A website used by Toyota suppliers is hacked, a ransomware gang partner pleads guilty and more.
Welcome to Cyber Security Today. It’s Wednesday, February 8th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Threat actors are expected to focus this year on compromising supply chains, bypassing multifactor authentication (MFA) and taking advantage of misconfigured APIs. That’s the prediction of analysts at the NCC Group in their annual Threat Monitor Report. Ransomware attacks were down slightly in 2022, the report says. But it also warns that ransomware gangs are effective at finding new ways to squeeze victims.
Speaking of ransomware and supply chains, last week I told you about a ransomware attack on a British-based company, ION Group, that makes applications for banks and financial trading firms. The latest news is a claim by the LockBit ransomware gang that a “very rich unknown philanthropist” paid the ransom demand. Evidence of that, perhaps, is that ION Group’s name has been removed from the gang’s data leak site, says CPO Magazine. The unit of ION Group that was hit supplies solutions for the financial derivatives market. According to the news story, derivative trading has suffered long delays in processing transactions since the attack.
More on supply chain attacks: Supply chains are companies that link to your company’s IT systems. Hack one and access is gained to many other companies. It’s not necessarily hard. This week a security researcher for a company called Eaton Works revealed they were able to hack into the web portal used by Toyota’s parts suppliers. They did it after discovering four critical vulnerabilities. One was a backdoor login mechanism that allowed anyone to log in as a corporate Toyota employee or supplier by just knowing their email address. After finding a system administrator’s email address the researcher was able to log in and take over full control of the entire system. That included access to Toyota projects and accounts of the car maker’s suppliers, such as tire-makers Michelin and Continental, systems supplier Magna and other big-name firms. This is another reason why cybersecurity is every company’s responsibility — and why web designers have to take security more seriously. The researcher found the holes in October and notified Toyota, which quickly plugged them. News was released only this week.
Attention application and web developers: The OpenSSL Project has released a major security update. It closes eight security flaws threat actors can take advantage of. Developers using OpenSSL for secure communications in their applications or websites need to install the update fast.
A Russian man is facing sentencing in the United States after pleading guilty to laundering cryptocurrency received from victim companies hit by the Ryuk ransomware gang. The man was extradited to the U.S. last year after being arrested in Amsterdam in 2021. According to the U.S. Justice Department, the man was one of several who laundered ransom funds through multiple financial transactions. He faces prison time of up to 20 years.
Here are a few consumer-related cybersecurity news items:
It’s time to start preparing your income tax in Canada and the U.S. Crooks are preparing, too. Researchers at Sophos this week tweeted about seeing email messages to individuals pretending to be from the Canada Revenue Agency. The messages claim you are owed a refund. To collect you have to create a CRA account. Smart people who hover their mouse over the link for signing into or creating an account will see it doesn’t go to a Government of Canada site. This is a warning that governments don’t send messages like this. Another tip: The sender’s full email address obviously doesn’t come from the government. For more about protecting yourself against CRA fraud see this article.
Crooks are also sending fake package delivery notices to Canadians. This takes advantage of the fact that many people are expecting packages after making online purchases. City-TV News reports a Toronto-area woman recently received a text supposedly from Canada Post saying it couldn’t deliver a package to her. It needed a debit card payment of $1.25 to reschedule the delivery, plus her date of birth. No legitimate delivery service will demand a delivery fee or your date of birth.
With the Super Bowl coming this Sunday there’s another reminder that crooks will try to take advantage of the event. Researchers at Synopsys looked at 10 popular Android sports and betting apps and found a number have vulnerabilities, including outdated open-source components. These apps aren’t necessarily suspicious. Their developers may be lazy. But these apps are risky. Before you put money down, be sure what you’re betting on.
Valentine’s Day, which is next Tuesday, is another event crooks try to take advantage of through dating apps. The FBI this week warned people that criminals use personal information for fraud and romance scams. The goal is either to steal personal information that can be used for credit card or bank theft, or to get victims to send them money. Beware of people you meet online who promise to meet you in person but give excuses why they can’t. Beware of people you meet online who then ask for money. Take things slow with people you meet online and ask a lot of questions.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.