Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion.
REvil closed down
The ransomware group REvil has been hacked and forced offline this week by a multi-country operation, according to three private-sector cyber experts working with the United States and one former official. Law enforcement and intelligence cyber specialists were able to compromise REvil's network infrastructure, gaining control of at least some of the group's servers. Some, including Bleeping Computer, believe this might be the end of REvil.
Ransomware hackers reportedly targeted 3 different US water facilities this year alone
A joint advisory, published Thursday by CISA, the FBI, the NSA, and the EPA, reveals three previously undisclosed ransomware incidents at water systems across the country. The advisory states that most of the incidents took place over the past several months without public disclosure. The attacks occurred in Nevada, Maine, and California, and in each case targeted the facilities' supervisory control and data acquisition (SCADA) system, the operational technology layer that utilities and other large organizations use to remotely monitor and control industrial processes.
Google gives away 10,000 free security keys to high-risk users
Google is providing 10,000 high-risk users with free hardware security keys, with the aim of better protecting their accounts from hackers. Google says it is sending out the free Titan two-factor authentication (2FA) security keys, which provide a phishing-resistant second factor, to groups such as politicians, journalists, and human rights activists, who are considered particularly at risk from state-sponsored attackers. Users who enroll in Google's Advanced Protection Program (APP) and use a hardware security key will need both their password and the physical key to log into their account. Meanwhile, Google's less secure sign-in methods, which are weaker than a hardware key, will no longer work for those accounts. Google's announcement comes in the wake of the company displaying alerts to approximately 14,000 users that their accounts had been targeted by Russia-backed hackers.
Twitter suspends accounts used for cyberattacks against security researchers
According to Google Threat Analysis Group analyst Adam Weidemann, the accounts @lagal1990 and @shiftrows13 were suspended for being used by North Korean hackers posing as security researchers who "leaned on the hype of 0-days to gain followers and build credibility." First documented in January 2021, the campaign involves creating fake profiles across platforms including Twitter, LinkedIn, Keybase, and GitHub. The group used the accounts to establish communication with security researchers and then either lured their targets to a blog that served zero-day browser exploits or sent them a malicious Visual Studio project file containing a backdoor. Twitter has now suspended the accounts on its platform.
Zerodium solicits VPN zero-day vulnerabilities
On Tuesday, exploit broker Zerodium announced its intention to buy zero-day vulnerabilities in the Windows clients of the VPN providers ExpressVPN, NordVPN, and Surfshark. Founded in 2015, Zerodium purchases zero-day exploits in a variety of applications and then resells them to government and law enforcement agencies. The company runs a bug acquisition program on its site, where security researchers can sell their exploits for up to $2.5 million. The acquisition drive appears to be driven by cybercriminals' increased use of VPN services to hide their real-world location when connecting to victim networks. However, privacy-conscious users who rely on VPN apps to browse the web from oppressive countries may be less enthusiastic about the announcement, as it is not clear to which customers and which countries Zerodium sells its exploits.
Thanks to our episode sponsor, Tessian and the Human Layer Security Summit
FCC takes aim at spam texts
As the federal government has worked to crack down on robocalls, a report from RoboKiller highlights that more than 47 billion spam texts have been sent so far in 2021, up 55% from the year before. The FCC received roughly 14,000 complaints about unwanted text messages in 2020, up 146% from the year prior. In 2021, the commission has already received nearly 10,000 such complaints, many of which relate to Covid-19 scams. On Monday, the FCC’s acting chairwoman, Jessica Rosenworcel, announced she will ask the commission to create a new set of federal rules that would govern spam texts and could include requiring phone providers to block spammers at the network level. Rosenworcel noted, “In a world where so many of us rely heavily on texting to stay connected with our friends and family, ensuring the integrity of this communication is vitally important.”
US to require licenses for export of hacking tools
The US Commerce Department announced new rules that would require a special license from the Bureau of Industry and Security to export or resell any hacking software and hardware to China and Russia, as well as other countries of concern. According to Commerce Department officials, these rules are not intended to prevent American security researchers from working with colleagues overseas. The department already has similar rules in place on products containing encryption. Software to be used for cyberdefense purposes does not require a license. The new rules go into effect in 90 days.
Decline in ransomware claims could spark change for cyber insurance
New research indicates that ransomware attack and payment claims are in decline as resiliency becomes a priority for organizations. Corvus Insurance's Risk Insights Index shows that while ransomware claims rose from Q2 2020 through Q1 2021, they dropped by 50% in Q2 2021, a trend that largely held through Q3 2021. The firm attributes the change to policyholders' improved focus on preparedness and resiliency, with strategies such as effective backup management allowing faster and more complete recovery from ransomware. The report also noted that a company with 250 or more employees is 216% more likely to sue its technology vendor than a company with 10 or fewer employees.
Research finds consumer-grade IoT devices showing up on corporate networks
Increasing numbers of “non-business” Internet of Things devices are showing up inside corporate networks, Palo Alto Networks has warned, saying that smart lightbulbs and internet-connected pet feeders may not feature in organisations’ threat models. The company surveyed 1,900 IT decision-makers across 18 countries including the UK, US, Germany, the Netherlands and Australia, finding that just over three quarters (78 per cent) of them reported an increase in non-business IoT devices connected to their org’s networks, including smart lightbulbs, heart rate monitors, gym equipment, coffee machines, and even pet feeders.
FIN7 tries to trick pentesters into launching ransomware attacks
The group, known for its ATM hacking malware and for its reported role in the Colonial Pipeline incident, is attempting to join the highly profitable ransomware space by creating fake cybersecurity companies that conduct network attacks under the guise of penetration testing. It set up a new firm to lure legitimate IT specialists, offering between $800 and $1,200 per month to recruit programmers, Windows system administrators, and reverse-engineering specialists, whose assigned "pentest" work would in practice consist of mapping compromised corporate systems, performing network reconnaissance, and locating backup servers and files.