Info Security
Homelife of Connecticut Residents Secretly Recorded
A man from Connecticut has been arrested on suspicion of using digital devices to record his neighbors.
Waterford resident Keith Hancock allegedly recorded 10 victims from outside their homes, two of whom were juveniles. Six of the individuals were filmed while undressing.
Hancock is also suspected of recording more victims while inside his home on Overlook Drive.
Cops arrested 53-year-old Hancock on Tuesday and charged him with eight counts of voyeurism and three counts of criminal trespass in the third degree.
According to an arrest affidavit for Hancock, the alleged voyeur admitted filming individuals in two residences without their knowledge or consent.
The investigation that led to Hancock's arrest began on October 07 2021 when the Waterford Police Department responded to a report of an intruder entering a male resident's backyard.
According to news source The Day, the resident became aware of the intruder's presence when he let his dog out into the yard and the animal started to bark. When the resident shone a flashlight into the yard, he was able to see an intruder running away.
The resident searched his backyard and found a pair of binoculars and a black Canon camcorder stashed behind a tree. A portable chair and two posts were discovered on the other side of the wall that separated the resident's property from his neighbor's.
Stored on the SD card inside the recovered camcorder was video footage of another home, focusing on an upstairs window.
Police traced the camcorder to Hancock and obtained a search warrant for his residence. Stored on a laptop seized in the search was video footage of a woman undressing. Another video showed a woman naked from the waist down and urinating into a toilet.
The bathroom in the video matched a bathroom shown in an online real estate listing of Hancock's house. When officers searched Hancock's bathroom, they found a hole in the base of a cabinet set opposite the toilet through which they believe the defendant filmed his victims.
Hancock was released on a $100,000 bond. He is scheduled to appear in court on February 23.
Pennsylvania Approves Ransomware Bill
Pennsylvania has approved new legislation barring state and local governments from using taxpayers’ money to pay ransoms to cyber-criminals.
Senate Bill 726, amending Title 18 (Crimes and Offenses) of the Pennsylvania Consolidated Statutes, was approved by the Pennsylvania Senate on Wednesday. The legislation has now advanced to the House of Representatives for further consideration.
The amendment defines ransomware and makes it illegal to possess, use, develop, sell or threaten to use the malware in Pennsylvania.
Penalties set for the newly imposed ransomware offenses vary depending on how much money is being exploited. While some violations are classed as first-degree misdemeanors, others have been designated a first-degree felony.
While prohibiting state and local governments from spending taxpayers’ dollars on cyber ransoms generally, the legislation allows this practice to go ahead should a declaration of disaster emergency be made and authorized by the governor.
Under the new legislation, state agencies, including the General Assembly, local government entities, school districts, state-related universities, community colleges and charter and cyber schools are required to notify the Office of Administration of ransomware attacks within an hour of discovery. Commonwealth agencies must report ransomware within two hours.
The Office of Administration is required to notify the FBI of ransomware attacks within 24 hours. In addition, the office must submit an annual report to the General Assembly on ransomware attacks.
The bill’s primary sponsor, senator Kristin Phillips-Hill, said: “We have seen an increase in ransomware attacks in governmental entities at all levels, as well as against critical infrastructure across the United States.
“We know that these attacks will grow as technology used by criminals becomes more sophisticated.”
She added: “This legislation draws a line in the sand to say that taxpayers will not pay the ransom requested by entities seeking to illegally extort cash from hard-working Pennsylvanians.”
On January 19, the Senate of Pennsylvania also approved legislation that would create a new Office of Information Technology and require cybersecurity best practices across state agencies.
The new office would manage and maintain IT procurement within state agencies and establish a strategic plan for future IT projects across state government.
Memorial Health System Confirms Data Breach
A cyber-attack on an Ohio-based health system may have exposed the protected health information (PHI) of 216,478 patients.
Memorial Health System was hit with ransomware in the early hours of August 15 2021. The incident forced the health system to suspend user access to all information technology applications related to its operations.
The disruption caused surgical cases and radiology exams to be canceled and placed Memorial Health System emergency departments on diversion.
Speaking at the time of the incident, Memorial Health System president and CEO Scott Cantley said: “Staff at our hospitals – Marietta Memorial, Selby and Sistersville General Hospital – are working with paper charts while systems are restored, and data recovered.”
A press statement, released three days after news of the ransomware attack broke, gave the impression that Memorial Health System had opted to pay its attackers.
“We have reached a negotiated solution and are beginning the process that will restore operations as quickly and as safely as possible,” said Cantley in the August 18 statement.
He added: “We are following a deliberate, systematic approach to bring systems back online securely and in a manner that prioritizes our ability to provide patient care.”
An investigation into the security incident determined that attackers had broken into the health system’s network on July 10 2021, then waited a month to deploy ransomware.
In September last year, Memorial Health System discovered that the patients’ data might have been accessed and exfiltrated in the incident. A review of what files the threat actors could have accessed was carried out.
By December 9 2021, it had become clear that patients’ names, addresses, Social Security numbers, medical/treatment information and health insurance information may have been viewed and stolen.
Memorial Health System began notifying impacted patients via letter on January 12 2022. Individuals affected by the data breach have been offered a complimentary 12-month membership to Kroll’s credit monitoring service.
Jennifer Offenberger, associate vice president of service excellence at Memorial Health System, said: “While the extensive investigation with the FBI and cybersecurity teams indicates no reason to suspect there has been any fraudulent use or public release of patient information associated with this incident, we are notifying patients whose information may have been accessible during the breach.”
(ISC)2 Appoints its First CISO
(ISC)2 has announced the appointment of Jon France, CISSP, as its first chief information security officer (CISO).
The non-profit association of certified cybersecurity professionals said France will lead all of its cybersecurity operations. This includes providing regular risk assessments and strategic insights to (ISC)2’s senior management and the board of directors and ensuring security is ingrained in all aspects of the organization’s strategy.
In addition, he will advocate best security practices for members around the world, publicly representing the body in this respect. He will report directly to (ISC)2 CEO Clar Rosso.
France’s new role follows more than 25 years of experience building and leading diverse technology and security teams. His primary focus has been on raising the resilience of the broader technology ecosystem and the information that flows through, protecting organizations and consumers.
Before his new post, France was head of industry security for GSMA, a global organization representing the mobile ecosystem. Here, he led GSMA’s fraud and security function and served on the company’s leadership team. He previously served as deputy IT director and business continuity manager LexisNexis.
Commenting on the appointment, Clar Rosso, CEO of (ISC)², said: “The role of CISO at (ISC)² is a unique one, and Jon provides us with the experience and passion to lead our security operations and serve as an advocate for our members around the world.
“Jon has a strong track record of managing multi-disciplinary international teams and delivering results, and he will help (ISC)² to continue our rapid growth and global expansion while ensuring security is always a primary consideration.”
Two-Fifths of Ransomware Victims Still Paying Up
Two-fifths (39%) of ransomware victims paid their extorters over the past three years, with the majority of these spending at least $100,000, according to new Anomali research.
The security vendor hired The Harris Poll to complete its Cyber Resiliency Survey – interviewing 800 security decision-makers in the US, Canada, the UK, Australia, Singapore, Hong Kong, India, New Zealand, the UAE, Mexico and Brazil.
Some 87% said their organization had been the victim of a successful attack resulting in damage, disruption, or a breach since 2019. However, 83% said they’d experienced more attacks since the start of the pandemic.
Over half (52%) were ransomware victims, with 39% paying up. Of these, 58% gave their attackers between $100,000 and $1m, while 7% handed over more than $1m.
This will have helped increase the total figure for cybercrime losses over the period. In 2019, just 15% of responding organizations reported losses of $500,000 or more, but this figure almost doubled to 28% by the following year. Figures for 2021 weren’t available.
Part of the challenge appears to be the inability of organizations to quickly detect and respond to any suspicious activity on their networks. Less than half (46%) said they strongly agree current solutions can evolve to detect new globally identified threats.
This is born out in response times: organizations take several days to detect known attacks from adversaries, including cybercrime organizations (3.6 days), individual hackers (3.5 days), APTs (3.3 days) and nation-states (2.9 days), the research claimed.
“We’ve known that cyberattacks have been increasing over the course of the pandemic, but we didn’t know to what degree global enterprises as a whole were being impacted,” said Anomali president Hugh Njemanze.
“This research reveals that adversaries have not only stepped up the number of attacks they have started launching since COVID-19 first struck the world, but have also greatly improved their success rates.”
It will remain frustrating for industry watchers that many organizations are still paying their extorters.
Research has revealed that even those who do so find their stolen data is leaked or monetized by their attackers in any case. A separate study claimed that paying might actually double the cost of recovery.
#COVID19 Phishing Emails Surge 500% on Omicron Concerns
The latest COVID-19 variant has led to a 521% increase in phishing attacks using the virus as a lure to trick users into clicking, according to Barracuda Networks.
Cyber-criminals often use newsworthy events in their social engineering attacks, and COVID-19 provided a bumper opportunity when it emerged in 2020.
The security vendor observed a 667% month-on-month surge in COVID-19 phishing emails from February to March that year. It recorded another significant increase when new vaccines were released at the start of 2021.
Now public concern over the highly transmissible Omicron variant is catching the eye of phishers.
Among the tactics used to trick users into clicking on malicious links and/or entering personal details are offers of counterfeit or unauthorized COVID-19 tests and protective equipment such as masks or gloves.
Some impersonate testing labs and providers, or even employees sharing their results, said Barracuda.
In other phishing emails, the user may receive a fake notification for an unpaid order of tests and is urged to provide their PayPal details to complete delivery of the kit, the vendor claimed.
Barracuda Networks CTO, Fleming Shi, said the answer lies in improving employee phishing awareness training and plugging in advanced email security.
“Capitalizing on the chaos of the pandemic is not a new trend in the world of cybercrime. Yet with constantly evolving tactics, and new trends to latch on to, it’s easy to see why scammers are not giving up on this trick,” he added.
“Just like the threat of COVID-19, pandemic-themed scams are not going to disappear overnight, but fortunately, there are a number of tactics that businesses and consumers can employ to ensure they remain protected.”
In related news, a Comparitech study this week claimed that unscrupulous healthcare workers are enabling a massive black market in COVID-19 digital vaccination certificates and passes.
The researchers found dark web adverts looking for any such workers who empathize with the anti-vaxxers buying these passes.
“When someone buys a fraudulent certificate, they must first sign up for their country’s respective COVID vaccination database. They send their name, PIN number and other necessary info to the vendor,” Comparitech explained.
“A doctor or other healthcare worker marks that person’s record with confirmed vaccination. The buyer’s QR code then becomes valid. It takes just a few hours for the process to complete once a purchase is made.”
Merck Wins $1.4bn NotPetya Payout from Insurer
Merck has won a long-running legal battle to force its insurer to cover the costs of damages caused by the NotPetya ‘ransomware’ attacks.
The pharma giant was one of many big-name multinationals hit by the destructive malware, disguised as ransomware by Russian attackers targeting Ukrainian organizations back in 2017, as they are again today.
However, the malware soon spread globally, causing potentially billions of dollars of damage.
Many companies, including Merck and confectionary giant Mondelez, found their insurer refusing to pay because of an exclusion in their policy for “acts of war.”
However, a New Jersey superior court judge has now ruled that the language therein implies armed conflict rather than the cyber kind.
Although Merck was claiming under an “all-risk” property insurance policy, both these and more specific cyber policies often contain such exclusions.
However, the ruling may not be beneficial to other policyholders in the long run, as insurers are in general becoming much more prescriptive about coverage for cyber-incidents.
Lloyds of London last November released a new set of clauses that broadened act of war exclusions to “cyber-operations between states which are not excluded by the definition of war, cyber-war or cyber-operations which have a major detrimental impact on a state.”
Peter Groucutt, co-founder of Databarracks, said the new clauses would favor insurers going forward.
“Attribution is another challenge because it is not always clear who was responsible for an attack. There is understandably a lot of deception in cyber-warfare, with attackers leaving misleading breadcrumbs pointing to different attackers or nations. These clauses allow the insurer to determine attribution if the government does not or ‘takes an unreasonable length of time to.’ That seems to be a dangerous case of checking one’s own homework,” he argued.
“There is another challenge of attribution in that cyber groups are often loosely affiliated with a government. It is not always clear if they are directly controlled by or sponsored by the government. Previously, that distinction would be more important. Again, these new clauses widen the net with ‘those acting on its behalf’ working as a catch-all for these kinds of relationships.”
Ultimately the “parameters for payout” are narrowing, shifting more emphasis onto organizations to improve baseline protections, Groucutt concluded.
Biden Signs Memo to Boost National Cybersecurity
United States President Joe Biden has signed a National Security Memorandum (NSM) requiring national security systems to implement network cybersecurity measures that are at least as good as those required of federal civilian networks.
The requirements for federal civilian networks were laid out in Biden’s Executive Order 14028 (EO 14028) issued May 12 2021. The new memo, signed Wednesday, specifies how the provisions of EO 14028 apply to national security systems.
The NSM establishes timelines and guidance for how cybersecurity requirements, including multi-factor authentication, encryption, cloud technologies and endpoint detection services, will be implemented.
It also requires agencies to identify their national security systems and report cyber incidents that occur on them to the National Security Agency (NSA).
Commenting on this particular requirement of the NSM, Mark Manglicmot, vice president of security services at Arctic Wolf, said: “To defend something, you need to have an asset inventory to know what your most critical systems and data are. This directive mandates this best practice.”
The NSM further authorizes the NSA to create Binding Operational Directives that require agencies to take specific actions against known or suspected cyber-threats and vulnerabilities. In addition, it requires the NSA and the Department of Homeland Security to share BODs and “learn from each other to determine if any of the requirements from one agency’s directive should be adopted by the other.”
Under the new memo, agencies are required to secure tools known as cross-domain solutions that transfer data between classified and unclassified systems.
In a statement released Wednesday, the White House said: Modernizing our cybersecurity defenses and protecting all federal networks is a priority for the Biden Administration, and this National Security Memorandum raises the bar for the cybersecurity of our most sensitive systems.”
James McQuiggan, security awareness advocate at KnowBe4, noted that the memo omitted any requirements around cybersecurity education or creating a security culture among users.
He said: “When users can spot social engineering attacks, have the necessary training to work in Network or Security Operations Centers and understand the importance of developing secure code, it can strengthen the resiliency of the organization or government systems and significantly reduce the risk of a cyber-attack.”
11:11 Systems Acquires iland
Managed infrastructure solutions company, 11:11 Systems, has acquired Texas-based cloud services provider, iland.
The completion of the acquisition was announced on Thursday. The terms of the deal were not disclosed.
Headquartered in Houston with regional offices in London and Sydney, iland delivers cloud services including Disaster-Recovery-as-a-Service (DRaaS), Infrastructure-as-a-Service (IaaS) and Backup-as-a-Service (BaaS) from its cloud regions throughout North America, Europe, Australia and Asia.
11:11 Systems said it intends to leverage iland’s award-winning Secure Cloud Console, which natively combines deep layered security, predictive analytics and compliance to deliver visibility and easy management for iland’s cloud services.
The deal follows 11:11 Systems’ recent acquisition of Green Cloud Defense, a channel-only, cloud Infrastructure-as-a-Service (IaaS) provider.
“By adding iland’s steady 25% YOY momentum to 11:11 Systems’ expanding national network of MSPs, VARs and IT consultants, a hyper-growth pathway has been created,” said 11:11 Systems in a statement.
Brett Diamond, CEO of 11:11 Systems, said his company’s recent acquisitions were motivated by making cybersecurity more straightforward for its customers.
“CIOs and IT leaders are being pushed to address increasing numbers of security threats, application vulnerabilities and network weaknesses that can leave organizations exposed to data breaches; at the same time, they are tasked with laying the right foundation within their infrastructure to embrace hybrid cloud, navigate sophisticated application requirements, artificial intelligence and more while data and devices continue to multiply exponentially,” said Diamond.
He added: “11:11 Systems is focused on significantly simplifying our customers’ approach to cloud, security and connectivity to drive greater security, innovation, and responsiveness and adding iland and Green Cloud as core ingredient platforms substantively advances this mission.”
For iland, the deal brings an opportunity for expansion and innovation, according to the company’s CTO, Justin Giardina.
“Joining 11:11 Systems, which now includes Green Cloud, will open up the doors of innovation even wider with new opportunities to expand services across the iland platform, which will further enhance our customers’ ability to manage and monitor their hybrid environments,” said Giardina.
Third Firmware Bootkit Discovered
Cybersecurity researchers at Kaspersky have discovered a third known case of a firmware bootkit in the wild.
The kit, which made its first appearance in the wild in the spring of 2021, has been named MoonBounce. Researchers are confident that the campaign is the work of well-known Chinese-speaking advanced persistent threat (APT) actor APT41.
MoonBounce demonstrates a more complicated attack flow and greater technical sophistication than previously discovered bootkits LoJax and MosaicRegressor.
The malicious implant was found hiding inside the CORE_DXE component of the Unified Extensible Firmware Interface (UEFI) firmware. UEFI firmware is critical because its code is responsible for booting up a device and passing control to the software that loads the operating system (OS).
Once MoonBounce’s components have made their way into the operating system, they reach out to a command & control server to retrieve further malicious payloads, which Kaspersky researchers could not retrieve.
The code to boot the device is stored in a non-volatile component external to the hard drive called the Serial Peripheral Interface (SPI) flash.
Researchers said that Bootkits of this kind are extremely hard to detect because the code they target is located outside of the device’s hard drive in an area that most security solutions do not scan as standard.
Firmware bootkits are also difficult to delete. They can’t be removed simply by reformatting a hard drive or reinstalling an OS because the code is launched before the operating system.
“The infection chain itself does not leave any traces on the hard drive, since its components operate in memory only, thus facilitating a fileless attack with a small footprint,” noted researchers.
While investigating MoonBounce, researchers appeared to detect a link between the bootkit and Microcin malware used by the SixLittleMonkeys threat actor.
“While we can’t definitely connect the additional malware implants found during our research to MoonBounce specifically, it does appear as if some Chinese-speaking threat actors are sharing tools with one another to aid in their various campaigns; there especially seems to be a low confidence connection between MoonBounce and Microcin,” said Denis Legezo, senior security researcher with GReAT (Kaspersky’s Global Research and Analysis Team).
Applications Open for Next NCSC for Startups Cohort
Applications have opened for the latest NCSC for Startups program, which is focusing on companies developing products to protect SMEs from ransomware.
The program, designed to help the growth and development of the UK’s most promising cybersecurity startup firms, was launched last June. It is run by the National Cyber Security Centre (NCSC) and Plexal, and is a successor to the successful NCSC Cyber Accelerator program.
The first companies to participate in this new program were announced in August.
For its next cohort, NCSC for Startups is inviting applications from startups creating products designed to protect SMEs from surging ransomware attacks. Specifically, these are companies that:
- Can defend SMEs from ransomware by providing accessible, low-cost protection
- Encourage firms to implement secure backups to minimize the impact of an attack
- Address risks posed by remote desktop protocol (RDP) as more businesses and individuals implement home and remote working
Cyber-criminals have dramatically increased their targeting of SMEs during the pandemic, with many of these businesses having to undertake rapid digital transformation projects. Yet many of these firms do not have the necessary cybersecurity skills or tools to protect themselves.
Successful applicants will receive continuous onboarding for 12 months, working with leading cybersecurity experts to develop, adapt and test their products.
Chris Ensor, deputy director for cyber growth at the NCSC, commented: “Ransomware presents the most serious cyber security threat to the UK, and it is vital that organizations protect themselves.
“Our latest NCSC for Startups challenge provides a great opportunity for innovative companies to collaborate with us in the fight against ransomware and strengthen the UK’s defenses.”
Saj Huq, director of innovation at Plexal, said: “Ransomware doesn’t just affect large, established companies: there is a growing risk to SMEs that make up the backbone of our economy, and anyone who lives and works online are potential victims.
“This is a unique and game-changing opportunity for startups to work on the biggest cyber-threat around alongside experts from the NCSC and industry who are working day in, day out, to keep the UK safe – and I hope they respond to this call with a sense of urgency and mission.”
Interested companies can submit their applications at: https://www.ncsc.gov.uk/section/ncsc-for-startups/join-the-ncsc-for-start-ups.
The NCSC for Startups program forms part of the UK’s National Cyber Strategy, unveiled in December.
Twitter Mentions More Effective Than CVSS at Reducing Exploitability
Monitoring Twitter mentions of vulnerabilities may be twice as effective as CVSS scores at helping organizations prioritize which bugs to patch first, according to new research.
Kenna Security’s latest report, Prioritization to Prediction, Volume 8: Measuring and Minimizing Exploitability, was compiled with help from the Cyentia Institute.
It confirmed what many security experts have been saying for some time: the sheer volume of CVEs discovered today means organizations must get better at prioritizing which vulnerabilities to fix.
Although an average of 55 bugs were discovered every day in 2021, the good news is that only 4% posed a high risk to organizations, according to the research. It went further, claiming that 62% of the vulnerabilities studied had a less than a 1% chance of exploitation, while only 5% exceeded a 10% probability.
To arrive at its findings, Kenna Security used an industry-devised Exploit Prediction Scoring System (EPSS), which uses CVE information and real-world exploit data to predict “whether and when” vulnerabilities will be exploited in the wild.
Not all vulnerability management strategies are created equal, argued Kenna Security co-founder and CTO, Ed Bellis.
“Prioritizing vulnerabilities with exploit code is 11 times more effective than CVSS scores in minimizing exploitability. Mentions on Twitter, surprisingly, also have a much better signal-to-noise ratio than CVSS (about two times better),” he wrote.
“We also learned that, given the choice, it’s far more effective to improve vulnerability prioritization than increase remediation capacity … but doing both can achieve a 29-times reduction in exploitability.”
Bellis concluded that prioritizing bugs via exploitability rather than technical CVSS scores is “the strategy of the future” and one that US government security experts appear to be taking.
“The data shows that taking this more measured approach of prioritizing exploitability over CVSS scores is the way to go and the recent Cybersecurity and Infrastructure Security Agency (CISA) directive agrees,” he argued.
Eleven Arrested in Bust of Prolific Nigerian BEC Gang
Nigerian police have arrested 11 more suspected members of a prolific business email compromise (BEC) gang that may have targeted hundreds of thousands of organizations.
Interpol coordinated Operation Falcon II with the Nigerian Police Force (NPF) over 10 days in December 2021, having sought input from other police forces across the globe investigating BEC attacks via its I-24/7 communications network.
Those arrested are thought to be part of the Silver Terrier (aka TMT) group. One individual had the domain credentials of 800,000 potential victims on his laptop, while another was monitoring online conversations between 16 companies and their clients and diverting funds to TMT, Interpol claimed.
A third is suspected of BEC attacks across West Africa, including Nigeria, Gambia and Ghana.
Any intelligence and evidence gleaned from the operation will be fed into Interpol’s Global Financial Crime Taskforce (IGFCTF) to help prevent further fraud.
“Operation Falcon II sends a clear message that cybercrime will have serious repercussions for those involved in business email compromise fraud, particularly as we continue our onslaught against the threat actors, identifying and analyzing every cyber trace they leave,” said Interpol director of cybercrime, Craig Jones.
“Interpol is closing ranks on gangs like SilverTerrier. As investigations continue to unfold, we are building a very clear picture of how such groups function and corrupt for financial gain. Thanks to Operation Falcon II we know where and whom to target next.”
The first iteration of this anti-BEC campaign was run in 2020 and resulted in the arrest of three TMT suspects. The gang was thought to have compromised as many as 500,000 victim organizations by that time, according to Group-IB, which was involved in both operations.
“Group-IB’s APAC Cyber Investigations Team has contributed to the current operation by sharing information on the threat actors, having identified the attackers’ infrastructure, collected their digital traces and assembled data on their identities,” it explained in a statement.
“Group-IB has also expanded the investigation’s evidence base by reverse-engineering the samples of malware used by the cyber-criminals and conducting the digital forensics analysis of the files contained on the devices seized from the suspects.”
Red Cross: Supply Chain Data Breach Hit 500K People
The International Committee of the Red Cross (ICRC) has revealed a major data breach that compromised the personal details of over 515,000 “highly vulnerable” victims.
It was stolen from a Swiss contractor that stores the data on behalf of the global humanitarian organization headquartered in Geneva.
The ICRC claimed it originated from at least 60 Red Cross and Red Crescent National Societies worldwide.
Some of the most vulnerable members of society are affected, including individuals separated from their families due to conflict, migration and disaster, missing persons and their families and people in detention, it added.
“An attack on the data of people who are missing makes the anguish and suffering for families even more difficult to endure. We are all appalled and perplexed that this humanitarian information would be targeted and compromised,” said Robert Mardini, the ICRC’s director-general.
“This cyber-attack puts vulnerable people, those already in need of humanitarian services, at further risk.”
There’s no indication the information has been shared publicly yet, but that’s no guarantee it won’t be in the future. That’s why Mardini pleaded with the threat actors not to leak or sell the spoils of its attack.
“Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering,” he said.
“The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”
Given financially motivated cyber-criminals have targeted hospitals with ransomware in the past, there’s certainly no guarantee that Mardini’s words will be heard. Nor is it clear whether it was a criminal rather than a state-sponsored attack.
As a result of the attack, the ICRC said it had been forced to shut down its Restoring Family Links service, which it claims reunites 12 missing people on average with their families every day.
Researchers Hack Olympic Games App
Cybersecurity researchers in Canada have found a “devastating flaw” in the MY2022 app, designed for use by attendees of this year’s Winter Olympic Games in Beijing.
The vulnerability was discovered by the Citizen Lab – an academic research laboratory based at the Munk School of Global Affairs at the University of Toronto.
In findings published Tuesday, researchers said that the flaw allows encryption that protects users’ voice audio and file transfers to be “trivially sidestepped.”
Researchers warned: “Health customs forms which transmit passport details, demographic information and medical and travel history are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users.”
The Citizen Lab reported its findings to the app’s vendor but did not respond.
“While the vendor did not respond to our security disclosure, we find that the app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s own laws and national standards pertaining to privacy protection, providing potential avenues for future redress,” stated researchers.
The German Olympic Sports Confederation (DOSB) said that downloading the app has been mandated for travelers seeking entry to the People’s Republic of China to attend the 2022 Winter Olympic Games.
“Without My 2022 there is no immigration into China according to the Beijing playbooks,” said the DSOB.
The confederation shared some cybersecurity advice it had received from the German Federal Institute of Information Security (BSI) regarding the MY2022 app.
“Our athletes are being equipped with a smartphone from IOC partner Samsung in Beijing. BSI recommends using MY2022 on these devices in China and deinstalling it at home,” it said.
The International Olympic Committee (IOC) stated that MY2022 users could configure the app to disable access to features including files, media, calendar, camera, contacts, microphone and location data.
Many countries have planned a diplomatic boycott of the Beijing Olympics over China’s record of human rights violations, including the systemic abuse of the Uyghur and other minority ethnic communities.
Boycotts have been planned by the UK, United States, Lithuania, New Zealand, Scotland, Australia, Canada, Latvia, Estonia, Belgium, Austria, Japan, Netherlands, Denmark and Sweden.
Ransomware Attack on Moncler
Cyber-criminals have stolen data from Italian luxury fashion brand Moncler and published it on the dark web.
The maker of down jackets confirmed Tuesday that it had suffered a data breach after being attacked by the AlphV/BlackCat ransomware operation in December.
Attackers hit Moncler in the final week of 2021, causing a temporary outage of its IT services which delayed shipments of goods ordered online.
Some data stolen in the incident was published online on Tuesday after Moncler refused to pay a ransom to its attackers.
Data compromised in the security incident relates to Moncler employees, former employees, suppliers, consultants, business partners and some customers registered on the company’s website.
Moncler said in a statement: "While the investigation related to the attack is still ongoing, Moncler confirms that the stolen information refers to its employees and former employees, some suppliers, consultants and business partners, as well as customers registered in its database.
“With regard to information linked to customers, the company informs that no data relating to credit cards or other means of payment have been exfiltrated, as the company does not store such data on its systems.”
The fashion brand said that the brief interruption to the logistical side of its operation had not put a major dent in its profits.
“Data breaches are part of the web attack lifecycle and continue to fuel Account Takeover (ATO) and credential stuffing attacks. Therefore, we need to protect the apps that power our daily lives by disrupting the web attack lifecycle,” commented Kim DeCarlis, CMO at cybersecurity company PerimeterX.
They added: “This includes stopping the theft, validation and fraudulent use of account and identity information everywhere along the digital journey.”
Trevor Morgan, product manager with data security specialists comforte AG, said that data-dependent businesses need to assume that they are a target for cyber-criminals.
“Squirreling sensitive data away behind protected perimeters won’t cut it anymore as a defensive measure,” said Morgan.
He added: “Only robust data-centric security, such as tokenization or format-preserving encryption applied directly to sensitive data elements, can help mitigate the situation if the wrong hands get ahold of your data.”
US Organizations Urged to Improve Cybersecurity
The United States’ Cybersecurity and Infrastructure Security Agency (CISA) is urging every organization in the US to implement cybersecurity measures.
Insights issued Tuesday by the cyber defense agency warned that cyber-threats could disrupt essential services and potentially impact public safety.
“Over the past year, cyber-incidents have impacted many companies, non-profits and other organizations, large and small, across multiple sectors of the economy,” said CISA.
“Most recently, public and private entities in Ukraine have suffered a series of malicious cyber-incidents, including website defacement and private-sector reports of potentially destructive malware on their systems that could result in severe harm to critical functions.”
The agency emphasized that past deployments of similar malware, such as NotPetya and WannaCry ransomware, had caused significant, widespread damage to critical infrastructure.
Organizations of all sizes were urged by CISA to “take urgent, near-term steps to reduce the likelihood and impact of a potentially damaging compromise.”
Actions advised by the agency include ensuring that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication and ensuring that software is up to date.
Organizations should also confirm that all ports and protocols not essential for business purposes have been disabled and test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyber-attack.
For US organizations working with other organizations in Ukraine, particular caution was urged.
CISA said: “If working with Ukrainian organizations, take extra care to monitor, inspect and isolate traffic from those organizations; closely review access controls for that traffic.”
Tom Kellermann, head of cybersecurity strategy at VMware, said that the importance of patching software with known exploited vulnerabilities could not be understated to reduce the risk of ransomware.
“We must remember that modern ransomware leaves a RAT behind and secondary infections will metastasize,” warned Kellerman.
Kellerman believes that cyber-criminals will increasingly deploy ransomware for reasons other than financial gain.
“Ransomware attacks that aim to cripple systems, rather than receive payment, will increase due to geopolitical tension,” he predicted.
UK Proposes New Laws to Strengthen National Cyber-Resiliency
The UK is planning new laws to strengthen the county’s cyber-resilience in response to surging critical infrastructure and supply chain attacks.
The proposals were published by Department for Digital, Culture, Media and Sport (DCMS) today, who stated that new measures are required to drive up security standards in IT services used by almost all UK businesses.
This involves amending and widening the Network and Information Systems (NIS) Regulations 2018, which places cybersecurity obligations on companies that provide essential services such as water, energy, transport, healthcare and digital infrastructure. This includes requirements to undertake risk assessments, put in place reasonable security measures to protect their network and report significant events. Failure to comply can result in fines of up to £17m.
The government now wants to include managed service providers (MSPs) within the scope of this legislation. This is because MSPs have privileged access to their client’s networks and systems, potentially enabling attackers to attack a wide range of organizations through a single breach.
The government also wants to amend the NIS regulations to force large companies to provide better cyber-incident reporting to regulators like Ofcom, Ofgem and the ICO. This includes a requirement to inform these bodies of all cyber-attacks they are hit with, not just those impacting their services. In addition, the government plans to give itself the power to update the NIS regulations in the future without introducing new legislation.
Minister of State for Media, Data, and Digital Infrastructure, Julia Lopez, commented: “Cyber-attacks are often made possible because criminals and hostile states cynically exploit vulnerabilities in businesses’ digital supply chains and outsourced IT services that could be fixed or patched.
“The plans we are announcing today will help protect essential services and our wider economy from cyber-threats. Every UK organization must take its cyber-resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra.”
Another aspect of the DCMS’ plans is to give more powers to the UK Cyber Security Council, which began work as an independent body last year. Under the proposals, the council, which works to boost professional standards and career prospects for cybersecurity professionals, will be able to define and recognize cyber job titles and link them to existing qualifications and certifications.
This means people would have to meet competency standards set by the council before using a specific job title in cybersecurity. This will help employers identify the specific cyber skills they need in their organizations and develop clearer career pathways for those operating in the sector. As part of this initiative, a Register of Practitioners will be created to show the cyber professionals recognized as ethical, suitably qualified or senior. This is similar to registers that exist in the medical and legal professions.
Simon Hepburn, the CEO of the UK Cyber Security Council, said: “The UK Cyber Security Council is delighted that these proposals recognize our cyber workforce lead role that will help to define and recognize cyber job roles and map them to existing certifications and qualifications.
“We look forward to being involved in and contributing to this important government consultation and would encourage all key stakeholders to participate too.”
The DCMS is now inviting stakeholders to respond to these proposals, with a deadline of April 10 2022 regarding the planned legislation to improve the UK’s cyber-resilience, and March 20 2022 for the plans to embed standards and pathways across the cyber profession.
The strategy forms part of the UK government’s National Cyber Strategy, which was published at the end of last year.
McAfee Enterprise and FireEye Relaunches as Trellix
McAfee Enterprise and FireEye have relaunched as a new company called Trellix, its parent firm Symphony Technology Group (STG) has announced.
McAfee Enterprise and FireEye merged in October 2021 following STG’s acquisition of McAfee Enterprise earlier in the year.
The name Trellix has been chosen for the relaunch as it evokes the structure of a trellis, a strong and safe framework used to support the structured growth of climbing plants and trees.
The company aims to offer customers ‘living security,’ the concept of technologies that can learn and adapt to counter evolving cyber-threats. Trellix’s XDR platform provides over six hundred native and open security technologies, designed to provide security analysts with the insights to respond quickly to threats.
William Chisholm, managing partner at STG, commented: “We are incredibly excited to have Trellix in the STG portfolio. Customers can expect Trellix’s living security platform to deliver bold innovation across the XDR market.”
Bryan Palma, chief executive officer of Trellix, said: “As today’s organizations push to achieve digital transformation, a strong security foundation is required to ensure continued innovation, growth and resiliency.
“Trellix’s XDR platform protects our customers as we bring security to life with automation, machine learning, extensible architecture and threat intelligence.”
STG added that it expects to launch the McAfee Enterprise Secure Service Edge (SSE) portfolio as a separate business later this quarter, inclusive of cloud access security broker (CASB), secure web gateway (SWG) and zero trust network access (ZTNA).
In November 2021, a deal was agreed for the purchase of the rest of the McAfee business by a group of private investors.
Man Charged with Smuggling Tech Exports to Iran
A US citizen has been charged with violating sanctions by exporting IT goods and services to Iran.
Kambiz Attar Kashani, 44, who also holds Iranian citizenship, was arrested last Friday and charged with conspiring to illegally export to the Central Bank of Iran (CBI).
He allegedly acted as principal for two United Arab Emirates (UAE) companies, set up to procure the technology from US companies from around February 2019 to June 2021. Kashani and his co-conspirators are said to have lied about the final destination of these exports, claiming they would be used by the UAE firms.
The technology in question included several fixed attenuators, common electrical components found in radio frequency (RF) products. Also “exported” were subscriptions to open-source operating systems, several network storage systems and six power supplies.
A license was also purchased from a US company that produces software allowing large organizations to “develop and deploy proprietary, internal-use applications to their employees,” according to court documents.
Kashani is being charged with violating the International Emergency Economic Powers Act (IEEPA). The US Treasury’s powerful Office of Foreign Assets Control (OFAC) previously classified CBI as a Specially Designated National (SDN), indicating that the bank is acting for or on behalf of terrorist organizations.
That’s because of its support for Lebanese Hizballah and the Qods Force of Iran’s Islamic Revolutionary Guards Corps (IRGC).
Kashani is charged with one count of conspiracy to unlawfully export goods to Iran, which carries a maximum jail term of 20 years and a $1m fine.
“Technology illegally transferred to Iran from the United States could be used by terrorists, which is why the FBI and its partners devote significant resources to these investigations,” said assistant director Alan Kohler Jr. of the FBI’s Counterintelligence Division.
“Those doing the bidding for Iran in the United States should expect the full force of our law enforcement and intelligence community partners.