Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news
Weekly CyberTip: Attend CyberToronto 2023!
The CyberToronto 2023 conference is being held December 6 from 10:00 a.m. to 4:00 p.m. ET. The fourth annual, all-virtual, all-free event focuses on the cybersecurity community in the Greater Toronto Area, featuring cyber expert speakers and networking opportunities for newcomers to the industry, students, and seasoned professionals alike. The event has no direct sponsor or vendor involvement, but is presented in partnership with Toronto-based community organizations ISC2 Toronto Chapter, OWASP Toronto Chapter, ASIS Toronto, and Leading Cyber Ladies Toronto.
Event attendance qualifies participants for up to 6.5 ISC2 – formerly branded (ISC)2 – CPE credits.
Dozens of U.S. credit unions affected by third-party ransomware incident
A cybersecurity incident at Maryland-based cloud service provider Ongoing Operations has caused service disruptions for approximately 60 credit unions in the United States. An isolated segment of the MSP’s network was affected by the incident, with teams now working “working around the clock to minimize service interruptions wherever possible and to ensure the safety of information stored on our systems,” according to the December 2 update on the incident.
While the organization has not confirmed the nature of the attack, which was first identified on November 26, the Citrix Bleed vulnerability is widely believed to be involved in the breach. Exploits of Citrix Bleed – which was identified and patched on October 10 – have been behind a number of cyber incidents in recent weeks. Organizations using affected versions of customer-managed NetScaler ADC and NetScaler Gateway products are urged to patch as soon as possible.
Anglican Church targeted in cyber attack
The office of General Synod of the Anglican Church has been targeted by cyber attackers who used a business email compromise (BEC) attack to steal funds from its bank account, according to November 25 statement from Archbishop Linda Nicholls, primate of the Anglican Church of Canada: “Hackers, possibly from abroad, executed a targeted attack of an employee’s email account using information available online.” All funds stolen have since been fully reimbursed by the financial institution, she added.
Clare Burns, Chancellor of General Synod, has advised that no individual personal financial information was leaked or accessed in the attack.
Staples systems back up after cyber incident
According to a statement (since removed) on Staples’ U.S. website home page, the office supply giant identified a cybersecurity risk on November 27, leading to a temporary disruption to backend processing, delivery capabilities, communications channels, and customer service lines as a result of their reaction to the risk.
Multiple reports described an array of internal Staples operational issues in Canada and the United States as a result of the incident: staff were instructed not to use single-signon logins or answer phone calls, and could not access help desk applications, employee portals, print emails, etc.
All stores remained open, and normal services were reportedly restored by November 30. Staples has not publicly disclosed the nature of the risk identified.
13 Canadian federal departments and agencies using personal data extraction tools
According to a report by Radio-Canada, “tools capable of extracting personal data from phones or computers are being used by 13 federal departments and agencies,” in Canada. The tools involved can be used to recover and analyze data – including information that has been encrypted or password-protected – from computers, mobile devices, or even users’ cloud-based data in some cases. Information like texts, personal contacts, photos, travel history Internet search history, social media activity, and deleted content can be accessed by these tools.
According to the report, the agency use of these investigative tools did not undergo a privacy impact assessment (PIA), as required by a directive from the Treasury Board of Canada Secretariat (TBS). PIAs are supposed to be conducted prior to any new activity that involves the collection or handling of personal information. They are an important exercise to be conducted in order to identify privacy risks inherent in handling personal and confidential data, and identify ways to mitigate or eliminate those risks.
Public service organizations were quick to speak out about the revelation of the use of these tools, with the Public Service Alliance of Canada expressing concern and Jennifer Carr, president of the Professional Institute of the Public Service of Canada, saying: “We need to make sure that if our personal information is gathered, that we know about what information is gathered, how it’s being used and how it could be affected if there are others who were able to access that.”
Feds briefing Canadian energy sector on cyber risk
According to a November 25 report in the Globe & Mail, federal security officials have been “briefing leaders of major energy and utility firms” on the risks of cyber threats to the energy sector. The report was based on a “newly disclosed Public Safety Canada memo [that] reveals a secret-level June meeting was part of a strategy to raise awareness among company executives about the dangers from malicious cyberactivity — reaching beyond the technical experts who already know about the risks.”
According to the memo, the confidential briefings were co-hosted by Public Safety, Natural Resources Canada and the Communications Security Establishment (CSE), and suggests that Public Safety is exploring additional approaches to reach with industry, academia, and provinces and territories with important messages about cyber threats.
The vision, as with the June briefing, “is to reach company executives, as opposed to only the technical experts who are already aware of the risks,” the memo adds.
“Engaging with company executives is critical to embed security across the business ecosystem and ensure a collective approach to strengthening our cyber resilience.”