Cyber Policy in the News
Washington (CNN) Chinese government-backed hackers have breached “major telecommunications companies,” among a range of targets worldwide, by exploiting known software flaws in routers and other popular networking gear, US security agencies warned Tuesday.
Read full article: https://www.cnn.com/2022/06/08/politics/chinese-hackers-breach-telecoms-firms/index.html
Virtual community and school board meetings have been commonplace over the last two years. Instead of gathering in person, these meetings, often held over Zoom, have been critical to keeping the community involved.
While most meetings have returned in-person, they are often still live-streamed on Zoom. This helps preserve community access.
However, there is a risk to these live-streamed events. While many might be familiar with Zoom-bombing, the insidious practice of a hacker jumping onto a Zoom call and introducing malicious or explicit content, there is another method that hackers have found to exploit such calls.
Starting in March 2022, Avanan researchers have seen how hackers have spoofed reminders of community and school board invitations, by attaching what looks like a Zoom or other web conferencing invitation. Instead, the attachment is a malicious PDF. In this attack brief, Avanan will analyze how hackers are spoofing important community meetings to spread malware.
Read full article: https://www.avanan.com/blog/local-meetings-under-attack
In the past few years, ransomware attacks have crippled schools, hospitals, city governments, and pipelines.
A Biden administration initiative meant to combat disinformation online — but which seemed poorly thought out from the beginning — is in limbo.
The Washington Post reported on Wednesday that the initiative, run by the Department of Homeland Security and formally known as the Disinformation Governance Board, is being put on hold in the face of relentless (but eminently predictable) attacks, largely but not exclusively from the right. Its leader, Nina Jankowicz, resigned on Wednesday.
Read full article: https://nymag.com/intelligencer/2022/05/poorly-conceived-biden-disinformation-board-put-on-pause.html
A joint security advisory issued by cybersecurity agencies from the US, Canada, New Zealand, the Netherlands and the UK describes the top 10 attack vectors most exploited by threat actors for breaching networks. These include poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices, which attackers use to gain initial access or as part of other tactics to compromise a victim’s system.
Policy Insights:
Chris Clements, vice president of solutions architecture at Cerberus Sentinel:
“As lists go, this is a very good one and enumerates the most common reasons organizations fall victim to cyberattacks. By following CISA’s recommendations, organizations can drastically improve their security posture and resilience to cyberattack. That said, many of these items can be difficult to implement, especially at organizations that don’t already have a strong culture of cybersecurity. It’s also difficult for an organization without an existing culture to know where to begin as well. For example, the mitigations list starts with “Adopt a zero-trust security model.” Zero trust can be an incredibly effective approach to network defense but can also be a significant undertaking to implement. This is particularly true for organizations with large environments, legacy dependencies, or limited resources for staff or budget. As such, it’s critical for every organization to adopt a true culture of security to evaluate their individual risk, which best practices can be implemented quickly, and form both a short- and long-term strategy for defense. There should also be a candid assessment of areas where it makes sense to partner with outside organizations for assistance. A SOC is a great thing to have, but not all organizations will have the resources to build and staff their own.”
Roger Grimes, data-driven defense evangelist at KnowBe4:
“Unfortunately, like most of these types of warnings, it does not tell readers one huge truth that they need to know…and it is that phishing and social engineering are 50% to 90% of the problem. Like most warnings, it mentions phishing and social engineering almost in passing. None of the mitigations mention fighting phishing or social engineering attacks, such as better training employees to recognize and defeat phishing attacks. Social engineering is the biggest threat by far, but it is barely mentioned, so no one who is reading the document would know that defeating it is the single best thing you can do. It is better than firewalls, antivirus, multifactor authentication, zero trust defenses and everything else added up all together. It is clear that if defenders do not concentrate on and do more to defeat social engineering, that they just are not going to be successful in keeping hackers and malware out. Yes, patching and all the other things they mention need to be done, but nowhere does this recommendation indicate that, “Hey, social engineering and phishing is the biggest problem by far” and “Hey, you need to be doing a whole lot more to defeat social engineering and phishing.” Instead, it is treated as just one of the many things that everyone needs to be doing, sure to be lost in the dozens of other, far harder and less helpful things, that defenders need to be doing. It is this continuous fundamental misalignment between how we are attacked (mostly social engineering) and how we are told to defend ourselves (almost barely mentioning it) that allows hackers and malware to be so successful. It would be helpful to tell people which of the dozens of mitigations are more important than others. No one can do everything perfect and right all at once. Everyone can only do a few things right all at the same time, so at least tell them which things need to be concentrated on first and best.”
Costa Rica has declared a state of emergency after ransomware hackers crippled computer networks across multiple government agencies, including the Finance Ministry.
The official declaration, published on a government website Wednesday, said that the attack was “unprecedented in the country” and that it interrupted the country’s tax collection and exposed citizens’ personal information.
The hackers initially broke into the Finance Ministry on April 12, it said. They were able to spread to other agencies, including the Ministry of Science, Technology and Telecommunications and the National Meteorological Institute.
Leon Weinstok, the director of the Costa Rica office of the law firm BLP, who specializes in cybersecurity law, said the attack had severely affected the country’s ability to function.
“The government has been really, really affected. It is impossible to quantify the losses at this time,” Weinstok said.
May 10 (Reuters) – Russia was behind a massive cyberattack against a satellite internet network in Ukraine which took thousands of modems offline at the onset of the war, Britain, Canada and the European Union said on Tuesday.
The digital assault against Viasat’s (VSAT.O) KA-SAT network in late February took place just as Russian armour pushed into Ukraine, helping facilitate President Vladimir Putin’s invasion of the country, the Council of the EU said in a statement.
“This cyberattack had a significant impact causing indiscriminate communication outages and disruptions across several public authorities, businesses and users in Ukraine, as well as affecting several EU Member States,” the statement said.
Read full article: https://www.reuters.com/world/europe/russia-behind-cyberattack-against-satellite-internet-modems-ukraine-eu-2022-05-10/
Politico reported last week that members of the Senate Armed Services Committee’s cybersecurity subpanel will also dive into how artificial intelligence is being used to advance cyber warfare practices. According to Politico, “While no Pentagon or other Biden administration officials are scheduled to testify, lawmakers will hear from two companies at the forefront of the military’s cyber advances: Google and Microsoft.
Eric Horvitz, a technical fellow and chief scientific officer at Microsoft, plans to focus both on the ways that AI advancements have helped organizations prevent and respond to cyberattacks and the ways that it’s made nation-state hacking groups even stronger. “The DoD, federal and state agencies, and the nation need to stay vigilant and stay ahead of malevolent adversaries,” Horvitz will say in his opening remarks, adding that more investments in research and engineering projects will be needed to do so.
Other witnesses include Andrew Moore, vice president and director of Google Cloud AI, and Andrew Lohn, a senior fellow at Georgetown University’s Center for Security and Emerging Technology. A spokesperson for Sen. Joe Manchin (D-W.V.), who chairs the cyber subcommittee, told MC that the hearing will touch on recommendations from the National Security Commission on Artificial Intelligence, including one calling for a new framework outlining how to defend key AI systems from cyberattacks and another recommending that DoD and the Office of the Director of National Intelligence stand up new hacking teams to test the security of the country’s AI systems.”
Policy Insights:
Max Heinemeyer, VP of Cyber Innovation from Darktrace:
“Cyberconflict is the new battleground, and we need to take this threat seriously. Attackers will stop at nothing to take down critical infrastructure, hold data for ransom, or worse – launch a nation-state attack that could cause major global disruption. It is excellent news to see increased awareness and calls to action around implementing AI into the nation’s cybersecurity framework.
Our research indicates an increasing use of automation by attackers. Attackers use automation to accelerate their attack paths and ramp up attacks faster for a more substantial ROI. Sophisticated attackers use automation in countless ways to gain entry into an organization’s digital infrastructure to seek out its ‘crown jewels.’ AI is one tool in the automation toolbox available to adversaries. However, when defenders utilize AI, it is much more difficult for attackers to succeed.
AI works with security teams, augmenting their capabilities. AI helps alleviate the pressures already on IT teams, enabling them to be more efficient. AI can handle security tasks, especially at night or on weekends, critical for teams without sufficient human resources or security skills. As threat actors become more aggressive, so too must defenses. Utilizing defensive AI is not a nice-to-have; it is a must-have.”