Worldwide campaign targets ZeroLogon exploit

Security researchers at Symantec have documented companies in 17 regions being impacted by this campaign across the automotive, pharmaceutical, engineering, and managed service provider industries. The campaign has been linked back to the Cicada threat group, which has been operating since 2009 and has typically targeted Japanese businesses. While the group's latest attacks have exploited ZeroLogon to spoof domain controller accounts and hijack domains, Symantec has observed the group's escalated campaign going as far back as October 2019, using a combination of DLL side-loading, network reconnaissance, credential theft, command-line utilities able to install browser root certificates and decode data, and PowerShell scripts to carry out attacks.


Brandon Wales takes over at CISA

With the firing of Chris Krebs by President Trump, Brandon Wales was named acting director at the US cybersecurity agency. Wales was brought onto CISA's leadership team five months ago. His government career goes back to 2005, when he joined CISA's parent Department of Homeland Security, running the Homeland Infrastructure Threat and Risk Analysis Center from 2009 to 2014, then heading the Office of Cyber and Infrastructure Analysis until 2017. Colleagues have described him as better versed in DHS's cyber mission than virtually anyone else. So far the agency's "Rumor Control" website that disputes election misinformation, the cause of Krebs' departure, is still online and updating.


Maybe ransomware operators aren’t trustworthy after all?

Ransomware double extortion schemes, where attackers demand a ransom to decrypt data, then demand further payment to not leak exfiltrated data, have become standard operating procedure for many ransomware operators. However, a new report from PhishLabs found that many times, even after payment is received, data held by ransomware groups like Maze, Netwalker, and Conti became available online. Sometimes data is posted online before organizations are even contacted about a ransom, or groups come back to organizations asking for a second payment. The report also points out that many ransomware groups engage in intelligence-sharing and attack coordination, which can result in data being obtained by actors other than the original attackers.


Senate passes bipartisan cybersecurity bill

The Internet of Things Cybersecurity Improvement Act was passed unanimously in the Senate and was passed in the House in September. It requires all internet-connected devices purchased by the US government to comply with minimum security recommendations issued by the National Institute of Standards and Technology. The bill would also require private groups providing devices to notify the government of any discovered vulnerabilities. The bill now awaits President Trump’s signature. 

(The Hill)

Thanks to our sponsor, Dtex

Remote Workforce Security is a thing. Network detection and web proxy solutions have been rendered nearly useless as employees are working remotely and away from the corporate network. DTEX's Workforce Cyber Intelligence Platform not only gives employers the visibility to monitor user behavior for cybersecurity best practices, but also protects the employee from external attack. Learn more at

Firefox adds HTTPS-Only Mode

Firefox 83 comes with this new mode built in. When turned on, the browser will automatically try to connect you to websites securely, even if the link you typed or clicked is not HTTPS. If a secure version is not available, Firefox will warn you and ask permission to continue. Users can turn the feature on in Firefox's privacy and security preferences.


Go SMS Pro exposes message media

Back in August, security researchers at Trustwave discovered flaws in the Android messaging app that were exposing files sent privately between users. The researchers provided a standard 90-day window to fix the flaws, but the developers did not reply to the disclosure. The files are exposed when users send attachments to users who don't already have the app installed on a device. These files are uploaded to Go SMS's servers until they are pulled down when the app is installed. The researchers found that the web addresses were sequential and thus easy to predict. Additionally, it appears that files were uploaded regardless of whether the recipient had the app installed or not. TechCrunch verified the findings and unsuccessfully tried to contact the developer.
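The weakness described above is a predictable identifier scheme: an attachment URL built from a counter lets anyone who sees one link count up or down to find other users' files. The following is an added example, not code from the page, from Trustwave, or from the Go SMS Pro app, showing the defensive side: how to tell whether a sample of issued IDs is enumerable, and how an attachment store can issue unguessable, expiring, HMAC-signed download links instead. The base URL, the secret, and the helper names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical download endpoint for a messaging app's attachment store
# (constructed for this example; not the real app's URL).
BASE_URL = "https://attachments.example.invalid/d"


def sequential_id(counter: int) -> str:
    """Weak scheme: a zero-padded counter. Seeing one ID reveals its neighbours."""
    return f"{counter:08d}"


def random_id() -> str:
    """Stronger scheme: 128 bits from the OS CSPRNG, URL-safe base64 (22 chars)."""
    return secrets.token_urlsafe(16)


def is_enumerable(ids) -> bool:
    """True if every ID parses as an integer and the sample forms a run of
    consecutive values, i.e. the identifier space can be walked by counting."""
    try:
        values = sorted(int(i) for i in ids)
    except ValueError:
        return False
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))


def sign_link(file_id: str, secret: bytes, expires_at: int) -> str:
    """Bind the file ID to an expiry time with an HMAC-SHA256 tag, so a link
    can be neither forged for another ID nor extended past its expiry."""
    msg = f"{file_id}:{expires_at}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{BASE_URL}/{file_id}?" + urlencode({"exp": expires_at, "sig": sig})


def verify_link(url: str, secret: bytes, now: int) -> bool:
    """Server-side check: reject missing/garbled parameters, expired links,
    and any link whose tag does not match (constant-time comparison)."""
    parsed = urlparse(url)
    file_id = parsed.path.rsplit("/", 1)[-1]
    params = parse_qs(parsed.query)
    try:
        exp = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > exp:
        return False
    expected = hmac.new(secret, f"{file_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # Constructed demo values: a server secret and a fixed "current time".
    server_secret = b"constructed-demo-secret-rotate-me"
    now = 1_700_000_000

    weak = [sequential_id(i) for i in range(1200, 1205)]
    strong = [random_id() for _ in range(5)]
    print("counter IDs enumerable:", is_enumerable(weak))      # True
    print("random IDs enumerable:", is_enumerable(strong))     # False

    link = sign_link(random_id(), server_secret, now + 3600)
    print("fresh link accepted:", verify_link(link, server_secret, now))
    print("same link after expiry:", verify_link(link, server_secret, now + 7200))
```

The two checks are independent: random IDs stop enumeration, and the signed expiry limits how long a leaked link stays useful; a store that only has the first still exposes files indefinitely to anyone who obtains a link.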


Ghost users haunting Cisco’s WebEx

Vulnerabilities in WebEx that allow these so-called ghost users were discovered by researchers at IBM earlier this year. They allow a third party to join a call without appearing on the participant list, but with full access to audio, video, shared files and the IP addresses of participants. Ghost users could also remain in meetings even after being expelled. The flaws are in the handshake process WebEx uses, letting attackers with access to WebEx URLs send malformed packets to manipulate a server and gain access. Cisco has announced patches are coming for the vulnerabilities.


The UK forms the National Cyber Force 

This new group is composed of spies, cyber experts and members of the military, and is already engaging in offensive cyber operations to disrupt state activities, terrorists and criminals. The group operates separately from the UK's National Cyber Security Centre, although both operate under the Government Communications Headquarters umbrella. The group builds off of the existing National Offensive Cyber Programme, and includes collaboration between GCHQ and the military on cyber operations.


Google updates Chrome extension privacy requirements

Starting in January 2021, Google will require all Chrome extensions to show developer-provided information about the data collected by the extension, in clear and easy-to-understand language, as part of an extension's detail page. Google's new privacy requirements also state that collected data must be used for the demonstrable benefit of the user, reiterate that the sale of data is never allowed, and prohibit the use of collected data for advertising or establishing creditworthiness. Developers will have to certify and demonstrate adherence to this policy to submit or update an extension after January 18, 2021.