How Dragos was fooled by an attacker impersonating a new employee, and more

Welcome to Cyber Security Today. It’s Friday, May 12th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for and in the U.S.


I’ve been ill this week. I’m grateful to Jim Love, IT World Canada’s chief information officer, for filling in on Wednesday morning’s podcast and later today on the Week in Review.

IT and security pros worry about the IT access of current employees being compromised. They should also worry about those about to be hired. This comes after an attempt Monday by an unnamed criminal group to extort Dragos, an industrial control cybersecurity company. The gang compromised the personal email address of a new sales employee before they started work at Dragos. That allowed the crooks to impersonate the new employee and get enrolled with the company online. Once inside the network, the crooks were able to access Dragos’ contract management system, used by sales staff, and see a report with the IP address of a customer. That could have led to an attack on that organization. Dragos assumes the goal of the crooks was to launch ransomware against it, because that’s the gang’s usual tactic. But after failing to elevate privileges, the gang tried to extort Dragos by threatening to reveal their successful penetration. When no response was received, they sent messages to family members of Dragos executives. One big lesson from this incident: Additional identity verification is needed for online onboarding of new staff. Another is the importance of layered defences that prevent things like lateral movement and privilege escalation. One question the Dragos report doesn’t answer: How did the attacker know a person was about to join the company? My guess: They boasted about it on a social media site like LinkedIn, Twitter or Facebook.

Brightly Software, maker of the SchoolDude online platform that helps education institutions place maintenance work orders, is notifying present and past subscribers of a data breach. According to Bleeping Computer, copied were names, email addresses, account passwords and phone numbers. Brightly, which is owned by Siemens, has reset all user passwords.

Cisco Systems Canada did a recent survey of ordinary Canadians about their use of mobile devices. A couple of numbers caught my eye. The first is the use of multi-factor authentication: Only 38 per cent of respondents think they or their family use MFA on their personal devices. Only 27 per cent said they or their family members use MFA for their work and personal devices. Those aren’t impressive numbers. They speak to the need for IT and security leaders to make the use of multifactor authentication mandatory at work, and to spread the word that employees should use it on their home devices as well. Why is this important? Because 45 per cent of respondents said they frequently work on office documents on their personal devices.

Attention IT administrators with VMware hypervisors in their Linux systems: Make sure they’re fully updated and protected. A new report from researchers at SentinelLabs says 10 ransomware gangs are bundling data lockers in their malware that can take advantage of ESXi. They’re using elements of the leaked Babuk ransomware code that’s been going around since 2021.

Those looking for trends in regulating artificial intelligence systems should look at the progress of legislation in the European Parliament. Two committees yesterday approved what’s called a draft negotiating mandate on AI rules. The proposed framework says AI systems with an unacceptable level of risk to people’s safety would be strictly prohibited. Among them: Real-time remote biometric identification systems, like facial recognition, in publicly-accessible areas. In fact, European police would be forbidden from using facial recognition except for prosecuting serious crimes, and only after judicial authorization. Generative AI models, like ChatGPT, would have to comply with additional transparency requirements, like disclosing that the content was generated by AI, designing the model to prevent it from generating illegal content and publishing summaries of copyrighted data used for training. Note that a draft EU law still hasn’t been created. Canada and the U.S. are thinking about AI regulation as well.

A new Windows 11 capability allowing iPhone users to connect to their PCs may have created a backdoor for attackers to get into Apple phones. Researchers at Certo Software say the problem is in the latest version of a Microsoft app called Phone Link. It has long allowed Android users to sync to a Windows computer by WiFi. The ability to connect with iPhones was added last month. However, the researchers say if an attacker has access to a target’s iPhone, they can set up Phone Link on their own Windows PC. Then they can spy on the victim’s iMessages and phone call history. Here’s the thing: The iOS version of Phone Link only works with Bluetooth. So the person intercepting a victim’s communications would have to be very close by. One way an iPhone owner can prevent this hack: If you don’t use Bluetooth at all, turn it off. Another way is to set a passcode or use a fingerprint so only you can unlock your phone.

Finally, a former employee of a U.S. network equipment maker has been sentenced to six years in prison by a U.S. judge. While working at the firm he stole gigabytes of data from the company in 2021, then tried to extort it for nearly US$2 million for the return of the files. When he didn’t get anything he planted misleading news stories about the company’s handling of the data breach he created, causing its stock to drop. The company wasn’t named in the Department of Justice news release on the case, though it has been identified by other news sites as Ubiquiti.

That’s it for now. But later today the Week in Review podcast will be available. Host Jim Love and guest David Shipley of Beauceron Security will talk about recent news, including progress on fighting ransomware.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.

The post Cyber Security Today: May 12, 2023 – How Dragos was fooled by an attacker impersonating a new employee, and more first appeared on IT World Canada.
