Early November 2022 saw a continuation of many of the same trends in cybersecurity news as in late October, with a handful of stories still developing throughout the weeks in between and even from earlier in the year. SWK’s recap below will consolidate some of the top headlines and ongoing topics from the past two months, and highlight the most noteworthy takeaways:
Top Breach, Malware & Vulnerability News for October – November
There have been many developments across all types of cyber incidents between October and November 2022, with quite a few critical vulnerabilities uncovered, in addition to more individual and sustained series of cyber attacks revealed. Amongst these incidents are also several retaliatory actions from customers and regulatory agencies in response to episodes that occurred within the past year and as far back as 2020. Here are some of the top stories in these categories from this news cycle:
OpenSSL
In an announcement that threatened to outpace the panic created by the infamous Log4J bug of 2021, the open-source OpenSSL Project alerted the public to a critical vulnerability found in their widely used software. Thankfully, a follow-up notice confirmed a security patch that would resolve at least part of the issue, but observers have noted that the potential to exploit the error remains.
ConnectWise
IT solutions provider ConnectWise gave notice of a critical vulnerability found in two of their backup systems that could allow remote code execution (RCE) by bad actors. They released an update shortly after with a security patch addressing the exploit.
Dropbox
Dropbox reported that their GitHub accounts had been breached after a phishing scam on an employee, and that 130 code repositories were stolen in mid-October 2022. The repositories also included personal data for employees, current and past customers, vendors and more.
Bed, Bath & Beyond
In an SEC filing, Bed, Bath & Beyond alerted authorities that they had discovered that their system had been breached and traced the credentials back to a phished employee. Though they stated they could not find direct evidence that any data had been stolen, their CTO resigned shortly after the breach.
Twilio
Communication tool provider Twilio previously reported on a breach they suffered in August; however, a deeper investigation by the cybersecurity firm they contracted revealed the same attackers were responsible for a previously attempted intrusion and both incidents could be traced to phishing campaigns against Twilio employees.
Multi-Color Corporation
International label printer the Multi-Color Corporation simultaneously reported a breach to authorities and began sending notification letters to all affected parties in late October 2022. Their filing with the California AG’s office reveals that they discovered signs of an intrusion a month prior and brought on a forensic firm to investigate while they quarantined systems.
Facebook and its parent company Meta have come under scrutiny for the privacy implications of their pixel trackers, but it seems that several healthcare organizations who included this tool in their websites have accidentally exposed the data of millions of patients through its misuse. At least three organizations – Advocate Aurora Health, Novant Health, and WakeMed – have had to alert almost 5 million patients cumulatively that their PHI had been leaked to Facebook through tracking pixels, with WakeMed facing two lawsuits as a result at the time of this writing.
Drizly
The Federal Trade Commission (FTC) filed a complaint against alcohol delivery service Drizly and its CEO based on a 2020 breach that exposed the data of about 2.5 million customers. Based on uncovered evidence, the complaint alleges that the Uber subsidiary was aware of the security gap that allowed the breach yet did not take steps to secure it. It orders both Drizly and the CEO to follow certain data security guidelines, which include a limit on what can be collected from customers, and obliges the CEO to follow these guidelines at any future employer.
Chegg
Education solutions provider Chegg, Inc. was sued by the FTC over the exposure of millions of customers and employees in at least four data breaches between 2017 and 2020. Chegg has stated that they intend to comply with the complaint’s orders to improve their data security practices and implement specific cybersecurity tools, including MFA.
SocGholish
A research team discovered that a cybercriminal gang known as TA569 had infected websites belonging to over 250 news outlets across the US with the SocGholish malware. The attackers injected malicious JavaScript code into the files of a company that provided media content to those newspapers, which could also potentially allow them to spread the malware to other victims through those websites.
Daixin Team
The FBI, CISA and HHS issued a joint warning to the healthcare sector on the activities of a ransomware gang called Daixin Team. The group has been specifically targeting servers that host electronic patient records and other files for healthcare organizations through legacy VPN exploits.
Dormant Colors
Security researchers uncovered a data mining malware they termed “Dormant Colors” hidden among dozens of Google Chrome browser extensions, all of which had been downloaded by millions of users. The infection payloads seem to have been part of a larger campaign aiming to create a network of compromised machines.
Regulatory & Other Government Initiatives in 2022
Federal agencies and local governments continued the regulatory momentum of 2022 from October through November. Here are some of the most noteworthy recent examples:
International Counter Ransomware Initiative Summit
The White House hosted representatives from 37 countries, the European Union member states and 13 private sector companies for the Second International Counter Ransomware Initiative (CRI) Summit from October 31 to November 1, 2022. The Summit produced several agreements and proposals for developing solutions for all participant nations within the next year.
Infrastructure Security Month
CISA and the Biden administration proclaimed the first national Infrastructure Security and Resilience Month on November 1, 2022, following up on previous actions to raise awareness of the cybersecurity needs of the US’s critical infrastructure sectors. CISA announced it would be providing educational resources through channels such as its new Infrastructure Security Month webpage.
Electric Vehicle Cybersecurity Regulation
The Office of the National Cyber Director (ONCD) held a forum on addressing the potential for cyber attacks against electric vehicle (EV) charging stations and how this impacted connected systems. Though there is considerable debate between all parties on EV station rollouts, the White House is already looking at directing funds from the Bipartisan Infrastructure Law (BIL) towards building out this ecosystem with cybersecurity in mind.
Chemical Industry Receives Latest Round of Security Goals
CISA is following its “100-day sprints” with the electric, oil and gas, and water sectors with a new initiative for the chemical industry as part of the greater push for improving security standards among organizations that make up the US critical infrastructure.
Guidance on Software Supply Chain
The NSA, CISA and Office of the Director of National Intelligence (ODNI) and their private sector partners in the Enduring Security Framework (ESF) have released updated guidance on security best practices in the software supply chain, which obliges vendors to enforce better standards at their stage instead of relying solely on developers.
NY County Ups IT Budget to $36M After Breach
The government of Suffolk County in Long Island, New York has planned to increase its annual IT budget to a total of $36 million in 2023, up from $25 million in 2022. This proposal is in direct response to a breach that forced several county agencies to shut down systems and is still being investigated at the time of this writing.
Get More Cybersecurity News for November 2022
There are many stories still developing in November and there will likely be more yet to pop up in the remainder of 2022. Get in touch with the experts at SWK Technologies to stay on top of the latest threats and discover what you can do to fight them.
Contact SWK today to learn more of the latest cybersecurity news from November 2022 and beyond, and ensure your business is prepared against emerging threats and regulations.