Latest Cybersecurity News 2022-01-10 Edition

Weekly CyberTip: Cybersecurity for smart home technology

Many people may have picked up new tech for their homes over the holidays. But remember that smart devices may create potential entry points to other parts of your home network. Make sure to research and implement security best practices for your new gear, including changing default passwords, fully patching before using the equipment, enabling automatic patches where possible, and limiting the access and data collected by the device and manufacturer to the minimum necessary.

Montreal tourism agency confirms cyber attack

According to a January 4 report in IT World Canada, Tourisme Montréal, a non-profit organization committed to promoting tourism in Montréal, confirmed that it was victimized by a cyber attack in early December. Tourisme Montréal has not yet confirmed what ransom demands were made, or whether personal information was disclosed in the breach.

The attack was reportedly carried out by the Karakurt hacking gang who, in their “Winter Data Leak Digest”, named the tourism agency among eleven targets they had allegedly compromised. The other organizations allegedly breached include a Quebec-based construction firm, a Quebec-based bathroom designer, a Canadian First Nation, a Western Canadian data management firm, and a Western Canada-based heavy equipment manufacturer.

According to a report in Bleeping Computer, Karakurt differ from most ransomware attackers in that they do not encrypt data, but focus solely on data exfiltration and extortion, threatening to release or sell stolen data unless a ransom is paid. First active in June 2021, Karakurt ramped up their attacks in the second half of the year, reportedly compromising over 40 sites and posting downloadable, stolen file packs on their sites. According to Bleeping Computer, about “95% of these victims are based in North America, while the rest are European entities. Karakurt isn’t focused on a particular industry, so the victimology appears random.”

Attackers targeting Google Docs comments

In a January 6 report, researchers from Check Point subsidiary Avanan reported a “new, massive wave of hackers leveraging the comment feature in Google Docs” in December 2021. According to the report, the exploit was first identified and reported to Google in October 2021. Google has not responded to the issue.

“Comments” is a standard feature in each of Google’s Docs, Sheets, and Slides applications; reportedly, the vulnerability exists in all three programs. The report outlines a recent phishing campaign targeting Outlook users, in which threat actors have used Google Docs to target over 500 inboxes across 30 tenants from over 100 different Gmail accounts. The attack approach is straightforward: simply by adding a document comment that mentions the targeted user, Docs automatically triggers an email to that person’s inbox. When the comment is embedded with a malicious link, an unsuspecting recipient may be tricked into downloading malware or jumping to an undesirable site.

Since the email address of the sender isn’t shown (only a plain text name, which can be spoofed), it becomes easier for threat actors to impersonate legitimate entities to target victims. It also “makes it harder for anti-spam filters to judge, and even harder for the end-user to recognize,” according to the report.

Avanan recommends that users double-check the email address shown in the comment, hover over and validate any links before clicking, and vet the language, tone, and grammar of the comments for anything that looks suspicious. “If unsure, reach out to the legitimate sender and confirm they meant to send that,” the report advises.

New York AG releases credential stuffing report

On January 5, New York Attorney General Letitia James released a report detailing the results of a recent investigation into credential stuffing attacks. “The purpose of this document is to share some of the lessons learned, including concrete guidance to businesses on steps they can, and should, take to better protect against credential stuffing attacks,” explains the report in the introduction. The investigation reportedly discovered more than 1.1 million online accounts compromised in cyber attacks at 17 well-known companies.

The report defines and documents credential stuffing, and explores four key ways of managing the risk of this threat:

1. Defending against credential stuffing attacks, including the implementation of bot detection, multi-factor authentication, and “passwordless” access controls;

2. Detecting and monitoring for a credential stuffing breach;

3. Preventing fraud and misuse of customer information; and

4. Responding to a credential stuffing incident.

QNAP issues urgent statement on NAS device security

Hardware manufacturer QNAP has issued an urgent warning to users of its network attached storage (NAS) devices. According to the statement, “ransomware and brute-force attacks have been widely targeting all networking devices, and the most vulnerable victims will be those devices exposed to the Internet without any protection.”

QNAP’s statement provides straightforward instructions on how to assess the risk associated with its devices; any system that is directly accessible from an external IP address via HTTP should be locked down as soon as possible by disabling the “port forwarding” function of the router, and disabling the Universal Plug and Play function of the NAS.
