This week, Apple released the iOS and iPadOS 14.4 updates. This update addresses 3 CVEs: CVE-2021-1782, CVE-2021-1971, and CVE-2021-1870. According to Apple, those three vulnerabilities may be being actively exploited. This vulnerability was presented on 1/26/2021 as HT212146 and the advisory is available from Apple at https://support.apple.com/en-us/HT212146 . Very little information is known at this point. The limited information is showing that the manipulation with an unknown input leads to a race condition vulnerability, which does have an impact on confidentiality, integrity, and availability. Additional information will become available, according to Apple.
Title: USCellular hit by a data breach after hackers access CRM software
URL: https://www.bleepingcomputer.com/news/security/uscellular-hit-by-a-data-breach-after-hackers-access-crm-software/?&web_view=true
On January 6, 2021, U.S. Cellular detected a data breach in their system by an unauthorized user. The article states that US Cellular believes the attack occurred on January 4th, 2021, when a retail store’s employees were scammed into downloading malicious software onto a store computer. The article did not specify how the employees were scammed, but I would assume it was some sort of social engineering attack. Once the malware was installed, the attacker was able to remotely access the computer, and since the employees were signed into the customer retail management (CRM) system, the attacker was able to access customer data. This data included names, phone numbers, addresses, PIN numbers, billing/usage statements, and service plan information. US Cellular claimed social security numbers and credit card information are masked in the CRM system and were not accessible. This article is an example of why organizations should focus on security awareness training for employees and help employees be able to identify situations where they are being scammed.
The article basically made some very worrisome predictions about cyber security in 2021. Due to the pandemic, there is an abundance of new phishing scams using COVID-19 fears as a driver. These phishing scams will be related to vaccines, new strands of the virus, impersonation of health officials, and fake news articles used as click bait. The increased amount of phishing means more malware and ransomware being installed on company devices. The trend is shifting to where customers and lawyers will be holding C-level executives liable for breaches of security. With work-from-home trending due to the pandemic, companies are depending a lot on the cloud, which will raise security concerns as hackers focus more on breaking into security networks to enter files in the cloud. With the new year also come more advances in IT; 2021 will also introduce AI and machine learning to many companies to better secure data. According to a study, AI/ML reduced the average cost of a data breach by $259,354, which is an increased cost saving when compared to 2019’s $230,000.
https://www.securitymagazine.com/articles/94306-security-predictions-for-2021
66% of Workers Risk Breaching GDPR by Printing Work-Related Docs at Home
This article pointed out that about two-thirds of remote workers risk potentially breaching GDPR guidelines by printing out work-related documents at home. According to the research, 66% of home workers have printed work-related documents since they began working from home. 20% of them admitted to printing confidential employee information including payroll, addresses and medical information. Worse, 24% said they used a home shredding machine but disposed of the documents in their own waste, which did not provide enough security for confidential waste. It’s vital that business leaders review their current processes and educate their staff based on the appropriate guidelines.
https://www.infosecurity-magazine.com/news/workers-printing-docs-home/
“New CISOs Survey Reveals How Small Cybersecurity Teams Can Confront 2021”
Cyber attacks can be launched against any business, regardless of the size. While the cost, damages and consequences are the same for both larger entities and small to medium size enterprises, it is no surprise that small to medium size entities only have a fraction of the resources necessary to protect their company. Research shows that large global financial institutions have $500M to spend on cybersecurity annually with an IT staff of several thousand employees. On the other hand, small to medium size entities have budgets of less than $1M with five or fewer IT security specialists on staff. A recent survey of CISOs in charge of small companies reveals that to combat the cybersecurity challenges in the face of limited budget and lack of highly experienced staff, small to medium sized entities can: outsource threat detection and response; invest more in automation to allow their teams to do more with less; and consolidate security tools and platforms and replace complex security technologies. This is indeed a herculean undertaking for small to medium entities, but the outlined solutions may potentially improve their cybersecurity challenges given their limited resources.
https://thehackernews.com/2021/01/new-cisos-survey-reveals-how-small.html
A ransom attempt was held against the Miss England Beauty Pageant organization’s Instagram account. Angela Beasley, the organizer of the pageant, assumed she received an authentic message on the app that there was an app rule violation and the phone number of the account needed to be confirmed. Unfortunately, she gave the number, which allowed the hackers access to the account and locked her out. In order to unlock the account she would need to “make a deal”. The Action Fraud reporting center and local police were contacted. Subsequently, the account has been secured and restored back to the account owner.
Here is the Title and link to the news article I accidentally forgot to add on:
Miss England Held to Ransom by Cyber-attackers
https://www.infosecurity-magazine.com/news/miss-england-held-to-ransom-by/
North Korea has been targeting security researchers in a months-long social engineering campaign. The hackers set up accounts across many different social media websites and applications to interact with security researchers in order to steal research. The hackers created fake blogs and pretended to need help figuring out if a flaw was exploitable. They tried to get their targets to download a “research project” that was actually malware or go to the blog, which had malware. Several security researchers admitted to falling for the scheme when Google made it public. The North Korean hackers may have used a Chrome zero-day during the attacks as well.
https://www.wired.com/story/north-korea-hackers-target-cybersecurity-researchers/
Azure Functions vulnerability proves cloud users not always in control
https://www.scmagazine.com/home/security-news/azure-functions-vulnerability-proves-cloud-users-not-always-in-control/
The newly discovered Azure Functions vulnerability allows attackers to elevate privileges and escape Azure Functions Docker to the Docker host. Microsoft determines that the vulnerability has no security impact on Azure Functions users. Azure Functions is essentially Microsoft’s equivalent to Amazon Web Services’ Lambda service. It runs as a serverless computing service, allowing users to run code without providing or managing infrastructure. The latest vulnerability emphasizes that sometimes attackers cannot pass vulnerable of third-party software finds a way internally so that vulnerabilities are not controlled by cloud users. Reducing the attack surface is critical, but organizations must prioritize the runtime environment to ensure that malicious code does not lurk in their systems.
Flaws in open source library used by DoD, IC for satellite imagery could lead to system takeovers
https://www.scmagazine.com/home/security-news/vulnerabilities/flaws-in-open-source-library-used-by-dod-ic-for-satellite-imagery-could-lead-to-system-takeovers/
Vulnerabilities were present in the Department of Defense’s open source library used to exchange, store, and transmit satellite images. These vulnerabilities create the possibility of remote code execution, which would allow hackers to take over the machine or device. The other vulnerabilities could lead to denial of service attacks. However, the organization quickly investigated the flaws and had a release out the next day. All stakeholders were informed. I gravitated to this article because it showed a vulnerability being identified before any breach or damage was done. This demonstrates the benefits of consistent research on security systems, as well as the benefits of being proactive. However, it is important to remember that the number of vulnerabilities present in systems will never be zero, and that it is unlikely that your system is 100% protected at any given time.
“Microsoft 365 Becomes Haven for BEC Innovation”
This article details two new business email compromise (BEC) strategies that have become more popular amongst attackers in recent months.
The first involves manipulation of read-receipt behavior in Microsoft 365. By adjusting headers in malicious emails, the attackers cause Microsoft 365 to send a read-receipt notification email to the target of the attack. This notification email would include the subject and text of the original malicious email which may have been blocked by enterprise security settings. This way, the target would still effectively receive the phishing information and may be inclined to click on the links included in the attack email.
The second new BEC strategy involves manipulation of out of office (OOO) message behavior in Microsoft 365. An attacker will send a malicious email to a member of the organization who has an automatic OOO reply set, but the attacker will set the reply-to address of their attack message to another member of the organization. When they send the malicious message, the OOO reply from the first employee is sent to another employee dictated by the reply-to address, and the OOO message will include the text from the malicious message. This way, even though the malicious attack may have been captured by security measures, the text is included anyway in the automatic reply from the employee.
The article does not indicate if Microsoft plans to implement any measures to mitigate these new strategies, but it is clear that Microsoft 365 is both a valuable target for attackers and an attack vector itself.
https://threatpost.com/microsoft-365-bec-innovation/163508/
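As an added defender-side example (not from the article or the original poster), the following Python checks inbound external mail for the two reflection patterns described above: a Reply-To that points back inside the organization, and a read-receipt request addressed to an internal mailbox. It assumes the organization's domain is `corp.example` and that the read-receipt request travels in the RFC 8098 `Disposition-Notification-To` header, which the post does not name; the sample messages are constructed.

```python
"""Flag inbound external mail whose Reply-To or read-receipt request header
points back inside the organization, so that an out-of-office reply or a
read receipt would carry the message text to a colleague."""
import email
from email import policy
from email.utils import getaddresses

# Assumption: the organization's own mail domain(s); replace with real ones.
INTERNAL_DOMAINS = {"corp.example"}

# Headers that decide where an automatic message goes: Reply-To drives the
# out-of-office reply, Disposition-Notification-To (RFC 8098) requests a read
# receipt. The post only says "headers were adjusted"; this is our assumption.
REFLECTING_HEADERS = ("Reply-To", "Disposition-Notification-To")


def _domains(msg, header):
    """Return the lowercase domains of every address found in `header`."""
    values = [str(v) for v in msg.get_all(header, [])]
    return {addr.rsplit("@", 1)[-1].lower()
            for _, addr in getaddresses(values) if "@" in addr}


def assess(raw):
    """Return a list of findings for one RFC 5322 message (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domains = _domains(msg, "From")
    # Internal senders legitimately trigger auto-replies; only external mail
    # that redirects an automatic reply inward is suspicious here.
    if not from_domains or from_domains <= INTERNAL_DOMAINS:
        return []
    findings = []
    for header in REFLECTING_HEADERS:
        inward = _domains(msg, header) & INTERNAL_DOMAINS
        if inward:
            findings.append(
                f"{header} targets internal domain(s) {sorted(inward)} while "
                f"From is external {sorted(from_domains)}: an automatic reply "
                f"or read receipt would relay this message's text to a colleague")
    return findings


# Constructed samples: the out-of-office bounce, the read-receipt bounce,
# and a benign external message that asks for replies to its own domain.
OOO_REFLECT = """\
From: "Vendor Billing" <billing@mail-vendor.example>
To: alice@corp.example
Reply-To: bob@corp.example
Subject: Overdue invoice - wire today
Content-Type: text/plain

Please wire the outstanding balance to the account in the attached PDF.
"""

RECEIPT_REFLECT = """\
From: "Payroll" <payroll@hr-update.example>
To: carol@corp.example
Disposition-Notification-To: carol@corp.example
Subject: Action required: confirm your direct deposit
Content-Type: text/plain

Log in at the link below to keep your next paycheck on schedule.
"""

BENIGN = """\
From: partner@partner.example
To: alice@corp.example
Reply-To: partner-team@partner.example
Subject: Meeting notes
Content-Type: text/plain

Notes from today's call are attached.
"""


def scan_samples():
    """Assess every constructed sample; returns {name: findings}."""
    return {name: assess(raw) for name, raw in
            (("ooo", OOO_REFLECT), ("receipt", RECEIPT_REFLECT), ("benign", BENIGN))}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or "clean")
```

In production this would run on the mail gateway or a mailbox rule before the auto-reply is generated; a legitimate external sender that redirects replies inside your organization is rare enough that the hit rate stays reviewable.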
“Biden hires ‘world class’ cybersecurity team after massive hack”
The article discusses that in light of a major cybersecurity attack, Biden has gone on to hire a world class team of cybersecurity experts. The article then continues to say how the move was praised by defense experts. US Intelligence points to Russian actors for the attack but Moscow denies these allegations. The article also highlighted how this move comes after an administration that did not prioritize cybersecurity at all, even firing the cybersecurity chief after he lost the election. Overall, it’s good to see this new administration taking cybersecurity as a necessity because the future of national security is dependent on it.
https://www.aljazeera.com/news/2021/1/22/after-govt-hack-biden-enlists-world-class-cybersecurity-team
Incoming Biden administration looks to shake up US cybersecurity policy
https://portswigger.net/daily-swig/incoming-biden-administration-looks-to-shake-up-us-cybersecurity-policy
I believe my article is somewhat linked to the one Panayiotis posted above, but I thought it was relevant for this week because it talked about security policy, which is going to have an impact on the security focus for the new administration. This will likely impact the lens through which risks and priorities are viewed for different government agencies. The article talks about how Biden would likely want to shift from a cyber warfare posture back to risk mitigation and personal privacy. The article outlines several expected focus areas for the Biden administration, all of which could have some impact on cybersecurity and government oversight of this area. At the end, it mentions the American Rescue Plan. It states: “The administration wants Congress to allocate $9 billion to expand and improve the Technology Modernization Fund, authorize a separate program for hiring, and allocate an addition $690m to improve security monitoring and incident response. Independent experts warned that the administration should be careful to avoid falling into the trap of defending against the last big threat.”
It sounds like there has been a past pattern of responding to a major cyber event (SolarWinds in this case, Sony is mentioned as past major event) by focusing on building up defenses against a similar or same attack. I can see how this could be risky to focus protection efforts on the last known threat given zero day threats are something we should always expect to come up as a possibility. All in all, the article highlights a lot of challenges and considerations that will likely come up over the next few years. It will be interesting to see how it all plays out.
“Ransomware payments are going down as more victims decide not to pay up”
In Q4 of 2020, more companies and individuals are refusing to pay criminals who are conducting ransomware attacks. The average payment went from $154,108 to $233,817. This drop can be attributed to users not wanting to pay the ransom as often. This could be due to many factors, such as more awareness around ransomware attacks, more frequent backups, etc. The criminals are adapting to this change though and are raising the stakes. There have been an increased number of reports of criminals threatening to leak the stolen data, as opposed to just destroying it or losing it. This change will change the math for a company, as now they will have to consider the reputational risk of not paying a ransom.
https://www.zdnet.com/article/ransomware-payments-are-going-down-as-more-victims-decide-not-to-pay-up/
According to the new article from Bloomberg, “Cyber Attackers Leaked Covid-19 Vaccine Data after EU Hack”, hackers posted online confidential data regarding the Covid-19 vaccine after a data breach that occurred in 2020. The information hacked is believed to be proprietary data regarding the new type of vaccine known as mRNA vaccines. This hack could negatively affect the pharmaceutical companies Pfizer and BioNTech. That cyber breach attacked the European Medicine Agency, which is based in Amsterdam and is part of the European Parliament. Some of the information hacked were documents that were submitted by Pfizer Inc and BioNTech SE. According to the European Medicine Agency, all individuals whose documents or personal data may have been exposed have been notified.
https://www.bloomberg.com/news/articles/2021-01-12/covid-vaccine-documents-leaked-on-web-eu-drug-regulator-says
Data breach exposes 1.6 million Washington state residents who filed unemployment claims in 2020
https://www.geekwire.com/2021/data-breach-exposes-1-6-million-washington-state-residents-filed-unemployment-claims-2020/
On 12/25/20, Washington State experienced a massive data breach compromising the information of 1.6 million individuals when unauthorized access to numerous files occurred. The source was determined to be a legacy product from a third party software provider, Accellion. Washington State uses the provider to transmit computer files and the compromised files were stored on Accellion’s system. Apparently Accellion had been advising customers to upgrade to a newer product, which Washington State did not complete.