Two US companies pay $850,000 for data breaches, and more.

Welcome to Cyber Security Today. It’s Friday, May 26th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for and in the U.S.

This is Memorial Day in the U.S., and the Spring Bank holiday in the U.K., so if you’re listening from those countries, thanks.

New York State levied US$850,000 in fines against two companies last week for failing to protect consumers’ personal information. PracticeFirst Medical Management Solutions had to pay US$550,000 in penalties for failing to update its firewall after an update was issued in January, 2019. Almost two years later a hacker exploited that unpatched vulnerability to steal unencrypted personal and medical data on over 1.2 million people. As part of the settlement, the company has to maintain a comprehensive IT security program, encrypt personal data, adopt appropriate authentication methods and maintain a vulnerability management program.

Separately, Sports Warehouse, which runs several online sporting goods websites, agreed to pay the state $300,000 stemming from a 2021 data breach involving unencrypted information of 2.5 million customers. An attacker apparently used a brute force attack to get into servers. Like the agreement with PracticeFirst, Sports Warehouse has to maintain a comprehensive IT security program and encrypt personal data. In addition it has to strengthen the requirements for customers’ passwords, hash all stored passwords and promise to delete personal data when there is no longer a business need to keep it.

Switzerland’s ABB Group, a multi-billion dollar manufacturing company, has acknowledged being hit by ransomware. In a news release last week the company said the attacker copied an unspecified amount of data. The company said a “limited number” of servers and endpoints were directly affected by the malware.

A new ransomware gang calling itself Buhti has surfaced. According to researchers at Symantec, the gang uses variants of the leaked LockBit and Babuk ransomware code to attack Windows and Linux systems. The group uses what appears to be a custom-developed information stealer to search for specified file types. And it’s quick to exploit recently disclosed vulnerabilities. For example, one recent attack leveraged the recently patched PaperCut vulnerability.

A new piece of malware aimed at industrial control systems has been discovered. Researchers at Mandiant say the malware, which they call CosmicEnergy, can disrupt power transmission in electric utilities through devices running the IEC-104 protocol. These are commonly used in Europe, the Middle East and Asia. That makes CosmicEnergy similar to the Industroyer malware used against electric utilities in Ukraine.

An increasing number of people are buying products online. That doesn’t mean they’re enjoying it. According to a recent worldwide survey by Adyen, a payment processing firm, around 60 per cent of consumers find online shopping less attractive because of fraudsters. Almost a quarter of respondents said they experienced payment fraud over the past year. The question for online retailers is what are you doing to ensure customers feel secure on your site?

Attention network administrators with Zyxel firewalls in their environment: Unpatched devices are now being mass exploited by the Mirai botnet. That’s according to security researcher Kevin Beaumont. There’s no reason why devices on your network should be hit, because patches were released April 25th. By the way, Zyxel separately announced fixes for two other potentially serious flaws affecting its firewalls. These patches need to be installed as well.

The open source PyPI repository of Python projects is taking another step to increase security. By the end of the year every account that maintains a project on the platform must have enabled two-factor authentication. That’s to prevent a threat actor from taking over the account and replacing a developer’s code with malware. So why wait: Turn it on now. Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage. In addition, it may begin selecting certain users or projects for early enforcement.

Finally, what’s the biggest lesson a CISO learned from a ransomware attack? Make sure executives are designated in advance to be decision-makers for cyber incidents. That’s according to the news site Dark Reading, which last week carried a synopsis of a presentation given by the CISO of the American division of tire maker Bridgestone. The division was hit by ransomware in 2022. Executives — not the IT team — are going to have to decide if the company should disconnect networks, pay the ransom or make other critical moves. So make sure designated executives are part of tabletop exercises held by the cyber incident response team so they know what to expect. You do have a designated cyber incident response team, right …?

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, May 29, 2023 – Two US companies pay $850,000 for data breaches, and more first appeared on IT World Canada.