Hello and welcome back to GlobalSign's weekly cybersecurity news round-up. Here's my recap of some of the world's top cybersecurity stories.
Just this morning, it is being reported the websites of Finland's defence and foreign affairs ministries are down due to a cyber attack. A Denial of Service (DoS) attack is purportedly to blame.
Another big hack this week took place at United Kingdom retail chain, The Works. The discount retailer operates 530 stores in the UK and Ireland, and has an annual revenue of approximately $300 million. The Works was forced to shut down several stores due to a cybersecurity incident involving unauthorized access to its computer systems. According to Infosecurity, it is believed card transactions were not affected since they’re processed by a third party. What's unknown is whether employee and/or customer personal information has been exfiltrated and if the attackers are seeking a ransom.
There was also an incident this week at Spanish energy giant, Iberdrola. The attack at Iberdrola, which is the parent company of Scottish Power, led to a data breach impacting more than a million customers. The information leak included details such as customer ID numbers, home and email addresses, and phone numbers. Fortunately, financial information such as bank account details and credit card numbers appear to be safe.
Cloud computing giant VMware is urging its enterprise software customers to install a patch to resolve critical vulnerabilities, including a remote code execution (RCE) bug in Workspace ONE Access. In a security advisory published Wednesday, the company warned users about vulnerabilities in VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation and vRealize Suite Lifecycle Manager. In its warning, VMware said it is possible malicious actors may be able to "bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework."
According to The Washington Post, back in February executives from Berkshire Hathaway Energy (BHE) met with U.S. energy and homeland security officials to draw up a playbook and help prepare the electricity sector to deal with potential cyberattacks by Russia. BHE is one of the largest electricity companies in North America. If say, Russian hackers successfully infiltrated its systems, officials fear the impact would be substantial.
The U.S. state of Connecticut made quite a startling discovery when it learned that 44 data breaches at a statewide health insurance exchange went unreported for four years to the auditors of public accounts and the state comptroller. A March 2022 state audit revealed the breaches at the Connecticut Health Insurance Exchange - also known as Access Health CT - occurred between July 2017 and March 2021. It should be noted that although Access Health CT reported the 44 breaches to the U.S. Department of Health and Human Services, it failed to comply with state-level breach notification requirements.
Top Global Security News
YLE (April 8, 2022) Finnish foreign affairs and defence ministry websites hit by cyber attacks
Finnish foreign affairs and defence ministry websites hit by cyber attacks
The denial of service attacks were announced at just before 1pm on Friday.
The websites of Finland's defence and foreign affairs ministries were out of service on Friday, the ministries announced in separate tweets at just before 1pm.
The defence ministry said its website was taken down by a denial of service (DoS) attack and that it was investigating the matter.
ZDNet (April 7, 2022) VMware warns of critical remote code execution bug in Workspace ONE Access
VMware is urging customers to update their software to resolve critical vulnerabilities, including a remote code execution (RCE) bug in Workspace ONE Access.
On Wednesday, the tech giant published a security advisory warning of vulnerabilities in its enterprise software. The products impacted are VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
The first vulnerability is CVE-2022-22954, impacting VMware Workspace ONE Access and Identity Manager. CVE-2022-22954 is described as a server-side template injection RCE and has been issued a CVSS severity score of 9.8. The vulnerability could be exploited by attackers as long as they have network access. VMware has also developed patches to resolve CVE-2022-22955 and CVE-2022-22956; both issued a CVSS score of 9.8, impacting VMware Workspace ONE Access. The vulnerabilities were found in the OAuth2 ACS framework.
According to the vendor, "a malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework."
The Washington Post (April 6, 2022) U.S. government and energy firms close ranks, fearing Russian cyberattacks
In February, as Russian troops massed on Ukraine’s border, executives with a major energy firm here worked with U.S. energy and homeland security officials to draw up a playbook and help prepare the electricity sector to deal with potential cyberattacks by Russia.
Berkshire Hathaway Energy officers were among the small group that wrote the guidelines, which stressed the importance of quickly sharing cyberattack information between industry and government.
With President Biden warning last month of evolving intelligence that Russia is exploring possible cyberattacks against American critical industries, companies such as Berkshire Hathaway Energy and the U.S. government are on high alert. After years of what critics saw as lip service, cybersecurity collaboration between the federal government and some critical industries has taken root, officials and industry leaders say, and it could be put to the test as Russian government hackers probe the defenses of American power plants, banks and telecommunications networks.
Bleeping Computer (April 6, 2022) UK retail chain The Works shuts down stores after cyberattack
UK retail chain The Works announced it was forced to shut down several stores due to till issues caused by a cyber-security incident involving unauthorized access to its computer systems.
The discount retailer operates 530 stores in the United Kingdom and Ireland, selling books, toys, stationery, art, and craft materials, and has an annual revenue of about $300 million.
The announcement doesn't go into many details about the nature of the incident, but it appears to have interrupted replenishment deliveries, extended online order fulfillment times, and compromised the safety of payments.
The Works has since switched to new third-party credit and debit card payment processors to address this last problem, which the company claims are safe.
Portswigger (April 6, 2022) Authorities seize Hydra servers in bust against darknet cybercrime marketplace
Servers have been seized in Germany as part of a takedown operation against darknet marketplace Hydra Market.
German police have seized servers powering the infamous darknet marketplace Hydra and confiscated the equivalent of $25 million in bitcoin as part of a US-led crackdown on cybercrime and money laundering.
The Russian-language darknet forum offered a venue for the trade in illicit goods and services, including illegal drugs, stolen financial information, fraudulent identification documents (passports and driving licences), and money laundering and mixing services.
These latter so-called ‘cash-out’ services made the cybercrime marketplace a particularly useful resource for ransomware peddlers.
Numerous vendors also sold hacking tools and malicious hacking services through Hydra. The online marketplace made money by charging a commission on sales.
HealthIT Security (April 5, 2022) CT Health Insurance Exchange Failed to Report 44 Breaches, Audit Finds
A state audit discovered that the Connecticut Health Insurance Exchange, known as Access Health CT, failed to report 44 data breaches to the auditors of public accounts and the state comptroller between July 2017 and March 2021.
Access Health CT is Connecticut’s official health insurance marketplace aimed at reducing the number of uninsured individuals in Connecticut. The exchange also allows low-income individuals to apply for Medicaid.
Although Access Health CT reported the 44 breaches to HHS as required by the HIPAA Breach Notification Rule, it failed to comply with state-level breach notification requirements. In addition, 34 of the breaches involved a single contractor.
InfoSecurity (April 4, 2022) Scottish Power Parent Company Hit by Data Breach
Spanish energy giant Iberdrola has been hit by a cyber-attack that led to a data breach impacting over one million customers, according to local reports.
The Bilbao-headquartered parent company of UK provider Scottish Power and others said the attack occurred on March 15 this year.
It reportedly resulted in the theft of customer ID numbers, home and email addresses and phone numbers, but not financial information such as bank account details or credit card numbers.
However, that’s still enough information for scammers to craft convincing follow-on attacks to elicit more data, including bank details. Iberdrola reportedly warned customers to be on the lookout for potential phishing attempts seeking financial information and passwords.
Other Industry News