A warning to water treatment utilities, a boot vulnerability could affect millions of PCs, and more.
Welcome to Cyber Security Today. It’s Monday, December 4th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
American water treatment utilities are increasingly being targeted by threat actors. You may recall that on Friday afternoon’s Week in Review podcast, I reported that a hacking group believed to be from Iran called CyberAv3ngers claimed credit for taking control of the internet-connected system of a municipal water authority in Pennsylvania. It is believed this group targeted the utility because of a vulnerability in a programmable logic controller it uses from an Israeli company called Unitronics. Three new things have happened since that report. First, late Friday American and Israeli cyber authorities issued an advisory that CyberAv3ngers and its affiliates are going after any organization using Unitronics devices. It says that since November 22nd several wastewater treatment plants have been compromised. How? Likely because the default passwords on the Unitronics devices weren’t changed, says the alert. The gang considers every piece of equipment made in Israel a legitimate target. It’s not clear if CyberAv3ngers did any damage in these attacks. Second, three U.S. Congressmen have asked the U.S. Justice Department to investigate.
The third piece of related news is that the Hunters International ransomware gang has listed Florida’s St. Johns River Water Management District as one of its victims.
Cyber authorities urge any critical infrastructure provider to take security precautions including making sure as few IT devices as possible are open to the internet. And to make sure default passwords that come with internet-connected equipment are changed.
IT administrators and home computer owners should be watching this week for firmware patches from device manufacturers. Scheduled for Wednesday, the BIOS updates will plug vulnerabilities discovered in computers’ Unified Extensible Firmware Interface, or UEFI. The UEFI is part of a computer’s boot-up process. The holes were discovered by researchers at Binarly. The vulnerabilities, dubbed LogoFail, allow an attacker to get around crucial Secure Boot protections. Researchers believe computers and servers from Intel, Acer, Lenovo and others running x86 or ARM processors are potentially vulnerable. Details will be revealed at this week’s Black Hat Europe conference, but you can get a preview in a Binarly blog.
About 60 American credit unions are dealing with the aftereffects of a ransomware attack on one of their IT service providers. According to the news site The Record, the provider is called Ongoing Operations, which is owned by a credit union technology firm called Trellance. The news site quotes the National Credit Union Administration saying the incident happened November 26th. Not only are some credit unions having IT trouble, so are other companies that rely on the same provider. It’s another example of the risks that an organization’s IT partners can bring unless there is built-in resilience.
It’s important organizations hit by a data breach don’t make things worse for the victims. Like accidentally publishing the names of those whose personal information was stolen. The latest example comes from MGM Resorts. You may recall it was hit by the BlackCat/AlphV ransomware gang in September. One of the victims was the wife of a Canadian-based cybersecurity researcher. On Saturday she was emailed a data theft notice by the hotel. However, while the email address was right the letter itself was addressed to another woman, presumably also a victim. So now at least one person knows that someone else’s personal information was stolen.
Are you still running a version of Microsoft Exchange email server that’s no longer supported with security updates? If so you’re foolish. And apparently, you’re not alone. According to a site called Shadowserver, almost 20,000 out-of-date Exchange Servers are open to the internet. About 6,000 of them are in the U.S. and Canada, and about 10,000 of them are in Europe. Versions no longer supported by Microsoft include Exchange Server 2013 and prior. If you’re administering an old version of any software and it gets hacked, your excuse to the CEO is …
The U.S. headquarters of office supply chain Staples said it had to temporarily take some of its IT systems offline after a cybersecurity incident. It issued few other details.
Finally, a Russian man extradited from South Korea to the U.S. will be sentenced in March after pleading guilty to his role in developing and deploying the Trickbot malware. Trickbot is used by crooks to steal money and install ransomware. In June one of the convict’s partners was sentenced to two years and eight months in prison. This is the latest move in law enforcement’s attack on the distribution of Trickbot. The Russian man was extradited in 2021. Earlier this year the U.S. named and sanctioned several suspected Trickbot gang members.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.