Discover How Cyber Security Can Protect Your Network during COVID-19

The Importance of Cyber Security

Cyber security has become one of the most critical aspects of data security. Data security is especially relevant today because this school year has gotten off to a strange start: schools have had to make changes to classrooms because of COVID-19, and most classes are starting out virtually. What if I told you there’s still more that could go wrong? Well, now that sounds terrifying.

Schools are currently being targeted and hit by ransomware. Cyber security has become a very important aspect of technology in today’s world. The last thing that a school district needs is to be worried about its staff and students’ data security. This is happening because school districts are exposed and do not have time to focus on cyber security plans. After all, they are currently concentrating on many other things to protect their students and return to the classroom safely.

CoreRecon and Cyber Security

What if I told you that could be managed by CoreRecon, and you wouldn’t have to worry about a thing? Cybersecurity is one of the least talked-about topics until it’s too late. Don’t let it be too late: get ahead of the game, and ensure that your district’s network is safe from the hackers that prey on vulnerabilities created by this harmful virus. I know we all just want things to go back to normal; believe me, I’m in the same boat as all of you. Let me tell you a few things about what we do here at CoreRecon that can save you a lot of trouble.

What We Do

We provide managed IT services and cyber security solutions. Managed IT services means that your business is outsourcing its technology department or adding that extra layer of help you may require. We are located in downtown Corpus Christi, and we will go onsite to you if needed, so you don’t have to worry. We also provide cyber security solutions, which prevent any type of cyber attack from infiltrating your network. We realize you’ve got a million and one things to worry about; don’t let this weigh you down. Trust us, CoreRecon, to get the job done for you.

Please give us a call if you are interested in our services or just have questions: 361-248-3258

Can’t give us a call? Don’t worry we have an email as well

We also have social media so if you’d like to stay in touch with our day to day go ahead and follow us:

Facebook: CoreReconTX

Twitter: @CoreRecon

Instagram: @corerecon

You can reach out to us on there as well if you’d like. We just want to ensure that you and your business remain safe. Thanks for reading!


Heads up Texas, Your Data Is in Danger

When it comes to cybercrime, there is no discrimination. When it comes to data theft, every Texas government or business is considered a target. However, larger companies are the most targeted. Hackers are stealing data, selling it, and are making money off of your data. According to Jareth at Emsisoft, hackers are using multiple tactics to steal your data, and here is how:

1. Malware

Hackers are using malware such as keyloggers and banking malware to pull login credentials and credit card information. Malware also spreads by email, so it’s essential to have strict email security. Tight email security significantly decreases the chance of being infected by email malware. Many ransomware attacks are using malware to hit significant numbers of businesses and local governments. Texas is a major target for these attacks, so it’s essential to have security policies to protect your business.

2. Phishing

Phishing is a form of social engineering. 

“Social engineering is a form of techniques employed by cybercriminals designed to lure unsuspecting users into sending them their confidential data, infecting their computers with malware or opening links to infected sites.”


Hackers use these social engineering techniques to gain access to your personal information, which they can use to infect your environment. For example, a Texas school district, Manor Independent School District, was the target of a major phishing scam. The hackers posed as vendors and stole 2.3 million dollars from the Texas school district. Schemes like this raise the question: how many others have gone unnoticed?

3. Weak Passwords

Weak passwords are the easiest way for hackers to get access to systems. Texas and all other states are vulnerable to this attack. Hackers use different methods to steal passwords, such as brute force attacks, keyloggers, and phishing. It is essential to use strong password policies to prevent an attack like this.

There are multiple ways that hackers can gain access to personal data. Tactics used are malware, phishing, weak passwords, and even unsecured networks. Hackers are stealing data, selling it, and are making money off of your data. Texas remains a primary target for attacks like these. Your data is your data, don’t be the next headline. To prevent an attack like this, contact CoreRecon. Thanks for reading, let us know what you think!


Wanna see how easy it is to get your website hacked?

Local SEO is just one of the many IT services we provide as a Managed Services Provider.

One of our clients made an error by using a VOIP business phone service that, while the price was “right”, did not meet their requirements. CoreRecon had listed the company’s phone number in dozens of internet business listing directories (in Local SEO parlance, these are known as Citations).

So our client was forced to get a new phone service and needed CoreRecon to update about 75 listings across the web.

To double check, we googled the old number just to make sure the directories had updated and there were no straggler listings. To our amazement, we stumbled upon a list of what purports to be dozens of previously cracked MySQL database passwords.

Cracked MySQL passwords posted to Google for anyone to see


Not only is it that easy for hackers to crack the hashes that conceal the passwords to your company’s vital databases, but those nefarious players also freely share this info among themselves, and do so right out in the open on Google.




Call CoreRecon at 800.955.2596 to find out about getting a security assessment for your organization today
(361) 248-3258

Ransomware infects Colorado Department of Transportation

SamSam ransomware is back and the Colorado Department of Transportation is its most recent victim. More than 2,000 agency computers had to be shut down on Feb 21 to prevent the ransomware from spreading across the entire infrastructure.

According to CBS local news, the critical systems used to manage road traffic and alerts were not affected. The attackers encrypted some files and requested bitcoin in exchange for the decryption key.

Although DoT is working with a security company to repair the system, the FBI was also called in for further investigation of the damage.

“Early this morning state security tools detected that a ransomware virus had infected systems at the Colorado Department of Transportation. The state moved quickly to quarantine the systems to prevent further spread of the virus,” said David McCurdy, OIT’s Chief Technology Officer.

“OIT, FBI and other security agencies are working together to determine a root cause analysis. This ransomware virus was a variant and the state worked with its antivirus software provider to implement a fix today. The state has robust backup and security tools and has no intention of paying ransomware. Teams will continue to monitor the situation closely and will be working into the night.”

Colorado Department of Transportation is one of the many organizations that fell victim to SamSam ransomware that in January infected vulnerable networks in hospitals, city councils, educational facilities and transportation systems.

Following its infection with SamSam and the encryption of over 1,400 files, a hospital in Indiana paid $55,000 to restore its systems. In that case, although they had data backups, they chose to pay the ransom. SamSam doesn’t spread via phishing campaigns but takes advantage of unsecured devices directly connected to the internet and uses them to spread laterally across the network.

711 North Carancahua Street STE 300
Corpus Christi, TX 78401
Fax: 800.955.2596

Penn Medicine computer with patient info stolen

About 1,000 patients at Penn Medicine are receiving letters saying a computer with some of their personal information on it was stolen.

A laptop containing patient files was reported stolen from a car at the King of Prussia Mall parking lot on Nov. 30, according to a spokesperson at the University of Pennsylvania Health System. So far, there is no indication the computer has been turned on or the patient information accessed, they stated.

Patient names, birth dates, medical records, account numbers, and some other demographic and medical information were on the computer. There were no Social Security numbers, credit card or bank account information, patient addresses or telephone numbers stolen, according to Penn Medicine.

The health system is working with Upper Merion Township police, as well as the relevant internet service provider.

Penn Medicine is reviewing internal procedures to safeguard patient information contained on portable devices, the spokesperson said.

Patients with questions can contact the Penn Medicine Incident Response Line at 1-833-214-8740.


Bad Rabbit Ransomware – WATCH OUT!

A new widespread ransomware worm known as “Bad Rabbit,” which hit over 200 major organizations this week, primarily in Russia and Ukraine, leverages a stolen NSA exploit released by the Shadow Brokers this April to spread across victims’ networks.

Earlier it was reported that this week’s crypto-ransomware outbreak did not use any National Security Agency-developed exploits, neither EternalRomance nor EternalBlue, but a recent report from Cisco’s Talos Security Intelligence revealed that the Bad Rabbit ransomware did use the EternalRomance exploit.

NotPetya ransomware (also known as ExPetr and Nyetya), which infected tens of thousands of systems back in June, also leveraged the EternalRomance exploit, along with another leaked NSA Windows hacking exploit, EternalBlue, which was used in the WannaCry ransomware outbreak.

Bad Rabbit Uses EternalRomance SMB RCE Exploit

Bad Rabbit does not use EternalBlue but does leverage the EternalRomance RCE exploit to spread across victims’ networks.

Microsoft and F-Secure have also confirmed the presence of the exploit in the Bad Rabbit ransomware.

EternalRomance is one of many hacking tools allegedly belonging to the NSA’s elite hacking team called Equation Group that were leaked by the infamous hacking group calling itself Shadow Brokers in April this year.

EternalRomance is a remote code execution exploit that takes advantage of a flaw (CVE-2017-0145) in Microsoft’s Windows Server Message Block (SMB), a protocol for transferring data between connected Windows computers, to bypass security over file-sharing connections, thereby enabling remote code execution on Windows clients and servers.

Along with EternalChampion, EternalBlue, EternalSynergy and other NSA exploits released by the Shadow Brokers, the EternalRomance vulnerability was also patched by Microsoft this March with the release of a security bulletin (MS17-010).

Bad Rabbit was reportedly distributed via drive-by download attacks through compromised Russian media sites, using a fake Adobe Flash Player installer to lure victims into installing malware unwittingly, and demanded 0.05 bitcoin (~ $285) from victims to unlock their systems.

How Bad Rabbit Ransomware Spreads In a Network

According to the researchers, Bad Rabbit first scans the internal network for open SMB shares, tries a hardcoded list of commonly used credentials to drop malware, and also uses the Mimikatz post-exploitation tool to extract credentials from the affected systems.

Bad Rabbit can also exploit the Windows Management Instrumentation Command-line (WMIC) scripting interface in an attempt to execute code on other Windows systems on the network remotely, noted EndGame.

However, according to Cisco’s Talos, Bad Rabbit also carries code that uses EternalRomance, which allows remote hackers to propagate from an infected computer to other targets more efficiently.

“We can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel’s session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor,” Talos researchers wrote.

“Both actions are possible due to the fact that EternalRomance allows the attacker to read/write arbitrary data into the kernel memory space.”
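
A defender can look for the propagation pattern described in this section (one machine trying a list of common credentials over SMB against many hosts, then running code remotely through WMI) in Windows logon and process-creation events. The sketch below is an added example, not code from the original article or from the researchers it cites; the event lines are constructed, and the column layout and thresholds are assumptions. The event IDs 4625, 4624 and 4688 are the standard Windows Security IDs for failed logon, successful logon and process creation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Assumed column layout:
# timestamp, target host, event id, logon type, source IP, user, parent image.
# Logon type 3 is a network logon, which is what an SMB connection produces.
SAMPLE_EVENTS = """\
2017-10-25T10:00:01 FS01 4625 3 10.0.0.23 admin -
2017-10-25T10:00:02 FS01 4625 3 10.0.0.23 guest -
2017-10-25T10:00:04 FS02 4625 3 10.0.0.23 administrator -
2017-10-25T10:00:05 DC01 4625 3 10.0.0.23 root -
2017-10-25T10:00:09 FS01 4625 3 10.0.0.50 jsmith -
2017-10-25T10:00:20 FS01 4625 3 10.0.0.50 jsmith -
2017-10-25T10:00:31 FS01 4624 3 10.0.0.50 jsmith -
2017-10-25T10:01:10 FS02 4624 3 10.0.0.23 admin -
2017-10-25T10:01:20 FS02 4688 - - admin WmiPrvSE.exe
2017-10-25T10:02:00 DC01 4624 3 10.0.0.5 itadmin -
2017-10-25T10:02:05 DC01 4688 - - itadmin WmiPrvSE.exe
2017-10-25T10:03:00 FS01 4688 - - jsmith explorer.exe
"""

WINDOW = timedelta(minutes=5)   # failures inside this span are counted together
FOLLOW = timedelta(minutes=2)   # max gap between a logon and a WMI-spawned process
MIN_HOSTS = 3                   # distinct targets before a source is flagged
MIN_USERS = 3                   # distinct account names before a source is flagged


def parse(text):
    """Turn the whitespace-separated lines into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, ltype, src, user, parent = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "id": int(eid), "logon_type": ltype, "src": src,
                       "user": user.lower(), "parent": parent.lower()})
    return sorted(events, key=lambda e: e["ts"])


def find_sprayers(events):
    """Sources failing network logons on many hosts with many account names."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] == "3":
            failures[e["src"]].append(e)
    flagged = {}
    for src, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            hosts = {e["host"] for e in window}
            users = {e["user"] for e in window}
            if len(hosts) >= MIN_HOSTS and len(users) >= MIN_USERS:
                flagged[src] = {"first_seen": window[0]["ts"],
                                "hosts": sorted(hosts), "users": sorted(users)}
                break
    return flagged


def find_wmi_follow_up(events, flagged):
    """For flagged sources, list hosts where a logon led to a WMI-spawned process."""
    findings = {src: dict(info, wmi_exec_hosts=[]) for src, info in flagged.items()}
    for logon in events:
        if (logon["id"] != 4624 or logon["logon_type"] != "3"
                or logon["src"] not in flagged
                or logon["ts"] < flagged[logon["src"]]["first_seen"]):
            continue
        for proc in events:
            # Processes started remotely through WMI run as children of WmiPrvSE.exe.
            if (proc["id"] == 4688 and proc["host"] == logon["host"]
                    and proc["parent"] == "wmiprvse.exe"
                    and timedelta(0) <= proc["ts"] - logon["ts"] <= FOLLOW):
                hosts = findings[logon["src"]]["wmi_exec_hosts"]
                if logon["host"] not in hosts:
                    hosts.append(logon["host"])
    return findings


def detect(text=SAMPLE_EVENTS):
    events = parse(text)
    return find_wmi_follow_up(events, find_sprayers(events))


if __name__ == "__main__":
    for src, info in detect().items():
        print(src, info["hosts"], info["users"], info["wmi_exec_hosts"])
```

In the sample, the user who mistypes a password twice and the administrator who uses WMI without any preceding failures are both left alone; only the source that combines the two behaviours is reported.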

Is the Same Hacking Group Behind Bad Rabbit and NotPetya?

Since both Bad Rabbit and NotPetya use the commercial DiskCryptor code to encrypt the victim’s hard drive and “wiper” code that could erase hard drives attached to the infected system, the researchers believe it is “highly likely” the attackers behind both ransomware outbreaks are the same.

“It is highly likely that the same group of hackers was behind BadRabbit ransomware attack on October the 25th, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017,” Russian security firm Group IB noted.

“Research revealed that the BadRabbit code was compiled from NotPetya sources. BadRabbit has same functions for computing hashes, network distribution logic and logs removal process, etc.”

NotPetya has previously been linked to the Russian hacking group known as BlackEnergy and Sandworm Team, but since Bad Rabbit is primarily targeting Russia as well, not everyone seems convinced by the above assumptions.

How to Protect Yourself from Ransomware Attacks?

To protect against Bad Rabbit, users are advised to disable the WMI service to prevent the malware from spreading over their network.

Also, make sure to update your systems regularly and keep a good and effective anti-virus security suite on your system.

Since most ransomware spreads through phishing emails, malicious adverts on websites, and third-party apps and programs, you should always exercise caution with all of these.

Most importantly, to always have a tight grip on your valuable data, keep a good backup routine in place that makes and saves copies of your files to an external storage device that isn’t always connected to your PC.

Written by: Mohit Kumar

Thieves steal Bassett Family Practice’s patient information

BASSETT - The records from more than 500 patients at Bassett Family Practice were stolen in August, company officials say. On Friday, officials from the facility sent out letters to all of their patients, informing them what was included in the theft and what steps the medical practice is taking to prevent it from happening again.

The patient information included each person’s full name, date of birth, account number at the medical practice, identity of their insurance provider and potentially some details about the reasons behind recent visits to Bassett Family Practice, such as the type of sickness a patient was suffering from. All of that information was stored on a laptop, which was sitting in an employee’s car. Officials at the practice say they aren’t certain on a specific date, but say the laptop was stolen from the employee’s vehicle between the evening of Aug. 12 and the morning of Aug. 14. While a police report was filed immediately, officials with the facility waited until Oct. 13 to inform patients of the incident.

“The time was spent working with law enforcement, consulting our legal counsel, recovering the backup and researching the files,” said Bassett Family Practice Finance Director Alvin Franks, when asked why the facility had delayed in releasing the information. “The files to be researched were voluminous and we wanted to ensure we were not double counting anyone.”

In this case, Franks said Bassett employees had to first search for and find the backup to the stolen laptop, in order to see what information had been transferred on to it. In the letter sent out to patients, the facility states that “while there were details about office visits, such as [the] identity of the affected individual’s provider name and reason for visit, much of the information for the affected individuals was account balance information for the procurement of medical services contained in spreadsheets, which, by law, is still considered HIPAA protected information.”

Bassett Family Practice officials made it clear repeatedly, both in the letter and speaking with Bulletin staff, that there were no social security cards, debit or credit card information stored on the stolen laptop.

The information had to be released before Oct. 15, as theft of patient records is a violation of HIPAA, the Health Insurance Portability and Accountability Act. Signed into law in 1996, HIPAA gives specific instructions for safeguarding a patient’s medical records and other information. The Bulletin reached out to officials with the U.S. Department of Health and Human Services and they directed us to the department’s website, which gave a complete breakdown of the law. According to the department’s website, information about any type of breach has to be “provided without unreasonable delay and in no case later than 60 days following the discovery of a breach.”

Since the breach took place at some point between Aug. 12-14, letters had to be sent out no later than Oct. 14, in order to fall within the 60 day window. A copy of one of the letters sent out by Bassett Family Practice, which the facility provided to the Bulletin, gives a date of Oct. 13 for when this was sent out. HHS officials said because there is some question about when the theft occurred, that letter met the time requirements. They also said Bassett employees didn’t break any laws by not immediately informing patients.

As for taking the laptop out of the facility, there is no portion of the HIPAA Security Rule that makes that decision illegal. The current HIPAA edition, which has been revised over the last two years, states that a facility “must have in place policies and procedures regarding the transfer, removal, disposal and re-use of electronic media, to ensure appropriate protection of electronic protected information.”

When asked on Monday, HHS officials also could not point to anything stating that removal of a laptop containing patient information from a facility violated policies.

The equipment was on a laptop in the first place due to the fact the facility was making a transition to a new IT system. As part of that switch, which is now complete, all patient information is stored only on a company server and not on any laptops being used by employees. Franks also said the medical practice was removing files already on laptops to the server, as well as encrypting all laptops with Symantec Encryption Software.

As of Oct. 16, there was nothing to report from law enforcement in terms of a suspect or any leads on who may have stolen the machine. Based on the fact the laptop was unlabeled and had been stolen from inside the vehicle, Bassett officials said they didn’t think it was stolen with the intent to access protected health information.

To the knowledge of both local law enforcement and Bassett Family Practice employees, no one has accessed the patient information. They know this because if the patient information is accessed, the facility’s server will receive a notification. If that happens, Franks said employees can protect the information by remotely wiping the laptop clean.

“There is also a fail-safe, where the organization could delete the information on the laptop, should it ever be accessed through the operating system,” Franks said. “The laptop has not yet been recovered nor accessed at this time.”

Any patients of Bassett Family Practice with questions about the theft can call the facility at 1-888-746-7175.

Article by: Martinsville Bulletin – Brian Carlton

Deloitte Hacked — Exposes Clients’ Emails

Another day, another data breach. This time one of the world’s “big four” accountancy firms has fallen victim to a sophisticated cyber attack.

Global tax and auditing firm Deloitte has confirmed the company had suffered a cyber attack that resulted in the theft of confidential information, including the private emails and documents of some of its clients.

Deloitte is one of the largest private accounting firms in the U.S. which offers tax, auditing, operations consulting, cybersecurity advisory, and merger and acquisition assistance services to large banks, government agencies and large Fortune 500 multinationals, among others.

The global accountancy firm said Monday that its system had been accessed via an email platform from October last year through this past March and that “very few” of its clients had been affected, the Guardian reports.
The firm discovered the cyber attack in March, but it believes the unknown attackers may have had access to its email system since October or November 2016.

Hackers managed to gain access to Deloitte’s email server through an administrator account that wasn’t secured using two-factor authentication (2FA), granting the attacker unrestricted access to Deloitte’s Microsoft-hosted email mailboxes.

Besides emails, hackers also may have had potential access to “usernames, passwords, IP addresses, architectural diagrams for businesses and health information.”

“In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte,” a Deloitte spokesperson told the newspaper.

“As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.”

Deloitte’s internal investigation into the cyber incident is still ongoing, and the firm has reportedly informed only six of its clients that their information was “impacted” by the breach.

Deloitte has become the latest victim of a high-profile cyber attack. Just last month, Equifax publicly disclosed a breach of its systems that exposed personal data of as many as 143 million US customers.

Moreover, last week the U.S. Securities and Exchange Commission (SEC) also disclosed that hackers managed to hack its financial document filing system and illegally profited from the stolen information.

Women’s Health Group of Pennsylvania Notifies 300,000 Patients of Ransomware Attack

A data breach at one of Pennsylvania’s largest health networks has sparked safety concerns and questions regarding why it took several months for patients to be notified.

The Women’s Health Care Group of Pennsylvania, which is based in Oaks, Pennsylvania but has 45 offices serving women in Montgomery, Chester and Delaware Counties, sent a letter to patients this month informing them that hackers had stolen their information. That information included patient names, birth dates, social security numbers, pregnancy histories, blood type information and medical diagnoses.

The following notice, posted on Women’s Health Group’s site on July 18, indicates that this was a ransomware attack:

Notice of Security Breach Incident

Posted: July 18, 2017

On May 16, 2017, we discovered that a server and workstation located at one of our practice locations had been infected by a virus designed to block access to system files. Upon discovering the virus, we immediately removed the infected server and workstation from our network and began an investigation with the assistance of an expert computer forensics team to determine how the virus made it onto our systems and the extent to which the virus may have affected any of our data. Local Federal Bureau of Investigation authorities were contacted and a report was filed.

As part of our investigation, we learned that external hackers gained access to our systems, as far back as January 2017, through a security vulnerability. We also believe the virus was propagated through this vulnerability. Although this security vulnerability allowed access to limited patient information and the virus encrypted certain files, we have been unable to determine if any specific information was actually acquired or viewed in connection with this incident. In addition, the encrypted files were promptly restored from our back-up server and the incident had no effect on our ability to continue to provide patient care nor was any information lost.

The types of files that could have been accessed may have included information about a patient’s name, address, date of birth, Social Security number, lab tests ordered and lab results, telephone number, gender, pregnancy status, medical record number, blood type, race, employer, insurance information, diagnosis, and physician’s name. No driver’s license, credit card or other financial information was stored in any files on the infected server.

Individuals whose information may have been affected by this incident will receive a letter informing them of this incident, with instructions on steps they can take to receive free credit monitoring and identity theft protection services for a year. We recommend these individuals review all financial account information closely and report any fraudulent activity or suspected incident or identity theft. We have set up a call center with a toll-free help line for individuals who have questions about this incident. The phone number is (877) 534-7033. The call center is staffed weekdays Monday through Friday from 9:00 AM to 9:00 PM (EST) and Saturday and Sunday from 11:00 AM to 8:00 PM (EST)

We sincerely regret any concerns or inconvenience this incident may cause our patients. Maintaining the integrity and confidentiality of our patients’ personal information is very important to us and we are conducting a comprehensive internal review of our information security practices and procedures to help prevent such events in the future.

Update: When this incident appeared on HHS’s breach tool, it was reported as impacting 300,000 patients.

New Ransomware Threatens to Send Your Internet History & Private Pics to All Your Friends

After WannaCry and Petya ransomware outbreaks, a scary (but rather creative) new strain of ransomware is spreading via bogus apps on the Google Play Store, this time targeting Android mobile users.

Dubbed LeakerLocker, the Android ransomware does not encrypt files on the victim’s device, unlike traditional ransomware; rather, it secretly collects personal images, messages and browsing history and threatens to share them with the victim’s contacts if they don’t pay $50.

Researchers at security firm McAfee spotted the LeakerLocker ransomware in at least two apps — Booster & Cleaner Pro and Wallpapers Blur HD — in the Google Play Store, both of which have thousands of downloads.

To evade detection of malicious functionality, the apps initially don’t contain any malicious payload and function like typical legitimate apps.

But once installed by users, the apps load malicious code from their command-and-control server, which instructs them to collect a vast amount of sensitive data from the victim’s phone, thanks to victims blindly granting unnecessary permissions during installation.

The LeakerLocker ransomware then locks the home screen and displays a message that contains details of the data it claims to have stolen and holds instructions on how to pay the ransom to ensure the information is deleted.

The ransom message reads:

All personal data from your smartphone has been transferred to our secure cloud.
In less than 72 hours this data will be sent to every person on your telephone and email contacts list. To abort this action you have to pay a modest ransom of $50.
Please note that there is no way to delete your data from our secure but paying for them. Powering off or even damaging your smartphone won’t affect your data in the cloud.

Although the ransomware claims that it has taken a backup of all of your sensitive information, including personal photos, contact numbers, SMS’, calls and GPS locations and browsing and correspondence history, researchers believe only a limited amount of data on victims is collected.

According to researchers, LeakerLocker can read a victim’s email address, random contacts, Chrome history, some text messages and calls, take a picture from the camera, and read some device information.

All the above information is randomly chosen to display on the device screen, which is enough to convince the victims that lots of data have been copied.

Both malicious apps have since been removed by Google from the Play Store, but it is likely that hackers will try to smuggle their software into other apps.

If you have installed either of the two apps, uninstall it right now.

But if you are hit by the ransomware and are worried about your sexy selfies and photographs being leaked to your friends and relatives, you might be thinking of paying a ransom.

Do not pay the Ransom! Doing so motivates cyber criminals to carry out similar attacks, and there is also no guarantee that the stolen information will be deleted by the hackers from their server and will not be used to blackmail victims again.

Article by: Mohit Kumar