Latest Cybersecurity News 2023-08-28


Weekly CyberTip: Does everything need to be connected?

In a recent study, researchers from Italy and the U.K. identified four vulnerabilities in the TP-Link Tapo L530E smart lightbulb – a top seller on multiple online marketplaces – that could be exploited to expose home network passwords. The researchers were able to exploit the devices in five different attack scenarios, with varying impacts on the users’ security, privacy, and safety.  

 

The reminder here is to assess whether you really need every device in your home to be “smart”. The world of IoT can introduce efficiencies, but also creates risks. Only connect devices that genuinely need Internet access, and ensure that you follow security best practices like changing default security settings and monitoring regularly for security patches. Just because you can put something online doesn’t necessarily mean you should. 

 

By the way, patches are available for the light bulbs at https://www.tp-link.com/en/support/faq/3722. 

Report: More than 3/4 of Canadian energy companies at heightened risk of BEC attack 

In a report released August 24, security company Proofpoint revealed the results of an analysis of the email security settings for Canada’s 40 largest energy concerns. Their research suggested that 77% (31 companies) have not implemented the strictest recommended configuration of DMARC – and 33% have no DMARC protection in place at all. 

 

“DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals to launch phishing and email fraud attacks. It authenticates the sender’s identity before allowing a message to reach its intended recipient, such as energy customers or employees,” explains the press release. 
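
The kind of check behind figures like these can be reproduced from a domain's published DMARC record. The following is an added example, not code from Proofpoint or from this newsletter; it grades constructed sample records on placeholder `.example` domains, and it treats `p=reject` (the strictest policy defined in RFC 7489) applied to all mail as the top grade.

```python
# Added example: grade a domain's DMARC posture from the TXT records published
# at _dmarc.<domain>. All domains and records below are constructed samples.

def parse_dmarc(txt):
    """Return the record's tag/value pairs, or None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: v=DMARC1 must be the first tag, and p= carries the policy.
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1" or "p" not in tags:
        return None
    return tags

def classify(txt_records):
    """Grade the list of TXT strings found at _dmarc.<domain> (may be empty)."""
    records = [t for t in map(parse_dmarc, txt_records) if t]
    if len(records) != 1:
        return "no-dmarc"        # none published, or several (receivers ignore all)
    tags = records[0]
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "no-dmarc"        # unusable policy value, graded here as unprotected
    pct = tags.get("pct", "100")
    full = pct.isdigit() and int(pct) == 100
    if policy == "reject" and full:
        return "reject"          # strictest: failing mail is refused outright
    if policy == "none":
        return "monitor-only"    # reports only, spoofed mail is still delivered
    return "partial"             # quarantine, or reject applied to a sample of mail

SAMPLES = {  # constructed records, not real organizations
    "energy-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@energy-a.example"],
    "energy-b.example": ["v=DMARC1; p=quarantine; pct=50"],
    "energy-c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@energy-c.example"],
    "energy-d.example": ["v=spf1 -all"],  # a stray SPF string is not a DMARC record
    "energy-e.example": [],
}

def audit(samples):
    return {domain: classify(records) for domain, records in samples.items()}

def below_strictest(results):
    """Domains that have not reached a full p=reject policy."""
    return sorted(d for d, grade in results.items() if grade != "reject")

if __name__ == "__main__":
    for domain, grade in audit(SAMPLES).items():
        print(f"{domain:20} {grade}")
```

In practice the TXT strings would come from a DNS lookup of `_dmarc.<domain>`; domains graded `monitor-only` or `no-dmarc` are the ones where spoofed mail still reaches recipients.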

 

The findings raise concern, as the Canadian Centre for Cyber Security (CCCS) recently published a report suggesting that financially-motivated cybercrime – particularly business email compromise (BEC) and ransomware – is the leading cyber threat facing the Canadian energy industry.

 

“Due to the high value of the industry’s assets, such as intellectual property, trade secrets, and vast amounts of customer data, it is critical that energy organizations prioritize cybersecurity measures to safeguard against potential cyber threats and protect their customers’ data,” according to Proofpoint Canada Vice-President Jeffrey Freedman. “The oil and gas sector, in particular, will very likely continue to be targeted by state-sponsored cyber espionage for commercial or economic reasons, especially during times of geopolitical tension.”

UW research team to help defend energy sector from cyber threats 

On August 23, the University of Waterloo announced that it has been awarded $1.2M (all figures CDN) in federal funding to help develop an enhanced cybersecurity system that can identify threats before they cause damage to energy concerns or the supply chains that support them.

 

The team of 20 researchers will assess traditional networks as well as IoT devices to identify potential internal risk areas and assess the latest threats, and plans to conduct controlled penetration tests on three energy-sector partners.

 

“Strengthening the cyber security of Canada’s energy sector supply chains is vital to the reliable and resilient operation of our energy systems, which are facing an increasingly complex cyber threat environment. Working in collaboration with universities and industry leaders, we are continuing to support the development of innovative technologies and approaches that build robust protections into the supply chain and protect our most critical systems against cyber threats,” said the Honourable Jonathan Wilkinson, Minister of Energy and Natural Resources. 

Global call for tougher rules around social media data scraping 

In a joint statement on data scraping and the protection of privacy, the Canadian government joined 11 other nations in calling for social media companies to do more to prevent threat actors from scraping personal data from their platforms.  

 

“Social media companies and the operators of websites that host publicly accessible personal data have obligations under data protection and privacy laws to protect personal information on their platforms from unlawful data scraping,” according to the letter issued by the GPA’s International Enforcement Cooperation Working Group (“IEWG”), which also warned that “mass data scraping incidents that harvest personal information can constitute reportable data breaches in many jurisdictions.” 

 

The August 24 statement was released to the public and sent directly to many social media companies, such as Meta and X (formerly Twitter). The statement highlighted five key dangers from successful scraping attacks, and laid out a set of “multi-layered technical and procedural controls to mitigate the risks,” acknowledging that no single approach will be adequately effective in protecting customer data privacy.

Patch alert: Cisco NX-OS, FXOS, and UCS managed software 

In a bulletin released August 23, Cisco released fixes for several product vulnerabilities, including three high severity vulnerabilities in NX-OS, FXOS, and UCS managed software. Devices running these operating systems are often key parts of system infrastructure, so users are urged to assess and implement patches or mitigations as soon as possible. 

Threat alert: Barracuda email security gateway 

In a bulletin released August 23, the FBI warns that threat actors continue to exploit a Barracuda ESG zero-day vulnerability. “The patches released by Barracuda in response to this CVE were ineffective. The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit,” according to the bulletin, which recommends isolation or replacement of any affected devices.  

 

The vulnerability, discovered in June 2023, was first exploited in the wild as early as October 2022. CISA has also issued an alert detailing some of the exploits, and Barracuda has provided guidance on the issue, also recommending that any compromised ESG appliance be replaced as soon as possible. 
