At a glance.
- Ransomware continues to trouble the young school year.
- Malvertising hits adult site users via aging IE11 and Abobe Flash.
- Gamer data exposed.
- Third-party software vulnerability exploited in catphishing.
Ransomware eating schools’ lunch.
Public schools in Hartford, Connecticut; Fairfax County, Virginia; and Clark County, Nevada were hit by ransomware attacks as they opened for the fall term, Security Magazine and NBC Washington report. The Connecticut attack affected more than two thirds of the district’s three hundred servers and delayed the start of school; IT is still working to restore critical systems, and officials are refusing to negotiate with the cyberterrorists. In Virginia, hacking group Maze—known for Xerox, Canon, and LG Electronics hacks—has taken credit and posted a sampling of stolen goods online, including some student data, according to Bleeping Computer. The FBI is investigating. Inside NoVa reports that, fortunately, Fairfax schools' distance learning efforts haven't been disrupted. Past and present employee data may have been exposed in the Nevada attack, the Las Vegas Review-Journal says. It’s not yet known if the assaults are related.
The K-12 Cybersecurity Resource Center has recorded nearly a thousand publicly divulged K-12 cybersecurity incidents since 2016. “City officials may wish to consider making cybersecurity, including appropriate budgeting and implementing an incident response plan, a priority, because it is not a matter of if, but when that [a] ransomware attack will occur,” the National Law Review counsels.
Malverts sweep saucy sites.
In a swan song of exploit kits, Hacker group Malsmoke is capitalizing on near-end-of-life software Internet Explorer 11 and Adobe Flash Player, nailing adult site visitors with malicious ads that redirect to malware, Business Standard reports. Ars Technica explains that malvertising can record passwords, pilfer financial information, and snoop on users. The best protection against infected sites is a current, fully-supported browser.
Game over for Razer gamers’ data.
High-end gaming equipment manufacturer Razer accidentally revealed about 100 thousand customers’ names, addresses, contact details, and order information in an unsecured online database, according to BleepingComputer. Security researcher Bob Diachenko discovered the misconfigured Elasticsearch database; Razer thanked him, plugged the leak, and apologized. Customers are advised to be wary of phishing attempts.
Catfishers land vendor attack vectors.
An ethical hacker discovered that compromised software from marketing company Mailfire exposed nearly 400 million records—including names, dates of birth, IP addresses, password information, pictures, and private conversations—from over seventy e-commerce and dating websites with users in more than one hundred countries, vpnMentor reports. Many of these sites appear to be fraudulent, designed to catfish men. Mailfire secured their faulty server, but victims have new reasons to be sleepless in Seattle, namely identity theft, fraud, and blackmail. vpnMentor recommends scrupulously vetting third party software and minimizing data shared with third party platforms.
Looking at a similar case where NorthShore University HealthSystem’s data management vendor Blackbaud suffered a breach impacting donor lists, onShore Security reminds custodial organizations of their legal accountability for data security.