By the CyberWire staff
At a glance.
- Reddit breached.
- Top US cyber diplomat says his Twitter account was hacked.
- LockBit says ION paid ransom.
- New ransomware exploits VMware ESXi vulnerability.
- War-floating.
- UK and US issue joint sanctions against Russian ransomware operators.
- Latest trends and reports.
- Threat actor movements observed and reported over the week.
- Updates on cyber activity in the hybrid war against Ukraine.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Business news.
- Research developments.
Reddit breached.
Reddit has disclosed that it sustained a data breach on February 5th after an employee fell for a phishing attack, BleepingComputer reports. Reddit said in a statement that an attacker set up a website that impersonated the company’s intranet gateway and was designed to steal credentials and two-factor authentication tokens. After an employee fell for the ruse, the attacker “gained access to some internal docs, code, as well as some internal dashboards and business systems.” The company added, “We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).” Reddit also hasn’t found any signs that the attacker accessed user data. For more on the Reddit breach, see CyberWire Pro.
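The mechanism behind the Reddit intrusion, as an added example that is not Reddit's code: a phishing page that simply proxies the victim's password and one-time code to the real gateway gets a valid session, because a TOTP code is not tied to the site the user typed it into. The second half shows why the same relay fails against an origin-bound assertion of the kind FIDO2/WebAuthn uses. The origins, the user table and the "assertion" are all constructed for illustration; HMAC stands in for the authenticator's public-key signature, but the origin check mirrors what a real relying party does with clientDataJSON.

```python
import base64
import hashlib
import hmac
import json
import struct

# Added example; not Reddit's code. Models a phishing relay against password+TOTP
# and contrasts it with an origin-bound assertion. All names below are assumed.

REAL_ORIGIN = "https://intranet.example.com"    # assumed real gateway
PHISH_ORIGIN = "https://intranet-example.com"   # assumed look-alike


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the usual authenticator-app default."""
    counter = int(unix_time // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Gateway:
    """Toy intranet gateway: password plus TOTP, nothing bound to the origin."""

    def __init__(self, users: dict):
        self.users = users  # email -> (password, totp_secret)

    def login(self, email: str, password: str, code: str, now: float) -> bool:
        record = self.users.get(email)
        if record is None or not hmac.compare_digest(record[0], password):
            return False
        # accept the current and the previous 30 s step to tolerate clock skew
        return any(hmac.compare_digest(totp(record[1], now - 30 * back), code)
                   for back in (0, 1))


def phishing_relay(gateway: Gateway, email: str, password: str, code: str, now: float) -> bool:
    """Adversary-in-the-middle: forwards whatever the victim typed, unchanged."""
    return gateway.login(email, password, code, now)


def sign_assertion(cred_key: bytes, challenge: bytes, origin: str) -> dict:
    """The authenticator signs the challenge together with the origin the browser saw."""
    client_data = json.dumps(
        {"challenge": base64.b64encode(challenge).decode(), "origin": origin},
        sort_keys=True).encode()
    sig = hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()  # stand-in for a signature
    return {"client_data": client_data, "sig": sig}


def verify_assertion(cred_key: bytes, challenge: bytes, assertion: dict,
                     expected_origin: str = REAL_ORIGIN) -> bool:
    """Relying-party side: signature, challenge and origin must all check out."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != expected_origin:
        return False   # a relayed assertion names the phishing origin
    if data.get("challenge") != base64.b64encode(challenge).decode():
        return False
    expected = hmac.new(cred_key, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def demo(now: float = 1_700_000_000) -> dict:
    """Run both flows and report what the gateway accepted."""
    secret = b"12345678901234567890"           # RFC 6238 test-vector secret
    gateway = Gateway({"alice@example.com": ("correct horse", secret)})
    code = totp(secret, now)                   # what the victim typed into the phish
    results = {"relayed_totp_accepted":
               phishing_relay(gateway, "alice@example.com", "correct horse", code, now + 5)}

    cred_key, challenge = b"per-credential-key", b"\x01" * 32
    relayed = sign_assertion(cred_key, challenge, PHISH_ORIGIN)   # produced on the phish
    results["relayed_assertion_accepted"] = verify_assertion(cred_key, challenge, relayed)
    legit = sign_assertion(cred_key, challenge, REAL_ORIGIN)
    results["legit_assertion_accepted"] = verify_assertion(cred_key, challenge, legit)
    return results


if __name__ == "__main__":
    print(demo())
```

The relayed TOTP is accepted because nothing in the code identifies where it was entered; the relayed assertion is rejected because the origin is part of what was signed. That is the practical difference between "has 2FA" and "has phishing-resistant 2FA".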
Top US cyber diplomat says his Twitter account was hacked.
Nate Fick, US ambassador-at-large for cyber and head of the State Department's Bureau of Cyberspace and Digital Policy, tweeted Saturday, "My account has been hacked. Perils of the job..." It's a personal account, used for posts about "weather, mountain biking, and backcountry skiing," which probably accounts for the refreshing shrug-off. Ambassador Fick communicates officially through an official account, @StateCDP.
LockBit says ION paid ransom.
The UK-based ION Trading Group, hit by a LockBit-claimed ransomware attack that began on Tuesday, has reportedly paid the ransom, Bloomberg reported Friday. Bloomberg News cites a LockBit representative who told the outlet “that the ransom was paid and that the gang provided a decryption key to unlock the compromised computers.” Neither the party that paid nor the amount was disclosed. Reuters said last week that recovery could take days, though if the “group representative” is reliable, the decryption key may speed the process. The US Federal Bureau of Investigation has begun its own inquiry into the attack, alongside investigations by UK regulators, Bloomberg wrote Friday.
New ransomware exploits VMware ESXi vulnerability.
France's Computer Emergency Response Team (CERT-FR) and Italy's National Cybersecurity Agency (ACN) have both warned of a widespread ransomware campaign that’s exploiting a vulnerability in VMware ESXi servers. The campaign exploits CVE-2021-21974, a heap overflow in the ESXi OpenSLP service that VMware patched in February 2021. BleepingComputer says at least 3,200 servers around the world have been infected. CERT-FR recommends that organizations apply all patches for ESXi hypervisors and also verify that they haven’t already been compromised, since a patch does not evict an attacker who is already present. The ransomware, which is being tracked as “ESXiArgs,” appears to be a new strain based on Babuk source code. SC Media reports that Europe is the hardest-hit region, followed by North America. Reuters quotes the US Cybersecurity and Infrastructure Security Agency (CISA) as saying, “CISA is working with our public and private sector partners to assess the impacts of these reported incidents and provide assistance where needed.”
VMware published the following statement:
“We wanted to address the recently reported ‘ESXiArgs’ ransomware attacks as well as provide some guidance on actions concerned customers should take to protect themselves.
“VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks. Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs). You can sign up for email and RSS alerts when an advisory is published or significantly modified on our main VMSA page.
“With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities. In addition, VMware has recommended disabling the OpenSLP service in ESXi. In 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default.”
CISA has released a script that can, in some cases, rebuild virtual machines from flat files and recover data encrypted by ESXiArgs. BleepingComputer explains that the ransomware “failed to encrypt flat files, where the data for virtual disks are stored.” SecurityScorecard has published a report looking at potentially vulnerable ESXi servers, and cases in which these servers have recently communicated with malicious IP addresses. The Washington Post notes that the ESXiArgs campaign appears to have had a somewhat muted impact compared to earlier widespread ransomware or pseudo-ransomware campaigns, such as WannaCry or NotPetya. Italy's National Cybersecurity Agency (ACN) says, according to Reuters, that it’s unclear who’s behind the campaign. In particular, there’s no obvious involvement of a state-actor. For more on ESXiArgs, see CyberWire Pro.
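A first-pass triage of a datastore, as an added example that is neither CISA's recovery script nor CERT-FR guidance: it walks a datastore tree and reports, per VM directory, whether ESXiArgs-style artifacts are present and whether the -flat.vmdk data file survived, which is the condition CISA's rebuild depends on. The file naming (a companion "<file>.args" marker beside each encrypted file, and the two ransom-note names) is taken from public reporting and is an assumption here; treat it as a triage hint, not a detection signature. The sample datastore layout is constructed.

```python
from pathlib import Path
import tempfile

# Added example, not CISA's or VMware's code. Classifies VM directories on a
# datastore by whether ESXiArgs-style artifacts exist and whether the flat
# data file is still present. Artifact names are assumptions from reporting.

RANSOM_NOTES = {"ransom.html", "How to Restore Your Files.html"}   # assumed names


def encrypted_files(vmdir: Path) -> list:
    """Files that carry an .args marker, i.e. the ones the encryptor touched."""
    return sorted(p.name[:-len(".args")] for p in vmdir.glob("*.args"))


def triage_vm_dir(vmdir: Path) -> dict:
    """Classify one VM directory and list what a rebuild would need."""
    hit = encrypted_files(vmdir)
    note = any((vmdir / n).exists() for n in RANSOM_NOTES)
    flats = sorted(p.name for p in vmdir.glob("*-flat.vmdk") if p.stat().st_size > 0)
    if not hit and not note:
        state = "CLEAN"
    elif flats:
        state = "ENCRYPTED_RECOVERABLE"   # data intact; descriptor must be regenerated
    else:
        state = "ENCRYPTED_NO_FLAT"       # nothing to rebuild from on this datastore
    return {"state": state, "encrypted": hit, "ransom_note": note, "flat_files": flats}


def triage_datastore(root: Path) -> dict:
    """Map VM directory name -> triage result for every subdirectory of root."""
    return {d.name: triage_vm_dir(d) for d in sorted(root.iterdir()) if d.is_dir()}


def build_sample_datastore(root: Path) -> None:
    """Constructed layout for the demo; no real VM data."""
    def touch(path: Path, size: int = 0) -> None:
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\x00" * size)

    # web01: descriptor and config encrypted, flat file untouched -> recoverable
    touch(root / "web01" / "web01.vmdk", 16)
    touch(root / "web01" / "web01.vmdk.args", 8)
    touch(root / "web01" / "web01.vmx.args", 8)
    touch(root / "web01" / "web01-flat.vmdk", 4096)
    touch(root / "web01" / "How to Restore Your Files.html", 32)
    # db01: untouched
    touch(root / "db01" / "db01.vmdk", 16)
    touch(root / "db01" / "db01-flat.vmdk", 4096)
    # app01: marker and note present but no flat file on this datastore
    touch(root / "app01" / "app01.vmdk.args", 8)
    touch(root / "app01" / "ransom.html", 32)


def demo() -> dict:
    """Build the constructed sample in a temp dir and return name -> state."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_datastore(root)
        return {vm: r["state"] for vm, r in triage_datastore(root).items()}


if __name__ == "__main__":
    for vm, state in demo().items():
        print(vm, state)
```

Run it against a copied datastore listing rather than the live host, and treat ENCRYPTED_RECOVERABLE as "worth attempting", not "recovered": the descriptor (.vmdk) still has to be regenerated to point at the surviving flat file, which is what CISA's script automates. On the host itself, VMware's KB 76372 steps for turning off the service the exploited bug lives in are /etc/init.d/slpd stop, esxcli network firewall ruleset set -r CIMSLP -e 0, and chkconfig slpd off; chkconfig --list | grep slpd confirms the change survives reboot.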
War-floating.
Examination of debris from the Chinese balloon the US Air Force shot down off Myrtle Beach earlier this week continues, but the US State Department has announced that the balloon was a surveillance system, the New York Times reports. Specifically, it was collecting signals intelligence, a capability the US had established before the balloon was shot down and its wreckage recovered: close flybys by U-2 aircraft determined as much during the balloon's leisurely trip from Montana to South Carolina. The balloon's payload included antenna arrays “likely capable of collecting and geo-locating communications,” the US statement said, and the craft carried enough solar panels to power a large set of electronic sensors.
UK and US issue joint sanctions against Russian ransomware operators.
Thursday morning the US Treasury Department’s Office of Foreign Assets Control and the UK’s National Crime Agency jointly sanctioned seven members of the gang that has operated the Trickbot malware. The individuals sanctioned are also involved with the Conti and Ryuk ransomware strains. The National Crime Agency says, “The seven cyber criminals are now subject to travel bans and asset freezes, and are severely restricted in their use of the global financial system.”
The US Treasury Department drew particular attention to the way the Russian government has long provided a safe haven for cyber criminals. Treasury’s statement said, in part, “Russia is a haven for cybercriminals, where groups such as Trickbot freely perpetrate malicious cyber activities against the U.S., the U.K., and allies and partners. These malicious cyber activities have targeted critical infrastructure, including hospitals and medical facilities during a global pandemic, in both the U.S. and the U.K. Last month, Treasury’s Financial Crimes Enforcement Network (FinCEN) identified a Russia-based virtual currency exchange, Bitzlato Limited, as a ‘primary money laundering concern’ in connection with Russian illicit finance.”
Roger Grimes, data-driven defense evangelist at KnowBe4, commended CISA and US federal agencies for their impact on ransomware:
"This is just the latest salvo in successfully fighting ransomware. It and all the other challenges recently facing ransomware cybercriminals can be traced back to the May 2021 Colonial Pipeline ransomware attack. Somehow, long overdue, ransomware finally reached an overreach tipping point event that I'm sure even they themselves wished they could take back. I think nearly everyone had thought that ransomware was causing far too much damage to continue to be the threat that it was for over a decade. I mean we had average ransomware payments lurching over $100,000 and many organizations were routinely paying multi-million dollar ransoms. It was pretty bad. And I don't think any of us understood why it continued to be worse and worse each year without something being done about it. But then they attacked a gasoline pipeline company (not even the pipeline itself, just the admin side of it) and it changed everything.
"CISA and all their partners (e.g., FBI, DOJ, NSA, business councils, foreign agencies, etc.) got involved. Even the President of the United States got involved. Ransomware finally crossed a bridge too far. The defenders figured out what it would take to mitigate ransomware. It's really the kitchen sink approach. CISA started better educating everyone about ransomware and putting out notices of the latest attacks and indicators of compromise. We started to go after the money. We started to identify and even sometimes arrest ransomware group members. We started to sanction or threaten to sanction legitimate organizations that allowed ransomware gangs to cash out their ill-gotten gains.
"Victims started saying no to paying the ransom. After over a decade of most victims...say 40% to 50% of them, usually paying the ransom, today most don't. And that's despite the potentially costly consequences, such as private data being publicly published. So, you've got law enforcement hot on their trail (even if they can't be arrested) and it's harder for them to make money doing what easily worked for over a decade. For the first time in the fight against ransomware, they didn't just exponentially expand their attacks and profit. Ransomware isn't gone and might not ever be, but the good guys are in the game fighting back. It isn't as one-sided as it used to be. And we need to recognize that CISA and the U.S. government did this. It isn't often that you can point to a government and say they made a difference in cybersecurity, but this is one of those times and I'm glad we have CISA in the fight."
Redacted's VP of Intelligence, Adam Flatley, noted the functionality of sanctions such as these, but stresses the need for a collaborative approach:
"Sanctions like these can be surprisingly effective against criminal enterprises like Trickbot, though that may not seem obvious at first. But it's important to view this as just one tool in the toolbox, and sanctions need to be layered with other diplomatic, law enforcement, and intelligence community capabilities in a coordinated campaign to target cybercrime gangs operating from sanctuary countries like Russia in order to maximize disruption and dismantling efforts."
Latest trends and reports.
Proofpoint describes a spike in Super Bowl-themed spam over the past weeks, and Synopsys casts a skeptical eye on sports book apps.
Proofpoint observed an 860% increase in smishing attacks during the playoff period. The vast majority of the text messages contained a shortened link leading to a malicious website, and the messages carried phony offers of iPad giveaways or free betting money. The researchers expect these scams to increase as the Super Bowl approaches.
Synopsys has published a report looking at the security of the top ten sports betting apps for Android devices. The researchers found that all of the apps use outdated open-source components that contain vulnerabilities. The vulnerabilities aren’t necessarily exploitable in the apps, but Synopsys says their presence indicates that developers and app stores should refine their security practices. For more about the risks of the Super Bowl, see CyberWire Pro.
DataDome has published a report on e-commerce bot traffic during the 2022 holiday season, finding that bots are growing increasingly capable of imitating human users. Most of the traffic observed by DataDome came from IP addresses in the United States. This doesn’t necessarily mean the operators are in the US, since they deliberately use IP addresses in the region they intend to target (and the researchers note that most of DataDome’s customers are located in the US). 98% of the bots were designed to scrape online retailers’ inventory and buy items for scalping. The two most targeted sectors were electronics and footwear. The bots were particularly focused on gaming consoles and luxury or limited-edition clothing merchandise. For more on bots and e-commerce, see CyberWire Pro.
Security researcher EatonWorks reports that he was able to breach Toyota's Global Supplier Preparation Information Management System (GSPIMS), which the company uses to manage its global supply chain, BleepingComputer reports. EatonWorks explains that “[a]ny user could be logged into just by knowing their email, completely bypassing the various corporate login flows,” and that he was able to gain “full access to internal Toyota projects, documents, and user accounts, including user accounts of Toyota’s external partners/suppliers.”
The researcher found that the user service would generate a JSON Web Token (JWT) after being given nothing more than an email address, with no password. A JWT is a signed token that the application accepts as proof that its bearer has authenticated, so whoever can obtain one for an account holds that account's session. He logged in by guessing a Toyota employee’s corporate email address, then used that access to find employees with broader permissions. EatonWorks eventually gained full control over more than 14,000 user accounts, as well as access to thousands of confidential documents.
EatonWorks responsibly disclosed this issue to Toyota, and it was patched in November 2022. (He notes that he wasn’t offered a bug bounty for his efforts.) For more on the research, see CyberWire Pro.
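The class of bug EatonWorks describes, reconstructed as an added example that is not Toyota's code and not the GSPIMS API: a "user service" that mints a signed JWT for any email it is handed, with no proof that the caller controls that account, beside a hardened issuer that verifies a credential before any token exists. The HS256 key, the user table, the passwords behind the stored hashes and the function names are all assumed; the JWT encoding is the standard one, implemented by hand so the block has no dependencies.

```python
import base64
import hashlib
import hmac
import json

# Added example; not Toyota's code. Vulnerable issuer (token from email alone)
# beside a hardened issuer that checks a password hash first. Names are assumed.

SIGNING_KEY = b"assumed-server-side-hmac-key"
TOKEN_TTL = 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(claims).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_jwt(token: str, now: float, key: bytes = SIGNING_KEY) -> dict:
    """Verify signature and expiry; the algorithm is pinned, not read from the header."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:        # a token without exp is treated as expired
        raise ValueError("expired")
    return claims


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _user(email: str, role: str, password: str) -> dict:
    salt = hashlib.sha256(email.encode()).digest()[:16]   # demo-only deterministic salt
    return {"role": role, "salt": salt, "pw_hash": _hash_password(password, salt)}


# Constructed user table; the plaintext passwords exist only to seed the hashes.
USERS = {
    "admin@example.com": _user("admin@example.com", "admin", "admin-pass"),
    "supplier@partner.example": _user("supplier@partner.example", "supplier", "supplier-pass"),
}


def issue_token_vulnerable(email: str, now: float) -> str:
    """The flaw: a valid email is the only input, so guessing one yields a session."""
    user = USERS[email]
    return encode_jwt({"sub": email, "role": user["role"], "exp": now + TOKEN_TTL})


def issue_token(email: str, password: str, now: float) -> str:
    """Hardened: the caller must prove the credential before any token is minted."""
    user = USERS.get(email)
    salt = user["salt"] if user else b"\x00" * 16          # hash even for unknown users
    candidate = _hash_password(password, salt)
    if user is None or not hmac.compare_digest(candidate, user["pw_hash"]):
        raise PermissionError("invalid credentials")       # same error either way
    return encode_jwt({"sub": email, "role": user["role"], "exp": now + TOKEN_TTL})


def can_login(email: str, password: str, now: float) -> bool:
    """Yes/no wrapper around the hardened issuer."""
    try:
        issue_token(email, password, now)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    now = 1_700_000_000
    stolen = issue_token_vulnerable("admin@example.com", now)   # no password needed
    print("vulnerable issuer handed out:", decode_jwt(stolen, now))
    print("hardened issuer, wrong password:", can_login("admin@example.com", "guess", now))
    print("hardened issuer, right password:", can_login("admin@example.com", "admin-pass", now))
```

The signature on the vulnerable token is perfectly valid, which is the point: a JWT proves only that the issuer signed it, so the security of the system is exactly the security of whatever the issuer demanded before signing. The hardened path also hashes a dummy salt for unknown emails and returns one error message, so the endpoint cannot be used to enumerate valid corporate addresses, which is the first step the researcher describes.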
Researchers at Otorio have discovered thirty-eight vulnerabilities affecting industrial Internet-of-things (IIoT) devices from four separate vendors. Three of the vulnerabilities affect ETIC Telecom’s Remote Access Server (RAS), two affect Sierra Wireless AirLink routers, and five affect InHand Networks’ InRouter 302 and InRouter 615; the rest are still in the disclosure process. The researchers note that attackers can use publicly available resources such as WiGLE to locate the wireless networks these devices expose: “Our scanning uncovered thousands of wireless devices related to industrial and critical infrastructure, with hundreds configured with publicly known weak encryptions.” For more on Otorio's research, see CyberWire Pro.
Scammers have been observed participating in “romance fraud” campaigns as the Hallmark holiday of love nears. Scams have been seen targeting users of dating apps, utilizing pig butchering fraud techniques, and increasingly using “sextortion” scams, the Register wrote. The US Federal Trade Commission assesses the amount of sheer financial damage romance scams caused in 2022 at $1.3 billion, stolen from almost 70,000 individuals. And, of course, there’s no accounting for the toll they took in sadness, humiliation, shame, despair, and deeper loneliness. For more on romance scams, see CyberWire Pro.
Proofpoint reported Wednesday on the activities of a threat actor they’re tracking as TA866. They call the activity, first observed in October of last year, “Screentime,” and Proofpoint says it “starts with an email containing a malicious attachment or URL and leads to malware that Proofpoint dubbed WasabiSeed and Screenshotter. In some cases, Proofpoint observed post-exploitation activity involving AHK Bot and Rhadamanthys Stealer.” Proofpoint designates TA866 as an “organized actor” able to perform efficient and effective tasks given the resources at the group’s disposal.
Threat actor movements observed and reported over the week.
Charlie Hebdo, the French satirical magazine, was hit with a cyberattack in which customer data were stolen and leaked, Reuters reported Friday. Microsoft’s Digital Threat Analysis Center (DTAC) attributes the attack to the Iran-affiliated actor Redmond tracks as NEPTUNIUM, also known as “Emennet Pasargad” (the name under which it appears in the US State Department’s Rewards for Justice program) or “Holy Souls.” Security Affairs wrote that the group claimed in early January to have stolen the personal data of over 200,000 Charlie Hebdo customers, sharing a data sample that included the full names, telephone numbers, and home and email addresses of people who’d either subscribed to or purchased something from the magazine. Microsoft says that the data were offered for sale at the price of 20 BTC, or approximately $340,000 at Friday’s exchange rates. For more on the Charlie Hebdo incident, see CyberWire Pro.
TechCrunch reports that the threat actor known as “Roasted 0ktapus” is now targeting the technology and video game sectors. This threat actor compromised more than 130 organizations last year using simple phishing kits. According to a report obtained by TechCrunch, Roasted 0ktapus is launching phishing attacks against video game companies, as well as business process outsourcing companies and cellular providers. Some of the targeted companies include Roblox, Zynga, Mailchimp, Intuit, Salesforce, Comcast, and Grubhub.
SentinelOne reports that the operators of the Cl0p ransomware have expanded the scope of their operation to include Linux systems. The ELF (Executable and Linkable Format) variant is out and active in the wild. There's good news as well, however: "The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom." And bravo, SentinelOne, which has made a free decryptor available.
BlackBerry blogged about a new threat actor they’ve called “NewsPenguin,” seen targeting Pakistani organizations. Using the upcoming Pakistani Navy’s International Maritime Expo & Conference as a phishing lure, the actor attaches a malicious document utilizing “a remote template injection technique and embedded malicious Visual Basic for Applications (VBA) macro code to deliver the next stage of the attack, which leads to the final payload execution,” say the researchers. The eventual payload contains an XOR-encrypted “penguin” encryption key, as well as the content-disposition response header name parameter set to “getlatestnews” during the HTTP response, both of which contributed to the name given to the actor by the researchers. “NewsPenguin is a previously unknown threat actor relying on unseen tooling to target Pakistani users and potential visitors of the Pakistani International Maritime Expo & Conference,” BlackBerry says. There’s no attribution so far, but BlackBerry thinks that NewsPenguin’s motivation is espionage, and not profit.
DPRK state-affiliated actors have been observed targeting the healthcare and critical infrastructure sectors with Maui and H0lyGh0st ransomware, extorting money to fund North Korea’s “national priorities,” including cyberespionage, SC Magazine wrote. The US Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, National Security Agency, Department of Health and Human Services, the Republic of Korea (ROK) National Intelligence Service, and the ROK Defense Security Agency released a joint advisory describing the tactics, techniques, and procedures (TTPs) of DPRK threat actors using ransomware against both nations’ healthcare and critical infrastructure industries, and suggesting mitigations for organizations at risk. NSA wrote that once the actors have sufficiently obscured their identity and location, they exploit known common vulnerabilities and exposures (CVEs) to take over a victim network and deploy ransomware. The vulnerabilities most exploited by these actors are the “Apache Log4j software library (also known as "Log4Shell") and remote code execution in various SonicWall appliances.” For more on Pyongyang's policy of ransomware, see CyberWire Pro.
Updates on cyber activity in the hybrid war against Ukraine.
MedCity News last week put the total number of US healthcare facilities affected by KillNet distributed denial-of-service (DDoS) attacks at "at least" seventeen. While much of the activity has remained at a nuisance level, that hasn't been the case with all of it. Tallahassee Memorial HealthCare (TMH), in the US state of Florida, took its IT systems offline Friday and diverted most emergency patients to other hospitals, announcing that for the time being it would "only accept Level 1 traumas from its immediate service area." The hospital's incident update reads, “We are safely caring for all patients currently in our hospital, and we are not moving patients to other facilities. However, we have rescheduled non-emergency patient appointments. Patients will be contacted directly by their provider and/or care facility if their appointment is affected. We are also diverting some EMS patients and will only be accepting Level 1 traumas from our immediate service area. All non-emergency surgical and outpatient procedures have been canceled and rescheduled.”
The attribution to Russian auxiliaries is still, as the Record observes, circumstantial, but it seems nonetheless fairly clear: "The attack on Tallahassee Memorial HealthCare comes just one day after a group of pro-Russian hackers announced distributed denial-of-service (DDoS) attacks on hospitals in at least 25 U.S. states, knocking several offline for hours." The Russian cyber auxiliaries appear to have ready access to commodity criminal DDoS tools, notably the Passion botnet described last week by Radware: "Passion group, affiliated with Killnet and Anonymous Russia, recently began offering DDoS-as-a-Service to pro-Russian hacktivists. The Passion Botnet was leveraged during the attacks on January 27th, targeting medical institutions in the USA, Portugal, Spain, Germany, Poland, Finland, Norway, Netherlands, and the United Kingdom as retaliation for sending tanks in support of Ukraine."
Electronic billboards in Moscow over the weekend displayed large, prominent ads for BlackSprut, a prominent dark web contraband market mostly involved in illicit drug sales. The Record reports that the ads featured a woman in what the Record calls "a futuristic mask" (but which looks more like kinky erotic gear) and the slogan, “Come to me if you’re looking for the best.” It's unclear why the ads appeared, but the competing theories are:
- It was an oversight: someone slipped up.
- The billboards were hacked.
- The ads were permitted.
The third seems likeliest. BlackSprut is a successor to the now-defunct Hydra illicit market, and it handles a lot of trade, perhaps as much as 28% of the darknet market share globally. Mega and OMG are also-rans at, respectively, 22% and 17%. BlackSprut may be too big to interfere with, and this may simply represent an evolution in the longstanding coziness between the Russian security organs and the country's online gangs.
Researchers at Symantec, a Broadcom company, have discovered a new Russian infostealer deployed against Ukrainian targets. "The Nodaria espionage group (aka UAC-0056) is using a new piece of information stealing malware against targets in Ukraine," their report says. The malware is written in Go and is intended for information harvesting. In addition to being called UAC-0056, Nodaria has also been known as SaintBear, UNC2589, and TA471.
Symantec doesn't link Nodaria with any specific Russian intelligence or security service, but they do say it's been active at least since March of 2021. Nodaria has specialized in collecting against Ukrainian organizations, with some possible work against Georgia and Kyrgyzstan.
CERT-UA has issued a warning that Russian cyberespionage operators are using legitimate remote management tool Remcos to establish a remote surveillance presence in target systems. It's a phishing expedition casting a broad net, with "mass distribution of e-mails,” including an alleged “court claim” against the user with a RAR attachment. CERT-UA attributes the activity to a threat actor tracked as UAC-0050.
Ukraine's State Service of Special Communications and Information Protection (SSSCIP), through its State Cyber Protection Centre, reports that a Russian cyberespionage campaign tracked as UAC-0114, or Winter Vivern, is phishing for targets in the Ukrainian and Polish governments, specifically the Ministry of Foreign Affairs in Ukraine and the Central Cybercrime Bureau of Poland. The campaign relies on phishing emails and on malware that executes PowerShell scripts on the victim's machine.
SpaceX restored connectivity to Ukraine's disrupted networks in the war's earliest days, but the company is now restricting some of its services to its Ukrainian customers, saying that military uses are outside the scope of what it agreed to. CNN reports that SpaceX president Gwynne Shotwell said Ukraine had used the technology in ways SpaceX never intended. Any loss of Starlink support may be offset by direct targeting information from the US military: the Washington Post, citing a senior US official who spoke on condition of anonymity, reports that US forces provide targeting assistance for HIMARS and other US-supplied weapons.
The CyberWire's continuing coverage of Russia's war against Ukraine may be found here.
Patch news.
CISA, the US Cybersecurity and Infrastructure Security Agency, has released an industrial control system (ICS) advisory for EnOcean SmartServer. Additionally, on Thursday, CISA released six more ICS advisories, for Control By Web X-400, X-600M, LS Electric XBC-DN32U, Johnson Controls System Configuration Tool (CST), Horner Automation Cscape Envision RV, Omron SYSMAC CS-CJ-CP Series and NJ-NX Series (Update A), and ARC Informatique PcVue (Update A).
Crime and punishment.
A 25-year-old Finnish man, Julius “Zeekill” Kivimäki, has been arrested in France in connection with the extortion of a psychotherapy practice and the leaking of patient notes, Naked Security reports. Kivimäki is accused of stealing the personal data of patients of the Psychotherapy Centre Vastaamo. The practice's chief executive reportedly tried to hide and contain the intrusion until a ransom demand of €450,000 reached the company. The company refused to pay, and the demands then shifted to the patients themselves. Kivimäki remains in custody in France pending extradition to Finland.
Courts and torts.
The attorney general's office for the US state of New York has fined a developer $410,000 for distributing stalkerware. BleepingComputer reports that the Florida-based developer, Patrick Hinchy, runs sixteen companies that operate apps including Auto Forward, Easy Spy, PhoneSpector, and TurboSpy, which copy information from a target’s device: call logs, text messages, images and videos, location data, and messaging-app records. As the Record by Recorded Future explains, some of the apps even allow customers to turn on the device’s cameras and microphone, or to pull data from the target’s iCloud account. The attorney general also alleges that deceptive marketing misled customers into thinking they were not violating the law, and that Hinchy’s companies posted fake glowing reviews of the benefits of using the spyware. New York Attorney General Letitia James stated, “Snooping on a partner and tracking their cell phone without their knowledge isn’t just a sign of an unhealthy relationship, it is against the law…Today’s agreement will block these companies from allowing New Yorkers to be monitored without their awareness, and will continue our ongoing fight to protect New Yorkers’ rights, safety, and privacy.” In addition to paying the fine, Hinchy has agreed to change his business practices.
Policies, procurements, and agency equities.
The US National Science Foundation (NSF) and the Networking and Information Technology Research and Development National Coordination Office (NITRD NCO) have published a request for information from the public on the 2023 Federal Cybersecurity Research and Development Strategic Plan. As Nextgov.com explains, the document is the federal government's guide for cybersecurity research and development, and officials are currently seeking input on an update, which is required every four years under the Cybersecurity Enhancement Act of 2014. The NSF and NITRD NCO have asked commenters to address a variety of questions, including which research topics from the 2019 update should be carried into the next version and what new innovations could improve the security of the digital ecosystem. The deadline for responses is March 3.
Chris Inglis, the US National Cyber Director, is set to retire in under a week, on February 15. Kemba Eneas Walden, who joined the Office of the National Cyber Director last spring, will serve as acting director until Inglis’s successor is chosen. Inglis’s departure comes just as his team is set to release a much-anticipated national cybersecurity strategy that will outline a tougher federal approach to digital defense. Lawmakers urged Inglis to stay on until the strategy is released, and while it’s expected to come out soon, a release date has not yet been announced. Inglis told CNN he is confident that the Office of the National Cyber Director “is viable and valuable – in its capabilities, its people, and its influence on issues that matter: protecting our Nation’s critical infrastructure, strengthening and safeguarding our technology supply chain, expanding pathways to good-paying cyber jobs, and so many more.”
We also noted earlier this week that Pakistani officials last Wednesday decided to block the free online encyclopedia Wikipedia in the country because of content the government deemed “sacrilegious.” TechCrunch reports that Prime Minister Shehbaz Sharif has now issued an order to unblock the site, calling the censorship “not a suitable measure to restrict access to some objectionable contents/sacrilegious matter on it…The unintended consequences of this blanket ban, therefore, outweigh its benefits.” The reversal comes after public backlash that drew the attention of the global media. Sharif also established a cabinet committee composed of the ministers for IT and Telecom, Law and Justice, Information and Broadcasting, and Commerce and Communications that will explore alternative technical measures for removing or blocking access to objectionable content.
Business news.
In updates on cyber and tech business news in the past week, we've seen announcements of a few acquisitions and investments. App development and infrastructure software company Progress has acquired California-based data management company MarkLogic. New Hampshire-based cybersecurity, cloud, and managed services provider GreenPages Technology Solutions has announced their acquisition of Massachusetts-based cybersecurity consulting firm Arcas Risk Management. Industrial control system cybersecurity company Opscura has raised $9.4M in Series A funding, led by Anzu Partners, with participation from Dreamit and Mundi Ventures. Californian software supply chain security management company Lineaje has announced the closure of a $7 million seed funding round, led by Tenable Ventures. Virginia-based cyber defense organization IronNet has also announced the execution of a federal contract serving the U.S. Navy’s Naval Sea Systems Command (NAVSEA). IronNet will provide cybersecurity services in the form of their Collective Defense Platform for NAVSEA.
This week's cyber and tech workforce continues to feel the effects of the economic downturn. Splunk announced plans to cut 325 positions, around 4% of its workforce, the Wall Street Journal writes; the company also intends to cut back on its use of outsourced agencies and consultants. Crypto company Chainalysis says it has laid off less than 5% of its staff, leaving the company with about 900 employees, Bloomberg reports. Dell intends to cut 6,500 staff, the Wall Street Journal recounts. Okta plans to cut around 5% of its staff and cites overhiring based on prior projections, Cybersecurity Dive explains. The National Security Agency, however, hopes to position itself as an attractive employer for the affected tech workers, one of many federal agencies hoping to benefit from the private sector's losses, says Nextgov. For a more comprehensive view of this week's business news, check out this week's CyberWire Pro Business Briefing.
Research developments.
In this week's research news, Trend Micro says the Iranian threat actor APT34 (also known as "OilRig" or "Helix Kitten") is using a new strain of malware to target government entities in the Middle East. Aqua Security describes a new strain of malware targeting Redis servers. The malware, dubbed "HeadCrab," has compromised at least 1,200 servers so far. While HeadCrab can gain full control over a server, its operator has apparently so far only used it for cryptomining with XMRig. For a deeper excursion into this week's cybersecurity research developments, see this week's edition of the CyberWire's Pro Research Briefing.