Microsoft was hit again by the Nobelium hackers, the same group that hit SolarWinds, having gotten in through a customer service agent’s machine. The hackers used the access for specific, highly targeted attacks on specific Microsoft customers. The company has also confirmed that it did sign a malicious driver, which is being distributed in gaming environments. Called Netfilter, it’s a rootkit rather than a driver. The company was also hit by a dependency hijacking attack – this time by an ethical hacker.
Also on the target list – NFC readers used in many modern ATMs and point of sale systems. Easy to execute, the attacks allow crashes, locking down in a ransomware attack, and even loss of credit card data to the hacker.
In case you missed it, Western Digital MyBook Live devices were mass deleted by hackers last week. Their firmware hadn’t gotten updates since 2015. It’s also been revealed that Denmark’s central bank was exposed in the SolarWinds hack, leaving a backdoor to its network open for seven months.
Google has released a vulnerability interchange scheme for describing vulnerabilities across open-source ecosystems. Designed to help with information sharing, it’s built on top of their work on the Open Source Vulnerabilities database.
Cybersecurity literacy is being discussed in Congress – a bipartisan group has introduced legislation to establish a public awareness campaign. That is likely money well spent – in a survey of 2,000 professionals last month, almost 25% of them had not heard about the ransomware attack on Colonial Pipeline.
The Department of Energy has asked Congress for enhancements to its own cybersecurity too, to the tune of two hundred and one million dollars. Secretary of State Antony Blinken has vowed a US response if Moscow targeted the US with a cyber attack, in an interview with an Italian newspaper.
McAfee’s Threats Report shows a shift from mass-spread ransomware attacks to more customized, Ransomware-as-a-Service attacks, specifically against larger, more lucrative organizations. Verizon’s research adds some additional color: 85% of breaches involve a human element, and 80% are discovered by a third party. Small companies are catching up to their bigger companions – while last year small companies accounted for less than half the breaches of larger ones, now it’s nearing parity.
The good news is that bug bounties are also up – GitHub paid out 1.5 million dollars in 2020, its biggest year yet.
The criminals are reorganizing too – since the ban of ransomware topics on two Russian cybercrime forums, some operators are shifting to new recruitment tactics, including new websites and marketing claims. Others are operating via referral networking to grow, per reporting by Bleeping Computer.
As for cyber insurance, there’s research saying it may be making things worse. In a paper from the defense think tank Royal United Services Institute, paying ransoms not only encourages more cyber criminals and more attacks, funding them to continue operations, but also is an existential threat for the insurers.
“To date, cyber insurance has failed to live up to expectations that it may act as a tool for improving organizations’ cybersecurity practices,” RUSI said. And it warned: “Cyber insurers may be unintentionally facilitating the behavior of cyber criminals by contributing to the growth of targeted ransomware operations.”
The paper suggests that insurance should require ‘minimum ransomware controls’ as part of any ransomware coverage.
Why do we care?
Connect something to the internet and it’s going to be exposed. Savvy providers are going to be tracking the install dates of devices, as well as working with customers on life cycle management.
Now to the bigger issue – the insurance industry is wising up fast to its struggles, and it is going to be imposing much tighter control in the not too distant future. Its minimum ransomware controls are going to be imposed on IT services companies unless they advocate for themselves – and don’t wait on the security vendors to do it, because their motivation will be to get their product included, not to focus on the people problem. String those stats together: people are involved in 85% of breaches, and 25% of professionals didn’t even know about Colonial Pipeline. You wonder why customers don’t purchase products… this isn’t strictly a product problem. Air cover in the form of literacy efforts from the government should be welcome here.
Don’t think using the same words again will do it – the message isn’t working. So change it – as we learned last week from Microsoft, changing the wording to “eliminate passwords” caused a culture shift over multi-factor authentication versus advocating for policy.
As conditions on the ground continue to change… and worsen… I’d expect your approach to do the same too.