Cyber Risk Update 30 DEC 2022
There are supply chain risks when we use cloud services:
Two misconfigured AWS S3 buckets apparently belonging to McGraw Hill exposed more than 117 million files belonging to hundreds of thousands of students. https://www.theregister.com/2022/12/20/mcgraw_hills_s3_buckets_exposed/
Threat actors have been using a triple extortion method to pressure organizations into paying the ransom:
Ransomware hackers take demands directly to college students: ‘For you, it’s a sad day’ https://www.nbcnews.com/tech/security/ransomware-hackers-take-demands-directly-college-students-s-sad-day-rcna61253
Threat actors lean heavily on phishing attacks, vulnerabilities in software and containers, and stolen credentials to break into organizations. https://www.cybersecuritydive.com/news/how-attackers-break-organizations/629686/
Local governments are still a target:
On December 16, 2022, Victoria's firefighting service said that a cyberattack disrupted its network, email, and dispatch systems. https://www.theage.com.au/national/victoria/fire-rescue-victoria-blames-cyberattack-for-dispatch-system-outage-20221216-p5c70l.html
USB devices are still an attack method for the bad guys:
The Raspberry Robin worm has been used in attacks against government office systems across Latin America, Australia, and Europe since at least September 2022. The malware utilizes infected USB drives as a distribution vector to download an MSI installer file that deploys the main payload. https://thehackernews.com/2022/12/raspberry-robin-worm-strikes-again.html
Warnings & PSAs:
In a public service announcement, the U.S. Federal Bureau of Investigation (FBI) said threat actors are purchasing advertisements that impersonate legitimate businesses or services, specifically finance and cryptocurrency exchange platforms. https://www.ic3.gov/Media/Y2022/PSA221221
CISOs are up against talent shortages and retention concerns amid an increasingly sophisticated threat landscape. https://www.cybersecuritydive.com/news/top-ciso-concerns-cybersecurity-strategy/631172/
Cyber Insurance:
Ransomware hacking isn't tantamount to a physical attack, the Ohio Supreme Court ruled, meaning a software developer can't use its property insurance to cover losses. https://www.govinfosecurity.com/ohio-supreme-court-says-ransomware-physical-damage-a-20808
As insurance costs and requirements rise, some municipalities seek self-insurance and service providers’ cyber incident warranties to help in cases of ransomware and other incidents. https://www.govtech.com/computing/facing-cyber-insurance-woes-local-governments-find-other-options
Legal and Compliance:
Privacy laws go into effect on Jan. 1 in California, Colorado, and Virginia, and DataGrail CEO Daniel Barber says it's time businesses take privacy seriously. https://www.scmagazine.com/editorial/analysis/data-security/datagrail-ceo-daniel-barber-cisos-better-understand-their-responsibilities-around-data-privacy