Busy Week in Ransomware, Apache Vulnerabilities, & UEFI bootkit
Posted by: GuidePoint Security
Published 10/14/21, 9:30am
Cybersecurity News for the Week of 10/04/21
There is never a dull moment when it comes to threats, vulnerabilities, and breaches, and last week was no exception. Ransomware continued to make the news, with increased gang activity, attacks on multiple hospitals, the announcement of a possible infant death related to ransomware, and new ransomware regulations. The Apache Software Foundation issued a patch for a critical vulnerability currently being exploited in the wild. And industry researchers announced a newly discovered bootkit threat active since 2012 affecting Windows systems.
- Busy week in ransomware: gang activities, more hospitals targeted, and legislation proposed
- Organizations urged to immediately patch Apache zero-day
- Newly discovered bootkit threat used to backdoor Windows systems since 2012
Cybersecurity News Final Thoughts
There is an old midwestern saying that goes “If you don’t like the weather, wait a few minutes.” Cybercrime sometimes feels that way too, with an ever-changing landscape of sun, clouds, thunder, and tornados.
Alongside a spate of ransomware attacks and zero-days this week, news came of several new cybersecurity regulations and laws designed to better protect organizations and disrupt the cyberattack cycle. One of the laws, signed on Friday 10/8, is intended to strengthen cybersecurity protection for K-12 educational institutions. The bipartisan K-12 Cybersecurity Act calls upon the Cybersecurity and Infrastructure Security Agency (CISA) to develop recommendations and tools for schools. Other pending legislation includes the Ransom Disclosure Act and a bill that would direct Homeland Security’s cyber branch to identify U.S. digital infrastructure that, if attacked, could severely incapacitate national security, economic operations, or public safety. The cryptocurrency problem also seems to be on the government radar as congressional leaders this week urge the Departments of State, Homeland Security, Justice, and the Treasury to pursue stronger interagency coordination on the issue of cryptocurrencies. And finally, DOJ issued a statement indicating they would pursue all government contractors that failed to report cybersecurity incidents.
It remains to be seen whether this legislation and regulation will have the intended effect. Some cybersecurity experts speculate that the more disciplinary-focused legislation is designed more to encourage organizations to take the appropriate steps to protect themselves than it is to actually discourage cybercriminals. What is obvious, though, is that no single regulation or bill is going to stop threats and attacks. Fighting cybercrime can’t be left just to IT, security, and government entities. Organizations are being called upon to step up to the plate and recognize that no company is immune. And employees—from legal and marketing to HR and finance need to assume responsibility for increasing vigilance. Cybersecurity is a team sport, and everyone needs to be in the game for a win.
GuidePoint Security