Cybersecurity News of the Week, October 1, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

Our Top of the News is the launch of LA Cybersecure by SecureTheVillage. Through a generous grant from the Center for Internet Security (CIS) Alan Paller Laureate Program, SecureTheVillage has launched a Pilot Program to enable 50 small to midsize organizations to measurably improve their cybersecurity readiness. Through the Pilot Program we will also develop a strategy and budget for a scalable Program to extend the Pilot throughout the Los Angeles region. The Pilot Program is for small to midsize organizations, businesses, nonprofits, and IT service providers (IT/MSPs). Readers can learn more and apply at LA Cybersecure Pilot.

Julie Morris and I discuss the need for the Pilot on our weekly podcast. We talk about the special challenge faced by small and midsize organizations described 18 months ago by Cisco advisory CISO Helen Patton in We are headed for an ecosystem of cyber haves and cyber nots.

New. Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription! 

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz; your answers will help you and guide us in improving community safety.

Upcoming events. Please join us.

Cyber Humor

Cybersecurity Nonprofit of the Week … The Anti Phishing Working Group (APWG)

Kudos this week to the Anti Phishing Working Group (APWG). APWG unifies the global response to common cybercrimes and related infrastructure abuse through technical diplomacy; curation of a real-time clearinghouse of internet event data; development of applied research; and deployment and maintenance of global cybersecurity awareness campaigns. All of us can help APWG help us by forwarding malicious-appearing phishing messages to reportphishing@apwg.org. Like SecureTheVillage, APWG is a fellow member of Nonprofit Cyber.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

Cyber Haves, Have-nots & Announcing LA Cybersecure!: (Video) (Podcast): Are small businesses and nonprofits ready to protect themselves, or sitting ducks in cyber warfare? #Cybersecurity isn’t just about money – it’s about talent, time, and foundational cybersecurity measures. How do we bridge the digital divide of #cyberhaves and #cybernots? … This #LiveonCyber episode unveils LA Cybersecure! A groundbreaking pilot program funded by the Center for Internet Security’s Alan Paller Laureate Program, LA Cybersecure, led by SecureTheVillage, will enable 50 small to midsize organizations to measurably improve their cybersecurity readiness. Be part of the revelation, the movement, the solution. Learn more about the LA Cybersecure pilot and apply! https://securethevillage.org/la-cybersecure-pilot/. Subscribe to Live on Cyber with Stan Stahl, PhD and Julie Michelle Morris, your weekly 15-min update on the latest in privacy and information security affecting your business and community!

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.

Another sad story of a romance scam, as a study shows that too many of our seniors are vulnerable to these despicable attacks.

  • Romance scam: Widow swindled out of life savings, finds out she has no home or companion: Finding love cost a widow more than $70,000. After losing her life savings, she’s sharing her story to try and save others from the same emotional and financial heartbreak. … This scammer didn’t just act fast trying to get this woman’s money. He fostered a relationship with her for months, just long enough for her to let her guard down. … “How he did it, I don’t know but it all looked legitimate,” Jennifer Dennis said.
  • Study finds seniors more vulnerable than assumed to fake government scams: Senior citizens are more vulnerable than previously thought to financial scams impersonating the government, a new study has found. … Seven researchers from Rush University Medical Center and the nonprofit FINRA Investor Education Foundation published the study Friday in JAMA Network Open. Pretending to represent a phony government agency, one researcher contacted 644 older adults in the Chicago area about a potential compromise of personal information related to their Social Security and Medicare benefits. … Researchers found that 16.4% of the residents, who had an average age of 85.6, “engaged without skepticism” with emails, mailers and live telephone calls between October and December of 2021. Nearly three-quarters of the group provided personal information, including the last four digits of their Social Security numbers.

Do you know what to do if your online account has been breached? Here’s some good advice from the Wall Street Journal. One more piece of advice: Freeze your credit!!! Take our test, How Hackable Are You?, for other important recommendations.

Kudos to Wirecutter for pulling a recommendation after Wyze failed to communicate responsibly with users about a security incident.

  • Why We’re Pulling Our Recommendation of Wyze Security Cameras: After six years of reviewing a variety of Wyze security cameras at Wirecutter, we’ve made the decision to suspend our recommendation of them from all our guides. … On September 8, 2023, The Verge reported an incident in which some Wyze customers were able to access live video from other users’ cameras through the Wyze web portal. We reached out to Wyze for details, and a representative characterized the incident as small in scope, saying they “believe no more than 10 users were affected.” Other than a post to its user-to-user online forum, Wyze Communities, and communication to those it says were affected, the company has not reached out to Wyze customers, nor has it provided meaningful details about the incident. … We believe Wyze is acting irresponsibly to its customers. As such, we’ve made the difficult but unavoidable decision to revoke our recommendation of all Wyze cameras until the company implements meaningful changes to its security and privacy procedures.

Illustrating the lack of privacy we discussed in a recent SecureTheVillage webinar, Invasion of the Body & Mind (Data) Snatchers, a new study demonstrates how our data from our smart apps is being bought and sold on the Internet. Wake up Congress!!!

  • How health tracking apps, smart watches are selling sensitive data: Earlier this month, a report was released about modern cars invading consumers’ privacy and selling data. Health-tracking apps are doing the same thing. … According to Herb Weisbaum, the Consumer Man with Checkbook.org, “wearable devices can track heart rates, blood pressure, glucose levels, sleep patterns or menstrual cycles,” and this information is being sold to companies. … Companies are allowed to use this information to market to you or share and sell your information to profit. Companies can do this because the industry is unregulated, according to Weisbaum.

Section 3 – Cybersecurity and Privacy News for the Cyber-Concerned.

The Chinese Government continues to make the news with its espionage attacks.

  • Chinese Gov Hackers Caught Hiding in Cisco Router Firmware: The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently hop around the corporate networks of U.S. and Japanese companies. … According to a high-powered joint advisory from the NSA, FBI, CISA and Japan’s NISC, BlackTech has been observed modifying router firmware on Cisco routers to maintain stealthy persistence and pivot from international subsidiaries to headquarters in Japan and the United States.
  • Chinese Hackers Stole 60,000 State Dept. Emails in Breach Reported in July: The disclosure by department officials to Senate staff members revealed the scope of the hack of government email accounts managed through Microsoft. … Chinese hackers who gained access to the email accounts of Commerce Secretary Gina Raimondo and other government officials this year stole 60,000 emails from the State Department alone, according to two people familiar with a briefing Senate staff members received on the matter Wednesday.

North Korea’s Lazarus cybercrime gang also made this week’s news, with a story of how it finds victims on LinkedIn.

  • North Korean Lazarus gang lured victims with fake LinkedIn job opportunities. The North Korean ‘Lazarus’ hacking group targeted employees of an aerospace company located in Spain with fake job opportunities to hack into the corporate network. … The hackers utilized their ongoing “Operation Dreamjob” campaign, which entails approaching a target over LinkedIn and engaging in a fake employee recruitment process that, at some point, required the victim to download a file. … The employee did so on a company’s computer, allowing the North Korean hackers to breach the corporate network to conduct cyber espionage.

Meanwhile it was nice to see a cyberattack inside Russia, even if it only lasted an hour. Kudos to whoever pulled this off.

  • Russian flight booking system suffers ‘massive’ cyberattack: A Russian flight booking system was hit by a cyberattack on Thursday, causing delays at airports. … A “massive” distributed denial-of-service (DDoS) attack on the local airline booking system Leonardo was carried out by “foreign hackers,” reported one of the system’s developers, Russian state defense company Rostec. … The incident lasted about an hour and affected the operation of several Leonardo customers, including Russian air carriers Rossiya Airlines, Pobeda and flagship airline Aeroflot.

Even as cyber insurance claims “spike,” a disturbing Wall Street Journal survey continues to demonstrate how little cybersecurity expertise is on Boards. The minuscule number of Boards with cybersecurity expertise on them reminds me of a story a friend of mine told. The Advisory Board of a midsize company that he serves on recommended that management undertake a cybersecurity review. The IT Director said it wasn’t necessary as they had things buttoned up. Just before the next scheduled meeting of the Advisory Board, they were notified that the meeting was postponed. It turns out they were dealing with a ransomware attack. Sad. And unnecessary.

  • How Much Cybersecurity Expertise Do Boards Really Have?: New research suggests the answer is: not much … The number of directors at S&P 500 companies who have cybersecurity experience has increased sharply since last year. But the amount of cybersecurity expertise on boards remains relatively low, at a time when boards are under increased scrutiny for security failings.
  • Cyber insurance claims spiked in first half of 2023 as ransomware attacks surged: report: A cyber insurance firm reported a significant jump in the number of claims during the first half of the year, adding that damages caused by attacks have also increased. … An analysis from San Francisco-based Coalition found that ransomware was the “largest driver of the increase in claims frequency,” which was up 12% on last year through the end of June. Overall, ransomware was involved in nearly 1 in 5 cyber incidents involving insurance claims, with Royal, BlackCat and LockBit 3.0 the three most common variants.

Kudos to CISA on the launch of their new awareness campaign. Heaven knows, we need help down here at ground level!!

  • CISA launches campaign to teach Americans to be safe online: The program is starting with a new commercial that will encourage viewers to adopt basic cyber hygiene. … A new public awareness campaign from the Cybersecurity and Infrastructure Security Agency attempts to do the seemingly impossible: get Americans to change their habits and stay safer online. … A 60-second PSA rolled out on Tuesday aims to get the message out that Americans need to adopt basic cybersecurity habits and will begin airing around the country tomorrow. … The first-of-its kind PSA is part of what CISA is calling its Cybersecurity Awareness Program, a new umbrella program that will house the agency’s public cybersecurity campaigns.

It’s been an abysmal week in cybercrime, led by the continuing impact of the MOVEit breach.

Beyond the MOVEit debacle, the rest of the week in cybercrime.

  • Product leasing giant warns that sensitive information was stolen during cyberattack: Progressive Leasing, a billion-dollar company that allows people to lease consumer products, announced a cyberattack last week. … On Thursday, the corporation reported the cyberattack to regulators at the SEC, writing that it “believes the involved data contained a substantial amount of personally identifiable information, including social security numbers, of Progressive Leasing’s customers and other individuals.”
  • Johnson Controls cyberattack disrupting operations, may involve sensitive DHS info: A cyberattack on building automation giant Johnson Controls is having wide-ranging effects extending even to the U.S. government. … BleepingComputer reported that the Dark Angels ransomware gang took credit for the attack and demanded a $51 million ransom. … On Thursday evening, CNN reporters said they obtained an internal memo from the U.S. Department of Homeland Security raising alarm about the incident and warning that the attack on Johnson Controls may have “compromised sensitive physical security information such as DHS floor plans.”
  • Multiple hackers claim responsibility for Sony data breach: Two different malicious actors have claimed to have stolen data from the technology company. … Multinational technology company Sony has allegedly been the victim of a data breach, with various hacking gangs attempting to take credit for the hack.

Section 4 – Managing Information Security and Privacy in Your Organization.

Ransomware is changing. It’s becoming more dangerous and harder to recover from. If you’re not proactively managing your cybersecurity, you’re putting your fate in the hands of cybercriminal gangs. If you’re a small to midsize organization, please consider enrolling in our LA Cybersecure Pilot Program.

  • FBI warns of new dangerous trends in ransomware: The FBI has warned about a new trend in ransomware attacks where multiple strains are deployed on victims’ networks to encrypt systems in under two days. … The FBI says ransomware affiliates and operators have been observed using two distinct variants when targeting victim organizations. … “This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments,” the FBI said. … In contrast to the past, when ransomware groups typically required a minimum of 10 days to execute such attacks, now the vast majority of ransomware incidents targeting the same victim take place within a mere 48-hour timeframe of each other, according to FBI’s data.

Here’s some solid cybersecurity leadership advice from Perry Carpenter, Chief Evangelist for KnowBe4.

  • Cybersecurity Mistakes That Have Nothing To Do With Technology—And How Companies Can Fix Them: Today’s organizations understand the importance of cybersecurity. They know cyberattacks and data breaches are frequent, more targeted and more dangerous. They recognize the risks of ransomware, the disruption it can cause and the damage it can inflict on organizations. … Though many businesses have a level of technological defenses in place, threats continue to evade security controls, and breaches continue to succeed. Why is that the case?

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge