Cybersecurity News of the Week, March 14, 2021

Individuals at Risk

Identity Theft

How to Get Hacked and Become a Victim of Identity Theft: Yes, online security can be a drag, but if you’re tempted to click on that fun Facebook quiz or skip your phone update just this one time, here’s what could happen. Kiplinger, March 12, 2021

Cyber Privacy

How confidential are your calls? This iPhone app shared them with everyone: Don’t panic. This isn’t a case of secretive nation-state phone interception methodologies (or spying, as it is often called). NakedSecurity, March 11, 2021

Online health security – when ‘opt out’ isn’t an option: What happens when you try to opt out of e-health to avoid issues in the event of a breach? WeLiveSecurity, March 10, 2021

Cyber Update

Microsoft Patch Tuesday, March 2021 Edition: On the off chance you were looking for more security to-dos from Microsoft today…the company released software updates to plug more than 82 security flaws in Windows and other supported software. Ten of these earned Microsoft’s “critical” rating, meaning they can be exploited by malware or miscreants with little or no help from users. KrebsOnSecurity, March 9, 2021

Information Security Management for the Organization

Cybersecurity in the C-Suite & Board

Actionable Tips for Engaging the Board on Cybersecurity: Up your game with your company’s board of directors to help them understand your cybersecurity priorities. DarkReading, March 11, 2021

4 ways to keep the cybersecurity conversation going after the crisis has passed. CSO, March 8, 2021

Information Security Management

Top 10 Cybersecurity Vulnerabilities of 2020: What cybersecurity vulnerabilities new and old should organizations look out for this year? Let IBM X-Force be your guide to today’s top cybersecurity threats with this detailed report. SecurityIntelligence, March 10, 2021

WFH security lessons from the pandemic: The unplanned worldwide experiment in remote work has been a trial by fire for security pros. Here’s how IT teams have protected work-from-home employees, and what needs to be done moving forward. Computerworld, March 8, 2021

Mitigating the hidden risks of digital transformation: New, cross-discipline risk management techniques are necessary to securely reap the benefits of transformative technologies. CIO, March 8, 2021

Cyber Talent

Why the Demand for Application Development Security Skills Is Exploding: Application development security is a key task when it comes to looking to the future of cybersecurity. A recent industry study shows it is the fastest-growing cybersecurity skill for the year ahead. Demand is expected to increase by 164% over the next five years. Such growth would bump up the total number of job openings requiring this skill from 29,635 in 2020 to 48,601 a few years from now. SecurityIntelligence, March 9, 2021

Cyber Insurance

New York’s DFS publishes a Cyber Insurance Risk Framework: New York’s Division of Financial Services (DFS) now requires Property and Casualty Insurers writing cyber insurance to comply with the Division’s Cyber Insurance Risk Framework to manage their risk. Security Magazine, March 11, 2021

Cybersecurity in Society

Cyber Attack

REvil Group Claims Slew of Ransomware Attacks: The threat group behind the Sodinokibi ransomware claimed to have recently compromised nine organizations. ThreatPost, March 12, 2021

Cyber Attack Taps Operations at Molson Coors: Molson Coors acknowledges meaningful cyber incident in regulatory filing on Thursday. IndustryWeek, March 11, 2021

Hackers access security cameras inside Cloudflare, jails, and hospitals: Cloud-based camera service Verkada exposed hardcoded password—and its customers. ars technica, March 10, 2021

Accellion Attack Involved Extensive Reverse Engineering: Sophisticated Attackers Took the Time to Master a 20-Year-Old Product, FireEye Says. BankInfoSecurity, March 3, 2021

Cyber Attack – Exchange Server

There’s a vexing mystery surrounding the 0-day attacks on Exchange servers: A half-dozen groups exploiting the same 0-days is unusual, if not unprecedented. ars technica, March 11, 2021

Warning the World of a Ticking Time Bomb: Globally, hundreds of thousands of organizations running Exchange email servers from Microsoft just got mass-hacked, including at least 30,000 victims in the United States. Each hacked server has been retrofitted with a “web shell” backdoor that gives the bad guys total, remote control, the ability to read all email, and easy access to the victim’s other computers. Researchers are now racing to identify, alert and help victims, and hopefully prevent further mayhem. KrebsOnSecurity, March 9, 2021

A Basic Timeline of the Exchange Mass-Hack: Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Here’s a brief timeline of what we know leading up to last week’s mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program. KrebsOnSecurity, March 8, 2021

Cyber Privacy

Lawmakers Are Conflating Privacy and Security, and That’s Bad for Everyone: In the world of information technology, the term “privacy” has officially become a homonym. It’s not just the US trying to define privacy 50 different ways; we see great disparities among EU member states regarding enforcement and penalties around GDPR compliance violations. Throw the invalidation of Privacy Shield guidance in the mix this past July, and the task of ensuring organizational compliance around data privacy in the US has truly never been more challenging. How do we move forward when language, even basic definitions, are often at odds or even completely contradictory? CPO, March 12, 2021

Internet Advocates Call on ISPs to Commit to Basic User Privacy Protections…Co-written by EFF, the Internet Society, and Mozilla: As people have learned more about how companies like Google and Facebook track them online they are increasingly taking steps to protect themselves, but there is one relatively unknown way that companies and bad actors can collect troves of data. EFF, March 10, 2021

Know Your Enemy

Growth in Ransomware Attacks in 2020 Driven by Large Gangs, Ransomware-as-a-Service and Credential Dumping: A new report from cyber intelligence firm Group-IB provides a deep analysis of 2020’s ransomware trends, finding that ransomware attacks have now become the most lucrative area of cyber crime. The primary driver has been large and organized ransomware gangs with a preference for targeting large enterprise-scale organizations (a trend referred to as “Big Game Hunting”), with these threat groups taking full advantage of the rapid switchover to remote work during the Covid-19 pandemic. CPO, March 11, 2021

National Cybersecurity

As legislators work toward law requiring companies to alert feds to breaches, key hurdles emerge: After two major hearings on Solarigate, one domestic policy proposal grabbed the spotlight: requiring organizations to alert the government to major cyber incidents in the interest of national security. Experts say the idea has merit – if only legislators can balance the promise with the potential liability and burden placed upon industry. SC Magazine, March 12, 2021

What the first-ever U.S. national cyber director will need to succeed: The greatest espionage act in modern memory was launched with an ancient tactic. Elite hackers embedded a digital Trojan horse within routine software updates from an IT supplier named SolarWinds. Instead of conquering the city of Troy, the invaders penetrated the networks of nine U.S. military and civilian government agencies and numerous Fortune 500 companies. Fortune, March 11, 2021

White House warns organizations have ‘hours, not days’ to fix vulnerabilities as Microsoft Exchange attacks increase: Washington (CNN) The Biden administration warned Friday that organizations face enormous risks from the recently disclosed Microsoft Exchange vulnerabilities that have affected thousands of private organizations. CNN, March 11, 2021

Preparing for Retaliation Against Russia, U.S. Confronts Hacking by China: The proliferation of cyberattacks by rivals is presenting a challenge to the Biden administration as it seeks to deter intrusions on government and corporate systems. The New York Times, March 7, 2021

Cyber Warning

A new type of supply-chain attack with serious consequences is flourishing: New dependency confusion attacks take aim at Microsoft, Amazon, Slack, Lyft, and Zillow. ars technica, March 8, 2021

Cyber Enforcement

Europol Credits Sweeping Arrests to Cracked Sky ECC Comms: Sky ECC claims that cops cracked a fake version of the app being passed off by disgruntled reseller. ThreatPost, March 12, 2021

Cybercriminal Law Enforcement Crackdowns in 2021 … A follow-up on our previous blog, Emotet Disruption, expanding on cybercriminal law enforcement crackdowns in 2021: While many of us have spent the beginning of 2021 at home, shamelessly hitting the “yes I’m still watching” button, international law enforcement has been busy tackling cybercrime. But “busy” might even be an understatement. In the last two months, law enforcement took down a major dark web marketplace, arrested operators of a prolific malware variant, and disrupted two infamous ransomware groups. Now is an ideal time to look back at all this activity and consider the question: what difference do these actions make in the cybercriminal threat landscape? Digital Shadows, March 2, 2021

Cyber Miscellany

Five worthy reads: Understanding quantum computing and its impact on cybersecurity: Five worthy reads is a regular column on five noteworthy items we discovered while researching trending and timeless topics. In this week’s edition, let’s explore how quantum computing works and how it impacts cybersecurity. SecurityBoulevard, March 12, 2021
