Welcome back to GlobalSign’s weekly news round-up.
It’s been another active week in cybersecurity land.
The week began with the news that Nvidia agreed to acquire Arm from Softbank for $40 billion. If completed, the purchase will be the largest semiconductor deal of all time by dollar value. This is an important acquisition since Arm-designed chips are at the core of most smartphones and in countless other devices. File this under: Why did I sell my Nvidia stock a few years ago???? (Insert very sad face.)
In addition, it was revealed that around 2000 e-commerce stores running the popular Magento software were attacked last weekend. It may be the largest recorded campaign of its kind. Sansec’s Threat Research Team warned that the 1904 Magecart attacks it detected targeted e-stores running the now out-of-date Magento version 1. A total of 10 stores were infected on Friday, followed by 1058 on Saturday, 603 on Sunday and 233 on Monday. The security firm estimates that tens of thousands of customers unwittingly had their payment details stolen by the attackers.
We also learned early in the week that office superstore Staples reported that some customers had been impacted by a data breach. According to Bleeping Computer, the event occurred earlier this month, and Staples alerted affected customers individually via email.
Also this week, The Smithsonian confirmed it was a victim of a ransomware attack back in May. Unfortunately, donor information was stolen. Blackbaud, a third-party vendor that provides fundraising and donor engagement software for the Smithsonian's ventures, notified the museum of the attack in July. It also appears that The Smithsonian was not the only organization impacted by the breach.
In a truly disturbing turn of events, Dusseldorf University hospital in Germany was hit by a ransomware attack which forced it to recommend that patients seek alternative care. Unfortunately, one patient forced to go to a more distant hospital passed away. It seems the attackers did not realize they had attacked a hospital, and when contacted by police, they offered a decryption key. But it was too late for the patient.
In other less upsetting news, the U.S. House of Representatives passed the ‘IoT Cybersecurity Improvement Act’, setting minimum security standards for IoT devices connected to federal networks. The bi-partisan bill would require the National Institute of Standards and Technology to set best practices for device security. The Office of Management and Budget would then create guidance for agencies to meet or exceed those standards. The bill would also require the Department of Homeland Security to publish guidance on coordinated vulnerability disclosures for contractors and vendors.
That wraps up another week. For a deeper look at all the week’s stories, check out all the articles included in our round-up. Have a great weekend!
Top Global Security News
Bleeping Computer (September 17, 2020) Ransomware attack at German hospital leads to death of patient
"A person in a life-threatening condition passed away after being forced to go to a more distant hospital due to a ransomware attack.
On September 10th, the Duesseldorf University hospital in Germany suffered a ransomware attack after threat actors exploited a software vulnerability in "a commercial add-on software that is common in the market and used worldwide."
With their IT systems disrupted, the hospital announced that planned and outpatient treatments and emergency care could not occur at the hospital."
WUSA (September 15, 2020) Smithsonian ransomware attack steals information of museum donors
"The Smithsonian confirmed that its technology system was hacked by a ransomware attack in May 2020, and information of donors to the museum institution was stolen.
Blackbaud, a third-party vendor that provides fundraising and donor engagement software for the Smithsonian's ventures, notified the museum institution of the attack in July. The Smithsonian was not the only organization impacted, with others seeing the same breach that it had, according to Smithsonian officials."
Federal News Network (September 15, 2020) House passes bipartisan IoT security bill to fix ‘glaring gap’ in cyber infrastructure
"A bipartisan bill setting minimum security standards for Internet of Things devices connected to federal networks passed the House Monday. The bill now awaits a Senate floor vote before heading to the president’s desk.
The IoT Cybersecurity Improvement Act would require the National Institute of Standards and Technology to set best practices for device security. The Office of Management and Budget would then create guidance for agencies to meet or exceed those standards.
The bill would also require the Department of Homeland Security to publish guidance on coordinated vulnerability disclosures for contractors and vendors."
Infosecurity (September 15, 2020) Largest Ever Magecart Campaign Hits 2000 E-Stores
"Around 2000 e-commerce stores running the popular Magento software were attacked over the weekend, in the largest recorded campaign of its kind, according to researchers.
Sansec’s Threat Research Team warned that the 1904 Magecart attacks it detected targeted e-stores running the now out-of-date Magento version 1. A total of 10 stores were infected on Friday, followed by 1058 on Saturday, 603 on Sunday and 233 on Monday, it said.
The security firm estimates that tens of thousands of customers unwittingly had their payment details stolen over the weekend in the attacks."
Bleeping Computer (September 14, 2020) Staples discloses data breach exposing customer info
"Giant office retail company Staples informed some of its customers that data related to their orders has been accessed without authorization.
Few details are available at the moment. The company has not disclosed the incident publicly and alerted affected customers individually over email.
BleepingComputer learned that the event occurred earlier this month around September 2 and consisted of unauthorized access to a system belonging to Staples."
Computing UK (September 14, 2020) Nvidia to buy Arm for $40 billion
"American graphics hardware giant Nvidia announced on Sunday that it has entered a definitive agreement with SoftBank Group Corp. (SBG) to acquire British chip and IP design company Arm in a $40 billion transaction.
As part of the deal, Nvidia will pay SBG $12 billion in cash and $21.5 billion in Nvidia common stock. Moreover, SBG may also receive up to $5 billion in cash or common stock under an earn-out construct, provided Arm achieves some specific financial performance targets.
Nvidia will also pay $1.5 billion in equity to Arm employees."
Other Industry News
This security awareness training email is actually a phishing scam
What UK CISOs need to know about the California Consumer Privacy Act
National Guard Cybersecurity Units Ready to Protect Election
FERC, NERC Staff Outline Cyber Incident Response, Recovery Best Practices
As Ransomware Attacks Increase, The SEC Takes Notice
European babycare retailer Windeln.de flags data exposure incident
Ransomware: Huge rise in attacks this year as cyber criminals hunt bigger pay days
Surge in DDoS attacks targeting education and academic sector