Ransomwhere site hopes to provide transparency

Jack Cable, a security architect with the Krebs Stamos Group, noticed that nobody was collecting public data despite the bitcoin ledger being publicly viewable, so he launched a crowdsourced ransom payments tracking website called Ransomwhere. It provides a running total of ransoms paid out in bitcoin, using self-reported incidents of ransomware attacks. Cable reviews submissions for accuracy. The site doesn’t contain any personal or victim-identifying information. Security researchers and law enforcement officials can download the database for free. The site currently lists more than $32 million in ransom payments for 2021.


Microsoft to buy RiskIQ

Microsoft confirmed it intends to acquire the San Francisco startup, which provides threat intelligence and cloud-based software as a service. Bloomberg’s sources say the deal could be worth over $500 million. RiskIQ specializes in finding assets, devices and services that can be accessed outside of a company’s firewall, and its services will be rolled into Microsoft’s flagship security offerings. Microsoft said the acquisition will help its customers keep an eye out for supply chain attack risks.


The scope of China’s Great Firewall internet censorship

Academics at US and Canadian universities created a tool called GFWatch, which accessed domains from inside and outside China’s internet and looked at how the country’s Great Firewall impacted connections at the DNS level. Overall, 534 million distinct domains were tested, with 411 million domains checked daily. The researchers found that 311,000 domains were blocked overall, although 41,000 domains appear to have been blocked by accident. The accidental blocks appear to occur when authorities used a broad DNS filtering regular expression that did not account for cases where a shorter blocked domain is a substring of a larger, unrelated one. About 40% of blocked domains were new and awaiting categorization, with business-related content, pornography, and information technology the most commonly blocked domains after that.

(The Record)
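The over-blocking described above comes down to how a blocklist pattern is written. The following added example (not code from the GFWatch study or the show) contrasts an unanchored substring-style pattern with one anchored on label boundaries, using constructed domain names that stand in for a blocklist and a set of observed queries:

```python
import re

# Constructed sample data; hypothetical names, not domains from the GFWatch study.
BLOCKLIST = ["example.com", "badsite.net"]
OBSERVED = [
    "example.com",           # listed domain itself
    "www.example.com",       # subdomain of a listed domain
    "notexample.com",        # listed name is a suffix of a different registrable domain
    "example.com.safe.org",  # listed name is embedded inside a longer, unrelated domain
    "badsite.net",
    "mybadsite.net",
]


def overbroad_pattern(blocklist):
    """Unanchored alternation: matches a listed name anywhere inside a query name.

    This is the kind of broad regex that blocks unrelated domains by accident.
    """
    return re.compile("|".join(re.escape(b) for b in blocklist), re.IGNORECASE)


def anchored_pattern(blocklist):
    """Anchored at both ends and requiring a '.' label boundary before the listed
    name, so only the listed domain itself or one of its subdomains matches."""
    alts = "|".join(re.escape(b) for b in blocklist)
    return re.compile(rf"^(?:[^.]+\.)*(?:{alts})\.?$", re.IGNORECASE)


def blocked_by(pattern, domains):
    """Return the domains (in input order) that the given pattern would block."""
    return [d for d in domains if pattern.search(d)]


def accidental_blocks(blocklist, domains):
    """Domains the broad pattern blocks that the label-boundary pattern would not."""
    broad = set(blocked_by(overbroad_pattern(blocklist), domains))
    intended = set(blocked_by(anchored_pattern(blocklist), domains))
    return sorted(broad - intended)


if __name__ == "__main__":
    print("broad:     ", blocked_by(overbroad_pattern(BLOCKLIST), OBSERVED))
    print("anchored:  ", blocked_by(anchored_pattern(BLOCKLIST), OBSERVED))
    print("accidental:", accidental_blocks(BLOCKLIST, OBSERVED))
```

The same check is useful on the defensive side: any DNS filter or RPZ-style blocklist should be tested against names that merely contain a listed domain, so that an entry for one site does not silently cut off unrelated ones.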

ByteDance delays IPO over “data-security concerns”

The Wall Street Journal’s sources say ByteDance indefinitely suspended its plans to go public after Chinese government officials advised the company to address data-security risks. The company had reportedly been mulling a listing in the U.S. or Hong Kong, and ByteDance founder Zhang Yiming decided to delay the listing in late March. This comes as large tech platforms have increasingly come under scrutiny in the country, with the company Didi facing app delistings and security audits in the wake of its recent IPO. The country also recently updated its regulatory laws to require government approval of all foreign stock listings.


Thanks to our episode sponsor,

Still in the news is REvil’s ransomware attack on Kaseya VSA servers. Varonis is here to help mitigate the blast radius of such attacks. Want a step-by-step guide on what you should be looking for? Visit varonis.com/risk to help make sure your data is protected.

Door-to-door Trickbot replacements

The Daily Beast reports that Microsoft worked with ISPs to visit people’s houses in Brazil and elsewhere in Latin America to replace routers compromised by the Trickbot malware. This comes as the cybersecurity firm Bitdefender reports there is evidence of increased Trickbot activity, with malware updating for further intelligence gathering and victim monitoring. Microsoft claimed to have cut off 94 percent of Trickbot’s server infrastructure in 2020 ahead of the US election.

(The Daily Beast)

Microsoft defends its PrintNightmare patch

Microsoft clarified that its patch for the PrintNightmare vulnerability “is working as designed and is effective.” Last week we reported how security researchers developed a way around the patch. Microsoft says those bypasses relied on an insecure configuration of a registry setting related to Point and Print. Microsoft encourages all Windows users to apply the patch and offers guidance on the registry settings needed to make sure your system is secure. Microsoft also announced it had awarded $13.6 million in bug bounties to security researchers over the past 12 months, about the same as last year and the highest number reported by any vendor for yearly payouts.

(Bleeping Computer)

Emotet compromised emails recovered

The security firm Spamhaus announced over 780,000 email accounts compromised by the pernicious botnet have been recovered. The company received a list of 1.3 million compromised email addresses from a law enforcement partner, and began reaching out in April to the owning organizations and service providers to reset passwords and secure them. After reaching out to 22,000 domain owners, the company was able to secure 60% of the impacted addresses.

(The Record)

Kaseya starts patch rollout

The company began the rollout of a patch to its VSA remote monitoring software, which had been compromised as part of a supply chain attack and had been offline since early July. An initial attempt was made to relaunch SaaS servers on July 6, but it was pushed back due to further technical problems. 95% of the company’s SaaS customers are now live, with the company pledging to bring the remaining customers on in the coming hours. On-prem customers also have a VSA patch available, and Kaseya is providing technical help to make sure the patch is applied. The patched version does lose API endpoint functionality, as the company is currently working to redesign API calls with “the highest level of security.”