Cyber Security Headlines – May 20, 2022

Greenland health services limited by cyberattacks

The government of Greenland confirmed that recent cyberattacks have impacted its overall hospital system, which caused the healthcare system’s digital network to crash. It’s unclear if this is related to ransomware, but the attacks began on May 9th. IT admins were forced to restart all systems and servers in the hospital system, with healthcare practitioners unable to access medical records. The government said a technical analysis showed no impact on personal data. It appears the attackers attempted other cyberattacks last month, and Greenland’s parliament was forced to cancel all meetings during the week of March 25th as a result of a cyberattack. 

(The Record)

Phishing attacks surge in Q1 

Security researchers from Kroll found that phishing emails as an initial attack vector increased 54% year over year in Q1. This rise caused incidents tied to email compromises to surpass ransomware for the first time in a year. Kroll pins this uptick on a rise in activity from both the Emotet and IcedID malware families. Once attackers had used phishing for this initial beachhead, their methods varied widely, from dropping ransomware and other malware to, in some cases, attempting extortion based solely on stolen data without any accompanying encryption. Attackers generally did not rely on phishing emails alone as an initial attack vector, but also attempted to exploit vulnerabilities like ProxyLogon and Log4Shell.

(Dark Reading)

Google details 2021 zero-days

In 2021, Google’s Threat Analysis Group reported nine zero-day exploits across Chrome, Android, Apple, and Microsoft products. In July 2021, it outlined four of these, and the group has just published details on the other five. Four of these impacted Chrome, and one was specific to Android. Google claims these were likely sold as a group by the commercial surveillance company Cytrox to government-backed actors. Across these different campaigns, the exploits were delivered to targeted Android users through emails that imitated URL shortener services, with various Samsung phones targeted in each of the campaigns.

(Google TAG)

CISA warns of big trouble in BIG-IP

The Cybersecurity and Infrastructure Security Agency published an advisory this week that attackers are actively exploiting patched vulnerabilities in VMware products and F5’s BIG-IP. The advisory warned that the attackers were able to reverse engineer the updates for existing vulnerabilities into new exploits within 48 hours of their release. US federal civilian agencies are ordered to patch or remove VMware immediately. VMware issued a patch April 6th and F5 issued a BIG-IP patch May 10th. This comes as a separate vulnerability with a 9.8 severity rating hit BIG-IP last week, opening the door to root access and remote code execution.

(Ars Technica)

Thanks to today’s episode sponsor, Torq

Myth 5: You Should Automate All Security Processes
False. You should automate routine, repetitive tasks that are not subject to much conditional variance. But workflows that can’t be reliably managed by automation tools, such as assessing the financial consequences of a breach or determining whether a security incident should trigger an application rollback, should remain the domain of humans. To learn more about the realities of automation, head to torq.io.

India warns VPNs to follow the rules

The Indian Computer Emergency Response Team clarified that virtual private server providers, cloud service providers, and VPN providers must abide by the country’s Cyber Security Directions when they go into effect in June or “will have to pull out” of the market. These rules require services to store customer names, email addresses, IP addresses and financial records for five years, but don’t apply to corporate or enterprise VPNs. Indian officials say there won’t be any comment or consultation on these new rules. These changes come as part of the same package that will require reporting significant security incidents to regulators within 6 hours. 

(TechCrunch)

Texas asks SCOTUS to uphold social media law

Texas Attorney General Ken Paxton filed a petition with the Supreme Court to reject an emergency application filed by tech industry trade groups to block the state’s law regulating content moderation decisions on social media platforms. Lower courts issued an injunction on the law, as well as a similar one in Florida, arguing it violates the First Amendment protections of the platforms. Paxton argues the law focuses on business conduct and that these platforms should be treated as common carriers like telephone companies of old. Eleven other Republican attorneys general and the solicitor general of Iowa filed an amicus brief supporting the law. 

(WaPo)

Twitter announces crisis misinformation policy

This new policy establishes standards for blocking the promotion of certain tweets if they contain misinformation during designated events. This will place greater scrutiny on false reporting on events, allegations involving use of force, or misinformation regarding atrocities. This will not automatically delete tweets or ban users; rather, Twitter will algorithmically block promotion of the tweet and add a warning label, requiring a click-through to view the content. This policy will initially apply to content around the ongoing Russian invasion of Ukraine, and will be limited to specific “situations in which there is a widespread threat to life, physical safety, health, or basic subsistence.”

(Twitter)

Fronton botnet does more than just DDoS

Researchers at the security firm Nisos published a new report on the unusual Fronton botnet. It first made headlines back in 2020 after a hacktivist group claimed to have stolen documents about it from Russia’s FSB intelligence service. Based on those documents, it was believed Fronton would primarily focus on its DDoS capabilities, a classic for any botnet. But Nisos found the botnet’s developers built a system for “coordinated inauthentic behavior” with a software package dubbed SANA. This web-based dashboard includes a wide variety of functions, such as tracking news trends, managing large groups of bots, and creating behavior models for bots, including response models and how many friends a bot account should maintain. SANA also supported users in creating social media accounts en masse using automatically generated email addresses and phone numbers.

(ZDNet)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.