Cyber Security Headlines: US asks to not pay ransoms, CISA’s open source roadmap, Save the Children ransomware attack

NSC asks governments not to pay ransoms

The Record’s sources say the U.S. National Security Council will ask for commitments to countries attending the International Counter Ransomware Initiative to not pay ransoms in cyberattacks. The summit will take place on October 31st, and the NSC will push for a joint statement from the 47 members. This commitment would apply to government bodies, not organizations in those countries. 

(The Record)

CISA’s open source software security roadmap

This week the Linux Foundation’s Open Source Security Foundation hosted the Secure Open Source Software Summit. This event brought together federal agencies, tech groups, and non-profits. Coinciding with this, CISA released its open source software security roadmap. This identified two major concerns: the cascading risk of vulnerabilities and the downstream effects of a compromised repository. The roadmap calls on CISA to support open source development, with an eye toward hardening it for better resilience, backed by the federal government. Some critics point out that without funding, this could be an issue for many maintainers who are otherwise volunteers. 

(CyberScoop)

Save the Children hit with ransomware

The non-profit organization confirmed to The Register that it “experienced an IT incident involving unauthorised access to part of our network.” The attack did not impact operations for the organization. The BianLian ransomware group took credit for an attack on “the world’s leading nonprofit,” understood to be Save the Children. It claims it stole 6.8 terabytes of data, including 800 gigabytes of financial records. 

(The Register)

Pegasus spyware found on Russian targets

The non-profit organization Access Now and Citizen Lab confirmed they discovered the NSO Group spyware on the phone of Galina Timchenko, the owner of the outlawed Russian news outlet Meduza. Timchenko previously received a notification from Apple about a spyware infection back in June. The Washington Post’s sources say the Russian government is not a client of NSO Group. NSO claims it only works with governments to license the spyware for legitimate law enforcement. Timchenko believes the phone became infected in February, when she met with other Russian journalists in Germany. 

(WaPo)

Thanks to our sponsor, Conveyor

Got a scary security questionnaire to complete and you’d rather have AI do it?

Your infosec friends are making the switch from outdated RFP and compliance tools to Conveyor – the most accurate security questionnaire automation software on the market.

The proof is in the AI. Customers are seeing 80-90% accurate answers and decreasing the time spent on questionnaire answering by 91%.

We’re excited about the success customers like Lucid and Carta have seen using Conveyor. Try a free proof of concept at www.conveyor.com.

Musk may have violated Twitter’s FTC order

Back in 2011, Twitter and the Federal Trade Commission reached a consent decree that it would not mislead investors on its data privacy protections. In 2022, it agreed to pay a $150 million settlement over misuse of user information in ads. Now a legal filing by the US Department of Justice alleges that the company, since renamed X, raises “serious questions” about compliance with the order. The filing said information shows a “chaotic environment” at the company that would make it hard to stay compliant with the order. 

(The Guardian)

Government report on deepfake risks

The FBI, NSA, and CISA issued a cybersecurity fact sheet on the security implications of synthetic media. The agencies suggested attackers could use deepfakes for brand manipulation, social engineering attacks, or identity theft. The agencies pointed to real-world examples from May, where a malicious actor used a deepfake to impersonate executives in two instances. The sheet highlighted industry efforts to authenticate media and to start planning ways to minimize the impact of synthetic media as it becomes more readily available. 

(Security Week)

Mozilla releases patch for exploited zero-day

The zero-day impacted both its Firefox browser and Thunderbird email client. The vulnerability is a heap buffer overflow in the WebP image library, triggered when opening a malicious image, which can lead to arbitrary code execution. We don’t have many details other than that threat actors began exploiting it in the wild. Mozilla released patches. The flaw also impacts other software that uses the WebP library, including Google’s Chrome browser. 

(Bleeping Computer)

Linux malware distributors left online for three years

Researchers from Kaspersky report that the Download Manager site began intermittently redirecting users to a malicious domain that downloads an executable installing a backdoor on Linux machines. The site began as a benign download site but started doing redirects in 2020. The site installs an updated version of the Bew backdoor, first published in 2014. Kaspersky published file hashes and IP addresses to help find compromised machines. 

(Ars Technica)

CoinEx loses millions in hack

The cryptocurrency exchange disclosed that attackers broke into the hot wallets it used to fund its operations. Analysts estimate losses of between $43 million and $53 million worth of cryptocurrency, with a remaining $72 million in assets transferred to cold wallets. CoinEx said the attack did not impact user assets. No word from CoinEx on the attacker, but blockchain investigator ZachXBT says one of the wallets used in the attack was linked to the North Korean group Lazarus. 

(Bleeping Computer)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.