Cybersecurity News of the Week, April 7, 2024

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

Our Top of the News is a warning. That we averted this disaster was a matter of luck. Counting on luck is a terrible risk management strategy.

  • Did One Guy Just Stop a Huge Cyberattack?: A Microsoft engineer noticed something was off on a piece of software he worked on. He soon discovered someone was probably trying to gain access to computers all over the world. … The internet, as anyone who works deep in its trenches will tell you, is not a smooth, well-oiled machine. … It’s a messy patchwork that has been assembled over decades, and is held together with the digital equivalent of Scotch tape and bubble gum. Much of it relies on open-source software that is thanklessly maintained by a small army of volunteer programmers who fix the bugs, patch the holes and ensure the whole rickety contraption, which is responsible for trillions of dollars in global G.D.P., keeps chugging along. … Last week, one of those programmers may have saved the internet from huge trouble. … His name is Andres Freund.

Small and Midsize Organizations. Take your security to the next level. Apply Now! If you’re a small business, nonprofit, or IT / MSP in the greater Los Angeles area, apply NOW for LA Cybersecure, a pilot program with coaching and guidance that costs less than two cups of coffee a week. The LA Cybersecure Pilot Program is funded by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.

Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription! 

How Hackable Are You? Take our test. Find out how hackable you are and download our free updated 13-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short test, as your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

  • Los Angeles Cybersecurity Workforce Coalition: The monthly meeting of the workforce coalition, Tue, May 7, 1:00 pm – 2:00 pm PT. The LA Cybersecurity Workforce Coalition is for employers, educators, government, nonprofits, and others with a professional interest in the cybersecurity workforce challenge.
  • Information Security Threat Briefing – A DFPI / FBI / SecureTheVillage Collaboration: SecureTheVillage in collaboration with the CA Department of Financial Protection and Innovation (DFPI) is hosting a cybersecurity threat briefing specifically designed for financial institutions, other fintech organizations, and their IT service providers, MSPs, insurance brokers, and others. FBI Supervisory Special Agent (SSA) Michael Sohn is the keynote speaker. Friday, April 19, 8:30 am – 10:00 am PT.

Please Support SecureTheVillage.

  • We need your help if we’re to build a world of CyberGuardians™. Please donate to SecureTheVillage. Thank you. It takes a village to secure the village.™

Cyber Humor

Security Nonprofit of the Week … CyberWyoming & CyberWyoming Alliance

Established in 2017, CyberWyoming, a 501(c)(6) nonprofit, combats cyber risks for Wyoming businesses. It fosters collaboration among communities, fortifying state and national cybersecurity through tailored economic development and workforce training. Providing consultancy and education services, it integrates cyberpsychology into training for small business stakeholders. The CyberWyoming Alliance, a 501(c)(3) nonprofit headquartered in Laramie, amplifies cybersecurity awareness across local communities. Targeting diverse groups, it secures grants, tailors programs, and establishes information-sharing networks to disseminate crucial cybersecurity updates. This strategic approach reinforces cybersecurity throughout Wyoming, making a significant impact on various demographics and entities. CyberWyoming is a member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits including SecureTheVillage.

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

  • Apple Turned On a Buried iPhone Setting. You Might Want It Off. The ‘Discoverable by Others’ switch is on by default. Here’s what it does—and why it isn’t as scary as it sounds. … Apple’s newest iPhone software has a switch turned on by default: “Discoverable by Others.” … This creepy-sounding setting is leading people to think their name and location are being shared without their knowledge or consent. That’s not the case, says Apple, but you might want to turn it off anyway.
  • FTC: Americans lost $1.1 billion to impersonation scams in 2023: Impersonation scams in the U.S. exceeded $1.1 billion in losses last year, according to statistics collected by the Federal Trade Commission (FTC), a figure that is three times higher than in 2020. … The agency compiled this data based on 490,000 reported scams in 2023. Of these, 330,000 were for business impersonation complaints and the rest represent government impersonation incidents. … According to the agency, most of the scams were conducted via phone calls, currently in decline, followed by email and text messages, which are on the rise for the third year in a row.

Section 3 – Cybersecurity and Privacy News for the Cyber-Concerned.

The independent Cyber Safety Review Board released its report on Microsoft’s cybersecurity practices. Microsoft needs to do a lot better.

  • Microsoft faulted for ‘cascade’ of failures in Chinese hack: The independent Cyber Safety Review Board’s report knocks the tech giant for shoddy cybersecurity practices, lax corporate culture and a deliberate lack of transparency. … A review board, mandated by President Biden, issued a scathing report Tuesday detailing lapses by the tech giant Microsoft that led to a targeted Chinese hack last year of top U.S. government officials’ emails, including those of Commerce Secretary Gina Raimondo. … The Cyber Safety Review Board’s report, a copy of which The Post obtained before its official release, takes aim at shoddy cybersecurity practices, lax corporate culture and a deliberate lack of transparency over what Microsoft knew about the origins of the breach. It is a blistering indictment of a tech titan whose cloud infrastructure is widely used by consumers and governments around the world. … The board issued sweeping recommendations that if implemented would dramatically strengthen the openness and security of the booming cloud computing industry. … The intrusion, which ransacked the Microsoft Exchange Online mailboxes of 22 organizations and more than 500 individuals around the world, was “preventable” and “should never have occurred,” the report concludes.

In-depth analysis from Foreign Policy: Washington prepares for a worst-case scenario of attacks on critical infrastructure.

  • ‘Everything, Everywhere, All At Once’: U.S. Officials Warn of Increased Cyberthreats: A transnational effort produced stark revelations about the extent of China’s malicious cyberactivities last week, with indictments and sanctions against Chinese government-linked hackers accusing them of targeting foreign government officials, lawmakers, politicians, voters, and companies. The accusations, made by the United States, United Kingdom, and New Zealand, centered mainly on espionage and data theft but also involved what U.S. officials and experts said is an alarming evolution in Chinese cybertactics. … While the main indictment against seven Chinese nationals was brought by the U.S. Justice Department, the Treasury Department’s Office of Foreign Assets Control announced sanctions on two of those individuals and a company linked to China’s Ministry of State Security for targeting U.S. critical infrastructure sectors, including a Texas energy company and a defense contractor that makes flight simulators for the U.S. military. … “What is most alarming about this is the focus is not on data theft and intellectual property theft but rather to burrow deep into our critical infrastructure with the intent of launching destructive or disruptive attacks in the event of a major conflict,” Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said in an interview. 

New FBI report shows 22% increase in reported cybercrime losses compared to 2022.

  • FBI Releases Internet Crime Report: California Received Highest Reported Monetary Losses and Complaints Nationwide … The Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) recently released its annual Internet Crime Report. The report offers critical insights into the cyber threat landscape based on aggregated data from complaints reported during the last calendar year. The 2023 report reveals alarming increases in both the frequency and financial impact of online fraud perpetrated by cybercriminals. In 2023, the IC3 received a record number of complaints from the American public: 880,418 complaints with potential losses exceeding $12.5 billion, which is nearly a 10% increase in complaints and a 22% increase in losses compared to 2022. In the state-wide rankings, California received both the highest number of complaints and reported losses, with nearly 80,000 complaints and over $2 billion in losses.

New small business survey by MetLife & U.S. Chamber of Commerce shows cyberattack greatest concern.

  • Small Businesses Think Cyberattacks Are Biggest Threat, Survey Shows: The MetLife & U.S. Chamber of Commerce Small Business Index for Q1 2024 surveyed respondents about future threats and crisis planning. The survey includes compelling findings on how small businesses perceive—and plan to respond to—those threats. … Small businesses say cybersecurity attacks are the threat they’re most concerned about. … A majority (60%) of small businesses say cybersecurity threats, including phishing, malware, and ransomware, are a top concern.

The Brooklyn DA has seized nearly two dozen web domains associated with ‘pig butchering’ scams.

  • Brooklyn prosecutors target ‘pig butchering’ crypto scam that cost victims millions: Prosecutors in Brooklyn seized nearly two dozen web domains associated with a scheme known as “pig butchering,” in which scammers strike up online conversations with unsuspecting victims, gain their trust and then steer them into bogus cryptocurrency investments. … Brooklyn-based victims were scammed out of at least $5 million after they were convinced to invest in cryptocurrency by someone they met through a random text message, a dating site or through a WhatsApp group, according to the Brooklyn District Attorney’s Office.

In a lawsuit, Google has sued developers in China it accuses of distributing applications through the Play Store that were used in ‘pig butchering’ scams.

  • Google sues two crypto app makers over allegedly vast “pig butchering” scheme: Crypto and other investment app scams promoted on YouTube targeted 100K users. … Google has sued two app developers based in China over an alleged scheme targeting 100,000 users globally over four years with at least 87 fraudulent cryptocurrency and other investor apps distributed through the Play Store. The tech giant alleged that scammers lured victims with “promises of high returns” from “seemingly legitimate” apps offering investment opportunities in cryptocurrencies and other products. Commonly known as “pig-butchering schemes,” these scams displayed fake returns on investments, but when users went to withdraw the funds, they discovered they could not.

Meanwhile it appears the Lockbit ransomware gang is having trouble reconstituting itself three months after several governments took them down.

  • LockBit Ransomware Takedown Strikes Deep Into Brand’s Viability: Nearly three months after Operation Cronos, it’s clear the gang is not bouncing back from the innovative law-enforcement action. … Despite the LockBit ransomware-as-a-service (RaaS) gang claiming to be back after a high-profile takedown in mid-February, an analysis reveals significant, ongoing disruption to the group’s activities — along with ripple effects throughout the cybercrime underground, with implications for business risk.

A law firm has sued its IT provider and backup provider over a breach. What makes this story extra-strange is that there was apparently no formal contract between the parties. How does a law firm not have a contract with a critical supplier? And how does an IT vendor not have a contract defining its terms-of-service?

  • MSP, Backup Vendor Sued Over Cybersecurity Breach: Are managed service providers liable for cybersecurity breaches experienced by their clients? A lawsuit in California is exploring this legal question. … A Sacramento, California law firm Mastagni Holstedt is alleging that its MSP, privately-owned Sacramento-based LanTech LLC failed to protect it from a ransomware attack that took down its systems. … The firm is seeking more than $1 million in damages. The firm employs 42 attorneys. The firm is also suing backup vendor Acronis.

This week in cybercrime.

  • US Cancer Center Data Breach Impacting 800,000: Cancer treatment and research center City of Hope this week started notifying over 800,000 individuals that their personal and health information was compromised in a data breach. … The data breach occurred between September 19 and October 12, 2023, the center notes in a notification letter to the impacted individuals, a copy of which was submitted to the Maine Attorney General’s Office. … During that time frame, an unauthorized third party accessed a subset of City of Hope systems and copied some files containing the affected individuals’ information. … The stolen data, the organization says, includes names, dates of birth, email addresses, phone numbers, driver’s license numbers, ID numbers, Social Security numbers, bank account numbers, credit card details, health insurance information, and medical information.
  • Omni Hotels says widespread outages caused by cyberattack: Omni Hotels & Resorts confirmed on Wednesday evening that recent technology outages were caused by a cyberattack that was first discovered last Friday. … The U.S.-based chain — which operates 50 hotels and resorts across North America — has been dealing with technological issues all week, making it difficult for guests to check in and make new reservations. … Customers have flooded social media platforms with complaints about a range of issues they endured when staying at Omni-owned hotels this week.
  • Panera Bread week-long IT outage caused by ransomware attack: Panera Bread’s recent week-long outage was caused by a ransomware attack, according to people familiar with the matter and emails seen by BleepingComputer. … BleepingComputer has learned that a ransomware attack encrypted many of the company’s virtual machines, preventing access to data and applications. The company has since restored some of its systems from backups.
  • Japanese optics company Hoya says cyber incident affected production: Hoya Corporation, one of the world’s largest manufacturers of lenses and other optical gear, said on Thursday that a possible breach of its systems has affected some production plants and the ordering system for some products.
  • As Birmingham computer outage continues, city using paper time sheets: For weeks, Birmingham city workers have been conducting business the old-fashioned way — on paper — as many computer systems experienced what Mayor Randall Woodfin’s office called a “network disruption.” … Multiple government sources have said that the city is the victim of a ransomware attack, with hackers gaining access to the city’s computer systems and demanding payment for the city to get its data back.

And in an odd story, it seems like one of the hackers of Prisma Finance has offered to return some of the $11 million he stole in return for a press conference confessing to their inadequate cybersecurity.

  • Prisma Finance hacker defends exploit, demands public apology: One of the wallets tied to the hack of Prisma Finance, a liquid staking protocol that was exploited for $11 million by multiple attackers on Mar. 28, has claimed to be a “white-hat” hacker interested in returning funds to the protocol, rather than a “black-hat” hacker who would keep the funds for themself. … Before considering returning the funds, the hacker has demanded that the Prisma Finance team hold an online press conference, identify themselves publicly, apologize to users and investors, and praise the hacker for working with them to solve the issue. … In an on-chain message to Prisma Finance, the hacker criticizes the Prisma team for not catching the mistake, and claims that the press conference would help send a message to the entire decentralized finance space. “I hope this would help ppl be more careful participating in defi, the teams would be more responsible, and everyone would change their minds about things like this,” the hacker wrote in an on-chain message to Prisma Finance.

Section 4 – For the technology-minded.

  • New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts: Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named ‘Tycoon 2FA’ to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. … The PhaaS kit shares similarities with other adversary-in-the-middle (AitM) platforms, such as Dadsec OTT, suggesting possible code reuse or a collaboration between developers.
  • Vulnerability database backlog due to increased volume, changes in ‘support,’ NIST says: The National Institute of Standards and Technology (NIST) blamed increases in the volume of software and “a change in interagency support” for the recent backlog of vulnerabilities analyzed in the organization’s National Vulnerability Database (NVD). … For years, the NVD has been an invaluable resource for cybersecurity experts and defenders who rely on it for key information about vulnerabilities. … But in mid-February, important metadata from the NVD was removed and the organization struggled to process waves of new vulnerabilities. NIST posted a notice on its website claiming it was “working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.” 
  • Cisco Warns of Vulnerability in Discontinued Small Business Routers: Cisco says it will not release patches for a cross-site scripting vulnerability impacting end-of-life small business routers. … Tracked as CVE-2024-20362 and remotely exploitable without authentication, the flaw impacts the small business RV016, RV042, RV042G, RV082, RV320, and RV325 routers, which have been discontinued and no longer receive security patches. … While Cisco says it is not aware of this vulnerability being exploited in the wild, there are no workarounds for the bug and users are advised to migrate to a supported product. Discontinued Cisco networking devices are known to have been exploited in attacks.
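Why an adversary-in-the-middle kit like the Tycoon 2FA platform described above defeats one-time-code 2FA, and why it does not defeat an origin-bound authenticator, is easier to see in code than in prose. The following is an added illustration written for this newsletter; it is not code from the article, from the phishing kit, or from Microsoft or Google. The hostnames, user and passwords are constructed for the demo, the one-time code is reduced to a single fixed time window, and the authenticator's ECDSA signature is stood in for by an HMAC-SHA256 over the same message layout (authenticatorData followed by SHA-256 of clientDataJSON) so the script runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed hostnames: the real identity provider, and the lookalike domain
# a reverse-proxy phishing page sits on.
LEGIT_ORIGIN = "https://login.example-idp.com"
LEGIT_RP_ID = "login.example-idp.com"
PHISH_ORIGIN = "https://login.example-idp.com.evil-proxy.test"


class IdentityProvider:
    """Toy IdP with two login paths: password + one-time code, and a
    WebAuthn-style signed assertion that is bound to the browser origin."""

    def __init__(self):
        self.passwords = {}    # user -> password (demo only; never store plaintext)
        self.otp_secrets = {}  # user -> secret behind the 6-digit code
        self.cred_keys = {}    # user -> authenticator key (HMAC stand-in for a public key)
        self.sessions = set()

    def register(self, user, password):
        """Enrol a user; returns the key the user's authenticator keeps."""
        self.passwords[user] = password
        self.otp_secrets[user] = secrets.token_bytes(16)
        self.cred_keys[user] = secrets.token_bytes(32)
        return self.cred_keys[user]

    def current_otp(self, user):
        """The code the user's phone shows right now (one fixed time window)."""
        return hmac.new(self.otp_secrets[user], b"window-1", "sha256").hexdigest()[:6]

    def _issue_session(self):
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def login_otp(self, user, password, otp):
        """Classic 2FA: whoever presents the password and the live code gets a
        session, regardless of which web page the user typed them into."""
        if self.passwords.get(user) != password or otp != self.current_otp(user):
            return None
        return self._issue_session()

    def new_challenge(self):
        return secrets.token_hex(16)

    def login_webauthn(self, user, challenge, client_data, auth_data, signature):
        """Relying-party checks: challenge and origin in clientDataJSON must
        match, rpIdHash must be ours, and the signature must cover both."""
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return None
        if cd.get("origin") != LEGIT_ORIGIN:
            return None  # assertion was made on another site: proxy detected
        if auth_data[:32] != hashlib.sha256(LEGIT_RP_ID.encode()).digest():
            return None
        signed = auth_data + hashlib.sha256(client_data).digest()
        expected = hmac.new(self.cred_keys[user], signed, "sha256").digest()
        if not hmac.compare_digest(expected, signature):
            return None
        return self._issue_session()


def authenticator_sign(key, rp_id, browser_origin, challenge):
    """Model of browser + authenticator. The browser, not the page, records the
    origin it is really on in clientDataJSON; the authenticator then signs
    authData || SHA-256(clientDataJSON). (A real browser would also refuse an
    rpId that is not a registrable suffix of the page origin.)"""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    flags, counter = b"\x01", (1).to_bytes(4, "big")
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + counter
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return client_data, auth_data, sig


def aitm_relay_otp(idp, user, password):
    """The kit's winning move: the victim types password and live code into the
    lookalike page; the proxy forwards both to the real IdP inside the code's
    validity window and keeps the resulting session cookie."""
    stolen_otp = idp.current_otp(user)  # victim read it off their phone
    return idp.login_otp(user, password, stolen_otp)


def aitm_relay_webauthn(idp, user, key):
    """Same proxy against a security key: the challenge is relayed faithfully,
    but the browser records the phishing origin, so the IdP rejects it."""
    challenge = idp.new_challenge()
    client_data, auth_data, sig = authenticator_sign(key, LEGIT_RP_ID, PHISH_ORIGIN, challenge)
    return idp.login_webauthn(user, challenge, client_data, auth_data, sig)


def genuine_webauthn(idp, user, key):
    """Control: the same assertion made on the real site is accepted."""
    challenge = idp.new_challenge()
    client_data, auth_data, sig = authenticator_sign(key, LEGIT_RP_ID, LEGIT_ORIGIN, challenge)
    return idp.login_webauthn(user, challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    idp = IdentityProvider()
    key = idp.register("alice", "correct horse battery staple")  # constructed user
    print("AitM relay vs OTP 2FA :", "session stolen" if aitm_relay_otp(idp, "alice", "correct horse battery staple") else "blocked")
    print("AitM relay vs WebAuthn:", "session stolen" if aitm_relay_webauthn(idp, "alice", key) else "blocked")
    print("Genuine WebAuthn login:", "ok" if genuine_webauthn(idp, "alice", key) else "blocked")
```

The practical lesson for defenders is the one the relay demonstrates: a code the user can read and retype is a code the user can be tricked into retyping, so the countermeasure to this class of kit is phishing-resistant MFA (FIDO2 security keys or passkeys) whose assertions are bound to the origin the browser is actually on, backed by conditional-access rules that refuse sessions from unexpected devices or locations.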

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge