Zebeth Media Solutions

Security

ZebethMedia Disrupt Battlefield alum Perygee helps secure building operations • ZebethMedia

While ZebethMedia Disrupt Battlefield 2022 is still fresh in our minds, Perygee, a member of the 2020 group, has been helping companies keep their building operations elements secure. It looks at things like HVAC, elevators and sensors, keeping patches up-to-date and searching for vulnerabilities.

Today the company announced a $4.75 million seed round, and the general availability of its self-service tier, which lets companies get started with the product without interacting with a sales team.

Mollie Breen, a former NSA employee, developed the idea for her startup while she was a student at Harvard Business School. “Perygee is a lightweight, complete platform for IoT (Internet of Things) and OT (operational technology) devices,” Breen told ZebethMedia.

She sees one of the company’s key differentiators being time to value. “We’re measuring value in minutes, not months, and we’re complete, so we’re bringing together a lot of different security tools from anomaly detection to vulnerability detection across the entire security stack.”

She says the devices her company looks to secure are tough to track because they are often out of the purview of the IT or security teams, yet they interact with the network, and they can be vulnerable to attack. It leads to security blind spots that Perygee is trying to shed some light on.

“What we saw over the past 24 months is that these blind spots aren’t unique to just HVAC devices and security cameras. It actually applies to all devices. So every IoT-OT device has a physical presence that is managed by some non-security stakeholder, whether it’s facilities or an operations team member like an industrial engineer on a manufacturing floor or a clinical engineer on the hospital floor,” she said.

To help get going quickly, the company has created a no-code workflow tool to automate common security tasks like patching. The automation also helps facilitate coordination between these often disparate teams from building and facilities operations and the network and security teams to make sure that these tasks don’t fall between the cracks.

Today, the product is managing 30,000 devices, and the startup has 7 employees. Breen says that as a female founder, she is particularly aware of building a diverse company from the cap table to the board to the workforce. When we spoke to her about her $1.75 million pre-seed round at the end of 2020, she said she was actively reaching out to diverse talent on LinkedIn, but she recognizes as the company grows that is not a scalable methodology.

“We are looking at our pipeline and looking at the diversity metrics within it. And then I think having internally really honest conversations about where we might be biased around when we’re thinking about hires. I like to be in those rooms because I’d like to think of myself as someone who has a particular pulse on where biases, especially towards women candidates, can show up and how we make sure that we’re not applying those biases to our pipeline,” she said.

Today’s seed round was led by Ballistic Ventures with help from BBG Ventures, a firm that backs early-stage startups with female founders, and several industry angels. The company has raised $6.35 million to-date.

RapidSOS, a big data platform for emergency first responders, raises $75M • ZebethMedia

Emergency response services have had a big boost of data thanks to advances in connected technology, with watches that can detect when their wearers are falling down and are experiencing trauma, cars that can pinpoint where their drivers are located, and home systems that can transmit important data about fires when you cannot: just a few of the innovations we’ve seen in recent years. Today, a startup called RapidSOS, which helps connect those data points with those who can turn them into action, is announcing some funding as it continues to grow.

The startup has raised $75 million from a group of investors led by security and safety specialist VC NightDragon, with participation also from BAM Elevate, Insight Partners, Honeywell, Microsoft’s Venture Fund M12, Axon, Citi via the Citi Impact Fund, Highland Capital Partners, Playground Global, Forte Ventures, C5 Capital, and Avanta Venture.

RapidSOS founder and CEO Michael Martin said that it is not disclosing valuation but it has now raised more than $250 million, and will be using this latest capital injection both to expand its technology and its business overall.

The two go hand-in-hand: RapidSOS works with major device and software makers, from whom it takes the data points that their services create; applies data science to them to make better sense of the information; and translates that into information that emergency response centers — using a wide variety of their own software — can then use to do their work in triaging and calling out response teams.

Considering that emergencies are precisely the kinds of critical situations that need to work quickly and efficiently, the landscape of players involved is in reality huge and fragmented. RapidSOS currently counts 90 tech companies (covering more than 500,000 connected devices and buildings), over 50 public safety vendors, and 15,000+ first responder agencies as customers and users of its platform. So far this year, this has worked out to handling 130 million emergencies.

All those numbers represent big growth for the company over last year, when RapidSOS announced $85 million in funding. But considering there are more than 14.4 billion connected devices globally (that includes IoT), and that data and information in the name of quick response can extend into even more areas like smart traffic routing, there is a lot of room to grow.

The company’s business today is primarily in the U.S., with operations also in the U.K./Europe and South America, and services soon to be turned on in Japan (helped by a strategic partnership with one of its investors, NTT Docomo) and South Africa.

The heart of RapidSOS’s business is a platform that provides APIs to technology, insurance and healthcare companies (the list of tech companies includes the likes of Apple, Google, Uber, SiriusXM and more), which can in turn be used both to channel data and direct voice connections between those companies’ users and emergency response centers. These work on the basis of continuous monitoring that might or might not have the proactive input of the users themselves, depending on the situation.

So global events like the pandemic or a natural disaster might be front of mind as typical use cases (I first heard of the company when it went viral during a string of natural disasters years ago), but others include health monitoring for vulnerable individuals, vehicle crash detection, home security, fire, enterprise security, gunshot detection, personal safety, and critical event management.

In addition to the tech that it has built to make those connections and parse the data that comes out of them, it’s proven to be a middle man in translating some of the newer innovations at the tech end into actions at the lower-tech responders’ end.

“Before, 911 wouldn’t even know your name,” said Martin. “Now they have a live feed of the situation. It’s half a billion devices now working in harmony to save you.”

That work has included RapidSOS giving some 20,000 hours of training each year for emergency response centers to “understand emergency workflows and identify technology solutions to solve hard challenges such as verification,” in the words of the company. Some of the triangulation that it’s devised in aid of that verification is showing up in the company’s IP: it has filed a patent on the use of social media as a channel for emergency management (RapidSOS has dozens of patents and patent applications overall).

Martin said that the plan was not to raise so soon again after last year, but given the tricky funding climate, the decision was made to double down now, with NightDragon’s focus being a special draw. The firm has made many investments in cybersecurity, but also others working in the adjacent spaces of security and safety such as HawkEye 360, Kraus Hamdani Aerospace, Capella Space, Premise Data and Interos.

“When we look at building greater security and safety for people around the world, this requires greater and more accurate response services for emergencies,” said Dave DeWalt, NightDragon’s founder (and the former CEO of FireEye, McAfee and Documentum). “By leveraging technology, we can save lives and help people feel more secure. NightDragon feels RapidSOS is best positioned to deliver on this mission, and we look forward to working closely with the team to accelerate it.”

NightDragon’s wider activity, and RapidSOS’s growth, both speak to a pretty salient point in the current market. Those building something that might be considered critical are weathering the storm better than some others.

“We have invested in now 13 companies out of our NightDragon Growth I fund, which we announced last July,” said DeWalt. “We have always been diligent around valuation and ensuring that we are investing at multiples that reflect the value that our team and platform bring to the table. For that reason, our investment strategy in our current market hasn’t changed much as we are still following those core principles.”

To better thwart ransomware attacks, startups must get cybersecurity basics right • ZebethMedia

The Department of Justice (DOJ) famously declared 2021 as the “worst year” for ransomware attacks, but it seems that title could be in 2022’s hands very soon.

Despite some rare wins in the war against hackers over the past 12 months — from the government’s seizure of $2.3 million in bitcoin paid out to the Colonial Pipeline hackers, to its successful disruption of the notorious REvil gang — the ransomware threat continues to grow. Over the past few months alone, we’ve seen threat actors ramping up attacks against public sector organizations, including hospitals, schools and in the case of Costa Rica, entire governments. The private sector is also battling a worsening ransomware threat, with attackers claiming a number of high-profile victims such as AMD, Foxconn and Nvidia.

“Enable multifactor authentication on everything you have.” Katie Moussouris, founder, Luta Security

Founders of early-stage startups will undoubtedly find it concerning to see even well-known organizations failing to protect themselves from ransomware despite their seemingly endless resources, particularly as it’s unclear exactly where these companies went wrong.

“It could be a zero-day or it could be a failure to implement multifactor authentication (MFA) or an MFA bypass,” said Brett Callow, threat analyst at Emsisoft, during a panel discussion on the ZebethMedia+ stage at Disrupt 2022. “There’s no standard answer, and that is what makes this problem so difficult to deal with.”

PayPal rolls out support for passkeys on Apple devices • ZebethMedia

PayPal is making it easier to log in to its services — if you’re an Apple device user, that is. The payments giant today announced that it’s adding passkeys as a login method for PayPal accounts, allowing iPhone, iPad and Mac users on PayPal.com to sign in without using a password.

Passkeys are a relatively new industry standard created by the FIDO Alliance and the World Wide Web Consortium — in partnership with Apple, Google and Microsoft — that are designed to replace passwords with bits of data called cryptographic key pairs. (To make matters somewhat confusing, Apple announced its own version of the passkey standard called Passkey in June.) The pairs consist of a public key stored in the cloud and a private key stored locally on users’ devices, separated to ensure that a compromised server won’t give an attacker access to account credentials.

Passkeys have the added benefit of supporting a range of authentication techniques including fingerprint scanning, face recognition, PIN codes and even swipe patterns. One downside is that, because passkeys reside on local devices, it can be harder to log into an app or service with them if you’re using someone else’s phone or laptop. But in this way, passkeys are undeniably more secure than your typical password.

With PayPal, Apple device users running iOS 16, iPadOS 16.1 or macOS Ventura can create a passkey by logging into the PayPal website on desktop or mobile, typing their username and password and selecting the “Create a passkey” option. They’ll be prompted to authenticate with Apple Face ID or Touch ID to create the passkey, which will then be synced with Apple’s iCloud Keychain service.

Users with devices that don’t support passkeys can still tap an iPhone to log in with a PayPal passkey, but they’ll have to scan a QR code that appears after they enter their username.

PayPal passkeys begin rolling out today for users in the U.S. Passkeys will become available in additional countries starting early in 2023, PayPal says, and on platforms beyond iOS, iPadOS and macOS “as they add support for passkeys.”

US charges two alleged Chinese spies over plot to obstruct Huawei prosecution • ZebethMedia

The U.S. Department of Justice (DOJ) has unsealed charges against two alleged PRC spies who are accused of attempting to obstruct a federal prosecution against Chinese telecommunications giant Huawei.

In a criminal complaint dated October 20 and made public on Monday, the U.S. claims that two Chinese intelligence officers, Guochun He (known as “Dong He”) and Zheng Wang (known as “Zen Wang”), attempted to bribe a U.S. law-enforcement official to obtain what they believed was inside information about the U.S. criminal case against a “global telecommunications company based in China.”

The complaint doesn’t name the company, but the details match up with the known prosecution of the company. Huawei did not respond to a request for comment.

The complaint alleges that He and Wang “attempted to direct a person they believed they recruited as an asset” inside a U.S. government law enforcement agency “to obtain confidential information regarding potential new charges to be brought against [Huawei] for the purpose of obstructing justice.”

The government alleges He and Wang first cultivated their relationship with the law enforcement employee, who is not named, in February 2017, but that person “subsequently began working as a double agent for the U.S. government.”

The men are accused of attempting to extract confidential information about witnesses and trial evidence in the Huawei case and paid the double agent, referred to as “GE-1”, $61,000 in bitcoin, cash and jewelry for what they believed was insider information about the Justice Department’s pending prosecution of the China-based company.

At one point in October 2021, the indictment alleges, the undercover agent passed a single-page document to one of the Chinese intelligence officers, classified as “SECRET”, that detailed U.S. plans to arrest two principals from Huawei living in China. They paid the undercover agent $41,000 just for that single page.

“Far more than an effort to collect information or intelligence, the actions of the PRC intelligence officers charged in this case must be called out for what they are: an extraordinary intervention by agents of a foreign government to interfere with the integrity of the U.S. criminal justice system, compromise a U.S. government employee and obstruct the enforcement of U.S. law to benefit a PRC-based commercial enterprise,” said Assistant Attorney General for National Security Matthew G. Olsen. “The Department of Justice will not abide nation-state actors meddling in U.S. criminal process and investigations, and will not tolerate foreign interference with the fair administration of justice.”

If convicted, He and Wang face up to 60 years and 20 years in prison, respectively.

The case was one of three unsealed on Monday relating to alleged Chinese interference in the U.S. justice system. One in New Jersey charges three Chinese intelligence agents with conspiring to act in the U.S. as illegal agents on behalf of a foreign government, while another in the Eastern District of New York accuses several people working on behalf of the Chinese government of “engaging in a multi-year campaign of threats and harassment to force a U.S. resident to return to China,” Attorney General Merrick Garland said Monday.

A bug in Abode’s home security system could let hackers remotely switch off cameras • ZebethMedia

A security vulnerability in Abode’s all-in-one home security system could allow malicious actors to remotely switch off customers’ security cameras.

Abode’s Iota All-In-One Security Kit is a DIY home security system that includes a main security camera, motion sensors that can be attached to windows and doors, and a hub that can alert users of unwanted movement in their homes. It also integrates with third-party smart hubs like Google Home, Amazon Alexa and Apple HomeKit.

Researchers at Cisco’s Talos cybersecurity unit this week disclosed several vulnerabilities in Abode’s security system, including a critical-rated authentication bypass flaw that could allow anyone to remotely trigger several sensitive device functions without needing a password by bypassing the authentication mechanism of the devices.

The flaw, tracked as CVE-2022-27805 and given a vulnerability severity rating of 9.8 out of 10, sits in the UDP service — a communications protocol used to establish low-latency connections between applications on the internet — responsible for handling remote configuration changes.

As explained by Matt Wiseman, a senior security researcher at Cisco Talos, a lack of authorization checks means an attacker can remotely execute commands through Abode’s mobile and web applications, such as rebooting the device, changing the admin password and completely disarming the security system.

Wiseman told ZebethMedia that, in general, the affected device would be deployed in a local network and wouldn’t be directly accessible over the internet. “The more likely attack is from someone on the local network or if someone has access to the device through Abode’s network — for example, if they have the username and password for the mobile application.”

“That being said, it could be deployed in a situation where it’s directly accessible over the internet or where someone specifically routes traffic to certain services,” added Wiseman.

Talos on Thursday disclosed several other vulnerabilities in Abode’s security system. This includes several 10-rated vulnerabilities that could be exploited by sending a series of malicious payloads to execute arbitrary system commands with the highest privileges and a second authentication bypass flaw that could allow an attacker to access several sensitive functions on the device, including triggering a factory reset, simply by setting a particular HTTP header to a hard-coded value.

Cisco initially disclosed the vulnerability to Abode in July and publicly disclosed the flaws this week after patches were made available. Users are advised to update their Iota All-In-One Security Kit to the latest version as soon as possible.

In a statement given to ZebethMedia, Chris Carney, Abode’s founder and CEO, said: “As a security-first company, we promptly worked to fix, address and patch their findings. This work has already been done, completed and pushed as an update to customers. Additionally, there have been zero reports from Abode customers related to these findings.”

Carney confirmed Abode worked with Talos to resolve the security issues.

News of flaws in Abode’s internet-connected home security system comes after the U.S. government this week shared more details about its plans to launch a cybersecurity labeling program for consumer Internet of Things devices to better protect Americans from “significant national security risks.” The initiative will launch next year for the “highest-risk” devices — including home security cameras.

US to launch ‘labeling’ rating program for internet-connected devices in 2023 • ZebethMedia

The Biden administration said it will launch a cybersecurity labeling program for consumer Internet of Things devices starting in 2023 in an effort to protect Americans from “significant national security risks.”

It’s no secret that IoT devices generally have weak security postures. Weak default passwords have allowed botnet operators to hijack insecure routers to pummel victims with floods of internet traffic, knocking entire websites and networks offline. Other malicious hackers target IoT devices as a way to get a foot into a victim’s network, allowing them to launch attacks or plant malware from the inside.

As American consumers continue to fill their homes with more of these potentially insecure devices, from routers and smart speakers to internet-connected door locks and security cameras, the U.S. government wants to help educate them about the security risks.

Inspired by Energy Star, a labeling program operated by the Environmental Protection Agency and the Department of Energy to promote energy efficiency, the White House is planning to roll out a similar IoT labeling program to the “highest-risk” devices starting next year, a senior Biden administration official said on Wednesday following a National Security Council meeting with consumer product associations and device manufacturers.

Attendees at the meeting included White House cyber official Anne Neuberger, FCC chairwoman Jessica Rosenworcel, National Cyber Director Chris Inglis and Sen. Angus King, alongside leaders from Google, Amazon, Samsung, Sony and others.

The initiative, described by White House officials as “Energy Star for cyber,” will help Americans to recognize whether devices meet a set of basic cybersecurity standards devised by the National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC).

Though specifics of the program have not yet been confirmed, the administration said it will “keep things simple.” The labels, which will be “globally recognized” and debut on devices such as routers and home cameras, will take the form of a “barcode” that users can scan using their smartphone rather than a static paper label, the administration official said. The scanned barcode will link to information based on standards, such as software updating policies, data encryption and vulnerability remediation.

The announcement comes after the White House last year ordered NIST and the FTC to explore two labeling pilot programs on cybersecurity capabilities for IoT devices. It also comes after the U.K. government last year introduced an IoT security bill in Parliament, requiring device manufacturers, importers, and distributors to meet certain cybersecurity standards.

Code analysis tool AppMap wants to become Google Maps for developers • ZebethMedia

In December 2021, a vulnerability in a widely used logging library that had gone unfixed since 2013 caused a full-blown security meltdown.

The 10/10-rated Log4Shell flaw in Log4j, an open source logging software that’s found practically everywhere, from online games to enterprise software and cloud data centers, claimed numerous victims from Adobe and Cloudflare to Twitter and Minecraft due to its ubiquitous presence. It was described by security experts as a “design failure of catastrophic proportions,” and demonstrated the potentially far-reaching consequences of shipping bad code.

Boston-based AppMap, going through ZebethMedia Disrupt Startup Battlefield this week, wants to stop this bad code from ever making it into production.

The open source dynamic runtime code analysis tool, which the startup claims is the first of its kind, is the brainchild of Elizabeth Lawler, who knows a thing or two about security. Prior to founding AppMap, she founded DevOps security startup Conjur, which was acquired by CyberArk in 2017, and served as chief data officer for Generation Health, later acquired by CVS.

After selling two companies into large enterprises with lots of legacy software, Lawler witnessed firsthand how developers were struggling to understand the systems they were tasked with improving, and finding it difficult to deliver fast and secure code in complex microservices and cloud applications.

“It’s surprising to me that people have a mental model of how things work that is actually disconnected from how it actually works,” Lawler tells ZebethMedia. “When we don’t know how our software works, we’re making best guesses when we write code.”

That led to the creation of AppMap, which was built on the simple idea that developers should be able to see the behavior of software as they write it so they can prevent problems when the software runs.

Unlike static analysis tools that don’t show runtime information, AppMap — which was built from the ground up over a three-year period — runs within the code editor to show developers which components are communicating with which components, at what throughput and latency, at what network speed and whether there are any errors between them, enabling developers to get actionable insights and make improvements quicker than before.

All of this is done within an interactive code editor extension, which AppMap designed with the help of comic book artists and musicians in order to make it as easy to use and intuitive as possible.

“I’m a data scientist, so I know how overwhelming data can be,” said Lawler. “Google Maps has elegantly shown us how maps can be personalized and localized, so we used that as a jumping off point for how we wanted to approach the big data problem.”

To coincide with ZebethMedia Disrupt, AppMap is launching three new features: the ability to share and collaborate with other engineers; performance analysis that alerts developers when code changes will impact performance and scalability; and security analysis that can identify software runtime code issues within a developer’s code editor before they commit their code, be it leaking customer data and secrets into log files or missing or improper authentication or authorization.

“We can see the kinds of issues that are now the rising OWASP Top 10. Static issues have gone down in prevalence because we have good scanners for them, but what we don’t have great scanners for are these dynamic issues that are design in nature. If you look at the CWE Top 25, almost half of these are code design issues.”

As it’s based on open source, which is evident from the startup’s community-sourced approach to changing its product and adding new features, AppMap is free for developers to use.

“We don’t believe you should be charged for self-awareness in programming,” Lawler said. “If we’re going to integrate with your GitHub and we have to provide some background functions or storage, then those are paid services.”

AppMap, which is a seed-stage VC-backed pre-revenue startup, currently has more than 20,000 customers — a figure that’s growing by 20% every month — with developers at IBM, NASA, Sonos and Salesforce using its product. It’s also growing its team, which is made up of employees that have coded at some point in their career and hold deep DevOps, automation, cybersecurity and test-driven development experience. Kevin Gilpin, AppMap’s technical co-founder, describes his career highlight as delivering “build your vehicle online” pages for Ford.

Though it only launched in 2021, the startup’s vision goes far beyond preventing developers from shipping bad code.

“We spend a lot of time and energy instrumenting things that are downstream of our application, but we’ve never instrumented the creative process. We’ve never really watched people think, design and create in this way. I think that by having observability data in that moment, it’s going to open up a lot of opportunities. As AppMap evolves, I’d like to think about how this gets even bigger than performance analysis and becomes more of an assistive technology in that realm.”

Tata Power, a top power producer in India, confirms cyberattack • ZebethMedia

Tata Power, a leading power generation company in India, has confirmed it was hit by a cyberattack.

In a brief statement released on Friday, the Mumbai-based company said that the attack impacted some of its I.T. systems.

“The company has taken steps to retrieve and restore the systems. All critical operational systems are functioning; however, as a measure of abundant precaution, restricted access and preventive checks have been put in place for employee and customer-facing portals and touchpoints,” it said in its filing (PDF) with local stock exchanges.

Tata Power did not share any further specifics on the matter. When asked by ZebethMedia, a PR representative refused to answer questions related to the nature of the attack and its impact on the organization, and declined to say whether any data was stolen.

“As stated in the Statement, the Company has taken steps to retrieve and restore the systems. All critical operational systems are functioning,” the representative said.

The company generates, transmits and retails power in the South Asian nation and aims to double the share of clean energy in its portfolio to 60% in five years from about a third now, with a target to become net zero by 2045. It claims to have an installed and managed electricity generation capacity of 13,974MW, which is the highest in the country.

In the recent past, Tata Power has also shown interest in growing its business through rooftop solar and microgrids, storage solutions, solar pumps, EV charging infrastructure and home automation. The company serves more than 12 million consumers via its distributor companies.

The Indian government has highlighted the cybersecurity of the country’s nationwide electricity network as a challenge in its public statements.

A report by U.S.-based cybersecurity company Recorded Future in April alleged that Chinese state-sponsored hackers had targeted the Indian power sector in a long-term project. Indian External Affairs Ministry spokesperson Arindam Bagchi responded to that report and said the country had not raised this issue with China, according to a media report. China’s foreign ministry spokesperson Zhao Lijian reportedly refuted the allegation.

NHS vendor Advanced won’t say if patient data was stolen during ransomware attack • ZebethMedia

The hackers used “legitimate” credentials to breach the vendor’s network

Advanced, an IT service provider for the U.K.’s National Health Service (NHS), has confirmed that attackers stole data from its systems during an August ransomware attack, but refuses to say if patient data was compromised.

Advanced first confirmed the ransomware incident on August 4 following widespread disruption to NHS services across the U.K. The attack downed a number of the organization’s services, including its Adastra patient management system, which helps non-emergency call handlers dispatch ambulances and helps doctors access patient records, and Carenotes, which is used by mental health trusts for patient information.

In an update dated October 12 and shared with ZebethMedia on Thursday, Advanced said the malware used in the attack was LockBit 3.0, according to the company’s incident responders, named as Mandiant and Microsoft. LockBit 3.0 is a ransomware-as-a-service (RaaS) operation that hit Foxconn earlier this year.

In its updated incident report, Advanced said that the attackers initially accessed its network on August 2 using “legitimate” third-party credentials to establish a remote desktop session to the company’s Staffplan Citrix server, used for powering its caregiver’s scheduling and rostering system. The report implies there was no multi-factor authentication in place that would block the use of stolen passwords.

“The attacker moved laterally in Advanced’s Health and Care environment and escalated privileges, enabling them to conduct reconnaissance, and deploy encryption malware,” Advanced said in the update.

Advanced said some data pertaining to 16 Staffplan and Caresys customers (referring to NHS trusts) was “copied and exfiltrated,” a technique known as double-extortion, where cybercriminals exfiltrate a company’s data before encrypting the victim’s systems.

In the update, Advanced said there is “no evidence” to suggest that the data in question exists elsewhere outside our control and “the likelihood of harm to individuals is low.” When reached by ZebethMedia, Advanced chief operating officer Simon Short declined to say if patient data is affected, or whether Advanced has the technical means, such as logs, to detect if data was exfiltrated. LockBit 3.0’s dark web leak site did not list Advanced or NHS data at the time of writing. Short also declined to say if Advanced paid a ransom.

“We are, however, monitoring the dark web as a belt and braces measure and will let you know immediately in the unlikely event that this position changes,” Advanced said in the update.

Advanced said its security team disconnected the entire Health and Care environment to contain the threat and limit encryption, which downed a number of services across the NHS. The extended outage left some trusts unable to access clinical notes and others were forced to rely on pen and paper, BBC News reported in August.

Advanced said its recovery from the incident is likely to be slow, citing an assurance process set by the NHS, NHS Digital and the U.K. National Cyber Security Center.

“This is time-consuming and resource intensive and it continues to contribute to our recovery timeline,” Advanced said. “We are working diligently and bringing all resources to bear, including outside recovery specialists, to help us restore services to our customers as quickly as possible.”

The healthcare industry remains a top priority for ransomware actors. Earlier this month, U.S. hospital giant CommonSpirit was hit by a cybersecurity incident that is disrupting medical services across the country — which it later confirmed was a ransomware attack.
