learn more
<https://castlehalldiligence.com>
shutterstock_490960141-1

Industry News: ESG5

      Know Your Breach: Entrust

      The Target: Entrust, a digital cybersecurity firm focused on identity management.

      The Take: Sensitive corporate internal data from Entrust’s own IT systems.

      The Vector: The attacker used previously compromised Entrust employee credentials to access their internal systems, posing as an authenticated user. 

      This breach is a critical reminder of the importance of credential authentication and password hygiene. Enforced multi-factor authentication could have prevented the Entrust breach, and enforcing this multi-factor authentication, along with reasonably regular forced password resets, password length and complexity rules, are effective strategies to mitigate these kinds of breaches.

      Read more...

      5 Best Practices to Ramp Up Cybersecurity At Private Equity And VC Firms

      2022-07-27

      Forbes: Private equity (PE) and venture capital (VC) firms have become prime targets for cyberattacks. Perhaps unsurprisingly, cybercriminals tend to gravitate toward money, and there’s a lot of it in private equity. The numbers are mind-boggling: The average midmarket fund encounters more than 10,000 cyberattacks daily.

      Read more...

      Average Data Breach Costs Hit a Record $4.4 Million, Report Says

      2022-07-27

      CNet: The average cost of a data breach rose to an all-time high of $4.4 million this year, according to the IBM Security report released Wednesday. That marked a 2.6% increase from a year ago and a 13% jump since 2020.

      Read more...

      LockBit Claims Ransomware Attack on Italian Tax Agency

      2022-07-26

      Bleeping Computer: Italian authorities are investigating claims made by the LockBit ransomware gang that they breached the network of the Italian Internal Revenue Service (L'Agenzia delle Entrate).

      Read more...

      BlackRock-Backed Round Values Cyber Firm Acronis at $3.5 Billion

      2022-07-26

      BNN Bloomberg: Cybersecurity provider Acronis raised $250 million in new funding from institutional investors earlier this year to expand its business, including through acquisitions and hiring.

      Read more...

      ‘Cryptojacking’ Rises 30% to Record Highs Despite Crypto Slump: Report

      2022-07-26

      Coin Telegraph: New research shows that despite falling digital asset prices, cryptojacking has reached record levels in the first half of 2022.

      Read more...

      Hackers Scan for Vulnerabilities Within 15 Minutes of Disclosure

      2022-07-26

      Bleeping Computer: System administrators have even less time to patch disclosed security vulnerabilities than previously thought, as a new report shows threat actors scanning for vulnerable endpoints within 15 minutes of a new CVE being publicly disclosed.

      Read more...

      T-Mobile Agrees to Pay Customers $350 Million in Settlement Over Massive Data Breach

      2022-07-25

      CNN: T-Mobile has agreed to pay $350 million to settle multiple class-action suits stemming from a data breach disclosed last year affecting tens of millions of people.

      Read more...

      Know Your Breach: Morgan Hunt

      The Target: Morgan Hunt, a British recruitment agency.

      The Take: Exposure of Personally Identifiable Information including: names, contact details, identity documents, proof address documents (bank or building statements, national insurance number, and date of birth.

      The Vector: The attackers breached a third-party software developer of Morgan Hunts who were storing access credentials to their database with no authentication or access controls.

      This breach is a stark reminder that authentication controls are a critical piece in an overall robust cybersecurity posture. Furthermore, all steps should be taken by a firm to ensure any third-party vendor who can access their data is employing the requisite methods. Enforcing multi-factor authentication, reasonably regular forced password resets, and password length and complexity rules are all effective strategies to mitigate these kinds of breaches to protect a firm’s customer base.

      Read more...

      Why Data Now Underpins the Future Security of Your Organization

      2022-07-21

      Tech Radar: As the number of different digital touchpoints grows exponentially as hybrid working(opens in new tab) cements itself, so too have the number of attack surfaces available for cybercriminals to exploit. In a world where cybercrime is evolving at a rapid pace and the threat landscape remains unpredictable and constantly shifting, one thing is clear: data increasingly underpins future security.

      Read more...

      China Fines Didi $1.2 Billion for Violating Cybersecurity and Data Laws

      2022-07-21

      CNN: China’s cyberspace regulator fined Didi Global just over 8 billion yuan ($1.2 billion) for violating cybersecurity and data laws, putting an end to a yearlong investigation into the ride-hailing giant.

      Read more...

      EIS Fund Custodian Suffers Data Breach After Cyber-attack

      2022-07-20

      Portfolio Adviser: Hackers have infiltrated a London-based fund administrator and custodian’s IT system, potentially putting customers’ personal data at risk. Mainspring notified clients earlier this week it had suffered a data breach, following a targeted ransomware attack on the morning of 12 July.

      Read more...

      ACCC, ASIC Trials Website Takedowns for Phishing, Crypto Scams

      2022-07-20

      IT News: Australia’s competition watchdog has partnered with the corporate regulator to trial automated takedowns of websites hosting phishing and other scams.

      Read more...

      Atlantic Street Capital Acquires Assets of CyberGuard Compliance

      2022-07-19

      Private Equity Wire: Atlantic Street Capital (ASC), a private equity firm that invests in lower middle market companies, has acquired assets from CyberGuard Compliance, a licensed CPA firm with exclusive specialisation in IT compliance and cybersecurity audit and assessment services, and Elite Consulting Solutions, a provider of IT compliance and cybersecurity consulting and remediation services, collectively known as “CyberGuard”.

      Read more...

      FBI Issues Public Warning Over Fake Crypto Apps

      2022-07-19

      Coin Telegraph: The United States Federal Bureau of Investigation (FBI) has issued a public warning about fraudulent cryptocurrency applications, which have swindled U.S. investors out of an estimated $42.7 million so far. 

      Read more...

      Biden Administration Pushes to Close the Growing Cybersecurity Workforce Gap

      2022-07-19

      CNN: The Biden administration is pushing to fill hundreds of thousands of cybersecurity jobs in the United States as part of a bid to close a talent shortage US officials describe as both a national security challenge and an economic opportunity.

      Read more...

      Know Your Breach: Axie Infinity

      The Target: Axie Infinity, a Decentralized Finance company that runs a “play to earn” game video game.

      The Take: $625 million worth of crypto currency.

      The Vector: The hackers used social engineering and phishing to craft a highly targeted fake job offer email and embedded a malicious program instead a PDF attachment. The Axie Infinity employee believed this was legitimate and opened the PDF attachment, and during the fake recruiting process, also gave away critical personal information which was then used to gain access to the firm’s systems to steal the funds.

      This breach highlights the ongoing and ever-present need for employee training to protect a firm against social engineering attacks. By using the exposed credentials, the attackers were able to act with all the same permissions as the affected employee and pivot into other systems. The human component of cybersecurity is a very real and important piece of the overall picture of cybersecurity posture.

      Read more...

      Cyber Security and Ransomware in Financial Markets

      2022-07

      Bank of Canada: Financial markets face the constant threat of cyber attacks. We develop a principal-agent model of cyber-attacking with fee-paying clients who delegate security decisions to financial platforms. We derive testable implications about clients’ vulnerability to cyber attacks and about the fees charged. We characterize which cyber attacks actors choose.

      Read more...

      DHS Review Board Says it Could Take Years to Fix Government Software Vulnerability

      2022-07-14

      The Hill: The analysis states that a security engineer from the Alibaba Cloud Security team in China first reported the vulnerability to the Apache Software Foundation, a nonprofit organization that provides support for Log4j, the software. 

      Read more...

      $8 Million Stolen in Large-scale Uniswap Airdrop Phishing Attack

      2022-07-13

      Bleeping Computer: Uniswap, a popular decentralized cryptocurrency exchange, lost close to $8 million worth of Ethereum in a sophisticated phishing attack. While the protocol hasn't been compromised by exploiting a vulnerability as initially suspected, the cyberattack has impacted many investors in digital assets.

      Read more...

      Small Cybersecurity Teams Face Greater Risk from Attacks than Larger Enterprises

      2022-07-13

      Dark Reading: Cynet, the world’s first provider of an autonomous, end-to-end, fully automated extended detection and response (XDR) platform, today announced the results of its second annual “CISO Survey of Small Cyber Security Teams." 

      Read more...

      Hackers Posing as Merkel Target ECB's Lagarde - German Source

      2022-07-12

      U.S. News: Unidentified hackers attempted to trick European Central Bank President Christine Lagarde into letting them open a messaging app account in her name by posing as former German chancellor Angela Merkel, a German source said.

      Read more...

      UK Warns Lawyers Not to Advise Ransomware Payments

      2022-07-12

      Security Week: In a letter addressed to UK lawyers dated July 7, 2022, the UK’s National Cyber Security Center (NCSC) and the Information Commissioner’s Office (ICO), have reiterated – with teeth – the official stance on not paying a ransom.

      Read more...

      Brazen Crooks Are Now Posing as Cybersecurity Companies to Trick You into Installing Malware

      2022-07-11

      ZDNet: Brazen cyber criminals are now posing as cybersecurity companies in phishing messages that claim the recipient has been hit by a cyberattack and that they should urgently respond in order to protect their network.

      Read more...

      Know Your Breach: Kaiser Permanente

      The Target: Kaiser Permanente, a U.S based health plan and health-care provider.

      The Take: Personally Identifiable health Information on 69,000 individuals, including: first and last name, medical record number, dates of service, laboratory test results. 

      The Vector: A threat actor gained access to compromised employee email account and acting with all the same permissions as the breached credentials, downloaded and stole the information.

      This breach is a stark reminder of the importance of robust employee credential authentication and password hygiene. Performing regular monitoring on account behaviour is critical to ensure access is kept within the firm. Additionally, locking down appropriate permissions, admin access, and ensuring users only need the tools they need to do their jobs, and no more, will reduce the risk of these attacks.

      Read more...

      Cybersecurity M&A Roundup: 45 Deals Announced in June 2022

      2022-07-07

      Security Week: A SecurityWeek study showed that more than 430 cybersecurity mergers and acquisitions were announced in 2021. SecurityWeek will soon also publish an M&A analysis for the first half of 2022.

      Read more...

      China’s Cabinet Urges Greater Cybersecurity After Mass Data Leak

      2022-07-07

      BNN Bloomberg: China’s cabinet stressed the need to bolster information security, following a huge leak of personal data that could be the largest cyber-attack in the country’s history. 

      Read more...

      Hotel Giant Marriott Confirms Yet Another Data Breach

      2022-07-06

      Tech Crunch: Hotel group Marriott International has confirmed another data breach, with hackers claiming to have stolen 20 gigabytes of sensitive data, including guests’ credit card information.

      Read more...

      Greenwich-based Information Technology Company is Acquired

      2022-07-06

      The Middletown Press: Officials with a Foxborough, Mass.-based cybersecurity firm announced their company has acquired Edge Technology Group of Greenwich, which is an information technology company serving financial firms.

      Read more...

      The Cyber-Asset Management Playbook for Supply Chain Modernization

      2022-07-06

      Dark Reading: The recent upheaval in the supply chain is unprecedented, thanks to ongoing disruptions tied to the pandemic, financial and trade sanctions stemming from Russia's war in Ukraine, cyberattacks targeting the supply chain, and other factors.

      Read more...

      US Department of Defense Invites Hackers to Help Harden its Security Systems

      2022-07-06

      Tech Radar: The Chief Digital and Artificial Intelligence Office (CDAO), the Directorate for Digital Services and the Department of Defense Cyber Crime Center (DC3) jointly launched “Hack US”, a bounty-hunting program aimed at identifying high-severity flaws in government systems.

      Read more...

      Ignoring Cybersecurity Can Sour M&A Deals

      2022-07-05

      Forbes: When a private equity firm had acquired a midsized manufacturer late last year, little did they know that someone else had set on the same target as well. Just two months after it was purchased, a cybercriminal organization launched a crippling ransomware attack that locked up the manufacturer’s systems.

      Read more...