Weekly CyberTip: Watch for royal-related scams
As Queen Elizabeth II is laid to rest today, sadly there are criminal elements who are looking to capitalize on the event. Hackers and scam artists frequently exploit emotional or high-profile news stories to catch victims off guard. Watch for unsolicited or suspicious emails, links, or clickbait advertisements that purport to provide details of the royal funeral but are actually designed to steal your personal information.
FBI publishes two healthcare sector cyber warnings
Over the course of three days last week, the FBI published two Private Industry Notification (PIN) warnings regarding cybersecurity risks in the healthcare sector.
On September 12 came a warning regarding the heightened security risks posed by unpatched and legacy IoMT devices. “Routine challenges include the use of standardized configurations, specialized configurations, including a substantial number of managed devices on the network, lack of device embedded security features, and the inability to upgrade those features.” The FBI’s recommendations include implementing endpoint protection, access management, asset and vulnerability management, and prioritizing security awareness training for staff.
On September 14, the FBI published a warning for healthcare organizations that use third-party payment processors. According to the PIN, “The FBI has received multiple reports of cyber criminals increasingly targeting healthcare payment processors to redirect victim payments. In each of these reports, unknown cyber criminals used employees’ publicly-available Personally Identifiable Information (PII) and social engineering techniques to impersonate victims and obtain access to files, healthcare portals, payment information, and websites.”
“This year alone, threat actors have stolen more than $4.6 million [all figures USD] from healthcare companies after gaining access to customer accounts and changing payment details,” continued the bulletin, citing one case in which an attacker changed victims’ direct deposit information to a bank account controlled by the attacker, stealing some $3.1 million in the process.
In each bulletin, the FBI provided a series of best practices and risk mitigations for healthcare organizations to implement.
Uber suffers suspected “total compromise” in hacking incident
In a September 15 “Uber Newsroom” post, the company revealed that it had been the victim of a cyber incident. Details were scarce, but in the September 16 update, they reported “no evidence that the incident involved access to sensitive user data (like trip history),” and that all of their services are operational.
According to a report in The New York Times, however, the security breach is significantly more serious. On the afternoon of September 15, staff at Uber allegedly received a Slack system message saying: “I announce I am a hacker and Uber has suffered a data breach,” the text also providing a list of several internal databases that the hacker claimed to have compromised.
The hacker reached out to The New York Times and several cybersecurity firms to repeat the announcement and provide evidence of the successful breach. Acting alone, the unnamed hacker is allegedly an 18-year-old male, who reportedly compromised the company in order to demonstrate its weak security practices. The individual reportedly used social engineering techniques to “compromise an employee’s Slack account, persuading them to hand over a password that allowed them access to Uber’s systems,” according to the Times. With this access, the hacker reportedly leveraged elevated security credentials on a network file share and used them to access “production systems, Uber’s Slack management interface and the company’s endpoint detection and response (EDR) portal.”
According to the report, the attacker had full access to corporate email and “is also believed to have gained administrative access to Uber’s cloud services, including on Amazon Web Services (AWS) and Google Cloud (GCP), where Uber stores its source code and customer data, as well as the company’s HackerOne bug bounty program.”
European Union proposes Cyber Resilience Act
In a September 15 announcement, the European Union (EU) proposed a new Cyber Resilience Act, designed to “protect consumers and businesses from products with inadequate security features”. The proposed legislation introduces mandatory cybersecurity requirements throughout the entire lifecycle of products with “digital elements”.
The measures proposed in the legislation include:
– rules for the marketing of products with digital elements to ensure their cybersecurity;
– essential requirements for the design, development, and production of products with digital elements, and obligations for economic operators in relation to these products;
– essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole lifecycle, and obligations for economic operators in relation to these processes. Manufacturers will also have to report actively exploited vulnerabilities and incidents; and
– rules on market surveillance and enforcement.
Detailed versions of the proposed Act and its annexes were also published on September 15. The Act has been in the works for over a year. The proposal now moves to the European Parliament and Council for review. Once adopted, member states and economic operators will have two years to adopt the new requirements. The Act will surely have even broader implications, as global trading partners selling goods into the EU will need to be in compliance as well.