Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.
Insurer AXA hit by ransomware after dropping support for ransom payments
Branches of insurance giant AXA have been struck by a ransomware attack. The Avaddon ransomware group claimed on their leak site that they had stolen 3TB of sensitive data from AXA’s Asian operations. In addition, there was a DDoS attack against AXA’s global websites making them inaccessible for some time on Saturday, and the attack comes just a week after AXA stated that they would be dropping reimbursement for ransomware extortion payments when underwriting cyber-insurance policies in France.
CEOs could face jail time for IoT attacks by 2024
Gartner has warned that as many as 75% of business leaders could be held liable by 2024 due to increased regulations around so-called “cyber-physical systems” (CPSs) such as IoT and operational technology (OT), stating that the financial impact of such attacks on CPSs resulting in fatalities could reach as much as $50 billion by 2023. Katell Thielemann, research vice president at Gartner, states that many business leaders aren’t even aware of the scale of CPS investment in their organization, often because projects have happened outside of the control of IT. Technology leaders in the organization must step up to help CEOs understand the risks that CPSs represent, and why more budget needs to be allocated to operational resilience management (ORM) in order to secure them, she says.
Double encryption ransomware attacks on the rise
These attacks have occurred in the past, typically from separate ransomware organizations compromising the same victim simultaneously. But the antivirus company Emsisoft reported it has seen dozens of examples of threat actors deploying two types of ransomware in a single attack. In some instances the operator will disclose the double encryption scheme up front; in other cases, victims will pay to remove an initial encryption only to then be informed of the other. Attackers can either simply re-encrypt the already encrypted data, or take a side-by-side approach, with the different ransomware strains used on different bits of data. Security researchers say, though, that double encryption doesn’t further complicate efforts to remediate using backups.
Senate to introduce breach notification legislation
A bipartisan group of US Senators, led by Senate Intelligence Chair Mark Warner and Senator Marco Rubio, plans to introduce new legislation in the coming weeks mandating cyberattack reporting by critical infrastructure operators, major IT service providers, and other companies doing business with the government. Lawmakers reportedly began drafting the legislation in the wake of the SolarWinds Orion supply chain attack, with the recent Colonial Pipeline ransomware attack adding urgency to the process.
Thanks to our episode sponsor, Trend Micro
Tech audit of Colonial Pipeline found ‘glaring’ problems in 2018
An outside audit three years ago found “atrocious” information management practices and “a patchwork of poorly connected and secured systems,” according to The Associated Press. Consultant Robert F. Smallwood stated in his 89-page report in January 2018, delivered after a six-month audit, that “an eighth-grader could have hacked into that system.” Colonial said last Wednesday that since 2017, it has hired four independent firms for cybersecurity risk assessments and increased its overall IT spending by more than 50%, although it would neither specify an amount nor identify the firms involved.
In a brief follow-up to the Colonial story, its internal server that runs the communication system that shippers use to track fuel shipments experienced intermittent disruptions on Tuesday. Colonial blamed this on “hardening efforts that are ongoing and part of our restoration process. These issues were not related to the ransomware or any type of reinfection.”
Russian spy chief places SolarWinds blame on US and Britain
In an interview with the BBC broadcast yesterday, Sergei Naryshkin, head of the SVR spy agency, said he was flattered by the accusation of Russian involvement in SolarWinds, due to the sophistication of the hack, but referred to articles by Edward Snowden that “proved” that American spies deliberately weakened a default random number generation algorithm used in RSA products about a decade ago. Observers of the interview suggest this is more a practice of Soviet-era disinformation techniques, now known collectively as the Gerasimov Doctrine. Kaspersky Lab made findings after the SolarWinds attack that the Turla malware crew, which is thought to have links to SVR sister agency the FSB, might have been involved. On top of that, FireEye itself made public some of the Russian cyber unit’s tactics, techniques, and procedures, a move echoed post-attribution by the UK’s National Cyber Security Centre.
Qlocker ransomware operators shut down
Bleeping Computer reports that all Qlocker Tor sites are now inaccessible, leaving victims with no way to pay any ransoms. The sites had recently been displaying “This site will be closed soon” banners. Since April 19th, Qlocker had been operating a ransomware campaign exploiting vulnerabilities in QNAP NAS devices. Initially the operators asked for 0.01 Bitcoin to unlock files, with researchers estimating the operators collected $350,000 in a month. Perhaps an indicator of the approaching shutdown, the operators recently changed to a bait-and-switch approach, asking victims for a further 0.02 Bitcoin after the initial ransom was paid.
Florida water plant compromise came hours after worker visited malicious site
An employee for the city of Oldsmar, Florida, visited a malicious website targeting water utilities just hours before someone broke into the computer system for the city’s water treatment plant and tried to poison drinking water, security firm Dragos said Tuesday. Ultimately, the site likely played no role in the intrusion, but the incident remains unsettling, the security firm said.