US recovers millions in cryptocurrency paid to Colonial Pipeline ransomware hackers

This follows the attack which prompted the shutdown of the key East Coast pipeline last month. The Justice Department is expected on Monday to announce details of the operation led by the FBI with the cooperation of the Colonial Pipeline operator, people briefed on the matter said. Although the company paid the ransom to restore operations, behind the scenes it had notified the FBI and followed instructions that helped investigators track the payment to a cryptocurrency wallet used by the hackers, who are believed to be based in Russia. CNN earlier reported that federal agencies are adept at tracing currency used to pay ransomware groups, but that their ability to do so effectively is “situationally dependent” and relies a great deal on how the ransomware organizations manage their operational network.

(CNN)

US Energy chief cites risk of cyberattacks crippling power grid

In a related story that predates the ransomware recovery, Energy Secretary Jennifer Granholm on Sunday called for more public-private cooperation on cyber defenses and said U.S. adversaries are already capable of using cyber intrusions to shut down the U.S. power grid. Without mentioning Colonial Pipeline by name, she suggested that private and public sector organizations should not pay ransoms, because it “only encourages the bad guys,” and she said she was personally in favor of a law that would ban their payment. Asked whether American adversaries have the capability now of shutting down the U.S. power grid, she said: “Yes, they do.”

(SecurityWeek)

Researchers discover first known malware targeting Windows containers

Dubbed Siloscape, the malware targets Windows Server containers to infect Kubernetes clusters in cloud environments. According to Unit 42 researcher Daniel Prizmant, “its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers such as, but not limited to, cryptojacking. Unlike most cloud malware, which mostly focuses on resource hijacking and denial of service (DoS), Siloscape doesn’t limit itself to any specific goal, instead, it opens a backdoor to all kinds of malicious activities,” he said.

(The Hacker News)

New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions

In April, as we reported, the Washington DC Police department was hacked by the Babuk gang, who shortly afterwards announced they were quitting ransomware encryption to instead focus on data theft and extortion. At the end of May, the Babuk data leak site had a design refresh and rebrand, now calling itself “payload bin.” It now appears that to circumvent sanctions imposed upon Evil Corp by the US government regarding ransomware payments, Evil Corp is now distributing ransomware called PayloadBIN, which will likely just add PayloadBIN to the same sanctions list. This will likely be a continuing story.

(Bleeping Computer)

Thanks to our episode sponsor, Trend Micro

Want to discover new ways to simplify and strengthen your security? Join Trend Micro Perspectives on June 16, where industry experts and practitioners will share deep insights and real-world examples on how security can play a pivotal role in accelerating your digital transformation. Featuring speakers from Gartner, Forrester, ESG, AWS, and Microsoft. Visit TrendMicro.com/Perspectives today to register.

New South Wales Health confirms data breached due to Accellion vulnerability

The file transfer system owned by Accellion is widely used by organizations around the world to share and store files, including NSW Health, the government entity said on Friday afternoon. A spokesperson for the Australian state entity said medical records in public hospitals were not affected and that the software involved is no longer in use by NSW Health; however, other types of information, including identity information and in some cases health-related personal information, were included in the attack.

(ZDNet)

Fujifilm refuses to pay ransomware demand, restores network from backups

The Japanese multinational said it has refused to pay a ransom demand to the cyber gang that attacked its network in Japan last week and is instead relying on backups to restore operations. The company’s computer systems in the US, Europe, the Middle East and Africa are now “fully operational and back to business as usual”, a Fujifilm spokesperson said. Fujifilm would not comment on the amount demanded by the ransomware gang.

(Verdict)

Apple updates AirTags after stalking fears

AirTags were released in April and were promoted as a way for people to keep track of their belongings. However, critics warned that the coin-sized tracker could easily be used to monitor someone’s real-time location by slipping it into a person’s bag or pocket. Following the update, an AirTag that is away from its owner’s iPhone will beep at a random time between eight and 24 hours after separation.

(BBC News)

Model sues law firm over data breach

A fashion model is suing Baltimore-based law firm Goldberg Segalla for allegedly exposing her personal data when filing records in a different data breach lawsuit. Stephanie Hoffman claims the firm leaked her information twice on the Public Access to Court Electronic Records (PACER) service. Goldberg Segalla is representing Hoffman’s former modeling agency, Major Model Management Inc (MMMI), in an ongoing proposed class-action lawsuit concerning an alleged data breach. That suit, which was also brought by Hoffman, accuses MMMI of failing to adhere to state laws when collecting and storing the personal information of the models it contracted with. The model said that she has been told by prospective employers and third-party credit institutions that her Social Security number “is being used for fraudulent criminal activity.”

(InfoSecurity)