HomePodcastCyber Security HeadlinesCyber Security Headlines - March 23, 2021

Cyber Security Headlines – March 23, 2021

SCOTUS: Facebook’s still on the hook for nonconsensual user tracking 

On Monday, the Supreme Court refused to hear Facebook’s bid to pare back a $15 billion class action lawsuit accusing the company of illegally tracking internet users even when they’re logged out. Facebook had appealed a lower court’s ruling that revived proposed nationwide litigation accusing the company of violating a federal law called the Wiretap Act by secretly tracking users as they visit sites that use Facebook features such as the “like” button. The proposed class action suit was proposed by four people and seeks $15 billion in damages. The company stopped the nonconsensual tracking after it was exposed by a researcher in 2011, court papers said.

(Reuters)

Democrats prepare swarm of antitrust bills targeting Big Tech

They’re not preparing a big, hulking antitrust bill to rein in Big Tech. That would be an easy target to defeat. Instead, Democrats are preparing about 10 smaller, narrowly focused bills that should be ready in May. Rep. David Cicilline, who runs the House Judiciary Committee’s antitrust panel, told Axios that narrowly targeted bills have a better chance of gaining bipartisan support and that this approach makes it tougher for the likes of Amazon, Facebook, Apple and Google to quickly flex their lobbying muscles against reforms they don’t like. He’s also taking aim at Section 230 of the Communications Decency Act: also known as online companies’ key protection against liability from users’ posts, 

(Axios)

Microsoft Exchange servers flooded with ransomware

Yet another ransomware campaign—this one is known as “Black Kingdom”—is exploiting the Microsoft Exchange Server ProxyLogon vulnerabilities to encrypt servers. Submissions to ransomware identification site ID Ransomware show that Black Kingdom has been encrypting servers since at least as early as March 18th. Michael Gillespie, the creator of ID Ransomware, told BleepingComputer that his system has seen over 30 unique submissions, with many being submitted directly from mail servers. The ransom notes demand $10,000 in bitcoin, but the  Bitcoin address had received only one payment on March 18th.

(BleepingComputer)

GAO says it’s not entirely sure how safe the electric grid is

The U.S. Government Accountability Office—the GAO—says that the electricity grid’s  distribution systems are increasingly vulnerable to cyberattacks, but it doesn’t really know what the potential impact of an attack would be. In a new report, the GAO said that the Department of Energy—the DOE—hasn’t yet outlined what steps it would take to fully address risks to distribution systems, though it did update its plans following a 2019 GAO report on grid cyber-security issues. For one thing, DOE’s plans don’t address weaknesses in supply chains. Officials say that the DOE hasn’t tackled that question because it has instead prioritized risks to the grid’s generation and transmission systems. 

(Security Week)

Thanks to our episode sponsor, Trend Micro

Threat actors want what you’re storing in the cloud. Trend Micro’s Cloud One platform provides cloud security from a single console, keeping you at your most resilient. Let what happens in the cloud, stay in the cloud.

UK faces ‘catastrophic’ digital skills shortage

The number of students enrolling in IT courses has plummeted, meaning the UK is heading for a “catastrophic” digital skills shortage that will affect the country’s cybersecurity landscape. According to a new report from the Learning & Work Institute, the number of students enrolling in IT courses fell by 40% from 2015 to 2020. 76% of businesses said a lack of digital skills would affect profitability, and 88% of young people said that digital skills will be “essential” for their career. Just filling the pipeline by getting more students to enroll won’t cut it, experts say. Adam Philpott, EMEA president at McAfee, said that to close the gap, we’ll need to also train current employees or run “returnship” programs for career changers. 

(Info Security)

Energy giant Shell says it lost data in Accellion attack

Shell, the fifth-largest company in the world, said last week that it was swept up in the December 2020 attack on Accellion’s File Transfer Appliance (FTA) file sharing service. FTA is a legacy service designed for sharing large files. With only about 300 customers at the time of the attack, FTA was supposed to be retired shortly before cyber criminals exploited zero-day flaws to gain access to customer data. Up to 25 of those customers suffered significant data loss after the incident. Shell lost personal and corporate data but said in a public advisory that as of yet, it hadn’t detected a breach to its core IT systems. 

(Bleeping Computer)

Email encryption app paid for fake reviews

“Super easy privacy,” one review said. “I suggest it all the time to friends,” another said. Well, yes, I’m sure, particularly given that the reviewer is the CEO of the company behind the app. It makes the eponymous pEp email encryption apps for Android and iOS. Thanks to leaked emails, Motherboard discovered that pEp’s CEO  commissioned a marketing company to write the fake reviews that he himself penned last summer. He asked marketing company Mobiaso to post 40 five-star reviews to Google Play, paying $325 for 50 fake reviews, though only 20 were actually posted. Motherboard quoted the Electronic Frontier Foundation’s director of cybersecurity, Eva Galperin, who called it “A novel approach to ‘zero trust,’ I wouldn’t trust them.”

(Vice)

Adobe issues emergency patch for critical ColdFusion flaw

Adobe has issued an emergency update and is urging users to patch a critical Adobe ColdFusion flaw that enables arbitrary code execution attacks. This is an unscheduled security update for the platform, which is used for building web applications. It comes two weeks after Adobe’s regularly scheduled batch of security updates, during which the company issued patches for gobs of critical security vulnerabilities that could likewise allow for arbitrary code execution on vulnerable Windows systems. On Monday, Adobe said that this latest fix is an important one, but fortunately, it hasn’t seen exploits in the wild. 

(Threatpost)

RELATED ARTICLES

Most Popular