Hi readers,
Every Monday, I share insights from leading CISOs through exclusive interviews, podcast summaries, and thought leadership articles. In this issue, Nikk Gilbert talks about his experiences as a CISO at a large U.S. organization.
Of course, this issue also includes the popular CYBER BREACH MONDAY feature, a summary of the latest data breaches from around the world. Here's a sampling of recent breaches:
- 104 Job Bank (Taiwan): 6 million breach victims; Chinese hackers stole personal data from Taiwan's largest job bank.
- Nuvance Health (N.Y.): 314,829 breach victims; network server hacking/IT incident.
On Wednesday, I am running my PATCH WATCH column to ensure you never miss a critical security update from leading vendors. On Thursday, I present my SECURITY TRENDS and PODCAST NOTES features.
To enjoy this great content and more, upgrade to premium! For a limited time, we are offering a 14-day free trial of our premium content.
Thanks for supporting my work during these unprecedented times!
Fred
Nikk Gilbert shares his thoughts on being a CISO at a large U.S. organization.
- On the COVID-19 pandemic: "From a big picture perspective, we weren't too worried about remote working. It was more about communication with the people in the team using different tools."
- On the biggest security threats: "There are two things that I think are the biggest concerns in the current state of affairs: user awareness and patching."
- On the evolving role of the CISO: "The CISO of the future will need to have a better understanding of the needs of the business."
- Click here to upgrade to premium and read the full interview!
Inside Security Q&A with Nikk Gilbert, who shares his thoughts on being a CISO at a large U.S. organization during the COVID-19 pandemic. Subscribe now to read the full interview. Click here to upgrade to premium!
Microsoft has pushed out a new enterprise security tool that enables administrators to update Defender inside Windows installation images. Installation images are often reused for months at a time. As a result, the Defender security package is installed using an out-of-date detection database. The new tool solves this problem by allowing admins to update their installation images with the most recent Defender component.
More from Microsoft:
- The new feature supports installation images for Windows 10 (Enterprise, Pro, and Home Editions) and Windows Server 2019 and 2016.
- The tool updates the anti-malware client, anti-malware engine, and signature versions in the installation images for Platform version 4.18.2008.9, Engine version 1.1.17400.5, and Signature version 1.323.2216.0.
- To use the tool, admins run the DefenderUpdateWinImage.ps1 PowerShell script against the offline installation image.
ZDNET
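As an added illustration (not code from the newsletter or from Microsoft), the following PowerShell wrapper drives DefenderUpdateWinImage.ps1 across a folder of offline images so that every image is inspected, refreshed, and re-inspected in one pass. The tool path, package path, and image folder are placeholders; the -WorkingDirectory, -Action (ShowUpdate / AddUpdate), -ImagePath and -Package parameters follow the tool's documented usage as I understand it and should be checked against Microsoft's current documentation before use.

```powershell
# Added example: batch-refresh the Defender payload in offline Windows images.
# Run from an elevated PowerShell session; the tool relies on DISM to mount images.
param(
    [Parameter(Mandatory)] [string] $ToolPath,      # placeholder, e.g. C:\DefenderUpdateKit\DefenderUpdateWinImage.ps1
    [Parameter(Mandatory)] [string] $PackagePath,   # placeholder: the Defender update package (.cab) shipped with the kit
    [Parameter(Mandatory)] [string] $ImageRoot,     # placeholder: folder holding the .wim/.vhd/.vhdx images to refresh
    [string] $WorkingDirectory = 'C:\DefenderUpdateWork'   # placeholder scratch folder used by the tool
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkingDirectory -Force | Out-Null

# Collect every offline image under the root; reused golden images are the ones
# most likely to carry a months-old engine and detection database.
$images = Get-ChildItem -Path $ImageRoot -Include *.wim, *.vhd, *.vhdx -Recurse -File

foreach ($image in $images) {
    Write-Host "== $($image.FullName)"

    # Read-only: report which Defender client/engine/signature versions the image carries now.
    & $ToolPath -WorkingDirectory $WorkingDirectory -Action ShowUpdate -ImagePath $image.FullName

    # Inject the newer package (anti-malware client, engine and signatures) into the image.
    & $ToolPath -WorkingDirectory $WorkingDirectory -Action AddUpdate -ImagePath $image.FullName -Package $PackagePath

    # Re-check so a stale image is never handed back to the deployment pipeline unverified.
    & $ToolPath -WorkingDirectory $WorkingDirectory -Action ShowUpdate -ImagePath $image.FullName
}
```

The before/after ShowUpdate calls are the point of the wrapper: the image catalogue, not the running host, is what drifts, so the evidence of a successful refresh should come from the image itself.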
CYBER BREACH MONDAY:
Every Monday, I summarize the most important breaches, so you stay up-to-date on the latest cybersecurity incidents. In today's issue:
104 Job Bank (Taiwan): 6 million breach victims; Chinese hackers stole personal data from Taiwan's largest job bank.
Nuvance Health (N.Y.): 314,829 breach victims; network server hacking/IT incident.
To read more, click here to upgrade to premium!
To read the rest of today's data breaches and get access to full newsletters on a daily basis, take advantage of our 14-day free trial offer for premium content!
eResearch Technology (ERT), a Philadelphia-based software provider for clinical drug trials, has been hit by ransomware that has slowed down some of those trials. ERT customers include IQVIA, a research organization managing AstraZeneca's COVID-19 vaccine trials, and Bristol Myers Squibb, which heads a consortium to develop a quick test for COVID-19.
More:
- An ERT spokesman said that the company was hit by the ransomware on Sept. 20 and it is still working to bring systems back online.
- IQVIA and Bristol Myers Squibb said the impact of the ERT ransomware attack was limited.
- Some clinical trial researchers have been forced to track patients using pen and paper.
NEW YORK TIMES
Rockwell Automation has acquired Oylo, a Spanish industrial cybersecurity firm, for an undisclosed consideration. Rockwell Automation plans to add Oylo to its Lifecycle Services operating unit.
More:
- Oylo provides security assessments, incident response, and managed services for industrial control systems and other critical infrastructure.
- Rockwell said its acquisition of Oylo complements the cybersecurity expertise it gained through the recent acquisition of Avnet Data Security earlier this year.
- Israel-based Avnet Data Security provides operational technology (OT) security services ranging from assessments, penetration testing, network security, and training to converged IT/OT managed services.
Cybercrime group Team TNT has added password-stealing and network-scanning capabilities to its crypto-mining Black-T malware, according to researchers at Palo Alto Networks' Unit 42. Black-T collects plaintext passwords from the memory of compromised systems and sends them to the group's command-and-control servers. Team TNT also added the zgrab network scanner, written in Go, to its arsenal.
More from Unit 42:
- Team TNT is known for attacking AWS credential files on compromised cloud systems and mining Monero cryptocurrency.
- The group is also targeting and stopping other cryptomining malware, such as Crux worm, ntpd miner, and a redis-backup miner.
- Team TNT employs the memory password-scraping tools mimipy and mimipenguins, which are *NIX equivalents of the Windows memory password scraper Mimikatz.
BLEEPING COMPUTER
Google has set up a new program to spur Android device makers to fix security problems more quickly. The program is called the Android Partner Vulnerability Initiative (APVI), and it identifies security bugs in code not maintained by Google. The company will notify manufacturers before disclosing the bugs so that they have a chance to fix the issues.
More from Google:
Under the APVI program, Google has already pushed Android device manufacturers to fix the following security bugs:
- Permission bypass: In some versions of a third-party pre-installed over-the-air (OTA) update app, a custom system service in the Android framework exposed privileged application programming interfaces directly to the OTA app.
- Credential leak: A popular web browser pre-installed on many devices included a built-in password manager that could leak a user's credentials.
- Overly privileged apps: The checkUidPermission method in the PackageManagerService was modified in the framework code for some devices to allow overly broad permission access to some apps.
GRAHAM CLULEY
Kaspersky Lab researchers have discovered persistent malware that targets a computer's Unified Extensible Firmware Interface (UEFI), the firmware that loads its operating system (OS). The malware survives even a full wipe of the hard drive because the UEFI firmware resides in flash storage on the motherboard rather than on the disk. Once it infects a machine, the malware deploys spyware that the researchers call MosaicRegressor.
More from Kaspersky:
- The malware is based on VectorEDK, a hacking tool developed by the notorious and now-defunct Hacking Team.
- UEFI replaces the legacy basic input/output system (BIOS) firmware.
- Chinese-speaking threat actors appear to be responsible for these attacks, which target diplomats and nongovernmental organizations.
WIRED
Threat actors have been exploiting zero-day bugs to install malware on Tenda routers and set up an Internet of Things botnet, according to Qihoo 360's Netlab. The botnet, called Ttint, has some unique features, including implementing 12 different remote access methods to the infected routers, employing the routers as proxies to relay traffic, changing the router's firewall and DNS settings, and enabling remote command execution.
More from Netlab:
- The attackers used two Tenda router zero-days to spread a remote access trojan based on Mirai code.
- They communicate using the WebSocket over TLS protocol to circumvent Mirai traffic detection tools.
- The threat actors first used a Google Cloud service IP and then switched to a hosting provider in Hong Kong.
ZDNET
QUICK HITS:
- Dating app Grindr fixed a security bug that could enable a hacker to take control of a user's account.
- China's customs authority is probing the possible leak of sensitive data from Chinese car parts makers to a foreign firm.
- Two Long Island school districts were recently hit by distributed denial-of-service attacks that disrupted virtual learning.
- An unidentified attacker has been trying to disrupt Trickbot, which operates a botnet of more than two million infected PCs.
- See how leading sales teams are solving their challenges of selling remotely.*
- Top executives from Netflix, Calm, T-Mobile, and Okta discuss identity access management. Don’t miss the event. Sign up here.*
*This is a sponsored post.
We're hiring! Check out our available positions:
Fred Donovan is a professional writer, editor, and content specialist with decades of experience, most recently in the areas of information technology and cybersecurity. He has written for such publications as HealthITSecurity.com, FierceITSecurity, InfoSecurity Magazine, Report on Patient Privacy, TechGenix, and NetDefense. Fred has a B.A. from Harvard University in government and an M.S. in national security from Georgetown University.
Editor
Sheena Vasani is a journalist and UC Berkeley, Dev Bootcamp, and Thinkful alumna who writes Inside Dev and Inside NoCode.