Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news
Weekly CyberTip: Watch out for Omicron variant phishing scams
As concerns mount over the Omicron variant of COVID-19, threat actors are escalating their efforts to capitalize on the situation. Be on the lookout for unsolicited emails, texts, or phone calls regarding rapid or PCR tests; miracle cures; bulletins regarding closures; or government financial relief programs – all of these have been reported in recent days. Rely on trusted and verifiable news sources, and steer clear of potential attempts to harvest personal or financial information.
Log4j update: version 2.17.1 released
Apache has released another update to its embattled Log4j logging software – the latest version is now 2.17.1, available since December 28. While global recognition and response to the vulnerability have been significant, attacks and breaches involving Log4j are still being reported frequently. The Conti ransomware gang has continued to use the vulnerability to target VMware systems, and threat actors have been able to compromise some high-profile targets like the Belgian Ministry of Defence.
Microsoft Exchange suffers “Y2K22” bug
Implementations of Microsoft Exchange Server 2016 and 2019 stopped delivering messages on New Year’s Day this year due to a design flaw nicknamed the “Y2K22 bug”, in a nod to the Y2K bug of 2000. The naming convention Microsoft uses for its malware-scanning engine in Exchange puts the year, month, and day (220101) at the front of another four-digit number (0001): on January 1, 2022, the number generated by this standard exceeded what the system was designed to store, triggering error messages and halting email delivery.
Microsoft was quick to reassure customers that the problem is “not a failure of the AV engine itself,” and “is not an issue with malware scanning or the malware engine, and it is not a security-related issue. The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues,” and released a patch shortly afterwards.
While the issue is not a security-related concern, urgent customer action is required. Microsoft’s blog provides detailed instructions for both automated and manual resolutions to the problem.
Florida health network reveals data breach
In a January 1 statement, the health network servicing Broward County in south Florida disclosed a breach affecting over 1.3 million patients and staff. In the statement, Broward Health revealed that the October 15 breach disclosed a trove of data including names, addresses and phone numbers, Social Security numbers, bank account information, and medical history data, insurance account information, driver’s license numbers, email addresses and treatments received.
When the breach was discovered on October 19, the health centre “promptly contained the incident, notified the FBI and the Department of Justice (DOJ), required a password reset for all employees and engaged an independent cybersecurity firm to conduct an investigation.” However, breach notifications were delayed for months at the request of the DOJ, so the communications would not compromise the initial stages of the law enforcement investigation. That investigation is still ongoing.
The health network is offering two years of identity theft protection services, has now reportedly implemented multifactor authentication for all users of its systems, and has established “minimum-security requirements for devices not managed by Broward Health Information Technology with access to its network,” in response to the breach.
Due to the nature and scope of the information disclosed, the notice also warned affected patients and staff that they are now vulnerable to medical identity theft. The hospital urged those affected to monitor their benefits statements and financial accounts for signs of abuse or fraud.
2021 privacy news summary
While bill C-11 may not have survived the fall federal election in Canada, privacy remains on the radar for provinces and the federal government alike. Emerging legislation is certain to have an impact on data governance and breach reporting requirements. In a recent report, IT World Canada presents the highlights of privacy news in 2021, and a look at what might be in store for 2022 and beyond.
2021 cyber news summary
Headlined by the Colonial Pipeline, Kaseya, and Log4j cyber incidents, 2021 was hectic year in the cybersecurity space. Security news website ZDNet presents a month-by-month summary of the biggest hacks and data breaches of the year.