Cyber Security Headlines Week in Review: post-ransomware lawsuits, cybersecurity as a hindrance, ChatGPT imposters

This week’s Cyber Security Headlines – Week in Review, March 20-24, is hosted by David Spark with our guest, Kurt Sauer, VP, Information security, Workday

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at

Dutch shipping giant Royal Dirkzwager confirms Play ransomware attack

The maritime logistics company has confirmed that it was hit with ransomware from the Play group, the latest in a string of attacks targeting the shipping industry. The company’s CEO told The Record the ransomware attack did not have an effect on operations but did involve the theft of data from servers that held a range of contracts and personal information. Founded in 1872, Royal Dirkzwager provides information to more than 800 organizations in the maritime industry and registers more than 200,000 ship movements a year. Its systems allow ports to know when ships will arrive and what nautical services will be available when they make it to a port.

(The Record)

Cancer patient sues medical provider after ransomware group posts her photos online

The suit, against the Lehigh Valley Health Network, came after hackers posted nude photos of the cancer patient along with her health records, another sign that ransomware gangs are becoming more brazen in their efforts to convince victims to comply with extortion demands. The Lehigh Valley Health Network suffered the attack on Feb. 6, and publicly disclosed that it was the victim of a cyberattack in a Feb. 22 statement posted to the company’s site. The ransomware group demanded payment but the company refused to pay. The suit seeks class action status for all parties whose data was exposed, and monetary damages to be determined later.


MKS Instruments hit with lawsuit following ransomware attack

In a similar story, a former employee at MKS Instruments is leading a class action lawsuit following a ransomware attack against the semiconductor chipmaker in February, saying the company’s negligent cybersecurity led to the unauthorized and unnecessary breach of personal identifying information. On Feb. 13, MKS discovered it was the victim of a ransomware attack, which impacted business systems and delayed or disrupted the company’s ability to process orders, ship products, and provide other services, according to comments made by CEO John Lee in a Feb. 28 earnings call. According to a complaint filed March 3 in the Orange County Superior Court of California, “John Doe” is a former employee at MKS Instruments’ Irvine branch office. Doe and others provided personal and medical information to their employer, information that the company said may have been stolen and exfiltrated during the attack.


China led zero-days in 2022

Mandiant released a report on the use of zero-days in 2022. It found that the number of zero-days exploited decreased significantly on the year, down 32% from 2021 to 55. Financially motivated threat actors used 75% of all zero-days in the report. State-backed actors continue to use zero-days more frequently. China-affiliated actors exploited 7 zero-days in the year, while Russia- and North Korea-affiliated groups each used two. Of these zero-days, state-backed actors seemed focused on routers, firewalls, and other edge network devices.


Report finds businesses conflicted about cyber security’s role as a business enabler

A new report released by Trend Micro on Tuesday revealed that while nearly two-thirds (64%) of global organizations plan to increase cybersecurity budgets in 2023, business leaders hold conflicting views about the function. Over half (51%) of business decision makers (BDMs) claim cybersecurity is a necessary cost but not a revenue contributor, while a similar share (48%) argue that its value is limited to attack/threat prevention. Nearly two fifths (38%) even view security as a barrier rather than a business enabler. Nonetheless, 81% worry that a lack of cybersecurity credentials could impact their ability to win new business, with about a fifth (19%) admitting it already has.

(Dark Reading)

Thanks to today’s episode sponsor, Conveyor

Does the thought of answering another security questionnaire make you want to beat the stuffing out of 32 pinatas? Then you might want to check out Conveyor: the end-to-end trust platform helping infosec teams reduce incoming questionnaires and fly through the ones they do have to complete.
Give customers access to a self-serve trust portal to download docs and FAQs. For any remaining questionnaires that do come in, use our GPT-Questionnaire response tool or white-glove questionnaire completion service to knock them completely off your to-do list. 
Learn more at

More Clop victims come forward

The ransomware group Clop claimed it compromised 130 organizations earlier this year using a vulnerability in the GoAnywhere file transfer service. On its leak site, Clop has not yet named all victims. However, this week new victims came forward. The Canadian financing firm Investissement Quebec and Hitachi Energy both said a ransomware group obtained some employee information. Both pointed to security incidents at Fortra, which develops GoAnywhere, as the cause. Fortra did not answer media inquiries about other victims, but did release a patch for the vulnerability in February. Other victims that came forward include Community Health Systems, Hatch Bank, and the enterprise data management company Rubrik.


Pinduoduo app declared malware

Google flagged several apps from the Chinese e-commerce giant Pinduoduo as malware, suspending its official app in the Play Store. Google will also use its Google Play Protect feature on Android to block users from installing third-party APKs of these flagged apps and to warn users who already have them installed to remove them. Security researchers speaking to TechCrunch claim the app attempts to exploit several zero-days to compromise devices. A Pinduoduo spokesperson denied the “speculation and accusation” that its app was malicious.


Bogus ChatGPT extension steals Facebook cookies

Google has removed a ChatGPT extension from the Chrome store that steals Facebook session cookies – but not before more than 9,000 users had installed it. The malicious extension – Chat GPT For Google (note the erroneous space in the name of the chatbot) – is very similar in name and code to the real ChatGPT For Google extension. In fact, the phony extension is based on the same open source project used by the actual ChatGPT For Google tool – all the fraudsters had to do was add a few lines of cookie-stealing code. The cookie thieves push the fake add-on through malicious, sponsored Google Search results for “Chat GPT 4,” the researchers said, thus capitalizing on users who want to try out the latest version of the chatbot. 

(The Register)

UK government sets out vision for NHS cybersecurity

The UK government has published a new strategy designed to boost cyber-resilience in the health and social care sector by 2030 with the goal of helping the sector’s disparate organizations improve cyber-risk management, data protection and incident response and recovery. Although the details will not be ready until summer, the government shared the five pillars of the new strategy, designed to minimize cyber risk and improve incident response. They are:

• Identify where disruption will cause the greatest harm to patients, such as disruption to critical services

• Unite the sector to take advantage of scale, tap national resources and expertise, and accelerate response

• Ensure leaders are engaged, employees know the cyber basics and more security specialists are recruited

• Embed security into emerging technology to better protect it from cyber-threats

• Support every health and care organization to minimize the impact of incidents and recovery time

(InfoSecurity Magazine)