macOS Security | So How Do Macs Get Infected With Malware?

Three pervasive myths about Macs that you can find in almost any online discussion about security and macOS are “Macs are safe by design”, “Macs are not numerous enough to be of interest to malware authors” and (consequently) “there’s no real malware threats out there for macOS”. We’ve talked about the weaknesses in macOS security on a number of previous occasions, and we’ve also talked about some of the common and not-so-common threats that are out there in the wild, too. 

But as I’ve noted in the past, the view of security researchers and the views of those opining on social media are often at odds simply because the latter are speaking from their own experience and don’t have the overview that researchers have. SentinelOne protects hundreds of thousands of Macs and our telemetry paints a very clear picture, a picture that has changed vastly even in the last two to three years. But people can only argue from what they know, so let’s share a little knowledge. How do Macs really get infected? Let’s count the ways.

1. Self-inflicted Damage? Cracks, Pirates and Porn

A common argument among those who grudgingly admit there might be a “minor” problem of malware on macOS is that it is only users engaging in “risky behaviour” that are susceptible to malware, and (for some often unstated reason) this doesn’t count as a “real” problem. This argument is often swiftly followed by the claim that had these users only followed “Apple’s advice”, or “common sense” or some other prescription about what users should and should not do on a computer, then they would not have ended up with malware on their (or their company’s) Macs. The fact they didn’t do the former and ended up with the latter? Well, “only themselves to blame”. 

I believe such moralizing hinders rather than helps the real security effort needed to improve macOS security, not just for this subset of users but for all. I also don’t believe this attitude is representative of Apple itself, if you look at the kind of things that Apple’s own security tools try to detect. Rather, this is the view of a certain vociferous subsection of Apple enthusiasts. 

However, before we get further into that, let’s first take a look at the kind of threats we’re talking about here.

Those that frequent torrent sites in search of free access to copyrighted material – from books and TV series to blockbuster movies and proprietary software – share something in common with those that frequent adult entertainment sites (regardless of whether they are or are not the same users): they are disproportionately likely to expose themselves to macOS malware. 

Take this Torrent user’s offerings, for example. 

As they say on TV, “don’t try this at home, folks!” Taking the first offering in the list, the Adobe Photoshop DMG unpacks to contain both the genuine software, a patch for it, and a hidden cryptominer.

In another example, a number of easy-to-find websites offer “cracked” versions of popular apps, including another Adobe Zii crack. Here’s one:

Clicking on the link for the Adobe Zii 2020 5.2.0 Universal Patcher appears to provide a disk image for the same software.


However, after mounting the image we find no application at all, just a single mach-O file called “AdobeFlashPlayer”. 


A quick lookup of the hash on VirusTotal confirms that it’s malware. 

0d5b129d4e4f1da8847b4579cc8c4f59e12c17effa924bb2624983f0ade51ba4

Yet another site offers a crack of popular video and screencast editing software Camtasia, among many other paid-for applications. In case you know someone tempted, point them to the following sobering reality:

Downloading the DMG we find it contains an “Install” file; this time, neither an App bundle or a mach-O, but an obfuscated shell script.

And, of course, that’s malware, too.

Blaming Users Is No Way To Do Security

Regardless of the source of the infection or the payload delivered, in all these cases the user behaviour has one thing in common: each is attempting to find or obtain some premium product (or service) without paying for it. Knowing this, malware authors lure victims with promises of expensive or popular software and infect them with malware, usually instead of, but sometimes as well as, providing whatever was promised in the lure.

Are these users to blame for their own cheap skating, IP-stealing ways? There’s certainly no argument here that this kind of behavior shouldn’t be condoned and those guilty of actually stealing IP should be sanctioned by the appropriate authorities where possible. But playing the blame game ignores, rather than solves, the security issue. If users are committing crimes, surely we want them to be punished in appropriate ways by the proper authorities, not by malware authors?

More importantly, dismissing victims of supposed ‘self-inflicted’ cyber crime ignores the reality that the damage done by such malware can both have consequences far greater than the supposed ‘crime’ (you tried to steal a $99 software and lost your credit card credentials) and also can collaterally affect other users on the same device or network, a particular worry for enterprises with Mac fleets. 

In short, let’s not leave security in the precarious and unreliable hands of moralists, and instead deal with the problem properly: through advanced behavioral AI that can protect such users from themselves, and protect the rest of us from such users. 

2. Scamware, Scareware and all the PUPs

Not every user infected with macOS malware was looking to get something they should be paying for on the cheap. Some users are looking for genuine software to solve a problem, but they will rapidly encounter all kinds of sites with misleading cues and confusing download buttons, particularly if they are using a browser without some kind of advertising or pop up blocker.

A common source of scareware pop ups is product review sites, many of which are fake and lead consumers on a merry-dance through several links before throwing the inevitable alert claiming something like “Adobe Flash Player is out of date” or “Your Mac is infected with a virus”. 

Similarly, many such sites are littered with malvertising, with flashy graphics or annoying gifs with fake “Close” button lures which, after a few redirects, end up in a predictable pop-up like the one below. In this example, the ‘Later’ button re-pops the alert while the ‘Install’ button treats the user to one variant or another of OSX.Shlayer.

3. Search and (Be) Destroy(ed)

Even without visiting such sites, general Internet searches for macOS-related content can turn up results with JavaScript redirection to fake App Store pages that deliver Shlayer malware, adware or PUP installers.

In this example the user conducts a search via Google for “Can You Expand A Dmg Without Mounting?” Among the the first page hits is this one, hosted on weebly.com:

hxxps://newsletternew979[.]weebly[.]com/can-you-expand-a-dmg-without-mounting[.]html

When the referrer is Google.com, the above site uses Javascript to replace the original content with a fake App Store and download links to OSX.Shlayer malware. 

The site is scripted such that if the user follows a direct link or comes from another search engine, no redirection occurs. However, when the user is referred from Google, the original content is replaced with the fake App Store and the lure to download the malware. 

4. Phishing, Targeted Attacks and…Ransomware?

And all this is without mentioning the actual malware campaigns that are directly aimed at Mac users. In the last 18 months or so, we’ve seen the return of OSX.Dok, unknown actors behind the GMERA malware campaign and plenty of Lazarus/AppleJeus campaigns targeting cryptocurrency exchanges and crypto wallet users to name just a few. 

Only this week a well-known Remote Access Trojan/Backdoor from the Windows world (Dacls RAT) with links to Lazarus APT was discovered to have a macOS variant. 

There is also evidence that the ransomware plague which so far has spared macOS users may be coming our way soon as ransomware-as-a-service vendors like SMAUG begin to offer Mac-compatible malware. At present, we have yet to see this particular threat active in the wild or validated it for it’s efficacy against Mac targets, but the fact that such offerings are being made suggests cyber criminals are aware of the value of infecting macOS users: “Don’t leave money on the table by focusing only on Windows”, the message states.

But…Apple Have Your Back, Right?

Although you can find many Apple enthusiasts and social media “influencers” still denying that there is a malware problem on macOS, you won’t find anyone from Apple sharing that view (if you can find anyone from Apple to share a view, that is…). 

Joking aside, Apple are well aware of the problem and as we’ve pointed out before, have admirably stepped up their attention to security in the last 12 to 18 months. XProtect and MRT.app are now regularly updated, and there’s no doubt that they are both far more comprehensive than they’ve ever been before. Indeed, I’ve even written about how to keep up with Apple’s security updates myself as a means of threat research. 

That said, the issue now is not so much that Apple isn’t working hard to protect the platform as that the current tools on the platform are simply not up to the job. They are built on old technology – Yara Rules, path lists, code signing certificates – that require having already seen a threat before writing a signature to stop it. 

Conclusion

Malware is a growing problem on macOS. It certainly isn’t as big a problem as it is on the Windows platform, but it’s way past the point where anyone with any reasonable knowledge of what’s going on in the wild would deny it. 

Yes, users are sometimes culpable, and sometimes gullible; but burying our collective heads in the sand and assuming that if we can’t see macOS malware it can’t see us will only serve to exacerbate the problem. It’s been proven beyond argument that no matter the platform, the only effective way to do enterprise security is to stop chasing malware samples and start detecting malware behaviors. If you’d like to see how SentinelOne can help protect your enterprise, contact us today or request a free demo.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Run:AI brings virtualization to GPUs running Kubernetes workloads

In the early 2000s, VMware introduced the world to virtual servers that allowed IT to make more efficient use of idle server capacity. Today, Run:AI is introducing that same concept to GPUs running containerized machine learning projects on Kubernetes.

This should enable data science teams to have access to more resources than they would normally get were they simply allocated a certain number of available GPUs. Company CEO and co-founder Omri Geller says his company believes that part of the issue in getting AI projects to market is due to static resource allocation holding back data science teams.

“There are many times when those important and expensive computer sources are sitting idle, while at the same time, other users that might need more compute power since they need to run more experiments and don’t have access to available resources because they are part of a static assignment,” Geller explained.

To solve that issue of static resource allocation, Run:AI came up with a solution to virtualize those GPU resources, whether on prem or in the cloud, and let IT define by policy how those resources should be divided.

“There is a need for a specific virtualization approaches for AI and actively managed orchestration and scheduling of those GPU resources, while providing the visibility and control over those compute resources to IT organizations and AI administrators,” he said.

Run:AI creates a resource pool, which allocates based on need. Image Credits Run:AI

Run:AI built a solution to bridge this gap between the resources IT is providing to data science teams and what they require to run a given job, while still giving IT some control over defining how that works.

“We really help companies get much more out of their infrastructure, and we do it by really abstracting the hardware from the data science, meaning you can simply run your experiment without thinking about the underlying hardware, and at any moment in time you can consume as much compute power as you need,” he said.

While the company is still in its early stages, and the current economic situation is hitting everyone hard, Geller sees a place for a solution like Run:AI because it gives customers the capacity to make the most out of existing resources, while making data science teams run more efficiently.

He also is taking a realistic long view when it comes to customer acquisition during this time. “These are challenging times for everyone,” he says. “We have plans for longer time partnerships with our customers that are not optimized for short term revenues.”

Run:AI was founded in 2018. It has raised $13 million, according to Geller. The company is based in Israel with offices in the United States. It currently has 25 employees and a few dozen customers.

Microsoft to open first data center in New Zealand as cloud usage grows

In spite of being in the midst of a pandemic sowing economic uncertainty, one area that continues to thrive is cloud computing. Perhaps that explains why Microsoft, which saw Azure grow 59% in its most recent earnings report, announced plans to open a new data center in New Zealand once it receives approval from the Overseas Investment Office.

“This significant investment in New Zealand’s digital infrastructure is a testament to the remarkable spirit of New Zealand’s innovation and reflects how we’re pushing the boundaries of what is possible as a nation,” Vanessa Sorenson, general manager at Microsoft New Zealand said in a statement.

The company sees this project against the backdrop of accelerating digital transformation that we are seeing as the pandemic forces companies to move to the cloud more quickly with employees often spread out and unable to work in offices around the world.

As CEO Satya Nadella noted on Twitter, this should help companies in New Zealand that are in the midst of this transformation. “Now more than ever, we’re seeing the power of digital transformation, and today we’re announcing a new datacenter region in New Zealand to help every organization in the country build their own digital capability,” Nadella tweeted.

The company wants to do more than simply build a data center. It will make this part of a broader investment across the country, including skills training and reducing the environmental footprint of the data center.

Once New Zealand comes on board, the company will boast 60 regions covering 140 countries around the world. The new data center won’t just be about Azure, either. It will help fuel usage of Office 365 and the Dynamics 365 back-office products, as well.

GitHub gets a built-in IDE with Codespaces, discussion forums and more

Under different circumstances, GitHub would be hosting its Satellite conference in Paris this week. Like so many other events, GitHub decided to switch Satellite to a virtual event, but that isn’t stopping the Microsoft-owned company from announcing quite a bit of news this week.

The highlight of GitHub’s announcement is surely the launch of GitHub Codespaces, which gives developers a full cloud-hosted development environment in the cloud, based on Microsoft’s VS Code editor. If that name sounds familiar, that’s likely because Microsoft itself rebranded Visual Studio Code Online to Visual Studio Codespaces a week ago — and GitHub is essentially taking the same concepts and technology and is now integrating it directly inside its service. If you’ve seen VS Online/Codespaces before, the GitHub environment will look very similar.

Contributing code to a community can be hard. Every repository has its own way of configuring a dev environment, which often requires dozens of steps before you can write any code,” writes Shanku Niyogi, GitHub’s SVP of Product, in today’s announcement. “Even worse, sometimes the environment of two projects you are working on conflict with one another. GitHub Codespaces gives you a fully-featured cloud-hosted dev environment that spins up in seconds, directly within GitHub, so you can start contributing to a project right away.”

Currently, GitHub Codespaces is in beta and available for free. The company hasn’t set any pricing for the service once it goes live, but Niyogi says the pricing will look similar to that of GitHub Actions, where it charges for computationally intensive tasks like builds. Microsoft currently charges VS Codespaces users by the hour and depending on the kind of virtual machine they are using.

The other major new feature the company is announcing today is GitHub Discussions. These are essentially discussion forums for a given project. While GitHub already allowed for some degree of conversation around code through issues and pull requests, Discussions are meant to enable unstructured threaded conversations. They also lend themselves to Q&As, and GitHub notes that they can be a good place for maintaining FAQs and other documents.

Currently, Discussions are in beta for open-source communities and will be available for other projects soon.

On the security front, GitHub is also announcing two new features: code scanning and secret scanning. Code scanning checks your code for potential security vulnerabilities. It’s powered by CodeQL and free for open-source projects. Secret scanning is now available for private repositories (a similar feature has been available for public projects since 2018). Both of these features are part of GitHub Advanced Security.

As for GitHub’s enterprise customers, the company today announced the launch of Private Instances, a new fully managed service for enterprise customers that want to use GitHub in the cloud but know that their code is fully isolated from the rest of the company’s users. “Private Instances provides enhanced security, compliance, and policy features including bring-your-own-key encryption, backup archiving, and compliance with regional data sovereignty requirements,” GitHub explains in today’s announcement.

Equinix just recorded its 69th straight positive quarter

There’s something to be said for consistency through good times and bad, and one company that has had a staggeringly consistent track record is international data center vendor, Equinix. It just recorded its 69th straight positive quarter, according to the company.

That’s an astonishing record, and covers over 17 years of positive returns. That means this streak goes back to 2003. Not too shabby.

The company had a decent quarter, too. Even in the middle of an economic mess, it was still up 6% YoY to $1.445 billion and up 2% over last quarter. The company runs data centers where companies can rent space for their servers. Equinix handles all of the infrastructure providing racks, wiring and cooling — and customers can purchase as many racks as they need.

If you’re managing your own servers for even part of your workload, it can be much more cost-effective to rent space from a vendor like Equinix than trying to run a facility on your own.

Among its new customers this quarter are Zoom, which is buying capacity all over the place, having also announced a partnership with Oracle earlier this month, and TikTok. Both of those companies deal in video and require lots of different types of resources to keep things running.

This report comes against a backdrop of a huge increase in resource demand for certain sectors like streaming video and video conferencing, with millions of people working and studying at home or looking for distractions.

And if you’re wondering if they can keep it going, they believe they can. Their guidance calls for 2020 revenue of $5.877-$5.985 billion, a 6-8% increase over the previous year.

You could call them the anti-IBM. At one point Big Blue recorded 22 straight quarters of declining revenue in an ignominious streak that stretched from 2012 to 2018 before it found a way to stop the bleeding.

When you consider that Equnix’s streak includes the period of 2008-2010, the last time the economy hit the skids, it makes the record even more impressive, and certainly one worth pointing out.

Confluent introduces scale on demand for Apache Kafka cloud customers

We find ourselves in a time when certain businesses are being asked to scale to levels they never imagined. Sometimes that increased usage comes in bursts, which means you don’t want to pay for permanent extra capacity you might not always need. Today, Confluent introduced a new scale-on-demand feature for its Apache Kafka cloud service that will scale up and down as needed, automatically.

Confluent CEO Jay Kreps says that elasticity is arguably one of the most important features of cloud computing, and this ability to scale up and down is one of the primary factors that has attracted organizations to the cloud. By automating that capability, they give DevOps one less major thing to worry about.

“This new functionality allows users to dynamically scale Kafka and the other key ecosystem components like KSQL and Kafka Connect. This is a key missing capability that no other service provides,” Kreps explained.

He points out that this is particularly relevant right now with people working at home. Systems are being taxed more than perhaps ever before, and this automated elasticity is going to come in handy, making it more cost-effective and efficient than was previously possible.

“These capabilities let customers add capacity as they need it, or scale down to save money, all without having to pre-plan in advance,” he said.

The new elasticity feature in Confluent is part of a series of updates to the platform, known as Project Metamorphosis, that Confluent is planning to roll out throughout this year on a regular basis.

“Through the rest of the year we’ll be doing a sequence of releases that bring the capabilities of modern cloud data systems to the Kafka ecosystem in Confluent Cloud. We’ll be announcing one major capability each month, starting with elasticity,” he said.

Kreps first announced Metamorphosis last month when the company also announced a massive $250 million funding round on a $4.5 billion valuation. In spite of the current economic situation, driven by the ongoing pandemic, Confluent plans to continue to build out the product, as today’s announcement attests.

Dtex, a specialist in insider threat cybersecurity, raises $17.5M

A lot of enterprise cybersecurity efforts focus on malicious hackers that work on behalf of larger organizations, be they criminal groups or state actors — and for good reason, since the majority of incidents these days come from phishing and other malicious techniques that originate outside the enterprise itself.

But there has also been a persistent, and now growing, focus also on “insider threats” — that is, breaches that start from within organizations themselves. And today a startup that specialises in this area is announcing a round of growth funding to expand its reach.

Dtex, which uses machine learning to monitor network activity within the perimeter and around all endpoints to detect unusual patterns or behaviour around passwords, data movement and other network activities, is today announcing that it has raised $17.5 million in funding.

The round is being led by new investor Northgate Capital with Norwest Venture Partners and Four Rivers Group, both previous investors, also participating. Prior to this, the San Jose-based startup had raised $57.5 million, according to data from PitchBook, while CrunchBase puts the total raised at $40 million.

CEO Bahman Mahbod said the startup is not disclosing valuation except to say that it’s “very excited” about it.

For some context, the company works with hundreds of large enterprises, primarily in the financial, critical infrastructure, government and defence sectors. The plan is to now extend further into newer verticals where it’s started to see more activity more recently: pharmaceuticals, life sciences and manufacturing. Dtex says that over the past 12 months, 80% of its top customers have been increasing their level of engagement with the startup.

Dtex’s focus on “insider” threats sounds slightly sinister at first. Is the implication here that people are more dishonest and nefarious these days and thus need to be policed and monitored much more closely for wrongdoing? The answer is no. There are no more dishonest people today than there ever have been, but there are a lot more opportunities to make mistakes that result in security breaches.

The working world has been on a long-term trend of becoming increasingly digitised in all of its interactions, and bringing on a lot more devices onto those networks. Across both “knowledge” and front-line workers, we now have a vastly larger number of devices being used to help workers do their jobs or just keep in touch with the company as they work, with many of them being brought by the workers themselves rather than being provisioned by the companies. There has also been a huge increase in cloud services,

And in the realm of “knowledge” workers, we’re seeing a lot more remote or peripatetic working, where people don’t have fixed desks and often work outside the office altogether — something that has skyrocketed in recent times with stay-at-home orders put in place to mitigate the spread of COVID-19 cases.

All of this translates into a much wider threat “horizon” within organizations themselves, before even considering the sophistication of external malicious hackers.

And the current state of business has exacerbated that. Mahbod tells us that Dtex is currently seeing spikes in unusual activity from the rise in home workers, who sometimes circumvent VPNs and other security controls, thus committing policy violations; as well as more problems arising from the fact that home networks have been compromised and that is leaving work networks, accessed from home, more vulnerable. These started, he said, with COVID-19 phishing attacks but have progressed to undetected malware from drive-by downloads.

And, inevitably, he added that there has been a rise in intentional data theft and accidental loss arising in cases where organizations have had to lay people off or run a round of furloughs, but might still result from negligence rather than intentional actions.

There are a number of other cybersecurity companies that provide ways to detect insider threats — they include CloudKnox and Obsidian Security, along with a number of larger and established vendors. But Mabhod says that Dtex “is the only company with ‘next-generation’ capabilities that are cloud-first, AI/ML baked-in, and enterprise scalable to millions of users and devices, which it sells as DMAP+.

“Effectively, Next-Gen Insider Threat solutions must replace legacy Insider Threat point solutions which were borne out of the UAM, DLP and UEBA spaces,” he said.

Those providing legacy approaches of that kind include Forcepoint with its SureView product and Proofpoint with its ObserveIT product. Interestingly, CyberX, which is currently in the process of getting acquired by Microsoft (according to reports and also our sources), also includes insider threats in its services.

This is one reason why investors have been interested.

“Dtex has built a highly scalable platform that utilizes a cloud-first, lightweight endpoint architecture, offering clients a number of use cases including insider threat prevention and business operations intelligence,” said Thorsten Claus, partner, Northgate Capital, in a statement. Northgate has a long list of enterprise startups in its portfolio that represent potential customers but also a track record of experience in assessing the problem at hand and building products to address it. “With Dtex, we have found a fast-growing, long-term, investible operation that is not just a band-aid collection of tools, which would be short-lived and replaced.”

Enterprise companies find MLOps critical for reliability and performance

Enterprise startups UIPath and Scale have drawn huge attention in recent years from companies looking to automate workflows, from RPA (robotic process automation) to data labeling.

What’s been overlooked in the wake of such workflow-specific tools has been the base class of products that enterprises are using to build the core of their machine learning (ML) workflows, and the shift in focus toward automating the deployment and governance aspects of the ML workflow.

That’s where MLOps comes in, and its popularity has been fueled by the rise of core ML workflow platforms such as Boston-based DataRobot. The company has raised more than $430 million and reached a $1 billion valuation this past fall serving this very need for enterprise customers. DataRobot’s vision has been simple: enabling a range of users within enterprises, from business and IT users to data scientists, to gather data and build, test and deploy ML models quickly.

Founded in 2012, the company has quietly amassed a customer base that boasts more than a third of the Fortune 50, with triple-digit yearly growth since 2015. DataRobot’s top four industries include finance, retail, healthcare and insurance; its customers have deployed over 1.7 billion models through DataRobot’s platform. The company is not alone, with competitors like H20.ai, which raised a $72.5 million Series D led by Goldman Sachs last August, offering a similar platform.

Why the excitement? As artificial intelligence pushed into the enterprise, the first step was to go from data to a working ML model, which started with data scientists doing this manually, but today is increasingly automated and has become known as “auto ML.” An auto-ML platform like DataRobot’s can let an enterprise user quickly auto-select features based on their data and auto-generate a number of models to see which ones work best.

As auto ML became more popular, improving the deployment phase of the ML workflow has become critical for reliability and performance — and so enters MLOps. It’s quite similar to the way that DevOps has improved the deployment of source code for applications. Companies such as DataRobot and H20.ai, along with other startups and the major cloud providers, are intensifying their efforts on providing MLOps solutions for customers.

We sat down with DataRobot’s team to understand how their platform has been helping enterprises build auto-ML workflows, what MLOps is all about and what’s been driving customers to adopt MLOps practices now.

The rise of MLOps

Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware

Fresenius, Europe’s largest private hospital operator and a major provider of dialysis products and services that are in such high demand thanks to the COVID-19 pandemic, has been hit in a ransomware cyber attack on its technology systems. The company said the incident has limited some of its operations, but that patient care continues.

Based in Germany, the Fresenius Group includes four independent businesses: Fresenius Medical Care, a leading provider of care to those suffering from kidney failure; Fresenius Helios, Europe’s largest private hospital operator (according to the company’s Web site); Fresenius Kabi, which supplies pharmaceutical drugs and medical devices; and Fresenius Vamed, which manages healthcare facilities.

Overall, Fresenius employs nearly 300,000 people across more than 100 countries, and is ranked 258th on the Forbes Global 2000. The company provides products and services for dialysis, hospitals, and inpatient and outpatient care, with nearly 40 percent of the market share for dialysis in the United States. This is worrisome because COVID-19 causes many patients to experience kidney failure, which has led to a shortage of dialysis machines and supplies.

On Tuesday, a KrebsOnSecurity reader who asked to remain anonymous said a relative working for Fresenius Kabi’s U.S. operations reported that computers in his company’s building had been roped off, and that a cyber attack had affected every part of the company’s operations around the globe.

The reader said the apparent culprit was the Snake ransomware, a relatively new strain first detailed earlier this year that is being used to shake down large businesses, holding their IT systems and data hostage in exchange for payment in a digital currency such as bitcoin.

Fresenius spokesperson Matt Kuhn confirmed the company was struggling with a computer virus outbreak.

“I can confirm that Fresenius’ IT security detected a computer virus on company computers,” Kuhn said in a written statement shared with KrebsOnSecurity. “As a precautionary measure in accordance with our security protocol drawn up for such cases, steps have been taken to prevent further spread. We have also informed the relevant investigating authorities and while some functions within the company are currently limited, patient care continues. Our IT experts are continuing to work on solving the problem as quickly as possible and ensuring that operations run as smoothly as possible.”

The assault on Fresenius comes amid increasingly targeted attacks against healthcare providers on the front lines of responding to the COVID-19 pandemic. In April, the international police organization INTERPOL warned it “has detected a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response. Cybercriminals are using ransomware to hold hospitals and medical services digitally hostage, preventing them from accessing vital files and systems until a ransom is paid.

On Tuesday, the Department of Homeland Security‘s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert along with the U.K.’s National Cyber Security Centre warning that so-called “advanced persistent threat” groups — state-sponsored hacking teams — are actively targeting organizations involved in both national and international COVID-19 responses.

“APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities,” the alert reads. “The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.”

Once considered by many to be isolated extortion attacks, ransomware infestations have become de facto data breaches for many victim companies. That’s because some of the more active ransomware gangs have taken to downloading reams of data from targets before launching the ransomware inside their systems. Some or all of this data is then published on victim-shaming sites set up by the ransomware gangs as a way to pressure victim companies into paying up.

Security researchers say the Snake ransomware is somewhat unique in that it seeks to identify IT processes tied to enterprise management tools and large-scale industrial control systems (ICS), such as production and manufacturing networks.

While some ransomware groups targeting businesses have publicly pledged not to single out healthcare providers for the duration of the pandemic, attacks on medical care facilities have continued nonetheless. In late April, Parkview Medical Center in Pueblo, Colo. was hit in a ransomware attack that reportedly rendered inoperable the hospital’s system for storing patient information.

Fresenius declined to answer questions about specifics of the attack, saying it does not provide detailed information or comments on IT security matters. It remains unclear whether the company will pay a ransom demand to recover from the infection. But if it does so, it may not be the first time: According to my reader source, Fresenius paid $1.5 million to resolve a previous ransomware infection.

“This new attack is on a far greater scale, though,” the reader said.

Decrypted: Chegg’s third time unlucky, Okta’s new CSO, Rapid7 beefs up cloud security

Ransomware is getting sneakier and smarter.

The latest example comes from ExecuPharm, a little-known but major outsourced pharmaceutical company that confirmed it was hit by a new type of ransomware last month. The incursion not only encrypted the company’s network and files, hackers also exfiltrated vast amounts of data from the network. The company was handed a two-for-one threat: pay the ransom and get your files back or don’t pay and the hackers will post the files to the internet.

This new tactic is shifting how organizations think of ransomware attacks: it’s no longer just a data-recovery mission; it’s also now a data breach. Now companies are torn between taking the FBI’s advice of not paying the ransom or the fear their intellectual property (or other sensitive internal files) are published online.

Because millions are now working from home, the surface area for attackers to get in is far greater than it was, making the threat of ransomware higher than ever before.

That’s just one of the stories from the week. Here’s what else you need to know.


THE BIG PICTURE

Chegg hacked for the third time in three years

Education giant Chegg confirmed its third data breach in as many years. The latest break-in affected past and present staff after a hacker made off with 700 names and Social Security numbers. It’s a drop in the ocean when compared to the 40 million records stolen in 2018 and an undisclosed number of passwords taken in a breach at Thinkful, which Chegg had just acquired in 2019.

Those 700 names account for about half of its 1,400 full-time employees, per a filing with the Securities and Exchange Commission. But Chegg’s refusal to disclose further details about the breach — beyond a state-mandated notice to the California attorney general’s office — makes it tough to know exactly went wrong this time.