Cybersecurity News: April 24 –April 30, 2021

2nd Sight Lab cloud security news and notable cyber security industry information for the week of April 24 — April 30, 2021

2nd Sight Lab | Cybersecurity | Vulnerabilities | Malware | Threat Reports | Breaches and Attacks | Cost of a Data Breach | Laws & Legal | Investments

Free Content on Jobs in Cybersecurity | Sign up for the Email List

2nd Sight Lab News

Teri Radichel, CEO of 2nd Sight Lab, will be presenting at CloudLIVE 2021 ~ a cloud security conference from CloudHealth by VMWare. This presentation will cover five top threats to your cloud and how to defend against them. Find out why breaches are occurring and more effective risk management strategies to defend against them. Register today!

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If you like this blog, please clap, follow, join, or pass it on. Thanks! 👏

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Cybersecurity

A group prepared a report with strategies for combatting ransomware. It has some interesting ideas which can be pursued to help reduce the impact of this problem. However, it doesn’t provide a solution to a critical element of the problem: Organizations need to better secure their systems.

Much of the report seems to recommend more committees and slips in a recommendation that sounds like a proposal to provide funds to organizations that have been attacked by ransomware. If that is the correct interpretation that action will, ironically, reduce the urgency for organizations to improve system security because if they get attacked, they know they will get money to deal with it.

Governments should establish Cyber Response and Recovery Funds to support ransomware response and other cybersecurity activities;

Taxpayers may not want to pay to bail out organizations that have not properly invested in effective cybersecurity solutions after they are attacked by ransomware. A proactive strategy is better than a reactive strategy as explained in this post: Defensive cybersecurity strategies -> Don’t let the attacker get the ball.

Perhaps funds should be provided in advance to organizations that cannot afford to prepare for ransomware such as schools and underfunded medical facilities. The funds could go towards training to help companies understand cybersecurity fundamentals construct proper networks and implement secure systems — not for buying cyber insurance, paying ransoms, and purchasing ineffective products. The money could also go to research and development to come up with new provable security solutions and effective risk management, topics in this book on cybersecurity for executives.

Although I’m supportive of taking down criminals and networks carrying out these attacks, complications exist when it comes to taking down networks and prosecuting hackers in foreign countries. The effectiveness may also be short-lived as soon as one attacker network gets shut down, another will spring up. The attackers are largely outside the jurisdiction of US law enforcement. Indictments will have little effect in some cases. Efforts in this area will help but not completely solve the problem.

Until companies address ineffective strategies used for cybersecurity, ransomware attacks will continue to harm organizations, national security, jobs, healthcare patients, and the economy. Executives need to take greater responsibility to maintain secure systems.

The NSA has released a cybersecurity advisory with some tangible steps organizations can take to reduce cyber risk:

Stop Malicious Cyber Activity Against Connected Operational Technology

Biden administration is preparing an order to improve cybersecurity in response to the SolarWinds attack.

Among other things, the draft order includes something similar to the National Transportation Safety Board, or NTSB, for cyber. Just as the NTSB inspects the wreckage of a plane and recovers black boxes to see if the crash requires a systematic fix, a cyber NTSB would potentially paw through code and data logs to discover the root causes that permitted a successful cyberattack.

We need to know what is causing the breaches to solve the root problems. That is also a topic of my talk at CloudLive. How can you defend against what you don’t understand? Notice how many cybersecurity reports in this news feed do not specify how the systems were breached.

Ransomware gangs are going to start informing companies of customers of data breaches if they don’t pay fast enough. This could lead to more data breach disclosures or at least faster disclosures or payments.

Engineers of physical infrastructure need to understand cybersecurity since much infrastructure involves systems connected to the Internet.

Good strategy though of course, the devil is in the details.

This 100-Day Plan, when viewed along with with the Federal Energy Regulatory Commission’s (FERC) December 17, 2020 Notice of Proposed Rulemaking (NOPR) to establish an incentive-based framework for utilities that voluntarily make cybersecurity investments that exceed the current mandatory Critical Infrastructure Protection (CIP) Reliability Standards, and the forthcoming Department of Homeland Security’s “60-day sprint” initiative focused on industrial control systems, signify a new and welcome trend in government support for critical infrastructure.

A student steals a teacher’s password, logs in, and changes grades. In response, UK is providing free cybersecurity training to teachers. Brilliant!

The agency responsible for developing and fielding defense systems for ballistic missiles — and recently hypersonic missiles — has failed to complete assessments since 2017 to identify cyber vulnerabilities and possible attack routes, the nonpartisan Government Accountability Office noted.

More of this, but suggest background checks.

The San Diego Workforce Partnership Thursday announced a two-year, $1.5 million grant from the James Irvine Foundation to fund CyberHire San Diego, a movement aimed at increasing the number of unemployed, underemployed and low-wage workers in quality cybersecurity careers.

Massachusetts expands K-12 cybersecurity training.

The University of New Hampshire is offering a free cybersecurity camp for high school students this summer.

In Wake of Recent Breaches, FAA Wants to Up Cybersecurity of National Airspace System

Is this supposed to say “vetted” instead of “vested?” Vetted by whom? Additional research is required before forming an opinion.

Creating safer cloud journeys with new security features and guidance for Google Cloud and Workspace

FBI-DHS-CISA Joint Advisory on Russian Foreign Intelligence Service Cyber Operations

Vulnerabilities

New Spectre-style hardware vulnerability discovered at University of Viginia.

Hackers exploiting Mac bug. Patch. Patrick Wardle of Jamf to the rescue again.

Malware

Cool. FBI teams up with ‘Have I Been Pwned’ by Troy Hunt to alert Emotet victims.

Cyberspies target military organizations with new Nebulae backdoor

Please don’t download “WhatsApp Pink.”

GitHub Explores New Anti-Malware Policy but the Community Expresses Concerns.

2nd Sight Lab leverages the ability to find tools on GitHub to perform assessments for customers more quickly. Some of these same tools get incorporated into systems that companies buy to perform security assessments. It’s hard to draw a line here. On the one hand it helps companies provide a service that helps other companies secure their systems by understanding the attacks. On the other hand, the code is out there for malicious actors as well. With bug bounties and more security research going on we’re probably better off with the code out in the open to inspect to understand how they work and create defenses based on indicators of compromise. Additionally, there’s a fine line between what is an offensive or defensive tool. Some can be used both ways to find flaws in systems — for good or for evil purposes.

WeSteal blatantly posting and selling malware. Here’s how it works:

WeSteal uses a simple but effective way to swipe cryptocurrency-receiving addresses: It rummages through clipboards, searching for strings matching Bitcoin and Ethereum wallet identifiers. When it finds them, WeSteal swaps out the legitimate wallet IDs in the clipboard with its own IDs. When a victim tries to paste the swapped wallet ID for a transaction, the funds get whisked off to the attacker’s wallet.

Threat actors are increasingly adopting Excel 4.0 documents as an initial stage vector to distribute malware such as ZLoader and Quakbot, according to new research.

Can you live without the macro?

Law enforcement automatically removing Emotet malware from victim machines.

Babuk ransomware authors claim they will shut down but will make the code public afterwards.

ToxicEye uses Telegram for command and control.

RotaJakiro: A long lived secret backdoor with 0 VT detection.

https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en

PortDoor Espionage Malware Takes Aim at Russian Defense Sector. RTF Document.

Threat Reports

Breaches and Attacks

West Nyack man loses $35,000 to scam that stemmed from malware subscription. Gave scammers his bank account to get a refund for a subscription. Never give your bank account. This highlights the fact that wire transfers at banks need an overhaul. So much risk related to that process.

https://bronx.news12.com/west-nyack-man-loses-35-000-to-scam-that-stemmed-from-malware-subscription

Experian API Exposed Credit Scores of Most Americans

Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the “date of birth” field let him then pull a person’s credit score. He even built a handy command-line tool to automate the lookups, which he dubbed “Bill’s Cool Credit Score Lookup Utility.”

Chinese businessman admits smuggling U.S. marine tech to China.

Prosecutors said Northwestern Polytechnical University, a Chinese military research institute, tasked Qin with obtaining items used for anti-submarine warfare and that he obtained hydrophones for it from a U.S. manufacturer.

Cybersecurity breach closes Centennial schools in Portland, Oregon. Does not say how.

Saskatchewan Blue Cross shut down systems after discovering a breach. The company is still researching the cause.

Contact Tracing Data Breach Exposed Personal Data For Over 72K Pennsylvanians.

Apparently this was a case of “Here, take my data…” a topic in my upcoming talk at CloudLive.

Illinois attorney general’s office was warned about weak cybersecurity before ransomware attack.

Ransomware potentially linked to Russia

Digital Ocean billing data breach — does not say what flaw caused the breach or how it was fixed.

A data breach at the Wyoming Department of Health publicly exposed COVID-19, influenza and blood alcohol test data from more than a quarter of Wyomingites and some out of state residents, the department announced Tuesday.

The breach occurred when an employee erroneously uploaded files containing that data to the public code-hosting platform GitHub.

Proper network security architecture can help prevent this type of thing.

Software companies exposed to a breach of sensitive pitch information in breach related to exposed Azure storage account.

Reverb hacked. Didn’t say how.

Gyrodata Employee Data Breach. Doesn’t say how.

First Horizon breached. Customer funds stolen. Stolen credentials but doesn’t say how. Access issues also in my upcoming talk.

Disclosed breach after stolen database discovered.

Catholic Charities North Dakota target of a data breach. Suspicious activity related to email accounts. Not specific as to what the activity was or how the organization’s systems were compromised.

More suspicious email activity. Maryland Ortho Practice breach affects 125,000 people. Doesn’t provide specifics.

Personal information of 20 million BigBasket users is now available online for anyone to download and use from a breach that occurred on October 30, 2020.

Amazon warned this customer they had an open S3 bucket.

Suspicious email activity. Does not say how the attackers got in.

Human error causes a data breach at the Vermont Department of Labor. Report finds controls were adequate to find the error.

Ransomware group threatens DC police force with informant leak. This will likely put people’s health and lives at risk. Ransomware criminals have no concern whatsoever for the people they affect.

https://www.infosecurity-magazine.com/news/ransomware-group-dc-cops-informant/

Dutch government pauses coronavirus app over data leak fears.

The Dutch app uses “exposure notification” technology developed by Google and Apple that generates random codes that can be exchanged by phones whose users are close to one another for long enough to possibly transmit the virus.

According to the ministry, Google informed the government Wednesday it has fixed the issue. The Dutch government halted messages from the app for 48 hours to check if the leak has been fixed.

To research further:

Google said that random Bluetooth identifiers “on their own have no practical value to bad actors, and it is extremely unlikely that developers of pre-installed apps were aware of the inadvertent availability of those identifiers.”

Large data dump of billions of passwords and emails.

Hundreds of furious Football Index investors have their identities revealed by DCMS data breach after email in response to complaints about collapsed gambling platform was sent out with recipients’ names not hidden.

Not a good way to send out a breach notification, if that wasn’t clear.

Human error leads to private information about a crime sent to the wrong person. I’m a fan of making people log into systems to get their data instead of emailing sensitive information around. I’ll be writing about that in a future post.

Cost of a Data Breach

In early March, the New York State Department of Financial Services (“DFS”) entered into a consent order requiring Residential Mortgage Company to pay $1.5 million for failing to comply with Cybersecurity Regulation, Part 500 of Title 23 of the New York Code.

The Dutch Data Protection Authority recently imposed a €475,000 fine ($558,000) against the hotel website Booking.com for waiting longer than 72 hours to report a data breach.

Singapore. Organization that oversees Tafep fined $29,000 over data breach.

Google case accusing the company of illegally tracking millions of iPhone users is going to the US Supreme Court.

Geico sued over breach.

Police Sue Pension Unit Of Equiniti For £1M Over Data Breach

Patient represented by Philadelphia law firm sues Einstein over 2020 data breach.

Class action lawsuit over Einstein breach.

Laws & Legal

Justice Department to undertake 120 day review of cybersecurity challenges

Senators from both sides of the political aisle introduced several bills late last week aimed at strengthening the government’s cybersecurity readiness and response efforts.

State Department Gets Dedicated Cybersecurity Bureau in Proposed Bill

New Georgia Bills Will Affect Public’s Access To Cybersecurity Details:

Georgia House Bill 156, signed by Gov. Brian Kemp in late March, “increases data sharing between different parts of government about data breaches and cyber-attacks,” according to Sarah Brewerton-Palmer, chair of the Georgia First Amendment Foundation’s Legislative Committee.

However, Brewerton-Palmer is concerned the bill could exempt an entire report about cybersecurity breaches from the Open Records Act depending on the interpretation of the law.

One concern about not understanding how systems are breached could relate to breaches of voting systems to change the outcome of elections. If the people in power control access to the information about data breaches of election systems, no one will be able to prove they hacked the systems to keep themselves in power. I’m not saying in any way this is happening, but it is a potential problem.

Debate continues over the ability to initiate a lawsuit based on potential identity theft in the future leveraging the stolen data. Given the number of ways stolen data is used to try to break into other systems and instantiate many types of fraud, monetary, and data loss including the recent barrage of fraud related to unemployment benefits, it is not clear why this is in question. It will be nearly impossible to link future harm to a specific breach because there are so many — but companies who blatantly disregard best security practices still need to be held accountable.

Senate Intelligence Panel working on data breach notification law.

When data breaches and laws impact freedom of the press.

The National Association of Insurance Commissioner (NAIC)’s model data security law (“Model Law”) was recently adopted by Maine and North Dakota.

Investments

Be careful with buzzwords.

Mexico City, Mexico — Banco Santander México has announced an investment of $500 million USD in the country to improve infrastructure and service to customers. In a press conference, the bank said the money will be invested in its infrastructure, systems and cybersecurity to improve its customer experience.

Personal note: The last time I tried to send money to Mexico, which I admit was years ago so I hope it improved, I was informed not to do a bank transfer because you could kiss the money goodbye. Additionally, you could only use one of the Western Union options. I picked the correct option and despite that, the money was sent the wrong way, and $900 was “lost”. I argued with someone in Texas incessantly until I got it back. There likely is more to this problem than “infrastructure.”

Big cybersecurity startups like Tanium, Netskope, and SentinelOne are dragging their heels ongoing public because they don’t need the money or the trouble.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2021

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab

Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation

Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab