Expel's Bruce Potter, who once worked as a senior technical advisor for President Obama’s Commission on Enhancing National Cyber Security, discusses the challenges and opportunities of being a CISO during the COVID-19 pandemic.

On the COVID-19 pandemic: "As a company, we are much more reliant on our technology than we were before the pandemic, particularly with respect to collaboration and communication tools."

On the biggest security threats: "From the latest Twitter hack to some of the earliest attacks on the Internet, social engineering is still the number one way companies get compromised."

On the evolving role of the CISO, he observed: "I expect CISOs to be elevated in organizational charts and be responsible for broader swaths of risk, not just cyber."

 Click here to upgrade to premium and read the full interview!

President Donald Trump has approved a deal that would result in Oracle and Walmart teaming with TikTok to form a U.S. company. Under the agreement, Oracle would take a 12.5% stake and Walmart would take a 7.5% stake in the new TikTok, as part of an initial public offering of stock within the next year. Oracle would take over responsibility for hosting all TikTok's U.S. user data and securing computer systems to meet U.S. national security and data security requirements.

More:

• As reported by Inside Security, the Department of Commerce issued an order Friday that would have banned TikTok and WeChat from U.S. stores beginning Sunday. Commerce said Saturday that it would delay the order for TikTok until the end of day Sept. 27.
• A California court judge has temporarily blocked the Commerce Department's ban of the WeChat app 
• President Trump said that TikTok would be making a $5bn contribution to fund U.S. educational efforts as part of the deal, a claim that TikTok's parent company ByteDance disputes. 
• ByteDance said it will retain an 80% stake in TikTok under the agreement. However, Oracle and Walmart issued a joint statement that U.S. investors will own a majority stake in a new company called TikTok Global that will emerge from the deal.

CYBER BREACH MONDAY:

Every Monday, I summarize the most important breaches, so you stay up-to-date on the latest cybersecurity incidents. In today's issue:

College of Nurses of Ontario (Ontario, Canada): 195,000 breach victims; personal information on nurses who are members of the college may have been compromised in a ransomware attack. 

Children's Minnesota (Minn.): 160,268 breach victims; network server hacking incident.

To read more, click here to upgrade to premium!

Fileless malware is the most common attack method used by hackers against enterprises, making up 30% of all attacks. The second most popular attack vector is dual-use PowerShell tools (24%), followed by credential dumping tools (21%), ransomware (8%), worms (7%), remote access trojans (4%), and banking trojans (3%). The data was compiled by Cisco from its endpoint security product during the first half of 2020.

More from Cisco:

• Fileless malware is malicious code that runs in memory after the initial infection, instead of through files stored on the hard drives. Examples include Kovter, Poweliks, Divergent, and LemonDuck.
• Dual-use PowerShell tools can be used for legitimate purposes, such as penetration testing, as well as malicious activity. Examples include PowerShell Empire, CobaltStrike, Powersploit, and Metasploit.
• Credential dumping tools are used by attackers to scrape login credentials from a compromised computer. In the first half of 2020, the most popular of these tools was Mimikatz.
• Cisco also detected ransomware such as Ryuk, Maze, BitPaymer, and others; worms such as Ramnit and Qakbot; RATs like Corebot and Glupteba; and banking trojans such as Cridex, Dyre, Astaroth, and Azorult.

CYBERSECURITY MASTERCLASS:

Joseph C. Pucciarelli, IDC group vice president and IT executive advisor, recommends that CIOs and CISOs take the lead in advising the organization's C-suite and board in the transition to the "new normal" work environment...

To read the rest of today's piece and receive this feature weekly, start your FREE 14-day trial of Inside Security Premium! 

Google's App Engine subdomains can be exploited to launch phishing attacks without being detected by enterprise security products. Marcel Afrahim, a cybersecurity researcher with JPMorgan Chase, found that the App Engine's subdomain generator could be abused to bypass security controls and send victims to malicious landing pages. 

More:

• Cloud-based Google App Engine enables application developers to build web and mobile backends in any programming language on a serverless platform. 
• Afrahim explained that an attacker could set up many invalid subdomains that direct victims to a central malicious app while hiding from security tools.
• Another researcher, Yusuke Osami, identified a list of more than 2,000 subdomains generated by App Engine that could be used as phishing landing pages disguised as a Microsoft sign-in portal.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive instructing federal agencies to patch the Netlogon remote protocol vulnerability in Windows Server by 11:59 pm EDT Monday. The bug could enable an attacker with network access to a domain controller to compromise all Active Directory identity services. Microsoft issued a patch for the bug on Aug. 11.

More:

• CISA is also giving federal agencies until 11:59 pm EDT on Wednesday to verify that the patch has been applied.
• As reported in Inside Security, Dutch security firm Secura discovered that attackers could exploit the Netlogon bug to become a domain administrator of an enterprise network "with one click."
• The attack, dubbed Zerologon by Secura, exploits a weak algorithm used in Netlogon's authentication process.

Maze ransomware attackers are using a technique developed by the Radnar Locker hackers, which distributes ransomware inside of a virtual machine (VM) to avoid detection. The Maze attackers distributed ransomware on the VM's virtual hard drive, which was delivered inside of a Windows .msi installer file larger than 700MB, explained Sophos' Managed Threat Response team.

More:

• In the Radnar Locker incident, the attackers deployed the ransomware inside an Oracle VirtualBox Windows XP virtual machine.
• The Ragnar Locker ransomware group conducts reconnaissance on its target's network and steals sensitive data before encrypting systems.
• The Maze group demanded a $15M ransom, but the victim did not pay it. 

Distributed denial-of-service (DDoS) attackers targeted Tutanota, a German-based encrypted email service provider. The DDoS threat actors launched two attacks: one against the company's website and another against its Domain Name System providers. The second one caused the most disruption, taking down the service for millions of users for several hours last week.

More:

• Tutanota said it could not change the DNS entries for its domain quickly enough to prevent the shutdown.
• Other leading encrypted email service providers include ProtonMail, Posteo, Kolab Now, Mailfence, and mailbox.org.
• As Inside Security reported last week, DDoS attacks surged 151% year-over-year in the first half of 2020.

QUICK HITS:

• Federal government and private sector organizations are urging power companies to adopt security best practices in their incident response and recovery plans. 
• The Mozi botnet has led to a spike in Internet of Things botnet activity, according to IBM.
• A bug in Mozilla's Firefox browser could enable a hacker to hijack nearby mobile browsers using Wi-Fi.
• Iranian group Rampant Kitten is targeting anti-regime organizations in a cyberattack campaign.
• Brands see 18.5% of e-commerce revenue from SMS marketing. See 6 top SMS campaigns here.* 

*This is sponsored content.