Cybersecurity News of the Week, October 16, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

CommonSpirit Health, one of the nation’s largest health systems is battling a confirmed ransomware attack. The nonprofit hospital chain has 139 hospitals, more than 1,000 care centers, 150,000 employees, and 25,000 physicians. The attack has caused major disruptions, including its electronic health records system being taken offline and appointments having to be rescheduled. The scale and scope of the attack is still under investigation.

  • CommonSpirit still working to restore EHR systems after ransomware attack confirmed: The attack affects operations across several states, with loss of access to medical records, and the scale of the data breach is still under investigation. … A major ransomware attack at CommonSpirit Health has been disrupting medical operations across several states for nearly two weeks, leaving the Chicago-based health system scrambling to maintain patient care while it conducts a forensics investigation and works to bring its electronic health record systems back online. Healthcare IT News, October 14, 2022

Cyber Humor

Reasonable Security Executive Leadership Online Workshop

Not to be missed. …Executives, CFOs, In-house counsel, Chief Information Officers, Information Security Officers, Privacy Consultants, Trusted Advisors … As part of Cybersecurity Awareness Month, SecureTheVillage is hosting its 3rd-annual webinar on the topic of reasonable security. … Ask ten cybersecurity professionals what “reasonable security” is and you’ll likely get ten different answers. That’s because – truth be told – what counts as “reasonable security” is a work in progress.

  • What Every Business Leader Needs – A Reasonable Approach to Reasonable Security: Join SecureTheVillage and our expert panel of information security professionals on Thursday, October 20, 11:00 am – 2:00 pm PDT for a workshop-style conversation on how to think through reasonable security. Leave with a framework for ensuring your information security practices are reasonable.
    •  Your information risk exposure
    •  Your information risk tolerance
    •  Your information risk management practices

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: As a prelude to our Reasonable Security workshop this week, Julie and I riff on the challenges facing business owners, executives, and those working to secure them as they work to ensure their information security practices are “reasonable.” It’s a phrase that one finds in the law but often with too little specificity.

Security Nonprofit of the Week … US Valor

Congratulations and special kudos this week to US Valor and Pedro Dupree, their first candidate apprentice. US Valor is a nonprofit with two intertwined objectives: (1) providing career opportunities to U.S. veterans and (2) helping America meet our cybersecurity workforce challenge. US Valor does this through an innovative Department of Labor approved Cybersecurity Apprenticeship Program (CAP) that helps transitioning military personnel and U.S. Veterans experience a smooth transition from military life to the civilian world. Read their Press Release announcing Mr. Dupree’s candidacy.  US Valor is actively seeking donations from both individuals and corporations to expand CAP. I’m a proud member of US Valor’s Advisory Board.

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

Update Now. Keeping your systems patched and updated is one of the most important things you can do to secure your information and protect your privacy. The 2nd Tuesday of every month is Microsoft’s Patch Tuesday. See our Weekend Patch and Update Report for other important updates.

  • Microsoft Patch Tuesday, October 2022 Edition: Microsoft today released updates to fix at least 85 security holes in its Windows operating systems and related software, including a new zero-day vulnerability in all supported versions of Windows that is being actively exploited. Krebs on Security, October 11, 2022

Elder fraud is alive and well. Don’t fall victim. Protect your family. The fact that the 3rd story is hard to believe only makes it clearer just how serious the problem is.

  • FBI raises flag on elder fraud after thousands of retirees are scammed out of $1.7 billion: The FBI says over 90,000 elderly people in America were scammed out of $1.7 billion in 2021, a precipitous increase in elderly fraud from the previous year. Fox News, October 10, 2022
  • ‘Heartbreakingly Evil’: DOJ Strengthens Fight Against Elder Fraud: Since September, 150,000 elderly Americans have been refunded $52 million they lost as a result of fraud schemes—but the number represents only a small fraction of victims of what some law enforcement authorities call “grandparent scams,” says the Department of Justice. The Crime Report, October 10, 2022
  • Woman defrauded in space romance scam: A 65-year-old woman in Japan paid 4.4 million yen, or $30,000, for a return ticket to Earth for someone pretending to be a Russian astronaut. … Someone who said they were a Russian astronaut on the International Space Station first contacted a woman from Shiga Prefecture on Instagram in June and then asked her to continue their communication on Line, a Japanese messaging app. … The pretend astronaut told the unnamed woman that he was a Russian man who wanted to settle in Japan and marry her, according to Yomiuri Shimbun, a daily newspaper. “Even if I say it a thousand times, it won’t be enough, but I will keep saying it. I love you,” the purported astronaut told his victim. … There was only one obstacle to overcome – the astronaut first needed to return to Earth. He asked his victim to cover the expenses, including a rocket ride and “landing fees.” The woman believed him and transferred 4.4 million yen in five installments from August 19 to September 5. Cybernews, October 11, 2022

Gamer? Someone in your family a gamer? Be careful out there.

Section 3 – A Deeper Look for the Cyber-Concerned Citizen

Data Care, cybersecurity, and privacy stories to keep you informed.

In addition to the attack on CommonSpirit Health, we have other cyber crime stories this week.

  • Russian-speaking hackers knock multiple US airport websites offline. No impact on operations reported: More than a dozen public-facing airport websites, including those for some of the nation’s largest airports, appeared inaccessible Monday morning, and Russian-speaking hackers claimed responsibility. … No immediate signs of impact to actual air travel were reported, suggesting the issue may be an inconvenience for people seeking travel information. CNN, October 10, 2022
  • Mormon Church Data Breach Exposed Members’ Personal Information: The cyberattack occurred in March but was kept confidential at law enforcement’s request, the church says. … The security breach, which was detected on March 23, exposed information such as the full name, gender, email address(es), birthdate, mailing address and phone numbers of church members, employees, contractors and friends, the church said in a press release. CNET, October 13, 2022

This next cyber crime story is a sign of the future and a reminder to secure your WiFi.

  • Airborne Drones Are Dropping Cyber-Spy Exploits in the Wild: Drone-based cyberattacks to spy on corporate targets are no longer hypothetical, one incident from this summer shows. … Once limited to abstract academic conversation among cybersecurity enthusiasts, drones loaded with cyber-spying equipment are now being used in the real world to breach networks and steal information. … this sort of drone exploit delivery attack probably cost no more than $15,000 to put together. DARK Reading, October 12, 2022

North Korea is back in the cyber crime news with the following story detailing how North Korea uses its crypto crime profits to fund its nuclear program.

ProPublica reports on the disruption of a human trafficking scheme where victims were forced to work selling phony investments that defrauded victims out of millions.

  • Authorities Raid Alleged Cyberscam Compounds in Cambodia: Human traffickers who have forced workers to engage in investment scams that defrauded victims out of millions have been disrupted, at least temporarily. Meanwhile, Apple’s app store has removed an app that frequently facilitated the frauds. ProPublica, October 3, 2022

The White House continues to be active in changing the playing field to strategically support the nation’s cyber defenses.

  • Federal government considers sharing costs for ‘catastrophic’ cyber incidents: As cyberattacks continue to rise, the federal government is contemplating whether it should step in to help private insurance companies cover some of the costs related to severe cyber incidents. The Hill, October 9, 2022
  • White House preps security controls for commercial software acquisition: The administration is attempting to leverage the procurement powers of the federal government to bolster software cybersecurity for the first time. … The White House announced plans this week to implement a new set of security requirements covering the acquisition of commercial software in keeping with the provisions of the cybersecurity executive order the president signed last year. … A fact sheet the administration released this week about the new software security requirements suggested the White House was attempting for the first time to leverage the federal government’s procurement powers to bolster cybersecurity in software products across the private sector. FCW, October 14, 2022

Lots of legal action this week, both in the US and abroad, including a fine of nearly $2 million for consumer protection failures by the New York state Attorney General and an agreement by a cybercriminal to repay $22 million to the victim of a SIM-swapping heist.

  • New York AG’s SHEIN Haul: $1.9 Million for data security failures: Videos showing off huge orders of cheap clothing from SHEIN, dubbed “SHEIN hauls,” helped propel the online retailer to viral fame in recent years. But this week, New York state announced its own haul — $1.9 million from SHEIN and parent company Zoetop for alleged data security and consumer protection failures related to a 2018 breach. The Record, October 13, 2022
  • Action against criminal group that stole hundreds of cars in France using fraudulent software: Supported by Eurojust and Europol, French authorities, in collaboration with Latvia and Spain, have taken action against an organised crime group (OCG) that used fraudulent software to duplicate keys and steal cars in France. In a coordinated action carried out in the three countries involved, thirty-one suspects were arrested and twenty-two locations were searched. … The suspects allegedly produced and used fraudulent software to steal vehicles by duplicating the vehicles’ ignition keys. Marketed as an automotive diagnostic solution, the tool was able to replace the original software of the targeted vehicles without respecting the protocol and without the original key. Eurojust, October 14, 2022
  • ‘Baby Al Capone’ to pay $22m to SIM-swap crypto-heist victim: A man who lost $24 million in cryptocurrency in an elaborate SIM swapping scam has won a multi-million-dollar judgment against the thief, who was 15 at the time of the hustle. … According to court documents filed Friday in federal New York City court, Ellis Pinsky agreed to pay Michael Terpin $22 million for his starring role in the SIM swap and crypto heist. Pinsky was a New York high school student at the time of the theft in 2018, and it’s said he paid back $2 million about a year later to his victim. … Pinsky, now 20, has also agreed to testify against AT&T, according to Terpin. The Register, October 15, 2022
  • Crypto scam victims seek to hold Coinbase responsible for losses: Over the past year, thousands of people have lost tens, if not hundreds, of millions in cryptocurrency when gangs of sophisticated scammers whisked their money out of their accounts, which are managed by an app from the publicly traded cryptocurrency giant Coinbase. … Now those victims are fighting back. The Washington Post, October 14, 2022
  • Optus could face millions in fines as two new data breach investigations launched: Media regulator and privacy watchdog announce new probes into telco as ACCC reveals it is being flooded with complaints about Optus-related scams. … Optus will be probed by two Australian regulators over the circumstances that led to the company’s massive data breach that exposed the personal information of millions of customers last month. Guardian, October 10, 2022

These next two stories illustrate the ongoing challenges both the good guys and bad guys have in doing their work. Our challenge is keeping ourselves protected even as Microsoft and other technology developers face challenges of their own … and not becoming complacent just because cyber criminals may be struggling with problems of their own.

  • How a Microsoft blunder opened millions of PCs to potent malware attacks: Microsoft said Windows automatically blocked dangerous drivers. It didn’t. … For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months. Ars Technica, October 14, 2022
  • Ransomware hackers have a new worst enemy: themselves: In a string of recent incidents, members of notorious ransomware gangs have leaked sensitive information. The incidents pose a major question for hacking groups: Who can you trust if you can’t trust your colleagues? … Take the case of the ransomware gang REvil in 2019. The Washington Post, October 12, 2022

Our last story shifts from cybersecurity to the world of falsehoods. As Mark Twain said, “A lie can travel around the world and back again while the truth is lacing up its boots.”

  • Eyeballs and AI power the research into how falsehoods travel online: What sorts of lies and falsehoods are circulating on the internet? … As the midterm election approaches, researchers and private sector firms are racing to track false claims about everything from ballot harvesting to voting machine conspiracies. But the field is still in its infancy even as the threats to the democratic process posed by viral lies loom. Getting a sense of which falsehoods people online talk about might sound like a straightforward exercise, but it isn’t. npr, October 13, 2022

Section 4 – Information Security and Privacy Management in the Organization

Stories to support executives and top management in securing their organizations and protecting privacy.

  • Email Defenses Under Siege: Phishing Attacks Dramatically Improve: About 1 in 5 phishing email messages reach workers’ inboxes, as attackers get better at dodging Microsoft’s platform defenses and defenders run into processing limitations. … This week’s report that cyber attackers are laser-focused on crafting attacks specialized to bypass Microsoft’s default security showcases an alarming evolution in phishing tactics, security experts said this week. DARK Reading, October 8, 2022
  • Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows: The authentication bypass flaw in FortiOS, FortiProxy and FortiSwitchManager is easy to find and exploit, security experts say. DARK Reading, October 14, 2022

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge