Company hacked via webcam, Toronto Zoo update, federal contractor obligations

In today’s cybersecurity news…

Ransomware gang bypasses EDR via a webcam

The incident response team at cybersecurity firm S-RM discovered the unusual attack method used by the Akira ransomware gang while responding to a recent incident at one of its clients. The gang initially accessed the victim’s corporate network through an exposed remote access solution, then used AnyDesk and stole data for use in a double extortion attack. Attempts to deploy encryptors on Windows were blocked by the victim’s EDR solution. Akira then scanned the network for other devices that could be used to encrypt files and found a webcam and a fingerprint scanner. The attackers chose the webcam because it was vulnerable to remote shell access and unauthorized video feed viewing. It also ran a Linux-based operating system compatible with Akira’s Linux encryptor and did not have an EDR agent. “Akira was subsequently able to encrypt files across the victim’s network.” S-RM told BleepingComputer that “there were patches available for the webcam flaws, meaning that the attack, or at least this vector, was avoidable.”

(BleepingComputer)

Toronto Zoo updates January 2024 attack damage

Following up on a story we covered in January of 2024, officials say that everyone who purchased a general admission ticket or zoo membership between 2000 and April 2023 had their personal data stolen in the heist. That includes PII, and “for people who made credit card transactions between January 2022 and April 2023, card details such as the last four digits of the number and expiration dates were also lifted.” Details of “all current and former staff members going back to 1989” were also stolen in the heist, which has also been attributed to Akira.

(The Register)

House bill requires federal contractors to implement vulnerability disclosure policies

The bill is named the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025, and it “instructs the Office of Management and Budget (OMB) to consult with CISA, the Office of the National Cyber Director, NIST, and other relevant departments, and require federal contractors to have a VDP that is consistent with NIST guidelines.” The same is required of the Defense Department. A letter signed by representatives of proponents of the bill, including HackerOne, Bugcrowd, Microsoft, Infoblox, Rapid7, Trend Micro, Tenable, and Schneider Electric, states that “contractors, given the vast amount of sensitive data they handle, are prime targets for cyber threats. As a result, the bill ensures all companies contracting with the federal government adhere to security best practices.”

(Security Week)

Two arrested for Taylor Swift ticket resale scheme

Two residents of Queens, New York, are now facing grand larceny, computer tampering and conspiracy charges for their role in a ticket reselling scam. Queens District Attorney Melinda Katz stated that the pair, along with another accomplice, worked for the contractor Sutherland Global Services (SGS), based in Kingston, Jamaica, and “between June 2022 and July 2023 used their access to StubHub’s system to find a backdoor into a secure area of the network where already-sold tickets were given a URL and queued to be emailed to the purchaser to download.” The co-conspirators took possession of these tickets and then resold them on StubHub for a profit of $635,000. Most of these tickets were for the Taylor Swift Eras tour, with others for Adele, Ed Sheeran, NBA games and U.S. Open tennis.

(The Record)

Huge thanks to our sponsor, ThreatLocker

Public school employees impacted by cyberattack on retirement plan administrator

The attack, which occurred in December 2024, targeted an administrator of retirement plans and exposed the information of more than 40,000 teachers and employees of public schools across the U.S. The victim organization, Carruth Compliance Consulting, provides third-party administrative services to public school districts and non-profit organizations for their 403(b) and 457(b) retirement savings plans. “A new cybercriminal operation named Skira Team took credit for the attack on Thursday, claiming to have stolen data from 36 public schools.”

(The Record)

Congress sees bigger cyber role for NTIA amid telecom attacks

A bipartisan bill cleared a key House panel Tuesday – one that aims to create a more cyber-focused role for the federal agency focused on wireless networks, the National Telecommunications and Information Administration (NTIA). Under this bill, the NTIA, which already advises the president on telecommunications and information policy issues, would establish an Office of Policy Development and Cybersecurity. Jennifer McClellan, one of the two representatives championing the bill, connects it directly to the ongoing Salt Typhoon attacks.

(Cyberscoop)

1Password introduces location-based passwords

This new feature allows users to add a specific physical location to password items, so that those items automatically appear in a new “Nearby” section of the app’s home tab. The intention is to surface the relevant items without searching, such as health card data at the doctor’s office or travel documents at the airport. Locations can be added to new or existing items saved in 1Password.

(The Verge)

Cybercriminals sped up their attacks last year

Two security companies, CrowdStrike and ReliaQuest, are reporting separately that “in the past year ransomware groups achieved lateral movement within an average of 48 minutes after gaining initial access to targeted environments,” with the fastest breakout time recorded being 51 seconds. This is an improvement – for the threat actors – from 2023, when the average breakout time for interactive cybercrime intrusions was 62 minutes. Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, added in making his company’s announcement: “not only are these adversaries using different techniques, different capabilities, they’re doing it faster, and they’re iterating faster than many of the enterprises that they’re targeting.”

(Cyberscoop)