Cyber Security Today, August 14, 2023 — A huge insurance company hack, presentations at the Black Hat conference, and more


Welcome to Cyber Security Today. It’s Monday, August 14th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.


Over 400,000 Canadian and American customers and current and former employees of insurance broker Hub International are being notified their data was stolen eight months ago. The billion-dollar Chicago-based company, which offers a wide range of products including cyber and errors and omissions insurance, is ranked the world’s fifth-largest brokerage. It has 530 offices across North America. On January 17th Hub detected suspicious activity on its IT network. An investigation into the data breach finished last month. It found that the attacker got into the network sometime between December 2022 and January. Data stolen could have included names, Social Insurance or Social Security numbers, driver’s licence numbers, medical information and more. In a filing with Maine’s attorney general’s office the company said just over 479,000 people were affected. It isn’t clear if that number includes Canadians. In a statement on the company’s Canadian website Hub says a limited number of people here were affected.

The U.S. Cybersecurity and Infrastructure Security Agency has published an additional analysis of the malware used recently to compromise Barracuda Networks ESG email gateways. The report includes a look at the third newly-discovered backdoor that has been used by attackers on these devices. This comes after Barracuda began replacing ESG devices rather than issuing software updates following the revelation in May that a suspected pro-China group had discovered and exploited a zero-day vulnerability. Any network administrator that is still using Barracuda ESG devices bought before May is opening their organization to a lot of risk.

The Cyclops ransomware gang has a new name: It’s now calling itself Knight ransomware (with a “K”). And to kick off the new branding it launched a phishing campaign with emails carrying the subject line, ‘Tripadvisor Complaint.’ It tries to trick people who may have used Tripadvisor into clicking on a file about a complaint that might lead to their suspension of use. If you get a message like this and are worried, contact Tripadvisor directly. Don’t click on the link, which leads to the installation of ransomware.

U.S. President Joe Biden’s administration is working on an executive order giving guidance to federal departments on how to safely use artificial intelligence applications. That’s according to the news site Cyberscoop, which interviewed the director of the White House Office of Science Technology. Meanwhile in Canada, the Innovation department has quietly announced a consultation to develop a voluntary code of practice for companies using generative AI. This was discovered by Internet law professor Michael Geist. How quiet was this announcement? Well, there’s no link to details on the government’s website announcing the consultation. All of those other consultation announcements listed on the site have links to details. So while I can tell you submissions are due September 14th, I can’t yet tell you where to send them.

One of the presentations at last week’s Black Hat USA security conference showed the advantages of setting up a honeypot to lure and then record the activities of hackers. Two researchers from GoSecure said they captured 100 hours of videos over three years showing the techniques threat actors use to access and exfiltrate data. Your IT and security team may want to do the same to learn more about how cyber attacks work. There’s a link here to a blog describing how the GoSecure people did it.

In another presentation, an executive of satellite internet provider Viasat explained how Russia knocked out modems used by European customers prior to its attack last February on Ukraine. It’s been known for a while that the attackers deployed wiper malware. What wasn’t divulged until now is Viasat servers were also impaired so modems kicked off the network couldn’t reconnect.

And there was a presentation about the discovery earlier this year of a hole in Microsoft Defender. Researchers at SafeBreach discovered the vulnerability. It was patched in April. Now that Windows administrators and home users have had four months to install the security update the researchers felt they could discuss the details at Black Hat.

Washington is looking for ideas on how the federal government can improve open-source software security. Topics include how to encourage the use of memory-safe application development languages, reducing vulnerabilities at scale, strengthening the software supply chain and fostering open-source software development best practices. Comments of no longer than 10 pages should be submitted in writing by October 9th to www.regulations.gov.

Finally, the next report of the U.S. Cyber Safety Review Board will be on making cloud computing more secure. It will focus on Microsoft’s admission last month that a threat actor recently forged Exchange authentication tokens to access emails of approximately 25 organizations. The board’s report will include recommendations on how the tech sector and cloud service providers should strengthen identity management and authentication in the cloud. No date for the release of the report was announced. Last week the board released a devastating analysis of how the Lapsus$ extortion gang was so successful.

That’s it for now. Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, August 14, 2023 — A huge insurance company hack, presentations at the Black Hat conference, and more first appeared on IT World Canada.
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
