Cyber Security Headlines: Towns paying for remote workers, CISA orders agency patch, PLC software delivers Sality

Dozens of cities and towns are paying tech workers to abandon Silicon Valley

A growing number of cities and towns all over the U.S. are handing out cash grants and other perks aimed at drawing skilled employees of faraway companies to live there and work remotely. In October there were at least 24 such programs in the U.S., today there are 71, according to the Indianapolis-based company MakeMyMove, which is contracted by cities and towns to set up such programs. Companies whose employees have participated in one remote worker incentive program in Tulsa, Okla., include Adobe, Airbnb, Amazon, Apple, Dell, Meta, Google, IBM, Microsoft, Lyft, Netflix, Oracle and Siemens. Local governments are offering up to $12,000 in cash, along with subsidized gym memberships, free babysitting and office space.

(Wall Street Journal)

CISA orders agencies to patch new Windows zero-day used in attacks

CISA has added an actively exploited local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS) to its list of bugs abused in the wild. This high-severity security flaw (tracked as CVE-2022-22047) impacts both server and client Windows platforms, including the latest Windows 11 and Windows Server 2022 releases. Microsoft patched it as part of the July 2022 Patch Tuesday and classified it as a zero-day because it was abused in attacks before a fix was available. Redmond says the vulnerability, which, if exploited, could let an attacker gain SYSTEM privileges, was discovered internally by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC).

(Bleeping Computer)

Password recovery tool infects industrial systems with Sality malware

A threat actor is infecting industrial control systems to build a botnet by distributing password "cracking" software for programmable logic controllers. Advertised on various social media platforms, the password recovery tools promise to unlock PLC and human-machine interface terminals from Automation Direct, Siemens, Mitsubishi, LG, and many other manufacturers. Behind the scenes the tool also drops Sality, a piece of malware that builds a peer-to-peer botnet used for tasks that complete faster with distributed computing power, such as password cracking and cryptocurrency mining.

(Bleeping Computer)

Thousands of websites run buggy WordPress plugin that allows complete takeover

Threat actors have reportedly scanned almost 1.6 million websites in attempts to exploit an arbitrary file upload vulnerability in a previously disclosed buggy WordPress plugin. Tracked as CVE-2021-24284, the vulnerability affects Kaswara Modern WPBakery Page Builder Addons and, if exploited, would allow criminals to upload malicious JavaScript files and even completely take over an organization's website. Wordfence disclosed the flaw almost three months ago, and in a new advisory this week warned that criminals are increasing attacks — the WordPress security shop claims it blocked an average of 443,868 attack attempts per day on its customers' sites. The plugin's developers never patched the bug, and the plugin is now closed, which means that all versions are susceptible to attack.

(The Register)

Thanks to today’s episode sponsor, 6clicks

The 6clicks AI-powered GRC platform with an integrated content library is the most intelligent way to get ISO 27001 certified. It allows you to automate audits, manage risks, track assets, and report in real time. Join hundreds of businesses that trust 6clicks and start your ISO 27001 journey today. For more information visit

Hive ransomware decryption key released as gang evolves its tactics

A decryption key for malware deployed by the ransomware gang Hive has been released in response to an uptick in activity from the gang in the past three months. Hive has also rewritten its malware in Rust, a more complex language that makes the malware harder to analyze and decrypt, making the key even more valuable. The decryption tool for version five of Hive's malware was released by a malware analyst and reverse engineer known publicly as reecDeep. The key can be found on GitHub and was created to try to quell the gang's recent mounting attacks. Hive has been ramping up activity in recent months, particularly targeting healthcare organizations. In May, the gang was named by the US Department of Health and Human Services as one of the top five cybercrime gangs that attacked healthcare services in Q1 2022, with Hive taking credit for 11% of attacks.


Canadian airlines suffer delays and cancellations due to Zayo outage

In another Canadian internet outage story, air travel across Western Canada was disrupted Thursday by an internet outage affecting the country's air navigation service provider, Nav Canada. The cause was a disruption in the network of Zayo, a telecommunications provider based in Colorado, which Nav Canada uses in parts of the country's western region. This was not a cyberattack; it was caused by a train derailment that cut two key fiber lines managed by one of Zayo's fiber providers in Canada.

(The Record and the Toronto Star)

LendingTree denies connection to data breach affecting 200,000, but confirms a different one

The financial services giant LendingTree has denied any connection to a reported data breach involving 200,000 loan applications found on the dark web, although the company did confirm that the information of tens of thousands of customers was exposed in a separate breach in February. “Our investigation determined that this [200,000 name] data leak did not originate at LendingTree. In fact, we obtained the full data set and found there to be no match when compared to our consumer database,” a spokesperson said. She added that notifications the company did send out were in response to a “code vulnerability” in LendingTree’s platform that exposed the sensitive information of more than 70,000 customers in February.

(The Record)

Last week in ransomware

Lilith is the name of a new double extortion ransomware identified in a recent report by security firm Cyble. The same report also identified the manually operated RedAlert, which encrypts virtual files and virtual disks and targets Windows and Linux VMware ESXi servers. The ALPHV/BlackCat ransomware gang has resumed operations; they are believed to be a reincarnation of DarkMatter, famous for the Colonial Pipeline hack. ALPHV/BlackCat recently breached Japanese gaming company Bandai Namco. The gang behind AstraLocker announced this week that they are shutting down and plan to shift to cryptomining, and they provided a zip file with a free decryptor for anyone compromised by their ransomware, as a lovely parting gift.