Cyberattacks take down Ukrainian military and bank websites
On Tuesday, the websites of Ukraine’s military and two of its largest banks, PrivatBank and Oschadbank, were victimized by coordinated cyberattacks resulting in website outages, defacement, disruption of online transactions and country-wide ATM outages. Officials are blaming massive DDoS attacks for the disruptions as they scramble to restore services. The attacks come on the heels of Ukraine accusing Russia of waging a “massive wave of hybrid warfare” which included the recent take-down of a Russian-controlled bot farm used to propagate disinformation campaigns via social media. The Security Service of Ukraine (SBU) has urged citizens to remain calm, think critically and seek news only from official sources.
(The Register and Infosecurity Magazine)
Super Bowl ad shines a light on QR code risks
This year’s Super Bowl commercial blitz included an ad from Coinbase which featured a colorful QR code ricocheting against the sides of the frame. Those who scanned it were redirected to a promotional website offering $15 worth of free Bitcoin (if they were a new customer) and a chance to enter a three million dollar giveaway. The ad was so popular that Coinbase’s website crashed as a result of incurring more than 20 million hits over the course of one minute. Coinbase’s app also rocketed from 186th to the second most downloaded app in the App Store. While deemed a success by Coinbase, security experts are warning the public to be on the lookout for threat actors who may repost the popular commercial on social media with an updated and malicious version of the QR code.
CISA directs agencies to patch actively exploited Chrome and Magento bugs
The US Cybersecurity and Infrastructure Security Agency (CISA) has added nine new flaws to its list of actively exploited vulnerabilities, including two recently patched zero-days. The first is a high severity Chrome vulnerability (CVE-2022-0609) that can allow attackers to execute arbitrary code or escape the browser’s security sandbox on computers running unpatched Chrome versions. The second is a critical remote code execution flaw (CVE-2022-24086) being actively used to target Adobe Commerce and Magento Open Source versions 2.4.3-p1/2.3.7-p2. CISA has directed all Federal Civilian Executive Branch (FCEB) agencies to deploy patches for these two vulnerabilities by March 1, 2022.
Over half of hospital IoT devices contain critical security vulnerabilities
According to the 2022 State of Healthcare IoT Device Security report from Cynerio, 53% of Internet of Things (IoT) devices used in hospitals were found to contain critical security vulnerabilities. The report revealed that 79% of IoT devices are used at least monthly in a hospital setting, which narrows available patching timeframes. The report also highlights that the devices facing the highest level of security risk include IV pumps, Voice over Internet Protocol (VoIP) phones, ultrasound machines, medicine dispensers, and IP cameras.
Mizuno orders delayed by ransomware attack
The Japanese sports equipment and sportswear company fell victim to a ransomware attack on its US corporate network over the weekend of February 4th. The attack caused phone outages and website issues, with customers reporting that support reps were unable to access existing orders or print shipping labels, potentially delaying orders for up to a month. The outage also affected Mizuno resellers, who could no longer place orders using Mizuno’s ‘Direct Connect’ B2B website. The timing of the attack was poor, as Mizuno launched their eagerly awaited Pro 221, 223, and 225 golf irons on February 3rd, which had been pre-ordered by many customers.
Apple security flaw under active exploit
A high-risk remote code execution vulnerability has been discovered in Apple products, which could allow an attacker to assume the security permissions of a user who views a specially crafted web page. Apple is aware of a report that CVE-2022-22620 may have been actively exploited. Affected systems include iOS and iPadOS prior to 15.3.1, macOS Monterey prior to 12.2.1, and Safari prior to 15.3. Users are urged to apply available patches after appropriate testing and to run all software as a non-privileged user.
(Center for Internet Security)
Three-fifths of cyber-attacks in 2021 were malware-free
According to CrowdStrike’s 2022 Global Threat Report, ransomware-related data leaks surged by 82% in 2021, but 62% of these attacks involved no malware at all. Instead, threat actors used legitimate credentials to access networks and then “living off the land” techniques to achieve lateral movement once inside. Such tactics help them bypass detection by legacy tools, but not current network monitoring and other behavior-based security. The report also noted that industrial, engineering, and manufacturing sectors were most frequently hit and that ransomware-related demands increased to an average of $6.1m per incident, up 36% from 2020.
Journalist won’t be prosecuted for viewing source code
Missouri officials have decided not to prosecute Josh Renaud, a reporter for the St Louis Post-Dispatch, who faced potential hacking charges for viewing the source code of Missouri’s Department of Elementary and Secondary Education’s (DESE) website. Renaud found that the site’s client-side source code, which is publicly viewable by anyone through a web browser, exposed the Social Security numbers of school personnel. Missouri Governor Mike Parson (R) publicly accused Renaud of hacking, stating “It is unlawful to access encoded data and systems in order to examine other people’s personal information.” The governor’s claims have been widely ridiculed by cybersecurity and legal experts. Renaud stated, “This decision is a relief. But it does not repair the harm done to me and my family.”






