24.3.18

City of Atlanta computers held hostage in ransomware attack



City officials confirm that Atlanta is dealing with a cyberattack that has locked down some internal systems and is holding them hostage using ransomware.
UPDATE: As of Friday afternoon EDT, the extent of the damage remains unclear. The Atlanta Journal-Constitution reported that Atlanta City Hall employees, when coming to work on Friday, were receiving printed instructions that, as a precaution, they should not use their computers. Hartsfield-Jackson Atlanta International Airport is playing it safe, too, in order to ensure that it remains unaffected. The world’s busiest airport has shut down its free Wi-Fi network and disabled some of its website’s functionalities.
The City of Atlanta’s computer network has fallen victim to a ransomware attack that has encrypted some of the city’s data, Mayor Keisha Lance Bottoms announced at a press briefing on Thursday.
While the full extent of the compromise is still under investigation, the attack is known to have cut off some of the city’s online services, including “various internal and customer-facing applications” used to pay bills or access court-related information.
In addition, the mayor encouraged the city’s employees and anyone who had conducted transactions with the city to keep tabs on their bank accounts in case their personal information has been misused.
New Atlanta Chief Operating Officer Richard Cox, who only started in the role this week, said that several departments have been affected. The departments responsible for public safety, water and airport services are operating as normal, however.
Local news channel WXIA showed a screenshot of an alleged ransom message that had been shared by a city employee. The note demands 0.8 bitcoin (roughly $6,800) per computer or 6 bitcoin ($50,000) for keys to unlock the entire system.
Figure: The announcement of the outages early on Thursday (source: Twitter)
The city learned of the attack at around 5:40 am local time on Thursday, when its IT security team noticed “something that looked peculiar” on a server and began investigating, the city’s acting Chief Information Officer Daphne Rackley was quoted as saying.
As for whether the city would pay the ransom, the mayor said that the city would seek guidance from federal authorities on how to “navigate the best course of action”.

22.3.18

Pirate websites expose users to more malware, study finds



The study found that the more time users spent on pirate sites the higher the likelihood that some type of malware would compromise their computers.
It is hardly a surprise to learn that navigating to pirate websites entails a higher risk of running into malware. But a researcher from Carnegie Mellon University in Pennsylvania, US, set out to quantify the risk that this ‘free lunch’ involves in a real-world setting.
Having observed the online activities of 253 people throughout 2016, Professor Rahul Telang concluded in a newly-released paper that the more time the users spent on piracy sites the higher the likelihood that some type of malware would compromise their computers.
Specifically, every doubling of the amount of time that the users spent on various illegal torrent and streaming sites resulted in a 20-percent increase in malware count on their computers, according to the paper entitled “Does Online Piracy Make Computers Insecure? Evidence from Panel Data”.
Put differently, a 100-percent rise in the time spent on pirate websites increased “the number of malware count by almost 0.05 units”. On average, the visitors of dodgy sites ran into what amounts to 0.24 of a piece of malware per month.
The higher incidence of malware delivery remained unchanged regardless of whether or not adware was included in the equation. “In short, whether we include total malware count or malware count without adware, we find that time spent on infringing sites increases the malware count by almost 20 percent,” reads the study.
Many sites that provide access to pirated content rely on adverts for revenue. However, this may expose visitors to malicious advertising, or ‘malvertising’, in which ads are conduits for a broad range of cyber-threats.
The paper’s classification of files as either benign or malicious relied on the multiscanner site VirusTotal. The paper notes, however, that its measure of malware “is probably an undercount of the actual number of malware files found on user machines since virustotal is not able to identify all malware signatures”.
Another finding gleaned from the study is the fact that people who visit pirate websites are no more likely to take extra precautions by installing anti-malware software. The installation rate for such software was roughly 60 percent for both groups, which were called “infringers” and “non-infringers” in the study. Meanwhile, the infringers were found to spend much more time browsing the internet in general.
To conduct the research, the users’ home computers were fitted with background sensors that captured their browsing data in a discreet manner. The data shed light on a number of parameters – what websites the users visited, if they had anti-malware software or firewalls installed, whether they downloaded any files from sites that make pirated content available, and whether any evidence of malware intrusion into their systems was found.


20.3.18

UK’s National Lottery urges millions of players to change their passwords


The lottery's operator has found that attackers probably used an automated method known as 'credential stuffing' to access up to 150 customer accounts.
The United Kingdom’s National Lottery is advising all of its 10.5 million registered online users to change their passwords as a safety precaution following a security incident.
The recommendation comes after the lottery’s operator, Camelot, detected suspicious activity on a small number of customer accounts. It has found that attackers fraudulently accessed up to 150 customer accounts earlier in March and, once inside, viewed what Camelot described as “very limited information”.
“A much smaller number – fewer than 10 accounts – have had some limited activity take place within the account since it was accessed, but no player has seen any financial loss,” according to the company’s statement.
Camelot has suspended all accounts where suspicious activity was spotted and has contacted their owners in order to help them “re-activate their accounts securely”.
“We are also urging National Lottery players to change their online password, particularly if they use the same password across multiple websites,” reads the statement.
It is understood that the hackers used a common type of automated attack known as ‘credential stuffing’, in which they leverage stolen or leaked authentication details from one online service for attempts to crack open user accounts on other websites.
The success of this attack vector is fueled by the all-too-common practice for many people to recycle their passwords across a number of online services. Frequent data breaches and troves of breached credentials that are readily available online further compound the problem.
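The pattern described above, one source trying leaked credentials against many different accounts and mostly failing, can be spotted in login logs. The following is an added example, not part of the original article or of Camelot's systems; the event format, function name and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (ISO timestamp, source IP, username, outcome).
# 203.0.113.7 tries one leaked password each for many accounts (stuffing);
# 198.51.100.4 is a single user mistyping a password (not stuffing).
SAMPLE_EVENTS = (
    [(f"2018-03-16T02:00:{i:02d}", "203.0.113.7", f"user{i}", "fail") for i in range(18)]
    + [("2018-03-16T02:00:18", "203.0.113.7", "user18", "ok"),
       ("2018-03-16T02:00:19", "203.0.113.7", "user19", "fail"),
       ("2018-03-16T02:01:00", "198.51.100.4", "alice", "fail"),
       ("2018-03-16T02:01:20", "198.51.100.4", "alice", "fail"),
       ("2018-03-16T02:01:40", "198.51.100.4", "alice", "ok")]
)

def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_accounts=10, min_fail_ratio=0.8):
    """Flag source IPs that attempt many distinct accounts, mostly failing,
    inside one sliding window. Returns {ip: accounts that logged in OK}.
    Thresholds are illustrative assumptions, not tuned values."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome == "ok"))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans <= `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            accounts = {user for _, user, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            if len(accounts) >= min_accounts and failures / len(span) >= min_fail_ratio:
                # Accounts that authenticated from a flagged source are the
                # ones to suspend and route through a secure re-activation.
                flagged[ip] = sorted(u for _, u, ok in rows if ok)
                break
    return flagged
```

Counting distinct accounts per source, rather than failures per account, is what separates this from ordinary brute-force lockout logic: each account sees only one or two attempts, so per-account counters never trip.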
The lottery’s website enables customers to fund their National Lottery accounts with credit or debit cards, and then spend the money on online lottery tickets or scratch cards. Camelot gave assurances to The Daily Telegraph that the user accounts do not display full card or bank account details.
In addition, Camelot said that the attackers didn’t gain access to the National Lottery’s core systems or any of its databases that would affect the lottery’s draws or the payment of prizes.
This incident is reminiscent of a similar, though larger, attack in November 2016, when cybercriminals accessed the online accounts of as many as 26,500 National Lottery customers. In September 2017, the lottery’s website and its associated app were unavailable for several hours due to a distributed denial-of-service (DDoS) attack.