IT Security News Blast – 6-18-2021
IT Security News Blast - HIATUS
The blast will be dormant during the upcoming week. Back on Monday, 6/28.
Ransomware claims are roiling an entire segment of the insurance industry [Subscription]
That’s pushing insurance carriers to reevaluate how much coverage they can afford to offer and how much they have to charge clients to do so. Underwriters are demanding to see detailed proof of clients’ cybersecurity measures in ways they never have before. For example, not using multifactor authentication, which requires a user to verify themselves in multiple ways, might result in a rejection.
Bad cybersecurity behaviors plaguing the remote workforce
Over one quarter of employees admit they made cybersecurity mistakes — some of which compromised company security — while working from home that they say no one will ever know about. 27% say they failed to report cybersecurity mistakes because they feared facing disciplinary action or further required security training.
50,000 security disasters waiting to happen: The problem of America's water supplies
"If you could imagine a community center run by two old guys who are plumbers, that's your average water plant." [...] As many as 1 in 10 water and wastewater plants had recently found a critical cybersecurity vulnerability. Most shocking, more than 80 percent of the major vulnerabilities that the surveyed facilities had were software flaws discovered before 2017, indicating a rampant problem of employees not updating their software.
UF Health Leesburg and UF Health The Villages fall victim to “cyber security event”
The Villages-News said the attack was suspected to be caused by ransomware. They reported, “The attackers are reportedly demanding a $5 million ransom, although UF Health has not confirmed that number and remains tight lipped on the situation.” The UF Health spokesman Frank Faust did not confirm that what he called a “cybersecurity event” was a ransomware attack or if there is a demand for payment.
Ransomware Reshapes Health Care Security Landscape
Another 7% said the data was not encrypted, but the organization was still held for ransom. This is because some attackers are turning to extortion-style attacks, which means that instead of encrypting files, they steal and then threaten to publish data unless the ransom demand is paid. [...] The average bill in the health care sector for rectifying a ransomware attack, considering downtime, personnel, device cost, network cost, lost opportunity, ransom paid, etc. was $1.27 million.
Biden tells Putin certain cyberattacks should be 'off-limits'
[The] 16 sectors designated as critical by the U.S. Homeland Security Department, including telecommunications, healthcare, food and energy. [...] A senior administration official said that the proposal was focused on "destructive" hacks, as opposed to the conventional digital espionage operations carried out by intelligence agencies worldwide.
Lessons Learned from the SolarWinds Cyberattack, and the Future for the New York Department of Financial Services’ Cybersecurity Regulation
Ensure that third-party service provider and other vendor risk management policies and procedures include processes for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of critical vendors. These policies should include provisions requiring third-party service providers to immediately notify the regulated company when a cyber event occurs that impacts or could potentially impact an organization’s information systems or non-personal information that is maintained, processed or accessed by the vendor.
First American settles cyber-security reporting action
‘As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it. Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.’ First American settled the action without admitting or denying wrongdoing. It agreed to pay a $487,616 penalty.
Senate bill to require hack reports within 24 hours and punish violators
Under the new Senate bill, federal contractors that don't promptly report cyber incidents could lose their contracts, while other noncompliant companies could face “financial penalties equal to 0.5 percent per day of the entity’s gross revenue from the prior year,” according to the draft bill, first reported by CNN. Agencies that don't report their own breaches would face inspector general investigations.
Federal Legislation Considers Banning Ransom Payments to Hackers
With these two recent ransomware attacks—and subsequent payments—receiving massive publicity, congressional lawmakers have begun to question whether ransom payments should be permitted or remain legal, or if federal lawmakers should step in to prohibit such ransom payments as a means to curtail these forms of attacks.
CISA under pressure to put more teeth in cyber requirements following Colonial Pipeline attack
Ranking Member John Katko (R-N.Y.) is pushing to get CISA to a $5 billion annual budget. The Biden administration is seeking $2.1 billion for CISA in fiscal 2022, an increase of $110 million from last year’s appropriation. The American Rescue Plan Act of 2021 also allocated $650 million in emergency funding for CISA.
Senators unveil legislation to crack down on cyber criminals
[The] International Cybercrime Prevention Act, which would enhance criminal violations for hackers targeting critical infrastructure such as dams, power plants, hospitals and election equipment. It would also expand the Justice Department’s ability to go after botnet groups by allowing injunctions against botnets involved in certain destructive cyberattacks, destruction of data or other issues that pose a violation of the Computer Fraud and Abuse Act.
Analysis: The Cyber Impact of Biden/Putin Summit Meeting
"Cyber wasn't completely off the front pages before, but for far too long this has been seen as a niche issue - and it shouldn't be. It's a core issue of our national security and economic security. And although these discussions have come in fits and starts in the past, this summit should be seen as a transformational moment."
Follow these steps to stay secure and maintain privacy at home
"When the pandemic hit and everyone started working from home, security professionals became immediately concerned that hackers would exploit the use of personal devices. And that's of course exactly what happened," said Frances Zelazny, startup advisor and "internet of things" analyst. "Within months, there were malicious sites and viruses circulating all over the place, with the home router and printer being the entry point of choice for malicious exploitations."
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Throughout their investigation, researchers saw hundreds of compromised mailboxes in multiple businesses. All forwarding rules were configured to send emails to one of two attacker-controlled accounts if the messages had "invoice," "payment," or "statement." Attackers also added rules to delete the forwarded emails from the victim's mailbox.
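As an added detection example (not part of the digest or of Microsoft's report), the Python below audits a constructed set of inbox rules for the pattern described above: keyword-triggered forwarding to an external address, deletion of the forwarded copies, and many mailboxes feeding the same external account. The rule record shape, the example.com domain and the attacker.invalid addresses are assumptions, not real Exchange or Graph output.

```python
from collections import defaultdict
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
BEC_KEYWORDS = {"invoice", "payment", "statement"}

@dataclass  # constructed, simplified rule shape (not real Exchange/Graph output)
class InboxRule:
    mailbox: str
    name: str
    contains: list = field(default_factory=list)    # subject/body keyword conditions
    forward_to: list = field(default_factory=list)  # forwarding/redirect targets
    delete: bool = False                            # delete message after forwarding

def is_external(address: str) -> bool:
    return address.lower().rsplit("@", 1)[-1] != INTERNAL_DOMAIN

def rule_findings(rule: InboxRule) -> list:
    """Reasons this single rule matches the BEC forwarding pattern (empty if none)."""
    findings = []
    external = [a for a in rule.forward_to if is_external(a)]
    hits = sorted(k for k in rule.contains if k.lower() in BEC_KEYWORDS)
    if external and hits:
        findings.append(f"forwards mail matching {hits} to external {external}")
    elif external:
        findings.append(f"forwards to external {external}")
    if rule.delete and rule.forward_to:
        findings.append("deletes after forwarding, hiding the activity from the owner")
    return findings

def audit(rules) -> dict:
    """Map (mailbox, rule name) -> findings for every suspicious rule."""
    return {(r.mailbox, r.name): f for r in rules if (f := rule_findings(r))}

def shared_targets(rules, min_mailboxes: int = 2) -> dict:
    """External addresses several distinct mailboxes forward to: the campaign-wide pivot."""
    seen = defaultdict(set)
    for r in rules:
        for a in r.forward_to:
            if is_external(a):
                seen[a.lower()].add(r.mailbox)
    return {a: m for a, m in seen.items() if len(m) >= min_mailboxes}

# Constructed sample: two compromised mailboxes and one benign internal rule
SAMPLE_RULES = [
    InboxRule("alice@example.com", "sync", ["invoice", "payment"], ["collector1@attacker.invalid"], delete=True),
    InboxRule("bob@example.com", ".", ["statement"], ["collector1@attacker.invalid"], delete=True),
    InboxRule("carol@example.com", "to AP team", ["invoice"], ["ap-team@example.com"]),
]
```

Run `audit(SAMPLE_RULES)` for per-rule findings and `shared_targets(SAMPLE_RULES)` to see which external address multiple mailboxes feed.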
Cisco Smart Switches Riddled with Severe Security Holes
- CVE-2021-1566: Cisco Email Security Appliance and Cisco Web Security Appliance (Certificate-Validation Vulnerability)
- CVE-2021-1134: Cisco DNA Center (Certificate Validation Vulnerability)
- CVE-2021-1541 through 1543; CVE-2021-1571: Cisco Small Business 220 Series Smart Switches (Session Hijacking, Arbitrary Code-Execution, Cross-Site Scripting, HTML Injection)
- CVE-2021-1567: Cisco AnyConnect Secure Mobility Client for Windows with VPN Posture (HostScan) Module (DLL Hijacking)
Researchers Uncover 'Process Ghosting' — A New Malware Evasion Technique
"With this technique, an attacker can write a piece of malware to disk in such a way that it's difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk," Elastic Security researcher Gabriel Landau said. "This technique does not involve code injection, Process Hollowing, or Transactional NTFS (TxF)."
Largest US propane distributor discloses '8-second' data breach
On May 10th, J. J. Keller detected suspicious activity on their systems associated with a company email account. As such, the vendor promptly began investigating their network to discover that a J. J. Keller employee had fallen victim to a phishing email, leading to a compromise of their account. [...] By May 21st, J. J. Keller notified AmeriGas that this eight-second breach exposed records of 123 AmeriGas employees present in the files viewable to the attacker.