Cybersecurity News of the Week, April 4, 2021

Individuals at Risk

Cyber Privacy

533 million Facebook users’ phone numbers and personal data have been leaked online: A user in a low level hacking forum on Saturday published the phone numbers and personal data of hundreds of millions of Facebook users for free online. BusinessInsider, April 4, 2021

Hackers Are Stealing Sex Vids From Home Security Systems And Selling Them: There’s A Huge Underground Market For Secretly-Filmed Or Hacked Videos. Futurism, April 1, 2021

Cyber Warning

Top Scams Targeting Older Americans in 2021: Here’s how to recognize and protect yourself from these costly cons. AARP, April 1, 2021

Hackers turn to phone calls to infect PCs with malware — what you need to know: Bogus email gets you to call fake tech support, and then the real fun starts. Tom’s Guide, March 31, 2021

Roku setup, activation scam doesn’t include cold calls, bogus links: What to know: All she wanted to do was replace her old Roku device to stream movies and TV shows onto her new TV during the pandemic. If things worked out, she even hoped to use the setup to teach remote classes at a local community college. Detroit Free Press, March 31, 2021

Cyber Humor

“Can you identify the right customer before you release their information” asks a staff training officer.

Information Security Management for the Organization

Cybersecurity in the C-Suite & Board

Canalysis: Cybersecurity investment grows in 2020, but organizations face record data breaches … “Prioritize cybersecurity … or face disaster,” says Canalys Chief Analyst Matthew Ball: “Prioritize cybersecurity and invest in broadening protection, detection and response measures or face disaster,” is the message from Canalys Chief Analyst Matthew Ball. According to the latest analysis from Canalys this is the stark reality facing organizations in 2021. For many, it is too late. Canalysis, March 29, 2021

Information Security Management

SolarWinds attack and the importance of a risk-based approach to cybersecurity: The SolarWinds hack of the software supply chain, which is considered the most significant and far-reaching cyber espionage operation targeting the U.S. government to date, has sparked an important conversation about a new risk-based approach to cybersecurity for federal agencies. Federal News Network, April 1, 2021

What is cyber risk quantification, and why is it important?: One way to get C-level managers and cybersecurity department heads on the same page is to employ cyber risk quantification, as it speaks to costs versus risks. TechRepublic, April 1, 2021

Enterprises Remain Riddled With Overprivileged Users — and Attackers Know It: Attackers commonly focus on finding users with too much privileged access as their ticket to network compromise. What can companies do? DarkReading, April 1, 2021

Exchange Server attacks: Run this Microsoft malware scanner now, CISA tells government agencies: US federal agencies need to immediately begin more clean-up work on potentially compromised Exchange servers. ZDNet, April 1, 2021

NIST Offers Cybersecurity Guide Tailored to Hospitality Industry: A new practical cybersecurity guide from the National Institute of Standards and Technology (NIST) can help hotel owners reduce the risks to a highly vulnerable and attractive target for hackers: the hotel property management system (PMS), which stores guests’ personal information and credit card data. SecureTheVillage CyberLeader Robert Braun, co-chair of JMBM’s Security & Privacy Group is quoted. Mirage News, March 31, 2021

How SolarWinds Is Recovering and Sharing What It Has Learned Over The Last Three Months: What the last few months have been like for SolarWinds — and what the company has learned about data security. MyTechDecisions, March 30, 2021

Cyber Warning

71% of Ransomware Victims Unable to Restore All Data: Kaspersky Research: Approximately 56 percent of ransomware victims paid a ransom last year, according to a survey of 15,000 consumers conducted by global security company Kaspersky. Yet, only 29 percent of ransomware victims were able to restore all their encrypted or blocked files following an attack, regardless of whether they paid a ransom. MSSP Alert, March 30, 2021

Secure The Human

Phishing Tests Are Necessary. But They Don’t Need to Be Evil: Last December, the website hosting company sent 500 employees an email offering a $650 holiday bonus. Unfortunately, the bonus emails were not sent in appreciation for their record year, as indicated by the email — it was a phishing test. Those who clicked the link were rewarded, not with a bonus, but additional cybersecurity training. HBR, April 1, 2021

Cyber Update

FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities: The Federal Bureau of Investigation (FBI) and CISA have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial, and technology services. Gaining initial access pre-positions the APT actors to conduct future attacks. US Cert, April 2, 2021

Cyber Law

CCPA vs. CDPA: Comparing California and Virginia’s data-protection laws: What marketers and data processors need to know about the differences between these laws. Martech, April 1, 2021

Cybersecurity in Society

Cyber Crime

Update on Accellion Cyberattack: UCOP Offers Complimentary Credit Monitoring and Identity Theft Protection for 1 Year. UCDavis, April 2, 2021

CNA website still down nearly two weeks after what the insurance giant is now calling a ‘sophisticated ransomware attack’: It has been nearly two weeks since CNA sustained what it is now calling a “sophisticated ransomware attack,” and the Chicago-based insurance giant’s website remained down Friday afternoon. Chicago Tribune, April 2, 2021

Malware Attack Takes Mass. Auto Inspection System Down: The automobile inspection system remains down in Massachusetts Friday, a day after the calendar turned to a new month that will render scores of March stickers with the number 3 invalid. NBC, April 2, 2021

Stolen Stanford data leaked after Accellion breach: The list of higher education institutions that’ve had student and faculty data stolen and published online after the compromise of a file-transfer application made by the software company Accellion now includes Stanford University, following the appearance this week of school files on a leak site operated by the hacking group believed to be responsible for the ongoing breach. EDScoop, April 2, 2021

Brown University hit by cyberattack, some systems still offline: Brown University, a private US research university, had to disable systems and cut connections to the data center after suffering a cyberattack on Tuesday. BleepingComputer, April 2, 2021

Large Florida school district hit by ransomware attack: The computer system of one of the nation’s largest school districts was hacked by a criminal gang that demanded $40 million in ransom or it would erase files and post students’ and employees’ personal information online. ABC, April 1, 2021

Ubiquiti is accused of covering up a ‘catastrophic’ data breach — and it’s not denying it: Ubiquiti, a company whose prosumer-grade routers have become synonymous with security and manageability, is being accused of covering up a “catastrophic” security breach — and after 24 hours of silence, the company has now issued a statement that doesn’t deny any of the whistleblower’s claims. TheVerge, March 31, 2021

No, I Did Not Hack Your MS Exchange Server: New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name. KrebsOnSecurity, March 28, 2021

Cyber Privacy

Supreme Court’s pro-Facebook ruling could unleash “flood” of robocalls…Congress urged to act quickly to update 1991 law: Robocall systems aren’t “autodialers” if they don’t generate random numbers. ars technica, April 1, 2021

Know Your Enemy

FBI alert on Egregor ransomware highlighted affiliate cybercrime model: An emerging strain of ransomware that was the subject of a recent FBI report is relying on an extortion technique in which attackers publish stolen data to a public website in the event that a victim organization refuses to meet hackers’ demands. Cyberscoop, March 31, 2021

Ransomware: Why we’re now facing a perfect storm: Normalising the act of paying a ransom to cyber criminals does nothing to protect anyone against ransomware, warns report. ZDNet, March 30, 2021

National Cybersecurity – Solar Winds

After SolarWinds, Lawmakers Want Companies to Come Clean About Cyberattacks: Companies fear liability. Privacy activists fear government overreach. Congress fears opening doors to nation-state attackers. Wall Street Journal, April 1, 2021

National Cybersecurity

Hunting the hunters: How Russian hackers targeted US cyber first responders in SolarWinds breach: Washington (CNN)After infiltrating US government computer networks early last year as part of the SolarWinds data breach, Russian hackers then turned their attention to the very people whose job was to track them down. CNN, April 2, 2021

U.S. Cybersecurity Risks: DHS Seeks to Mitigate Six Cyber Issues – MSSP Alert: The Department of Homeland Security (DHS) and its cyber wing will launch a series of 60-day initiatives to tackle the nation’s most pressing cybersecurity threats, DHS Secretary Alejandro Mayorkas told attendees at the annual RSA conference. MSSP Alert, April 1, 2021

Global chip supply chain increasingly vulnerable to massive disruption, study finds: (Reuters) – A new study from a U.S. industry group found that the global semiconductor supply chain has become increasingly vulnerable to natural disasters and geopolitical disruptions because suppliers have become more concentrated in distinct regions. Reuters, April 1, 2021

Cyber Talent

10 pioneering women in information security: As Women’s History Month comes to close, we introduce you (hopefully not for the first time) to some women who broke new ground in infosec, national security, and computer science. CSO, March 30, 2021

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge