A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.
Stan’s Top of the News
Our top story this week is the cyberattack on the Los Angeles Unified School District (LAUSD). The following four stories are book-ended by a claim from the Vice Society, a cybercriminal syndicate, that it breached LAUSD systems, and by a warning about the Vice Society published on September 6 by CISA (the government’s Cybersecurity & Infrastructure Security Agency) that includes several “digital fingerprints” (indicators of compromise) associated with the Vice Society.
- Criminal syndicate claims credit for LAUSD hack; authorities won’t say whether it’s true: A cybercriminal syndicate that calls itself Vice Society has taken credit for the ransomware attack on Los Angeles schools and says it has captured sensitive data, according to published reports on two technology news sites and in tweets from an Associated Press senior technology reporter. Los Angeles Times, September 9, 2022
- Private Data of 400K LAUSD Students Could Be At Risk: Los Angeles Unified School District is unsure whether student academic records were accessed by hackers last weekend, though officials say they haven’t seen evidence of Social Security numbers being accessed. Government Technology, September 9, 2022
- Report identified key vulnerabilities two years before cyberattack on L.A. Unified: An internal report identified key vulnerabilities in the data systems of the Los Angeles Unified School District two years before hackers launched a major cyberattack that has disrupted operations this week in the nation’s second-largest school system. Los Angeles Times, September 8, 2022
- #StopRansomware: Vice Society: The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate IOCs and TTPs associated with Vice Society actors identified through FBI investigations as recently as September 2022. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks. Cybersecurity & Infrastructure Security Agency, September 06, 2022 | Last revised: September 08, 2022
As it is still very early in the investigation, several things are still unclear.
- How bad was this? It’s still not known. Student and administrative data might have been compromised. Critical files might have been rendered unusable by encryption. It’s also possible that LAUSD systems had this data sufficiently well-protected that the breach was found before the hackers were able to access or encrypt the data. It will likely take several weeks before we get a clear sense of exactly how the hackers got in and how much damage they caused.
- Was LAUSD sufficiently prepared? The knee-jerk reaction is “Of course not. They got breached.” And there will almost certainly be a measure of truth in this. But the details won’t be known until the post-breach analysis is done. And in information security, the devil is truly in the details. We need to see the whole picture of how LAUSD was managing its information security. The National Institute of Standards and Technology (NIST) has identified five key information security management functions: Identify. Protect. Detect. Respond. Recover. The Center for Internet Security (CIS) has identified 18 Critical Security Controls that management is expected to implement. The post-breach analysis needs to be clear on how LAUSD’s information security practices conform to these guideposts and where they fell short.
- What about the fact that key vulnerabilities were identified two years ago? While this sounds damning, it leaves unsaid what steps LAUSD has taken over the last two years to fix these vulnerabilities. Moreover, it ignores the basic reality that every system has vulnerabilities. We test systems not to show that they don’t have vulnerabilities but so we can find (and fix) them before the hackers find and exploit them. When I see a report that says there are no vulnerabilities, I know I’m looking at a shallow report that didn’t probe very deeply.
- Did LAUSD have reasonable information security management practices? The lawyers will get to argue this should a lawsuit be filed against LAUSD. Based on my 40+ years of information security management experience, I doubt that LAUSD’s security management practices would meet a “reasonable standard.” I write this not to pick on LAUSD but to continue to raise awareness of how poorly we protect our sensitive and critical information.
- What does the LAUSD hack have to do with me? The LAUSD hack should serve as a reminder to everyone and every organization to take a hard look at their information security and data care practices. Start from the truth that you are – and will always be – vulnerable. If you’re an organization, follow the guidance of organizations like NIST and CIS. If you’re an individual or a family, make sure you’re following the SecureTheVillage Top-8 “How to Avoid Being Hacked.”
Election Security Webinar
Our democracy depends on getting the mid-term elections right. This means — first and foremost — getting cybersecurity right. … Find out what’s really going on from three of the nation’s leading experts in election cybersecurity as SecureTheVillage presents a community webinar on election security. September 28, 11:00 am – 12:30 pm PDT Register now!!! Sponsorships available!!!
- What Every Citizen Needs to Know: 2022 Election Cybersecurity: Our democracy depends on getting the mid-term elections right. This means — first and foremost — getting cybersecurity right … Everything from protecting sensitive voter identities, registered voter lists, and voting machines; coming to grips with social media; and ensuring confidence in the outcomes. … Find out what’s really going on from three of the nation’s leading experts in election cybersecurity. How vulnerable are our election systems? How is cybersecurity managed in the 50 states? How do we navigate the coming flood of both mis-information and dis-information? How much confidence can we have in the outcome? Panelists include Kim Wyman, Senior Election Security Advisor, Cybersecurity and Infrastructure Security Agency (CISA); Kathy Boockvar, Vice President of Election Operations & Support, Center for Internet Security; Adam Powell III, Executive Director, Election Cybersecurity Initiative, USC Annenberg Center on Communication Leadership and Policy, University of Southern California. Dr. Stan Stahl, SecureTheVillage President and founder, will moderate.
Security Nonprofit of the Week … the CyberPeace Institute
Kudos this week to the CyberPeace Institute, an independent and neutral nongovernmental organization whose mission is to ensure the rights of people to security, dignity and equity in cyberspace. The Institute works in close collaboration with relevant partners to reduce the harms from cyberattacks on people’s lives worldwide. By analyzing cyberattacks, the Institute exposes their societal impact, how international laws and norms are being violated, and advances responsible behavior to enforce cyberpeace.
- Through the Cyber Attacks in Times of Conflict Platform #Ukraine, the CyberPeace Institute is tracking how cyberattacks and operations are, and have been, targeting critical infrastructure and civilian objects.
- The Institute’s Cyber Incident Tracer #Health platform bridges the information gap about cyberattacks on the healthcare sector and their impact on people. CIT #Health currently contains data on 440+ cyberattacks against the healthcare sector across 40 countries.
- The CyberPeace Builders program assists NGOs to build cybersecurity capacity through a trusted and dedicated network of corporate partners who provide volunteers and funding to enable the provision of this support. If you are interested in supporting the CyberPeace Builders or in receiving this support, please reach out to the Institute’s team.
Like SecureTheVillage, the CyberPeace Institute is a member of Nonprofit Cyber.
Live on Cyber with Dr. Stan Stahl – Live on LinkedIn
Live on Cyber with Dr. Stan Stahl: Julie and I took a post-Labor Day break to spend more time with families. Freeze your credit if you’ve not yet done so. Make sure to use 2FA / MFA. And follow the other SecureTheVillage Top-8 “How to Avoid Being Hacked.”
Section 2 – Personal Data Care – Security and Privacy
Important data care stories for protecting yourself and your family.
I was surprised and heartened to see this story as I’ve always been concerned about the safety of things like Craigslist and other online sale sites. It turns out safety can be as close as your neighborhood police station.
- Transacting in Person with Strangers from the Internet: Communities like Craigslist, OfferUp, Facebook Marketplace and others are great for finding low- or no-cost stuff that one can pick up directly from a nearby seller, and for getting rid of useful things that don’t deserve to end up in a landfill. But when dealing with strangers from the Internet, there is always a risk that the person you’ve agreed to meet has other intentions. … Nearly all U.S. states now have designated safe trading stations — mostly at local police departments — which ensure that all transactions are handled in plain view of both the authorities and security cameras. Krebs On Security, September 9, 2022
This story too looks interesting. Let’s fight back against the spammers!!
- You Can Sue Spammers for Unwanted Calls and Texts. This Man Won $1,200 — Here’s How: Americans received more than 50 million robocalls in 2021. Here’s what you can do to clamp down on spam. … David Weekly’s phone is filled to the brim with spam calls and texts. Every day, he receives unwanted communications — and he’s stopped answering the phone because of it. One day, he decided to do something about it. … After a spam text message hit his phone in June, he decided enough was enough and sued the spammer. It paid off: He ended up with a $1,200 check. CNET, September 3, 2022
Another reminder to be careful out there.
- Cybercriminals target games popular with kids to distribute malware: Kaspersky research finds Minecraft and Roblox have the most malicious files associated with them. … With 3 billion players globally, the $200 billion gaming market is an increasingly ripe target for cybercriminals – with the perennially popular Minecraft one of the most targeted lures. The Register, September 7, 2022
Section 3 – A Deeper Look for the Cyber-Concerned Citizen
Data Care, cybersecurity and privacy stories to keep you informed.
This week in cybercrime.
- How One Man Lost $1 Million To A Crypto ‘Super Scam’ Called Pig Butchering: A 271,000-word WhatsApp conversation between a Bay Area man and his scammer reveals the heartbreaking mechanics of a new breed of investment racket. Experts believe the global losses are in the billions. *** The message to Cy’s WhatsApp came out of the blue. … “Jessica” told him she’d found his number in her phone contacts and was reaching out because she thought they might be old colleagues. Cy, a 52-year-old man who lives in the Bay Area, didn’t remember her, but she was kind, cordial and engaging. She sent pictures of what she was eating. They discussed their mutual love of sushi, and Cy enjoyed the conversation enough to follow up with her the next day. Forbes Digital Assets, September 9, 2022
- 200,000 North Face accounts hacked in credential stuffing attack: Outdoor apparel brand ‘The North Face’ was targeted in a large-scale credential stuffing attack that has resulted in the hacking of 194,905 accounts on the thenorthface.com website. … A credential stuffing attack is when threat actors use email addresses/usernames and password combinations obtained from data breaches to attempt to hack into user accounts on other websites. … The success of these attacks relies on the practice of password recycling, where a person uses the same credentials across multiple online platforms. Bleeping Computer, September 7, 2022
- Hackers stole Ethereum worth $185,000 from Bill Murray after he auctioned an NFT for charity: Hackers stole Ethereum worth $185,000 from Bill Murray on Thursday after an NFT charity auction. … The actor was auctioning a “Beer with Bill Murray” NFT, with a hacker stealing the proceeds. … The runner-up in the auction gave Chive Charities Ethereum worth $187,000 to compensate it. Business Insider, September 4, 2022
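The North Face story above turns on one mechanic: a single source replaying breached username/password pairs against many different accounts. As an added example (my own, not code from Bleeping Computer or from The North Face), here is a small detector that runs over constructed authentication log lines. The log format, the IP addresses, the account names and the thresholds are all assumptions made for the illustration; the point it shows is that a stuffing run looks different from a legitimate user mistyping a password, because one client touches many distinct accounts with a high failure ratio in a short window, and that the accounts which succeeded inside that window are the ones to reset.

```python
"""Credential-stuffing detector run over constructed authentication log lines.

Heuristic: one client IP trying many *distinct* usernames with a high failure
ratio inside a short window looks like a stuffing run; a single user fumbling
their own password does not. Accounts that logged in successfully during a
flagged window are the ones most likely to have had a recycled password.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format; not from any real system).
SAMPLE_LOG = """\
2022-09-05T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2022-09-05T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2022-09-05T10:00:02Z ip=203.0.113.5 user=carol@example.com result=SUCCESS
2022-09-05T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2022-09-05T10:00:03Z ip=203.0.113.5 user=erin@example.com result=FAIL
2022-09-05T10:00:04Z ip=203.0.113.5 user=frank@example.com result=FAIL
2022-09-05T10:00:05Z ip=203.0.113.5 user=grace@example.com result=FAIL
2022-09-05T10:00:05Z ip=203.0.113.5 user=heidi@example.com result=SUCCESS
2022-09-05T10:00:06Z ip=203.0.113.5 user=ivan@example.com result=FAIL
2022-09-05T10:00:06Z ip=203.0.113.5 user=judy@example.com result=FAIL
2022-09-05T10:01:10Z ip=198.51.100.7 user=mallory@example.com result=FAIL
2022-09-05T10:01:25Z ip=198.51.100.7 user=mallory@example.com result=FAIL
2022-09-05T10:01:40Z ip=198.51.100.7 user=mallory@example.com result=SUCCESS
2022-09-05T10:02:00Z ip=192.0.2.9 user=oscar@example.com result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Return (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(seconds=60),
                    min_distinct_users=5, min_fail_ratio=0.5):
    """Slide a window over each IP's attempts; flag many-users, mostly-failing bursts."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start <= window]
            users = {e[2] for e in win}
            failures = sum(1 for e in win if not e[3])
            if len(users) < min_distinct_users or failures / len(win) < min_fail_ratio:
                continue
            f = findings.setdefault(ip, {"attempts": 0, "distinct_users": set(),
                                         "likely_compromised": set()})
            f["attempts"] = max(f["attempts"], len(win))
            f["distinct_users"] |= users
            f["likely_compromised"] |= {e[2] for e in win if e[3]}
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['attempts']} attempts against {len(f['distinct_users'])} accounts; "
              f"force a password reset and MFA for {sorted(f['likely_compromised'])}")
```

In the constructed sample, 203.0.113.5 is flagged (ten accounts in five seconds, eight failures) and carol and heidi are reported as likely compromised; mallory failing twice and then succeeding from one address is not flagged. Real stuffing runs rotate through proxy pools, so in production the same logic is usually keyed on a fingerprint or ASN as well as the IP, and the durable fix is the one the article names: stop password reuse by requiring MFA.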
The Russian invasion of Ukraine features in three stories this week. The first two show the cyber-skills of the Ukrainians, while the third shows how Putin continues to use Russia’s cyber-criminals to attack Ukraine.
- Ukraine Shutters Two More Russian Bot Farms: The Ukrainian security service (SBU) has found and dismantled two more Russian bot farms it said were being used to spread disinformation in the war-torn country. … Based in Kyiv and Odessa, the facilities comprised around 7000 fake accounts. They were being used to spread fake content designed to discredit Ukraine’s army and leadership, justify Russian aggression and destabilize the social and political fabric of the country, the SBU claimed. Infosecurity Magazine, September 8, 2022
- Hackers Honeytrap Russian Troops Into Sharing Location, Base Bombed: Report: Ukrainian hackers have been baiting Russian troops into sharing their locations with fake profiles of conventionally attractive women on Facebook and Russian social media websites, according to the Financial Times. Newsweek, September 6, 2022
- Russian military using criminal hackers to attack Ukraine, warns Kyiv: Cybersecurity chief says ‘organised criminal gangs’ have joined forces with Kremlin. … The Russian military is turning to criminal hacking gangs to launch cyberattacks on Ukraine, Kyiv’s cybersecurity chief has claimed. The Telegraph, September 10, 2022
In other national cybersecurity news, Albania and the United States have joined forces against an Iranian cyber-attack on Albania.
- Albania cuts diplomatic ties with Iran over July cyberattack: TIRANA, Albania (AP) — Albania cut diplomatic ties with Iran and expelled the country’s embassy staff over a major cyberattack nearly two months ago that was allegedly carried out by Tehran on Albanian government websites, the prime minister said Wednesday. AP, September 7, 2022
- US sanctions Iran intelligence agency over Albania cyberattack: The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) on Friday imposed sanctions on Iran’s primary intelligence agency and its top official less than two days after Albania cut diplomatic ties with Tehran over an attack on the country’s government websites. The Record, September 9, 2022
Following up a story we had a month or so ago about vulnerabilities in the nation’s emergency alert systems, the FCC is taking steps to bolster the cybersecurity of those systems.
- FCC proposes cybersecurity changes to emergency alert system: Federal Communications Commission (FCC) chairwoman Jessica Rosenworcel has proposed several changes to the U.S. Emergency Alert System (EAS) and Wireless Emergency Alerts designed to beef up the cybersecurity of the systems following the discovery of vulnerabilities last month. The Record, September 9, 2022
‘We’re making China’s job easier.’ The massive amounts of digital data being bought and sold — or sometimes freely shared — pose a grave national security risk, according to a former US policymaker and diplomat.
- Data tracking poses a ‘national security risk’ FTC told: During a Federal Trade Commission (FTC) hearing on commercial surveillance this week, Karen Kornbluh, the former US OECD ambassador and FCC exec who now leads the Digital Innovation and Democracy Initiative at the German Marshall Fund, urged the watchdog agency to enact stricter data privacy rules to protect consumers. The Register, September 9, 2022
Meanwhile a DHS watchdog has found US citizenship systems vulnerable to ‘major’ malicious cyberattacks.
- US citizenship systems vulnerable to ‘major’ malicious cyberattacks, Homeland Security watchdog finds: USCIS collects sensitive data for immigration processing, including identity and biometric data. The Department of Homeland Security inspector general said sensitive data held by United States Citizenship and Immigration Services systems could be vulnerable to cyberattacks by malicious actors, saying deficiencies in the agency’s IT security could “limit” DHS’s capability to “overcome a major cybersecurity incident.” Fox News, September 8, 2022
The following two stories offer a bit of good news. But before you risk injury by jumping for joy, keep in mind that the $30 million or so we recovered from North Korean hackers is only about 5% of what they’ve recently stolen from us.
- Feds claw back $30 million of cryptocurrency stolen by North Korean hackers: Blockchain analysis keeps getting better. Expect more seizures to come. … Cryptocurrency analytics firm Chainalysis said on Thursday that it helped the US government seize $30 million worth of digital coins that North Korean-backed hackers stole earlier this year from the developer of the non-fungible token-based game Axie Infinity. Ars Technica, September 8, 2022
- Authorities Shut Down WT1SHOP Site for Selling Stolen Credentials and Credit Cards: An international law enforcement operation has resulted in the dismantling of WT1SHOP, an online criminal marketplace that specialized in the sales of stolen login credentials and other personal information. … The seizure was orchestrated by Portuguese authorities, with the U.S. officials taking control of four domains used by the website: “wt1shop[.]net,” “wt1store[.]cc,” “wt1store[.]com,” and “wt1store[.]net.” The Hacker News, September 07, 2022
Meanwhile, Maine’s new privacy law and Europe’s GDPR are both in the news this week with stories that have the opportunity to improve the way companies treat our private information.
- Internet service providers drop challenge of privacy law: One of the strictest internet privacy laws in the country has withstood a legal challenge, as a group of telecommunication providers has dropped its bid to overturn it. ABC News, September 6, 2022
- Big Instagram fine shows Europe’s top digital privacy enforcer is finally getting tough: Enforcement of the EU’s flagship privacy rulebook against Silicon Valley giants might finally be taking off. … The revelation by POLITICO on Monday that the Irish Data Protection Commission has whacked Instagram with a €405 million fine for mishandling kids’ personal data marks a coming of age for arguably Europe’s most important digital privacy regulator. Politico, September 6, 2022
Here are two more class action lawsuits. Don’t be surprised to see LAUSD on this list in the coming weeks or months.
- Patients impacted by CNY data breach file lawsuit against medical billing company: A class action lawsuit has been filed against medical billing company Practice Resources, LLC, after the personal information of 924,138 patients of Syracuse area hospitals and doctor’s offices was compromised in a ransomware attack on the company. CNY Central, September 6, 2022
- Recent data breach gets Samsung hit with a class action lawsuit: A recently filed class action accuses Samsung of failing to protect personal information after the company experienced a data breach in its US-based systems back in July. … According to Bloomberg, a complaint was filed to the US District Court for Nevada on September 6. The complaint claims that plaintiff Shelby Harmer and other affected customers weren’t notified soon enough after Samsung was hit with a cyberattack. Android Authority, September 8, 2022
The following deep look at Russia’s cyberwarfare capabilities is of interest to the cyber-professional.
- Russian Cyberwarfare: Unpacking the Kremlin’s Capabilities: Even before Russian troops invaded Ukraine in February, many experts in the West, in Ukraine, and in Russia believed Moscow would use cyberattacks to inflict major damage on Ukraine prior to or after the start of the military offensive. Indeed, Russia has extensive and formidable cyber capabilities. Reality, however, has played out differently. Center for European Policy Analysis, September 8, 2022
Section 4 – Information Security and Privacy Management in the Organization
Stories to support executives and top management in securing their organizations and protecting privacy.
As we’ve been reporting regularly, the extent of cybercrime has grown so large that it’s impacting the cyber-insurance market. The result is that traditional risk transfer strategies are becoming less available and, when available, more expensive. A strategy of risk acceptance is also becoming more expensive, posing an existential risk to the organization. This makes risk avoidance and risk reduction the most cost-effective cyber risk management strategies. Did anyone say information security management?
- Unhappy about excluding nation-state attacks from cyberinsurance? Get ready to pay: Lloyd’s defends stance as critics say policy tweaks make it less worthwhile to spend on premiums. … Critics unhappy about insurers excluding certain nation-state attacks from cyber policies should consider the alternative: higher prices, according to Lloyd’s of London. The Register, September 6, 2022
More stories – should you need them – of hackers raising their game. With the LAUSD hack fresh in your mind, now’s a perfect time to review your information security management practices against the NIST Cybersecurity Framework and how well you manage the five information security management functions: Identify, Protect, Detect, Respond, and Recover.
- Ransomware gangs switching to new intermittent encryption tactic: A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims’ systems faster while reducing the chances of being detected and stopped. … This tactic is called intermittent encryption, and it consists of encrypting only parts of the targeted files’ content, which would still render the data unrecoverable without using a valid decryptor+key. … For example, by skipping every other 16 bytes of a file, the encryption process takes almost half of the time required for full encryption but still locks the contents for good. … Additionally, because the encryption is milder, automated detection tools that rely on detecting signs of trouble in the form of intense file IO operations are more likely to fail. Bleeping Computer, September 10, 2022
- Prynt Stealer Contains a Backdoor to Steal Victims’ Data Stolen by Other Cybercriminals: Researchers discovered a private Telegram channel-based backdoor in the information stealing malware, dubbed Prynt Stealer, which its developer added with the intention of secretly stealing a copy of victims’ exfiltrated data when used by other cybercriminals. The Hacker News, September 2, 2022
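The intermittent-encryption story above is worth seeing in code, because it explains why a detector has to look at what was written and not just how much. The following is an added example of my own, not code from Bleeping Computer or from any ransomware family: a toy that encrypts every other 16-byte block of a constructed document, followed by two content-based detectors. The keystream is HMAC-SHA256 in counter mode, standing in for whatever cipher a real sample uses; the document, key and nonce are constructed; and the two detectors with their thresholds are illustrative heuristics, not any product’s logic. What it shows is that a whole-file entropy threshold, a common fallback once I/O-volume alerts are being evaded, also degrades under intermittent encryption, while a block-granular check still fires.

```python
"""Toy intermittent-encryption simulation plus two content-based detectors.

The keystream is HMAC-SHA256 in counter mode, used as a stand-in for the real
payload cipher so the example runs with the standard library only. XOR makes
each encrypt function its own decrypt function.
"""
import hashlib
import hmac
import math
from collections import Counter

BLOCK = 16            # the granularity the article describes: "every other 16 bytes"
KEY = b"\x01" * 32    # fixed demo key (constructed; a real sample uses a per-victim key)
NONCE = b"demo-nonce-0001"  # constructed

# Constructed sample "document": ordinary ASCII text, about 8.5 KiB.
SAMPLE_PLAINTEXT = (
    b"Invoice 2022-09-05  Customer: Example School District\n"
    b"The quick brown fox jumps over the lazy dog. Amount due: 1,250.00 USD.\n"
) * 70


def keystream(key, nonce, length):
    """Deterministic pseudo-random bytes: HMAC-SHA256(key, nonce || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_full(data, key=KEY, nonce=NONCE):
    """Conventional ransomware behaviour: every byte of the file is rewritten."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_intermittent(data, key=KEY, nonce=NONCE, block=BLOCK):
    """Encrypt block 0, leave block 1 untouched, encrypt block 2, ... (half the writes)."""
    ks = keystream(key, nonce, len(data))
    out = bytearray(data)
    for start in range(0, len(data), 2 * block):
        for i in range(start, min(start + block, len(data))):
            out[i] ^= ks[i]
    return bytes(out)


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def whole_file_entropy_alert(data, threshold=7.5):
    """Detector 1: the classic 'file became random' rule over the whole buffer."""
    return shannon_entropy(data) >= threshold


def block_looks_random(block):
    """ASCII text never sets the high bit; 16 uniform random bytes almost always set >= 3."""
    return sum(b >> 7 for b in block) >= 3


def block_pattern_alert(data, block=BLOCK, min_fraction=0.25):
    """Detector 2: fraction of 16-byte blocks that look like ciphertext."""
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    random_blocks = sum(1 for b in blocks if block_looks_random(b))
    return random_blocks / len(blocks) >= min_fraction


def summarize(data=SAMPLE_PLAINTEXT):
    """Run both detectors against the untouched, fully and intermittently encrypted file."""
    variants = {"plaintext": data, "full": encrypt_full(data), "intermittent": encrypt_intermittent(data)}
    return {name: {"entropy": round(shannon_entropy(buf), 2),
                   "whole_file_alert": whole_file_entropy_alert(buf),
                   "block_alert": block_pattern_alert(buf)}
            for name, buf in variants.items()}


if __name__ == "__main__":
    for name, result in summarize().items():
        print(f"{name:13s} {result}")
```

With the constructed document, the plaintext sits around 5 bits per byte, the fully encrypted copy near 8, and the intermittently encrypted copy around 7.2: below the common 7.5 whole-file threshold even though half of every file is gone for good. The block-level check reports roughly 50% ciphertext-looking blocks for the intermittent case and flags it. The thresholds are illustrative; a real deployment tunes them per file type, and compressed or already-encrypted files (archives, media, PDFs with embedded streams) will trip both detectors, which is why content heuristics are combined with process context rather than used alone.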