Jen Easterly warns AI may be the ‘most powerful weapon of our time’
CISA Director Jen Easterly, speaking on Friday at a security summit at Vanderbilt University in Nashville, warned that artificial intelligence may be both the most “powerful capability of our time” and the “most powerful weapon of our time.” She highlighted a scenario in which “how-to guides, AI-generated imagery, auto-generated shopping lists are available for terrorist and for criminals, providing the capability to develop things like cyber weapons, chemical weapons, bio weapons,” adding that those are not even the worst-case scenario. She suggested that AI companies should break the “decades-long vicious cycle of technological innovation at the expense of security.”
Ex-Uber CSO gets three-year probation sentence, with no prison for guilty verdict
Joe Sullivan, Uber’s former chief security officer, received three years of probation from a U.S. federal judge on Thursday in connection with his conviction last year over his handling of a data breach. According to The Record, “a federal jury convicted Sullivan of two charges related to his attempted cover-up of a 2016 security incident at Uber, where hackers stole the personal details of 57 million customers and the personal information of 600,000 Uber drivers.” Sullivan had paid the hackers $100,000 and had them sign nondisclosure agreements, but did not inform the FTC as required, describing the payments as a “bug bounty.” U.S. District Judge William Orrick noted Sullivan’s significant past work in protecting people from the sort of crime he later concealed, and said that Sullivan’s steps had succeeded in keeping the stolen data from being exposed.
(Washington Post and The Record)
Ransomware group behind Oakland attack hits Massachusetts city
The cybercrime group that attacked the city of Oakland has now made Lowell, Massachusetts its latest victim. The city, situated near Boston, announced a “cyber-related incident” on April 24 that disrupted its network and impacted “a variety of systems.” Despite segmenting the affected technology, servers, networks, phones and other systems throughout the city became inaccessible. The city’s 9-1-1, fire and emergency phone systems were not affected. The Play ransomware group has taken responsibility for the attack, and according to The Record, they are “claiming to have stolen an undisclosed amount of data that includes personal data, passports, government IDs, financial documents, budgets, departmental files and more.” The gang said it would release the stolen data on May 10.
Windows admins can sign up for ‘known issue’ email alerts
Microsoft announced last week that Windows administrators can now opt to be emailed when “new known issues are added to the Windows release health section of the Microsoft 365 admin center.” The emails will alert admins to known issues that are added or updated with new information such as changes in status, workarounds, or resolutions. Microsoft emphasizes this service is only available for people “with admin roles in organizations with eligible Windows or Microsoft 365 for Business subscriptions that provide access to Windows release health in the Microsoft 365 admin center.”
Thanks to this week’s episode sponsor, Trend Micro

Dragon Breath APT group targets gambling industry using double-clean-app technique
Dragon Breath, an advanced persistent threat (APT) actor, is adding new layers of complexity to its attacks by adopting a novel DLL side-loading mechanism. “The attack is based on a classic side-loading attack, consisting of a clean application, a malicious loader, and an encrypted payload, with various modifications made to these components over time,” said Sophos researcher Gabor Szappanos, quoted in The Hacker News. “The latest campaigns add a twist in which a first-stage clean application ‘side’-loads a second clean application and auto-executes it. The second clean application side-loads the malicious loader DLL. After that, the malicious loader DLL executes the final payload.”
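The chain Sophos describes (clean app launches clean app, second clean app side-loads the malicious DLL) is exactly the kind of thing a detection engineer can hunt for in image-load telemetry. The example below is added here and is not Sophos code or anything from the Dragon Breath report: it runs over a constructed set of events loosely modelled on Sysmon process-create and image-load records (the field names, paths and signer names are this example's own assumptions), flags a signed process resolving a DLL from its own directory with a different or missing signature, and then walks the parent tree to count how many clean, signed stages preceded the load.

```python
import ntpath

# Constructed telemetry loosely modelled on Sysmon process-create (EID 1) and
# image-load (EID 7) events. Paths, signer names and the field layout are this
# example's own, not Sysmon's schema and not indicators from the Sophos report.
EVENTS = [
    # stage 1: a legitimately signed app dropped into a user-writable directory
    {"type": "process", "guid": "P1", "parent": None,
     "image": r"C:\Users\u\AppData\Local\Temp\stage1.exe", "signer": "Vendor A"},
    # stage 2: stage 1 launches a second clean, signed app from the same directory
    {"type": "process", "guid": "P2", "parent": "P1",
     "image": r"C:\Users\u\AppData\Local\Temp\stage2.exe", "signer": "Vendor B"},
    # stage 2 resolves a DLL from its own directory; it is unsigned: the malicious loader
    {"type": "imageload", "guid": "P2",
     "loaded": r"C:\Users\u\AppData\Local\Temp\helper.dll", "signer": None},
    {"type": "imageload", "guid": "P2",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signer": "Microsoft Windows"},
    # benign control: a signed app loading its own vendor-signed DLL
    {"type": "process", "guid": "P3", "parent": None,
     "image": r"C:\Program Files\Acme\acme.exe", "signer": "Acme"},
    {"type": "imageload", "guid": "P3",
     "loaded": r"C:\Program Files\Acme\acmehelper.dll", "signer": "Acme"},
]


def same_dir(a, b):
    """Case-insensitive comparison of the directories of two Windows paths."""
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def is_sideload(proc, load):
    """A signed process resolving a DLL from its own directory whose signer
    is absent or differs from the host process's signer."""
    if proc["signer"] is None:
        return False
    signer_mismatch = load["signer"] is None or load["signer"] != proc["signer"]
    return same_dir(load["loaded"], proc["image"]) and signer_mismatch


def find_sideload_chains(events):
    """Return one finding per side-loaded DLL, with the chain of clean signed
    executables (launched from the same directory) that led to it."""
    procs = {e["guid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] != "imageload":
            continue
        proc = procs.get(e["guid"])
        if proc is None or not is_sideload(proc, e):
            continue
        # Walk up the parent tree while each ancestor is also a signed binary
        # living in the loader's directory: that is the "double clean app" twist.
        chain = [proc["image"]]
        cur = proc
        while cur["parent"] in procs:
            parent = procs[cur["parent"]]
            if parent["signer"] is None or not same_dir(parent["image"], proc["image"]):
                break
            chain.insert(0, parent["image"])
            cur = parent
        findings.append({"dll": e["loaded"], "chain": chain, "clean_stages": len(chain)})
    return findings


if __name__ == "__main__":
    for f in find_sideload_chains(EVENTS):
        print(f"{f['clean_stages']} clean stage(s) -> {f['dll']}")
        for stage in f["chain"]:
            print("   ", stage)
```

A single clean stage is ordinary side-loading and will produce noise from legitimate installers; a chain of two or more signed executables from the same user-writable directory ending in an unsigned DLL is far rarer and worth an alert. The benign control (a vendor-signed DLL next to the same vendor's executable) is deliberately not flagged.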
Fortinet warns of a spike in attacks against TBK DVR devices
FortiGuard Labs is warning of a spike in attacks targeting TBK DVR devices. According to Security Affairs, “TBK Vision is a video surveillance company that provides network CCTV devices and other related equipment, including DVRs for the protection of critical infrastructure facilities.” The activity centers on exploitation of a five-year-old authentication bypass, tracked as CVE-2018-9995 (CVSS score 9.8), in TBK DVR devices, which stems from “an error when handling a maliciously crafted HTTP cookie.” A remote attacker can obtain administrative privileges and gain access to camera video feeds. According to the company, it has over 600,000 cameras and 50,000 recorders installed worldwide across sectors such as banking, retail, and government, sold under a range of brand names.
Decoy Dog malware targets enterprise networks
The appropriately named Decoy Dog is evasive and, according to The Hacker News, “employs techniques like strategic domain aging and DNS query dribbling, wherein a series of queries are transmitted to the command-and-control (C2) domains so as to not arouse any suspicion.” In an advisory published late last month, Infoblox described Decoy Dog as a “cohesive toolkit with a number of highly unusual characteristics that make it uniquely identifiable, particularly when examining its domains on a DNS level,” adding that its atypical characteristics allowed it to map additional domains that are part of the attack infrastructure.
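Both characteristics quoted above are visible in resolver logs: a long-registered domain that suddenly appears in an organization's queries (aging), and a slow, evenly spaced trickle of lookups from one host (dribbling). The example below is added here and is not Infoblox's tooling or any Decoy Dog indicator: it parses a constructed query log, groups lookups per client and registrable domain, scores the regularity of the gaps between queries, and checks domain age against a constructed registration table. The thresholds and the domain names are this example's own assumptions; a real pipeline would pull registration dates from WHOIS/RDAP or passive DNS and use the public suffix list rather than the naive two-label domain split used here.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed query log in a flat "timestamp client qname" shape. The domains are
# placeholders for this example, not Decoy Dog infrastructure.
LOG = """
2023-04-20T00:03:10 10.0.0.5 updates.contoso-sync.example
2023-04-20T06:03:12 10.0.0.5 updates.contoso-sync.example
2023-04-20T12:03:09 10.0.0.5 updates.contoso-sync.example
2023-04-20T18:03:11 10.0.0.5 updates.contoso-sync.example
2023-04-21T00:03:10 10.0.0.5 updates.contoso-sync.example
2023-04-20T09:00:00 10.0.0.5 www.example.org
2023-04-20T09:00:02 10.0.0.5 www.example.org
2023-04-20T09:00:03 10.0.0.5 cdn.example.org
2023-04-20T14:17:45 10.0.0.5 www.example.org
""".strip()

# Constructed registration dates (assumption: a real pipeline fills this from
# WHOIS/RDAP or passive DNS first-seen data).
REGISTERED = {
    "contoso-sync.example": datetime(2021, 1, 15),
    "example.org": datetime(2010, 1, 1),
}


def parse_log(text):
    """Parse 'timestamp client qname' lines into (datetime, client, qname)."""
    recs = []
    for line in text.splitlines():
        ts, client, qname = line.split()
        recs.append((datetime.fromisoformat(ts), client, qname.lower().rstrip(".")))
    return recs


def base_domain(qname):
    """Naive registrable-domain approximation (last two labels)."""
    return ".".join(qname.split(".")[-2:])


def find_dribbling(recs, registered, min_queries=4, min_gap_s=3600,
                   max_cv=0.1, min_age_days=365):
    """Flag (client, domain) pairs that show a slow, regular query trickle to a
    domain registered long before the first lookup seen locally."""
    by_key = defaultdict(list)
    for ts, client, qname in recs:
        by_key[(client, base_domain(qname))].append(ts)

    findings = []
    for (client, domain), times in by_key.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg < min_gap_s:           # bursts of lookups are normal browsing, not a dribble
            continue
        cv = pstdev(gaps) / avg        # coefficient of variation: low means metronomic
        if cv > max_cv:
            continue
        reg = registered.get(domain)
        if reg is None:                # unknown registration: cannot score aging, skip
            continue
        age_days = (times[0] - reg).days
        if age_days < min_age_days:
            continue
        findings.append({"client": client, "domain": domain, "queries": len(times),
                         "mean_gap_s": round(avg), "age_days": age_days})
    return findings


if __name__ == "__main__":
    for f in find_dribbling(parse_log(LOG), REGISTERED):
        print(f"{f['client']} -> {f['domain']}: {f['queries']} queries every "
              f"~{f['mean_gap_s']}s, domain aged {f['age_days']} days before first seen")
```

The contrasting traffic to example.org (a burst of three lookups followed by one hours later) fails the regularity test and is not reported, while the six-hourly beacon to the aged domain is. In production the regularity score is the part worth tuning: legitimate software updaters also beacon on fixed schedules, so this signal is best combined with volume (how few hosts query the domain) and the aging check rather than used alone.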
Last week in ransomware
Last week’s ransomware news was dominated by a Royal ransomware attack on the City of Dallas, as well as extortionists taunting Western Digital by leaking emails and documents from its response to the cyberattack. Pediatric mental health provider Brightline disclosed that it suffered a Clop GoAnywhere breach. ALPHV/BlackCat claimed to have attacked Constellation Software. AvosLocker hijacked Bluefield University’s emergency campus alert system to send SMS texts and email alerts to staff and students about their data being stolen.