More lessons from the Russia-Ukraine cyber war, a US medical lab fined after theft of old data, and more.
Welcome to Cyber Security Today. It’s Monday, February 27th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
The first anniversary of the Russian invasion of Ukraine has spawned a lot of analysis of the cyber side of the war. One, from researchers at Florida-based ReliaQuest, caught my eye. It has two conclusions about cyberattacks on businesses that information security pros should think about. First, some cybercrime groups are keeping their allegiance to Russia quiet. This is because after the Conti ransomware group said it was on the side of Russia, a Ukrainian security researcher leaked its internal communications in retaliation. As a result the gang's operations were impaired, and it has allegedly disbanded. Other cybercrooks that support Russia learned the lesson: they keep quiet about that support. The conclusion: criminals are no longer focused on just chasing your firm's money when they choose targets. Second, hacktivists aligned with Russia represent one of the biggest cyber threats to most businesses, the report says. These are groups launching distributed denial of service attacks. Both conclusions complicate things for security teams trying to attribute where attacks come from. My advice: attribution is less important than a multi-layered defence. Crooks may have chosen your firm because it has revenue. Or because your government supports Ukraine.
An unknown threat actor is using the Discord messaging platform to host ransomware and malware sent to unsuspecting victims. According to researchers at Menlo Security, many of the targets are government departments in North America and the Asia Pacific region. A typical attack starts with an email inviting a victim to click on a link to an app on Discord. The link actually goes to a malicious password-protected zip file hosted on Discord's content delivery network. Because the archive is encrypted, email and web gateways cannot inspect its contents; when the victim opens it with the supplied password, the malware inside runs. Lesson: employees must regularly be reminded not to trust links in messages, especially if they're the 'Hey, try this' variety.
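Two things a mail or endpoint team can check for without opening the archive are where the link points and whether the zip entries carry the encryption flag. The script below is an added example written for this item; it is not Menlo Security's code and it does not reproduce any real sample. It pulls Discord CDN attachment links to archive files out of a message body, and it reads a zip file's central directory to list entries whose general-purpose flag marks them as password-protected, without extracting anything. The message text and the zip bytes are constructed here for the demonstration; the zip builder only sets the flag bit the way a password-protected archive does, it does not really encipher the payload.

```python
import re
import struct
import zlib

# Discord CDN attachment links look like
# https://cdn.discordapp.com/attachments/<channel id>/<message id>/<filename>
DISCORD_ATTACHMENT = re.compile(
    r"https?://(?:cdn\.discordapp\.com|media\.discordapp\.net)"
    r"/attachments/\d+/\d+/[^\s\"'<>]+",
    re.IGNORECASE,
)
# Archive/container extensions commonly used to smuggle executables past filters
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".img")

# Zip format constants (PKWARE APPNOTE): signatures and the encryption flag bit
LOCAL_SIG = b"PK\x03\x04"
CDH_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001


def suspicious_discord_links(text):
    """Return Discord CDN attachment URLs in a message that point at archive files."""
    hits = []
    for match in DISCORD_ATTACHMENT.finditer(text):
        url = match.group(0)
        path = url.split("?", 1)[0].lower()  # ignore query strings such as ?ex=...
        if path.endswith(ARCHIVE_EXT):
            hits.append(url)
    return hits


def encrypted_entries(zip_bytes):
    """Names of zip entries whose general-purpose flag has the encryption bit set.

    Reads only the end-of-central-directory record and the central directory,
    so nothing is decompressed or written to disk.
    """
    eocd = zip_bytes.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: total entry count at +10, central directory size at +12, offset at +16
    entries, _cd_size, cd_offset = struct.unpack_from("<HII", zip_bytes, eocd + 10)
    names = []
    pos = cd_offset
    for _ in range(entries):
        if zip_bytes[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory header")
        flags, = struct.unpack_from("<H", zip_bytes, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", zip_bytes, pos + 28)
        name = zip_bytes[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if flags & FLAG_ENCRYPTED:
            names.append(name)
        pos += 46 + name_len + extra_len + comment_len  # fixed header is 46 bytes
    return names


def build_zip(name, data, encrypted):
    """Constructed test data: a minimal single-entry, stored (uncompressed) zip.

    With encrypted=True only the flag bit is set; the payload is left in clear,
    which is all the flag-based check above needs to exercise.
    """
    flags = FLAG_ENCRYPTED if encrypted else 0
    name_b = name.encode()
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack("<4sHHHHHIIIHH", LOCAL_SIG, 20, flags, 0, 0, 0,
                        crc, len(data), len(data), len(name_b), 0) + name_b + data
    central = struct.pack("<4sHHHHHHIIIHHHHHII", CDH_SIG, 20, 20, flags, 0, 0, 0,
                          crc, len(data), len(data), len(name_b), 0, 0, 0, 0,
                          0, 0) + name_b  # local header offset is 0
    eocd = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


if __name__ == "__main__":
    # Constructed lure text, not a real phishing email.
    lure = ("Hey, try this new app: "
            "https://cdn.discordapp.com/attachments/111/222/AppInstaller.zip?ex=abc "
            "password is 1234")
    print("archive links:", suspicious_discord_links(lure))
    sample = build_zip("AppInstaller.exe", b"MZ\x90\x00constructed", encrypted=True)
    print("password-protected entries:", encrypted_entries(sample))
```

A gateway that sees both signals, an archive link on a chat platform's CDN and an encrypted entry the scanner cannot open, has good reason to quarantine the message rather than wave it through because the content scan came back clean.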
In January, IBM issued a patch to close a serious vulnerability in its Aspera Faspex file transfer tool. The hole is serious enough that the U.S. Cybersecurity and Infrastructure Security Agency has added the bug to its Known Exploited Vulnerabilities catalog, the list of flaws being actively exploited by threat actors. U.S. civilian government departments have until March 14th to install the patch. If your IT department uses this utility and hasn't installed the update yet, do it fast.
By the way, also added to the Known Exploited Vulnerabilities catalog are two vulnerabilities in Mitel's MiVoice communications platform.
An American lab that does DNA testing has agreed to pay US$200,000 to two U.S. states as a result of a data breach in 2021. The lab, DNA Diagnostics Center, failed to use reasonable data security measures to protect sensitive personal information, the attorneys general of Ohio and Pennsylvania said. A hacker was able to copy and exfiltrate 28 databases. The thing is, those databases, which included patients' Social Security numbers, dated back to a 2012 acquisition of a competitor. The lab didn't realize it still had them, so they were never inventoried or protected. Lesson: you can't secure your organization if you don't know where all your data is. Nor can you prevent it from being fined for the theft of data you don't know you have.
News Corp., which owns Fox News, the Wall Street Journal and other media outlets, has admitted that a data breach it disclosed last year began as far back as February 2020, two years before it was discovered. The Bleeping Computer news site says attackers got names, dates of birth, Social Security numbers, driver's licence numbers, passport numbers, and financial and medical information on some employees. The attackers also accessed email and document storage systems. The suspicion is that the attacker is affiliated with China and the goal was spying.
Scammers continue getting away with placing deceptive ads with links in search engine results. These ads fool unsuspecting victims into giving away personal or financial information. One of the latest victims is journalist and author Cory Doctorow. He admitted on Twitter that he was recently fooled by what he thought was a search engine link to his favourite Los Angeles-area takeout restaurant. He ordered a meal on the fake site, which relayed the order to the real restaurant but secretly added 15 per cent to the tab. Luckily the restaurant spotted something wrong and cancelled the order. But there are two questions: first, why can't search engines do a better job of detecting fake ads, and second, how did a credit card company get fooled? For those who don't know, an ad on a search engine looks like a description and link to a legitimate website. But if you look closely the word 'ad' or 'sponsored' will appear beside the company's name. When people search for a product, relevant ads appear at the top of the results, above the real listing. You've got to think carefully before you click on them.
Finally, can you trust the privacy descriptions developers write about their apps in Google's Play Store? Maybe not, say researchers at Mozilla. They looked at 40 popular free and paid apps to see if their data collection practices align with what was disclosed on Google's Data Safety forms. Those are the descriptions people who use the Play Store see. There were significant discrepancies between the apps' own privacy policies and what shows on the Play Store, the report says. This is similar to a finding about apps in Apple's App Store that the Washington Post reported in 2021. Lesson: no app store platform is responsible for what app developers write about their products. In fact, if you look closely, Google and Apple say exactly that. Mozilla suggests platforms that distribute apps require developers to follow a standard disclosure form, just as companies that make packaged food have to put a Nutrition Facts label on their products.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.