Cyber Security News

Why track cyber security news? Cyber security is a world unto itself. It’s a profession, an IT discipline and now a major industry. Companies, consumers and governments are spending billions of dollars a year on cyber security. Security also pervades many areas of life that have little to do, seemingly, with cyberspace. Thus, to keep up with the world in general, it’s helpful to stay aware of news that relates to cyber security.

For example, the dispute between the US government and Huawei is at once about international trade, national security, telecom industry competition… and cybersecurity. Security is a root issue with Huawei, given the suspicions about the company’s connections to the Chinese Communist Party (CCP). However, the company’s size, reach and technological innovation push the matter to the forefront of US-China relations.

Or, take consumer cyber risks. We cover cyber security news that deals with consumers’ exposure to cybercrime and fraud. Consumers are increasingly at risk for identity theft, credit card fraud and other malfeasance at the hands of cyber criminals. The articles we curate on this subject come from law enforcement publications, mainstream media and specialized blogs.

Public policy is now being influenced (or should be) by cyber security news. Policy makers should be aware of how cyber security affects their jobs and their constituents’ lives. For instance, the “smart city” is both an innovation and a threat. Using IoT sensors and advanced data analytics to improve municipal services is a great idea. However, the smart city also exposes government data to breach.

This is particularly urgent given the relatively insecure technologies (e.g. Chinese-made sensors) used for the smart city and the wireless connectivity that makes it all possible. Add malicious nation-state actors to the mix, such as the ones currently paralyzing American cities with ransomware, and one can see the potential danger.

News Insights: News Corp Victim of Cyberattack

News Corp was the recent victim of a cyberattack, with intruders breaking into email accounts and compromising the data of journalists. The main suspect is a group of Chinese hackers.

News Insights:

According to new analysis from Ric Longenecker, CISO at Open Systems: “China being suspected of the attack on News Corp serves as an example of what enterprises should be wary of with foreign tensions being high. Businesses and government agencies need to heed the recent warnings from the U.S. Department of Homeland Security and take proper precautions. It is of paramount importance that organizations execute mature, repeatable security missions to protect assets in real time, leveling up security posture for tomorrow. Even more important in a situation developing as quickly as this one is having a global team of security analysts who are monitoring for threats around the clock and ensuring a minimal attack surface.”

Toby Lewis, Global Head of Threat Analysis at Darktrace: “Groups associated with the Chinese gov have long been accused of targeting journalists – often those that report on human rights. However, from my experience, when attacks against media corps are purely for espionage purposes, the real target is not the journalist but their in-country sources.

News Corp have referred to this as a ‘persistent’ nation state attack – a term used in the industry to describe attacks where hackers have very specific objectives. Targets will be hit by low and slow attacks and if the attackers fail to gain access with one method, they will reattempt access until they are successful. The problem is the methods used by these groups are always changing. Traditional defenses that have been used by many media corporations, newspapers, online magazines and broadcasters for the last 20 years can only stop known attacks – attack techniques that have been seen before.

The reality is that media corporations will be under constant attack from the most sophisticated attackers every minute or every day. Reliable and trustworthy sources of media and information are essential and that is why we have seen an uptick in media organizations partnering with artificial intelligence to defend journalists and critical systems. The urgent challenge to be tackled is how to spot, and stop novel attacks quickly before sensitive data gets into the wrong hands and before normal business operations are disrupted.”

Policy Insights: IRS’s plan to use facial recognition on millions of Americans

To address privacy and security concerns related to the IRS’s plan to use facial recognition on millions of Americans who use the agency’s website, lawmakers urged the agency to reverse its decision and halt its work with facial-recognition identity verification provider ID.me.

https://lieu.house.gov/media-center/press-releases/reps-lieu-eshoo-jayapal-and-clarke-urge-irs-halt-plan-use-facial.


Policy Insights:


Lecio DePaula Jr., VP of Data Protection, at KnowBe4:

“Requiring American citizens to submit a government issued ID as well as a video to verify to the IRS portal is extremely privacy intrusive as that data would then be stored and processed by the third party contractor — which may be using data for a variety of other purposes (potentially sharing to law enforcement). This is one of those cases where the ends do not justify the means. The portal can be just as secure by leveraging strong password requirements as well as two-factor authentication for the end users, which is a much more inexpensive, less intrusive and unbiased way to secure the portal without needing to leverage a third party. I hope the portal begins to head in the right direction because once one government agency adopts a standard, others begin to follow. If the United States had a robust privacy law which protected the biometric information of individuals, that would be a different situation. However, without any protection for the data of American citizens, adopting this technology at this scale would be privacy malpractice.”


Tim Erlin, VP of Strategy, at Tripwire:

“Facial recognition technology is polarizing in general, and for many the concept of the government trusting a third-party to manage such personal data is unacceptable. For many others, the concept of the government itself having facial recognition data is equally unacceptable.

It’s clear that there are a number of potential and unresolved issues with the selected vendor. While the immediate emphasis is on stopping the process from moving forward, time should be spent on how a vendor was selected with all these apparent issues.”

News Insights: Cyber Attack Shuts Down Vodafone Portugal

The attack on Vodafone Portugal shut down all of its services and though ransomware has not yet been confirmed, the Vodafone Press Release calls the attack “a deliberate and malicious cyberattack intended to cause damage and disruption.”

News Insights:

Ron Bradley, VP, Shared Assessments:

“Technology is a double-edged sword. We love it when it works, and literally can’t live without it in other situations. The latest attack on Vodafone Portugal is a prime example of the serious impact (potentially life threatening) the loss of technology can have when it’s disrupted. While the details of the attack remain largely unknown, the downstream effects of losing the ability to communicate is crippling. The need for resiliency, especially for critical infrastructure, cannot be overstated. Building in redundancy and having the ability to fail over to alternate systems is an absolute must. As painful as this attack must be for Vodafone, one can only hope a series of lessons learned will be made and potentially shared with others to avoid a similar situation.”

Garret Grajek, CEO, YouAttest:

“Communications are one of the 16 components of the US CISA Critical Infrastructure component – sectors identified as crucial to operations of a functional modern society. An attack on any of these sectors is an attack on the country itself. The methods and operations of this attack must be analyzed, quantified and the mitigation must be communicated and repeated to other communication enterprises. The attackers are looking for any and all vulnerabilities and the seriousness of the events cannot be underestimated.”

U.N. report says North Korea funding nuclear program with cyberattack earnings

A confidential U.N. report says that North Korea’s cyberattacks, “particularly on cryptocurrency assets, remain an important revenue source” for the government of Kim Jong Un.

The new report, submitted to the U.N. sanctions committee and obtained in part by CBS News, is an annual accounting by independent monitors known as the “1718” Committee — named for the U.N. resolution that has imposed biting sanctions on North Korea since 2006. The report relies on its own often on-site investigations as well as open-sourced information and intelligence from member states of the United Nations.

https://www.yahoo.com/news/u-n-report-says-north-045437404.html

US officials prepare for potential Russian cyberattacks as Ukraine standoff continues

The FBI is asking US businesses to report any uptick in Russian hacking threats — the latest effort to prepare for potential Russian cyberattacks on US organizations amid Russia’s troop buildup on Ukraine’s border.

https://www.cnn.com/2022/02/02/politics/fbi-ukraine-cyber-russia/index.html

News Insights: OMB announces it wants to move the U.S. Government toward a “zero trust” architecture for cybersecurity

The White House’s Office of Management and Budget (OMB) today announced that it wants to move the U.S. Government toward a “zero trust” architecture for cybersecurity. See: Office of Management and Budget Releases Federal Strategy to Move the U.S. Government Towards a Zero Trust Architecture (The White House) and M-22-09 Federal Zero Trust Strategy (whitehouse.gov).

News Insights:

Tim Erlin, VP of Strategy, at Tripwire:

“The published memorandum represents a substantial step forward for cybersecurity across the US government. Moving the whole of government in a single, forward direction is incredibly difficult, and the efforts of OMB and all of the participating agencies should be applauded.

Implementing a Zero Trust Architecture is a proven way to reduce cybersecurity risk, but it is by no means an easy solution. The OMB memorandum lays out a set of foundational steps that agencies must take in order to begin this journey to Zero Trust, but it’s just a beginning.

It’s unfortunate that this memorandum doesn’t provide a clearer role for what NIST identifies as one of the key tenets for Zero Trust: integrity monitoring. Documents from both CISA and NIST include integrity monitoring as a key component of Zero Trust, but the OMB memorandum doesn’t include similar treatment. Integrity monitoring is foundational to a successful Zero Trust Architecture.

This memorandum includes substantial requirements and discussion around Endpoint Detection and Response (EDR), and in doing so, runs the risk of over-reliance on a specific technology. EDR is already evolving into Managed Detection and Response (MDR) and Extended Detection and Response (XDR). The cybersecurity technology landscape moves quickly, and there’s a real risk that agencies will find themselves required to implement and run a superseded capability.”


From BlackBerry: Log4U, Shell4Me

The BlackBerry Research & Intelligence and Incident Response (IR) teams have found evidence correlating attacks by the Initial Access Broker (IAB) group Prophet Spider with exploitation of the Log4j vulnerability in VMware Horizon. This article highlights the recent indicators of compromise (IoCs) that we’ve observed.

Defenders concerned that they may have been a victim of these attacks can make use of these IoCs and detection methods to identify evidence of compromise within their environment.

https://blogs.blackberry.com/en/2022/01/log4u-shell4me

From Arctic Wolf: Log4Shell in the Field – A Brief Analysis Through January 2022

This is a follow-up to our previous blog posts covering the Log4j vulnerability and the Deep Scan tool we made available to help identify vulnerable systems.

As we close the first month of 2022, we looked into the activity related to the Log4Shell vulnerability CVE-2021-44228 observed across our 2,300+ customers.

Many of you will empathize with the struggle to find all instances of the vulnerable Log4j component, especially at the scale that comes with having a large customer base. It’s from this necessity of scale that we were able to focus on providing the Deep Scan tool to the community (available on GitHub).

https://arcticwolf.com/resources/blog/log4shell-in-the-field-brief-analysis-through-january-2022

Wired: Why the Belarus Railways Hack Marks a First for Ransomware

For years, idealistic hacktivists have disrupted corporate and government IT systems in acts of protest. Cybercriminal gangs, meanwhile, have increasingly held hostage the same sort of enterprise networks with ransomware, encrypting their data and extorting them for profit. Now, in the geopolitically charged case of a hacktivist attack on the Belarusian railway system, those two veins of coercive hacking appear to be merging.

https://www.wired.com/story/belarus-railways-ransomware-hack-cyber-partisans/?utm_source=pocket-newtab

Thought Leaders: Venkat Thiruvengadam, Founder and CEO at DuploCloud

The newest Thought Leader video from our sister organization, The Cyber Policy Institute, features Venkat Thiruvengadam, Founder and CEO at DuploCloud.

In this conversation, Venkat discusses how compliance standards and regulations like SOC 2, GDPR, PCI and HIPAA become all the more challenging in the cloud. We discuss best practices for building secure and compliant cloud applications from the start.