Cyber Security Headlines – Week in Review – Jan 24-28, 2022

This week’s Cyber Security Headlines – Week in Review, Jan 24-28, is hosted by Rich Stroffolino with our guest, Gary Hayslip, CISO, Softbank Investment Advisers

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com.

Ukraine attack update: experts find strategic similarities with NotPetya 

Latest analysis into the wiper malware that targeted dozens of Ukrainian agencies while disguised as ransomware has revealed “strategic similarities” to NotPetya, the malware that was unleashed against the country’s infrastructure and elsewhere in 2017. This new malware, dubbed WhisperGate, was discovered by Microsoft last week, which said it observed the campaign targeting government, non-profit, and information technology entities in the nation. Cisco Talos adds, “While WhisperGate has some strategic similarities to the notorious NotPetya wiper, including masquerading as ransomware and targeting and destroying the master boot record (MBR) instead of encrypting it, it notably has more components designed to inflict additional damage.”

(The Hacker News)

Ransomware gangs step up insider recruitment

According to a Hitachi ID survey of 100 large IT firms, 65% of firms report that they or their employees were approached by ransomware organizations in the past year to establish initial access to an organization’s network. This is up from 48% last year. Of these approaches, 27% were made over the phone, although the vast majority used email or social media to contact insiders. 57% of the offers involved either cash or bitcoin transfers below $500,000 USD. Interestingly, getting the help of an insider seemed tangential to the ransomware gang’s plans, with targeted organizations attacked 50% of the time anyway. The survey found only 8% of IT executives were more worried about internal threats than external ones.

(Bleeping Computer)

Staff negligence is now a major reason for insider security incidents

According to Proofpoint’s 2022 Cost of Insider Threats Global Report published on Tuesday, insider threats now cost organizations $15.4 million annually, an increase of 34% over 2020 estimates. The report, which surveyed over 1,000 IT professionals worldwide, indicates that 56% of insider-related incidents were caused by staff or contractor negligence, totaling losses of roughly $6.6 million, while 26% of insider incidents were linked to criminal activities and 18% were caused by theft of employee credentials, costing $4.1 million and $4.6 million respectively. Also notable, it took organizations an average of 85 days to resolve these incidents, up from 77 days in Proofpoint’s previous report. Only 12% of reported incidents were contained within 30 days.

(ZDNet)

Thanks to our episode sponsor, deepwatch

Increasing ransomware attacks and their evolving sophistication have been putting more pressure on security teams than ever before. Luckily, managed detection and response (or MDR) has emerged as a critical component for improving security operations, reducing ransomware risk, and minimizing the overall impact an attack can have. Visit deepwatch.com to see how we help to prevent breaches for our customers, by working together.

(ISC)² aims to launch entry-level cybersecurity certification

(ISC)² has opened registration for an entry-level cybersecurity certification exam pilot program. The exam evaluates candidates across five domains including business continuity (BC), disaster recovery (DR) and incident response, access controls, network security and security operations. The program aims to help close the cybersecurity workforce gap by assuring employers that new entrants to the field have the needed skills and knowledge to contribute to an organization’s cybersecurity team.

(Security Magazine)

Hacktivists target Belarus rail system to stop Russian military buildup

Hacktivists in Belarus said on Monday that they had infected the network of the Belarus Railway system with ransomware and would only provide the decryption key if Belarus President Alexander Lukashenko stopped aiding Russian troops ahead of a possible invasion of Ukraine. The group posted on Telegram and Twitter that they encrypted the majority of servers, databases and workstations and destroyed backups with the goal of overthrowing Lukashenko’s regime, building a democratic state, and protecting human rights. The attack appears to have affected billing and scheduling systems but the hackers deliberately excluded automation and security systems to avoid emergency situations.

(Ars Technica)

Trickbot gets trickier

Trickbot: it’s not just a clever name. The operators of the pernicious trojan revised it to now include a new set of features to prevent reverse engineering attempts. According to researchers at IBM Trusteer, recent samples show the addition of an anti-debugging script, designed to trigger a memory overload if a researcher performs “code beautifying” techniques to make it easier to read, ultimately crashing the browser. Trickbot also includes Base64 obfuscation, redundant junk script and code, and native function patches to slow down the work of security researchers. 

(ZDNet)

Microsoft warns of info reading phishing attack

Microsoft issued a warning that hundreds of Office 365 customers are getting phishing emails trying to trick them into granting OAuth permission that would let attackers create inbox rules, read and write emails and calendar items, and read contacts. The app that requests the permission is called Upgrade and appears to come from a verified publisher. Microsoft has deactivated the malicious app in Azure AD. This is a type of attack called “consent phishing” which tricks the user into granting access without having to hand over passwords. Microsoft says that reports of consent phishing have been on the rise in recent years.

(ZDNet)
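Consent phishing succeeds because the user, not the attacker, hands the app delegated permissions, so the durable control is auditing what third-party apps have been granted. The following is an added example, not code from the story or from Microsoft: it scores OAuth consent grants for the capabilities the story names (inbox rules, mail, calendar, contacts). The grant records are constructed to resemble the shape of Microsoft Graph oauth2PermissionGrants objects, and the scope-to-capability mapping reflects standard Graph delegated permission names as I understand them; the client ids and allow-list are hypothetical.

```python
"""Flag OAuth consent grants that give an unvetted app mailbox-level access."""
from dataclasses import dataclass

# Delegated Graph scopes that correspond to the capabilities described in the
# story (assumed mapping; MailboxSettings.ReadWrite is what managing inbox rules
# requires, Mail.ReadWrite covers reading and writing messages).
RISKY_SCOPES = {
    "MailboxSettings.ReadWrite": "create or change inbox rules",
    "Mail.ReadWrite": "read and write mail",
    "Mail.Read": "read mail",
    "Calendars.ReadWrite": "read and write calendar items",
    "Contacts.Read": "read contacts",
}


@dataclass
class Finding:
    client_id: str   # service principal (app) that holds the grant
    principal: str   # user who consented, or "all users" for admin consent
    risky: list      # sorted risky scope names present in the grant


def audit_grants(grants, known_good_clients):
    """Return one Finding per grant that gives a non-allow-listed app a risky scope."""
    findings = []
    for g in grants:
        client = g["clientId"]
        if client in known_good_clients:
            continue                      # vetted app: nothing to report
        scopes = set(g.get("scope", "").split())   # Graph stores scopes space-separated
        risky = sorted(scopes & RISKY_SCOPES.keys())
        if risky:
            who = "all users" if g.get("consentType") == "AllPrincipals" else g.get("principalId", "?")
            findings.append(Finding(client, who, risky))
    return findings


# Constructed sample grants: one vetted mail client, one user-consented unknown app.
SAMPLE_GRANTS = [
    {"clientId": "sp-approved-mail-client", "consentType": "AllPrincipals",
     "scope": "Mail.Read User.Read"},
    {"clientId": "sp-unknown-upgrade-app", "consentType": "Principal", "principalId": "user-42",
     "scope": "openid profile Mail.ReadWrite MailboxSettings.ReadWrite Contacts.Read"},
]

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, {"sp-approved-mail-client"}):
        print(f.client_id, f.principal, [RISKY_SCOPES[s] for s in f.risky])
```

In a real tenant the grant list would come from the oauth2PermissionGrants endpoint and each finding would be a candidate for revocation; restricting user consent to verified publishers and low-impact scopes removes the class of finding entirely.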

US says national water supply ‘absolutely’ vulnerable to hackers

Cyber defenses for US drinking water supplies are “absolutely inadequate” and vulnerable to large-scale disruption by hackers, a senior official said Thursday. “There’s inadequate resilience to even a criminal sector,” the official said. “The threshold of resilience is not what it needs to be.” President Joe Biden has attempted to address infrastructure cybersecurity but is limited by the fact that the vast majority of services are provided by private, not government, companies. US officials who spoke to reporters on condition of anonymity rolled out a plan to get the 150,000 systems that serve 300 million Americans to cooperate with the government by sharing information and hardening defenses.

(SecurityWeek)
