Cybersecurity News – CISA calls for more ransomware reporting, snooping on SOHO routers, SSNDOB taken down

Lack of reporting hurting the ransomware fight

In an interview, CISA’s executive assistant director for cybersecurity, Eric Goldstein, said that the severe lack of ransomware incident reporting to the US government is hampering both its ability to protect organizations and its ability to retaliate proportionately against ransomware gangs. Goldstein makes the case that more consistent and comprehensive reporting would let CISA share indicators of compromise and outline the unique infrastructure characteristics of ransomware families. CISA currently has no accurate picture of the number of ransomware incidents, so it must work from a speculative sample of data that might not reflect what’s actually occurring on the ground.

(The Record)

CISA warns of China-linked network snooping

A joint advisory from the NSA, CISA, and FBI warns that hacking groups with links to China have been exploiting publicly available vulnerabilities in small office and home office routers to gain access to enterprise networks. Once these routers are compromised, the threat actors use them as part of their own attack infrastructure, either as C2 servers or proxy systems. From there, the attackers steal credentials to access SQL databases, using commands to dump credentials from critical Remote Authentication Dial-In User Service (RADIUS) servers, which then let them authenticate further router commands. It’s believed these tactics have been used since 2020. Routers from Cisco, Citrix, Fortinet, Netgear, and QNAP are among those impacted.

(Bleeping Computer)

Personal information marketplace taken down

An operation by the FBI, IRS, Department of Justice and Cyprus Police seized the infrastructure of the SSNDOB marketplace, including four domains, which listed the personal information of roughly 24 million Americans for sale. The analytics company Chainalysis estimates the marketplace received $22 million worth of Bitcoin over 100,000 transactions since April 2015, although the DOJ pegs this at a slightly more modest $19 million. The site had been online since 2013. This comes as US law enforcement has ramped up efforts to shut down dark web markets over the past year.

(TechCrunch)

Cybersecurity job postings surge

According to a new report from CyberSeek, a joint initiative between NIST’s National Initiative for Cybersecurity Education, the analytics firm Emsi Burning Glass, and CompTIA, employers added 714,000 more cybersecurity job postings over the last 12 months compared to the year before, up 40%. Of these new job postings, 40% came in the first four months of 2022, indicating that this surge is particularly recent. Most jobs were in the finance and insurance industries. Senior positions saw particular growth, with IT manager and director listings up 224%, while program manager openings increased 169%. The growth in cybersecurity job listings outpaced demand in the broader labor market, where job listings were up 18%.

(The Record)

Thanks to today’s episode sponsor, PlexTrac

PlexTrac is the platform that empowers your offensive security team to spend more time hacking and less time reporting. Build better reports in half the time, centralize your data, maximize your reusable content, and become more efficient and effective. PlexTrac clients report a “5X ROI in 1 year,” a “30% increase in efficiency,” have “cut their reporting cycle by 65%,” and experienced an “18 to 22% time savings per engagement.”

Check out PlexTrac.com/CISOSeries to learn how PlexTrac can help your team deliver results.

Cyberattack takes Palermo offline

Bleeping Computer reports that the city of Palermo, in Italy’s Sicily and the fifth largest city in the country, has been shut down for three days due to what may be a ransomware attack. While the operators of the Killnet hacking group previously threatened Italy with cyberattacks, the group has typically used DDoS attacks in the past. Palermo’s councilor for innovation said all systems were shut down and isolated from the network, which is behavior consistent with combating ransomware. In the meantime, all of Palermo’s services, including its police, can only be reached by phone or fax. Tourists can’t access online bookings for museums, theaters and other public venues. And no one can acquire traffic zone cards for restricted areas like the city center.

(Bleeping Computer)

Twitter to give Musk firehose access

The Washington Post’s sources say Twitter agreed to give Elon Musk access to the company’s internal firehose of data so that his team can evaluate the presence of bots on the platform. Access could be granted as early as later this week, providing a real-time record of tweets as they are sent, the devices they are sent from, and information on the accounts sending them. Twitter maintains in regulatory filings that bots represent less than 5% of accounts on the platform, but says it is difficult for external parties to validate this figure, as it uses private internal data from its firehose to vet which accounts are bots.

(Protocol, WaPo)

Intel releases security card reference design

At RSA Conference, Intel introduced the NetSec Accelerator Reference Design. This effectively provides a functional x86 compute node on a PCI Express card that can fit into existing servers, using an Intel Atom processor, on-board Ethernet, and up to 32GB of system memory. The card is intended to enable secure access service edge models for cloud access security brokers, secure web gateways, and firewalls. Typically these would run as a containerized or virtualized service on a server, but this card allows for dedicated hardware while still reducing the infrastructure footprint. Intel won’t be making the cards itself, but said it already had OEM commitments from F5 and Silicom to bring products to market.

(The Register)

Cuba ransomware returns

The analysts at Trend Micro report seeing a resurgence in ransomware infections from the Cuba group, which had reached its peak last year, breaching 49 critical infrastructure organizations in the US. Mandiant noted that at the start of 2022 the group seemed to be less active in attacks, experimenting with tactical changes. Since April, the group has listed four victims on its Tor leak site. Trend Micro notes that its encryptor has continued to develop new features, including terminating more processes prior to encryption, among them apps like Outlook, Exchange, and MySQL. This prevents the apps from holding locks on files. The encryptor also appears to be more selective about file types, aimed at keeping a system working well enough to incentivize paying the ransom.

(Bleeping Computer)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.