Cybersecurity News of the Week, October 8, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

This October marks the 20th anniversary of Cybersecurity Awareness Month. Since its creation in 2004, Cybersecurity Awareness Month has grown into a collaborative effort between government and industry to enhance cybersecurity awareness, encourage actions by the public to reduce online risk and generated discussion on cyber threats on a national and global scale. In support of this year’s campaign, the Cybersecurity and Infrastructure Security Agency (CISA) has launched its cybersecurity awareness program, Secure Our World. Secure Our World reflects a new enduring message to be integrated across the Cybersecurity and Infrastructure Security Agency’s (CISA) awareness campaigns and programs that encourage all of us to take action each day to protect ourselves when online or using connected devices. The campaign includes four basic steps individuals and families can take to protect themselves, along with four basic steps small and midsize organizations can take.

  • Staying Safe Online Is Easy With These Four Steps: We can all collaborate to build a safer, more trusted digital world! By learning the four simple steps we can take to stay safe online at home, work and school, and sharing these tips with our community, we can all become significantly safer online.
  • Secure Your Business: Protect your business, your employees and your customers with easy and effective safety habits and policies. Your business is digitally connected—to employees, vendors and customers. Your systems store sensitive information. Sensitive business information and customers’ and employees’ personal data could be at risk from online threats. No business is too small to be a target for online crime—the fact is, small businesses are much more likely to be targeted by cybercriminals than larger companies.

Small and Midsize Organizations. Take your security to the next level. As part of our LA Cybersecure initiative, SecureTheVillage has launched a Pilot Program to enable 50 small to midsize organizations to measurably improve their cybersecurity readiness. The LA Cybersecure Pilot Program is funded by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.  Find out more and register now.

Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription! 

How Hackable Are You? Take our test. Find out how hackable you are and download our free updated 13-step guide.

  • How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basics. Please take our short test as your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

Cyber Humor

Cybersecurity Nonprofit of the Week … Sightline Security

Our kudos this week to Sightline Security, a nonprofit that helps nonprofits secure and protect their critical information. Sightline’s mission is to equip, empower, and support nonprofits to navigate and embed cybersecurity into their organizations with confidence. Kudos to Sightline Security for their cyber support to the vital under-served nonprofit community. Sightline Security is playing a major role in our LA Cybersecurity Pilot Program. Like SecureTheVillage, Sightline Security is a fellow-member of Nonprofit Cyber. SecureTheVillage is proud to have Sightline Security founder and President Kelley Misata on our Board.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

Leveraging the vital role of IT service providers and MSPs in the LA Cybersecure Pilot: (Video) (Podcast): IT service providers and MSPs are crucial players in securing our digital world. They are the front lines securing their small and midsize businesses. How can SecureTheVillage partner to equip them with the business development and security skills to better secure their clients? What is their role in the LA CyberSecure Pilot, our new initiative elevating the cyber readiness of small to midsize organizations with support from the Center for Internet Security (CIS)? …even as we were interrupted mid-podcast by the new federal alert system text messages, we carry on! … Dive into a new episode of #LiveonCyber with Stan Stahl, PhD, and Julie Michelle Morris! Be part of the revolution, the movement, the solution. Subscribe to Live on Cyber with Stan Stahl, PhD and Julie Michelle Morris, your weekly 15-min update on the latest in privacy and information security affecting your business and community!

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

According to a recent AARP Study, an estimated $28.3 billion is lost to elder fraud scams each year. The FTC states that reported losses from scams on social media have been $2.7 billion since 2021.

  • FBI warns of surge in ‘phantom hacker’ scams impacting the elderly: The FBI issued a public service announcement warning of a significant increase in ‘phantom hacker’ scams targeting senior citizens across the United States. … “This Phantom Hacker scam is an evolution of more general tech support scams, layering imposter tech support, financial institution, and government personas to enhance the trust victims place in the scammers and identify the most lucrative accounts to target,” the FBI said. … “Victims often suffer the loss of entire banking, savings, retirement, or investment accounts under the guise of ‘protecting’ their assets.” … In such scams, multiple fraudsters masquerading as bank representatives are contacting unsuspecting victims, falsely alleging that their accounts have fallen victim to hacking attempts.
  • Americans reported $2.7 billion in losses from scams on social media, FTC says: Online fraudsters have taken billions of dollars from Americans in recent years and they are using social media to do it. … Since 2021, Americans lost $2.7 billion in scams from social media, the Federal Trade Commission said in a scam report published Friday. And that figure is only a fraction of the actual harm, as most cases of fraud go unreported, the agency noted.  … Cybercriminals have become more creative and skilled at tricking victims through text messages, by phone and online. Cybersecurity experts say the first defense against scams is looking for telltale signs such as someone creating a sense of urgency while soliciting you for money.

The following story is disturbing for several reasons. First, is the actual theft of sensitive genetic information. One can only imagine the devastating impact if Hitler had 23andMe’s data. Given that the attack was perpetrated by what is known as credential stuffing, it’s also  a stark reminder of the importance of using different passwords on different web sites. It’s also an illustration of a system weakness: even as you protect your information with a unique strong password, your information is still exposed by someone you’re related to who reuses their password.

  • Genetic tester 23andMe’s hacked data on Jewish users offered for sale online: The stolen data could cover more than half of the company’s 14 million customers who have made their information visible to relatives, including distant cousins. … A hacker is offering to sell records identifying names, locations and ethnicities of potentially millions of customers of genetic testing company 23andMe, beginning by touting a batch that would contain data of those with Jewish ancestry. … A 23andMe spokeswoman confirmed that the leak contained samples of genuine data and said the company is investigating. She said it appeared likely that the hacker or accomplices used a common technique called credential stuffing: Taking username-and-password combinations published or sold after breaches at other companies, and trying those combinations to see which were reused by 23andMe customers. When the hacker found logins that worked, they copied all the information made available to legitimate users by their relatives, sometimes hundreds of them per account.

Section 3 – Cybersecurity and Privacy News for the Cyber-Concerned.

In October 2022, after a four-week trial, a federal grand jury found former Uber Chief Security Officer Joe Sullivan guilty of obstruction along with knowing something is a felony and covering it up. The verdict sent shock waves through the cybersecurity community, adding the threat of prosecution to a job that is increasingly more difficult and challenging. In this excellent article, Sullivan discusses the case, the necessity of working with and through the legal department, and what it means to be a security leader.

  • Joe Sullivan: What’s a Breach? ‘It’s a Complicated Question’: The Question is Also One for the Legal Team to Own, Says Uber’s Former CSO. … Trick question for CSOs: When does a security incident qualify as being a data breach, triggering notification or other regulatory rules? … The answer is that it’s “a very complicated question” that cybersecurity leaders should leave to their legal team while they stay fully in the loop, said former Uber CSO Joe Sullivan, sharing lessons learned from the U.S. Department of Justice’s successful prosecution against him.

Blackbaud settled their breach litigation lawsuit against 49 states and the District of Columbia. The breach – along with Blackbaud’s inadequate response – has already cost the company more than $50 million. Still to go is a settlement with California.

  • Blackbaud to pay $49.5 million to settle ransomware litigation: Software provider Blackbaud Inc. said Thursday it will pay $49.5 million to 49 states and the District of Columbia to settle litigation filed in connection with a 2020 ransomware attack. … In March, the Charleston, South Carolina-based company agreed to pay $3 million to settle U.S. Securities and Exchange Commission charges it made misleading disclosures about the ransomware attack, which affected more than 13,000 customers.

Meanwhile the Federal government is ramping up cybersecurity requirements for government contractors. This includes an 8-hour breach notification requirement for key contractors.

  • Federal CISO looks ahead to conversation around new contractor cyber rules: A top White House cybersecurity official says the “conversation is being started” around sweeping new cyber requirements for federal IT contractors. … One rule published in the Federal Register this week includes a provision that would mandate some key contractors report cyber incidents to the government within eight hours. Another aims to standardize cybersecurity requirements for unclassified information systems across government. … The proposals stem from President Joe Biden’s May 2021 cybersecurity executive order. The EO included a major goal to ensure information technology and operational technology contractors share more cybersecurity information with agencies. “These service providers, including cloud service providers, have unique access to and insight into cyber threat and incident information on federal information systems,” the order states.

Several stories this week demonstrate how the cybercriminal cartels are becoming even more dangerous.

  • AI-Generated Phishing Emails Almost Impossible to Detect, Report Finds: The potential for cybercriminals to use AI chatbots to create phishing campaigns has been cause for concern and now it has been found to be almost impossible to detect AI-generated phishing emails, according to email security provider Egress.
  • Hackers With AI Are Harder to Stop, Microsoft Says: New cybersecurity research shows artificial intelligence and new encryption tactics test corporate defenses. … Microsoft found that cybercriminals can subscribe to underground phishing services for $200 to $1,000 a month. … Hackers are using AI and encryption in new ways to make cyberattacks more painful, according to new research from Microsoft. …  Stealthier attacks are being crafted by hackers using both artificial intelligence tools that have been on the market for a while and generative-AI chatbots that emerged last year, said Tom Burt, Microsoft’s corporate vice president for customer security and trust. … “Cybercriminals and nation states are using AI to refine the language they use in phishing attacks or the imagery in influence operations,” he said. … Meanwhile, an emerging development in ransomware shows hackers remotely encrypting data, rather than encrypting it within hacked networks, Microsoft said. By sending encrypted files to a different computer, attackers leave behind less evidence and make it harder for companies to recover. Around 60% of human-operated ransomware attacks that Microsoft observed in the last year used this technique.
  • Cybercrime gangs now deploying ransomware within 24 hours of hacking victims: Cybercriminals are now deploying ransomware within the first day of initially compromising their targets, a dramatic drop on the 4.5 days that the task had been taking last year, according to a new threat report. … Cybersecurity company Secureworks warns that “2023 may be the most prolific year for ransomware attacks to date” with three times as many victims listed on leak sites in May this year as there were in the same month a year ago.
  • Southeast Asian Casinos Emerge as Major Enablers of Global Cybercrime: A growing number of casinos in Cambodia, Laos and Myanmar are engaging in large-scale money laundering, facilitating cyberfraud that is costing victims in America and abroad billions of dollars, according to new research by the United Nations.

Meanwhile our organizations continue to struggle to fill cybersecurity positions Notwithstanding the great work being done to train people with cybersecurity skills, the market remains highly inefficient.

  • Multibillion-dollar cybersecurity training market fails to fix the supply-demand imbalance: Despite money pouring into programs around the world, training organizations have not managed to ensure employment for professionals, while entry-level professionals are finding it hard to land a job. … The cybersecurity skills gap issue may be further from being solved than expected despite the large amount of money being invested around the world to train professionals, according to a report by the Information Systems Audit and Control Association (ISACA). While the volume of training has increased the number of entry-level professionals, organizations are looking for experienced cybersecurity personnel, the international IT governance professional association says. … “Continued hyper-focus on the perceived worker shortage to fill unverifiable open cybersecurity positions is problematic, for it not only fails to address duplicate job postings but also the perspectives of aspiring cybersecurity professionals who spent significant time and money completing pathway programs and yet remain unable to secure employment in the cybersecurity field,” ISACA states in its State of Cybersecurity 2023, Global Update on Workforce Efforts, Resources and Cyberoperations report. … “Failure to resolve this critical issue will magnify the existing problem of students and career changers being unable to obtain employment due to lack of experience, despite any knowledge, skills or credentials they have acquired,” found the report.

This week in cybercrime.

  • MGM Resorts Refused to Pay Ransom in Cyberattack on Casinos: Fallout will have a $100 million negative impact on quarterly earnings, Las Vegas-based company says. … MGM Resorts International refused to pay a hackers’ ransom demand in a September cyberattack that threw its Las Vegas Strip resorts into chaos and crippled its properties and technology nationwide, according to a person familiar with the matter. … Service disruptions from the attack and efforts to resolve the issue will cost the company more than $100 million in the third quarter, MGM said in a regulatory filing Thursday.
  • Clorox shares slide after company says cyberattack hit sales hard: Clorox shares fell after the company said a cyberattack disclosed in August significantly hurt sales in the prior quarter. … Raymond James also downgraded Clorox, citing the larger-than-expected material effect the attack had on the company and saying it doesn’t expect a recovery in the stock in the short term.
  • Sony confirms data breach impacting thousands in the U.S.: Sony Interactive Entertainment (Sony) has notified current and former employees and their family members about a cybersecurity breach that exposed personal information. … The company sent the data breach notification to about 6,800 individuals, confirming that the intrusion occurred after an unauthorized party exploited a zero-day vulnerability in the MOVEit Transfer platform.
  • Santa Monica – Malibu Unified School District recovers majority of near $3 million scam: The Santa Monica-Malibu Unified School District was the victim of a fraudulent transaction involving construction funds in late August, with nearly $3 million taken from the district coffers. … On August 28, the district became aware that it was a victim of “a carefully orchestrated online hack,” as a hacked email of a construction contractor was used to perpetrate a fraud, taking $2,933,511 from a regular electronic funds transfer to the contractor. During an investigation between SMMUSD, the Los Angeles County Office of Education (LACOE), the Santa Monica Police Department (SMPD) and the Federal Bureau of Investigation (FBI); it was determined that a hacked email account of the company was the source of the fraudulent transaction, not a district email account. … The investigation efforts recovered $2,733,305 of the lost funds, leaving a shortfall of $200,206 that the district is “aggressively pursuing.” The district is demanding the company, unknown at this time, behind the compromised email reimburse the shortfall.
  • NATO says it is addressing an apparent cyberattack after strategy documents posted online: NATO says it is “actively addressing incidents” affecting its unclassified websites after a hacking group claimed to have stolen numerous strategic planning and research documents from the alliance.

Section 4 – Managing  Information Security and Privacy in Your Organization.

Building a strong cybersecurity culture is vitally important as the vast majority of security incidents involve social engineering and phishing. Towards that end, here’s an excellent piece by Perry Carpenter, Chief Evangelist for KnowBe4 Inc.

  • Cybersecurity Mistakes That Have Nothing To Do With Technology—And How Companies Can Fix Them: Today’s organizations understand the importance of cybersecurity. They know cyberattacks and data breaches are frequent, more targeted and more dangerous. They recognize the risks of ransomware, the disruption it can cause and the damage it can inflict on organizations. … Though many businesses have a level of technological defenses in place, threats continue to evade security controls, and breaches continue to succeed. Why is that the case?

Here’s a government report on the most common network security misconfigurations. The list includes basic security controls; the equivalent of basic blocking and tackling. Most are easy for small and midsize organizations to implement. At the top of the list, for example, is a failure to change default configurations of software and applications. Number 2 is improper separation of the user/administrator privilege. Every IT Department, every IT service provider, every MSP needs to review this list and make certain they’ve got the basics covered.

  • NSA and CISA reveal top 10 cybersecurity misconfigurations: The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) revealed today the top ten most common cybersecurity misconfigurations discovered by their red and blue teams in the networks of large organizations. … Today’s advisory also details what tactics, techniques, and procedures (TTPs) threat actors use to successfully exploit these misconfigurations with various goals, including gaining access to, moving laterally, and targeting sensitive information or systems.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge