Cybersecurity News of the Week, June 11, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

Verizon 2023 Data Breach Investigations Report: Frequency and cost of social engineering attacks skyrocket. Human error continues to play a significant role in breaches across all industries. What you need to know:

  • Cost per ransomware incident doubled over the past two years, with ransomware accounting for one out of every four breaches.
  • Pretexting (Business Email Compromise) has more than doubled since the previous year.
  • The human element is involved in 3 out of 4 breaches.
  • Analysis of the Log4j incident illustrates the scale of the incident and the effectiveness of the coordinated response.

BASKING RIDGE, NJ – Verizon Business today released the results of its 16th annual Data Breach Investigations Report (2023 DBIR), which analyzed 16,312 security incidents and 5,199 breaches. Chief among its findings is the soaring cost of ransomware – malicious software (malware) that encrypts an organization’s data and then extorts large sums of money to restore access.

The median cost per ransomware incident more than doubled over the past two years to $26,000, with 95% of incidents that experienced a loss costing between $1 and $2.25 million. This rise in cost coincides with a dramatic rise in frequency over the past couple of years, when the number of ransomware attacks was greater than in the previous five years combined. That prevalence held steady this year: representing almost a quarter of all breaches (24%), ransomware remains one of the top cyberattack methods.

The human element still makes up the overwhelming majority of incidents and is a factor in 74% of total breaches, even as enterprises continue to safeguard critical infrastructure and increase training on cybersecurity protocols.

“Senior leadership represents a growing cybersecurity threat for many organizations,” said Chris Novak, Managing Director of Cybersecurity Consulting at Verizon Business. “Not only do they possess an organization’s most sensitive information, they are often among the least protected, as many organizations make security protocol exceptions for them. With the growth and increasing sophistication of social engineering, organizations must enhance the protection of their senior leadership now to avoid expensive system intrusions.”

Like ransomware, social engineering is a lucrative tactic for cybercriminals, especially given the rise of those techniques being used to impersonate enterprise employees for financial gain, an attack known as Business Email Compromise (BEC). The median amount stolen in BECs has increased over the last couple of years to $50,000 USD, based on Internet Crime Complaint Center (IC3) data, which might have contributed to pretexting nearly doubling this past year. With the growth of BEC, enterprises with distributed workforces face a challenge of growing importance: creating and strictly enforcing human-centric security best practices.

“Globally, cyber threat actors continue their relentless efforts to acquire sensitive consumer and business data. The revenue generated from that information is staggering, and it’s not lost on business leaders, as it is front and center at the board level,” said Craig Robinson, Research Vice President at IDC. “Verizon’s Data Breach Investigations Report provides deep insights into the topics that are critical to the cybersecurity industry and has become a source of truth for the business community.”

In addition to the increase in social engineering, other key findings in the 2023 DBIR include:

  • While espionage garners substantial media attention, owing to the current geopolitical climate, only 3% of threat actors were motivated by espionage. The other 97% were motivated by financial gain.
  • 32% of yearly Log4j vulnerability scanning occurred in the first 30 days after its release, demonstrating threat actors’ velocity when escalating from a proof of concept to mass exploitation.
  • External actors leveraged a variety of different techniques to gain entry to an organization, such as using stolen credentials (49%), phishing (12%) and exploiting vulnerabilities (5%).

One of the ways that enterprises can help safeguard their critical infrastructure is through the adoption of, and adherence to, industry-leading protocols and practices.

New. Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? It is for your parents, your friends, and anyone who needs to protect themselves in a digital world. Edition 1 features information on how to freeze your credit and what ‘marriage scams’ are. Sign up or share with a friend! Click here to learn more and quickly add it to your free subscription!

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz; your answers will help you and guide us in improving community safety.

Upcoming events. Please join us.

Cyber Humor

Cybersecurity Nonprofit of the Week … The CyberPeace Institute

Kudos this week to the CyberPeace Institute, an independent and neutral nongovernmental organization whose mission is to ensure the rights of people to security, dignity and equity in cyberspace. The CyberPeace Institute is home to the Humanitarian Cybersecurity Center (HCC). The HCC provides expert support and practical free cyber assistance to non-governmental organizations (NGOs), tailored to their needs and located anywhere in the world. Through its Cyber Attacks in Times of Conflict Platform #Ukraine, the CyberPeace Institute is tracking cyberattacks and operations targeting critical infrastructure and civilian objects in Ukraine. The CyberPeace Institute is a member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits including SecureTheVillage.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

Computer Forensics: (Video) (Podcast): Join Julie Michelle Morris in an insightful discussion with Kimberly Pease, CISSP, Partner and Chief Operating Officer at Maryman & Associates, as they explore the world of computer forensics. Gain practical insights into incident response, protecting valuable information, and effective measures to enhance cybersecurity practices in this engaging episode of “Live on Cyber.” Stay tuned for more episodes with Julie and special guests while Stan Stahl, PhD enjoys his summer break.

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.

Act Now

  • Android apps with 30 million downloads contain SpinOk Android malware — delete these now: 92 more Android apps found to contain the malicious SpinOk spyware module. … Following the discovery that over a hundred Android apps with 400 million combined downloads actually contained the SpinOk malware, security researchers have now found that an additional 92 apps are also affected. Tom’s Guide, June 5, 2023

Effective cyber defense starts with knowing what’s going on

  • How Much Do You Know About Phishing? Take Our Quiz. Phishing occurs when someone sends you a bogus communication disguised as a missive from a legitimate source. You have no doubt seen the con artists’ bait dangling in your inbox. But how much do you really know about the subject? Take this quiz and find out. The Wall Street Journal, June 4, 2023 (Free Link)

Section 3 – Cybersecurity News for the Cyber-Concerned.

National Cybersecurity

  • North Korea Makes 50% of Income from Cyber-Attacks: Report: The North Korean regime makes around half of its foreign-currency income from cyber-attacks on cryptocurrency and other targets, a US diplomat has claimed. … A senior official from the Biden administration told Nikkei Asia that attacks directed by the hermit nation had risen sharply since 2018, in lockstep with its nuclear and missile programs. Infosecurity, June 5, 2023
  • New ‘PowerDrop’ malware targeting US aerospace industry: A new malicious PowerShell script is targeting the United States aerospace industry, researchers have found. … Nation-state actors are suspected, researchers wrote, but have not been identified, and it is unclear how the hackers try to gain initial access. The Record, June 6, 2023

Cyber Justice

  • US DOJ Indicts 6 for $6M Business Email Compromise Scam: Alleged Conspirators Each Face Up to 40 Years in Prison. U.S. federal prosecutors unsealed indictments Wednesday against six Houston-area men for an alleged six-month spree of business email compromise thefts adding up to nearly $6 million. The Department of Justice indicted the men on charges of conspiracy to commit wire fraud and conspiracy to commit money laundering. Bank Info Security, June 8, 2023

Victim Compensation

  • San Francisco 49ers agree to pay out victims of 2022 data breach: The San Francisco 49ers have agreed to settle a class action lawsuit stemming from a data breach, reaching a deal to pay out nearly 21,000 affected employees and fans. … Just before Super Bowl LVI, in February 2022, the BlackByte ransomware gang attacked the NFL team, obtaining access to Social Security numbers and other personally identifiable information in an incident first reported by The Record. The group also leaked business documents belonging to the 49ers on its leak site. The Record, June 9, 2023
  • FTC Issues Annual Report on Refunds to Consumers; Agency Returned $392M in 2022: Report shows total amount sent to consumers in each state. … Federal Trade Commission law enforcement actions resulted in more than $392 million in refunds to consumers in 2022, the agency said in its annual report on refunds. More than 1.9 million consumers benefited from FTC refund payments. Federal Trade Commission, June 6, 2023

Protecting Our Kids

  • $20 million FTC settlement addresses Microsoft Xbox illegal collection of kids’ data: A game changer for COPPA compliance: Care About COPPA Compliance may not be the coolest Xbox gamertag, but an FTC action against Microsoft for alleged violations of the Children’s Online Privacy Protection Act Rule suggests it might be a good choice nonetheless. Filed by the Department of Justice on the FTC’s behalf, the $20 million proposed settlement will require Microsoft to bolster privacy protections for kids who use its Xbox gaming system. Federal Trade Commission, June 5, 2023

Free money. Apply now.

  • Scammers Are Now Applying To California Colleges Just To Steal The Financial Aid: A stunning 20% of all applications to California community colleges are now “ghost students,” that is, scammers using someone else’s name to pocket the financial aid and never show up for a single class. … The fraudsters are primarily running this scheme on community colleges, which are required to accept any student’s name that has a high school diploma attached to it, and a Social Security number is not required on an application. The scheme is becoming extraordinarily common for these schools. The Chronicle notes that 460,000 of the 2.3 million online applications to California community colleges since last July are these fraudulent “ghost student” applications — meaning that a full 20% of these college applications are fake. SFist, June 2, 2023

Breach with Potential Major Consequences

  • E-Discovery Company Casepoint Investigates Data Breach After Files Found On Dark Web: The e-discovery company Casepoint is investigating a data breach after a ransomware gang claimed to have over two terabytes of its data, including attorney files, visa details, information from the U.S. government, “and many other things that you have tried so hard to keep.” … Casepoint’s clients include the U.S. Courts, the U.S. Securities and Exchange Commission, the U.S. Department of Defense, the Marriott hotel chain, and the Mayo Clinic, according to TechCrunch and other reports. LawSites, June 1, 2023

Another Week in Cyber Crime. Money stolen. Personal Information put at risk. People can’t work.

  • Another huge US medical data breach confirmed after Fortra mass-hack: Hackers stole another half a million people’s personal and health information during a ransomware attack on a technology vendor earlier this year. … Intellihartx, a Tennessee-based company that handles patient payment balances and collections, said in a notice filed with the Maine attorney general’s office that 489,830 patients had information stolen in the cyberattack targeting its vendor, Fortra. TechCrunch, June 9, 2023
  • BBC, BA and Boots issued with ultimatum by cyber gang Clop: A prolific cyber crime gang thought to be based in Russia has issued an ultimatum to victims of a hack that has hit organisations around the world. … The Clop group posted a notice on the dark web warning firms affected by the MOVEit hack to email them before 14 June or stolen data will be published. … More than 100,000 staff at the BBC, British Airways and Boots have been told payroll data may have been taken. BBC, June 8, 2023. TechTarget reports that the government of Nova Scotia is also a victim. TechTarget, June 8, 2023
  • Outlook.com hit by outages as hacktivists claim DDoS attacks: Outlook.com is suffering a series of outages today after being down multiple times yesterday, with hacktivists known as Anonymous Sudan claiming to perform DDoS attacks on the service. Bleeping Computer, June 6, 2023

New Thinking

  • How Indigenous Groups Are Leading the Way on Data Privacy: Indigenous groups are developing data storage technology that gives users privacy and control. Could their work influence those fighting back against invasive apps? … Even as Indigenous communities find increasingly helpful uses for digital technology, many worry that outside interests could take over their data and profit from it, much like colonial powers plundered their physical homelands. But now some Indigenous groups are reclaiming control by developing their own data protection technologies—work that demonstrates how ordinary people have the power to sidestep the tech companies and data brokers who hold and sell the most intimate details of their identities, lives and cultures. Scientific American, June 7, 2023

Section 4 – Managing Information Security and Privacy in Your Organization.

IT Security Management: Urgent Action Needed.

  • Barracuda Urges Replacing — Not Patching — Its Email Security Gateways: It’s not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware — as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes. Krebs on Security, June 8, 2023.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge