Weekly CyberTip: Protect your mobile phones from malware
While not as common as PC-based malware, malicious software targeting your mobile phone is a threat as well. Here are some tips to keep your iPhone, Android, or other mobile device safe:
– Install security patches promptly.
– Only download software from official sources like the Apple App Store or the Google Play app. Using “jailbreak” software or apps from third-party sources may expose you to malware or even cause damage to your phone.
– Be suspicious of applications that request updates immediately after installation: the official stores only offer the latest version of apps; if the app asks for update permissions right away, this may be an indication that malware is at work.
– Do not click on links sent to your phone by text, mail, or in pop-ups while browsing, unless you are confident of the source of the link.
– Use the minimum permissions necessary when installing an application. Only allow access to features that you want to enable (e.g., microphone, camera, photos, geo-location), and only enable these features while you are using the application.
– Consider the use of a mobile anti-malware application from a trusted source.
Proofpoint report describes surge in mobile malware threats
In a recent report, researchers at Proofpoint revealed a dramatic 500% jump in mobile malware delivery attempts in Europe since February 2022. The increase is part of a global resurgence in mobile device attacks seen this year, after attack volumes had dropped in late 2021.
The report outlines the top seven malware variants seen in the wild, the regions in the world where they are most prevalent, and their indicators of compromise.
NRC recovering from March 18 cyber incident
Canada’s National Research Council has experienced a suspected cyber attack. After systems personnel discovered the incident on March 18, the NRC posted a message on their website explaining: “Due to a cyber incident, some applications on our website were taken offline and may be unavailable. We are working to bring applications back online as soon as possible.” The message remained up until at least March 28.
In a statement to CTV, Christine Aquino – the NRC’s Director General, Communications – said, “As a scientific organization, the NRC remains constantly vigilant to the risk of cyber attacks. Procedures and controls are in place at the NRC to mitigate these risks; these procedures and controls made it possible for the organization to respond quickly to the March 18 incident.”
No further details about the incident have been released. While suspicion about the source of the attack quickly centred on Russia – particularly after a similar attack against Global Affairs Canada in January 2022 – the NRC also suffered a significant cyber attack in 2014, believed to have been orchestrated by hackers sponsored by the Chinese government.
Report shows sharp rise in WordPress vulnerabilities in 2021
Security researchers at Patchstack have issued a report drawing attention to the risks of unpatched WordPress websites. WordPress is the engine behind about 40% of all websites on the Internet. The report reveals that the number of flaws reported in plugins and themes for WordPress was 150% higher in 2021 than in 2020.
The report, based on data gathered from over 50,000 WordPress-based websites, describes 55 critical vulnerabilities in themes, and 35 among WordPress plugins. The websites tested in the study had an average of 18 different components installed; an average of 6 out of 18 components were found to be outdated. On average, 42% of the websites analyzed had at least one vulnerable component installed.
Website administrators are encouraged to review their WordPress platforms regularly to ensure that their frameworks are up to date (the only current officially supported version is WordPress 5.9); remove unused themes and plugins; ensure that all production components are fully patched; and ensure that complex passwords and MFA are used for authentication.
Florida healthcare contractor pays nearly $1M for misrepresenting cybersecurity posture
In the Department of Justice’s first resolution of a False Claims Act case involving cyber fraud since the launch of the DOJ’s Civil Cyber-Fraud Initiative, Florida-based Comprehensive Health Services (CHS) will pay $930,000 (USD) to settle allegations that they falsely represented their digital medical record cybersecurity compliance to the U.S. State Department and Air Force between 2012 and 2019.
The settlement was based on allegations that CHS had failed to consistently store patients’ medical records on secure systems, and that they had sourced controlled substances that were not approved by the FDA or EMA.
The settlement should serve as a warning to other suppliers to the U.S. government about compliance and reporting practices. An equivalent act does not yet exist in Canada, though financial penalties can flow from inadequate protection of personal information (under PIPEDA) or other regulatory violations. Law firm Baker McKenzie provides a comprehensive review of the Canadian legal and regulatory compliance regime.
White House re-emphasizes cybersecurity in light of evolving Russian threats
In a statement issued March 21, U.S. President Joe Biden reiterated the importance of cybersecurity, citing new intelligence about evolving Russian cyber threats.
“If you have not already done so, I urge our private sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year. You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely. We need everyone to do their part to meet one of the defining threats of our time — your vigilance and urgency today can prevent or mitigate attacks tomorrow,” read the statement.
The best practices recommended are good advice at any time, even without the spectre of Russian interference looming:
– Implement MFA
– Implement tools to scan and mitigate cyber threats
– Maintain current patching and passwords
– Back up your data
– Develop and test your incident response plan
– Encrypt data
– Conduct security awareness training
– Establish relationships with law enforcement and leverage their resources
Hundreds of companies affected by Okta third-party breach
Authentication software company Okta has confirmed that 366 of its corporate customers – about 2.5% of its customer base – were affected by a third-party security breach that allowed hackers to access Okta’s internal network. The company that experienced the initial cyber attack is believed to be Sykes Enterprises, a business process and customer service outsourcing company acquired by Sitel Group in July 2021.
The attack was allegedly conducted by the Lapsus$ crime gang. On March 21, Lapsus$ claimed that it had gained access to one of Okta’s “super user” admin accounts, and posted a series of screenshots as proof.
Okta has come under fire for the delay in reporting the breach, which occurred between January 16-21, 2022. In a statement on Okta’s website, David Bradbury, Chief Security Officer at Okta, provided a timeline of the incident, investigation, and response. The statement suggests that the months-long delay in notifying customers was due to the length of time taken by the Sitel investigation of the breach. Bradbury also downplayed the impact of the breach, saying: “I am confident in our conclusions that the Okta service has not been breached and there are no corrective actions that need to be taken by our customers.”