Cybersecurity News of the Week, September 22, 2024

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Corner

SecureTheVillage is in the news this week with the announcement of continued progress in our innovative team-based learn-by-doing LA Cybersecure™ Program. We’re proud of the work of these smaller businesses and nonprofits who are helping change the cybersecurity management model for smaller organizations.

• First Small Businesses Certified “Cyber Ready” in SecureTheVillage Program to Improve Cybersecurity of Smaller Organizations: SecureTheVillage’s innovative LA Cybersecure™ Program Provides Education, Tools, and Coaching to Empower Small Businesses and Nonprofits to Protect Themselves in a way that, until now, only Big Businesses have Been Able to Achieve. … LOS ANGELES – September 16, 2024 SecureTheVillage is proud to announce that the first three participants in its innovative LA Cybersecure™ Program have been Certified Cyber Ready by the prestigious Cyber Readiness Institute. … Los Angeles nonprofit SecureTheVillage announced the LA Cybersecure™ Program in October, 2023 in this press release. The program, partially funded by the Center for Internet Security’s Alan Paller Laureate Program, aims to enhance cybersecurity practices among smaller businesses and nonprofits, equipping them to better defend against cybercrime. … The program officially kicked off in January with its first Cohort of five companies, including a law firm, an accounting firm, two technology companies, and a nonprofit. Cohort participants completed Sightline Security’s Kickstart Program in April as we described here. … Three of the participants have now completed the Cyber Readiness Institute’s Cyber Readiness Program and have been Certified Cyber Ready.

On another note, in a futile attempt at maintaining a work-life balance, my wife and I are taking some time off. I’ll be back with the full News and Patch Report on October 13. What happens on the 29th and 10/6 depends on my success at striking the right balance. Stay tuned. And stay cyber-safe.

From SecureTheVillage

• Upcoming Events
  • Fifth Annual LA IEEE Coastal LA Computer Society Cyber Security Summit 2024 – South Bay, October 19.
  • From our friends at CyberWyoming: Wyoming Virtual Cybersecurity Conference, October 23.
  • A Reasonable Approach to Reasonable Security. January 2025.  SecureTheVillage’s 5th Annual Reasonable Security Summit.
• Smaller business? Nonprofit? Take your security to the next level. Apply Now! If you’re a small business or nonprofit in the greater Los Angeles area, apply NOW for LA Cybersecure™. Protect your organization with our innovative team-based learn-by-doing program with coaching and guidance that costs less than two cups of coffee a week.
• IT Service Provider / MSP? Grow revenues. Take your client’s security to the next level. Apply Now!  If you’re an IT service provider in the greater Los Angeles area, apply NOW for LA Cybersecure™. With our innovative team-based learn-by-doing program, you’ll have both that “seat at the table” and the peace of mind that you’re providing your clients with the reasonable IT security management they need. … The LA Cybersecure™ Program is funded in part by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.
• SecureTheVillage FREE Newsletters. Sign up or share with a friend!
  • Cybersecurity News of the Week & Weekend Patch Report. Our award winning newsletter. Essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned.
  • Family Protection Newsletter: Our monthly newsletter for non-cyber experts. For your parents, friends, and those who need to protect themselves in a digital world.
• How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basic controls and download our free updated 13-step guide.
• Please Support SecureTheVillage: We need your help if we’re to build a world of CyberGuardians ^TM. Please donate to SecureTheVillage. Thank you. It takes a village to secure the village.^TM. 

Cybersecurity Nonprofit of the Week  …  The Center for Internet Security

Our kudos this week to the Center for Internet Security (CIS®). CIS® is a community-driven nonprofit responsible for the CIS Controls®, CIS Benchmarks™, and CIS Hardened Images®. … The Center released its newest publication, “A Guide to Defining Reasonable Cybersecurity” at this year’s RSA Conference. … Strong proponents of collaboration and innovation, CIS is also home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®). … SecureTheVillage is a recipient of a grant from the Center’s Allen Paller Laureate Program to support our launch of a Pilot Program to measurably improve the cybersecurity of small and midsize organizations.  … The Center for Internet Security is one of the founders of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits including SecureTheVillage.

Cyber Humor

Section 2: Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

Kudos to Santa Clara County Deputy District Attorney Erin West for her great work on behalf of cyber-fraud victims. Erin’s a hero to us in the field and it’s great to have The Wall Street Journal cover her great work on behalf of victims even as the sad reality is that there’s too many people like Erika DeMask who are having their lives ruined by these kinds of scams.

• ‘Pig-Butchering’ Scams Cost Americans Billions. This Lawyer Is Taking Them On. Prosecutor Erin West has been one of the few to have any success against the criminals perpetrating a new type of fraud. … In 2022, an unusual case came across the desk of Erin West, Santa Clara County Deputy District Attorney Erin West, a California prosecutor who specializes in cybercrime. The victim was a 30-year-old man who thought he had met his soul mate on a dating app until he realized he had been conned out of $300,000. He was so ashamed that at times he was suicidal. … West and her investigative task force pulled off something of a miracle: They recovered about 70% of the man’s money by tracing the funds to a wallet on a cryptocurrency exchange and then obtaining a warrant to freeze and seize it. It was the first time anyone was known to successfully claw back money stolen through a new type of fraud called “pig butchering,” in which scammers build victims’ trust and convince them to invest in bogus schemes. 
• Illinois widow loses $1M life savings after ‘pig butchering’ scam: Erika DeMask thought she’d finally found love again — but instead she lost her entire life savings over a period of several months in a “pig butchering” scam.

Brian Krebs describes a new twist on an old scam. One more reminder of how important it is to always be suspicious online.

• Scam ‘Funeral Streaming’ Groups Thrive on Facebook: Scammers are flooding Facebook with groups that purport to offer video streaming of funeral services for the recently deceased. Friends and family who follow the links for the streaming services are then asked to cough up their credit card information. Recently, these scammers have branched out into offering fake streaming services for nearly any kind of event advertised on Facebook. Here’s a closer look at the size of this scheme, and some findings about who may be responsible.

Section 3: Cybersecurity and Privacy News for the Cyber-Concerned.

Two major law enforcement takedowns this week. Kudos to our FBI and their international partners.

• Global Coalition Takes Down New Criminal Communication Platform: Europol and Eurojust, together with law enforcement and judicial authorities from around the world, have successfully dismantled an encrypted communication platform that was established to facilitate serious and organised crime perpetrated by dangerous criminal networks operating on a global scale. The platform, known as Ghost, was used as a tool to carry out a wide range of criminal activities, including large-scale drug trafficking, money laundering, instances of extreme violence and other forms of serious and organised crime. 
• U.S. and allies seize control of massive Chinese tech spying network: The United States and allied countries said Wednesday they had taken control of a network of 260,000 internet-connected cameras, routers and other devices that the Chinese government had been using to spy on sensitive organizations. … The operation, which occurred last week, took aim at a botnet known as Flax Typhoon, which U.S. officials said was run by a government contractor in Beijing, a publicly traded company called Integrity Technology Group. The FBI won a court order to send the infected devices commands that detached them from the network.

As the election gets closer, it’s becoming clear who Iran and Russia are supporting. While they don’t get to vote, they do get to attempt to alter the outcome. We have to keep our guard up to not be influenced.

• Iranian Hackers Sought to Pass Off Pilfered Information to Biden Team: The emails were part of a sweeping effort by Iran to steal and disseminate sensitive internal communications between aides working for former President Donald J. Trump.
• Russian cyber operatives shift focus to Harris campaign, Microsoft say: Russia is now throwing all of its disinformation resources behind operations designed to undermine the Harris-Walz campaign, according to a Microsoft report released Tuesday.

 In a major ethical breach, it turns out LinkedIn has been training their AI on our data without telling us or giving us the opportunity to opt-out. Memo to Congress: Pass opt-in.

• How to stop LinkedIn from training AI on your data: LinkedIn limits opt-outs to future training, warns AI models may spout personal data. … LinkedIn admitted Wednesday that it has been training its own AI on many users’ data without seeking consent. Now there’s no way for users to opt out of training that has already occurred, as LinkedIn limits opt-out to only future AI training.

Instagram has updated its platform for teenagers in response to intensifying pressure over children’s safety online. While it may be a good start it’s not a substitute for strong laws and regulations to protect our children.

• Instagram, Facing Pressure Over Child Safety Online, Unveils Sweeping Changes: The app, which is popular with teenagers, introduced new settings and features aimed at addressing inappropriate online contact and content, and improving sleep for users under 18. … Instagram unveiled a sweeping overhaul on Tuesday to beef up privacy and limit social media’s intrusive effects for users who are younger than 18, as the app faces intensifying pressure over children’s safety online.

Healthcare security is again in the news.

• Cyberattacks plague health care. Critics call the federal response ‘inadequate’: Central Oregon Pathology Consultants has been in business for nearly 60 years, offering molecular testing and other diagnostic services to patients east of the Cascade Range. … Beginning last winter, it operated for months without being paid, surviving on cash on hand, practice manager Julie Tracewell said. The practice is caught up in the aftermath of one of the most significant ransomware attacks in American history: the February hack of payments manager Change Healthcare.
• Data on nearly 1 million NHS patients leaked online following ransomware attack on London hospitals: People with symptoms of sensitive medical conditions, including cancer and sexually transmitted infections, are among almost a million individuals who had their personal information published online following a ransomware attack that disrupted NHS hospitals in London earlier this year, according to an analysis shared with Recorded Future News.

Two big legal settlements this week.

• 23andMe Agrees to $30M Settlement That Could Pay $10,000 to Data Breach Victims: Personal information for nearly half of the popular genetic testing company’s customers — 6.9 million people — were exposed in the data breach.
• AT&T to pay $13 million FCC settlement for 2023 data breach: AT&T has agreed to pay $13 million to resolve a Federal Communications Commission (FCC) investigation into whether the telecom giant was adequately protecting customer data. … The investigation centered on a January 2023 incident where hackers infiltrated the cloud environment of an AT&T vendor and stole troves of customer information. The FCC was looking into whether AT&T did enough to stop the attack and more generally keep customer data safe.

This week in cybercrime. The known largest ransomware payment. Columbus, OH struggles to get out from under a cyberattack while suing a whistleblower who found resident information on the dark web. Seattle refuses to pay ransom.

• Cencora pays $75 million in Bitcoin in the largest known case of ransomware attack: Cencora Inc., a major drug distributor, paid $75 million in Bitcoin (BTC) to hackers following a ransomware attack, marking the largest known cyber extortion payment to date. As reported by Bloomberg, the payment was made in three installments in March after Cencora discovered a data breach in February.
• Columbus data breach: 21% of city systems still down, IT chief says: More than 20% of Columbus’ systems are still down nearly two months after this summer’s cyber attack against the city, Sam Orth, Mayor Andrew Ginther’s technology chief, revealed in his second weekly update to City Council on the incident.
• Dark web researcher warned Columbus, Ohio, residents ransomware attack was bigger than mayor said. The city is suing him: An IT researcher based in the city who tracks the dark web and cybercrime accessed three terabytes of hacked data, and warned through the media that the breach went much deeper than the city had disclosed to residents. … He was sued by his hometown.
• Port of Seattle’s refusal to pay bitcoin ransom highlights cybersecurity dilemma:The Port of Seattle is dealing with a common conundrum facing victims of a ransomware attack: to pay, or not to pay. … Rhysida, the ransomware group that carried out an Aug. 24 cyberattack on the Port of Seattle last month, reportedly began posting stolen files on the “dark web” as the Port refuses to pay 100 bitcoin, equivalent to around $6 million.
• Construction firms breached in brute force attacks on accounting software: Hackers are brute-forcing passwords for highly privileged accounts on exposed Foundation accounting servers, widely used in the construction industry, to breach corporate networks.

Section 4:  Securing the Technology.

Lots of updating this week.

• Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution: Broadcom on Tuesday released updates to address a critical security flaw impacting VMware vCenter Server that could pave the way for remote code execution. … The vulnerability, tracked as CVE-2024-38812 (CVSS score: 9.8), has been described as a heap-overflow vulnerability in the DCE/RPC protocol.
• 5 New Vulnerabilities Added to CISA’s Known Exploited List: Urgent Action Required: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog. … The vulnerabilities are identified as CVE-2024-27348 (Apache HugeGraph-Server Improper Access Control Vulnerability), CVE-2020-0618 (Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability), CVE-2019-1069 (Microsoft Windows Task Scheduler Privilege Escalation Vulnerability), CVE-2022-21445 (Oracle JDeveloper Remote Code Execution Vulnerability), and CVE-2020-14644 (Oracle WebLogic Server Remote Code Execution Vulnerability).