Cybersecurity News – Week in Review – June 13-17, 2022

This week’s Cyber Security Headlines – Week in Review, June 6-10, is hosted by Rich Stroffolino with our guest, Ariel Weintraub, CISO, MassMutual

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

Exchange servers used to deploy BlackCat

Microsoft reported that it has observed at least one threat actor successfully infiltrating a network through an unpatched Exchange server and exfiltrating information in a typical double-extortion ransomware scheme. Two weeks after the initial compromise, the actor used that same server to launch BlackCat ransomware payloads across the entire network. Microsoft’s Threat Intelligence Team said that while remote desktop and compromised credentials are typical vectors for ransomware, Exchange servers are increasingly being used by attackers. It is unclear which Exchange exploit was used or which ransomware affiliate carried out the attack Microsoft described.

(Bleeping Computer)

US defense contractor discusses takeover of NSO hacking technology

L3Harris, a US defense contractor, is negotiating with NSO Group to potentially acquire its controversial Pegasus surveillance technology. The deal would also potentially include NSO transferring personnel to L3Harris. Both US and Israeli governments would need to approve the deal, which could prove challenging since the Biden administration blacklisted NSO last year. A senior White House official said: “Such a transaction, if it were to take place, raises serious counterintelligence and security concerns for the US government.”

(The Guardian)

Attack on Kaiser Permanente exposes data of thousands of customers

Kaiser Permanente has warned that threat actors may have stolen sensitive personally identifiable information (PII) of nearly 70,000 customers. The not-for-profit healthcare provider claims to have terminated the unauthorized access just hours after the hack began. Kaiser Permanente reset the password of the employee account that was used in the breach and provided the employee with additional security training. While patient names and medical records were potentially accessed, the company believes that Social Security numbers (SSNs) and credit card information were not exposed.

(Infosecurity Magazine)

Thanks to today’s episode sponsor, Datadog

Check out Datadog’s on-demand fireside chat with CTO Cormac Brady. Over the course of his 20+ year career at Thomson Reuters, Cormac consistently built bridges between technical teams—and in the process helped teams achieve superior results and earned himself senior leadership positions. Watch now at datadoghq.com/ciso/

Ransomware decryptors now for sale on gaming platform

Last Thursday, researchers identified threat actors selling a decryptor for a new ransomware on the Roblox gaming platform, priced in the service’s in-game currency, Robux. The ransomware, referred to as ‘WannaFriendMe’, impersonates the notorious Ryuk ransomware but is actually a variant of a strain called Chaos, a do-it-yourself ransomware builder for wannabe criminals. The decryptor is being sold for around 1,500 Robux by a user named iRazormind, but only smaller files can be recovered, because WannaFriendMe deletes files larger than 2 MB.

(IT Security Guru)

Security leaders rank cyber priorities for 2022

Forgepoint Capital surveyed US security and technology executives to determine C-suite cybersecurity priorities for the remainder of 2022. Three-quarters of respondents indicated they expect security budgets to increase in 2022 with a focus on a combination of traditional and new security controls. Top initiatives included securing cloud infrastructure and application programming interfaces (APIs) (62%), DevSecOps (54%), identity management (41%) and data management (40%). Respondents from small and medium-sized businesses also indicated they are prioritizing addressing supply chain risk, social engineering awareness and talent development.

(Security Magazine)

Ransomware gang creates site for victims to search for their stolen data

On Tuesday, the ALPHV/BlackCat ransomware operation began releasing sensitive data that it claims was stolen from guests and over 1,500 employees of a hotel and spa in Oregon. The ransomware gang took its tactics to a new level by creating a dedicated website that allows victims (and anyone else) to check whether their data was stolen. The gang says it will only remove data from the site once it receives a ransom payment from the victims. Emsisoft security analyst Brett Callow said, “While it’s an innovative approach, it remains to be seen whether the strategy will be successful – and, of course, that will determine whether it becomes more commonplace.”

(Bleeping Computer)

Cloudflare repels another record DDoS

Cloudflare mitigated a distributed denial-of-service (DDoS) attack with a record peak of 26 million requests per second. This attack was 51% larger than the previous record, set back in August. What makes this attack unique is its scale. Usually, huge DDoS attacks rely on up to hundreds of thousands of low-power IoT devices. This attack, however, originated from seemingly hijacked servers belonging to cloud service providers, using a much smaller botnet of just over 5,000 devices. The DDoS attack targeted a customer on Cloudflare’s Free tier.

(Bleeping Computer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.