Feds Have a Busy Two Weeks, British Tween Takes On TikTok, & More Facebook Woes… – PSW #691
Full episode and show notes
This week in the Security News, U.S Formally Attributes SolarWinds Attack to Russian Intelligence Agency, FBI Clears ProxyLogon Web Shells from Hundreds of Orgs, Justice Dept. Creates Task Force to Stop Ransomware Spread, Facebook faces mass legal action over data leak, and more!
We have officially launched SW Labs with our first set of product reviews on Attack Surface Monitoring. To see an overview of the category definition, our testing methodology, or the actual product reviews, please visit https://securityweekly.com/reviews
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
VP, Product at Living Security
- 1. Justice Dept. Creates Task Force to Stop Ransomware Spread
- 2. British Tween Takes On TikTok
- 3. 7 Old IT Things Every New InfoSec Pro Should Know
- 4. NSA: 5 Security Bugs Under Active Nation-State Cyberattack
- 5. FBI Clears ProxyLogon Web Shells from Hundreds of Orgs
- 6. Hackers Set Up 100,000 Websites Delivering Malware Via Malicious PDFs
- 7. US government strikes back at Kremlin for SolarWinds hack campaign
- 8. US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
- 9. Facebook faces mass legal action over data leak
- 10. Facebook Messenger users targeted by a large-scale scam – Help Net Security
- 11. GEICO Alerts Customers Hackers Stole Driver License Data for Two Months
- 12. Nigerian email scammer sent down for 40 months in the US, ordered to pay back $2.7m to victims
Sr. InfoSec Consultant – Online Business Systems at Online Business Sytems
- 1. Pulse Secure Critical Zero-Day Security Bug Under Active ExploitA critical zero-day security vulnerability in Pulse Secure VPN devices has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe, researchers said.
- 2. How to Obtain PCI DSS Compliance and Why It’s ImportantI didn't write this!!!
- 3. Cyberattacks and Security Breach Disclosures: U.S. Federal Law Coming?The U.S. intelligence apparatus is pressing Congress to propose measures that require private industry to share security breach information and other threat intelligence to the federal government.
- 4. Google and Apple grilled on app store policies in tense Senate hearingRivals including Match Group and Spotify accuse the tech giants of retaliation and anticompetitive behavior.
Product Security Research and Analysis Director at Finite State
- 1. Becoming N-able
- 2. In epic hack, Signal developer turns the tables on forensics firm CellebriteOne example of this lack of hardening was the inclusion of Windows DLL files for audio/video conversion software known as FFmpeg. The software was built in 2012 and hasn’t been updated since. Marlinspike said that in the intervening nine years, FFmpeg has received more than 100 security updates. None of those fixes are included in the FFmpeg software bundled into the Cellebrite products.
- 3. Re: [PATCH] SUNRPC: Add a check for gss_release_msg – Greg KH
- 4. Felix Wilhelm on Twitter
- 5. grep.app
- 6. Bash Uploader Security Update – Codecov
- 7. Vulnerability Spotlight: Remote code execution vulnerabilities in Cosori smart air fryer
- 8. Airstrike Attack – FDE bypass and EoP on domain joined Windows workstations (CVE-2021-28316)
- 9. Russian Foreign Intelligence Service Exploiting Five Publicly Known Vulnerabilities to Com
- 10. ‘Master,’ ‘Slave’ and the Fight Over Offensive Terms in Computing
- 11. Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild
- 12. Dutch supermarkets run out of cheese after ransomware attack
- 13. Justice Department announces court-authorized effort to disrupt exploitation of Microsoft Exchange Server vulnerabilities
- 14. IoT bug report claims “at least 100M devices” may be impacted
- 15. Security researcher drops Chrome and Edge exploit on Twitter
- 16. Identity Management Day: Cybercriminals No Longer Hack in, They Log In – Security Boulevard
Information Assurance APL at Lawrence Livermore National Laboratory
- 1. China-linked APT used Pulse Secure VPN zero-day to hack US defense contractorsA new zero-day vulnerability (CVE-2021-22893) affecting PulseSecure VPN equipment is being exploited by two China-linked hacking groups in order to breach networks belonging to U.S. defense contractors as well as government organizations around the world.
- 2. Zero-day vulnerabilities in SonicWall email security are being actively exploitedSonicWall is urging customers to apply patches to resolve three zero-day vulnerabilities (CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023) in its email security solution that are being actively exploited in the wild.
- 3. REvil gang tries to extort Apple, threatens to sell stolen blueprintsThe REvil/Sodinokibi operators published a post on their shaming website on April 20, 2021, claiming to have stolen information from Quanta Computer Inc who refused to pay. Now turning to Apple for ransom.
- 4. Russia-linked APT SVR actively targets these 5 flawsNSA, FBI, and CISA issued a joint alert warning on April 15 that Russia-linked APT group SVR ("Cozy Bear, The Dukes, APT29) has been spotted actively exploiting five vulnerabilities affecting Fortinet FortiGate VPN (CVE-2018-13379), Synacor Zimbra Collaboration Suite (CVE-2019-9670), Pulse Secure Pulse Connect Secure VPN (CVE-2019-11510), Citrix Application Delivery Controller and Gateway (CVE-2019-19781), and VMware Workspace ONE Access (CVE-2020-4006) in attacks targeting U.S. companies and the DIB.
- 5. Security Bug Allows Attackers to Brick Kubernetes Clusters – The Open SecurityVulnerability (CVE-2021-20291) affecting one of the Go libraries on which Kubernetes is based that is triggered when a cloud container pulls a malicious image from a registry could be exploited by attackers to cause a denial-of-service (DoS) condition on the CRI-O and Podman container engines, effectually bricking Kubernetes clusters.
- 6. Domain Name Security Neglected by U.S. Energy Companies: ReportA majority of the largest energy companies in the United States appear to have neglected the security of their domain names, according to CSC it found that the 80 percent of energy firms neglecting their domain names do not use registry locks.
- 7. Arrest Made Over California City Data BreachNearly every member of the Huntington Park, Calif. finance department has been placed on leave and one was arrested following a probe into a "large-scale security breach of electronic financial records at Huntington Park City Hall" on April 14 that resulted in a criminal investigation by the Huntington Park Police Department (HPPD).
- 8. ParkMobile Data Breach: 21Million User Data ExposedAtlanta, Ga.-based smart parking and mobility solutions provider ParkMobile has disclosed that account details belonging to 21 million customers using its ParkMobile app were compromised and are now being sold online following a March 2021 security incident caused by a vulnerability affecting third-party applications used by the company. ParkMobile recommends changing your password.
- 9. Vulnerabilities in OpENer Stack Expose Industrial Devices to AttacksMultiple vulnerabilities (CVE-2021-27478, CVE-2020-13556, CVE-2021-27482, CVE-2021-27500, and CVE-2021-27498) in the OpENer stack are being exploited in attacks aimed at supervisory control and data acquisition (SCADA) and other industrial control systems.
- 10. Popular Codecov code coverage tool hacked to steal dev credentialsCodecov platform used to host code testing reports and statistics has disclosed that an unknown threat actor managed to modify its Bash Uploader on April 1 and expose sensitive information located in customers' CI environments as part of a supply-chain attack that took place in late January.
- 11. NAME:WRECK vulnerabilities could impact 100 million servers, IoT devicesSecurity researchers say they have discovered nine vulnerabilities affecting the FreeBSD, Nucleus NET, IPnet, and NetX TCP/IP stacks, collectively dubbed "NAME:WRECK," that could be leveraged to target a variety of servers, medical devices, and industrial devices.
- 12. Hundreds of electric utilities downloaded SolarWinds backdoor, regulator says – CyberScoopNERC has revealed that 25 percent of approximately 1,500 electric utilities sharing data with the North American power grid say they have installed the malicious SolarWinds software.
- 13. NSA discovers critical Exchange Server vulnerabilities, patch nowMicrosoft today has released security updates for Exchange Server that address a set of four vulnerabilities with severity scores ranging from high to critical. CVE-2021-28480 and CVE-2021-28481 being rated as High-risk due to the possibility of remote code execution without the need for authentication or user interaction.
- 14. Indian Brokerage Firm Upstox Suffers Data Breach Leaking 2.5 Millions Users’ DataOnline trading and discount brokerage firm Upstox has disclosed it suffered a data breach that resulted in more than 2.5 million users' PII being exposed on the dark web.
- 15. Dutch supermarkets run out of cheese after ransomware attackNetherlands-based logistics and food network operator Bakker Logistiek reportedly suffered a ransomware attack last week during which attackers encrypted devices on its network, disrupted food transportation and fulfillment, and caused cheese and other food shortages in supermarkets throughout the Netherlands.
- 16. Joker Android Trojan Lands in Huawei AppGallery App StoreTen variants of the Joker Android Trojan managed to slip into the Huawei AppGallery app store and were downloaded by more than 538,000 users, the Joker variants are disguised as apps such as virtual keyboards, camera apps, launchers, online messengers, sticker collections, coloring programs, and a game.
- 17. Pokies shut down by hacker ransomware attackTasmania's lone casino operator has confirmed it is being held to ransom in a cyber attack that has impacted its pokies machines and hotel bookings system for more than one week.
- 18. Incident at Natanz not an accident, damage worse than Iran revealingThe incident at Natanz on Sunday morning was not an “accident” and the damage is much graver than what Iran is presenting to the public, Western sources quoted in Israeli media said the attack, which was initially referred to as an “accident” by Iran, was carried out by the Mossad.
- 19. Attackers deliver legal threats, IcedID malware via contact formsHackers have been spotted leveraging legitimate corporate contact forms in spear-phishing campaigns that threaten enterprise targets with lawsuits and attempt to infect their systems with the "IcedID" modular banking Trojan.
- 20. Researchers uncover a new Iranian malware used in recent cyberattacksIran-linked APT group "OilRig" (APT34) has been identified leveraging a new backdoor dubbed "SideTwist" in a spear-phishing attack against a possible Lebanese target in order to exfiltrate sensitive information from the compromised system.
- 21. 330K stolen payment cards and 895K stolen gift cards sold on dark webIn February 2021, a hacker reportedly began selling 895,000 gift cards and more than 300,000 payment cards on a top-tier Russian-language hacking forum that were stolen during a breach of Cardpool.com.
- 22. Vulnerability in ‘Domain Time II’ Could Lead to Server, Network CompromiseA vulnerability residing in the “Domain Time II” network time solution can be exploited in Man-on-the-Side (MotS) attacks, cyber-security firm GRIMM warned. Exploit relies on intercepting a UDP update providing a new URL for software update.
- 23. Windows 10 hacked again at Pwn2Own, Chrome and Zoom also fallContestants hacked Microsoft's Windows 10 OS twice during the second day of the Pwn2Own 2021 competition, together with the Google Chrome web browser and the Zoom Platform. Note Pwn2Own discovered vulnerabilities are reported to vendors with a 90 day fix window.
- 24. Hackers Hack Hackers as Underground Carding Site is BreachedPII belonging to thousands of cyber criminals using the "Swarmshop" underground forum was leaked online to another underground forum on March 17, 2021. The database was posted on a different underground forum and contained 12,344 records of the card shop admins, sellers, and buyers including their nicknames, hashed passwords, contact details, history of activity and current balance.
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element