This month’s edition of the Consortium Networks Monthly Newsletter is a huge policy roundup! Our semi-annual Washington Watch is out along with an overview of the current state of data privacy regulation in the United States. To round us out, we’ve included our analysis of the Microsoft hack last month and an overview of insider threats.
Be sure to sign up for the newsletter here to join our mailing list so you never miss an edition.
Washington Watch: August 2023
Washington Watch is an amalgamation of executive, congressional, and judicial action on various topics within cybersecurity designed to inform on the trends and conversations happening in Washington surrounding cyber. We hope the information provided here will help your organization prepare for any changes it will need to make based on legislation or other federal action that may be taken and that it will start a conversation about the national movement towards greater cybersecurity and resilience.
The Eye of the Storm: Malware in Focus
In June 2023, a Federal Civilian Executive Branch (FCEB) agency in the United States detected anomalous activity in its Microsoft 365 email environment, which led to the discovery of a new espionage campaign connected to China. A month later, on July 11th, Microsoft published a blog post disclosing that a China-based threat actor had gained access to an unspecified number of email accounts across approximately 25 organizations. The group, tracked as Storm-0558, primarily targets government agencies in the United States and Western Europe and focuses on espionage and data theft.
The Call From Inside the House: Understanding and Preventing Insider Threat
Insider threats pose significant risks to organizations of all sizes but are unfortunately often overlooked or misunderstood by security teams. These threats come from individuals with access to an organization’s systems, networks, or data, including employees, contractors, business partners, and former staff.
A State-by-State Data Privacy Roundup
As it stands today, 11 states in the United States have enacted comprehensive data privacy laws, many of them in the first half of this year. Comprehensive data privacy goes hand in hand with cybersecurity, and the two can and should bolster each other.
In the continued absence of a national data privacy bill, many states have begun to legislate on their own to protect their residents' rights and give businesses clarity, particularly for global businesses based in the United States that must contend with the patchwork of US legislation, the GDPR in Europe, and many other countries' data privacy laws. States increasingly see taking the guessing game out of privacy as a business accelerator.
In Other News
Russian TV Hacked by Ukraine in a Sabotage Attack: Russian TV broadcasts were hit with a cyber attack displaying the Ukrainian message “the hour of reckoning has come” along with videos of the Ukrainian military in action. The hack was allegedly carried out by the Ukrainian Defense Ministry.
HCA Healthcare Patients Have Their Private Information Stolen and Sold by Hackers: HCA Healthcare patients' full names, cities, and last-appointment information are being sold on a data breach forum.
Ukrainian Hackers Take Down Russian Rail Website: The website of RZD, the Russian state-owned railway, was taken offline by suspected Ukrainian hackers, forcing citizens to go to railway stations in person to buy tickets. IT Army, a Ukrainian hacktivist group, claimed the attack, which kept the site down for at least 6 hours. This is the second DDoS attack on RZD since the war began.
North Korean Hackers Linked to GitHub Attack: GitHub, which is owned by Microsoft, attributed a recent social engineering campaign to North Korean hackers. The campaign targeted employees of cryptocurrency, online gambling, and blockchain companies who had GitHub accounts, luring them into running malicious npm packages. No GitHub or npm systems were compromised.
IT Firm JumpCloud Hacked by Nation-State: Though the country has yet to be named, JumpCloud attributes the intrusion to a "sophisticated nation-state sponsored threat actor" that gained access to its network through a spearphishing campaign. The attack began on June 22 and was detected on July 5 when JumpCloud observed anomalous activity in its commands framework affecting a small set of customers.
Cyberattack Leaves at Least Two British Ambulance Services Without Access to Patient Files: The Swedish software company Ortivus was hacked on July 18th, leaving the electronic patient records of at least two British ambulance services inaccessible. The company stresses that patients were not directly affected.
Critical Compromise of Air Force Communications by Air Force Personnel: Arnold Air Force Base was tipped off that one of its engineers was taking radios home from the base. After obtaining a search warrant, investigators searched the engineer's residence and found roughly $90,000 worth of equipment taken from the base along with unauthorized access to sensitive radio communications technology. No charges have been filed yet; the case follows close behind the Pentagon security breach earlier this year.
Estée Lauder Becomes MOVEit's Newest Victim: Cosmetics giant Estée Lauder has been hit by not one but two criminal groups, BlackCat and Clop. BlackCat claims to have worked separately from Clop's MOVEit campaign and to have stolen more than 130 gigabytes of company data.
Mattress Giant Hacked by BlackCat: Mattress giant Tempur Sealy was hit with a major cyberattack that forced the company to shut down its IT systems. The attack was carried out by BlackCat/ALPHV, a well-known ransomware group.
Offshoot of Royal Ransomware Hits Tampa Bay Zoo: One of the most popular zoos in the United States was hacked, causing the theft of employee and vendor data. This is believed to be the work of a Royal ransomware group offshoot called BlackSuit.
Port of Nagoya Hit with a Major Ransomware Attack: The Port of Nagoya, Japan's largest trading port, was hit with a ransomware attack attributed to the LockBit group. LockBit has not officially claimed the attack, but the port attributes it to them. This is the second hit on the port in the last year, following the DDoS attack by KillNet last September.
North Carolina Town Handling Ransomware Attack: Cornelius, North Carolina, a suburb of Charlotte, is handling the aftermath of a ransomware attack that shut down several city-wide facilities and services.
Trinidad and Tobago Hit with Debilitating Cyberattack: Trinidad and Tobago was hit with a cyberattack that caused significant outages and service disruption. Government staff in this nation of more than 1.4 million people lost the ability even to log into their email accounts or access important documents.
Mississippi County Hit by Ransomware Attack: A coastal Mississippi town was thrown adrift when a phishing campaign, followed by a brute-force attack, took down almost every government device connected to its server. The ransom was not paid and the appropriate authorities were notified.
Hawaii Community College pays Ransomware Group After NoEscape Attack: Hawaii Community College was ransomed by the NoEscape ransomware group after student data was stolen. In order to avoid the information being leaked, the college paid the ransom and is in the process of getting services back online.
Upwards of 300,000 Firewalls Vulnerable to FortiOS RCE Bug: Many Fortigate firewalls remain exposed to CVE-2023-27997, a heap-based buffer overflow in the FortiOS SSL-VPN component that allows unauthenticated remote code execution. Although a patch has been released, more than 300,000 appliances with the SSL-VPN interface reachable from the internet remain unpatched and vulnerable to compromise.
Apple Patches Zero-Day Vulnerability: Apple released its third security update in a short span to address exploits used in the Operation Triangulation spyware campaign. The campaign specifically targets Russian Apple users, and the attacker remains unknown. The most recent patch addresses CVE-2023-38606, a kernel vulnerability.
Latvian Equipment Manufacturer MikroTik's Routers Vulnerable to Attacks: CVE-2023-30799, a RouterOS flaw that lets an attacker who already holds an admin account escalate to "super-admin" and run arbitrary code, has a patch available that was not heavily advertised, leaving many routers at risk. Researchers at VulnCheck say that "hundreds of thousands" of devices are currently exposed.
Two Vulnerabilities Discovered in Linux Operating System Ubuntu: Two vulnerabilities found in Ubuntu (CVE-2023-2640 and CVE-2023-32629) give local attackers the ability to escalate their privileges to root. Both lie in Ubuntu's OverlayFS implementation. Because Ubuntu ships a modified version of OverlayFS, an upstream kernel fix that had mitigated a similar issue did not carry over to Ubuntu's code, leaving systems vulnerable.
Advisory on IDOR Vulnerabilities: CISA and its Australian counterpart released a joint warning this month on Insecure Direct Object Reference (IDOR) vulnerabilities, in which a website or API fetches a record using an identifier supplied by the client (such as an account number in a URL) without checking that the requesting user is authorized to access that particular record. An attacker who is logged in can simply change the identifier to read or modify other users' data.
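The following is an added example, not code from the advisory or from this newsletter. It models the IDOR pattern with a hypothetical in-memory invoice store standing in for a web API: the first handler performs only authentication and looks the record up by the client-supplied id, the second adds the missing server-side ownership check. The sample invoices are constructed.

```python
"""Insecure Direct Object Reference (IDOR): vulnerable lookup beside the fix.

Hypothetical stand-in for an HTTP handler such as GET /invoices/<id>. The
caller is already authenticated; `session_user` is the identity the server
established for the session, never something taken from the request body.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount_cents: int


# Constructed sample data: two tenants' invoices behind sequential ids.
INVOICES = {
    1001: Invoice(1001, "alice", 12_500),
    1002: Invoice(1002, "bob", 99_900),
    1003: Invoice(1003, "alice", 4_200),
}


class NotFound(Exception):
    """Raised for a missing record *and* for a record the caller may not see."""


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Invoice:
    """Authenticated, but the object is fetched purely by the client-supplied id.

    Any logged-in user can walk /invoices/1001, /invoices/1002, ... and read
    other tenants' records. This is the IDOR the advisory describes.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice_fixed(session_user: str, invoice_id: int) -> Invoice:
    """Same lookup plus an authorization check bound to the server-side session.

    A mismatch returns the same error as a missing record, so the endpoint does
    not become an oracle that confirms which ids exist. In a database-backed
    service the equivalent is scoping the query itself, e.g.
    `WHERE id = ? AND owner = ?`, rather than fetching first and filtering later.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        raise NotFound(invoice_id)
    return inv


Handler = Callable[[str, int], Invoice]


def can_read(handler: Handler, session_user: str, invoice_id: int) -> bool:
    """True if `handler` returns the record to `session_user`."""
    try:
        handler(session_user, invoice_id)
        return True
    except NotFound:
        return False


def enumerate_readable(handler: Handler, session_user: str,
                       ids: Iterable[int]) -> List[int]:
    """Simulate an attacker iterating ids: which records does the handler leak?"""
    return [i for i in ids if can_read(handler, session_user, i)]


if __name__ == "__main__":
    probe = range(1000, 1010)
    print("vulnerable, as bob:", enumerate_readable(get_invoice_vulnerable, "bob", probe))
    print("fixed, as bob:     ", enumerate_readable(get_invoice_fixed, "bob", probe))
```

Running the module as a script shows the difference directly: against the vulnerable handler, bob enumerates all three invoices, including alice's; against the fixed handler he sees only his own. The important design point is where the check lives: the owner comes from the server's session, and the comparison happens before any data leaves the handler.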
DDoS Attacks Increasing in Frequency: Cloudflare's Q2 2023 report found that HTTP DDoS (Distributed Denial of Service) attacks rose 15% compared with the first quarter of this year, although they remain below the level seen in Q2 of last year.
US Struggles to Safeguard Water Supply: A spreadsheet by the Environmental Protection Agency (EPA) obtained via FOIA request shows that water utilities are struggling to implement appropriate cybersecurity measures. This report comes on the heels of a court pausing an EPA rule targeting this same issue.
IBM Reports Data Breach Cost at $4.45M: IBM's latest Cost of a Data Breach report found that the global average cost of a data breach has reached an all-time high of $4.45 million per incident, a 15% increase over the last three years. The same report found that healthcare breaches remain the most expensive of any sector, averaging $10.93 million per incident, a 53% increase over three years.
North Korean Linked Hackers Are Using Fake US Military Job Recruitment Documents to Trick People into Downloading Malware: A North Korea-linked group dubbed STARK#MULE has been observed using fake United States military job recruitment documents to convince targets to download malware. Notably, the malware is staged on legitimate but compromised websites, which helps the group evade detection.
Most Government and Critical Infrastructure Cyber Attacks Involve Legitimate Credentials: Valid accounts were used in at least half of the cyberattacks on federal agencies, critical infrastructure, and state-level government bodies. Mitigations include strong passwords, email filtering, timely patching, and multifactor authentication.
Hackers Are Using TrueBot Malware in Phishing Campaigns in US and Canada: Authorities are warning that threat actors are distributing TrueBot malware, also known as the Silence Downloader, in phishing emails aimed at US and Canadian targets.
Iran Associated Hackers are Targeting Middle Eastern Affairs and Nuclear Security Experts: Middle Eastern affairs and nuclear security experts are being targeted by Iran-supported hackers. These hackers are pretending to be UK think tank fellows and have been spreading Mac specific malware to devices. The goal of the campaign seems to be reconnaissance and to monitor the policy positions of experts in the field.
Honeywell Joined CISA in Their Warning of Several Serious Vulnerabilities: CISA and Honeywell are both warning the manufacturing industry of a series of vulnerabilities affecting a line of Honeywell industrial control products. Nine vulnerabilities, collectively dubbed "Crit.IX," allow unauthenticated remote code execution on affected systems. CISA rates 7 of the 9 as critical.
APT41 Hackers Targeting Mobile Devices with WyrmSpy and DragonEgg Spyware: The Chinese APT41 hacking group is targeting Android devices with spyware called WyrmSpy and DragonEgg. Adding mobile devices to its repertoire is dangerous because of the amount of personal and corporate data most adults keep on their phones. The two spyware families typically masquerade as default system apps or as apps impersonating Adobe Flash.
Ukrainian Diplomats Were Lured in by a Fake BMW Advertisement: A flier for a used BMW carrying malicious code was sent to 22 foreign missions in Kyiv, Ukraine. The original flier, circulated by a Polish diplomat, was innocuous; the Russian threat actor known as Cozy Bear (APT29) repurposed it, made it more appealing by lowering the price, and packaged malware alongside the photos of the car. The scheme was discovered only because an interested party called about a car priced far below what the seller was actually asking.
Investments and Innovations
FCC Pushes for an Update to E-Rate Program to Allow Schools to Buy Cyber Protection: Federal Communications Commission (FCC) Chair Jessica Rosenworcel is spearheading a push to let schools purchase cybersecurity protection under the E-Rate program.
CISA Programs Help Identify and Respond to Cyber Attacks: CISA's Continuous Diagnostics and Mitigation (CDM) program has standardized responses to groups of cyber incidents, including the MOVEit breach, and also helped with a recent email security gateway compromise. The program was launched by the Department of Homeland Security and is now run by CISA.
A Possible New Cyber Centered Military Service: A bill introduced in the Senate would require the DoD to work with the National Academy of Public Administration to explore the creation of an independent cyber-focused branch of the military. As of now Pentagon leaders are resisting and trying to continue to rely on the US Cyber Command.
CyberSentry Launches Webpage: CyberSentry is a CISA-managed threat detection and monitoring program that watches for both known and unknown malicious activity on the information technology and operational technology networks of participating critical infrastructure operators. The program's website launches as adversaries grow more capable of breaking into large critical infrastructure environments. CyberSentry has already detected several issues, including unintentional exposures, infected OT equipment, and malware.
Encryption Under Legal Threat Globally: Both the United States and the European Union are considering children's online safety bills that would effectively require providers of end-to-end encrypted apps like WhatsApp and Signal to scan or otherwise give law enforcement access to message content. Either measure would be a serious blow to end-to-end encryption.
Federal Ruling Harming CISA Information Sharing Efforts: A federal court order barring communication between senior federal officials and social media companies on matters related to protected speech is chilling efforts to scale-up public-private information sharing efforts.
EPA Water Regulation Suspended: The 8th Circuit Court of Appeals in St. Louis, Missouri, temporarily suspended the EPA’s plan to better secure water filtration systems across the country. Further coverage by Consortium Networks can be found here and here.
EU Court Requires Meta to Change Data Governance: Following a number of costly fines to the company, the European Union Court of Justice ruled that Meta must change its data governance policies so that it does not track customer web surfing and use of browser apps.
Payroll Services Provider to Pay $6M for Data Breach: The payroll services provider UKG reached $6 million settlement over a 2021 data breach caused by a ransomware attack. This settlement underscores the risk third-party providers hold in being financially liable for cyberattacks.
New Jersey Supreme Court to Hear Merck NotPetya Insurance Dispute: The New Jersey Supreme Court agreed to review the legal battle between Merck and several major insurers over coverage for losses from the 2017 NotPetya cyberattack, which the insurers sought to deny under a war exclusion.
Bangladesh Government Fixes Website That Leaked 50 Million Citizens’ Personal Data: An insecure government webportal was discovered that housed the names, phone numbers, birth certificates, and national IDs of millions of Bangladeshi citizens. The leaked data was taken offline two weeks after the appropriate officials were made aware but, as of now, the future ramifications are unknown.
Clop Leaking Stolen MOVEit Data on Clearweb Sites: Cl0p, the group most famous for the MOVEit attacks, has followed in ALPHV’s footsteps and begun leaking stolen data on the open web to strongarm victims into paying a ransom.
Massachusetts has a New Proposed Bill that Would Ban the Sale of Cell Phone Location Data: Massachusetts is considering a ban on the sale of cell phone location data altogether. This new bill would only allow providers to use location data to provide a product or service that the person wants, such as allowing location for an UberEats app. This bill would only apply to cell phones and would not do anything about information collected on other mobile devices.
White House Unveils IoT Security Labeling System: The Biden administration unveiled the consumer technology labeling plan put forth last Fall that aims to strengthen the cybersecurity of smart home devices. More coverage by Consortium Networks here.
SEC Incident Reporting Rule Approved: In a change from a recent announcement that no rule would be approved until October, the SEC approved an incident reporting rule that will require companies to disclose “material” cybersecurity events within four business days of the company “deciding the incident is material.”
TSA Revises Cybersecurity Directives for Oil and Gas Pipelines: The TSA updated its oil and gas pipeline security directives to require pipeline owners to submit updated cybersecurity assessment plans to the TSA annually, report results of assessments each year, and test at least two cyber incident response plans.
At the State Level
CPRA Enforcement Postponed to 2024: The California Superior Court ruled that the regulations implementing the California Privacy Rights Act (CPRA), a supplement to the CCPA, cannot be enforced until March 2024, following a lawsuit by the California Chamber of Commerce arguing that state businesses would not have enough time to prepare for the original enforcement date.
California Privacy Regulators Set Sights on Internet-Connected Cars: The California Privacy Protection Agency (CPPA) announced that the first sector it will review is manufacturer’s treatment of data collected from vehicles to include locations, smartphone connections, and images from cameras.
Nevada Enacts Consumer Health Data Privacy Law: Nevada Governor Joe Lombardo signed into law a sweeping consumer health data privacy law that requires covered entities to provide privacy rights to consumers providing health data to companies not covered by other laws like HIPAA that apply to health care providers.
Rhode Island Amends Data Breach Law: Rhode Island significantly updated its data breach notification law this month to require companies to notify the state police within 24 hours of discovering an incident and to notify affected individuals within 30 days.
Online Freedom at Risk Due to French Cyber Bills: The French Digital Bill and Military Planning Law together are trying to give access to the authorities so they may appropriately fight against future cyber threats. However this would allow a large amount of internet censorship which could set a dangerous precedent of limiting online freedom in the name of preemptive security.
Big tech Privacy Probes Revamped: The European Commission recently reported new rules to help investigators deter privacy breaches. This rule requires the main privacy authority to report a summary of major problems to their peers and allow for feedback while in the early stages of the process.
NATO Summit Brings New Cybersecurity Pledges: The NATO summit held in Lithuania saw a number of allies agree to a new set of cybersecurity pledges. The official word is a restatement of the alliance’s Strategic Concept of 2022 that integrates “NATO’s three cyber defense levels- political, military, and technical.” This will hopefully push allies to improve their cybersecurity posture and become more proactive and assertive in the face of state-sponsored cyber attacks.
A Potential New Law Would Allow GCHQ to Monitor UK Internet Logs to Detect Fraud: The Cyber and Signals Intelligence Agency in Britain could be allowed to monitor logs of live domestic internet activity to recognize fraudulent activity under a new law under consideration in the United Kingdom.
Green Light Given to EU/US Data Protection Framework: On July 10th, the European Commission adopted its adequacy decision for the long-discussed EU-US Data Privacy Framework (DPF), creating a pathway for European businesses to transfer personal data to participating US companies without additional transfer safeguards such as standard contractual clauses.
About Consortium Networks
Consortium Networks is a cybersecurity risk, technology, and networking organization on a joint mission to connect and educate the community. Consortium was founded to change the “game” and help our clients make sense of the spaghetti labyrinth they call cybersecurity. By mapping our clients’ controls to industry standards and risk, we help them reduce complexity and risk to their organization and people. The outcome: clients will quickly understand their gaps and realize the impacts of their investment decisions, strengthening their cyber hygiene, and ultimately, protecting the business.
Our Concierge way of working sets us apart and follows four timeless principles of customer service: attitude, consistency, service, and teamwork. We are devoted to helping others selflessly in both our work and personal communities.
Consortium Networks’ Penetration Testing Services are designed and deployed by an expert team of in-house security professionals utilizing cutting-edge techniques and tools to simulate real-world attack scenarios to assess the security posture of your organization’s networks, systems, and applications. By deploying controlled, authorized attempts to exploit weaknesses, Consortium Networks uncovers potential vulnerabilities and delivers accurate and actionable results, enabling you to strengthen your defenses proactively.
Cyber Risk Assessments
The expert team of cybersecurity professionals at Consortium helps you identify and prioritize where to direct your limited capacity by conducting a comprehensive cybersecurity assessment. We leverage industry standards and accepted frameworks along with a cyber risk quantification platform to obtain an objective view of your current cyber risk backed by empirical data.
Request for Proposals (RFP) and Procurement Advisory
Using Consortium’s in-house expertise with vendor selection, RFP drafting, and submission review along with our knowledge of the unique aspects of your business and cybersecurity environment, Consortium will review your RFP to ensure it sets a solid foundation for your relationship with the technology providers you ultimately select. We help you avoid frustrating and costly amendments by making sure your organization has appropriately scoped your RFP from the start.
Cybersecurity Policy Library Development
The expert team at Consortium helps you implement a concise policy library based on industry best practices and recognized standards, specifically the NIST Cybersecurity Framework and NIST SP 800-53 Rev. 5. The Cybersecurity Policy Library document enables you to forge a consistent strategy for correlating the needs of your business to the ongoing process of cyber risk management.
Cybersecurity Incident Response Preparedness
The Consortium CSIRT program provides you with an expert evaluation of your current incident response (IR) capabilities to identify strengths and areas for improvement and provides practical recommendations and supporting documentation for the development and formalization of your CSIRT program.