Cyber Security Today, Jan. 22, 2024 – LockBit ransomware gang hits the Subway fast food chain, and Data Privacy Week starts

The LockBit ransomware gang hit the Subway fast food chain, and this is the start of Data Privacy Week

Welcome to Cyber Security Today. It’s Monday, January 22nd, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

The LockBit ransomware gang says it compromised the Subway fast food chain. It’s threatening to leak hundreds of gigabytes of stolen data on February 2nd. According to the news site SecurtyAffairs.com, that data allegedly includes employee salaries, franchise royalty payments, master franchise commission payments, numbers on restaurant turnovers and more.

A data centre provider in Sweden called Tietoevry says one of its facilities was partially hit by a ransomware attack Friday night. Service to some customers has been affected.

A Russian state-sponsored group used a password spray attack last November to get into a Microsoft legacy non-production test account and then pivot to steal corporate emails. The attack, by a group Microsoft used to call Nobelium and now it calls Midnight Blizzard, was only detected earlier this month. The group used their initial access to get into the email accounts and stole attachments of a “very small percentage” of executives and employees in the cybersecurity, legal and other departments. Microsoft said the attack was not the result of a vulnerability in its products or services.

Last October VMware patched an out-of-bounds write vulnerability in its vCenter Server. However, researchers at Mandiant now say a Chinese-based threat group was exploiting that unknown hole for a year and a half before the patch was released. The discovery comes from Mandiant’s continued research into the group it calls UNC3886, which goes after VMware and Windows virtualized hosts. IT administrators with VMware systems that experienced unexplained crashes since 2021 should look for backdoors and signs of compromise — and, if they haven’t already done, so update to the latest version of vCenter.

The operator of the BreachForums marketplace for hacked and stolen data has been sentenced to 20 years of supervised release. Conor Brian Fitzpatrick received that sentence last week from a Virginia judge after pleading guilty to conspiracy to commit access device fraud, possession of child porn and other charges. According to Cyberscoop.com the 20-year-old will serve the first two years of the sentence as home confinement, won’t have access to a computer for a year and will have to register with state sex offender registries.

The maker of the MOVEit file transfer service hasn’t lost many customers despite the exploitation of a vulnerability last year that saw the personal information of over 90 million people stolen from over 2,000 firms using the application. Progress Software said last week customer retention levels remained steady in the second half of 2023. One cybersecurity analyst told Cybersecurity Dive customers may be sticking with the product because the vulnerability was a zero-day, so they don’t see the developer as negligent.

Finally, today starts Data Privacy Week, when IT, data privacy and organization leaders should think about their data collection and protection policies. They may want to consider a just-released study by Consumer Reports. It says Facebook is a great receiver of personal information from firms that collect individuals’ shopping information. These include big brands (like Amazon), retailers (like Home Depot, Walmart and Macy’s), data brokers and political service firms. This is how Facebook targets ads to its users. One finding: more than 2,000 companies had data on a group of over 2,000 volunteer Facebook users in the study group — but many of those people didn’t directly interact with all those firms. Is all this data collection and selling bad for your business’s reputation? The report says many consumers will be concerned about the extent to which their activity is tracked by Facebook and other companies. It suggests governments demand firms only collect data they need, and that governments improve the ability of consumers to opt out of data collection from several companies at once through automation.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.