Below are the top headlines we’ve been reporting this whole week on Cyber Security Headlines.
If you’d like to hear and participate in a discussion about them, the CISO Series does a live 20-minute show every Thursday at 4pm PT/7pm ET. Each week I welcome a different cyber practitioner to offer some color to the week’s stories. Our guest this week is Olivia Rose, CISO and VP of IT & Security at Amplitude.
If you want to get involved you can watch live and participate in the discussion on Crowdcast ([register](https://www.crowdcast.io/e/cyber-security-headlines)), or you can just [subscribe to the Cyber Security Headlines podcast](https://cisoseries.com/subscribe-podcast/) and get it into your feed.
Here are some of the stories we’ll be covering.
## Israeli firm uses Windows zero-days to deploy spyware
Microsoft and Citizen Lab have linked the Israeli spyware vendor Candiru (tracked by Microsoft as Sourgum) to new Windows spyware dubbed DevilsTongue, which was deployed using Windows zero-day vulnerabilities that have since been patched. “Candiru is a secretive Israel-based company that sells spyware exclusively to governments,” explained Citizen Lab, and its spyware can reportedly infect and monitor iPhones, Android devices, Macs, PCs, and cloud accounts. Citizen Lab also tied more than 750 websites to Candiru’s spyware infrastructure, finding that many of those domains mimicked the domains of media companies and advocacy organizations, including Amnesty International and Black Lives Matter.
## Cyberattacks increased 17% in Q1 of 2021, with 77% being targeted attacks
That is according to the new Positive Technologies Cybersecurity Threatscape Q1 2021 report. Cybercriminals most often attacked government institutions, industrial companies, and science and education institutions, and the main motive for attacks on both organizations and individuals remains the acquisition of data. Other findings in the report: ransomware is still the malware most often used by attackers; the vulnerabilities most popular with attackers this quarter were those in Microsoft Exchange Server, Accellion, and SonicWall VPN products; and more cybercriminals are developing malware to attack virtualization environments.
## Saudi Aramco data breach sees 1TB of stolen data for sale
Saudi Aramco, the world’s largest oil producer and possibly the biggest company in the world, has been informed that its stolen data is now for sale by a group calling itself ZeroX, at a starting price of $5 million for the entire dump. The hackers claim to have performed a “zero-day exploitation” of Aramco’s “network and its servers” sometime in 2020. The group says the dump includes documents pertaining to Saudi Aramco’s refineries in multiple Saudi Arabian cities, including employee IDs and PII, project specs for electrical and other infrastructure, network layouts mapping out IP addresses, SCADA points, Wi-Fi access points, IP cameras, and IoT devices, as well as location maps and precise coordinates. Saudi Aramco has pinned the incident on third-party contractors and states that it had no impact on Aramco’s operations.
## China fires back at US after Exchange hack accusations
Following up on a story Cyber Security Headlines covered [yesterday](https://cisoseries.com/cyber-security-headlines-july-20-2021/), in which the US and its allies pinned the Microsoft Exchange attacks on hackers affiliated with China’s Ministry of State Security, Chinese foreign-ministry spokesman Zhao Lijian rejected the accusations and in turn accused the US of being the largest purveyor of cyberattacks, targeting Chinese aerospace, science and research institutions, the oil industry, government agencies, and internet companies over the last 11 years. He accused the US of carrying out targeted attacks on Chinese devices, wiretapping its competitors and allies, and pushing NATO toward a cybersecurity alliance that Zhao claims will “undermine international peace and security.”
## Ransomware negotiation logs published
Over 100 pages of ransomware negotiation transcripts from the now-defunct Egregor operators, covering 45 different negotiations, were analyzed by IBM Security X-Force and its partner company Cylera. While Egregor ran as a ransomware-as-a-service operation, the negotiations are believed to have been handled by its core team. The chats revealed the likely roles within the Egregor team and how the operators derived their initial ransom demands. They showed occasional empathy, such as an offer to decrypt a charity’s systems without a ransom, but otherwise the operators always leaked stolen data when a ransom wasn’t paid. The analysis also showed that victims who negotiated with the operators ended up paying lower ransoms. ([CyberScoop](https://www.cyberscoop.com/egregor-chat-logs-ibm-ransomware-negotiations/))