Cyber Security Headlines – December 30, 2021

Defense bill includes cybersecurity provisions for private sector

President Biden signed the National Defense Authorization Act of 2022 into law this week, which includes new cybersecurity provisions for the private sector. This includes requiring CISA to biennially update incident response plans, as well as consult with agencies and the private sector on sector-specific exercises to determine effectiveness. The law also codifies the CyberSentry program, which includes public-private partnerships with CISA to offer continuous monitoring of industrial control systems. All industry participation in the bill is voluntary, and does not include mandatory incident reporting requirements.

(NextGov)

Server firmware rootkit discovered

The Iranian cybersecurity firm Amnpardaz released a report detailing a first-of-its-kind rootkit that was discovered in the firmware of HP iLO devices. These are add-on boards for servers that are part of HP’s remote management suite and can perform maintenance and updates on systems even when they are turned off. Named iLOBleed, this rootkit survives OS reinstalls with persistence on the network, disguised as a module for the iLO firmware, even including a fake update UI to fool admins. When discovered, the attackers wiped the server’s disks, setting it to repeatedly do so at intervals. The researchers described this as an advanced rootkit, likely from an APT. It’s not clear how it was initially deployed.

(The Record)

Microsoft Defender showing Log4j false positives 

The popular security software is currently showing “sensor tampering” alerts, primarily seen on Windows Server 2016 systems, warning that this was created by an OpenHandleCollector.exe process. The issue appears to date back to December 23rd, based on customer reports. Microsoft’s Tomer Teller, a Product Manager with the Enterprise Security Posture team, confirmed these are false positives and there is nothing to worry about from those specifically. The issue is related to the newly deployed Log4j scanner and how it detects Log4J instances on disk. The company is working on a fix for the issue, although it didn’t provide a timetable.

(Bleeping Computer)

T-Mobile confirms it was hit with SIM swap attacks

The company confirmed it informed a “very small number of customers” that they may have been hit with a SIM swapping attack, although it did not provide an exact number of impacted users or how the attacker pulled off the attacks. T-Mobile says these attacks have been mitigated and the root cause has been resolved. T-Mobile suffered a data breach impacting over 50 million customers over the summer, and announced it was entering into a long-term partnership with the security firm Mandiant to help shore up security. 

(Bleeping Computer)

Iranian group behind ransomware attack on Cox

The Record’s Catalin Cimpanu’s sources say the ransomware attack that impacted IT systems and live streams of Cox radio and TV stations in early June has been attributed to threat actors code-named DEV-0270, an APT with ties to Iran. Cox initially downplayed the attack, later admitting it suffered a ransomware attack in October. According to a Microsoft threat intelligence report on the group, the group has engaged in both intelligence gathering operations and financially motivated attacks in the past.

(The Record)

Log4j hits academia

Researchers at CrowdStrike observed a Chinese hacking group dubbed Aquatic Panda using the major vulnerability in Log4j to target a large academic institution, looking to harvest credentials for further exploitation. The group has been active since at least May 2020, focusing on industrial espionage and intelligence collection. The researchers believe the group used the exploit to gain access with VMware Horizon. CrowdStrike disrupted the attack before it was completed, so the exact intent of the group is unknown. Microsoft previously said it observed the Chinese group Hafnium using the exploit against virtualization infrastructure.

(CyberScoop)

Encryption software flaws impact storage devices across vendors

Western Digital recently updated its SanDisk SecureAccess encryption solution to fix vulnerabilities that could have let an attacker gain access through brute force and dictionary attacks. Security researcher Sylvain Pelissier discovered that this isn’t limited to Western Digital. The bug is actually found in the DataVault encryption software from ENC Security, and is found in storage devices from Sony and Lexar as well. ENC was informed of the flaws in May and released fixes in early December. While Sony and Western Digital have published advisories on the issue, Lexar did not respond to disclosure attempts.

(Security Week)

Tumblr on iOS sees further censorship

An update to Tumblr’s iOS app added a list of tags that will not appear in search or on a user’s dashboard. Tumblr said it had to “extend the definition of what sensitive content is” to remain on the App Store, although it said it’s working on “additional features for a less restricted iOS app experience.” Users report tags related to sexual, violent, and harmful content are now blocked, but also tags like “girl,” “sad,” “single mom,” “selfie,” and “me.” Tumblr has been trying to keep ahead of Apple’s content requirements since 2018, when Apple temporarily delisted its app after child pornography was discovered on it, resulting in Tumblr banning all adult content on its platform.

(The Verge)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.