IT Security News Blast – 8-4-2021
Critical Insight Event: Watch a Live Penetration Test
Pen testing is a key way to test your cyber health, but have you ever seen one done? Today, August 4th at 12pm PT, our team will show you both sides of an attack. See how interaction works during the red team/blue team and walk through potential remediation while testing them in real time. Sign up here.
The cybersecurity jobs crisis is getting worse, and companies are making basic mistakes with hiring
A global study of cybersecurity professionals by Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG) warns that this lack of investment, combined with the challenge of additional workloads, is resulting in a skills shortage that's leading to unfilled jobs and high burnout among information security staff.
DeadRinger: A Three-Pronged Attack by Chinese Military Actors against Major Telcos
Disturbingly, Yonatan Striem-Amit, CTO and co-founder of Cybereason, told SecurityWeek, “We discovered and have evidence that Chinese advanced groups have been using the Hafnium zero-days since at least 2017.”
After nearly 1 month of EHR downtime, UF Health says patient data was compromised during IT attack
The patient information compromised included names, Social Security numbers, addresses, birth dates, health insurance details and treatment details. The health system did not respond to a comment request by Becker's about how many patients were affected.
Health IT Security Challenges Persist for Hospital Systems
“As demonstrated in this year’s findings, supply chains present a potential vulnerability with wide-ranging and unpredictable impact,” the report states. “Security leaders need to assess current investments and devise a plan of action that aims to rapidly remediate this major vulnerability. That should include, minimally, a risk-based assessment of critical third-party vendors based on access, data they hold or access and services they provide.”
Water infrastructure rife with cyber vulnerabilities, report says
For example, at least 38% of systems nationwide have allocated less than 1% of their overall budgets to IT cybersecurity, according to Information Systems Audit and Control Association's (ISACA) "Cybersecurity 2021 State of the Industry." Another 22.1% of systems were allocating just 1% to 5% of their budgets towards addressing IT cybersecurity issues.
Kaseya ransomware attack sets off race to hack service providers -researchers
Now that criminals see how powerful MSP attacks can be, “they are already busy, they have already moved on and we don’t know where,” said Victor Gevers, head of the non-profit Dutch Institute for Vulnerability Disclosure, which warned Kaseya of the weaknesses before the attack. “This is going to happen again and again.”
Cyber-security in manufacturing demands Defense in Depth
A proper Defense in Depth (DiD) strategy, adapted to the OT environment, is becoming a must. CISOs of manufacturing companies will have to justify themselves to the Board of Directors if they do not have an OT cyber security strategy in place these days.
The Cybersecurity 202: The government’s facing a severe shortage of cyber workers when it needs them the most
The government’s cyber workforce has grown by about 8 percent since 2016. A hiring sprint at the Department of Homeland Security resulted in nearly 300 new cyber hires and about 500 more job offers between May and July. But that’s nowhere near sufficient to meet the threats.
Energy Cyber Role Unfilled Over Power Struggle as Hacks Increase
The Energy Department wants the role to be filled by a career employee and the administration has declined to nominate anyone for it. Lawmakers from both parties are so determined to force the White House’s hand that they’ve introduced legislation in both chambers to codify the position as an assistant secretary subject to Senate confirmation.
National Cyber Director: Bureau of Cyber Statistics needed to understand threat landscape
The idea of the Bureau of Cyber Statistics originates with the Cyberspace Solarium Commission, which also urged Congress to create Inglis’ current job. The bureau, as envisioned by the commission, would mandate organizations offering cyber response services or insurance products provide this data for statistical purposes every 180 days.
Russia tells UN it wants vast expansion of cybercrime offenses, plus network backdoors, online censorship
Russia's proposed rule expansion, for example, calls for domestic laws to criminalize changing digital information without permission – "the intentional unauthorized interference with digital information by damaging, deleting, altering, blocking, modifying it, or copying of digital information."
Cybersecurity firm blames China for attacks on Asian telcos
The cybersecurity firm further warns that the attackers have access to (and control of) various networks. If they wanted, reckoned Cybereason, China could shut down telecom services to specific people or companies. Some of the attacks have apparently been going on since at least 2017.
Iranian APT Lures Defense Contractor in Catfishing-Malware Scam
In a new report, Proofpoint details how the group TA456, associated with the Iranian Revolutionary Guard, invested years in developing the false profile of a fantasy woman named Marcella Flores, an impossibly shiny haired aerobics instructor from the U.K., to rein in unsuspecting targets.
Police Are Telling ShotSpotter to Alter Evidence From Gunshot-Detecting AI
Motherboard’s review of court documents from the Williams case and other trials in Chicago and New York State, including testimony from ShotSpotter’s favored expert witness, suggests that the company’s analysts frequently modify alerts at the request of police departments—some of which appear to be grasping for evidence that supports their narrative of events.
Destruction and integrity cyber attacks on the rise
This includes, for example, the manipulation of time stamps through Chronos attacks, or the deployment of deepfake content in business communications compromise (BCC) or business email compromise (BEC) operations, whereby attackers gain access to communication application or email accounts to impersonate the owners’ identity.
Trusted platform module security defeated in 30 minutes, no soldering required
“A pre-equipped attacker can perform this entire attack chain in less than 30 minutes with no soldering, simple and relatively cheap hardware, and publicly available tools,” the Dolos Group researchers wrote in a post, “a process that places it squarely into Evil-Maid territory.”