A Review of the Best News of the Week on Cyber Threats & Defense

Apple’s Ransomware Mess Is the Future of Online Extortion (Wired, Apr 23 2021)
This week, hackers stole confidential schematics from a third-party supplier and demanded $50 million not to release them.

Justice Dept. Creates Task Force to Stop Ransomware Spread (Dark Reading, Apr 21 2021)
One goal of the group is to take down the criminal ecosystem that enables ransomware, officials say.

Hackers are exploiting a Pulse Secure 0-day to breach orgs around the world (Ars Technica, Apr 20 2021)
Exploits allow state-backed hackers to bypass 2FA and breach defense contractors.

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Lazarus Group Uses New Tactic to Evade Detection (Dark Reading, Apr 19 2021)
Attackers conceal malicious code within a BMP file to slip past security tools designed to detect embedded objects within images.

Hackers found leveraging three SonicWall zero-day vulnerabilities (Help Net Security, Apr 21 2021)
Attackers that seem to have “intimate knowledge” of the SonicWall Email Security product have been discovered leveraging three (at the time) zero-day vulnerabilities in the popular enterprise solution.

Over 580 WordPress Vulnerabilities Disclosed in 2020: Report (SecurityWeek, Apr 21 2021)
More than 580 WordPress vulnerabilities were disclosed in 2020, but a vast majority of them impact third-party plugins and themes rather than the WordPress core, according to a new report from website security company Patchstack (formerly WebARX).

Linux team in public bust-up over fake “patches” to introduce bugs (Naked Security – Sophos, Apr 22 2021)
Embarrassed overreaction or righteous indignation? An academic research group has provoked the Linux crew to ban their whole university!

QNAP NAS devices under ransomware attack (Help Net Security, Apr 26 2021)
QNAP NAS device owners are once again under attack by ransomware operators, who are exploiting a recently fixed vulnerability to lock data on vulnerable devices by using the 7-Zip open-source file archiver utility. According to Lawrence Abrams, the ransomware gang has managed to “earn” $260,000 in five days, as many unfortunate victims decided to pay the ransom of 0.01 Bitcoins (around $550) to receive the password that would unlock their files.

Uninstall Command Completes Emotet Botnet Cleanup Operation (SecurityWeek, Apr 26 2021)
Roughly one million computers are getting rid of the Emotet malware after law enforcement agencies served them an update meant to trigger an uninstall process on April 25.

Millions of web surfers are being targeted by a single malvertising group (Ars Technica, Apr 19 2021)
Tag Barnakle is using infected ad servers to go “straight for the jugular,” firm says.

Chinese threat actors extract big data and sell it on the dark web (SC Media, Apr 19 2021)
The stolen data ranges from lottery and stock data to commercial databases of Canadian and U.S. businesses.

Dept. of Energy Launches Plan to Protect Electric Grid from Cyberattack (Dark Reading, Apr 20 2021)
Over the next 100 days, the DoE will work with electric utilities to improve visibility, detection, and response for industrial control systems.

Securing vehicles from potential cybersecurity threats (Help Net Security, Apr 21 2021)
Organizations in the automotive industry are no stranger to demands and mandates regarding car and passenger safety, so addressing the issue of cybersecurity of computerized, connected vehicles should, in theory, not be a huge problem.

Nearly Half of All Malware Is Concealed in TLS-Encrypted Communications (Dark Reading, Apr 22 2021)
Forty-six percent of all malware uses the cryptographic protocol to evade detection, communicate with attacker-controlled servers, and to exfiltrate data, new study shows.

Monero-mining botnet targets orgs through recent MS Exchange vulnerabilities (Help Net Security, Apr 22 2021)
The recent Microsoft Exchange Server vulnerabilities might have initially been exploited by a government-backed APT group, but cybercriminals soon followed suit, using them to deliver ransomware and grow their botnet. One perpetrator of the latter activities is Prometei, a cross-platform (Windows, Linux), modular Monero-mining botnet that seems to have flown under the radar for years.

AV Under Attack: Trend Micro Confirms Apex One Exploitation (SecurityWeek, Apr 22 2021)
Anti-malware vendor Trend Micro is warning that attackers are attempting to exploit a previously patched vulnerability in its Apex One, Apex One as a Service, and OfficeScan product lines.

New CISA Advisories Warn of ICS Vulnerabilities (Dark Reading, Apr 22 2021)
The vulnerabilities exist in Cscape control system application programming software and the Mitsubishi Electric GOT.

Prometei Botnet Adds New Twist to Exchange Server Attacks (Dark Reading, Apr 22 2021)
Attackers are using the well-known Microsoft Exchange Server flaw to add machines to a cryptocurrency botnet, researchers say.

Vendors are getting better at spotting malicious execution techniques (SC Media, Apr 22 2021)
Cybersecurity enterprise solutions are getting better at recognizing malicious activity conducted via APIs and Windows Management Instrumentation tools.

Connected medical devices brought security loopholes mainstream (Help Net Security, Apr 26 2021)
The increasing demand for self-health management, coupled with the digitalization of the modern healthcare ecosystem, translates into a medical connected devices market that is predicted to grow 20% every year, according to Infoholic Research.