Hello and welcome to another cybersecurity wrap up. Here's the latest...
One of the big stories this week was Google's acquisition of cybersecurity company Mandiant for $5.4 billion. If the deal goes through, it will be Google's largest acquisition to date. Google believes that by acquiring Mandiant its cloud computing customers will be better protected. Is this the beginning of a new wave of cybersecurity mergers? Some industry analysts believe that's definitely in the cards.
In other Mandiant-related news, investigators there say a Chinese government-backed hacking group has breached local government agencies in at least six US states. The wide range of state agencies targeted include health, transportation, labor (including unemployment benefit systems), higher education, agriculture, and court networks and systems. In two states, hackers broke into networks using Log4j, the exploit that began causing a lot of grief late last year.
New research from security vendor BreachQuest says the Conti ransomware group - responsible for last year's debilitating attack on the Irish Healthcare System - has made enough money to have spent millions on ‘business’ expenses in 2021. BreachQuest says the group has an HR and recruitment lead, developers, pen testers, admins, QA and reverse engineer experts.
Researchers at Forescout’s Vedere Labs and CyberMDX say a dangerous vulnerability exists for users of device management platform Axeda, especially those that manufacture medical devices. According to a March 8th alert from the U.S. Food & Drug Administration (FDA), the vulnerability -- dubbed “Access:7” -- "could allow an unauthorized attacker to take full control of the host operating system, resulting in full system access, remote code execution, read/change configuration, file system read access, log information access, and a denial-of-service condition." The alert goes on to explain "the vulnerabilities could result in changes to the operation of the medical device and impact the availability of the remote support functionality." As a result, companies such as Bayer, GE Healthcare, Accuray, Elekta Technologies and Varian have issued statements about what products are affected by Access7 and how to mitigate the risks to their customers.
Also this week, Anonymous -- the sometimes vilgiante hackers -- alleges they infiltrated Russian state TV. The group shared footage on Twitter, which showed a TV with images of the conflict between Russia and Ukraine.
In South Korea, at attack at electronics giant Samsung has resulted in the source code theft of its Galaxy devices. The cybercrime group Lapsus$ has claimed responsibility. The group has been busy, as they also recently hacked Nvidia. In the Samsung hack, Lapsus$ allegedly stole roughly 200GB of stolen data, including source code used by Samsung for encryption and biometric unlocking functions.
The U.S. Federal Bureau of Investigation (FBI) says the Ragnar Locker ransomware gang has breached the networks of at least 52 organizations from multiple US critical infrastructure sectors. The FBI says Ragnar Locker is targeting 10 critical infrastructure sectors, including entities in the critical manufacturing, energy, financial services, government and information technology sectors. You may recall Ragnar Locker was behind numerous hacks in the past several years, including Campari in November 2020. It was also during that period the group began running ads in Facebook to force victims into paying ransom. Which makes me wonder how those ads were ever approved.
That's a wrap for this week. Wishing everyone a great weekend.
Top Global Security Stories
Infosecurity Magazine (March 10, 2022) Conti Group Spent $6m on Salaries, Tools and Services in a Year
The infamous Conti ransomware collective spent millions on ‘business’ expenses last year and even tried to develop its own digital currency, according to a new report.
Security vendor BreachQuest analyzed the recent leak of the pro-Russia group’s internal chat logs by a Ukrainian researcher, revealing fascinating details of its operations.
Headed up by an individual named “Stern,” the group has an HR and recruitment lead, someone in charge of its data leak blog, a training specialist and a blockchain lead, as well as individuals in charge of an A, B and C team. Each of these alphabetized teams contains developers, pen testers, OSINT, admins, QA and reverse engineer experts, the report claimed.
Turnover of employees is high as per any criminal organization, although they are well compensated in Bitcoin. An estimated 485 individuals have gone through the Conti system, although this figure also includes potential candidates who have declined roles, as well as victims.
The criminal gang spent millions on remuneration and other internal outgoings, hinting at the huge profits it makes.
Portswigger (March 9, 2022) Critical Axeda vulnerabilities pose takeover risk to hundreds of IoT devices
More than 150 internet of things (IoT) devices used for commercial applications could be at risk of malicious takeover due to critical vulnerabilities in connected device management platform Axeda.
Discovered by security researchers at Forescout’s Vedere Labs and CyberMDX, the trio of remote code execution (RCE) flaws could also allow attackers to access sensitive data or reconfigure affected devices.
A majority of devices affected by these and four other, lower severity bugs – collectively dubbed ‘Access:7’ – are used for medical applications.
Channele2e (March 8, 2022) Google Acquires Mandiant for Cloud Security Push
Google has acquired Mandiant to further accelerate the Google Cloud security business, MSSP Alert reported. The price tag is $5.4 billion, the two technology companies said. Ironically, the deal surfaces roughly one week after Google Cloud laid off some support staff.
Mandiant is well known for its incident response services. The company split from FireEye in 2021 in order to work more closely with third-party tool providers. But now, Mandiant will tuck into the Google Cloud business — which has a rapidly growing portfolio of cybersecurity services.
Indeed, Google Cloud’s security offerings are both home-grown and acquired. Key moves include acquiring Siemplify in January 2022 and investing in Cybereason in October 2021. Those Google acquisitions could set the stage for more MSSP partnerships with the cloud and search giant, MSSP Alert believes.
CNN (March 8, 2022) Cybersecurity firm says Chinese hackers breached six US state agencies
A Chinese government-backed hacking group has breached local government agencies in at least six US states in the last 10 months as part of a persistent information-gathering operation, investigators at cybersecurity firm Mandiant said Tuesday.
The wide range of state agencies targeted include “health, transportation, labor (including unemployment benefit systems), higher education, agriculture, and court networks and systems,” the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) said in a separate, private advisory to state governments obtained by CNN.
For agencies in two states, the hackers broke into networks using a critical software flaw that was revealed in December just as the Biden administration was scrambling to respond to the flaw’s discovery, according to Mandiant.
Bleeping Computer (March 7, 2022) FBI: Ransomware gang breached 52 US critical infrastructure orgs
The US Federal Bureau of Investigation (FBI) says the Ragnar Locker ransomware gang has breached the networks of at least 52 organizations from multiple US critical infrastructure sectors.
This was revealed in a joint TLP:WHITE flash alert published on Monday in coordination with the Cybersecurity and Infrastructure Security Agency.
"As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors," the federal law enforcement agency said [PDF].
"RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention."
The flash alert focuses on providing indicators of compromise (IOCs) organizations can use to detect and block Ragnar Locker ransomware attacks.
Android Police (March 7, 2022) Samsung confirms massive hack, but says user data is safe
The hacking group Lapsus$ recently targeted Nvidia, demanding the chipmaker eliminate a feature in some GPUs that limits hash rates while mining Ethereum cryptocurrency. The hackers made it clear they had the goods by first leaking internal Nvidia email handles and cryptographically hashed passwords, then setting a deadline of March 4. Lapsus$ isn't stopping there — now Samsung is under the gun, and valuable source code is once again at stake.
The new leak is detailed in a report from Bleeping Computer, which calls Lapsus$ an "extortion gang" and says the group initially posted a screenshot of code for Samsung software, then detailed what has been exfiltrated from the South Korean electronics giant's servers. The stolen info appears to include vital information, including algorithms for all biometric unlocking operations, the source code for the bootloader for newer Samsung products, and all the source code behind the process of authorizing and authenticating Samsung accounts.
Forbes (March 7, 2022) Anonymous claims it hacked into Russian TVs and showed the true devastation of Putin’s Ukraine invasion
Anonymous, the online group of hackers, has claimed that they successfully infiltrated Russian state TV to show citizens the true devastation of Putin's invasion of Ukraine.
The group shared footage of the deed on Twitter which shows a TV streaming the devastation in Ukraine as the war entered its 12th day.
At the end of the video, a written message said that the war was waged by Putin’s authoritarian regime and not ordinary citizens. This alleged hack was intended to keep the Russian people aware of what’s really going on in the global community as the government has stepped up censorship and blocked access to foreign news outlets and Facebook.
Other Top Industry News
Biden signs executive order on digital assets, including security measures
Alleged hacker behind Kaseya ransomware attack extradited, arraigned in Texas - ZDNet
Hapag-Lloyd flags spear phishing attack - Splash247.com
Latin e-commerce giant Mercado Libre hacked - ZDNet
SEC Seeks More Cybersecurity Info From Companies - PYMNTS.com
Why Europe’s energy industry is vulnerable to cyber-attacks - European Council on Foreign Relations
8 More Women in Security You May Not Know but Should - Dark Reading
Utah inches closer to becoming fourth state to pass privacy law - ZDNet
