
New report scrutinizes ransomware, human failings in cyber, log4j and more

May 30, 2023

Welcome to The Cybersecurity 202! I’m often recommending TV shows and movies here, but I’d like to recommend the book "Recursion," by Blake Crouch. It would be irresponsible to tell you the plot, but it's equal parts science fiction and thriller. If that description works for you, then you should give it a try.


Below: A deepfake of President Vladimir Putin aired in Russia, and Twitter failed to prevent the appearance of dozens of child sexual abuse images on its platform. First:

When a vulnerability in the ubiquitous open-source tool log4j was discovered in late 2021, it stirred a tornado of dire warnings from government and industry.

Data out today sheds additional light on the scope of the activity from attackers eager to exploit the bug — and from network defenders sprinting to fix it on their systems.

That's one of the chief insights from the annual Verizon Data Breach Investigations Report, regularly one of the most comprehensive rundowns of breaches and other incidents over a one-year period.

Let's talk about the report's insights on log4j and other topics — including ransomware, costly business email compromise attacks and the ongoing tendency that humans have for being their own worst enemy on cybersecurity.

After the vulnerability in log4j known as Log4Shell became public, everyone seemed to spring into action. Cybersecurity and Infrastructure Security Agency officials warned that it could affect hundreds of millions of devices, given the tool's popularity as a logging library tool to record activity within systems. Department of Homeland Security Undersecretary of Policy Robert Silvers later said it was one of history's worst vulnerabilities.

Malicious hackers quickly sought to exploit Log4Shell, Verizon found. Of those attempted exploitations, one-third of the attempts over the report's time frame happened in the first 30 days, peaking at 17 days.

"As soon as the vulnerability was out, everybody was rushing to exploit," Alex Pinto, a lead author of the report, told me. "But the interesting thing is that everybody was rushing to patch, too."

On the balance:

Nearly three quarters of breaches involve a human doing something wrong, whether falling for a phishing email, making an error or, less a mistake and more an insider threat, misusing their access to computer systems, according to Verizon.

That's actually a little better than last year, but it's a number that fluctuates between 74 percent and 80 percent annually, Pinto said, so the trend tends to be consistent. On the other hand, 83 percent of breaches involved external forces, Verizon found.

One of the associated factors is business email compromise attacks, a kind of scam in which criminals try to trick someone at a business into transferring money to them, perhaps by posing as someone else.

Those are some of the most costly kinds of scams. According to Verizon's study of incidents reported to the FBI, the median loss in recent years from business email compromise is $50,000.

While phishing is still a very popular attack method, pretexting — when someone uses a fake story or pretext to trick a victim into doing something — is more popular, the report states. Pretexting now accounts for 50 percent of social engineering attacks that rely on manipulating a victim, compared with 44 percent for phishing.

"It is too simple of an attack to do," Pinto said of pretexting. "It can be done at scale and sometimes with even less technical expertise than phishing."

Ransomware incidents held steady at 24 percent of breaches, Verizon found. It was, however, everywhere: 91 percent of industries had ransomware as one of the top issues they dealt with over the 12-month period.

That reverses a long trend of a rapid rise, Pinto said. "It kind of stabilized," he said. "We might have reached some sort of saturation point."

It's a conclusion that mirrors some other organizations’ findings about last year. But opinions vary about the cause of the plateau, and experts expect the ransomware threat to get worse this year.

Over the last two years, the median cost of ransomware has risen, from $13,000 to $26,000, Verizon found.

A deepfake video of Russian President Vladimir Putin declaring martial law and ordering a general mobilization aired on Russian TV and radio on Monday, Jenna Moon reports for Semafor.

"The broadcast, which also claimed there was an ongoing Ukrainian incursion into Russia, was aired in Belgorod, Voronezh, and Rostov, cities in close proximity to Ukraine's border," Moon writes.

The deepfake has not yet been attributed to any group.

Deepfakes have become an emerging matter that regulators may have to address in the context of political advertisements and political campaigns, our Technology 202 newsletter previously reported. A deepfake of Indian Bharatiya Janata Party official Manoj Tiwari criticizing incumbent Arvind Kejriwal during India's legislative assembly elections in 2020 went viral on WhatsApp and marked the debut of deepfakes in election campaigns in India.

The BBC, U.K. health and beauty company Boots, and Aer Lingus are among a growing list of companies affected by the MOVEit hack disclosed last week, Joe Tidy reports for the BBC.

U.S. company Progress Software last week said hackers broke into its MOVEit Transfer tool that allows for the secure transfer of files. The tool is popular around the world, the report says.

Microsoft this week linked the attack to the Russia-linked Cl0p ransomware group.

Twitter in recent months failed to prevent dozens of child sexual abuse images from being shared on the site, Alexa Corse reports for the Wall Street Journal.

Researchers from the Stanford Internet Observatory told Twitter of the matter and resolved it sometime in May, according to the Journal.

Researchers from March 12 to May 20 detected more than 40 images previously flagged as potential child sexual abuse material (CSAM) from a sample of around 100,000 tweets.

Efforts to weed out CSAM on platforms have faced headwinds, as cybersecurity advocates fear that legislation aimed at curbing such material could prompt tech companies to stop offering end-to-end encryption for users.

Officials stress interagency cooperation as key to cybersecurity improvements (Inside Cybersecurity)

Augusta not in contact with ransomware group behind attack, mayor says (The Record)

Cybercriminals target C-suite, family members with sophisticated attacks (Cybersecurity Dive)

Emerging tech, misinformation dominate May transatlantic council talks (Nextgov)

Former ByteDance executive claims Chinese Communist Party accessed TikTok's Hong Kong user data (Wall Street Journal)

First in space: SpaceX and NASA launch satellite that hackers will attempt to infiltrate during DEF CON (CyberScoop)

War crimes committed through cyberspace must not escape international justice, says Estonian president (The Record)


Thanks for reading. See you tomorrow.