Cybersecurity News of the Week, July 17, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

No Silver Bullets: Our top story this week is a reminder that there are no “silver bullets” in data care. We’re all taught – rightly so – of the need for Two-Factor Authentication (also known as Multi-Factor Authentication, 2FA, MFA, and a host of other names; all of which only serve to confuse people). Two-Factor Authentication is a critical defense; Number 2 on SecureTheVillage’s Top-8 which we’ll be publishing in the next couple of weeks. But it’s not a silver bullet. There are no silver bullets. #Don’tTrust.AlwaysVerify.

  • Ongoing phishing campaign can hack you even when you’re protected with MFA: On Tuesday, Microsoft detailed an ongoing large-scale phishing campaign that can hijack user accounts when they’re protected with multi-factor authentication measures designed to prevent such takeovers. The threat actors behind the operation, who have targeted 10,000 organizations since September, have used their covert access to victim email accounts to trick employees into sending the hackers money. Ars technica, July 12, 2022

Basic Cyber Hygiene: The next three stories are reminders that we have a personal role to play in protecting information on our devices (and online accounts). Even though I’m surrounded by excellent health and medical care, my health care is still my responsibility. It’s the same with data care. It’s the same with data care. We’re all responsible for protecting the information on our devices and online accounts.

And as the following story shows, the fight is never-ending. Unless you’re a cybersecurity professional, this isn’t the kind of story to lose sleep over. But it is a reminder that we shouldn’t expect our technology to be immune from vulnerabilities. Cyber hygiene is forever.

  • Vulnerability allows hackers to unlock and start Honda cars remotely: The keyless entry vulnerability could potentially impact other non-Honda makes and models … Researchers recently uncovered a vulnerability that could allow hackers to unlock and start multiple Honda vehicle models remotely. The impacted model list identifies 10 of Honda’s most popular models as vulnerable. To make matters worse, the current findings lead researchers to believe that the vulnerability could be present on all Honda vehicles from 2012 through 2022. Techspot, July 9, 2022

Privacy Webinar: SecureTheVillage is hosting a webinar on July 21 at 11:00AM Pacific Time to assist ‘village residents’ understand the risks to their privacy along with what they can do to protect themselves. The privacy challenges raised by the overturning of Roe v. Wade cross political lines and demonstrate that each of us has the personal responsibility to treat our online privacy as a core element of sound data care.

Cyber Humor

Security Nonprofit of the Week … Center for Internet Security

Our kudos this week to the Center for Internet Security (CIS®) and the great work they do to make the connected world a safer place for people, businesses, and governments.  Strong proponents of collaboration and innovation, CIS® is a community-driven nonprofit responsible for the CIS Controls®, CIS Benchmarks, and CIS Hardened Images®. CIS is also home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®). The Center for Internet Security is also one of the founders of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits including SecureTheVillage.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: Join Julie Morris and me as we continue our lively discussion in the context of the  week’s privacy news. Things we need to know and do to protect our privacy. And things we need the government to do to protect our privacy…  and support our ability to protect ourselves. And what SecureTheVillage is doing to help people protect themselves. Bottom Up meeting Top Down.

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

Cybersecurity and personal data care. Don’t leave home without it.

  • 7 cybersecurity tips for your summer vacation!: It’s prime vacation season in the Northern Hemipshere, and in some countries, July and August aren’t just months when some people take some days off, but a period of extended family holidays, often involving weeks away from home or on the road. Sophos, July 15, 2022

The next story shows action by the FTC to protect our online privacy. The four stories that follow all point to the need for Congress and the Administration to give us the laws and regulations we need to protect our security and privacy.

  • FTC puts data collectors and brokers on notice in light of abortion bans: The Federal Trade Commission (FTC) warned this week that it will use “the full scope of its legal authorities” to protect people’s private information following concerns raised by members of Congress, activists and others in light of the recent abortion bans that have gone into effect over the last two weeks. The Record, July 12, 2022
  • Experian, You Have Some Explaining to Do: Twice in the past month KrebsOnSecurity has heard from readers who had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn’t theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts. Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim’s personal information and a different email address. Krebs on Security, July 11, 2022
  • In a Post-Roe World, the Future of Digital Privacy Looks Even Grimmer: The sheer amount of tech tools and knowledge required to discreetly seek an abortion underlines how wide open we are to surveillance. … Welcome to the post-Roe era of digital privacy, a moment that underscores how the use of technology has made it practically impossible for Americans to evade ubiquitous tracking. The New York Times, July 13, 2022
  • Complaints to Government Show Americans’ Slow Descent Into Madness Over Spam Calls: “HOW LONG MUST I FEAR”, wrote one citizen beset by robocalls. … People at the limit of their patience with spam calls have been emailing the chairwoman of the Federal Communications Commission, Jessica Rosenworcel, in a desperate attempt to make the unwanted calls from scammers and robocallers stop. Emails obtained by the transparency site Government Attic under the Freedom of Information Act paint a picture of desperate people who just want the phone to stop ringing. Motherboard, July 13, 2022
  • The nonstop scam economy is costing us more than just money: Relentless waves of sophisticated phone and online scams are impacting people’s mental health … Constant scam attempts can increase stress levels and strain relationships. Their negative impact on mental health is even worse when the scammers target people based on perceived weaknesses, like advanced age, loneliness or an ongoing illness. That anxiety can spread to their worried family members, they say. The Washington Post, July 13, 2022

Section 3 – General Data Care, Cybersecurity, and Privacy Stories

Data Care, cybersecurity and privacy stories for those wanting a deeper look.

Another week in cyber crime. Each week seems to be like the previous week; the weekly equivalent of the movie Groundhog Day. While reading the headlines and extracts below are sufficient for most of these stories, three stand out. The first is  an example of a third-party attack; a ransomware attack on a debt-collection firm serving several hundred health care customers. Here the health care organization’s patients are harmed by a cyber attack on a third-party with which the health care organization shares information. The second is a story of what may be the new “bottom feeders” among cyber criminals; scammers who give restaurants bad reviews and then extort the restaurant to remove the review. And worth delving deeper is a fascinating look at how easy it is to create a false persona for a social engineering attack.

  • A ransomware attack on a debt collection firm could be one of 2022’s biggest health data breaches: A ransomware attack on a little-known debt collection firm that serves hundreds of hospitals and medical facilities across the U.S. could be one of the biggest data breaches of personal and health information this year. Tech Crunch, July 13, 2022
  • $8 million stolen in large-scale Uniswap airdrop phishing attack: Uniswap, a popular decentralized cryptocurrency exchange, lost close to $8 million worth of Ethereum in a sophisticated phishing attack yesterday. Bleeping Computer, July 13, 2022
  • Elden Ring Publisher Confirms Ransomware Hack, Customer Info Possibly Leaked: Bandai Namco, the Japanese publisher behind the Ace Combat, Dragon Ball Z, and Dark Souls games, appears to be the latest major gaming company to suffer a major hack. The ransomware group BlackCat added the Elden Ring publisher to its list of victims earlier today, though it’s not yet clear the extent of the damage or how much money the group is demanding. Kotaku, July 11, 2022
  • LendingTree denies connection to data breach affecting 200,000, but confirms a different one: The financial services giant LendingTree has denied any connection to a reported data breach involving 200,000 loan applications found on the dark web, although the company did confirm that the information of tens of thousands of customers was exposed in a separate breach in February. The Record, July 15, 2022
  • Restaurants Face an Extortion Threat: A Bad Rating on Google: Emails sent to dozens of restaurants, including those with Michelin stars, threaten a barrage of one-star reviews unless owners pay. … In a new scam targeting restaurants, criminals are leaving negative ratings on restaurants’ Google pages as a bargaining chip to extort digital gift cards. The New York Times, July 11, 2022
  • ‘Lives are at stake’: hacking of US hospitals highlights deadly risk of ransomware: The number of ransomware attacks on US healthcare organizations increased 94% from 2021 to 2022, according to one report … Last week, the US government warned that hospitals across the US have been targeted by an aggressive ransomware campaign originating from North Korea since 2021. The Guardian, July 14, 2022
  •  Ransomware is hitting one sector particularly hard, and the impact is felt by everyone: Ransomware attacks against education are on the rise. Many institutions are ill-equipped to deal with the threat, so they pay the ransoms. ZD Net, July 12, 2022
  • The industrial internet of things is still a big mess when it comes to security: Critical infrastructure is increasingly targeted by cyber criminals – and while those responsible for running industrial networks know that securing operational technology (OT) and the Industrial Internet of Things (IIoT) is vital, they’re often struggling with basic cybersecurity hygiene, resulting in networks being left vulnerable to attacks. ZD Net, July 14, 2022
  • How Hackers Create Fake Personas for Social Engineering: And some ways to up your game for identifying fabricated online profiles of people who don’t exist.  DARK Reading, July 15, 2022
  • North Korean Hackers Targeting Small and Midsize Businesses with H0lyGh0st Ransomware: An emerging threat cluster originating from North Korea has been linked to developing and using ransomware in cyberattacks targeting small businesses since September 2021. … The group, which calls itself H0lyGh0st after the ransomware payload of the same name, is being tracked by the Microsoft Threat Intelligence Center under the moniker DEV-0530, a designation assigned for unknown, emerging, or a developing group of threat activity. … Targeted entities primarily include small-to-midsize businesses such as manufacturing organizations, banks, schools, and event and meeting planning companies. The Hacker News, July 15, 2022
  • New ‘Luna Moth’ hackers breach orgs via fake subscription renewals: A new data extortion group has been breaching companies to steal confidential information, threatening victims to make the files publicly available unless they pay a ransom. … The gang received the name Luna Moth and has been active since at least March in phishing campaigns that delivered remote access tools (RAT) that enable the corporate data theft. Bleeping Computer July 12, 2022

And, as we continue to report, all this cyber crime is wreaking havoc on the insurance markets.

Making the cyber crime problem worse is the number of open jobs in cybersecurity, estimated to be in the neighborhood of 600,000. Cybersecurity is a great career with lots of opportunity. Entry-level work does not require a college education. And there are lots of internships and apprentice-programs available. (SecureTheVillage hosts a monthly Cybersecurity Workforce Working Group of security professionals, educators, workforce development, etc. Please email me if you’d like more information.)

  • How to break into cybersecurity, as told by Accenture’s head of cyber: Among the most in-demand industries is cybersecurity. Major companies, including those in the Fortune 500 are in desperate need of the talent, as previously reported by Fortune, but are running out of options of where to turn. One challenge? Cybersecurity requires a wide range of skills to be successful—and not all of them can be taught in a classroom setting. Fortune, July 11, 2022

Meanwhile on the national security front, the NSO Group is back in the news as an American company is said to have explored buying it.

Section 4 – Data Care in the Organization

Stories to support executives and top management in securing their organizations.

The Cybersecurity and Infrastructure Security Agency (CISA) has added a new actively-exploited vulnerability to its “Patch Now” list. A patch for this vulnerability was released this week as part of Microsoft’s Patch Tuesday. Organizations are urged to install this patch as soon as it can be scheduled.

  • CISA orders agencies to patch new Windows zero-day used in attacks: CISA has added an actively exploited local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS) to its list of bugs abused in the wild. This high severity security flaw (tracked as CVE-2022-22047) impacts both server and client Windows platforms, including the latest Windows 11 and Windows Server 2022 releases. Bleeping Computer, July 12, 2022

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge