Cybersecurity News of the Week, February 19, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

Our top news story this week is from the Guardian. The story is one of several they published in a special investigation exposing the companies and states behind global disinformation campaigns. It’s another in a long history of exposés from The Guardian.

  • ‘Aims’: the software for hire that can control 30,000 fake online profiles: Exclusive: Team Jorge disinformation unit controls vast army of avatars with fake profiles on Twitter, Facebook, Gmail, Instagram, Amazon and Airbnb. …. Revealed: the hacking and disinformation team meddling in elections. … At first glance, the Twitter user “Canaelan” looks ordinary enough. He has tweeted on everything from basketball to Taylor Swift, Tottenham Hotspur football club to the price of a KitKat. The profile shows a friendly-looking blond man with a stubbly beard and glasses who, it indicates, lives in Sheffield. The background: a winking owl. … Canaelan is, in fact, a non-human bot linked to a vast army of fake social media profiles controlled by software designed to spread “propaganda”. … Advanced Impact Media Solutions, or Aims, which controls more than 30,000 fake social media profiles, can be used to spread disinformation at scale and at speed. It is sold by “Team Jorge”, a unit of disinformation operatives based in Israel. The Guardian, February 15, 2023

Next up is a WaPo story of how our sensitive medical information — yours and mine — is being bought and sold by data brokers … all without our knowledge and consent. Congress: Are you paying attention?

  • Now for sale: Data on your mental health: Capitalizing on the pandemic explosion in telehealth and therapy apps that collect details of your mental health needs, data brokers are packaging that information for resale, a new study finds. There’s no law stopping them. … One company advertised the names and home addresses of people with depression, anxiety, post-traumatic stress or bipolar disorder. Another sold a database featuring thousands of aggregated mental health records, starting at $275 per 1,000 “ailment contacts.” … For years, data brokers have operated in a controversial corner of the internet economy, collecting and reselling Americans’ personal information for government or commercial use, such as targeted ads. … But the pandemic-era rise of telehealth and therapy apps has fueled an even more contentious product line: Americans’ mental health data. And the sale of it is perfectly legal in the United States, even without the person’s knowledge or consent. … In a study published Monday, a research team at Duke University’s Sanford School of Public Policy outlines how expansive the market for people’s health data has become. The Washington Post, February 13, 2023

Here’s a story about us, SecureTheVillage. Great thanks to Jeff Berman and MESA for highlighting us.

  • SecureTheVillage Roadmap Includes New Apps, Internship Program: As SecureTheVillage continues its mission to educate, support and advocate for cybersecurity and data privacy, items on its agenda for 2023 include two new apps and an internship program, according to Stan Stahl, PhD, founder and president of the 501(c)(3) organization. … SecureTheVillage is embarking on a mission to make Los Angeles the cyber-safest city in America. Its LA Cybersecure program is organizing a trusted community of security technology, security and privacy management, cyber-law, cyber-insurance, financial services security, cyber-education, law enforcement, and others. … to take information security and privacy to the masses, to the people who need it to stay safe, to keep their businesses safe. MESA M+E Daily, February 17, 2023

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz; your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

  • I’m guesting on the Monthly National Scam Forum, joining hosts Debbie Deem, a retired Victim Specialist for the FBI, and Steve Baker, who is retired from the FTC and the Better Business Bureau. We’ll provide cybercrime information to share with older adult clients to mitigate their risk of being a victim of a cyber fraud or address the damages if they have been a victim of a cybercrime. NAPSA Scam Forum, February 23, 11:00AM PT.
  • SecureTheVillage in collaboration with the CA Department of Financial Protection and Innovation (DFPI) is hosting a cybersecurity threat briefing with FBI SSA Michael Sohn. The briefing is specifically designed for financial institutions and other fintech organizations. Information Security Threat Briefing – A DFPI / FBI / SecureTheVillage Collaboration, February 24, 8:30AM PT.

Cyber Humor … Help your parents stay safe.

Cybersecurity Nonprofit of the Week  …  US Valor

Kudos this week to US Valor, a nonprofit with two intertwined objectives: (1) helping veterans transition back into civilian life and (2) helping America meet our cybersecurity workforce challenge. US Valor does this through an innovative Department of Labor approved Apprenticeship Program. The US Valor Cybersecurity Apprenticeship Program (CAP) is all about helping transitioning military personnel and U.S. Veterans experience a smooth transition from military life to the civilian world through its Department of Labor Registered Apprenticeship Program (RAP). I’m a proud member of US Valor’s Advisory Board and I encourage you to support them.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

Live on Cyber with Dr. Stan Stahl: (Video) (Podcast): Albert Einstein famously said: “We can not solve our problems with the same level of thinking that created them.” Bill Gates clearly articulated the thinking that got us into our cybersecurity mess when he wrote in his 1999 book Business@The Speed of Thought: “How you gather, manage, and use information will determine whether you win or lose.” Where are cybersecurity and privacy in Bill’s prediction, you ask? Exactly!! They’re not. They’re missing. Cybersecurity and privacy did not make it into Bill’s level of thinking until 2002. Join Stan and Julie as they riff on the level of thinking required for cybersecurity and privacy. As always, Stan and Julie provide actionable tips and thoughtful wisdom in a fun conversation on the complexities of cybersecurity and privacy.

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

Patch now. Google Photos users should update the app before installing the iOS update.

  • Patch Now: Apple’s iOS, iPadOS, macOS, and Safari Under Attack with New Zero-Day Flaw: Apple on Monday rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day flaw that it said has been actively exploited in the wild. The Hacker News, February 14, 2023
  • Microsoft Patch Tuesday, February 2023 Edition: Microsoft is sending the world a whole bunch of love today, in the form of patches to plug dozens of security holes in its Windows operating systems and other software. This year’s special Valentine’s Day Patch Tuesday includes fixes for a whopping three different “zero-day” vulnerabilities that are already being used in active attacks. Krebs on Security, February 14, 2023

It’s not just that Bountiful faked their Amazon ratings. It’s that they did it by hijacking the good ratings of another product.

  • FTC Charges Supplement Marketer with Hijacking Ratings and Reviews on Amazon.com and Using Them to Deceive Consumers: As a result of FTC’s first case targeting review hijacking, The Bountiful Company will pay $600,000. … The Federal Trade Commission took action today against a marketer of vitamins and other supplements called The Bountiful Company (Bountiful) for abusing a feature of Amazon.com to deceive consumers into thinking that its newly introduced supplements had more product ratings and reviews, higher average ratings, and “#1 Best Seller” and “Amazon’s Choice” badges…. The case against Bountiful marks the FTC’s first law enforcement action challenging “review hijacking,” in which a marketer steals or repurposes reviews of another product. Bountiful carried out this deceptive tactic by merging its new products on Amazon with different well-established products that had more ratings, reviews, and badges, the FTC said. Federal Trade Commission, February 16, 2023

Section 3 – Cybersecurity News for the Cyber-Concerned.

Because our SEC requires companies to include significant cybersecurity information in their filings, we learned this week that GoDaddy has suffered yet another breach. In this one, the intruders installed malware that redirected visitors of GoDaddy customers’ websites to malicious sites. Given that we would likely never have learned of this breach without the SEC’s disclosure rules, it’s a reminder that a strong national breach disclosure law is an imperative if we are going to slow the growth of cybercrime.

  • GoDaddy says a multi-year breach hijacked customer websites and accounts: Three breaches over as many years all carried out by the same threat actor. … GoDaddy said on Friday that its network suffered a multi-year security compromise that allowed unknown attackers to steal company source code, customer and employee login credentials, and install malware that redirected customer websites to malicious sites. … In a filing Thursday with the Securities and Exchange Commission, the company said that three serious security events starting in 2020 and lasting through 2022 were carried out by the same intruder. … “Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,” the company stated. The filing said the company’s investigation is ongoing. ars technica, February 17, 2023

Next a few good news stories. Kudos to our Secret Service and Department of Justice. And thanks to Spain’s National Police and their High Court. It takes a global village.

  • Spain, U.S. dismantle phishing gang that stole $5 million in a year: Spain’s National Police and the U.S. Secret Service have dismantled a Madrid-based international cybercrime ring comprised of nine members who stole over €5,000,000 from individuals and North American companies. … The cybercrime gang specializes in online scams, employing social engineering, phishing, and smishing to collect sensitive victim details and then use that information to commit financial fraud. … The organization maintained over a hundred bank accounts in various Spanish banks, using them to deposit their criminal proceeds, withdraw cash from ATMs, send it to international accounts, or convert it to cryptocurrency. … As a result of the joint law enforcement operation, the police have arrested eight people in Spain and one in Miami, USA. In addition to the arrests, the police seized luxury items valued at €200,000 and froze assets worth over €500,000. Bleeping Computer, February 13, 2023
  • Russian national with ties to Putin convicted of hacking U.S. companies in $90 million insider trading scheme: “The jury saw Mr. Klyushin for exactly what he is — a cybercriminal and a cheat,” U.S. Attorney for Massachusetts Rachael Rollins said. … A Russian businessman with ties to President Vladimir Putin was convicted Tuesday of participating in a $90 million insider trading scam that relied on confidential information stolen from U.S. companies through computer hacking. NBC News, February 14, 2023
  • Seven Defendants Charged With Million-Dollar Identity Theft And Fraud Scheme: U.S. Attorney Damian Williams said: “These defendants allegedly developed a sophisticated scheme to steal money from innocent victims’ bank accounts. The defendants allegedly stole victims’ identities, hijacked their bank accounts and cellphones, brazenly impersonated them at bank branches throughout the country, and drained their accounts. Thanks to our partners at USPIS, TIGTA, CBP, and HSI, the defendants’ alleged crimes have been brought to a halt.” Department of Justice, February 16, 2023
  • Spanish court authorises extradition of Briton who allegedly hacked Biden, Obama Twitter Accounts: Spain’s High Court on Friday agreed to a U.S. extradition request for a British citizen wanted by the United States over a Twitter hack in 2020 that compromised the accounts of several U.S. politicians including Joe Biden and Barack Obama. Reuters, February 17, 2023

In another it takes a village story, Dragos CEO Robert M. Lee describes how a coalition of government and industry groups thwarted a Russian cyberattack targeted at “around a dozen” electric and gas facilities.

  • Russian-linked malware was close to putting U.S. electric, gas facilities ‘offline’ last year: The malware was targeted at around a dozen U.S. facilities in the weeks after the invasion of Ukraine. … Hackers linked to Russia got very close to being able to take a dozen U.S. electric and gas facilities offline in the first weeks of the war in Ukraine, the head of a top cybersecurity company warned Tuesday. … Robert M. Lee, the founder and CEO of Dragos, which helps companies respond to cyberattacks, said hackers with a group Dragos calls “Chernovite” were using malicious software to try to take down “around a dozen” U.S. electric and liquid natural gas sites. … “This is the closest we’ve ever been to having U.S. or European infrastructure, I’d say U.S. infrastructure, go offline,” Lee told reporters in a briefing. “It wasn’t employed on one of its targets, they weren’t ready to pull the trigger, they were getting very close.” Lee declined to offer details on what prevented the attack from succeeding, but said it was halted by a coalition of U.S. government and cyber industry groups. Politico, February 14, 2023

Our next story is good news for recipients of food assistance, as their losses to card skimmers will soon be reimbursed. It’s also bad news in that the law authorizing reimbursement did nothing to push the states into using modern technology … from chip cards to fraud detection … that would thwart the overwhelming majority of card skimming attempts.

  • New Protections for Food Benefits Stolen by Skimmers: Millions of Americans receiving food assistance benefits just earned a new right that they can’t yet enforce: The right to be reimbursed if funds on their Electronic Benefit Transfer (EBT) cards are stolen by card skimming devices secretly installed at cash machines and grocery store checkout lanes. … On December 29, 2022, President Biden signed into law the Consolidated Appropriations Act of 2023, which — for the first time ever — includes provisions for the replacement of stolen EBT benefits. This is a big deal because in 2022, organized crime groups began massively targeting EBT accounts — often emptying affected accounts at ATMs immediately after the states disperse funds each month. … EBT cards can be used along with a personal identification number (PIN) to pay for goods at participating stores, and to withdraw cash from an ATM. … The protections passed in the 2023 Appropriations Act allow states to use federal funds to replace stolen EBT benefits, and they permit states to seek reimbursement for any skimmed EBT funds they may have replaced from their own coffers (dating back to Oct. 1, 2022). Krebs on Security, February 17, 2023

This next story is a major decision in Illinois on the state’s biometric privacy law. The implications are certain to be far-reaching. It will push legislatures in every state, as they write privacy laws, to be extremely explicit about exactly what constitutes a ‘violation’ and when one accrues.

  • Illinois Supreme Court allows massive damages in biometric privacy cases: The Illinois Supreme Court issued a much-anticipated opinion on the state’s biometric privacy law Friday, leaving the door open for massive damages when companies are found to violate residents’ privacy rights but suggesting lawmakers revisit the issue. … The Supreme Court ruled biometric privacy claims accrue under state law every time a person provides their biometric information without prior informed consent. The court acknowledged this interpretation of the law could leave the door open to massive damages — in White Castle’s case, more than $17 billion, but said “the statutory language clearly supports plaintiff’s position.” St. Louis Post-Dispatch, February 18, 2023

It wouldn’t be the Cybersecurity News of the Week if we didn’t have stories of cybercrime and cyber losses. Even the FBI was hit.

  • Exclusive: FBI says it has ‘contained’ cyber incident on bureau’s computer network: The FBI has been investigating and working to contain a malicious cyber incident on part of its computer network in recent days, according to people briefed on the matter. … FBI officials believe the incident involved an FBI computer system used in investigations of images of child sexual exploitation, two sources briefed on the matter told CNN. … “The FBI is aware of the incident and is working to gain additional information,” the bureau said in a statement to CNN. “This is an isolated incident that has been contained. As this is an ongoing investigation the FBI does not have further comment to provide at this time.” CNN, February 17, 2023
  • Health info for 1 million patients stolen using critical GoAnywhere vulnerability: One of the biggest hospital chains in the US said hackers obtained protected health information for 1 million patients after exploiting a vulnerability in an enterprise software product called GoAnywhere. … Community Health Systems of Franklin, Tennessee, said in a filing with the Securities and Exchange Commission on Monday that the attack targeted GoAnywhere MFT, a managed file transfer product Fortra licenses to large organizations. The filing said that an ongoing investigation has so far revealed that the hack likely affected 1 million individuals. The compromised data included protected health information as defined by the Health Insurance Portability and Accountability Act, as well as patients’ personal information. ars technica, February 15, 2023
  • ‘Phishing’ scam cost small Ohio city $219,000, finance director his job: Phishing-scam training has become a commonplace requirement in many workplaces these days. But not everyone is adhering to its lessons. … When emails from a fake paving company landed in the inbox of an accounting assistant working for a small Ohio city last month, the assistant was hooked. USA Today, February 17, 2023
  • Data exposed in Des Moines schools ransomware attack that disrupted district: Des Moines Public Schools says some data was exposed in a confirmed ransomware attack that caused major disruptions in early January and canceled school for two days. … Interim Superintendent Matt Smith confirmed Friday the data compromise during the cyberattack but said the district is still investigating. Those affected by the data breach will receive a notification letter, he said. No timeline has been set. Des Moines Register, February 17, 2023
  • Royal Mail’s international deliveries in limbo after hack: UK postal and parcel service still locked in £65 million stand-off with ransomware hackers. … The UK postal and parcel delivery company, Royal Mail, has been unable to give a date for when its international operations will resume as it remains locked in a stand-off with hackers. … The cyberattack could potentially end in a large-scale leak of company information. The National News, February 16, 2023

Section 4 – Managing Information Security and Privacy in Your Organization.

Ransomware attacks are expensive no matter what. But they’re a lot less expensive if you’re able to recover your data. And they can be existential if you can’t. Here’s a good piece on thinking through the practicalities.

  • A CISOs Practical Guide to Storage and Backup Ransomware Resiliency: One thing is clear. The “business value” of data continues to grow, making it an organization’s primary piece of intellectual property. … From a cyber risk perspective, attacks on data are the most prominent threat to organizations. … Regulators, cyber insurance firms, and auditors are paying much closer attention to the integrity, resilience, and recoverability of organization data – as well as the IT infrastructure & systems that store the data. The Hacker News, February 14, 2023
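One practicality the piece above points at is proving that a backup is actually recoverable, not just present: ransomware crews routinely encrypt or delete backups before detonating, and a backup you have never verified is a backup you only hope you have. Below is an added example (written for this newsletter, not code from The Hacker News article or its author) that records a SHA-256 manifest of a backup tree, re-verifies the tree against it later, and flags modified files whose byte entropy looks like ciphertext. The entropy threshold, file names and contents in the demo are illustrative assumptions.

```python
"""Backup integrity check: hash manifest plus an entropy heuristic.

Added example, not code from the article or its author. Builds a SHA-256
manifest of a backup tree, verifies the tree against it later, and flags
modified files whose byte entropy looks like ciphertext, which is what an
"available" backup looks like after ransomware has encrypted it too.
Threshold and the demo's file contents are illustrative assumptions.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter

# Assumption: bits per byte above which a modified file is treated as likely
# encrypted. Compressed or already-encrypted archives legitimately run this
# high, so tune per data type rather than applying it blindly.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path):
    """Stream a file through SHA-256 so large backups are never fully loaded."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Shannon entropy in bits per byte: ~0 for repetitive text, ~8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _walk(root):
    """Yield (posix_relative_path, absolute_path) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_manifest(root):
    """Map relative path -> SHA-256 hex digest for every file under root."""
    return {rel: sha256_file(full) for rel, full in _walk(root)}


def save_manifest(manifest, path):
    # Keep the manifest outside the backup root (ideally offline or immutable):
    # an attacker who can rewrite the backup must not be able to rewrite this.
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def verify_backup(root, manifest, sample_bytes=1 << 20):
    """Compare root against manifest; return sorted lists of findings."""
    findings = {"missing": [], "modified": [], "suspicious": [], "extra": []}
    seen = set()
    for rel, full in _walk(root):
        seen.add(rel)
        if rel not in manifest:
            findings["extra"].append(rel)      # e.g. a dropped ransom note
            continue
        if sha256_file(full) != manifest[rel]:
            findings["modified"].append(rel)
            with open(full, "rb") as f:        # entropy of the first sample_bytes only
                if shannon_entropy(f.read(sample_bytes)) > ENTROPY_THRESHOLD:
                    findings["suspicious"].append(rel)
    findings["missing"] = [rel for rel in manifest if rel not in seen]
    return {k: sorted(v) for k, v in findings.items()}


def is_clean(findings):
    return not any(findings.values())


def demo():
    """Constructed scenario: clean verification, then simulated ransomware."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "ledger.csv"), "w") as f:
            f.write("date,amount\n2023-02-01,100\n" * 50)      # constructed data
        with open(os.path.join(root, "docs", "notes.txt"), "w") as f:
            f.write("quarterly notes " * 100)                  # constructed data
        manifest_path = os.path.join(tmp, "manifest.json")     # outside the root
        save_manifest(build_manifest(root), manifest_path)
        manifest = load_manifest(manifest_path)
        before = verify_backup(root, manifest)
        # Simulate an intruder: "encrypt" one file (random bytes stand in for
        # ciphertext), delete another, drop a ransom note.
        with open(os.path.join(root, "ledger.csv"), "wb") as f:
            f.write(os.urandom(64 * 1024))
        os.remove(os.path.join(root, "docs", "notes.txt"))
        with open(os.path.join(root, "README_DECRYPT.txt"), "w") as f:
            f.write("your files are encrypted\n")
        after = verify_backup(root, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean backup:", is_clean(before))
    print("after tampering:", json.dumps(after, indent=2))
```

The hash manifest catches any change; the entropy check only decides whether a changed file looks encrypted rather than legitimately edited, so a "modified but not suspicious" result still deserves a look. Run the verification from a host the backup system cannot write to, and treat a verify that has never been run as equivalent to a backup that does not exist.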

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge