In today’s cybersecurity news…
Nvidia becomes world’s most valuable company
Not directly a cybersecurity story, but undeniably central to the business, Nvidia has just become the world’s most valuable company following a new share price surge on Tuesday. The company is now worth $3.34TN, surpassing Microsoft and Apple. The rise in its value has largely been driven by the need for the chips used for artificial intelligence (AI). For some context, eight years ago, the company’s stock was worth less than 1% of its current price and at that time was mostly in competition with AMD, in a race to make the best graphics cards.
(BBC News)
Markopolo scam delivers infostealer through fake meeting software
A cautionary tale from the world of crypto this week: a scam run by the threat group markopolo is stealing cryptocurrency with malware delivered through a “purported virtual meeting software named Vortax.” In an analysis published this week, Recorded Future’s Insikt Group said this represents a significant rise in macOS security threats. The researchers say the malware’s success is based largely on work done to “legitimize Vortax on social media and the internet, with the actors maintaining a dedicated Medium blog filled with suspected AI-generated articles as well as a verified account on X (formerly Twitter) carrying a gold checkmark.” The malware is delivered by an installer disguised as the downloadable executable for the Vortax meeting application.
Medibank hack blamed on MFA failure
Following up on a story we have been covering regularly, Australia’s data protection regulator, the Office of the Australian Information Commissioner (OAIC), has revealed through court documents that the 2022 cyberattack on health insurance provider Medibank was likely caused by a lack of multi-factor authentication. Earlier this month we reported that the regulator had alleged Medibank “failed to take reasonable steps to protect personal information.” This statement has now been upgraded in a report released this week by the OAIC which now says the attack was “likely caused because the company neglected basic cybersecurity measures, including requiring its workers to use multi-factor authentication to log onto its VPN.”
U.S. and Indonesia hold joint exercise on security for shipping ports
The U.S. and Indonesia together held their first cybersecurity tabletop exercise last week, designed to better prepare for “attacks on maritime critical infrastructure.” The exercise took place in Surabaya, Indonesia, between June 10 and 13, and provided simulations of cyber incidents and ransomware attacks aimed at port operations, ship-to-shore cranes and other aspects of maritime activity. The event was coordinated by the U.S. Department of Homeland Security (DHS) along with private sector companies in Indonesia.
G7 to develop cybersecurity framework for energy sector
In an announcement made on Tuesday, the member nations of the G7 have agreed to develop a cybersecurity framework for operational technologies in energy systems that targets manufacturers and operators. Its intention is to “bolster the cybersecurity of the global supply chain for critical technologies used in the management and operation of electricity, oil, and natural gas systems worldwide. The [G7] comprises Canada, France, Germany, Italy, Japan, the UK, and the U.S.”
Federal contractors pay for cybersecurity lapses
Two federal contractor companies that were hired during the Covid-19 pandemic to create an emergency rental assistance program (ERAP) for the state Office of Temporary and Disability Assistance (OTDA) are now required to pay a total of $11.3 million in civil penalties after admitting they failed to properly test the system’s security. This failure violated the False Claims Act, a law more than a century old that is specifically intended to “protect the government from contractors who misrepresent the quality of their services.” The Office of Temporary and Disability Assistance closed down the ERAP website 12 hours after it went live, after determining that “certain applicants’ personally identifiable information (PII) had been compromised and portions were available on the internet.”
Gym chain Total Fitness suffers breach
The UK fitness group has been exposed by researcher Jeremiah Fowler, who says he discovered “an unsecured database containing the images of 470,000 members and staff – all accessible to anyone on the internet, no password required.” Speaking to The Register, he added that he had “also uncovered images of members’ identity documents, banking and payment card details, phone numbers, and even – in some cases – immigration records.” Representatives of Total Fitness disputed the extent of the data breach, saying that members’ images comprised a “subset” of the database, and that most images did not contain personally identifiable information, but Fowler claims that members’ images took up roughly 97% of the database. The company has now secured the database, and has reported the breach to the UK’s data regulator, the Information Commissioner’s Office (ICO), for investigation.
Cybersecurity burnout costing firms more than $700M annually
A report from Hack the Box, a cybersecurity training center, suggests that “British and U.S. enterprises may be throwing away as much as $756m each year through lost productivity due to burned-out cybersecurity staff.” The research claims 84% of responding cybersecurity professionals are “experiencing stress, fatigue and burnout due to the rapid pace of technological change, mounting threat volumes and being forced to perform outside their skillset, and that three-quarters (74%) have taken time off due to work-related mental well-being problems.”






