Friday Five 2/11
Modernizing HIPAA, online romance scams cost millions, and more - catch up on the infosec news of the week with the Friday Five!
1. Maze, Egregor and Sekhmet ransomware decryption keys published by Carly Page
While there have certainly been some big ransomware wins lately - the recent arrests surrounding REvil, for one - the infosec community will always welcome more. Here's another, especially for those who may have had their files encrypted by the Maze, Egregor, or Sekhmet ransomware. While the groups are no longer active, that didn't stop someone apparently associated with them from releasing decryption keys for the ransomware families. As TechCrunch reports, someone dropped the keys in a Bleeping Computer forum; they were later confirmed by Emsisoft, a New Zealand antivirus firm, to be legitimate. As paralyzing as ransomware can be for businesses - and consumers, for that matter - it's worth quarantining encrypted files if possible, just in case a decryptor is released one day.
2. Apple's Latest Security Update Addresses WebKit Zero-Day by Nathaniel Mott
A heads up via PCMag from Apple about what sounds like a nasty vulnerability in WebKit, the browser engine used in Safari but not just in browsers: also in Mail, the App Store, and other apps, including some on Linux. Apple pushed updates for macOS, iOS, and iPadOS to remedy the issue with what it calls improved memory management. If you click into Apple's advisory, the key phrase is that the issue "may have been actively exploited," meaning it's almost definitely been exploited. Best to set time aside to patch this on your devices sooner rather than later.
3. Online romance scams expand, now with more cryptocurrency by Joe Warminsky
Just in time for Valentine's Day, Cyberscoop digs into some new numbers released by the Federal Trade Commission on online romance scams, which reportedly bilked users out of $547 million last year, an 80% increase from 2020's number: $307 million. A big chunk of that money, $139 million, was in cryptocurrency, as scammers have increasingly relied on tricking lovelorn victims into downloading phony cryptocurrency apps, convincing them to deposit money, and swiftly stealing whatever's there. Like the FTC's graph from two weeks ago on social media fraud, the graph that accompanies the romance scam statistic (right) is also jarring, showing a steep rise year over year.
4. CISA urges orgs to patch actively exploited Windows SeriousSAM bug by Bill Toulas
An important update for defenders, in case they missed it: a fresh round of vulnerabilities has been added to the U.S. Cybersecurity & Infrastructure Security Agency's (CISA) list of exploited vulnerabilities. The most pressing issue, a local privilege escalation vulnerability in Microsoft Windows SAM (Security Accounts Manager), should be fixed by February 24, CISA says. The bug was actually fixed last summer (with July's Patch Tuesday updates), but apparently enough organizations never patched it that it's still an issue. In addition to the SAM vulnerability, 14 other bugs, including issues with Apache Struts, Microsoft SMBv1, and Apple OS X, were added to the list. With the additions, the list, technically called CISA's Known Exploited Vulnerabilities Catalog, clocks in at 367 security vulnerabilities.
5. Senators intro bipartisan effort toward modernizing health privacy laws by Kat Jercich
Another week, another raft of data privacy bills introduced. A highlight from this week is an attempt by senators to modernize health data and privacy policies, namely HIPAA. As Healthcare IT News notes, the goal of the Health Data Use and Privacy Commission Act is to build on HIPAA, which is 25 years old. The bill would establish a commission to provide Congress with recommendations for updating laws like HIPAA to keep pace with health technology. The bill, introduced by Senators Tammy Baldwin, D-Wis., and Bill Cassidy, R-La., has some big backers, including athenahealth, Epic, IBM, and Teladoc Health.