FBI patches Exchange server backdoors

In March, Microsoft released patches for four newly-discovered Microsoft Exchange vulnerabilities that were being actively exploited by an advanced persistent threat group, believed to be Hafnium. The attackers were exploiting the vulnerabilities to install Web shells that gave them access to the targeted networks. The patches closed the vulnerability but would not remove the Web shells. So Tuesday the US Department of Justice announced it received approval from a court in Houston to copy and remove the Web shells from hundreds of Microsoft Exchange email servers. The FBI conducted the removal by accessing the Web shell and issuing a command to the servers to remove it. The method only removed Web shells. It did not remove any other malware that might have been installed through the use of the shell.

(TechCrunch)

IcedID looks to fill the Emotet malware void

The IcedID malware has been spotted in the wild since 2017, originally used as a banking trojan, also called Bokbot. Similar to Emotet and Trickbot, IcedID now operates as a Malware-as-a-Service provider. With the shutdown of Emotet, security researchers have seen a surge in IcedID activity, with researchers at Check Point finding it the second most active malware strain for the month of March 2021, behind Dridex. This follows an increasing sophistication as well, with Microsoft issuing a warning about IcedID’s malware spam campaigns, but also seeing abuse of public contact forms, use of fake software installers, phishing with COVID-19 themes, and other vectors. Researchers are increasingly seeing IcedID used by the REvil ransomware operators as well. 

(The Record)

Draft plan to improve US power grid security

Bloomberg’s sources say a draft plan to shore up US power grid security would see the government set up incentives for power companies to install new monitoring equipment to detect malicious activity, share that information with the government, and identify critical sites that would have an outsized impact on the power grid if attacked. The plan would be voluntary and overseen by the Energy Department, rather than CISA. Incentives for smaller utilities would include funding for new equipment and software, although an exact program has yet to be determined. The plan would also expand the scope of the Energy Department’s CyTRICS program, which scans energy infrastructure for vulnerabilities. A final version is expected to be released as soon as this week.  

(Bloomberg)

Healthcare pricing data cannot be withheld from web searches

This comes as a new guideline from the Centers for Medicare and Medicaid Services. According to new federal requirements, both hospitals and insurance providers have to post the cost of services, including the rates insurance companies pay, with hospitals posting the information in 2021 and insurers required to comply in 2022. The guidance now requires that pages hosting pricing information can’t have “rules such that give instructions to web crawlers to not index the page.” A previous report by the Wall Street Journal found hundreds of hospitals were not having pricing information indexed by search engines. 

(WSJ)

Thanks to our episode sponsor, Sonatype

Ask any software developer, and they’ll tell you the truth about two things:

1. Conventional code analysis and appsec tools are noisy and not well integrated into the dev workflow.
2: Tools that don’t actually make life easier for them just add friction and are ignored.


Rather than slowing devs down with process-heavy security gates or circuitous quality alerts, Sonatype believes developers are better served by gentle, timely, and effective nudges that actually help them improve the quality, and security of the applications they are building.

WhatsApp vulnerable to account deactivation hack 

A WhatsApp loophole lets an attacker lock you out of the app and deactivate your account. An attacker needs to login through your number by requesting authentication codes, wait for WhatsApp to block sending codes after enough attempts, set up a new email address and send a “lost/stolen” phone request, and then repeat the same cycle two more times to successfully lock you out. The method works even if you’ve set up two-factor authentication, but WhatsApp said in response “providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem.”

(The Next Web)

Who unlocked the San Bernardino shooter’s iPhone?

The Washington Post’s sources say the FBI used the Australian security firm Azumuth to unlock an iPhone used by one of the San Bernardino shooters in 2016. The firm used a flaw in the open-source code from Mozilla used to permit Lightning accessories as part of a larger exploit chain to bypass the 10 password attempt limit before the phone would erase its content. At the time, the Justice Department obtained an order directing Apple to write software to allow the FBI to access the phone, with Apple pledging to fight the order. When Azumuth founder Mark Dowd came forward with the exploit to the FBI, the case was eventually dropped. 

(WaPo)

Browser makers balk at FLoC

We reported earlier this week that the makers of the DuckDuckGo search engine planned to block Google’s third-party cookie replacement FLoC. Now Chromium-based browser makers Vivaldi and Brave have also announced they will not support FLoC. Vivaldi said it wouldn’t integrate FLoC as fundamentally it doesn’t “approve tracking and profiling, in any disguise,” and won’t allow the browser to build up local tracking profiles that FLoC requires. Brave has called FLoC a “step in the wrong direction” that could harm user privacy despite Google characterizing it as a privacy-preserving technology.  

(Bleeping Computer)

The deepfake threat to the enterprise

Darren Thomson makes the case for the increasing threat of deepfakes to large organizations in an editorial for Security Magazine. He points out that social engineering attacks have become easier to pull off as trusted relationships for work are increasingly not reliant on physical proximity and dependent on technology like email and messaging platforms. The use of machine learning to generate photo realistic still and video images, or deepfakes, opens the door for abuse on supposedly trusted mediums like video conferencing, services increasingly used since the start of the COVID-19 pandemic. He predicts that by 2024, deepfakes will have significant impacts on politics, the media and large businesses to damage reputations if nothing else.  

(Security Magazine)