This week’s Cyber Security Headlines – Week in Review, June 5-9, is hosted by Rich Stroffolino with our guest, Joshua Scott, Head of Security and IT, Postman.
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com.
AI-automated malware campaigns coming soon, says Mikko Hyppönen
Cybersecurity pioneer Mikko Hyppönen began his cybersecurity career 32 years ago at Finnish cybersecurity company F-Secure, two years before Tim Berners-Lee released the world’s first web browser, and is now the chief research officer at WithSecure. In an interview with CSO Online, he states it is “mandatory for the cybersecurity industry to embrace AI technology…It will only be a matter of months before malicious threat actors use widely available AI source code to perfect their techniques for complete automation of malware campaigns.”
US research agency examines cyber psychology to outwit criminal hackers
A new project at the Intelligence Advanced Research Projects Activity — the U.S. intelligence community’s moonshot research division — is trying to better understand hackers’ psychology, discover their blind spots and build software that exploits these deficiencies to improve computer security. “When you look at how attackers gain access, they often take advantage of human limitations and errors, but our defenses don’t do that,” Kimberly Ferguson-Walter, the IARPA program manager overseeing the initiative, told CyberScoop. Dubbed Reimagining Security with Cyberpsychology-Informed Network Defenses or “ReSCIND,” the IARPA initiative is an open competition inviting expert teams to submit proposals for how they would study hackers’ psychological weaknesses and then build software exploiting them.
Clop blamed for MOVEit attack
Microsoft’s Threat Intelligence team attributed the recent attack against the popular managed file transfer platform to the Clop ransomware organization. It found that the zero-day used in the attack followed behavior similar to that observed with Clop in the past. The attacks used a vulnerability to deploy crafted webshells on servers, providing access to files and credentials. Bleeping Computer and various security researchers observed attacks in the wild with this exploit over Memorial Day weekend. No word on any ransom demands yet. Clop previously used vulnerabilities in the Accellion FTA and GoAnywhere MFT.
New ChatGPT attack technique spreads malicious packages
Vulcan Cyber’s Voyager18 research team described the discovery in an advisory published this week. Based on their proof of concept, researcher Bar Lanyado said the team identified a new malicious package spreading technique they called “AI package hallucination.” The technique involves posing a question to ChatGPT, requesting a package to solve a coding problem, and receiving multiple package recommendations, including some not published in legitimate repositories. By publishing their own malicious packages in place of these non-existent ones, attackers can deceive future users who rely on ChatGPT’s recommendations.
(InfoSecurity Magazine and Vulcan Cyber)
Google Workspace gets passkeys
Google added passkey support for Workspace admins, meaning they can now enable users to sign in to either a Workspace or Google Cloud account using a passkey, no password required. By default, Workspace accounts will still require a password. But even when not allowing passkeys as a sign-in, organizations can still enable them for 2FA. Back in December, Google added passkey support in Chrome, and last month it added passkey login support for standard accounts.
1Password launches its public passkey beta
Password manager 1Password has launched its public beta for passkeys, which will allow users to replace passwords with authentication systems built into their devices. 1Password users can now create, store, and share passkeys for supported websites by installing the 1Password beta browser extension for Chrome, Edge, Safari, Firefox, or Brave. Passkeys can only be created for websites and services that have rolled out their own passkey support. 1Password users will be able to vote on which sites and services they’d like to support passkeys. While it won’t guarantee those platforms will integrate passkey support, the hope seems to be that developers will be motivated to add the feature due to popular demand.
Verizon releases its annual Data Breach Investigations Report (DBIR)
On Tuesday, Verizon issued its 2023 Data Breach Investigations Report (DBIR). The report revealed that three-quarters of data breaches over the last year (74%) involved the human element, caused by employees falling for social engineering attacks, making errors, or using their access maliciously. Credentials accounted for 76% of the data compromised in social engineering attacks, followed by internal organizational information (28%) and personal data. Finally, the report noted that ransomware events held steady, accounting for about a quarter of overall incidents; however, the median cost of a ransomware attack doubled since the prior year. Verizon noted that in order to rein in these key trends, organizations need to focus on employee security hygiene, implementing true multifactor authentication, and collaboration across organizations to share threat intelligence.
Google improves brand email authentication
Brand impersonation with email is a tale as old as time. Last month, Google thought it cracked the nut with its Brand Indicators for Message Identification. Effectively, this would provide a blue authentication check mark for brands enrolled in the program.
Security professional Chris Plummer raised alarms that Google’s original approach could be open for abuse, saying it makes users much more likely to act on the content of erroneously verified messages. He cited an email verified as coming from UPS that hit his inbox but was in fact a scam. This pairs with the advice of security researcher Alex Liu, who noted that malicious actors generally adopt these types of new protocols quickly in hopes of slipping through the cracks. In response to Plummer’s findings, Google now requires brands to use more robust DomainKeys Identified Mail authentication standards to qualify for its verification system.
SEC drops cases due to data protection failures
The US Securities and Exchange Commission dismissed 42 cases due to its staff accessing documents intended only for judges. This came after a review that began back in April 2022, when it disclosed two other cases that broke similar legal rules. Due to insufficient safeguards within the agency, staffers could download restricted databases and share access through internal memos. The SEC said it found “no evidence that the control deficiency resulted in harm to any respondent or affected the Commission’s adjudication in any proceeding.”





