The Forescout Cyber Roundup is a weekly blog series highlighting some of the previous week’s cyber headlines and explaining why they matter. Each article includes a closer look at the potential implications of the news or event, predictions about what might happen next and suggestions for all readers, from the C-suite to end users. Articles are ordered by date, not necessarily priority.
Marriott Breach Exposes Far More Than Just Data (December 4, 2018)
Summary: Marriott International’s recent breach has compromised the names, addresses, and passport numbers for more than 327 million victims.
Why it matters: Historically, consumer breaches have focused on the financial impact and compromise of personally identifiable information (PII). However, in this case the historical record of the travel patterns, partners and activities of millions was also exposed. Marriott has already agreed to pay for passport replacements if the company finds that customers have been victims of fraud. This breach highlights the criticality of cyber inspection and due diligence in mergers and acquisitions (M&A). Companies acquire not only assets but also vulnerabilities. It is absolutely necessary that companies perform an extensive evaluation of a prospective company before a merger in order to minimize cybersecurity risks while enabling rapid change. Look at the security tools they use, determine if there’s an incident response team, ask about personnel cyber training, require the prospective company’s CISO or CRO to provide an in-depth look at their practices, policies, and protocols, and if they don’t have any in place, or don’t have anyone in charge of security, ask why. Cyber defense in depth can be costly and can delay an acquisition, but sound security vastly outweighs the price of a breach.
While it may take some time for Marriott to recover, the company has an opportunity to set a new standard for hotel cybersecurity best practices by responding responsibly to the breach, holding leadership accountable, and taking action to cement new cyber practices and tools across the company. Marriott has the opportunity to show consumers that it protects not only customers and their personal belongings during their stay, but their digital assets as well. Rather than being remembered as the company that suffered a massive breach in 2018, Marriott can become the company that others in the industry model their cyber practices after in 2019.
Huawei CFO Meng Wanzhou Arrested in Canada, Faces Extradition to United States (December 6, 2018)
Summary: Huawei’s Chief Financial Officer (CFO) has been arrested in Canada and faces extradition to the United States.
Why it matters: The Chinese company is making headlines again this week after CFO Meng Wanzhou was detained between flights in Canada. It’s currently unclear what exactly prompted the arrest, but many point to the suspicion that Huawei broke sanctions by selling telecom equipment to Iran. If you haven’t been following the story, check out last week’s roundup, which explains how the company is considered by many to be a threat to national security. In today’s technological cold war, we expect that it’s not just military and government leaders who will come under cyber fire and face charges. In the case of Huawei and other Chinese companies that are often majority owned by the state, the distinction between government leaders and business executives is blurry at best. This latest arrest is an escalation—one that may isolate the company beyond the point of recovery, or may result in Chinese retaliation. This headline is another reminder of the inherent risks within the supply chain and the increasing difficulty cyber professionals face when it comes to balancing application whitelist dependencies with hard-to-manage blacklists.
Over 100,000 PCs Infected with New Ransomware Strain in China (December 4, 2018)
Summary: Over 100,000 Chinese users were recently infected by a new strain of unnamed ransomware.
Why it matters: Ransomware is still making headline news, but that’s a trend that is starting to fade. Malicious actors are being identified more regularly, as evidenced by criminal charges against a North Korean hacker behind WannaCry and the recent indictment of the two Iranian men responsible for the SamSam ransomware. While that’s good news, it’s not the primary driver behind the decrease in ransomware attacks—after all, there’s no shortage of bad actors, and countering them is like a ceaseless game of Whack-a-Mole. Instead, the decline in ransomware attacks is largely due to the difficulty attackers have in actually collecting the ransom. In this newest attack, China’s WeChat is used to request payment—the same payment service previously used in other attacks that resulted in the arrest of the attackers. Again, it’s not just the arrests; victims often find it difficult to pay the ransom because they don’t understand how cryptocurrency works. As a result, attackers are turning to cryptocurrency mining as a more reliable and lucrative method.
Top CFOs Are Being Targeted by a Sophisticated Email Scam (December 4, 2018)
Summary: A Nigerian group known as “London Blue” is employing an increasingly common scam known as ‘business email compromise’.
Why it matters: While hackers are often thought of as operating in isolation out of a dark basement or a coffee shop, staring at a screen full of complex code, the reality is that there are myriad hacktivist groups that are well-organized, strategic and operate exactly like a business. Within the group, there are subgroups akin to business ‘departments’ with specific responsibilities and objectives: reconnaissance, social engineering and email marketing, to name a few. The groups often work 9-5, just like the employees of many legitimate businesses. That’s why we typically see spikes in attacks around major events like Black Friday and Cyber Monday, with increases in fraud attempts by as much as 150%. Spikes vary by industry, however, with July being the ‘fraudiest day in retail.’ Social engineering plays a significant role in this particular email scam, and it’s easier to pull off than you might think. It is critical that all employees, but especially those at the executive level, take a ‘trust but verify’ attitude before acting on any incoming email.
Adobe Fixes Zero-Day Flash Bug after Attackers Target Russian Clinic with Exploit (December 5, 2018)
Summary: In a new scam referred to as Operation Poison Needles, hackers exploited a critical vulnerability in a November 29 phishing operation targeting a Russian state health care institution.
Why it matters: This isn’t the first time we’ve seen zero-day exploits leveraged by malicious actors to target clinics or hospitals. Just earlier this year, a Moscow-based company offered zero-day exploits specifically for hospital software. Zero-days will remain a significant threat for the foreseeable future—even networks with good security in place are at risk when a zero-day exploit hits. It’s still important to maintain vigilant endpoint compliance and defenses against phishing attempts as well as USB devices, which are also frequently used to deliver a malicious payload, but when a zero-day is identified, it’s best to check regularly for vendor software patches and think before you click. As the research around this zero-day explains, the responsible party has yet to be identified with confidence, but some suspect a connection to an international incident along the Kerch Strait, during which Russian Federal Security Service border service coast guard boats fired upon and later captured three Ukrainian Navy ships. In an increasingly connected and complex world, we’re going to see more and more cyber-kinetic events.