Cyber Security Headlines – December 22, 2021

Hack DHS program expanded to include Log4j 

On Tuesday, Homeland Security Secretary Alejandro Mayorkas announced that DHS would broaden its new bug bounty program to incorporate vulnerabilities in its networks caused by the widely-used Log4j software. Mayorkas stated, “In partnership with vetted hackers, the federal government will continue to secure nationwide systems and increase shared cyber resilience.” While DHS officials have seen no signs of threat actors using Log4j to breach federal systems, the agency continues to warn of potential widespread attacks that could exploit the flaw.

(The Record)

Tech companies agree to protect data on undersea cable

The DoJ announced that Google and Meta have entered into national security agreements with the DoJ, and the Departments of Defense and Homeland Security, to protect data traveling on an undersea fiber-optic cable system called the Pacific Light Cable Network (PLCN) that will connect the US, Taiwan, and the Philippines. Under the agreements, Meta and Google will perform annual risk assessments of sensitive data moving through the PLCN and will seek to diversify the system’s interconnection points in other parts of Asia. The companies will also restrict access to information and infrastructure by the cable’s owner, Hong Kong–based Pacific Light Data Communications Co. Ltd (PLCD). The DoJ said, “These agreements enable Google and Meta to take advantage of critical, additional cable capacity while protecting US persons’ privacy and security through terms that reflect the current threat environment.”

(Infosecurity Magazine)

US returns $154 million stolen by Sony employee

The US Justice Department has taken legal action to seize and return over $154 million stolen from a SONY subsidiary in an insider attack. Allegedly, Sony Life Insurance Company Ltd employee Rei Ishii falsified company financial transaction instructions to divert the stolen funds to his own account in California. From there, Ishii converted the stolen funds into more than 3,879 bitcoin and attempted to persuade his supervisor and Sony Life executives not to help investigators by emailing them a ransom note. Unfortunately for Ishii, SONY and Citibank fully cooperated with law enforcement, and the FBI was able to seize the Bitcoin in Ishii’s wallet after obtaining the private key. The 32-year-old Ishii was arrested the same day by Tokyo’s Metropolitan Police Department.

(Bleeping Computer)

Another Zoho ManageEngine zero-day under active attack

APT attackers, thought to be based in China, are using an authentication-bypass vulnerability in ManageEngine Desktop Central to take over servers, deliver malware and establish network persistence. According to an FBI Flash alert, APT actors have been exploiting the bug, tracked as CVE-2021-44515, since at least late October. Zoho is urging organizations to update to the latest ManageEngine Desktop Central builds to address the vulnerability. The bug is the third zero-day discovered in Zoho’s ManageEngine suite since September.

(Threatpost)

Thanks to our episode sponsor, Lookout

Is 2022 the beginning of the end for on-prem security? Two years after remote work became the norm, we’re at an inflection point for both threats and security solutions. Just as you wouldn’t bring a sword to a gunfight, organizations need to take advantage of integrated cloud solutions to tackle emerging challenges. Check out Lookout’s 2022 predictions at lookout.com/predictions.

Desjardins proposes data breach settlement

Desjardins Group, which is Canada’s largest credit union and one of the world’s largest banks, is prepared to pay $155 million to settle a class-action lawsuit filed over a long-running data breach. A joint investigation launched in July 2019 by the Office of the Privacy Commissioner of Canada and its local equivalent in Quebec found that a malicious Desjardins employee had siphoned the personal information of nearly 10 million current and former customers over a period of 26 months. Data compromised in the incident included names, dates of birth, residential addresses, social insurance numbers, email addresses, telephone numbers, and transaction histories. Under the terms of the settlement, those who were impacted by the breach can claim between C$90 and C$1,000.

(Infosecurity Magazine)

Russian hackers made millions by stealing SEC earning reports

On Monday, the Department of Justice announced that 41-year-old Russian national Vladislav Klyushin was extradited to the U.S. from Switzerland on charges of using compromised employee credentials to hack into the networks of two U.S.-based SEC filing agents. Along with four other Russian conspirators who remain at large, Klyushin made millions of dollars by trading on the stolen data starting back in October 2017. Three of the five Russians involved worked for M-13, a Moscow-based IT company which provides penetration testing services and red team engagements. Klyushin faces a maximum penalty of five years in prison, three years of supervised release, and a $250,000 fine for accessing the computers without authorization, wire fraud, and securities fraud.

(Bleeping Computer)

Scam network rakes in $80 million per month

Security researchers at Group-IB claim that a sophisticated phishing campaign which targeted 10 million victims in over 90 countries, including the US, Canada, South Korea and Italy, has pulled in an estimated $80 million per month. The campaign includes fake surveys and giveaways from 120 popular brands and leverages digital marketing methods, including contextual advertising, advertising on legal and rogue websites, SMS, mailouts, and pop-up notifications, to generate leads. The ads contain links to a survey on look-alike domains that prompts the victim to provide personal data, including credit card information, in order to receive a prize.

(Infosecurity Magazine)

Garrett metal detectors can be remotely manipulated

Two widely used walk-through metal detectors, made by US-based manufacturer Garrett, which are used in security-critical environments such as sports venues, airports, banks, and courthouses, are vulnerable to numerous remotely exploitable flaws that could severely impair their functionality. Security researchers at Cisco Talos discovered nine such vulnerabilities in the Garrett iC Module version 5.0, which is the component that provides network connectivity to Garrett’s PD 6500i and MZ 6100 detectors. The vendor fixed the issues on December 13 and urges customers to upgrade their iC Module CMA software to the latest available version.

(Bleeping Computer)

Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.