Cybersecurity News of the Week, October 25, 2020

SecureTheVillage Calendar

Technology & Security Management HappyHour: Talking to the CSuite: Open Fair Standard. October 27 @ 4:30 pm – 5:30 pm PDT

Cybersecure 2020: A Reasonable Guide to Reasonable Security. October 28 @ 2:30 pm – 5:00 pm PDT

LMG Security Virtual Class: Cyber First Responders. November 5 @ 9:00 am – 6:00 pm PST

Invitational Cybersecurity Workforce Workshop — Linking Supply & Demand. November 10 @ 10:00 am – 12:00 pm PST

Information Security Management Webinar: Conversation on the Cyber Risk Landscape with Deron T. McElroy, CISA. November 12 @ 10:00 am – 11:00 am PST

Insurance Brokers Cybersecurity Roundtable: Case Study of a Breach: Helping Your Clients Prepare for the Inevitable. November 17 @ 2:00 pm – 3:00 pm PST

Financial Services Cybersecurity Roundtable: November 2020. November 20 @ 8:00 am – 10:00 am PST

Information Security Management Webinar: PCI DSS 4.0 with Scott Pierangelo. December 10 @ 10:00 am – 11:00 am PST

Individuals at Risk

Identity Theft

Most People Shouldn’t Pay for Identity Theft Protection: Not a year passes without someone asking me if they should sign up for an “identity theft protection service” like IdentityForce, IDShield, or LifeLock. These types of services are good at marketing—seeking to sell an expensive monthly subscription, they leverage people’s fears of losing their identity. But in most cases you shouldn’t sign up for any of them. The New York Times, October 23, 2020

Cyber Privacy

How to protect your privacy when selling your phone: If your current phone is ready for retirement or you need to sell your current phone to upgrade to a new model, follow these steps to keep your data private. TechRepublic, October 21, 2020

Cyber Defense

Teaching Cybersecurity To Our Kids: Making Sure They’re Safe Online: It’s National Cybersecurity Awareness Month. We’ve compiled easy ways to make sure your kids are safe online. Here’s what you need to teach them. Moms.com, October 23, 2020

FTC Announces New Fraud Reporting Platform for Consumers: ReportFraud.ftc.gov: New reporting system will provide streamlined experience and advice for consumers filing complaints with the FTC. FTC, October 22, 2020

Cyber Warning

FTC: Social Media Scams Accelerate in First Half of 2020: Scams that start on social media have been increasing for years and climbed from $134 million total reported losses in 2019 to $117 million in just the first six months of 2020, the Federal Trade Commission said today. ABA Banking Journal, October 21, 2020

Adblockers installed 300,000 times are malicious and should be removed now: If you have Chromium versions of Nano Adblocker or Nano Defender, pay attention. Ars Technica, October 20, 2020

Cyber Humor

Information Security Management for the Organization

Information Security Management

Supply Chain Cybersecurity: What You Need to Consider: As companies and organizations evaluate their attack surface, they know to look at their own systems and infrastructure to defend against threats and manage vulnerabilities. However, what about their critical partners and the supply chain? With up to 80% of cyber-attacks now beginning in the supply chain, breaches at even the smallest vendors can have big consequences for enterprise level operations. The problem of supply chain cybersecurity has become so pressing that the United States Department of Defense is rolling out the Cybersecurity Maturity Model Certification (CMMC) as a means to help secure the defense industry. Prime contractors and subcontractors will have to achieve CMMC compliance to do business as part of a DoD contract. The Primes are also expected to take a greater responsibility to ensure that subcontractors are implementing the appropriate security practices and compliance with the DoD standard. InfoSecurity Magazine, October 23, 2020

Board Decisions on Cybersecurity Spending Primarily Driven by Known Quantities: Compliance Requirements, Responses To Existing Incidents: A new survey of global CISOs and IT decision makers from access management firm Thycotic, shows that board decisions about cybersecurity spending are decidedly reflexive, with the primary drivers being fear of regulatory penalties or the costs of a repeat of a prior breach incident. CPO, October 23, 2020

US Treasury Department ban on ransomware payments puts victims in tough position: The Treasury Department’s advisory warns companies not to pay ransoms to sanctioned entities. The move complicates ransomware incident response and might encourage insurance carriers to drop ransomware coverage. CSO, October 22, 2020

Cyber Warning

LockBit Ransomware Uses Automation Tools to Pick Targets: Sophos: Malware Excels at Evading Detection and Picking Specific Victims. BankInfoSecurity, October 23, 2020

Attackers prey on Microsoft Teams accounts to steal credentials: A new phishing attack impersonates an automated communications message from Microsoft Teams to steal a corporate user’s login credentials. SC Magazine, October 22, 2020

Cybersecurity in Society

Know Your Enemy

Ransomware groups are going corporate: As ransomware attacks have quickly morphed over the past few years into a billion-dollar business, the groups behind them are increasingly adopting the practices and tactics of the corporate businesses they target. SCMedia, October 21, 2020

Cyber Regulation

New York financial watchdog calls for social media cybersecurity regulator after Twitter hack of Biden and Obama accounts: The New York State Department of Financial Services said platforms like Twitter and Facebook are now “systemically important” and need cybersecurity oversight. TechRepublic, October 22, 2020

Cyber Enforcement

US charges Russian GRU officers for NotPetya, other major hacks: A federal grand jury returned an indictment against six alleged Russian intelligence officers who, collectively, were responsible for “conducting the most disruptive and destructive series of computer attacks ever attributed to a single group,” the Justice Department announced Monday. CyberScoop, October 19, 2020

Disinformation

The Now-Defunct Firms Behind 8chan, QAnon: Some of the world’s largest Internet firms have taken steps to crack down on disinformation spread by QAnon conspiracy theorists and the hate-filled anonymous message board 8chan. But according to a California-based security researcher, those seeking to de-platform these communities may have overlooked a simple legal solution to that end: Both the Nevada-based web hosting company owned by 8chan’s current figurehead and the California firm that provides its sole connection to the Internet are defunct businesses in the eyes of their respective state regulators. KrebsOnSecurity, October 22, 2020

QAnon/8Chan Sites Briefly Knocked Offline: A phone call to an Internet provider in Oregon on Sunday evening was all it took to briefly sideline multiple websites related to 8chan/8kun — a controversial online image board linked to several mass shootings — and QAnon, the far-right conspiracy theory which holds that a cabal of Satanic pedophiles is running a global child sex-trafficking ring and plotting against President Donald Trump. Following a brief disruption, the sites have come back online with the help of an Internet company based in St. Petersburg, Russia. KrebsOnSecurity, October 19, 2020

Cyber Freedom

Joint FBI and CISA Alert Warns of Hackers Exploiting VPN Vulnerability and Zerologon Bug To Compromise Election Systems: The FBI and Cybersecurity Infrastructure Security Agency (CISA) warned that Advanced Persistent Threat (APT) actors employed vulnerability chaining to target government computer networks, including those housing election support systems. The vulnerability chaining method involves combining various vulnerabilities to gain access and maximum control of the targeted computer systems. The joint FBI and CISA alert AA20-283A warns that threat actors exploited Fortinet’s VPN vulnerability in gaining initial access and then employed Zerologon vulnerability (CVE-2020-1472) to gain privileged control of the networks. CPO, October 23, 2020

Exclusive: National Guard called in to thwart cyberattack in Louisiana weeks before election: (Reuters) – The Louisiana National Guard was called in to stop a series of cyberattacks aimed at small government offices across the state in recent weeks, according to two people with knowledge of the events, highlighting the cyber threat facing local governments in the run up to the 2020 U.S. presidential election. Reuters, October 23, 2020

Phishing groups are collecting user data, email and banking passwords via fake voter registration forms: With the election window closing, phishing groups are striking the iron while it’s hot. ZDNet, October 23, 2020

‘Among Us’ Suffers Attack By Apparent Pro-Trump Hacker—Three Days After AOC’s Hit Twitch Rally: About 72 hours ago, more than a half-million people were watching Rep. Alexandria Ocasio-Cortez play a video game, Among Us, something a bit like a souped-up, extraterristial game of Clue. The Democratic congresswoman had set up a Twitch stream, recruiting several popular gaming influencers for the occasion, and had a double purpose for the session: a campaign rally for Joe Biden. It was a hit, receiving widespread attention and praise, even drawing some bong-hit thinking about whether AOC had shined a light on the future of politics and community organizing. Forbes, October 23, 2020

Ransomware hit a Georgia county. That didn’t stop its ballot counting.: The attack does not indicate any broad effort to tamper with U.S. voting or show systemic vulnerabilities to the U.S. election system. NBC, October 23, 2020

Pennsylvania’s top election official says the state is prepared for election security threat: Bracing for possible security threats approaching and following Election Day, Pennsylvania Secretary of State Kathy Boockvar said her team has been working with federal officials to coordinate a response to any disturbances or attack on the voting system that may arise. The Mercury, October 23, 2020

Cyber Law

Class Actions Seek to Test the Limits of the CCPA’s Private Right of Action: Companies doing business in California should expect to see these boundary-testing CCPA class actions continue until courts weigh in on this unsettled area of law. Law.com, October 20, 2020

Financial Cybersecurity

Cybercrime task force monitoring the global digital financial system: Regulators are addressing the growing threat of transnational cybercrimes in the financial industry. CoinTelegraph, October 24, 2020

Critical Infrastructure

GAO Report Says Airlines Need New Cybersecurity Testing Policy for Avionics Systems: A new U.S. Government Accountability Office (GAO) report identifies six key recommendations for the Federal Aviation Administration’s (FAA) current regulation of cybersecurity requirements for commercial aircraft avionics systems. Aviation Today, October 21, 2020

Internet of Things

Infected IoT Device Numbers Surge 100% in a Year: The volume of infected Internet of Things (IoT) devices globally has soared by 100% over the past year, according to new data from Nokia. InfoSecurity, October 23, 2020

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge