
Latest Cybersecurity News 2021-06-28 Edition

Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news

Weekly CyberTip: Watch out for phishing

If you receive a vague request for help via email, particularly from someone you haven’t been in contact with recently, be suspicious! Contact them by phone or text, or otherwise firmly establish the person’s identity before providing any assistance. Check out today’s “Checking in” scam advisory for more information. 

Phishing Alert: “Checking in” scam   

There have been numerous recent reports of a straightforward – but potentially costly – phishing scam making the rounds. A victim’s personal mailbox is breached by a threat actor, who then crafts an innocent-looking email entitled “Checking in” and sends it to every party mentioned in the mailbox. It is not just the contacts or address book that is harvested – the hacker also traverses the “cc” lists on emails to spread the attack even further. The bogus email message contains brief pleasantries like “I hope this email finds you well,” or “Hope you’re enjoying the warmer weather,” but concludes with “Are you busy? I need a little favor from you.” 

The hacker then actively watches for email responses, personally engaging with any respondents to ask for emergency e-transfers of money or gift card numbers, supposedly to help the sender out of a jam. Take precautions to prevent this kind of attack by implementing two-factor authentication, and react quickly if you discover you have been breached: change your email password immediately and monitor your emails carefully. 


Wave of Internet attacks deletes data from Western Digital storage devices

Storage hardware manufacturer Western Digital has issued a notice warning users about a new series of attacks targeting its “My Book Live” and “My Book Live Duo” network-attached storage (NAS) devices accessible from the Internet. 

According to the June 24 bulletin, unknown threat actors have begun exploiting a 2018 vulnerability to gain access to the storage devices and issue “factory reset” commands that erase all data and settings on the external drives. The bug – tracked as CVE-2018-18472 – allowed hackers to bypass authentication on the NAS devices and run commands with root privileges, armed with only the IP address of the device on the Internet. Original concerns about the vulnerability revolved around threat actors deploying ransomware, exfiltrating data, launching cryptomining activities, or commandeering the devices for use in DDoS attacks. However, it is believed that a new threat actor performed a mass scan of the Internet for vulnerable devices and exploited the bug to issue the factory reset command on any available unit.  

The extent of Western Digital’s advice to mitigate the risk of further incidents is to disconnect the devices from the Internet, as no patches will be forthcoming. The “My Book Live” series of NAS devices received its final firmware update in 2015. In 2018, when the vulnerability was first identified, a report estimated about two million of the devices were still accessible on the Internet.  

While the provincial government agrees there are some improvements to privacy law in the new bill, there is still significant room for improvement. In the white paper, the government also signaled that Ontario is prepared to proceed with its own privacy law if national consensus on further changes to C-11 cannot be agreed upon. 

Microsoft reports new attacks from NOBELIUM hacking group

The Microsoft Threat Intelligence Centre has reported new activity from the Russia-based NOBELIUM threat actor group. NOBELIUM, also known as APT29, is widely thought to have been responsible for the SolarWinds hack in late 2020. 

The June 27 bulletin revealed that NOBELIUM allegedly launched a wave of “password spray” and other brute-force attacks against global targets in recent days. Nearly half of the activity was focused on American interests, followed by 10% in the United Kingdom. Some 36 countries were attacked in all. The targeted entities were “primarily IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services,” according to the bulletin. 

Microsoft reported that, to date, the recent wave of attacks had been largely unsuccessful, with only three entities having been compromised. While not naming the victims publicly, Microsoft did confirm that it had notified the entities through its “nation-state notification process”. 

Microsoft implied that the minimal success of the attacks was due to the use of multi-factor authentication and the deployment of zero-trust security architectures.  
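The password-spray activity described above, as an added defender-side example that is not from the Microsoft bulletin or this newsletter: a detector run over constructed sign-in log lines (the log format, addresses and account names are assumptions) that keys on distinct accounts attempted per source address, which is what separates spraying from ordinary per-account brute force and what per-user lockout thresholds miss.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data): timestamp, source IP, account, result.
# 203.0.113.7 tries one password against many accounts; 198.51.100.3 retries one account.
SAMPLE_LOG = """\
2021-06-25T10:00:01Z 203.0.113.7 alice@example.org FAIL
2021-06-25T10:00:04Z 203.0.113.7 bob@example.org FAIL
2021-06-25T10:00:09Z 203.0.113.7 carol@example.org FAIL
2021-06-25T10:00:13Z 203.0.113.7 dave@example.org FAIL
2021-06-25T10:00:20Z 203.0.113.7 erin@example.org FAIL
2021-06-25T10:00:25Z 203.0.113.7 frank@example.org SUCCESS
2021-06-25T10:01:00Z 198.51.100.3 alice@example.org FAIL
2021-06-25T10:01:05Z 198.51.100.3 alice@example.org FAIL
2021-06-25T10:01:10Z 198.51.100.3 alice@example.org SUCCESS
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_password_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: set_of_accounts} for sources whose failed sign-ins hit at least
    `min_users` distinct accounts inside any `window`-long sliding interval.  Counting
    distinct accounts per source (rather than failures per account) is the spray signal:
    each account sees only one or two failures, so per-user lockouts never trigger."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts[ip] = users
    return alerts


def successes_after_spray(log_text, alerts):
    """List (account, source_ip) for sign-ins that succeeded from a spraying source:
    these are the accounts to step up to MFA, reset, and review first."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return sorted((user, ip) for _, ip, user, result in events
                  if result == "SUCCESS" and ip in alerts)
```

Feeding real sign-in exports through `parse_line` needs only a format change; the thresholds should be tuned to the tenant's normal failure rate so that shared NAT egress addresses do not alert on their own.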


CanSSOC announces no-cost threat feed service for research and education sectors 

On June 18, the Canadian Shared Security Operations Centre (CanSSOC) announced that funding is now being provided to allow them to offer their cyber threat feed service to eligible research and education (R&E) organizations at no cost. CanSSOC is a not-for-profit organization that helps coordinate people, technology and processes to help research and educational institutions defend themselves against cybersecurity threats. 

The funding was provided by CANARIE (formerly the Canadian Network for the Advancement of Research, Industry and Education) through its Cybersecurity Initiatives Program (CIP). CANARIE is the not-for-profit organization that operates the backbone network of Canada’s national research and education network (NREN). 

CanSSOC describes the feed service, which was launched as a pilot in June 2020, as “uniquely [serving] the R&E sector by identifying emerging threats based on intelligence shared among trusted national and global partners”. According to their announcement, the threat feed “aggregates and curates threat intelligence from public and private cybersecurity organizations and open-source feeds to deploy directly into organizations’ existing firewalls to block malicious traffic”. As with other threat intelligence feeds, the real-time data presented can be used to monitor and prioritize threats, or even block suspicious activities altogether. 

The news of the support for the threat feed comes on the heels of the May announcement that CanSSOC is entering a partnership arrangement with cybersecurity agencies in the United States, the U.K., and Australia to address the vulnerability of higher education institutions to cyberattacks and share real-time data to mitigate those risks on a global level. 

To enquire about eligibility to participate in the threat feed program, a research or educational institution must first enroll in the CIP. For more information or to start the process, organizations may contact the appropriate provincial or territorial NREN partner. Organizations that are already participating in the CanSSOC pilot can continue to use the service once they have enrolled in the CIP. 
