Forescout Cyber Weekly Roundup
August 02, 2019
The Forescout Cyber Roundup is a weekly blog series that highlights some of the major cyber headlines, as well as some of the more obscure stories from the week. The purpose of this curation is to raise cyber awareness, provoke thought and encourage discussion among cyber professionals at all levels. Articles are categorized by industry, not necessarily priority.
- Stop ‘em before they start: The FBI has expressed interest in a ‘social media early alerting tool’ to help investigators stop terrorist groups and criminal organizations before they execute their plans. One challenge of such a tool is reliably distinguishing legitimate social media sources from fake accounts.
- From 24 to 0: The number of data-driven ‘CyberStat’ review meetings has dropped drastically since 2016. Once used to oversee agency compliance with federal cyber requirements and protect federal information systems, a new report has found that the legacy review process was viewed by many as a mere check-the-box exercise.
- Follow the trail: A recently released report from the Inspector General found that the DoD purchased $32.8 million of commercial-off-the-shelf (COTS) IT products with cybersecurity flaws. This article points to a lack of purchase controls, but the findings also point to a larger problem of supply chain security and the lack of vendor accountability when it comes to security.
- New Army cyber contract: A recent notice from the Army’s research and development community highlights battlespace awareness, a secure operating area, command and control, and tools for stronger defense as the top cyber priorities.
- Retailers “aren’t hearing the message”: You’ll see that phrase again, below. With attacks ‘on the rise’ across seemingly every industry, why is it that retailers, enterprises and other organizations aren’t getting the message that they are under attack? Are the consequences not grave enough? Are the attacks not debilitating? Is cyber compromise just an accepted cost of doing business?
- Consumer credit applications exposed (2005-present): While Capital One says its initial analysis indicates that the data wasn’t disseminated or used for fraud, this entire story puts into perspective the timeline of a data breach. We’ve all heard the credit card pitches on a cross-country flight: “Apply now and get 10,000 points!” Or, we’ve heard the pitch from our local bank: “Apply for this line of credit and get 1,000 bonus point rewards!” The point is, smart consumers must no longer assess the best interest rate and rewards options, they also have to consider their potential lender’s cyber history.
- Data breach comes from within: Beauty brand Sephora confirmed a cyberattack on its systems over the past two weeks, affecting online customers mainly from Southeast Asia, Australia, and New Zealand. While the incident did not affect any payment data, Sephora advised impacted customers to reset their passwords.
- We’ll steal your data and we’ll fry your systems, too: Cryptocurrency malware is on the rise and although healthcare delivery organizations (HDOs) are not the specific target, they are considered by many as the most vulnerable due to their sensitive data. HDOs can monitor their regular traffic and CPU activity—deviations should be investigated for potential cryptomining activity.
- Blocked and encrypted but not used—yet: Following a joint statement on July 19, Bayamón Medical Center and Puerto Rico Women and Children’s Hospital, both based in Puerto Rico, confirmed that they discovered ‘a blocking incident’ affecting patient data and the hospitals’ computer networks. To date, the incident reported by Bayamón Medical Center alone is the largest breach involving ransomware posted on the federal tally so far this year. This attack confirms fears that attacks on healthcare delivery organizations (HDOs) will not only continue to surge, but also grow more sophisticated.
- Vendor sprawl a problem for healthcare patients: Browser extensions have reportedly leaked users’ data with marketing intelligence service Nacho Analytics. In sum, at least 4 million users may be affected.
- The message isn’t being heard: This week’s Capital One breach puts the spotlight back on cybersecurity within Financial Services. The two biggest banks in the U.S.—Bank of America and J.P. Morgan Chase—have combined cyber budgets exceeding $1.4 billion annually. Yet just this week we saw another financial cornerstone, Capital One, acknowledge a data breach affecting as many as 100 million customers. What’s clear is that what is accepted as common security practice now simply isn’t working.
- Leading by example: Imaginative attacks that originated with the North Korean government in a bid to make big financial gains are now being leveraged by other threat actors to steal from financial institutions.
- How to make a camera lie: New Forescout research shows that Internet-facing IP cameras regularly contain security vulnerabilities, and that those vulnerabilities can enable cyber criminals not only to take over the device, but also to alter the video surveillance footage. This type of hack demonstrates yet another way that cyberattacks can have very real physical impacts. Check out the full report, Rise of the Machines: Transforming Cybersecurity Strategy for the Age of IoT.
- OT overlooked equals risks unseen: Cyber policies are typically focused on traditional IT controls, but the spread of intelligent digitization techniques and the drive to extract value from previously disconnected or air-gapped OT systems can expose those systems to compromise.
- Old LAPD database leads to data breach: Exposure of personal information is bad enough, but those in certain career paths, such as a police officer or a prosecuting attorney, for example, take on a different type of risk when their personal data is compromised. On the one hand, their home address or personal phone number might become available on the dark web—sometimes for as little as a few dollars—and could allow previously arrested or convicted individuals to locate them with ease. On the other hand, if their email addresses are exposed, cyber criminals could directly target those individuals and their organizations as a whole with strategic phishing campaigns.
- Patrol response times may be delayed, slightly: The Georgia State Patrol was reportedly the target of a July 26 ransomware attack that has necessitated the precautionary shutdown of its servers and network. This attack follows the Lawrenceville, GA police department attack as well as the attack on the Georgia court system.
- Have I Been Pwned is ‘growing up’—in other words, it’s for sale: This news didn’t break this week, but it’s worth noting. Security researcher Troy Hunt revealed last month that it’s time for his data breach service HIBP to ‘grow up’—Troy has manned the keyboard in isolation since he started HIBP in 2013, performing the tasks of an entire team with only two hands. We salute him for his contributions to the security community, wish him well and look forward to his next endeavor.
- No more ransom: Launched just three years ago, the No More Ransom project now hosts 82 tools that can be used to decrypt 109 different types of ransomware. Hats off to the leading contributor, Emsisoft, which released 32 decryption tools for 32 different ransomware strains.
- IoT DDoS Attacks: The Return: The largest Layer 7 DDoS, Mirai-style attack ever seen by Imperva utilized more than 400,000 connected devices earlier this year. The event raises the everlasting question: Why are so many IoT devices still not designed with security in mind?
- The past is the past: Court decides fate of WannaCry hero Marcus Hutchins: Despite being widely hailed as a hero for helping to stop WannaCry back in 2017, Hutchins was arrested by the FBI three months later for building and distributing Kronos malware between 2012 and 2015. However, the 25-year-old Brit has reportedly “turned a corner” by having changed focus towards ethical hacking, which spared him jail time in the US and may even give him a pardon from the court.
- Android ransomware is back: “Due to narrow targeting and flaws in execution of the campaign, the impact of this new ransomware is limited. However, if the operators start targeting broader groups of users, the Android/Filecoder.C ransomware could become a serious threat.”
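The cryptomining item above recommends that HDOs watch their regular traffic and CPU activity and investigate deviations. The script below is an added illustration of that idea, not code from Forescout or from any of the articles in this roundup: it builds a baseline from quiet-period samples, flags only sustained CPU deviations (so a single backup or scan spike is ignored), and checks whether new outbound connections were elevated in the same window. All the telemetry values are constructed sample data.

```python
"""Baseline-and-deviation check for cryptomining symptoms: sustained CPU load
together with an unusual rate of new outbound connections.

All telemetry below is constructed sample data, not real hospital metrics."""
from statistics import mean, pstdev
from typing import List, Tuple

# Constructed baseline: twelve hourly samples from a quiet period.
BASELINE_CPU = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13, 12, 14]    # CPU utilisation, percent
BASELINE_CONNS = [40, 45, 38, 42, 41, 44, 39, 43, 42, 40, 41, 44]  # new outbound connections per hour

# Constructed observation window: hours 3-7 show the pattern a miner leaves behind.
OBSERVED_CPU = [13, 14, 12, 88, 91, 90, 92, 89, 15, 13]
OBSERVED_CONNS = [41, 40, 43, 140, 150, 145, 148, 142, 42, 41]


def baseline(samples: List[float]) -> Tuple[float, float]:
    """Mean and population standard deviation of a quiet-period sample set."""
    return mean(samples), pstdev(samples)


def zscore(value: float, mu: float, sigma: float) -> float:
    """How many standard deviations `value` sits above the baseline mean.
    A zero-variance baseline makes any change infinitely significant."""
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def sustained_runs(samples, mu, sigma, z_threshold=3.0, min_run=3):
    """Index ranges [start, end) where the z-score stays above z_threshold for at
    least min_run consecutive samples. Single spikes (backups, scans) are ignored."""
    runs = []
    start = None
    for i, v in enumerate(samples):
        if zscore(v, mu, sigma) > z_threshold:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_run:
                runs.append((start, i))
            start = None
    if start is not None and len(samples) - start >= min_run:
        runs.append((start, len(samples)))
    return runs


def assess(cpu, conns, baseline_cpu=BASELINE_CPU, baseline_conns=BASELINE_CONNS,
           z_threshold=3.0, min_run=3):
    """For each sustained CPU deviation, check whether outbound connections were
    elevated in the same window. Both together are worth an analyst's attention."""
    cpu_mu, cpu_sigma = baseline(baseline_cpu)
    conn_mu, conn_sigma = baseline(baseline_conns)
    findings = []
    for start, end in sustained_runs(cpu, cpu_mu, cpu_sigma, z_threshold, min_run):
        window_cpu = mean(cpu[start:end])
        window_conns = mean(conns[start:end])
        conn_z = zscore(window_conns, conn_mu, conn_sigma)
        findings.append({
            "window": (start, end),
            "cpu_mean": window_cpu,
            "cpu_z": zscore(window_cpu, cpu_mu, cpu_sigma),
            "conn_z": conn_z,
            "connections_elevated": conn_z > z_threshold,
        })
    return findings


if __name__ == "__main__":
    for f in assess(OBSERVED_CPU, OBSERVED_CONNS):
        print(f"hours {f['window'][0]}-{f['window'][1] - 1}: CPU {f['cpu_mean']:.0f}% "
              f"(z={f['cpu_z']:.1f}), outbound connections elevated={f['connections_elevated']}")
```

The `min_run` guard is the important design choice: clinical imaging, nightly backups and vulnerability scans all produce short CPU spikes, and paging an analyst for each of them trains the team to ignore the alert. A miner, by contrast, keeps the CPU pegged for hours and usually maintains a steady stream of pool connections, which is why the two signals are correlated over the same window rather than reported separately.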