Cybersecurity and Infosec News Headlines Update on February 27, 2022

IRS abandons facial recognition plan after firestorm of criticism

And just like that, plans by the IRS to use third-party identity verification ID.me have been pulled after a “firestorm of criticism.” (AP has a non-paywalled story.) The planned roll-out of ID.me on the IRS’ website was meant to take effect later this year, but critics say the service would amass a huge database of identity documents that could be targeted. Senate Finance chair Ron Wyden said bluntly that “no one should be forced to submit to facial recognition to access critical government services,” which seems entirely fair. After all, the tax-collection service is a taxpayer-funded service. Meanwhile, the Post notes just how problematic the ID.me service can be, after scammers found a way to trick the company into accepting fake face scans (see below, and yes, it’s a wig). ID.me also collects location data and uses Palantir’s software to process it.

Microsoft’s small step to disable macros is a huge win for security

Macros are, and have been, a major thorn in the side of network defenders for a decade-plus. While these little bits of programmable code are helpful for automating tasks, they’re also great for planting malware, and these days are said to account for about 25% of all ransomware entry routes. Now, Microsoft said it will block internet macros by default in Office, making the macro attack route far more difficult. Microsoft is taking what @lilyhnewman calls a “diplomatic approach” by blocking macros in documents that have been downloaded from the internet, while allowing macros in spreadsheets and documents that have only been shared on an internal network and have never moved across the internet.

Lawmakers allege ‘secret’ CIA spying on unwitting Americans

The U.S. government is still spying on Americans, according to two senators who went public this week. Sens. Wyden and Heinrich, who sit on the Senate Intelligence Committee, said the CIA is secretly collecting data on Americans, years after the NSA was caught out doing much of the same thing. We don’t know what the CIA is collecting or why. But, what’s important here is the authority that’s used, an executive order (EO) called 12333, which is the government’s catch-all authority for secret collection of data. It’s complicated, but read this thread from national security expert @lizagoitein for more. The CIA’s data collection apparently skirted accountability for years using this authority. It was only last month that the senators found out for themselves; apparently the program was “withheld even from” the senators on the Intelligence Committee, which oversees these programs! This will be a story to watch…

Decryptor released for Maze, Egregor, and Sekhmet ransomware strains

ZDNet: Some good news this week after the master decryption keys for three ransomware strains, Maze, Egregor, and Sekhmet, were published, allowing the creation of decryption tools. The keys were posted on a forum used by Bleeping Computer. It seems like the linked gangs, which are no longer active, are rattled by recent events — including U.S. threats to find ransomware actors and Russia’s unexpected arrests against REvil. Maze, if you recall, was one of the first gangs to publish stolen files, rather than just encrypt them.

LockBit 2.0: The Sequel No One Wanted

There is a long history of sequels being worse than the first installment. The Exorcist II. Tron: Legacy. And now cybersecurity professionals are getting another sequel that will be worse than the first version – LockBit 2.0.

Developed by the same ransomware gang behind LockBit, LockBit 2.0 is the new and improved version of the infamous 2019 ransomware. Known for being evasive, ever-changing, and self-spreading, this piece of malicious software has not only extorted businesses through ransom notes but also turned employees into inside attackers. As you can expect, no one in the cybersecurity world is particularly pleased to hear about its return.

Understanding Ransomware as a Service (RaaS)

Everything is available as a service these days, so it’s no surprise that threat actors found a way to cash in on malicious software. For would-be cybercriminals who lack the technical know-how to build their own malware, RaaS products are an easy way to launch ransomware attacks and extort money.

Understanding the LockBit Ransomware Attack

The LockBit 2.0 ransomware is the hardened form of the original LockBit ransomware. Although the ransomware group behind the attacks remains anonymous, the remotely loaded LockBit ransom note (which appears as the wallpaper on all affected systems) clearly shows this is the same team.

In the wake of the FBI Flash document expanding on LockBit’s IOCs, here is a quick technical guide on how your organization can find evidence of LockBit. As an inside attack is a possibility, automated response to these IOCs can stop the malware from gaining initial access, pulling down your security software, and removing all backups.

Language codes

Presumably in order not to infect systems in the LockBit gang’s home country, the ransomware checks which language packs are installed. These languages all come from Eastern Europe/Central Asia and include Russian, Belarusian, Tajik, Armenian, Azeri (Latin & Cyrillic), Georgian, Kazakh, Kyrgyz (Cyrillic only), Turkmen, Uzbek (Latin & Cyrillic), and Russian – Moldova.

In theory, installing at least one of these packages would offer protection.

Command Line Activity

Because the LockBit 2.0 attack runs through many stages, it will run a series of commands that can be clearly identified. Some of these will destroy valuable data like the security log (cmd.exe /c wevtutil cl security) or tell your systems to ignore boot failures (cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures).

Others, however, contain invalid syntax and error out. Although these commands aren’t directly damaging, they may serve as a last-minute warning before the ransomware runs wild on your network.
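As an added example (not from the original article or the FBI Flash), here is a small Python scan that flags the two destructive LockBit 2.0 command lines quoted above in process-creation telemetry; the log line format, the sample lines and the rule names are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample process-creation log lines (Windows event 4688 style),
# not real telemetry. Lines 2, 4 and 5 carry the LockBit 2.0 commands quoted
# above (line 5 with a full path and different casing); lines 1 and 3 are
# benign look-alikes that must not fire.
SAMPLE_LOG = [
    '2022-02-10T03:14:07Z host=WS042 user=CORP\\jdoe eid=4688 cmdline="cmd.exe /c wevtutil qe security /c:10"',
    '2022-02-10T03:14:09Z host=WS042 user=CORP\\jdoe eid=4688 cmdline="cmd.exe /c wevtutil cl security"',
    '2022-02-10T03:14:11Z host=WS042 user=CORP\\jdoe eid=4688 cmdline="bcdedit /enum"',
    '2022-02-10T03:14:12Z host=WS042 user=CORP\\jdoe eid=4688 cmdline="cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    '2022-02-10T03:14:13Z host=WS042 user=CORP\\jdoe eid=4688 cmdline="C:\\Windows\\System32\\WEVTUTIL.EXE CL Security"',
]

# Detection rules: (name, pattern). Case-insensitive, tolerant of extra
# whitespace, an optional .exe suffix and a full path in front of the binary.
RULES = [
    ("security_log_cleared",
     re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+security\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

CMDLINE_RE = re.compile(r'cmdline="([^"]*)"')


def extract_cmdline(line: str) -> str:
    """Pull the quoted cmdline field out of one constructed log line."""
    m = CMDLINE_RE.search(line)
    return m.group(1) if m else ""


def scan_process_log(lines) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, cmdline) for every line matching a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        cmd = extract_cmdline(line)
        for name, pat in RULES:
            if pat.search(cmd):
                hits.append((n, name, cmd))
    return hits


if __name__ == "__main__":
    for n, name, cmd in scan_process_log(SAMPLE_LOG):
        print(f"line {n}: {name}: {cmd}")
```

Either hit on its own is worth an alert; both in quick succession on the same host is the pattern the text describes as the last warning before encryption starts.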

Three different files are created after infection:

Files Created

These files together give the user all the information they need to pay the ransom and communicate with the malware gang. Promising a decryption key, the now infamous wallpaper also offers would-be cybercriminals a chance to become insider attackers and threatens permanent data loss if the victims don’t follow instructions.

And of course, the most notable aspect of LockBit is the file extension – .lockbit will be appended to all encrypted files. If you see that on your systems, get ready for the long journey to restoring backups.

How do I defend my network against LockBit 2.0?

When your network is dealing with an infected machine, you may already be too far down the infection chain to stop the ransomware from spreading. However, healthy cybersecurity practices always help teams survive network-disabling attacks instead of becoming victims. To avoid weaponized encryption, here are some best practices that will help you mitigate the risk:

  • Employ strategies that stop malicious emails from making their way into your organization, including effective staff training.
  • Implement strong passwords that are regularly rotated.
  • Use multi-factor authentication wherever possible to prevent privileged user accounts from becoming compromised.
  • Run effective Group Policies that stop unwanted PowerShell commands, registry changes, system recovery disabling, system recovery file deletion, and Group Policy changes.

Joint Advisory Warns of Ransomware Attacks Targeting Critical Infrastructure

A joint advisory issued by cybersecurity authorities in the UK, the US, and Australia says they have “observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally.” The advisory includes technical details about the observed attacks as well as suggested mitigations.

Note

  • While the targets change as we deploy new services and technologies, the mitigations remain essentially the same – keep devices updated; MFA all the external entry points; segment systems, particularly OT and legacy systems which are running older applications and operating systems; turn off or disable insecure or unnecessary services; train the users; use immutable backups; monitor for maleficence.
  • It’s fantastic to see countries working together to address ransomware. Global challenges require global solutions. Keep in mind that ransomware is not a new type of attack, it is simply a new way to monetize a successful attack. The reason we have seen an explosion of ransomware is because it is so profitable – fast (and relatively safe) return on investments. According to the report, and no surprise here, the three steps to mitigating ransomware are focusing on the fundamentals – phishing, passwords and updating.

DoJ Seizes $3.6B in Cryptocurrency

Two people have been arrested in New York; Ilya Lichtenstein and Heather Morgan allegedly conspired to launder $4.5 billion in cryptocurrency that was stolen in 2016. The US Department of Justice (DoJ) has so far managed to recover $3.6 billion worth of the cryptocurrency.

Note

  • The use of cryptocurrencies often comes with the promise of anonymity. But this anonymity is lost as soon as cryptocurrency is converted into “real money.” With few non-criminal services accepting cryptocurrency, the actual value of cryptocurrency is very limited. In particular, currencies focusing on anonymity need to be at least converted into more traceable currencies like bitcoin.
  • There are so many aspects to this story, but one we should definitely not lose sight of is the fact that it is difficult to launder significant amounts of cryptocurrency when exchanges follow know your customer (KYC) regulations. Many have traditionally relied on cryptocurrency mixers, but when law enforcement seizes mixing operations (as happened in the AlphaBay takedown), those transactions are relatively trivial to deanonymize. Even without law enforcement actions against mixing operators, it’s clear the Department of Justice is getting much better at tracking the flow of cryptocurrency. This certainly won’t be the last large-scale recovery we see.
  • Good to see the FBI has the tools for tracing crypto transactions. While the couple did use options such as “chain-hopping,” mixer or tumbler services and “privacy coins,” which are intended to make tracking the digital transactions difficult, the investigators were still able to “follow the chain” to the couple. They had the address of the wallet the funds were exfiltrated to from Bitfinex in 2016 and ultimately worked back to the couple, not only leveraging transactions from identified wallets, but also data discovered in the AlphaBay takedown which allowed wallets to be connected to their owners.

SEC Proposed Cybersecurity Risk Management Rules

The US Securities and Exchange Commission (SEC) has proposed new rules that would require registered investment advisers, companies, and funds to report cybersecurity incidents to the SEC. The proposed rule would also require those entities to disclose cybersecurity risks and incidents to clients and prospective clients. The rule is open for public comment.

Note

  • I think the SEC issued its first cybersecurity guidance in 2011 and since then has slowly increased disclosure and incident response requirements across the financial food chain. While there will be the usual negative reactions to the burden this may place on small advisors and funds, bringing registered investment advisors and funds up to these basic minimum requirements is a good thing. The impact to their customers of lax information security processes and controls can be catastrophic, and not just via breaches. Stock market volatility means attacks causing very short duration outages can be used to manipulate stock prices and trading with serious financial impact.
  • Disclosure of incidents in SEC filings has provided visibility into issues otherwise obfuscated by business practices. With the current threat environment, having transparency on cyber security posture should help raise the bar, much as the increased requirements from cyber insurance providers seek to do. One hopes this also becomes one more tool for savvy investors to leverage when considering their wealth management strategy.

Android February Security Update

The Android Security Bulletin for February 2022 includes a fix for a critical flaw in Android 12. The vulnerability could be exploited to remotely gain elevated privileges with no user interaction.

Note

  • This update addresses multiple issues, and there is a separate set of patches from February 5th which address a high-severity flaw in System. If you don’t see the update for your devices, your Android hardware vendor may not have finished qualifying these updates for your platform; don’t forget to check again. Note this is also the final official update for Google’s Pixel 3 smartphones, launched in October 2018. Keep an eye on the support lifecycle for your smartphones: Android devices typically only get OS updates for two years and security updates for three, so don’t wait until the end of year three to start your update process.

Microsoft Patch Tuesday for February 2022

On Tuesday, February 8, Microsoft released security updates to address dozens of vulnerabilities. The maximum severity rating for the flaws is “important.” Just one of the vulnerabilities was previously disclosed, and none are being actively exploited.

Note

  • You should have these queued to push this weekend, even though there are only 51 flaws addressed. Notice there are fixes for DNS and SharePoint server RCE flaws as well as for a Win32k privilege escalation flaw.
  • Interesting to not have a critical (or an already exploited) vulnerability this month. The lack of an emergency may give you some time to hone your patching / vulnerability management process.
