Compromised password blamed for pipeline hack, a new phishing scam pushes fake updates and more ransomware groups emerge.
Welcome to Cyber Security Today. It’s Monday, June 7. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Experts insist that following the basic principles of cybersecurity will go a long way to lowering the odds of being victimized by an attacker. The latest proof is last month’s ransomware attack on Colonial Pipeline in the U.S. Hackers got in by exploiting a compromised username and password, according to an official of FireEye’s Mandiant threat intelligence service. Mandiant was called in to investigate the breach. The executive told Bloomberg News the password for a virtual private network account was no longer in use, but was still valid. That password was posted on the dark web, which raises the possibility a current or former Colonial employee used the same password on another account that had been hacked.
This is another example of why multifactor authentication has to be used as extra protection for logins to all computer assets. It also shows why IT departments have to take greater responsibility for managing the passwords of accounts that have changed status, such as those no longer in use.
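A defender's check for the two weaknesses in that account, added here as an example and not part of the podcast: a Python audit that flags enabled VPN accounts which have not logged in within a set period or which lack MFA. The account records, the 90-day threshold and the field names are constructed assumptions, not data from the story.

```python
"""Audit VPN accounts for stale-but-valid credentials and missing MFA.
Records are constructed inline; a real audit would pull them from the
VPN appliance or the directory that backs it."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

STALE_AFTER_DAYS = 90          # assumed policy threshold
AUDIT_DATE = date(2021, 6, 7)  # the date the audit is run


@dataclass(frozen=True)
class VpnAccount:
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[date]  # None means the account never logged in


# Constructed sample data, not real accounts.
SAMPLE_ACCOUNTS = [
    VpnAccount("jdoe", True, False, date(2021, 6, 4)),
    VpnAccount("former.contractor", True, False, date(2020, 11, 2)),
    VpnAccount("asmith", True, True, date(2021, 6, 6)),
    VpnAccount("old.svc", False, False, None),
    VpnAccount("never.used", True, True, None),
]


def audit(accounts: List[VpnAccount], today: date,
          stale_after: int = STALE_AFTER_DAYS) -> Dict[str, List[str]]:
    """Return username -> findings for every enabled account with a problem."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account cannot be used to log in
        issues = []
        # Still valid, but unused for longer than policy allows (or never used).
        if acct.last_login is None or (today - acct.last_login).days > stale_after:
            issues.append("stale-but-valid")
        # A password alone is the only thing protecting this login.
        if not acct.mfa_enrolled:
            issues.append("no-mfa")
        if issues:
            findings[acct.username] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"{user}: {', '.join(issues)}")
```

Accounts reported as stale-but-valid are candidates for disabling; those reported as no-mfa need enrollment before they are allowed to keep connecting.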
Crooks are taking advantage of increased worries sparked by the Colonial Pipeline attack. They are trying to trick employees into downloading malicious files pretending to be software updates. This warning comes from the cybersecurity firm I.N.K.Y. Targeted phishing messages are circulating that start with, “Given the recent ransomware attack against Colonial Pipelines and many other organizations,” and go on to say the employee is required to run a new update. The link to the update looks like it comes from a legitimate website. And the update page itself has the company’s logo, which also makes the scam convincing.
If your organization looks after software updates behind the scenes, report this kind of email. If your organization pushes updates that you have to install, make sure they are legitimate. Don’t be afraid to ask. Just make sure you don’t phone the number in a suspect email.
Three new ransomware groups have popped up. According to a U.S. incident response company called Speartip, one group is called Prometheus, and claims to have ties to the REvil ransomware gang. However, in most antivirus engines it will be detected as Thanos ransomware. Prometheus has published data it says has been stolen from several Mexican government departments, a gas company in Ghana, an Oklahoma cardiovascular centre and others. The other new group seen by Speartip is called Grief. It claims to have stolen data from five organizations, including a county in Alabama and a firm in Mexico. Meanwhile a U.S. threat intelligence company called Cyble has found a new gang it calls BlackCocaine. Its first victim appears to be a financial services company in India. Regardless of the number of ransomware groups, IT departments have to increase their vigilance for signs of an intrusion and set up defences to protect against a successful attacker moving through their computer networks.
Finally, the U.S. continues to try to cripple malware gangs. In its latest move the Justice Department has charged a Latvian woman for her alleged role in creating and deploying the notorious malware suite called Trickbot. The woman was arrested in February in Miami. Trickbot has been stealing personal information, bank account logins and financial information from infected computers around the world since November 2015. The allegation is that the accused wrote code related to the deployment of, and payments for, ransomware.
That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.