November 07, 2023
Happy Tuesday! Welcome back to Codebook.
- 🇺🇸 We're off later this week for Veterans Day — see y'all in a week!
- 📬 But first: Have thoughts, feedback or scoops to share? [email protected].
🚨 Situational awareness: A bipartisan group of lawmakers has introduced the first bill to reauthorize Section 702 of the Foreign Intelligence Surveillance Act, a controversial program that expires at the end of the year.
Today's newsletter is 1,561 words, a 6-minute read.
1 big thing: Why "don't pay ransom" pledges are so hard
A government pledge to not pay ransoms will prove difficult for companies and private organizations to replicate.
Driving the news: A group of 48 governments, as well as the European Union and Interpol, signed a pledge last week to not pay hackers if their systems are hit with a ransomware attack.
- The commitment, which was made as part of last week's U.S.-led Counter Ransomware Initiative meeting, also strongly discouraged "anyone from paying a ransomware demand," including private sector organizations and organizations responsible for critical infrastructure.
Why it matters: Government officials are showing a growing appetite for banning ransom payments and cutting off the financial incentive cybercriminals have for launching these attacks.
- But the Counter Ransomware Initiative's decision to focus solely on government ransomware victims underscores how tough the choices are for private sector victims weighing how to respond to such attacks.
The big picture: Ransomware gangs typically demand their victims send a payment to either regain access to their networks or keep hackers from leaking sensitive data stolen during the attack.
- When deciding whether to pay, victims will weigh everything from potential service disruptions to class-action lawsuits if sensitive customer information is leaked.
- Some critical services, including hospitals and water companies, also face life-or-death consequences if certain online systems are locked up for too long.
- In many cases, paying up appears to be cheaper (and safer) than spending days rebuilding key systems and networks.
What they're saying: "There's a lot more to it than just saying we're not going to do it," John Dwyer, head of research at IBM's X-Force threat intelligence group, told Axios. "Faced with the reality that a lot of these organizations are faced with, you realize that there's a lot more in the decision."
- "It's not as black-and-white as I think the public probably appears that it is," he added.
By the numbers: Despite concerted government efforts, the number of ransomware attacks has continued to grow this year.
- The number of ransomware attacks in the third quarter nearly doubled compared to the same period last year, according to cyber policy underwriter Corvus Insurance.
- "The data shows the number of attacks are going up and, frankly, [so is] the disruptive impact," Anne Neuberger, deputy national security adviser for cyber and emerging tech, said during an event Friday.
Meanwhile, the number of companies paying ransoms is starting to drop, by some accounts.
- Both Dwyer and Kurtis Minder, CEO of ransomware negotiation firm GroupSense, told Axios that, anecdotally, they've recently seen fewer victims paying up post-attack.
- Cyber risk group Resilience also estimates that only 15% of its clients paid a ransom in the first half of 2023 — tracking downward from 21% in all of 2022.
Between the lines: Historically, the incentive structure of a ransomware attack has favored those who quietly paid a ransom — but that's slowly starting to change.
- For instance, cyber insurers have started mandating companies meet basic security requirements before approving them for a new policy.
The intrigue: In some cases, the larger ransomware volumes are working to victims' advantage, Minder said.
- In a handful of cases, Minder said, he's seen some ransomware gangs target so many companies that they forget who they're extorting and never return to negotiations over a payment and never leak the data they stole.
Yes, but: Without some larger enforcement mechanism or incentive program, banning ransom payments across the private sector is never going to work, Minder said.
- "Even if you made this illegal, the ransom would still be made," he said. "They just would be largely swept under the rug, or underground. It wouldn't achieve your goal."
Be smart: The best way to avoid ransom payments and cut down on the number of ransomware attacks is for organizations to practice good cyber hygiene, such as implementing multifactor authentication, Dwyer said.
2. Palo Alto Networks' bet on browser security
Palo Alto Networks has unveiled its second acquisition in a week, with its latest purchase potentially giving the company an edge in an up-and-coming vertical: browser security.
Driving the news: Palo Alto confirmed Monday it was buying Talon Cyber Security, an Israel-based enterprise browser provider.
- The deal came after a similar announcement from Palo Alto last week that it would buy Israeli cloud data security company Dig Security.
The big picture: Palo Alto's acquisition of Talon puts a spotlight on the need to protect against browser-targeted cyberattacks.
- Browsers have long been a blind spot for company security programs, and hackers have found success targeting flaws in employees' personal devices — especially those in the browser — to gain access to a company's systems.
- Many of Palo Alto's competitors offer browser extensions that can help scan for these flaws. But few of its competitors, if any, have their own enterprise browser offering that can protect employees even on personal laptops or phones, Paddy Harrington, a senior analyst at Forrester, told Axios.
Details: Talon was founded in 2021 and has about 130 employees, according to Israeli news site CTech.
- Talon's approach differs from that of other major cyber companies' browser security tools.
- Instead of solely relying on a browser plug-in extension to protect browser data, Talon has built an entirely new browser from the ground up that serves as a secure access point for corporate apps and data.
What they're saying: "Palo's taking a different track," Harrington said. "Some of the other players are trying to do [browser] extensions. No one has gone down this path yet."
Between the lines: Palo Alto's purchase of Talon could inspire competitors — like CrowdStrike or Trend Micro — to go out and buy their own enterprise browser providers.
- "This isn't a small purchase," Harrington said. "It gives validity to that focus in on the browser."
What's next: Palo Alto didn't say when it plans to close either of its new deals, but regulatory reviews can often take a few months.
3. Brokers selling military members' personal info
Sensitive, highly detailed personal data for thousands of active-duty and veteran U.S. military members can be purchased for as little as 1 cent per name through data broker websites, according to a new study published Monday by Duke University researchers, Axios' Jacob Knutson writes.
Why it matters: Researchers warned that the data can be easily obtained and used by malicious actors to target current and former military personnel, their families and acquaintances with a myriad of schemes, including blackmail and misinformation campaigns.
- The data about military personnel purchased as part of the study included full names, physical and email addresses, health and financial information, and details about their ethnicity, religious practices and political affiliation.
- In some cases, the information also included whether the person owned or rented a home, was married, or had children. The children's ages and sexes were accessible too.
How it works: As part of the study, the researchers contacted 12 data brokers about purchasing information on military personnel.
- The researchers found that many of the brokers lacked controls on who could purchase the data or regulations to ascertain the intended uses for the information.
- In making their purchases, the researchers were able to narrow down their data selections to personnel in Maryland, Virginia or the District of Columbia.
- In one data set, the results showed service members living near military installations including Virginia's Quantico and Fort Walker, formerly known as Fort A.P. Hill, and North Carolina's Fort Liberty, formerly known as Fort Bragg.
- Thousands of data brokers, many of which are based in the U.S., collect and sell data on millions of people every year.
- The multibillion-dollar industry collects data on virtually every American, primarily through public records and other businesses — such as mobile app companies and credit reporting agencies — collecting data on their customers and selling it.
By the numbers: The researchers bought data on up to around 45,000 military personnel for between 12 cents and 32 cents per record.
- They also bought data belonging to 5,000 friends and family members of military personnel.
- Larger data purchases of more than 1.5 million service members were available for as little as 1 cent per record from at least one broker the researchers contacted.
4. Catch up quick
🏛️ The U.S. Treasury Department sanctioned a Russian national accused of laundering money for cybercriminals, including an affiliate of the Ryuk ransomware gang. (The Record)
🇨🇳 Chinese technology companies, including Huawei and Tencent, have the largest stockpile of cybersecurity-related patents, according to LexisNexis data. (Nikkei Asia)
🤖 MITRE, in collaboration with Microsoft, has updated its open-source security risks analysis tool to account for generative AI threats. (MITRE)
@ Hackers and hacks
💥 Hackers have started exploiting a critical vulnerability in Atlassian's Confluence enterprise server app, several researchers warned. (Ars Technica)
🇮🇷 Israel's cyber defense chief said he's "very concerned" that Iran will escalate its yearslong string of cyberattacks against Israeli organizations as the war with Hamas carries on. (CNN)
👀 Okta's most recent security breach affected 134 customers and is believed to have started with hackers compromising an employee's personal account credentials. (BleepingComputer)
5. 1 fun thing
Over the weekend, a hacker claimed they had hacked LinkedIn and had a database filled with the personal data belonging to millions of users.
- The claims seemed believable, especially given the track record of past massive hacks and breaches at LinkedIn.
- Yes, but: Turns out, as researcher and "Have I Been Pwned" creator Troy Hunt found, that database was just a compilation of publicly available profile data, including emails and full names, that most users can access already. 🙄
☀️ See y'all next week!
Thanks to Scott Rosenberg and Megan Morrone for editing and Khalid Adad for copy editing this newsletter.
If you like Axios Codebook, spread the word.