Get the latest cybersecurity, privacy, and surveillance news for information security professionals

IT Security News Blast – 1-8-2021

SolarWinds hires former Trump cyber security chief Chris Krebs
He will work for SolarWinds to help co-ordinate the company’s crisis response, alongside his new business partner Alex Stamos, a Stanford University professor and Facebook’s former security chief. The pair told the Financial Times it could take years before all of the compromised systems are completely secure again.

For cybersecurity, people are the new perimeter
Continuous monitoring allows for a risk score to be applied to users in real time, enabling an adaptive response to them. This can only happen with a granular understanding of user behavior, though. Having the capability to understand who is accessing agency resources, what they’re doing with them, and in what context is crucial to determining what level of risk a particular user’s actions represent.
Rioters Open Capitol's Doors to Potential Cyberthreats
Mike Hamilton, a former vice-chair of the Department of Homeland Security's State, Local, Tribal and Territorial Government Coordinating Council and now CISO with security firm CI Security, says that the protests and the ensuing distraction from the riots provided an open door for threat actors. "This is a really great time for another country to exercise access they may have that may be dormant and waiting for an opportunity like this - for example, Senate and House communication systems.”

Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform and has identified legitimate account abuse as one of these vectors (for details, refer to the Initial Access Vectors section). Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified.

Ransomware Attack Delays EHR Rollout - Vermont Health Network Postpones Next Phases
Healthcare Strategic Executive for CI Security Drex DeFord explains why the University of Vermont Health Network's EHR plan got delayed post-ransomware attack. Many security professionals have done great work building traditional defenses, "but now they must shift to monitoring networks and applications 24/7/365," DeFord notes. "The goal is to catch ransomware or other cybercriminal activity quickly, put the fire out while it's still small and return to normal operations with minimal disruption," he says.

The big 2021 tech investments for 5 health system CIOs
Health systems plan continued investment in IT infrastructure, cybersecurity, analytics platforms and digital health in the coming year. Despite continued uncertainty due to the pandemic, several large health systems aim to boost virtual health capabilities and further roll out clinical and operational technologies with the dual goal of delivering better, more coordinated care while also being mindful of the overall enterprise budget.

Kaspersky forecasts exploits in elections, healthcare, 5G deployment this year
In 2020, interest in medical research surged among cybercriminals specializing in targeted attacks, spurred by the development of the much anticipated COVID-19 vaccine and its potential significance for the global community. […] The new year may also see more attack attempts targeted toward this sector as new regulatory restrictions, new treatments, and an increase in the number of potential victims continue to attract attention.

The Impact of Management in Information Security
Risk assessment is done to answer the following questions:

  • If a particular hazard occurs in the organization, how much damage will it cause?
  • What is the probability of each risk occurring?
  • How much does controlling each risk cost, and is that cost affordable?

The results of risk assessment help orient the choice of solutions (toward eliminating the main threats) and can also be used in formulating and modifying the organization's security policies.

New Ransomware Advisories from OFAC and FinCEN Create Additional Challenges for Financial Institutions
The advisories include general guidance for financial institutions that are either (1) involved in making a ransom payment or (2) have reasonable knowledge that money is being used by a customer to make a ransom payment. It is this second aspect that adds a dimension of responsibility that financial institutions have not previously had to consider.

7 Ways to Help Your Financial Institution Dodge Ransomware Attacks
Security experts are reporting a potential increase in ransomware attacks for the foreseeable future. “As ransomware tools and deployment methods advance,” Molina emphasizes, “criminal groups will continue to launch more targeted attack campaigns resulting in increased paid ransom demands and more negative impact to credit unions’ reputation and bottom-line.”

Financial Data Security: Deep Dive on SOC Reports
By following the SOC framework, users learn to develop and implement cybersecurity best practices and controls, and to keep stakeholders informed about their effectiveness and efficiencies. Not insignificantly, the AICPA designed the framework to be agile and flexible according to guides, rules, and regulations imposed by other global organizations and security frameworks, such as HIPAA and NIST.

Disgruntled former VP hacks company, disrupts PPE supply, earns jail term
Dobbins set about disrupting Stradis' electronic records by creating a secondary user account and both editing over 115,000 records and deleting over 2,300 entries. The FBI said this week that the intrusion "disrupted the company's shipping processes, causing delays in the delivery of much-needed PPEs to healthcare providers" who are trying to cope with the COVID-19 pandemic.

SolarWinds hackers accessed DOJ emails, but there’s no indication they reached classified systems
Hackers who tapped into government networks through SolarWinds software potentially accessed about 3% of the Justice Department’s email accounts, but there’s no indication they accessed classified systems, a DOJ spokesperson said in a statement Wednesday. The DOJ Office of the Chief Information Officer learned of the hack, in which the intruders accessed the department’s Microsoft Office 365 email environment, on Christmas Eve, according to the statement.

Securing robot endpoints in Operational Technology (OT) environments
Previous attempts to review the security of robots have relied on offensive exercises or tools that mostly focus on proof-of-concept attacks and penetration testing, detecting flaws in the Robot Operating System (ROS). A recent study mentions the identification of several flaws within the ROS-Industrial codebase; however, it does not explicitly describe exploitable ROS-specific flaws.

JetBrains denies being involved in SolarWinds hack
The reports, citing government sources, said that US officials are looking at a scenario where Russian hackers breached JetBrains and then launched attacks on its customers, one of which was SolarWinds. In particular, investigators believe that hackers targeted a JetBrains product named TeamCity, a CI/CD (Continuous Integration/Continuous Development) server that is used to assemble components into the final software app in a process known as "building."

Hack the Army bug bounty challenge asks hackers to find vulnerabilities in military networks
"By crowdsourcing solutions with the help of the world's best military and civilian ethical hackers, we complement our existing security measures and provide an additional means to identify and fix vulnerabilities. Hack the Army 3.0 builds upon the successes and lessons of our prior bug bounty programs," he added.

Biden picks cyber veteran to reinvigorate security response
National Security Agency (NSA) cyber security director Anne Neuberger has been picked to lead on cyber security for president-elect Joe Biden, as the Trump era drew to a violent end on 6 January 2021 when armed, far-right terrorists temporarily occupied the US Capitol building in Washington DC, disrupting the confirmation of Biden’s victory and creating an operational security nightmare.

Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat
The file contains an embedded macro that uses a VBA self-decoding technique to decode itself within the memory space of Microsoft Office without writing to disk. It then injects a variant of RokRat into Notepad. Based on the injected payload, we believe that this sample is associated with APT37. This North Korean group is also known as ScarCruft, Reaper and Group123 and has been active since at least 2012, primarily targeting victims in South Korea.

Hacker-for-Hire StrongPity APT Going Global with its New Infrastructure
Besides StrongPity, there are several other hacker-for-hire mercenary groups that are actively offering their services and have been observed expanding their scope of attacks.

  • The hacker-for-hire group DeathStalker was observed using a new PowerShell backdoor in its attacks in early December.
  • CostaRicto was found operating a global espionage campaign on multiple continents.

New Year, New Ransomware: Babuk Locker Targets Large Corporations
After infection, Babuk consults a hard-coded list of services and processes to be stopped before encryption. These include various backup and system-monitoring services, including BackupExecVSSProvider, YooBackup and BackupExecDiveciMediaService. On the processes side, Babuk looks to snuff out 31 processes – from sql.exe to oracle.exe and outlook.exe.

Archivists Are Preserving Capitol Hill Riot Livestreams Before They’re Deleted
Open source research and journalist collective Bellingcat put out a call for people to start saving social media content from the protests as they see it: "Just like after Charlottesville in 2017, many of those who are streaming will delete their streams once they realize how incriminating the footage is."

Insurrectionists’ social media presence gives feds an easy way to ID them
Neither would an agency need actual photos or footage to track down any mob participant who was carrying a mobile phone. Law enforcement agencies have also developed a habit in recent years of using so-called geofence warrants to compel companies such as Google to provide lists of all mobile devices that appeared within a certain geographic area during a given time frame.

You are receiving this email because you are subscribed to receive the IT Security Daily Blast email from Michael Hamilton, Founder, President, and CISO of CI Security, formerly Critical Informatics.

Archived articles are available at

CI Security and the CI Security logo are the trademarks of CI Security, Inc. All other brand names, trademarks, service marks, and copyrights are the property of their respective owners.

© 2020 CI Security. All rights reserved.
CI Security

245 4th St, Suite 405  Bremerton, WA   98337