The NVD backlog is unlikely to be addressed by September. An ESXi flaw used in a wave of ransomware. A crypto exchange wants to socialize hack losses amongst its users. And the CrowdStrike lawsuits are coming. This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 31st of July, and this podcast episode is brought to you by no-code automation platform Tines.
In today's top story, NIST has failed to make any significant progress in processing new entries in the U.S. National Vulnerability Database.
According to research by Fortress and VulnCheck, almost 17,000 vulnerabilities are still awaiting processing. NIST announced at the end of May that it had hired a contractor to help address the NVD backlog by September this year. With one month left, the agency is unlikely to address the backlog by then. The number of unprocessed vulnerabilities is expected to reach 30,000 by the end of the year.
In other news, Indian cryptocurrency exchange WazirX says it plans to socialise the losses from a recent mega-hack. The company intends to spread a $230 million loss across all customer accounts in a move that's been intensely criticised by its users.
WazirX was hacked two weeks ago and has yet to resume operations. The company refused to answer questions on why it was not tapping its own profit reserves to make customers whole or at least lessen their losses.
Security firm Zscaler says that an unnamed company appears to have paid a $75 million ransom demand to the Dark Angels ransomware group. The payment took place in early 2024 and is now the highest ever recorded ransomware payment.
Zscaler says the Dark Angels group is different from other ransomware gangs because it attacks a single large company at a time. The group typically rents its ransomware from larger platforms and is behind a data leak site known as Dunghill.
The South Korean government is investigating a leak of sensitive data that exposed the identities of undercover agents operating abroad. The leak took place at the Korean Defense Intelligence Command, the country's military intelligence agency. Reports in local media claim the leak contained information on agents and operations related to North Korea. Officials say they have identified the source of the leak as the laptop of one of the agency's employees. It's unclear if the device was hacked or if the employee was the one who intentionally shared the data.
A pro-Ukrainian hacker group named the Cyber Anarchy Squad has hacked Russian security firm Avanpost. The group claims it breached the company over the weekend and encrypted more than 400 virtual machines hosting employee workstations. The hackers claim to have destroyed more than 60 terabytes of data and also leaked 390 gigabytes following the attack. Avanpost confirmed the incident on Sunday.
A pro-Palestinian hacktivist group named Handala Hack is using the recent CrowdStrike outage to lure Israeli companies into running a data wiper on their systems. Handala claimed on X to have successfully wiped terabytes of data at several dozens of Israeli organizations. The group emerged in December last year when it was using a fake F5 security update to trick Israeli organizations into running the same wiper.
Delta Air Lines has hired a prominent law firm to seek financial damages from CrowdStrike and Microsoft in the aftermath of the widespread outages earlier this month. The outage was caused by a buggy update to a CrowdStrike kernel driver that caused Windows systems to crash.
Delta estimated it lost between $350 million and $500 million when flights were grounded all over the world. Insurer Parametrix estimates the financial losses from the CrowdStrike outage could reach around $15 billion globally.
DigiCert is revoking certificates for roughly 0.4% of its customer base after it learned of an issue in its domain control verification procedures.
Only certificates verified through CNAME DNS entries are affected. The procedure relies on customers proving ownership of their domain by adding a new CNAME record. This record is supposed to be prefixed with an underscore character. The company says it found a bug where the verification record did not include the mandatory underscore character, which breaks industry rules. DigiCert is now revoking all certificates verified through the faulty procedure.
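The underscore rule is what DigiCert's bug violated, so an audit that re-checks each CNAME-validated certificate against it is the natural first step. The following is an added example, not DigiCert's code; it assumes the CA kept, per certificate, the validation method and the owner name of the CNAME record the customer created, and that the record is always placed under a prefix label rather than at the validated domain itself. The underscore matters because it is not a valid hostname character, so the validation label cannot collide with a real host.

```python
"""Audit CNAME-based domain control validation (DCV) records for the
required leading underscore. Constructed example; serials, domains and
record names below are placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DcvRecord:
    cert_serial: str   # placeholder certificate serial
    domain: str        # domain the certificate was validated for
    cname_name: str    # owner name of the CNAME record the customer added
    method: str        # "cname", "http", "email", ...


def cname_dcv_compliant(domain: str, cname_name: str) -> bool:
    """True when the CNAME owner name sits under `domain` and the label
    prefixed to the domain (the leftmost one) starts with an underscore."""
    name = cname_name.rstrip(".").lower()
    base = domain.rstrip(".").lower()
    if not name.endswith("." + base):
        return False  # record is not under the domain being validated
    prefix_labels = name[: -len(base) - 1].split(".")
    label = prefix_labels[0]
    # The underscore must be followed by the actual random value.
    return label.startswith("_") and len(label) > 1


def certs_to_revoke(records):
    """Serials of certificates validated via CNAME DCV with a record that
    lacks the mandatory underscore (or sits in the wrong zone)."""
    return sorted(
        r.cert_serial
        for r in records
        if r.method == "cname" and not cname_dcv_compliant(r.domain, r.cname_name)
    )


# Constructed sample data.
SAMPLE = [
    DcvRecord("0001", "example.com", "_abc123.example.com", "cname"),     # compliant
    DcvRecord("0002", "example.net", "abc123.example.net", "cname"),      # no underscore: revoke
    DcvRecord("0003", "example.org", "_abc123.www.example.org", "cname"), # compliant
    DcvRecord("0004", "example.org", "www._abc123.example.org", "cname"), # prefix label lacks underscore: revoke
    DcvRecord("0005", "example.com", "abc123.example.com", "http"),       # not CNAME DCV: unaffected
    DcvRecord("0006", "example.com", "_abc123.attacker.test", "cname"),   # wrong zone: revoke
]

if __name__ == "__main__":
    print(certs_to_revoke(SAMPLE))  # ['0002', '0004', '0006']
```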
Microsoft has launched an inexpensive Azure logging plan designed for companies with lower budgets that need to comply with security and risk management requirements. The new plan is called Auxiliary Logs and is currently in public preview. It will be the lowest tier in Azure Monitor Logs, below Basic Logs and Analytics Logs.
The Russian government is working on giving its communications watchdog the legal power to take over and manage network traffic on behalf of local ISPs. Russian prosecutors will be able to flag prohibited information and order Roskomnadzor to remove it right away, instead of having Roskomnadzor relay the orders to ISPs and wait for them to implement the ban. The new law effectively cuts ISPs out of the process, so
Several Russian telecommunication providers have quietly opposed the country's fall into a complete dictatorship by delaying or misimplementing internet censorship orders.
The Russian government passed new legislation that limits citizens from owning more than 20 phone numbers or SIM cards. The limit will be 10 phone numbers for foreign citizens. The new law also introduces new rules for the sale of SIM cards designed to prevent anonymous ownership. Foreigners who want to buy a SIM card are now required to visit a telecom operator's store to have their biometrics collected.
Malaysia has passed new legislation that will require all social media sites with over 8 million registered users to obtain a licence from the government. Officials say the licensing process will require companies to commit to fighting internet crime such as scams, online fraud, cyberbullying and child sex abuse. The new law will enter into effect at the start of next year. In addition, the Malaysian government is also working on a law that will create an internet kill switch system designed to shut down the internet across the country. The new law will be tabled for discussions in the parliament in October.
The Australian government is working on a law that would require companies to disclose when they pay a ransom to hackers. Companies that fail to disclose a payment will face possible fines. The purpose of the new Australian Cyber Security Act is to help the government map the scale of ransom payments. According to the ABC, the Australian government appears to have given up on the idea of a ransomware payment ban.
UK authorities have sentenced a 24-year-old man to three and a half years in prison for computer crime offences. Elliot Gunton pleaded guilty to phishing over 500 Coinbase users and stealing more than $900,000 from their accounts. The offences took place back in 2018 and 2019 when Gunton was aged 17 and 18. Gunton was previously sentenced to 20 months and released on time served for hacking British ISP TalkTalk in April 2018.
A threat actor has abused a now-fixed Proofpoint vulnerability to send millions of spoofed emails mimicking some of the world's top brands. Named Echo Spoofing, the campaign lasted between January and June this year. The attacker exploited Proofpoint infrastructure to send emails with proper SPF and DKIM signatures that appeared to come from Proofpoint's customers. The campaign peaked at 14 million spoofed emails per day in early June before Proofpoint fixed the issue.
And finally, several threat actors have abused a VMware ESXi zero-day to deploy ransomware in corporate environments. Microsoft's security team discovered the attacks and worked with VMware to have the issue patched at the end of June. The zero-day was in how ESXi integrated with Active Directory. It allowed threat actors to bypass authentication on domain-joined ESXi servers. Microsoft says at least four threat actors have exploited the zero-day to deploy ransomware such as Akira and Black Basta.
And that is all for this podcast edition. Today's show was brought to you by our sponsor, Tines. Find them at tines.com. Thanks for your company.