Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news
Weekly CyberTip: Bookmark the Ontario Government cyber scam portal
The government of Ontario has developed a helpful portal filled with resources to help identify and respond to common cyber scams. Bookmark this page for quick access to a listing of types and signs of online fraud, and ways to protect yourself and your business.
Suncor continues to recover from cybersecurity incident
On June 25, Suncor issued a brief press release announcing that it was dealing with a cyber incident.
“Suncor has experienced a cyber security incident. The company is taking measures and working with third-party experts to investigate and resolve the situation, and has notified appropriate authorities. At this time, we are not aware of any evidence that customer, supplier or employee data has been compromised or misused as a result of this situation. While we work to resolve the incident, some transactions with customers and suppliers may be impacted,” read the statement in its entirety.
Disruptions were felt across the country at Suncor’s Petro-Canada gas stations in the wake of the incident, as numerous gas stations were only able to process cash transactions. On June 29, Petro-Canada tweeted that most locations had restored debit and credit transactions capabilities. However, the post advised that their “app, Petro-Points program and some car washes remain unavailable.”
Petro-Canada has over 1500 locations in Canada, and about 250 car wash locations.
UPS Canada issues privacy incident notifications after SMS phishing campaign
On June 28, United Parcel Service (UPS) confirmed that the company is working with law enforcement and cybersecurity experts following reports of phishing messages that were sent via SMS to certain shippers and customers in Canada. UPS said it was sending privacy incident notification letters to an undisclosed number of Canadian customers whose personal information may have been disclosed.
The incident is believed to have stemmed from an extended data breach involving the company’s online package tracking system, which was actively abused from February 1, 2022 to April 24, 2023. During this period, threat actors were able to access detailed customer shipping information, and appear to have leveraged that information in an extensive SMS phishing campaign.
The phishing messages in the campaign did not attempt to compromise the user’s mobile devices, rather they tried to redirect users to one of a number of domains hosted in Russia. The landing pages for those sites displayed a fake UPS page (complete with UPS logo) and fields for victims to enter their credit card information.
UPS provides online resources to help people recognize, avoid, and report online fraud. If you are victimized by a cyber fraud, report the incident to the Canadian Anti-Fraud Centre.
New cloud security report reveals security gaps
On June 28, security firm Gigamon issued their 2023 Hybrid Cloud Security Survey. Sub-titled “Perception vs. Reality”, the report revealed some startling inconsistencies among respondents. 94% of IT and security leaders surveyed “confidently stated that their security tools and processes provide them with complete visibility and insights into their hybrid cloud infrastructure,” and half of those surveyed stated “they are confident or completely confident they are sufficiently secure across their hybrid cloud infrastructure from on-premises to cloud, yet 90% admitted to having suffered a data breach in the last 18 months.”
The survey also revealed that about a third of security breaches are going undetected at initial compromise, with security professionals only realizing they had been attacked “down the line – either through data appearing on the dark web, files becoming inaccessible, or users experiencing slow application performance.”
Zero trust was another area of mixed messages. While 96% of those surveyed believe that zero trust will be a big trend in 2023 and beyond, more than half of respondents consider it “unattainable” despite its importance. “We are seeing definitively that Zero Trust is a strategic element of security and it’s the best option organizations have to substantially improve their security resilience while maintaining business agility,” according to Ian Farquhar, Security CTO at Gigamon. The U.S. government also recently mandated that government agencies implement zero trust cybersecurity principles.
NCSC issues new study on cybersecurity in the legal sector
The U.K.’s National Cyber Security Centre (NCSC) has released a new report on cybersecurity for law firms and other legal sector entities. The report is an update to an original study published in 2018.
The report identifies and documents five top threats faced by legal institutions; risk areas that many other organizations will find familiar as well:
- phishing emails designed to install malware (including ransomware) or steal credentials
- business email compromise (BEC) attacks designed to trick victims into disclosing sensitive information or sending large sums of money to the attacker
- ransomware and other malware that could disrupt operations and steal sensitive information
- password attacks (including brute force attacks)
- third party / supply chain attacks
In addition to a number of practical resources and tools, the report provides four key tactics for managing cyber risk:
- ensure that senior leadership (e.g., board members, owners, and partners) are engaged and informed about cyber security risk
- conduct a readiness assessment against the NCSC’s “Cyber Essentials” security framework
- explore services like threat intelligence, incident response plan testing, and cyber insurance
- invest in training and security awareness
SolarWinds execs receive notice of pending charges
In a June 23 filing, SolarWinds confirmed that the U.S. Securities and Exchange Commission (the “SEC”) has issued “Wells Notices” to “certain current and former executive officers and employees of the Company, including the Company’s Chief Financial Officer and Chief Information Security Officer” in connection with the ongoing investigation into the Orion software platform compromise in December 2020. These notifications follow Wells Notices issued to SolarWinds at the corporate level in fall of 2022, with respect to the company’s cybersecurity disclosures, public statements, internal controls, and disclosure controls and procedures.
A “Wells Notice” is a notification by the securities regulator, notifying parties of the substance of charges that the regulator intends to bring against the respondent, affording the respondent with the opportunity to submit written statements. It does not necessarily mean the respondents have violated any laws.
The fact that charges may be coming for specific individuals highlights the potentially serious personal exposure for senior executives and others responsible for corporate cybersecurity.
