Cyber Security Headlines – November 11, 2021

Trend Micro details long running hacker-for-hire group

According to a new 46-page report from the security company, Void Balaur has advertised its services and offered on-demand intrusions since the mid-2010s, targeting IT companies, telecoms, activists, journalists, and religious leaders. The group has only been observed advertising on Russian-language sites, and was initially believed to be a subgroup of the Russian-backed APT28 due to target overlaps. The group initially offered to break into specified email or social media accounts, before shifting in 2019 to advertising the sale of private data on individuals in Russia. In 2020 the group began targeting presidential candidates in the Belarus elections, before targeting politicians and government officials in Ukraine, Slovakia, Russia, Kazakhstan, Armenia, Norway, France, and Italy in 2021.

(The Record)

WP Reset PRO plugin works a little too well

Patchstack security researchers discovered a flaw in the popular WordPress plugin that allows authenticated attackers to entirely wipe websites. The flaw affects all released premium versions of the plugin. It is caused by a lack of authorization and token checks, and can be exploited by low-privileged users such as subscribers. Deleting all tables in the database requires only passing a simple query parameter. Once the site is wiped, an attacker can visit the homepage and set themselves up as an admin. The plugin claims to have over 400,000 users, and sites with open user registration would be particularly vulnerable.

(Bleeping Computer)
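To make the bug class concrete, here is an added illustration (not WP Reset PRO's code) of a destructive WordPress admin action gated the way the report says the plugin failed to gate it: a capability check, a nonce check, and an explicit confirmation value. All hook names, function names and the `demo_reset` prefix are hypothetical.

```php
<?php
// Added illustration of the flaw class described above; hypothetical plugin
// code, not WP Reset PRO's own. The vulnerable shape the report describes is
// a wipe wired to the mere presence of a query parameter, with no capability
// or nonce check, so any logged-in user (even a subscriber) can trigger it:
//
//   add_action('admin_init', function () {
//       if (isset($_GET['demo_reset'])) { demo_reset_drop_tables(); }
//   });
//
// Hardened shape: admin_post_* only fires for logged-in users, and the handler
// adds authorization, a CSRF token and a deliberate confirmation.
add_action('admin_post_demo_reset', 'demo_reset_handle_request');

function demo_reset_handle_request() {
    // 1. Authorization: being logged in is not enough for a site-wide wipe;
    //    require a capability only administrators hold.
    if (!current_user_can('manage_options')) {
        wp_die(__('Insufficient permissions.'), '', array('response' => 403));
    }

    // 2. Token check: the form must have been rendered with
    //    wp_nonce_field('demo_reset_nonce_action', 'demo_reset_nonce');
    //    a missing or stale nonce terminates the request with 403.
    check_admin_referer('demo_reset_nonce_action', 'demo_reset_nonce');

    // 3. Require a specific confirmation value, not just a present parameter,
    //    and read it from POST so a crafted link cannot carry it.
    $confirm = isset($_POST['confirm']) ? sanitize_text_field(wp_unslash($_POST['confirm'])) : '';
    if ($confirm !== 'reset') {
        wp_die(__('Confirmation missing.'), '', array('response' => 400));
    }

    demo_reset_drop_tables();
    wp_safe_redirect(admin_url('tools.php?page=demo-reset&done=1'));
    exit;
}

// The destructive operation itself, limited to tables carrying this site's
// prefix. Hypothetical helper body.
function demo_reset_drop_tables() {
    global $wpdb;
    $pattern = $wpdb->esc_like($wpdb->prefix) . '%';
    $tables  = $wpdb->get_col($wpdb->prepare('SHOW TABLES LIKE %s', $pattern));
    foreach ($tables as $table) {
        $wpdb->query("DROP TABLE IF EXISTS `$table`");
    }
}
```

The point to check in any plugin exposing a reset or delete action is that every entry point (AJAX, admin_post, REST, direct GET) reaches the same three gates before the destructive call.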

Zero-day found in Palo Alto Networks security appliances

Researchers at the security firm Randori developed a working zero-day exploit for Palo Alto Networks’ GlobalProtect firewall that allows unauthenticated remote code execution. The zero-day stems from a buffer overflow, and attackers would need to use HTTP smuggling techniques to reach it externally. Attackers would be able to gain a shell on the system, access configuration data, and extract credentials, and from there move laterally across the network. Randori discovered the vulnerability a year ago and has worked on the exploit since then. The researchers coordinated with Palo Alto on the disclosure, and will wait 30 days before publishing further technical details to allow time for patching.

(Threatpost)

Meta outlines Oversight Board problems

Meta’s quarterly update on the Oversight Board suggests the 30-day deadline to respond to its recommendations may be too tight. While the Board’s recommendations are non-binding, Meta found that teams took anywhere from 5 to 35 days to assess and respond to them. The current product roadmap for the Facebook product is set every six months, meaning the Board’s recommendations are being considered more along that timeline. Of the Board recommendations submitted in the last two quarters, 12 were implemented, 23 are in progress, and 17 are being assessed for feasibility. Meta also said the method of communication with the Board is often inefficient, with formalized lengthy written responses unable to handle more nuanced discussions.

(Protocol)

Thanks to our episode sponsor, Vulcan Cyber

Vulnerability scanners are commoditized. Cloud service providers provide free scanners. Open source scanners are plentiful. Your team doesn’t need another scanner, but they need to get better at identifying and prioritizing the risk that is buried in that scan data. Attend the Vulcan Cyber virtual user conference and learn how to assess and mitigate risk across all of your surfaces. Go to vulcan.io and click the button at the top of the screen to register for the event.

Apple Business Essentials launches

Apple announced this new program aimed at SMBs, which will combine device management, 24/7 phone support for IT staff and end users, business iCloud storage, and an option for onsite repairs for businesses of up to 500 employees. IT departments will be able to configure settings and apps across individual devices and groups. Signing in with work credentials will push settings such as VPN configurations and Wi-Fi information. IT staff can also enforce security settings such as FileVault usage on a Mac, including creating cryptographic separation for work data on personal machines. Pricing starts at $2.99 per user per month. A free beta starts today in the US, with a full launch coming in spring 2022.

(9to5Mac)

Twitter launches crypto team

The company announced it will build a Twitter Crypto team, which will oversee “all things blockchain at Twitter” as a further push toward decentralizing the social platform. According to engineering lead Tess Rinearson, the team will initially look to support the use of decentralized apps to manage virtual goods and currencies. Longer-term goals include looking at how to “push the boundaries of what’s possible with identity, community, ownership and more.” Twitter rolled out the ability to tip in Bitcoin in September.

(The Verge)

Judge denies Apple’s motion to stop third-party payment options

Judge Yvonne Gonzalez Rogers denied Apple’s motion for a stay on the injunction ordering Apple to allow developers to add links to external payment options in the App Store. Judge Rogers said, “Apple’s motion is based on a selective reading of this Court’s findings and ignores all of the findings which supported the injunction.” Apple claimed the injunction was needed to give it more time to prepare policy changes to the App Store, but Judge Rogers expressed incredulity given that it was requested indefinitely. Apple plans to appeal the denial of the stay to the Ninth Circuit. The injunction is still scheduled to take effect December 9th.

(The Verge)

Fishing site used for phishing

A hack of Britain’s largest angling outfitter resulted in visitors trying to reach Angling Direct being redirected to PornHub. This appears to be a coordinated effort rather than the work of pranksters, as the attackers also took over the site’s Twitter account, posting that the site had been acquired by PornHub parent company MindGeek and soliciting email registrations for premium memberships to access data. No ransom was listed, but the post did provide a contact email for Angling Direct to obtain “information and access.” The company said it doesn’t store customer financial data and that it would contact any affected individuals. The attack lasted from November 5th through 10th.

(InfoSecurity Magazine)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.