Cybersecurity News – Ransomware bug bounty, KillNet hits Lithuania, ICS security bill clears House

Ransomware gang launches bug bounty

Bug bounty programs have become increasingly common among tech companies in recent years, offering monetary rewards to security researchers who disclose vulnerabilities. Now it seems that cybercrime organizations are following suit. With the launch of LockBit 3.0, the ransomware-as-a-service organization also introduced its own bug bounty program, offering rewards between $1000 and $1 million for submitted vulnerabilities, including things like website bugs, locker bugs, and Tor network vulnerabilities. LockBit will also pay bounties for “brilliant ideas” on improving its operation, and its top reward will be for doxxing its affiliate manager, known as LockBitSupp. Needless to say, trusting a criminal enterprise to reliably pay you is dubious at best, and helping them is illegal in many countries.

(Bleeping Computer)

KillNet claims DDoS on Lithuania

The Russian-linked hacking group claimed responsibility for a DDoS attack on the Baltic state earlier this week. It says the action came in response to Lithuania’s decision to block goods sanctioned by the EU from reaching the Russian exclave of Kaliningrad. The group says the attack will continue until the government lifts the blockade. Earlier this month we covered KillNet threats against Italy for similar political reasons.

(Reuters)

ICS security bill passes House

Introduced last month, the Industrial Control Systems Cybersecurity Training Act seeks to amend the Homeland Security Act to authorize CISA to establish free training initiatives on industrial control systems across the industry. This includes virtual and in-person sessions and courses across skill levels. If passed into law, Congress will receive annual reports on courses and industry participants. The bill specifically calls out the threats from Russia-backed actors to ICS as requiring an increased training regimen in both the public and private sectors.

(Security Week)

NIST releases macOS security guidance

The National Institute of Standards and Technology released a final version of its guidance for securing endpoints running macOS. The guidance is derived from the open source macOS Security Compliance Project. NIST, CISA, and other federal agencies hope this guidance will eliminate the need to issue new cybersecurity guidance with each new macOS release, and introduce the work of the Security Compliance Project to a broader audience of organizations. The project’s GitHub page provides secure baselines and rules that can serve as practical, actionable recommendations for properly configuring and managing macOS endpoint device security.

(Security Week)

Thanks to today’s episode sponsor, Optiv

The modern enterprise needs a solution as unique as its business.

Optiv’s Advanced Detection and Response (ADR) works with your organization to comb through the D&R clutter and find the ideal security solutions for your business. ADR delivers tailored detection and response backed by technology, real-time intel and deep expertise applied at touch. Bottom line: ADR finds and neutralizes threats fast, so you can focus on what matters.

If you’d like to learn more about Optiv ADR, please visit Optiv.com/adr.

Carnival fined for data breach

The cruise company agreed to pay a $1.25 million fine as a result of the 2019 breach, which saw information leaked on 180,000 customers and employees in the US. Carnival discovered the breach in May 2019 but did not disclose it until March 2020. The breach exposed names, Social Security numbers, driver’s license numbers, and credit card information, resulting in a lawsuit from 46 attorneys general. As part of the settlement, Carnival also agreed to implement a breach response plan and undergo independent security assessments.

(The Record)

The power of DAOs is surprisingly concentrated

Decentralized autonomous organizations, or DAOs, have been touted by web3 advocates as a way to democratize management of organizations of all sizes, providing voting power on organizational decisions through distributed governance tokens. These tokens can subsequently be traded on a secondary market. As part of its State of Web3 report, Chainalysis found that among ten major DAO tokens, less than 1% of all holders had 90% of voting power. While this certainly affects how much voting power an individual token holder has, it also affects how proposals get made within DAOs to be voted on: Chainalysis found that only between 0.1% and 0.01% of token holders had enough holdings to create a proposal. The report said this concentration of power likely led to the temporary vote on the Solend lending protocol to drain a large whale’s account, something that proved extremely unpopular with the majority of token holders.

(Chainalysis)

Contractor loses a city’s worth of personal data

The Japanese news source NHK reports that an unnamed contractor working to distribute pandemic subsidies in the city of Amagasaki lost a USB stick containing personal information on the city’s 460,000 residents after passing out from a night on the town. This included names, tax details, social security records, and addresses. The data on the stick was encrypted. After the contractor woke up and reported the loss, the USB stick was found, and officials found no evidence that anyone had attempted to access the information.

(The Register)

Sky Mavis to reimburse victims of Ronin bridge hack

Sky Mavis, the developer of the blockchain game Axie Infinity, will start reimbursing victims of the cyber attack that stole $617 million in crypto assets earlier this year. On June 28th, players will be able to withdraw one ether token for each one lost in the attack. Notably, this reimburses users in kind for the ether lost in the hack, not for its value at the time it was stolen. Given the recent drop in crypto prices, this means Sky Mavis will return around $216.5 million worth of crypto to users. The company will also restart the Ronin software bridge that was targeted in the attack. It’s unclear whether the reimbursement will change the game’s fortunes: Bloomberg reports that as of May, daily active users had dropped to a quarter of the 2.7 million peak reached in November 2021.

(Engadget)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.