Cyber Watch – May 24, 2024


Welcome to the Cyber Watch series for today, Friday, May 24th, 2024. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of stories that matter every week.

This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. We encourage you to review these stories and take steps to protect your organization. Click on each headline to read the full story.

68 Major Software Firms Commit to CISA’s Secure by Design Pledge

The Cybersecurity and Infrastructure Security Agency (CISA) has announced a significant milestone in enhancing cybersecurity, with 68 leading software manufacturers voluntarily committing to CISA’s Secure by Design pledge. This initiative aims to secure critical infrastructure by requiring participating companies to deliver measurable progress toward seven specific security goals within one year.

The seven goals outlined in the commitment encompass implementing multi-factor authentication, reducing default passwords, demonstrating a reduction in specific vulnerability classes, increasing the installation of security patches, establishing vulnerability disclosure policies, improving transparency in vulnerability reporting, and enhancing capabilities for collecting evidence of cybersecurity intrusions.

By joining the Secure by Design pledge, these 68 software manufacturers have committed to taking concrete actions that will strengthen the security of their products and services. This includes exhibiting steps taken to increase the application of multi-factor authentication, reducing the use of default passwords, and demonstrating a measurable reduction in one or more vulnerability classes across their offerings. 

Scottish National Records Agency Data Exposed in NHS Ransomware Attack

National Records of Scotland (NRS) has revealed that sensitive personal data it holds was accessed and published on the dark web as a result of the recent ransomware attack on NHS Dumfries and Galloway. The leaked data, part of a 3TB trove released by cyber criminals, includes:

  • A small number of cases of sensitive NRS information that was temporarily held on the NHS network for patient record transfers.
  • Some information from the statutory birth, death and marriage registers that is used for patient identification.
  • Fewer than 50 individuals had data leaked that potentially puts them at risk of harm; they have been contacted.

The ransomware gang behind the attack, believed to be Inc Ransom, had initially published a proof pack of patient and staff data before releasing the full cache when NHS Dumfries and Galloway did not meet its ransom demands.

Most Companies Lack Adequate Protection Against Costly Website Impersonation Scams – Memcyco

Memcyco’s inaugural report on website impersonation scams reveals a concerning gap in cybersecurity defenses, with the majority of companies lacking effective solutions to counter this growing threat. Key findings include:

  • 53% of respondents said their existing cybersecurity solutions do not effectively address website impersonation attacks.
  • Only 6% claimed to have a solution that effectively tackles these attacks, despite 87% recognizing it as a major issue.
  • 69% of companies admitted to having faced website impersonation attacks against their website.

The report highlights the severe financial impact of these scams, with cybercriminals earning over $1 billion from phishing-related attacks in 2023 alone, more than triple the amount in 2020.

While 72% of companies have monitoring systems for detecting fake websites, 66% primarily learn about attacks from customers, and 37% through “brand shaming” on social media.

With 48% of respondents aware of upcoming regulations likely enforcing customer reimbursements for such scams, effective protection against digital impersonation fraud is becoming a necessity to avoid revenue loss.

“Website impersonation scams are growing because attackers rely on companies having limited visibility into these kinds of attacks,” said Israel Mazin, Memcyco’s CEO, highlighting a “glaring blindspot” in cybersecurity. See: Point-Based Cybersecurity Solutions are Doing More Damage by Creating “Blind Spots”

Lawmakers Propose Amendment for New U.S. Cyber Force Military Branch

House Armed Services Committee members Morgan Luttrell (R-Texas) and Chrissy Houlahan (D-Pa.) are advancing a proposed amendment to the upcoming fiscal year’s defense authorization legislation that would establish a dedicated Cyber Force as a new armed service under the Department of Defense.

The amendment calls for an independent evaluation by the National Academy of Sciences on the viability of creating this new cyber military branch. The evaluation should be completed within around nine months after an agreement is reached with the Defense Department.

Rep. Luttrell cited the rapidly growing cyber threats and risks faced nationally and globally as the driving force behind the need for a dedicated Cyber Force that “operates specifically in this cyberspace.”

While the amendment is expected to face rejection from U.S. Cyber Command due to its ongoing assessments, Luttrell expressed confidence in the high likelihood of the amendment’s approval by lawmakers.

NYSE Parent Company ICE Fined $10M for Failing to Report 2021 Cyber Breach

In a significant enforcement action, the U.S. Securities and Exchange Commission (SEC) has imposed a $10 million penalty on Intercontinental Exchange Inc. (ICE), the parent company of the New York Stock Exchange (NYSE). The financial giant was cited for failing to promptly disclose a cybersecurity incident involving a zero-day VPN vulnerability in April 2021, violating regulations that mandate timely reporting of such breaches.

According to the SEC’s findings, a third-party company alerted ICE about a potential system intrusion exploiting the VPN flaw. The following day, ICE confirmed the breach after detecting malicious code on one of its VPN concentrators. However, despite having reasonable grounds to conclude an unauthorized entry had occurred, ICE delayed notifying its regulated subsidiaries, including NYSE, for four days.

The delay prevented these entities from properly assessing the intrusion and fulfilling their independent disclosure obligations under the SEC’s Regulation Systems Compliance and Integrity (Regulation SCI). The SEC emphasized that timely reporting of cyber incidents is crucial, as it allows the agency to swiftly protect markets and investors when multiple entities are affected.

In addition to the monetary penalty, several ICE subsidiaries, including Archipelago Trading Services, NYSE Arca, ICE Clear Credit, and the Securities Industry Automation Corporation (SIAC), agreed to cease-and-desist orders for their roles in the incident.

Massive Data Breach Hits Association of California School Administrators

The Association of California School Administrators (ACSA) has disclosed that nearly 55,000 individuals may have had their sensitive information compromised due to a sophisticated cyberattack. The ACSA, a leading umbrella organization serving over 17,000 educators, fell victim to a ransomware attack last September, which resulted in unauthorized access to their systems between September 23rd and 24th, 2023.

The investigation revealed a chilling reality – the threat actors potentially exfiltrated a trove of confidential data, including names, addresses, dates of birth, Social Security numbers, driver’s license information, payment card details, medical records, health insurance data, tax identification numbers, student academic records, employment credentials, and online account login information.

While ACSA found no evidence of identity theft or fraud stemming from the breach, the organization swiftly notified the impacted individuals in early May 2024 and is providing 12 months of credit monitoring services. This incident underscores the ever-increasing risks faced by educational institutions and the need for robust cybersecurity measures to safeguard sensitive data.

CentroMed Healthcare Provider Suffers Data Breach Impacting 400,000 Patients

San Antonio-based primary care clinic CentroMed has disclosed a major data security incident that exposed the personal and medical information of approximately 400,000 current and former patients. The breach was detected on May 1st, 2024, when CentroMed became aware of suspicious activity in its IT network.

An unauthorized individual had gained access to CentroMed’s systems around April 30th and accessed files containing sensitive patient data, including names, addresses, dates of birth, Social Security numbers, financial account information, medical record numbers, health insurance details, diagnosis/treatment information, and claims data.

This type of healthcare data can be extremely valuable on dark web markets, enabling medical identity theft where threat actors submit fraudulent claims to insurers. The exposed personally identifiable information (PII) also puts patients at risk of various fraud schemes like identity theft, phishing attacks, unauthorized purchases, and loan fraud.

Eventbrite Algorithm Surfaces Illegal Drug Sales Among Recovery Events

An investigation by WIRED has uncovered a disturbing issue on Eventbrite, the popular event management and ticketing platform. Among legitimate listings for addiction recovery events, such as Ryan’s Ride for Recovery organized by the Kelder family to honor their son lost to overdose, Eventbrite’s platform and algorithms are surfacing numerous illegal listings for the sale of prescription drugs like Xanax, Valium, and oxycodone.

Despite Eventbrite’s policies prohibiting the sale of illegal substances, the investigation found over 7,400 events violating these terms. Listings included offers to sell fentanyl powder “without a prescription,” Social Security numbers, escort services, and links to untrustworthy online pharmacies flagged by authorities.

Alarmingly, Eventbrite’s recommendation algorithms actively suggested these illicit listings alongside legitimate events through simple search queries or in the “related events” section. Searches for terms like “opioid” would sandwich treatment practitioner conferences between listings for ordering oxycodone.

The Kelder family, who founded the addiction recovery organization RYAN after their son’s overdose death, expressed outrage at the illegal drug sale listings appearing alongside their events aimed at helping those struggling with substance abuse disorders.

Critical Flaw in WinRAR Allows Screen Output Spoofing, Malware Execution

A high-severity vulnerability tracked as CVE-2024-36052 has been uncovered in WinRAR versions before 7.00, posing a significant risk to Windows users of the widely-used file compression and archiving software.

The vulnerability stems from WinRAR’s failure to properly validate and sanitize file names within ZIP archives containing ANSI escape sequences. These sequences allow attackers to manipulate the displayed file name, tricking users into opening seemingly harmless files like PDFs or images.

However, due to improper handling of file extensions, WinRAR’s ShellExecute function incorrectly executes hidden malicious scripts like batch or command files instead of the expected file type. This allows attackers to stealthily install malware while displaying a decoy document to evade suspicion.

Researcher Siddharth Dushantha discovered the issue, which differs from CVE-2024-33899, a separate flaw affecting WinRAR on Linux and UNIX platforms that leads to screen output spoofing and denial-of-service attacks via similar ANSI escape sequence exploitation.

To mitigate this critical vulnerability, users are strongly advised to update to WinRAR version 7.00 or later, which includes a patch addressing the flaw. Additional precautions like enabling file extension visibility in Windows and exercising caution when opening archives from untrusted sources can further reduce the risk of exploitation.
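As an added defensive example (not code from the page, from WinRAR or from the researcher), the following Python scanner flags ZIP entry names that contain ANSI escape sequences or other control characters and reports the real extension that ShellExecute would act on, so an archive can be checked before anyone opens it. The archive path and the sample entry names are constructed for illustration.

```python
"""Flag ZIP entry names carrying terminal escape sequences or control bytes.
Added defensive example; not code from WinRAR or the CVE-2024-36052 researcher."""
import re
import zipfile
from typing import Iterable

# ESC [ ... (CSI) and ESC ] ... BEL (OSC) sequences, plus any bare C0 control
# byte or DEL. Display spoofing depends on a renderer interpreting these
# instead of showing them, so any occurrence in a file name is a red flag.
CONTROL_RE = re.compile(
    r"\x1b\[[0-9;?]*[ -/]*[@-~]|\x1b\][^\x07]*\x07|[\x00-\x1f\x7f]"
)


def displayed_name(name: str) -> str:
    """Approximate what a naive listing shows once escape sequences are consumed."""
    return CONTROL_RE.sub("", name)


def real_extension(name: str) -> str:
    """Extension of the raw entry name, i.e. what the shell would dispatch on."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def suspicious_entries(names: Iterable[str]) -> list[dict]:
    """Return one finding per entry name that contains control characters."""
    findings = []
    for name in names:
        if CONTROL_RE.search(name):
            findings.append({
                "raw": name,
                "displayed": displayed_name(name),
                "real_extension": real_extension(name),
            })
    return findings


def scan_zip(path: str) -> list[dict]:
    """Scan an archive on disk; names come from the ZIP central directory."""
    with zipfile.ZipFile(path) as zf:
        return suspicious_entries(info.filename for info in zf.infolist())


if __name__ == "__main__":
    # Constructed sample names (no archive is written to disk here).
    sample = ["report.pdf", "notes/readme.txt", "summary.pdf\x1b[0m.cmd"]
    for f in suspicious_entries(sample):
        print(f"raw={f['raw']!r} shown as {f['displayed']!r} real ext .{f['real_extension']}")
```

Run `scan_zip("incoming.zip")` (a placeholder path) against any archive received from an untrusted source; a non-empty result is reason to quarantine it regardless of the WinRAR version installed.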

PSNI Fined £750,000 by ICO for Leaking Data of Nearly 10,000 Officers

The Police Service of Northern Ireland (PSNI) has been fined £750,000 by the Information Commissioner’s Office (ICO) for a serious data breach that exposed sensitive information about its workforce of 9,483 officers and staff.

In the 2023 incident, human error led to the online publication of a spreadsheet containing surnames, initials, ranks, and roles – including details of those in sensitive surveillance and intelligence roles, putting officers’ safety at risk.

The ICO stated the PSNI would have faced a crippling £5.6 million fine had the regulator not adopted a new policy to minimize the impact of fines on public sector bodies over two years.

The data was inadvertently published on an FOI website for over two hours before being copied and distributed. Four individuals were arrested on terror charges following the leak, highlighting the severity of the incident amidst an elevated terrorism threat level in Northern Ireland.

The Information Commissioner described it as a “perfect storm of risk and harm,” noting the immense distress and life-altering precautions many officers had to take due to genuine fears for their lives stemming from the avoidable error.

That’s all for today. Stay tuned for our next episode. See you next week!
