This week’s Cyber Security Headlines – Week in Review, March 22-26, 2021, is hosted by Steve Prentice (@stevenprentice) with our guest, Will Lin (@williamlin), managing director & co-founder, ForgePoint Capital

Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.

REvil Ransomware gang demands $50 million from Acer

Taiwanese computer maker Acer, the sixth-largest personal computer maker in the world, suffered a ransomware attack over the past weekend at the hands of the REvil ransomware gang, which is now demanding a $50 million ransom payment to decrypt the company’s computers and not leak its data on the dark web. The attack has not disrupted production systems but only hit the company’s back-office network. The security breach was not deemed disruptive enough to prevent or delay the computer maker from announcing its Q4 2020 financial results on Wednesday. Acer has a market share of roughly 6% of all global sales. The company reported a total revenue of roughly $3 billion in Q4 2020, hence the record-breaking ransom demand.

(The Record)

Victoria University of Wellington accidentally wipes files on all its desktop PCs

Last Friday, IT staff at the Victoria University of Wellington in New Zealand started a maintenance procedure aimed at reclaiming space on the university network—in theory, by removing the profiles of students who no longer attend the university, but instead deleted all the files stored on all its desktop computers. While items in network drives, and the cloud were still accessible, some PhD students for example, had potentially lost a year’s worth of data because they had files stored in a program solely on their desktop computer. For many others, their entire computer had been reset, eliminating apps and presenting a completely “clean” profile that looked factory new.

(ArsTechnica)

Democrats prepare swarm of antitrust bills targeting Big Tech

They’re not preparing a big, hulking antitrust bill to rein in Big Tech. That would be an easy target to defeat. Instead, Democrats are preparing about 10 smaller, narrowly focused bills that should be ready in May. Rep. David Cicilline, who runs the House Judiciary Committee’s antitrust panel, told Axios that narrowly targeted bills have a better chance of gaining bipartisan support and that this approach makes it tougher for the likes of Amazon, Facebook, Apple and Google to quickly flex their lobbying muscles against reforms they don’t like. He’s also taking aim at Section 230 of the Communications Decency Act: also known as online companies’ key protection against liability from users’ posts.

(Axios)

GAO says it’s not entirely sure how safe the electric grid is

The U.S. Government Accountability Office—the GAO—says that the electricity grid’s  distribution systems are increasingly vulnerable to cyberattacks, but it doesn’t really know what the potential impact of an attack would be. In a new report, the GAO said that the Department of Energy—the DOE—hasn’t yet outlined what steps it would take to fully address risks to distribution systems, though it did update its plans following a 2019 GAO report on grid cyber-security issues. For one thing, DOE’s plans don’t address weaknesses in supply chains. Officials say that the DOE hasn’t tackled that question because it has instead prioritized risks to the grid’s generation and transmission systems. 

(Security Week)

Thanks to our episode sponsor, Trend Micro

Threat actors want what you’re storing in the cloud. Trend Micro’s Cloud One platform provides cloud security from a single console, keeping you at your most resilient. Let what happens in the cloud, stay in the cloud.

Disgruntled IT admin sent to prison for wiping Microsoft user accounts

Deepanshu Kher was sentenced to two years in prison for breaking into the network of a Carlsbad, California-based consulting firm that had hired him to help with a migration to a Microsoft Office 365 environment. The client was not pleased with Kher’s, which resulted in him being fired. Three months afterwards, in June 2018, the 32-year-old infiltrated the firm’s servers from outside of the US and deleted over 80% of employee Microsoft Office 365 accounts, with over 1,200 out of 1,500 wiped in total. Kher will face two years behind bars and three years of supervised release, and must also pay $567,084 in damages.

(ZDNet)

Ransomwared bank tells customers it lost their SSNs

Flagstar, a bank based in Michigan that was hacked in January of this year, has now revealed that customers, as well as people who never had an account with the bank, had their social security numbers and other personal information stolen. This is a correction to their initial statement in which they said only employees’ information had been stolen. One victim of the breach, said he has never been a Flagstar customer, but had taken a mortgage with a different bank who then sold it to Flagstar without his consent in 2019.

(Vice)

Privacy and security issues with Slack’s Connect DM rollout

Slack rolled out Connect DMs, letting any Slack user direct message another even if outside an organization. To send messages, users must send email invitations, once accepted the DMs appear in the Slack sidebar, though organizations retain control of their own messages in these conversations. Many users pointed out that Slack’s implementation suffered from a major privacy and security flaw, with users able to customize invitation emails with any text they like, which would be sent from a Slack originating email address, easily getting around existing blocked contacts. Slack said it is now disabling letting users customize invite emails.  

(The Verge)

(ZDNet)

Security engineer reports data leak, hears from police

Earlier this month, security engineer Rob Dyke discovered an exposed GitHub repository exposing passwords, API keys, and sensitive financial records which belonged to Apperta Foundation. Dyke subsequently reported the leak, which had been open since 2019, to the Foundation, who initially thanked him for the disclosure. However on March 9th, he received a notice from Apperta’s legal team, followed by an email by the Northumbria Police cyber investigator in relation to a report of “Computer Misuse.” Dyke had previously worked with Apperta and said he followed their established disclosure policies when reporting the leak. 

(Bleeping Computer)

Fake COVID credentials flourish on the dark web

Security Researchers at CheckPoint found faked COVID-19 negative test results and vaccine certifications for sale on dark web marketplaces, for around $25 and $250, respectively. Ads for these false credentials have increased 300% over the last three months. Researchers also found vaccine doses for sale on the illicit marketplaces, with doses from AstraZeneca, Sputnik, SINOPHARM and Johnson & Johnson ranging in price from $500 to $1000. 

(Security Affairs)