LANtennas, ESXi & Python, Twitch Leaks, Facebook BGP, & iPhone Is Always On – PSW #713

CISA has produced/released a free self-assessment tool that can be used to gauge a company/agency’s risk posture by answering a series of questions. CISA especially recommends their tool be used by small to medium-sized businesses to identify cybersecurity shortcomings that could devastate their company should a disgruntled employee go rogue.

The Deputy Director stated that the DOJ is ready to sue government contractors and any U.S. company who receives U.S. government grant money if they fail to notify the U.S. government of their computer network being breached. They will also be sued if they misrepresent their company’s cybersecurity processes. The DOJ will leverage the “False Claims Act” for their lawsuits.

The Transportation Security Administration will introduce regulations that compel most U.S. railroad and airport industries to do three things: (1) improve their cybersecurity processes; (2) identify a chief cyber official and (3) inform the government when their network has been breached and have a draft cyber recovery plan on-hand to recover from the incident.

Telecommunications provider Syniverse, which routes text messages for hundreds of telecom customers, has disclosed it was the target of a five-year data breach that has been ongoing since May 2016 and resulted in the exposure of personally identifiable information (PII) belonging to more than 200 Electronic Data Transfer (EDT) customers.

Cautioning that foreign government-backed hackers are actively exploiting vulnerabilities in virtual private network devices, the National Security Agency and the Department of Homeland Security’s cyber wing on Tuesday published guidelines for securing VPNs. The Guidance: https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF

An unnamed ransomware gang used a custom Python script to target VMware ESXi and encrypt all the virtual machines hosted on the server. According to Sophos researchers, attackers gained access to the targeted network by first logging into a TeamViewer account running on a device on which a domain admin was already logged in, and then leveraged the Advanced IP Scanner to scan the network and identify other potential targets. After identifying potential targets, attackers then used the "Bitvis" SSH client to log onto an ESXi server.

Coinbase experienced a breach in the spring of 2021. Nearly six months later, now their customers are being targeted with phishing emails that contain fake embedded URLs to inform the customer that their cryptocurrency account had been locked out and required immediate action. To date, nearly 6000 customers have lost money to this phishing scam, which leveraged flaws in the password recovery, when using SMS, which didn't fully authenticate the request.

Hackers have accessed Twitch and leaked a vast amount of company data, including proprietary code, creator payouts and the "entirety of Twitch.tv." Twitch confirmed the breach in a tweet Wednesday morning, but did not provide further details. It doesn't appear that information like user passwords, addresses and banking information were revealed, but that can't be ruled out in a future drop. If you have a Twitch account, you should activate two-factor authentication so that bad actors can't log into your account if your password has been stolen.

FB Engineering's report on what happened. In layperson's terms. BGB/DNS/Physical Access fails - oh my! During one of these routine maintenance jobs, a command was issued with the intention to assess the availability of global backbone capacity, which unintentionally took down all the connections in our backbone network, effectively disconnecting Facebook data centers globally. Our systems are designed to audit commands like these to prevent mistakes like this, but a bug in that audit tool prevented it from properly stopping the command. Our primary and out-of-band network access was down, so we sent engineers onsite to the data centers to have them debug the issue and restart the systems. But this took time, because these facilities are designed with high levels of physical and system security in mind. They’re hard to get into, and once you’re inside, the hardware and routers are designed to be difficult to modify even when you have physical access to them.