Cyber Security Headlines – November 18, 2021

CISA releases cyber response playbooks

The Cybersecurity and Infrastructure Security Agency released these response plans for federal civilian executive branch agencies, designed to streamline how they mitigate security vulnerabilities and respond in a consistent way. These include easy-to-read decision trees and sets of procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents. CISA hopes future versions of these plans will be useful to outside organizations to standardize incident responses. These plans were created in response to President Biden’s May 12th executive order to modernize the cybersecurity defenses of the federal government’s infrastructure against cyberattacks.

(Bleeping Computer)

Exec pleads guilty on internet address fraud

Amir Golestan, an executive at the company Micfo, pleaded guilty to using fraudulent means to obtain thousands of IP addresses from the American Registry for Internet Numbers. This is one of the first cases in federal court involving IP address fraud. Golestan acknowledged creating 10 fake personas to pose as heads of shell entities in order to obtain IP addresses. These addresses were valued at about $14 million. Golestan can face up to 20 years based on the charges, although likely will receive far less. Micfo catered its business to VPN operators and was suspected of hosting servers used for criminal purposes, although that issue was not the target of Golstan’s prosecution. 


Iranian ransomware targeting US organizations

A joint advisory from CISA, the FBI, the Australian Cyber Security Centre (ACSC), and the U.K’s National Cyber Security Centre (NCSC) claims that Iran-backed attackers have been exploiting vulnerabilities in Fortinet network appliances since at least March, as well as an Exchange ProxyShell vulnerability since October. The actors have been using these to gain access to critical US infrastructure organizations around transport and public health, ultimately planning to exfiltrate data and launch ransomware attacks. A separate report from Microsoft outlines the evolution of Iranian APTs, with one particularly aggressive group called Phosphorus shifting to social engineering to ultimately launch BitLocker attacks. The advisory urges organizations to update operating systems, segregate networks, and use multi-factor authentication. 


UK cyber response sees record number of intrusions

Over a 12-month period ending in September, the U.K. National Cyber Security Centre responded to a record number of cybersecurity incidents. On the year, the NCSC saw a 7% increase in incidents up to 777. Unsurprisingly, ransomware saw a huge surge in the year, with the agency responding to the same number of ransomware incidents in the first four months than it did for all of 2020. This continued a trend, as 2020 numbers were triple that of 2019. The NCSC said ransomware represented “the most significant cyber threat facing the U.K. this year,” yet found that businesses weren’t taking it seriously enough. 20% of all incidents were linked to the health sector, including COVID-19 vaccines. 


Thanks to our episode sponsor, Vulcan Cyber

Vulnerability scanners are commoditized. Cloud service providers provide free scanners. Open source scanners are plentiful. Your team doesn’t need another scanner, but they need to get better at identifying and prioritizing the risk that is buried in that scan data. Attend the Vulcan Cyber virtual user conference and learn how to assess and mitigate risk across all of your surfaces. Go to and click the button at the top of the screen to register for the event.

DDoS attacks up 35% in Q3

This finding comes from a new report from the VOiP provider Lumen, with the increase seen on the quarter. The largest attack it saw during that period was 612Gbps, 49% bigger than the largest attack it saw in Q2. Telcoms and tech companies were the most commonly targeted, followed by retail. The longest attack in Q3 lasted two weeks. Attacks also appeared to be getting more complex, with 28% involving a combination of four different attack types, DNS amplification, TCP RST, TCP SYN-ACK amplification and UDP amplification. DDoS attacks have been around for 25 years now, yet the report notes they remain relatively cheap, easy and effective at disrupting organizations. 

(InfoSecurity Magazine)

A look into the exploit economy

It’s no secret that there are online marketplaces out there that traffic in security exploits. Bleeping Computer put together a look into the budgets and vulnerabilities individuals are looking to buy on these marketplaces. They profiled an offer in early May to pay up to $25,000 for a proof-of-concept exploit for a critical-severity bug in a Pulse Secure VPN, as well as up to $3 million for a no-interaction remote code execution exploit in Windows or Linux. In comparison, the exploit acquisition company Zerodium offers up to $1 million for a similar exploit in Windows, with overall payouts maxing out at $2.5 million. Prices of up to $10 million for zero days have also been observed, and these offers are no longer restricted to APTs, with ransomware groups increasingly able to afford them. 

(Bleeping Computer)

Sending email from your watch somehow gets worse

Security researcher Tommy Mysk discovered that emails sent through the Apple Watch Mail app do not use Apple’s Mail Privacy Protection. This feature on mobile or a Mac downloads remote content in the background by default rather than when an email is opened, and routes all remote content downloaded by Mail through proxy servers to mask IP addresses. This makes things like tracking pixels particularly ineffective for tracking mail recipients. On the Watch, the watch’s real IP address is used. It’s unclear if this is a bug in the Apple Watch Mail app or a limitation of the platform.


Firefox expands Relay service

Mozilla announced a paid version of its Firefox Relay service, offering one subdomain address that can be used to create an unlimited number of email aliases. Users on this tier get access to a full dashboard to see mail across all aliases, and can reply to emails directly from an alias. The free version provides five email aliases, which will forward to a primary account. Based on feedback from initial free tier customers, Mozilla created the features of the premium service. The service currently costs $0.99 a month, although this is listed as a limited promotion.


Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.