Cyber Security Headlines – November 10, 2021

Robinhood breach impacts millions of customers

Robinhood Markets, Inc. disclosed that it suffered a data breach on November 3, affecting approximately 7 million customers. A threat actor tricked a customer service representative into providing access to internal support systems, from which the attacker then accessed email addresses of five million users and full names of approximately two million more. For 310 users, details including name, dates of birth, and zip codes were exposed, while extensive details for approximately 10 more customers were also disclosed. The attacker then attempted to blackmail the company, demanding payment. In an apparent attempt to help its customers avoid falling victim to a social engineering scam such as the one that worked on its own employee, Robinhood is directing concerned customers to its website Help Center, stating, “we’ll never include a link to access your account in a security alert.”

(Security Affairs)

Meta shares bullying and harassment numbers for the first time

The company formerly known as Facebook published reports on Tuesday, covering widely-viewed content and content banned for violating its rules. The reports indicated that hate speech now accounts for 0.03 percent of overall Facebook content, while bullying and harassment, which is being reported for the first time, accounts for 0.14 to 0.15 percent on Facebook and 0.05 to 0.06 percent on Instagram. While Facebook is trying to use the reports to show that harmful material does not dominate its platform, critics and experts argue that the numbers can obscure the fact that the small number of people who are most vulnerable to misinformation, bullying, and radicalization are repeatedly exposed to the same harmful content and can be severely damaged by it.

(The Washington Post)

Meta to remove sensitive ad-targeting categories as new bill takes aim at online platform algorithms

Meta said on Tuesday it plans to eliminate advertisers’ ability to target people with promotions based on thousands of factors including health, race and ethnicity, political affiliation, religion, and sexual orientation. The move, which takes effect on Jan. 19, affects advertisers on Meta’s apps such as Facebook, Instagram and Messenger. While Meta relies on targeted advertising for the bulk of its $86 billion annual revenue, it said the changes will help limit abuse of its targeting tools. And although the move may not be popular with advertisers, Meta has decided to continue forward as it faces intense scrutiny over use of its algorithms which have been found to lead to harmful and discriminatory advertising.

Meta’s move may have come just in time, as a bipartisan group of House lawmakers has introduced a bill that takes aim at internet platform algorithms. The Filter Bubble Transparency Act would require internet platforms to allow users to opt out of having personal data-driven algorithms select the content they see. House Republican sponsor Ken Buck stated, “Consumers should have the option to engage with internet platforms without being manipulated by secret algorithms driven by user-specific data.” Of note, the bill would exempt smaller companies with fewer than 500 employees, with annual gross receipts lower than $50,000,000, and those that gather data on fewer than one million users annually.

(The New York Times and Axios)

Thanks to our episode sponsor, Vulcan Cyber

Matt Hurewitz is the associate director of application security at Best Buy. Matt has a theory that a risk-based approach to application security is more effective than a faith-based approach. We agree. Attend the Vulcan Cyber virtual summit on December 9th to hear how Matt and the Best Buy team approach application security. Learn from the best. Registration is free for your entire team. Go to vulcan.io and click the button at the top of the screen to register for the event.

Microsoft Patch Tuesday fixes 2 zero-days

Microsoft’s November Patch Tuesday security updates address a total of 55 vulnerabilities across a host of Microsoft products, including fixes for two zero-day flaws. The first is a post-authentication vulnerability in Exchange 2016 and 2019 which Microsoft has indicated is under active exploitation, while the other is a code execution issue triggered by a victim opening a malicious file with an affected version of Excel. In total, Microsoft has fixed six Critical severity bugs and 49 rated as Important. Zero Day Initiative posted, “Historically speaking, 55 patches in November is a relatively low number. Last year, there were more than double this number of CVEs fixed.”

(Security Affairs)

Hacking campaign now targeting Docker servers

In an ongoing campaign which began last month, poorly configured Docker servers are being actively targeted by the TeamTNT hacking group. According to a report from TrendMicro, the campaign uses exposed Docker REST APIs to install Monero cryptominers, scan for other vulnerable Internet-exposed Docker instances, and perform container-to-host escapes to access the main network. The container image used is based on the AlpineOS system and configured to allow root-level permissions on the underlying host. TrendMicro has seen over 150,000 pulls of malicious Docker Hub account images during the campaign.

(Bleeping Computer)
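The two conditions the campaign relies on, a Docker REST API reachable over the network and containers granted root-level access to the host, are both visible in configuration a defender already holds. The following audit script is an added example for this digest, not code from the article, Trend Micro or Docker; it reads a constructed daemon.json and constructed records shaped like `docker inspect` output (only the fields it checks are included) and flags the settings that make an instance a candidate for this kind of abuse.

```python
"""Audit Docker daemon and container settings for the weaknesses described
in the TeamTNT campaign write-up: an unauthenticated TCP REST API and
containers with root-level reach into the host.

Added example, not part of the original article. The daemon.json text and the
inspect-style records below are constructed samples.
"""
import json

# Constructed sample daemon.json: API exposed on every interface over plain TCP.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tls": False,
})

# Constructed sample containers, trimmed to the fields `docker inspect`
# reports and this audit needs.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/batch-job",
        "Config": {"Image": "alpine:3.14", "User": ""},
        "HostConfig": {
            "Privileged": True,
            "PidMode": "host",
            "Binds": ["/:/host", "/var/run/docker.sock:/var/run/docker.sock"],
        },
    },
    {
        "Name": "/web",
        "Config": {"Image": "nginx:1.21", "User": "101:101"},
        "HostConfig": {
            "Privileged": False,
            "PidMode": "",
            "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
        },
    },
])


def audit_daemon(daemon_json: str) -> list:
    """Return findings for daemon settings that expose the REST API."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix sockets are local-only and out of scope here
        addr = host[len("tcp://"):]
        # A TCP listener without TLS lets anyone who can reach the port drive
        # the daemon, which runs as root on the host.
        if not cfg.get("tls", False) and not cfg.get("tlsverify", False):
            findings.append(f"API listens on {addr} without TLS")
        if addr.startswith("0.0.0.0") or addr.startswith("[::]"):
            findings.append(f"API bound to all interfaces ({addr})")
    return findings


def audit_containers(inspect_json: str) -> dict:
    """Map container name -> settings that give it root-level reach into the host."""
    findings = {}
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")
        host_cfg = container.get("HostConfig", {})
        issues = []
        if host_cfg.get("Privileged"):
            issues.append("privileged")
        if host_cfg.get("PidMode") == "host":
            issues.append("host PID namespace")
        for bind in host_cfg.get("Binds", []):
            src = bind.split(":")[0]
            # Mounting the host root or the daemon socket is an escape path.
            if src in ("/", "/var/run/docker.sock"):
                issues.append(f"host mount {src}")
        if not container.get("Config", {}).get("User"):
            issues.append("runs as root inside container")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    print(audit_daemon(SAMPLE_DAEMON_JSON))
    print(audit_containers(SAMPLE_INSPECT))
```

On a real host the same two functions can be fed `/etc/docker/daemon.json` and the output of `docker inspect $(docker ps -q)`; the checks are deliberately conservative and report only settings that directly grant host-level access.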

Iranian hackers targeting telecoms and ISPs

Researchers published a report on Tuesday revealing that the Iranian APT group Lyceum is now focusing on infiltrating the networks of telecom companies and internet service providers (ISPs). According to the report, Lyceum’s campaign operated between July and October, targeting ISPs and telecoms across Israel, Morocco, Tunisia, and Saudi Arabia, as well as an attack against an African ministry of foreign affairs. Lyceum’s initial attack vectors include credential stuffing and brute-force attacks, seeking subscriber data and the ability to surveil other targets of interest. The researchers indicate that several of the compromises identified remained active at the time of publication.

(ZDNet)
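Credential stuffing and brute-force attempts leave distinct traces in authentication logs: brute force piles failures onto one account from one source, while stuffing spreads single attempts across many accounts from one source. The detector below is an added example written for this digest, not code from the article or the cited report; it runs over constructed log lines in a generic `timestamp user source outcome` layout (not any vendor's format) and raises one alert per pattern using a sliding time window.

```python
"""Flag brute-force and credential-stuffing patterns in authentication logs.

Added example, not part of the original article. The log lines, field layout,
thresholds and window size are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: ISO timestamp, username, source IP, outcome.
SAMPLE_LOG = """\
2021-11-09T10:00:01Z alice 203.0.113.5 FAIL
2021-11-09T10:00:03Z alice 203.0.113.5 FAIL
2021-11-09T10:00:05Z alice 203.0.113.5 FAIL
2021-11-09T10:00:07Z alice 203.0.113.5 FAIL
2021-11-09T10:00:09Z alice 203.0.113.5 FAIL
2021-11-09T10:01:00Z bob 198.51.100.7 FAIL
2021-11-09T10:01:02Z carol 198.51.100.7 FAIL
2021-11-09T10:01:04Z dave 198.51.100.7 FAIL
2021-11-09T10:01:06Z erin 198.51.100.7 FAIL
2021-11-09T10:01:08Z frank 198.51.100.7 FAIL
2021-11-09T10:02:00Z alice 192.0.2.9 FAIL
2021-11-09T10:02:10Z alice 192.0.2.9 OK
"""


def parse(log_text: str) -> list:
    """Turn the constructed log format into event dicts with real timestamps."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src": src,
            "result": result,
        })
    return events


def detect(events: list, window_s: int = 60,
           brute_threshold: int = 5, stuffing_threshold: int = 5) -> list:
    """Return sorted (kind, source, user) alerts.

    brute_force: >= brute_threshold failures for one (source, user) pair
                 inside window_s seconds.
    credential_stuffing: failures against >= stuffing_threshold distinct
                 users from one source inside window_s seconds ("*" as user).
    """
    failures = sorted((e for e in events if e["result"] == "FAIL"),
                      key=lambda e: e["ts"])
    alerts = set()
    per_pair = defaultdict(list)       # (src, user) -> failure timestamps
    per_source = defaultdict(list)     # src -> (timestamp, user) of failures

    for ev in failures:
        pair_window = per_pair[(ev["src"], ev["user"])]
        pair_window.append(ev["ts"])
        # Drop entries older than the window so counts stay time-bounded.
        while (pair_window[-1] - pair_window[0]).total_seconds() > window_s:
            pair_window.pop(0)
        if len(pair_window) >= brute_threshold:
            alerts.add(("brute_force", ev["src"], ev["user"]))

        src_window = per_source[ev["src"]]
        src_window.append((ev["ts"], ev["user"]))
        while (src_window[-1][0] - src_window[0][0]).total_seconds() > window_s:
            src_window.pop(0)
        if len({u for _, u in src_window}) >= stuffing_threshold:
            alerts.add(("credential_stuffing", ev["src"], "*"))

    return sorted(alerts)


def run_sample() -> list:
    """Run the detector over the constructed log."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, src, user in run_sample():
        print(f"{kind}: source={src} user={user}")
```

The single failure followed by success from 192.0.2.9 is the benign case a mistyped password produces and correctly yields no alert; in production the thresholds and window would be tuned to the service's normal failure rate, and the source field may need to be an account or device identifier rather than an IP when traffic arrives through NAT.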

Angling Direct’s website hijacked and redirected to porn site

The U.K.’s largest fishing retailer, Angling Direct, was hacked on November 5, resulting in its domain being redirected to Pornhub. The attackers obtained login credentials for Angling Direct’s Twitter and other social-media accounts, which they used to alert the company and its customers to the breach through a tweet on November 7. The @anglingdirect Twitter feed also falsely announced that the fishing gear seller had been sold to MindGeek, the company behind Pornhub, adding that Angling Direct customers were entitled to a free subscription to the adult site. Angling Direct’s Board has appointed external cybersecurity specialists to investigate, while its stock price has dipped more than 11% since the incident.

(Threatpost)