.png?width=200&height=78&name=CH%20Diligence%20(thicker%20line).png "CH Diligence (thicker line).png")
The target: The United Nations
The take: 400GB of data including: internal documents and emails, human resource records, database access, commercial information, and Active Directory access.
The attack vector: The threat actors used compromised 42 servers in total when they were able to exploit a known remote code vulnerability in Microsoft Sharepoint. This let the attackers move freely within all of the IT systems. A patch was released a few months prior to the breach, but the U.N’s IT department failed to deploy the patch when it was released, leaving a significant timeframe in which their systems were vulnerable.
This breach highlights the critical importance of maintaining an inventory of internal systems and software, and ensuring those systems are kept up-to-date. Security vulnerabilities can be exploited as soon as they’re identified, underlining the importance of adhering to a regular and frequent patching schedule.
Business Insider: A company that sends out SMSes and emails on Nedbank’s behalf may have been hit by a data breach. The “data security incident” may have released the names, ID numbers, telephone numbers, physical and/or email addresses of 1.7 million Nedbank clients.
CTV: Puerto Rico's government has lost more than US$2.6 million after falling for an email phishing scam, according to a senior official.
The finance director of the island's Industrial Development Company, Ruben Rivera, said in a complaint filed to police Wednesday that the agency sent the money to a fraudulent account.
Reuters: Some of London’s top hedge funds and asset managers are among those that have been targeted by rogue internet operators who clone their names and websites in an attempt to part unsuspecting investors from their cash.
ABC: Federal Parliament failed to develop effective methods for preventing cyber intrusions and did not regularly update some sensitive information systems, according to a draft internal audit dated three months after a major cyber attack was uncovered.
CNN: A security flaw in a mobile app used primarily by Prime Minister Benjamin Netanyahu's Likud party exposed the personal data of every eligible voter in Israel just three weeks before a national election.
BBC: More than 147 million Americans were affected in 2017 when hackers stole sensitive personal data including names and addresses. Some UK and Canadian customers were also affected. China has denied the allegations and insisted it does not engage in cyber-theft.
ZDNet: The FBI received 467,361 internet and cyber-crime complaints in 2019, which the agency estimates have caused losses of more than $3.5 billion, the bureau wrote in its yearly internet crime report.
The target: Mitsubishi Electric, an electronics company based in Japan.
The take: Personal data of 8000 employees and trade secrets including technical, sales, and client information.
The attack vector: A zero-day vulnerability (a newly discovered vulnerability for which no patch/mitigation has yet been published) in antivirus software used by Mitsubishi compromised accounts and internal systems. Attackers gained access to forty servers and one hundred and twenty computers inside the company.
The unfortunate reality is that every company is potentially vulnerable, and this example only reinforces our position that cybersecurity is not a one-and-done, set-it-and-forget-it domain. While zero-day exploits are rare and extremely difficult to defend against, monitoring and assessment of redundant security measures and the defense-in-depth approach can limit the potential impact of a compromise of one layer of a firm’s defenses.
Evening Standard: Anthony Murrell, 44, siphoned off the money from Legal and General Investment Management over three years, buying non-existent computer cables and paying the money to a fake company in his wife’s name.
