This week’s Cyber Security Headlines – Week in Review, May 16-20, is hosted by Rich Stroffolino with our guest, Jerich Beason, CISO, Commercial Bank, CapitalOne
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
VMware bugs abused to deliver Mirai malware, exploit Log4Shell
Researchers say a GitHub proof-of-concept exploit for recently announced VMware bugs is being abused by hackers in the wild, who are focused on using it to deliver Mirai denial-of-service malware and exploit the Log4Shell vulnerability. “Researchers analyzed the attacks and payloads detected by Barracuda systems between April and May and found a steady stream of attempts to exploit two recently uncovered VMware vulnerabilities: CVE-2022-22954 and CVE-2022-22960,” says a report from Barracuda. CISA has released an emergency bulletin that requires emergency action from Federal Civilian Executive Branch agencies to either immediately implement the updates or remove the affected software from their networks until the updates can be applied.
(Threatpost and CISA)
93% of orgs have suffered a data-related business disruption
The 2022 State of Ransomware and Disaster Preparedness survey from the International Data Corporation (IDC) found that, last year, 60% of medium and large organizations in North America and Western Europe suffered irrecoverable data loss, up from 43% the previous year. Seventy-nine percent of organizations indicated they activated a disaster recovery response over the last twelve months, with nearly two thirds (61%) attributing these incidents to ransomware or other malware. Respondents reported an average of 19.3 attacks (all types) and 2.3 ransomware attacks in the past year, with 93% of organizations suffering a data-related business disruption over the same period.
Phishing attacks surge in Q1
Security researchers from Kroll found that phishing emails as an initial attack vector increased 54% year over year in Q1. This rise caused incidents tied to email compromise to surpass ransomware for the first time in a year. Kroll pins the uptick on a rise in activity from both the Emotet and IcedID malware families. Once attackers had used phishing to establish an initial beachhead, their methods varied widely, from dropping ransomware and other malware to, in some cases, attempting extortion based solely on stolen data without any accompanying encryption. Attackers generally did not rely on phishing emails alone as an initial attack vector, but also attempted to exploit vulnerabilities such as ProxyLogon and Log4Shell.
Thanks to today’s episode sponsor, Torq

False. You should automate routine, repetitive tasks that are not subject to much conditional variance. But workflows that can’t be reliably managed by automation tools, such as assessing the financial consequences of a breach or determining whether a security incident should trigger an application rollback, should remain the domain of humans. To learn more about the realities of automation, head to torq.io.
North Korean devs pose as US freelancers to aid DPRK govt hackers
The U.S. government is warning that the Democratic People’s Republic of Korea (DPRK) is dispatching its IT workers to get freelance jobs at companies across the world to obtain privileged access that is sometimes used to facilitate cyber intrusions. To get into the desired position, North Korea’s IT workers often pretend to be teleworkers located in the U.S. or another non-sanctioned country. To obfuscate their true identity and pass as an individual from a non-sanctioned country, North Korean IT workers often change their names, use virtual private network (VPN) connections, or use IP addresses from other regions. The US Treasury has published an advisory that helps organizations identify these workers. A link to the advisory is included in the show notes for this episode at CISOSeries.com: https://home.treasury.gov/system/files/126/20220516_dprk_it_worker_advisory.pdf
Costa Rican ransomware rhetoric somehow gets uglier
The Conti ransomware group posted messages on their leak site notifying the Costa Rican government it raised its ransom demands to $20 million worth of cryptocurrency, and threatening to “overthrow” the government of newly elected President Rodrigo Chaves. Conti already leaked 97% of 670GB of data stolen from government agencies, leading the government to declare a state of emergency. Conti’s ransomware attacks have had significant impacts on digital services from the government, leading the Finance Ministry to tell citizens to calculate taxes by hand and pay them at local banks, rather than through an online portal.
Trying to fix open source supply chain security
After meeting with officials in the Biden administration, the Linux Foundation and Open Source Security Foundation announced plans to invest over $150 million over the next two years to make the open source software supply chain more secure. This comes as part of an overall 10-point plan to boost open source security. A group of tech companies including Amazon, Ericsson, Google, Intel, Microsoft and VMware already pledged $30 million in initial funding. As part of this, Google Cloud said it would launch an Open Source Maintenance Crew, a dedicated team of engineers who will work directly with upstream open source maintainers.
D-Wave deploys first US-based Advantage quantum system
Quantum computing outfit D-Wave Systems has announced the availability of an Advantage quantum computer that is accessible via the cloud but physically located in the US. D-Wave reported that the newly deployed system is the first of its Advantage line of quantum computers available via its Leap quantum cloud service. The new system is based at the University of Southern California, as part of the USC-Lockheed Martin Quantum Computing Center hosted at USC’s Information Sciences Institute. That location may appeal to US organizations interested in evaluating quantum computing, which are likely to want the assurance of accessing facilities based in the same country.