SolarWinds demands fraud allegation be dropped, a Canadian sentenced for ransomware attacks, and more.
Welcome to Cyber Security Today. It’s Monday, January 29th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
 |
 |
 |
SolarWinds is going to court to fight the U.S. Securities and Exchange Commission’s allegations that the company and its chief information security officer defrauded investors by overstating its cybersecurity practices. The allegation relates to the lead up to the 2020 revelation of the compromise of the SolarWinds Orion software update mechanism. Security observers were stunned to learn a Russian-based threat group was able to insert a malware-filled application update into the mechanism that some organizations downloaded. Last week, Bloomberg Law says, SolarWinds asked a court to dismiss the SEC charges, saying they are unfounded. “The SEC is trying to unfairly move the goalposts for what companies must disclose about their cybersecurity programs.” “The case is fundamentally flawed,” SolarWinds says, “and should be dismissed in its entirety.”
A Canadian man has been sentenced by an Ottawa judge to two years in prison for his role in cyber attacks including ransomware. The CBC said Matthew Philbert received that sentence Friday after pleading guilty to criminal charges of running attacks. They started with phishing messages. There were over 1,100 victims of various attacks. According to the Ottawa Citizen, his targets included three police departments.
The Medusa ransomware gang has claimed responsibility for attacking Kansas City’s transportation authority last week. That’s according to the news site Security Affairs. It says the gang has published samples of allegedly stolen data as proof of its claim. All transit services are operating but temporarily riders couldn’t call regular phone numbers.
Threat actors are increasingly using the Greatness Phishing Kit to trick Microsoft 365 users into downloading malware. That’s according to researchers at Trustwave. Greatness is a phishing-as-a-service platform that charges hackers US$120 a month in bitcoin to use for launching phishing campaigns. The platform generates deceptive emails with attachments that capture passwords and — if the victim is gullible — their multifactor authentication codes. Employees need to be reminded not to fill out login forms that come from links in emails.
It’s vital that every company have a way — by email or by phone — to take seriously warnings their cybersecurity controls may have a hole. Otherwise that hole will be found by a threat actor. I raise this because security researchers at Britain’s RedHunt Labs recently felt they had to contact the TechCrunch news service to relay a warning to Mercedes-Benz of a serious problem. A Mercedes developer had left an authentication token in a publicly-available GitHub repository where they presumably were working on application code. RedHunt Labs believed the token would have given anyone access to Mercedes’ GitHub Enterprise Server and the ability to muck around with corporate software code. Two things here: First, companies and government departments may be shy about putting phone numbers and email addresses on the web these days, but they can’t ignore the fact that some calls from people may be more than harassment or silly questions. Second. application developers need to be regularly reminded of what not to do on GitHub or any other public code repository. And managers need to watch their work to make sure security rules are enforced.
Don’t like marketing companies scraping your personal information from social media platforms and reselling it to advertisers? Well, social media platforms are finding it hard to stop. In the latest incident, a California judge last week ruled that an Israeli company called Bright Data did nothing wrong in scraping public data from Facebook and Instagram. Bright Data is being sued by Meta — the parent company of Facebook and Instagram — for breach of contract and tortious (TOR-SHUS) interference with contract. Ars Technica reports that the judge agreed the terms of Facebook and Instagram don’t prevent logged-off scraping of public data. As a result the judge dismissed that part of Meta’s lawsuit before trial. The claim of tortious interference with contract still exists. Meta can appeal the decision.
In addition to advertisers, know who else buys internet records of Americans from data brokers? The National Security Agency. U.S. Senator Ron Wyden released documents last week from the NSA that he says confirm the electronic spy agency buys data that can reveal which websites people visit and the apps they use. The problem, Wyden alleges, is that the data is collected illegally and obtained without a warrant from a judge. The U.S. Federal Trade Commission recently said data brokers have to obtain the informed consent of Americans before selling their data.
American insurance broker Keenan & Associates is notifying 1.5 million people some of their personal data that it holds was stolen in an August data breach. That data included names, dates of birth, Social Security numbers, driver’s licences, passport numbers and health information.
Last October reports began emerging of ransomware groups taking advantage of a vulnerability in Citrix Netscaler application delivery controllers and gateways called Citrix Bleed. Now comes word that Planet Home Lending is notifying almost 200,000 Americans personal data it holds on them was stolen in a November ransomware attack. The cause was exploitation of that vulnerability. The data was in a read-only folder with loan files that included applicants’ names, addresses, Social Security numbers, loan numbers and financial account numbers.
Another victim of Citrix Bleed is Comcast cable. In December Comcast told Maine’s attorney general’s office that has to notify almost 35 million of its customers that personal data it holds was stolen from its system between the time Citrix released patches for the vulnerability and Comcast implemented mitigations.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.
