Information Security News 9-18-2023

Iranian Cyberspies Target Thousands of Organizations with Password Spray Attacks

Article Link: https://www.csoonline.com/article/652668/iranian-cyberspies-target-thousands-of-organizations-with-password-spray-attacks.html

• According to Microsoft, an Iranian threat actor, known as Peach Sandstorm, was identified to be targeting organizations in the satellite, defense, and pharmaceutical industries.
• In addition to other initial attack vectors, the bad actors leverage brute force password spray attacks on organizations deemed as opportunistic targets. Microsoft identified that the hackers abuse RDP, perform DLL hijacking, and set up new Azure subscriptions on victims’ tenants during their attacks.
• Microsoft recommends taking steps like securing Microsoft Entra ID with conditional access policies and deploying MFA as two of many ways to limit Peach Sandstorm’s password spray campaign.
• Link to Microsoft’s Report: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/

Requests via Facebook Messenger Lead to Hijacked Business Accounts

Article Link: https://www.helpnetsecurity.com/2023/09/12/hijacked-facebook-business-accounts/

• According to researchers at Guardio Labs, bad actors are sending phishing scams to Facebook business accounts in an attempt to highjack the social media pages of various organizations, such as those in e-commerce and banking.
• The phishers send Facebook Messenger messages inquiring about a product or accusing the page of Facebook community violations following by malicious files of the false concerns in question.
• Guardio Labs estimates that 1 out of 250 account owners have downloaded the malicious files and 1 out of 70 were infected with malware thereafter.

How Attackers Get In: Unpatched Vulnerabilities and Compromised Credentials

Article Link: https://www.csoonline.com/article/652622/how-attackers-get-in-unpatched-vulnerabilities-and-compromised-credentials.html

• This article highlights data from Sophos, who reviewed 150 incident response cases from 2022, which noted that unpatched vulnerabilities and compromised credentials account for the root cause of 37% and 30% of incidents respectively.
• In other words, hackers are abusing unpatched environments and weak credentials to launch attacks.
• The article highlighted that top-down patching support, MFA usage, and legacy system awareness are all beneficial to mitigating unpatched vulnerabilities and compromised credentials as attack vectors.
• Link to Sophos’ Report: https://news.sophos.com/en-us/2023/04/25/2023-active-adversary-report-for-business-leaders/

NSA, U.S. Federal Agencies Advise on Deepfake Threats

Article Link: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3523329/nsa-us-federal-agencies-advise-on-deepfake-threats/

• The NSA, FBI, and CISA released a joint cybersecurity information sheet (CSI) on the threat of deepfakes to organizations, especially those within the Defense Industrial Base (DIB).
• As the report notes, “deepfake” refers to multimedia that has been synthetically created or manipulated using machine learning or artificial intelligence.
• The report highlights that advances in computer technology enhance the ability of bad actors to use deepfakes to impersonate organization leadership and brands in a negative, and possibly compromising or financially devasting, manner.
• The government recommends developing a strategy to respond to potential deepfake threats, making processes for reviewing possible deepfakes, and training personnel on how to spot deepfakes.

Why Executives Should Never be Exempted from Cybersecurity Policy

Article Link: https://www.csoonline.com/article/651579/why-executives-should-never-be-exempted-from-cybersecurity-policy.html

• This article looks at the dangers of allowing exceptions in policy for organizational executives. The article notes that often exceptions highlight that leadership doesn’t want to lead by example in developing a security culture and exceptions often suggest that leadership doesn’t fully support the organization’s security program.
• Additionally, policy exceptions for executives show a lack of understanding or care for the risk around executive roles and the access many organizational leaders possess. The bottom line is that executives need to understand that it is easy for them to be targeted by bad actors. If they were compromised, the cost of a breach would likely be significant.
• The article encourages treating executives and their system access similar to that of other privileged users, such as system administrators, due to the sensitivity of the information leadership has access to. Likewise, tighter access limitations, such as executives receiving generated reports instead of having unnecessary read or write access to individual systems, may further limit the impact of an incident due to an executive being compromised.

How to Transform Security Awareness Into Security Culture

Article Link: https://www.darkreading.com/vulnerabilities-threats/how-to-transform-security-awareness-into-security-culture

• This article looks at how organizations can go beyond security awareness training to develop an organizational security culture.
• Essentially a security culture is developed by investing time and resources into employees to make them care. The article notes that this is similar to how tools, like firewalls and patch solutions, are heavily invested in when problems arise to better address threats.
• The bottom line is that employees should recognize the shared responsibility they have in keeping the organization secure. Explaining the “why,” Gamifying training, and rewarding good behavior are potential strategies for helping make employees care about security.

Delaware’s New Personal Data Privacy Act

Article Link: https://www.jdsupra.com/legalnews/delaware-s-new-personal-data-privacy-act-8004497/

• On September 11^th, Delaware became the 13^th state to enact a consumer data privacy law, dubbed the Delaware Personal Data Privacy Act (DPDPA). The Act comes into effect on January 1, 2025.
• The DPDPA is written similarly to the other twelve data privacy laws already on the books. Similarities include exceptions already regulated under FERPA, GLBA, HIPAA, and various other regulations. Likewise, the DPDPA requires organizations to maintain reasonable administrative, technical, and physical data security practices, in line with other state data privacy laws.
• The DPDPA applies to persons who conduct business in Delaware or produce products or services targeted for Delaware residents and who, during the preceding calendar year, either: (1) controlled or processed the personal data of at least 35,000 Delaware residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or (2) controlled or processed the personal data at least 10,000 Delaware residents and derived more than 20 percent of their gross revenue from the sale of personal data.
• Link to the DPDPA: https://legis.delaware.gov/BillDetail?LegislationId=140388

California Passes First-in-the-Nation Data Broker Deletion Bill

Article Link: https://cyberscoop.com/california-data-broker-deletion/

• A California bill, called the Delete Act, has passed through both chambers of the California legislature and currently awaits the final sign-off of the Governor of California.
• The Delete Act has two components to it. The first part is the development of a data broker registration system and consequences for entities that don’t register, something that already exists in Vermont, Texas, and Oregon. The second part is the creation of a process for California consumers to opt-out of the collection of personal information by data brokers and the deletion of any data already collected, which would be a first in the United States.
• The Act would allow for the deletion of data previously defined by the State of California as personal information, such as geolocation data. However, expectations and limitations would exist for certain public records and entities covered by compliance requirements like HIPAA.
• Link to the Bill: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB362
• Link to California’s Definition of Personal Information: https://oag.ca.gov/privacy/ccpa

Feds Hit Penn State with False Claims Lawsuit Over Cyber Compliance

Article Link: https://www.scmagazine.com/editorial/news/feds-hit-penn-state-university-with-false-claims-lawsuit-over-cyber-compliance

• The U.S. government and Matthew Decker, the former interim CIO and CIO of Penn State’s (PSU) research laboratory, are bringing legal action against Penn State under the False Claims Act regarding incorrect claims of NIST 800-171 compliance.
• The suit claims that Decker’s successor as the CIO falsely claimed NIST 800-171 compliance on behalf of PSU.
• A review by Penn State itself highlights that officials at Penn State identified that they never reached actual compliance and had falsely claimed compliance since at least January 1^st, 2018.