Cybersecurity News of the Week, March 28, 2021

Individuals at Risk

Cyber Defense

Instagram scams and how to avoid them: Since its launch in 2010, Instagram has seen more than 1 billion accounts opened, and users on the service share close to 100 million photos every day. NakedSecurity, March 22, 2021

Cyber Update

Apple pushes iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3 to supported devices: There are no new features in these updates, just a security fix. ars technica, March 26, 2021

Cyber Warning

New Android malware with full range of spying capabilities has been found: Despite its sophistication, the app can be easy for more experienced users to spot. ars technica, March 26, 2021

Fleeceware Apps Bank $400M in Revenue: The cache of apps, found in Apple and Google’s official marketplaces, is largely targeted towards children, including several “slime simulators.” ThreatPost, March 25, 2021

Nearly Half of Popular Android Apps Built With High-Risk Components: Information leakage and applications asking for too many permissions were also major issues, according to a survey of more than 3,300 popular mobile applications. DarkReading, March 25, 2021

Cyber Humor

Information Security Management for the Organization

Cybersecurity in the C-Suite & Board

Boards still aren’t taking cybersecurity seriously, warns new NCSC boss. That means everyone is at risk: Organisations aren’t in a position to be complacent about cybersecurity, says NCSC CEO Lindy Cameron, who warns of threats from ransomware to attacks against critical infrastructure. ZDNet, March 26, 2021

Information Security Management

Enterprise Cybersecurity Measurement: On Feb. 4, 2021, the New York State Department of Financial Services issued guidance on the cyber insurance market to foster more robust industry approaches to “managing and reducing the extraordinary risk we face from cyber intrusions.” Critical elements of that guidance include expectations that insurance companies should “rigorously measure insured risk” and “incentivize the adoption of better cybersecurity measures by pricing policies based on the effectiveness of each insured’s cybersecurity program.” This follows a separate recommendation last year from the Cyberspace Solarium Commission to establish a Bureau of Cyber Statistics. The commission envisioned that the bureau would be “the government statistical agency that collects, processes, analyzes, and disseminates essential statistical data on cybersecurity, cyber incidents, and the cyber ecosystem to the American public, Congress, other federal agencies, state and local governments, and the private sector.” Lawfare, March 26, 2021

5 tips for implementing a zero trust model: As attackers increasingly target less traditional users, accounts and assets, organizations should consider such a process to tighten security, says CyberArk. TechRepublic, March 25, 2021

Three billion phishing emails are sent every day. But one change could make life much harder for scammers: Phishing attacks remain extremely popular with cyber criminals – but by applying DMARC, organisations can help thwart them. ZDNet, March 23, 2021

5 reasons why (not only) financial companies struggle with cybersecurity: Why do many organizations have a hard time keeping up with the evolving threat landscape and effectively managing their cyber-risks? WeLiveSecurity, March 22, 2021

Privacy Management

New CCPA Developments: The California Attorney General’s Office has finalized additional regulations implementing the California Consumer Privacy Act of 2018 (the CCPA). The new regulations, found here, are the most recent in a series of regulations that build on the rules last adopted in August 2020. The new regulations have a number of developments that companies doing business in California need to consider. Robert Braun, JMBM Cybersecurity Lawyer Forum, March 24, 2021

Cyber Warning

Ransomware operators are piling on already hacked Exchange servers: The fallout from the Microsoft Exchange server crisis isn’t abating just yet. ars technica, March 23, 2021

Cybersecurity in Society

Cyber Crime

20 Tales of Online Fraud and How to Fight It: How many types of digital fraud are there? Might as well count the shades of color in a rainbow, says Dan Woods, vice president of F5 Networks’ Shape Intelligence Center: “I’d say they’re infinite.” SecureTheVillage President Stan Stahl is quoted. CISO Series, March 26, 2021

CompuCom Malware Attack Expected To Cost Company $20M: Office Depot subsidiary CompuCom admitted Friday it wasn’t able to substantially restore its service delivery capabilities until March 17, 16 days after a crippling malware attack took place. CRN, March 26, 2021

Insurance Giant CNA Hit with Novel Ransomware Attack: The incident, which forced the company to disconnect its systems, caused significant business disruption. ThreatPost, March 26, 2021

New wave of ‘hacktivism’ adds twist to cybersecurity woes: (Reuters) – At a time when U.S. agencies and thousands of companies are fighting off major hacking campaigns originating in Russia and China, a different kind of cyber threat is re-emerging: activist hackers looking to make a political point. Reuters, March 25, 2021

Average ransomware payouts shoot up 171% to over $300,000: Organisations hit by ransomware attacks are finding themselves paying out more than ever before, according to a new report from Palo Alto Networks. The State of Security, March 25, 2021 Gets Hacked, Spilling Gun Owner Information All Over the Dark Web: Watch out, firearm lovers. The subtly-named, a place where Americans can go to pick out whatever stylish boomstick they like and have it shipped straight to their neck of the woods, seems to have a pretty awful data breach on its hands. Gizmodo, March 25, 2021

Almost $2 billion lost to BEC scams in 2020: Nearly half of reported cybercrime losses in 2020 were the result of BEC fraud, according to an FBI report. WeLiveSecurity, March 23, 2021

Phish Leads to Breach at Calif. State Controller: A phishing attack last week gave attackers access to email and files at the California State Controller’s Office (SCO), an agency responsible for handling more than $100 billion in public funds each year. The phishers had access for more than 24 hours, and sources tell KrebsOnSecurity the intruders used that time to steal Social Security numbers and sensitive files on thousands of state workers, and to send targeted phishing messages to at least 9,000 other workers and their contacts. KrebsOnSecurity, March 23, 2021

Cyber Surveillance

Facebook shuts down hackers who infected iOS and Android devices: Facebook shuts down hackers who infected iOS and Android devices. ars technica, March 24, 2021

Cyber Espionage

McAfee Discovers a Cyber Espionage Campaign Targeting 5G Technology Firms Using Spoofed Huawei Website: Researchers at McAfee discovered cyber espionage campaigns targeting telecommunications companies linked to 5G technology. CPO, March 25, 2021

Cyber Defense

Google exposes nine-month counter-terror hacking op by ‘friendly’ government, raising questions about what makes an ally: A Google hacking team has exposed — and shut down — an expert counterterrorism hacking operation by a supposed US ally. While the report hid most details, it raised troubling questions on what constitutes an ally in cyberspace. RT, March 28, 2021

National Cybersecurity – Solar Winds

Senators Offer to Let NSA Hunt Cyber Actors Inside the US: After SolarWinds hack, Gen. Nakasone seeks some sort of a fix for the cybersecurity ‘blind spot’ against Russia, China, but others cite privacy concerns in potential expanded authorities. DefenseOne, March 25,2021

How Should the U.S. Respond to the SolarWinds and Microsoft Exchange Hacks?: Over the past two months, news has broken that Russia and China, the United States’s two primary geopolitical adversaries, have both executed major cyber operations against the networks of American companies and government agencies. On their faces, the two attacks share much in common. At least at this early stage, both appear to have been espionage operations designed to give foreign intelligence agencies access to sensitive targets and to steal emails, documents and other data that would be of value to the Russian and Chinese governments. Both attacks were far reaching, affecting tens of thousands of American networks and testing the limits of U.S cyber defense capabilities and the country’s broader cybersecurity strategy. Lawfare, March 12, 2021

National Cybersecurity

New Software Vendor Standards Coming Within Weeks, CISA Head Says: The White House is leading an interagency effort focused on software development that will determine federal procurement of information technology. NextGov, March 23, 2021

The Microsoft Exchange Hack and the Great Email Robbery: As I write this, the world is probably days away from the “Great Email Robbery,” where a large number of threat actors around the globe are going to pillage and ransom the email servers of tens of thousands of businesses and local governments. Or at least pillage those that the purported Chinese actors haven’t already pillaged. Lawfare, March 9, 2021


Recommendations to the Biden Administration On Regulating Disinformation and Other Harmful Content on Social Media: Produced by the Harvard Kennedy School Mossavar-Rahmani Center for Business and Government and the NYU Stern Center for Business and Human Rights, this white paper recommends a range of steps the Biden Administration should take to counter disinformation and other harmful content on major social media platforms. In recent years, the spread of disinformation online has eroded crucial democratic institutions and discourse, especially in connection with elections and with disproportionate impact on underrepresented communities. The Administration should move swiftly to address this threat in a variety of ways. TechPolicy, March 23, 2021

Cyber Defense

Engineer reports data leak to nonprofit, hears from the police: A security engineer and ex-contributor to an open systems non-profit organization recently reported a data leak to the organization. BleepingComputer, March 25, 2021

Cyber Talent

Women in Cybersecurity: Why Diversity Matters: March is Women’s History Month, so it’s a perfect time of the year to look back and see how far women in cybersecurity have come. From pioneering tech to achieving a gender-equal future in today’s world, it’s a story of invention, strength and achievement. SecurityIntelligence, March 24, 2021

Cyber Research

DARPA takes step toward ‘holy grail of encryption’:
The U.S. defense department is searching for what could be considered the “holy grail of data encryption,” which would seal up a loophole that allows hackers to access sensitive information while it’s being processed. LiveScience, March 26, 2021

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge