
Latest Cyberthreats and Advisories – September 30, 2022

Sep 30, 2022

Russian cybercrime, social media corruption and a tidal wave of malicious app downloads. Here are the latest threats and advisories for the week of September 30, 2022.

Threat Advisories and Alerts

CISA Issues Warning to OT/ICS Owners and Operators

Operational technology/industrial control system (OT/ICS) assets continue to be an attractive target for cybercriminals, and ICS networks are rife with risk. OT/ICS technology has vulnerable IT components and large attack surfaces—and traditional security measures don’t adequately address modern threats. System owners should assume that they will be targeted. To mitigate attacks, operators and owners can limit the exposure of system information, conduct regular security audits and secure remote access points.

Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-265a

Zero-Day Vulnerability Exploited in Sophos Firewall

A new critical zero-day vulnerability has been found in Sophos’ firewall product. The vulnerability (CVE-2022-3236), which affects Sophos Firewall v19.0 MR1 (19.0.1) and older versions, has been exploited by attackers and could result in remote code execution. Users are advised to apply the appropriate hotfixes immediately.

Source: https://www.csa.gov.sg/en/singcert/Alerts/al-2022-054

IRS Warns of an ‘Exponential’ Increase in Texting Scams

The IRS has a new warning for taxpayers: A surge in texting scams is putting personal and financial information at greater risk. This year, the agency has uncovered thousands of fraudulent websites that are connected to text-messaging scams often referred to as “smishing” or “SMS phishing.” The scams have increased over the course of 2022 but have especially surged in the last few weeks. In fact, the IRS says the fraud has “increased exponentially” recently.

Source: https://www.moneytalksnews.com/irs-warns-of-an-exponential-increase-in-texting-scams/

ICO Reprimands UK Organizations for GDPR Failings

The UK’s data protection regulator has taken action against seven public and private sector organizations for failing to meet their obligations under the GDPR and UK Data Protection Act. UK organizations must respond to requests by members of the public for personal information held on them, known as Subject Access Requests (SARs), within one to three months. After receiving multiple complaints that these organizations were not doing so, the Information Commissioner’s Office (ICO) was forced to step in.

Source: https://www.infosecurity-magazine.com/news/ico-reprimands-uk-organizations/

Emerging Threats and Research

Ad Fraud Apps Get 13 Million Downloads from Google Play and Apple Store

Up to 75 apps on Google Play and 10 on Apple’s App Store were caught engaging in ad fraud. While the apps have since been removed, they had been installed 13 million times. The fraudulent ad activity included spoofing popular apps to deceive advertising SDKs into placing ads, generating fraudulent ad clicks and serving “hidden” and out-of-context ads via off-screen WebViews.

Source: https://thehackernews.com/2022/09/experts-uncover-85-apps-with-13-million.html

Meta Shuts Down Widespread Russian Disinformation Network

Meta claims to have taken down an extensive network of thousands of Facebook and Instagram accounts pushing disinformation. The operation, which originated in Russia, spoofed several legitimate European news sites, posting original articles, memes and YouTube videos that supported Russia while criticizing Ukraine. Some of the news outlets that were impersonated included The Guardian, Bild, ANSA and la Repubblica.

Source: https://www.bleepingcomputer.com/news/security/meta-dismantles-massive-russian-network-spoofing-western-news-sites/

Ukraine Expects Massive Cyberattacks from Russia

This past Monday, the Ukrainian government warned that Russia is planning “massive cyberattacks” on its critical infrastructure facilities. “By the cyberattacks, the enemy will try to increase the effect of missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine,” said Ukraine’s Ministry of Defense. The cyberattacks aren’t expected to be limited to Ukraine. The country’s closest allies—including Poland, Estonia, Latvia and Lithuania—could be hit with DDoS attacks on their critical infrastructure.

Source: https://thehackernews.com/2022/09/ukraine-says-russia-planning-massive.html

$5 Million Lawsuit Filed Against Samsung by Customers Upset Over Breach

Samsung customers have filed suit against the Korean tech giant for careless data practices that led to the theft of their personally identifiable information (PII). The lawsuit alleges that Samsung’s failure to improve its cybersecurity defenses after the Lapsus$ cyberattack in February led to the July cyber-heist, in which PII data was stolen. The customers argue that if Samsung must collect PII data, they have a reasonable expectation that the company will protect it. The plaintiffs are seeking a minimum of U.S. $5 million in costs and damages.

Source: https://www.theregister.com/2022/09/27/samsung_data_theft_lawsuit/

UK Government to Fine TikTok £27 Million

The UK’s privacy regulator has announced plans to fine TikTok £27m for breaching data protection laws. The Information Commissioner’s Office (ICO) believes TikTok broke several laws between 2018 and 2020, including processing the data of minors under 13 without parental consent, a lack of transparency with users and processing special category data (such as racial, genetic and biometric data) without legal grounds. How much of a fine TikTok will eventually pay is anyone’s guess. Large organizations have a history of paying significantly less than the amount initially charged.

Source: https://www.infosecurity-magazine.com/news/tiktok-facing-27m-uk-regulatory/

To stay updated on the latest cybersecurity threats and advisories, look for weekly updates on the (ISC)² blog. Please share other alerts and threat discoveries you’ve encountered and join the conversation on the (ISC)² Community Industry News board.