Ukraine ISP taken down by cyber attack
The attack was described as the most severe since Russia’s invasion of the country, disrupting service nationwide for Ukrtelecom, the country’s largest fixed-line ISP. Service is estimated to be operating at 13% of pre-war levels. At this time it’s unclear whether this is the result of a coordinated DDoS attack or a more sophisticated intrusion. Ukraine’s Computer Emergency Response Team reported last week that telecoms and other tech companies have been hit with four cyber attack campaigns since the start of the invasion, though these mostly focused on information gathering.
(Forbes)
Windows can now block drivers
Windows users can now prevent the installation or operation of drivers with known vulnerabilities through Windows Defender Application Control. This is part of a new Core Isolation security feature set designed for devices with virtualization-based security. The feature is available on Windows 10, Windows 11, and Windows Server 2016 and above. Microsoft will maintain a vulnerable driver blocklist, working with independent hardware vendors and OEMs to keep it up to date. Security researchers can also submit drivers to Microsoft for analysis. Because this feature can potentially stop legitimate programs from working, Microsoft recommends validating the blocked driver policy in audit mode before enforcing it.
Deepfakes take a turn for the banal
An investigation by the Stanford Internet Observatory discovered thousands of fake LinkedIn profiles using AI-generated imagery. The investigation started almost by accident. Researcher Renee DiResta received the dreaded LinkedIn cold-call message that quickly turned into a software pitch for RingCentral. Renee noticed that the profile picture looked slightly off, with one earring, bits of hair disappearing, and eyes too perfectly aligned in the image. This led to an investigation that found a trove of AI-generated profiles. As part of this investigation, NPR found that if someone replies to one of these messages, they are put in contact with a real person. 70 businesses were listed as employers on these profiles, with several saying they had hired outside marketers to help with sales but hadn’t authorized computer-generated images. After being alerted by the researchers, LinkedIn said it investigated and removed accounts that broke its policies on fake profiles.
(NPR)
Biden’s budget calls for increases in cyber spend
The White House’s 2023 fiscal budget proposal called for an 11% increase in spending on cybersecurity, up to $10.9 billion for civilian agencies. The Defense Department would get an additional $11.2 billion for cyber operations. Of this, CISA would receive 96% of the funds earmarked for Homeland Security, with $2.5 billion. The budget would also expand the Cyber Mission Force of DoD’s Cyber Command with five more teams, bringing the total up to 142. The budget also calls for $682 million in cybersecurity aid to Ukraine from the State Department.
Thanks to our episode sponsor, Varonis

Ransomware attacks doubled in 2021
This finding comes from a new analysis by the law firm RPC, which found that the UK’s Information Commissioner’s Office saw ransomware reports increase from 326 in 2020 to 654 in 2021. Finance, insurance and credit, and education and childcare were the industries most frequently hit with attacks. The firm warned that this comes as many organizations will increasingly face a gap in insurance protection for ransomware, as non-specialized insurance increasingly doesn’t cover ransomware at all, while specialist companies reduce coverage and tighten policy requirements.
Emotet returns
Remember back in the heady days of early 2021 when we reported that coordinated efforts by Interpol, Eurojust, and Microsoft took down the Emotet botnet? Well, researchers at Cisco report that Emotet rose from the ashes in November 2021 and has shown increasing activity in early 2022. While the resurgence of Emotet activity happened at almost the same time as the Log4J vulnerability was discovered, there is no evidence they are related, although use of Cobalt Strike is common to both. Cisco recommends blocking emails with suspicious attachments, restricting the use of PowerShell and remote tools, and using 2FA as mitigations against further Emotet activity.
(Cisco)
Lapsus$ shows that not all MFA is created equal
One of the table-stakes recommendations for shoring up security usually involves implementing multifactor authentication. But recent cyber attacks by both Lapsus$ and APTs like Nobelium show that older forms of MFA offer substantially weaker protection. Both used a technique known as MFA prompt bombing to get around these protections, effectively spamming an end user’s legitimate device with push-notification authentication prompts until the user accepted one and gave the attackers access. Researchers note this isn’t a new or novel approach, just an effective one. Using FIDO2-compliant MFA, while not impervious to the approach, would prevent one device from granting access to a different one.
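A defender-side check for the prompt-bombing pattern described above, written as an added example rather than code from the original post: it parses constructed sample push-notification log lines (the log format, user names and event names are assumptions) and flags users who receive a burst of prompts inside a sliding window, noting whether one was eventually approved.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from the page): timestamp, user, event.
# "alice" is flooded with prompts and finally accepts one; "bob" is normal.
SAMPLE_LOG = """\
2022-03-28T08:00:01Z alice push_sent
2022-03-28T08:00:40Z alice push_denied
2022-03-28T08:01:05Z alice push_sent
2022-03-28T08:02:10Z alice push_sent
2022-03-28T08:03:00Z alice push_sent
2022-03-28T08:04:15Z alice push_sent
2022-03-28T08:04:40Z alice push_approved
2022-03-28T09:10:00Z bob push_sent
2022-03-28T09:10:20Z bob push_approved
"""

def parse_log(text):
    """Parse 'timestamp user event' lines into sorted (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event = line.split()
            events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event))
    return sorted(events)

def find_prompt_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Flag users with >= threshold prompts in any sliding window; 'approved' marks an accepted prompt in it."""
    by_user = defaultdict(list)
    for ts, user, event in events:
        by_user[user].append((ts, event))
    findings = {}
    for user, items in by_user.items():
        sent = [ts for ts, ev in items if ev == "push_sent"]
        start = 0
        for end in range(len(sent)):
            # shrink the window from the left until it spans at most `window`
            while sent[end] - sent[start] > window:
                start += 1
            count = end - start + 1
            if count < threshold:
                continue
            lo, hi = sent[start], sent[start] + window
            approved = any(ev == "push_approved" and lo <= ts <= hi for ts, ev in items)
            prev = findings.get(user, {"prompts": 0, "approved": False})
            findings[user] = {"prompts": max(prev["prompts"], count),
                              "approved": prev["approved"] or approved}
    return findings
```

A flagged user with `approved: True` is the case worth paging on, since the flood likely succeeded and the session should be reviewed.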
Google ordered Russian translators not to use “war”
According to emails obtained by The Intercept, Google informed contractors working to translate for the Russian market not to refer to the ongoing conflict in Ukraine as a war, but as “extraordinary circumstances.” This applied to translations of corporate texts and app interfaces. The move was meant to keep Google in line with the recently enacted Russian censorship law. A Google spokesperson said this policy does not apply to information services like Search and YouTube and that “we remain focused on the safety of our local employees. As has been widely reported, current laws restrict communications within Russia.”