Cyber Security News and Information from Commonwealth Sentinel

When it comes to cyber security, the most common and effective technique cyber criminals use is Social Engineering. Many imagine a nation-state hacker or a person in a hoodie sitting in a dark room using complex mathematics or technology like magic to commit cyber crimes. However, the truth is that cyber-criminals who use social engineering are more like con artists than hackers.

When covering cyber security, the media uses the terms “hacker” and “cyber-criminal” interchangeably. A hacker is usually a cyber criminal, but not all cyber criminals are hackers. Sometimes, a hacker will use social engineering in addition to technology to commit a crime, but for the purposes of this article, we will use the term like this:

Hacker = Math/Technology
Cyber Criminal = Psychology/Social Engineering

Multi-factor authentication (MFA or 2FA) is one of our best tools for defending against hackers. Passwords alone can be straightforward for hackers to break, but MFA provides an essential layer of protection against breaches. However, it’s important to remember that MFA isn’t foolproof. Hackers can bypass MFA, and they often do.

If a password is compromised, several options are available to hackers looking to circumvent the added protection of MFA. We’ll look at four social engineering tactics hackers use to breach MFA and emphasize the importance of having a strong password as part of a layered defense.

Adversary-in-the-Middle (AITM) Attacks

A spear-phishing email may arrive in an employee’s inbox, posing as from a trusted source. Your boss, a company you (or your organization) do business with, your bank, or another financial institution. Clicking on the link in the email directs you to a website that looks like the one we expect to see where hackers collect your login credentials.

While MFA should prevent these attacks by requiring an additional authentication factor, hackers can employ a technique known as ‘2FA pass-on.’ Once the victim enters their credentials on the fake site, the attacker promptly enters the exact details on the legitimate site. This triggers a legitimate MFA request, which the victim anticipates and readily approves, unwittingly granting the attacker complete access.

Cyber criminal groups, like Storm-1167, often create fake pages that resemble Microsoft login pages. They use these pages to trick people into giving away their login credentials. Once they have acquired the login information, they use a fake Multi-Factor Authentication (MFA) process that appears to be from Microsoft. The victim is then asked to enter their MFA code, which the attacker then captures to access the victim’s genuine account. Once they have access, the attacker can cause significant damage.

MFA Prompt Bombing

“This technique is called “MFA prompt bombing, and it’s a dangerous tactic that takes advantage of the push notification feature in modern authentication apps. Attackers who already have a compromised password (either from hacking or purchasing from another hacker) attempt to log in, which triggers an MFA prompt to be sent to the legitimate user’s device. Criminals rely on the user either mistaking it for a genuine prompt and accepting it or becoming frustrated with continuous prompts and accepting one to stop the notifications. This poses a significant threat, and users should be aware of the risks.

The 0ktapus group hacked into an Uber contractor’s account by tricking them with a text message. Then, they continued the login process from their own machine and quickly asked for a multi-factor authentication code. After that, they pretended to be a member of Uber’s security team on Slack and convinced the contractor to approve the MFA push notification on their mobile phone.

Service Desk Attacks

Attackers can deceive helpdesk agents into granting them access by pretending to forget their passwords and using phone calls to bypass MFA. However, if help desk agents fail to follow proper verification procedures, they may unknowingly provide an initial entry point for hackers to infiltrate their organization’s environment.

A hacker group called Scattered Spider fraudulently contacted the MGM Resorts service desk and requested a password reset. They used this to gain access and launch the infamous ransomware attack.

SIM Swapping

Cybercriminals know that Multi-Factor Authentication (MFA) often relies on cell phones for authentication. They can exploit this vulnerability using a technique called ‘SIM swapping.’ This technique involves deceiving the service providers into transferring the target’s services to a SIM card under the hackers’ control. Once they control the SIM card, they can intercept MFA prompts and take over the target’s phone number and cell service. This unauthorized access can grant them access to the target’s accounts.

In 2022, Microsoft released a report that revealed the strategies used by a threat group called LAPSUS$. The report explained that LAPSUS$ relies heavily on social engineering campaigns to access targeted organizations. One of the group’s preferred tactics is to carry out SIM-swapping attacks and use MFA prompt bombing to target users and then reset their credentials through help desk social engineering.

Thanks to Social Engineering password security still matters – MFA isn’t a Magic Bullet

This isn’t a complete list of ways cybercriminals bypass MFA. Several other ways include compromising endpoints, exporting generated tokens, exploiting SSO, and finding unpatched devices and software. It’s clear that setting up MFA doesn’t mean organizations can forget about securing passwords altogether.
Account compromise still often starts with weak or compromised passwords. Once an attacker obtains a valid password, they can shift their focus towards bypassing the MFA mechanism. Even a strong password can’t protect users if it’s been compromised through a breach or password reuse. And for most organizations, going fully passwordless won’t be a practical option.

Commonwealth Sentinel can assist your organization in staying secure by implementing robust password policies, utilizing effective multi-factor authentication tools, and providing comprehensive cyber training for your entire staff. It only takes one lucky cybercriminal to cause damage, so your team must always remain vigilant. To schedule a consultation, click here or contact us at (502) 320-9885.

3 Million Smart Toothbrushes Used in a DDoS Attack!

According to the Swiss newspaper “Aargauer Zeitung,” three million smart toothbrushes were taken over by hackers to carry out a Distributed Denial of Service (DDoS) attack. This attack caused a Swiss company to go offline for several hours, resulting in millions of euros in damages. It may sound like something out of a sci-fi movie, but these seemingly harmless bathroom gadgets were used as part of a botnet army to carry out the attack.

So, is it true?

Despite widespread reporting, the alleged hacking of millions of smart toothbrushes to create a botnet DDoS army lacks credible evidence. As experts in the cybersecurity field, we have been unable to substantiate this claim and remain skeptical of its validity.

It has been reported that the toothbrushes that were compromised were using Java, a popular language for Internet of Things (IoT) devices. Once infected, a global network of malicious toothbrushes launched their successful attack, but further details are scarce. The repurposed toothbrushes reportedly flooded a Swiss website with bogus traffic, knocking services offline and causing widespread disruption.

Several well-respected industry veterans have come out on social media calling BS on the claim.

The rapid expansion of the Internet of Things (IoT) in our daily lives has brought about an ever-growing threat landscape that cannot be ignored. However, this also gives us an opportunity to take a proactive approach towards securing our privacy and personal information. By being vigilant and taking the necessary precautions, we can not only protect ourselves but also contribute to the security of our national infrastructure and economic stability.

The majority of smart toothbrushes currently available on the market are equipped with Bluetooth Low Energy technology, although some models are also WiFi-enabled. However, the possibility of three million smart toothbrushes being hacked is highly questionable and subject to debate.

It’s important to take the threat from Internet of Things devices seriously as DDoS attacks exploiting these devices have occurred in the past.

What should you do to ensure your IoT devices aren’t compromising your security or being used as weapons against others? A good first step is an independent scan of your organization’s network, looking for vulnerabilities. You’re in luck! Commonwealth Sentinel is here to help. We offer a wide range of services to help. Our dedicated team of experts supports you with software and hardware solutions, training, and policy implementation. Your concerns matter to us, and we are delighted to provide a complimentary and confidential consultation with our advisors to discuss them. This service is entirely free and could provide you with valuable insights. To schedule a consultation, click here or contact us at (502) 320-9885.

When it comes to cyber security, many people feel powerless and vulnerable. We often rely heavily on our IT experts and software to protect our systems from digital threats, whether from international criminal networks or simply curious individuals who might not fully comprehend the consequences of their actions. There are a variety of tools and people, from tech support to firewalls, that contribute to our online safety.

With all the technological advancements, we tend to overlook the fact that we also have a crucial role to play in safeguarding our systems and networks. Regardless of whether we are at home or in the office, we are all responsible for protecting the confidential data under our care.

According to recent studies, human error is responsible for a staggering 95% of all cyber attacks. This means that people making honest mistakes can render even the most advanced security systems ineffective.

The most common forms of human error that lead to cyber security breaches include falling for phishing scams, using weak passwords, failing to update software, and sharing sensitive information online. The consequences of these mistakes can be devastating, ranging from financial losses to reputational damage and even legal action.

Realizing that YOU are the number one threat to your cyber security is essential.

The good news is that you can also be your data’s greatest defense. By practicing good cyber hygiene habits like using strong passwords, avoiding suspicious emails, and keeping software up to date, you can significantly reduce the risk of cyberattacks. Additionally, staying informed about the latest cybersecurity threats and trends is crucial to stay ahead of potential attackers. Investing in protecting your private data is a smart move that goes beyond just being responsible. Safeguarding your personal information can shield you from potential harm and give you peace of mind. Securing your data is a crucial investment that can pay off in the long run.

How can you expose yourself to danger? It could be as easy as clicking on suspicious links, opening attachments from unfamiliar senders, or mistakenly sharing confidential information. If your devices and systems are not adequately prepared to protect themselves, a single incorrect click can have devastating consequences.

Social engineering attacks are cyber attacks that exploit human psychology to deceive people into disclosing sensitive information or carrying out actions that endanger security. These attacks rely on people’s emotional responses, even if they know the dangers, making them vulnerable to falling prey to such attacks. It just takes one moment of weakness to compromise one’s security.

We have a role in safeguarding private data by staying up-to-date with Security Awareness Training. This knowledge enables us to spot and monitor potential threats, thereby preventing them from occurring in the first place. Furthermore, we are accountable for reporting any suspicious activity to the relevant teams, which can assist in identifying and dealing with attacks swiftly before they cause significant harm.

They say, “It takes a village,” which is just as accurate in the digital world of cyber space. Together, we can make the internet a safer place to spend time.

Is your organization worried about safety and security? Commonwealth Sentinel is here to help you reduce risks and ensure everyone’s well-being. Our comprehensive services include software and hardware solutions, training, and policy implementation. To help you take action, we offer a complimentary and confidential consultation with our expert advisors. This service is completely free of charge, and it could provide you with valuable insights to make informed decisions. Don’t wait any longer to safeguard your organization and schedule a consultation today by clicking on the link or contacting us at (502) 320-9885.

Cyber Security compliance standards and guidelines are gaining traction and being implemented in many industries and local and national government agencies. Failing to meet industry standards can have some severe repercussions, including hefty fines. Although some of these standards may seem optional, most are mandatory. Therefore, it’s essential to comply with them to avoid legal or financial troubles later. Remember, following the rules isn’t just about avoiding penalties but building trust with your customers and industry partners.

Popular opinion is that only companies within regulated industries need to worry about cybersecurity, believing that data protection is only a requirement for regulatory compliance. But any organization that receives, stores, or handles consumer or sensitive business data needs to protect that information – it’s always at risk. Hackers never stop looking for the weakest link into a network, and employees can pose threats through negligence or bad intentions.

Tip for Cyber Security Regulatory Compliance

Identify Which Requirements May Apply

First, determine which regulations or laws you and your customers must follow. To start, data breach notification regulations exist in every state in the United States, requiring you to tell customers if their personal information is compromised. For example, if your business deals with the financial information of a New York resident, you would be subject to the New York Department of Financial Services

The California Consumer Privacy Act and the NYDFS Cybersecurity Regulation both impose standards and restrictions that may apply to firms in any state that deal with covered data.

Implement Policies, Procedures, and Process Controls

It’s not only about technology when it comes to cybersecurity regulatory compliance. It’s also critical for both compliance and safety to have risk-mitigation policies and processes in place. There’s no technical precaution in the world that can prohibit a committed employee from downloading malware to company systems or visiting unsafe websites.

Conduct Regular Audits and Technical Reviews

It’s essential to perform regular audits (or technical reviews) of your own IT security and privacy programs, systems, and software to ensure they provide the protection you think they are. Although, there’s still no guarantee against a data breach even if you are doing all the right things correctly.

That’s why it’s essential you maintain ongoing documentation of your own compliance efforts to protect yourself by showing “due care” and side-stepping accusations of negligence.

Invest in the Right Cyber Security Compliance Tools and People

Make your life simpler by investing in the right tools and people. Many robust compliance tools give you the power to reduce IT risk by ensuring compliance with government or industry standards.

A good compliance tool will encompass custom IT requirements included in any business contract, insurance policy, or IT security policies and procedures. It will automate data gathering, issue management, and all the documentation required to prove due care to any internal or external auditor.

But you also need to have the right people using the tools. If you are large enough to have a compliance team, proper training on the tools is all you need. Suppose you have an IT team or IT consultant. It’s best not to have them audit their own work. Would you let your bookkeeper or treasurer audit your books? Bringing in an external auditor doesn’t mean you don’t trust your team, but that fresh set of eyes may see things that your people take for granted.

At Commonwealth Sentinel, we understand how crucial it is to ensure your organization’s security. That’s why we offer a wide range of services to help you minimize risks. Our dedicated team of experts supports you with software and hardware solutions, training, and policy implementation. Your concerns matter to us, and we are delighted to provide a complimentary and confidential consultation with our advisors to discuss them. This service is entirely free and could provide you with valuable insights. To schedule a consultation, click here or contact us at (502) 320-9885.

Cybercrime has reached an all-time high, and hackers are targeting small and medium businesses as they are considered easy targets. To avoid becoming their next victim, it is important to understand the most common ways that hackers gain access and take steps to protect yourself. Here are the most common methods used by hackers.

1. Take Advantage of Poorly Trained Employees: The #1 vulnerability for business networks is the employees using them.
2. They Exploit Device Usage Outside of Company Business: You have either no policy or a policy that sets few or no restrictions on how company-owned devices, software, Internet access, and email may be used by employees.
3. They Take Advantage of WEAK Password Policies: Passwords with fewer than 8 characters and that do not contain lowercase and uppercase letters, symbols, and at least one number are easy to crack. Passwords that are rarely changed also offer greater opportunities to hackers.
4. They Attack Networks That Are Not Properly Patched with The Latest Security Updates: New vulnerabilities are frequently found in operating systems and common software programs you are using, such as Microsoft Office.
5. They Attack Networks with No Backups or Simple Single Location Backups: Not having a solid, reliable backup can leave you with few choices in the event of a ransomware attack.
6. They Exploit Networks with Employee Installed Software: One of the fastest ways cybercriminals access networks is by duping unsuspecting users to willfully download malicious software by embedding it within downloadable files, games, or other “innocent” looking apps.
7. They Attack Inadequate Firewalls: A firewall should act as the frontline defense against hackers. Without proper monitoring and maintenance, the firewall may fail to stop everything you haven’t specifically allowed to enter (or leave) your computer network.
8. They Attack Your Devices When You’re Off the Office Network: It’s not uncommon for hackers to set up fake public Wi-Fi access points to try and get you to connect to THEIR Wi-Fi over the legitimate, safe public one made available to you.  
9. They Use Phishing E-mails to Fool You Into Thinking That You’re Visiting A Legitimate Web Site: A phishing e-mail is a bogus e-mail that is carefully designed to look like a legitimate request (or attached file) from a site you trust in an effort to get you to willingly give up your login information to a particular web site or to click and download a virus.
10. They Use Social Engineering and Pretend To Be You: This is a classic 21st-century tactic. Hackers pretend to be you to reset your passwords. In 2009, social engineers posed as Coca-Cola’s CEO, persuading an exec to open an e-mail with software that infiltrated the network.

Are You a Sitting Duck to Hackers?

If you run a small business, local government or non-profit are under attack. Right now, extremely dangerous and well-funded cybercrime rings in China and Russia are using sophisticated software systems to hack into thousands of small organizations like yours to steal credit cards and client information and swindle money directly out of your bank account.

Let Commonwealth Sentinel assist in reducing risks and ensuring everyone’s well-being. Our services include software and hardware solutions, training, and policy implementation. We offer a complimentary and confidential consultation with our advisors to discuss your concerns. This service is entirely free and could provide you with valuable insights. To schedule a consultation, click on the link here, or you may contact us at (502) 320-9885.

Unless you have been living under a rock, it shouldn’t be news that cyber attacks and data breaches continue to grow in frequency and impact. The number of data breaches almost tripled between 2013 and 2022. Furthermore, in the United States alone, there were 20% more breaches in the first nine months of 2023 than in any previous 12-month period!

Organizations must acknowledge the harsh reality of data breaches and information exposure. Ignoring the issue will only lead to disaster and further losses. Awareness is the first step toward securing your organization’s sensitive information. Here is a look at the most significant data breaches globally in 2023.

January – T-Mobile (37 Million Customers)

T-Mobile has reported that an unauthorized individual gained access to the personal data of 37 million customers. The breach was limited to certain customer account information, including names, addresses, phone numbers, and account numbers.

February – GoAnywhere (130+ Companies)

Fortra has informed its customers that their GoAnywhere MFT tool was hacked by a zero-day exploit. The Clop ransomware group is responsible for the attack, which affected more than 130 companies that used the same tool.

March – Verizon (7.5 Million Customers)

Breached Forums, a well-known hacker forum, leaked details of over 7 million Verizon users. The information included contract details, device information, encrypted customer IDs, and some additional data. It’s important to note that none of the personal data was unencrypted.

April – Shields Healthcare Group (2.3 Million People)

Shields Healthcare Group has reported a security breach that resulted in the theft of personal data belonging to 2.3 million individuals by a cyber criminal.

May – PharMerica (5.8 Million Patients)

The cyber crime group known as Money Message Ransomware announced that they had hacked into the systems of PharMerica and its parent company, BrightSpring Health Services. They obtained access to 4.7 terabytes from databases that held sensitive information. The breach was reported to the Maine Attorney General and HHS’ Office for Civil Rights, stating that it had affected as many as 5,815,591 people.

June – Oregon Driver and Motor Vehicle Services (DMV) (3.5 Million People)

In June, Oregon discovered that a third-party software called MOVEit had a vulnerability. This software was used to transfer data files, including driver’s licenses and identification card files of around 3.5 million Oregon residents.

July – HCA Healthcare (11 Million Patients)

US-based healthcare giant HCA Healthcare suffered a data breach impacting 11 million patients. The cyber attack was discovered, after patients’ personal data was posted online.

August – Purfoods (1.2 Million Customers)

In August, PurFoods, an American meal delivery service, reported a data breach that exposed the financial and medical information of over 1.2 million customers.

September –  DarkBeam (3.8 Billion Records)

The CEO of SecurityDiscovery, Bob Diachenko, alerted DarkBeam that they had been breached. The breached data contained 16 collections, each housing 239,635,000 records. This resulted in over 3.8 billion records being exposed.

October – Indian Council of Medical Research (815 Million People)

The personal data of 815 million Indian residents was stolen from the ICMR’s Covid-testing database and offered for sale on the dark web by a hacker named “pwn0001”. They got away with 90GB of data, including full names, ages, genders, addresses, passport numbers, and Aadhaar numbers (12-digit government identification numbers).

November – McLaren Health Care (2.2 Millon People)

The healthcare nonprofit McLaren Health Care in Michigan notified 2.2 million people that they had suffered a data breach. The data taken included Social Security Numbers (SSN), health insurance information, dates of birth, diagnostic results and treatment information, prescription/medication information, and more.

December – ???

Just because you’re small doesn’t mean you are not a target.

It is important to note that many data breaches happen in Small and Medium-sized Businesses (SMBs) and local governments. They do not receive as much attention as the highly publicized breaches involving millions of customers and exposed records. These smaller entities have limited resources, which makes it more difficult for them to recover from the impact of such breaches. Despite the lack of headlines, the impact on them is profound.

Is ensuring the safety and security of your organization a top priority for you? If yes, then Commonwealth Sentinel can be your partner in risk reduction and ensuring the well-being of everyone involved. We provide a range of comprehensive services, including software and hardware solutions, training, and policy implementation to achieve complete peace of mind. If you want to learn more about our services, sign up for a free cyber security consultation or contact us at (502) 320-9885.