Articles of interest from the week of March 21, 2022

Browser-in-the-Browser Attack Makes Phishing Nearly Invisible

Can we trust web browsers to protect us, even if they say “HTTPS?” Not with the novel BitB attack, which fakes popup SSO windows to phish away credentials for Google, Facebook and Microsoft, et al. (By Lisa Vaas, Threatpost)

Cyber Insurance and War Exclusions

Cyber-insurance policies typically have "war exclusion" or "hostile act exclusion" language built into them. This language essentially says that insurers cannot defend against acts of war. In the first quarter of this year, cyber-insurance markets were already tightening war exclusion provisions to deny coverage. In light of Russia's invasion of Ukraine — and the anticipated cyber fallout — security professionals should review their cyber-insurance coverage with an eye toward determining coverage gaps. (By Beth Burgin Waller, Dark Reading)

Microsoft and Okta Confirm Breach by LAPSUS$ Extortion Group

Microsoft on Tuesday confirmed that the LAPSUS$ extortion-focused hacking crew had gained "limited access" to its systems, as authentication services provider Okta revealed that nearly 2.5% of its customers have been potentially impacted in the wake of the breach. (By Ravie Lakshmanan, The Hacker News)

Hundreds of HP Printer Models Vulnerable to Remote Code Execution

HP has published security advisories for three critical-severity vulnerabilities affecting hundreds of its LaserJet Pro, Pagewide Pro, OfficeJet, Enterprise, Large Format, and DeskJet printer models. (By Bill Toulas, Bleeping Computer)

FBI: Victims Lost Nearly $7 Billion to Cybercrime in 2021

A new report released by the FBI's Internet Crime Complaint Center (IC3) shows that financial losses due to suspected cybercrime continued to rise sharply over the course of 2021, to a total of $6.9 billion in that year alone, with 847,000 complaints lodged by victims. (By Jon Gold, CSO)