Changelog: There is no silver lining
Welcome to Changelog for 11/30/2023, published by Synack! README senior editor Nathaniel Mott here amongst the candy canes and mistletoe with the week’s leading stories.
The payload
The password might be the original sin of cybersecurity. People can’t be trusted to come up with their own passwords because they’re often easy to guess and used for multiple accounts. Organizations can’t be bothered to implement sensible policies--some don’t require people to use strong passwords, others come up with arcane requirements that don’t meaningfully improve security and still others make it nigh-impossible to rely on a password manager.
But the biggest problem might be the reliance on default passwords in everything from networking equipment to, as the Cybersecurity and Infrastructure Security Agency warned this week, programmable logic controllers used by the water and wastewater sector. On Nov. 28, the agency urged facilities that rely on Unitronics PLCs to “change the Unitronics PLC default password—validate that the default password ‘1111’ is not in use.” And that’s just… wow.
CISA said PLCs are used to “control and monitor various stages and processes of water and wastewater treatment, including turning on and off pumps at a pump station to fill tanks and reservoirs, flow pacing chemicals to meet regulations, gathering compliance data for monthly regulation reports, and announcing critical alarms to operations.” So the need to say these devices shouldn’t be secured with a default password didn’t exactly inspire confidence.
Neither did a pair of reports that water facilities in Pennsylvania and Texas had been compromised by two different threat actors. CyberScoop reported that the Iran-linked “Cyber Av3ngers” managed to “gain control of at least one device at the Municipal Water Authority of Aliquippa, Pa.” The Record, meanwhile, reported that a “water utility serving two million people in North Texas is dealing with a cybersecurity incident that caused operational issues.”
Fortunately, neither attack reportedly threatened the availability of water to any of the facilities’ millions of customers. It’s clear that a wide gamut of threat actors are targeting water facilities across the U.S., however, and it seems at least some of them aren’t even bothering to change the password used for a critical piece of equipment. Let’s hope they call a few security experts--and maybe a handful of priests--to help cleanse that particular sin.
The week, compiled
Learning about the sad state of security at water facilities wasn’t the only bummer of the week: the healthcare industry has also been subject to a pair of high-profile attacks on Ardent Health Services and Capital Health, and recent attacks on companies like Mr. Cooper and Fidelity National Financial have created problems for homeowners around the country, too.
CNN reported Monday that the Ardent Health Services attack has forced hospitals in Texas, New Jersey, New Mexico and Oklahoma to divert ambulances to other facilities and reschedule some procedures. The Record reported Wednesday that the attack on Capital Health--which operates fewer hospitals than Ardent--has caused some surgeries to be rescheduled and disrupted outpatient radiology appointments but is not preventing the facilities it operates throughout Pennsylvania and New Jersey from providing other services.
As for the real estate woes, Forbes reported on Nov. 9 that “millions of borrowers who were unable to transfer their November mortgage payments on time due to a massive cyber attack on their home loan servicer, Mr. Cooper, now have a new headache: Their personal data might have leaked.” TechCrunch reported on Monday that “homeowners who have mortgages and prospective buyers who are purchasing properties with FNF or one of its many subsidiaries have been left confused and concerned, not knowing exactly what is happening or what to do.”
These are the kind of “life or death” problems--literally in the case of Ardent and Capital Health, figuratively in the case of Mr. Cooper and FNF--that demonstrate the devastation that can follow ransomware attacks. Not exactly a positive way to end the month, eh?
Here are some other stories from around the web:
Ars Technica: A maximum-severity vulnerability in ownCloud, which Ars Technica described as “a widely used open source file-sharing server app,” is seeing “mass exploitation.” Anyone who hasn’t updated their install should A) rectify that situation as soon as possible and B) do their best to determine if they’ve been compromised as part of these spray-and-pray attacks.
KrebsOnSecurity: Whoops! Brian Krebs reported that Okta believes “attackers also stole the name and email address for nearly all of its customer support users” when they breached its network earlier this year. That attack was already worse than we thought, since it led to follow-on breaches of Okta’s customers, and now it seems it was… even worser?
Reuters: Crime does pay! (But no, you still shouldn’t do it.) Elliptic said this week that the Black Basta ransomware gang, which according to Reuters is “suspected of being an offshoot of the notorious Russian Conti group of hackers,” has received more than $100 million worth of cryptocurrency since 2022. This is said to make Black Basta “one of the most profitable ransomware strains of all time.”
A message from Synack
How companies approach security testing is in need of a makeover. Traditional pentesting satisfied compliance requirements, but that doesn’t stop critical vulnerabilities from affecting the business. With a strategic testing approach, companies can discover the vulnerabilities that matter most, manage remediation more quickly and see security posture improvement in real time with essential analytics. Learn how to start your journey to strategic testing.
Flash memory
Henry Kissinger is dead, which feels like the kind of thing worth mentioning in a section devoted to historically significant events, but I doubt I’m going to top Rolling Stone’s coverage. So instead I’m going to take the opportunity to talk about “Pong.”
Atari released “Pong” on Nov. 29, 1972. Wikipedia hails it as “the first commercially successful video game,” and even though I never had the chance to play “Pong” on a cabinet, I’m glad it took off. Some of the most fun I had as a kid was playing the “Galaga” machine at a local restaurant or being cheated by the “Battletoads” cabinet at a roller skating rink. (I was an incredibly cool kid.) Neither game would’ve existed if it weren’t for “Pong.”
It’s hard to believe the gaming industry, which has taken over practically every device with a screen, owes it all to a massive cabinet featuring a bunch of white rectangles and squares engaged in a two-dimensional take on ping pong. But it does, and that strikes me as a much better legacy than the one left behind by that dude we aren’t gonna talk about right now.
Local files
DFP: The “names, dates of birth, email addresses, phone numbers, medical diagnoses, health insurance information and Social Security numbers” of roughly 1 million Michiganders have been exposed by an attack on Welltok, according to the Detroit Free Press, which said the company offers “communication services” and operates a “healthy lifestyle portal” for its customers.
BleepingComputer: Next up, the “names, dates of birth, and Social Security numbers” of some 1.9 million Dollar Tree and Family Dollar employees were reportedly compromised after one of the parent company’s vendors, Zeroed-In Technologies, was hacked in August. Dollar Tree is said to operate some 23,000 stores throughout the U.S. and Canada.
TJT: The Japan Aerospace Exploration Agency (JAXA) was reportedly hacked earlier this year, and according to The Japan Times, the agency was unaware of the intrusion until it was “contacted by police this fall.” Investigations into the incident are ongoing.
Off-script
These days it’s hard to find a desktop PC that isn’t housed in a massive rectangle featuring a tempered glass window designed to show off all the RGB-LED-adorned components inside. That isn’t cool. AYANEO’s new Macintosh-inspired mini PC, on the other hand, is definitely cool.
I don’t care about the specs. I don’t mind that AYANEO is practically begging Apple to sue it into oblivion. All I care about is this diminutive beige PC combining modern hardware (even if it’s not exactly the most powerful silicon on the market) with a retro look that’ll be hard to top.
And that’s just the first member of the lineup! AYANEO has already shared a look at the successor, which “borrows” just as liberally from the original Nintendo Entertainment System’s design, and damn if I don’t want that one too. I’m gonna have to hide my credit card.