In brief Late last week, President Biden said he brought up the epidemic of ransomware hitting American businesses in a phone call with his Russian counterpart, and hinted the United States may start hitting back.
Biden said he and Vladimir Putin not only discussed the matter, their two countries will apparently try to coordinate some action to tackle the waves of extortionware infections, which seem to be mainly orchestrated by miscreants in Russia and typically avoid compromising computers configured to use the Russian language.
IT management software made by Kaseya was recently exploited to install REvil ransomware in as many as 1,500 businesses. The crew behind that software nasty is said to steer clear of Russian organizations.
When asked by reporters if it made sense for Uncle Sam to fire back at the systems used in these attacks, Biden responded with a simple "Yes." And when asked what will happen if Putin doesn't do anything about the cyberattacks, the President replied: "Well, we set up a committee — joint committee. They’re meeting on, I think, the 16th. And I believe we’re going to get some cooperation."
It wouldn't be the first time Uncle Sam has publicly gone on the offensive in this way. In 2019 US Cyber Command said it had disrupted internet connectivity for the notorious Internet Research Agency, a Russian misinformation group, to thwart any interference in America's elections.
Biden was on Putin's case about the ransomware scourge just the other month, too, and said critical infrastructure should be off limits to cyber-attacks.
FBI seeks data center contractors
Earlier this month, the FBI put out a call for contractors to run both its classified and non-classified data centers.
The gig covers facilities in Pocatello, Idaho; Clarksburg, West Virginia; Huntsville, Alabama; Vienna, Virginia; and Washington DC. The FBI's Data Center Hardware and Operating Systems Section (DCHOSS) is also looking to hire on-site IT managers to keep things running smoothly and securely. The contract has two key demands: suppliers must be able to run the agency's disparate collection of servers with at least 99 per cent uptime, and must be able to carry out a technical refresh of that hardware.
Microsoft bug bounty pays out millions
Microsoft says it paid out $13.6m last year to flaw finders from its bug bounty program.
The biggest single payout was a $200,000 reward under Redmond's Hyper-V Bounty Program. In all, 341 researchers in 58 countries took part, and the average award topped $10,000 across 1,261 eligible vulnerability reports.
"This year, we introduced new challenges and scenarios to award research focused on the highest impact to customer security," the Windows giant said in a blog post. "These focus areas helped us not only discover and fix risks to customer privacy and security, but also offer researchers top awards for their high-impact work."
Coin scams come to the smartphone
A low-tech but high-reward software scam has been uncovered that raked in at least an estimated $350,000 from marks wanting to get into cryptocurrency.
Lookout spotted more than 170 Android apps, including 25 on Google Play, that claimed to mine cryptocurrency on smartphones. Once purchased and installed, they displayed a running tally of coins supposedly being mined, but it was all fake: the coins didn't actually exist, and no mining was taking place.
The software then suggested the mining could be done faster if the user bought an upgrade. More than 93,000 people are said to have fallen for the scam, and while the apps have now been removed from the Google Play Store, there are still plenty of examples in third-party markets.
Morgan Stanley cops to data leak
In yet more fallout from security flaws in Accellion's file transfer system, Morgan Stanley has admitted it lost data thanks to the vulnerable software.
Guidehouse, a third-party vendor the financial giant was using to manage its StockPlan Connect business, was caught out by an unpatched Accellion FTA system. Documents containing the Social Security numbers and account details of Morgan Stanley customers were stolen via the security hole and, while this information was encrypted, the attackers also made off with the decryption keys, rendering that encryption moot.
"The files obtained from the vendor included the following participant information: name; address (last known address); date of birth; Social Security number (if the participant had one); and corporate company name," Morgan Stanley explained in a letter [PDF] to New Hampshire authorities. "Note that any data within these files did not contain passwords that could be used to access financial accounts." ®