Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news
Weekly CyberTip: Stay current on alerts and advisories
Consider subscribing to services that offer current information about the latest vulnerabilities and how to manage them. Threat intelligence feed services provide insights about emerging patterns of attack seen in the wild; the Canadian Centre for Cyber Security (CCCS) has a dedicated alert and advisories page and RSS feed; and NIST’s National Vulnerability Database (NVD) provides companies a variety of ways to subscribe to the latest bug reports and advisories across hardware and software platforms.
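One practical way to act on the tip above is to consume an advisory feed automatically and flag only the entries that mention products you actually run. The following is an added example written for this page, not code from ISA Cybersecurity, the CCCS, or NIST: it parses a constructed RSS 2.0 sample (shaped like a typical advisory feed, not a real CCCS or NVD payload), extracts CVE identifiers, and matches each item against a constructed asset inventory. CVE-2021-37160 is the one identifier from the news items below; the other CVE IDs, URLs and product names are placeholders.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample feed (not a real CCCS or NVD payload), shaped like a
# typical RSS 2.0 advisory feed. CVE-2021-37160 is taken from the news item on
# this page; CVE-2021-99901 and CVE-2021-99902 are constructed placeholders.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Constructed advisories feed</title>
    <item>
      <title>Nexus Control Panel: multiple vulnerabilities in pneumatic tube stations</title>
      <link>https://advisories.example.invalid/item/1</link>
      <pubDate>Mon, 02 Aug 2021 14:00:00 GMT</pubDate>
      <description>Update Nexus Control Panel to 7.2.5.7. CVE-2021-37160 is not yet fixed; apply vendor mitigations.</description>
    </item>
    <item>
      <title>Remote access VPN appliance: authentication bypass</title>
      <link>https://advisories.example.invalid/item/2</link>
      <pubDate>Tue, 03 Aug 2021 09:30:00 GMT</pubDate>
      <description>Placeholder advisory referencing CVE-2021-99901 and CVE-2021-99902 (constructed IDs).</description>
    </item>
    <item>
      <title>Mail gateway: denial of service</title>
      <link>https://advisories.example.invalid/item/3</link>
      <pubDate>Tue, 03 Aug 2021 11:00:00 GMT</pubDate>
      <description>Placeholder advisory with no CVE assigned yet.</description>
    </item>
  </channel>
</rss>
"""

# Standard CVE identifier shape: CVE-<year>-<4 to 7 digits>.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b")


@dataclass
class Advisory:
    title: str
    link: str
    published: str
    description: str
    cve_ids: list = field(default_factory=list)


def parse_feed(xml_text: str) -> list:
    """Parse an RSS 2.0 feed and return one Advisory per <item>, with CVE IDs extracted."""
    root = ET.fromstring(xml_text)
    advisories = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        published = (item.findtext("pubDate") or "").strip()
        description = (item.findtext("description") or "").strip()
        # Collect CVE IDs from title and body, de-duplicated in first-seen order.
        cve_ids = list(dict.fromkeys(CVE_RE.findall(f"{title} {description}")))
        advisories.append(Advisory(title, link, published, description, cve_ids))
    return advisories


def match_inventory(advisories: list, inventory: list) -> list:
    """Return the advisories whose title or description mentions a product we run."""
    keywords = [k.lower() for k in inventory]
    hits = []
    for adv in advisories:
        haystack = f"{adv.title} {adv.description}".lower()
        if any(k in haystack for k in keywords):
            hits.append(adv)
    return hits


# Constructed asset inventory: the product names this organization cares about.
INVENTORY = ["Nexus Control Panel", "VPN appliance"]

if __name__ == "__main__":
    for adv in match_inventory(parse_feed(SAMPLE_FEED), INVENTORY):
        print(f"{adv.published} | {adv.title} | CVEs: {', '.join(adv.cve_ids) or 'none'}")
```

In a real deployment the feed text would come from the CCCS RSS feed or an NVD subscription rather than the embedded sample, and the inventory list would be generated from an asset register rather than typed by hand; the parsing and matching logic stays the same.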
New IoT vulnerability may affect 80% of hospitals in North America
Healthcare manufacturer Swisslog Healthcare has confirmed a set of nine vulnerabilities affecting the Nexus control panel of their Translogic pneumatic tube system (PTS) stations. This technology is believed to be used in more than 80% of major hospitals in Canada and the United States.
The flaws, which researchers have collectively dubbed “PwnedPiper”, could allow an attacker to seize control of all connected PTS stations and hold them for ransom.
A new version of Nexus Control Panel – version 7.2.5.7 – has been released. It resolves eight out of the nine vulnerabilities. The ninth, CVE-2021-37160, is due to be patched in a future release. In the meantime, the reports on Swisslog Healthcare’s website explain mitigation strategies to protect their IoT devices until a comprehensive patch is available.
Global cybersecurity agencies issue joint threat advisory
On July 28, four of the world’s leading cybersecurity agencies issued a joint advisory notice that provides details and mitigation strategies for 30 of the top global vulnerabilities being exploited today.
The Australian Cyber Security Centre (ACSC), the U.K. National Cyber Security Centre (NCSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Federal Bureau of Investigation (FBI) co-authored and published the reports in an important display of cooperation against the shared threat of cybercrime.
The comprehensive report provides a one-stop resource describing each of the 30 common vulnerabilities and exposures (CVEs) identified by the agencies. The CVEs are presented in two lists: the first highlights the most heavily exploited risks seen in 2020, while the second presents the leading threats identified so far in 2021. Details on available fixes, recommended mitigations and detection strategies, and reference material are presented.
The report noted that “four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies”. This is an area of particular concern given that rapid growth in remote work arrangements has made it difficult for some organizations to keep pace with patch management and security hardening. Many of the vulnerabilities mentioned were identified months – or even years – ago, creating frustration that attacks are still successfully exploiting well-known flaws.
Organizations are strongly encouraged to review their environments and take steps to avoid falling victim to these often-avoidable risks.
“BlackMatter” ransomware group announces start of operations
In a July 21 posting on a new darkweb website, ransomware threat actors called “BlackMatter” announced the start of criminal operations. BlackMatter claims to combine the most potent features of the now-defunct Darkside and REvil ransomware groups, while leveraging “LockBit” malware to conduct attacks.
The new threat actors are pursuing access to corporate networks in Canada, the U.K., the United States, and Australia. The group has placed guidelines on the use of its services, indicating that targeted victims must have a revenue of $100 million (USD), have between 500 and 15,000 hosts in their network, and must not have been previously attacked by other ransomware gangs. Further, the group prohibits attacks against certain industries and sectors:
– hospitals
– critical infrastructure (e.g., nuclear or other power plants, water treatment facilities)
– oil and gas industry (e.g., pipelines, oil refineries)
– defense industry
– non-profit companies
– government sector
BlackMatter even goes to the extent of promising free decryption for any victimized companies on the banned sector list that are inadvertently attacked using the ransomware service.
Ironically, the criminal group touts its honesty on its web page: “We rely on honesty and transparency in our dealings with our victims. We never attack the company twice and always fulfill our obligations.”
They are clear about their intentions, however: “We are a team that unites people according to one common interest – money.”
D-BOX recovering from mid-July ransomware attack
In a press release on July 29, Longueuil, Quebec-based immersive entertainment technology provider D-BOX announced that it is “gradually resuming its activities” following a ransomware attack first publicly disclosed on July 14. “All major IT systems have been restored and the restoration work should be finalized in the next few weeks,” continued the announcement.
The original attack that disrupted operations is believed to have been limited to internal systems; services to D-BOX customers, which include studios and theatre operators, were not affected.
Sebastien Mailhot, President & CEO of D-BOX, praised the efforts of the incident response teams involved in managing the incident. He also sought to reassure investors in the company by advising: “The Corporation believes that the financial impact of this cyberattack on the [company’s] results should be negligible.”
There still has been no official confirmation on the source or nature of the attack.
Calgary parking authority inadvertently exposes driver data online
According to a report by TechCrunch, the Calgary Parking Authority (CPA) left an open database containing months’ worth of log data and personal driver information exposed on the Internet.
The parking authority’s website and social media channels had not acknowledged the incident by August 2. However, according to the report, Christina Casallas, a spokesperson for the authority, has confirmed that the server had been exposed since May 13. The authority also advised the researchers that the exposure was due to human error, and that an investigation has been launched to try to determine whether there had been any unauthorized external access to the database over the past 2½ months.
According to the report, information like “full names, dates of birth, phone numbers, email addresses and postal addresses, as well as details of parking tickets and parking offenses — which included license plates and vehicle descriptions — and in some cases the location data of where the alleged parking offense took place,” were available in the database. In some cases, partial payment card numbers and expiry dates were in the log files as well. The files were neither password-protected nor encrypted.
The parking authority secured the database server within a day of notification by the security researchers, who estimate that thousands of individuals may be affected by the potential disclosure.