This week’s Cyber Security Headlines – Week in Review, July 19-23, 2021, is hosted by Steve Prentice (@stevenprentice) with our guest, Shawn M. Bowen, CISO, World Fuel Services

Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.

Akamai goes down, shakes up some big names

An issue affecting Akamai's Edge DNS service took a number of sites offline in the early afternoon of July 22nd. LastPass, Cloudflare, AWS, and Oracle Cloud were among the many impacted services. Akamai said it began rolling out a fix around 1pm ET, with services gradually coming back online, and stated that the issue was not the result of a cyber attack, although it announced no underlying cause.


Cyberattacks increased 17% in Q1 of 2021, with 77% being targeted attacks

This, according to a new Positive Technologies Cybersecurity Threatscape Q1 2021 report. Cybercriminals most often attacked government, industrial, and science and education institutions. The main motive for attacks on both organizations and individuals remains the acquisition of data. Other findings in the report include: ransomware is still the malware most often used by attackers; the vulnerabilities most exploited this quarter were those in Microsoft Exchange Server, Accellion, and SonicWall VPN products; and more cybercriminals are developing malware to attack virtualization environments.

(Security Magazine)

Saudi Aramco data breach sees 1TB of stolen data for sale

The world's largest oil producer, and possibly the biggest company in the world, has been informed that its stolen data is now available for sale by a group named ZeroX, at a starting price of $5 million for the entire dump. The hackers claim to have performed a "zero-day exploitation" of Aramco's "network and its servers" sometime in 2020. The group says the dump includes documents pertaining to Saudi Aramco's refineries in multiple Saudi Arabian cities, including employee IDs and PII, project specs for electrical and other infrastructure, network layouts mapping out IP addresses, SCADA points, Wi-Fi access points, IP cameras, and IoT devices, plus location maps and precise coordinates. Saudi Aramco has pinned the incident on third-party contractors and states that it had no impact on Aramco's operations.

(Bleeping Computer)

When will infrastructure attacks turn lethal?

Analysts at Gartner estimate that by 2025 threat actors will have weaponized operational technology environments to harm or kill people. Gartner classifies these as "cyber-physical attacks," covering things like electronic medical equipment and physical infrastructure. The firm estimates that by that year these attacks will cost companies $50 billion in IT remediation, litigation, and compensation. Overall, Gartner recommends that firms shift the focus of their threat management toward real-world harm rather than information theft.


Thanks to our episode sponsor,

The first time we got hit with ransomware it took us weeks to recover. The second time we got hit, it took us two hours. Why? Because we had Varonis. Varonis reduces the ransomware blast radius and monitors our most important data, automatically. Hear more at

China fires back at US after Exchange hack accusations

Following up on a story Cyber Security Headlines covered yesterday, in which the US and its allies pinned the Microsoft Exchange attacks on hackers affiliated with China's Ministry of State Security, Chinese foreign-ministry spokesman Zhao Lijian rejected the accusations and in turn accused the US of being the largest purveyor of cyberattacks targeting Chinese aerospace, science and research institutions, the oil industry, government agencies, and internet companies over the last 11 years. He accused the US of carrying out targeted attacks on Chinese devices, wiretapping its competitors and allies, and pushing NATO toward a cybersecurity alliance that Zhao claims will "undermine international peace and security."

(The Record)

Ransomware negotiation logs published

Over 100 pages of ransomware negotiation transcripts from the now-defunct Egregor operators, covering 45 different negotiations, were analyzed by IBM Security X-Force and its partner company Cylera. While Egregor operated on a ransomware-as-a-service model, negotiations are believed to have been handled by its core team. The chats revealed likely roles within the internal Egregor team and how the operators derived their initial ransom demands. They showed occasional empathy, such as offering to decrypt a charity's systems without a ransom, but otherwise the operators always leaked stolen data if a ransom wasn't paid. Overall, the analysis showed that negotiating with the operators resulted in lower ransoms. (CyberScoop)

Unpatched iPhone bug allows remote device takeover

An Apple iOS bug previously believed to cause only low-risk denial-of-service issues turns out to be much nastier. The original DoS issue was addressed in iOS 14.6; however, researchers from ZecOps successfully exploited a Remote Code Execution (RCE) bug they have dubbed "WiFiDemon," which allows an attacker who sets up a rogue Wi-Fi hotspot to take over the phone, install malware, and steal data, even on an updated iOS. The researchers explained that the vulnerability lies in the "wifid" daemon, which runs as root and mishandles network names containing % and @ characters, interpreting them as format directives rather than plain data. The vulnerability is expected to be patched within the next week; until then, users are urged to disable the Wi-Fi Auto-Join feature in their iPhone Settings and avoid connecting to unknown Wi-Fi hotspots, especially any whose name contains the @ symbol.
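The bug class behind a daemon that "misinterprets" a % in a network name is the classic format-string mistake: attacker-controlled text is passed where a constant format belongs. The following is an added illustration written for this page, not Apple's wifid code (which is closed source) and not ZecOps' exploit. It contrasts the vulnerable pattern with the hardened one using a constructed SSID, and adds a simple pre-check a practitioner might log on; the function names and the sample SSID are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample SSID for the demo: it contains printf-style
 * directives. Nothing here is a real network observed in the wild. */
static const char *SAMPLE_SSID = "%p%s%s%s%s%n";

/* Shared output buffer so the functions below can return their result
 * for inspection (simplifies testing; a real daemon would not do this). */
static char g_msg[128];

/* VULNERABLE PATTERN (kept only for contrast; never call with untrusted
 * input): the SSID itself becomes the format string, so "%s" reads
 * arbitrary stack values and "%n" writes to memory. This is the shape of
 * bug the page describes; it is hypothetical code, not wifid's. */
const char *describe_join_vulnerable(const char *ssid) {
    snprintf(g_msg, sizeof g_msg, ssid); /* BUG: non-constant format */
    return g_msg;
}

/* HARDENED: a constant format string, with the SSID passed as an argument.
 * Every character of the SSID, including '%', is copied through as data. */
const char *describe_join_safe(const char *ssid) {
    snprintf(g_msg, sizeof g_msg, "joined network \"%s\"", ssid);
    return g_msg;
}

/* Cheap pre-check for logging or alerting: does the SSID contain a '%'?
 * Every printf-style directive (including Objective-C's %@, which is why
 * the page singles out the @ symbol) begins with '%'. Returns 1 if so. */
int ssid_has_format_directive(const char *ssid) {
    return strchr(ssid, '%') != NULL;
}

int main(void) {
    /* Only the safe path is exercised; the vulnerable one is undefined
     * behaviour on this input and is shown purely for comparison. */
    printf("suspicious: %d\n", ssid_has_format_directive(SAMPLE_SSID));
    printf("%s\n", describe_join_safe(SAMPLE_SSID));
    return 0;
}
```

Compilers flag the vulnerable call (clang by default, GCC with -Wformat-security), so treating that warning as an error in the build is the cheapest systemic fix for this bug class.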


US government launches plans to cut cybercriminals off from cryptocurrency

The Treasury Department has announced that it will support the implementation of anti-money-laundering requirements for virtual currency exchanges and build partnerships with the industry to track the currency in real time. The Financial Crimes Enforcement Network will announce a new public-private information-sharing group that will include financial institutions, technology firms, third-party service providers, and federal government agencies. "The exploitation of virtual currency to launder ransomware proceeds is without question, facilitating ransomware," a senior administration official told reporters. "There's inadequate international regulation of virtual currency activity, which is a key factor in how cybercriminals are able to launder their funds, demand ransomware payments and fuel sophisticated cybercrime as a service business model."