Top US cyber official warns AI may be the ‘most powerful weapon of our time’
CISA Director Jen Easterly, speaking on Friday at a security summit at Vanderbilt University in Nashville, warned that artificial intelligence may be both the most “powerful capability of our time” and the “most powerful weapon of our time.” She highlighted a scenario in which how-to guides, AI-generated imagery, and auto-generated shopping lists are available to terrorists and criminals, providing the capability to develop things like cyber weapons, chemical weapons, and bio weapons, adding that those are not even the worst-case scenario. She suggested that AI companies should break the “decades-long vicious cycle of technological innovation at the expense of security.”
Ex-Uber CSO given three-year probation sentence, avoids prison after guilty verdict
Former Uber chief security officer Joe Sullivan was given three years’ probation by a U.S. federal judge on Thursday following a headline-grabbing conviction last year over his handling of a data breach. A federal jury convicted Sullivan of two charges related to his attempted cover-up of a 2016 security incident at Uber, in which hackers stole the personal details of 57 million customers and the personal information of 600,000 Uber drivers. Sullivan paid the two hackers $100,000 and made them sign nondisclosure agreements but did not inform the FTC as required. He justified the payments by calling them a bug bounty. U.S. District Judge William Orrick noted Sullivan’s significant past work in protecting people from the sort of crime he later concealed. He also said that Sullivan’s steps had succeeded in keeping the stolen data from being exposed.
(Washington Post and The Record)
Ransomware group behind Oakland attack targets city in Massachusetts
The cybercrime group that launched a devastating attack on the city of Oakland has taken credit for yet another breach of a local government — this time naming the Massachusetts city of Lowell as its latest victim. The city — home to more than 111,000 people and about a half hour drive from Boston — announced a “cyber-related incident” April 24 that disrupted its network and impacted “a variety of systems.” City officials said they decided to segment the affected technology but admitted that servers, networks, phones and other systems throughout the city became inaccessible. The city’s 9-1-1, fire and emergency phone systems were not affected by the attack. On Wednesday evening, the Play ransomware group took credit for the attack, claiming to have stolen an undisclosed amount of data that includes personal data, passports, government IDs, financial documents, budgets, departmental files and more. The gang said it would release the stolen data on May 10.
Windows admins can now sign up for ‘known issue’ email alerts
Microsoft announced last week that Windows admins can now choose to be emailed when new known issues are added to the Windows release health section of the Microsoft 365 admin center. After enrolling, IT admins will receive an email every time known issues are added or updated with new information, including changes in status, new workarounds, or issue resolutions. Microsoft states this is only available for those with admin roles in organizations with eligible Windows or Microsoft 365 for Business subscriptions that provide access to Windows release health in the Microsoft 365 admin center.
Thanks to this week’s episode sponsor, Trend Micro
Dragon Breath APT group using double-clean-app technique to target gambling industry
An advanced persistent threat (APT) actor known as Dragon Breath has been observed adding new layers of complexity to its attacks by adopting a novel DLL side-loading mechanism. “The attack is based on a classic side-loading attack, consisting of a clean application, a malicious loader, and an encrypted payload, with various modifications made to these components over time,” said Sophos researcher Gabor Szappanos. “The latest campaigns add a twist in which a first-stage clean application ‘side’-loads a second clean application and auto-executes it. The second clean application side-loads the malicious loader DLL. After that, the malicious loader DLL executes the final payload.”
Fortinet warns of a spike in attacks against TBK DVR devices
FortiGuard Labs researchers are warning of a spike in malicious attacks targeting TBK DVR devices. TBK Vision is a video surveillance company that provides network CCTV devices and other related equipment, including DVRs for the protection of critical infrastructure facilities. Threat actors are attempting to exploit a five-year-old authentication bypass issue, tracked as CVE-2018-9995 (CVSS score of 9.8), in TBK DVR devices. The flaw is due to an error in handling a maliciously crafted HTTP cookie. A remote attacker can trigger the flaw to obtain administrative privileges and eventually gain access to camera video feeds. The company says it has over 600,000 cameras and 50,000 recorders installed around the world, in sectors such as banking, retail, and government, sold under a range of brand names.
New Decoy Dog malware toolkit uncovered: targeting enterprise networks
An analysis of over 70 billion DNS records has led to the discovery of a new sophisticated malware toolkit dubbed Decoy Dog, targeting enterprise networks. As its name implies, it is evasive and employs techniques like strategic domain aging and DNS query dribbling, wherein a series of queries are transmitted to the command-and-control (C2) domains so as to not arouse any suspicion. “Decoy Dog is a cohesive toolkit with a number of highly unusual characteristics that make it uniquely identifiable, particularly when examining its domains on a DNS level,” Infoblox said in an advisory published late last month, adding that its atypical characteristics allowed it to map additional domains that are part of the attack infrastructure.
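The two DNS-level traits named above, low-and-slow query dribbling and domains that were registered long ago but only recently started resolving, can be scored directly from resolver logs. The following is an added example, not code from Infoblox or the original article; the log lines, domains, registration dates and thresholds are all constructed assumptions, and real deployments would feed registration dates from WHOIS/RDAP and use a public-suffix list rather than the two-label heuristic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed resolver log ("timestamp client qname"); these are not real Decoy Dog indicators.
SAMPLE_LOG = """\
2023-05-01T00:00:00 10.0.0.5 a1.updates-example.test
2023-05-01T06:00:00 10.0.0.5 a2.updates-example.test
2023-05-01T12:00:00 10.0.0.5 a3.updates-example.test
2023-05-01T18:00:00 10.0.0.5 a4.updates-example.test
2023-05-02T09:00:00 10.0.0.7 img.cdn-example.test
2023-05-02T09:01:00 10.0.0.7 img.cdn-example.test
2023-05-02T09:03:00 10.0.0.7 css.cdn-example.test
2023-05-02T09:10:00 10.0.0.7 js.cdn-example.test
"""
# Constructed registration dates; assumption: real data comes from WHOIS/RDAP lookups.
REGISTERED = {"updates-example.test": "2021-03-01", "cdn-example.test": "2023-04-20"}

def registered_domain(qname):
    # Assumption: registered domain is the last two labels; use a public-suffix list for real data.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def score_domains(log_text, registered, now, min_age_days=365, activated_within_days=30,
                  max_per_day=8, max_interval_cv=0.25, min_queries=4):
    # Returns {domain: [signals]} for domains showing Decoy Dog-style DNS behaviour.
    seen = defaultdict(list)
    for line in log_text.splitlines():
        ts, _client, qname = line.split()
        seen[registered_domain(qname)].append(datetime.fromisoformat(ts))
    findings = {}
    for domain, stamps in seen.items():
        stamps.sort()
        signals = []
        span_days = max((stamps[-1] - stamps[0]).total_seconds() / 86400, 1.0)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Query dribbling: few queries per day, sent at a steady cadence (low interval variance).
        if (len(stamps) >= min_queries and len(stamps) / span_days <= max_per_day
                and pstdev(gaps) / mean(gaps) <= max_interval_cv):
            signals.append("dribbling")
        # Strategic aging: old enough to pass newly-registered-domain filters, yet first
        # seen in our resolver logs only recently.
        reg = registered.get(domain)
        if reg and (now - datetime.fromisoformat(reg)).days >= min_age_days \
                and (now - stamps[0]).days <= activated_within_days:
            signals.append("aged-then-activated")
        if signals:
            findings[domain] = signals
    return findings

def demo():
    return score_domains(SAMPLE_LOG, REGISTERED, datetime(2023, 5, 3))
```

Only the dribbling domain is flagged; the CDN-like domain is noisy and irregular and was registered too recently to count as aged.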
Last week in ransomware
Last week’s ransomware news was dominated by a Royal ransomware attack on the City of Dallas that took down part of its IT infrastructure. Also last week, extortionists taunted Western Digital by leaking emails and documents about its response to the cyberattack. Pediatric mental health provider BrightLine disclosed that it suffered a Clop GoAnywhere breach. ALPHV/BlackCat claimed to have attacked Constellation Software. AvosLocker hijacked Bluefield University’s emergency campus alert system to send SMS texts and email alerts to staff and students about their data being stolen.