Below are the top headlines we’ve been reporting this whole week on *Cyber Security Headlines* (a daily 6-minute cyber news podcast).
If you’d like to hear and participate in a discussion about them, the CISO Series does a live 20-minute show every Thursday at 4pm PT/7pm ET. The show is hosted by reporter u/Steve_P_Online and we welcome a cyber practitioner to offer some color to the week’s stories. Our guest this week/tonight is Robert Wood, CISO, Centers for Medicare & Medicaid Services.
If you want to get involved you can watch live and participate in the discussion on Crowdcast ([register](https://www.crowdcast.io/e/cyber-security-headlines)), or you can just[ subscribe to the *Cyber Security Headlines* podcast](https://cisoseries.com/subscribe-podcast/) and get it into your feed.
Here are some of the stories we’ll be covering.
## Ransomware backup provider Exagrid pays $2.6m to ransomware attackers
The ransom was paid in bitcoin on May 13. Accession to the ransomware attacker’s demands was made more embarrassing when the backup appliance supplier – which makes a big play of its strengths against ransomware – accidentally deleted the decryption tool and had to ask for it again. The ransomware group, Conti, who had lurked inside the Exagrid network for over a month, revealed they had over 800 gigabytes of personal data of clients and employees, commercial contracts, NDA forms, financial data, tax returns and source code. The initial ransom demanded was $7,480,000 but was negotiated down to $2.6 million.
([The Hacker News](https://thehackernews.com/2021/06/tiktok-quietly-updated-its-privacy.html))
## FBI subpoenas info on readers of news story on slain agents
The subpoenas demanded that U.S. newspaper giant Gannett provide agents with information to track down readers of a USA Today story about a suspect in a child pornography case who fatally shot two FBI agents in February. The subpoena asks for information about anyone who clicked on the article for a period of about 35 minutes on the day after the shooting. It seeks the IP addresses — which can sometimes be used to identify the location of a computer, the company or organization it belongs to, and where it was registered — along with mobile phone identification information of the readers.
## US recovers millions in cryptocurrency paid to Colonial Pipeline ransomware hackers
This follows the attack which prompted the shutdown of the key East Coast pipeline last month. The Justice Department is expected on Monday to announce details of the operation led by the FBI with the cooperation of the Colonial Pipeline operator, people briefed on the matter said. Though paying the ransom to restore operations, behind the scenes, the company had taken steps to notify the FBI and followed instructions that helped investigators track the payment to a cryptocurrency wallet used by the hackers, believed to be based in Russia. CNN earlier reported that federal agencies are adept at tracing currency used to pay ransomware groups, but its ability to effectively do so “situationally dependent” and relies a great deal on how the ransomware organizations manage their operational network.
## StackOverflow, Twitch, Reddit, others down in Fastly CDN outage
A Who’s Who of major websites around the world also including Amazon, CNN, Shopify, Hulu, Quora, the BBC and many others went down or slowed yesterday. Browsers received a “503 Service Unavailable” notice or CSS-free web pages as content failed to arrive. The outage was traced to San Francisco-based Fastly, a popular content delivery network. Fastly calls the occurrence, which lasted just an hour, a “global CDN disruption.”
([Bleeping Computer](https://www.bleepingcomputer.com/news/security/stackoverflow-twitch-reddit-others-down-in-fastly-cdn-outage/) and[ TechCrunch](https://techcrunch.com/2021/06/08/numerous-popular-websites-are-facing-an-outage))
## 47% phishing increase in first quarter of 2021
PhishLabs identified 47% more phishing sites in Q1 of 2021 than there were in Q1 of 2020. This trend is continuing as Q2 attacks are also up significantly year-over-year. Social media, especially messaging apps, topped the list for the first time, suggesting that threat actors are increasingly drawn to the massive reach and often careless user attitudes toward the security of their social media accounts. Accounts used for single sign-on (SSO) were also heavily targeted in Q1, accounting for 40% of overall phishing volume.
## Survey finds many workers don’t know emergency procedures
Rave Mobile Safety issued the results of its 2021 Workplace Safety and Preparedness Survey, which indicates that employers remain challenged with how to best protect and communicate with employees both on-site and remotely in a year of unprecedented change. Key findings revealed only 28% of traveling and remote workers are involved with safety drills. A third of respondents said they were unsure of emergency plans related to active shooter, cyberattacks/system outages and workplace violence. Finally, survey results showed that email and in-person alerting were the most common communication methods utilized by employers, even though respondents in the 30-44 and 45-60 age groups say their preferred method of communication is mass text message.
([Security Magazine](https://www.securitymagazine.com/articles/95379-survey-finds-many-workers-dont-know-emergency-procedures) and [Rave Mobile Security](https://www.ravemobilesafety.com/whitepapers/2021-survey-workplace-safety-preparedness))
## US brokerage firms warned of ongoing phishing scam leveraging penalty threats
U.S. securities industry regulator, FINRA, has warned brokerage firms of an ongoing phishing campaign threatening recipients with late submission penalties unless they provide the information requested by the attackers. The tactic is designed to induce a sense of urgency, in hopes that victims will respond before validating the legitimacy of the emails. The market regulator, which supervises over 620,000 brokers across the U.S, stated on Monday, “FINRA warns member firms of an ongoing phishing campaign that involves fraudulent emails purporting to be from FINRA and using the domain name u/gateway-finra.org.”