Cybersecurity News: UK ransomware reporting, Project Oscar, ransoms spike

In today’s cybersecurity news…

UK mandatory ransomware reporting gets watered-down

As part of the King’s Speech formally opening the Parliament, the UK government announced it would bring forward its Cyber Security and Resilience Bill, which includes mandatory ransomware reporting requirements. Unlike a previous proposal under the Sunak government that would apply across the private sector, this bill would limit reporting requirements to “regulated entities.” The UK’s current Network & Information Systems Regulations carry some mandatory incident reporting but with a high threshold resulting in low reporting numbers. It’s not clear when the bill will be introduced to parliament. 

(The Record)

Google introduces AI agent to look for software bugs

At its Google I/O Bengaluru developer conference, Google announced an open-source platform called Project Oscar that allows developers to create AI monitoring agents that can be used throughout the software development cycle. These agents interact through natural language. Google’s Go group project manager Cameron Balahan said the team has deployed Oscar on the Go programming language project. Project Oscar agents don’t write code but serve to enrich bug reports and interact with people reporting issues to clarify submissions. Google plans to deploy Project Oscar to its other open-source projects. 

(VentureBeat)

Critical infrastructure ransomware costs spike

A new report from Sophos found that the median ransom payment for attacks on critical national infrastructure organizations shot up from $62,500 in 2023 to over $2.5 million in 2024, while the average payment increased 6 times on the year to $3.225 million. Since this data only comes from victims willing to disclose payment details, it doesn’t give a comprehensive picture. Interestingly, IT and telecom victims paid a much lower average of $330,000, compared with lower education and government organizations, which paid an average of $6.6 million. Attacks also showed more signs of sophistication: the share of organizations able to recover within a week fell from 50% to 41% in 2024, while the share taking over a month rose from 36% in 2023 to 55%. 

(The Register)

BadPack APKs hide Android malware

Over the past few years, we’ve highlighted a number of banking trojans that managed to find their way onto the Google Play Store. New research from Palo Alto Networks Unit 42 might shed some light on how they keep cropping up. They released a report on maliciously packaged APK files dubbed “BadPack,” which alter the header information in the compressed application files to prevent reading of the AndroidManifest.xml file, causing errors in downstream static analysis. Unit 42 said in the past year it detected roughly 9,200 BadPack samples in Android apps. The researchers documented a method to reverse the header changes in these APKs so that typical analysis tools can be used. 

(Dark Reading)
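To make the BadPack idea concrete, here is an added example (not Unit 42’s tool or code): it parses a ZIP/APK’s central directory and the local file header of AndroidManifest.xml, reports the fields where the two disagree, and writes the central-directory values back into the local header so tools that trust the local header can read the manifest again. It assumes the tampered fields are the local header’s compression method and sizes (the story does not say which fields BadPack changes), and the sample archive is constructed inline.

```python
import io
import struct
import zipfile

MANIFEST = "AndroidManifest.xml"

def central_directory(data: bytes) -> dict:
    """Map name -> (method, csize, usize, local_header_offset) from the central directory."""
    eocd = data.rfind(b"PK\x05\x06")                       # end-of-central-directory record
    pos = struct.unpack_from("<I", data, eocd + 16)[0]     # offset of the first central header
    entries = {}
    while data[pos:pos + 4] == b"PK\x01\x02":
        method, csize, usize, nlen, elen, clen, lho = struct.unpack_from("<H8xIIHHH8xI", data, pos + 10)
        entries[data[pos + 46:pos + 46 + nlen].decode()] = (method, csize, usize, lho)
        pos += 46 + nlen + elen + clen
    return entries

def local_header(data: bytes, off: int) -> tuple:
    """Return (method, csize, usize) as written in the local file header at `off`."""
    assert data[off:off + 4] == b"PK\x03\x04", "not a local file header"
    return struct.unpack_from("<H8xII", data, off + 8)

def find_mismatches(data: bytes, name: str = MANIFEST) -> dict:
    """Fields where the local header of `name` contradicts the central directory: {field: (local, central)}."""
    method, csize, usize, off = central_directory(data)[name]
    pairs = zip(("method", "compressed_size", "uncompressed_size"), local_header(data, off), (method, csize, usize))
    return {field: (loc, cen) for field, loc, cen in pairs if loc != cen}

def repair(data: bytes, name: str = MANIFEST) -> bytes:
    """Copy the central-directory values back into the local header so streaming parsers agree."""
    method, csize, usize, off = central_directory(data)[name]
    buf = bytearray(data)
    struct.pack_into("<H", buf, off + 8, method)
    struct.pack_into("<II", buf, off + 18, csize, usize)
    return bytes(buf)

def build_sample() -> tuple:
    """Constructed sample (assumed tampering, not a real BadPack file): a tiny APK-like ZIP and a tampered copy."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(MANIFEST, b"<manifest package='example.app'/>" * 4)
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
    clean = mem.getvalue()
    off = central_directory(clean)[MANIFEST][3]
    bad = bytearray(clean)
    struct.pack_into("<H", bad, off + 8, 0)                # local header now claims "stored"
    struct.pack_into("<II", bad, off + 18, 0, 0)           # and zeroed sizes; central directory untouched
    return clean, bytes(bad)
```

Python’s zipfile reads entries from the central directory, so it is not fooled by this kind of local-header edit; streaming readers that trust the local header are the ones that fail, which is why `repair` copies the central values back.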

And now a word from our sponsor, Conveyor

Does the anticipation of the next monster security questionnaire wrecking your day ever make you feel like a balloon floating above a cactus field? If so, you should check out Conveyor.

Conveyor is the market-leader in instant, generative AI answers to entire security questionnaires no matter the format they are in.

Yes, that’s right. Upload any file like Excel, Word docs and even PDFs for instant processing and tackle any portal-based questionnaire with a browser extension that auto-scrolls and fills in answers for you.

Try a free proof of concept today at www.conveyor.com.

North Korean malware comes to Macs

Security researcher Patrick Wardle found an updated variant of the North Korean-linked infostealer BeaverTail that runs on macOS. It came spoofed as a DMG file for the legitimate Miro Talk video calling service. Palo Alto researchers originally found the Windows version of BeaverTail last November, used as part of a campaign targeting software developers with fake job interview requests. BeaverTail collects browser and crypto wallet data and can install a Python backdoor to gain persistence. Wardle said that while these attacks are not very technically sophisticated, the operators often see success with social media lures. 

(The Hacker News)

The GhostEmperor’s new groove

Kaspersky Lab first published details about the Chinese-linked threat group GhostEmperor in 2021. Since then, the group has been quiet. That changed with a new report from Sygnia, which found GhostEmperor attacking one of its clients in late 2023. Sygnia’s director of incident response research Amir Sadon said it went public with details to try to find out whether the group’s dark period was simply from inactivity or from a lack of visibility. GhostEmperor uses a sophisticated kernel-level rootkit, a potential sign of state-sponsored activity. In 2021 it conducted supply-chain attacks against organizations in Southeast Asia. 

(The Record)

A look at NullBulge

The self-described hacktivist group NullBulge made news with its data theft from Disney’s internal Slack channels, which we covered on the show earlier this week. SentinelOne published a profile report on the group, which first emerged in April 2024. On X and 4chan the group purports to “protect artists” against AI and claims not to be motivated by profit. In May, it began supply chain attacks on AI tools, distributing maliciously modified GitHub code for AI tools on Hugging Face and Reddit that ultimately exfiltrates browser logs. NullBulge then sells these logs on illicit forums. The report concludes NullBulge represents a low-skilled English-speaking group, citing its use of Discord webhooks and commodity malware. 

(Infosecurity Magazine)

Kaspersky says thanks for the memories

Ahead of its formal ban on selling software, imposed by the US Commerce Department over concerns that it posed a national security threat, Kaspersky published a farewell note to US customers, thanking them for “choosing and trusting” the company. As a parting gift, the company offered existing customers six months of its security solutions for free, although as the Register noted, it didn’t say what products this included. The company will be formally banned from selling software in the US on July 20th, and prevented from distributing software updates in the US after September 29th, which calendar hawks will note is less than six months out. Don’t be sad that it’s over, Kaspersky, smile because it happened. 

(The Register, Kaspersky)

Yesteryears (DECISION) by Sascha Ende, Free download: https://filmmusic.io/song/244-yesteryears-decision, License (CC BY 4.0): https://filmmusic.io/standard-license

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.