Welcome to Cyber Security Today. this is the Week in Review podcast for the week ending Friday, December 1st, 2023. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
 |
 |
 |
In a few minutes Terry Cutler of Montreal’s Cyology Labs will be here to discuss some recent news. But first a look back at some of the headlines from the past seven days:
It almost wouldn’t be a Week in Review podcast if we didn’t talk about ransomware. This week a ransomware operation in Ukraine was broken up, a major American hospital chain was hit, and in this country a ransomware gang named an association that represents pork producers as one of its victims. In addition researchers said the BlackBasta ransomware gang got $107 million in payments over the past 22 months. Terry and I will discuss this.
We’ll also look at an updated report from Okta on a data breach of its customer support system, an authentication problem with Microsoft Access and a report on what information security leaders reflect on after a cyber breach.
In other news the Cactus ransomware gang is exploiting vulnerabilities in the Qlik Sense cloud analytics and business intelligence platform. Researchers at Arctic Wolf say IT departments that have allowed their Qlik Sense installations to be exposed to the internet are at risk. Administrators need to make sure this application has the latest security patches.
A hacking group called Cyber Av3ngers has claimed credit for taking control of an internet-connected system of a municipal water authority in Pennsylvania. Researchers at Check Point Software say the group is affiliated with the government of Iran. The suspicion is the utility was hit because it uses programmable logic controls from an Israeli company, Unitronics. The U.S. Cybersecurity and Infrastructure Security Agency issued a reminder to companies using Unitronics and other internet-connected sensors and controllers to do basic cybersecurity things like change the default password on the devices, not make them visible or disconnect them from the internet, and if they have to be on the ‘net protect them with multifactor login authentication.
Separately, authorities are investigating a suspected ransomware attack against a municipal water utility in Texas.
Zyxel released patches for four vulnerabilities in its network-attached storage devices. Affected are certain models of the NAS326 and NAS542 devices.
Almost two million employees of Dollar Tree and Family Dollar stores are being told some of their personal information was stolen when a data processor was hacked. That company is Zeroed-In Technologies, which does workforce analytics for companies. The hack took place early in August. Data that might have been stolen includes names, dates of birth and Social Security numbers.
Berglund Management Group, which oversees several car dealerships in Virginia, is notifying over 51,000 people of a data breach. Information stolen includes names and Social Security numbers.
Bluefield University of Virginia is notifying just over 23,000 people that some of their personal information was stolen in a May 1st data breach. Information stolen includes names and Social Security numbers.
Meta has purged thousands of Facebook accounts linked to China, Russia and Iran for spreading false or misleading information. Some of the fake personas posed as reporters, lawyers, human rights activists or American residents.
And a Los Angeles man was sentenced by an American judge to eight years in prison for online fraud. That included one incident when he took over a victim’s cellphone by convincing their carrier to change the phone’s SIM card to one the crook controlled. He also impersonated Apple Support staff to access victims’ iCloud accounts and steal their cryptocurrency. In one case, pretending to be from Apple, he persuaded the victim to give him their six-digit two-step authorization code to access their iCloud account.
(The following is a transcript of the first of the four news items discussed. To hear the entire conversation play the podcast)
Howard: In the past seven days hospitals in the U.S. have revealed ransomware attacks, police in Europe worked together to arrest the alleged head of a ransomware group in Ukraine and researchers released a report outlining how lucrative ransomware has been for one gang. According to Corvus Insurance and a blockchain analysis company called Elliptic, the Black Basta gang pulled in at least US$107 million in the past 22 months. The gang is either directly or indirectly connected to the people behind the Conti ransomware group, which stopped operating early last year — around the time Black Basta emerged. What stood out for you in this report?
Terry Cutler: The report touched on the wide range of who can be a victim. This report talked about 322 organizations that were targeted –and obviously they weren’t prepared –anybody can become a victim. You talked about the Conti connection. We’re seeing a lot of [gang] members switching teams, or maybe creating a new group. It’s always the same team, just recycled. This [ransomware] is not going away anytime soon. And because of the whole crypto back end, the cryptocurrency laundering, it’s very, very difficult to find out where these guys are coming from … So it goes to show if you’re connected to the internet you will be attacked. If your systems are vulnerable, you’ll be exploited. So get your [IT security] audits done.
Howard: What caught my eye was that about one-third of victims paid a ransom to this gang, and the average ransom payment was US$1.2 million dollars.
Terry: I witnessed that amount here in Canada. I really didn’t believe this number when I started seeing the stats. Who’s going to want to pay this kind of money? [But] we saw an MSP [managed service provider] get hacked and they [the hackers] got access to their customers and hacked the customers. By the time the MSP got back up and running their [recovery] bill went from a $10,000 audit to $1.2 million in less than two months because of legal fees, round-the-clock support to get their systems back up and running … If you get hit with a ransomware attack you’re going to be down for at least 100 hours. There’s a stat that shows that most small and medium-sized businesses are going to fold within six months of a cyber attack. The other thing is when you get hit with ransomware your data is encrypted.
We’ve talked about this — is it more cost-effective to pay the ransom get your data back? Or live what you have, because a lot of times the backups will be will be encrypted as well. It really depends on how sensitive this information is.
