Flair Data Systems Cybersecurity News Update 3-06-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 3/06/2024...

As yesterday was Super Tuesday, it appears that the primaries went off without any type of cyber incident. There seems to be a lot to report back this week on other areas, other than that Apple released a new update for both the iPhone and iPad operating systems this week, and there were security updates included.


With that, let’s jump into this week’s cyber security news update.


Biden signs order limiting the sale of personal data 


This specific EO (Executive Order) restricts the access that "countries of concern" have to sensitive data

  • The EO affects data brokerages, third-party vendor agreements, employment agreements, investment agreements, and others
  • "Sensitive data" is defined broadly and includes personal identifiers, geolocation and related sensor data, biometric identifiers, human 'omic data, personal health data, personal financial data, or any combination of these
  • 'omic data refers to data generated from humans that characterizes or quantifies human biological molecules or metabolic data - all of our fancy fitness wearables
  • One thing to note is that this EO appears to be a 2-phase approach for implementation - "highly sensitive data transactions" will be outright prohibited and other categories will be "restricted" but could proceed on the condition that they comply with certain predefined
  • Reading through the fact sheet, there appears to be some wiggle room built in so as not to prohibit businesses from operating, but the goal is to restrict the data from getting into the hands of "concerned countries"

Link (1): https://www.whitehouse.gov/briefing-room/statements-releases/2024/02/28/fact-sheet-president-biden-issues-sweeping-executive-order-to-protect-americans-sensitive-personal-data/

Link (2): https://www.whitecase.com/insight-alert/new-executive-order-seeks-protect-americans-sensitive-personal-data


GlobalBlock Service To Prevent Trademark abuse 


Registrars now have the ability (for a cost $$$$) to block threat actors (or competitors or jokesters) from registering domain names that look like brand names

  • GlobalBlock, which is being used by GoDaddy, 101domain, and MarkMonitor, allows businesses to pay a subscription fee to reserve a part of the domain space to protect trademarks
  • Traditionally, when someone spun up a "homoglyph" (or similar) domain and it was used for malicious purposes, the organization being mimicked would need to contact the registrar, provide evidence of malicious activity, and, after the domain had been offline for a period of time, purchase the domain to prevent the attack from occurring again.
  • For others, businesses would issue "Cease and desist" letters to the registration owners 
  • The basic plans look to be limited to other TLDs (top-level domains) like .com, .us, .mil, etc., but not the character-changed versions ($5,999 yearly fee)
  • The "plus" plans take it a step further and look to block up to tens of thousands of domain names from being registered ($8,999 yearly fee)
  • Lastly, there is an "AutoCatch" feature that can be used to grab up a domain that falls into the above once the registration expires 

Link (1): https://www.bleepingcomputer.com/news/technology/registrars-can-now-block-all-domains-that-resemble-brand-names/ 

 

Pharma giant Cencora announces data breach 

 

Cencora, a global pharma company, reported on Feb 27th in its 8-K SEC filing that it had discovered that intruders had stolen data from its network

  • The event was first discovered on Feb 21st but the nature has not been disclosed 
  • Cencora was formerly known as AmerisourceBergen, a Pennsylvania-based corporation

Link (1): https://therecord.media/cencora-pharmaceutical-giant-reports-cyber-incident 

 

GenAI drives surge in BEC attacks 

 

Note, the link below is gated - to get the report you will have to provide your information

  • Between 2022 and 2023, BEC attacks went from 1% to 18.6% of all attacks
  • I have personally seen a higher number of BEC attacks occurring, where what appears to be a vendor sends updated ACH/banking information to an organization with very specially crafted emails and attachments
  • In most of the attacks, it was thought that the network of the vendor in question had been compromised; however, it was found that the organizations receiving the emails were actually the ones compromised - mostly due to proxyMFA attacks or no MFA enabled

Link (1): https://perception-point.io/resources/report/2024-annual-report/ 

 

Popular video doorbell easily hijacked

 

It appears that Chinese manufacturers are taking the specs for IoT doorbells and rebranding them under different names, but using the same packaging and specifications to build them

  • The problem is that they 1) do not meet the US requirement of a visible ID on the device and 2) have low (if any) standards around security
  • These types of devices are not limited to doorbells, and they are also showing up at different types of retail stores - Amazon, Walmart, Sears, and others
  • They are also being controlled through the same mobile app, called Aiwit (owned by Eken)
  • Someone might ask, what's the risk? The risk is that a 3rd party is able to see when someone comes and goes from their home, and that your home IP address and WiFi network name are exposed to the internet without encryption

Link (1): https://www.consumerreports.org/home-garden/home-security-cameras/video-doorbells-sold-by-major-retailers-have-security-flaws-a2579288796/ 

 

ALPHV infrastructure goes dark after $22 million payout  

 
Based on Bitcoin Blockchain transactions, AlphV received a $22 million transaction (350 bitcoins in a single transaction) 

  • Two days later, an affiliate of AlphV posted on their forums that AlphV had cheated them out of their share of the Change Healthcare ransom 
  • Change Healthcare has declined to comment on the payment (not really surprised with this) 
  • The AlphV site has gone dark and offline, even though as of Tuesday the site pointed to a law enforcement seizure - some experts state that this notice is from last year's takedown
  • This is not the first time this group of threat actors has gone dark and eventually come back under a new name... BlackCat, BlackMatter, and Darkside

Link (1): https://www.wired.com/story/alphv-change-healthcare-ransomware-payment/ 


Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!



About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers that span different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been able to be a part of multiple groups within the IT field spanning Telecom, Network, Wireless, and Infrastructure, eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program.

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children.


About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S.  We provide trusted cyber security services in Plano, TX.
