ISA hosts “Meet Our Experts” on November 24
ISA Cybersecurity is hosting the latest instalment of the “Meet Our Experts” series on November 24. Enza Alexander, EVP at ISA Cybersecurity, welcomes Brian Contos, CISO & VP Technology Innovation at Mandiant Security Validation, and Bart Lenaerts, Senior Product Marketing Manager – Threat Intelligence at FireEye, Inc., to discuss how you can expose overlapping controls to help realize the full potential of your security investments.
Registration is free, and all registered attendees will receive a link to the presentation afterwards.
SANS Institute reports huge number of unpatched servers still at risk from “old” vulnerabilities
The SANS Institute’s “Internet Storm Center” (ISC) security research team recently conducted a study to determine the number of computer systems that are significantly behind on important patches. The researchers compiled a list of 100 “high impact” vulnerabilities reported in 2019 or earlier. Then, using the widely accessible Shodan search engine, they scanned for unpatched systems and unsecured services that could leave networks vulnerable to exposures that could have been fixed months – or years – ago.
The results were disappointing. For example, they determined that about 245,000 Windows systems have not been patched against the so-called “BlueKeep” remote desktop protocol (RDP) vulnerability – a flaw that was reported, and a fix published, in spring 2019. Over 1.21 million Linux servers were found to be exposed to a critical web proxy flaw, also fixable since 2019.
These numbers are only the tip of the iceberg: they comprise only machines that are exposed to the Internet. Many more systems may remain unpatched and present exposure from within an enterprise, since attackers who breach a network could move laterally and exploit these same vulnerabilities if they remain unpatched.
SANS published the full report and analysis on November 16 in the ISC blog.
Follow-up: Capcom hack may affect 350,000 individuals
As reported in our cyber news of November 9, video game giant Capcom suffered a cyber breach on November 2. New details emerged this week about the scope of the breach.
Capcom has now advised that some confidential information was “verified to have been compromised” in the Ragnar Locker attack. Their statement disclosed that data belonging to a handful of current and former employees was exfiltrated, including digital signatures in three cases.
Of greater concern was the notice of “potentially compromised data” affecting approximately 350,000 individuals. The exposed data includes a wide range of personal information (including, variously, names, birthdates, email addresses, gender, mailing addresses and phone numbers) belonging to current and former staff, vendors, shareholders, and customers.
The 350,000 figure remains an estimate because “the overall number of potentially compromised [individuals] cannot specifically be ascertained due to issues including some logs having been lost as a result of the attack[.] Capcom has listed the maximum number of items it has determined to potentially have been affected at the present time.”
Capcom also made the observation that “investigation and analysis of this incident took additional time due to the targeted nature of this attack, which was carried out using what could be called tailor-made ransomware, as was covered in some media reports, aimed specifically at the company to maliciously encrypt the information saved on its servers and delete its access logs.”
Canadian cyber threat assessment report published
On November 16, the Canadian Centre for Cyber Security (CCCS) released its second annual national cyber threat assessment report. The National Cyber Threat Assessment 2020 report presents sobering predictions and warnings about the state of cyber security in Canada.
The report warns of the rising number and sophistication of cyber threats, identifying cyber fraud and identity theft as the threat most likely to affect Canadian individuals and organizations. The report specifically called out state-sponsored threats from China, Russia, Iran, and North Korea as the most serious cyber threat due to the sophistication of the threats, the demonstrated pattern of espionage (particularly around COVID-19 research), and potential to disrupt larger enterprises and critical infrastructure with ransomware.
While the study downplayed the threat to Canadians from online foreign influence (e.g., in politics), it highlighted the potential for Canada to be “collateral damage” in attacks on international partners like the United States, due to our intertwined media ecosystems.
The well-presented report concludes with a summary of key resources published by the CCCS in recent months, many from its continuing “Awareness Series” of posts.
Municipal services in Saint John, NB hit with ransomware
According to a post on the city’s Facebook page, the municipal computer systems of Saint John, NB have been hit with a ransomware attack. In a subsequent press conference, Mayor Don Darling said “unusual activity” was discovered late November 13 during routine monitoring, and the city responded by shutting down all online resources.
While “routine” city services remain operational, the city’s website, internal IT systems, email and phone system were taken down as a result of the attack. The city is unable to process payments (e.g., for water bills or parking tickets) and has suspended the issuance of building permits until a manual process is put in place to handle such requests.
In the press conference, Mayor Darling outlined the steps the city had taken as part of its incident response plan. “Teams of experts immediately began investigating to determine what systems were impacted and took steps to isolate the breach and protect networks such as disabling the city’s website, our servers, email, etc.”
While the city said that it had no indication that personal information was accessed or transferred, it advised residents that, “out of an abundance of caution, and as we advised on [November 15], it is generally a good idea to check your personal accounts and credit cards for any irregularities and to notify your financial institution if you see anything odd or suspicious,” according to City Manager John Collin.
Hinting at the severity of the issue, Collin added, “There is no timeline yet for restoration of our IT services, but it is safe to say that we are looking at weeks, not days.”
On November 19, the city employed a third-party service to stand up a temporary website (under the same domain name) to facilitate communications, although much of the functionality of the original site is not currently available. Updates on the cyber attack will be posted on the temporary site and Facebook.