SuperMicro supply chain hack used for counterintelligence for a decade

The California-based manufacturer of computer hardware finds itself embroiled in a controversy involving Chinese infiltration of its products, that resulted, for example, in Department of Defense data being sent to China, a malware driven breach at Intel, and numerous other instances of backdoor and startup codes infiltrating US companies. This, according to a report by Bloomberg. Rather than stop the hack, the FBI chose to use the manipulated products to learn more about China’s capabilities in this area. Neither Supermicro nor any of its employees have been accused of wrongdoing, and China refutes the allegations. But the FBI and in cybersecurity experts point out how much this story amplifies the risks of penetration that exist within global technology supply chains.

(Bloomberg)

Egregor ransomware operators arrested in Ukraine

Members of the Egregor Ransomware-as-a-Service cartel have been arrested this week in Ukraine, the result of a joint investigation between French and Ukrainian police. The arrested suspects are believed to be “affiliates” of the main Egregor gang, but regardless, Recorded Future has observed that Egregor systems, including their extortion site and command and control infrastructure, has been offline since at least Friday, which is unusual for an organization as well-financed as Egregor. A report published by Coveware last month confirmed Recorded Future‘s assessment, listing Egregor as the second most active ransomware gang for Q4 2020.

(ZDNet)

Scammers target US tax pros in ongoing IRS phishing attacks

The IRS has warned US tax professionals of identity thieves actively targeting them in a series of phishing attacks attempting to steal Electronic Filing Identification Numbers. The scammers’ goal is to steal both client data and tax preparers’ identities to illegally file tax returns for refunds by impersonating the targeted professionals. Phishing emails ask tax preparers to email copies of their EFIN (e-file identification number) and Driver’s license as part of a bogus verification process. To convince potential victims to hand over their info, the attackers threaten that the account they use to file tax documents electronically will be disabled.

(Bleeping Computer)

PayPal fixes XSS bug in user wallet currency converter

A reflected cross-site scripting vulnerability was discovered by a bug bounty hunter in the currency converter feature of PayPal user wallets one year ago. According to PayPal, the flaw resided in the currency conversion endpoint and was caused by a failure to properly sanitize the input in a parameter in the URL, allowing an attacker to inject malicious code that could be executed within the browser. PayPal states that the flaw has now been fixed and paid the bug hunter $2,900.

(Security Affairs)

Thanks to our episode sponsor, Kenna Security

Ready to shift gears to risk-based vulnerability management? Now’s the time. Through Kenna Security’s on-demand educational series Kenna Katalyst, you can learn the six steps needed to start your own risk-based vulnerability management program and make vulnerability management … well, more manageable. And you can earn 1 CPE credit through (ISC)². Learn more at kennasecurity.com/katalyst.

Telegram privacy feature failed to delete self-destructing video files

Telegram has now fixed a security issue in which files were not being deleted from user’s macOS devices as expected. The self-destruct feature was part of its ‘Secret Chat’ mode, but security researcher Dhiraj Mishra, performing a Telegram security audit on macOS, discovered that standard chats would leak the sandbox path where received video and audio files are stored. When the media self-destructed and was removed from the chat, the actual media files were still accessible in the computer’s folder. Dishra reported the vulnerabilities on December 26th, 2020, and they are now fixed in Telegram 7.4.

(Bleeping Computer)

Facial recognition technology purportedly capable of identifying political views

Research led by Michael Kosinski, Associate Professor of Organizational Behaviour at Stanford University, suggests that FCT can accurately identify individuals’ political orientation by comparing their similarity to other faces of known liberals and conservatives using a facial recognition algorithm applied to images of over a million people on Facebook and dating apps. Political orientation was accurately categorized in 72% of liberal-conservative face pairs, which proves more accurate than chance or questionnaire. The study’s findings are facing severe criticism, especially whether the accuracy of the identification comes not from facial topology but from personal grooming and presentation choices.

(Analytics Insight)

New Jersey blames Microsoft for underperforming coronavirus vaccine sign-up website

The US state’s CovidVaccine.nj.gov website, which is supposed to allow people to book appointments for their shots, and uses Microsoft’s Vaccination Management platform, has suffered repeated outages, and double bookings. According to state officials, Microsoft also appears to be using too few support people, many of these offshore in incompatible time zones. Officials admit that the platform has successfully handled thousands of people already, but there are concerns about how the system will scale with increased demand. Governor Phil Murphy defended the program by saying, “we are building the airplane here as we’re flying it.”

(The Register)

Jack Dorsey and Jay Z invest 500 BTC to make Bitcoin ‘internet’s currency’

The duo is putting 500 bitcoin, which is currently worth $23.6 million, in the endowment called ₿trust, to fund bitcoin development initially in Africa and India. The mission of the fund is to “make bitcoin the internet’s currency.” Twitter CEO Jack Dorsey has long supported the adoption of cryptocurrency. Square already supports bitcoin and last year acquired about $50 million worth of bitcoin for its corporate treasury, and Twitter is studying the potential use of bitcoin to pay its employees and vendors.

(TechCrunch)