Cybersecurity News of the Week, May 2, 2021

Individuals at Risk

Identity Theft

Experian API Exposed Credit Scores of Most Americans: Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau. KrebsOnSecurity, April 28, 2021

How Identity Thieves Took My Wife for a Ride: Auto insurers try to make it easy to sign up for a policy. Those efforts have given an opening to scammers. The New York Time, April 27, 2021

Experian’s Credit Freeze Security is Still a Joke: In 2017, KrebsOnSecurity showed how easy it is for identity thieves to undo a consumer’s request to freeze their credit file at Experian, one of the big three consumer credit bureaus in the United States. Last week, KrebsOnSecurity heard from a reader who had his freeze thawed without authorization through Experian’s website, and it reminded me of how truly broken authentication and security remains in the credit bureau space. KrebsOnSecurity, April 26, 2021

Cyber Defense

FBI teams up with ‘Have I Been Pwned’ to alert Emotet victims: The data breach notification site now allows you to check if your login credentials may have been compromised by Emotet. WeLiveSecurity, April 29, 2021

Cyber Update

Apple patches severe macOS security flaw: Mac users are being urged to update to macOS Big Sur 11.3 as at least one threat group is exploiting the zero-day bug to sneak past the operating system’s built-in security mechanisms. WeLiveSecurity, April 27, 2021

Cyber Warning

How phishing attacks spoofing Microsoft are evading security detection: The phishing emails use a Microsoft logo within an HTML table, which is not analyzed by security programs, says Inky. TechRepubic, April 28, 2021

4 common ways scammers use celebrity names to lure victims: All that glitters is not gold – look out for fake celebrity endorsements and other con jobs that aren’t going out of fashion any time soon. WeLiveSecurity, April 26, 2021

Cyber Humor

Information Security Management for the Organization

Information Security Management

MITRE Adds MacOS, More Data Types to ATT&CK Framework: Version 9 of the popular threat matrix will improve support for a variety of platforms, including cloud infrastructure. DarkReading, April 30, 2021

Is Multifactor Authentication Changing the Threat Landscape?: Changes to the cybersecurity threat landscape are constant and dynamic: threat actor groups come and go, alter tactics, techniques and procedures (TTPs) and adjust to new defensive mechanisms. Over time, both cyber criminal gangs and nation-state actors endure arrests and swap individuals in what can appear to be an ongoing arms race between good and evil. SecurityIntelligence, April 29, 2021

Ransomware: don’t expect a full recovery, however much you pay: When it comes to all the various types of malware out there, none has ever dominated the headlines quite as much as ransomware. NakedSecurity, April 27, 2021

Cyber Law

Global Data Protection and Security Laws At-A-Glance: Regulation: Personal data protection and privacy law is rapidly evolving in the United States and across the world. However, while some regions, such as the European Union (GDPR), have adopted a more rigid and comprehensive approach, other countries are embracing more sectoral and self-regulated ideologies. Here’s an overview of current APAC regulation. CybersecurityHub, April 28, 2021

Cybersecurity in Society

Cyber Crime

Illinois attorney general’s office was warned about weak cybersecurity before ransomware attack: A state audit released earlier this year warned that Illinois Attorney General Kwame Raoul’s office had a “weaknesses in cybersecurity” that potentially left sensitive information on the agency’s computer network “susceptible to cyberattacks and unauthorized disclosure.” April 30, 2021

More US agencies potentially hacked, this time with Pulse Secure exploits: Zeroday vulnerability under attack has a severity rating of 10 out of 10. ars technica, April 30, 2021

Cyber-attack disrupts cancer care across U.S.: High-tech radiation treatment machines knocked offline following software breach. SecurityInfoWatch, April 28, 2021

Ransomware demands up by 43% so far in 2021, Coveware says: Ransomware hacking groups are getting greedier. Cyberscoop, April 27, 2021

D.C. Police Department Data Is Leaked in a Cyberattack: The department appears to be the third police force to be targeted in a ransomware attack in six weeks, and the 26th government agency hit this year. The New York Times, April 27, 2021

Ransomware attacks at middle market firms jumped significantly in 2020: One-third of middle market organizations reported ransomware attacks in 2020, according to a recent cybersecurity special report from RSM. The consulting firm surveyed 700 middle market executives., April 27, 2021

Malvertisers hacked 120 ad servers to load malicious ads: A malvertising operation known under the codename of Tag Barnakle has breached more than 120 ad servers over the past year and inserted malicious code into legitimate ads that redirected website visitors to sites promoting scams and malware. The Record, April 19, 2021

Cyber Defense

Emotet Malware Taken Down By Global Law Enforcement Effort, Cleanup Patch Pushed to 1.6 Million Infected Devices: The Emotet botnet, widely considered to be the most dangerous of its type in the world, has been dissolved as of April 25. An international law enforcement campaign that began in 2020 culminated in the infiltration and control of the botnet’s infrastructure, with a beneficial payload delivered to infected devices that scrubs the Emotet malware from their systems. CPO, April 30, 2021

Task Force Seeks to Disrupt Ransomware Payments: Some of the world’s top tech firms are backing a new industry task force focused on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and targeting the individuals and finances of the organized thieves behind these crimes. KrebsOnSecurity, April 29, 2021

Know Your Enemy

A ransomware gang made $260,000 in 5 days using the 7zip utility: A ransomware gang has made $260,000 in just five days simply by remotely encrypting files on QNAP devices using the 7zip archive program. BleepingComputer, April 24, 2021

National Cybersecurity – Solar Winds

Before SolarWinds, US officials say SVR began stealthily targeting cloud services in 2018: U.S. national security agencies on Monday continued their concerted efforts to expose hacking techniques used by the Russian intelligence agency allegedly responsible for a historic cyber-espionage campaign aimed at the U.S. government. Cyberscoop, April 26, 2021

National Cybersecurity

Justice Department to undertake 120 day review of cybersecurity challenges: The Justice Department will soon begin a 120 day review of cybersecurity challenges in the midst of escalating cyber threats. TheHill, April 30, 2021

Biden Administration Lays Out 100-Day Plan for Power Grid Cybersecurity: “Bold” Moves Proposed, but Key Information Still Not Available: Responding to a recent general global uptick in attacks on utilities and industrial control systems, and in particular the SolarWinds breach of 2020, the Biden administration has announced a 100-day plan aimed at rapid improvement of US power grid cybersecurity. CPO, April 26, 2021

Cyber Defense

Homeland Security Secretary Backs Call for Mandatory Disclosure of Ransomware Payments: DHS Secretary Alejandro Mayorkas said the department will work with a task force developed by the private sector on ways to tamp down the increase in ransomware attacks. NextGov, April 29, 2021

Civilian Cyber Reserve Program Proposed: Legislation Would Create National Guard-Style Program to Counter Cyberthreats. BankInfoSecurity, April 29, 2021

Cyber Misc

Daniel Kaminsky, Internet Security Savior, Dies at 42: If you are reading this obituary online, you owe your digital safety to him. The New York Times, April 27, 2021

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge