Latest Cybersecurity News 2022-01-17 Edition

Weekly CyberTip: Never reuse passwords across accounts!

A recent survey by the Identity Theft Resource Center (ITRC) reported that nearly 50% of all respondents use the same password across multiple accounts and services. Hackers know these numbers, and whenever they manage to crack or steal a password from one service, they will often pivot to try it on other common websites and services. Don’t run the risk of multiplying the impact of a breach by using the same credentials in several places! Be part of the safe half: make your passwords complex and unique, and consider the use of a password manager to help keep track of them.

Unsecured database exposes hundreds of thousands of transportation industry credit records

A January 11 report from Website Planet reveals the discovery of a publicly accessible database of over 820,000 records – including over 600,000 credit records – relating to transportation companies and individual drivers based in Canada and the United States. The personal information exposed in the database included banking details and Social Insurance Numbers (SIN), all unencrypted and without password protection.

The common thread in the entries in the database, according to the researchers who discovered the files online, appears to be TransCredit, a Florida-based credit report company that describes itself as “one of the primary business credit reporting agencies for the transportation industry and beyond,” on its website.

The researchers immediately notified TransCredit upon discovering the unsecured database and, while they received no formal response, they found that access to the database was blocked soon afterwards. According to the report, “[i]t is not clear if this data was exposed by a contractor or a 3rd party who had access to these reports, or if this was in fact TransCredit’s internal database”. Further, there was no indication of how long the data had been exposed, or whether the affected parties had been contacted – as is required by Florida law.

Appropriately, the researchers “highly recommend that anyone in the transportation industry revisit your data protection policies, talk about scams and fraud awareness with your employees and team. Change passwords using unique and complex characters. Monitor transactions and monitor credit accounts for suspicious activity,” as the exposed data could potentially be used to construct phishing or spear-phishing campaigns if it has fallen into the wrong hands.

Maryland Department of Health confirms ransomware in December incident

According to a January 12 update bulletin, the Maryland Department of Health (MDH) confirmed that a cyber attack on their systems late last year was in fact a ransomware attack.

MDH experienced a service disruption on December 4 as a result of a network security incident. At the time, MDH detected unauthorized activity involving multiple network infrastructure systems. Immediate defensive measures were implemented to contain the incident: servers were taken offline to protect the network, affected systems were isolated, and the MDH website was rerouted to the state’s primary webpage – all of which resulted in dozens of health department services and resources becoming unavailable. Since then, an investigation has been ongoing to determine the extent of the attack and whether any data had been exfiltrated.

While the rapid response appears to have mitigated system damage, the incident reflects the significant impact of even a quickly-contained breach: over six weeks after the incident, a number of services are still affected and a costly and time-consuming inquiry into the matter continues.

Russian security takes down REvil ransomware gang

In a series of raids and arrests on January 13, Russia’s Federal Security Service (FSB) took decisive measures to “liquidate” the notorious REvil ransomware gang and “neutralize” the gang’s computing infrastructure, according to a report in Threatpost.

The FSB raided 25 locations in Moscow, St. Petersburg, and the Moscow, Leningrad and Lipetsk regions, seizing over $7M (CDN) in physical assets; US$600,000 and €500,000 in cash; various cryptocurrency accounts; and a score of luxury vehicles. Fourteen alleged cybercriminals were also arrested, charged with “illegal circulation of means of payment.” One of the figures detained is reportedly the mastermind behind the Colonial Pipeline cyber attack in May 2021, according to a statement from the White House quoted in the Wall Street Journal.

According to an FSB media statement, the driving force behind the raids was a formal request for action from U.S. authorities. “As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized. Representatives of the competent U.S. authorities have been informed about the results of the operation,” according to the statement.

REvil (a.k.a. Sodinokibi) made world headlines in 2021 with the Colonial Pipeline attack, along with ransomware attacks on JBS Foods and the zero-day supply-chain attack that affected an estimated 1,500 customers of software company Kaseya. After a brief hiatus from July to September 2021, REvil returned to operations, but has been under constant pressure from law enforcement agencies in recent months.
