Cyber Security Headlines – March 10, 2021

Microsoft March Patch Tuesday fixes 82 flaws, 2 zero-days

Yesterday was Microsoft’s March 2021 Patch Tuesday. With this update, Microsoft has fixed 82 vulnerabilities, with 10 classified as critical and 72 as important. These numbers do not include the 7 Microsoft Exchange and 33 Chromium Edge vulnerabilities released earlier this month. Two zero-day vulnerabilities that were publicly disclosed and known to be used in attacks were also patched. Last week, Microsoft released out-of-band security updates for the ProxyLogon vulnerabilities, which threat actors worldwide are actively exploiting to compromise Microsoft Exchange servers. Numerous industry writers strongly suggest that while installing the updates will prevent a server from being compromised, the attacks have been so pervasive that admins should analyze all Exchange servers for signs of compromise that may have occurred before the patches were installed.

(Bleeping Computer)

Hackers access surveillance cameras at Tesla, Cloudflare, banks, more

Hackers gained access to live surveillance cameras installed at Tesla, Equinox, healthcare clinics, jails, and banks, including the Bank of Utah. In addition to images captured from the cameras, the hackers also shared screenshots of their ability to gain root shell access to the surveillance systems used by Cloudflare and at Tesla HQ. Known as OperationPanopticon, the hackers gained access to 150,000 cameras belonging to Verkada, a surveillance company that works with all of these organizations. The hackers found hardcoded credentials for a Verkada super admin account in exposed DevOps infrastructure. This is being considered a major breach for Verkada as well as a demonstration of how easy it is to hack security cameras.

(The Verge)

CISA urges people to get serious about Exchange Server exploitation

The US Cybersecurity and Infrastructure Security Agency (CISA) is urging “ALL organizations across ALL sectors” to address Microsoft Exchange Server vulnerabilities. CISA has provided a set of guidelines designed to walk IT security staff and organizations’ leaders through the process of fixing the vulnerabilities. Exploitation is ongoing, attackers may have established themselves in their victims’ systems, and there’s more to an effective response than simply patching.

(Cyberwire)

Reproducing the Microsoft Exchange Proxylogon exploit chain

With the severity of the Proxylogon attack continuing to grow, Praetorian Labs has announced that it has reverse engineered the initial security advisory and subsequent patch and successfully developed a fully functioning end-to-end exploit. Their blog points out that while they have elected to refrain from releasing the full exploit, they recognize a complete exploit will be released by the security community shortly, but that the hours or days in between will provide additional time for people to patch the critical vulnerability. Praetorian recognizes that Microsoft has developed and published scripts and emergency patches to aid in the mitigation of these vulnerabilities but points out the exploitation of Proxylogon has been so widespread that operators of externally facing Exchange servers must turn to incident response and eviction.

(Praetorian Labs)

Thanks to our episode sponsor, Trend Micro

With organizations rapidly migrating to the cloud, CISOs have new challenges to address. Trend Micro Cloud One(tm) is a connected SaaS platform comprised of six solutions that address all your cybersecurity needs from workloads, to file storage, containers and more. Empower your IT teams to do more with less with Trend Micro Cloud One. Visit us at Trendmicro.com for more info.

9 Android apps on Google Play caught distributing malware

Researchers have discovered a new malware dropper contained in as many as 9 Android apps distributed via the Google Play Store that deploys a second-stage malware capable of gaining intrusive access to the financial accounts of victims as well as full control of their devices. Dubbed Clast82, “the dropper avoids detection by Google Play Protect detection, completes the evaluation period successfully, and changes the payload dropped from a non-malicious payload to the AlienBot Banker and MRAT,” researchers from Check Point said. The apps that were used for the campaign include Cake VPN, Pacific VPN, eVPN, BeatPlayer, QR/Barcode Scanner MAX, Music Player, tooltipnatorlibrary, and QRecorder. The research findings were reported to Google on January 28, and the apps were removed from the Play Store on February 9.

(The Hacker News)

COVID-19 Vaccine-related phishing scams on the rise

Recent analysis from Barracuda conducted between October 2020 and January 2021 found that threat actors are leveraging vaccine-related emails in targeted spear-phishing attacks. This has increased by 12% after some pharmaceutical companies announced the availability of vaccines in November 2020. The attacks come in three main forms: brand impersonation attacks which mimic popular pharmaceutical companies and advertise early access to vaccines in exchange for payment, impersonation of health care professionals that trick users into revealing their personal information, and more traditional business email compromise (BEC) attacks.

(CISOMag)

DoJ warns about fake unemployment benefit websites

The U.S. Department of Justice (DoJ) is warning users and organizations about targeted attacks from cybercriminals driving victims to fake websites that mimic those of the State Workforce Agency (SWA). These websites are designed to trick consumers into thinking they are applying for unemployment benefits and into disclosing personally identifiable information. The DoJ reminds users that companies generally do not contact people to ask for usernames and passwords.

(CISOMag)

iPhone Call Recorder bug gave access to other people’s conversations

An iOS call recording app has patched a security vulnerability that gave anyone access to the conversations of thousands of users by simply providing the correct phone numbers. The application’s name is “Automatic call recorder” or “Acr call recorder” and it has thousands of user reviews in the App Store amounting to a rating above 4 stars; it has also been listed among the top call recording apps for iPhone. Security researcher Anand Prakash found the app’s cloud storage on Amazon along with host names and some sensitive data that it used. Because the responding API did not perform any authentication, it returned the recordings associated with the phone number passed in the request and leaked that user’s entire call history, Prakash says.

(Bleeping Computer)
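The call recorder story above is a textbook missing-authentication flaw: the server keyed recordings on a caller-supplied phone number and never asked who was calling. The following added example (not code from the app, the article, or the researcher) models that endpoint in plain Python with a vulnerable lookup next to a hardened one. The recording store, session table, token names and phone numbers are constructed sample data; the handler names are hypothetical. The hardened version first authenticates the bearer token, then authorizes by checking that the requested number is the one bound to the session, so a valid login for one account still cannot read another account's history.

```python
# Added example, not from the article or the app: a minimal model of an
# API that returns call recordings by phone number, shown both without
# (vulnerable) and with (hardened) authentication and authorization.
from dataclasses import dataclass
from typing import Optional
import secrets

# Constructed sample store: recording names keyed by the owning phone number.
RECORDINGS = {
    "+15550001111": ["rec-a1.m4a", "rec-a2.m4a"],
    "+15550002222": ["rec-b1.m4a"],
}

# Constructed session table: bearer token -> phone number it was issued to.
# A real service would keep this in a session store with expiry.
SESSIONS = {
    "tok-alice": "+15550001111",
    "tok-bob": "+15550002222",
}


@dataclass
class Response:
    status: int   # HTTP-style status code
    body: object  # JSON-like payload


def get_recordings_vulnerable(phone: str) -> Response:
    """Mirrors the flaw described in the article: no authentication at all,
    so anyone who knows (or guesses) a phone number gets that user's history."""
    return Response(200, RECORDINGS.get(phone, []))


def _lookup_session(token: str) -> Optional[str]:
    """Return the phone number bound to a token, or None if the token is unknown.
    compare_digest is used so the comparison does not short-circuit on the
    first differing character (mitigates timing side channels on token checks)."""
    owner = None
    for known_token, bound_phone in SESSIONS.items():
        if secrets.compare_digest(known_token, token):
            owner = bound_phone
    return owner


def get_recordings_hardened(auth_header: Optional[str], phone: str) -> Response:
    """Authenticate first (who is calling?), then authorize (may they read this number?)."""
    # Step 1: authentication. Reject requests with no or malformed credentials.
    if not auth_header or not auth_header.startswith("Bearer "):
        return Response(401, {"error": "authentication required"})
    token = auth_header[len("Bearer "):]
    owner = _lookup_session(token)
    if owner is None:
        return Response(401, {"error": "invalid session"})

    # Step 2: authorization. The client-supplied phone number is untrusted
    # input; it may only be served if it matches the authenticated identity.
    # Returning 404 instead of 403 avoids confirming which numbers have accounts.
    if owner != phone:
        return Response(404, {"error": "not found"})

    return Response(200, RECORDINGS.get(phone, []))


if __name__ == "__main__":
    # Same request, both handlers: an anonymous caller asks for Bob's recordings.
    print("vulnerable:", get_recordings_vulnerable("+15550002222"))
    print("hardened, no token:", get_recordings_hardened(None, "+15550002222"))
    print("hardened, Alice's token:", get_recordings_hardened("Bearer tok-alice", "+15550002222"))
    print("hardened, Bob's token:", get_recordings_hardened("Bearer tok-bob", "+15550002222"))
```

The design point is that binding the lookup to the session's own identity, rather than trusting the identifier in the request, is what closes the hole; authentication alone would still let any logged-in user enumerate other people's numbers.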

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.