A weekly aggregation of important cybersecurity and privacy news helping you navigate the new world of cybersecurity and privacy.
Our lead story is an essay by two of the nation’s top cybersecurity thinkers on the need for collaboration, cooperation, and communication. Their point reflects SecureTheVillage’s core principle: It Takes a Village to Secure the Village™.
In an Era of Real-Time Cyber Threats, No Company Can Go It Alone: COMMENTARY. About the authors: Gen. (Ret.) Keith B. Alexander is the former director of the U.S. National Security Agency and the founding commander of U.S. Cyber Command. He currently serves as the founder, chairman, and co-CEO of IronNet, a cybersecurity company. Tom Fanning is chairman, president, and chief executive officer of Southern Company, a U.S. energy company. He previously served as a commissioner of the Cyberspace Solarium Commission. Barron’s, April 1, 2022
These next two stories expand on the need for increased collaboration in cyber-defense: The threat is rising while the nation’s cybersecurity workforce needs to grow 60% just to meet current demand.
‘Preparation, not panic’: Top US cyber official asks Americans to look out for Russian hacking efforts: The US government is wary about the possibility of a Russian cyberattack on US critical infrastructure paired with Kremlin attempts to spread disinformation about any incident’s effects to sow panic among Americans, a top US cyber official told CNN. CNN Politics, March 26, 2022
As White House Warns of Cybersecurity Threats, 600,000 Jobs Are Open: President Joe Biden has urged U.S. companies to “harden your cyber defenses immediately” amid a growing risk of Russian cyberattacks. For many, that won’t be easy. … The war for talent has been well-telegraphed throughout the country, but it’s particularly acute in cybersecurity. And it’s only worsened as competition in the broader labor market has heated up, heightening both companies’ potential vulnerability to hackers and the urgency to boost the workforce. Bloomberg Technology, March 30, 2022
The Front Page
Other front page cybersecurity and privacy stories.
Kudos to Congress for sending the President new legislation that will provide a more coherent statistical picture of cyber crime.
Cybercrime statistics legislation is ready for president’s signature: For the second time this month, Congress has sent legislation to President Joe Biden that’s designed to keep better track of cybercrime data. CYBERSCOOP, March 30, 2022
With the November election 7 months away, hackers attempt to hack at least 9 states.
Hackers tried to breach email accounts of election officials in 9 states, FBI says: Unidentified hackers tried to breach the email accounts of election officials in nine states last October in an apparent “coordinated effort” to target election officials, the FBI said Tuesday while asking election officials to be on guard for hacking attempts as the midterms approach. CNN Politics, March 29, 2022
Inflation hits cybercrime. Palo Alto Networks’ report shows direct payments to cybercriminals continue to rise for ransomware victims.
Ransomware Payments Hit New Records in 2021 as Dark Web Leaks Climbed, According to New Report from Palo Alto Networks Unit 42: Average ransom demand rose 144% to $2.2 million. Average payment rose 78% to $541,010. Posts on name-and-shame Dark Web leak sites climbed 85%. … Ransomware payments hit new records in 2021 as cybercriminals increasingly turned to Dark Web “leak sites” where they pressured victims to pay up by threatening to release sensitive data, according to research released today from Unit 42 by Palo Alto Networks. Palo Alto Networks, March 24, 2022
SolarWinds class action lawsuit to proceed. The suit raises serious unresolved questions of “reasonable security.”
A Texas judge will allow a class-action lawsuit filed against the company, its executives and investors in the wake of the 2020 Orion breach to proceed. SC Media, March 31, 2022
These next stories are important in showing once again how porous our information systems are. Hackers impersonate police to gather sensitive customer data. Kudos to Senator Wyden for investigating.
Hackers Gaining Power of Subpoena Via Fake “Emergency Data Requests”: There is a terrifying and highly effective “method” that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death. KrebsOnSecurity, March 29, 2022
Fake Emergency Search Warrants Draw Scrutiny from Capitol Hill: On Tuesday, KrebsOnSecurity warned that hackers increasingly are using compromised government and police department email accounts to obtain sensitive customer data from mobile providers, ISPs and social media companies. Today, one of the U.S. Senate’s most tech-savvy lawmakers said he was troubled by the report and is now asking technology companies and federal agencies for information about the frequency of such schemes. KrebsOnSecurity, March 31, 2022
Security Nonprofit of the Week
Our kudos this week to Sightline Security, a nonprofit that helps nonprofits secure and protect their critical information. Their mission is to equip, empower, and support global nonprofits to navigate and embed cybersecurity into their organizations with confidence. Kudos to Sightline Security for their cyber support to the vital nonprofit community.
Cyber Live with Dr. Stan Stahl – Live on LinkedIn
Live on Cyber with Dr. Stan Stahl: Join Julie Morris and me as we put context on the cybersecurity news. … Online bank fraud. Ransomware. Extortion. Your personal social media breached. Often the personal consequence of a lack of cybersecurity isn’t real – until it is. Let’s explore what can happen if we don’t have measures in place. SecureTheVillage, March 30, 2022
SecureTheVillage presents Nicole Perlroth, Award-winning Cybersecurity Journalist and New York Times Bestselling Author. A Virtual Learning Opportunity By & For Leaders in Cybersecurity. May 4, 11:00AM Pacific. Registration now open. Sponsorships still available.
Section 2 – Personal Security and Privacy
Important stories for protecting yourself and your family.
Update your Apple devices without delay as two 0-days are being actively exploited.
Apple rushes out patches for two 0-days threatening iOS and macOS users: Apple on Thursday released fixes for two critical zero-day vulnerabilities in iPhones, iPads, and Macs that give hackers dangerous access to the internals of the OSes the devices run on. With 5 0-days this year, Apple is on track to meet or break its 2021 tally of 12. ars technica, March 31, 2022
Kudos to Wirecutter for their series on simple basic things everyone can do to better protect themselves online.
Every Step to Simple Online Security: Online security is for everyone. Information about your life is spread across dozens, even hundreds, of services—where you shop, communicate, share information, and store files. Losing control of your digital identity can have real consequences, including embarrassing losses of privacy, devastating financial blows, and risks to personal safety. And whether it’s fair or not, the onus is on you to protect yourself. Although the task can seem overwhelming, just a few simple steps are enough to drastically reduce your risks online. NYT Wirecutter, March 31, 2022
Let’s be careful out there.
5 old social engineering tricks employees still fall for, and 4 new gotchas: Despite all the training and warnings, people still fall for these simple social engineering scams. What’s worse, cybercriminals continue to come up with new ones. CSO, March 28, 2022
Section 3 – General Cybersecurity and Privacy Stories
Cybersecurity and privacy stories for those wanting a deeper look.
The Cyberwar in Russia-Ukraine.
US satellite operator says persistent cyberattack at beginning of Ukraine war affected tens of thousands of customers: A multi-faceted cyberattack at the onset of Russia’s war on Ukraine knocked out internet service for tens of thousands of satellite modems in Ukraine and elsewhere in Europe, the US-based telecommunications provider that owns the network said Wednesday. CNN Politics, March 30, 2022
Russian hackers targeted NATO, eastern European militaries: Russian hackers have recently attempted to penetrate the networks of NATO and the militaries of some eastern European countries, Google’s Threat Analysis Group said in a report published on Wednesday. Reuters, March 31, 2022
How Ukraine’s Internet still works despite Russian bombs, cyberattacks: A young girl singing “Let it Go” from Disney’s Frozen movie in a bomb shelter. A Ukrainian band in full combat gear offering to live-stream with pop star Ed Sheeran. And shots of civilians climbing on Russian tanks to brazenly wave the Ukrainian flag. The Washington Post, March 29, 2022
Ukrainian telecom company’s internet service disrupted by ‘powerful’ cyberattack: Ukraine’s state-owned telecommunications company Ukrtelecom experienced a disruption in internet service on Monday after a “powerful” cyberattack, according to Ukrainian government officials and company representatives. Reuters, March 28, 2022
Anonymous’ next cyber target: Western companies still doing business in Russia: Posts from an Anonymous-affiliated Twitter account singled out Western companies, demanding that they immediately cease operating in Russia. CNBC, March 31, 2022
Russian troops’ tendency to talk on unsecured lines is proving costly: Russian troops in Ukraine have relied, with surprising frequency, on unsecured communication devices such as smartphones and push-to-talk radios, leaving units vulnerable to targeting, and further underscoring the command-and-control deficiencies that have come to define Moscow’s month-long invasion, observers say. Stars and Stripes, March 27, 2022
Russian aviation authority switches to paper after losing 65TB of data: Rosaviatsiya has switched to pen and paper after losing 65TB of data. According to sources, it suffered a major cyberattack on Saturday. Cybernews, March 30, 2022
Anonymous Hacks 2 Russian Industrial Firms, Leak 112GB of Data for Ukraine: Anonymous has taken Operation OpRussia a step further by targeting MashOil and RostProekt, which happened to be giants in their respective industries. … The online hacktivist group Anonymous has claimed responsibility for targeting two Russian companies stealing a trove of their data and leaking it online for the public to download. Hackread, March 29, 2022
This next story illustrates a risk that is only going to increase as we increase the complexity of our algorithms.
A Facebook bug led to increased views of harmful content over six months: The social network touts downranking as a way to thwart problematic content, but what happens when that system breaks? … A group of Facebook engineers identified a “massive ranking failure” that exposed as much as half of all News Feed views to potential “integrity risks” over the past six months, according to an internal report on the incident obtained by The Verge. The Verge, March 31, 2022
These next two stories raise the question of “cyber responsibility.” What is the moral responsibility of a technology company to see that its technology is not used by dictators and autocrats to stifle dissent? What is the moral responsibility of a technology company towards fixing the security vulnerabilities in its own products? What legal responsibilities should companies have to fix security vulnerabilities? These questions raise serious concerns about the need for coherent norms, policies, and laws to guide the behavior of technology companies.
Nokia Supported Russia’s ‘Lawful’ Surveillance Program: When Do Technology Firms That Support Autocratic Surveillance Cross the Line? … Finnish technology giant Nokia is facing tough questions over how it helped enable a surveillance program that supports President Vladimir Putin’s autocratic regime. BankInfoSecurity, March 31, 2022
I’m done with Wyze: I just threw my Wyze home security cameras in the trash. I’m done with this company. … I just learned that for the past three years, Wyze has been fully aware of a vulnerability in its home security cameras that could have theoretically let hackers access your video feeds over the internet — but chose to sweep it under the rug. And the security firm that found the vulnerability largely let them do it. The Verge, March 30, 2022
This was an enormous week in cybercrime … including the second biggest haul ever as cyber-criminals stole more than $600 million from a video game maker.
Hackers steal over $600 million from video game Axie Infinity’s Ronin network: The latest crypto hack has targeted a gaming-focused blockchain network that supports the popular video game Axie Infinity. Hackers made off with about $625 million worth of Ethereum and USDC, two cryptocurrencies, in one of the largest crypto hacks of all time. CNN Business, March 29, 2022
Despite Arrests, LAPSUS$ Hacking Group Strikes Again, Hitting IT Supplier: Software services firm Globant confirms it was hacked after the LAPSUS$ group dumps a 70GB archive allegedly stolen from the company. PC, March 30, 2022
Hive ransomware group claims to steal California health plan patient data: The Hive ransomware group, known for attacking healthcare organizations, posted on its dark web site that it has stolen 850,000 personally identifiable information (PII) records from the Partnership HealthPlan of California. VentureBeat, March 29, 2022
Shutterfly discloses data breach after Conti ransomware attack: Online retail and photography manufacturing platform Shutterfly has disclosed a data breach that exposed employee information after threat actors stole data during a Conti ransomware attack. Bleeping Computer, March 29, 2022
Section 4 – Securing the Organization
Stories to support executives and top management in securing their organizations.
For organizations that take or process credit cards, PCI 4.0 is coming.
What You Need to Know About PCI DSS 4.0’s New Requirements: The updated security payment standard’s goal is to “address emerging threats and technologies and enable innovative methods to combat new threats” to customer payment information, the PCI Security Standards Council says. … The PCI Standards Security Council (PCI SSC) published the latest update to the PCI Data Security Standard (PCI DSS) this week. The gold standard for retailers and financial organizations when it comes to protecting sensitive cardholder data, PCI DSS v4.0 shifts the standard’s focus to outcome-based requirements. DARKReading, April 1, 2022
Kudos to the Cybersecurity & Infrastructure Security Agency (CISA) as it continues its excellent work supporting America’s businesses, nonprofits, and others.
CISA Warns of Ongoing Cyber Attacks Targeting Internet-Connected UPS Devices: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DoE) are jointly warning of attacks against internet-connected uninterruptible power supply (UPS) devices by means of default usernames and passwords. The Hacker News, March 29, 2022
CISA Adds 66 Known Exploited Vulnerabilities to Catalog: CISA has added 66 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates. Cybersecurity & Infrastructure Security Agency, March 25, 2022