Cyber Security Headlines: Lockbit operator extradited, Twitter CISO quits, NotPetya insurance shakeup

Alleged LockBit operator to be extradited from Canada to U.S.

An alleged member of the notorious LockBit ransomware group is being extradited to the United States, according to a statement from the Justice Department. Mikhail Vasiliev, a 33-year-old Russian and Canadian national living in Bradford, near Toronto, is currently in custody in Canada and is facing charges related to his involvement with LockBit. The Justice Department unsealed a criminal complaint filed in the District of New Jersey charging Vasiliev with participating in LockBit’s attacks. FBI Deputy Director Paul Abbate noted that Vasiliev was arrested on Wednesday following a nearly three-year investigation into the ransomware gang, which has quickly become one of the most lucrative ransomware operations in the world.

(The Record)

Musk ends remote work and promises to fight spam; CISO Kissner quits

Less than two weeks after taking over Twitter, Elon Musk addressed the company’s employees for the first time in a series of emails. According to a report from Bloomberg, the new CEO asked workers to be ready for “difficult times ahead.” At the same time, he told them that working from the office was now mandatory unless an employee received a personal exemption. The report also said that employees will have to put in at least 40 hours per week at the office, and that these policies are effective immediately. One person who will not be coming back to the office is Twitter’s CISO, Lea Kissner, who used the platform to announce their departure, posting, “I’ve loved this job and we got *so* much done, but here we are.” Kissner follows chief privacy officer Damien Kieran and chief compliance officer Marianne Fogarty, who are also said to have exited.

(TechCrunch and The Register)

Insurance giant settles NotPetya lawsuit, signaling cyber insurance shakeup

The settlement last week in a $100 million lawsuit over whether insurance giant Zurich should cover losses suffered by Mondelez International from NotPetya may very well reshape the entire cyber insurance marketplace. Zurich initially denied claims from Mondelez after the malware, which experts estimate caused some $10 billion in damages globally, wreaked havoc on its computer networks. The insurer invoked an act-of-war exclusion, since it is widely believed Russian military hackers unleashed NotPetya on a Ukrainian company before it spread around the world. It appears instead that what Mondelez endured was not an act of war but “collateral damage” in a much larger cyberconflict. James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies, said, “We’re going to need to rethink what act of war means in cyberspace when it comes to insurance. The current definitions come out of the 19th century when we had pirates, navies and privateers.”

(Cyberscoop)

New StrelaStealer malware steals Outlook, Thunderbird accounts

A new information-stealing malware named ‘StrelaStealer’ is actively stealing email account credentials from Outlook and Thunderbird, and its behavior deviates from most info-stealers. The previously unknown malware was discovered by analysts at DCSO CyTec, who report that they first saw it in the wild in early November 2022, targeting Spanish-speaking users. StrelaStealer arrives on the victim’s system via email attachments, currently ISO files with varying content, such as an executable (‘msinfo32.exe’) that sideloads the bundled malware via DLL search-order hijacking. The ISOs can also carry polyglot files, which are treated as different file formats depending on the application that opens them. For now the malware is spread using Spanish-language lures and focuses on very specific software.

(Bleeping Computer)
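Two triage checks for a mail-borne ISO of the kind described in the story, as an added example that is not DCSO CyTec’s or Bleeping Computer’s code: a PE/HTML polyglot test (a file with a valid PE header that also contains HTML markup, so a browser renders it while the Windows loader treats it as a DLL) and a sideload-pairing test (a loose .exe shipped next to a .dll in the same directory, the layout DLL search-order hijacking relies on because the executable’s own directory is searched before the system directories). The sample ISO listing is constructed here; only ‘msinfo32.exe’ comes from the report, and the other file names are hypothetical.

```python
"""Triage heuristics for an extracted mail-borne ISO (example code, not the original analysis)."""
import os
import re
import struct
from typing import Dict, List, Tuple

# Loose HTML markers; a browser will happily render a file that starts with MZ if these appear.
HTML_MARKERS = re.compile(rb"<\s*(!doctype\s+html|html|script|body)\b", re.IGNORECASE)

IMAGE_FILE_DLL = 0x2000  # IMAGE_FILE_HEADER.Characteristics flag


def parse_pe(data: bytes) -> Dict[str, bool]:
    """Return {'is_pe', 'is_dll'}; is_pe is False when the bytes are not a PE image."""
    info = {"is_pe": False, "is_dll": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Signature plus the 20-byte IMAGE_FILE_HEADER must fit inside the buffer.
    if e_lfanew + 0x18 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    # Characteristics is the last WORD of IMAGE_FILE_HEADER, 22 bytes past the signature.
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    info["is_pe"] = True
    info["is_dll"] = bool(characteristics & IMAGE_FILE_DLL)
    return info


def is_pe_html_polyglot(data: bytes) -> bool:
    """True when the bytes are a valid PE image that also carries HTML markup."""
    return parse_pe(data)["is_pe"] and HTML_MARKERS.search(data) is not None


def find_sideload_candidates(paths: List[str]) -> List[Tuple[str, str]]:
    """Pair every .exe with each .dll in the same directory (search-order hijack layout)."""
    by_dir: Dict[str, Dict[str, List[str]]] = {}
    for p in paths:
        d, name = os.path.split(p.replace("\\", "/"))
        ext = os.path.splitext(name)[1].lower()
        if ext in (".exe", ".dll"):
            by_dir.setdefault(d, {".exe": [], ".dll": []})[ext].append(p)
    pairs: List[Tuple[str, str]] = []
    for entries in by_dir.values():
        for exe in sorted(entries[".exe"]):
            for dll in sorted(entries[".dll"]):
                pairs.append((exe, dll))
    return pairs


def triage_iso_listing(files: Dict[str, bytes]) -> Dict[str, object]:
    """Run both heuristics over a {path: bytes} listing of an extracted ISO."""
    return {
        "polyglots": sorted(p for p, b in files.items() if is_pe_html_polyglot(b)),
        "sideload_pairs": find_sideload_candidates(list(files)),
    }


def build_sample_polyglot() -> bytes:
    """Constructed fixture: minimal DOS stub and PE file header flagged as a DLL, then HTML."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=AMD64, 1 section, no timestamp/symbols, optional header size 0xF0,
    # Characteristics = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL.
    file_header = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)
    return bytes(dos) + b"PE\0\0" + file_header + b"<html><script>alert(1)</script></html>"


# Constructed ISO listing; 'msinfo32.exe' is from the report, the other names are hypothetical.
SAMPLE_ISO: Dict[str, bytes] = {
    "Factura/msinfo32.exe": b"MZ" + b"\0" * 200,   # stand-in for the legitimate signed binary
    "Factura/cargador.dll": build_sample_polyglot(),  # hypothetical sideloaded payload
    "Factura/texto.txt": b"hola",                      # benign filler
}

if __name__ == "__main__":
    print(triage_iso_listing(SAMPLE_ISO))
```

The sideload check deliberately ignores file contents: the hijack works even when the DLL is a valid signed library, so the signal is the layout (an executable and a loose DLL shipped together in a mail attachment), not the bytes. The polyglot check is the complement: a file whose extension says one thing while its bytes satisfy two parsers at once.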

And now a word from our sponsor, AppOmni

Did you know that over half of companies have sensitive SaaS data exposed on the public internet? And many breaches making headlines now involve SaaS apps? AppOmni can help.
AppOmni identifies misconfigurations and guides remediation to keep your SaaS data secure. We help Security teams make sense of data access permissions, third party app visibility, and threat detection across their entire SaaS ecosystem. Get started at AppOmni.com.

Thousands of bogus Twitter accounts push NFT scams to steal cryptocurrency

A fraud network made up of thousands of Twitter accounts has been impersonating legitimate NFT stores to swindle users out of cryptocurrency, according to research published Thursday. Researchers at the threat intelligence firm Nisos found that between July 26 and Oct. 11 more than 3,000 Twitter accounts produced nearly 6,000 tweets linking to sham storefronts that offered to mint new NFTs for free. Thousands of other bogus accounts amplified those tweets, according to researchers. The fake NFT stores prompted victims to share access to their wallets under the guise of minting a new NFT, allowing scammers to deplete the owner’s collection of NFTs along with other virtual currency funds.

(Cyberscoop)

FTX’s Bankman-Fried scrambles for funds after Binance deal collapse

Following up on a story we brought you yesterday regarding the possible purchase of FTX by rival Binance, which did not happen, FTX Chief Executive Sam Bankman-Fried yesterday launched an urgent push to raise funds to save his firm, as the crypto exchange looks to plug a reported $8 billion hole in its finances, according to tweets and a memo to employees. Bankman-Fried said he was in talks with “a number of players” in the crypto sector, including Justin Sun, the founder of the crypto token Tron. The problems at FTX, one of the world’s largest crypto exchanges, have triggered a broader crisis of confidence in cryptocurrencies, with bitcoin falling below $16,000 overnight for the first time since late 2020.

(Reuters)

Apple limits AirDrop ‘Everyone’ option to 10 minutes in China

A change in the iOS 16.1.1 update for Chinese users is turning some heads. Apple is restricting the “Everyone” option in AirDrop to ten minutes on iPhones purchased in mainland China, according to online user reports. Apple says it is improving the AirDrop experience by automatically reverting the receiving setting back to “Contacts Only” after 10 minutes to help mitigate unwanted file sharing. Some argue that this feature should have long been an option for all Apple users but others interpret the decision as Apple’s response to recent incidents in China in which AirDrop was used to spread protest content.

(TechCrunch)

Grand Prix Silverstone circuit hit by ransomware

The iconic home of the British Grand Prix of auto racing is investigating a ransomware attack after a gang added it to its list of victims this week. “We are aware of this posting and are investigating this matter,” a spokesperson for Silverstone Circuit told The Record on Thursday. The circuit – home of the British Grand Prix since 1950 – was allegedly attacked by the Royal ransomware gang, which took credit for the alleged incident on Tuesday. Emsisoft threat analyst Brett Callow said the Royal ransomware group is a relatively new gang following the encrypt-and-exfiltrate model. 

(The Record)