#incidentresponse


🔥 Launching today: Discernible Drills - our new weekly security/privacy communication training delivered via Slack!

Based on 20 years of experience in, this new service helps security and privacy professionals practice communication skills through weekly 60-minute drills.

- Covers 12 different incident types
- Text-based with multimedia elements for auditory learners
- No PO required - individual subscriptions
- Currently runs Wednesdays 12-1pm ET with more times coming soon
- Two tiers: $50/mo or $100/mo

Security incidents are more than breaches, and communication is more than media statements. Practice makes perfect.

Learn more at discernibleinc.com/blog/introd

Discernible Inc: Introducing Discernible Drills: The Power of Persistent Practice. Join a new incident response communication drill with industry peers every week!

@hacks4pancakes (@dragosinc) will join us on March 19 for our Foundations of DFIR panel!

While that's a few weeks away, you can check out Lesley's blog post on The Shifting Landscape of OT Incident Response which illustrates the importance of specialized incident response and digital forensics in maintaining the security and integrity of OT systems.

Find it here: dragos.com/blog/the-shifting-l

If you want to catch Lesley along with panelists @danonsecurity, David Bianco, and Sarah Sabotka for unique insights on bolstering your DFIR foundations, save your spot here: domaintools.com/webinar-gettin

🇳🇿 I've had quite a few outrageous responses to my alerts; this is another one of those, sent by the teammateapp.com CEO.

After my initial alert and follow up email, I get a reply lying about the severity of the exposure and telling me to stop harassing the company.

This CEO also didn't know what Proton is and thought I work for them and threatened to report me to them in case I didn't stop. :blobshrug:

Read about it here: jltee.substack.com/p/new-zeala

The Hub of Stupi.. *misconfigs: New Zealand Company's 'Impossible-to-Hack' Security Turns Out to Be No Security at All, by JayeLTee

Some folks may get confused by PowerSchool saying that if they have medical records on students, they may have to notify under HIPAA.

Most student medical/health records are not covered under HIPAA. They are covered under FERPA.

If the district is billing the student's health insurance for services like speech therapy, physical therapy, or occupational therapy, then there's a HIPAA issue. Or if the school has arrangements with an actual clinic that is providing medical/health services to students. But most things like doctor's absence notes or even allergy action plans or school medication orders are not under HIPAA.

If the district has a health plan for employees that it administers, there's also a HIPAA issue there.

#PowerSchool #databreach #incidentresponse #HIPAA #FERPA

@douglevin @funnymonkey

Wondering if anyone else has seen this behavior.

We received an alert from MS Defender for Cloud that a suspicious IP had downloaded from a storage blob using a SAS token. It turned out that someone was misusing the SAS token feature and had sent the URL via email.

Since then, we've determined that every URL sent via email (O365) is being downloaded immediately by... someone. We brought in someone for IR but they haven't seen anything similar and we can't find a cause. We even set up two secops mailboxes (which are supposed to bypass all MS security) and sending an email between them still triggers the downloads.

The source IPs so far have all been in the US, and Spur tags most with "Oculus Proxy" and most ASNs are "Constant" or "HostRoyale". User agents match Chrome 125 or 131.

The only thing I've found online is complaints on Reddit about this causing a 100% click rate in KnowBe4. No real resolution there though.

We're thinking it's something automated/enterprise, but I want to be sure. Has anyone seen anything similar? TIA.

Edit: forgot one important detail. This only happens on outbound messages. So corp to gmail triggers the download, gmail to corp does not.

Bolton Walk-In Clinic in Ontario: lock down your backup already!

DataBreaches hates reporting on an incident when the entity has not yet secured misconfigured storage, but after four months of futile efforts to get a Canadian clinic to respond to responsible disclosures, maybe publication will help get them off the dime.

Do any personal injury lawyers in Ontario, Canada, or folks in the Information and Privacy Commissioner of Ontario follow me? Maybe they can get something done.

Read more at:
databreaches.net/2024/12/03/bo

#misconfiguration #error #healthsec #dataleak #databreach #exposure #incidentresponse
#DontCallMeHoney

@brett

The University of Maribor (UM), the 2nd largest Slovenian university, was compromised on Wednesday at 8pm CEST.

Supposedly all files are locked by ransomware including the daily backups that were supposedly on the same or a connected server and not offline or separate enough.

The official site, school emails, student systems where they get and submit tasks, and more are all down. This affects all of the 17 faculties in Maribor. MS Teams works with the current session but you cannot log in if you get logged out. School Wi-Fi eduroam is also down.

School work currently is continuing normally for now via other communication channels.

They are in contact with SI-CERT, and the police are also involved.

Official site
um.si

Slovenian news sources
vecer.com/maribor/aktualno/uni
delo.si/novice/slovenija/kiber
24ur.com/novice/slovenija/kibe

@campuscodi

Mini Blue Team Diaries Story:

It was a springtime Saturday many years back, and all was right in the world. I was mowing the yard, which at the time, meant a very small patch of grass that could be mowed by an electric mower plugged in with a tiny extension cord. All of a sudden, the perfect spring time in suburbia came to a screeching halt. The on-call phone was going off.

At the other end of the line was an engineer from our hosting ops department, who was taking advantage of a maintenance window to do some patching on VMWare ESX hosts. He was actually updating the hypervisors in person, at the datacenter, so he could be quick to respond if something went sideways.

Alas, something had gone sideways. The ESX machines appeared to have all been compromised! The engineer had called in a panic.

Upon reboot of the machine, an ominous message the engineer had never seen before appeared just after the POST screen.

"All your servers are belong to us!" read the message, in an apparent nod to Zero Wing.

Clearly this was the calling card of some malicious actor who had rooted the hypervisor and was now deep enough into the system that they could own our entire stack. So he'd called SecOps for our take.

I had two thoughts. 1) Run the compromise checklist, and see if there was anything strange going on, and 2) ring the engineer who'd worked there the longest to see if they'd ever seen this message before.

1) was well underway, and found no evidence of a breach. 2) took a bit longer to get ahold of the right person, but when we did, we had our answer.

"Oh, that was just Don who used to work here. He put that message on all the servers he set up as a joke. He's a great guy."

And just like that, the incident was over, and I returned to the yard work.

Incidentally, I made a very big deal out of making sure that the engineer who'd rung the on-call for that knew that he'd done 100% the right thing. What I didn't want, although this time turned out to be nothing, was for him to be worried about raising the alarm again in future and missing something real.

Want more, slightly less mini stories like this? Check out: infosecdiaries.com/

Infosec Diaries: Learn Pen Testing, Blue Teaming and Digital Forensics

Some security tools provide "isolated browsers" for analysts to interact with malicious web sites. For example Proofpoint Isolation Browser is part of Proofpoint TAP.

Are there any highly usable isolation browsers available as a standalone service?

I have a few sandboxes that allow me to run an interactive session, but usability is lacking.

I've built my own disposable EC2 linux instance accessible via VNC-over-SSH, but I don't want to maintain it. I want to buy a service.

Does what I want exist? I want it isolated, disposable, interactive, and NOT a pain to use. 😉