The Good, the Bad and the Ugly in Cybersecurity – Week 12

The Good

This week’s good news is a string of convictions displaying law enforcement and the legal system’s determination to fight cybercrime. A Cypriot national who hacked major websites as a teenager and threatened to release the stolen user information unless the websites paid a ransom has been sentenced to federal prison. Joshua Polloso Epifaniou hacked several sites of US companies between October 2014 and November 2016 while living with his mother in Cyprus.

In another case, a Nebraska man was sentenced to 21 months in prison for stealing and selling data from his employer. Timothy Young, 50, of Moorefield, Nebraska, worked at a data analytics and risk assessment firm based in New Jersey. He obtained confidential, non-public information such as names, login names, passwords, email addresses, and telephone numbers belonging to some of the company’s clients. Young was sentenced to three years of supervised release and was ordered to pay restitution of $296,370.

Graham Ivan Clark was behind a headline-hitting hack on Twitter last summer. He has taken a plea deal with prosecutors that will see him serve three years in prison, followed by three years’ probation.

Graham, who orchestrated the hack of famous Twitter accounts including President Joe Biden, former President Barack Obama, Elon Musk, Kanye West, Bill Gates, Jeff Bezos and others, was only 17 at the time of the offense. Consequently, he was sentenced as a “youthful offender” and avoided the minimum 10-year sentence that would have applied if he’d been convicted as an adult.

The Bad

Cyber criminals have been targeting healthcare facilities again this past week, and with fury. Australia’s Eastern Health, the operator of four hospitals in Melbourne, was the victim of a cyber attack that took some of its IT systems offline and forced it to postpone all elective surgeries. The nature of the attack is unclear, but actors targeting healthcare facilities are typically looking to extort victims via ransomware.

Eastern Health stated that “Patient safety has not been compromised”.

The healthcare sector is not the only part of our public infrastructure under attack. The targeting of higher education institutions, K-12 schools and seminaries in 12 US states and the UK has prompted the FBI to issue an alert to the education sector about a ransomware variant called Pysa (also known as Mespinoza).

The variant has been tracked by the FBI since March 2020 and uses an initial penetration vector of either phishing emails or RDP endpoints hijacked via compromised credentials.

Open source Advanced Port Scanners and IP Scanners are then used for network reconnaissance, before more open source tools such as PowerShell and Mimikatz are utilized to upload additional malware, grab passwords and exfiltrate sensitive information to a cloud storage site. Pysa also seeks to disable legacy anti-virus capabilities on the victim’s network before deploying the ransomware, the FBI warned.

The Ugly

Election fraud is something we’ve all been worried about in recent times, but this week electronic vote rigging took a highly unexpected turn. As Hollywood has taught generations of parents and kids, the high school prom is an emotional event in every American teenager’s life. One of the most important aspects of this is the homecoming queen selection ritual. The movies depict how the process of selecting “the most popular girl” can often turn into a beauty contest that gets rather ugly. Now in real life it seems that it has prompted some anxious parent or teen to go so far as committing cyber crimes. A Florida high school conducted online voting to select the winning queen last October, but later found out that 117 votes came from the same IP address within a short period of time.

The fake votes were cast by abusing a system called FOCUS, which houses a wide range of confidential student information, including grades, medical history, test scores, attendance and disciplinary records.

It appears that the winning teen’s mom was a faculty member in the school’s district and had access to the system. Allegedly, the mother or daughter used this access to obtain over a hundred pupil credentials and use those to cast votes in favor of the daughter. The pair were arrested and charged with fraudulently accessing confidential student information, according to the Florida Department of Law Enforcement.