Cyber Security Headlines: LockBit dominates ransomware, CISA on voting integrity, ransomware reporting

LockBit dominates ransomware

According to Deep Instinct’s 2022 Interim Cyber Threat Report, LockBit accounted for 44% of all ransomware campaigns in the year so far. This compares to 23% of campaigns attributed to Conti and 21% to Hive. The report also corroborated trends we’ve seen in 2022, like threat actors increasingly turning away from document files to spread malware and toward LNK files and archive email attachments. This comes as a result of Microsoft disabling macros by default in Office documents. The report also predicted a rise in so-called “protestware” over the next 12 months, with organizations self-sabotaging their software to weaponize it as malware.

(InfoSecurity Magazine)

CISA on voting integrity 

The Cybersecurity and Infrastructure Security Agency said the agency and the Biden administration have done “everything we can” to protect election infrastructure ahead of Election Day. Director Jen Easterly said CISA received “no information credible or specific about efforts to disrupt or compromise” election systems, saying that any information out there is disinformation meant to sow discord among Americans. Easterly also said the administration remained “concerned about Russia, and Iran, and China trying to influence our elections.” She cautioned there will be errors or glitches in some places, but that such things happen in every election.

(CyberScoop)

A call for more ransomware reporting

If you listen to Cyber Security Headlines every day, it may seem like quite a few ransomware attacks get reported. According to the National Cyber Security Centre Annual Review for 2022, many ransomware events required a “nationally coordinated” response in the year, but getting a handle on the true scope of ransomware remains problematic due to spotty reporting. A lack of reporting gives attackers more leverage to demand payment for not leaking exfiltrated data, even with little guarantee that cyber criminals will keep their word. Rather than something to be hushed up, the report recommends that “organizations treat cyber security as a genuine, board-level risk to be managed.”

(ZDNet)

Twitter content moderation teams limited ahead of elections

Bloomberg’s sources say that many Twitter employees on its Trust and Safety team are unable to alter or penalize accounts breaking rules around misinformation and hate speech. The only exception appears to be for high-impact violations involving real-world harm, which receive manual review. Some workers received access to internal tools over the weekend to enforce policies around Brazil’s presidential election, but only in a limited capacity. Twitter’s automated tools remain in effect, but taking action on what they flag requires human input. Twitter partner Dataminr noted that over the weekend, the site saw a 1700% spike in the use of a racist slur on the platform.

(Bloomberg)

Thanks to today’s episode sponsor, Votiro

UFOs are everywhere. They’re in your applications, cloud storage, endpoints, and emails.

That’s right – UFOs – Unidentified File Objects – are hiding in files across your organization. UFOs can contain malware that exfiltrates data or deploys ransomware. And 70% of UFOs can’t be detected by traditional scanning solutions like Anti-Virus and Sandboxing. That’s where Votiro comes in. Votiro prevents UFOs before they hitch a ride in on files – without detection, and without slowing down business.

Do you believe? Learn more at Votiro.com/UFOs

UK intel helping defend Ukraine

The British government confirmed that its GCHQ intelligence agency contributes to Ukraine’s defense against ongoing Russian cyberattacks. The Foreign Office provided £6.35 million as part of the Ukraine Cyber Programme support package back in February. Part of GCHQ’s support includes providing incident response support for Ukraine’s government, as well as access to hardware and software solutions. The US Cyber Command previously confirmed it deployed staff in Ukraine ahead of Russia’s invasion to provide similar support.

(The Record)

OpenSSL patches out

The widely used OpenSSL library released versions 1.1.1s and 3.0.7 to address security vulnerabilities. The 3.0.7 version patches a highly publicized security flaw, although OpenSSL downgraded the severity from critical to high after discovery. However, in the process of patching it, developers discovered a second high-severity bug, which also received a patch in the release. Both bugs lie in TLS certificate verification, where a malformed TLS certificate can trigger a stack overflow. These would be hard to exploit for remote code execution, but could easily be weaponized into a denial of service attack.

(Sophos)
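The practical question for most teams after an item like this is simply whether the OpenSSL build they run is at or behind the fixed releases named above. The following is an added example, not code from the OpenSSL project or the podcast, that parses the banner printed by `openssl version` and compares it against 1.1.1s and 3.0.7. The sample banners are constructed, and the branch-to-fixed-release table is taken from the releases named in the item, not from any wider advisory.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed releases named in the item above, keyed by release branch.
# Assumption: only these two branches are of interest; anything else is reported as "unknown".
FIXED = {
    "1.1.1": (1, 1, 1, "s"),
    "3.0": (3, 0, 7, ""),
}

# Matches "OpenSSL 3.0.6 ..." and "OpenSSL 1.1.1r ..." style banners.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Extract (major, minor, patch, letter) from an `openssl version` banner.
    Returns None when the banner is not an OpenSSL banner (e.g. LibreSSL)."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def branch_of(version: Tuple[int, int, int, str]) -> Optional[str]:
    """Map a parsed version to one of the branches in FIXED, or None."""
    major, minor, patch, _ = version
    if (major, minor, patch) == (1, 1, 1):
        return "1.1.1"
    if (major, minor) == (3, 0):
        return "3.0"
    return None


def needs_update(banner: str) -> Optional[bool]:
    """True if the build is older than the fixed release for its branch,
    False if it is at or after it, None if the banner is unparseable or the
    branch is not one of the two named in the item.

    Tuple comparison handles both the numeric patch level (3.0.6 < 3.0.7)
    and the 1.1.1 letter suffix ("r" < "s")."""
    version = parse_openssl_version(banner)
    if version is None:
        return None
    branch = branch_of(version)
    if branch is None:
        return None
    return version < FIXED[branch]


def check_installed() -> Optional[bool]:
    """Run `openssl version` on this host and classify the result.
    Caveat: distributions that backport fixes may keep an older version
    string, so treat a True here as a prompt to check the vendor changelog,
    not as proof of exposure."""
    result = subprocess.run(
        ["openssl", "version"], capture_output=True, text=True, check=False
    )
    return needs_update(result.stdout)


if __name__ == "__main__":
    # Constructed sample banners, not output captured from any real host.
    for sample in [
        "OpenSSL 3.0.6 (constructed sample)",
        "OpenSSL 3.0.7 (constructed sample)",
        "OpenSSL 1.1.1r (constructed sample)",
        "OpenSSL 1.1.1s (constructed sample)",
        "LibreSSL 3.3.6 (constructed sample)",
    ]:
        print(f"{sample!r:45} needs_update={needs_update(sample)}")
    print("this host:", check_installed())
```

Because the decision is made from a string, the check is only a first pass: on distributions that backport patches into an older version number, the banner will look out of date even after the fix has been applied, so confirm against the vendor's package changelog before raising a ticket.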

SandStrike spyware hits Android 

Researchers at Kaspersky highlighted this new spyware, which focuses on Persian-speaking practitioners of the Baháʼí Faith. The attackers spread a malicious VPN app through social media accounts, marketed as a way to get around religious censorship. Ads link back to Telegram channels to download the app. The app actually operates its own VPN infrastructure, but also installs the spyware, exfiltrating sensitive data like call logs and contact lists. It’s unclear what specific threat group operates SandStrike.

(Bleeping Computer)

CISA publishes MFA guidelines

The agency published two fact sheets on the subject, urging all organizations to implement multi-factor authentication as a way to protect against phishing and other advanced cyber threats. One fact sheet deals with ways threat actors get around more limited MFA implementations, like phishing, push notification fatigue, and SIM swapping. It recommends using MFA solutions based on FIDO and public key infrastructure. The other further outlines how to defend push notification-based MFA if it is the only option, specifically highlighting number matching. CISA says this approach helps mitigate MFA fatigue in users.

(InfoSecurity Magazine)
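To make concrete why number matching blunts push fatigue, here is an added toy model of a push-MFA approval server (example code written for this page, not CISA's or any vendor's implementation). In plain push mode the server accepts a bare "approve"; in number-matching mode the login screen shows a number and the approval must carry that same number, so a user tapping through a flood of prompts for a login they never started cannot complete it. The class and method names, the two-digit number space, and the rejection counter (a cheap signal for alerting on prompt bombing) are all assumptions of this example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PushChallenge:
    """One pending push prompt tied to a login attempt.
    `number` is shown on the login screen when number matching is enabled;
    it is None in plain push mode."""
    session_id: str
    number: Optional[int]
    approved: bool = False


class PushMfaServer:
    """Toy authentication server (constructed for illustration)."""

    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self.pending: Dict[str, PushChallenge] = {}
        # Count of prompts rejected for a wrong/missing number: repeated
        # rejections for one user are a useful detection signal for fatigue attacks.
        self.rejections = 0

    def start_login(self, session_id: str) -> PushChallenge:
        """Create a prompt for a login attempt. With number matching, the number
        is generated here and shown only on the login screen, never in the push."""
        number = secrets.randbelow(100) if self.number_matching else None
        challenge = PushChallenge(session_id, number)
        self.pending[session_id] = challenge
        return challenge

    def approve(self, session_id: str, entered: Optional[int] = None) -> bool:
        """Handle the app's approval for a prompt. Returns True only when the
        login may proceed. A prompt is consumed on the first answer either way."""
        challenge = self.pending.pop(session_id, None)
        if challenge is None:
            return False
        if self.number_matching and entered != challenge.number:
            # Wrong or missing number: the approver did not see the login screen.
            self.rejections += 1
            return False
        challenge.approved = True
        return True


def blind_approve(server: PushMfaServer, session_id: str) -> bool:
    """Model a fatigued user who taps 'approve' without having started the
    login and therefore without knowing the number on the login screen."""
    return server.approve(session_id, entered=None)


def legitimate_login(server: PushMfaServer, session_id: str) -> bool:
    """Model the real user, who reads the number off their own login screen."""
    challenge = server.start_login(session_id)
    return server.approve(session_id, entered=challenge.number)


if __name__ == "__main__":
    plain = PushMfaServer(number_matching=False)
    plain.start_login("unrequested-1")
    print("plain push, blind approve succeeds:", blind_approve(plain, "unrequested-1"))

    matched = PushMfaServer(number_matching=True)
    matched.start_login("unrequested-2")
    print("number matching, blind approve succeeds:", blind_approve(matched, "unrequested-2"))
    print("number matching, legitimate login succeeds:", legitimate_login(matched, "mine"))
    print("rejections recorded:", matched.rejections)
```

The design point is that the number travels over the channel the attacker does not control: it appears on the screen of whoever initiated the login, and the approval must echo it back. That is also why the rejection counter is worth keeping; a burst of number mismatches for one account is exactly what a fatigue campaign looks like from the server side.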

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.