Costa Rican ransomware rhetoric somehow gets uglier
The Conti ransomware group posted messages on their leak site notifying the Costa Rican government it raised its ransom demands to $20 million worth of cryptocurrency, and threatening to “overthrow” the government of newly elected President Rodrigo Chaves. Conti already leaked 97% of 670GB of data stolen from government agencies, leading the government to declare a state of emergency. Conti’s ransomware attacks have had significant impacts on digital services from the government, leading the Finance Ministry to tell citizens to calculate taxes by hand and pay them at local banks, rather than through an online portal.
DOJ files its first criminal cryptocurrency sanctions case
Late last week a federal judge disclosed that the US Justice Department launched a case against an American citizen accused of transmitting over $10 million in bitcoin to a virtual exchange located in a sanctioned country, either Cuba, Iran, North Korea, Syria or Russia. In a nine-page opinion about accepting the case, U.S. Magistrate Judge Zia M. Faruqui called cryptocurrency’s claim of anonymity a myth, saying the DOJ “can and will criminally prosecute individuals and entities for failure to comply with OFAC’s regulations, including as to virtual currency.” The defendant was not named and the case remains sealed.
(WaPo)
Trying to fix open source supply chain security
After meeting with officials in the Biden administration, the Linux Foundation and Open Source Security Foundation announced plans to invest over $150 million over the next two years to make the open source software supply chain more secure. This comes as part of an overall 10-point plan to boost open source security. A group of tech companies including Amazon, Ericsson, Google, Intel, Microsoft and VMware already pledged $30 million in initial funding. As part of this, Google Cloud said it would launch an Open Source Maintenance Crew, a dedicated team of engineers who will work directly with upstream open source maintainers.
Twitter CEO outlines the platform’s spam calculation
Twitter CEO Parag Agrawal published a Twitter thread explaining why the company has confidence in its estimate that less than 5% of its users were spam accounts. This comes after a Reuters report expressed skepticism of this number, leading Elon Musk to say his acquisition of the company was “on hold.” Agrawal said this estimate relies on private data like IP address, account activity, and browser signatures to help sort accounts that might superficially appear to be spam. He further said the estimate is based on multiple human reviews of thousands of accounts, sampled at random over time from its monetizable daily active users every quarter. The thread further stated Twitter suspends over 500,000 spam accounts daily, usually before they are ever seen by users.
(Twitter)
Big Tech asks SCOTUS to stop Texas content moderation law
The tech industry trade groups NetChoice and the Computer Communications Industry Association appealed to the US Supreme Court for an emergency stay on Texas law HB 20, which created liability for large platforms that moderate content based on “the viewpoint of the user or another person.” This request will be reviewed by Justice Samuel Alito, who can either unilaterally decide on the stay or refer it to the entire court. The law became effective last week after a three-judge federal appeals court panel overturned a previous injunction. The trade groups won an injunction on a similar Florida law on First Amendment grounds.
NSA chief says no backdoors in quantum encryption standards
The National Institute of Standards and Technology has been developing quantum-resistant encryption standards for a while now. In an interview, NSA director of cybersecurity Rob Joyce said “there are no backdoors” being designed into these new standards that could let spies bypass encryption. He did say the NSA is working with NIST to test the various quantum encryption standards still under development, in order to harden them for the overall industry.
CISA warns about installing a Windows update
Late last year, CISA established its Known Exploited Vulnerability Catalog, a list of known software exploits that Federal Civilian Executive Branch agencies are required to patch within three weeks of their being added. However, the agency recently removed the May 2022 Patch Tuesday update from this list, due to Active Directory authentication issues. The complication is that the Windows update patched an actively exploited Windows LSA spoofing zero-day that could force domain controllers to authenticate an attacker remotely. For those who have already installed the update, Microsoft recommends manually mapping certificates to a machine account in Active Directory.
Your should have patched Tuesday update
Now that we’re done talking about updates CISA says not to install, let’s run down some that you should patch. SonicWall released multiple patches for vulnerabilities in its Secure Mobile Access appliances, with one high severity vulnerability open to unauthorized access. Apple released an emergency security update to address a zero-day impacting Macs and Apple Watch devices, involving an out-of-bounds write issue in AppleAVD that could be used to execute arbitrary code. Apple says this may have been actively exploited.






