Welcome to The Cybersecurity 202! We'll be off tomorrow and Friday for Thanksgiving and then back in your inboxes Monday. Here's Langston Hughes's “Thanksgiving Time.”
Holidays are often a busy and lucrative time for criminal hackers who target companies they suspect will be more vulnerable because they’re operating with bare-bones staff.
Hackers also pepper consumers with digital scams focused on the holidays. Examples include emails and text messages that appear to be from online shops but actually contain malicious software that will infect their phone or computer and steal data.
This year could be especially dangerous.
- The number of holiday-themed phishing text messages this year is nearly double what it was last year, according to a report by the cybersecurity firm Proofpoint. Many of the insidious texts try to con recipients into sharing credit card information to resolve problems delivering a nonexistent package, the company warns.
- The United Kingdom’s National Cyber Security Centre warned more than 4,000 legitimate small businesses that their websites had been compromised by hackers who were stealing customers’ payment information. It implored the companies to install a software update to block the hackers’ access before the crush of online shopping on Black Friday.
Government agencies are also warning companies and consumers to be on guard against holiday attacks.
“Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways — big and small — to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure,” the FBI and the Cybersecurity and Infrastructure Security Agency said in a joint alert.
They urged companies to prepare for the holiday by:
- Identifying IT and cybersecurity workers who can respond rapidly over the holiday if there is a cyber threat
- Giving staffers extra warnings about being wary of phishing emails and other cyber scams over the holidays
- Reviewing plans for responding to cyber incidents
- Making sure software patches are up to date and every computer system requires users to use multiple methods to authenticate that they are who they say they are
Holidays have proved especially damaging this year for companies hit with ransomware attacks.
- The Colonial Pipeline ransomware attack struck just before Mother’s Day weekend.
- Meat processor JBS was hit with ransomware over Memorial Day weekend.
- The Kaseya ransomware attack, which spread to the software company’s clients and ultimately compromised about 1,500 other businesses, hit during the Fourth of July weekend.
“We know that threat actors don’t take holidays,” CISA Director Jen Easterly said. “We will continue to provide timely and actionable information to help our industry and government partners stay secure and resilient during the holiday season.”
More from Easterly:
🍽️🍗 Cybercriminals look for an easy meal during the holidays – Keep your guard up! @CISAgov & @FBI encourage you to protect yourself against cyberattacks this holiday season so that you can spend more time doing what you enjoy: https://t.co/JzHGkpgWha pic.twitter.com/YgWTJTN4pk
— Jen Easterly (@CISAJen) November 22, 2021
And the FBI:
#Cybercriminals don't take the holidays off. The #FBI and @CISAgov created a list of precautions that public and private sector organizations can take this holiday season to mitigate the risks posed by cyber threats like #ransomware. Visit https://t.co/qI1D9RwY3q to see the list. pic.twitter.com/PLjBEC4qsA
— FBI (@FBI) November 22, 2021
Lesley Carhart, an executive at the cybersecurity firm Dragos:
Happy short week, everyone in the US! Admins, apply your patches early enough to deal with it if they fail. SOCs, turn the paranoia to 11 in advance. IR teams, may the odds be ever in our favors 🤷🏻♀️🍸💜
— Lesley Carhart (@hacks4pancakes) November 22, 2021
Schools have also been hit with cyberattacks during holidays. From the K-12 Cybersecurity Resource Center:
PSA: Cyber criminals do NOT take Thanksgiving off and in recent years there have been MAJOR K12 incidents that took root over the holiday. Some quick advice for K12 IT staff to pass on to users before you take your vacation... /1
— The K-12 Cybersecurity Resource Center (@K12CyberMap) November 19, 2021
CISA is taking a novel approach to urging consumers to be wary of cyberthreats during the holiday season. It’s releasing a carol called the “Twelve Days of Shopping” full of cybersecurity tips one verse at a time on its Twitter, Facebook and Instagram accounts.
Check out the first verse below:
We’re here to remind you: few things are free! If something seems too good to be true... it probably is. Don’t get caught phishing for deals. Shop safely this holiday season: https://t.co/MUDwwUjtON #PhightThePhish pic.twitter.com/XoY0Q4ybUP
— Cybersecurity and Infrastructure Security Agency (@CISAgov) November 23, 2021
The keys
Apple sued NSO Group, accusing the spyware firm’s execs of being “amoral 21st century mercenaries”
The tech giant wants a federal court to bar NSO from using Apple software, services and devices, Craig Timberg, Reed Albergotti and Drew Harwell report. WhatsApp filed a similar lawsuit in 2019, which is working its way through the courts.
“The lawsuit accuses NSO of enabling customers to target U.S. citizens, despite the company’s pledge that its spyware ‘cannot be used to conduct cybersurveillance within the United States,’ ” my colleagues write. Apple is suing the company under the Computer Fraud and Abuse Act, which bars people from “intentionally accessing a computer without authorization.” Apple argues that it was victimized because NSO used “Apple services and servers to perpetrate attacks on Apple’s users and data stored on users’ devices.”
But it's not clear if the court will buy such a claim when Apple isn't the direct victim of the attacks.
The spyware company has come under increased scrutiny in recent months after an investigation by The Washington Post and 16 media partners found that its Pegasus spyware was used to target journalists and human rights activists.
NSO spokesman Oded Hershkovitz defended the company: “Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers. Pedophiles and terrorists can freely operate in technological safe-havens, and we provide governments the lawful tools to fight it. NSO Group will continue to advocate for the truth.”
Apple is also notifying NSO victims and contributing at least $10 million to cybersurveillance research and advocacy organizations, the company announced.
More on the lawsuit from John Scott-Railton, a senior researcher at the Citizen Lab:
3/ NSO poked the hornet's nest for years, and @Apple wasn't satisfied with simply suing the spyware company..
— John Scott-Railton (@jsrailton) November 23, 2021
Apple just pledged millions to groups working cyber surveillance... plus any damages that they extract from NSO.
Apple's wrath is poetic. pic.twitter.com/sTuiqzCW7P
Among the victims hacked with Pegasus via Apple devices were journalists and opposition politicians in El Salvador, the newspaper El Faro reported.
An Ohio county commissioner said he wasn't aware of an attempted election security breach
Somebody plugged a private laptop into a county network inside the office of Lake County Board of Commissioners President John Hamercheck (R) during a spring primary election and data captured from the county networks was later circulated at a a ‘cyber symposium’ on alleged election fraud hosted by MyPillow executive Mike Lindell. But Hamercheck is speaking out now, saying he has no knowledge of any breach.
Hamercheck claimed there had been “much false or misleading information” about the incident but declined to elaborate, Amy Gardner reports.
“To my knowledge, there was never an attempt to access or breach the Lake County Board of Elections computer network that day,” he said. He said he would share more information publicly “as soon as we are finished gathering and verifying the appropriate materials.”
The FBI is investigating the Ohio incident, but Hamercheck said he hasn’t been interviewed by investigators. “State and county officials have determined that no sensitive data were obtained,” Amy writes.
Lindell, an ally of former president Donald Trump has pushed numerous conspiracy theories about the election. Douglas Frank, an Ohio-based scientist who has worked for Lindell, has met with county officials in Lake County and in Mesa County, Colorado, the site of a similar incident.
Senators are massaging a cyber incident reporting bill that irked the FBI
The changes came after FBI Assistant Director Bryan Vorndran told Congress that the FBI was “troubled” by legislative proposals that mandated companies in critical fields report cyber incidents to CISA but did not include the FBI in those reports.
The Senate Homeland Security Committee’s new proposal tells CISA to work with the Justice Department when developing the rules, Politico Pro’s Eric Geller reports, citing a new draft of the legislation.
Lawmakers are trying to include the mandates in an annual defense authorization bill, a version of which has already passed the House. It’s not clear if the House co-sponsors of a similar proposal will endorse the changes.
More from Eric:
Scoop: Senate Homeland has made a few small tweaks to its cyber incident reporting bill in an attempt to appease the Biden administration's concerns about the FBI being left out.
— Eric Geller (@ericgeller) November 23, 2021
My story: https://t.co/KPMJMsd84y
Context: https://t.co/yaQTnsYLlP
Government scan
CISA should update its security plan for the communications sector, government auditors say
The Department of Homeland Security agreed with the Government Accountability Office's recommendation, which it said it would be able to complete by October 2022. Read the full report here.
Global cyberspace
Encryption wars
Cyber insecurity
Industry report
Secure log off
Long covid symptoms linger in 50% of people who survive pic.twitter.com/Vlwp2k607y
— Washington Post TikTok Turkey on Vacation 🦃🌴 (@davejorgenson) November 23, 2021
“When one's appetite craves turkey and will have no other fowl, it's Thanksgiving Time!” Thanks for reading. Have a great Thanksgiving! See you Monday.