This week’s Cyber Security Headlines – Week in Review, Sep 27–Oct 1, is hosted by Rich Stroffolino with our guest, Steve Zalewski, co-host, Defense in Depth

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion.

New Cooperative ransomware negotiations get hijacked

Following up on a story we brought you last week: less than 48 hours before the deadline arrived for Iowa-based grain organization New Cooperative to pay a ransom to BlackMatter, the negotiation chat was hijacked by a troll. The chat, which was occurring on Tor, included defiant and aggressive commentary from the supposed victim’s side, suggesting that BlackMatter actually deposit some bitcoin in their account as a good-faith demonstration, and used the catchphrase most often associated with Anonymous, “We are legion,” before adding, “no more chicken, pork and grain for you.” Cybersecurity experts say this is another example of how hijacking of negotiations is entirely possible and can add complications for victims.

(Cyberscoop)

FBI had ransomware decryption key for weeks before giving it to victims

The effects of the Kaseya ransomware attack, which occurred in July and affected as many as 1,500 companies worldwide, could have been lessened, but weren’t. A new report from the Washington Post shows that, shortly after the attack, the FBI came into possession of a decryption key that could unlock victims’ data, but instead of sharing it, the bureau kept it secret for approximately three weeks. They did this, they said, as part of a plan to “disrupt” REvil, the gang behind the attack, and didn’t want to tip their hand. But before the FBI could put its plan into action, the gang mysteriously disappeared. The bureau finally shared the decryption key with Kaseya on July 21—about a week after the gang had vanished.

(Gizmodo)

New leak of Epik data exposes company’s entire server

Anonymous has released what it claims to be new data from the controversial web hosting company Epik in a leak it is calling “The B Sides.” This is a follow-on from the breach of Epik earlier this month, and this time, it says it has leaked “several bootable disk images of assorted systems” in a roughly 70GB torrent file. A Texas-based hacker and cybersecurity expert with the handle WhiskeyNeon, who reviewed the file structure of the leak, told the Daily Dot that the disk images represent Epik’s entire server infrastructure, with all the programs and files required to host the applications it serves. The data includes API keys and plaintext login credentials not only for Epik’s systems but for Coinbase, PayPal, and the company’s Twitter account.

(DailyDot)

NSA and CISA share guidelines for securing VPNs

On Tuesday, the National Security Agency and the Department of Homeland Security’s cyber wing published guidelines for securing VPNs, cautioning that foreign government-backed hackers are actively exploiting vulnerabilities in virtual private network devices. NSA warned that unfortified VPNs are at risk of attacks from advanced persistent threat groups that exploit publicly disclosed security flaws listed in the Common Vulnerabilities and Exposures (CVE) database. The latest recommendations include selecting VPNs from reputable vendors, patching known vulnerabilities, and running only the features that are “strictly necessary.” The guidance comes as NSA and CISA focus on defenses against threats to federal agency employees who have shifted to working from home as a result of the COVID-19 pandemic.

(Cyberscoop)

Thanks to our episode sponsor, VMware

ACCELERATE YOUR OWN ZERO TRUST JOURNEY. The strongest defense against modern threats comes from a Zero Trust posture. The trick is getting there — quickly and easily — from where you already are. At VMworld 2021 we’ll show you how we help you operationalize Zero Trust whatever your starting point. Learn how to get the strongest security for your workloads and workspaces across your Multi-Cloud and Edge with solutions that protect inside and cross-cloud — from the API level and up — all the way to the workspace. Strength flows from the convergence of security and the network, distributed everywhere your data and endpoints are. The Networking, Security and Edge Tracks have a variety of value-packed breakout sessions. Join thousands of your peers by registering now at vmware.com/vmworld.

Delaware develops cybersecurity education program for senior citizens

According to the FBI 2020 Internet Crime Report, people over the age of 60 reported being victims of cybercrime more than any other age group, with losses totaling over $965 million in 2020 nationwide. Now Delaware, the state which dubbed October “Cyber Security Awareness Month,” has introduced an educational cybersecurity program for senior citizens through its Department of Technology & Information. The program will cover the benefits of multi-factor authentication, identifying spam calls and phishing emails, and protecting social media and email accounts.

(Security Magazine)

Now we have to worry about ransomware targeting backups

Conventional wisdom is that good backups, coupled with a good recovery strategy, are critical for combating the threat of ransomware. A new report from the cyber-risk prevention firm Advanced Intelligence shows that ransomware operators are keenly aware of this, with the Conti ransomware operators particularly focusing on backed-up data. Research has shown that the need to restore data is the primary motivator in Conti ransomware negotiations, with extortion over published exfiltrated data a secondary concern. Conti’s focus on backups starts at the team-building level, recruiting candidates based on that skill. The ransomware gang is particularly focused on compromising backup software from disaster-recovery firm Veeam.

(ThreatPost)

Cybercriminals bypass 2FA and OTP with robocalling and Telegram bots

According to a new report from cybercrime intelligence firm Intel 471, the latest development in 2FA bypassing involves the use of robocalls with interactive messages that are meant to trick users into handing over their one-time passwords (OTPs) in real time, as attackers are trying to access their accounts. All of this is automated and controlled using Telegram-based bots, much like teams in organizations use Slack bots to automate workflows. At their core, these are social engineering attacks with a high level of automation.

(CSO Online)