2021 Week 17-18 Security Roundup


Summary

Spent a week driving around the western US, then had to get caught up with work and school, so I didn't have the time or ability to post an update.  Here is what has happened over that time frame.

For such a long time period there really is not much actual news.  In my scanning of sites, it appears that the focus has returned to the financial sector and work-from-home attacks.  One of the things I have noted over the years is that these things tend to be cyclical, which could indicate that there is some dark web coordination that security practitioners are not yet privy to (though nation-state experts might be).

News

Washington D.C. police server hacked by Russian group

A Russian hacking group named Babuk posted screenshots that seek to prove that they have accessed several databases belonging to the Washington D.C. police department.  The group left a text document on the department's network outlining how to pay the ransom to get locked files back and to pay them not to release the data to the gangs that were the subject of one of the databases.  It appears that the D.C. police department is working with the Federal Bureau of Investigation (FBI) to investigate the breach.



Illinois Office of the Attorney General (OAG) hack

Moving from the threat of a data release to an actual release, the DoppelPaymer ransomware gang released a collection of files from the Illinois OAG, which the gang had hacked previously.  Since DoppelPaymer is a sanctioned entity, it is illegal to pay them, so the OAG opted not to pay the ransom.

Pulse Connect Secure hack

Pulse Secure, a common remote access tool used in government and industry, has been compromised by a group of Chinese actors.  Cybersecurity firm Mandiant made the announcement the week of the 20th.  Since then, CISA and other government groups have posted bulletins warning government and critical infrastructure operators to scan their networks using the Pulse Connect Secure Integrity Tool (https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755) and, if evidence of a breach is found, to engage in mitigation efforts immediately.  It appears that this has allowed the Chinese government to have direct access to critical systems for months, but it does not seem as widespread as other attacks that have recently made the news.  It was also announced in another bulletin that Russian actors (namely SVR/Cozy Bear) have used a suite of 5 vulnerabilities in common software used by government and industry, including Pulse Secure.
It should be noted that Pulse Secure claims to have fixed the issue and that everyone should upgrade to the newest version (currently Connect Secure 9.1R11.4).

Government Bulletins:


Guilderland Central School District ransomware attack

A school district near Albany found some of its systems encrypted in a ransomware attack.  The district moved students in 7th through 12th grades to all-remote learning.  They indicated that they were working with local law enforcement to investigate.

NSA has guidance on securing IT-OT interconnectivity

The NSA released another cybersecurity advisory on the need to secure the connections between Operational Technology (OT) networks and Information Technology (IT) networks.  Nothing really new for those working in the industry, but it is a reminder that we have to eliminate as many touchpoints into OT networks as we can.  Opening them to the IT networks only increases the attack surface that has to be defended.


Government Advisory:


Legislative actions 

The Civilian Cyber Security Reserve Act

The United States House of Representatives and the Senate have jointly released legislation to create a system modeled on the Army Reserve or National Guard that focuses on cybersecurity.  The goal is to create a corps that can be called on to shore up our nation's defenses in the cyber realm.

Breach Notification Bill

The United States Senate Intelligence Committee is working on a bill to create a mandatory breach notification if companies lose control of your data.  As previously mentioned, this is tricky to get right, as you have to balance a company's right to conduct business against people's ability to know the fate of their sensitive information.  A lot of this was driven by the fact that several agencies and companies were infiltrated over the last couple of years and little to no public statements were made until someone else came forward.

Jobs

Oklahoma Municipal Assurance Group is looking for a security analyst.  I know Keven personally and would work for him in an instant.  Beyond that, as with a lot of insurance companies, pay and benefits are well above average for the size of the entity.  Lastly, they are in a great part of the Oklahoma City metro area.  It is safe and progressive (in more ways than just politically), so great local government and schools.  While overall property costs are high in the area, within a 5-mile radius of the main office houses can be found at really reasonable prices.
