Latest Cybersecurity News 2021-10-25 Edition

Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news

Weekly CyberTip: CyberToronto 2021

Cybersecurity Awareness Month may be winding down for another year, but the importance of being “cyber safe” never goes away. Looking for a forum to follow up on the insights you’ve gained over the course of the last month? Consider attending CyberToronto – a two-day, virtual conference that is taking place December 1-2, 2021. There are no sponsors or vendors involved: the event is run and funded by CyberToronto volunteers, and features a growing roster of industry speakers. Register at https://www.eventbrite.ca/e/cybertoronto-conference-2021-tickets-191961029607 or follow on social media at #cybertoronto.

Law firm report warns of risk of cyber attacks on Canadian auto dealers

In an October article in The Ontario Dealer, representatives from law firm Fogler, Rubinoff LLP highlight that the risk of cyber attacks on Canadian auto dealers is higher than ever, as are the potential costs.

Lawyer Justin M. Jakubiak and student Keira Zlahtic describe how Canadian auto dealerships are valuable targets for cyber criminals because of the volume of personally identifiable information they gather and store on prospective buyers (identity documents, credit applications, financing details). They warn that dealerships that fail to take appropriate measures to protect this private and potentially sensitive information are putting their customers at risk and exposing themselves to legal liability.

Global effort fights back against REvil ransomware gang

The notorious Russia-based ransomware gang REvil has been hacked and knocked offline by a global team of government and law enforcement groups. According to a report by Reuters, the FBI, U.S. Cyber Command, and Secret Service worked with partners in other governments to breach and sabotage REvil’s digital infrastructure.

REvil made global headlines when they were alleged to have masterminded the attack on meat processor JBS in June 2021 and, the following month, the supply-chain attack that pushed ransomware to customers through Kaseya’s VSA remote-management software, before temporarily suspending operations. As part of the investigation at the time, the FBI secured a copy of REvil’s universal decryptor and various pieces of intelligence about the gang’s infrastructure. When REvil resumed operations in September, they appear to have restored their servers from copies taken in July, which reopened the door for law enforcement to resume their investigation. The gang had been under surveillance for several weeks when the coordinated global operation disrupted their operations on October 20.

REvil’s data-leak site “Happy Blog”, where REvil operators published exfiltrated data and listed victims who refused to negotiate or pay, is now offline and inaccessible.

Chinese hack-a-thon breaches latest version of iOS in record time – twice

Forbes reports that hackers competing in the 4th annual Tianfu Cup – an international cybersecurity tournament held in the Sichuan provincial capital of Chengdu – penetrated a fully-patched iPhone 13 Pro with an attack that took only one second to execute.

According to the report, “Team Pangu, which has a history of Apple device jailbreaking, cemented its reputation in this regard by claiming the top $300,000 cash reward for remotely jailbreaking a fully patched iPhone 13 Pro running iOS 15.”

While technical details have not been published, an article in PatentlyApple describes how the hackers bypassed the Safari browser protection mechanism and exploited “multiple vulnerabilities in the iOS15 kernel and the A15 chip to perform a combined attack, successfully bypassing multiple security protection mechanisms, and obtained the highest control of the iPhone 13 Pro, allowing the hacker to obtain photo albums, apps and even directly delete data on the device or execute other arbitrary commands”.

Forbes reports that a second team also breached an iPhone running iOS 15.0.2 in just 15 seconds. As of October 24, iOS 15.0.2 remains the most recent release of Apple’s mobile operating system, so there is no patch available for the issues demonstrated at the competition.

U.S. agencies officially implicate BlackMatter gang on ransomware attacks on agriculture sector

An October 18 joint alert from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the NSA has officially laid the blame for two recent cyber attacks on agricultural concerns in the U.S. on the BlackMatter ransomware gang.

New Cooperative – a farm service provider based in Iowa – was hit by a ransomware attack on September 20, and faced a $5.9-million (USD) ransom. Just days later, Minnesota-based Crystal Valley was also attacked.

The alert warns that BlackMatter has been targeting a variety of critical infrastructure entities since July 2021, and provides a detailed examination of BlackMatter’s tactics, techniques, and procedures, along with recommended mitigations.

The law enforcement organizations noted that the BlackMatter ransomware-as-a-service operation is suspected to be a “rebrand” of DarkSide, the ransomware group that is alleged to have attacked Colonial Pipeline in May 2021, and suspended operations shortly afterwards. CISA issued an alert about DarkSide in May.

Iowa senators issued an open letter to the Department of Homeland Security seeking guidance and assistance in defending agricultural concerns against cyber threats, perhaps forgetting that the FBI had already issued a warning to the food and agriculture sector on September 1, weeks before the attacks.

Sinclair Broadcast Group slowly recovering from cyber attack

A week after hackers took down the corporate servers and systems of American TV conglomerate Sinclair Broadcast Group, operations are still in recovery mode. Sinclair, which operates 185 television stations with 620 channels across 86 American media markets, was attacked on October 16-17. The ransomware attack threw internal operations into chaos and interfered with local broadcast news, sports, and other scheduled programming. In a statement on October 18, Sinclair confirmed “that certain servers and workstations in its environment were encrypted with ransomware, and that certain office and operational networks were disrupted,” and that data had been exfiltrated from the corporate network.

On October 20, Bloomberg reported that the group behind the attack is the infamous “Evil Corp” ransomware gang, which is believed to be based in Russia. Evil Corp is also believed to be the same group that conducted a cyber attack against the Canadian, U.S., and Latin American operations of Japanese technology giant Olympus on October 10. In both the Sinclair and Olympus attacks, a malware variant known as “Macaw” was used to encrypt servers and workstations.

While most Sinclair programming services have returned to normal, multiple reports suggest that internal operations at the controversial broadcaster are still struggling. In a statement late last week, a spokesperson declined to address specific issues, but said: “Sinclair Broadcast Group continues to work diligently to restore the business operations that were disrupted by the recent cybersecurity incident. We are bringing the systems involved back online quickly and securely, and in a way that prioritizes critical business operations.”
