747), the Netherlands (66,527), and the U.K. (30,536) topping the list. Italy tops the list for aggregate fines, with more than €69.3 million (about $84.5 million) imposed since GDPR took effect. Germany and France stand second and third with aggregate fines of €69.1 million and €54.4 million, respectively.
The research findings are based on the latest GDPR fines and data breach reports from the EU, the U.K., Norway, Iceland, and Liechtenstein.
Ross McKean, Chair of DLA Piper’s U.K. Data Protection and Security Group, said, “Fines and breach notifications continue their double-digit annual growth and European regulators have shown their willingness to use their enforcement powers. They have also adopted some extremely strict interpretations of GDPR setting the scene for heated legal battles in the years ahead. However, we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic with several high-profile fines being reduced due to financial hardship.”
Related Story: Four Biggest GDPR Fines of 2020
The post Operation Nova: Global Law Enforcement Agencies Seize ‘Safe-Inet’ Criminal VPN Service appeared first on CISO MAG | Cyber Security Magazine.
According to Europol, the Safe-Inet VPN service had been active for the past decade. Europol said the service gained popularity among underground cybercriminals as a “bulletproof” service because it boasted tools offering up to five layers of anonymous VPN protection. This degree of protection gave cybercriminals a virtual shield that law enforcement organizations around the globe found difficult to penetrate.
Riding the wave of its popularity, the VPN service was sold at a premium to underground threat actors whose operations included ransomware attacks, e-skimming fraud, data breaches, and other forms of cybercriminal activity.
Europol said, “The Law enforcement was able to identify some 250 companies worldwide which were being spied on by the criminals using this VPN. These companies were subsequently warned of an imminent ransomware attack against their systems, allowing them to take measures to protect themselves against such an attack.”
The international takedown was codenamed “Operation Nova.” The law enforcement agencies involved in the takedown include:
The takedown was a coordinated effort by the agencies mentioned above, as Safe-Inet’s infrastructure was spread across the globe. Europol played a pivotal role in making it possible: its European Cybercrime Centre (EC3) brought the law enforcement agencies together to devise a joint strategy and prepare for the final takedown.
Edvardas Šileris, Head of Europol’s European Cybercrime Centre, said, “The strong working relationship fostered by Europol between the investigators involved in this case on either side of the world was central in bringing down this service.”
“The VPN Safe-Inet taken down by [images] in an operation supported by #Europol. Safe-Inet was being used by some of the world’s biggest cybercriminals. Its servers are now offline and more investigations are ongoing. Read more here: https://t.co/zpe7MANzQM pic.twitter.com/nB8VEqepnB”
— Europol (@Europol) December 22, 2020
Safe-Inet’s seizure served as an example of the much-needed international cooperation between countries to take down cybercriminals and make the internet a safer space.
According to the statement by the U.S. Department of Justice, Operation Nova helped seize three domains providing similar services – SAFE-INET.COM, SAFE-INET.NET and INSORG.ORG – which were used for criminal activities. It added that the service websites were offered in English and Russian, indicating the markets the providers were targeting.
Following the seizure, the agencies are investigating the log files and physical infrastructure confiscated from Safe-Inet to identify the cybercriminals who used the service.
Related News:
Europol and European Commission Launch New Decryption Platform to Combat Encryption Misuse
The post 45 Mn Unique Medical Images Exposed Online via Unprotected Servers appeared first on CISO MAG | Cyber Security Magazine.
The data breach came to light after CybelAngel’s six-month investigation into Network Attached Storage (NAS) devices and Digital Imaging and Communications in Medicine (DICOM), the communication standard used by health care providers to send and receive medical data.
CybelAngel’s researchers examined over 4.3 billion IP addresses and found more than 45 million unique medical images left exposed on 2,140 unprotected servers across 67 countries, including the U.S., the U.K., and Germany. “The analysts found that openly available medical images, including up to 200 lines of metadata per record, which included PII (personally identifiable information; name, birth date, address, etc.) and PHI (height, weight, diagnosis, etc.), could be accessed without the need for a username or password. In some instances, login portals accepted blank usernames and passwords,” the researchers explained.
David Sygula, Senior Cybersecurity Analyst at CybelAngel, said, “This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by health care professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach.”
Todd Carroll, CybelAngel CISO, said, “Medical centers work with a vast, interconnected web of third-party providers and the cloud is an essential platform for sharing and storing data. However, gaps in security, such as this, present a huge risk, both for the individuals whose data is compromised and the health care institutions that are governed by regulations to protect patients’ data.”
The health care sector faces many challenges in securing medical data. With opportunistic cybercriminals preying on sensitive medical information by exploiting the pandemic, health care providers must strengthen their cybersecurity posture to protect their patients’ personal data.
The post 5 in 10 Ransomware Attacks in 2020 Occurred in the U.S. appeared first on CISO MAG | Cyber Security Magazine.
BlackFog predicts that an organization is attacked by a cybercriminal every 11 seconds and the damage costs from these attacks will hit around $20 billion by 2021.
A recent survey from the Financial Services Information Sharing and Analysis Center (FS-ISAC), highlighted that rapidly evolving ransomware attacks have become a primary security concern for most financial organizations. The research indicated that ransomware operators have openly claimed successful attacks against eight financial institutions globally in 2020, three of which were banks. The FS-ISAC suggested that even organizations with robust cybersecurity defenses are still vulnerable to ransomware threats, especially through their third-party providers. Read the full story here…
The post Lack of Digital Interaction is a Barrier Between U.K. Banks and Customers: FICO appeared first on CISO MAG | Cyber Security Magazine.
“Banks in the U.K. also noted challenges around authentication of existing customers, including complying with legislation. This was a concern for 54% of respondents, probably driven by the Payment Services Directive 2 (PSD2), which establishes technical and operational rules around verifying the real payer, both for banking and payment card accounts. The lack of integration between authentication systems across customer channels is a concern for half of U.K. banks,” the survey stated.
The study revealed that most consumers are looking for digital interaction: 82% of people in the U.K. are prepared to open accounts digitally. However, 54% of U.K. banks said the consistency of identity validation across channels is a challenge. While 72% of banks in the U.K. use digital methods to capture identity for personal bank accounts, only 36% of banks said they capture customer identities and verify them in the same channel. One in three U.K. consumers (32%) said they would abandon an application process if forced to complete it via a non-digital channel.
“Historically, identity solutions were developed for face-to-face interactions and have since been adapted to the needs of new channels and products. As digital interaction is accelerated by the impact of COVID-19, it exposes the weaknesses inherent in using identity verification processes that were not intended for digital channels,” said Sarah Rutherford, Senior Director of Identity Fraud Marketing at FICO.
“Banks need to move fast to work out how identity fits into their digital onboarding and authentication strategies. The fragmented approach is impacting the customer experience. The benefits of moving to a single identity infrastructure across all channels and product lines should be assessed as a matter of priority. This approach reduces unnecessary friction and confusion for customers, avoids multiple copies of documents being held across the institution and facilitates faster onboarding of cross-sell opportunities. Banks that still rely on processes first developed for branches will be disadvantaged,” Rutherford added.
The post Ransomware Paralyzes a German Hospital; Patient Dies due to Delayed Aid appeared first on CISO MAG | Cyber Security Magazine.
Key Highlights
- On September 10, 2020, University Hospital Düsseldorf (UKD) was hit by a ransomware attack by mistake; the attackers were targeting another university with a similar name.
- Nearly 30 internal servers were affected in the attack, which limited the hospital’s health care operations to such an extent that it had to deregister itself from the list of emergency care providers.
- A 78-year-old woman in need of immediate critical care had to be taken to another hospital in Wuppertal, nearly 19 miles (30 km) away. The delay in medical assistance caused by the re-routing probably led to her death.
On September 11, 2020, a 78-year-old woman from Düsseldorf required emergency medical attention for a ruptured aorta. Her medical history was known and stored on the systems of the Düsseldorf University Hospital. However, the hospital was under a ransomware attack that locked its systems while she was being transported to the emergency ward. With the entire hospital system locked down by the cyberattack, the emergency responders in the ambulance carrying the patient were told to take her to another hospital in Wuppertal, nearly 19 miles (30 km) away. Without the patient’s exact records and data, the doctors at Wuppertal could not do much, and the woman, unfortunately, died.
The doctors who attended to her explained that the delay in receiving critical medical aid was the primary reason for her death. Driving so far with a patient in dire need of emergency care was plainly a poor option, but the medics were still following their protocols.
Christoph Hebbecker, a cybercrime prosecutor in the German city of Cologne, told the local media that his office was treating this as a case of “negligent homicide” against the ransomware attackers and was investigating the matter further.
Hebbecker said, “An initial suspicion with regard to negligent homicide is justified.” So far, an investigation into attempted blackmail and computer sabotage has been underway. The exact circumstances that led to the woman’s death will also be investigated in order to establish conclusive evidence. If the delay in services is found to be the primary cause of death, the ransomware attackers could well be charged with negligent homicide.
The post Researchers Issue a Red Flag for RedCurl APT Group appeared first on CISO MAG | Cyber Security Magazine.
Key Highlights
- RedCurl is a Russian-speaking APT Group.
- It has conducted 26 targeted attacks on commercial organizations, out of which 14 were successful.
- Its targets are spread across multiple fields including construction, finance, consulting, retail, banking, insurance, law, and travel.
- The targeted companies are located in Russia, Ukraine, the U.K., Germany, Canada, and Norway.
- It uses phishing and spear-phishing campaigns to distribute its malware.
- Its operators use PowerShell scripts to evade detection by legacy security solutions.
- The attackers used legitimate cloud storage services like Cloudme, koofr.net, pcloud.com, etc. for communicating with the victim’s infrastructure.

Initially, the hacker group carried out extensive research on their targets and drafted a well-written phishing email posing as the target company’s HR staff. They sent the email to multiple employees in the same department, which made the recipients less vigilant: for example, the employees would all receive the same email about annual bonuses.
The attackers paid special attention to the wording of the spear-phishing emails. The emails carried legitimate-looking company addresses and logos and featured a sender address in the company’s own domain name.
RedCurl operators also placed the malicious links to their payloads strategically within the emails. They used archives that directed potential victims to legitimate cloud storage services such as Cloudme, koofr.net, pcloud.com, etc., making the victims believe they were opening a legitimate file containing the annual bonus breakdown. Clicking the link downloaded a Trojan downloader called RedCurl.Dropper (hence the name) onto the victim’s network. Anyone opening this file would trigger the malware installation, which in turn dropped further payloads to search the network and exfiltrate data from all types of files and folders back to the cloud.
What needs to be noticed is how the hackers used cloud technology for infection and exfiltration instead of a traditional CnC/C2 (command and control) server. This shows that threat vectors are evolving and cybercriminals are getting smarter by the day. It will be interesting to see how the defenders evolve.
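As an added illustration (not part of the original article or the researchers’ tooling), the following Python sketch shows one way a defender could surface the pattern described above in proxy logs: a scripting host such as PowerShell talking to the named cloud storage services, and large uploads to them. The key=value log format, the sample lines, the cloudme.com domain and the byte threshold are all assumptions.

```python
import re
from collections import defaultdict

# Cloud storage services the report names as RedCurl's infection/exfiltration channel.
# cloudme.com is assumed to be the domain behind "Cloudme"; the other two are as named.
CLOUD_STORAGE_DOMAINS = ("cloudme.com", "koofr.net", "pcloud.com")
# The report says RedCurl's operators work through PowerShell scripts.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")
UPLOAD_METHODS = ("PUT", "POST")
UPLOAD_BYTES_THRESHOLD = 1_000_000  # assumed tuning value, not from the report

# Constructed sample proxy log lines (the key=value layout is an assumption, not a vendor format).
SAMPLE_LOG = """\
ts=2020-08-12T09:14:02Z host=WS-0142 user=jdoe proc=chrome.exe method=GET dst=www.example.com bytes_out=812
ts=2020-08-12T09:15:40Z host=WS-0142 user=jdoe proc=powershell.exe method=GET dst=api.pcloud.com bytes_out=1204
ts=2020-08-12T09:16:01Z host=WS-0142 user=jdoe proc=powershell.exe method=PUT dst=api.pcloud.com bytes_out=48213344
ts=2020-08-12T09:16:55Z host=WS-0142 user=jdoe proc=powershell.exe method=PUT dst=app.koofr.net bytes_out=17766214
ts=2020-08-12T10:02:13Z host=WS-0077 user=asmith proc=Dropbox.exe method=POST dst=api.dropboxapi.com bytes_out=3312000
ts=2020-08-12T10:05:44Z host=WS-0077 user=asmith proc=outlook.exe method=POST dst=outlook.office365.com bytes_out=5520
ts=2020-08-12T11:30:09Z host=WS-0203 user=bwong proc=chrome.exe method=PUT dst=my.pcloud.com bytes_out=9500000
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value proxy log line into a dict."""
    return dict(FIELD_RE.findall(line))


def is_cloud_storage(dst):
    """True if dst is one of the listed services or a subdomain of one."""
    dst = dst.lower()
    return any(dst == d or dst.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def score_event(ev):
    """Return the reasons an event is suspicious; an empty list means no finding."""
    reasons = []
    if not is_cloud_storage(ev.get("dst", "")):
        return reasons
    if ev.get("proc", "").lower() in SCRIPT_HOSTS:
        reasons.append("scripting host talking to cloud storage")
    if ev.get("method") in UPLOAD_METHODS and int(ev.get("bytes_out", 0)) >= UPLOAD_BYTES_THRESHOLD:
        reasons.append("large upload to cloud storage")
    return reasons


def find_suspicious_hosts(log_text):
    """Aggregate findings per host: bytes sent to cloud storage, reasons seen, and a severity.

    A browser upload on its own is a common false positive (staff legitimately use such
    services), so it is marked "review"; a scripting host in the chain is marked "high".
    """
    findings = defaultdict(lambda: {"bytes_out": 0, "reasons": set()})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        reasons = score_event(ev)
        if not reasons:
            continue
        entry = findings[ev["host"]]
        entry["bytes_out"] += int(ev.get("bytes_out", 0))
        entry["reasons"].update(reasons)
    for entry in findings.values():
        scripted = any(r.startswith("scripting host") for r in entry["reasons"])
        entry["severity"] = "high" if scripted else "review"
    return dict(findings)


if __name__ == "__main__":
    for host, entry in sorted(find_suspicious_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {entry['severity']} ({entry['bytes_out']} bytes) - {sorted(entry['reasons'])}")
```

On the sample data, WS-0142 is flagged high (PowerShell uploading tens of megabytes to two of the services) while WS-0203 is only a browser upload queued for review.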
The post Hackers Launch Cryptocurrency Mining Attack on Supercomputers Across Europe appeared first on CISO MAG | Cyber Security Magazine.
The incident came to light after the University of Edinburgh, which runs the ARCHER supercomputer, reported a security exploitation on the ARCHER login nodes. “Due to a security exploitation on the ARCHER login nodes, the decision has been taken to disable access to ARCHER while further investigations take place,” the authorities said in a statement. Attackers reportedly compromised the login nodes of the supercomputer, while the hardware that runs the computations was not affected.
Similarly, bwHPC, the organization that coordinates research projects across supercomputers in Germany, reported that five of its high-performance computing clusters were taken down due to security incidents.
“Due to an IT security incident the state-wide High Performance Computer (HPC) systems- bwUniCluster 2.0, ForHLR II, bwForCluster JUSTUS, bwForCluster BinAC, and Hawk are currently not available. Our experts are already working on an assessment of the problem,” bwHPC said.
In Switzerland, the Swiss Center of Scientific Computations (CSCS) confirmed that its supercomputer facilities had been attacked and that it had temporarily closed access.
“CSCS detected malicious activity in relation to these attacks. Due to this situation, the external access to the center has been closed until having restored a safe environment. The users were informed immediately and are kept up to date. Not affected are the weather forecasts of MeteoSwiss, which are also calculated at CSCS,” the authorities said.
More security incidents surfaced reporting similar kinds of attacks. A similar intrusion was reported at a high-performance computing center located in Spain. Security researcher Felix von Leitner claimed that a supercomputer stored in Barcelona was affected by a security issue and had been shut down.
It is unclear if the attacks were linked to a particular hacking crew. The authorities did not provide any further information on the security incidents.
The post Attackers Launch DDoS Attack on Food Delivery Startup Liefrando appeared first on CISO MAG | Cyber Security Magazine.
Hackers have launched a distributed denial-of-service (DDoS) attack on Germany-based food delivery service Takeaway.com (Liefrando.de). The attackers demanded two bitcoins (around US$11,000) in ransom to stop the attack. In a DDoS attack, the attackers flood the target with useless traffic to degrade the availability of the services it provides.
Liefrando offers delivery from more than 15,000 restaurants in Germany, where people living under COVID-19 and other health emergency regulations depend heavily on the service. Some customers claimed that the service kept accepting new orders even though its systems were down and the orders were not being processed. The company said it would refund orders that had been paid online and were not delivered.
“Our systems have been attacked and are currently under maintenance to ensure the security of all data. This can lead to a delay in order processing. We apologize for the inconvenience and hope to return to normal soon,” Jitse Groen, Founder and CEO of Liefrando, shared on Twitter.
Groen also shared a note from the attackers which said, “Hi Jitse! Pizza.de is under attack. We want 2 BTC, tell me when you’re ready to pay. After payment we stop attack and help you to protect your company. We can attack another sites takeaway company. We are waiting for your answer.”
Cybercriminals Vow Not to Attack
Amid the Coronavirus pandemic, cyberattacks on the business sector became an additional threat and hurdle for organizations, especially health care providers. On the flip side, several ransomware groups recently came forward to assure that they would hold back from attacking health organizations during the Coronavirus crisis. Lawrence Abrams from BleepingComputer reached out to the operators of the Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker, and Ako ransomware families to find out whether they would stop targeting health care organizations during this time of crisis. The groups also stated that if any health care organization were hit by mistake, they would decrypt it for free.
The post CryptoAG: The Swiss Spying Machine appeared first on CISO MAG | Cyber Security Magazine.
The Swiss company, which was established during World War II, manufactured encryption devices and machines that were sold to countries in the Latin American region including Brazil and Argentina, Asian rivals India and Pakistan, Iran, the African countries of Egypt, Algeria, Libya, Morocco, Tunisia, Ethiopia, Ivory Coast, Nigeria, Tanzania and South Africa, and even the Vatican.
Boris Hagelin, the founder of Crypto, who had fled to the U.S. at the beginning of World War II, had previously worked with the CIA and the National Security Agency (NSA). As he neared retirement, Hagelin put the company up for sale. The CIA and Germany’s spy agency BND, in a bid to keep their upper hand in encryption technology and to decode other countries’ secrets amid the rising geopolitical tensions of the Cold War, showed keen interest in buying the company’s stakes.
Thus, CryptoAG was secretly bought, for US$8.5 million, by a Liechtenstein front company (later known as the SIEMENS group) that was owned 50-50 by the CIA and Germany’s BND. The two nations agreed to let the Swiss spies in on this little secret, while only a few in the top Crypto AG management knew about it. Both the U.S. and Germany asked for an intentional weakening of the encryption products sold to other nations, meaning that whenever required, they could break the encryption algorithms and intercept those countries’ secret communications.
One such example is when the U.S. and Germany were able to intercept communications in which Libyan officials were heard celebrating after terrorists exploded a bomb in a Berlin nightclub in 1984. As the CIA’s ownership was top secret, even the then President of the U.S., Ronald Reagan, had no idea about it: he was publicly quoted suspecting Crypto AG’s involvement in the incident, but these suspicions were never confirmed.
However, Crypto AG’s products are still in use in at least a dozen countries around the world, which means the secrets of these nations could still be monitored. The company was broken up in 2018 and liquidated by its shareholders, whose identities have been permanently protected under the byzantine laws of Liechtenstein, a tiny European nation with a reputation for high financial secrecy.