{"id":27871,"date":"2022-09-02T15:27:58","date_gmt":"2022-09-02T19:27:58","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=501059"},"modified":"2022-09-06T12:00:29","modified_gmt":"2022-09-06T16:00:29","slug":"cyber-security-today-week-in-review-for-friday-september-2-2022","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-week-in-review-for-friday-september-2-2022\/","title":{"rendered":"Cyber Security Today, Week in Review for Friday, September 2, 2022"},"content":{"rendered":"<p data-ar-index=\"0\">Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, September 2nd. I\u2019m Howard Solomon, contributing reporter on cybersecurity for <em>ITWorldCanada.com.<\/em><\/p>\n<p data-ar-index=\"3\">In a few minutes I\u2019ll be joined by Terry Cutler, head of Montreal\u2019s <a href=\"https:\/\/www.cyologylabs.com\/?r_done=1\" rel=\"noopener\">Cyology Labs<\/a>, to talk about some of the news from the past seven days. First, here\u2019s a roundup:<\/p>\n<p data-ar-index=\"4\">More information is coming out about the impact of the successful text-based phishing attack against messaging provider Twilio. <a href=\"https:\/\/www.itworldcanada.com\/article\/twilio-attack-shows-weaknesses-in-multifactor-authentication-systems\/500449\" rel=\"noopener\">Last week identity security provider Okta said<\/a> the hackers stole some SMS text-based one-time passwords of customers, and we learned hackers also compromised the Authy multifactor setup accounts of some users. 
Terry and I will look at the widespread impact of this attack.<\/p>\n<p data-ar-index=\"5\">We\u2019ll also examine <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-august-31-2022-another-email-job-scam-and-how-to-celebrate-international-women-in-cyber-day\/500703\" rel=\"noopener\">how a university student fell for an email job offer scam.<\/a><\/p>\n<p data-ar-index=\"6\">And <a href=\"https:\/\/www.itworldcanada.com\/article\/international-women-in-cyber-day-advice-just-say-yes\/500901\" rel=\"noopener\">because yesterday was International Women in Cyber Day<\/a>, Terry will have thoughts on encouraging more women to enter the profession.<\/p>\n<p data-ar-index=\"7\">Also this week, we learned attackers are finding new ways to leverage the Log4j2 vulnerability. <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/08\/25\/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations\/\" rel=\"noopener\">Microsoft warned<\/a> that a hacking group has found and is trying to exploit vulnerabilities in unpatched service and help desk software made by an Israeli company called SysAid. According to experts at the SANS Institute, the group behind this, suspected of being linked to Iran, has been known to target VMware instances for this vulnerability. IT departments that use SysAid should have installed the patch to fix the Log4j2 vulnerability long ago.<\/p>\n<p data-ar-index=\"8\">In ransomware news, <a href=\"https:\/\/therecord.media\/migration-policy-org-confirms-cyberattack-after-extortion-group-touts-theft\/\" rel=\"noopener\">the Karakurt gang is taking credit<\/a> for an attack on the International Centre for Migration Policy Development, a humanitarian group. The agency acknowledges the attackers got \u201climited access\u201d to its servers. 
Karakurt says it copied personal information, financial documents and banking information.<\/p>\n<p data-ar-index=\"9\">Also hit by ransomware was an unnamed government service provided by the government of Chile. <a href=\"https:\/\/www.csirt.gob.cl\/eng\/\" rel=\"noopener\">The country\u2019s computer emergency response team said<\/a> the ransomware hit Microsoft and VMware ESXi servers in the institution.<\/p>\n<p data-ar-index=\"10\">And the Balkan country of <a href=\"https:\/\/www.reuters.com\/world\/europe\/montenegro-blames-criminal-gang-cyber-attacks-government-2022-08-31\/\" rel=\"noopener\">Montenegro says<\/a> 150 workstations in 10 government departments were infected with the Cuba strain of ransomware.<\/p>\n<p data-ar-index=\"11\"><strong>Finally,<\/strong> <a href=\"https:\/\/statescoop.com\/lexington-kentucky-4-million-housing-funds-bec\/\" rel=\"noopener\">the city of Lexington, Kentucky admitted<\/a> it was tricked into sending US$4 million in federal housing assistance funds to a crook\u2019s bank account in an email fraud scheme. A crook sent an email to the city pretending to be from a local housing group. It asked that funds be sent to a bank account different from the usual one the housing group uses for receiving housing funds. A municipal employee complied.<\/p>\n<p data-ar-index=\"12\"><em>(The following transcript has been edited for clarity)<\/em><\/p>\n<p data-ar-index=\"13\"><strong>Howard:<\/strong> Joining us now from Montreal is Terry Cutler. Let\u2019s start with International Women in Cyber Day, which was September 1st. However, because that can be a civic holiday in a number of countries it\u2019s being formally celebrated in events throughout the month. IT in general is heavily populated by men, and cybersecurity even more so. 
How do managers encourage more young women to enter the profession?<\/p>\n<p data-ar-index=\"14\"><strong>Terry:<\/strong> I got to experience some of that when I was a judge for the <a href=\"https:\/\/www.itworldcanada.com\/canadas-top-women-in-cyber-security\" rel=\"noopener\">Top Women in Cybersecurity<\/a> for <em>IT World Canada<\/em> in 2020. A lot of nominations came but there was always a question in my mind: why aren\u2019t there enough women in this field? I reached out to a bunch of them to get their take and the common theme was there\u2019s some bullying that goes on, they often don\u2019t get invited to meetings, there are a lot of haters. But in my experience when working with them on projects they\u2019re great multitaskers. They\u2019re great investigators. They pay attention to detail. I\u2019ll give you an example: I did a penetration test on a company and brought in two other experts, one of whom was a female. They have a different way of thinking than men. We were trying to troubleshoot one way to break in and she said we should do it this way. Sure enough, it worked. Sometimes men overthink. I think the message here for the guys is to give women a chance to shine.<\/p>\n<p data-ar-index=\"15\">One tip I can give to the women from being a judge on that panel is that it was really hard for me to find out online what they were doing. They weren\u2019t putting out a lot of content as blog or video authors. So one thing I suggest is they should put out more content about how to protect a business. 
That\u2019s going to grow your brand and propel you to the top of the list very quickly.<\/p>\n<p data-ar-index=\"16\"><strong>Howard:<\/strong> I spoke to a number of women for <a href=\"https:\/\/www.itworldcanada.com\/article\/international-women-in-cyber-day-advice-just-say-yes\/500901\" rel=\"noopener\">an article on IT World Canada this week on women in cybersecurity and their careers,<\/a> and a number of them spoke about how important it is in staff meetings to speak up. They also said when the opportunity comes to take new jobs or a task or be promoted to say yes.<\/p>\n<p data-ar-index=\"17\"><strong>Terry:<\/strong> There are women that are running departments at very large companies like telecoms that handle $100 million portfolios. These positions exist, so women shouldn\u2019t be afraid to step up and speak up.<\/p>\n<p data-ar-index=\"18\"><strong>Howard:<\/strong> We talk a lot about a cyber security shortage of talent \u2014 there are thousands of jobs open in security departments across Canada and the United States. IT leaders, security officers are looking for talent. They can recruit from within. They can find women who are, for example, working for IT support, and customer support. They have some IT knowledge, they can be pulled into the cyber security department and with a bit of training they can be valuable staff.<\/p>\n<p data-ar-index=\"19\"><strong>Terry:<\/strong> Absolutely. And that\u2019s the key \u2014 they have a bit of an IT background. Usually when women go into the workforce cybersecurity or IT is not exactly their number one choice. They\u2019ve got to be techies at heart. They can\u2019t just be forced into this industry. 
They\u2019re not going to like it, but those that already love the tech side and have some IT knowledge and background to start off are in a really good position to move up very quickly.<\/p>\n<p data-ar-index=\"20\"><strong>Howard:<\/strong> Would it help if public schools exposed women \u2014 and men \u2014 to IT topics such as application coding early in school? In Ontario they just announced they\u2019re going to start teaching kids in grade one how to code. Will that help not only get more women in IT but also a more diverse workforce?<\/p>\n<p data-ar-index=\"21\"><strong>Terry:<\/strong> Absolutely. The longer the younger folks can learn about tech and coding the better it is. And if you understand English, French and coding you are in a really great spot. But coding and tech don\u2019t interest everyone. The issue I\u2019m seeing also in university is the curriculum isn\u2019t always up to date. My experience when I hired an intern was she\u2019d spent three years learning [IT] from PowerPoint. I had to lose about a month getting ramped up. Schools need to be more organized, partner up with cyber security experts to keep the content refreshed and current.<\/p>\n<p data-ar-index=\"22\"><strong>Howard:<\/strong> Here\u2019s something interesting: For that article I interviewed a woman who is a cybersecurity professor at the University of Phoenix who also has a full-time job as a consultant for a cyber security company. The reason is that university has a rule that all faculty have to have jobs in their related field as well as teach. They can\u2019t be full-time faculty members. That\u2019s supposed to allow professors to pull in real-world work they do into their teachings so their courses are up to date.<\/p>\n<p data-ar-index=\"23\"><strong>Terry:<\/strong> That\u2019s really, really great. The problem is some senior cybersecurity folks don\u2019t always have the time to teach as well. 
That\u2019s why the future, I think, is going to be online teaching, where we can send in pre-recorded content students can watch, and maybe ask questions on a live Zoom.<\/p>\n<p data-ar-index=\"24\"><strong>Howard:<\/strong> Item 2: More news about the impact of the phishing attack discovered at the beginning of August on Twilio. For those who don\u2019t know, many companies use Twilio\u2019s communications platform in their messaging. This was a supply chain attack. It hit one company to get the tools to get into many others. The attacks started with the hackers sending text-based messages to Twilio employees asking them to either confirm their login credentials or allow a change in their calendar, and they had to click on a link to log in. They had to include their two-factor authentication codes. The attackers then got a hold of the employee\u2019s credentials and that led to getting hold of the credentials of users of the Okta identity service to hack into more companies, such as DoorDash, DigitalOcean and Signal. By one security firm\u2019s estimate, the threat actor behind this stole over 9,000 user credentials from 136 companies in countries all over the world. Most companies hit were IT software development and cloud services. Not only were SMS two-factor authentication codes stolen, the hackers also compromised the accounts of some people who use Twilio\u2019s Authy multifactor authentication app. Note in this case it wasn\u2019t the app that was compromised but users\u2019 accounts. The hackers added smartphones to victims\u2019 accounts so the extra multifactor authentication code went to their phones and not the victims\u2019, and then attackers could use that combination of codes and credentials to log in.<\/p>\n<p data-ar-index=\"25\"><strong>Terry:<\/strong> It goes to show that [text-based] two-factor authentication isn\u2019t as foolproof as we thought. We\u2019ve known for years that it\u2019s vulnerable, but it\u2019s better than nothing. 
Over the years we\u2019re finding hackers are getting much more resourceful and try to find out as much as possible about the target before launching an attack. We know the first phase of any cyber attack is the recon phase, or the footprinting. They want to build their battle map of how they\u2019re going to attack companies, so they want to know everything \u2014 what the company specializes in, where it\u2019s based, how many employees they have, their ISP, who the vendors are \u2014 that\u2019s how they\u2019re able to successfully send in these types of phishing attacks. There\u2019s been some new methods now of bypassing two-factor authentication. Threat actors register a domain that\u2019s going to look like yours and create a phishing lure with a link where you don\u2019t only have to type in your two-step verification right away \u2014 like what happened here. It was pretty obvious [it was a scam]: That should have been a flag \u2014 why am I asked for my two-step verification upfront? But the [fake] login page looks completely legit. So as you type in your password it\u2019s then going to prompt you on your phone for the two-step verification. Then they get a copy of the token, replay it and log in as you. Then the threat actor can disable two-step verification and change the password and take over the account.<\/p>\n<p data-ar-index=\"26\"><strong>Howard:<\/strong> This incident again shows the weakness of SMS text-based messaging for two-factor authentication. We\u2019ve said before text-based two-factor authentication is better than none. But even better is the mobile app-based system such as Google Authenticator or Authy or Cisco Systems\u2019 Duo where it\u2019s harder to intercept the code. But this particular scam showed \u2014 as I think we\u2019ve discussed before \u2014 the way to get around a strong multifactor authentication is to compromise the account of the user. 
So the attacker adds an extra phone unknown to the victim and then the codes go to that phone, so the threat actor has bypassed protection.<\/p>\n<p data-ar-index=\"27\"><strong>Terry:<\/strong> That\u2019s why SMS is one of the most non-secure messaging systems out there. The goal is to move away from that and stick with authenticator apps.<\/p>\n<p data-ar-index=\"28\"><strong>Howard:<\/strong> Item 3: A university student was victimized by a sophisticated fake job offer scam. The hacker noticed that this person had a profile with an IT background on the AngelList social media site, found the victim\u2019s email address and sent them a fake job offer from well-known cybersecurity firm Splunk. The victim was asked to do a Skype interview with a supposed HR person. They got a job offer, and then did an online interview with the supposed CIO. And here\u2019s where the scam cost the victim: The CIO said they would pay for the victim to get new computer gear for their home office if the victim registered their credit card with their company account so that they\u2019d be reimbursed. The victim had to buy the computer gear at an Apple store, ship it to an address where supposedly Splunk would install security software and then it would ship the gear back to the victim. Well, that computer gear went to the fraudster as well as the victim\u2019s credit card. This is another example of how crooks take advantage of the fact that today lots of job interviews are done online, especially because of the pandemic.<\/p>\n<p data-ar-index=\"29\"><strong>Terry:<\/strong> This is a really crazy one. We dealt with a scam similar to this in 2020. A large retailer was mass hiring for their warehouses and the scammers duplicated their job application system. Next thing you know applicants were applying to the wrong website. The threat actor said, \u2018You qualify, but you need to buy some equipment from a certain site and we\u2019ll reimburse you for it.\u2019 
They even sent fake quotes from the retailer. It looked completely legit. But they were buying the gear for the scammers.<\/p>\n<p data-ar-index=\"30\"><strong>Howard:<\/strong> For one thing no legitimate company is going to say, \u2018We\u2019re going to reimburse you for your expenses, but the way this starts off is you give us your credit card.\u2019 That should be a tip-off. The other thing is the victim tried to verify that the people she was talking to were real. She looked up online the name of the HR person who she was going to have an interview with, and sure enough, Splunk had a real employee with that name. The problem is that doesn\u2019t guarantee that the person that she was talking to was that employee.<\/p>\n<p data-ar-index=\"31\"><strong>Terry:<\/strong> They\u2019re going to great lengths now to make sure the scam is as legit as possible. The key takeaway here is no one\u2019s going to ask you to purchase large amounts of gift cards or a large amount of equipment and then send it off to them. If you\u2019re really hired they will send you a laptop. So education\u2019s key.<\/p>\n<p data-ar-index=\"32\"><strong>Howard:<\/strong> What should online job hunters do to protect themselves from being scammed?<\/p>\n<p data-ar-index=\"33\"><strong>Terry:<\/strong> Companies need to find out if scammers are setting up fake accounts with their name. One tip is to set up Google alerts that trigger so whenever your firm\u2019s name is mentioned anywhere in Google you\u2019ll receive an email. If somebody creates a fake profile with your firm\u2019s name on it and it gets indexed Google will show you that alert and send you the link to where it is. I mentioned I think in a previous podcast where somebody created a fake profile with my name and photo and scammed a woman out of $60,000 in a romance scam. Unfortunately Google didn\u2019t index that fast enough. 
I found out later on that my profile was being used.<\/p>\n<p data-ar-index=\"34\"><strong>Howard:<\/strong> The last item we\u2019re going to look at is a highly-targeted phishing scam that was pulled off down under. Some group \u2014 likely a nation-state \u2014 emailed government officials in Australia as well as members of the media and certain companies pretending to be with a news site called Australian Morning News. In their emails the attackers pretended to be reporters doing research or they asked for advice on improving the news. Their emails included a link to the news site, which was a realistic-looking fake website called Australian Morning News that had stories copied from other news agencies. The goal of the scam was to get victims to click on the link in the email and go to that website, where their computers would be infected. Briefly, that\u2019s called a drive-by attack. Aside from being insulted that my profession is being abused this way, this scam shows a lot of work.<\/p>\n<p data-ar-index=\"35\"><strong>Terry:<\/strong> The scammer might have wanted to build a list of infected computers to be part of a botnet and commit crime. But what could also happen is they would run an exploit against the computer to find anything vulnerable in the user\u2019s browser to steal the passwords, maybe turn on the computer\u2019s camera or microphone or harvest as much information as possible. Maybe launch a ransomware attack. They say curiosity killed the cat. So victims say, \u2018Who is this news firm reaching out to me?\u2019 Of course they\u2019re going to click it, because there\u2019s no sense of urgency in the email.<\/p>\n<p data-ar-index=\"36\"><strong>Howard:<\/strong> The suspicion is that because many of the people targeted work for the government of Australia or they worked for defence contractors that this was an espionage scam. 
And the thing is reporters do email government and corporate officials they\u2019ve never met asking for comment if they want to contribute an article to their publication. So those getting these requests have got a tough choice: If you don\u2019t want to click on a link in an email from someone you\u2019ve never met what do you do? Google the name of the news publication to see if it\u2019s real. But in this case they would have found a link and they would have gone directly to the fake website. That\u2019s presumably the safe thing to do instead of clicking on a link in an email \u2014 but they get infected anyway. Any company can be scammed like this \u2014 and many are, by attackers that set up look-alike websites of real companies.<\/p>\n<p data-ar-index=\"37\"><strong>Terry:<\/strong> It\u2019s kind of like \u2018living-off-the-land\u2019 tactics, where hackers are using legit methods and tools against us. This happened to a buddy of mine who got scammed out of $445,000. He received an email that looked like it came from the director of marketing at his bank. They asked him to upgrade his profile, so he clicked on the link and ended up on \u2018bank.ru\u2019 \u2014 but the website looked identical to the banking website he used. He entered his client card numbers.<\/p>\n<p data-ar-index=\"38\"><strong>Howard:<\/strong> But in that case wasn\u2019t there a clue? The website\u2019s address was \u2018.ru\u2019.<\/p>\n<p data-ar-index=\"39\"><strong>Terry:<\/strong> The problem was he was not educated in internet safety. 
That\u2019s why I created the <a href=\"https:\/\/www.cyologylabs.com\/fraudster\" rel=\"noopener\">Fraudster education app.<\/a><\/p>\n<p data-ar-index=\"40\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-friday-september-2-2022\/501059\">Cyber Security Today, Week in Review for Friday, September 2, 2022<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode features a discussion on women in cybersecurity, multifactor authentication being bypasse<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[389],"class_list":["post-27871","post","type-post","status-publish","format-standard","hentry","category-podcasts","category-security","tag-cyber-security-today"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/27871","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=27871"}],"version-history":[{"count":3,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/27871\/revisions"}],"predecessor-version":[{"id":27972,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/27871\/revisions\/27972"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=27871"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?pos
t=27871"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=27871"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}