Cyber Security Headlines: State-backed attacks not insured, LockBit hit with DDoS, Cozy Bear gets around MFA

State-backed attacks excluded from cyber insurance

The insurance marketplace Lloyd’s of Lond will introduce exclusions for cyber insurance policies to not cover “catastrophic” state-backed attacks. These exclusions will begin in new policies in March 31, 2023. Lloyd’s warns that all insurance underwriters need to make it extremely clear in policies that state-sponsored attacks fall outside of coverage. This applies regardless of any declared war between two countries. This reflects that state-sponsored attacks often aren’t directly after financial gain, but often are the result of geopolitical consideration.  This also comes as insurance providers shy away from ransomware coverage as costs increase. 

(CSO Online)

LockBit hit with DDoS

Last month, the security company Entrust disclosed threat actors exfiltrated data from it’s network. Bleeping Computer’s sources said this represented a ransomware attack. Last week, LockBit too credit for the attack and began posting data on its leak site. That information proved hard to find, because security researchers found it unavailable due to a DDoS attack. The security research group VX-Underground reports that LockBit believes the attack is from someone connected to Entrust. The attackers added a message to the site’s browser user agen demanding removal of the stolen data. In response, LockBit’s site now says it plans to upload all of ENtrust’s data as a torrent for anyone to download. 

(Bleeping Computer)

Cozy Bear using Microsoft accounts to bypass MFA

Security researchers at Mandiant released a report detailing this new technique by the Russian-backed threat group. This exploits the self-enrollment process for applying MFA, where organizations allow users to enroll a device the next time they log in. Since there is no additional verification to this enrollment, anyone with a username and password can enroll their own device into MFA as long as they are the first to try it. This can be useful for obtaining access to deactivated or test account, which Mandiant observed. From there, attackers accessed an organizations VPN infrastructure. Mandiant recommends organizations ensure additional protections to verify users when they register accounts. 

(ZDNet)

UK Conservatives go-ahead with online voting

The UK’s Conservative Party will offer internet voting for the first time as part of its leadership election. About 160,000 qualifying party members will receive a ballot pack in the mail that will include a paper mail-in ballot, as well as security codes to vote online. The party used guidance from the UK’s National Cyber Security Centre to build its online voting system. Earlier this month, the NCSC warned against the Conservatives’ plans for online voting. As part of a revised process, the codes in ballot packs will expire as soon as they are used, meaning you can’t log back in. The winner of this election will be the UK’s next prime minister, so pretty high stakes. 

(WSJ)

Thanks to today’s episode sponsor, Code42

Have you been thinking about launching an Insider Risk Management program? You don’t need to be Big Brother to effectively address Insider Risk.
Code42 believes that the Three Es should define any IRM program: expertise, education, and enforcement. Shift your security culture from “watchdog” to “guide dog” and everyone wins. Learn more at Code42.com/showme.

Critical flaw found in ChromiumOS Audio Server

Microsoft security researcher Jonathan Bar Or found a bug in the service, which routes audio to peripherals. This could use audio metadata to cause a local memory corruption. Audio played in a browser or over a pair Bluetooth device could trigger the bug. Ultimately this flaw could open the door to remote code execution. Or reported the issue to Google in April. It was already in the process of patching the flaw, releasing an update in mid-June. 

(ZDNet)

Attackers target travelers with fake reservations

The recent uptick in travel have seen the threat group TA558 ramping up malicious activity. The group operated a 2018 campaign of fake reservations emails with malicious links. It revived the strategy with a new twist. Following a larger malware trend, the group no wuses RAR and ISO files attachments in these malicious emails. This leads to the execution of a PowerShell script, followed by downloading the AsyncRAT. Microsoft’s recent ban on macros by default in Office documents led many threat groups to change tactics. 

(ThreatPost)

Media industry proves slow to patch

A new study by BlueVoyant found that out of almost 500 vendors in the media industry, it observed 28% with critical vulnerabilities on internet-facing systems. Content management providers accounted for 50% of these vulnerabilities. Meanwhile the study found less than 15% of media monetization platforms hosting vulnerable systems. Looking at the recent Atlassian Confluence vulnerability, BlueVoyant found eight of the monitored companies had not patched the high severity issue six weeks after it’s release. 

(Security Week)

NSO Groups shuffles leadership

The Israeli spyware company’s CEO Shalev Hulio stepped down effective immediately, replaced in the role by COO Yaron Shohat on a interim basis. Reuters’ sources say the company will cut 100 employees as part of an overall reorganization. Part of this will see the company “focusing on NATO-member countries” and streamlining operations. 

(Reuters)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.