Cyber Security Headlines: Windows Nokoyawa ransomware, LinkedIn pushes verification, Russia’s Ukraine cyberwar

Windows zero-day exploited in Nokoyawa ransomware attacks

Yesterday’s summary of Patch Tuesday included CVE-2023-28252, which has been described as a privilege escalation flaw affecting the Windows Common Log File System (CLFS) driver. According to Kaspersky, a known ransomware cybercrime group has been exploiting this vulnerability to deliver the Nokoyawa ransomware. Nokoyawa is a ransomware family designed to target Windows systems, and emerged in February 2022. Code similarities suggest ties to the Karma and Nemty ransomware families, while attack chain similarities connect it to the notorious Hive operation, disrupted recently by law enforcement. Kaspersky plans on releasing additional information nine days after Patch Tuesday. 

(Security Week)

LinkedIn and Microsoft Entra introduce a new way to verify professional contacts

Microsoft has announced a new verification feature for LinkedIn members, who will be able to verify their place of work with a Microsoft Entra Verified ID credential. This, Microsoft states, will let people be more confident that those they collaborate with are authentic and that the work affiliations on their profiles are accurate. Verified ID is built on open standards for decentralized identity and operates on a “triangle of trust” model involving an issuer (usually an employer), a holder (the individual), and a verifier that can cryptographically confirm that the digital employee ID is genuine and was issued by the workplace the employee claims. The service is currently being field tested, with a full rollout expected at the end of the month.
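The issuer/holder/verifier model described above, reduced to its cryptographic core, as an added example that is not Microsoft's or LinkedIn's code and does not use the Verified ID API: the employer signs a credential with an Ed25519 key, the employee presents it, and a verifier that already trusts the employer's public key checks the signature. The identifiers (`did:example:contoso`, `did:example:alice`), the credential fields and the scenario are constructed for this example; DID resolution and revocation, which a real deployment needs, are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is the claim an employer (issuer) signs for an employee (holder).
// The field names are this example's own, not Verified ID's schema.
type Credential struct {
	Issuer  string `json:"issuer"`  // employer identifier (constructed DID)
	Subject string `json:"subject"` // employee identifier (constructed DID)
	Role    string `json:"role"`
	Issued  string `json:"issued"`
}

// Presentation is what the holder hands to a verifier: the credential plus
// the issuer's signature over its canonical encoding.
type Presentation struct {
	Cred Credential
	Sig  []byte
}

// Issuer holds the employer's signing key; only the public half is shared.
type Issuer struct {
	ID   string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewIssuer(id string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{ID: id, priv: priv, Pub: pub}, nil
}

// canonical produces the exact bytes that are signed and verified.
// encoding/json writes struct fields in declaration order, so it is stable.
func canonical(c Credential) ([]byte, error) {
	return json.Marshal(c)
}

// Issue signs a credential for the holder.
func (i *Issuer) Issue(subject, role, issued string) (Presentation, error) {
	c := Credential{Issuer: i.ID, Subject: subject, Role: role, Issued: issued}
	b, err := canonical(c)
	if err != nil {
		return Presentation{}, err
	}
	return Presentation{Cred: c, Sig: ed25519.Sign(i.priv, b)}, nil
}

// Verifier trusts a set of issuer public keys obtained out of band
// (in a real system, from the issuer's DID document).
type Verifier struct {
	Trusted map[string]ed25519.PublicKey
}

// Verify accepts a presentation only if the named issuer is trusted and its
// signature covers the credential exactly as presented.
func (v *Verifier) Verify(p Presentation) error {
	pub, ok := v.Trusted[p.Cred.Issuer]
	if !ok {
		return fmt.Errorf("unknown issuer %q", p.Cred.Issuer)
	}
	b, err := canonical(p.Cred)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, b, p.Sig) {
		return fmt.Errorf("signature does not match credential")
	}
	return nil
}

// RunScenario walks the three cases a verifier must distinguish: a genuine
// credential, a credential altered after issuance, and one signed by an
// issuer the verifier does not trust. Returns whether each was accepted.
func RunScenario() (genuine, tampered, unknown bool, err error) {
	contoso, err := NewIssuer("did:example:contoso") // constructed employer DID
	if err != nil {
		return
	}
	rogue, err := NewIssuer("did:example:rogue") // constructed untrusted issuer
	if err != nil {
		return
	}
	verifier := &Verifier{Trusted: map[string]ed25519.PublicKey{contoso.ID: contoso.Pub}}

	p, err := contoso.Issue("did:example:alice", "Security Engineer", "2023-04-12")
	if err != nil {
		return
	}
	genuine = verifier.Verify(p) == nil

	forged := p // holder edits the claim after it was signed
	forged.Cred.Role = "Chief Executive Officer"
	tampered = verifier.Verify(forged) == nil

	q, err := rogue.Issue("did:example:alice", "Security Engineer", "2023-04-12")
	if err != nil {
		return
	}
	unknown = verifier.Verify(q) == nil
	return
}

func main() {
	g, t, u, err := RunScenario()
	fmt.Println("genuine accepted:", g, "tampered accepted:", t, "unknown issuer accepted:", u, "err:", err)
}
```

The point the model makes is that the verifier never contacts the issuer at presentation time; trust rests entirely on possessing the issuer's public key and on the signature binding every field, which is why the edited role and the untrusted issuer are both rejected.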

Russia places Ukraine’s internet infrastructure clearly in its sights, both high tech and low

Two reports from Cyberscoop this week reveal two sides of the cyber war that Russia is conducting against Ukraine. One shows how tactics are becoming lower-tech. Whereas in February 2022 Russia disabled the satellite internet provider Viasat with wiper malware, it has now turned to stepping up missile and artillery attacks on Ukraine’s energy infrastructure to cause localized internet outages, according to findings released by Cloudflare. Microsoft’s Digital Threat Analysis Center, however, stated that although it “does not necessarily think that Russia will launch a stream of cyberattacks […] we are currently seeing patterns of targeted threat activity in Ukraine similar to the early days of the invasion.” Clint Watts, general manager of Microsoft’s Digital Threat Analysis Center, told CyberScoop in a statement that “Russian state actors are working to gain accesses in Ukrainian and European networks and refining their malicious toolkits, further suggesting preparations are underway for espionage or destruction.”

(Cyberscoop and Cyberscoop)

Eliminating 2% of exposures could protect 90% of critical assets

Only 2% of all exposures give attackers seamless access to critical assets, while 75% of exposures along attack paths lead to “dead ends.” This is among the findings of the latest report by XM Cyber, which analyzed over 60 million exposures across more than 10 million entities on-premises and in the cloud. “Instead of focusing on a list of 20,000 vulnerabilities to address, focus on identifying the quickest wins in your external-facing infrastructure, then work to reduce the scope of permissions that your user and service accounts have,” said Melissa Bischoping, Tanium’s director of endpoint security research, commenting on the findings. The XM Cyber report comes weeks after a Microsoft paper suggested that just 1% of all cloud permissions are actively used.
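What the XM Cyber findings measure, attack-path reachability from exposures to critical assets, can be shown on a small constructed graph. This is an added example, not XM Cyber's method or data: the asset names, edges and exposure list below are invented, and the graph walk is plain depth-first search over "can move to" edges. It classifies each exposure as either reaching a critical asset or being a dead end, and then finds the single non-critical node whose removal cuts the most live paths, which is the "quickest win" the quoted advice points at.

```go
package main

import (
	"fmt"
	"sort"
)

// Graph maps an asset to the assets an attacker could move to from it.
type Graph map[string][]string

// Constructed environment: four exposures, one critical asset (the domain controller).
var SampleGraph = Graph{
	"e1_vpn_cve":    {"vpn_gw"},
	"vpn_gw":        {"jump_host"},
	"e2_phish_ws01": {"ws01"},
	"ws01":          {"file_srv"},
	"file_srv":      {"jump_host"},
	"jump_host":     {"ad_dc"},
	"e3_open_s3":    {"s3_bucket"}, // bucket is isolated: a dead end
	"e4_old_printer": {"printer"},
	"printer":       {"guest_vlan"}, // guest VLAN leads nowhere sensitive
}
var SampleExposures = []string{"e1_vpn_cve", "e2_phish_ws01", "e3_open_s3", "e4_old_printer"}
var SampleCritical = map[string]bool{"ad_dc": true}

// reachable returns every node reachable from start, treating nodes in
// blocked as removed from the graph.
func reachable(g Graph, start string, blocked map[string]bool) map[string]bool {
	seen := map[string]bool{}
	stack := []string{start}
	for len(stack) > 0 {
		n := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		for _, next := range g[n] {
			if blocked[next] || seen[next] {
				continue
			}
			seen[next] = true
			stack = append(stack, next)
		}
	}
	return seen
}

// Classify splits exposures into those with a path to any critical asset
// (live) and those that lead only to dead ends.
func Classify(g Graph, exposures []string, critical, blocked map[string]bool) (live, dead []string) {
	for _, e := range exposures {
		hit := false
		if !blocked[e] {
			r := reachable(g, e, blocked)
			for c := range critical {
				if r[c] {
					hit = true
					break
				}
			}
		}
		if hit {
			live = append(live, e)
		} else {
			dead = append(dead, e)
		}
	}
	return live, dead
}

// allNodes collects every node that appears as a source or a target.
func allNodes(g Graph) []string {
	set := map[string]bool{}
	for n, edges := range g {
		set[n] = true
		for _, m := range edges {
			set[m] = true
		}
	}
	nodes := make([]string, 0, len(set))
	for n := range set {
		nodes = append(nodes, n)
	}
	sort.Strings(nodes) // deterministic tie-breaking
	return nodes
}

// ChokePoint returns the non-critical node whose removal turns the most live
// exposures into dead ends, and how many it cuts.
func ChokePoint(g Graph, exposures []string, critical map[string]bool) (string, int) {
	baseLive, _ := Classify(g, exposures, critical, nil)
	best, bestCut := "", 0
	for _, n := range allNodes(g) {
		if critical[n] {
			continue // fixing the crown jewel itself is not the goal
		}
		live, _ := Classify(g, exposures, critical, map[string]bool{n: true})
		if cut := len(baseLive) - len(live); cut > bestCut {
			best, bestCut = n, cut
		}
	}
	return best, bestCut
}

func main() {
	live, dead := Classify(SampleGraph, SampleExposures, SampleCritical, nil)
	fmt.Println("live exposures:", live, "dead ends:", dead)
	n, cut := ChokePoint(SampleGraph, SampleExposures, SampleCritical)
	fmt.Printf("best single fix: %s (cuts %d live paths)\n", n, cut)
}
```

On the constructed graph two of the four exposures are dead ends, and hardening the jump host severs every live path; that is the reasoning behind prioritising a handful of choke points over a list of thousands of CVEs.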

(InfoSecurity Magazine)

Thanks to this week’s episode sponsor, AppOmni

Can you name all the third party apps connected to your major SaaS platforms, like Salesforce, Microsoft 365, or Google Workspace? What about the data these apps can access? After all, one compromised 3rd party app could put your entire SaaS ecosystem at risk. With AppOmni, you get visibility to all third party apps and SaaS-to-SaaS connections — including which end users have enabled them, and the level of data access they’ve been granted. Visit today to request a free risk assessment.

Over 40% of cybersecurity teams told to keep breaches confidential

A new report from Bitdefender finds that 42% of the IT/security professionals surveyed said they have been told to keep a breach confidential when they knew it should be reported, and 30% said they have actually kept a breach confidential. The U.S. had the highest rate, with 71% of IT/security professionals being told to keep quiet, followed by the U.K. at 44%, and Italy, Germany, and Spain in the mid-30 percent range. In addition, 52% of global respondents said they have experienced a data breach or data leak in the last 12 months.

(Security Magazine)

SAP fixes two critical bugs

SAP’s April 2023 security updates include a total of 24 notes, 19 of which cover new vulnerabilities. The most critical are CVE-2023-27267, a missing authentication and insufficient input validation flaw in the OSCommand Bridge of SAP Diagnostics Agent, and CVE-2023-28765, affecting SAP BusinessObjects Business Intelligence Platform. The complete list of notes is in the latest security bulletin, and, as always, SAP administrators are urged to apply the available security patches as soon as possible.

(Security Affairs)

Malicious Android apps sold for up to $20,000 on Darknet

Kaspersky describes these findings in an article published on Monday, in which it said its team collected examples from nine different darknet forums where these apps are being sold. “To publish a malicious app, cybercriminals need a Google Play account and a malicious downloader code (Google Play Loader).” Developer accounts can be bought for $60–$200 each, Kaspersky explained. On the other hand, the cost of malicious loaders ranges between $2,000 and $20,000, depending on the complexity of malware and malicious code, as well as additional functions. These tools are usually disguised as cryptocurrency trackers, financial apps, QR-code scanners or dating apps.

(InfoSecurity Magazine)

Minnesota school district cancels classes after alleged cyberattack

A public school system in Rochester, Minnesota announced this past weekend that it was canceling classes for all 42 schools it operates after it was hit by a suspected cyberattack that began late last week. On Friday, Rochester Public Schools released a message explaining that it “discovered irregular activity on its network” and needed to “shut down district-wide internet connection to review and address the issue.” The incident comes weeks after the school district in Minneapolis was hit with a ransomware attack that exposed troves of sensitive student information. It’s not yet clear if the incidents are related.

(The Record)