Author: rescue@crimefire.in

  • Labor plan to beef up government’s cyber powers faces Senate block – The Guardian

    A paper expanding on greater ability to intervene during hacks – especially on private companies – causes alarm among Coalition and Greens

    Labor could face Senate difficulties if it tries to dramatically expand the government’s powers to directly intervene in companies’ IT systems during cyber-attacks.
    Under existing laws – which were controversial when introduced by the former Coalition government – the Australian Signals Directorate has the ability to “step in” as a “last resort” in some emergency situations, but only for critical infrastructure assets.
    A discussion paper released by the government on Monday proposes expanding the definition of critical assets to include customer data and “systems”.
    That option would “ensure the powers afforded to government … extend to major data breaches such as those experienced by Medibank and Optus, not just operational disruptions”.
    But the Coalition and the Greens – which together hold more than half of the seats in the Senate – have expressed reservations about changes that could dramatically expand the reach of the “step in” powers.
    The shadow minister for cybersecurity, James Paterson, said the critical infrastructure laws and emergency step-in powers “were never intended to guard against data breaches but even more catastrophic attacks on our most systemically important businesses like telco companies and energy suppliers”.
    “It would be a significant departure from the philosophy of those laws and the government would need to make the case it was justified and that ASD had the resources required for what would be a major task,” he said.
    The Greens senator David Shoebridge, who is responsible for the party’s policy on digital rights, said the government had “not made a case to justify the expansion of these extraordinary takeover powers”.
    Shoebridge said the existing laws were designed for critical infrastructure “and can’t simply be copy-pasted to solve another problem”. He said the nation could not “keep relying on reactive measures and god-like takeover powers”.
    “Any powers must be strictly limited in scope and subject to close scrutiny and review, including full transparency in the way the powers are used to ensure people’s personal data is safe.”
    While the Labor government has not yet drafted a bill outlining specific changes, it has opened a public debate by declaring it is “having a big look” at cyber laws.
    The minister for home affairs and cybersecurity, Clare O’Neil, said the existing laws envisaged that in “limited circumstances it will sometimes be necessary for government to come in and assist an Australian company or organisation to help manage a cybersecurity incident”.
    “The problem today is that those powers are very, very narrowly defined,” O’Neil told reporters in Sydney.
    “The question Australians need to ask is when we look to 2030 and understand the growing, relentless, huge nature of the threat that we confront, do we want to equip government to be better able to support businesses and organisations when they are under that really serious cyber risk?”
    O’Neil said the government was also considering making it illegal to pay ransoms to hackers in a bid to “reduce the fruits of ransomware for cyber criminals” and signal that “we are not a soft target”.
    The discussion paper, written by the government’s expert advisory board, said the Optus and Medibank incidents had exposed “gaps” in Australia’s existing incident response functions.
    “It is clear that a package of regulatory reform is necessary,” wrote the former Telstra boss Andrew Penn, the former air force chief Mel Hupfeld and the cybersecurity expert Rachael Falk.
    Another option they suggested was a new cybersecurity act “drawing together cyber-specific legislative obligations and standards across industry and government”.
    The paper said business owners “often do not feel their cyber security obligations are clear or easy to follow” and clearer standards would “increase our national cyber resilience and keep Australians and their data safe”.
    Penn told the ABC’s 7.30 program the definition of critical infrastructure should remain under review because “the amount of things we’re doing online today has increased dramatically and that will only continue to increase in the future”.
    “The more we do things online, the more they do potentially become vulnerable to malicious cyber activity,” Penn said.
    Earlier, Anthony Albanese told a cybersecurity roundtable event that his government was concerned about increasingly prevalent “state-sponsored attacks” and other criminal acts seeking a profit, such as ransomware.
    “Clearly as it stands, government policies and regulations, business sector systems and measures and our general awareness and capacity as a nation are simply not at the level that we need them to be,” the prime minister said.
    “This is an ever-evolving threat and it will need adaptation from us and from business and government to make sure that we keep on top of this.”
    The government also announced it would appoint a new coordinator for cybersecurity, supported by a national office for cybersecurity within the Department of Home Affairs, “to ensure a centrally coordinated approach”.


  • CISA and Women in CyberSecurity Strengthen … – CISA

    WASHINGTON – Today, in recognition of International Women’s Day, the Cybersecurity and Infrastructure Security Agency (CISA) is pleased to announce the signing of a Memorandum of Understanding (MOU) with Women in CyberSecurity (WiCyS) in order to work even closer together to bridge the gender gap in cybersecurity.  
    The MOU outlines opportunities for the two organizations to formally partner on bringing awareness to the incredible careers in the industry and building a pipeline for the next generation of women in cybersecurity. WiCyS, a nonprofit organization dedicated to recruiting, retaining and advancing women in cybersecurity, shares a common interest with CISA to close the gender gap in technology and inspire the next generation of cybersecurity leaders.  
    “As a senior leader in cyber, one of my top priorities is to inspire more women and girls to see themselves in cyber and join this exciting and impactful field,” said CISA Director Jen Easterly. “I was thrilled last year to join WiCyS at their annual conference where I announced a call to action of achieving 50% women and underrepresented minorities in the cybersecurity field by 2030. Today as we celebrate International Women’s Day, I can’t think of a better way to celebrate than to formalize our partnership and shared mission to bring more women into cybersecurity.”  
    “We’re thrilled to be partnering with CISA to strengthen the community of women in cybersecurity and the greater cybersecurity workforce. Our collaboration will ensure that more women and other under-represented groups will have the tools and resources to jumpstart their career in cyber and be supported throughout their journey,” said Lynn Dohm, executive director of WiCyS. “CISA’s goals align perfectly with WiCyS’ mission to develop a stronger, more inclusive workforce, and we look forward to collaborating with CISA to recruit and retain more women in the field.” 
    One activity the organizations will first pursue is CISA’s participation in WiCyS’ mentorship program. This program matches professional women in cyber with those women new to the field to help them prepare for advancement at all levels of their cybersecurity career.  
    The cybersecurity workforce shortage is not only a concern within the U.S. government, but across the industry and across the nation. Watch Director Easterly’s remarks at the 2022 Women in CyberSecurity Annual Conference.
    About CISA 
    As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
    Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn and Instagram.


  • Protect yourself: Cyber security analyst warns of information … – MPR News

    A portion of what appears to be data hacked from the district was posted online in a nearly hour-long video by the ransomware group Medusa on Tuesday — it has since been removed. 
    “All signs point to the Medusa ransomware group, conducting what's called double extortion on the school district,” said Mark Keierleber, an investigative reporter at The 74.
    “They are downloading data, locking the district out of systems and threatening to release that data on the dark web if [Minneapolis school officials] don't pay what appears to be a million dollar ransom.”
    Minnesota’s third-largest district had also warned families, students and staff that private information hacked from its computer system had been posted online. A statement from a district spokesperson did not offer details about what kind of information was posted or where it was posted to. 
    What does that mean?
    Public schools often have sensitive data on families and students, including financial information, health and discipline records and other identifying material.
    The data in question, according to Brett Callow, a threat analyst for the cybersecurity firm Emsisoft, can be used by ransomware attackers for illegal means.
    “If their data has been compromised, there is a real risk it could be misused for the purposes of identity fraud, for extortion attempts against those individuals, or the ransomware gang could try to weaponize those individuals,” Callow said.
    “In other cases, people have been contacted by email or phone in some cases and the attackers have said, ‘We have all your personal information. We suggest you contact the organization and tell them that they need to pay us.’”
    The Minneapolis district said they have reported the incident to law enforcement and are working with IT specialists to review the data in order to contact impacted individuals.
    It’s also warning families not to respond to suspicious emails or phone calls and to report any threats or suspicious messages to the district by emailing: privacy@mpls.k12.mn.us
    A district spokesperson says its communications to families about the breach are transmitted in English, Spanish, Somali and Hmong. 
    District officials are advising students, staff and families to change all passwords for any online personal accounts that may have been accessed on MPS devices. They’re suggesting families reach out to credit reporting bureaus such as Equifax, Experian and TransUnion to freeze their minors’ credit accounts to prevent identity theft. 
    “The best recourse that parents and educators and students really have is to look at bolstering your own security,” Keierleber said. “Don’t reuse the same passwords, implement a password manager, two-factor authentication.” 
    Attacks like this one have become more common in recent years. Callow said close to 100 similar events have happened in school districts around the country every year since 2019.
    But it can be difficult for districts to deal with the threats. 
    “Cybersecurity spending isn't always a top priority for districts. They want to spend money on educating kids,” Callow said. “The ideal solution to my mind would be for the federal government to roll out a centrally managed solution that all schools could use because all schools need to do basically the same things.” 
    (This story has been updated to include a district spokesperson’s response to an MPR News question about which languages the district uses to communicate messages with families.)


  • TSA issues new cybersecurity requirements for airport and aircraft … – Transportation Security Administration

    WASHINGTON – Today, the Transportation Security Administration (TSA) issued a new cybersecurity amendment on an emergency basis to the security programs of certain TSA-regulated airport and aircraft operators, following similar measures announced in October 2022 for passenger and freight railroad carriers. This is part of the Department of Homeland Security’s efforts to increase the cybersecurity resilience of U.S. critical infrastructure and follows extensive collaboration with aviation partners. 
    “Protecting our nation’s transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cybersecurity risks and improve cyber resilience to support safe, secure and efficient travel,” said TSA Administrator David Pekoske. “This amendment to the aviation security programs extends similar performance-based requirements that currently apply to other transportation system critical infrastructure.”
    TSA is taking this emergency action because of persistent cybersecurity threats against U.S. critical infrastructure, including the aviation sector. The new emergency amendment requires that impacted TSA-regulated entities develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure. They must also proactively assess the effectiveness of these measures, which include the following actions:
    This is the latest in TSA’s efforts to require that critical transportation sector operators continue to enhance their ability to defend against cybersecurity threats. Previous requirements for TSA-regulated airport and aircraft operators included measures such as reporting significant cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), establishing a cybersecurity point of contact, developing and adopting a cybersecurity incident response plan and completing a cybersecurity vulnerability assessment.
    On Thursday March 2, the Biden-Harris Administration announced the National Cybersecurity Strategy to secure the full benefits of a safe and secure digital ecosystem for all Americans. With this amendment and other ongoing efforts, TSA will continue to work closely with the Department of Transportation, CISA and industry partners to strengthen the cybersecurity resilience of the nation’s critical infrastructure.


  • Cybercriminals are using ChatGPT to make their jobs easier too – Business Insider

    Whether it is writing essays or analyzing data, ChatGPT can be used to lighten a person’s workload. That goes for cybercriminals too.
    Sergey Shykevich, a lead ChatGPT researcher at cybersecurity company Checkpoint security, has already seen cybercriminals harness the AI’s power to create code that can be used in a ransomware attack.
    Shykevich’s team began studying the potential for AI to lend itself to cyber crimes in December 2021. Using the AI’s large language model, they created phishing emails and malicious code. As it became clear ChatGPT could be used for illegal purposes, Shykevich told Insider the team wanted to see whether or not their findings were “theoretical” or if they could find “the bad guys using it in the wild.”
    Because it’s hard to tell if a harmful email delivered to someone’s inbox was written with ChatGPT, his team turned to the dark web to see how the application was being utilized.
    On December 21, they found their first piece of evidence: cybercriminals were using the chatbot to create a Python script that could be used in a malware attack. The code had some errors, Shykevich said, but much of it was correct.
    “What is interesting is that these guys that posted it had never developed anything before,” he said.
    Shykevich said that ChatGPT and Codex, an OpenAI service that can write code for developers, will “allow less experienced people to be alleged developers.”
    Misuse of ChatGPT — which is now powering Bing’s new, already troubling chatbot — is worrying cybersecurity experts, who see the potential for chatbots to aid in phishing, malware, and hacking attacks.
    Justin Fier, director for Cyber Intelligence & Analytics at Darktrace, a cybersecurity company, told Insider when it comes to phishing attacks, the barrier to entry is already low, but ChatGPT could make it uncomplicated for people to efficiently create dozens of targeted scam emails — as long as they craft good prompts.
    “For phishing, it is all about volume — imagine 10,000 emails, highly targeted. And now instead of 100 positive clicks, I’ve got three or 4,000,” Fier said, referring to a hypothetical number of people who may click a phishing email, which is used to get users to give up personal information, such as banking passwords. “That’s huge, and it’s all about that target.”
    In early February, cybersecurity company Blackberry released a survey from 1,500 information technology experts, 74% of whom said they were worried about ChatGPT aiding in cybercrime.
    The survey also found that 71% believed ChatGPT may already be in use by nation-states to attack other countries through hacking and phishing attempts.
    “It’s been well documented that people with malicious intent are testing the waters but, over the course of this year, we expect to see hackers get a much better handle on how to use ChatGPT successfully for nefarious purposes,” Shishir Singh, Chief Technology Officer of Cybersecurity at BlackBerry, wrote in a press release.
    Singh told Insider these fears stem from the rapid advancement of AI in the past year. Experts have said that advancements in large language models — which are now more adept at mimicking human speech — have proceeded quicker than expected.
    Singh described the rapid innovations as something out of a “science fiction movie.”
    “Whatever we have seen in the last 9 to 10 months we’ve only seen in Hollywood,” Singh said.
    As cybercriminals begin to add things like ChatGPT to their toolkit, experts like former federal prosecutor Edward McAndrew are wondering whether companies would bear some responsibility for these crimes.
    For example, McAndrew, who worked with the Department of Justice investigating cybercrime, pointed out that if ChatGPT, or a chatbot like it, counseled someone into committing a cybercrime, it could be a liability for companies facilitating these chatbots.
    In dealing with unlawful or criminal content on their sites from third-party users, most tech companies cite Section 230 of the Communications Decency Act of 1996. The act states that providers of sites that allow people to post content — like Facebook or Twitter — are not responsible for speech on their platforms.
    However, because the speech is coming from the chatbot itself, McAndrew said the law may not shield OpenAI from civil suits or prosecution — although open source versions could make it more difficult to tie cyber crimes back to OpenAI.
    The scope of legal protections for tech companies under Section 230 is also being challenged this week before the Supreme Court by a family of a woman slain by ISIS terrorists in 2015. The family argues that Google should be held liable for its algorithm promoting extremist videos.
    McAndrew also said ChatGPT could also provide a “treasure trove of information” for those tasked with gathering evidence for such crimes if they were able to subpoena companies like OpenAI.
    “Those are really interesting questions that are years off,” McAndrew said, “but as we see it has been true since the dawn of the internet, criminals are among the earliest of adopters. And we’re seeing that again, with a lot of the AI tools.”
    In the face of these questions, McAndrew said he sees a policy debate on how the US — and the world in general — will set parameters for AI and tech companies.
    In the Blackberry survey, 95% of IT respondents said governments should be responsible for creating and implementing regulations.
    McAndrew said the task of regulating it can be challenging, as there isn’t one agency or level of government exclusively charged with creating mandates for the AI industry, and that the issue of AI tech goes beyond the US borders.
    “We’re going to have to have international coalitions and international norms around cyber behavior, and I expect that will take decades to develop if we’re ever able to develop it.”
    One thing about ChatGPT that could make cybercrime more difficult is that it is known for being confidently erroneous — which could pose a problem for a cybercriminal trying to draft an email meant to mimic someone else, experts told Insider. In the code that Shykevich and his colleagues discovered on the dark web, the errors needed corrections before it would be able to aid in a scam.
    In addition, ChatGPT continues to implement guardrails to deter illegal activity, although these guardrails can often be sidestepped with the right script. Shykevich pointed out some cybercriminals are now leaning into ChatGPT’s API models — open-source versions of the application that do not have the same content restrictions as the web user interface.
    Shykevich also said that at this point, ChatGPT cannot aid in creating sophisticated malware or creating fake websites that appear, for example, to be a prominent bank’s website.
    However, this could one day be a reality as the AI arms race created by tech giants could hasten the development of better chatbots, Shykevich told Insider.
    “I’m more concerned about the future and it seems now that the future is not in 4-5 years but more in like in a year or two,” Shykevich said.
    Open AI did not immediately respond to Insider’s request for comment.


  • Fill the cybersecurity talent gap with inquisitive job candidates – Help Net Security

    The impact of the Great Resignation and the Great Reshuffle is still strongly felt across many industries, including cybersecurity. There is a talent gap: Companies are struggling to hire enough talent to fulfill their needs and goals.
    According to a McKinsey Global Survey, nearly nine out of 10 executives and managers say their organizations face a skills gap or expect one to develop by 2024. This means the talent they do have may not possess the necessary skills to excel in their roles.
    However, another impact of these trends is that people who are resigning are also looking to change careers and industries entirely. This is a shift that can help organizations minimize the talent and skills gap by looking at a new crop of job candidates who are searching for a different purpose. This is especially true for the cybersecurity field. As we’ve learned over the past couple of years, a cyber degree or typical cyber background isn’t a requirement to be a successful security professional. What arguably matters more are the characteristics or “soft skills” that an employee exhibits.
    While I have a background in environmental science, I now lead the Cyber Protection Solutions team at Raytheon Intelligence & Space. Due to my own unconventional route into the field, I have seen firsthand the value of recruiting people with different skills and character traits that are transferable to a cyber role. As more people with unconventional backgrounds look to enter a new field, we can take advantage by identifying a few key traits that might make such candidates crucial to the cybersecurity industry.
    Tenacity is a mix of traits including perseverance and grit – all of which can set a job candidate apart. When beginning a career in cybersecurity, with or without a degree or previous experience in the field, there are many learning opportunities, but also multiple learning curves. Tenacity is an important skill to push through these curves, while also being able to absorb new knowledge and apply it for future success.
    Additionally, the threats cybersecurity teams face evolve continuously, which require them to pivot often and quickly look for the best solutions. Tenacity plays a key role in making sure that these pivots and solutions are impactful. As hiring teams look at new potential talent from a broader talent pool, identifying those who are tenacious is a great indicator of their potential success – especially for those with non-cyber backgrounds.
    Curiosity is also critical when entering the cybersecurity field. Especially for those coming from an atypical background, curiosity can lead to the discovery of solutions that may have otherwise been overlooked. It can help them figure out how hackers think and behave, and influence proactive defense strategies after being able to step into their shoes.
    Curious minds can further lead to the discovery of additional interests within the many facets of the field, making those individuals more well-rounded cybersecurity professionals. As hiring managers look to fill cybersecurity roles, identifying curious candidates can be just as – if not more – beneficial than looking for someone who has “typical” cybersecurity qualifications.
    Another important quality hiring teams can look for in potential cybersecurity candidates is a strong willingness to learn. This encompasses both tenacity and curiosity: Those who are determined and interested in discovering new information are consistently willing and ready to face new challenges. Cybersecurity can be complex and multifaceted, and those who can be patient and take the time to learn the breadth and depth of the field can be successful in unique ways.
    Cyber threats, and the defense strategies used to combat them, are always evolving. Those who have a willingness to learn will be more adept at keeping up with these changes and learning how to adapt them into current processes. Many technical skills can be taught, but a willingness to learn comes naturally. Of course, it is the combination of these traits that widens the talent pool.
    As organizations continue to feel the impact of the Great Resignation and the Great Reshuffling, they will face talent and skills gaps that can impact all facets of the business. When looking to hire new employees, the cybersecurity industry would be remiss not to consider talent from varying and unique backgrounds. It won’t be easy, and training will be necessary, but with the proper supportive environment, a diverse set of skills will help you build a stronger cybersecurity team.


  • Soaring levels of cyber crime and fraud prompt SBRC rebrand – Insider.co.uk

    Cyber crime has risen 92% in past two years, while fraud cases are also becoming much more regular
    Scotland’s business resilience organisation has changed its name to reflect a rising national threat from cyber crime and fraud.
    The Scottish Business Resilience Centre (SBRC), the not-for-profit dedicated to helping educate and support Scottish organisations to avoid the fallout from cyber crime, will now be known as the Cyber and Fraud Centre – Scotland, as it extends its focus to also include financial fraud.
    The new brand comes as cyber attacks and fraud are on the rise: latest figures from Police Scotland show the number of cyber crimes in 2021-22 was nearly double that of 2019-20, and fraud has increased 86% this decade.
    Paul Atkinson, chair of Cyber and Fraud Centre – Scotland, noted: “Over half of reported crime is related to fraud or cyber, but they’re both hugely underreported – so it’s likely they pose an even greater threat than the numbers indicate.
    “As a nation, we are handling support for cyber crime victims well, but victim support around financial fraud is severely lacking.
    “We need to examine how to collectively prevent and protect from this type of fraud, and the Cyber and Fraud Centre – Scotland team is well equipped to lead the conversation around this.”
    The centre's chief executive Jude McCorry said: “Financial fraud – including cyber crime – is set to be reclassified as a threat to national security, which will see it treated as seriously as terrorism and civil emergencies.
    “We’ve seen a huge increase in this type of crime over the past year, and a lot of victims don’t get the support they need, which is why we’ve added fraud to our organisation’s purpose.
    “Cyber crime such as cyber attacks and financial fraud often cause businesses to pause operations; ransomware attacks prevent them from accessing their systems and financial fraud could render them unable to pay wages and suppliers.
    “This can be devastating for small businesses and charities in particular, who may end up ceasing operations entirely.”
    She continued: “We’ve renamed ourselves Cyber and Fraud Centre – Scotland in recognition of our enhanced focus on empowering and educating organisations across the country on the risks caused by cyber crime and fraud.
    “The name also clarifies what we do and means we are holding ourselves accountable and committed to tackling cyber crime and fraud to make Scotland a safer place to do business.”
    Cyber and Fraud Centre – Scotland will continue its working relationships with partner organisations including the Scottish Government and Police Scotland, to ensure its members can access training programmes and industry experts as needed.


  • DNA Diagnostic Center fined $400,000 for 2021 data breach – CSO Online

    By Apurva Venkat, Principal Correspondent, CSO
    DNA Diagnostics Center, a DNA testing company, will pay a penalty of $400,000 to the attorneys general of Pennsylvania and Ohio for a data breach in 2021 that affected 2.1 million individuals nationwide, according to a settlement deal with the states’ attorneys general. 
    The company will also be required to implement improvements to its data security, including updating the asset inventory of its entire network and disabling or removing any assets identified that are not necessary for any legitimate business purpose.
    Founded in 1995, DNA Diagnostic Center is a private DNA-testing company that offers diagnostic and genetic tests to help answer relationship, fertility, and health and wellness questions. 
    DNA Diagnostics Center’s hacking incident involved legacy data from Orchid Cellmark, which the company had acquired in 2012 to expand its business portfolio. “Specifically, the breach involved databases that were not used for any business purpose, but were provided to DNA Diagnostic Center as part of a 2012 acquisition of Orchid Cellmark,” the settlement agreement said. 
    DNA Diagnostic Center claimed that the breach impacted databases containing sensitive personal information, and that the data was accidentally transferred to the company without its knowledge. “DDC asserts it was not aware that these legacy databases existed in its systems at the time of the Breach — more than nine years after the acquisition,” the settlement agreement noted. 
    “Negligence is not an excuse for letting consumer data get stolen,” Ohio Attorney General Dave Yost said in a statement. 
    The stolen data was collected between 2004 and 2012. The joint investigation by Ohio and Pennsylvania found DNA Diagnostics Center made unfair and deceptive statements about its cybersecurity and failed to employ reasonable measures to detect and prevent a data breach, exposing its consumers to harm. 
    The breach exposed the Social Security numbers and other personal data of about 33,300 consumers in Ohio, and about 12,600 in Pennsylvania. DNA Diagnostics Center will pay a $200,000 HIPAA fine to Ohio and a $200,000 HIPAA penalty to Pennsylvania.
    DNA Diagnostic Center was alerted of suspicious activity by its third-party data breach monitoring vendor but the alerts were overlooked by the company. “The contractor repeatedly attempted to notify DNA Diagnostics through email, but company employees overlooked the emails for over two months,” the settlement agreement said.
    During this time period, the attackers installed Cobalt Strike malware in the company’s network and extracted data. 
    Investigations revealed that the threat actor logged into a virtual private network on May 24, 2021 using a DNA Diagnostic Center user account and harvested active directory credentials from a domain controller that provided password information for each account in the network. 
    The settlement agreement also noted that when the threat actor initially accessed the VPN, DNA Diagnostic Center had migrated to a different VPN and no users should have been using the VPN the threat actor used for remote access. 
    On June 16, 2021, the threat actor used a test account that had administrator privileges to create a persistence mechanism that executed Cobalt Strike throughout the environment.
    Between July 7, 2021, and July 28, 2021, the threat actor accessed five servers and collectively backed up a total of 28 databases from the servers using a decommissioned server. 
    In September 2021, the threat actor contacted the company and demanded payment. The company made the payment to the hacker in exchange for the deletion of stolen data, the settlement agreement noted. 
    The settlement requires DNA Diagnostics Center to maintain reasonable security policies designed to protect consumer personal information. It also requires the lab to designate an employee to coordinate and supervise its information security program. 
    The DNA testing company will also have to conduct security risk assessments of its networks that store personal information annually, maintain an updated asset inventory of the entire network and disable or remove any assets identified that are not necessary for any legitimate business purpose. 
    The company will have to design and implement reasonable security measures for the protection and storing of personal information, including timely software updates, penetration-testing of its networks, and implementation of reasonable access controls such as multi-factor authentication, and detect and respond to suspicious network activity within its network within reasonable means, the settlement statement added. 
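    The remediation terms above (keep an inventory of every asset, disable what has no business purpose, detect suspicious activity) map onto a simple log cross-check against that inventory, which would have flagged the decommissioned VPN and the admin-privileged test account described in the timeline. The following is an added example, not code from CSO Online, DDC or the settlement; the hostnames, account names, IP addresses, inventory and log format are all constructed for illustration.

```python
"""Added example: cross-check authentication and backup logs against an asset
inventory. Every host, account, IP address and log line here is constructed;
the log format "<ts> <host> <event> key=value ..." is an assumption."""
from dataclasses import dataclass
import re
from typing import Dict, List, Optional, Tuple

# Constructed inventory. A "decommissioned" asset should accept no logins at all;
# the breach timeline describes a VPN that was still reachable after migration.
INVENTORY: Dict[str, Dict[str, str]] = {
    "vpn-legacy-01": {"type": "vpn", "status": "decommissioned"},
    "vpn-new-01": {"type": "vpn", "status": "active"},
    "dc-01": {"type": "domain_controller", "status": "active"},
    "bk-old-03": {"type": "server", "status": "decommissioned"},
}

# Hypothetical accounts that must never perform remote or interactive logons.
RESTRICTED_ACCOUNTS: Dict[str, str] = {
    "svc-test-admin": "test account holding administrator privileges",
}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s+(?P<kv>.*)$")

# Constructed sample log lines, loosely following the timeline in the article.
SAMPLE_LOGS = """\
2021-05-24T03:12:07Z vpn-legacy-01 vpn_login user=jdoe src=203.0.113.45 result=success
2021-05-24T08:15:22Z vpn-new-01 vpn_login user=asmith src=198.51.100.7 result=success
2021-06-16T22:41:09Z dc-01 logon user=svc-test-admin type=remote result=success
2021-07-07T01:05:44Z bk-old-03 db_backup user=svc-test-admin db=legacy_db_04 result=success
2021-07-09T09:30:00Z db-srv-2 db_backup user=backup_svc db=billing result=success
2021-07-10T11:00:00Z vpn-legacy-01 vpn_login user=jdoe src=203.0.113.45 result=failure
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, str, str, Dict[str, str]]]:
    """Return (ts, host, event, fields) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return m.group("ts"), m.group("host"), m.group("event"), fields


def check_line(line: str) -> List[Finding]:
    """Flag successful activity on unknown or decommissioned assets and any use
    of a restricted account. Failed attempts are ignored here; a real pipeline
    would count them separately."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    ts, host, event, fields = parsed
    user = fields.get("user", "?")
    if fields.get("result") != "success":
        return []
    findings: List[Finding] = []
    asset = INVENTORY.get(host)
    if asset is None:
        findings.append(Finding(ts, host, user, "activity on host absent from asset inventory"))
    elif asset["status"] == "decommissioned":
        findings.append(Finding(ts, host, user, f"successful {event} on decommissioned {asset['type']}"))
    if user in RESTRICTED_ACCOUNTS:
        findings.append(Finding(ts, host, user, f"{RESTRICTED_ACCOUNTS[user]} used for {event}"))
    return findings


def analyze(log_text: str) -> List[Finding]:
    return [f for line in log_text.splitlines() if line.strip() for f in check_line(line)]


def hosts_to_disable(findings: List[Finding]) -> List[str]:
    """Decommissioned assets that still accept logins: candidates for immediate disablement."""
    return sorted({f.host for f in findings
                   if f.host in INVENTORY and INVENTORY[f.host]["status"] == "decommissioned"})


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.ts} {f.host} {f.user}: {f.reason}")
    print("disable:", hosts_to_disable(analyze(SAMPLE_LOGS)))
```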
    Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld.
    Copyright © 2023 IDG Communications, Inc.
