ISA is committed to keeping the security community up to date with the latest cybersecurity news.
Six months to go for Adobe Flash
The demise of Adobe’s “Flash” software is not news: back in July 2017, Adobe announced that Flash would reach end-of-life (EOL) at the end of 2020. Earlier this month, however, Adobe issued an updated statement outlining an aggressive decommissioning plan for the product. Beyond reminding users to uninstall Flash from their computers by the end of the year, Adobe has underscored that it will not merely stop providing updates and support, but will remove all Flash product and download links effective December 31, 2020.
Browser vendors are already winding down Flash plug-ins and support in their products. Google’s Chrome 76, released in July 2019, disabled Flash by default. While users can still re-enable Flash through the end of this year, Google will remove Flash support outright at the end of 2020 or in early 2021. Microsoft announced in 2019 that Flash will be removed from the Edge browser automatically via Windows Update by December 2020.
From its launch in 1996, Flash enjoyed a 10-15 year run as the dominant tool for web animation, interactivity and gaming. A long series of exploited vulnerabilities, which made Flash Player a staple of exploit kits and malware campaigns, tarnished the product’s reputation. Reliability and performance also suffered as touch input became central to the mobile user experience, and more flexible open standards such as HTML5 and JavaScript took over the market. As recently as 2017, over 75% of browsers had Flash enabled; that figure dwindled to just 29% by 2019 and continues to fall as the EOL date approaches. Web developers have all but abandoned Flash as well: a W3Techs survey of website technologies suggests that just 2.6% of current websites use Flash, compared with 28.5% in 2011.
Companies that have not yet reviewed and removed Flash content from their websites have just six months left to act, and the review should cover intranet applications and administrative consoles that still depend on Flash, since a plug-in that no longer receives security patches should not be kept alive for them. Users looking to remove Flash from their computers can consult Adobe’s support pages for Windows and macOS.
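As an added example (not code from the newsletter, from Adobe or from any browser vendor), the following standard-library Python scanner flags the markup patterns through which pages load Flash: the Flash Player ActiveX class id on `<object>` tags, the `application/x-shockwave-flash` MIME type on `<embed>`/`<object>`, `.swf` references in `data`, `src` and `<param name="movie">` attributes, and script tags that pull in the SWFObject loader. The sample page at the bottom is constructed for illustration.

```python
"""Find Flash content in HTML so it can be removed before the Flash EOL.

Added example; not code from the ISA newsletter or from Adobe. Standard
library only. SAMPLE_HTML below is constructed for illustration.
"""
import sys
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Public, well-known identifiers: the ActiveX class id <object> tags use to
# load Flash Player, and the MIME type used by <embed> / <object type=...>.
FLASH_CLSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
FLASH_MIME = "application/x-shockwave-flash"


def _is_swf(url):
    """True if the URL path (ignoring query string and fragment) ends in .swf."""
    return urlsplit(url.strip()).path.lower().endswith(".swf")


class FlashFinder(HTMLParser):
    """Collect (tag, line, detail) tuples for every Flash-related element."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _hit(self, tag, detail):
        line, _col = self.getpos()  # line number of the offending start tag
        self.findings.append((tag, line, detail))

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag names; attribute values may be None.
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            if (a.get("classid", "").lower() == FLASH_CLSID
                    or a.get("type", "").lower() == FLASH_MIME
                    or _is_swf(a.get("data", ""))):
                self._hit("object", a.get("data") or a.get("classid", ""))
        elif tag == "embed":
            if a.get("type", "").lower() == FLASH_MIME or _is_swf(a.get("src", "")):
                self._hit("embed", a.get("src", ""))
        elif tag == "param":
            # <param name="movie" value="x.swf"> nested inside an <object>
            if a.get("name", "").lower() in ("movie", "src") and _is_swf(a.get("value", "")):
                self._hit("param", a.get("value", ""))
        elif tag == "script":
            # SWFObject is the most common JavaScript loader for Flash content.
            if "swfobject" in a.get("src", "").lower():
                self._hit("script", a.get("src", ""))


def find_flash(html):
    """Return a list of (tag, line, detail) findings for the given HTML text."""
    parser = FlashFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legacy Flash banner plus non-Flash media.
SAMPLE_HTML = """<html><head>
<script src="/js/swfobject.js"></script>
</head><body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="300" height="120">
  <param name="movie" value="/media/banner.swf">
  <embed src="/media/banner.swf?v=3" type="application/x-shockwave-flash">
</object>
<video src="/media/intro.mp4"></video>
<img src="/img/logo.png">
</body></html>
"""


if __name__ == "__main__":
    # Usage: python flash_scan.py page1.html page2.html ...
    # With no arguments, scan the constructed sample page.
    paths = sys.argv[1:]
    if not paths:
        for tag, line, detail in find_flash(SAMPLE_HTML):
            print(f"sample.html:{line}: <{tag}> {detail}")
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for tag, line, detail in find_flash(fh.read()):
                print(f"{path}:{line}: <{tag}> {detail}")
```

Run it over a site's exported HTML templates and pages; anything it reports will stop rendering once browsers drop the plug-in. The scanner only sees markup, so Flash loaded purely from JavaScript (for example, a bundled loader that is not named swfobject) still needs a search of the script sources for `.swf` references.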
A case of mistaken identity for Maze ransomware attackers
Hackers using Maze ransomware have announced an attack against the CSA Group, Canada’s leading safety and performance standards organization. The only problem? The hackers appear to have attacked the wrong CSA Group.
CSA Group, formerly the Canadian Standards Association (CSA), operates under the domain name of csagroup.org. It appears that the hackers inadvertently launched an attack against the domain csagroup.com, which is operated by an architectural and engineering project management firm based in New York City.
Maze attacks follow the now-familiar double-extortion pattern: the operators gain administrative access to a target company’s network, exfiltrate data, then encrypt systems and threaten to publish the stolen data unless the ransom is paid. According to cybersecurity research company Emsisoft, materials posted by the attackers on June 17 demanding a ransom from Canada’s CSA Group actually revealed architectural design drawings and email addresses that appear to belong to the unrelated New York City company. Indeed, the website csagroup.com was offline for 2-3 days after the demands were posted, but service was restored by June 21. No statement or acknowledgement of the suspected attack appeared on the site when it came back up.
Coincidentally, Canada’s CSA Group is very active in cybersecurity testing and hardening evaluations for IoT devices, a growing area of interest as the global number of Internet-connected devices increases dramatically.
Cyber Readiness Institute surveys find small business may be underestimating cyber risk
According to a recent study by the Cyber Readiness Institute (CRI), small businesses are expressing less concern about cybersecurity during the pandemic than their larger counterparts. Fewer than a third of companies with 10 or fewer employees said their cybersecurity concerns had increased due to remote work arrangements, while 41% of larger companies reported increased concern. Fewer than half of small companies had invested more time or money in cybersecurity, while 80% of larger companies had increased spending.
Training was another area of divide between large and small companies: just 22% of small companies provided additional cyber training in the face of a surge in phishing and ransomware attacks, whereas more than half of the larger companies surveyed had increased staff awareness.
The full press release was posted on the Cyber Readiness Institute website on June 17. The survey expands on CRI’s March survey, which also highlighted troubling statistics about the preparedness of small businesses in the face of the shifting cybersecurity landscape created by the pandemic. The CRI, based in Washington, D.C., is a non-profit initiative that brings business leaders and cybersecurity experts together to develop practical, easy-to-use tools and reference materials for improving cybersecurity readiness.