A Chinese hacking group’s reach may be bigger than we thought.
Welcome to Cyber Security Today. It’s Friday, January 12th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
The reach of a Chinese hacking group known for going after critical infrastructure in the United States may be more extensive than known so far. Researchers at SecurityScorecard say the network infrastructure of the group researchers call Volt Typhoon is communicating with government websites in the U.K., Australia and India as well as the U.S. Among the infrastructure it is apparently leveraging are particular models of unpatched routers from Cisco Systems. A patch for these devices was issued five years ago. And because these models are end-of-life there are no new updates for them. Network administrators have to watch for Cisco RV320 and RV325 devices. They should have been replaced a long time ago.
Threat actors are taking advantage of employees’ annual responsibilities, such as company satisfaction surveys, enrolling in benefit programs, 401k updates and salary adjustments, as lures to steal their credentials. That’s according to researchers at Cofense. The hackers know that companies often send staff email notifications about these things. So they are exploiting that by sending employees phishing emails with attachments or QR codes that appear to come from management or the HR department. The messages ask staff to log in to see the material. Staff need to be reminded to apply standard email security skepticism. For example, be wary of messages that start, “Dear employees.” Even if a message is personalized, check the email address of the sender to be sure it’s legitimate.
In November I told listeners that Fidelity National Financial, which provides title insurance and settlement services for the American mortgage and real estate sector, had suffered a data breach. This week it told a regulator it has now determined that data on approximately 1.3 million customers may have been copied by the attacker.
Someone at a Texas-based company that sells school security solutions left a database of sensitive student data sitting open on the internet without password protection. According to cybersecurity researcher Jeremiah Fowler, the database belonged to Raptor Technologies and was spread across three separate cloud storage buckets. It held information on students, teachers, parents and school safety plans. As soon as it was notified the company blocked public access to the database. It’s more evidence that corporate and IT managers aren’t closely training or supervising employees who create databases.
An American company called NASCO, which administers benefits for American health plans, has doubled its count of victims from last year’s hack of its MOVEit file transfer application. The company now says data of almost 1.7 million people was stolen in the hack. According to researchers at Emsisoft, so far 2,730 companies or government departments around the world have admitted data on over 94 million people was stolen from their MOVEit servers.
An Alabama law firm called Burr & Forman, which acts for a behavioral healthcare provider, is notifying almost 20,000 people that a hacker copied their personal data last fall. Data stolen included names, Social Security numbers, medical coding information with dates and descriptions, and insurance information.
The World Economic Forum released two cybersecurity forecasts based on surveys of experts. In one, misinformation and disinformation were listed as the top risk the world will face over the next two years. That ranked ahead of extreme weather events. The other report suggests the number of organizations that maintain minimum viable cyber resilience dropped 30 per cent compared to last year’s survey. The biggest drop came from small and medium-sized companies, while large companies showed gains in cyber resilience.
Palo Alto Networks has released a background report on the Medusa ransomware gang. Security teams and researchers may find useful information in it. The paper includes indicators of compromise defenders should be watching for.
Fortinet has released a security update to address a vulnerability in its FortiOS and FortiProxy software. A threat actor could exploit this vulnerability to take control of an affected system, so administrators should install the update.
And Cisco Systems has patched a critical vulnerability in the web-based management interface of its Unity Connection unified messaging platform. If the security update isn’t installed, an attacker could upload files to the Unity Connection server and then do serious damage from there.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.