Cyber Security Headlines Week in Review: Thomson Reuters leak, LockBit dominates ransomware, Stripe cuts jobs

This week’s Cyber Security Headlines – Week in Review, October 31-November 4, is hosted by Rich Stroffolino with our guest, Marcos Marrero, CISO, H.I.G. Capital.

Cyber Security Headlines – Week in Review is live most Fridays at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com. There will be no show on Friday, November 11 in honor of Veterans Day, but we will be back the following Friday.

Thomson Reuters leaks 3TB of sensitive data

The research team at Cybernews found that the media giant left at least three of its databases open and accessible for several hours, including a 3TB public-facing ElasticSearch database. That database held a trove of sensitive, up-to-date information from across the company’s platforms, including Thomson Reuters plaintext passwords to third-party servers. The company acknowledged the issue and fixed it immediately, but downplayed it, saying it affects only a “small subset of Thomson Reuters Global Trade customers.”

(CybersecurityWorldConference.com)

CISA publishes MFA guidelines

The agency published two fact sheets on the subject, urging all organizations to implement multi-factor authentication as a way to protect against phishing and other advanced cyber threats. One fact sheet deals with the ways threat actors get around weaker MFA implementations, such as phishing, push notification fatigue, and SIM swapping. It recommends using MFA solutions based on FIDO and public key infrastructure. The other outlines how to defend push notification-based MFA if it is the only option available, specifically highlighting number matching. CISA says this approach helps mitigate MFA fatigue in users.

(InfoSecurity Magazine)
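Number matching, which CISA highlights above, changes the push prompt from a yes/no tap into a short number the user must read off the login screen and type into the device. The following is an added example, not code from CISA or any vendor: a hypothetical toy server that issues the number, checks the device response with a constant-time compare, expires the prompt after 60 seconds and voids it after three wrong entries (the session names, time limit and attempt limit are constructed assumptions).

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PushChallenge:
    """One outstanding push prompt for a login session."""
    expected: str      # number shown on the login screen
    created: float     # issue time, in seconds
    attempts: int = 0  # wrong entries seen so far


class NumberMatchingMFA:
    """Server side of push MFA with number matching (hypothetical toy server).

    A plain push prompt only asks "approve this sign-in?", so a user worn down by
    repeated prompts can approve an attacker's login with one tap. With number
    matching, the login screen shows a short number and the push prompt asks the
    user to type it. Whoever receives the prompt without seeing that screen has
    nothing to type but a guess.
    """

    TTL_SECONDS = 60    # prompt lifetime; constructed value
    MAX_ATTEMPTS = 3    # wrong entries before the prompt is voided; constructed value

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested
        self._pending: dict[str, PushChallenge] = {}

    def start_login(self, session_id: str) -> str:
        """Password stage passed: register a push prompt and return the number to display."""
        number = f"{secrets.randbelow(100):02d}"  # two digits, as common products do
        self._pending[session_id] = PushChallenge(number, self._now())
        return number  # shown in the browser only, never sent in the push payload

    def respond_from_device(self, session_id: str, typed: str) -> str:
        """The device reports what the user typed; returns an outcome string."""
        ch = self._pending.get(session_id)
        if ch is None:
            return "denied:no-challenge"
        if self._now() - ch.created > self.TTL_SECONDS:
            del self._pending[session_id]
            return "denied:expired"
        ch.attempts += 1
        if hmac.compare_digest(typed.encode(), ch.expected.encode()):
            del self._pending[session_id]  # single use
            return "approved"
        if ch.attempts >= self.MAX_ATTEMPTS:
            del self._pending[session_id]  # no more guessing through this prompt
            return "denied:locked"
        return "denied:mismatch"


def demo() -> dict:
    """Walk through a legitimate login and a prompt-bombing attempt (constructed scenario)."""
    server = NumberMatchingMFA()
    outcomes = {}

    # Legitimate user: reads the number from her own screen and types it.
    shown = server.start_login("alice-session")
    outcomes["legit"] = server.respond_from_device("alice-session", shown)

    # Prompt bombing: someone with Alice's password triggers a prompt, but the
    # number appears on their screen, not hers. A worn-down Alice who taps
    # through can only enter numbers she does not know; three misses void it.
    shown = server.start_login("alice-session")
    guesses = [g for g in ("00", "11", "22", "33") if g != shown][:3]
    outcomes["bombing"] = [server.respond_from_device("alice-session", g) for g in guesses]
    outcomes["after_lock"] = server.respond_from_device("alice-session", shown)
    return outcomes


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The attempt cap and expiry matter as much as the match itself: without them, a prompt that stays open indefinitely lets the person being pestered eventually stumble onto the right two digits.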

A call for more ransomware reporting

If you listen to Cyber Security Headlines every day, it may seem like quite a few ransomware attacks get reported. According to the National Cyber Security Centre Annual Review for 2022, many ransomware events required a “nationally coordinated” response during the year. Yet getting a handle on the true scope of ransomware remains problematic due to spotty reporting. A lack of reporting gives attackers more leverage to demand payment for not leaking exfiltrated data, even with little guarantee that cyber criminals will keep their word. Rather than something to be hushed up, the report recommends that “organizations treat cyber security as a genuine, board-level risk to be managed.”

(ZDNet)

LockBit dominates ransomware

According to Deep Instinct’s 2022 Interim Cyber Threat Report, LockBit accounted for 44% of all ransomware campaigns in the year so far. This compares to 23% of campaigns attributed to Conti and 21% to Hive. The report also corroborated trends we’ve seen in 2022, like threat actors increasingly turning away from document files to spread malware in favor of LNK files and archive email attachments. This comes as a result of Microsoft disabling macros by default in Office documents. The report also predicted a rise in so-called “protestware” over the next 12 months, with organizations self-sabotaging their own software to weaponize it as malware.

(InfoSecurity Magazine)

Threat group rides antivirus software to install malware

Researchers at Kaspersky discovered the China-based threat group Cicada targeting Japanese organizations. The group used a spear-phishing email to prompt the installation of the legitimate K7Security Suite. However, the package also included a malicious DLL that installs the group’s custom LODEINFO backdoor. Because Cicada effectively uses a legitimate security app to sideload the DLL, other security apps may not detect it. Targeted organizations span media groups, diplomatic agencies, and public sector organizations, indicating the group plans to use the backdoor for cyberespionage.

(Bleeping Computer)

Thanks to today’s episode sponsor, Votiro

UFOs are everywhere.
They’re in your applications, cloud storage, endpoints, and emails.
That’s right – UFOs – Unidentified File Objects – are hiding in files across your organization. 
UFOs can contain malware that exfiltrates data or deploys ransomware. And 70% of UFOs can’t be detected by traditional scanning solutions like Anti-Virus and Sandboxing.
That’s where Votiro comes in. Votiro prevents UFOs before they hitch a ride in on files – without detection, and without slowing down business.
Do you believe? Learn more at Votiro.com/UFOs

Most customers would leave retailer after data leak

According to an Akamai survey of UK consumers, 59% of respondents would leave a retailer if it suffered a major cyber security compromise. The same share of respondents said they would advise friends and family to avoid the retailer as a result. Just under half of respondents, 49%, said they don’t trust retailers to keep data safe in general. Customers might not have much of a choice of retailers if this survey carries over into practice: a Sophos survey last month found ransomware attacks compromised 77% of global retailers. 76% of respondents expected retailers to approach cybersecurity by focusing on data protection and security tooling, rather than with educational campaigns.

(InfoSecurity Magazine)

Cyber incident at Boeing subsidiary causes flight planning disruptions

Jeppesen, a wholly-owned Boeing subsidiary that provides navigation and flight planning tools, confirmed on Thursday that it is dealing with a cybersecurity incident that has caused some flight disruptions. A red banner was added to the company’s website on Wednesday, warning that the Colorado-based firm was experiencing “technical issues with some of our products, services, and communication channels.” Although the extent of the disruptions is unclear, the incident is at least impacting the receipt and processing of current and new Notice to Air Missions (NOTAMs) — an industry term for notices filed with aviation authorities to alert pilots of potential hazards along a flight route. Matthew Klint, who runs the Live And Let’s Fly travel blog, reported that the incident was believed to be ransomware.

(The Record)

Stripe to lay off 14% of workforce

The digital payments giant, which was valued at $95 billion in its last funding round, is cutting its headcount by about 14% as startups navigating a tough investment market rush to rein in costs. After the job cuts, Stripe will have about 7,000 employees, according to a Thursday email to employees from founders Patrick and John Collison, which added, “we were much too optimistic about the internet economy’s near-term growth in 2022 and 2023 and underestimated both the likelihood and impact of a broader slowdown.” U.S. technology stocks have been crushed this year as tightening monetary policy and worries of a looming recession soured investor sentiment. The layoffs come months after Stripe cut its internal valuation by 28%, according to a report.

(Reuters)

LastPass warns of security hubris

The password manager released its fifth annual Psychology of Passwords report, which looked at password behaviors among professionals across age ranges. It found a disconnect between confidence in secure behavior and actual practice among Gen Z respondents. They were the most confident in their password management techniques, but were the most likely to use a variation of the same password across sites and relied the most on memorization. 65% of all respondents said they had received some cybersecurity education, but of those, only 31% stopped reusing passwords as a result. Almost all respondents, 89%, recognized reusing passwords as a risk, but only 12% used different passwords on different accounts.

(Dark Reading)

Dropbox breached

The cloud storage provider disclosed the breach, in which threat actors gained access to one of its GitHub accounts through a phishing attack. This led to the theft of 130 code repositories. GitHub notified Dropbox of suspicious behavior on October 14th. Dropbox said the repositories contained credentials, such as API keys used by its developers. The attackers also obtained names and emails of a few thousand “Dropbox employees, current and past customers, sales leads, and vendors.” The stolen code did not include code for its core apps or infrastructure, and the attackers never accessed customer accounts, passwords or payment info.

(Bleeping Computer)
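The Dropbox item above notes that the stolen repositories contained API keys, which is the second-order risk of any source code theft. A common mitigation is to scan commits for secret-like strings before they land. The following is an added example, not Dropbox’s or GitHub’s tooling: a small scanner that applies two public key-prefix formats (AWS access key IDs beginning `AKIA`, GitHub classic tokens beginning `ghp_`) plus a constructed generic rule that flags quoted values assigned to key-like names only when their Shannon entropy suggests real secret material rather than a placeholder. The sample commit content is constructed; none of the values are real credentials.

```python
import math
import re
from collections import Counter

# Detection rules: (name, pattern with the secret in group 1, minimum entropy in bits/char).
# The two prefix formats are public vendor formats; the generic rule is a constructed heuristic.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 0.0),
    ("github_pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"), 0.0),
    (
        "generic_high_entropy_secret",
        re.compile(r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*[\"']([^\"']{16,})[\"']"),
        3.0,
    ),
]

# Constructed sample of committed lines, prefixed with their file path.
SAMPLE_COMMIT = """\
config/settings.py: AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY012345"
config/settings.py: STRIPE_API_KEY = "q7Rk2mX9pL4vN8wZ3tY6bC1dF5gH0jK"
tests/fixtures.py: password = "aaaaaaaaaaaaaaaaaaaa"
README.md: token = "<REDACTED>"
src/auth.py: api_key = os.environ["API_KEY"]
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep a short prefix for triage and mask the rest so the finding itself is safe to log."""
    return secret[:4] + "..." + "*" * max(len(secret) - 4, 0)


def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, rule_name, redacted_match) for each line with a suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern, min_entropy in RULES:
            m = pattern.search(line)
            if m and shannon_entropy(m.group(1)) >= min_entropy:
                findings.append((line_no, name, redact(m.group(1))))
                break  # one finding per line is enough to block the commit
    return findings


if __name__ == "__main__":
    for line_no, rule, shown in scan_text(SAMPLE_COMMIT):
        print(f"line {line_no}: {rule}: {shown}")
```

Run against the sample, the scanner flags the AWS key on line 1 and the high-entropy API key on line 2, while the all-`a` test password, the `<REDACTED>` placeholder and the environment-variable lookup pass. Wired into a pre-commit hook or CI job, the same logic keeps the class of material Dropbox lost out of the repository in the first place; rotating any key that does slip through remains the only real fix once code has been stolen.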