Cyber Security Headlines: North Korea at Black Hat, Ransomware attacks jump, Pentagon software requirements

North Korean malware present at Black Hat

IronNet, a security firm hired to assist at Black Hat’s Network Operations Center discovered several active malware infections on the network including SHARPEXT, which has been attributed as having direct connections to North Korea’s top leadership. The threat hunters stated that during the conference, they observed numerous callouts from four unique hosts to three domains associated with the North Korean malware.” This might have been from someone who had SHARPEXT on their machine, bringing it into the conference, or picking it up while there. The SHARPEXT browser extension is typically installed on a victim’s Windows PC once it’s been compromised via some other vulnerability or infection route.

(The Register)

Ransomware attacks jump as new malware strains proliferate, research finds

Ransomware cases have jumped 47 percent amid a rise in attacks involving newer strains of malicious software infecting targets, according to the cybersecurity firm NCC Group. Reported incidents increased to 198 in July from 135 in June, according to the firm that issues semi-regular reports on ransomware activity by tracking websites that post victims’ details. LockBit alone was associated with 62 incidents in July, according to NCC Group, nearly 20 percent higher than its June total of 52 known incidents. LockBit remains “the most threatening ransomware group, and one that all organizations should aim to be aware of,” the company wrote.


The Pentagon may require vendors to certify their software as free of known flaws

The House of Representative’s software vulnerability provision from within the massive 2023 National Defense Authorization Bill — passed July 14 — continues to divide the cybersecurity community. The debate boils down to whether the requirement is unnecessary and impossible to achieve or is a game-changing move that will begin holding software vendors accountable for selling faulty technology. The Biden Administration’s position is that the software industry should emulate the automotive industry, where “manufacturers retain ownership and responsibility” through the life of the vehicle, said Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology. But cybersecurity executive Dan Lorenc argues there’s no such thing as vulnerability-free software.


Hackers adopt Sliver toolkit as a Cobalt Strike alternative

A report from Microsoft notes that threat actors are dumping the Cobalt Strike penetration testing suite in favor of Sliver. As defenders learned to how to detect and stop Cobalt Strike attacks, Palo Alto Networks observed threat actors switching to Brute Ratel, an adversarial attack simulation tool designed to elude security products. However, the open-source, cross-platform kit called Sliver has now become an attractive alternative. Microsoft states that hackers from state-sponsored groups and cybercrime gangs, are increasingly using this Go-based security testing tool which had been developed by researchers at BishopFox cybersecurity company. The better news is that malicious activity performed using Sliver can be detected using hunting queries drawn from analyzing the toolkit.

(Bleeping Computer)

Thanks to today’s episode sponsor, Code42

It’s not just about the data leaving your company – what about the data coming in? Along with departing employees, new talent is also actively joining your organization. This poses cybersecurity challenges since they could be knowingly or unknowingly bringing data from their former company into your network.
Code42 Incydr is an Insider Risk Management SaaS that provides a comprehensive understanding of your data exposure and shows which activities require security intervention. Learn more at

Block sued after ex-staffer siphons customer data

The digital payments giant formerly known as Square – faces allegations it failed to take adequate measures to protect customers’ personal information. A lawsuit was filed Tuesday in a federal district court in Oakland, California, on behalf of two users of Cash App, a Block subsidiary, in relation to evidence that a former employee was able to download internal reports containing personal information after leaving the firm. Block disclosed the December 10, 2021 data theft on April 4, 2022, and stated it was contacting 8.2 million current and former customers about the incident.

(The Register)

Google accused of airbrushing carbon emissions in flight search results

This follows a change, first noted by the BBC, to its flight search engine that was, and which shows the estimated carbon emissions of each route. The company flags routes with higher or lower than typical emissions, and also reports the total CO2 emitted per passenger on any given journey. In July, Google made a change that halved the total emission figures by changing from kilograms of “carbon dioxide equivalent” (CO2e) to just the CO2 emitted on each journey. This helped eliminate the mention of the environmental impact of any given flight. Google argues that it is impossible to precisely estimate CO2e for a given flight, but when the change was pushed through, Google made no public acknowledgement of its new figures, save for a single note published to a developer account on Github.

(The Guardian)

VMware Carbon Black causing BSOD crashes on Windows

Windows servers and workstations at dozens of organizations started to crash on Tuesday because of an issue caused by certain versions of VMware’s Carbon Black endpoint security solution. According to some reports, systems at more than 50 organizations started to display the blue screen of death. The root of the problem is a ruleset deployed to a Carbon Black Cloud Sensor. On Microsoft Windows systems impacted by the issue, the stop code may identify the error as “PFN_LIST_CORRUPT.”

(Bleeping Computer)

New ‘Donut Leaks’ extortion gang linked to recent ransomware attacks

A new data extortion group named ‘Donut Leaks’ is linked to recent cyberattacks, including those on Greek natural gas company DESFA, UK architectural firm Sheppard Robson, and multinational construction company Sando. Although details from victims was less than forthcoming, the data for these victims have now appeared on the data leak site for a previously unknown extortion gang known as Donut Leaks. Furthermore, the data shared on the Donut Leaks site is far more extensive than that shared on the ransomware sites, indicating that this new threat actor was likely involved in the attacks.

(Bleeping Computer)