More stories

  • Telco CEOs appeal to NBN's sense of social responsibility for lockdown CVC relief

    The CEOs of Telstra, Optus, TPG, Vocus, and Aussie Broadband have written to NBN asking for the national broadband wholesaler to do more than the current CVC relief program is offering, citing increasing costs to acquire capacity. The telcos say the current program does not come close to covering CVC cost increases that have been experienced since lockdowns hit primarily New South Wales and Victoria, and costs to retailers have risen each month at an “unmanageable rate”. The telcos are asking for a retrospective change to the program to have May 2021 usage as a baseline, and to calculate the credit on each telco’s individual overage charge and not on the overall industry overage, as it currently occurs. The group says that failure to do so would lead to poorer consumer outcomes. “We write to appeal to NBN Co’s social responsibility towards all Australians and request NBN Co provide additional broadband capacity in their time of need,” the telcos said. Vocus CEO Kevin Russell said NBN was failing its social responsibility. “NBN is profiteering from lockdowns,” he said. “Simple fact: NBN makes more money today with Australians forced to work from home than they did three months ago before lockdowns.”

    For its part, NBN said it was “unfair and unrealistic” for the telcos to expect Australian taxpayers to stump up additional subsidies and provide bigger profits to telcos. The company allocated AU$5.2 million in credit for July, AU$3.7 million in August, and has previously said it would have further credit available for September and October if usage was above the long-term trend. “Our monitoring of the network saw data usage flatten over August, particularly towards the end of the month. Average usage across the entire network during busy hours for the month of August grew just 2.5%, compared to 7% in the month of July,” an NBN spokesperson said. In its recent corporate plan, NBN forecast lower revenue and earnings than in its plan a year prior. “Once lockdowns are eased, we anticipate data usage during the busy hour will fall significantly. This will result in reduced revenue for NBN Co in the second half of the year and is the principal reason why revenue for FY22 has been guided at a level below last year’s corporate plan,” the spokesperson added. “In other words, rather than profiteering, we have reduced FY22 revenue and earnings expectations as a result of the impact of COVID-19.”

    Last month, Telstra CEO Andy Penn laid blame for a trio of telcos being hauled into Federal Court over allegations of making misleading NBN FttN speed claims at the feet of NBN Co. “When you sign up for the NBN you tell us what speed you want. However, when we connect you for the first time, NBN can’t tell us what speeds you’ll get. Despite this, we still have an obligation to provide you the speed you’ve chosen,” Penn said on Twitter. “The root cause is at the beginning. We need NBN to tell us what its network is capable of for customers upfront, before we connect and for regulators to impose on NBN the same obligations we have to meet. That’s how we’ll get this right for customers once and for all.”

  • LG acquires Israeli automotive cybersecurity startup Cybellum

    LG Electronics said on Thursday it has acquired Israeli automotive cybersecurity startup Cybellum.

    Tel Aviv-based Cybellum was founded in 2016 and offers risk assessment software that can scan software on vehicle components for vulnerabilities and risks.

    The South Korean electronics maker signed a deal with the startup to acquire 63.9% of its shares. LG will also acquire additional shares of Cybellum by the year’s end, with the amount to be finalised then.

    LG has also signed an additional contract, worth $20 million, with the startup for future equity that will see the funds be converted to more shares from the end of 2022 to the first half of 2023.

    Cybellum’s current management team will continue to run the company independently and work with its existing automobile and component partners, LG said.

    According to the South Korean company, security in the automotive industry has become more important as more vehicles connect to networks. Due to this, cybersecurity has become an important barometer for the quality of a vehicle’s life cycle, along with design, development and driving capabilities, the company said.

    Through Cybellum’s solutions, LG will look to beef up the security systems on its automotive offerings in the areas of infotainment and telematics, the company said, to preempt security regulations in various countries and become a reliable partner to automobile manufacturers.

    LG currently offers various software and components for vehicles. Its affiliate LG Display also supplies display panels to automobile companies.

    In July, its joint venture with Magna International was formed, which aims to offer electric powertrain components and systems for cars.

    In March, LG launched a joint venture called Alluto with Luxoft, a subsidiary of DXC Technology that offers connected car solutions based on the webOS Auto platform.

  • CISA releases advisory on Conti ransomware, notes increase in attacks after more than 400 incidents

    CISA sent out an advisory on Wednesday centered around the Conti ransomware, providing detailed information for the cybersecurity community about the ransomware group and its affiliates.

    Both CISA and the FBI said they have seen more than 400 attacks involving Conti’s ransomware targeting US organizations as well as international enterprises. The FBI has previously implicated Conti in attacks on at least 290 organizations in the US.

    CISA offered a technical breakdown on how the ransomware group’s operators typically function and what steps organizations can take to mitigate potential attacks. CISA noted that while Conti operates a ransomware-as-a-service model, it does so a bit differently than others. Instead of paying affiliates a cut of the earnings that come from ransoms, the group pays the deployers of the ransomware a wage, according to CISA.

    Rob Joyce, director of cybersecurity at NSA, said the cybercriminals now running the Conti ransomware-as-a-service have historically targeted critical infrastructure, such as the Defense Industrial Base (DIB). He added that the advisory highlights actions organizations can take right now to counter the threat.

    “NSA works closely with our partners, providing critical intelligence and enabling operations to counter ransomware activities. We highly recommend using the mitigations outlined in this advisory to protect against Conti malware and mitigate your risk against any ransomware attack,” Joyce said.

    On Twitter, Joyce said Conti attacks are increasing and he urged organizations to use MFA, segment their networks and explore using a patch management system to keep networks updated.

    CISA explained that Conti actors typically use a variety of methods and tools to infiltrate systems, including spearphishing campaigns, remote monitoring and management software and remote desktop software.

    The spearphishing campaigns seen by CISA used tailored emails that contain malicious attachments or links. Stolen or weak Remote Desktop Protocol (RDP) credentials, phone calls, fake software promoted via search engine optimization, other malware distribution networks like ZLoader and common vulnerabilities in external assets were all cited as tools Conti actors have used during ransomware attacks.

    “Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware — such as TrickBot and IcedID, and/or Cobalt Strike — to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware,” CISA explained. “In the execution phase, actors run a getuid payload before using a more aggressive payload to reduce the risk of triggering antivirus engines. CISA and FBI have observed Conti actors using Router Scan, a penetration testing tool, to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces. Additionally, actors use Kerberos attacks to attempt to get the Admin hash to conduct brute force attacks.”

    The operators of Conti’s ransomware also have been seen using remote monitoring and management software as well as remote desktop software as backdoors to maintain persistence in a victim’s network.

    CISA explained that sometimes the ransomware group and its affiliates use tools that are already on a victim’s network or add tools like Windows Sysinternals and Mimikatz to “obtain users’ hashes and clear-text credentials, which enable the actors to escalate privileges within a domain and perform other post-exploitation and lateral movement tasks.”

    The TrickBot malware is also used in some cases as a way to carry out other post-exploitation tasks.

    The advisory noted that “artifacts from a recently leaked threat actor ‘playbook,’ identify IP addresses Conti actors have used for their malicious activity.” The playbook also shows that Conti operators aim to exploit vulnerabilities in unpatched assets like the 2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities, the “PrintNightmare” vulnerability and the “Zerologon” vulnerability.

    “CISA and FBI have observed Conti actors using different Cobalt Strike server IP addresses unique to different victims. Conti actors often use the open-source Rclone command line program for data exfiltration,” the advisory said. “After the actors steal and encrypt the victim’s sensitive data, they employ a double extortion technique in which they demand the victim pay a ransom for the release of the encrypted data and threaten the victim with public release of the data if the ransom is not paid.”

    As Joyce said, CISA, the FBI and NSA suggested organizations segment their networks, filter traffic, scan for vulnerabilities and stay up-to-date with all patches. They added that unnecessary applications should be removed and controls applied, endpoint detection and response tools should be implemented and access should be limited across networks.

    Conti made a name for itself after attacking hundreds of healthcare institutions — including a debilitating ransomware attack on Ireland’s Health Service Executive on May 14 — as well as schools like the University of Utah and other government organizations like the city government of Tulsa, Oklahoma and the Scottish Environment Protection Agency.

    Allan Liska, ransomware expert and member of the computer security incident response team at Recorded Future, said much of what was in the advisory was well-known in the information security community. But he noted that experts are not the target audience of the advisory.

    “There are a lot of security people who will find this very useful because the tools used by Conti are used by other ransomware groups. For example, rclone is mentioned in the report. I see rclone used by many ransomware groups but rarely by legitimate employees of an organization, so looking for rclone hashes on endpoints could be useful,” Liska said. “I also think a lot of people didn’t know that Conti has infected organizations through phone calls. That may be a new threat model for a lot of organizations and one that they have to consider how to defend against. Overall, while it is not a groundbreaking report, it is nice to have so many of Conti’s TTP in a single location rather than combing through 15 different ZDNet articles to find them.”

  • Druva's 'curated recovery' aimed at faster ransomware incident resolution

    Cloud data protection and management provider Druva has come out with an approach called Curated Recovery to help defend against the rapidly growing ransomware problem.

    Deployed in addition to the company’s standard Accelerated Ransomware Recovery module, Druva Curated Recovery mitigates the impact of a ransomware attack by building uncorrupted, unencrypted, and malware-free system recovery points to ensure successful recovery–even before one is needed, Druva VP of Products Prem Ananthakrishnan told ZDNet.

    Curated Recovery, announced Sept. 21, identifies anomalies as they show themselves in an IT system; when an intrusion is deployed, Druva quarantines the malware and, using intelligent automation, reinstates all system files in a state prior to when the ransomware was detected. By pre-establishing a large set of recovery points, Curated Recovery identifies the latest clean version of each file through its recent changes, replacing a resource-intensive process that can take weeks with a simplified recovery workflow. Thus, IT teams can find the most recent clean version of all their data and return operations to normal in a much shorter time frame, Ananthakrishnan said.

    Ransomware, a malicious software agent that blocks access to a computer system until a sum of money is paid, is one of the most common hacking methods used by hackers and malicious actors. The average ransomware payment, which only a few years ago was about $15,000, has surpassed $240,000, according to a recent survey from IDC. Its profit potential has incentivized bad actors to expand the scope of their attacks, including the introduction of new variants designed specifically to encrypt or delete backup data.

    “What’s happening is that these new variants of ransomware are staying on the systems (much longer), and they’re encrypting the data so slowly,” Ananthakrishnan said. “It’s taking months (for them) to actually encrypt the data. So the net result of that is that the cleanest version–or the most recent version of each file–is unencrypted, and those files may be sitting across multiple restore or recovery points of the data.

    “Unfortunately, files now are not available in one single recovery point (such as a snapshot). Users now have to go into all these different datasets, and keep trying and testing each one of them to see if they can get the latest version of the file. If you’ve got 100,000 files, think of how long that would take.”

    Druva’s Accelerated Ransomware Recovery platform has a zero-trust architecture that ensures only customers have access to their data, while features such as excess deletion prevention stop ransomware from permanently deleting backups, the company said.

    Key features

    Druva’s Accelerated Ransomware Recovery is designed to reduce data loss via intelligent automation and orchestration; it also integrates with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) tools. Key components include:

      • Access insights: Understand location and identity for all access attempts to gain situational awareness.
      • Anomaly detection: Gain data-level insights on file changes, creation, recovery, and deletion. Users can create alerts for anomalous activity and use anomaly information to identify the timeframe of an attack.
      • Quarantine: Quickly quarantine infected systems and snapshots.
      • Recovery scans: Scan snapshots for known malware and customer-provided indicators of compromise before restoring to avoid reinfection.
      • Curated recovery: Automatically recover the most recent clean version of every file within a specified time frame, reducing recovery time.

    Druva Cloud Platform is built on AWS and offered as a service that provides globally accessible, scalable, and autonomous enterprise data resiliency. Druva started out in 2008 specializing in protecting data on mobile devices; it has continued to evolve into the cloud data protection and management space. Since those early days, Druva has become known as an early pioneer of edge-computing data protection.

  • Brazilian government launches data protection campaign

    The Brazilian government has launched a data protection guide as part of efforts to raise awareness on the issue among the general public. The 19-page guide entitled “How to protect your personal data” was developed by the National Consumer Defense Council, in partnership with the National Data Protection Authority (ANPD). Using simplified language and avoiding excessive technical jargon, the material outlines examples of situations where treatment of data might be possible, and when it is legal to do so. The document also explains the principles that underpin data treatment in Brazil, and how these guidelines comply with the country’s General Data Protection Regulations (LGPD), which is also broadly explained. A list of topics summing up how organizations should act in relation to personal data is also provided. Moreover, the document issued by the Brazilian government agencies outlines the rights of data holders, such as knowing whether their personal data will be treated and for what purpose, accessing their own data if it is being treated, as well as asking for anonymization, revoking authorization to data access, and even the exclusion of data from a database.

    The material offers suggestions of how data holders can protect their personal information, including the use of two-factor authentication, data backups and encryption. It also provides the steps that should be taken in case of incidents relating to personal data.

    Fostering a data protection culture with material aimed at the general public is one of the first objectives of the ANPD, which published its strategy in February. According to the initial plan of the data protection authority, strategic actions will include educational events and workshops around the theme, as well as guides and recommendations relating to the data protection subject, and dialog with actors inside and outside government to build strategic partnerships for the studies to be carried out.

    A study published at the end of 2020 by Brazilian credit intelligence company Boa Vista suggested that consumers in Brazil are mostly unaware of the country’s data protection rules and fail to question companies’ personal data management practices. More recently — and especially since the emergence of the largest data leak on record in Brazil — there has been a growing concern in relation to personal data security. A report by Datafolha Institute published in July 2021 suggested Brazilians are worried about what happens to their data, despite knowing that companies they interact with keep some type of information about their consumption and leisure habits.

  • Internet users stressed out by cyberattack news: Kaspersky

    A new Kaspersky survey found that internet users in the US and Canada increasingly believe the internet to be a stressful place. The findings coincided with a more general increase in internet usage due to the COVID-19 pandemic.

    In its “Dealing with a new normal in our digital reality” report, Kaspersky researchers found that almost 70% of the 2,500 consumers surveyed said they find news about data breaches to be stressful.

    More than half of respondents said their use of online services increased during the pandemic and 56% said being online has become a source of stress for them. A quarter of those surveyed said their time online has increased significantly. The numbers were also far higher for millennials, 64% of whom said their internet usage increased compared to just 45% of Baby Boomers. Surprisingly, the figures represent a decrease compared to previous reports released in 2019 and 2018. Nearly 80% of respondents in 2018 said data breaches caused them stress, a 7% increase compared to the findings in 2021. More than 60% also said ransomware was a “top concern.”

    Despite the stress caused by news of data breaches, there was an increase in the percentage of respondents who said they felt more prepared to protect their digital accounts from attack. Thirty-six percent of respondents said they felt more prepared to deal with an attack while 23% said they felt less prepared. Just 30% of those surveyed said they use any kind of security platform to protect their devices and personal information. Kaspersky researchers found that 46% of respondents believe they have a basic understanding of cybersecurity while 17% said they were “experts.” Those figures represented a decrease compared to 2019, when 52% of respondents said they had a basic understanding of cybersecurity.

    As a way to cut down stress, 53% of respondents said they watched TV while 32% used online workout tools and 14% used meditation apps. Despite the stress of the internet and news, 51% of Gen Z respondents and 49% of millennials told the researchers that they used social media as a way to relax.

    Archie Agarwal, CEO at ThreatModeler, said the report shows a paradox as respondents are extremely worried about security incidents and yet this does not necessarily translate into action. For example, 64% feel having their bank account compromised would be more stressful than losing their job and yet 44% do not use PINs to protect their mobile devices.

    “With the prevalence of mobile banking this outwardly seems puzzling. As fear may not necessarily be a good motivator to action, organizations should be mindful of using fear to motivate employee behavior regarding good security practices and look for positive reinforcements,” Agarwal said. “The continual slew of cyber security news will not slow down anytime soon and barring desensitization will continue to be a major stressor in our society. From the research it is clear most respondents consider themselves to be under-equipped in terms of cyber security knowhow. Fear is often a consequence of not knowing or understanding and feeling ill-prepared.”

  • Crystal Valley Cooperative becomes latest agriculture business hit with ransomware

    Minnesota-based farm supply and grain marketing cooperative Crystal Valley has become the latest agriculture business hit with a ransomware attack. The company released a statement on its website Tuesday afternoon, but the website is currently down as of Wednesday. 

    On Facebook, Crystal Valley Cooperative confirmed that it had been hit with a ransomware attack on Sunday, September 19.

    “The attack has infected our computer systems and interrupted the daily operations of our company. Due to this computer breach, all systems of the Mankato-based cooperative have been shut down until they can be restored safely and securely,” the company said. “Due to this, we are unable to accept Visa, Mastercard, and Discover cards at our cardtrols until further notice. Local cards do work. As we continue to navigate through this with the help of experts, we appreciate your patience and understanding. We will continue to update with information as it becomes available.”

    In messages to ZDNet, a spokesperson for the company confirmed that their phone system is also down. Based in Mankato, Minnesota, Crystal Valley Cooperative is a local full-service agricultural cooperative focused on helping crop farmers and livestock producers in southern Minnesota and northern Iowa.

    The Free Press in Minnesota reported that the company works with 2,500 farmers and livestock producers while employing 260 full-time workers. CEO Roger Kielholz told the newspaper that the company is “working diligently with our internal IT team along with multiple outside technology vendors to restore our data and return to full-service operation in a matter of days, especially now with fall harvest getting underway.”

    The ransomware attack is the second in the last week targeting an agriculture cooperative. Iowa-based farm service provider NEW Cooperative was hit with a ransomware attack last week. The BlackMatter ransomware group took credit for the attack and was demanding a $5.9 million ransom.

    In that case, many observers noted what Kielholz mentioned in his statement: that this was a particularly bad time for a cyberattack considering this is when harvests begin to ramp up for farmers.

    Curtis Simpson, CISO at cybersecurity firm Armis, said the agriculture industry struggles with the sheer fact that every type of technology from today to decades past is part of a larger supply chain. Budgets, technical projects, cybersecurity, and business risk mitigation efforts are all impacted by the spiderweb of integrated old and new technologies, Simpson explained.

    “Older, larger organizations are often trying to catch up with technical debt across the organization while trying to keep up with acquisitions of smaller, less secure operations — all while running a fundamentally low-margin business. The smaller operations often outsource security and technology efforts,” Simpson said. “Unfortunately, and once again, many attackers are more than aware of the potential impacts and what this may mean to the number of zeros in a potential ransom payment.”

    Darktrace director of strategic threats Marcus Fowler added that with two attacks on critical grain cooperatives this week so close together, all organizations in critical infrastructure, specifically the food and agriculture sector, should be on high alert.

    “If these two attacks were both conducted by BlackMatter, this could indicate a broader supply chain attack or campaign targeting the food chain, which means there may be other companies that were breached and don’t know it yet or have failed to report,” Fowler said. “These ransomware attacks forced both companies to take their systems offline, which could have significant and longer-term consequences. Ceasing operations could cut off feed supply for animals and, in turn, cut meat processing, dairy production, and more, creating enormous unintended consequences and potentially food scarcity nationwide.”

    Earlier this month, the FBI released a notice warning companies in the food and agriculture sector to watch out for ransomware attacks aiming to disrupt supply chains.

    “Food and agriculture businesses victimized by ransomware suffer significant financial loss resulting from ransom payments, loss of productivity, and remediation costs. Companies may also experience the loss of proprietary information and personally identifiable information and may suffer reputational damage resulting from a ransomware attack,” the FBI said.

    The notice goes on to list multiple attacks on the food and agriculture sector since November, including a Sodinokibi/REvil ransomware attack on a US bakery company, the attack on global meat processor JBS in May, a March 2021 attack on a US beverage company and a January attack on a US farm that caused losses of approximately $9 million.

    JBS ended up paying an $11 million ransom to the REvil ransomware group after the attack caused meat shortages across the US, Australia and other countries. In November, the FBI also cited an attack on a US-based international food and agriculture business that was hit with a $40 million ransom demand from the OnePercent Group.

  • Brave now offers video conferencing built into the browser

    Chromium-based browser maker Brave has unveiled Brave Talk, a video service based on an implementation of the open source video meeting platform Jitsi.

    Brave is one of over a dozen Chromium-based browsers vying for a space on desktops and mobile devices as an alternative window to the web beyond Google Chrome, Mozilla Firefox and Apple Safari. It’s now, perhaps rather belatedly, jumping on the video conference bandwagon to join Zoom, Microsoft Teams, Google Meet, and Cisco Webex with Brave Talk.

    Brave bills itself as a privacy-focused browser. It arrived in 2016 with the promise of tracking protection, an ad blocker, and HTTPS Everywhere. While it is a popular Chrome alternative, its crypto methods of monetizing the software with ads have annoyed some users. Nonetheless, the company is taking the same privacy message to the video meeting space. It argues that many other video conferencing providers monitor calls, metadata, and images, and the records of that data can be sold or shared without user consent.

    “Brave Talk users can enable multiple layers of encryption on calls, so an eavesdropper cannot listen in on users’ calls, and our servers don’t save metadata, so calls, images, and activities are never recorded or shared without user consent.”

    Brave Talk is underpinned by 8×8, a video meeting service provider that uses the Jitsi video meeting platform and the WebRTC (Web real time communications) standard for video codecs in browsers.

    With apps like Zoom and Teams already well-entrenched among consumers and businesses, it’s going to be hard for something like Brave Talk to break through, but it’s another tool for those who use Brave for privacy reasons at a time when video meetings are crucial for day-to-day life. 

    Brave in February claimed to have 25 million active users and now says it has 36 million users. Brave Talk is free for one-to-one video calls. It also features video groupwatch, YouTube livestreaming, and unlimited call times for free version users. There is a paid-for version too: group calls with three or more people cost $7 a month. The paid service includes call recordings, muting and entry passcodes, and calls with larger groups. In coming weeks, Brave plans to launch a free version of Brave Talk in the Android and iOS apps.