Cyber Security Headlines: TikTok sues Montana, US sanctions North Korea’s ‘illicit’ IT army orgs, Fake images on Twitter spook stock market

TikTok sues Montana after state bans app

On Monday, TikTok Inc filed a lawsuit challenging the state of Montana’s new ban on use of the Chinese-owned app. TikTok argues the ban, which would take effect on January 1, violates First Amendment rights of the company and users. The lawsuit also argues the ban intrudes upon matters of exclusive federal concern and violates the Commerce Clause of the US Constitution. A spokesperson from Montana’s Attorney General’s Office said the state is “fully prepared to defend the law that helps protect Montanans’ privacy and security.”


US sanctions orgs behind North Korea’s ‘illicit’ IT worker army

On Tuesday, the Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against four North Korean entities and one individual for their involvement in illicit IT worker schemes and cyberattacks. OFAC said North Korea’s scheme relies on an “army” of thousands of IT workers who use stolen identities, fake personas, and falsified documentation to get hired by companies overseas. While located in China and Russia, the workers are funneling their earnings to fuel the Kim regime’s weapons programs, including its unlawful weapons of mass destruction (WMD) and ballistic missile programs. The list of North Korean entities sanctioned includes Pyongyang University of Automation, the Reconnaissance General Bureau (RGB), the 110th Research Center cyber unit and the Chinyong Information Technology Cooperation Company.

(Bleeping Computer)

Fake images on Twitter briefly spook the stock market 

This week a fake photo, which some speculate was created using generative AI, surfaced on social media and appeared to show an explosion near the Pentagon. The fake image was shared by several Twitter Blue accounts (which paid the $8 blue checkmark fee), including in a post appearing to be associated with Bloomberg News reading, “Large explosion near the Pentagon complex in Washington DC. – initial report.” The false reports were picked up by other media outlets, including major Indian network Republic TV. Just moments after the image began circulating on Twitter, the US stock market took a noticeable dip, with the Dow Jones Industrial Average falling about 80 points for about four minutes but fully recovering several minutes later. Similarly, the S&P 500 went from up 0.02% to down 0.15% during the same period before returning to positive. Though the impact was brief, it’s likely that some people lost and gained a lot of money. It’s also noteworthy that the main vector that made it possible for the image to have even a slight (and temporary) impact is use of the faux Twitter Blue “verification” checkmark.


Biden nominates new head of NSA Cyber Command

President Joe Biden has tapped Air Force Lt. General Timothy Haugh to serve as the new chief of US Cyber Command and the National Security Agency (NSA). The two organizations have shared a leader since the Pentagon launched Cyber Command in 2009. Haugh will replace Army Gen. Paul Nakasone who is retiring after serving in the same roles for just over five years. Haugh has served in a number of senior roles at Cyber Command, including head of the Cyber National Mission Force, director of intelligence and deputy chief of Joint Task Force-Ares, and he also oversaw the creation of the Sixteenth Air Force (Air Forces Cyber), the service’s first information warfare entity.

(The Record)

And now a word from our sponsor, Sonrai Security

Did you know that 81% of breaches are due to compromised identities? It’s a sobering statistic and one that enterprise organizations cannot afford to ignore. Sonrai Security has made a name for itself by securing enterprise clouds from the inside out, securing every identity, access, and permission in the cloud.
Download Sonrai Security’s new CIEM Buyer’s Guide to learn more about fortifying your cloud from the inside out at

‘GoldenJackal’ targets governments in the Middle East and South Asia 

An advanced persistent threat (APT) actor named GoldenJackal has been conducting targeted attacks on government and diplomatic entities since 2019. The APT focused on a small number of entities in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey, likely in an effort to stay under the radar. GoldenJackal is using .NET malware to control victim computers and collect information, take screenshots, steal credentials, and exfiltrate data. The threat actor has been spreading a fake Skype installer and a malicious Word document via removable drives. The malicious files were observed exploiting a vulnerability named “Follina” just two days after proof-of-concept (PoC) code was made public.


SuperMailer abuse bypasses security for super-sized credential theft

According to Tuesday’s report from Cofense, a high-volume credential-harvesting campaign is using the legitimate German email newsletter program, SuperMailer, to blast out phishing emails designed to evade secure email gateway (SEG) protections. The campaign has snowballed and accounts for 5% of all credential phishes observed in the month of May so far. The campaign is casting a wide net, hitting numerous industries, from construction and consumer goods to utilities, financial services, and technology. SuperMailer is desktop software that can be downloaded for free or for a nominal fee from a number of sites including CNET.

(Dark Reading)

Industrial sector faced highest number of ransomware attacks in April

According to the NCC Group, the volume of ransomware attacks remained at record highs with 352 attacks in April, the second-highest month on record. LockBit 3.0, BlackCat and BianLian were the top 3 threat actors, combining for 58% of overall ransomware activity in April. Meanwhile, Ransomware-as-a-Service (RaaS) provider Cl0p reduced its activity by 98% from March to April, likely due to patches being applied for the GoAnywhere MFT zero-day vulnerability, which the group leveraged to exploit a high number of victims in March. North America was the target of half of April’s ransomware activity with 172 attacks (50%), followed by Europe with 85 attacks (24%) and then Asia with 34 attacks (10%). In April, industrials was the most targeted sector, accounting for one third of attacks (32%).

(Security Magazine)

Netflix’s password-sharing crackdown is here

On Tuesday, Netflix revealed details about how its crackdown on password sharing will affect US viewers. Netflix Standard plan customers will have the option of adding one extra member who can use the service outside their household for $7.99 extra per month. Netflix Premium package subscribers can add up to two extra members, also for the same $7.99 fee per person. Subscribers to Basic or Standard with Ads plans won’t have the option to add extra members. Starting Tuesday, US Netflix subscribers who share the service “outside their household” will get an email about the company’s password-sharing policies. Netflix said it uses IP addresses, device IDs, and account activity, but not GPS data, to determine the physical location of customer devices.

(The Verge)

Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.