Greenland health services limited by cyberattacks
The government of Greenland confirmed that recent cyberattacks have impacted its overall hospital system, which caused the healthcare system’s digital network to crash. It’s unclear if this is related to ransomware, but the attacks began on May 9th. IT admins were forced to restart all systems and servers in the hospital system, with healthcare practitioners unable to access medical records. The government said a technical analysis showed no impact on personal data. It appears the attackers attempted other cyberattacks last month, and Greenland’s parliament was forced to cancel all meetings during the week of March 25th as a result of a cyberattack.
Phishing attacks surge in Q1
Security researchers from Kroll found that phishing emails as an initial attack vector increased 54% year over year in Q1. This rise caused incidents tied to email compromise to surpass ransomware for the first time in a year. Kroll attributes this uptick to a rise in activity from both the Emotet and IcedID malware families. Once attackers had used phishing to establish this initial beachhead, their methods varied widely, from dropping ransomware and other malware to, in some cases, attempting extortion based solely on stolen data without any accompanying encryption. Attackers generally did not rely on phishing emails alone as an initial attack vector, but also attempted to exploit vulnerabilities like ProxyLogon and Log4Shell.
Google details 2021 zero-days
In 2021, Google’s Threat Analysis Group reported nine zero-day exploits across Chrome, Android, Apple, and Microsoft products. In July 2021, it outlined four of these, and the group has just published details on the other five. Four of these impacted Chrome, and one was specific to Android. Google claims these were likely sold as a group by the commercial surveillance company Cytrox to government-backed actors. Across these different campaigns, the exploits were delivered to targeted Android users through emails containing links that imitated URL shortener services, and each campaign targeted various Samsung phones.
CISA warns of big trouble in BIG-IP
The Cybersecurity and Infrastructure Security Agency published an advisory this week warning that attackers are actively exploiting patched vulnerabilities in VMware products and F5’s BIG-IP. The advisory noted that attackers were able to reverse engineer the updates for existing vulnerabilities into new exploits within 48 hours of their release. US federal civilian agencies are ordered to patch or remove the affected VMware products immediately. VMware issued a patch April 6th and F5 issued a BIG-IP patch May 10th. This comes as a separate vulnerability with a 9.8 severity rating hit BIG-IP last week, opening the door to root access and remote code execution.
Thanks to today’s episode sponsor, Torq
India warns VPNs to follow the rules
The Indian Computer Emergency Response Team clarified that virtual private server providers, cloud service providers, and VPN providers must abide by the country’s Cyber Security Directions when they go into effect in June or “will have to pull out” of the market. These rules require services to store customer names, email addresses, IP addresses and financial records for five years, but don’t apply to corporate or enterprise VPNs. Indian officials say there won’t be any comment or consultation on these new rules. These changes come as part of the same package that will require reporting significant security incidents to regulators within 6 hours.
Texas asks SCOTUS to uphold social media law
Texas Attorney General Ken Paxton filed a petition with the Supreme Court to reject an emergency application filed by tech industry trade groups to block the state’s law regulating content moderation decisions on social media platforms. Lower courts issued an injunction on the law, as well as a similar one in Florida, arguing it violates the First Amendment protections of the platforms. Paxton argues the law focuses on business conduct and that these platforms should be treated as common carriers like telephone companies of old. Eleven other Republican attorneys general and the solicitor general of Iowa filed an amicus brief supporting the law.
(WaPo)
Twitter announces crisis misinformation policy
This new policy establishes standards for blocking the promotion of certain tweets if they contain misinformation during designated events. This will place greater scrutiny on false reporting on events, allegations involving force, or misinformation regarding atrocities. This will not automatically delete tweets or ban users; rather, Twitter will algorithmically block promotion of the tweet and add a warning label, requiring a click-through to view the content. This policy will initially apply to content around the ongoing Russian invasion of Ukraine, and will be limited to specific “situations in which there is a widespread threat to life, physical safety, health, or basic subsistence.”
(Twitter)
Fronton botnet does more than just DDoS
Researchers at the security firm Nisos published a new report on the unusual Fronton botnet. It first made headlines back in 2020 after a hacktivist group claimed to have stolen documents about it from Russia’s FSB intelligence service. Based on those documents, it was believed Fronton would primarily focus on its DDoS capabilities, a classic for any botnet. But Nisos found the botnet developed a system for “coordinated inauthentic behavior” with a software package dubbed SANA. This web-based dashboard includes a wide variety of functions, like tracking news trends, managing large groups of bots, and creating behavior models for bots, including response models and how many friends a bot account should maintain. SANA also supported users creating social media accounts in bulk using automatically generated emails and phone numbers.
(ZDNet)