Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news
Weekly CyberTip: Secure your family over the holidays
SANS has published an excellent guide to beefing up online security for your family over the holidays this year. The portal presents checklists for hardening new devices, digital safety while traveling or shopping online, and informative videos on protecting your home, backing up personal information, and protecting children’s privacy online.
HP issues patches for more than 150 MFP models
HP has issued patches for a series of vulnerabilities affecting more than 150 models of their multi-function printers (MFP). Scores of HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed devices are affected by the vulnerabilities.
The first pair of software bugs is tracked under CVE-2021-39237. Here, affected printers suffer from access port vulnerabilities that expose the devices to potential information disclosure. Because a successful exploit requires physical access to the printer, these vulnerabilities are rated as “high”.
Meanwhile, CVE-2021-39238 describes two font parsing vulnerabilities that expose affected printers to compromise through a potential buffer overflow. These vulnerabilities are considered critical.
The resolution for all issues is to upgrade each printer’s firmware as soon as possible. MFPs are often forgotten as threat vectors, but their network presence, local storage capacity, and widespread user interaction create attack opportunities when security vulnerabilities are identified. Threats from compromised printers can include unauthorized configuration changes, print job manipulation, accessing spooled print jobs from memory, or even acting as a launchpad for further cyber attacks.
Organizations are encouraged to keep printers and MFPs current with patches, just as they should with other hardware devices, software applications, and operating systems.
New playbook for threat modeling medical devices
Seeing growing concerns about cybersecurity in the healthcare sector, MITRE and the Medical Device Innovation Consortium (MDIC) have released a new document seeking to help manufacturers of Internet of Medical Things (IoMT) devices improve the security of their products. The “Playbook for Threat Modeling Medical Devices” was published November 30 and is available for free download from the MITRE and MDIC websites.
In developing the detailed playbook, the Food & Drug Administration (FDA) in the United States partnered with MITRE and MDIC, approaching medical device manufacturers to run a series of threat-modeling bootcamps and conduct interviews with in-house experts. The new document is designed to help manufacturers create threat models and analysis in a systematic and consistent way, building in device security at the design stage.
Cisco Canada and STEM Fellowship announce high school cybersecurity program
Cisco Canada and the STEM Fellowship are launching a new “Cybersecurity Classroom Training Program” (CCTP) for Canadian high schools. The program focuses on raising cyber awareness and imparting practical digital skills at a younger age. The goal of the program is to reach 2000 teachers and 40,000 students by 2023. The free courses will include instructional modules, labs, and quizzes in a wide range of topic areas including incident preparedness, defensive strategies, digital business, digital art and culture, and digital health.
Teachers interested in getting started with the program are encouraged to contact the STEM Fellowship at cctp@stemfellowship.org to learn more.
Report identifies threat actors targeting health, education, critical infrastructure
A new report from Mandiant reveals that a ransomware group called Sabbath has been targeting critical infrastructure in Canada and the U.S. since June 2021. The education, health, and natural resources sectors have been a key focus for the group.
According to the report, Sabbath is the latest branding for the threat actor group “UNC2190”, which has previously operated under the names Arcane and Eruption. Sabbath began looking for partners to launch a new ransomware affiliate program in September 2021, then created a dark web site called 54BB47h (its characters resembling the word Sabbath) in October. Since mid-November alone, the report indicates that six new victims have been added to the Sabbath website.
UNC2190 has been in operation at least since 2020, when they were posting on various Russian-language dark web forums searching for partners with access to commercial networks. At the time, UNC2190 offered to pay a percentage of ransom payments collected to any hackers that could provide access, exfiltrate stolen data, delete backups, or carry out other aspects of their ransomware operation.
The Mandiant report provides background on threat hunting strategies and indicators of compromise for organizations looking to defend against the threats posed by UNC2190 under its latest operating name of Sabbath. Organizations, particularly those in the targeted sectors, are encouraged to review and update their defensive strategies.