Cyber Security Headlines Week in Review: Google vishing response, DeepSeek peak week, ransomware victim costs

This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Alexandra Landegger, Global Head of Cyber Strategy & Transformation, RTX

Missed the live show? Check it out on YouTube

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

Google responds to “most sophisticated” voice phishing attack

Last week, Hack Club founder Zach Latta published details about “the most sophisticated phishing attack I’ve ever seen.” Attackers posing as the Google Workspace team called Latta, claiming to be investigating a suspicious login attempt from overseas. The call came from a genuine number associated with Google Assistant, with a caller ID of “Google.” Still suspicious, Latta asked for an authenticated email to confirm the caller’s identity and received one from workspace-noreply@google.com. The attackers appear to have obtained a Workspace g.co subdomain, which they used to create the account that sent Latta the password-reset message. Latta said this method gets around two fundamental best practices for identity verification: checking the caller ID and checking the sender domain of a confirmation email. Google said it found no widespread use of this tactic but has hardened its defenses “against abusers leveraging g.co references at sign-up” going forward.

(The Register)

DeepSeek’s exposed database leaks sensitive data

Researchers from cloud security firm Wiz uncovered an exposed database belonging to China’s new AI tool DeepSeek, which had been leaking sensitive data including chat histories, API keys and backend operational details. The exposed database was a ClickHouse instance, “a column-oriented database management system designed for online analytical processing when handling large volumes of data.” Such a database is meant to be reachable only from inside the organization running it, not from the public internet. DeepSeek has since closed the exposure.

(InfoSecurity Magazine)

Most ransomware victims shut down operations

A new report from the Ponemon Institute found that 58% of organizations hit by ransomware last year were forced to shut down operations as part of their recovery process, up from 45% of victims in 2021. Over the same span, the share of organizations reporting significant revenue loss from an attack rose from 22% to 40%, while the share reporting brand damage jumped from 21% to 35%. While those metrics are trending in the wrong direction, the report also found that the average time to recover from ransomware decreased 30% to 132 hours, while the average recovery cost fell 13%. Of the respondents, 51% paid a ransom, and 32% of those who paid said the attackers then demanded a further payment.

(Infosecurity Magazine)

Edge rolls out scareware protections

Ever visit a website that immediately displays a pop-up claiming it detected a virus and offering a download of free antivirus software? Then you’re familiar with scareware. The latest preview of Microsoft’s Edge browser introduces a new opt-in Scareware blocker feature, which uses locally running computer vision to compare what a page displays against known scareware pages. If it detects a malicious site, it automatically exits fullscreen mode, stops any audio from the page, and gives users the option to report the site to Microsoft. Windows already offers some scareware protection through Defender SmartScreen, but that only catches sites that have already been flagged.

(ZDNet)

Huge thanks to our sponsor, Conveyor

Let me guess, another security questionnaire just landed in your inbox. Which means all the follow-up tasks you don’t have time for are close behind.

What are you going to do? Here’s a better question: what would Sue do?

Sue is Conveyor’s new AI Agent for Customer Trust. She handles the entire security review process: answering every customer request from sales, completing every questionnaire, and executing every communication and coordination task in between.

No more manual work. Just a quick review when she’s done.

Ready to let Sue take the reins? Learn more at www.conveyor.com.

North Koreans clone open-source projects to plant backdoors, steal credentials

North Korea’s Lazarus Group carried out a large-scale supply chain attack, dubbed Phantom Circuit, compromising hundreds of victims by embedding backdoors in cloned open-source software, according to SecurityScorecard’s latest report. The campaign began in late 2024 and targeted cryptocurrency developers and tech professionals by distributing malware-laced repositories on platforms like GitLab. Stolen data included credentials, authentication tokens, and system information, with the attackers relying on obfuscation techniques and VPNs to cover their activity.

(The Register)

Oasis Security Research Team Discovers Microsoft Azure MFA Bypass

Oasis Security discovered a critical vulnerability in Microsoft’s Multi-Factor Authentication (MFA) that allowed attackers to bypass it and gain unauthorized access to Office 365 accounts, including Outlook, OneDrive, and Azure. The flaw lay in how sessions were created combined with the tolerance window for TOTP codes, which let attackers brute-force MFA codes undetected within 70 minutes. Oasis reported the issue to Microsoft, which implemented a stricter rate limit, permanently fixing the vulnerability by October 2024. The research highlights the importance of strong MFA implementations and of alerting on failed second-factor attempts.
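As an added illustration of that last point (this is not code from Oasis, Microsoft or the original post), the following minimal TOTP verifier bounds the code tolerance window, spends a per-account budget of failed second-factor attempts, and emits an alert record once the budget is exhausted; the secret, thresholds and account names are constructed for the demo.

```python
import hmac
import hashlib
import struct
from collections import defaultdict

TOTP_STEP = 30  # seconds per TOTP window (RFC 6238 default)


def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the window containing Unix time t."""
    counter = struct.pack(">Q", t // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class SecondFactorGuard:
    """Verifies TOTP codes with a bounded tolerance window and a per-account
    failure budget; once the budget is spent the account is locked for
    `lockout` seconds and an alert record is emitted for the SOC queue."""

    def __init__(self, tolerance_steps=1, max_failures=10, lockout=900):
        self.tolerance_steps = tolerance_steps
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = defaultdict(list)  # account -> failure timestamps
        self.alerts = []                   # (account, timestamp, failures)

    def verify(self, account: str, secret: bytes, code: str, now: int) -> str:
        # Keep only failures inside the lockout window, then check the budget
        # before comparing anything, so a locked account rejects even a
        # correct code and the response leaks nothing about it.
        recent = [ts for ts in self.failures[account] if now - ts < self.lockout]
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            return "locked"
        # Every extra tolerance step adds one more accepted code per attempt,
        # so keep the window small; compare in constant time.
        for k in range(-self.tolerance_steps, self.tolerance_steps + 1):
            if hmac.compare_digest(totp(secret, now + k * TOTP_STEP), code):
                recent.clear()  # success resets the budget (same list object)
                return "ok"
        recent.append(now)
        if len(recent) == self.max_failures:
            self.alerts.append((account, now, len(recent)))
        return "fail"
```

The alert record is what a detection pipeline would forward; the lockout also bounds how many guesses an attacker gets per window regardless of how many sessions they open.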

(Cloud Security Alliance)

DARPA seeks to create firmware that can respond and recover from cyberattacks

Red-C is a new project from the Defense Advanced Research Projects Agency that seeks to give networks the ability to repair themselves after a cyberattack. As described in Cyberscoop, “the forensic sensors in your device’s firmware spring to life. They begin healing your network, restoring locked files, and communicating with other systems to collect forensic data. The firmware then analyzes the data to identify how the attackers entered and exploited system weaknesses, then blocks those vulnerabilities to prevent future breaches through the same entry points.” The project “seeks to build new defenses into bus-based computer systems, which are firmware-level systems used in everything from personal computers to weapons systems to vehicles.” A more complete description of the project is available in the show notes to this episode.

(Cyberscoop)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.