Showing posts with the label water

2023 Week 48

  Summary This week's news focused on the legal and water sectors.  On the water side we saw two high-profile attacks in the US, but it is still unclear if they are related. News SLTT The Kansas Judicial Branch has confirmed that hackers stole sensitive files in a breach last month.  The October attack impacted the availability of several systems at the time.  These systems included the eFiling system, electronic payment systems, and case management systems.   It appears that, like other attacks recently, the threat actors stole data prior to the ransomware phase of the attacks.  Neither Kansas nor the threat actors have identified who is responsible. https://www.bleepingcomputer.com/news/security/kansas-courts-confirm-data-theft-ransom-demand-after-cyberattack/?&web_view=true The New York City Bar Association has disclosed in filings to the states of Maine and Vermont that an investigation completed in October confirmed that hackers gained access t...

2023 Week 47

  Summary Slowly trying to bring this back since I have found no other place that collects this exact information.  I may also add a podcast feature around the first of the year. News CISA is exploring becoming a managed service provider of cybersecurity services to critical infrastructure entities.  This is part of the ongoing efforts by the U.S. to take an expansive approach to cybersecurity.  https://securityboulevard.com/2023/11/cisa-to-provide-cybersecurity-services-to-critical-infrastructure-entities/ https://therecord.media/cisa-launches-pilot-program-offering-services-to-critical-infrastructure?&web_view=true SLTT The City of Long Beach, California is deciding whether to declare a state of emergency in regard to the cyber incident that struck its systems on the 14th.  The attack affected public-facing services as well as some business operations but appears to have spared the public safety systems. https://www.govtech.com/security/long-beach-calif-mulls-...

2022 Week 6 Security Summary

Summary This week we saw a wide array of news about cyber security.   News SLTT Pellissippi State Community College was the victim of a ransomware attack that apparently was trying to encrypt data.  They report they did not pay the ransom and are working to figure out the extent of data that was accessed. https://www.securityweek.com/tennessee-community-college-suffers-ransomware-attack?&web_view=true https://www.infosecurity-magazine.com/news/tennessee-college-hit-ransomware/ Infosec Institute is offering scholarships to 15 people from underrepresented groups in the infosec/cybersecurity industry.  It expands on their Accelerate Scholarship Program.   https://www.infosecurity-magazine.com/news/infosec-announces-new/ https://www.infosecinstitute.com/scholarship-opportunities-for-aspiring-cybersecurity-professionals/?utm_source=newswire&utm_medium=pr&utm_campaign=accelerate&utm_content=women#women Clario researchers discovered an unsecured Mi...

2021 Weeks 32-40 Security Roundup

  Summary Let me apologize for the long delay right up front.  First, we had a round of Covid in the household in a person who is immune-compromised.  Next, I started a new semester in college and the workload was far greater than I expected.  Lastly, this is the start of the budget year for us and I had several projects that have demanded almost every second of my work time.  I hope to get back to weekly updates by November. Lots of news that covers:  health care, education, infrastructure, and SLTT governments around the world.  Since I am hitting the length limitations of Blogger, I will simply invite you to read and try and get caught up yourself.  News UC San Diego Health sued over breach In what is becoming a growing trend, UC San Diego Health is being sued for failure to have proper data protection protocols.  The suit is citing breach of contract, negligence, and violating California consumer and medical privacy laws.  Specifically...

2021 Week 28 security roundup

  Summary Almost all the news this week was dominated by the Kaseya breach which allowed REvil to gain access to and encrypt the systems of 1500+ organizations.  This might end up being even bigger than the SolarWinds attack.  I did not include articles about PrintNightmare due to it being a more generalized OS zero-day.  If you use Microsoft products, however, I strongly encourage you to get up to speed on this issue. Outside of the Kaseya issue, there was also news of new and old attacks against infrastructure components, most notably a couple of water plants that were breached.   News Kaseya breach The technology services company Kaseya had a backdoor in one of their popular remote access applications that allowed bad actors to gain access to thousands of entities over the long weekend, including governments of all sizes.  The backdoor was a zero-day bug that was quickly exploited and timed for the U.S. long holiday weekend.  While not as ...

2021 Security for Week 26 Roundup

  Summary: This week we have an update on the Tulsa, Oklahoma ransomware attack and data breach as well as an update on the Ireland health system breach by the same group.  NBC and others have recaps of water security.  Several groups are doing cybersecurity exercises and this included a grid attack simulation.   News Tulsa Oklahoma Ransomware Attack  As previously noted ( https://yasb2018.blogspot.com/2021/05/2021-week-19-security-roundup.html ) Tulsa was the victim of a ransomware attack.  Now it appears that some of the breached data (18,000+ files) has been released.  This again points to the danger of paying the ransom as it appears there is little honor among the hackers.  It should be noted that Conti (the suspected group behind the attack) has a long history of this. https://edition.cnn.com/2021/06/23/us/tulsa-cyberattack-personal-information-dark-web/index.html?&web_view=true https://kfor.com/news/local/ransomware-attackers-relea...

2021 Week 19 Security Roundup

  Summary The Colonial Pipeline hack dominated the news cycle this week.  This is probably the largest infrastructure hack in the history of the world. It is probable that this event will be in the news for weeks to come.   News Colonial Pipeline Ransomware Hack This may end up being the largest infrastructure attack in U.S. history.  From the various reports, it looks like the threat actor that launched the attack is Darkside.  Darkside is a group thought to be Russian as they avoid Russian companies and others in Russian-speaking former Eastern Bloc countries.  They released a statement Monday saying that it was an affiliated group and they were vowing to rein in their partners in the future to avoid causing social and political strife.  In the past, the Darkside group has held themselves out as social justice warriors taking down corrupt corporations and has been known to donate 10% of their ransoms to charities.   While none have indi...

2021 Week 17-18 Security Roundup

  Summary Spent a week driving around the western US then had to get caught up with work and school, so didn't have the time nor ability to post an update.  Here is what has happened over that time frame. For such a long time period there really is not too much actual news.  In my scanning of sites, it appears that the focus has returned to financial sectors and work from home attacks.  One of the things I have noted over the years is that these things tend to be cyclic, which could indicate that there is some dark web coordination that security practitioners are not yet privy to (though nation-state experts might be).   News Washington D.C. police server hacked by Russian group A Russian hacking group named Babuk posted screenshots that seek to prove that they have accessed several databases by the Washington D.C. police department.  The group left a text document on their network outlining how to pay the ransom to get locked files back and to bribe t...

2021 Week 16 Security Roundup

  Summary While I initially thought this would be a slow news week, several articles of interest came out later in the week.  Probably the biggest thing of note is the Biden administration going all in to point the finger at nation-state actors and their attacks against U.S. and allied targets.   News National assessment Normally I try and skip a lot of reports put out by the national intelligence agencies as they are normally focused on the bigger picture and not on SLTT issues.  I have decided to link to the first worldwide threat assessment report in a couple of years because 1) it has been a while since the U.S. has publicly acknowledged that we have a cyberwar going on and 2) they mention specifically the risks to utilities and governments at all levels in the United States (and its allies).   The main takeaways from the report are that even if the United States may have taken a break (which I suspect regardless of the guidance from the Executiv...