Latest Cybersecurity News 2022-02-14 Edition

Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news

Weekly CyberTip: Don’t fall for romance scams this Valentine’s Day

According to the Canadian Anti-Fraud Centre (CAFC), romance scams accounted for the second highest fraud-related dollar loss in 2021 (placing behind only investment scams). Criminals leverage phishing scams and fake social media profiles to capitalize on victims’ emotions. The CAFC provides details on some of the common red flags for romance scams, which often involve tricking victims into sending money or disclosing personal information that can then be leveraged for identity theft.

San Francisco 49ers football team network hacked

According to multiple reports, the San Francisco 49ers of the National Football League (NFL) have fallen victim to a ransomware attack. The attack reportedly exfiltrated files from the team’s corporate network before encrypting them, following an increasingly common “double extortion” strategy used by hackers.

The incident came to light on February 12 when operators of the BlackByte ransomware gang listed the 49ers as one of their victims on the BlackByte dark web site, even providing a 292-megabyte sample of the data that was stolen. The team issued a statement on February 13 confirming the attack: “Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident… While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium [the 49ers’ home field] operations or ticket holders.” The 49ers website appears to be unaffected.

The team is working with law enforcement and cybersecurity consultants to manage the aftermath of the attack. A deadline of March 4, 2022, has been issued to pay the ransom; while the amount of the ransom has not been disclosed, it is speculated that a sizeable dollar figure will be involved, as the San Francisco team is one of the wealthiest and highest-profile franchises in the NFL.

First identified in September 2021, the BlackByte ransomware gang operates a ransomware-as-a-service model, renting out their ransomware to third parties who breach victim networks, exfiltrate data, and use the ransomware to encrypt data. According to an FBI security alert issued just a day before the attack on the 49ers, “BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture),” since November 2021.


Canadian sentenced to 80 months in prison for role in NetWalker ransomware attacks

On February 7, an Ontario court sentenced Sebastien Vachon-Desjardins to 6 years and 8 months in prison after he pleaded guilty to multiple offenses linked to attacks on 17 Canadian victims.

“Between May 2020 and January 2021, the Defendant victimized 17 Canadian entities and others throughout the world by breaching private computer networks and systems, hi-jacking their data, holding the stolen data for ransom, and distributing stolen data when ransoms were not paid,” said the presiding judge in the case.

The U.S. Department of Justice said that Desjardins allegedly obtained more than $27.6 million (all figures USD) after multiple successful attacks and extortion attempts since April 2020.

Though Desjardins cooperated with the authorities to help identify victims and their losses, he “was not an insignificant actor in these and other offences; he played a dominant, almost exclusive, role in these offences and he assisted NetWalker and other affiliates by improving their ability to extort their victims and disguise their proceeds,” according to the sentencing report.

According to a report in Bleeping Computer, the “FBI discovered Desjardins’s true identity after linking email accounts (Microsoft, Gmail, and Protonmail) he used to register accounts on XSS.is and HackForums with online activity (searches and emails) with various online services (including MEGA and ZoomInfo) he used to upload files stolen from victims’ networks and find financial info on his victims.”


Google pays out $8.7 million in bug bounties in 2021

In a February 10 blog post, Google announced that it had awarded over $8.7 million (all figures USD) to security researchers as part of its Vulnerability Rewards Program (VRP) in 2021. The VRP provides incentives to security researchers to identify and report software flaws in Google products so they can be fixed before being otherwise discovered and potentially abused in the wild.

The bounty figure is a 30% increase over the $6.7 million paid out in 2020.

Most of the bounties were paid out in response to bugs found in the Chrome browser ($3.3M) and the Android operating system ($3M). The largest single bounty of $157,000 was awarded for an Android exploit chain. Overall, 696 researchers received financial incentives, some of whom donated their bounties to charity, for a total of $300,000 donated.


Microsoft to disable VBA macros by default

In a February 7 blog post, Microsoft announced that VBA macros will be disabled by default in Office documents downloaded from the Internet, starting in April 2022.

“While we provided a notification bar to warn users about these macros, users could still decide to enable the macros by clicking a button,” according to the blog. “Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe, including malware, compromised identity, data loss, and remote access… For the protection of our customers, we need to make it more difficult to enable macros in files obtained from the internet.”

The change is to be introduced in Access, Excel, PowerPoint, Visio, and Word. Microsoft plans to implement the change in suites going all the way back to Office 2013.

Once the change is implemented, users will no longer be able to enable content in downloaded Office documents simply by clicking an override button. Instead, a new message bar will display a security risk alert advising that the file contains Visual Basic for Applications (VBA) macros obtained from an untrusted source, along with a “Learn More” button, all intended to force users to think twice before enabling macros.
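Administrators do not have to wait for the April rollout: the same outcome can be enforced today through the existing “Block macros from running in Office files from the Internet” Group Policy setting. The PowerShell below is an added example (not code from the ISA Cybersecurity post or from Microsoft) that shows how an endpoint team can check whether a downloaded document carries the Mark of the Web that Office uses to decide a file came from the Internet, audit the policy value per application, and turn the block on. It assumes Office 2016/2019/Microsoft 365 (registry version 16.0; Office 2013 uses 15.0), that the policy value name is `blockcontentexecutionfrominternet` under the per-application `Security` policy key, and uses a placeholder document path.

```powershell
# Added example, not from the original post or from Microsoft.
# Assumptions: Office registry version 16.0 (Office 2013 would be 15.0);
# blockcontentexecutionfrominternet is the Group Policy value behind
# "Block macros from running in Office files from the Internet".

# 1. Does a downloaded document carry the Mark of the Web?
#    Windows records the download origin in an NTFS alternate data stream named
#    Zone.Identifier; ZoneId=3 means the Internet zone, which is the tag Office
#    checks before deciding whether macros may run.
function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
        return [bool]($zone -match '^ZoneId=3')
    } catch {
        # No Zone.Identifier stream: the file was not downloaded, or the stream was stripped
        return $false
    }
}

# The five applications named in Microsoft's announcement.
$apps = 'word', 'excel', 'powerpoint', 'access', 'visio'

# 2. Report the per-application policy value. A DWORD of 1 blocks VBA macros in
#    Internet-sourced files even if the user clicks "Enable Content".
function Get-MacroBlockPolicy {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $item = Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application = $app
            Blocked     = ($null -ne $item -and $item.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

# 3. Turn the block on for all five applications. This writes the current user's
#    policy hive; for a fleet, deploy the same value through Group Policy instead.
function Enable-MacroBlockPolicy {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

# Usage (placeholder path; substitute a real downloaded document):
Test-MarkOfTheWeb -Path 'C:\Users\Public\Downloads\PLACEHOLDER.docm'
Get-MacroBlockPolicy | Format-Table -AutoSize
```

Because Office keys its decision on the Zone.Identifier stream, the first function is also a useful triage check during incident response: a macro-enabled document that arrived by e-mail or browser download but has no Mark of the Web was either extracted from a container format that drops the stream or had the stream removed, and it would not have been covered by the new default.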
