NortonLifeLock warns that hackers breached Password Manager accounts
Gen Digital, the parent company of several high profile tech brands, has sent data breach notifications to customers, informing them of a successful breach of password manager accounts.
Hackers accessed Norton Password Manager accounts in credential stuffing attacks. Credential stuffing takes advantage of people reusing username and password combinations across different accounts. Once an attacker has gained valid combinations for one site, they can try them out in bulk on other sites.
In this instance, the firm detected “an unusually large volume” of failed login attempts on 12 December 2022, which can indicate such an attack. By 22 December the company had completed its internal investigation, which revealed that attacks had compromised an undisclosed number of customer accounts.
Customers using the Norton Password Manager feature were warned that attackers might have obtained details stored in the private vaults, which could lead to compromise of other online accounts.
The NCSC supports the use of password managers, and has guidance for individuals on using them, and for system owners choosing one for their organisation.
However, this attack demonstrates that a password manager is only as good as the credentials that allow access to it. Use a strong, separate password for your password manager and turn on 2-step verification/two-factor authentication.
CISA updates best practices for mapping to MITRE ATT&CK®
The US Cybersecurity & Infrastructure Security Agency (CISA) has updated its best practices for MITRE ATT&CK® mapping. The framework allows network defenders to analyse adversary behaviour and provides a common language for threat actor analysis.
The NCSC uses MITRE ATT&CK® in its advisories, including the recent publication covering spear-phishing by the Russia-based SEABORGIUM and Iran-based TA453 groups.
HMRC releases information to the public to identify scam phone calls, emails and text messages
In the build-up to the upcoming Self Assessment deadline, HMRC has released a checklist to help the public decide whether they may have received a spam call, email or text message.
Within the checklist, they detail any contact could be a scam if it: rushes you, threatens you, is unexpected, asks for personal information, tells you to transfer money, or offers a refund, tax rebate or grant.
If members of the public receive a potential scam, they can report it, whether it’s a text, email or call.
Cyber Essentials technical requirements updated for April 2023
The NCSC and its Cyber Essentials delivery partner, IASME, have announced that the technical requirements for Cyber Essentials will be updated in April.
After a major update last year – the biggest update to the scheme since it was first set up in 2014 – the 2023 update will be lighter touch, providing a number of clarifications, alongside some important new guidance.
For more information, see the IASME blog which provides more details on the changes. An updated set of FAQs is also available.