Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion.
Email scammers posed as DOT officials in phishing messages focused on $1 trillion bill
Shortly after Congress took action on a $1 trillion infrastructure bill, hackers posing as U.S. Transportation Department officials offered fake project bid opportunities to lure companies into handing over Microsoft credentials, researchers say. The ploy included layers of attempts to disguise the malicious appeals as authentic government solicitations, and even eventually led the would-be victims back to the actual Department of Transportation website. “In what may be an ironic twist, the phishers also copied and pasted in a real warning about how to verify actual U.S. government sites,” security researcher Roger Kay of the firm INKY stated. “The victim might have noticed that something was up if they had realized that the phishing site domain ended in .com rather than .gov or .mil.”
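The verification rule quoted above (a real U.S. government site ends in .gov or .mil) is easy to state but easy to get wrong by eye, because the phishing domain can bury "gov" anywhere but the last label. The following added example, which is not from INKY or the original article, applies that rule to a link the way a mail-filter or a security-awareness tool would: it extracts the real hostname (so a link written as `https://dot.gov@bids-example.com/` is not mistaken for dot.gov), checks the last label against .gov and .mil, and separately flags hostnames that merely contain "gov" as lookalikes. All hostnames in the usage are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Top-level domains the copied warning tells readers a real U.S. government site ends in.
GOVERNMENT_TLDS = frozenset({"gov", "mil"})


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of a link, or None if it has none.

    urlsplit() discards userinfo and ports, so a link written as
    "https://dot.gov@bids-example.com/" yields "bids-example.com", not "dot.gov".
    """
    if "://" not in url:
        url = "https://" + url  # bare hostnames, as they often appear in email text
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.rstrip(".").lower()  # drop a trailing FQDN dot, normalise case


def classify_link(url: str) -> str:
    """Classify a link by the rule quoted in the article.

    Returns:
      "government" - the hostname's last label is gov or mil
      "lookalike"  - gov/mil appears as an earlier label, or some label contains
                     "gov", but the real top-level domain is something else
      "other"      - any other hostname
      "no-host"    - the link has no hostname at all
    """
    host = hostname_of(url)
    if host is None:
        return "no-host"
    labels = host.split(".")
    if len(labels) >= 2 and labels[-1] in GOVERNMENT_TLDS:
        return "government"
    # Only the last label decides the TLD; "gov" anywhere else is a warning sign.
    if any(label in GOVERNMENT_TLDS or "gov" in label for label in labels[:-1]):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample links: one real-looking government host and three impostors.
    for link in [
        "https://www.transportation.gov/",
        "https://transportation.gov.bids-example.com/",
        "https://dot.gov@bids-example.com/login",
        "https://www.dot-gov-bids.com/",
    ]:
        print(f"{classify_link(link):<11} {link}")
```

A "government" verdict only says the registrable TLD is .gov or .mil; it is the specific check the phish's own pasted warning describes, not proof that a page is benign, and the "lookalike" class is deliberately conservative so that it can be surfaced to a user or a reviewer rather than silently dropped.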
Epik confirms it got hacked
Following an alleged hack by the hacktivist group Anonymous, the web host Epik confirmed an “unauthorized intrusion” to its systems. The 180GB of leaked data from the hack includes over 15 million email addresses belonging to both Epik’s customers and non-customers. Non-customer emails were obtained by Epik when it scraped WHOIS records of domains it didn’t own. These emails have been obtained by the data leak alert service HaveIBeenPwned. Other data in the leak includes names, phone numbers, physical addresses, purchases and passwords stored in various formats. Ars Technica reports that some of these records contained dated information that is no longer accurate. Epik did not confirm if credit card info was included in the breach, but encouraged customers to contact card issuers as a precaution.
Ransomware hammers banking
According to a new report by Trend Micro, the banking industry was disproportionately impacted by ransomware in the first half of 2021. Overall the industry saw attacks up 1,318% on the year, with analysts saying this is likely due to a perceived higher likelihood of a payout for the attackers. While ransomware was a dominant threat in the first half of the year, Trend Micro also found that business email compromise attacks increased only 4%, that the number of exploited zero-day attacks dropped a slight 2%, and that hundreds of malicious apps tried to exploit COVID-19 scams. Overall, cryptominers were the most detected malware in the 6-month period.
Farming group warns of supply chain chaos after ransomware attack
An Iowa agricultural group hit by ransomware over the weekend says the attack's impact on the US public could be worse than that of the Colonial Pipeline incident. The attack has been traced to BlackMatter, a group that some believe has links to the DarkMatter outfit responsible for the Colonial Pipeline outage in May. This attack targeted New Cooperative, a major US grain producer, with a $5.9m ransom demand. The outage threatens public disruption to the grain, pork, and chicken supply chain since 40% of grain production runs on the cooperative's software. ADDENDUM: A second farming cooperative, Minnesota-based Crystal Valley, has also shut down.
Thanks to our episode sponsor, Kanu Solutions
Key lawmakers to CISA: Let us send you more money, power
Two separate House committees have this year advanced legislation to give CISA a total of $800 million more to add to its current $2 billion total budget. Those proposed funds come on top of another extra $650 million that Congress and President Biden provided to CISA in March through the American Rescue Plan. Both chambers of Congress are also contemplating legislation that would make CISA the hub where vital companies would report major cybersecurity incidents, following the string of monumental cyberattacks that began with the SolarWinds breach in December, as well as giving the CISA director a five-year term, to insulate the agency against politics.
Now we have to worry about PhaaS
Microsoft’s security team announced it discovered a Phishing-as-a-Service organization dubbed BulletProofLink, which provides phishing services to cybercriminal organizations. Clients pay BulletProofLink $800 to register, after which it provides built-in hosting for phishing URLs, email-sending services, and credential collection from attacks. BulletProofLink also maintains a separate store for new phishing email templates. Interestingly, Microsoft also saw signs that the organization is keeping copies of compromised credentials for its own purposes. Microsoft described the group as “technically advanced,” evidenced by the group using hacked sites to host phishing pages.
REvil double-crosses ransomware affiliates using sneaky backdoor tactics
New reports confirm that the REvil ransomware-as-a-service (RaaS) operation has been scamming its affiliates out of their ransom payments. In REvil’s ransomware model, developers create the malware and maintain the underlying infrastructure, and then recruit affiliates to attack victims, dividing the proceeds between the two parties with affiliates taking the larger cut (typically 70-80%). Yelisey Boguslavskiy, head of research at Advanced Intel, said that when talks reached a critical point, REvil would use a backdoor in its software to take over the chat, posing as the victim refusing to pay, and would then continue the negotiations with the victim in order to obtain the full ransom payment. Boguslavskiy added that since at least 2020, claims of REvil’s scam have been made by various actors on underground forums.
Who watches the watchers? iOS 15 evidently
Apple released iOS 15 this week, and one of the new features in the Privacy settings is “Record App Activity.” Users can either wait a few days for the OS to generate a report in Settings, or export a JSON file with the data at any time. According to developer documentation, this feature will show whether an app accesses the photo library, camera, microphone, contacts, the media library, location, or screen sharing, and which domains an app reaches out to.
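The exported JSON is most useful when it is summarized per app and compared with what each app is expected to need. The following added example, which is not Apple's code and not from the original article, does that for a newline-delimited JSON export: it tolerates malformed lines, counts resource accesses and contacted domains per bundle identifier, and flags apps that touched a category outside a constructed allowlist. The record shape (`type`, `accessor.identifier`, `category`, `kind`, `bundleID`, `domain`, `hits`) and the sample report are assumptions constructed for this example, not a statement of Apple's documented schema; adapt the field names to a real export.

```python
import json
from typing import Any, Dict, List, Set

# Constructed sample report in the newline-delimited JSON shape this example ASSUMES.
# Field names are an assumption for illustration, not Apple's documented format.
SAMPLE_REPORT = "\n".join([
    '{"type":"access","accessor":{"identifier":"com.example.socialapp","identifierType":"bundleID"},"category":"photos","kind":"intervalBegin","timeStamp":"2021-09-22T10:15:00.000-07:00"}',
    '{"type":"access","accessor":{"identifier":"com.example.socialapp","identifierType":"bundleID"},"category":"photos","kind":"intervalEnd","timeStamp":"2021-09-22T10:15:03.000-07:00"}',
    '{"type":"access","accessor":{"identifier":"com.example.flashlight","identifierType":"bundleID"},"category":"location","kind":"intervalBegin","timeStamp":"2021-09-22T11:02:10.000-07:00"}',
    '{"type":"access","accessor":{"identifier":"com.example.flashlight","identifierType":"bundleID"},"category":"location","kind":"intervalEnd","timeStamp":"2021-09-22T11:02:11.000-07:00"}',
    '{"type":"networkActivity","bundleID":"com.example.flashlight","domain":"tracker.example.net","context":"","firstTimeStamp":"2021-09-22T11:02:12.000-07:00","hits":12}',
    '{"type":"networkActivity","bundleID":"com.example.socialapp","domain":"api.socialapp.example","context":"","firstTimeStamp":"2021-09-22T10:15:04.000-07:00","hits":3}',
    'not json at all',  # a truncated or corrupted line must not abort the whole parse
])

# Constructed allowlist: the categories each app is expected to need (hypothetical apps).
EXPECTED_CATEGORIES: Dict[str, Set[str]] = {
    "com.example.socialapp": {"photos", "camera", "contacts"},
    "com.example.flashlight": set(),
}


def parse_report(text: str) -> List[Dict[str, Any]]:
    """Parse one JSON object per line, silently skipping lines that are not objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records


def summarize_report(text: str) -> Dict[str, Dict[str, Dict[str, int]]]:
    """Per bundle id: how often each resource category was accessed and which
    domains were contacted (summed hits). Only intervalBegin events are counted so
    that a begin/end pair is one access, not two."""
    summary: Dict[str, Dict[str, Dict[str, int]]] = {}

    def app(bundle: str) -> Dict[str, Dict[str, int]]:
        return summary.setdefault(bundle, {"categories": {}, "domains": {}})

    for rec in parse_report(text):
        if rec.get("type") == "access" and rec.get("kind") == "intervalBegin":
            bundle = rec.get("accessor", {}).get("identifier")
            category = rec.get("category")
            if bundle and category:
                cats = app(bundle)["categories"]
                cats[category] = cats.get(category, 0) + 1
        elif rec.get("type") == "networkActivity":
            bundle, domain = rec.get("bundleID"), rec.get("domain")
            if bundle and domain:
                doms = app(bundle)["domains"]
                doms[domain] = doms.get(domain, 0) + int(rec.get("hits", 1))
    return summary


def unexpected_access(summary: Dict[str, Dict[str, Dict[str, int]]],
                      expected: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Apps that accessed a category not in their allowlist (unknown apps get none)."""
    flagged: Dict[str, Set[str]] = {}
    for bundle, info in summary.items():
        extra = set(info["categories"]) - expected.get(bundle, set())
        if extra:
            flagged[bundle] = extra
    return flagged


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    for bundle, info in summary.items():
        print(bundle, "accessed", info["categories"], "contacted", info["domains"])
    print("unexpected:", unexpected_access(summary, EXPECTED_CATEGORIES))
```

On the constructed sample the flashlight app is flagged for reading location, and its single contacted domain is listed next to that access, which is the kind of pairing (a permission the app has no plausible use for, plus outbound traffic) that the report is meant to make visible.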