Week in Review: Emergency Alert flaws, Twilio confirms hack, Rebuild CISA – Krebs

This week’s Cyber Security Headlines – Week in Review, June 6-10, is hosted by Rich Stroffolino with our guest, Jack Kufahl, CISO, Michigan Medicine

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

Critical flaws found in US Emergency Alert System

The US government is warning of critical vulnerabilities in its Emergency Alert System (EAS) that, if exploited, could let intruders send fake alerts out over television, radio, and cable networks. The Department of Homeland Security (DHS) said in an advisory that it was recently informed of the flaws in EAS encoder and decoder devices, adding that they were successfully exploited by Ken Pyle, a security researcher at cybersecurity firm CYBIR. The advisory carries a sense of urgency because the exploit “may” be presented, with proof-of-concept code, at the DEF CON conference in Las Vegas next week. DHS is urging organizations that operate EAS equipment to ensure that their devices and supporting systems run the most recent software versions and security patches, sit behind a firewall, and are monitored, with audit logs reviewed regularly for any sign of unauthorized access.

(The Register)

Twilio confirms hack

The communications integration company confirmed that unauthorized actors gained access to customer data on August 4th. The intrusion appears to be the result of social engineering: several employees were tricked into handing over login credentials by SMS phishing messages purporting to come from the company’s IT department. Twilio was aware of the messages and contacted carriers to stop them, but the threat actors rotated through carriers and hosting providers to keep the campaign going, which Twilio says indicates an operation that is “well-organized, sophisticated and methodical.” Twilio informed impacted customers directly. TechCrunch reports it learned of the same threat actor running a similar campaign against other companies; it is not clear whether those campaigns succeeded.

Cloudflare confirmed it was hit too. The company said three employees fell for a similar phishing scam. However, its use of hardware-based (FIDO2) MFA keys prevented the intruders from accessing its internal network: because the key’s response is bound to the legitimate site’s origin, the credentials the attackers captured on their look-alike page could not be replayed. The details again show the attackers as methodical and sophisticated, obtaining work and home numbers of Cloudflare employees and family members in an effort to make the phishing succeed. At least 76 Cloudflare employees are estimated to have received phishing text messages within the first minute of the attack, with the phishing domain registered only 40 minutes prior.
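The difference between the Twilio and Cloudflare outcomes comes down to whether the second factor can be relayed. The simulation below is an added example, not Twilio’s or Cloudflare’s code: it models a phishing proxy that captures a victim’s TOTP code and replays it to the real site within the 30‑second window (success), then tries the same relay against a WebAuthn-style hardware key (failure). The origins, RP ID and secrets are constructed, and the authenticator’s public-key signature is stood in for by an HMAC so the example runs with the standard library alone; the checks the relying party performs (type, origin, challenge, rpIdHash, signature) mirror those in the WebAuthn spec.

```python
"""Credential-relay (adversary-in-the-middle) phishing against TOTP vs. a WebAuthn-style key.
Added example with constructed values; HMAC stands in for the authenticator's signature."""
import hashlib, hmac, json, secrets, struct
from urllib.parse import urlparse

REAL_ORIGIN = "https://login.example.com"        # constructed legitimate site
PHISH_ORIGIN = "https://login.example-com.net"   # constructed look-alike used by the phisher
RP_ID = "example.com"                            # WebAuthn relying-party ID of the real site


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a short code the victim can be talked into typing anywhere."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class RelyingParty:
    """The real login service: verifies either a TOTP code or a WebAuthn-style assertion."""

    def __init__(self):
        self.totp_secret = secrets.token_bytes(20)
        self.cred_key = secrets.token_bytes(32)   # stand-in for the registered credential's key
        self.challenges = set()

    def login_totp(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_secret, now))

    def issue_challenge(self) -> str:
        c = secrets.token_urlsafe(32)
        self.challenges.add(c)
        return c

    def verify_assertion(self, a: dict) -> bool:
        cd = json.loads(a["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or cd.get("origin") != REAL_ORIGIN:
            return False                           # assertion was produced for another origin
        if cd.get("challenge") not in self.challenges:
            return False                           # unknown or already-used challenge
        self.challenges.discard(cd["challenge"])
        if a["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False                           # rpIdHash does not match our RP ID
        signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"].encode()).digest()
        expected = hmac.new(self.cred_key, signed, hashlib.sha256).digest()
        return hmac.compare_digest(a["signature"], expected)


class Browser:
    """What a WebAuthn-capable browser does when a page at `origin` calls navigator.credentials.get()."""

    def __init__(self, cred_key: bytes):
        self.cred_key = cred_key

    def get_assertion(self, origin: str, rp_id: str, challenge: str, strict: bool = True):
        host = urlparse(origin).hostname or ""
        if strict and not (host == rp_id or host.endswith("." + rp_id)):
            return None   # browser refuses: rp_id is not a registrable suffix of the page's host
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                                 separators=(",", ":"))
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
        sig = hmac.new(self.cred_key, auth_data + hashlib.sha256(client_data.encode()).digest(),
                       hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def totp_relay_attack(now: int = 1_700_000_000) -> bool:
    """Victim types the current code into the phishing page; the attacker replays it 5 s later."""
    rp = RelyingParty()
    victim_code = totp(rp.totp_secret, now)
    return rp.login_totp(victim_code, now + 5)


def webauthn_relay_attack(lenient_browser: bool = False) -> bool:
    """Proxy fetches a real challenge and asks the victim's key to sign it on the phishing origin."""
    rp, browser = RelyingParty(), None
    browser = Browser(rp.cred_key)
    challenge = rp.issue_challenge()
    a = browser.get_assertion(PHISH_ORIGIN, RP_ID, challenge, strict=not lenient_browser)
    return a is not None and rp.verify_assertion(a)


def legitimate_webauthn_login() -> bool:
    rp = RelyingParty()
    a = Browser(rp.cred_key).get_assertion(REAL_ORIGIN, RP_ID, rp.issue_challenge())
    return rp.verify_assertion(a)


if __name__ == "__main__":
    print("TOTP relay succeeds:", totp_relay_attack())
    print("WebAuthn relay succeeds:", webauthn_relay_attack())
    print("WebAuthn relay succeeds (browser skips RP ID check):", webauthn_relay_attack(True))
    print("Legitimate WebAuthn login:", legitimate_webauthn_login())
```

Two independent checks defeat the relay: the browser will not exercise the credential at all when the page’s host is not under the RP ID, and even a browser that did would embed the phishing origin in clientDataJSON, which the relying party rejects before looking at the signature. Neither check exists for a TOTP code, which is why it relays cleanly.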

(TechCrunch and Ars Technica)

Deepfake cybercrime increasing

VMware released its annual Global Incident Response Threat Report, looking at the landscape of cybersecurity threats across its large client base. Unsurprisingly, the report found that ransomware and business email compromise attacks continued their steady climb in frequency, together accounting for 70% of security incidents over the past twelve months. Cyberattacks using deepfake tools, however, rose 13% on the year, with 66% of respondents reporting at least one such incident. VMware also noted that, outside of direct cyberattacks, the FBI has reported an increase in complaints about people using deepfakes and stolen identity information to apply for remote work positions. The report also found a surge in zero-day attacks, up 51% on the year.

(CSO Online)

Thanks to today’s episode sponsor, Edgescan

Edgescan simplifies Vulnerability Management by delivering a single full-stack solution (SaaS) integrated with world-class security professionals. Instead of managing a plethora of point scanning tools for each layer of the attack surface and squandering precious staff resources manually removing false positives, Edgescan offers automated and accurate contextualized alerts across the entire attack surface into a single source of truth.

Introducing the Open Cybersecurity Schema Framework

At Black Hat, Amazon Web Services, IBM, Cloudflare, Splunk, Palo Alto Networks, Okta, CrowdStrike, and several other cybersecurity companies announced the formation of the Open Cybersecurity Schema Framework (OCSF) to create a common data standard for sharing security information. The idea is a set of specifications that products and services can adopt so that alerts from different tools share one structure and data can be interpreted faster. Today, vendors offer proprietary dashboards and event formats, and moving data between tools takes manual labor and custom code. The OCSF specifications will be available on GitHub, and the companies expect to integrate them into their products within the next few months.
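To make the “custom code per vendor” problem concrete, the following added example (my own, not OCSF project code) normalizes two constructed log records, an OpenSSH `sshd` syslog line and a JSON event from a fictional identity provider, into a single OCSF-shaped Authentication event, then runs one detection over both. The attribute names (`class_uid` 3002 for Authentication, `category_uid` 3, `activity_id`, `status_id`, `user`, `src_endpoint`, `metadata`) are used as the author recalls them from the published OCSF 1.0 schema and should be checked against the schema on GitHub before relying on them; the vendor names and sample lines are constructed.

```python
"""Normalize two constructed vendor log formats into OCSF-style Authentication events.
Added example; OCSF attribute names are from the author's recollection of the 1.0 schema."""
import json
import re
from datetime import datetime, timezone

OCSF_VERSION = "1.0.0"
CATEGORY_IAM = 3               # Identity & Access Management
CLASS_AUTHENTICATION = 3002    # Authentication event class
ACTIVITY_LOGON = 1
STATUS = {"success": 1, "failure": 2}

# Constructed sample records (not real logs)
SSHD_LINE = ("Aug  9 14:02:11 bastion sshd[2213]: Failed password for invalid user admin "
             "from 203.0.113.7 port 51422 ssh2")
IDP_EVENT = ('{"eventType":"user.session.start","outcome":"SUCCESS","published":"2022-08-09T14:03:40Z",'
             '"actor":"alice@example.com","clientIp":"198.51.100.23","product":"ExampleIdP"}')

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def _event(time_ms: int, status: str, user: str, src_ip: str, product: str, vendor: str, raw: str) -> dict:
    """Build the common OCSF-shaped event every source maps into."""
    return {
        "category_uid": CATEGORY_IAM,
        "class_uid": CLASS_AUTHENTICATION,
        "activity_id": ACTIVITY_LOGON,
        "type_uid": CLASS_AUTHENTICATION * 100 + ACTIVITY_LOGON,   # OCSF convention: class_uid*100 + activity_id
        "time": time_ms,                                            # epoch milliseconds, UTC
        "status_id": STATUS[status],
        "severity_id": 1 if status == "success" else 2,             # 1 Informational, 2 Low
        "user": {"name": user},
        "src_endpoint": {"ip": src_ip},
        "metadata": {"version": OCSF_VERSION, "product": {"name": product, "vendor_name": vendor}},
        "raw_data": raw,
    }


def from_sshd(line: str, year: int = 2022) -> dict:
    """Map an OpenSSH auth line. syslog has no year, so the caller supplies it (assumed UTC)."""
    m = SSHD_RE.match(line)
    if not m:
        raise ValueError("unrecognised sshd line")
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    status = "success" if m["result"] == "Accepted" else "failure"
    return _event(int(ts.timestamp() * 1000), status, m["user"], m["ip"], "OpenSSH", "OpenSSH", line)


def from_idp(raw: str) -> dict:
    """Map the fictional identity provider's JSON event."""
    ev = json.loads(raw)
    ts = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
    status = "success" if ev["outcome"] == "SUCCESS" else "failure"
    return _event(int(ts.timestamp() * 1000), status, ev["actor"], ev["clientIp"],
                  ev["product"], "Example Corp", raw)


def normalize_all(records):
    """Dispatch on shape; each new source needs one mapper, not a change to every consumer."""
    return [from_idp(r) if r.lstrip().startswith("{") else from_sshd(r) for r in records]


def failed_logons_by_ip(events) -> dict:
    """A detection written once against OCSF fields, independent of which vendor produced the event."""
    counts = {}
    for e in events:
        if e["class_uid"] == CLASS_AUTHENTICATION and e["status_id"] == STATUS["failure"]:
            ip = e["src_endpoint"]["ip"]
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    events = normalize_all([SSHD_LINE, IDP_EVENT])
    print(json.dumps(events, indent=2))
    print("failed logons by source IP:", failed_logons_by_ip(events))
```

The point of the exercise is the last function: once both sources land in the same class with the same field names, a rule such as “failed logons per source IP” is written and tested once, and adding a third vendor means adding a mapper rather than a second copy of every rule.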

(WSJ)

Cisco admits corporate network compromised by gang with links to Lapsus$

Cisco disclosed the incident on Wednesday, stating that an employee’s personal Google account had been compromised. The disclosure of the months-old intrusion also happened to come after a list of files accessed during the incident appeared on the dark web. Cisco’s Security Incident Response Team (CSIRT) and Cisco Talos said the data exfiltration was from a Box cloud storage account associated with the compromised employee’s account. The ransomware gang “Yanluowang” has claimed responsibility for the leak.

(The Register)

CISA should split from DHS says Chris Krebs

Former CISA director Chris Krebs called for significant adjustments to the U.S. government’s approach to cybersecurity on Wednesday. During a keynote address at the Black Hat conference in Las Vegas, Krebs proposed the creation of a “U.S. Digital Agency,” which would incorporate elements of CISA, the National Institute of Standards and Technology, the National Telecommunications and Information Administration, and the Department of Energy, as well as parts of the Federal Trade Commission and the Federal Communications Commission. The goal, he says, is to add privacy, trust, and safety issues to the existing security priorities.

(The Record)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.