This week’s Cyber Security Headlines – Week in Review, February 20-24, is hosted by Rich Stroffolino with our guest, Jared Mendenhall, Head of Information Security, Impossible Foods
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Twitter limits SMS-based 2-factor authentication to Blue subscribers only
The company stated, "while historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors. We will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers." Twitter users who have not subscribed to Blue but have enrolled in SMS-based 2FA have until March 20, 2023, to switch to an alternative method such as an authenticator app or a hardware security key. After the cutoff date, SMS 2FA will be disabled on non-Blue accounts.
European airports endure rough week on cyberattack front
A day after a major IT failure at Lufthansa left thousands of passengers stranded, the websites of seven German airports, including Dusseldorf, Nuremberg, Erfurt-Weimar and Dortmund, were hit by a suspected DDoS attack. The websites of Germany's biggest airports, Frankfurt, Munich and Berlin, were not targeted. On Wednesday, the pro-Russian hacker group Killnet told Russian media that it was responsible for the Lufthansa IT outage, but the airline blamed the outage on broadband cables that were accidentally cut during construction work on a railway line. The group "Anonymous Russia" claimed responsibility for the attacks on the German airport websites. This follows an attack last week on Scandinavian Airlines (SAS), allegedly by a group calling itself "Anonymous Sudan," that knocked the airline's website offline and exposed some customer data.
Samsung guards against zero-click attacks
One of the things that makes spyware like NSO Group's Pegasus hard to guard against is that it requires no interaction from the user: sending an SMS message with a malicious payload is enough to exploit the device. To guard against this, Samsung introduced Message Guard for Galaxy smartphones and tablets to protect users from zero-click attacks. Message Guard isolates image attachments sent to Samsung Messages or Messages by Google in a sandbox and scans them before the rest of the device processes them, to help prevent infection. It is available on the Galaxy S23 now and will roll out to Galaxy devices running One UI 5.1 or later. This comes as device makers continue to harden consumer hardware against spyware, after Apple introduced Lockdown Mode in iOS 16 last year.
Ransomware leads to earnings hit
Usually when we talk about ransomware attacks on this show, the impacts we discuss involve downtime or leaked data. This week we found an example of the direct financial impact of ransomware. Applied Materials is a key company in the semiconductor supply chain, providing equipment and technology across the industry. On its earnings call, it disclosed that a ransomware attack on an unnamed supplier will cost it $250 million next quarter. While Applied Materials did not name the supplier, one of its suppliers, the engineering company MKS Instruments, delayed its own earnings call after discovering a ransomware attack on February 3rd. MKS reported that it was in a "recovery phase" following the attack and was still trying to determine its full scope.
Sensitive US military emails spill online
The U.S. Department of Defense secured an exposed server on Monday that had been spilling internal U.S. military emails to the open internet for the past two weeks. The server was hosted on Microsoft's Azure government cloud for Department of Defense customers, which uses servers physically separated from those of commercial customers and can therefore be used to hold sensitive but unclassified government data. The exposed server was part of an internal mailbox system storing about three terabytes of internal military emails, many pertaining to U.S. Special Operations Command, the U.S. military unit tasked with conducting special operations. A misconfiguration left the server without a password, so anyone on the internet who knew its IP address could reach the mailbox data with nothing more than a web browser.
Thanks to today’s episode sponsor, Barricade Cyber Solutions
HardBit ransomware gang adjusts demands to fit insurance coverage
The HardBit ransomware group first appeared on the scene in October 2022, but unlike other ransomware operations, it does not currently use a double extortion model. Instead, the gang threatens further attacks if its ransom demands are not met. Once it has infected an organization's network, the group instructs victims to contact it by email or via the Tox instant messaging platform. According to Varonis, the group asks victims to share details of their cyber insurance policies so that the ransom can be set at an amount the insurer will cover in full.
Ransomware attack time shrinking rapidly
IBM released its X-Force Threat Intelligence Index. The report found that the time needed to carry out a ransomware attack has shrunk rapidly in recent years. In 2019 the average ransomware deployment time was over 60 days. In 2020 that fell to 9.5 days, and in 2021 to just 3.85 days. The report also found that ransomware represented 17% of all attacks in 2022, while business email compromise represented 6%. Extortion was also common outside ransomware: IBM observed extortion attempts in 27% of all attacks, with significant regional variability, as extortion was attempted in 44% of attacks in Europe.
Faked Russian air strike warnings blamed on hackers
This week commercial radio stations in Russia broadcast warnings that purported to be air raid and missile strike alerts. Russia's largest media company, Gazprom-Media, said an "attack on the infrastructure of a satellite operator" allowed the messages to reach several radio stations. The country's Ministry of Emergency Situations said this was the result of a "hacker attack." It's not clear who is responsible for the incidents, but Ukrainian actors took credit for a DDoS attack this week that disrupted websites broadcasting a speech by Russian President Vladimir Putin.
Fruit giant Dole suffers ransomware attack impacting operations
Dole Food Company, one of the world's largest producers and distributors of fresh fruit and vegetables, has announced that it is dealing with a ransomware attack that has impacted its operations. There are few details at the moment; the company is still investigating the scope of the incident and describes the impact as limited. A memo leaked on Facebook by a Texas grocery store indicates that the food giant was forced to shut down its North American production plants for at least a day. It appears that Dole also halted shipments to grocery stores.
Stress pushing CISOs out the door
A new report from Gartner states that nearly half of CISOs will change jobs by 2025 because of work-related stress, driven by the constant risk of a breach and the difficulty of retaining staff. The firm found that the stressors of the cybersecurity world make the job of a cybersecurity professional unsustainable. This includes the knowledge that there are only two possible outcomes: get hacked or don't. "The psychological impact of this is profound, directly affecting decision quality and performance of cybersecurity leaders and their teams," the report states. Notably, "a leader recovering from the stress of a data breach could last less than five years on the job," which the report identifies as the average tenure of a cybersecurity leader.