A second insurance company sideswiped by the MOVEit hack, a Truebot malware warning, and more.
Welcome to Cyber Security Today. It’s Monday, July 10th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
 |
 |
 |
I’m back from a few days off, so this podcast might be longer than usual.
One of Canada’s biggest insurance companies is the second insurer to acknowledge that it is an indirect victim of the hack of a company that used Progress Software’s MOVEit file transfer system. Sun Life U.S. says information of some of its U.S. subscribers was copied in the theft of data through MOVEit from an American-based information service called PBI. In my June 26th podcast I reported that several U.S. organizations were similarly victimized through PBI via the MOVEit file transfer vulnerability. Sun Life U.S. doesn’t say how many of its members were involved. It uses PBI to check government databases to ensure life insurance benefits are paid or need to be stopped. Data stolen includes people’s names, Social Security numbers, policy/account numbers and/or their date of birth.
Several weeks ago energy producer Shell was listed by the Clop hacking group as a victim of the Progress Software MOVEit compromise. In a brief statement last week the company acknowledged the attack. It said personal information was copied of some employees who worked for BG Group, which Shell bought in 2016. Among the countries workers are or were from are Canada, South Africa, the Netherlands, the Philippines and the U.K.
A U.S.-based online document translation service is suspected of being the source of an unprotected database of personal and business information found on the internet by a security researcher. Jeremiah Fowler told WebsitePlanet that the database had folders with U.S. federal and state tax filings of individuals, digital copies of passports, driver’s licences, birth and marriage records as well as business documents. The document translation company was warned about the existence of the stash. It didn’t acknowledge ownership, but after being notified by Fowler public access to the database was blocked. Assuming the database does belong to this company, the incident is another warning that organizations have to ensure employees know how to protect information that might be accessible to the internet with either a password or encryption.
Last month researchers at Fortinet announced the discovery of two new ransomware variants, one of which they call Big Head. Last week researchers at Trend Micro published a detailed analysis of these and other linked strains. They are likely being marketed as Windows updates and Microsoft Word installers. IT leaders have to impress upon employees the importance of only downloading applications from approved websites. This is particularly important when employees work from home or use their own computers. Otherwise, company-owned computers should be prohibited from downloading software that isn’t approved by the IT department. There’s a link to the report, with indicators of compromise to watch out for, in the text version of this podcast at ITWorldCanada.com
New variants of the Truebot malware are being delivered by hackers to organizations in Canada and the U.S. That’s the warning from the Canadian Centre for Cyber Security and the U.S. Cybersecurity and Infrastructure Security Agency. Truebot is a piece of malware that collects information about infected computers, which is the first step in a cyber attack. Usually Truebot gets into IT systems when employees click on infected email attachments. But the warning notes that the newer versions of Truebot also allow threat actors to infect computers by exploiting an unpatched vulnerability in Netwrix Auditor. This is a tool IT departments use to audit their networks. If your environment uses this tool make sure it’s patched. Then look for indicators of compromise by Truebot. Even if you don’t use Netwrix Auditor you should constantly be looking for information-stealing malware on any company-owned network-connected device.
Some threat actors steal data to sell. Others want data for espionage. One of the latest examples is an email apparently from an expert sent to a U.S.-based think tank on foreign affairs. The message asked permission to send the think tank a draft paper on Iran and global security. After agreeing the sender got a link to an infected document. Researchers at Proofpoint discovered the message was sent by a group dubbed as Charming Kitten, or APT24 by other researchers. It’s believed to be an Iranian government cyber group. Interestingly, the person who agreed to receive the document had a Mac computer, which wouldn’t run the phony document or the malware. So a week later the supposed expert sent the think tank a link to a malicious file that would run on a Mac. One lesson from this: Threat actors sometimes try to start a relationship with a target before emailing a message with an infected document. Be on guard.
Despite the efforts of Google, bad apps continue to slip into the Play store. The latest are two file management utilities spotted by researchers at Pradeo. One is called File Manager, while the other is called File Recovery & Data Recovery. They work with files, all right — they collect personal data from infected Android devices including contact lists for phones, email and social network accounts, photos and location data. In other words, the apps are spyware. Remember, research before you download anything. Beware of apps that claim to have thousands of downloads but few or no reviews. If you’re an IT manager with company-owned devices make sure there are ways that block the downloading of unapproved apps.
Finally, the Hulu streaming service in the U.S. has released the first three episodes dramatizing the 2015 hack of the Ashley Madison dating site. Personal data on 36 million users was released, with some people publicly humiliated. At least one person committed suicide, citing the leak of data. The series is called The Ashley Madison Affair, because the Toronto-based website was marketed as a meeting place for married people who were looking for hookups. How many users were actually married isn’t known. What is known, thanks to investigations by Canadian and Australian privacy commissioners, is that poor identity and access management were the cause. Somehow someone got administrator access. Security reporter Brian Krebs has a column on another aspect of the incident, the acidic relationship between the CEO at the time and a former employee. Ashley Madison found new ownership and survives today, now marketing itself as a place to find “discrete relationships.”
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.
