Weekly CyberTip: Improve your knowledge of ransomware
Ransomware is one of today’s biggest cybersecurity threats to organizations big and small. But how well do you understand what it is? TechTarget has published a comprehensive guide to ransomware, defining the four primary types of ransomware (locker, crypto, double/triple extortion, and ransomware-as-a-service), how they work, and a timeline of some of the world’s highest-profile ransomware attacks and methods of responding to them.
Ontario government investigating potential vaccine portal data breach
According to a November 19 report by CityNews in Toronto, the Ontario government is investigating a potential data breach after learning that spam text messages are being sent to some people who have recently booked vaccination appointments through Ontario’s vaccine booking system.
“The government says a small number of individuals who have scheduled appointments through the system have received the scam messages, which reportedly ask for financial information,” according to the report.
Alexandra Hilkene, the Press Secretary to Ontario’s Deputy Premier and Minister of Health, warned people to be wary of potential text-based phishing attacks, and confirmed that an investigation is underway: “Ontarians should be aware these texts are financial in nature and that the government will never conduct a financial transaction through these methods. The government takes allegations of fraud very seriously and is aggressively investigating these reports, but has found no connection between the booking tool and the texts at this time. The booking site remains open and available for use.”
Philips and CISA issue multiple advisories on IoMT devices
On November 18, global technology company Philips and the Cybersecurity and Infrastructure Security Agency (CISA) issued advisories about a number of security vulnerabilities in certain of Philips’ patient monitoring and medical device interface products. Successful exploitation of the vulnerabilities could allow attackers to access patient data and launch denial of service attacks, as the software affected provides interfaces between point-of-care medical devices and other healthcare information systems.
The advisories focus on vulnerabilities in Philips’ Patient Information Center iX (PIC iX); Efficia CM Series patient monitoring software; and the IntelliBridge EC40 and EC80 systems (C.00.04 and prior versions). Philips provides specific details about these vulnerabilities – and others affecting other Philips products – on its security advisory portal. CISA has published three separate advisories regarding the vulnerabilities on its Industrial Control System (ICS) advisory portal.
Due to the low attack complexity of these vulnerabilities, healthcare organizations are strongly encouraged to assess their exposure and follow the mitigation strategies outlined in the advisories. Philips expects to have patches available for the bugs by the end of 2021.
U.S. banking organizations face new cyber attack reporting rules
On November 17, U.S. financial regulators approved a new final rule that requires banking organizations to report any “computer-security incident” that rises to the level of a “notification incident” as soon as possible, and no later than 36 hours after discovery. The final rule also requires bank service providers to notify each affected banking organization customer as soon as possible when “the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours”.
The rule provides a detailed definition of a “notification incident”. Broadly, however, it refers to a computer-security incident that negatively affects the organization’s ability to operate and provide products and services; creates a material loss of revenue; or poses a threat to the financial viability of the United States.
The final rule – approved by the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) – will take effect on April 1, 2022, with full compliance required by May 1, 2022.
Wind turbine manufacturer suffers cyber attack
In a statement on November 20, Danish wind turbine manufacturer Vestas Wind Systems A/S advised that it has shut down its IT operations across multiple business units and locations in response to an emerging cybersecurity incident.
A suspected ransomware attack occurred on November 19, and the resulting shutdown is expected to affect “customers, employees and other stakeholders,” according to the press release. Fortunately, however, the attack does not affect the operation or support of wind turbines already in service.
NCSC releases annual cybersecurity report
On November 17, the U.K.’s National Cyber Security Centre (NCSC) released “Annual Review 2021”, a report summarizing “key developments and highlights” from cyber trends and key threats seen by the organization from September 2020 to August 2021. The NCSC, now in its fifth year of operation, pointed to three key threats faced by the U.K. in the reporting year:
+ cyber criminals exploiting the COVID-19 pandemic as an opportunity (e.g., by targeting vaccine and medical research organizations, and using focused malware attacks)
+ an increasing number of attacks targeting supply chains, creating heightened third-party risks
+ the continuing rise of ransomware threats, including more “ransomware-as-a-service” offerings from criminal enterprises
The report also outlines the NCSC’s Active Cyber Defense (ACD) program, which rests on three basic tenets:
+ prevent ransomware from getting in
+ prevent ransomware from working
+ enable investigation and incident response
The report sets the stage for the U.K. Government’s new five-year National Cyber Strategy, which is set to be released later this year. The new strategy is expected to take a holistic view of cybersecurity in society, outlining how the public and private sectors can work together with the general public to build cyber defenses and resilience. The current 2016-2021 national cyber strategy document saw its last progress report in 2020.