Digital Expedition: Toronto Zoo's Cyber Resilience Crisis, TPL's Uphill Battle, Turkish Hackers' Global Tactics, and 23andMe's Genetic Crime...

Toronto Zoo Crisis... Why is this happening?

The Toronto Zoo recently experienced a ransomware incident, with the attack detected on January 5. Immediate actions were taken to protect donor, member, and guest records. The zoo confirmed that credit card information is not stored, and online services, including ticket purchases, remain functional. Animal well-being and support systems are unaffected, and the zoo is collaborating with the City of Toronto's Chief Information Security Office, cyber-security experts, and the police to address the issue. The incident reflects the increasing prevalence of such attacks. Meanwhile, the Toronto Public Library (TPL) is still recovering from a ransomware attack detected in October involving the theft of sensitive information, including social insurance numbers and employee details dating back to 1998. (nowtoronto.com)

Can you imagine having to contact previous employees from 1998 to tell them?

My Thoughts: The fact that the zoo doesn't store credit card information can be looked at as positive. Nonetheless Personal Identifiable Information (PII) was compromised. I want to point out here that even if your enterprise is not a typical B2C enterprise, the personal information linked to your employees is still highly valuable and should be treated with care.  Although risk is lowered due to storing less PII, B2B’s have the same level of responsibility as a B2C business. Any time you are collecting, handling and managing PII data, be sure to understand the data flow and life-cycle relative to that data.

Your enterprise may need a privacy impact or privacy risk assessment. Want to talk about increasing your data management strategy? Book me in your calendar.

What’s behind Turkish Hackers' Strategies?

A financially motivated Turkish hacking group, known as RE#TURGENCE, is currently targeting Microsoft SQL (MSSQL) servers globally to execute ransomware attacks using the Mimic (N3ww4v3) ransomware. The attacks, spanning the European Union, the United States, and Latin America, involve compromising MSSQL database servers through brute-force attacks on insecure configurations. The hackers exploit the xp_cmdshell procedure, enabling them to deploy a heavily obfuscated Cobalt Strike payload, inject it into the Windows-native process SndVol.exe, and launch the AnyDesk remote desktop application to collect clear text credentials using Mimikatz. Subsequently, the hackers compromise the domain controller, leading to the deployment of Mimic ransomware payloads, encrypting files, and leaving a ransom note. (bleepingcomputer.com)

My Thoughts: This orchestrated attack by the Turkish hacking group reveals an alarming level of sophistication and persistence. The exploitation of insecure MSSQL servers through brute-force attacks demonstrates the importance of securing configurations and disabling potentially risky procedures like xp_cmdshell. The deployment of Cobalt Strike, in-memory reflection techniques, and the use of legitimate applications like AnyDesk showcase the adaptability and ingenuity of the threat actors.

This also shows the importance of engaging experts to attempt to hack (ethically) your enterprise perimeter and applications. This would potentially uncover any entry points or vulnerabilities in your enterprise. The breach of the domain controller is a textbook use case demonstrating the importance of a multi-layered security strategy, stressing the need for constant monitoring, early threat detection, and strong access controls.

Discover our solutions here.

With us, your cybersecurity journey is simple.

They are Posing as Security Researchers??

Ransomware victims facing business disruption now confront a new threat: follow-on extortion attempts by criminals posing as benevolent security researchers. Arctic Wolf Labs uncovered cases where victims of Royal and Akira ransomware were targeted by a third party posing as a security researcher, offering to delete stolen data or grant access to victims in exchange for a fee of approximately 5 Bitcoin. Despite using different aliases, similarities in communication indicated a common actor. The victims, US-based SMBs in finance and construction, resisted payment. The motives and connection to the ransomware gangs remain unclear, with speculation about the extortionist's access to shared resources. (theregister.com)

My Thoughts: The sophisticated tactics, including offering to delete stolen data and demanding a specific Bitcoin ransom, highlight the evolving nature of cybercriminals. The use of aliases like Ethical Side Group (ESG) and xanonymoux indicates a deliberate effort to obfuscate identity. While the targeted SMBs' resistance to payment is commendable, understanding motives and connections to ransomware gangs is crucial for effective countermeasures. The possibility of the extortionist accessing shared resources is a wake-up call. The narrative of independent threat actors seeking quick gains adds a new dimension to the evolving cyber threat landscape.

Enhance your cyber resilience journey. We have an 18-month or less cyber insurance guarantee.

Discover our comprehensive cybersecurity services and take control of your digital security now.

AssuranceIT.ca

Are we Putting the Blame on Users...?

Genetic testing company 23andMe faces a class-action lawsuit following a data breach affecting 6.9 million users. The legal defense claims the breach isn't a security breach but user negligence, specifically blaming those who reused passwords exposed elsewhere. The exposed data, including genetic information, is argued to lack legal protection under California and Illinois laws. The breach initially reported to affect 0.1% of customers, and later expanded to almost half. The lawsuit questions 23andMe's security obligations, its arbitration terms, and the responsibility for the breach. Cybersecurity experts highlight the need for robust security measures and shared responsibility. (cpomagazine.com)

My Thoughts: 23andMe's defense blaming user negligence and the debate on legal protection for exposed data highlight the trend of user accountability. This incident and in my opinion, more importantly the response, could potentially cause irreparable damage to 23andMe. We, as experts, stress shared responsibility, advocating for robust security measures, strong passwords, and multi-factor authentication.

The lawsuit underscores the need for companies to prioritize cybersecurity and protect sensitive data. The breach's racial and political motivations, combined with financial woes, amplify the company's challenges. They need improved security practices, accountability frameworks, and proactive communication strategies in the face of potential breaches.