LANtennas, ESXi & Python, Twitch Leaks, Facebook BGP, & iPhone Is Always On – PSW #713
This week in the Security Weekly News: Brushing that data breach under the rug? Get sued by the US Government!, all your text messages belong to someone else, beware of the Python in your ESXi, Twitch leaks, when LANtennas attack, zero-trust fixes everything, recalled insulin pumps, Apache 0-day, your iPhone is always turned on, Apple Pay hacked, & more!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.
Hosts
- 1. CISA Releases New Tool to Help Organizations Guard Against Insider Threats – CISA has released a free self-assessment tool that gauges a company's or agency's risk posture from the answers to a series of questions. CISA especially recommends the tool for small and medium-sized businesses, to identify cybersecurity shortcomings that could devastate the company should a disgruntled employee go rogue.
- 2. DOJ Poised to Sue Contractors Who Don't Report Cyber Breaches – The Deputy Director stated that the DOJ is ready to sue government contractors, and any U.S. company that receives U.S. government grant money, if they fail to notify the U.S. government that their computer network has been breached. They will also be sued if they misrepresent their company's cybersecurity processes. The DOJ will leverage the False Claims Act for these lawsuits.
- 3. U.S. to tell critical rail, air companies to report hacks, name cyber chiefs – The Transportation Security Administration will introduce regulations that compel most U.S. railroad and airport operators to do three things: (1) improve their cybersecurity processes; (2) identify a chief cyber official; and (3) inform the government when their network has been breached and keep a draft cyber recovery plan on hand to recover from the incident.
- 4. Text Message Giant Reveals Five-Year Breach – Telecommunications provider Syniverse, which routes text messages for hundreds of telecom customers, has disclosed that it was the target of a five-year data breach, ongoing since May 2016, that resulted in the exposure of personally identifiable information (PII) belonging to more than 200 Electronic Data Transfer (EDT) customers.
- 5. NSA, CISA share guidelines for securing VPNs as hacking groups keep busy – CyberScoop – Cautioning that foreign government-backed hackers are actively exploiting vulnerabilities in virtual private network devices, the National Security Agency and the Department of Homeland Security's cyber wing on Tuesday published guidelines for securing VPNs. The guidance: https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF
- 6. Unnamed Ransomware gang uses a Python script to encrypt VMware ESXi servers – An unnamed ransomware gang used a custom Python script to target VMware ESXi and encrypt all the virtual machines hosted on the server. According to Sophos researchers, the attackers gained access to the targeted network by first logging into a TeamViewer account running on a device on which a domain admin was already logged in, then used Advanced IP Scanner to scan the network and identify other potential targets. After identifying those targets, they used the Bitvise SSH client to log onto an ESXi server.
- 7. Thousands of Coinbase Users Hit by Phishing Attack — Here's How to Protect Yourself – Coinbase experienced a breach in the spring of 2021. Nearly six months later, its customers are being targeted with phishing emails containing fake embedded URLs that tell the customer their cryptocurrency account has been locked and requires immediate action. To date, nearly 6000 customers have lost money to this scam, which leveraged a flaw in the SMS-based password recovery flow that didn't fully authenticate the request.
- 8. Twitch's source code and streamer payment figures have been leaked following hack – Hackers have accessed Twitch and leaked a vast amount of company data, including proprietary code, creator payouts and the "entirety of Twitch.tv." Twitch confirmed the breach in a tweet Wednesday morning but did not provide further details. It doesn't appear that information like user passwords, addresses and banking information was revealed, but that can't be ruled out in a future drop. If you have a Twitch account, you should activate two-factor authentication so that bad actors can't log into your account if your password has been stolen.
- 9. More details about the October 4 Facebook outage – FB Engineering's report on what happened, in layperson's terms. BGP/DNS/physical access fails - oh my! "During one of these routine maintenance jobs, a command was issued with the intention to assess the availability of global backbone capacity, which unintentionally took down all the connections in our backbone network, effectively disconnecting Facebook data centers globally. Our systems are designed to audit commands like these to prevent mistakes like this, but a bug in that audit tool prevented it from properly stopping the command. Our primary and out-of-band network access was down, so we sent engineers onsite to the data centers to have them debug the issue and restart the systems. But this took time, because these facilities are designed with high levels of physical and system security in mind. They're hard to get into, and once you're inside, the hardware and routers are designed to be difficult to modify even when you have physical access to them."
