Cyber Risk News
Pulse Secure has patched a critical zero-day vulnerability that was being exploited by multiple APT groups to target US defense companies, among other entities.
The security update fixes CVE-2021-22893, a critical authentication bypass vulnerability in the Pulse Connect Secure VPN product which has a CVSS score of 10.0.
It was being exploited in combination with bugs from 2019 and 2020, patched by the vendor but not applied by some organizations, to bypass multi-factor authentication on the product. This allowed attackers to deploy webshells for persistence and perform surveillance activities.
Mandiant said at the time that it had tracked 12 malware families to the exploitation of the vulnerability, and at least one state-sponsored attack group, APT5.
Reports of these attacks first started to appear around two weeks ago, with both the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) issuing warnings to organizations.
Phil Richards, CSO of Pulse Secure’s parent company Ivanti, argued that the firm was making “significant investments” to improve its security posture, including enhancements to its application development processes.
“The Pulse Secure team has worked closely with CISA as well as leading forensic experts and industry groups, including Mandiant/FireEye and Stroz Friedberg, among others, to investigate and respond quickly to malicious activity that was identified on a very limited number of customer systems,” he added.
“The Pulse team took swift action to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system, and we are pleased to be able to deliver a security patch in such short order to address the vulnerability.”
Richards also encouraged Pulse Secure customers to take advantage of an integrity checker tool to see if they’ve been impacted by the threat.
Suspected Iranian hackers have reportedly hit multiple Israeli companies with ransomware, in a new campaign of attacks.
A group describing itself as 'N3tw0rm' (Networm) on Sunday added the logo of H&M Israel to their naming and shaming website, just three days after another local firm, Veritas Logistics, was hit.
Networm is threatening to publish 110GB of data stolen from the fashion retailer and 9GB from transport firm Veritas, including information on customers, invoices, employees and possibly payment data, according to Haaretz.
The group reportedly demanded 3 Bitcoin ($168,000) from Veritas Logistics to delete the data.
A local cybersecurity firm that Haaretz spoke to claimed it was providing incident response for three Israeli companies that had recently been hit by ransomware. There are suspicions an unnamed non-profit may also have been targeted in the ongoing campaign.
The Networm group has been linked to 'Pay2Key' — an Iranian cyber-attack group that hit scores of Israeli firms at the end of last year in what some commentators described as an ideological rather than financially motivated operation.
If that’s true, the attackers have no intention of releasing the stolen information but instead want to undermine the status of Israel as a pre-eminent cyber power, the report claimed.
In fact, it’s not uncommon for ransomware threat actors to hold onto some or all of the data they’ve stolen. A Sophos report out last week claimed that although a third (32%) of victim organizations now elect to pay, only 8% got all their data back last year and 29% didn’t manage to grab more than half of what they lost.
Personal health information (PHI) belonging to tens of thousands of Pennsylvanians has been exposed following a data breach at a Department of Health vendor.
Atlanta-based company Insight Global was contracted by the Keystone State's DOH in 2020 "to provide contact tracing and other similar services" following the outbreak of COVID-19. Now the Department is accusing the company of exposing the data of 72,000 individuals by willfully disregarding security protocols.
Pennsylvanians contacted by Insight Global in a contact tracing data collection operation reported to have cost $28.7m shared their information on the understanding that it would be kept confidential.
Department of Health spokesperson Barry Ciccocioppo stated "certain employees of Insight Global—a vendor contracted by DOH in 2020 to provide contact tracing and other similar services—disregarded security protocols established in the contract and created unauthorized documents outside of the secure data systems created by the Commonwealth.
"These documents existed separately from the official data that Insight Global employees were collecting and providing to DOH within secure data platforms."
Information exposed in the data breach reportedly included names, phone numbers, and medical information. The DOH said that their data systems were not impacted by the breach.
“From the briefing I got this morning from the Governor’s Office, there were several employees of Insight Global that ignored or purposefully avoided security protocols, I don’t know whether to make their job easier or what,” said State Representative Jason Ortitay, who serves portions of Washington and Allegheny counties.
He added: “They were basically putting information and people’s names into Google documents and then they were sharing them amongst each other.”
A spokesperson for Insight Global told WPXI that contact tracing information "may have been made accessible to persons beyond authorized employees and public health officials."
The company has launched an investigation into the security incident and taken steps to secure the PHI that was exposed. Free credit monitoring and identity protection services will be offered by the company to individuals affected by the breach.
Insight Global's contract with the Department of Health expires on July 31. The Department has stated that it will not be renewed.
A website through which more than 400,000 users accessed child sexual abuse material (CSAM) has been taken down in an international operation led by German police.
The Boystown site had existed on the Darknet since at least June 2019 and had users all over the world. After creating an account, users could download videos and images depicting the sexual abuse of children, exchange content of this nature with one another, and also chat together via voice channels.
"Among the images and video recordings shared were also recordings of the most severe sexual abuse of young children," German prosecutors said on Monday.
DW reports that administrators of the platform sent advice to users on how to access the site securely to avoid criminal prosecution.
Four German citizens have been arrested on suspicion of being involved with the Boystown platform. Three of those people are accused of operating and maintaining the site.
During mid-April raids on seven properties, police took into custody a 40-year-old man residing in Paderborn in western Germany, a 49-year-old man from the Munich area, and a 58-year-old man from northern Germany who has been living in Paraguay for several years.
The fourth suspect, a 64-year-old man living in Hamburg, is accused of creating an account on the Boystown platform in July 2019 and using it to post over 3,500 pieces of content to the site. If proven to be true, his alleged activity would make this man one of the site's most active users.
An international taskforce set up by the German Federal Criminal Police (Bundeskriminalamt) to target Boystown and its users included Europol and law enforcement agencies from the Netherlands, Sweden, Australia, Canada, and the United States.
Europol said that several other chat sites on the dark web that were used by child sexual offenders were also seized as part of the Boystown takedown operation.
"The image and video data seized during this investigation will be used for Victim Identification Taskforces organized on a regular basis at Europol," stated Europol.
"More arrests and rescues are to be expected globally as police worldwide examine the intelligence packages compiled by Europol."
The Biden administration is reportedly considering teaming up with private companies to monitor American citizens' private online activity and digital communications.
According to news source CNN, multiple sources have said that the Department of Homeland Security (DHS) is actively seeking a way to monitor citizens online without having to first secure a warrant or prove that such monitoring is an essential part of an ongoing investigation.
The sources said that a plan is being formed for the DHS to circumvent these established checks to the government's power by working directly with private firms.
Currently, only the unprotected information that Americans share on social media sites and public online platforms can be accessed by federal authorities.
However, the alleged plan being formed by the DHS would allow authorities to see what Americans are writing and sharing online in access-restricted spaces such as private Facebook groups.
The plan is reportedly not centered on the decryption of data belonging to Americans but is instead focused on getting outside entities with legal access to the information being shared online to report what is being said to the government.
Limits are also in place at the Central Intelligence Agency (CIA) and National Security Administration (NSA) when it comes to domestic espionage.
"It is . . . important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so," said CIA spokesperson Jonathan Liu.
"CIA's activities are subject to rigorous oversight to ensure that they comply fully with US law and the Constitution."
The alleged new DHS plan comes after the PRISM domestic surveillance program, in which the NSA, FBI, and CIA gathered and searched through Americans’ international emails, internet calls, and chats without obtaining a warrant, came under criticism from the American Civil Liberties Union.
ACLU described the program as "violating the Fourth Amendment on a massive scale" and "one of the NSA's worst spying programs."
A personal cell phone number belonging to the UK's prime minister, Boris Johnson, has reportedly been publicly accessible online for fifteen years.
Johnson's number was listed on a think tank press release published on the internet back in 2006 when he was the Member of Parliament for the riverside town of Henley in Buckinghamshire.
The security breach was first reported by the website Popbitch in a piece headlined 'Hoping not to butt-dial Boris'.
“It’s not as though the Prime Minister’s personal phone number could just be floating out there on the internet, is it?” quipped the site.
“It would be absolutely insane if it was tacked on to the bottom of an old press release that he dished out freely while MP for Henley, and Shadow Minister for Higher Education.”
According to the BBC, the exposed number appears to still be in use by the Conservative prime minister.
Leader of the opposition Labour Party, Sir Keir Starmer, described news of the number's availability as "a serious situation [that] carries a security risk."
Starmer said: "A lot of people will be concerned, not just about who has got the number but who has been using it."
Johnson has come in for criticism recently concerning his use of messaging apps and SMS messages after it was reported that he personally texted businessman Sir James Dyson with a promise to "fix" Dyson's tax issue.
"What has come out in recent weeks is [about] privileged access—those who can WhatsApp the prime minister for favors—and this all is further evidence that there is one rule for them and another rule for everybody else," said Starmer.
Speaking on BBC Radio 4's Today program, former national security adviser Lord Ricketts said that “hostile states with sophisticated cyber capabilities or criminal gangs" could have exploited Johnson’s number.
He added that for a prime minister to change their number after taking office is an "elementary security precaution these days."
Home Office minister Victoria Atkins said that the PM was "aware of his responsibilities" on national security and that she had "complete and utter confidence" that he and his advisors would meet those responsibilities.
A software company based in Germany has self-disclosed violating United States sanction laws by exporting American products and services to Iran.
SAP SE, which is headquartered in Walldorf, admitted to carrying out thousands of export violations over a seven-year period.
After self-reporting its transgressions, the company agreed to pay combined penalties of more than $8m as part of a global resolution reached with the United States Departments of Justice (DOJ), Commerce, and Treasury.
SAP entered into a non-prosecution agreement with the three agencies that requires the company to disgorge $5.14m of ill-gotten gains.
From around January 2010 through approximately September 2017, SAP and its overseas partners released US-origin software more than 20,000 times to users located in Iran. Software exported by SAP without a license included upgrades and patches.
"Certain SAP senior executives were aware that neither the company nor its U.S.-based content delivery provider used geolocation filters to identify and block Iranian downloads, yet for years the company did not remedy the issue," stated the DOJ.
Most of the Iranian downloads went to 14 companies, which SAP's partners in Turkey, United Arab Emirates, Germany, and Malaysia knew to be under Iranian control. The remaining downloads were sold to several multinational companies then downloaded by their Iranian-based operations.
During the same period, SAP’s Cloud Business Group companies (CBGs) permitted approximately 2,360 Iranian users to access US-based cloud services from Iran.
The DOJ praised SAP for voluntarily confessing its violations, running an extensive internal investigation, and for cooperating with the US government over a three-year period.
"During this time, SAP worked with prosecutors and investigators, producing thousands of translated documents, answering inquiries and making foreign-based employees available for interviews in a mutually agreed upon overseas location," stated the DOJ.
SAP also spent more than $27m on remediating its export compliance and sanctions program. Changes introduced by the company included the implementation of GeoIP blocking, the deactivation of thousands of Iran-based user accounts for cloud services, and the suspension of SAP partners who sold to customers affiliated with Iran.
Assistant Attorney General John Demers said: “SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated."
The creation of the delegation was officially announced yesterday along with an overview of the subcommittee's mission.
The main goal of the newly formed assemblage will be to assess cyber-threats to America's critical infrastructure and examine actions taken by the government and industry to secure the nation's essential networks.
Privately owned infrastructure across the defense industrial base and telecommunications, finance, and energy and electric sectors will be evaluated in terms of what impact they could have on national security.
Another goal that the group has been set is the promotion of strategies that will mitigate cyber-threats to select critical infrastructure operations.
Meeting quarterly, the subcommittee also aims to foster a spirit of cooperation by identifying and addressing obstacles to greater public-private collaboration, with a specific focus on how this could be achieved through Sector Coordinating Councils (SCCs), Information Sharing and Analysis Centers (ISACs), and other forums.
INSA said that the goal of the subcommittee is to also "serve as a forum for government and industry experts to share perspectives, develop new insights, better account for risk, build resiliency, and promote best practices."
Chris Boyer, vice president of global security and technology policy at telecommunications giant AT&T, has been named as the subcommittee's chair.
Vice chair positions have been accepted by Amentum's vice president for mission engineering Rich Johanning and by the CME Group's global information security external engagement team lead, Sydney Jones.
Initial areas that the subcommittee will focus on include threat briefs on cyber-threats to critical infrastructure sectors, securing critical infrastructure supply chains, and expediting the process of securing clearances for critical infrastructure.
They will also get cracking with a look at ways in which the speed of declassification and tearline report publication could be improved to facilitate faster industry response to cyber-threats.
INSA vice president for policy Larry Hanauer said: “It’s critical that government agencies and critical infrastructure operators improve their cybersecurity cooperation and share information on cyber threats more effectively."
Security experts have welcomed the proposals of a new ransomware report from big tech and law enforcers, but argued that tackling the menace must begin with improved cyber-hygiene.
Convened by the Institute for Security and Technology and trailed since last December, the Ransomware Task Force (RTF) is a team of over 60 experts from software companies, cybersecurity vendors, government agencies, non-profits, and academic institutions.
It includes representatives from the FBI, Europol, the UK’s National Crime Agency and many of the world’s biggest tech companies including Amazon, Cisco and Microsoft.
Its framework document makes five key recommendations to tackle the cyber-threat. The most eye-catching of these is that governments require cryptocurrency exchanges, crypto kiosks, and over-the-counter (OTC) trading 'desks' to adhere to the same regulatory standards as banks. That means following anti-money laundering (AML), Know Your Customer (KYC) and Combatting Financing of Terrorism (CFT) laws.
Other recommendations include that the US government “execute a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign, coordinated by the White House.”
It emerged last week that a new Department of Justice taskforce will work to manage efforts across the federal government to disrupt C&C infrastructure, seize profits, coordinate training and intelligence sharing and more to try and disrupt ransomware groups.
The RTF also called for prioritized law enforcement efforts across jurisdictions and "a clear, accessible, and broadly adopted” international framework to help organizations prepare for, and respond to, ransomware attacks.
However, some security experts were skeptical about the RTF’s recommendations.
ImmuniWeb founder, Ilia Kolochenko, argued that even if cryptocurrencies were regulated, cyber-criminals would find ways to bypass regulations. Indeed, the current AML regulatory regime is widely seen to have failed.
“I’d rather suggest treating the root cause of ransomware: the widespread lack of basic cyber-hygiene,” Kolochenko argued.
“Even the largest organizations from regulated industries often fail to follow the basics: maintain an up-to-date asset inventory, implement risk-based and threat-aware security controls, perform continuous security monitoring and anomaly detection, conduct ongoing security training and awareness, maintain software and patch management programs, and to enforce centralized identity management.”
Others were more welcoming of the task force’s efforts, but agreed that organizations must do more from a corporate cybersecurity perspective.
“It is important for cyber-awareness training to be regular in the workplace, as only then will it build employee knowledge of security and educate them on the significant part they play in protecting the organization,” argued Mimecast’s head of e-crime, Carl Wearn.
“In the face of this increasing level of threat to all organizations, cyber-hygiene and user awareness training will be critical to maintaining security. Hopefully this news will help businesses to understand just how big of a threat ransomware is.”
Fedor Sinitsyn, security expert at Kaspersky, explained that the ransomware landscape had fundamentally changed over the past year, putting enterprises in the crosshairs.
“The primary focus will likely continue to be on companies and large organizations, and that means ransomware attacks will continue to become more sophisticated and more destructive,” he added. “It’s imperative that businesses adopt a holistic, comprehensive set of security practices to protect their data.”
A misconfigured AWS S3 bucket is leaking personal information on 70,000 customers of a popular paleolithic lifestyle site, security researchers at vpnMentor have revealed.
The research team, led by Noam Rotem, discovered the 290MB trove on February 4, and traced it back to Paleohacks, a US health and lifestyle brand that offers content and resources about the paleo diet.
“At the time of writing, the company has ignored every attempt we’ve made to help them close the vulnerability and told us they’re ‘not interested’,” vpnMentor claimed in a blog post yesterday.
The leaky database apparently exposed the personally identifiable information (PII) of around 70,000 users of the site worldwide, dating back to 2015.
The exposed PII includes full names, usernames, dates of birth, email and IP addresses, hashed passwords, employer details, location and more.
Also exposed were password reset tokens for some subscription account holders.
“While the passwords were protected by the bcrypt hashing algorithm (a sophisticated form of password encryption), a hacker could easily use the tokens to reset a person’s password, gain access, and lock the original user out of their account,” vpnMentor argued.
“Doing so would allow the hackers to take control of thousands of Paleohacks accounts and any additional data stored therein.”
Affected users could also be targeted by follow-on phishing attacks and other identity fraud schemes, if attackers got hold of their data, the researchers warned.
Paleohacks may also invite the scrutiny of Californian privacy regulators and even the GDPR, if EU citizens have had their data exposed, vpnMentor argued.
The S3 bucket was discovered as part of a large web scanning project in which the research team scans for exposed cloud databases. It found the offending bucket unsecured and unencrypted.
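To show why exposed reset tokens undermine even bcrypt-hashed passwords, here is an added example (not vpnMentor's or Paleohacks' code) contrasting a store that keeps reset tokens in the clear with one that keeps only a hash of each token, enforced single-use and expiry; the account address, the fixed clock and the 15-minute lifetime are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed lifetime for a reset link (constructed value for this example).
TOKEN_TTL_SECONDS = 15 * 60


class PlaintextResetTokens:
    """The weak design: the database row stores the reset token itself.

    Anyone who reads a copy of the row (for example from a leaked bucket)
    holds a working token, no matter how well the passwords are hashed.
    """

    def __init__(self):
        # email -> {"stored": value kept in the database, "expires_at": epoch seconds}
        self.rows = {}

    def _derive(self, token):
        # Weak variant: what is stored is the token itself.
        return token

    def issue(self, email, now=None):
        """Create a token for a reset email; return the value sent to the user."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self.rows[email] = {
            "stored": self._derive(token),
            "expires_at": now + TOKEN_TTL_SECONDS,
        }
        return token

    def redeem(self, email, presented, now=None):
        """Accept a token from a reset link exactly once, before it expires."""
        now = time.time() if now is None else now
        row = self.rows.get(email)
        if row is None:
            return False
        if now > row["expires_at"]:
            del self.rows[email]  # expired tokens are purged, never honoured
            return False
        # Constant-time comparison so timing does not leak the stored value.
        candidate = self._derive(presented).encode("utf-8")
        if not hmac.compare_digest(candidate, row["stored"].encode("utf-8")):
            return False
        del self.rows[email]  # single use: a replayed link must fail
        return True


class HashedResetTokens(PlaintextResetTokens):
    """The hardened design: only SHA-256(token) is stored.

    Reset tokens are high-entropy random strings, so a fast hash suffices
    (bcrypt is for low-entropy passwords); a leaked digest cannot be turned
    back into the token that the redeem path expects.
    """

    def _derive(self, token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()


def leaked_row_redeems(store, email, now=None):
    """Simulate the leak: present exactly the value found in the database row.

    Returns True if a copy of the row alone is enough to reset the password.
    """
    return store.redeem(email, store.rows[email]["stored"], now=now)


if __name__ == "__main__":
    user = "alice@example.test"  # constructed sample account
    t0 = 1_700_000_000.0         # constructed fixed clock for reproducibility

    weak = PlaintextResetTokens()
    weak.issue(user, now=t0)
    print("plaintext store, leaked row resets password:",
          leaked_row_redeems(weak, user, now=t0 + 1))

    strong = HashedResetTokens()
    link_token = strong.issue(user, now=t0)
    print("hashed store, leaked row resets password:",
          leaked_row_redeems(strong, user, now=t0 + 1))
    print("hashed store, genuine link works once then fails:",
          strong.redeem(user, link_token, now=t0 + 1),
          strong.redeem(user, link_token, now=t0 + 2))
```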
The personal safety of Washington DC police officers may be at risk after it emerged that ransomware threat actors had managed to steal personnel files in an attack earlier this month.
The acting chief of the US capital’s Metropolitan Police Department (MPD), Robert Contee, said in an email to staff that 'HR files' containing personal information were part of the haul, according to CNN.
That adds extra jeopardy for officers in the event that the ransomware group in question, Babuk, decides to permanently post the information on its dark web naming and shaming site. A separate report claimed that information on at least five officers was temporarily leaked by the group to show it means business.
The gang has already claimed to have 250GB of internal data from the MPD in its possession following the raid, including information on informants which it threatened to share with local gangs unless a ransom was paid.
Such 'double extortion' tactics are increasingly common among ransomware groups. According to a Coveware report this week, they now appear in a majority (77%) of attacks.
However, rarely do threat actors have stolen information that could endanger lives.
The case is further complicated by the fact that Babuk appears to be calling it a day after having reached its financial goals.
One version of a widely reported note on the group’s dark web site, titled 'Hello World 2', said that breaching the police department was its “last goal.”
“Only they now determine whether the leak will be or not, in any case regardless of the outcome of events with PD, the babuk project will be closed,” it said.
Unfortunately for future potential victims, the gang is planning to open source its malware for others to use in ransomware-as-a-service campaigns.
Security experts were alarmed at the developments in Washington.
“Our research data shows that cyber-criminals are making a conscious effort to hit high-value targets, but the reality is no one is immune from ransomware. The best defense against ransomware is therefore prevention,” argued Nozomi Networks CEO, Edgard Capdevielle.
“This includes training staff on the threat and the techniques cyber-criminals will use to get it onto systems, and performing continuous security monitoring across the entire IT and OT estate, to identify malicious activity or vulnerabilities which cyber-criminals could exploit.”
A task force organized by the Institute for Security and Technology has urged the White House to tackle the rise in ransomware attacks and make it harder for cybercrimes to be committed.
Law enforcement agencies, cybersecurity experts, and governments came together to make a series of recommendations to the Biden administration that aim to disrupt the illegal activities of threat actors.
A report submitted by the task force contained 48 recommendations, including advice to step up the regulation of cryptocurrencies and to root out safe havens sheltering ransomware attackers from capture and prosecution.
The task force noted in the report that the volume of cyber-attacks has increased by four times year on year and that cybercrime is now a $350m criminal industry.
The report is based on consultations carried out with researchers at Chainalysis Inc, cybersecurity experts at Palo Alto Networks Inc, and law enforcement agencies in Canada, the United Kingdom, and the United States.
Among the recommendations contained within the report are five priorities described as “foundational and urgent.” These include using the long arm of the law and diplomatic channels to dissuade countries from offering cyber-criminals a safe haven in which to operate.
“Most ransomware criminals are based in nation-states that are unwilling or unable to prosecute this cyber crime, and because ransoms are paid through cryptocurrency, they are difficult to trace,” states the report. “This global challenge demands an ‘all hands on deck’ approach, with support from the highest levels of government.”
In the report, the task force notes that cyber-criminals favor cryptocurrencies when extorting payments from their victims as they are largely unregulated and transactions can be difficult to track.
The task force called for governments to step up cryptocurrency regulation and make it a requirement for crypto exchanges and trading desks to enforce basic “know your customer,” anti-money laundering, and financial terrorism laws.
Chainalysis director of market development Don Spies said: “Believe these recommendations can go a long way to combating a problem that’s out of control.”
The report comes a week after the United States Justice Department created its own independent task force specifically to tackle ransomware.
The Irish multinational consulting and processing services company said that the acquisition would strengthen its security presence and capabilities in France and stimulate Accenture’s growth in Europe.
Openminded is a provider of advisory, cyber-defense, cloud & infrastructure security, and managed security services. The company was founded in 2008 and now has over 100 internal staff working in four business units.
In 2020, Openminded’s turnover was €19m. According to its website, the company has 120 active customers in the public and private sectors and 40 editor partners.
Customers of Openminded include Chanel, BNP Paribas, Sarnoff, Etam, La Banque Postal, Banque De France, Thales, AXA, and Accor Hotels.
Kelly Bissell, global leader of Accenture Security’s worldwide workforce of nearly 7,000 professionals, said that the resilience of today’s organizations was dependent on their approach to cybersecurity.
“With cyberattacks becoming more complex, constant and costly every day, companies must fully embed cybersecurity into the different layers of their organizations to ensure resilience,” said Bissell.
He added that the planned purchase of Openminded would help to protect the digital estates of Accenture’s clients going forward.
“The acquisition of Openminded supports our commitment to leveraging technology and human ingenuity to help clients be confident and secure in the face of constant change,” said Bissell.
“We look forward to welcoming Openminded’s team to Accenture and helping clients defend against cyber threats more effectively across their entire ecosystem—now and in the future.”
Hervé Rousseau, Openminded’s founder and CEO, said his company aimed to build a synergy with Accenture that would support the delivery of services worldwide.
“Joining forces with Accenture is a great opportunity for our teams and our clients,” said Rousseau. “The alliance of our talent and capabilities perfectly leverages our expertise and would allow us to deliver on a global scale.
“Today, the fight against cyberattacks requires the implementation of the most advanced technologies, as well as the human resources to make them efficient. This is the synergy we are going to build and put at the service of our clients.”
Financial terms of the deal have not been disclosed.
Law enforcement have arrested a nanny based in Boston on suspicion of sharing child sexual abuse material (CSAM) over the messaging app Kik.
An investigation was launched into 36-year-old Roxbury resident Stephanie Lak by the Boston Police Department Crimes Against Children Unit following the submission of a cyber-tip to the National Center for Missing and Exploited Children (NCMEC) on March 2.
Kik’s operator, MediaLab, notified NCMEC of an IP address that had been used to send at least eight files containing images of children aged five or younger being sexually abused.
Police traced the address back to Lak and obtained a search warrant for her home, which was executed on April 15. A laptop and three cellphones were seized by police as evidence from a boarding house on Woodville Street.
Lak was held on $5,000 bail after being arraigned on Wednesday on charges of possessing and distributing CSAM and was instructed by a judge to stay away from children.
District attorney Rachel Rollins said Lak had confessed to sharing more than 100 files depicting the sexual abuse of minors via Kik under the user name ‘sallydally69.’
Lak has worked in the childcare industry as a nanny and as a babysitter. Prosecutors said that she was active on the childcare services website Sittercity as recently as March 19.
Describing the threat Lak allegedly poses to children, prosecutor Nicole Poitier told the judge: “It’s clear she has access to children. She has a long history of being a nanny and a babysitter on that site as well as potential other sites and she has a sexual interest in children.”
In a statement, Sittercity said they had run four background checks on Lak before allowing her to advertise childcare services on their platform and none of them had found evidence of criminal activity. Lak’s Sittercity account was removed when the site’s operators learned of the police’s investigation into her digital communications.
Law enforcement are asking people who have had contact with Lak and think they may be able to identify alleged victims in this case to email [email protected].
The Northern Ireland government has announced a partnership with Immersive Labs and Capita, in which cybersecurity career opportunities will be provided to 16–25-year-olds living in the region.
The pilot initiative will offer free access to an enterprise-grade cyber-skills development platform for those who may not otherwise have access to relevant education courses. Initially, the aim is to upskill 1,000 individuals, who will subsequently have job opportunities in large organizations as incident responders, security architects, and security and vulnerability analysts.
The training will take place via the Immersive Labs gamified online platform, which security teams use to build skills in areas such as software development and incident response. Those selected for the program will be dropped into browser-based labs that portray a range of cyber-threat scenarios, helping them develop skills in areas including how attackers operate and Base64 encoding.
The collaboration is designed to boost employment opportunities in Northern Ireland, a country in the UK, as well as to help address the worrying cyber-skills gap. Last month, a UK government-sponsored report found that half of UK businesses reported cyber-skills gaps in 2020, while the Learning & Work Institute recently warned that the UK is heading toward a “catastrophic” digital skills shortage.
Commenting on the announcement, Northern Ireland economy minister Diane Dodds outlined: “Northern Ireland has a growing international reputation in cybersecurity and the industry has seen significant growth in recent years. Capita have teamed up with Immersive Labs to deliver this online skills development and access to job vacancies. We have been working closely with industry to promote the myriad of varied and rewarding careers within the cybersecurity area and we will ensure candidates who successfully complete training can apply for the relevant vacancies advertised on the platform.”
James Hadley, CEO of Immersive Labs, said: “It’s great to see the Northern Ireland Government taking such a proactive role in addressing the need for cyber-skills, as well as opening up careers to as broad a range of people as possible. Large organizations are not just held back by a shortage of cyber talent, but also a lack of diverse approaches to problems which benefit from a wide range of opinions and backgrounds.”
Recruitment for the scheme will begin in June, and will be open to 16–25-year-olds resident in Northern Ireland who have essential skills or GCSEs in math and English.
Earlier this year, Queen’s University Belfast, Northern Ireland, was recognized for its cybersecurity education program and work promoting cyber-skills in its local community.
The threat actors behind the notorious Emotet botnet managed to collect over four million victim email addresses over the past few years, it has emerged.
The news came from Troy Hunt, Microsoft regional director and founder of breach notification site HaveIBeenPwned.
The FBI recently reached out to Hunt to ask if the site could be used as an intermediary to help those concerned they may have been affected to check their emails against the trove.
“In all, 4,324,770 email addresses were provided which span a wide range of countries and domains,” Hunt explained in a new blog post.
“The addresses are actually sourced from two separate corpuses of data obtained by the agencies during the takedown: email credentials stored by Emotet for sending spam via victims' mail providers; and web credentials harvested from browsers that stored them to expedite subsequent logins.”
Hunt advised anyone who finds that their email address was in Emotet's possession to ensure their anti-malware is up to date and to change their email account password, as well as any passwords and security questions for accounts whose credentials might have been stored in their inbox or browser.
“For administrators with affected users, refer to the YARA rules released by DFN Cert, which include rules published by the German BKA,” he added.
Other security best practices also apply, including using two-factor authentication where possible, storing strong, unique passwords in a password manager, and promptly patching operating systems and software.
Emotet was finally disrupted back in January after action by the FBI and European police. Last Sunday, law enforcement delivered an update to the botnet designed to erase the malware from all infected machines globally.
However, with some of the group still at large, experts believe it’s only a matter of time before they come back with an improved version of the malware.
Scores of US hospitals are thought to have been affected by a security breach last week at a specialist provider of cancer-treatment equipment.
Swedish oncology and radiology system provider Elekta explained in a company update this week that a “data security incident” had affected its first-generation cloud-based storage system.
“Immediately upon learning of this incident, Elekta partnered with leading cyber experts and law enforcement to launch an investigation to understand what happened, mitigate any possible harm, and offer our customers a reliable solution that delivers on our commitment to ensure that cancer patients have access to precise and personalized radiotherapy treatments,” the statement continued.
“We recognize the impact this might have on customers and their patients and are working tirelessly to enable customers to continue providing secure patient care.”
It said only a subset of US customers were affected and that they had been fully briefed about the situation.
However, reports suggest the incident was a ransomware attack that forced the firm to take its cloud storage system offline to contain the breach.
HIPAA Journal claimed that one customer, Connecticut-based Yale New Haven Health, was forced to take its radiation equipment offline for over a week, with cancer patients transferred to other providers.
Other Elekta customers were luckier. Lifespan, which runs the Lifespan Cancer Institute and Rhode Island Hospital, reportedly claimed the incident only affected one afternoon of appointments.
A separate report claimed 42 hospitals and clinics were affected by the breach.
Saryu Nayyar, CEO of Gurucul, argued that organizations are only as secure as the weakest link in their supply chain.
“Malicious actors will look for any way in and will always take the easiest path. The best defense is a proactive offense,” she added.
“If your third-party vendors can’t maintain adequate security protocols then you will have to put in place proactive measures such as behavior-based security analytics, which can detect these sorts of unknown threats in real-time. Saving lives is of utmost priority.”