Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Rogers CEO apologizes for massive service outage, blames maintenance update
A massive network outage at Rogers Communications that shut down mobile and internet services across much of Canada on Friday was not a cyberattack, but was instead what Rogers president and CEO Tony Staffieri described as “a network system failure following a maintenance update in our core network, which caused some of our routers to malfunction.” With many businesses, government agencies and parts of the 911 emergency service rendered powerless during the 15-hour outage, experts are calling this a “learning opportunity for threat actors such as Russian state-sponsored hackers, who can now see how vulnerable Canadian industry, financial institutions and health-care systems are to an attack on a telecom provider.”
Medical debt collection firm says ransomware attack exposed info on 650+ healthcare orgs
In a statement issued late last week, Professional Finance Company said that during the February attack the Quantum ransomware group used the Bumblebee malware loader to gain access to databases that held names, addresses, accounts receivable balances, information regarding payments made to accounts, dates of birth, Social Security numbers, and health insurance data and medical treatment information. Its role as a debt collection firm means healthcare organizations provide the company with information on patients or customers who have not paid, making them an ideal target for hackers. PFC said it notified the 657 companies in May.
Government contractor pays $9 million over whistleblower allegations
Aerojet Rocketdyne, who is a rocket contractor for the likes of the DoD and NASA, has paid a $9 million settlement for misrepresenting its compliance with US government security requirements. Brian Markus, former senior director of cybersecurity at Aerojet, alleged the company lied about its cybersecurity policies to win more contracts, adding that the company experienced data breaches in 2014 and 2015. Markus filed the claim under the DoJ’s False Claims Act Civil Cyber Defense Initiative, launched in October last year. This was the first case in which a former employee attempted to bring action on a government’s behalf for alleged cybersecurity fraud. Under the False Claims Act’s whistleblower provisions, Markus will receive $2.1 million of the settlement.(Infosecurity Magazine)
FTC is cracking down on false claims of anonymizing data
On Tuesday, the FTC warned tech companies against making deceptive data-anonymization claims. The FTC is especially focused on companies collecting user location information and passing it off to third parties. Acting associate director for the commission’s privacy division, Kristin Cohen, said, “Significant research has shown that ‘anonymized’ data can often be re-identified, especially in the context of location data.” The FTC’s warning follows President Biden’s executive order which urges the FTC to protect the privacy of consumers’ seeking out reproductive health services. The FTC is prepared to sue offenders, which could result in a US court imposing civil penalties.
Thanks to our episode sponsor, Edgescan
Microsoft warns of massive phishing operation
The company warned of a massive series of phishing attacks targeting over 10,000 organizations since September 2021. These attacks use landing pages designed to spoof the Office online authentication page, stealing credentials and session cookies even for users using multifactor authentication. These are then used to access mailboxes for business email compromise attacks. Microsoft suggests organizations implement MFA with certificate-based authentication and FIDO 2.0 support to mitigate this scheme. It maintained that while some implementations of MFA are vulnerable to these phishing approaches, it should remain “an essential pillar in identity security.”
Callback phishing scams impersonate security companies
A new report from the legitimate cybersecurity company CrowdStrike detailed a callback phishing campaign with threat actors impersonating CrowdStrike. Over the past year, the actors would leave messages with companies claiming to be from the security vendors, asking them to call back to resolve a problem or cancel a subscription. Once an organization calls back, the attackers use social engineering to get them to install remote access software. In an update to the campaign, the attackers warn recipients of malicious network intruders compromising workstations, requiring an in-depth security audit that requires access to the device. From there the attackers walk through the employee installing a remote access trojan. CrowdStrike believes the ultimate intention is to launch ransomware on these organizations, and shows ties to the Quantum ransomware gang.
Endemic Log4j software flaw could take years to address, US government review finds
It could take a decade to fully eradicate Log4j from some computer systems, a Department of Homeland Security review board said Thursday. The review board, which the White House established last year to investigate major cybersecurity incidents, called on the government and the private sector to invest much more in securing the open-source software that underpins global IT infrastructure. But while there were reports of ransomware gangs and governments from China to Turkey exploiting the software vulnerability, the high-impact hacks that some analysts anticipated have yet to materialize, the DHS-backed panel wrote.