Read a curated collection of stories about cybersecurity news and trends from major outlets, trade journals, and infosec bloggers.
We found another crop of articles for SonicWall news, with one from Financial Times that reasons the best defense can be identifying vulnerabilities and “blocking digital assault pathways.” In another article, Insurance Business America wonders how small businesses can protect themselves from cyber threats. Both use SonicWall’s 2022 Cyber Threat Report and are good reads for anyone tracking solid ideas and solutions. It was another week of dizzying details from Industry News, starting with a story from Politico about why politicians’ phones are getting hacked. Next is a story from Krebs on Security, with additional information from Dark Reading, about the pawn game between Costa Rica, Hive, Conti, and US sanctions. Then a story from CNN detailing a confession from US Cyber Command: yes, they have been hacking Russian assets. Another story, reported by The Verge and TechCrunch, is about Chinese hackers exploiting a new Microsoft vulnerability. Finally, from Bleeping Computer, a story about a ransomware group that’s added a new twist: they’re going public by putting the ransom note on your website.
As always, click through to the links in the headlines to see the full stories from our sources. And remember, cybersecurity is everyone’s business. Be safe!
IT Reseller (Deut), SonicWall in the News: Cybersecurity specialist SonicWall has honored its most important partners and distributors of 2021. The SonicWall FY2022 Security Awards are awarded to one partner per region and, according to the manufacturer, are based on various factors such as annual sales, portfolio distribution, online activities, project success rate, certification level, the degree of commitment and feedback from their team.
IT Supply Chain (UK), Bill Conner quote: It’s an arms race, because as good as we’ve gotten, the bad guys have gotten even better and more efficient in their threats, actually moving at a faster pace than we can defend right now. The bad guys have gotten more sophisticated tools that enable smarter ways to store stock – for example in the cloud and around the world in multiple places.
CXOToday, Threat Report Mention: SonicWall today announced that the company has been awarded several prestigious awards on top of its growing list of accolades. SonicWall’s consistent track record and recognition by cybersecurity industry experts over the last few years is a testament to the vision, commitment and innovative spirit of its employees, leaders and partners to continuously deliver value to customers by way of optimizing business efficiencies and enhancing security.
Financial Times, Threat Report Mention: Companies in all industries have been targeted. Data from SonicWall show a 105 per cent rise in ransomware attacks in 2021.
RCN Radio (Colombia), Threat Report mention: According to SonicWall’s 2022 Cyber Threat Report, in 2021 there were more than 623 million ransomware attacks worldwide. And Colombia, with more than 11 million threats detected in that year, is in the top 10 of the most attacked countries worldwide.
Meteoric Rise: Triangle Cybersecurity Startup JupiterOne Reaches ‘Unicorn’ Status With $70M Cash Injection
WRAL.com, Threat Report Mention: Governments worldwide saw a 1,885% increase in ransomware attacks in 2021, according to the 2022 Cyber Threat Report recently released by SonicWall, an internet cybersecurity company. Ransomware also rose 104% in North America, just under the 105% average increase worldwide, according to the report.
Security Brief (Asia), SonicWall in the News: Ken joins us today to discuss SonicWall’s recent ICSA certification and the threat detection research currently taking place.
Insurance Business America, Threat Report Mention: Separate data gathered by cybersecurity firm SonicWall has shown that there were almost 421.5 million ransomware attempts against US businesses in 2021 – a figure that dwarfed that of second-placer Germany, which registered about 34.3 million hits.
Politico: Government officials all over the globe are facing a hard truth: They will have to accept spyware infecting their devices because they don’t want to ban the technology.
Numerous government officials have had their phones hacked over the past few years. These include Spanish Prime Minister Pedro Sanchez, French President Emmanuel Macron, staffers for British Prime Minister Boris Johnson, the EU’s justice commissioner, and at least nine US diplomats.
Here’s the truth: many governments use the same spyware that is used against them. The tool of choice is Pegasus, software made by the Israeli company NSO Group. Pegasus has proven effective in pursuing terrorists planning attacks and pedophiles. Investigators have used tools like Pegasus to catch highly sought criminals such as the well-known drug lord Joaquin “El Chapo.”
Pegasus can infect the target’s device and allow government agencies or organizations to access personal information, including (but not limited to) turning on microphones and cameras. As a result, anti-spyware activists have asked governments to ban spyware companies or at the very least regulate them. The United Nations Human Rights Office also called for governments to regulate the sale and use of spyware technology last year.
There are no international agreements restricting spyware. Even governments that ban Pegasus face the problem of other, less visible and more regulated spyware companies. As a result, officials are forced to use low-tech methods of protection with varying degrees of effectiveness.
And on it goes.
Krebs on Security: The Russian ransomware group Hive hacked Costa Rica’s national healthcare system earlier this week. This intrusion occurred just weeks after Rodrigo Chaves, the Costa Rican president, declared a state of emergency to address a ransomware attack by Conti. Cybersecurity experts say there are good reasons to believe that the same cybercriminals are behind both attacks. Apparently, Hive helped Conti rebrand and avoid international sanctions designed to target ransomware payments to Russian hacker gangs.
Local media reported the Costa Rican Social Security Fund (CCSS) as being taken offline on May 31. However, the extent of the breach is still unknown. The CCSS oversees Costa Rica’s public healthcare sector. Worker and employer contributions are required by law.
The Dark Reading newsletter reports that ransomware hackers sanctioned in the United States have learned how to rebrand their software and avoid the sanctions. This is a strategy to make victims pay more, since paying a sanctioned group is itself illegal. Example: The Evil Corp gang was already subject to sanctions when the Department announced that it was responsible in part for a ransomware strain called WastedLocker. Evil Corp quickly stopped using the WastedLocker software and created variants with different names and graphics. These ransomware variants were among the most popular of the last two years. However, it was not always clear whether Evil Corp was behind them.
The Jerusalem Post: Microsoft’s Threat Intelligence Centre (MSTIC) detected that an Iran-linked hacking group was using the OneDrive cloud storage platform for command and control (C2) purposes. The hacking group was identified as “Polonium” and found to be targeting more than 20 Israeli companies and one intergovernmental organization with operations in Lebanon.
MSTIC assessed the group’s location and observed them creating and using legitimate OneDrive accounts, then utilizing those accounts to execute part of their attack operation.
Microsoft noted that the activity does not represent a vulnerability or cybersecurity issue on the OneDrive platform. However, Microsoft added that it has deployed security intelligence updates that will “quarantine” tools developed by Polonium operators. The story goes on to report that as part of their enforcement process, MSTIC suspended more than 20 malicious OneDrive applications.
CNN: The US Cyber Command made a rare public acknowledgment about hacking operations often shrouded in mystery. The hacking unit of the US military conducted cyber operations to support Ukraine in its defense against Russia’s invasion. Cyber Command admitted that they had conducted operations across all facets of the spectrum, including offensive, defensive and information operations.
This disclosure highlights how crucial projecting cyber power – to support Ukraine’s defenses and possibly deter Russia from conducting cyberattacks on US infrastructure – is to the Biden administration. This admission suggests that the Biden administration is comfortable in cyberspace and can counter Russia without fear of escalation. So long as the US and its allies don’t attack Russia, President Joe Biden has promised not to engage with Russia militarily in the Ukraine war.
This is the fullest example of foreign relations brinksmanship.
Washington Post: The US government and American cybersecurity firms have long claimed that China is responsible for brazen hacks that made off with troves of sensitive documents. Chinese officials denied the allegations and repeatedly accused the US of cyber-espionage without providing any evidence. In February, a well-connected Chinese cybersecurity company made public what it claimed to be a US National Security Agency campaign targeting computers in 45 countries and areas, including China. At the time, US officials did not respond to inquiries for comment.
This disclosure suggests that China takes a firmer stance against foreign hacking attempts. It also revealed the increasing influence of Qi An Xin Technology Group Inc., a Chinese technology company established in 2014 with ambitions to become a global cybersecurity leader.
The company’s headquarters are located a 10-minute drive from the Forbidden City. It has been part of a three-year plan to grow China’s cybersecurity sector to more than 250 billion yuan ($39.3B) by 2023. This plan involves increasing investment in the industry and simplifying regulation.
The Verge: According to threat analysis research by security firm Proofpoint, hackers are already exploiting a newly discovered Microsoft Office vulnerability.
TechCrunch also shared details about how a hacker group called TA413 used the “Follina” vulnerability to create malicious Word documents that purportedly were sent from the Central Tibetan Administration, the Tibetan government in exile in Dharamsala, India. The TA413 APT (“advanced persistent threat”) actor is believed to be connected to the Chinese government and has previously targeted the Tibetan exile community.
On May 27, Nao Sec, a security research group, first highlighted Microsoft Word’s vulnerability. They took to Twitter to share a sample they had submitted to the online malware scanner VirusTotal. Nao Sec reported that hackers delivered the malicious code via Microsoft Word documents. The files then executed PowerShell commands, a powerful tool for Windows system administration.
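A defender reading the Nao Sec summary above will want a way to triage incoming Word documents for the kind of out-of-package reference that a weaponized file relies on. The following is an added example written for this roundup; it is not code from Nao Sec, Proofpoint, Microsoft or SonicWall. A .docx is a zip archive whose `.rels` parts declare relationships, and benign documents rarely declare external (`TargetMode="External"`) relationships other than hyperlinks and linked images. The heuristic of flagging every other external relationship (for example an `oleObject` pointing at a remote URL) is my own generalization and is a triage signal to review, not a verdict; the sample documents, the `example.invalid` URL and the function names are all constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by every OOXML relationships part (e.g. word/_rels/document.xml.rels).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# External relationship types that ordinary documents legitimately use.
# Anything else resolved outside the package is unusual enough to look at.
BENIGN_EXTERNAL_TYPES = {"hyperlink", "image"}


def external_relationships(docx_bytes):
    """Return (rels_part, short_type, target) for every relationship whose
    TargetMode is External, i.e. a reference Word resolves outside the .docx."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, short_type, rel.get("Target", "")))
    return found


def triage(docx_bytes):
    """Keep only external relationships that are not plain hyperlinks or linked
    images. An external oleObject is the classic shape worth an analyst's look."""
    return [r for r in external_relationships(docx_bytes)
            if r[1] not in BENIGN_EXTERNAL_TYPES]


def build_sample_docx(document_rels_xml):
    """Assemble a minimal .docx in memory. Constructed test data only: the
    document body is an empty paragraph; only the relationships part varies."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>'
    )
    root_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/>'
        '</Relationships>'
    )
    document_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p/></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", root_rels)
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", document_rels_xml)
    return buf.getvalue()


# Constructed relationships parts: a normal hyperlink vs. an embedded object
# whose content is fetched from a remote location when the document opens.
BENIGN_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId2" Type="{OFFICE_REL}/hyperlink" '
    'Target="https://example.invalid/report" TargetMode="External"/>'
    '</Relationships>'
)
SUSPICIOUS_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId2" Type="{OFFICE_REL}/oleObject" '
    'Target="http://example.invalid/loader.html" TargetMode="External"/>'
    '</Relationships>'
)

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        hits = triage(build_sample_docx(rels))
        print(f"{label}: {len(hits)} external relationship(s) to review")
        for part, rtype, target in hits:
            print(f"  {part}: {rtype} -> {target}")
```

Run it on a real mailbox quarantine by replacing the constructed samples with the bytes of each attachment; anything `triage()` returns deserves a look before the file is released, and the `.rels` part name tells you whether the reference lives in the main body, a header, or an embedded part.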
Chinese hackers have used security holes in the software to target Tibetans over the years. Citizen Lab published a report in 2019 that documented widespread targeting of Tibetan politicians with spyware. This included Android browser exploits as well as malicious links sent via WhatsApp. Proofpoint analysis has shown that browser extensions also spy on Tibetan activists.
Bleeping Computer: Ransomware gangs are taking extortion to new heights by hacking corporate websites and publicly displaying ransom notes.
Reporters identify Industrial Spy as the extortion gang behind this new strategy. The group follows the usual playbook: breach networks, steal data, and deploy ransomware on devices. The threat actors then threaten to sell the stolen data on their Tor marketplace if a ransom is not paid. In one case, the group is now selling data it claims was stolen from a French company called SATT Sud-Est for $500,000 USD.
The new twist is that the group also hacked into the company’s website and defaced the home page with a message warning that 200GB of data had been stolen. If the victim doesn’t pay the ransom, the attackers are ready to sell the data, and the public defacement adds pressure for good measure.
In Case You Missed It
SonicWall CEO Bill Conner Selected as SC Media Excellence Award Finalist – Bret Fitzgerald
Cybersecurity in the Fifth Industrial Revolution – Ray Wyman
Enjoy the Speed and Safety of TLS 1.3 Support – Amber Wolff
Four Cybersecurity Actions to Lock it All Down – Ray Wyman
Understanding the MITRE ATT&CK Framework and Evaluations – Part 2 – Suroop Chandran
NSv Virtual Firewall: Tested and Certified in AWS Public Cloud – Ajay Uggirala
CRN Honors SonicWall With 5-Star Rating in 2022 Partner Program Guide – Bret Fitzgerald
Cyberattacks on Government Skyrocketed in 2021 – Amber Wolff
Third-Party ICSA Testing – Perfect Score Number 4 – Kayvon Sadeghi
Ransomware is Everywhere – Amber Wolff
Shields Up: Preparing for Cyberattacks During Ukraine Crisis – Aria Eslambolchizadeh