CTV reports cyber attack on Simon Fraser University
Burnaby, B.C.’s Simon Fraser University (SFU) has reportedly suffered another cyber attack and potential privacy breach. As many as 200,000 students could be involved, according to a report from CTV in B.C. The school advised that personal financial information was not disclosed in the breach, but also indicated that different types of data were involved depending on each student’s enrolment situation. SFU published a list of the data affected, and posted a page where students can log in and access a report detailing whether their data had been disclosed.
IDSA releases study on lax IT operations policies
The Identity Defined Security Alliance (IDSA) has released a study on operational issues in the handling of identity and access management. A key finding in the report was the reported delay in provisioning and removing user access to systems. The report, entitled “Identity and Access Management: The Stakeholder Perspective,” summarizes a recent online survey of company personnel with direct involvement in staff on- and off-boarding, including HR personnel, management staff, and IT professionals.
The IDSA, a security research-oriented non-profit organization, reported that at 72% of the companies surveyed, a typical worker takes one week or longer to obtain access to required systems. More concerning is the length of time taken to revoke privileges: 50% of organizations surveyed took three days or longer to revoke system access for a departing worker. Many companies indirectly blamed the COVID-19 pandemic for some of the problems, with 83% of organizations surveyed indicating that the work-from-home environment made access management more difficult.
The report is a reminder of the importance of clear and timely operational procedures. Delays in restricting or removing departing employee, contractor, or vendor access can have significant operational implications and create serious IT audit problems.
The IDSA provides vendor-neutral resources to help organizations reduce the risk of a breach by combining identity and security strategies.
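One practical way to act on the report’s revocation finding is to reconcile HR leaver dates against the IAM directory and flag any account that was not disabled within three days of departure. The following is an added example, not code from the IDSA report or any vendor; the record layouts and sample users are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not data from the IDSA report): HR leaver dates and
# the current state of each person's IAM account, all as ISO-8601 UTC timestamps.
HR_LEAVERS = [
    {"user": "alice", "left": "2021-02-01T17:00:00"},
    {"user": "bob",   "left": "2021-02-03T17:00:00"},
    {"user": "carol", "left": "2021-02-05T17:00:00"},
    {"user": "dave",  "left": "2021-02-08T17:00:00"},
]
IAM_ACCOUNTS = {
    "alice": {"enabled": False, "disabled_at": "2021-02-02T09:00:00"},
    "bob":   {"enabled": False, "disabled_at": "2021-02-08T09:00:00"},
    "carol": {"enabled": True,  "disabled_at": None},
    # dave has no IAM record at all: a reconciliation gap worth surfacing.
}

# The report's three-day figure, used here as the revocation deadline.
REVOCATION_SLA = timedelta(days=3)

def revocation_lag(leavers, accounts, now, sla=REVOCATION_SLA):
    """Compare each leaver's departure time with when their account was disabled.

    Returns {user: (status, hours)} where status is one of:
      "ok"            disabled within the SLA
      "late"          disabled, but only after the SLA had elapsed
      "still_active"  account still enabled; hours = exposure so far
      "no_account"    leaver missing from the IAM export; hours = None
    """
    now = datetime.fromisoformat(now)
    results = {}
    for rec in leavers:
        user, left = rec["user"], datetime.fromisoformat(rec["left"])
        acct = accounts.get(user)
        if acct is None:
            results[user] = ("no_account", None)
        elif acct["enabled"] or acct["disabled_at"] is None:
            results[user] = ("still_active", (now - left).total_seconds() / 3600)
        else:
            lag = datetime.fromisoformat(acct["disabled_at"]) - left
            results[user] = ("ok" if lag <= sla else "late", lag.total_seconds() / 3600)
    return results

def needs_action(results):
    """Users an off-boarding reviewer should chase, longest exposure first."""
    flagged = [(u, s, h) for u, (s, h) in results.items() if s != "ok"]
    return sorted(flagged, key=lambda t: (t[2] is None, -(t[2] or 0)))

if __name__ == "__main__":
    for user, status, hours in needs_action(
            revocation_lag(HR_LEAVERS, IAM_ACCOUNTS, "2021-02-11T09:00:00")):
        print(f"{user:6} {status:13} {hours}")
```

Running the same check on a schedule, with the real HR and IAM exports as input, gives an audit-ready record of revocation lag rather than a once-a-year survey figure.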
Car rental and car manufacturers hit by separate suspected ransomware attacks
Canada’s Discount Car and Truck Rental has been hit with a DarkSide ransomware attack, with the hackers claiming that up to 120Gb of data was exfiltrated. Reports of the attack began to surface in mid-February when the hackers posted screenshots purportedly containing financial data folders from Discount’s servers.
In an email statement, the rental company advised that they had been “subject to a ransomware attack that impacted the Discount headquarters office. A fully-dedicated team isolated and contained the attack quickly. The team is working to investigate and restore service as quickly and safely as possible.” However, over a week later, visitors to www.discountcar.com are still being redirected to a single landing page at partners.rentalcar.com/discountcarrental, advising that the Discount site continues to experience “technical difficulties”.
Meanwhile, Kia Motors of Irvine, California (a subsidiary of South Korea’s Kia Corporation) suffered widespread systems outages across the U.S. The outages started as early as February 12, with disruptions to their mobile apps, phone services, payment systems, owners’ portal, and internal dealership sites. While Kia denies that ransomware is involved, there is wide speculation that the problems are the result of an attack by the DoppelPaymer hacker organization, which is thought to be seeking a ransom of US$20M to release the systems and return stolen data. Similar outages befell South Korean automaker Hyundai at about the same time; they too have confirmed that unspecified IT problems are gradually being resolved, but also said there was no indication that ransomware was involved.
Microsoft replaces two buggy Windows 10 patches
After receiving multiple reports of February 2021 “Patch Tuesday” updates hanging, Microsoft has replaced two of its patches. KB5001078 (replacing KB4576750) fixes bugs in the servicing stack in Windows 10 Version 1607 and Windows Server 2016. KB5001079 (replacing KB4565911) also fixes bugs in the servicing stack, but affects only Windows 10.
Review your patch status and be sure to deploy the new set of patches in order to avoid OS patch problems.
U.S. Indicts North Korean Hackers
On February 17, the U.S. Justice Department unsealed indictments against three individuals accused of working with North Korean interests in conducting hacking exercises and high-value thefts over the past decade.
The trio is accused of helping to orchestrate the 2014 hack of Sony Pictures, the global WannaCry ransomware contagion of 2017, the documented theft of roughly US$200 million, and the attempted or suspected theft of an additional US$1.2 billion from banks and other targets around the world.
The indictment outlines links between the conspirators and the North Korean government, even connecting them to activities in China and Russia. It describes how the group’s intrusions often started with spear-phishing messages designed to encourage the targets to download and execute malware developed by the hackers. In other cases, the spear-phishing messages enticed the victims into downloading or investing in cryptocurrency software that contained malware, or that contained backdoors allowing the software to be compromised after the fact. Also on February 17, the Cybersecurity and Infrastructure Security Agency (CISA) issued Alert AA21-048A describing the details of the North Korean cryptocurrency malware scheme.
“The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering,” according to Acting U.S. Attorney Tracy L. Wilkison for the Central District of California. “The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”
Coincidentally, access to the https://www.statesattorney.org/ website that features Ms Wilkison’s bio and legal credentials has been blocked by a Cloudflare security service in order to protect itself from attack. The site remained inaccessible as late as February 22.