Below: A deepfake of President Vladimir Putin aired in Russia, and Twitter failed to prevent the appearance of dozens of child sexual abuse images on its platform. First:
A smorgasbord of data in Verizon’s annual breach report
When a vulnerability in the ubiquitous open-source tool log4j was discovered in late 2021, it stirred a tornado of dire warnings from government and industry.
Data out today sheds additional light on the scope of the activity from attackers eager to exploit the bug — and from network defenders sprinting to fix it on their systems.
That’s one of the chief insights from the annual Verizon Data Breach Investigations Report, regularly one of the most comprehensive rundowns of breaches and other incidents over a one-year period.
- Verizon’s report analyzed 16,312 security incidents (defined as a compromise of a system) and 5,199 breaches (defined as an incident that leads to the confirmed unauthorized disclosure of data to an outside party) between Nov. 1, 2021, and Oct. 31, 2022.
Let’s talk about the report’s insights on log4j and other topics — including ransomware, costly business email compromise attacks and the ongoing tendency that humans have for being their own worst enemy on cybersecurity.
After the vulnerability in log4j known as Log4Shell became public, everyone seemed to spring into action. Cybersecurity and Infrastructure Security Agency officials warned that it could affect hundreds of millions of devices, given the tool’s popularity as a logging library used to record activity within systems. Department of Homeland Security Undersecretary of Policy Robert Silvers later said it was one of history’s worst vulnerabilities.
Malicious hackers quickly sought to exploit Log4Shell, Verizon found. One-third of the exploitation attempts recorded over the report’s time frame happened in the first 30 days, with activity peaking at 17 days.
“As soon as the vulnerability was out, everybody was rushing to exploit,” Alex Pinto, a lead author of the report, told me. “But the interesting thing is that everybody was rushing to patch, too.”
- Everyone was “expecting a larger impact on breaches being initiated by the exploitation of vulnerabilities,” Pinto said, “but that didn’t happen. We prevented something potentially much worse from happening if that response hadn’t happened.”
- “It did happen, and as far as everybody is concerned, it happened a lot,” Pinto said. But, “the scale of this was potentially muted because of the coordinated response. It still got a lot of play, absolutely.”
The human element and business email compromise
Nearly three-quarters of breaches involve a human doing something wrong, whether falling for a phishing email, making an error or, less a mistake than an insider threat, misusing their access to computer systems, according to Verizon.
That’s actually a little better than last year, but the figure fluctuates between 74 percent and 80 percent annually, Pinto said, so the trend tends to be consistent. On the other hand, 83 percent of breaches involved external actors, Verizon found.
One of the associated factors is business email compromise, a kind of scam in which criminals try to trick someone at a business into transferring money to them, perhaps by posing as someone else.
Those are among the most costly kinds of scams. According to Verizon’s study of incidents reported to the FBI, the median loss in recent years from business email compromise is $50,000.
While phishing is still a very popular attack method, pretexting — when someone uses a fake story or pretext to trick a victim into doing something — is more popular, the report states. Pretexting now accounts for 50 percent of social engineering attacks that rely on manipulating a victim, compared with 44 percent for phishing.
“It is too simple of an attack to do,” Pinto said of pretexting. “It can be done at scale and sometimes with even less technical expertise than phishing.”
Ransomware incidents held steady at 24 percent of breaches, Verizon found. It was, however, everywhere: 91 percent of industries had ransomware as one of the top issues they dealt with over the 12-month period.
That reverses a long trend of a rapid rise, Pinto said. “It kind of stabilized,” he said. “We might have reached some sort of saturation point.”
It’s a conclusion that mirrors some other organizations’ findings about last year. But opinions vary about the cause of the plateau, and experts expect the ransomware threat to get worse this year.
Over the last two years, the median cost of ransomware has risen, from $13,000 to $26,000, Verizon found.
Putin deepfake declaring martial law aired in Russia
A deepfake video of Russian President Vladimir Putin declaring martial law and ordering a general mobilization aired on Russian TV and radio stations on Monday, Jenna Moon reports for Semafor.
“The broadcast, which also claimed there was an ongoing Ukrainian incursion into Russia, was aired in Belgorod, Voronezh, and Rostov, cities in close proximity to Ukraine’s border,” Moon writes.
- “Kremlin spokesperson Dmitry Peskov confirmed to state-affiliated news agency TASS that the deep fake video had aired, adding there was no state media address made by Putin on Monday,” Semafor adds.
The deepfake has not yet been attributed to any group.
Deepfakes have become an emerging issue that regulators may have to address in the context of political advertisements and political campaigns, our Technology 202 newsletter previously reported. A deepfake of Indian Bharatiya Janata Party official Manoj Tiwari criticizing incumbent Arvind Kejriwal during India’s legislative assembly elections in 2020 went viral on WhatsApp and marked the debut of deepfakes in election campaigns in India.
Number of companies that were victims of last week’s MOVEit hack grows
The BBC, U.K. health and beauty company Boots, and Aer Lingus are among a growing list of companies affected by the MOVEit hack disclosed last week, Joe Tidy reports for the BBC.
- “Staff have been warned personal data including national insurance numbers and in some cases bank details may have been stolen,” Tidy writes.
- Other affected companies include British Airways and U.K.-based payroll service company Zellis.
U.S. company Progress Software last week said hackers broke into its MOVEit Transfer tool, which is used to transfer files securely. The tool is popular around the world, the report says.
- The U.S. Cybersecurity and Infrastructure Security Agency last week issued a warning about using MOVEit.
- Separately: “The UK’s National Cyber Security Centre said it was monitoring the situation and urged organisations using the compromised software to carry out security updates,” the BBC report said.
Microsoft this week linked the attack to the Russia-linked Cl0p ransomware group.
- “Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer zero-day vulnerability to Lace Tempest, known for ransomware operations and running the Clop extortion site,” the company’s Threat Intelligence team tweeted Sunday.
Twitter missed dozens of child sexual abuse images, report finds
Twitter in recent months failed to prevent dozens of child sexual abuse images from being shared on the site, Alexa Corse reports for the Wall Street Journal.
Researchers from the Stanford Internet Observatory told Twitter about the matter, which was resolved sometime in May, according to the Journal.
- “The researchers said Twitter told them last week it had improved some aspects of its detection system, and asked the researchers to alert the company if they ever notice a spike in such cases in the future,” Corse writes.
Between March 12 and May 20, the researchers detected more than 40 images previously flagged as potential child sexual abuse material (CSAM) in a sample of around 100,000 tweets.
- “After acquiring Twitter in late October, Elon Musk placed an emphasis on the issue, vowing in tweets that removing such material from Twitter is ‘priority #1’ and ‘will forever be our top priority,’” the Journal writes. Musk did not return the outlet’s request for comment.
- Twitter said it suspended more than 400,000 accounts that created or engaged with CSAM in January. “Not only are we detecting more bad actors faster, we’re building new defenses that proactively reduce the discoverability of tweets that contain this type of content,” the company said in February.
- But trouble has brewed for researchers wanting to access the inner workings of the platform, as Twitter under Musk has begun charging hefty amounts for access to its API.
Efforts to weed out CSAM on platforms have faced headwinds, as cybersecurity advocates fear that legislation aimed at curbing such material could prompt tech companies to stop offering end-to-end encryption for users.
Officials stress interagency cooperation as key to cybersecurity improvements (Inside Cybersecurity)
Augusta not in contact with ransomware group behind attack, mayor says (The Record)
Cybercriminals target C-suite, family members with sophisticated attacks (Cybersecurity Dive)
Emerging tech, misinformation dominate May transatlantic council talks (Nextgov)
Former ByteDance executive claims Chinese Communist Party accessed TikTok’s Hong Kong user data (Wall Street Journal)
First in space: SpaceX and NASA launch satellite that hackers will attempt to infiltrate during DEF CON (CyberScoop)
War crimes committed through cyberspace must not escape international justice, says Estonian president (The Record)
- George Washington University holds a discussion on election security at 1 p.m.
- The Cato Institute holds an event on surveillance reform prospects at 1 p.m.
- The Information Technology and Innovation Foundation and the R Street Institute hold a joint discussion on the prospects for a U.S. AI regulator at 1 p.m.
Thanks for reading. See you tomorrow.