Axios Codebook

September 02, 2022
TGIF, everyone. Welcome back to Codebook. Thanks to the team for holding down the fort while I was away.
- Let's get one last newsletter in before you all shut down the WiFi and escape into the long Labor Day weekend.
Today's newsletter is 1,256 words, a 5-minute read.
1 big thing: Cyberattack simulations get real

Illustration: Brendan Lynch/Axios
Cyber defense training for businesses is evolving to create immersive scenarios putting board members and C-level executives in the crosshairs of simulated attacks.
The big picture: As ransomware attacks and nation-state cyber espionage campaigns ramp up, more executives and board members find themselves making key decisions about how their companies respond to cybersecurity incidents.
Driving the news: Israeli cybersecurity company Cyberbit released a new training module last month that allows security teams and C-level executives to operate a full-scale simulation together against some of the most popular cyberthreats.
- Similar products cater more to training security teams, rather than executives and board members.
Details: Hours-long simulations include attacks that exploit the Log4j vulnerability and recent Microsoft critical vulnerabilities, as well as a North Korean nation-state hack.
- Cyberbit chief marketing officer Sharon Rosenman tells Axios the company typically adds new simulations each week based on the findings of its in-house threat intelligence team.
- But in high-risk situations, it can have a new simulation up in one day. The training for the Log4j vulnerability, which impacted millions of devices, was live within one day, Rosenman says.
How it works: I participated in a recent Cyberbit product demo to get a sense of what training looks like now.
- Each simulation operates on live cloud networks from Amazon Web Services and Microsoft Azure to make the experience as close to reality as possible.
- Once the scenario starts, people are taken through a tabletop simulation where they see signs of an attack on a network and answer a series of questions about what they should do and whom they want to contact at what point.
- The trainings are hours long to mirror the real thing.
- Team managers are able to compile findings from all trainings in one dashboard as well.
The intrigue: Cyberbit's customers include FS-ISAC, a nonprofit that shares cyberthreat intel among major financial institutions, and a few major retail and higher-education institutions, said CEO Adi Dar.
Between the lines: Regulators have been pushing executives and board members to take a more proactive role in cybersecurity strategies.
- The Securities and Exchange Commission is considering rules that would require public companies to file reports documenting cyber incidents as well as their strategies for protecting themselves.
- Other organizations, including RangeForce and CISA's National Initiative for Cybersecurity Careers and Studies, also offer training for boards and C-level executives.
Yes, but: Because Cyberbit wants the simulations to be as close to real life as possible, the training can take hours to complete.
- This means it's still a huge investment for some companies that are low staffed or struggling to implement basic security measures like multifactor authentication.
2. Newest ransomware gang on the block

Illustration: Aïda Amer/Axios
A new ransomware gang is starting to ramp up its operations, and its exploits focus on a programming language that makes it harder for researchers to crack.
The big picture: Ransomware hackers have had to get creative to avoid detection as companies have become increasingly aware of the threat and cost these file-encrypting cyberattacks pose.
What's happening: Researchers at cybersecurity firm Redacted said in a report Thursday that the BianLian ransomware gang tripled its known operational infrastructure in August, indicating that more attacks from the gang could be coming soon.
- Operational infrastructure includes the servers a ransomware gang is using to deploy malicious code and the IP address it owns for phishing emails.
- BianLian writes its ransomware code using Go, an open-source language that emerged from inside Google and is adaptable to most machines.
Details: BianLian has been targeting American, Australian and British organizations across the health care, education, insurance and media industries since at least December.
- The gang focuses on so-called "double extortion" attacks, where hackers demand a payment both to unlock the files they encrypted and to stop data leaks of stolen information.
- So far, BianLian has posted information on about 20 victims on its data leak sites, suggesting those organizations declined to pay a ransom.
Threat level: The ransomware gang is targeting a popular security flaw in Microsoft Exchange servers known as ProxyShell, which allowed hackers to target more than 2,000 servers in just two days in August 2021.
Between the lines: BianLian is just the latest ransomware group to turn to the Go language, which may be less widely known among threat intelligence researchers and which also can be harder to reverse-engineer.
3. Apple's new malware scanning regimen for Macs

Image: Apple
Apple has quietly beefed up the malware-fighting capabilities of the Mac by tweaking the system software to scan for malicious apps more proactively, as noted by Ars Technica and others, Axios' Ina Fried reports.
Why it matters: Like all elements of computer security, fighting malware is a cat-and-mouse battle.
- While the Mac has traditionally had fewer security problems than Windows, the Mac also gets less attention from commercial anti-spyware software, putting more pressure on Apple to keep its systems clean.
Catch up quick: Apple doesn't have user-visible malware scanning like Defender, which is built into Windows, but it does have some features that work behind the scenes to detect and block unwanted software.
- One of those, XProtect, is designed to scan, often at startup, for certain malware, while a separate Malware Removal Tool can delete unwanted code.
- These efforts date back at least to 2009's Snow Leopard, though other features have been added over the years.
What's new: The latest version of XProtect that began showing up earlier this year goes further, both remediating and scanning for malware, and doing so more frequently, perhaps as often as every hour or two, according to Howard Oakley, who closely monitors what Apple does on this front and wrote about the changes in a blog post.
What they're saying: "In the last six months, macOS malware protection has changed more than it did over the previous seven years," Oakley wrote. "It has now gone fully preemptive, as active as many commercial anti-malware products, provided that your Mac is running Catalina or later."
4. Catch up quick
@ D.C.
House Speaker Nancy Pelosi (D-Calif.) said she can't support a recent bipartisan privacy bill, halting the legislation's progress indefinitely. (Axios)
The State Department has banned three former intelligence operatives from working with military tech firms for at least three years after their involvement in a surveillance campaign for the United Arab Emirates. (CyberScoop)
Police forces in California have been using a tool that allows them to track people's cellphone locations and movements without a search warrant. (Associated Press)
@ Industry
Cloudflare suggested it doesn't plan to terminate services for discussion forum Kiwi Farms, despite the abusive content and harassment the forum's discussions facilitate. (Bloomberg)
CISA, Dell and other large tech companies are partnering to create new cybersecurity programs at a handful of historically Black colleges and universities. (The Record)
U.K. regulators formally cleared the $8.1 billion merger of cyber companies NortonLifeLock and Avast. (TechCrunch)
@ Hackers and hacks
Microsoft researchers detected a vulnerability in TikTok's Android app that could have easily allowed attackers to hijack someone's account. (The Verge)
Reminder to bring your iOS devices up to date with Apple's fix, released last month, for serious security flaws discovered earlier this summer. (Wired)
The San Francisco 49ers confirmed that personal information tied to nearly 21,000 people was accessed or stolen during a ransomware attack in February. (BleepingComputer)
5. 1 fun thing

Photo: Courtesy of John Kreuzer/Lumina Communications and Court White/Highwire PR
I asked you all for pet pics on Twitter for today's 1 fun thing, and boy, oh boy, did y'all deliver. I'm swimming in a sea of 50-plus pet pics, and I love it.
- Special shoutout to those who sent photos of pets in costumes, pets on patrol and pets in the barn.
See y'all on Tuesday!