Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion.
Bank of America insider charged with money laundering for BEC scams
A U.S. District Court for the Eastern District of Virginia indictment alleges that three men infiltrated the corporate networks of small and large companies in the United States and across the globe, between January 2018 and March 2020. They accessed email servers and email accounts by phishing employee credentials, and via malware. One of the three, a Bank of America and TD Bank employee, opened bank accounts under his co-conspirators’ and victims’ names, and also falsified bank book entries. The three spent months intercepting communications and learning about billing systems, style of communication, vendors, clients, and people responsible for transactions, in order to send requests for payment that mirrored real transactions. They made off with a total of $1.1 million.
Medtronic recalls insulin pump controllers over cyberattack risks
The company describes these as severe vulnerabilities that could lead to injury or death of the patients, since an attacker could exploit the vulnerabilities to modify the quantity of insulin that the pumps provide to the patient. The urgent medical device recall applies to the MiniMed™ brand remote controller, which uses a wireless radio frequency to communicate with the insulin pump. The company pointed out that to date, it has not received reports of any injuries resulting from this issue.
Navy warship’s Facebook page hacked to stream Age of Empires game
The official Facebook page of a destroyer-class Navy warship, the USS Kidd, was taken over by someone who wanted to stream the online multiplayer strategy game Age of Empires, and did so for an entire day between October 3 and 4. Facebook is used by the US military as an official communication channel, particularly for family-readiness groups. Experts state that many official pages are managed using a shared login, and as a result, multifactor authentication (MFA) is not enabled.
Microsoft report details the changing cybercrime landscape
The company recently published its second annual Microsoft Digital Defense Report, providing insights collected across its trillions of security signals on the evolving state of ransomware, malicious email, and malware. The rise of ransomware-as-a-service operations was unsurprisingly discussed, with Microsoft finding that the consumer, financial, and manufacturing sectors were the most commonly targeted. The company also saw phishing emails steadily increase from June 2020 to June 2021, with a large spike in November. In malware, Microsoft saw web shell-based exploits increase, with an average of 140,000 web shell threats on servers from August 2020 to January 2021, and an average of 180,000 encounters per month in 2021.
You got nuclear secrets in my peanut butter!
A Navy nuclear engineer and his wife were arrested for allegedly violating the Atomic Energy Act by attempting to sell nuclear warship data to what they believed to be an agent of a foreign power, but who in reality was an FBI agent. Court filings indicate the couple mailed an unnamed foreign government on April 1, 2020 with instructions on how they should contact them using encrypted communications. An FBI attaché in the foreign country gave this to the FBI, who made contact in December 2020 using encrypted ProtonMail email. The defendant agreed to hand over documents at a dead drop in exchange for Monero cryptocurrency, with the SD card of information hidden in half a peanut butter sandwich. Eventually three data dead drops were made in total, in exchange for $70,000 in crypto.
Biden signs school cybersecurity act into law
Cybersecurity experts hailed the K-12 Cybersecurity Act this week after President Biden signed it into law on Friday. The law, which became one of the rare bills to pass in both the House and Senate, instructs CISA to examine threats facing the nation’s schools and provide cybersecurity recommendations and toolkits. Recently, schools have faced a barrage of ransomware attacks alongside other incidents that leak sensitive data from students and staff, a problem which has worsened since the adoption of remote learning during the COVID-19 pandemic. Michael Webb, CTO at Identity Automation, noted that the bill will increase security awareness and offer guidance for schools to defend against cyber threats, but added, “Most districts lack the capability of managing digital identities, which is the cornerstone of a strong cybersecurity posture today.”
Student used zero-day for school prank
On April 30th this year, Illinois teenager Minh Duong and a group of friends were able to control all networked displays inside Indian Township High School District 214, playing Rick Astley’s memtastic “Never Gonna Give You Up” during a recess period. Minh published a step-by-step guide on how he did this, which started by analyzing log files for the security cameras in the school dating back to 2017. He eventually discovered two novel privilege escalation vulnerabilities in Exterity IPTV products that allowed him to gain access. Minh contacted the company to report them, but never heard back, and said they were still present in late 2020 updates to its software. He also filed a full report on how the attack was done with the school’s IT staff.