Cyber Security Headlines: Google email authentication, SEC data breaches, Clop asks victims to email

Google improves brand email authentication 

Brand impersonation via email is a tale as old as time. Last month, Google thought it had cracked the nut with its Brand Indicators for Message Identification. Effectively, this would provide a blue authentication check mark for brands enrolled in the program. 

Security professional Chris Plummer raised alarms that Google’s original approach could be open to abuse, saying it makes users much more likely to act on the content of erroneously verified messages. He cited an email verified as coming from UPS that hit his inbox but was in fact a scam. This pairs with the advice of security researcher Alex Liu, who noted that malicious actors generally adopt these types of new protocols quickly in hopes of slipping through the cracks. In response to Plummer’s findings, Google now requires brands to use the more robust DomainKeys Identified Mail authentication standard to qualify for its verification system.  

(CyberScoop)

SEC drops cases due to data protection failures

The US Securities and Exchange Commission dismissed 42 cases because its staff had accessed documents intended only for judges. This came after a review that began back in April 2022, when it disclosed two other cases that broke similar legal rules. Due to insufficient safeguards within the agency, staffers could download restricted databases and share access through internal memos. The SEC said it found “no evidence that the control deficiency resulted in harm to any respondent or affected the Commission’s adjudication in any proceeding.”

(The Register)

Clop asks victims to contact it for a ransom

Usually, in the all-too-common ransomware dance, the organization behind an attack will leave a ransom note or otherwise contact a victim with payment demands. However, the Clop ransomware gang is trying a new tactic. The group took credit for the recent breach of the MOVEit managed file transfer service. It posted a notice on its leak site advising impacted organizations to email the group for ransom demands by June 14th, or it will publish data stolen in these attacks. Victims allegedly include the BBC, British Airways, and the Nova Scotia Government. Some security experts suspect this new approach may be a result of Clop exfiltrating so much data that it would be easier for impacted organizations to contact it instead. 

(BBC)

GPT comes to Azure Government

We’ve seen concerns from various organizations about generative AI leading to data leaks. In response, some organizations banned using tools like ChatGPT. And we’ve heard Microsoft plans to offer private ChatGPT servers as a response. Now Microsoft has also added the popular OpenAI language models GPT-3 and GPT-4 to its Azure Government service. Various US government departments use Azure Government. The Defense Department’s Defense Technical Information Center confirmed it will be experimenting with using the models in Azure. This offering won’t include ChatGPT, although Microsoft says customers can access the models through a chat-like interface. 

(Bloomberg)

And now a word from our sponsor, Trend Micro

Hybrid work, cloud adoption, and shadow IT have introduced new cybersecurity risks to organizations. Security leaders are left asking, “How can I manage our expanding attack surface?”

Trend Micro, the global leader in cybersecurity, is bringing the cyber risk conversation to more than 120 cities in their “Risk to Resilience World Tour.”

Hear from experts on the latest threat landscape trends, solutions, and platform strategies to manage risk and defend your organization with speed and accuracy. Find the closest city to you and register today to take a leap towards a more resilient future.

Head to trendmicro.com/cisoseries

CISA publishes remote access security guide

The US Cybersecurity and Infrastructure Security Agency published a guide to securing remote access software along with several partners, including the NSA, FBI, and Israel National Cyber Directorate. It highlights ways the agencies observed threat actors abusing remote access software, from spearphishing campaigns to weak passwords. It also sets out how and why organizations should establish security baselines for remote access software in order to better spot malicious actors. 

(InfoSecurity Magazine)

ByteDance accused of giving China activist data

In a US court filing, former ByteDance executive Yintao Yu claimed the company granted Chinese Communist Party members superuser credentials. This allowed them to identify and monitor users uploading “protest-related content” in Hong Kong. ByteDance did not employ these officials, although they allegedly operated out of ByteDance’s offices. According to Yu, most senior executives knew about this access. ByteDance denied these claims, calling them “baseless.” 

(BBC)

North Korean threat group expands social engineering

Security researchers from SentinelOne outlined these new tactics from the North Korean-linked APT Kimsuky in a recent report. These attacks focus on attempting to steal Google credentials and subscription credentials for a news and analysis service. The group used detailed email correspondence, faked URLs, and reconnaissance malware known as ReconShark in the approach. In one instance, the attackers directly impersonated the founder of a Korean news outlet, sending draft articles for review. With correspondence established, the attackers lured victims to faked URLs to steal the credentials. The researchers note this type of focused and detailed social engineering marks a new turn for the group. 

(InfoSecurity Magazine)

Senegal continues daily internet shutdowns

Last week, the popular Senegalese politician Ousmane Sonko was sentenced to two years in prison on charges of “corrupting the youth.” In response, protests erupted in the country, leading to the arrest of over 500 people. The country’s Interior Minister announced it would limit internet access to stop the spread of so-called “fake news” around the protests. NetBlocks and Cloudflare both confirmed the government imposed a curfew-like shutdown of internet service. Currently, blocks remain in place from 1pm to 2am across the country. The government initially tried to block access to specific social media platforms, but expanded the blocks to wider internet access when users turned to VPNs. 

(The Record)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.