Why Cybersecurity Regulations And Oversight Are As Important As Safety Standards In The Modern Workplace Forbes
Author: rescue@crimefire.in
-
JD Sports Hack Highlights UK Cyber Security Concerns – The Motley Fool
Founded in 1993 by brothers Tom and David Gardner, The Motley Fool helps millions of people attain financial freedom through our website, podcasts, books, newspaper column, radio show, and premium investing services.
Fancy a firewall, mate?
Manchester-based retailer JD Sports is the latest victim in a string of cyber attacks on major UK entities this month. So far, hackers have descended upon retail, postal delivery, fast food, and news outlets.
On Monday, JD Sports announced that the data of 10 million customers — including names, addresses, emails, phone numbers, and the last four digits of payment cards — were exposed in a recent cyberattack. The company said it doesn’t save full payment info and that there is no reason to believe customers’ online passwords have been obtained. So for now, patrons can rest easy.
The hack might have limited effects on JD’s bottom line. People still need a place to get their Air Jordans, and the company expects to surpass $1 billion in sales for the first time next fiscal year, but the pilfering speaks to growing concern over cyber attacks in the UK. Though not quite fire sale territory, it appears hackers are diversifying their victims:
Gone Phishin’: In 2022, the UK suffered the third-highest number of cyber attacks of any country, behind Canada and the US, according to NordLocker. The UK National Cyber Security Centre has warned that more spear-phishing campaigns from Russian and Iranian state-sponsored groups are likely. Spear-phishing is a highly targeted form of attack, typically an email that appears to come from a person or business the recipient already knows and trusts. It is considerably more convincing than the old Nigerian Prince scam. A word of advice: if your “boss” sends you an odd email asking you to open a link and enter sensitive information, don’t do it, and confirm the request with them through a channel you already use. Your real boss will thank you for keeping the company out of harm’s way.
-
APT Cyber Tools Targeting ICS/SCADA Devices – CISA
Actions to Take Today to Protect ICS/SCADA Devices:
• Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
• Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
• Leverage a properly installed continuous OT monitoring solution to log and alert on malicious indicators and behaviors.
The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:
The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.
DOE, CISA, NSA, and the FBI urge critical infrastructure organizations, especially Energy Sector organizations, to implement the detection and mitigation recommendations provided in this CSA to detect potential malicious APT activity and harden their ICS/SCADA devices.
APT actors have developed custom-made tools that, once they have established initial access in an OT network, enables them to scan for, compromise, and control certain ICS/SCADA devices, including the following:
The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.
The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.
In addition, the APT actors can use a tool that installs and exploits a known-vulnerable ASRock-signed motherboard driver, AsrDrv103.sys, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel. Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions.
The APT actors’ tool for Schneider Electric devices has modules that interact via normal management protocols and Modbus (TCP 502). Modules may allow cyber actors to:
Refer to the appendix for tactics, techniques, and procedures (TTPs) associated with this tool.
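The advisory's third action item, continuous OT monitoring that alerts on malicious behaviour, can be made concrete for the Modbus modules described above. The following is an added example, not code from the advisory or from any of the tools it describes: it decodes the Modbus/TCP MBAP header and function code, and raises an alert when a state-changing write function (coil or register writes, the operations a tool would use to upload configuration or modify device parameters) arrives from a host that is not on an allow-list of engineering workstations. The frames, IP addresses and the approved-writer list are all constructed for illustration.

```python
"""Alert on Modbus/TCP write requests from hosts not approved to write.

Added example, not part of the CISA advisory. Frames and addresses are
constructed for illustration; the approved-writer list is hypothetical.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Function codes that change device state. Reads (0x01-0x04) are deliberately
# absent: an HMI polling registers is normal, an unknown host writing them is not.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header (tid, proto, length, unit) and the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    # The MBAP length field counts the unit id plus the PDU, i.e. every byte after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def check_request(src_ip: str, dst_ip: str, frame: bytes,
                  approved_writers: set) -> Optional[str]:
    """Return an alert string for a write from an unapproved source, else None."""
    req = parse_modbus_tcp(frame)
    name = WRITE_FUNCTIONS.get(req.function)
    if name is None or src_ip in approved_writers:
        return None
    return (f"ALERT {src_ip} -> {dst_ip} unit {req.unit_id}: "
            f"{name} (0x{req.function:02X}) from unapproved host")


def scan(traffic, approved_writers) -> List[str]:
    """Run check_request over (src, dst, frame) tuples, skipping malformed frames."""
    alerts = []
    for src, dst, frame in traffic:
        try:
            alert = check_request(src, dst, frame, approved_writers)
        except ValueError:
            continue  # not Modbus, or a truncated capture
        if alert:
            alerts.append(alert)
    return alerts


# Constructed traffic as hex (spaces separate MBAP fields and PDU fields):
SAMPLE_TRAFFIC = [
    # HMI reads 10 holding registers from unit 1: normal polling.
    ("10.0.5.20", "10.0.9.3", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # Approved engineering workstation writes a single coil: expected.
    ("10.0.5.10", "10.0.9.3", bytes.fromhex("0002 0000 0006 01 05 0013 FF00")),
    # Unknown host writes two registers: the behaviour to alert on.
    ("10.0.5.77", "10.0.9.3", bytes.fromhex("0003 0000 000B 01 10 0000 0002 04 0001 0002")),
]
APPROVED_WRITERS = {"10.0.5.10"}  # hypothetical engineering workstation

if __name__ == "__main__":
    for line in scan(SAMPLE_TRAFFIC, APPROVED_WRITERS):
        print(line)
```

The allow-list should come from the OT asset inventory, not from observed traffic, or the attacker's workstation is approved on first sight. Since the advisory notes that the Schneider Electric modules also use the devices' normal management protocols, watching TCP 502 alone is not sufficient; the same allow-list logic should be applied to those protocols on a span port or network tap that covers the whole OT segment.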
The APT actors’ tool for OMRON devices has modules that can interact by:
Additionally, the OMRON modules can upload an agent that allows a cyber actor to connect and initiate commands—such as file manipulation, packet captures, and code execution—via HTTP and/or Hypertext Transfer Protocol Secure (HTTPS).
Refer to the appendix for TTPs associated with this tool.
The APT actors’ tool for OPC UA has modules with basic functionality to identify OPC UA servers and to connect to an OPC UA server using default or previously compromised credentials. The client can read the OPC UA structure from the server and potentially write tag values available via OPC UA.
The threat from this tool can be significantly reduced by properly configuring OPC UA security. Refer to the Mitigations below for more information.
Refer to the appendix for TTPs associated with this tool.
Note: these mitigations are provided to enable network defenders to begin efforts to protect systems and devices from new capabilities. They have not been verified against every environment and should be tested prior to implementing.
DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices implement the following proactive mitigations:
For additional guidance on securing OT devices, see
For additional guidance on securing OPC UA enabled devices, see:
For more information on APT actors’ tools and TTPs, refer to:
The information in this report is being provided “as is” for informational purposes only. DOE, CISA, NSA, and the FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the DOE, CISA, NSA, or the FBI, and this guidance shall not be used for advertising or product endorsement purposes.
The DOE, CISA, NSA, and the FBI would like to thank Dragos, Mandiant, Microsoft, Palo Alto Networks, and Schneider Electric for their contributions to this joint CSA.
See tables 1 through 3 for TTPs associated with the cyber actors’ tools described in this CSA mapped to the MITRE ATT&CK for ICS framework. See the ATT&CK for ICS framework for all referenced threat actor tactics and techniques.
Table 1: APT Tool for Schneider Electric ICS TTPs
Table 2: APT Tool for OMRON ICS TTPs
Table 3: APT Tool for OPC UA ICS TTPs
All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact the Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov.
April 13, 2022: Initial Version | April 14, 2022: Added Resources | May 25, 2022: Added Additional Mitigations and Resources -
NC Church Sets Up Crowdfund To Replace Money Stolen in Cyber … – The Roys Report
A North Carolina church cheated out of more than $793,000 in funds it had raised to build a new sanctuary has set up a GoFundMe account to try to replace some of the stolen money.
Elkin Valley Baptist Church lost the funds when cyber thieves compromised a staff member’s computer and intercepted an email from Landmark Construction, the builder working on the project, which contained an invoice. The scammers cloned the email and used it to provide false payment information that resulted in the church wiring nearly $794,000 into an unknown bank account.
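The mechanism described here, a cloned vendor email carrying changed payment details, leaves traces that a mail gateway or a treasurer's mailbox rule can check for. The following is an added example, not code from the article or from any party involved: it parses a raw message, flags a Reply-To domain that differs from the From domain, flags a sender domain that is one or two characters away from a known vendor domain, and flags wording that asks for a payment to be redirected. Every address, domain and message body below is constructed, and the vendor domain list is hypothetical.

```python
"""Heuristic checks for a cloned vendor invoice e-mail.

Added example, not from the article. All addresses, domains and message text
are constructed; the known-vendor list is hypothetical.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import List

# Domains of vendors the organisation actually pays (hypothetical).
KNOWN_VENDOR_DOMAINS = {"landmark-construction.example"}

# Phrases that typically accompany a request to redirect a payment.
PAYMENT_CHANGE_PHRASES = (
    "changed our account",
    "new bank",
    "updated banking",
    "wire instructions",
)


def sender_domain(header_value) -> str:
    """Domain part of an address header, lower-cased; '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, known: set) -> bool:
    """True if domain is close to, but not equal to, a known vendor domain."""
    return any(domain != k and edit_distance(domain, k) <= 2 for k in known)


def analyze(raw: bytes) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = sender_domain(msg["From"])
    reply_dom = sender_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if is_lookalike(from_dom, KNOWN_VENDOR_DOMAINS):
        findings.append(f"sender domain {from_dom} resembles a known vendor domain")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    hits = [p for p in PAYMENT_CHANGE_PHRASES if p in text]
    if hits:
        findings.append("payment-redirection wording: " + ", ".join(hits))
    return findings


# Constructed messages. Note the 'l' for 'i' in the first sender's domain.
SUSPICIOUS_MAIL = b"""\
From: "Landmark Construction Billing" <billing@landmark-constructlon.example>
Reply-To: billing.landmark@webmail-host.example
To: treasurer@church.example
Subject: Invoice 4411 - updated payment details

Please note we have changed our account. Updated banking details are attached;
use the wire instructions below for invoice 4411.
"""

LEGIT_MAIL = b"""\
From: "Landmark Construction Billing" <billing@landmark-construction.example>
To: treasurer@church.example
Subject: Invoice 4411

Invoice 4411 for the sanctuary project is attached. Thank you.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MAIL), ("legitimate", LEGIT_MAIL)):
        print(label, analyze(raw) or ["no findings"])
```

These are heuristics and will miss a message sent from a genuinely compromised vendor mailbox, where every header is authentic. The control that actually stops the loss is procedural: any change to a payee's bank details is confirmed by phone with a contact already on file before a transfer is released, regardless of what the email says.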
Senior Pastor Johnny Blevins said the church discovered it had been cheated more than a week later, when the builder, Landmark Construction, inquired about payment.
“At that point, we thought we had paid Landmark, and of course, Landmark was waiting on a check,” Blevins told WXII-TV. “We said, ‘we have paid,’ and through investigation found out it was a fraudulent account.”
With construction underway and half of the raised funds gone, the church said it has had to take out a costly loan to continue the project.
“It’s been a disappointing thing, but we are people of faith,” Blevins said. “So, we will keep moving forward and try to find a way to go forward.”
The FBI is investigating the cyber crime, and Elkin Valley Baptist also has hired a cyber analyst to look into the case.
The church said it is now unlikely that it will be able to complete its new sanctuary by May as planned but hopes to resume construction in February.
The church saved for 10 years to raise the funds for the new worship center, which will replace a sanctuary built in 1884.
“Six years ago, we outgrew our sanctuary and now meet in our gymnasium, requiring multiple Sunday services to accommodate all those who wish to worship,” the church said on its GoFundMe site. “For two months each year, we squeeze into the old sanctuary to make room in the gym for the 120+ boys and girls who participate in our Veritas basketball outreach program. It’s an amazing opportunity to minister the love of Christ through competition and sportsmanship. This is one of the many reasons why we need a permanent worship center.”
“Proverbs 24:10 teaches us, ‘If you falter in a time of trouble, how small is your strength!’” the site says. “So, while the loss is great and the task large, through the grace of God and the kindness of so many — we will overcome and emerge stronger.”
This article originally appeared at MinistryWatch and is reprinted with permission. Anne Stych is a freelance writer, copy editor, proofreader and content manager covering science, technology, retail, and nonprofits. She writes for American City Business Journals’ BizWomen and MinistryWatch.
-
Unlocking a sustainable future by making cybersecurity more … – Atlantic Council
January 30, 2023
The world is on its way toward building a sustainable, inclusive energy future. Renewable energy sources have seen rapid growth thanks to technology innovation and declining costs. At the same time, digitalization is making conventional energy infrastructure more efficient. Continuing these trends will be critical to meeting global climate goals while raising prosperity around the world. And because energy transformation will herald a new, digitalized energy system, cybersecurity has a key role to play in unlocking that sustainable, inclusive future.
The energy sector must withstand a constant siege of cyberattacks—including some backed by nation-states. New attacks can propagate at the speed of light, and their consequences can take days and weeks to unravel, disrupting markets, making equipment unsafe to operate, and causing cascading effects that spread beyond the targeted organization.
Every energy sector participant—new or established, private or public—has an interest in maturing cybersecurity across an increasingly interconnected digital energy system. To continue to strengthen resilience and reliability, investments designed to improve the cost-benefit profile for cybersecurity are critical not just for the biggest players, but for everyone.
Both new and old energy technologies depend on cybersecurity. Rapid digitalization across the energy sector has increased efficiency and decreased emissions, but it has also changed and expanded the vulnerabilities the sector must consider. Attackers increasingly target not just information technology (IT) but operational technology (OT) as well. Retrofits to existing OT infrastructure such as pipelines and legacy generating plants mean these assets are now often network-connected. Newer technologies like wind and solar depend on digital management from the outset.
The cyber threat isn’t limited to big players or the Global North. Recent years have seen successful ransomware against the biggest petroleum products pipeline in the United States, against the biggest electricity supplier in Brazil, and against smaller infrastructure operators like the municipal electricity utility in Johannesburg. We have also seen attacks against subcontractors leveraged to penetrate electric utilities connected to the US grid. This is a global challenge, for organizations large and small.
Faced with a continuous onslaught of cyberattacks, the energy sector will need to establish practices and institutions that drive down the cost of deploying strong cybersecurity across the energy value chain. Startups, subcontractors, and small utilities will become a consistently weak link in the energy ecosystem if affordable, effective cybersecurity remains unavailable.
So how can the energy sector ensure that cybersecurity keeps pace with cyber risk, and seize opportunities to get ahead of attackers? How can public and private sector leaders contribute to building a community of trust?
Regulators in the energy sector should ensure they enable—or at a minimum, don’t stifle—technology innovations that enhance cybersecurity. Cyber innovation will need to keep pace with both the new technologies of the energy transformation and the known risks to those technologies, even if slow-moving regulatory processes have not yet accounted for new business models, technologies, or threats.
Similarly, regulators should consider how to encourage rapid information sharing about threat intelligence. Although threat intelligence can help quickly harden targets against novel attacks, operators may be reluctant to share information if they believe it will later lead to legal and financial liabilities. Tabletop exercises that convene public and private organizations can improve incident response, building relationships and providing actionable insights before a crisis occurs.
Public and private sector leaders can both work to expand the pool of cybersecurity talent, one of the chief cost barriers to stronger cybersecurity. Cybersecurity experts are scarce, and experts who are also familiar with the operational technology that enables the energy transition are scarcer still. Training programs, public or private, will help meet demand. Solutions that expand the scope and power of automation can also help, as can information-sharing that enables security teams to quickly recognize new threats and efficiently apply patches.
For asset operators (public or private), cybersecurity should be part of decision-making on new projects. Considering how to secure new infrastructure or planned retrofits can help reduce the cost and complexity needed to manage risk. Monitoring operations helps operators and cyber analysts understand how systems interact with each other during normal production—and enables earlier detection of malicious activity. Seeking opportunities for automation of routine tasks can reduce the cost of strong cybersecurity. Advancements in machine learning and artificial intelligence make it easier to rapidly draw useful insights from massive data sets.
Private sector collaborations can help build trust and cyber maturity across the industry. Common standards and certifications can help spread best practices and build confidence that potential partners or clients will not introduce new vulnerabilities. Threat intelligence can sometimes be more comfortably shared across peer organizations than with regulators.
Private sector leaders can assess and improve their own organizations’ cyber risk posture. Boards that accurately understand their cyber risks will be better able to invest appropriately in managing those risks. Likewise, making clear that cybersecurity is a cross-cutting competency key to performance for every business unit helps build a strong security culture. And of course, recognizing that cybersecurity is an ongoing effort across the sector helps build the collaboration across the energy sector needed to contend with a dynamic, interconnected cyber threat landscape.
Finally, an inclusive energy transformation will also require cyber-inclusivity. Even as the Global North continues to build the connective tissue necessary to meet the cyber risks of a digitalized energy system, passing those lessons forward as the developing world pursues electrification and sustainable energy access will be necessary to ensure that the energy system of the Global South is constructed with cyber-resiliency in mind. Using global convenings like the Atlantic Council Global Energy Forum in Abu Dhabi earlier this month to bring cybersecurity to the table alongside discussions of increasing energy access is critical to build community and advance shared security in a digital energy system.
Leo Simonovich is the vice president and global head of industrial cyber and digital security at Siemens Energy.
Reed Blakemore is a deputy director at the Atlantic Council Global Energy Center.
Image: Cables in a data center. (Federal Communications Commission, Flickr, CC0 1.0) https://creativecommons.org/publicdomain/zero/1.0/
-
How to Enhance Cyber Security Awareness for Remote Teams (5 … – Robotics and Automation News
Remote teams are exposed to more cyber security threats because they expand the attack surface: every additional endpoint, home network and personal device is another route by which criminals can reach sensitive company data.
Enhancing cybersecurity awareness for remote teams is essential, and here are five tips to help with this.
It is important to set standards, expectations, and processes for remote teams. Basic areas to address include whether employees use company-provided or personal devices and a VPN or remote desktop.
Many remote teams use personal devices and home networks. Something as simple as saving a document to a personal desktop that has no up-to-date endpoint protection can be enough to start an incident.
Bring-your-own-device (BYOD) policies need to be clearly spelled out to prevent remote employees from exposing sensitive company data.
Regular housekeeping of the machine also matters for remote workers’ cybersecurity, especially on personal devices.
Unused files and old downloads can include malicious documents that were never opened, and they add to what an attacker can find on a compromised machine. Remote teams need a tool and clear instructions for removing them.
The human factor is one of the biggest challenges when it comes to cyber security.
Cyber security awareness involves delivering training to remote employees to help protect against potential security threats.
By creating a cyber security-conscious remote workforce culture, remote teams will be mindful of threats and how to recognize them.
By knowing what steps to take, remote teams can proactively reduce threats and the impact they could have on the company’s bottom line. Recognizing early warning signs before too much damage is done is often the best way to prevent data breaches.
Once-off training is not enough. It is vital to conduct regular training and make it mandatory for every employee, whether through internal training or an external course.
Robust policies and procedures will help to underpin cyber security training. Companies must have policies in place covering aspects such as internet usage, use of the equipment and social media. Specific rules for emails, browsing and mobile use should be in place.
Remote workers need the right access to the right applications to do their work.
Employers must determine which employees need access to the whole internal network and which may only need access to email and cloud-based services.
Implementing “least privilege” or minimum permissions reduces threats without affecting productivity.
Employers should discourage remote teams from using unsecured public Wi-Fi. Many remote workers use their personal Wi-Fi network, and they need to make sure it is set up securely.
Experts recommend that remote workers reach internal systems over a VPN, which encrypts traffic between the worker’s device and the company’s VPN gateway (not end to end to every application, so internal services still need their own protection). VPN clients and gateways must be patched promptly, since unpatched VPN appliances are a frequent entry point for attackers.
Requiring multifactor authentication on the VPN adds another layer of protection against the growing number of phishing attacks aimed at VPN credentials.
Remote teams won’t know whether their security awareness holds up until they put it into practice. Regular cyber security drills help them recognize different kinds of threats.
When they can try out their skills on simulated threats, they learn lessons that can help them when faced with real threats. For example, employers could simulate a phishing scam to see how many employees click on or open attachments.
Remote work expands the attack surface. Companies need policies and processes to protect against the resulting threats, and they need to train their remote teams and build a culture of cyber awareness so that attacks are prevented rather than cleaned up afterwards.
-
IOTW: Everything we know about the Medibank data leak | Cyber Security Hub – Cyber Security Hub
Note: this article was updated on November 11, 2022 to reflect a development in the Australian Federal Police’s investigation
The hacker responsible for a data breach of Australian health insurance provider Medibank which affected 9.7 million people has released private medical information on the dark web.
The hacker posted a file labelled “abortions” to a site backed by Russian ransomware group REvil on November 10, 2022. It apparently contains information on procedures that policyholders have claimed on, including miscarriages, terminations and ectopic pregnancies.
The hackers also released files containing customer data called “good-list” and “naughty-list” on November 9, 2022. The so-called “naughty-list” reportedly includes details on those who had sought medical treatment for HIV, drug addiction or alcohol abuse or for mental health issues like eating disorders.
The hacker added to the November 10 data leak post, saying: “Society ask us about ransom, it’s a 10 millions (sic) usd. We can make discount 9.7m 1$=1 customer.”
During question time in Australian parliament on November 10, Minister of Home Affairs Clare O’Neil hit back at the hackers, saying: “I want the scumbags behind this attack to know that the smartest and toughest people in this country are coming [at] you.
“I want to say, particularly to the women whose private health information has been compromised overnight, as the minister for cyber-security but more importantly, as a woman, this should not have happened, and I know this is a really difficult time.”
David Koczkar, CEO of Medibank, called the release of the data “disgraceful” and a “weaponization of people’s private information”. He also called those involved in the cyber-attack and data leak “deplorable”.
In an attempt to protect those affected by the cyber security incident and the subsequent data leaks, Medibank urged members of the public and the media to not “unnecessarily download sensitive personal data from the dark web” and to “refrain from contacting customers directly”.
The initial cyber security incident occurred on October 13, 2022, when Medibank detected some “unusual activity” on its internal systems. After dealing with the cyber-attack, Medibank said in a statement that there was “no evidence that customer data has been accessed” during the breach.
Medibank was then contacted on October 17 by the malicious party, who aimed to “negotiate with the [healthcare] company regarding their alleged removal of customer data”.
The malicious party attempted to weaponize Medibank’s customers’ private medical data to extort the medical insurer, saying that they would release the data of the“1k most [prominent] media persons” that include “[those with the] most [social media] followers, politicians, actors, bloggers, [LGBTQ+] activists [and] drug-addicted people” as well as people with “very interesting diagnoses”.
It was confirmed on October 20 that the hacker’s claims were legitimate. Medibank, however, publicly refused to bend to the hacker’s demands and said it would not pay a ransom over concerns it would “encourage the criminal to directly extort [its] customers”.
The company also said that it had received counsel from cyber security experts who had said there was only a “limited chance” that paying the ransom would result in the return of the stolen data.
How we got here with @medibank. It initially said compromised login credentials were used (that may have involved VPN access). The attackers claim they accessed Redshift – an Amazon data warehousing product – via jump servers. #auspol #infosec (1/4)
In a tweet on November 10, journalist Jeremy Kirk suggested that the hack took place as a result of hackers gaining access to Medibank’s internal systems via compromised login credentials, a tactic that “may have involved VPN access”.
According to Kirk, the hackers claim they used jump servers to access Amazon data warehouse Redshift. The hackers also claim that they had access to Medibank’s internal systems for a month before they were discovered.
On November 7, Medibank revealed the true extent of the hack. The malicious actor gained unauthorized access to and stole the data for 9.7 million past and present customers.
The information included email addresses, phone numbers, addresses, Medicare numbers, names, dates of birth, passport numbers and visa details. It also encompassed the health claims data for 192,000 customers which contained private medical information including where customers were admitted for procedures, service provider names and locations and codes associated with diagnosis and procedures given.
Medibank urged all those affected to “stay vigilant” against cyber attacks that may be levelled against them because of the leak.
-
Protecting Against Malicious Use of Remote Monitoring and … – CISA
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the “authoring organizations”) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders about malicious use of legitimate remote monitoring and management (RMM) software. In October 2022, CISA identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors used in a refund scam to steal money from victim bank accounts.
Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity. For example, the actors could sell victim account access to other cyber criminal or advanced persistent threat (APT) actors. This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors—from cybercriminals to nation-state sponsored APTs—are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2).
Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions.
The authoring organizations strongly encourage network defenders to review the Indicators of Compromise (IOCs) and Mitigations sections in this CSA and apply the recommendations to protect against malicious use of legitimate RMM software.
Download the PDF version of this report: pdf, 608 kb.
For a downloadable copy of IOCs, see AA23-025.stix (STIX, 19 kb).
In October 2022, CISA used trusted third-party reporting to conduct retrospective analysis of EINSTEIN—a federal civilian executive branch (FCEB)-wide intrusion detection system (IDS) operated and monitored by CISA—and identified suspected malicious activity on two FCEB networks:
Based on further EINSTEIN analysis and incident response support, CISA identified related activity on many other FCEB networks. The authoring organizations assess this activity is part of a widespread, financially motivated phishing campaign and is related to malicious typosquatting activity reported by Silent Push in the blog post Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and Paypal domains.
The authoring organizations assess that since at least June 2022, cyber criminal actors have sent help desk-themed phishing emails to FCEB federal staff’s personal and government email addresses. The emails either contain a link to a “first-stage” malicious domain or prompt the recipients to call the cybercriminals, who then try to convince the recipients to visit the first-stage malicious domain. See figure 1 for an example phishing email obtained from an FCEB network.
The recipient visiting the first-stage malicious domain triggers the download of an executable. The executable then connects to a “second-stage” malicious domain, from which it downloads additional RMM software.
CISA noted that the actors did not install downloaded RMM clients on the compromised host. Instead, the actors downloaded AnyDesk and ScreenConnect as self-contained, portable executables configured to connect to the actor’s RMM server.
Note: Portable executables launch within the user’s context without installation. Because portable executables do not require administrator privileges, they can allow execution of unapproved software even if a risk management control may be in place to audit or block the same software’s installation on the network. Threat actors can leverage a portable executable with local user rights to attack other vulnerable machines within the local intranet or establish long-term persistent access as a local user service.
CISA has observed that multiple first-stage domain names follow naming patterns used for IT help/support themed social engineering (e.g., hservice[.]live, gscare[.]live, nhelpcare[.]info, deskcareme[.]live, nhelpcare[.]cc). According to Silent Push, some of these malicious domains impersonate known brands such as Norton, GeekSupport, Geek Squad, Amazon, Microsoft, McAfee, and PayPal.[1] CISA has also observed that the first-stage malicious domain linked in the initial phishing email periodically redirects to other sites for additional redirects and downloads of RMM software.
In this campaign, after downloading the RMM software, the actors used the software to initiate a refund scam. They first connected to the recipient’s system and enticed the recipient to log into their bank account while remaining connected to the system. The actors then used their access through the RMM software to modify the recipient’s bank account summary. The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to “refund” this excess amount to the scam operator.
Although this specific activity appears to be financially motivated and targets individuals, the access could lead to additional malicious activity against the recipient’s organization—from both other cybercriminals and APT actors. Network defenders should be aware that:
Threat actors often target legitimate users of RMM software. Targets can include managed service providers (MSPs) and IT help desks, who regularly use legitimate RMM software for technical and security end-user support, network management, endpoint monitoring, and to interact remotely with hosts for IT-support functions. These threat actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP’s customers. MSP compromises can introduce significant risk—such as ransomware and cyber espionage—to the MSP’s customers.
The authoring organizations strongly encourage network defenders to apply the recommendations in the Mitigations section of this CSA to protect against malicious use of legitimate RMM software.
See table 1 for IOCs associated with the campaign detailed in this CSA.
Domain | Description | Date(s) Observed
--- | --- | ---
win03[.]xyz | Suspected first-stage malware domain | June 1, 2022; July 19, 2022
myhelpcare[.]online | Suspected first-stage malware domain | June 14, 2022
win01[.]xyz | Suspected first-stage malware domain | August 3, 2022; August 18, 2022
myhelpcare[.]cc | Suspected first-stage malware domain | September 14, 2022
247secure[.]us | Second-stage malicious domain | October 19, 2022; November 10, 2022
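As an added example that is not part of the advisory, the following Python script shows how a defender might put the IOC table above and the earlier note on portable executables to work against their own telemetry. It refangs the published domains and matches them (including subdomains) against proxy requests, and it flags AnyDesk or ScreenConnect clients launched from outside their normal install directories, which is the no-install pattern the advisory describes. The log formats, the RMM client file names, the install directories and all log lines are constructed assumptions for this example, not data from the advisory.

```python
import ntpath

# IOC domains from Table 1 of the advisory (AA23-025), kept in the defanged
# form in which they are published; they are refanged only in memory.
IOC_DOMAINS = {
    "win03[.]xyz": "Suspected first-stage malware domain",
    "myhelpcare[.]online": "Suspected first-stage malware domain",
    "win01[.]xyz": "Suspected first-stage malware domain",
    "myhelpcare[.]cc": "Suspected first-stage malware domain",
    "247secure[.]us": "Second-stage malicious domain",
}

# Client executable names for the two RMM products the advisory names.
# The exact file names are an assumption made for this example.
RMM_EXE_NAMES = {
    "anydesk.exe",
    "screenconnect.windowsclient.exe",
    "screenconnect.clientservice.exe",
}

# Where a properly installed RMM client lives (assumed for this example).
# A copy running from anywhere else (Downloads, Temp, Desktop) is the
# portable, no-install pattern the advisory describes.
INSTALLED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def refang(domain: str) -> str:
    """Turn a defanged IOC ('247secure[.]us') into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


def ioc_for_host(host: str):
    """Return (defanged_ioc, description) if host is an IOC or a subdomain of one."""
    host = host.lower().rstrip(".")
    for ioc, description in IOC_DOMAINS.items():
        plain = refang(ioc)
        if host == plain or host.endswith("." + plain):
            return ioc, description
    return None


# Constructed proxy log: "<timestamp> <client_ip> <host> <path>" per line.
PROXY_LOG = """\
2022-06-14T09:12:03Z 10.20.30.41 myhelpcare.online /support/connect.exe
2022-06-14T09:12:05Z 10.20.30.41 update.247secure.us /dl/AnyDesk.exe
2022-06-14T09:15:44Z 10.20.30.42 www.example.com /index.html
"""


def scan_proxy_log(text: str) -> list:
    """Flag every proxy request whose host matches an IOC domain."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts, client, host, path = parts[:4]
        match = ioc_for_host(host)
        if match:
            hits.append({"time": ts, "client": client, "host": host,
                         "path": path, "ioc": match[0], "why": match[1]})
    return hits


def is_portable_rmm(image_path: str) -> bool:
    """True when an RMM client runs from outside its normal install location."""
    lowered = image_path.lower()
    name = ntpath.basename(lowered)  # Windows path semantics on any platform
    if name not in RMM_EXE_NAMES:
        return False
    return not lowered.startswith(INSTALLED_DIRS)


# Constructed process-creation log, pipe-separated: time|user|image path.
PROCESS_LOG = """\
2022-06-14T09:13:10Z|CORP\\jdoe|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe
2022-06-14T09:30:00Z|CORP\\helpdesk|C:\\Program Files (x86)\\ScreenConnect Client (a1b2)\\ScreenConnect.ClientService.exe
2022-06-14T09:31:12Z|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe
"""


def scan_process_log(text: str) -> list:
    """Flag RMM clients launched as portable executables from user-writable paths."""
    hits = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 3:
            continue
        ts, user, image = fields
        if is_portable_rmm(image):
            hits.append({"time": ts, "user": user, "image": image})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(f"[IOC] {hit['time']} {hit['client']} -> {hit['host']} ({hit['why']})")
    for hit in scan_process_log(PROCESS_LOG):
        print(f"[RMM] {hit['time']} {hit['user']} ran portable {hit['image']}")
```

Matching on the subdomain suffix matters because the advisory notes that first-stage domains redirect through other hosts before the RMM download; exact-string matching on the five published names would miss a request to a host under one of them. The process check is deliberately simple: a legitimate help desk that runs the installed client under Program Files is not flagged, while the same executable run straight from a Downloads folder is, which is the condition that installation-based software controls do not see.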
Additional resources to detect possible exploitation or compromise:
The authoring organizations encourage network defenders to:
This advisory was developed by CISA, NSA, and MS-ISAC in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.
The information in this report is being provided “as is” for informational purposes only. CISA, NSA, and MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
January 25, 2023: Initial Version -
State and Local Cybersecurity Grant Program – CISA
On September 16, 2022, the Department of Homeland Security (DHS) announced a first-of-its-kind cybersecurity grant program specifically for state, local, and territorial (SLT) governments across the country.
Funding from the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP) helps eligible entities address cybersecurity risks and threats to information systems owned or operated by—or on behalf of—state, local and territorial (SLT) governments. Through two distinct Notices of Funding Opportunity (NOFO), SLCGP and TCGP combined will distribute $1 billion over four years to support projects throughout the performance period of up to four years. This year, the TCGP will be released after SLCGP.
Through the Infrastructure Investment and Jobs Act (IIJA) of 2021, Congress established the State and Local Cybersecurity Improvement Act, which established the State and Local Cybersecurity Grant Program, appropriating $1 billion to be awarded over four years.
These entities face unique challenges in defending against cyber threats such as ransomware, as they lack the resources to defend against constantly changing threats. The Department of Homeland Security (DHS), through the Cybersecurity and Infrastructure Security Agency (CISA), is taking steps to help stakeholders across the country understand the severity of their unique local cyber threats and cultivate partnerships to reduce related risks across the SLT enterprise.
Read below or print the SLCGP Fact Sheet and Frequently Asked Questions.
DHS will implement the SLCGP Grant Program through CISA and the Federal Emergency Management Agency (FEMA). While CISA will serve as the subject-matter expert in cybersecurity related issues, FEMA will provide grant administration and oversight for appropriated funds, including award and allocation of funds to eligible entities, financial management and oversight of funds execution.
The program is designed to put the funding where it is needed most: into the hands of local entities. States and territories will use their State Administrative Agencies (SAAs) to receive the funds from the Federal Government and then distribute the funding to local governments in accordance with state law/procedure. This is the same way in which funding is distributed to local governments in the Homeland Security Grant Program.
Eligible entities can form Cybersecurity Planning Committees and create Cybersecurity Plans (in accordance with the minimum requirements as stated in the State and Local Cybersecurity Improvement Act), which are a requirement for receiving grant funds. The state-level Cybersecurity Planning Committee leverages previously established advisory bodies that the states may have formed. The membership of the Cybersecurity Planning Committee will be up to each individual state, given they meet the requirements of the legislation and NOFO. States are encouraged to expand their cybersecurity planning committees to include additional expertise based on individual state needs. DHS provides a list of these suggested additional personnel in the NOFO. However, states are not limited to the added personnel on this list.
The Cybersecurity Planning Committee will identify and prioritize state-wide efforts, to include identifying opportunities to consolidate projects to increase efficiencies. Each eligible entity is required to submit confirmation that the committee is comprised of the required representatives. The eligible entity must also confirm that at least one-half of the representatives of the committee have professional experience relating to cybersecurity or information technology. For more information on the composition of the Cybersecurity Planning Committee, including how to leverage existing planning committees, please refer to Appendix B of the Notice of Funding Opportunity.
Cybersecurity Planning Committee membership shall include at least one representative from relevant stakeholders, including:
Not less than half of the representatives of the Cybersecurity Planning Committee must have professional experience relating to cybersecurity or information technology. Qualifications are determined by the states.
Eligible entities are given the flexibility to identify the specific public health and public education agencies and communities the Planning Committee members represent.
The Cybersecurity Plan is a statewide planning document that must be approved by the Cybersecurity Planning Committee and the CIO/CISO equivalent. The Plan will be subsequently updated in FY24 and 25. It must contain the following components:
SLCGP Email: SLCGPinfo@cisa.dhs.gov
TCGP Email: TCGPinfo@cisa.dhs.gov
Social Media Handle(s): Visit CISA on Social Media.
(Please note other links will be added as they become available)
The following list of CISA resources are recommended products, services, and tools at no cost to the state, local, tribal, and territorial governments, as well as public and private sector critical infrastructure organizations.
State and Local Cybersecurity Grant Program Fact Sheet
State and Local Cybersecurity Grant Program Frequently Asked Questions
Cyber Resource Hub
Ransomware Guide (Sept. 2020)
Cyber Resilience Review
Free Cybersecurity Services and Tools
Cybersecurity Plan Template (click “Related Documents” tab to download)
To report an incident, visit www.cisa.gov/report
Key Links:
FEMA has assigned state-specific Preparedness Officers for the SLCGP. If you do not know your Preparedness Officer, please contact the Centralized Scheduling and Information Desk (CSID) by phone at (800) 368-6498 or by email at askcsid@fema.dhs.gov, Monday through Friday, 9 a.m. – 5 p.m. ET.
CSID is a non-emergency comprehensive management and information resource developed by FEMA for grant stakeholders. CSID provides general information on all FEMA grant programs and maintains a comprehensive database containing key personnel contact information at the federal, state and local levels. When necessary, recipients will be directed to a federal point of contact who can answer specific programmatic questions or concerns. CSID can be reached by phone at (800) 368-6498 or by e-mail at askcsid@fema.dhs.gov, Monday through Friday, 9 a.m. – 5 p.m. ET. -
Weak Security Controls and Practices Routinely Exploited for Initial … – CISA
Best Practices to Protect Your Systems:
• Control access.
• Harden Credentials.
• Establish centralized log management.
• Use antivirus solutions.
• Employ detection tools.
• Operate services exposed on internet-accessible hosts with secure configurations.
• Keep software updated.
Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices and includes best practices to mitigate the issues. This advisory was coauthored by the cybersecurity authorities of the United States,[1],[2],[3] Canada,[4] New Zealand,[5],[6] the Netherlands,[7] and the United Kingdom.[8]
Download the PDF version of this report (pdf, 430kb).
Malicious actors commonly use the following techniques to gain initial access to victim networks.[TA0001]
Malicious cyber actors often exploit the following common weak security controls, poor configurations, and poor security practices to employ the initial access techniques.
Applying the following practices can help organizations strengthen their network defenses against common exploited weak security controls and practices.
[1] United States Cybersecurity and Infrastructure Security Agency
[2] United States Federal Bureau of Investigation
[3] United States National Security Agency
[4] Canadian Centre for Cyber Security
[5] New Zealand National Cyber Security Centre
[6] New Zealand CERT NZ
[7] Netherlands National Cyber Security Centre
[8] United Kingdom National Cyber Security Centre
[9] White House Executive Order on Improving the Nation’s Cybersecurity
[10] NCSC-NL Factsheet: Prepare for Zero Trust
[11] NCSC-NL Guide to Cyber Security Measures
[12] N-able Blog: Intrusion Detection System (IDS): Signature vs. Anomaly-Based
[13] NCSC-NL Guide to Cyber Security Measures
[14] National Institute of Standards and Technology SP 800-123 – Keeping Servers Secured
U.S. organizations: To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov. To report computer intrusion or cybercrime activity related to information found in this advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch at 855-292-3937 or by email at CyWatch@fbi.gov. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.
Canadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca.
New Zealand organizations: report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.
The Netherlands organizations: report incidents to cert@ncsc.nl.
United Kingdom organizations: report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.
The information you have accessed or received is being provided “as is” for informational purposes only. CISA, the FBI, NSA, CCCS, NCSC-NZ, CERT-NZ, NCSC-NL, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring.
This document was developed by CISA, the FBI, NSA, CCCS, NCSC-NZ, CERT-NZ, NCSC-NL, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
May 17, 2022: Initial version
