Cyber Security Headlines – December 8, 2021

AWS outage impacts Ring, Netflix, and Amazon deliveries

On Tuesday, Amazon’s AWS US-EAST-1 Region suffered an outage beginning at approximately 12 PM EST, affecting numerous online services, including Ring, Netflix, Amazon Prime Video, and Roku. Many Ring customers reported that they could not access their cameras, while Amazon employees were unable to access their package scanning apps and delivery routes, or see their upcoming schedule. The outage was caused by problematic network equipment that feeds a good portion of the connectivity for people in the northeastern part of the United States. Amazon issued workarounds to customers attempting to log into their services as it worked throughout the afternoon to roll out a fix. As of 6 PM EST on Tuesday, Amazon indicated that many services had been restored.

(Bleeping Computer)

Google announces lawsuit against Glupteba blockchain botnet 

Google announced Tuesday that it disrupted the command and control infrastructure of Russia-based Glupteba, a blockchain-backed botnet used to target Windows machines. Google wrote in a blog post that the company’s Threat Analysis Group had tracked Glupteba for months, adding, “Glupteba is notorious for stealing users’ credentials and data, mining cryptocurrencies on infected hosts, and setting up proxies to funnel other people’s internet traffic through infected machines and routers.” Google filed what it describes as a first-of-its-kind lawsuit against two Russian operators of the blockchain-enabled botnet, hoping to “create legal liability for the botnet operators, and help deter future activity.”

(ZDNet)

Microsoft seized domains used by cyberespionage group

Microsoft announced that it obtained a court warrant allowing it to seize 42 domains used by the China-linked APT15 group (aka Nickel, Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) to target organizations in the US and 28 other countries across multiple industries, including defense, high tech, energy, government, aerospace, and manufacturing. The group’s sophisticated attacks typically entailed a hard-to-detect implant used to spy on victims and exfiltrate data. APT15 has also been observed compromising third-party virtual private network (VPN) suppliers, using stolen credentials obtained from spear-phishing campaigns, and targeting on-premises Exchange and SharePoint systems with known exploits. Microsoft was able to sinkhole the seized domains to gather information about victims and redirect traffic from infected systems, preventing further data exfiltration and infections. Microsoft also claims to have blocked registration of 600,000 additional sites that the threat actors planned to use in their attacks.

(Security Affairs)

NSA and CISA release final 5G cybersecurity guidance

Experts from the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) led a public-private, cross-sector working group to produce and publish their third installment of guidance on protecting data within a 5G core cloud infrastructure. The guidance explains how to protect data in transit, at rest, or in use through the use of encryption, cryptographic keys, and secure protocols. The Chief of NSA’s Cybersecurity Collaboration Center, Morgan Adamski, said, “Data in a network as vast as 5G cloud infrastructures cannot be secured by a solitary entity. It takes the collaboration of government agencies and our industry partners.”

(Security Magazine)

Thanks to our episode sponsor, Tines

Tines was founded by experienced security practitioners who cared about their teams. When they couldn’t find an automation platform that delivered, they founded a company and built their own. A few years later, customers like Coinbase, McKesson, and GitLab run their most important security workflows on Tines – everything from phishing response to employee onboarding. To learn more, visit tines.com.

Twitter bots pose as support staff to steal your cryptocurrency

Threat actors have been abusing Twitter APIs to monitor all public tweets containing requests for support on MetaMask, TrustWallet, and other popular crypto wallets. After identifying the tweets, the scammers use Twitter bots posing as support agents that automatically reply seconds later with links appearing to offer technical support. Once the victim clicks on the link, they are directed to a fake support form hosted on Google Docs or another cloud platform that harvests their wallet recovery phrase, giving the attackers full access to the victim’s cryptocurrency wallet.

(Bleeping Computer)

Conti ransomware hits Nordic Choice Hotels

Nordic Choice Hotels announced a ransomware attack on its IT systems by the Conti gang. The attack left hotel staff unable to access the hotel’s reservation systems to manage check-in, check-out, payments and bookings, forcing them to resort to manual procedures to continue operations. While there is no indication that passwords or payment information was affected or accessed, guest booking information may have been leaked. The hotel indicated that it has not yet received a ransom demand and that it has opted not to contact the attackers. It has also warned guests to be wary of any suspicious communications they may receive.

(IT Security Guru)

Flaws in USB-over-network SDK affect millions of cloud users

Researchers from Sentinel Labs have discovered 27 vulnerabilities in the Eltima SDK, a library used by numerous cloud providers to remotely mount a local USB device. The rising trend of working from home has increased cloud providers’ use of Eltima’s SDK, and the implications of the issues are significant, as threat actors could remotely exploit the flaws to steal credentials and gain elevated access on a cloud desktop to run code in kernel mode. The vulnerabilities have been responsibly disclosed to Eltima, which has already released fixes for affected versions. However, it is now up to the cloud services to upgrade their software to use the updated Eltima SDK.

(Bleeping Computer)

Burnout can lead to security threats, insider risk

1Password has released “The Burnout Breach” report, studying the rising burnout rates across all industries throughout the COVID-19 pandemic. The report found that more than 80% of professionals are feeling burned out, leading to serious backsliding on security protocols. Burned-out employees are a third less likely to follow their company’s security guidelines and are 60% more likely to create, download or use software at work without IT’s permission. Security professionals are twice as likely as other workers to indicate that they are “completely checked out” and “doing the bare minimum at work.” Security professionals are also more likely than other types of workers to work around their company’s policies in order to solve their own IT problems or because they dislike the software their company provides.

(Security Magazine)

Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.