Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news
Weekly CyberTip: Get off IE11
Still using Internet Explorer? Microsoft is reminding users that it will be retiring the final version of IE (IE11) in June 2022, as they continue the process of replacing the browser with Microsoft Edge. Legacy websites and applications based on Internet Explorer will be supported with Edge’s IE mode feature (which will be supported until 2029). Microsoft has published additional information and a transition guide at https://www.microsoft.com/en-us/edge/business/ie-mode.
NL healthcare system breach even more serious than originally believed
The provincial government in Newfoundland and Labrador has revealed that more data was stolen than originally thought during the October 30, 2021 breach of its health care system.
In a March 30 media briefing, Eastern Health CEO David Diamond advised that more than 200,000 files potentially containing patient and employee information – dating as far back as 1996 – had been stolen in the incident that disrupted healthcare services in Newfoundland & Labrador for weeks.
Personal health information – including medical diagnoses, healthcare codes and procedures ordered for patients, and employment information – is believed to be among the stolen data. The exfiltration of the files was discovered on February 25, but the government held back the information while it worked to determine which individuals were affected by the breach. “As you can imagine, with 200,000 files, there are literally millions of data points. There’s a lot of manual work involved before we can put a final number, but we expect the number could be large; it could be thousands of individuals between staff and patients,” Diamond said in the briefing.
“In terms of personal financial information and health information, we’re not aware that any of that has been misused at this point,” Diamond added. The province is conducting dark web monitoring to watch for any indications of misuse of the exfiltrated data.
Few additional details about the incident were disclosed in the briefing. When pressed, Health Minister John Haggie refused to identify the attackers, how the breach occurred, or any details about the ransom.
“We’ve been advised by our security advisers… that giving away details of the incident beyond a certain point would be unwise and would possibly jeopardize our abilities in the future to deliver services,” Haggie said, but allowed that “in the fullness of time” public reports would be made available regarding the various investigations.
Diamond advised that the systems managing the provincial healthcare system are now running “pretty much at 100 per cent,” after effectively being rebuilt from scratch from backups.
CSIS confirms Canada targeted by thousands of daily cyber attacks
In a March 28 meeting of the Standing Committee on National Defence (NDDN), Cherie Henderson, Assistant Director, Requirements at CSIS, confirmed that Canada suffers “thousands of cyber attacks on a daily basis” all across the country. “It is an ever-increasing issue,” she warned, noting that CSIS is seeing more activity from more cyber actors than ever before.
Sami Khoury, Head of the Canadian Centre for Cyber Security, concurred, advising that the CCCS continues to see Russia, China, North Korea, and Iran as the greatest sources of state-sponsored threat.
Henderson explained that Canada’s most vulnerable sector at the government level remains the research and development arena. Canada is a leader in the R&D space, and numerous countries want that intellectual property for themselves. Henderson also noted that Canadian critical infrastructure is “very vulnerable” to attack, so CSIS is constantly involved in championing heightened protection and awareness there as well.
Henderson emphasized that cooperation and communication are key in facing cyber threats, noting that Canadian government departments and agencies are working well together. CSIS is constantly looking for new tools and ways to improve, and is always looking at modernizing its defenses. But she reminded the panel that it is essential that “all Canadians and businesses and industries are very aware of the cyber threat and can take the necessary precautions and measures to protect themselves.”
The Standing Committee on National Defence studies the Department of National Defence and the Canadian Armed Forces, as well as the domestic, continental, and international security environment.
New patches available for critical Spring Java app and GitLab vulnerabilities
Several patches for critical vulnerabilities of concern to software developers were identified at the end of March:
– New security updates are available for the Spring Java application development framework. These patches close three vulnerabilities: two discovered in 2022, and a third long-standing vulnerability nicknamed SpringShell or Spring4Shell, due to its similarities to the Log4Shell vulnerability in the Apache Log4j logging library. The vulnerabilities could potentially allow remote code execution by a threat actor. In Spring’s initial bulletin and VMware’s formal notification about the patches, users are urged to apply the patches as soon as possible.
– A hard-coded password in the GitLab software development environment could allow remote attackers to take over user accounts. The now-patched bug affects both the GitLab Community Edition (CE) and Enterprise Edition (EE). An advisory from GitLab explains the background of the vulnerability and outlines the patch versions. GitLab strongly recommended that users upgrade all GitLab installations to the latest versions (14.9.2, 14.8.5, or 14.7.7 as applicable) as soon as possible to block potential attacks.
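As an added example (not GitLab's own tooling), a small Python check that compares an installed GitLab version against the patched releases named above, so a fleet inventory can be triaged quickly; the hostnames and versions in the sample inventory are constructed, and treating branches newer than 14.9 as already fixed is an assumption, not something the advisory states.

```python
import re

# Fixed releases named in GitLab's advisory, keyed by release branch.
FIXED_VERSIONS = {
    (14, 9): (14, 9, 2),
    (14, 8): (14, 8, 5),
    (14, 7): (14, 7, 7),
}
HIGHEST_FIXED = max(FIXED_VERSIONS.values())

# Accepts '14.8.3', '14.9.2-ee', '14.9.2-ce'.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?:ce|ee))?$")


def parse_version(text):
    """Return (major, minor, patch) for a GitLab version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())


def needs_upgrade(text):
    """True when the installed version is below the fixed release for its branch.
    Branches older than 14.7 have no fixed release listed, so they are flagged;
    branches newer than 14.9 are assumed (an assumption, not stated in the
    advisory) to already carry the fix."""
    installed = parse_version(text)
    fixed = FIXED_VERSIONS.get(installed[:2])
    if fixed is not None:
        return installed < fixed
    return installed < HIGHEST_FIXED


def triage(inventory):
    """Map host -> needs_upgrade for a {host: version} inventory."""
    return {host: needs_upgrade(ver) for host, ver in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "git-prod.example.internal": "14.9.1-ee",
    "git-stage.example.internal": "14.8.5-ce",
    "git-legacy.example.internal": "14.6.4",
}

if __name__ == "__main__":
    for host, flag in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'UPGRADE' if flag else 'ok'}")
```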
Google sees spike in Ukraine war-themed spearphishing
In a March 30 blog post, researchers from Google published their latest information on several trending phishing attacks that leverage various Ukraine war-related themes.
Google’s Threat Analysis Group (TAG) is seeing increasing state-sponsored activity from China, Iran, North Korea, and Russia, as well as from several unattributed groups attempting to facilitate ransomware attacks.
The blog explores three particular threat actors in detail (nicknamed Curious Gorge, COLDRIVER (Calisto), and Ghostwriter), all of which deliver phishing emails bearing malicious attachments or links. The post provides a list of IP addresses and domains most commonly linked to the attacks. Ensure your web filtering applications are up to date or consider adding these to appropriate “deny lists” to protect yourself.
$4.67M stolen from DeFi platform Voltage Finance
On March 31, Voltage Finance was the victim of a cyber attack that resulted in the theft of bitcoins and stablecoins valued at an estimated $4.67M (all figures USD). A “re-entrancy bug” in the DeFi platform allowed unidentified parties to repeatedly make unauthorized withdrawals and drain the lending pool. Similar attacks were conducted against Hundred Finance and Agave earlier in March, resulting in $11M in losses.
Voltage Finance announced the losses on Twitter. In a joint statement published by Ola Finance (Voltage’s lending-as-a-service partner), the platforms will be publishing a “detailed report on all the tokens listed across all the lending networks that confirms this attack can not [sic] be replicated on other lending networks.” As they work on a patch, borrowing and lending on the lending network has been temporarily disabled.
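As an added illustration of the re-entrancy failure mode described above (plain Python, not Voltage Finance's or Ola Finance's code), a toy lending pool whose vulnerable withdraw() pays out before updating its records, beside the hardened ordering (checks-effects-interactions plus a re-entrancy guard); the pool size, amounts and the "user" account are constructed.

```python
class ReentrancyDetected(Exception):
    pass


class LendingPool:
    def __init__(self, liquidity, safe):
        self.liquidity = liquidity   # funds actually held by the pool
        self.balances = {}           # depositor -> credited balance (bookkeeping)
        self.safe = safe             # True selects the hardened withdraw ordering
        self._locked = False

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.liquidity += amount

    def _send(self, amount, on_payout):
        self.liquidity -= amount     # the transfer moves funds out...
        on_payout(self)              # ...then the recipient's code runs

    def withdraw(self, who, amount, on_payout):
        if self.safe and self._locked:
            raise ReentrancyDetected("withdraw re-entered")
        if self.balances.get(who, 0) < amount:
            raise ValueError("insufficient balance")
        if self.safe:                        # checks-effects-interactions + mutex
            self._locked = True
            self.balances[who] -= amount     # effect recorded before the interaction
            try:
                self._send(amount, on_payout)
            finally:
                self._locked = False
        else:                                # vulnerable: interaction before effect
            self._send(amount, on_payout)
            self.balances[who] -= amount     # too late: nested calls saw the old balance


def run_scenario(safe):
    """Deposit 10 into a pool holding 100, withdraw 10 with a handler that re-enters;
    returns (pool liquidity afterwards, total paid out to the caller)."""
    pool = LendingPool(liquidity=100, safe=safe)
    pool.deposit("user", 10)
    paid = [0]
    def handler(p):
        paid[0] += 10
        if p.liquidity >= 10:        # re-enter while the pool can still pay
            try:
                p.withdraw("user", 10, handler)
            except ReentrancyDetected:
                pass                 # the guard stops the nested call in the safe pool
    pool.withdraw("user", 10, handler)
    return pool.liquidity, paid[0]
```

With the vulnerable ordering the single 10-unit deposit drains all 110 units held by the pool; with the hardened ordering the caller receives exactly the 10 units credited to it.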