LockBit dominates ransomware
According to Deep Instinct’s 2022 Interim Cyber Threat Report, LockBit accounted for 44% of all ransomware campaigns in the year so far, compared with 23% of campaigns attributed to Conti and 21% to Hive. The report also corroborated trends we’ve seen in 2022, such as threat actors increasingly turning away from document files to spread malware and toward LNK files and archive email attachments, a shift driven by Microsoft disabling macros by default in Office documents. The report also predicted a rise in so-called “protestware” over the next 12 months, with organizations self-sabotaging their own software to weaponize it as malware.
CISA on voting integrity
The Cybersecurity and Infrastructure Security Agency said the agency and the Biden administration have done “everything we can” to protect election infrastructure ahead of Election Day. Director Jen Easterly said CISA received “no information credible or specific about efforts to disrupt or compromise” election systems, and that any claims to the contrary are disinformation meant to sow discord among Americans. Easterly also said the administration remained “concerned about Russia, and Iran, and China trying to influence our elections.” She cautioned that there will be errors or glitches in some places, but that such things happen in every election.
A call for more ransomware reporting
If you listen to cyber security headlines every day, it may seem like quite a few ransomware attacks get reported. According to the National Cyber Security Centre Annual Review for 2022, many ransomware events required a “nationally coordinated” response in the year, yet getting a handle on the true scope of ransomware remains problematic due to spotty reporting. A lack of reporting gives attackers more leverage to demand payment in exchange for not leaking exfiltrated data, even though there is little guarantee that cyber criminals will keep their word. Rather than treating incidents as something to be hushed up, the report recommends that “organizations treat cyber security as a genuine, board-level risk to be managed.”
Twitter content moderation teams limited ahead of elections
Bloomberg’s sources say that many Twitter employees on its Trust and Safety team are unable to alter or penalize accounts breaking rules around misinformation and hate speech. The only exception appears to be high-impact violations involving real-world harm, which still receive manual review. Some workers received access to internal tools over the weekend to enforce policies around Brazil’s presidential election, but only in a limited capacity. Twitter’s automated tools remain in effect, but acting on what they flag requires human input. Twitter partner Dataminr noted that over the weekend, the site saw a 1700% spike in the use of a racist slur on the platform.
Thanks to today’s episode sponsor, Votiro
UK intel helping defend Ukraine
The British government confirmed that its GCHQ intelligence agency contributes to Ukraine’s defense against ongoing Russian cyberattacks. The Foreign Office provided £6.35 million as part of the Ukraine Cyber Programme support package back in February. GCHQ’s support includes incident response assistance for Ukraine’s government, as well as access to hardware and software solutions. US Cyber Command previously confirmed it deployed staff to Ukraine ahead of Russia’s invasion to provide similar support.
OpenSSL patches out
The widely used OpenSSL project released versions 1.1.1s and 3.0.7 to address security vulnerabilities. The 3.0.7 release patches a highly publicized security flaw, although OpenSSL downgraded its severity from critical to high after further analysis. In the process of patching it, developers discovered a second high-severity bug, which is also fixed in the release. Both bugs are triggered during TLS certificate verification, where a malformed TLS certificate can cause a stack overflow. These would be hard to exploit for remote code execution, but could easily be weaponized into a denial of service attack.
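The practical follow-up to a story like this is an inventory check: which hosts run a 3.0.x older than 3.0.7, or a 1.1.1 older than 1.1.1s? The script below is an added example, not OpenSSL's own tooling; it parses the banner that `openssl version` prints and applies only the two release thresholds named in the story above. The 1.1.1 branch uses letter suffixes (1.1.1q, 1.1.1r, 1.1.1s), which sort alphabetically, while the 3.0 branch uses a numeric patch level, so the two are compared differently. The sample banners in the test are constructed.

```python
import re
import subprocess
from typing import Tuple

# Thresholds taken from the story above: 3.0.7 and 1.1.1s are the releases that
# carry the fixes. Any other branch is out of scope for this check.
FIXED_3_0 = (3, 0, 7)
FIXED_1_1_1_LETTER = "s"

# Matches "OpenSSL 3.0.5 5 Jul 2022" and "OpenSSL 1.1.1q  5 Jul 2022".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner: str) -> Tuple[int, int, int, str]:
    """Parse an `openssl version` banner into (major, minor, patch, letter).

    The letter component is empty for 3.x releases and for a bare 1.1.1.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4)


def needs_update(banner: str) -> bool:
    """True if the banner is a 3.0.x below 3.0.7 or a 1.1.1 below 1.1.1s.

    Branches the story does not cover return False rather than guessing.
    """
    major, minor, patch, letter = parse_version(banner)
    if (major, minor) == (3, 0):
        return (major, minor, patch) < FIXED_3_0
    if (major, minor, patch) == (1, 1, 1):
        # Letter releases sort alphabetically; '' (the base 1.1.1) sorts first.
        return letter < FIXED_1_1_1_LETTER
    return False


def check_local_openssl() -> str:
    """Run `openssl version` on this host and report UPDATE or OK."""
    out = subprocess.run(
        ["openssl", "version"], capture_output=True, text=True, check=True
    ).stdout
    return "UPDATE" if needs_update(out) else "OK"


if __name__ == "__main__":
    print(check_local_openssl())
```

Run it on each host (or feed it banners collected by your configuration management tool) and treat any `UPDATE` result as a patching ticket; the denial-of-service angle the story mentions means an unpatched host that validates client or peer certificates is exposed even where remote code execution is impractical.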
SandStrike spyware hits Android
Researchers at Kaspersky highlighted this new spyware, which targets Persian-speaking practitioners of the Baháʼí Faith. The attackers spread a malicious VPN app through social media accounts, marketing it as a way to get around religious censorship, with ads linking back to Telegram channels that host the download. The app does operate its own VPN infrastructure, but it also installs the spyware, which exfiltrates sensitive data like call logs and contact lists. It’s unclear which threat group operates SandStrike.
CISA publishes MFA guidelines
The agency published two fact sheets on the subject, urging all organizations to implement multi-factor authentication as a way to protect against phishing and other advanced cyber threats. One fact sheet covers the ways threat actors get around weaker MFA implementations, such as phishing, push notification fatigue, and SIM swapping, and recommends MFA solutions based on FIDO and public key infrastructure. The other outlines how to harden push notification-based MFA if it is the only option, specifically highlighting number matching. CISA says this approach helps mitigate MFA fatigue among users.
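To show why number matching blunts push fatigue, here is an added example of the server side of a number-matching push flow, written as a small simulation; it is not CISA's or any vendor's code, and the class names, the 60-second challenge lifetime, and the single-attempt policy are assumptions of this example. After the password step, the login page displays a two-digit number and sends a push; the authenticator app only completes the login if the user types that same number. A plain "Approve" tap, which is all a fatigued user would give an attacker who keeps triggering pushes, carries no number and is rejected.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PushChallenge:
    """One outstanding push for a user (constructed for this example)."""
    user: str
    number: str      # two-digit code shown on the login screen, e.g. "37"
    created: float   # monotonic timestamp, used for expiry


class NumberMatchingPush:
    """Toy server side of number-matching push MFA (assumed design)."""

    TTL_SECONDS = 60  # assumed challenge lifetime

    def __init__(self) -> None:
        self._pending: Dict[str, PushChallenge] = {}

    def start_login(self, user: str) -> str:
        """Called after a correct password. Returns the number to display."""
        number = f"{secrets.randbelow(100):02d}"
        self._pending[user] = PushChallenge(user, number, time.monotonic())
        return number

    def approve_push(self, user: str, typed: Optional[str]) -> bool:
        """Called from the authenticator app.

        typed is the number the user entered, or None for a bare Approve tap.
        Any outcome other than a fresh, matching number consumes the challenge,
        so repeated blind taps or guesses cannot eventually succeed.
        """
        challenge = self._pending.pop(user, None)
        if challenge is None:
            return False  # nothing pending: an unsolicited approval
        if time.monotonic() - challenge.created > self.TTL_SECONDS:
            return False  # stale push
        if typed is None:
            return False  # bare Approve: exactly the push-fatigue case
        return hmac.compare_digest(typed, challenge.number)


def simulate_blind_approvals(server: NumberMatchingPush, user: str, pushes: int = 5) -> int:
    """Model push fatigue: the attacker holds the password and triggers pushes,
    and the user taps Approve each time without looking at the login screen.
    Returns how many of those approvals actually completed a login."""
    successes = 0
    for _ in range(pushes):
        server.start_login(user)            # attacker triggers a push
        if server.approve_push(user, None):  # user taps Approve blindly
            successes += 1
    return successes


def simulate_legitimate_login(server: NumberMatchingPush, user: str) -> bool:
    """The real user reads the number from the login screen and types it."""
    shown = server.start_login(user)
    return server.approve_push(user, shown)


if __name__ == "__main__":
    srv = NumberMatchingPush()
    print("blind approvals that succeeded:", simulate_blind_approvals(srv, "alice"))
    print("legitimate login:", simulate_legitimate_login(srv, "alice"))
```

The design choice worth noting is that the number lives only on the login screen the attacker cannot see, so the approval proves the user is looking at the session being authorized, not merely that they own the phone. Production systems typically allow a small number of retries and log each mismatch; a burst of rejected pushes for one account is itself a useful detection signal for a fatigue attempt.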