
Moving beyond cybersecurity table stakes with IAM


The role of identity and access management to help to balance user experience and security is not new, but events of the past year—and the year ahead—are giving it increased emphasis.

The shift to remote work and hybrid workforces has highlighted IAM’s role in safely empowering employees and improving productivity, says Dhruva Suthar, director of security software and services at IBM Canada. 

With increased digital customer engagement, it has become key to creating frictionless experiences while protecting personal information, she added.

Mini-conference: MODERNIZING YOUR IAM: July 7 

Suthar will be just one of several experts sharing their thoughts on the development and implementation of IAM during Modernizing Identity and Access Management, a 90-minute interactive session that serves as a kick-off to ITWC’s annual Digital Transformation Conference.

Cyberattacks increasing in volume, velocity, and sophistication

The cybersecurity threat landscape remains a growing challenge for both private and public sector organizations, says cybersecurity consultant Maher Chaar, a specialist in IAM and identity, credential, and access management (ICAM). 

The financial incentive of cybercrime and current permissive environments have allowed bad actors to flourish and increased the volume, velocity and sophistication of their attacks, he says. With many attacks focused on security weak points such as compromised credentials, IAM has taken on increased strategic importance.

The tidal wave in new attacks comes as privacy is becoming ever-more crucial, as demonstrated by legislation like the EU’s General Data Protection Regulation. The average security breach costs nearly $4 million, but the average cost of one GDPR breach skyrockets to about $230 million, according to Suthar. 

With more sophisticated attacks targeting weaknesses in remote work situations, perimeter-based security controls are becoming less effective, Chaar says. This is driving more organizations to implement zero trust security models, where identity covers not only end user access but also IoT devices and hybrid environments.

Identity and zero trust

To build digital resiliency and protect digital assets, organizations are adopting zero trust models, agrees Shivhare. Identity is at the core of the zero trust model and the common denominator for access to network applications and enterprise resources. This has made the adoption of modern IAM solutions such as lifecycle management, single sign-on, multifactor authentication, and role-based access the “table stakes.”

Organizations need to move beyond these stakes, adopting solutions that provide context and adaptive access control.

With Bill C-11 before the federal government and Québec’s Bill 64 to amend data protection legislation, Canadians are expecting organizations to have stronger capabilities for privacy, content management, identity, security, compliance, and reporting, he says. As such, more advanced IAM solutions—such as bring your own identity, progressive profiling—are growing in importance.

Eating the Elephant

As the adage goes, there is only one way to eat an elephant: a bite at a time. One significant area where organizations run into challenges when deploying IAM is taking a monolithic approach that bites off more than they can chew.

It is better, Chaar suggests, to create a strategic roadmap broken into what he calls “fightable chunks of work.” Start with something manageable you can focus on and expand from there, rather than defining and deploying a massive program in one shot.

Yogesh Shivhare, a senior IDC security analyst who will also be speaking at the conference, said research conducted at the height of the pandemic indicates delivering on digital resiliency is the biggest priority for companies working toward recovery.

Hear more expert insights, learn about customer identity and access (CIAM) and applying zero trust, and more:  Attend Modernizing Identity and Access Management – July 7 

2021 DX Awards celebrates Canada’s transformation visionaries

CIO and Digital Transformation Awards up for grabs

ITWC’s annual Digital Transformation Conference and Awards program continues this summer in a virtual format, with three 60-minute sessions over four days.

Delivered on ITWC’s unique DX-TV platform, the conference assembles some of Canada’s foremost DX thought leaders in an engaging mix of live and pre-recorded videos. In addition to allowing registrants to download whitepapers and related audio, DX-TV makes it easy to contribute to a live stream of social media and converse in special breakout rooms.

“Back in February, I was pleased to hear Tiff Macklem, Governor of the Bank of Canada, say that technology is no longer a sector. It’s every sector,” said Fawn Annan, President of ITWC and founder of the awards program. “At ITWC we have been saying this for quite some time and organizing events, such as the Digital Transformation Conference and Awards program to celebrate technology innovators and visionaries.”

One conference, three themes

This year’s conference will run from July 13 – 16, with each section focused on a different theme. Day 1 will look at remote work and the new digital workplace. Day 2 will focus on the role of data, analytics and AI. The final day will tackle digital transformation from the tech leader perspective and feature the winners of the 2021 CIO of the Year Awards, a program co-sponsored by the CIO Association of Canada. Winners of the 2021 Digital Transformation Awards will be celebrated during the first two days.

Mixing work and play 

“I think we could all use a celebration,” said Annan, “and with five categories for submissions, every organization, whether big, small, public, private or non-profit, has a shot at winning.”

Stories about all finalists will appear in the ITWC network of publications, and finalists will be invited to take part in a webinar held in the weeks prior to the conference. Previous winners like PetalMD, Loblaws, RBC and Canadian Blood Services describe the award as meaningful recognition of the team behind the innovation.

Nomination is free, the form is easy to complete, and the opportunity for recognition is significant, so what are you waiting for?

DIGITAL TRANSFORMATION AWARDS NOMINATION

CIO OF THE YEAR NOMINATION

The deadline for both sets of nominations is May 14, 2021

ITWC launches 2021 Canadian IT Skill Survey


ITWC and CanadianCIO, in collaboration with Amazon Web Services (AWS), have launched the 2021 Canadian IT skills survey. The survey findings will provide valuable insights for IT professionals looking to secure and expand their careers in the future.

The survey results will be combined in a report with the best advice from top CIOs on the skills they expect will be most in-demand over the next five years, as well as career advice for young professionals.

The report comes at a crucial time of uncertainty.

“The COVID-19 crisis has had a dramatic impact on the pace of digital transformation and change in the workplace in Canada,” said Jim Love, ITWC CIO. “This one-of-a-kind study will provide guidance for IT professionals on how to prepare for these new realities.”

The national survey asks IT professionals across Canada about trends they believe will have the greatest impact on business and their jobs in the next five years. It also seeks their views on the skills, certifications, and work strategies they need to succeed in the future.

The final report will be shared with IT professionals who complete the survey to help them adapt to the post-pandemic world and beyond.

Download the 2020 Canadian IT Skills Report

Technicity West welcomes Calgary Mayor Naheed Nenshi


It’s the final stretch before Technicity West kicks off Feb. 9, but there’s time to register, and with another Canadian mayor joining the event, you’ll definitely want to.

Calgary Mayor Naheed Nenshi is confirmed to present at this year’s Technicity West event, which will bring together some of the brightest technology leaders in Western Canada to celebrate the power of information technology to transform both the public service and the citizen experience in the region.

Nenshi’s political star-power is well-earned. Nenshi has led the city through multiple crises. He was mayor when widespread flooding devastated Calgary in 2013. Within days, he helped rally the community to come together and lead an expensive cleanup campaign.

Today the province’s business community remains ravaged by COVID-19, an effect that’s amplified by consecutive years of terrible economics due to the residual impact of collapsed oil prices in 2014.

Nenshi has said that Calgary’s primary fuel for a strong economy will need a tech boost. He told GlobalNews.ca that the energy sector will need a “much deeper tech sector, as they all go through digitization in a brand new way that they hadn’t imagined before.”

So much more

Technicity West will feature three separate panels covering how to innovate with limited resources, the evolving citizen experience during, and much more. Other participants include Winnipeg Mayor Brian Bowman, Edmonton Mayor Don Iveson, Calgary chief information officer Jan Bradley, and Vancouver CIO Catherine Chick.

Registered participants will also have an opportunity to network with others in virtual breakout rooms.

Oh, and perhaps the best part about it all, thanks to corporate sponsors, registration is free. 

Technicity West: What’s next for digital government?

For all the challenges and heartache caused by the pandemic, COVID-19 has had an upside for public sector organizations: It forced them to embrace technology at a previously unimaginable level so they could keep employees safe at home and still deliver the services both required and demanded by citizens.

On Feb. 9 senior leaders from across Western Canada including mayors, big city CIOs, and businesses focused on the public sector market will gather virtually to discuss how to maintain the momentum and push further toward digital government goals.

Edmonton Mayor Don Iveson, Winnipeg Mayor Brian Bowman, Surrey, BC Mayor Doug McCallum, BC’s Chief Digital Officer Jaime Boyd, Calgary CIO Jan Bradley, and Vancouver CIO Catherine Chick headline the participants for the three-hour virtual event.

Rob Meikle, a nationally recognized CIO with roots in the public sector, will moderate a Town Hall discussion open to the entire audience. Samantha Liscio, ITWC’s 2020 CIO of Year, will moderate one of the panel discussions.

“The public sector is often criticized for its inability to embrace technology to move quickly,” says conference host Fawn Annan, President and CEO of ITWC. “But there are stunning examples of success in Western Canada and we are going to highlight them.”

There will also be frank discussions about best practices for doing business with the public sector and examples of innovation and collaboration practices embraced by some institutions that can be shared across the rest of the West or Canada as a whole.

Four examples of Western Canadian innovation to be highlighted include virtual policing in Winnipeg, an emergency alert system with global implications, a tablet-based HR tool in use in Saskatchewan, and an AI-fueled app that finds potholes before they develop.

Register now to attend: Technicity West 2021

Cyber Security Today, May 3, 2024 – North Korea exploits weak email DMARC settings, and the latest Verizon analysis of thousands of data breaches

North Korea exploits weak email DMARC settings, and the latest Verizon analysis of thousands of data breaches.


Welcome to Cyber Security Today. It’s Friday May 3rd, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.

North Korean hackers are trying to exploit improperly configured DMARC email server security controls to hide spearphishing attacks. The warning to email and IT security administrators comes from American cyber agencies. DMARC is short for Domain-based Message Authentication, Reporting and Conformance. Without properly configured DMARC policies, threat actors can send spoofed emails that look as if they came from a legitimate domain’s email exchange. A DMARC policy tells a receiving email server what to do with the email after checking a domain’s Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records. Depending on whether an email passes or fails, the email can be marked as spam, blocked, or delivered to an intended recipient’s inbox. What should you be doing? Update your organization’s DMARC security settings.
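The DMARC evaluation described above, as an added example that is not from the podcast or the agencies’ advisory: a small Python parser for a domain’s DMARC TXT record and a disposition function that applies the policy to SPF and DKIM results, showing why a missing record or p=none lets a spoofed From: domain through. DNS answers are replaced by a constructed in-memory table and the organizational domain is approximated as the last two labels (both assumptions; a real receiver uses DNS and the Public Suffix List).

```python
"""Minimal DMARC record parser and disposition evaluator (example code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample DNS answers for _dmarc.<domain> TXT records (assumption).
DNS_TXT = {
    "_dmarc.secure.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@secure.example",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "_dmarc.partial.example": "v=DMARC1; p=quarantine; sp=none",
    # nodmarc.example deliberately has no record at all
}


@dataclass
class DmarcPolicy:
    p: str        # none | quarantine | reject
    sp: str       # subdomain policy, defaults to p
    adkim: str    # r (relaxed) | s (strict) DKIM alignment
    aspf: str     # r (relaxed) | s (strict) SPF alignment
    pct: int      # sampling percentage (parsed but sampling is not modeled here)


def org_domain(domain: str) -> str:
    """Approximate organizational domain as the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt: str) -> Optional[DmarcPolicy]:
    """Parse a DMARC TXT record; None if it is not a usable v=DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    p = tags["p"].lower()
    if p not in ("none", "quarantine", "reject"):
        return None
    return DmarcPolicy(
        p=p,
        sp=tags.get("sp", p).lower(),
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        pct=int(tags.get("pct", "100")),
    )


def lookup_policy(from_domain: str) -> Tuple[Optional[DmarcPolicy], bool]:
    """Look up _dmarc.<from_domain>, falling back to the org domain.

    Returns (policy, is_subdomain); is_subdomain selects sp= over p=.
    """
    txt = DNS_TXT.get(f"_dmarc.{from_domain}")
    if txt and (pol := parse_dmarc(txt)):
        return pol, False
    od = org_domain(from_domain)
    if od != from_domain:
        txt = DNS_TXT.get(f"_dmarc.{od}")
        if txt and (pol := parse_dmarc(txt)):
            return pol, True
    return None, False


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain: str, spf_pass: bool, spf_domain: Optional[str],
                      dkim_pass: bool, dkim_domain: Optional[str]) -> str:
    """Return 'none', 'quarantine' or 'reject' for one message.

    spf_domain is the MAIL FROM domain SPF was evaluated against; dkim_domain
    is the d= tag of a signature that verified. DMARC passes if either
    mechanism passes AND is aligned with the RFC5322.From domain; otherwise
    the published policy (p= or sp=) decides what the receiver does.
    """
    policy, is_sub = lookup_policy(from_domain)
    if policy is None:
        return "none"  # no record: the receiver takes no DMARC action at all
    spf_ok = spf_pass and aligned(from_domain, spf_domain, policy.aspf)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, policy.adkim)
    if spf_ok or dkim_ok:
        return "none"
    return policy.sp if is_sub else policy.p
```

With p=none the spoofed message and the legitimate one get the same disposition, which is the weakness the advisory is about; only quarantine or reject makes a failed alignment check cost the sender anything.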

The U.S. Cybersecurity and Infrastructure Security Agency has added a bug in Github’s email verification process to its Known Exploited Vulnerabilities Catalog. It’s a warning to application developers to install the latest version of Github if they haven’t already done so. This particular hole could allow an attacker to change the password of a GitLab account via the password reset form and successfully retrieve the final reset link. This hole was patched in January.

Separately the Agency issued a warning to American small and medium-sized businesses that China is targeting them just as much as big companies. These small firms can include utilities, hospitals, communications providers, banks and municipalities. What can small and mid-sized firms do? Report every cybersecurity incident to the Cybersecurity and Infrastructure Security Agency so it can see trends. They should also use the free advice and services the Agency offers, enroll in a free vulnerability scanning service, and resolve to make their organization resilient to cyber attacks.

Pro-Russian hacktivists are targeting operational technology devices like internet-connected industrial control systems. That warning came this week from cybersecurity agencies in the U.S., Canada and the U.K. The attacks largely manipulate equipment to create nuisance effects. However, the report adds, some attackers have done physical damage to equipment. That includes causing water pumps and blower equipment to exceed operational limits by altering settings, turning off alarms and changing administrative passwords to lock out operators. How are they doing this? The usual ways — by taking advantage of outdated software, default passwords and login services that don’t have multifactor authentication enabled. There’s a long list of recommended defensive actions, but they all boil down to this lesson: An OT network is just as much a target as an IT network.

A hacker recently compromised the Dropbox Sign infrastructure of the Dropbox file sharing service to steal data of subscribers. Data stolen includes email addresses, usernames, phone numbers, hashed passwords, API keys, OAuth tokens and multifactor authentication login information. Dropbox Sign is a service allowing users to digitally sign documents. The data theft could allow a threat actor to impersonate almost any company official. Dropbox Sign’s IT infrastructure is largely separate from Dropbox, the company says, and there is no evidence the hacker accessed documents, agreements or payment information. Users are being forced to reset their passwords and to create new API keys and digital tokens.

An American judge this week sentenced a Ukrainian man to just under 14 years in prison for deploying the REvil ransomware strain in over 2,500 attacks. The accused was also ordered to pay $16 million in restitution. The man, who was caught and extradited from Poland, pleaded guilty in Texas to charges of conspiracy to commit fraud and other charges.

A Connecticut jury has convicted a Nigerian man for his role in running a business email compromise scheme. The man and his partners sent targeted emails pretending to be from trusted companies to trick officials into transferring millions to bank accounts controlled by the crooks. The man will be sentenced in July.

Police in Europe and Lebanon are now acknowledging shutting down 12 call centers and the arrest of 21 people last month behind a range of scams. They included fake police calls, investment frauds and romance scams. Police got a break last December after a bank teller in Germany became suspicious when a customer asked to withdraw over EUR 100,000. A fake police officer called the victim and demanded the money.

Exploiting software vulnerabilities in web applications was the most common way organizations were hacked last year. That’s one of the prime findings in the latest annual Verizon Data Breach Investigations Report. Exploited vulnerabilities in third-party suppliers such as business partners and internet providers were also a prime factor. Another finding: Human errors, including clicking on links, were involved in 68 per cent of data breaches. Unfortunately, that’s no change from last year’s report. Alarmingly, the percentage of breaches caused by internal actors — including employees or partners allowed to access IT networks — increased last year. The authors analyzed over 30,000 security incidents in the 12 months ending October 2023, of which more than 10,626 were confirmed data breaches in 94 countries. This free report is essential reading for all IT pros.

Later today Jim Love will host the Week in Review podcast.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

Cyber Security Today, May 1, 2024 – Data may have been stolen in London Drugs cyber attack, Congressional testimony today by UnitedHealth CEO on ransomware attack, and more

Data may have been stolen in London Drugs cyber attack, Congressional testimony today by UnitedHealth CEO on ransomware attack, and more.

Welcome to Cyber Security Today. It’s Wednesday, May 1st, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.


London Drugs, a Western-Canadian drug store chain, is still trying to recover from what it calls a cybersecurity incident that was discovered on the weekend. On Tuesday afternoon, when this podcast was recorded, the company said in a tweet that all of its stores were still closed and phone lines disconnected until it can get on top of the attack. But the company now says it is investigating if any data might have been compromised in the attack. That’s a change from Monday, when it said at that time there was no reason to believe that customer or employee data has been impacted. London Drugs is similar to Walmart in that it not only has pharmacies but also sells a wide range of consumer and electronic products. It has 80 stores across four Canadian provinces and more than 9,000 employees.

Expect fireworks this afternoon at a U.S. Congressional committee hearing. UnitedHealth Group CEO Andrew Witty is scheduled to testify about February’s ransomware attack. The AlphV/BlackCat gang hit a division called Change Healthcare that provides billing and data services to hospitals and clinics across the U.S., causing financial woes in the healthcare sector. When Witty appears committee members will be armed with a copy of his opening statement, which says the attackers used compromised credentials to break into a portal protected with a Citrix application. But portal logins weren’t protected with multi-factor authentication. UnitedHealth bought Change Healthcare two years ago. Witty also says the decision to pay a ransom to get access to stolen and encrypted data was his. The number of victims impacted by the incident would be equal to a “substantial portion of people in America,” Witty says.

(Livestream the hearing from here:  https://energycommerce.house.gov/ )

Developers using the R programming language are urged to update their version fast because of a vulnerability. Researchers at HiddenLayer say the open-source environment often used for statistical computing has a hole that could allow an attacker who creates a malicious RDS file to execute code. Developers should upgrade to version 4.4.0. R is widely used in healthcare, finance and government IT departments.

The U.S. Federal Communications Commission has levied almost US$200 million in fines against Sprint, T-Mobile, AT&T and Verizon for selling customers’ real-time location information to data brokers without subscribers’ consent. The fines had been proposed four years ago.

To comply with a European law, Apple is allowing users of its devices in the EU to get apps not only from the Apple store but also from other app marketplaces. However, researchers at an app maker called Mysk say the way Apple allows this through its Safari browser is clumsy. In fact, they argue Apple’s approach can expose iPhone users in the EU to being tracked. That’s because the Safari solution doesn’t allow the origin of a marketplace website to be checked against the site’s URL. The Brave browser does that.

The United Kingdom’s new cybersecurity product protection legislation came into effect Monday. Manufacturers selling equipment in the U.K. are forbidden from allowing easy-to-guess default passwords, and have to provide a point of contact so people can report security issues. Is it time for your state or province to adopt a similar law?

J.P.Morgan is notifying almost 452,000 people of a data breach caused by employees or their agents. The financial giant acts as a benefit payments agent for an unnamed company. Three people used their access to create reports with plan participation information including names, addresses, Social Security numbers and certain personal financial information.

The Philadelphia Inquirer is notifying more than 25,000 people their personal information was copied in a hack just over a year ago. Information stolen included names, financial account or credit/debit card numbers, as well as security codes, passwords or PIN numbers for the accounts.

Governments in the U.S., Britain and elsewhere offer free cybersecurity tools for businesses. The Canadian Centre for Cyber Security has just released its latest: A platform called Howler. It’s an open-source application to help security operation centre (SOC) teams triage and investigate incidents, suspect files and alerts. In simple terms, it’s a workflow management system. A triage analyst watching for suspect actions can rank incidents and assign work for further investigation. Filters can also be created so teams can automatically dismiss known scenarios and focus on critical issues. You don’t have to be Canadian to get Howler. It can be downloaded by anyone with a Github account.

Finally, as I mentioned last week tomorrow is World Password Day. It’s a day that IT leaders should think about whether their organization uses the most effective password strategies to protect against logins by threat actors. That includes making a phishing-resistant multifactor authentication solution mandatory for all employees, giving each employee a password manager so they can create and store complex passwords without having to memorize them and looking at alternatives to passwords like biometric authentication.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

Cyber Security Today, April 29, 2024 – Credential stuffing attacks are hitting firms using Okta ID management solutions, and more

Credential stuffing attacks are hitting firms using Okta ID management solutions, and more.

Welcome to Cyber Security Today. It’s Monday, April 29, 2024. I’m Howard Solomon.


Credential stuffing attacks on organizations that use Okta’s identity and access management solutions have spiked in the last nine days. The company issued that warning on Saturday. It comes after Cisco Systems warned last week that it is seeing large scale brute force attacks on a number of gateways and web application authentication services. These are attacks where hackers try to sign in using large lists of usernames and passwords collected from data breaches, phishing or malware campaigns. The attacks use anonymizing tactics like being routed through Tor networks or residential proxies. Regardless of where the attacks come from, IT administrators have to take defensive steps. These include turning on security features in cloud-based authentication services for logins, insisting employees use phishing-resistant multifactor authentication or passwordless authentication and creating network zones to block login requests from countries where your organization doesn’t operate.
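As an added example (not from Okta, Cisco or the podcast), the detection logic a SOC would run over authentication logs to spot the pattern described above: a source address cycling through many different usernames with a high failure rate, plus the network-zone check for logins from countries where the organization does not operate. The log format, the sample lines and the IP-to-country table are constructed for the example; a real deployment reads the identity provider’s system log and a GeoIP database.

```python
"""Credential-stuffing detector over constructed authentication log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

# Constructed sample log using documentation IP ranges (assumption).
SAMPLE_LOG = """\
2024-04-27T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-04-27T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-04-27T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2024-04-27T10:00:03Z ip=203.0.113.7 user=dave result=FAIL
2024-04-27T10:00:03Z ip=203.0.113.7 user=erin result=SUCCESS
2024-04-27T10:00:04Z ip=203.0.113.7 user=frank result=FAIL
2024-04-27T10:05:00Z ip=198.51.100.20 user=alice result=FAIL
2024-04-27T10:05:10Z ip=198.51.100.20 user=alice result=FAIL
2024-04-27T10:05:20Z ip=198.51.100.20 user=alice result=SUCCESS
2024-04-27T11:30:00Z ip=192.0.2.99 user=grace result=FAIL
2024-04-27T11:30:05Z ip=192.0.2.99 user=heidi result=FAIL
""".splitlines()

# Constructed IP->country table standing in for a GeoIP lookup (assumption).
GEO = {"203.0.113.7": "XX", "198.51.100.20": "CA", "192.0.2.99": "CA"}
ALLOWED_COUNTRIES = {"CA", "US"}  # the network zone: countries where the org operates


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return d


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for sources that look like credential stuffing.

    A source is flagged when, inside some sliding time window, it attempted at
    least min_users distinct usernames and at least min_fail_ratio of those
    attempts failed. One user retrying their own password is never flagged.
    The summary lists the usernames that succeeded inside the burst, since
    those are the accounts whose leaked credentials still work.
    """
    events = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            events[e["ip"]].append(e)

    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["result"] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                summary = {
                    "distinct_users": len(users),
                    "fail_ratio": round(fails / len(win), 2),
                    "successes": [e["user"] for e in win if e["result"] == "SUCCESS"],
                }
                # keep the widest qualifying window seen for this source
                if ip not in flagged or summary["distinct_users"] > flagged[ip]["distinct_users"]:
                    flagged[ip] = summary
    return flagged


def zone_violations(lines, geo=GEO, allowed=ALLOWED_COUNTRIES):
    """Source IPs whose country is outside the organization's network zone."""
    bad = set()
    for line in lines:
        e = parse_line(line)
        if e and geo.get(e["ip"], "??") not in allowed:
            bad.add(e["ip"])
    return bad
```

Thresholds are deliberately low so the constructed sample trips them; tune min_users and the window to the login volume of the real tenant, and treat any success inside a flagged burst as a compromised account to reset.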

Anyone looking online for a job should be careful they aren’t taken in by a scam. That includes software developers, who are being tricked into downloading malware under the guise of proving their coding abilities. That’s the warning from researchers at Securonix. Threat actors possibly from North Korea are setting up fake online job postings and interviews from legitimate-looking companies. To test their skills applicants are asked to download software from places that appear legitimate, like the GitHub open source code repository. However, what they download is malware that can steal information from developers’ computers. It’s been said before: Be careful answering job ads on the internet.

Kaiser Permanente, which operates hospitals and clinics across eight states and the District of Columbia, says information on about 13.4 million current and former members and patients was recently leaked. How? Through third-party data trackers installed on its websites and mobile platforms. The admission was made to the Bleeping Computer news service. The data was collected by Google, Microsoft Bing and X social media platform. The data would have IP addresses, names and details about searches. But it didn’t include passwords or financial information. Bleeping Computer notes usually tracker data is shared with advertisers and data brokers.

An American debt collection agency is notifying almost 2 million people about a data breach. Financial Business and Consumer Solutions says its IT system was hacked in February. Data stolen included names, Social Security numbers, dates of birth and individuals’ account information.

An accounting and consulting firm that does analytics for healthcare providers is notifying just over 1 million Americans of a data breach at its IT provider. Berry, Dunn, McNeil & Parker says that last fall a hacker got into the system of Reliable Networks of Maine, the managed service provider of the analytics unit. Data stolen included names, addresses, drivers licences and non-driver identification card numbers.

Twenty-three staff members of the Los Angeles County Health Services agency fell for a phishing scam in February that resulted in the theft of patient data. In a letter sent to affected people last week, the county said a hacker was able to get hold of the login credentials of 23 employees who clicked on a link in an email message. The notice doesn’t say how many people were victims. What the thief got was data that could have included names, dates of birth, home addresses, phone number(s), e-mail addresses and personal medical information.

A new Android malware that steals bank login information from smartphones has been discovered. Researchers at ThreatFabric call it Brokewell. It’s getting distributed by ads claiming to be an update for the Chrome browser. When you want to update any browser — or any application — don’t click on an ad, a text message or a popup claiming to be an update. Update only through the application’s settings.

Finally, should people and companies who provide cybersecurity services be licensed? Earlier this month Malaysia passed legislation requiring cybersecurity professionals and service providers to be licensed. Regulations on which providers of services will need to be licensed haven’t been worked out yet. But Malaysia follows Singapore and Ghana in requiring a licensing scheme. Ghana requires not only businesses but cybersecurity pros providing managed services, penetration testing and vulnerability assessments to be licensed. The news site Dark Reading quotes one expert worrying that licensing is a way to control researchers and journalists who want to blow the whistle on lax cybersecurity in businesses and government. Another expert says it could help develop cybersecurity specialists. A commentator with the SANS Institute notes that the idea is to help weed out unqualified people from being hired for cybersecurity work. But it will depend on what knowledge cyber pros are supposed to have.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

Cyber Security Today, Week in Review for week ending Friday, April 26, 2024

Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday April 26, 2024. From Toronto, I’m Howard Solomon.


In a few minutes David Shipley, head of Beauceron Security, will be here to discuss some of the biggest news of the past week. They include the latest developments in the ransomware attack on Change Healthcare, a vulnerability found in an abandoned open source project, the next step in Canadian cybersecurity legislation for overseeing critical infrastructure and the passing in the U.S. of a law demanding China’s TikTok become Americanized.

But before we get to the discussion here’s a review of other headlines from the past seven days:

The Top 10 countries hosting the greatest cybercriminal threats are led by the usual suspects: Russia, Ukraine and China. That’s according to university researchers. Other nations in descending order are the U.S., Nigeria, Romania, North Korea, the United Kingdom, Brazil and India. The countries in the Cybercrime Index were ranked on the professionalism and technical skill of resident threat actors. Russia was easily ahead of number two Ukraine by more than 20 points.

A threat actor has been interfering with the software update mechanism of the eScan antivirus product. According to researchers at Avast, the goal is to install backdoors and coinminers on corporate IT networks by substituting a malicious update for a real one. Based in India, eScan is also sold in the U.S., Latin America, Germany and Malaysia. The vulnerability was supposed to have been fixed last July. Avast says it is still seeing new infections, perhaps because some eScan software on corporate computers hasn’t been updated properly.

Among the continuing problems suffered by the city of Leicester, England from a ransomware attack seven weeks ago is the inability to shut some city street lights. A local news site reports the problem is a residue of having to shut municipal IT systems. The attackers stole and published city data.

Some brands of booze in Sweden may be hard to get hold of this weekend because of a ransomware attack on a liquor distributor, the company has warned.

Pressure from police to block end-to-end encryption on common apps continues. Last week European police chiefs issued a statement urging governments and industry to stop allowing end-to-end encryption of apps and social media platforms. They say it will stop law enforcement from obtaining evidence for criminal charges. Others say end-to-end encryption protects privacy.

A veterinary clinic in Marysville, Kansas is notifying almost 26,000 customers their data was stolen when the company’s online payments page was compromised. Credit card data was among the information copied earlier this year.

The public school board of Buffalo, New York is notifying just over 19,000 people some of their personal information was seen by a hacker. The incident took place in February when two email accounts were accessed. Names, contact information and Social Security numbers could have been seen.

And the Catholic Diocese of Cleveland is notifying almost 10,000 people that personal data was copied when a hacker compromised an employee’s email account early this year or late last year. Information included names and Social Security numbers. You may recall last Friday I reported that the Catholic Diocese of Phoenix was notifying people of a data breach.

(The following is an edited transcript of the first of four topics in the discussion. For the full discussion play the podcast)

Howard: Joining me now from Fredericton, New Brunswick is David Shipley, CEO of Beauceron Security.

Let’s start with the latest from the February ransomware attack on Change Healthcare, a technology and payments provider to hospitals and clinics across the United States. On Monday parent company UnitedHealth Group acknowledged that data stolen “could cover a substantial proportion of people in America.” That’s short for “this was a huge data breach.” Data stolen included protected health information or personally identifiable information, but not doctors’ charts or full medical histories. In addition, UnitedHealth told TechCrunch that a ransom was paid to the hackers “to do all it could to protect patient data from disclosure.” This lines up with claims by an affiliate of the BlackCat/AlphV ransomware gang that Change Healthcare paid US$22 million to the gang — but the gang leaders took all of the money and didn’t pay the affiliate their cut. Meanwhile, a second ransomware gang, RansomHub, is posting data it says is from Change Healthcare. It isn’t clear if that was part of the original data theft or a new hack.

David Shipley: Keep in mind that the previous high water mark for a substantial proportion of the population was the Anthem Blue Cross breach in 2015 in which 80 million people’s records were stolen and resulted in a $117 million class action settlement in which Anthem did not admit any wrongdoing. The attack was allegedly tied to nation-state level espionage and was quite sophisticated. But it was the pre-ransomware cowboy era, not the one that we’re in now. So my thoughts are, this one is going to be massive.

Howard: What did you think about the UnitedHealth announcement and this whole ransomware attack — in particular where the AlphV/BlackCat gang seems to have taken all the money and then announced they were disbanding?

David: It’s not the first time bad actors have taken the money and run exit scams. I think what we’ve just discovered is number 1, when you cripple the healthcare system to the level that they just did, when you mess with the pharmacy for the U.S. military, you start thinking, ‘Maybe it’s time to get out of Dodge.’ Yes, they are probably getting a whole lot of heat. So it made sense. Essentially these are little cockroaches, though. They just scurry, they hide, and then they reform and they come back again as a rebranded group. But there’s still the awfulness.

What I’m dying to know is did UnitedHealth get the [data] unlock keys, because if they [AlphV/BlackCat] stiffed the affiliate and they ran with the money did they at least throw them [United Health] a bone so they can lock their data? Or did they just completely run? Even though healthcare data is the one area where I’ve given a hall pass on [allowing] paying ransoms, I kind of hope they didn’t give them the key because this might finally be the nail in the coffin of people thinking, ‘Paying the ransom is the sanest option for our business.’

Howard: I want to go back to the huge numbers [of potential victims]. This is 2024. Maybe organizations can’t stop every cyber intrusion, but shouldn’t IT leaders know enough that systems have to be segmented so that no more than a small chunk of data can be stolen?

David: I don’t necessarily disagree. But I think what you’re saying presumes that people can accurately simulate or test chains of consequences in the digital environment. That each on their own is not catastrophic. But when combined in very unique ways, boom! What do I mean by that? Let’s just take a story: A server that was in the testing environment that never got switched off on its own, probably not that big of a deal [if it’s compromised]. Take that server and now it’s actually in production, problematic if it’s not getting patched, if it’s being over-provisioned with way too much access. See Microsoft’s recent pain. Think if people knew things like that, where big glaring red alerts are, would they do something about it? They absolutely would act on it. I am completely convinced that we cannot accurately deal with this [cybersecurity] because of cyber chaos theory … We presume with great arrogance that we have control over increasingly complex opaque systems or systems-in-systems and that we can somehow get a handle on all the possible permutations and combinations that can lead to cyber attacks. See Microsoft’s two very painful breaches this year [as evidence] that even the biggest of us can’t do it.

Howard: Also on Monday the Wall Street Journal said that whoever broke into Change Healthcare used a stolen username and password. That’s still a highly usable weapon [for threat actors].

David: Usernames and passwords have been in play in computing for 50-plus years. Mark my words they will be around for at least another 50 years. Change is hard in technology. Change is even harder in humans. We are not even through the beginning of the end chapter when it comes to passwords. This is why people, process and culture are the root of cyber events, not just technology.

Howard: Next Tuesday, UnitedHealth CEO Andrew Witty is scheduled to testify before a committee of the U.S. House of Representatives. They won’t be in a good mood.

David: Grab your popcorn. But also in a certain sense UnitedHealth is paying the price that all of us have incurred by not demanding better when it comes to cyber hygiene for critical infrastructure, by demanding increasingly digital systems and never anticipating the negative consequences that come from the use of technologies. As a species we have a damn near fatal blind spot when it comes to the risk side of technology. We are so overly hyper-focused on all the benefits all the rewards, all the gains, or all the coolness, of something bright and shiny that we never stop to think, ‘Just because we can do something doesn’t mean we should do something.’

Howard: And this attack has been hugely expensive for the company. Last week UnitedHealth estimated that costs so far for remediating this mess are US$872 million. On top of that, it’s provided billions of dollars in advance funding and no-interest loans to healthcare institutions, their customers, that were caught short when Change Healthcare systems had to be temporarily closed …

David: Maybe the best thing that comes from that is that people will invest [in cybersecurity] because you know that $800 million remediation cost? We have a term for that: We call it ‘technical debt’ …

Howard: What if they had spent, say, $10 million [more] on increased cyber security [before the attack]?

David: The lack of independent, academic peer-reviewed studies into root cause analysis [of incidents], like a CSRB [Cybersecurity Safety Review Board] report could point at that. That is the most important thing we’re missing. In this industry we love to haul around and scare the pants off people. “Six billion dollars is going to be lost to cybercrime!” But we don’t tell them how easy it could have been to avoid, or the massive amount of ROI [return on investment] that just comes from doing it [cybersecurity] proactively.