Weekly CyberTip: Safe Online Job Hunting
With the start of a new year and amidst a dynamic job market, a lot of job opportunities are appearing online. But be forewarned that not all of those postings are legitimate! Scammers continue to post fake jobs in order to try to extract your personal information for identity fraud, or simply to steal financial details or money.
Even on comparatively reputable sites like LinkedIn and Indeed, cyber criminals are laying traps for the unwary. If a job sounds too good to be true, or you are pressed for personal information or upfront “service charges” during the initial recruitment stages, proceed with caution.
The Edmonton Police Service has a detailed advisory providing a list of red flags to watch out for, tips on how to conduct your job hunt safely, and what to do in the event you’ve been duped.
Florida healthcare provider hit by “IT security issue”
Florida’s Tallahassee Memorial HealthCare (TMC) has been forced to cancel outpatient procedures and non-emergency surgical procedures and divert ambulances to other facilities as it deals with an “IT security issue” discovered on February 2.
According to a February 3 breach notification released on its website and on Twitter, the healthcare facility activated its IT system downtime protocols and shut down its systems to contain the impact of the incident. “We prepare for situations like this and have implemented a series of backup and downtime protocols – including relying on paper documentation – to enable our colleagues to continue to provide safe, high-quality care to patients,” according to the website.
TMC has not yet disclosed the root cause of the incident, or whether any personal health information has been disclosed. “This is an active, ongoing investigation. We contacted law enforcement when this incident occurred, and we continue to work with the appropriate law enforcement agencies. We are also working with third party experts to assist in the investigation.”
In its February 5 update, the hospital reported that progress is being made, but many services remain unavailable as the investigation and recovery continue.
Security researchers discover unsecured PII data in the cloud
A February 2 report from Website Planet announced the discovery of “an open and non-password protected database that contained 717,814 records and the Personally Identifiable Information (PII) of thousands of Canadian citizens.”
The data, which appeared to contain “home mortgage loan related information that included names, phone numbers, email addresses, physical addresses, and more,” appeared to be under the stewardship of Toronto-based mortgage company 8Twelve Financial Technologies Inc. The data (which has now been secured after the researchers reported their findings to 8Twelve) included:
- 717,814 exposed records across a folder named “applicant” and five folders named “application”
- applicant names, emails, phone numbers, and physical addresses
- 8Twelve employee information, including names, email addresses, and internal notes about the prospective loan or customer, indicating whether an applicant was creditworthy.
Canada’s Communications Security Establishment calls LockBit an “enduring threat”
Quoted by the CBC, Canada’s Communications Security Establishment (CSE) is calling for a “heightened state of vigilance” against retaliatory attacks from Russia-aligned hackers, and “assesses that LockBit will almost certainly remain an enduring threat to both Canadian and international organizations into 2023.”
“In 2022, LockBit was responsible for 22 per cent of attributed ransomware incidents in Canada and an estimated 44 per cent of global incidents,” according to CSE spokesperson Evan Koronewski.
LockBit was allegedly responsible for cyber attacks against the town of St. Marys, Ontario, and Westmount, Quebec, last year, in addition to an attack on Toronto’s Hospital for Sick Children (for which LockBit issued an apology afterwards).
Zero-day vulnerability reported in Fortra’s GoAnywhere MFT product
A zero-day vulnerability affecting Fortra’s GoAnywhere MFT managed file-transfer solution is being actively exploited, according to a report in The Record. The application has users around the world, and is “used by dozens of major companies and schools, including the University of Cincinnati, Think Mutual Bank, Nemours [children’s health facilities], University of Cincinnati and many local [U.S.] government offices,” with a focus on the finance, healthcare, higher education, insurance, retail, and telecom sectors.
The bug was first reported publicly by Brian Krebs on his Mastodon account. Fortra has made no public acknowledgement, but the internal security advisory published by Fortra on February 1 and released by Krebs contains specific threat information and mitigation strategies. The Record report also suggests that Fortra may be temporarily implementing a service outage while the vulnerability is being investigated.
The internal bulletin states: “A Zero-Day Remote Code Injection exploit was identified in GoAnywhere MFT. The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS). If the administrative console is exposed to the public internet, it is highly recommended partnering with our customer support team to put in place appropriate access controls to limit trusted sources.”
The bulletin emphasizes that the vulnerability only affects the administrative interface, not the web client interface.