Weekly CyberTip: Secure your printers too!
According to a January 2022 report from Quocirca, 68% of organizations surveyed have experienced data losses due to unsecure printing practices. You can reduce your risk by keeping the software and firmware on your printers patched as promptly as possible, making sure default passwords and configs are changed, and using firewalls and network configurations to limit access to your print fleet. And make sure to take appropriate steps to wipe printers when decommissioning them – many printers and MFPs have onboard memory that can keep digital copies of content long after the page has been printed.
Proposed Canadian legislation introduces major new cyber regulations for critical infrastructure
On June 13, Canada’s federal government proposed legislation that would place new obligations on certain key critical infrastructure organizations. Bill C-26, An Act Respecting Cyber Security (ARCS), would enact the Critical Cyber Systems Protection Act (CCSPA), which would in turn establish a regulatory framework that calls for specific companies in the financial, telecommunication, energy, and transportation sectors to strengthen their cybersecurity posture and share cyber threat information with the government. Additional sectors could be added over time.
The Act “will require operators of systems to bolster their protections against a wide array of incidents including cyber attacks, electronic espionage, and ransomware. Cyber incidents above a certain threshold will be required to be reported, and the government will be able to compel companies to respond to cyber threats to protect their customers and employees,” explained Public Safety Minister Marco Mendicino to reporters in a press conference after the announcement.
According to a backgrounder published by the government on June 14, the legislation will also address “longstanding gaps in the Government’s ability to protect the vital services and systems Canadians depend on” by enabling Ottawa to designate services that are vital to national interests, compel them to protect their cyber infrastructure, and respond transparently and cooperatively in the face of an attack. The legislative powers proposed in the Act include issuing Cyber Security Directions (CSDs), orders requiring “a designated operator or classes of operators to comply with any measure set out in the direction to protect a critical cyber system” – some of the strongest, broadest powers ever seen in this field in Canada.
Under the CCSPA, designated companies would be required to establish formal Cyber Security Programs (CSP) that document their cyber defenses, establish monitoring, implement measures to minimize the impact of cyber attacks, mitigate third-party cyber risks, and set out specific incident reporting rules to the Canadian Centre for Cyber Security (CCCS).
The proposed Act covers many of the same issues as bills enacted by the United States government in recent months under CISA, including the Strengthening American Cybersecurity Act, the Cyber Incident Reporting for Critical Infrastructure Act, the Federal Information Security Modernization Act, and the Federal Secure Cloud Improvement and Jobs Act.
No timeline has been given for full implementation of the Act, but much debate and discussion lie ahead. The proposed legislation will move to committee review by the House of Commons and the Senate, and will receive input from industry consultations before it can be put into effect.
Cisco issues security advisory for small business routers
In an advisory issued June 15, Cisco announced a vulnerability in the web-based management interface of its Small Business RV110W, RV130, RV130W, and RV215W routers. The vulnerability “could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition,” according to the bulletin.
The routers, however, are end-of-life, and Cisco has confirmed that it will not be issuing patches for the vulnerabilities. Indeed, the only workaround for the bugs is to disable the web management component or replace the routers. Companies are strongly encouraged to confirm that they have retired these routers, or have taken steps to disable access to the web interface until devices can be replaced.
Cisco is not aware of any exploits of the vulnerability in the wild.
Ransomware gang offers stolen data search facility on public Internet
The ALPHV (a.k.a. BlackCat) ransomware gang has taken a novel approach to its extortion efforts by creating a publicly accessible website that allowed anyone on the Internet to search through the files of the gang’s latest victim to see if their personal data had been stolen in a recent attack.
On June 14, the gang started to release data allegedly stolen from The Allison Inn & Spa in Newberg, Oregon. The ransomware gang claims to have stolen 112GB of data, including personal information on 1,500 current and former employees, and 2,500 reservation records from 2022. The gang threatened further disclosures as well: “Your entire accounting will also soon be published on the website as well as in all media,” warned the site.
Experts speculate that the gang is hoping to exert additional pressure on the victims by releasing the data to the broader Internet, instead of exclusively to the ALPHV darkweb portal. Other observers muse that the ploy was more of a publicity stunt or trial run, as the hackers must have realized that the search site would be removed from the public Internet quickly. Indeed, the site was taken down by June 17: “We have suspended the domain to prevent further harm. The activities of the domain were a clear violation of the XYZ Anti-Abuse policy,” said Jocelyn Hanc, Vice President Operations at XYZ, the domain that hosted the gang’s disclosure site for a brief period.
The inn has not disclosed further details on the nature of the attack or their response to it. Their website and social media channels are silent on the incident, though a spokesperson advised that they are contacting affected parties directly. Customers of the inn only had limited data exposed in the breach (dates and charges related to their stays); however, the employee data that was available appears to contain a significant amount of personal information that could be used to facilitate identity theft.