A quick Saturday digest of cybersecurity news articles from other sources. Bruce Schneier edition
Protect Your Website from Russian Cyber Attacks
From WordFence
Unfortunately, Russia has commenced an invasion of Ukraine. Our team has entered a higher state of vigilance. A few minutes ago, I published a blog post describing what we’re doing to ensure the 4 million WordPress sites under our protection remain secure, and I’ve included recommendations for you and your team, if you run a business.
You can find the post on the Official Wordfence Blog…
COVID Testing Scammers
There are companies that exist solely to bill your insurance or the government. Check out this story
Linux-Targeted Malware Increased by 35%
Crowdstrike is reporting that malware targeting Linux has increased considerably in 2021:
Malware targeting Linux systems increased by 35% in 2021 compared to 2020.
XorDDoS, Mirai and Mozi malware families accounted for over 22% of Linux-targeted threats observed by CrowdStrike in 2021.
Merck Wins Insurance Lawsuit re NotPetya Attack
The insurance company Ace American has to pay for the losses:
On 6th December 2021, the New Jersey Superior Court granted partial summary judgment (attached) in favour of Merck and International Indemnity, declaring that the War or Hostile Acts exclusion was inapplicable to the dispute.
Merck suffered US$1.4 billion in business interruption losses from the Notpetya cyber attack of 2017 which were claimed against “all risks” property re/insurance policies providing coverage for losses resulting from destruction or corruption of computer data and software.
The parties disputed whether the Notpetya malware which affected Merck’s computers in 2017 was an instrument of the Russian government, so that the War or Hostile Acts exclusion would apply to the loss.
The Court noted that Merck was a sophisticated and knowledgeable party, but there was no indication that the exclusion had been negotiated since it was in standard language. The Court, therefore, applied, under New Jersey law, the doctrine of construction of insurance contracts that gives prevalence to the reasonable expectations of the insured, even in exceptional circumstances when the literal meaning of the policy is plain.
Merck argued that the attack was not “an official state action,” which I’m surprised wasn’t successfully disputed.
The EARN IT Act Is Back
Senators have reintroduced the EARN IT Act, requiring social media companies (among others) to administer a massive surveillance operation on their users:
A group of lawmakers led by Sen. Richard Blumenthal (D-CT) and Sen. Lindsey Graham (R-SC) have re-introduced the EARN IT Act, an incredibly unpopular bill from 2020 that was dropped in the face of overwhelming opposition. Let’s be clear: the new EARN IT Act would pave the way for a massive new surveillance system, run by private companies, that would roll back some of the most important privacy and security features in technology used by people around the globe. It’s a framework for private actors to scan every message sent online and report violations to law enforcement. And it might not stop there. The EARN IT Act could ensure that anything hosted online — backups, websites, cloud photos, and more — is scanned.
On the Irish Health Services Executive Hack
A detailed report of the 2021 ransomware attack against Ireland’s Health Services Executive lists some really bad security practices:
The report notes that:
- The HSE did not have a Chief Information Security Officer (CISO) or a “single responsible owner for cybersecurity at either senior executive or management level to provide leadership and direction.”
- It had no documented cyber incident response runbooks or IT recovery plans (apart from documented AD recovery plans) for recovering from a wide-scale ransomware event.
- Under-resourced Information Security Managers were not performing their business as usual role (including a NIST-based cybersecurity review of systems) but were working on evaluating security controls for the COVID-19 vaccination system. Antivirus software triggered numerous alerts after detecting Cobalt Strike activity but these were not escalated. (The antivirus server was later encrypted in the attack).
- There was no security monitoring capability that was able to effectively detect, investigate and respond to security alerts across HSE’s IT environment or the wider National Healthcare Network (NHN).
- There was a lack of effective patching (updates, bug fixes etc.) across the IT estate and reliance was placed on a single antivirus product that was not monitored or effectively maintained with updates across the estate. (The initial workstation attacked had not had antivirus signatures updated for over a year.)
- Over 30,000 machines were running Windows 7 (out of support since January 2020).
- The initial breach came after an HSE staff member interacted with a malicious Microsoft Office Excel file attached to a phishing email; numerous subsequent alerts were not effectively investigated.
PwC’s crisp list of recommendations in the wake of the incident as well as detail on the business impact of the HSE ransomware attack may prove highly useful guidance on best practice for IT professionals looking to set up a security program and get it funded.
Hybrid work and the Great Resignation lead to cybersecurity concerns
Code42’s study goes into detail about the risks facing cybersecurity leaders and practitioners in the wake of the Great Resignation.
According to the report, there is a 37% chance that the company an employee leaves will lose their IP, with departing employees making up the second-largest cause of a successful data breach, only behind hackers (45%). With cybersecurity and business leaders concerned about this potential loss of IP, the report posits that having an internal risk management program is not enough when programs are challenged with protecting against insider risks. More…
VMware fixes holes that could allow virtual machine escapes
Hats off to VMware for not using weasel words: “When should you act?” Immediately…
VMware Releases Security Updates for Multiple Products
Original release date: February 16, 2022
VMware has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review VMware Security Advisories VMSA-2022-0004 and VMSA-2022-0005 and apply the necessary updates.
FBI and USSS Release Advisory on BlackByte Ransomware
Original release date: February 15, 2022
The Federal Bureau of Investigation (FBI) and the United States Secret Service (USSS) have released a joint Cybersecurity Advisory (CSA) identifying indicators of compromise associated with BlackByte ransomware. BlackByte is a Ransomware-as-a-Service group that encrypts files on compromised Windows host systems, including physical and virtual servers.
CISA encourages organizations to review the joint FBI-USSS CSA and apply the recommended mitigations.
French cybercriminals using sextortion scams with no text or links
You’d spot this one a mile away… but what about your friends or family?
Irony alert! PHP fixes security flaw in input validation code
What’s wrong with this sequence? 1. Step into the road 2. Check if it’s safe 3. Keep on walki…
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018 and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com