MISCELLANEOUS CYBERSECURITY NEWS:
CISA warns of foreign threat group launching spearphishing
campaign using malicious RDP files - Midnight Blizzard has targeted
more than 100 organizations across government, IT and academia, in
some cases impersonating Microsoft employees.
https://www.cybersecuritydive.com/news/cisa-threat-group-spearphishing/731737/
Executives worry over aging IT systems - Despite ongoing
modernization efforts, tech debt is still hindering mission-critical
infrastructure.
https://www.cybersecuritydive.com/news/tech-debt-infrastructure-kyndryl/731732/
The story behind the Health Infrastructure Security and
Accountability Act - In February 2024, Change Healthcare, a
subsidiary of UnitedHealth Group (UHG), was the victim of a
significant ransomware attack carried out by the ALPHV/BlackCat
ransomware group.
https://www.theregister.com/2024/10/29/hold_the_story_behind_the/
Chinese attackers accessed Canadian government networks for five
years - A report by Canada's Communications Security Establishment
(CSE) revealed that state-backed actors have collected valuable
information from government networks for five years.
https://www.theregister.com/2024/10/31/canada_cybersec_threats/
UnitedHealth Group names new CISO 8 months after massive ransomware
attack - Longtime security leader Tim McKnight joins the beleaguered
healthcare giant, succeeding Steven Martin, who was appointed chief
restoration officer.
https://www.cybersecuritydive.com/news/unitedhealthgroup-ciso-tim-mcknight/731475/
Three common privilege access mistakes that can lead to a ransomware
incident - SolarWinds, Colonial Pipeline, Hafnium Exchange. What do
these attacks have in common? Beyond their status as some of the
most high-profile attacks of recent years, these breaches signify a
shift in the attack path for threat actors.
https://www.scworld.com/perspective/three-common-privilege-access-mistakes-that-can-lead-to-a-ransomware-incident
FCC Aims to Boost Undersea Cable Security, Purge Adversary Tech -
The Federal Communications Commission (FCC) plans to vote Nov. 21 on
a notice of proposed rulemaking that would review the agency’s
existing licensing rules for undersea cables with the goal of better
protecting that class of critical communications infrastructure by,
among other steps, prohibiting the use of equipment and services
sold by companies based in adversarial nations including China and
Russia.
https://www.meritalk.com/articles/fcc-aims-to-boost-undersea-cable-security-purge-adversary-tech/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Midnight Blizzard uses RDP to target 100 organizations in US, Europe
- The Russian nation-state threat actor tracked as Midnight Blizzard
has been running spear-phishing campaigns to thousands of targets at
more than 100 organizations, primarily in the United States and
Europe.
https://www.scworld.com/news/midnight-blizzard-uses-rdp-to-target-100-organizations-in-us-and-europe
EmeraldWhale steals 15,000 credentials from exposed Git
configurations - A bad actor identified as EmeraldWhale was observed
running a global operation that targeted exposed Git configurations
— a campaign that resulted in more than 15,000 cloud service
credentials stolen.
https://www.scworld.com/news/emeraldwhale-steals-15000-credentials-from-exposed-git-configurations
Interbank confirms data breach following failed extortion, data leak
- Interbank, one of Peru's leading financial institutions, has
confirmed a data breach after a threat actor who hacked into its
systems leaked stolen data online.
https://www.bleepingcomputer.com/news/security/interbank-confirms-data-breach-following-failed-extortion-data-leak/
Ex-Disney Employee Charged With Hacking Menu Database - In a
vengeful move against the happiest place on Earth, the former
employee allegedly used his old credentials to make potentially
deadly changes.
https://www.darkreading.com/cyberattacks-data-breaches/ex-disney-employee-charged-hacking-menu-database
Schneider Electric investigating cyber intrusion after threat actor
gains access to platform - Schneider Electric on Monday said it is
investigating a cyber incident following claims by a suspected
threat actor that it had gained access to company data.
https://www.cybersecuritydive.com/news/schneider-electric-investigating-cyber/732006/
Columbus, Ohio confirms July ransomware attack compromised data of
500K people - The city notified half a million people their personal
information was at risk following the attack it attributed to a
foreign threat actor.
https://www.cybersecuritydive.com/news/columbus-ohio-ransomware-500k/732154/
California court suffering from tech outages after cyberattack - The
San Joaquin County Superior Court said nearly all of its digital
services have been knocked offline due to a cyberattack that began
earlier this week.
https://therecord.media/california-court-suffering-from-tech-outages-cyberattack
Cyberattack disrupts classes at Irish technology university - The
South East Technological University (SETU) in Ireland has announced
experiencing a cybersecurity incident targeting its IT systems.
https://therecord.media/cyberattack-disrupts-classes-at-irish-tech-university
Colorado scrambles to change voting-system passwords after
accidental leak - The Colorado Department of State said it
accidentally posted a spreadsheet containing "partial passwords" for
voting systems.
https://arstechnica.com/tech-policy/2024/10/colorado-scrambles-to-change-voting-system-passwords-after-accidental-leak/
Rhysida ransomware attack on Columbus claimed 500K victims - The
City of Columbus, Ohio, confirmed Nov. 1 that 500,000 people were
affected by a July 18 ransomware attack that was claimed by the
Rhysida gang.
https://www.scworld.com/news/rhysida-ransomware-attack-on-columbus-claimed-500k-victims
WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against
E-Mail and Internet-Related Fraudulent Schemes (Part 1 of 3)
E-mail and Internet-related fraudulent schemes, such as "phishing"
(pronounced "fishing"), are being perpetrated with increasing
frequency, creativity and intensity. Phishing involves the use of
seemingly legitimate e-mail messages and Internet Web sites to
deceive consumers into disclosing sensitive information, such as
bank account information, Social Security numbers, credit card
numbers, passwords, and personal identification numbers (PINs). The
perpetrator of the fraudulent e-mail message may use various means
to convince the recipient that the message is legitimate and from a
trusted source with which the recipient has an established business
relationship, such as a bank. Techniques such as a false "from"
address or the use of seemingly legitimate bank logos, Web links and
graphics may be used to mislead e-mail recipients.
In most phishing schemes, the fraudulent e-mail message will request
that recipients "update" or "validate" their financial or personal
information in order to maintain their accounts, and direct them to
a fraudulent Web site that may look very similar to the Web site of
the legitimate business. These Web sites may include copied or
"spoofed" pages from legitimate Web sites to further trick consumers
into thinking they are responding to a bona fide request. Some
consumers will mistakenly submit financial and personal information
to the perpetrator who will use it to gain access to financial
records or accounts, commit identity theft or engage in other
illegal acts.
The Federal Deposit Insurance Corporation (FDIC) and other
government agencies have also been "spoofed" in the perpetration of
e-mail and Internet-related fraudulent schemes. For example, in
January 2004, a fictitious e-mail message that appeared to be from
the FDIC was widely distributed, and it told recipients that their
deposit insurance would be suspended until they verified their
identity. The e-mail message included a hyperlink to a fraudulent
Web site that looked similar to the FDIC's legitimate Web site and
asked for confidential information, including bank account
information.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - DATA CENTER SECURITY
When selecting a site for the most important information systems
components, one major objective is to limit the risk of exposure
from internal and external sources. The selection process should
include a review of the surrounding area to determine if it is
relatively safe from exposure to fire, flood, explosion, or similar
environmental hazards. Outside intruders can be deterred through the
use of guards, fences, barriers, surveillance equipment, or other
similar devices. Since access to key information system hardware and
software should be limited, doors and windows must be secure.
Additionally, the location should not be identified or advertised by
signage or other indicators.
Detection devices, where applicable, should be utilized to prevent
theft and safeguard the equipment. They should provide continuous
coverage. Detection devices have two purposes - to alarm when a
response is necessary and to support subsequent forensics. The alarm
capability is only useful when a response will occur. Some intruder
detection devices available include:
- Switches that activate an alarm when an electrical circuit is
broken;
- Light and laser beams, ultraviolet beams and sound or vibration
detectors that are invisible to the intruder, and ultrasonic and
radar devices that detect movement in a room; and
- Closed-circuit television that allows visual observation and
recording of actions.
Risks from environmental threats can be addressed somewhat through
devices such as halon gas, smoke alarms, raised flooring, heat
sensors, and the like.
Physical security devices frequently need preventive maintenance
to function properly. Maintenance logs are one control the
institution can use to determine whether the devices are
appropriately maintained. Periodic testing of the devices provides
assurance that they are operating correctly.
Security guards should be properly instructed about their duties.
The employees who access secured areas should have proper
identification and authorization to enter the area. All visitors
should sign in and wear proper IDs so that they can be identified
easily. Security guards should be trained to restrict the removal of
assets from the premises and to record the identity of anyone
removing assets. Consideration should be given to implementing a
specific and formal authorization process for the removal of
hardware and software from premises.
The following security zones should have access restricted to a
need-to-know basis:
- Operations center
- Uninterrupted power supply
- Telecommunications equipment
- Media library
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.4 Step 4: Selecting Contingency Planning Strategies
The next step is to plan how to recover needed resources. In
evaluating alternatives, it is necessary to consider what controls
are in place to prevent and minimize contingencies. Since no set of
controls can cost-effectively prevent all contingencies, it is
necessary to coordinate prevention and recovery efforts.
A contingency planning strategy normally consists of three parts:
emergency response, recovery, and resumption. Emergency response
encompasses the initial actions taken to protect lives and limit
damage. Recovery refers to the steps that are taken to continue
support for critical functions. Resumption is the return to normal
operations. The relationship between recovery and resumption is
important. The longer it takes to resume normal operations, the
longer the organization will have to operate in the recovery mode.
The selection of a strategy needs to be based on practical
considerations, including feasibility and cost. The different
categories of resources should each be considered. Risk assessment
can be used to help estimate the cost of options to decide on an
optimal strategy. For example, is it more expensive to purchase and
maintain a generator or to move processing to an alternate site,
considering the likelihood of losing electrical power for various
lengths of time? Are the consequences of a loss of computer-related
resources sufficiently high to warrant the cost of various recovery
strategies? The risk assessment should focus on areas where it is
not clear which strategy is the best.
In developing contingency planning strategies, there are many
factors to consider in addressing each of the resources that support
critical functions. Some examples are:
Example 1: If the system administrator for a LAN has to be out of
the office for a long time (due to illness or an accident),
arrangements are made for the system administrator of another LAN to
perform the duties. Anticipating this, the absent administrator
should have taken steps beforehand to keep documentation current.
This strategy is inexpensive, but service will probably be
significantly reduced on both LANs, which may prompt the manager of
the loaned administrator to partially renege on the agreement.
Example 2: An organization depends on an on-line information
service provided by a commercial vendor. The organization is no
longer able to obtain the information manually (e.g., from a
reference book) within acceptable time limits and there are no other
comparable services. In this case, the organization relies on the
contingency plan of the service provider. The organization pays a
premium to obtain priority service in case the service provider has
to operate at reduced capacity.
Example 3: A large mainframe data center has a contract with a hot
site vendor, has a contract with the telecommunications carrier to
reroute communications to the hot site, has plans to move people,
and stores up-to-date copies of data, applications and needed paper
records off-site. The contingency plan is expensive, but management
has decided that the expense is fully justified.
Example 4: An organization distributes its processing between two
major sites, each of which includes small to medium processors
(personal computers and minicomputers). If one site is lost, the
other can carry the critical load until more equipment is purchased.
Routing of data and voice communications can be performed
transparently to redirect traffic. Backup copies are stored at the
other site. This plan requires tight control over the architectures
used and types of applications that are developed to ensure
compatibility. In addition, personnel at both sites must be
cross-trained to perform all functions.