Ransomware attack sends US county back to 1977

In brief Somerset County, New Jersey, was hit by a ransomware attack this week that hobbled its ability to conduct business, and also cut off access to essential data.

"Services that depend on access to county databases are temporarily unavailable, such as land records, vital statistics, and probate records. Title searches are possible only on paper records dated before 1977," the county said in a statement.

The attack, which happened on Tuesday, took down email services for county government departments as well as leaving the county clerk's office "unable to provide most services which are reliant on internet access." Somerset County residents were asked to contact government offices via Gmail addresses set up for various departments, or via phone. 

For Somerset's 911 system, and its jails and courts, business continued as usual, though at a bit slower rate. New Jersey's primary elections, which are scheduled for June 7, will also continue normally in the county, as "digital records and voting machines for the upcoming Primary Election are never connected to the county system and are unaffected."

According to Somerset County Administrator Colleen Mahr, the outages were likely to remain in effect for at least the rest of this week. "We have an outstanding IT department that is working around the clock to evaluate our situation, prevent further damage, and ultimately recover," Mahr said. 

The county government has not responded to a request for an update on their status, but they're probably a bit busy.

Unknown APT attacking Russia may be Chinese

Malwarebytes has discovered an advanced persistent threat (APT) group attacking Russia, and in a bit of a twist said that the organization shows signs of being from China.

Starting in February, the unknown group launched four separate spear-phishing campaigns against Russian government entities, including the state-controlled Russia Today television network. The attacks themselves aren't novel: one launched days after Russia's invasion of Ukraine contained malware designed to look like an interactive map of Ukraine, a second contained a fake patch for Log4j, and another contained a .doc file with a fake job offer in it with some embedded malicious macros.

The fourth campaign involved attackers impersonating Russian firm Rostec and pushing fake software patches. The inclusion of state-owned defense company Rostec in the phishing campaigns is of particular interest, as Chinese cyberspies were recently found waging a phishing campaign against some of Rostec's subsidiaries.

Malwarebytes said attributing the attacks to anyone is tough, in part because "threat actors are known to use indicators from other groups as false flags." The infrastructure of the attack is what clued researchers off to its Chinese origin, who wrote that much of the way the attack is structured reflect previously identified Chinese actors. 

Of their assessment, Malwarebytes said they have "low confidence," we note.

AI can 'catch and kill malware' in 0.3 seconds

Boffins in Cardiff University, Wales, recently published a paper in which they claimed to have devised a novel AI that can "successfully prevent up to 92 percent of files on a computer from being corrupted, with it taking just 0.3 seconds on average for a piece of malware to be wiped out."

The team approached AI detection of malware from the perspective of figuring out not what's written in a malware's binary, but what malware typically does as it infects and begins attacking a system.

Traditional antivirus, said study co-author Pete Burnap, suffers from the fact that malware makers simply modify and obfuscate their code, rendering previous antivirus definitions obsolete.

"We want to know how a piece of malware behaves so once it starts attacking a system, like opening a port, creating a process or downloading some data in a particular order, it will leave a fingerprint behind which we can then use to build up a behavioral profile," Burnap said. 

Detection of malware behavior isn't novel in and of itself, as endpoint detect and response software works similarly. What the team said their design does differently is add real-time malware killing to the mix that eliminates the need to send data to administrators for verification, losing valuable seconds to stop an infection.

Don't expect to see this in your environment anytime soon, though: it has a 14 percent false positive rate that "remains too high to adopt this approach as-is," the researchers wrote.

Patch time: Google plugs dozens of Chrome security holes

Google Chrome version 102 was released this week, and if you were thinking of delaying that update, don't: it contains 32 security fixes for desktop devices.

Of the fixes, Google said a use-after-free vulnerability in Indexed DB was rated as critically severe, and it may have been the impetus for this particular patch release, as it was reported to Google on May 12. Use-after-free() attacks involve exploiting buggy code to make it alter or read memory that has been released for use in other purposes, which can result in the software inadvertently executing malicious arbitrary code.

According to vulnerability cataloging site Vuldb, this particular bug is easy to exploit, can be done remotely, and doesn't require any authentication. 

Additionally, 12 of the vulnerabilities in the patch were considered highly severe, 13 were rated medium severity, and six were rated low. Twelve of the vulnerabilities involve use-after-free() bugs in Chrome's Bookmarks, tablet mode, ANGLE, Messaging, sharing, and more. 

Chrome 102 will be rolling out over the coming days and weeks, Google said, and is part of Chrome's new extended stable release channel for Windows and macOS. Google describes extended stable release as doubling Chrome's version lifecycle "by backporting important security fixes to create an extended stable channel, where a new milestone is shipped every eight weeks." 

Phishing attack nets $144k from Chinese tech company employees

Twenty-four employees at Chinese internet portal Sohu recently fell victim to a phishing attack to the tune of $6,000 each, reinforcing, yet again, the importance of good cybersecurity awareness training. 

The victims each received an email from a previously-compromised Sohu employee account telling them that if they provided bank account details and some additional personal information they would receive an additional allowance from the company. Instead of getting said allowance, they each saw more than 40,000 Yuan drained from their accounts. 

The fact the email came from an internal address is what tricked the victims, Sohu said in a statement. The address used to launch the scam was compromised in another successful phishing attack the company faced earlier, it said. The company said in a statement that the attack didn't affect its consumer-facing email services. 

Sohu shared news of the phishing attack on Weibo, facing plenty of snark from users. "How can a tech company make such a low-level mistake," one commenter asked. Getting around the human element in cybersecurity is a well-established problem, and one without an easy solution. 

In its 2022 Data Breach Investigation Report, Verizon said that cybersecurity training helps, but it's difficult to quantify its effectiveness. One would hope it wouldn't take much training to convince employees not to give their bank account information out in an email, internal or not. ®