This cybersecurity news recap for October 2022 will dive into a few more varied topics than previous months’ focus on high-profile data breaches. While there are still plenty of cyber incidents to cover over the start of Q4, the past month proved (and continues to prove as of this writing) to be more give-and-take when it comes to cyber news. While there remain plenty of reasons to be pessimistic about the significant amount of bad news this cycle, there is still room to be optimistic about the ability of the private and public sectors to adapt and respond to the growing cyber crisis, and improve upon these efforts.
Continue reading below to see some of the top cybersecurity news topics from October 2022 and how they may affect your business:
October is Cybersecurity Awareness Month
Since 2004, the White House has designated every October as Cybersecurity Awareness Month, in which the Cybersecurity and Infrastructure Security Agency (CISA) and other organizations provide education and resources promoting better cyber hygiene and network security. A lot of the information delivered via public channels is typically inundated with only basic tips and pitches, but CISA offered a significant amount of materials and guidance to both individuals and businesses. The Biden administration also took advantage of the month to quantify and reaffirm its continued focus on nationwide cybersecurity improvements (more on this below).
Recap of Government Cybersecurity Efforts in October 2022
Since even before Biden’s May 2021 Executive Order on improving security standards in the public sector, the current White House has maintained a steady momentum in steering legislation and partnerships towards building a better cybersecurity net across the US. This has culminated in many proposals and agreements brought up for negotiation even while new directives are rolled out from the White House.
Airport Hack & New TSA Rules
A coordinated series of cyber attacks against multiple US airports prompted the TSA to impose stricter cybersecurity requirements for key aviation systems within only days. Though most of the victims recovered systems shortly (some within minutes), the speed of the regulatory response itself seems unprecedented, and was followed shortly by similar rule updates for critical rail systems. With the Biden administration also promising the arrival of new security standards for healthcare and other infrastructure sectors, businesses in these and similar industries should expect stricter compliance obligations in 2023.
National Cybersecurity Strategy
The White House released preliminary documentation for its national cybersecurity strategy in October 2022, the first publication of its kind since 2018, which will be followed by a finalized release from National Cyber Director Chris Inglis. The Director responded to rumors that this final document will grant the federal government an expanded role over private sector security standards, defending the perceived “toughness” of the new rules. At the same conference where he was questioned on the strategy, Inglis also expressed new optimism in the country’s direction for cybersecurity, citing Ukraine’s response to cyber attacks as a proof-of-concept for best practice.
Vulnerability Updates as of October 2022
October 2022 was another month of critical vulnerabilities being uncovered across key systems, exploits found being used in the wild, or vendors rushing to patch bugs.
Microsoft did not have the best month for cybersecurity, with several vulnerabilities and a potential breach uncovered recently (more on this below). Most of the critical vulnerabilities were discovered during a regular “Patch Tuesday” and were ostensibly being addressed by Microsoft; however, Ars Technica discovered an even bigger flaw hidden in Windows OS for years. The bug essentially would let hackers get past a blocklist for external drivers and use it to download malware that gives them greater control over more secure parts of the system – a technique that has been deployed in the real world by some of the most notorious ransomware strains.
Other vulnerabilities or exploits discovered in October 2022 include:
- RCE flaw in Apache Commons Text
- VMware vCenter Server bug (patched)
- Multiple CVEs for Fortinet
- Critical flaw found in Microsoft Azure (patched)
- Vulnerabilities in Hitachi Energy APM Edge & Advantech R-SeeNet
- List of exploits used by Chinese hackers, including Log4J & F5 Big-IP
Data Breaches & Exposures Continue into Q4
While there may be slightly fewer headline-dominating breaches than the Uber and Optus hacks this news cycle, there were still plenty of noteworthy incidents impacting a wide range of organizations, including:
- Palms Casino of Las Vegas
- The Church of Jesus Christ of Latter-day Saints (i.e., the Mormon church)
- Defense Health Agency
- Advocate Aurora Health
- CommonSpirit Health
- MultiCare Health System
- Keystone Health
- Technoserv of Russia
Breach Penalties & Lawsuits (+ Criminal Charges)
Besides more recent breaches, quite a few past exposures are appearing in the news again for penalties and lawsuits brought against companies that were accused of failing to notify customers in time (or at all) that their data was compromised. In at least one high-profile story, an executive was convicted of criminal charges for failure to report on a breach; there were also a few arrests of hackers and even a resignation over cybersecurity rule breakage.
Here are some of the more noteworthy case headlines:
- EyeMed fined $4.5 million by NYDFS
- Zoetop fined $1.9 million by NY Attorney General
- Office of Personnel Management ordered to pay $63 million settlement by court
- The Home Secretary of the UK was forced to resign over violating security rules
- Two Massachusetts residents arrested for stealing cryptocurrency
- Another suspected Lapsus$ hacker arrested in Brazil
- Ex-CISO of Uber is convicted of covering up the 2016 breach
Other Cyber News Stories
Here are some of the other cybersecurity news stories from October 2022:
Open Phishing Toolkit for Microsoft 365
A Phishing-as-a-Service (PhaaS) platform dubbed “Caffeine” specifically targeting Microsoft 365 accounts was discovered this year in the wild, and research on its capabilities and background confirms that it is effective at producing a spoofed Microsoft login page while avoiding detection. What is more concerning, however, is that it is easier to access than other PhaaS toolkits: amateur cybercriminals only need to sign up and pay a subscription instead of being vetted. The good news is that it seems to be mostly focused on victims in Russia and China currently, but there remains a possibility it could be modified for US targets in the future.
Russia & Ukraine
The conflict over the Russian invasion of Ukraine earlier this year continues to spill over both locally and internationally, with cyber attacks such as the previously mentioned campaign against US airports being claimed by or attributed to pro-Russia hackers. Here are some of the top cyber stories around the war and its impact:
- Pro-Russia hacktivists urge supporters to hit US targets, prompting the airport hacks & other attacks
- The same Russian hacking group also targets the websites of several state governments
- Bulgaria is also targeted in retaliation for supporting Ukraine
- Germany fires its cybersecurity chief over allegations of links to Russian spies
- Microsoft attributes ransomware attacks against Ukraine & Poland to Russian hackers
- Russian dissidents leak 1.2TB of data belonging to Russian security contractors
Cybersecurity for Gen Z & Millennials
A survey by Ernst & Young LLP (EY) revealed that employees from the digital native generations – “Gen Z” and “Millennials” – are more likely to disregard best practices and corporate guidelines for IT security, including when using work devices. The study’s results highlighted both an increased level of complacency among those who were more exposed to cyber risk growing up, and a failure of current cyber policies to match human behavior and make education personable.
Google Privacy Concerns & Response
The Texas Attorney General has filed a lawsuit against Google for the second time in 2022 over privacy concerns, riding a wave of increased scrutiny against tech giants and the data they collect. While Google has called the Texas AG’s suit “breathless,” it has taken note of these concerns among its user base in the US and seeks to address them with updated and new services such as My Ads Center that ostensibly introduced new data security controls.
Get More Cybersecurity News from SWK
2022 has been a heavy year for cybersecurity news and it can be difficult to wade through all the noise to uncover developments that could impact your business the most. Get in touch with SWK Technologies and we will help you sort through the chaos to narrow down the most important updates and changes that will affect how and where you need to protect your critical data.
Contact SWK today to get more specific cybersecurity updates and discover what you need to do to ensure you are protected against the latest threats.