Cybersecurity News of the Week, June 18, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

This week’s cybersecurity news is being dominated by the impact of the MOVEit breach.

In a nutshell: A supplier to hundreds of companies was breached. These companies had their information stolen.

• MOVEit is a tool used by businesses and other enterprises to share large files across the Internet.
• Clop – a Russian cybercriminals gang – has been exploiting a security flaw in MOVEit since at least May to steal information from MOVEit’s customers.
• Clop has begun posting the names of the hundreds of companies it claims to have information from. It says it will start publishing content from those that do not negotiate an extortion payment on June 21.
• Victims to date include government agencies, financial service firms, oil giant Shell, manufacturing companies, nonprofits, etc.  Louisiana and Oregon warned that all their driver’s licenses had been exposed, including include birth dates and home addresses. Louisiana said Social Security numbers and vehicle registration numbers were also at risk. (Clop has said that it did not mean to hit governments and that it will delete their data, though it could sell that information to others without anyone realizing it.)

The financial impact will be huge.

• It doesn’t take an accountant to realize the enormous costs this breach will have on the hundreds of companies impacted by this breach.
• Victims will have to deal with critical business information stolen. They will also have to deal with breach disclosures triggered by theft of protected customer information.
• Litigation and insurance costs could enter the stratosphere. And with it, profits will be diverted and jobs will be lost.

Let’s take this as an opportunity to improve our own cybersecurity.

• Louisiana and Oregon residents (and everyone else) need to freeze their credit. Everyone needs to be extremely vigilant to phishing attacks based on information in the stolen files.
• Small businesses need to take the MOVEit breach as motivation to manage the continued threat from these supply chain attacks.
  • Review security of your file management tools. Do they offer – and are you using – “zero trust” and other security capabilities? What are their security bona fides? (There are no security certainties as illustrate by the fact that MOVEit is ISO certified.)
  • Review the cybersecurity practices and capabilities of your IT service provider. As part of the review, include how thorough a security review they do of companies whose tools they use to manage your network. Your IT service provider should implement the basic security controls of our Nonprofit of the Week the Center for Internet Security.
• Cyber-professionals in management, technology, law, insurance, law enforcement, and educators, let’s use this as a reminder to remind others. The breach is a reminder that our clients, customers, colleagues, even our friends and neighbors need help understanding what’s going on and applying it to their lives.
• As citizens, the MOVEit breach is a reminder of the importance of Security and Privacy by Design and Security and Privacy by Default, two pillars of the Administration’s National Cybersecurity Strategy.

Links

• Ransomware gang lists first victims of MOVEit mass-hacks, including US banks and universities, TechCrunch
• Energy Department, Other U.S. Government Agencies Hacked in Cyberattack, The Wall Street Journal
• Johns Hopkins impacted by widespread cyberattack, sensitive information may be affected, WBAL-TV
• Millions of Americans’ personal data exposed in global hack, CNN
• The MOVEit ransomware reckoning has begun, The Washington Post
• FACT SHEET: Biden-⁠Harris Administration Announces National Cybersecurity Strategy

New. Family Protection Newsletter: Did you know we created the Family Protection Newsletter, for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. We feature info on how to freeze your credit and what ‘marriage scams’ are in Edition 1. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription! 

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

• How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basics. Please take our short quiz as your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

• Los Angeles Cybersecurity Workforce Coalition: The monthly meeting of the workforce coalition, Tue, July 11, 1:00 pm – 2:00 pm PT. There is no meeting in June

Cyber Humor

Cybersecurity Nonprofit of the Week  …  The Center for Internet Security

Our kudos this week to the Center for Internet Security (CIS®). CIS® is a community-driven nonprofit responsible for the CIS Controls®, CIS Benchmarks™, and CIS Hardened Images®. Strong proponents of collaboration and innovation, CIS is also home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®). SecureTheVillage is a recipient of a grant from the Center’s Allen Paller Laureate Program to support our launch of a Pilot Program to measurably improve the cybersecurity of mid-size and smaller businesses. The Center for Internet Security is one of the founders of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits including SecureTheVillage.

Live on Cyber with Dr. Stan Stahl – Solving the Workforce Gap with Wendy Betts, CISSP, CCSP … On LinkedIn and Your Favorite Podcast Platform.

What will solve the workforce gap? with Wendy J. Betts CISSP, CCS (LinkedIn) (Podcast): While Stan continues his summer holiday, Julie Morris is joined by Wendy Betts, CISSP, CCSP who shares her journey into cybersecurity and discusses the workforce gap in the industry. She emphasizes the need for a wider path for talent in cybersecurity and challenges the traditional requirements of a bachelor’s degree, advocating for a focus on passion and drive instead, and the implementation of apprenticeship programs. She highlights organizations like i.c. stars that successfully train individuals for cybersecurity roles.

Sources and Websites: 

• Follow Wendy on LinkedIn: https://www.linkedin.com/in/wendybetts/

•  WiCyS Women in Cybersecurity: https://www.wicys.org/
•  i.c. stars in Chicago – BUILD A CONSTELLATION OF TALENT: https://www.icstars.org/
•  SecureTheVillage: https//www.SecureTheVillage.org

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

FTC releases list of 5 most common text message scams: The Federal Trade Commission has released its list of the five most common text message scams.They are:

• Copycat bank fraud alerts.
• Bogus gifts.
• Fake package delivery problems.
• Phony job offers.
• Fake retailer security alerts.

The main message: Keep a sharp eye on the texts you receive. If you are unsure, always call or go to a website that you know is real. … According to reports in the FTC’s Consumer Sentinel database, text message scams took consumers for $330 million in 2022. WGAL, Lancaster, PA.

Section 3 – Cybersecurity News for the Cyber-Concerned.

National Cybersecurity

• ‘Aggressive’ China cyberattacks are the ‘defining threat’ of our time, top U.S. cyber official says: China’s cyber-espionage and sabotage capacities are an “epoch-defining threat,” the top U.S. cybersecurity official said, warning that in the event of open warfare “aggressive cyber operations” would threaten critical U.S. transportation infrastructure “to induce societal panic.” … “I think this is the real threat that we need to be prepared for,” Cybersecurity and Infrastructure Security Agency Director Jen Easterly said at an appearance Monday at the Aspen Institute in Washington, D.C. Easterly was responding to a question about the recently disclosed Chinese infiltration of U.S. military and private sector infrastructure. … “It’s going to be very, very difficult for us to prevent disruptions from happening,” Easterly said. “We, as an American people, need to understand not just cyber resilience but the imperative of operational resilience and the importance of societal resilience,” the CISA director said. CNBC.
• How North Korea’s Hacker Army Stole $3 Billion in Crypto, Funding Nuclear Program: Regime has trained cybercriminals to impersonate tech workers or employers, amid other schemes: Last year an engineer working for the blockchain gaming company Sky Mavis thought he was on the cusp of a new job that would pay more money. … A recruiter had reached out to him via LinkedIn, and after the two spoke over the phone, the recruiter gave the engineer a document to review as part of the interview process…. But the recruiter was part of a vast North Korean operation aimed at bringing in funds to the cash-poor dictatorship. And the document was a Trojan Horse, malicious computer code that gave the North Koreans access to the engineer’s computer and allowed hackers to break into Sky Mavis. Ultimately they stole more than $600 million—mostly from players of Sky Mavis’s digital pets game, Axie Infinity. The Wall Street Journal.
• Microsoft identifies new hacking group controlled by Russian intelligence: A hacking group that has carried out attacks targeting organizations in Europe, Latin America and Central Asia has been linked to Russia’s military intelligence agency, according to new research. … Microsoft said Wednesday that the group, which it calls Cadet Blizzard, played a significant role at the beginning of Russia’s cyberwar against Ukraine. About a month prior to the invasion, the group deployed WhisperGate malware, which targeted numerous Ukrainian government computers and websites, while Russian tanks and troops were surrounding the Ukrainian borders waiting to start the offense. The Record.
• Hackers infect Russian-speaking gamers with fake WannaCry ransomware: Researchers have uncovered a phishing campaign targeting Russian-speaking players of Enlisted, a multiplayer first-person shooter. … While researchers haven’t attributed this attack to any particular group, they believe that the campaign is connected to the ongoing war between Russia and Ukraine. The Record.
• Spy Tool Helped FBI Solve Pipeline Hack, Other Major Crimes, U.S. Officials Say: Biden administration pushes to renew spying law that privacy advocates say inappropriately collects data without a warrant. WASHINGTON—Intelligence gleaned through a surveillance program due to lapse at the end of the year helped U.S. investigators solve a 2021 cyberattack that prompted the shutdown of the largest conduit of fuel on the East Coast, and claw back millions of dollars in ransom the pipeline’s operator paid to the perpetrators, senior U.S. officials said. … The disclosure of the use of the law in pursuing the culprits behind one of the most disruptive cyberattacks ever on U.S. critical infrastructure—previously linked to a Russian criminal group—comes as part of a campaign by the Biden administration to rally congressional support for renewing Section 702 before it expires at the end of December, amid growing bipartisan concern about the program’s risks to Americans’ privacy. The Wall Street Journal.

Privacy News

• US intelligence confirms it buys Americans’ personal data: A newly declassified report says the controversial practice raises “significant issues” for Americans’ civil liberties. … A newly declassified government report confirms for the first time that U.S. intelligence and spy agencies purchase vast amounts of commercially available information on Americans, including data from connected vehicles, web browsing data, and smartphones. … By the U.S. government’s own admission, the data it purchases “clearly provides intelligence value,” but also “raises significant issues related to privacy and civil liberties.” … The declassified report is the U.S. government’s first public disclosure revealing the risks associated with commercially available data of Americans that can be readily purchased by anyone, including adversaries and hostile nations. The United States does not have a privacy or data protection law governing the sharing or selling of Americans’ private information. Tech Crunch.
• Denmark looks to curb collection of data on children by Big Tech: COPENHAGEN, June 12 (Reuters) – Denmark aims to raise the age limit for the collection of personal data from children by tech giants such as Google, Snapchat and Meta, in a bid to curb the massive accumulation of data on young people, the government said on Monday. Reuters.
• FCC to establish privacy and data protection task force: The Federal Communications Commission is establishing a privacy and data protection task force to modernize its policies and bolster its enforcement of digital privacy violations, Chairwoman Jessica Rosenworcel announced Wednesday. The Record.
• FTC to take aim at health apps with updated breach notification rules: The Federal Trade Commission is proposing to amend its Health Breach Notification Rule requiring vendors of personal health records to report data breaches to include developers of health applications. … In addition to including health app developers, the proposed amendments would also clarify that a security breach includes data security breaches and unauthorized disclosures; revise the definition of a personal health record (PHR) related entity; clarify what it means for a PHR vendor to draw identifiable health information from multiple sources; modernize the method of notice; expand the content of the notice; and consolidating notice and timing requirements, as well as laying out the penalties for not following the rules. … The Department of Justice finalized a $1.5 million FTC settlement with GoodRx in February that required the company to prevent unauthorized disclosures of consumer data in the future and to ensure compliance of FTC rules. The Good Rx settlement was the first enforcement under the rule. SC Media.
• Genetic testing firm accused by FTC of violating customers’ privacy: The Federal Trade Commission is accusing the genetic testing firm 1Health.io of allegedly failing to secure customers’ genetic and health data and for duping them about the potential for getting their data erased. … The agency also said 1Health failed to adequately notify customers about changes to its privacy policy. The Record.

Cybercrime and Cybercriminals

• CISA advisory on LockBit: $91 million extorted from 1,700 attacks since 2020: FBI, CISA and international organizations released an advisory detailing breadth and depth of LockBit, and how to defend against the most prevalent ransomware of 2022 and (so far) 2023. … A new advisory from a consortium of international organizations, including the Cybersecurity and Infrastructure Security Agency, the FBI and the Multi-State Information Sharing and Analysis Center, details incidents involving LockBit, the most prevalent ransomware since 2022, and recommends mitigations. The growing numbers of hybrid workers are creating even more vulnerabilities, with smaller companies particularly vulnerable. TechRepublic.
• Feds catch another LockBit hacker, Justice Department announces: The Justice Department has arrested and charged a Russian national for his alleged role in multiple LockBit ransomware attacks against victims in the U.S. and around the world. Tech Crunch.

Section 4 – Managing  Information Security and Privacy in Your Organization.

Cyber liability insurance vs. data breach insurance: What’s the difference?: Cyber insurance is increasingly becoming a compulsory element in business relationships. Knowing what coverage meets a company’s specific needs can provide better protection. … With an ever-increasing number of cybersecurity threats and attacks, companies are becoming motivated to protect their businesses and customer data both technically and financially. Finding the right insurance has become a key part of the security equation, which is no surprise given that the average cost of a data breach in the US has risen to $9.44 million — more than twice the global average of $4.35 million. … Companies in the US looking to protect themselves have most likely heard the terms “cyber liability insurance” and “data breach insurance.” While they’re often used interchangeably and many organizations tend to think they’re the same, that’s not the case. … Understanding the distinction is important, as cyber insurance is becoming an integral part of the security landscape. CSO.