Cyber Security Headlines – June 9, 2021

StackOverflow, Twitch, Reddit, others down in Fastly CDN outage

A Who’s Who of major websites around the world also including Amazon, CNN, Shopify, Hulu, Quora, the BBC and many others went down or slowed yesterday. Browsers received a “503 Service Unavailable” notice or CSS-free web pages as content failed to arrive. The outage was traced to San Francisco-based Fastly, a popular content delivery network. Fastly calls the occurrence, which lasted just an hour, a “global CDN disruption.”

(Bleeping Computer and TechCrunch)

Hundreds arrested in massive global crime sting using messaging app

More than 800 suspected criminals have been arrested worldwide after being tricked into using an FBI-run encrypted messaging app, officials say. The operation, jointly conceived by Australia and the FBI, saw devices with the ANOM app secretly distributed among criminals, allowing police to monitor their chats about drug smuggling, money laundering and even murder plots. The idea for the operation came after two other encrypted platforms were taken down by law enforcement agencies, leaving criminal gangs in the market for new secure phones. The devices were initially used by alleged senior crime figures, giving other criminals the confidence to use the platform.

(BBC News)

Capitol Hill tech vendor is the latest ransomware victim

An email newsletter provider with dozens of customers on Capitol Hill has suffered a ransomware attack, the U.S. House of Representatives confirmed Tuesday. iConstituent is a platform designed to help government officials reach out to the voting public. House Chief Administrative Officer Catherine Szpindor stated that the office “is not aware” of any House data being impacted by the breach thus far.

(Gizmodo)

47% phishing increase in first quarter of 2021

PhishLabs identified 47% more phishing sites in Q1 of 2021 than there were in Q1 of 2020. This trend is continuing as Q2 attacks are also up significantly year-over-year. Social media, especially messaging apps, topped the list for the first time, suggesting that threat actors are increasingly drawn to the massive reach and often careless user attitudes toward the security of their social media accounts. Accounts used for single sign-on (SSO) were also heavily targeted in Q1, accounting for 40% of overall phishing volume.(Phishlabs)

Thanks to our episode sponsor, Trend Micro

Banner: Trend Micro
Want to discover new ways to simplify and strengthen your security? Join Trend Micro Perspectives on June 16, where industry experts and practitioners will share deep insights and real-world examples on how security can play a pivotal role in accelerating your digital transformation. Featuring speakers from Gartner, Forrester, ESG, AWS, and Microsoft. Visit TrendMicro.com/Perspectives today to register.

Windows Virtual Desktop is now Azure Virtual Desktop

As a result of the pandemic-induced remote work scenario, Microsoft has rebranded its Windows Virtual Desktop to Azure Virtual Desktop. According to Kam VedBrat, Microsoft’s general manager for Azure Virtual Desktop, the chance was done largely in response to interest from large enterprises and small businesses that suddenly had to find ways to better support their remote workers. The Azure Virtual Desktop offers enhanced support for Azure Active Directory that will software vendors to deliver their apps as a SaaS solution. VedBrat also noted that more customers are starting to see Windows in the context of Azure cloud rather than a stand alone brand.

(TechCrunch)

Vulnerability affecting Microsoft Office included in Patch Tuesday

Four security vulnerabilities discovered in the Microsoft Office suite, including Excel and Office online, could be potentially abused by bad actors to deliver attack code via Word and Excel documents. Three of the four flaws were fixed by Microsoft as part of its Patch Tuesday update for May 2021, with the fourth patch issued in June’s update that rolled out yesterday. Arising out of parsing mistakes made in legacy code found in an obscure Excel 95 graphing format, the vulnerabilities were made to be more serious due to the ability for the entire Office suite to embed Excel objects, thus broadening the attack vector to all Office software, including Word, Outlook and PowerPoint.

(The Hacker News)

Adobe patches major security flaws in PDF Reader, Photoshop

Adobe’s product security response machine revved into high gear this week with the release of multiple patches for gaping security holes in widely deployed software products. This month’s patches address potentially dangerous vulnerabilities in Adobe Acrobat and Reader, Adobe Photoshop, and the Adobe Creative Cloud Desktop Application. The most serious of the vulnerabilities could allow attackers to take complete control of a Windows or macOS machine with minimal user action. In some cases, malicious exploits can be triggered remotely to hijack unpatched machines, Adobe warned.

(SecurityWeek)

Apple continues privacy war with app tracker reports

Apple device users will now be able see when individual apps request to access features such as the microphone, camera and phone gallery, plus which third parties they have connected with in the last seven days. The new “app privacy report” feature was unveiled at the firm’s annual developers’ conference, WWDC. It will allow users to dive deep into when exactly an app used the permissions it has been given – and what third-party websites it contacted or sent data to.

(BBC)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.