Cyber Security Headlines – November 4, 2021

CISA creates exploited bug catalog

The US Cybersecurity and Infrastructure Security Agency continues its efforts to shore up security within the federal government. It published a catalog of software vulnerabilities known to be exploited in the wild, issuing a binding operational directive requiring federal agencies to patch these within specified deadlines. The catalog currently includes 306 vulnerabilities across vendors, including Cisco, Google, Microsoft, Apple, Oracle, Adobe, Atlassian, and IBM, with some dating back to 2010. For vulnerabilities discovered this year, agencies have until November 17, 2021 to apply patches. Older vulnerabilities must be patched by May 3, 2022.

(The Record)

Bots used to scam 2FA codes

Vice reported on fraudsters using automated bots to steal multi-factor authentication codes or one-time passwords to authorize cash transfers. Services impacted include Apple Pay, PayPal, Amazon, Coinbase, and a wide range of specific banks. According to sellers of these bot services, they cost a few hundred dollars, which lowers the barrier to entry for engaging in this behavior. Typically these services call a victim posing as a fraud alert system, asking them to verify their identity with a two-factor code sent to a phone. This code actually comes from the fraudster attempting to log in to the victim's account. Services for these bots operate on Telegram or Discord, where "customers" enter a victim's phone number, and the service provider uses a platform like Twilio to place the automated call.

(Vice)

US sanctions companies selling hacking tools

The US Commerce Department announced sanctions that will impact NSO Group, Candiru, the Russian security firm Positive Technologies, and Singapore-based Computer Security Initiative Consultancy. NSO Group and Candiru were specifically called out for supplying "spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers." The sanctions now require US companies to obtain a license from the Bureau of Industry and Security before buying, exporting, or transferring cyber tools to these companies.

(The Record)

Clearview AI ordered to delete Australian faces

The Office of the Australian Information Commissioner ordered Clearview AI to destroy all images and facial templates belonging to individuals living in Australia. The order came after a joint investigation with the UK's Information Commissioner's Office (ICO) found Clearview's database breached citizens' privacy. The ICO has yet to determine Clearview's legality in the UK. Clearview intends to appeal the decision, arguing that the images it scraped were public, and that they were published in the US, so Australian law would not apply.

(The Verge)

Thanks to our episode sponsor, Trend Micro

Reimage your Cloud! That's the theme for CLOUDSEC 2021, a 3-day global event that will be held virtually starting on November 16th. Learn the latest trends in cloud and cybersecurity with global keynotes and session tracks tailored to your role's unique challenges. Test your skills and win prizes in the 24-hr CLOUDSEC Challenge, a hands-on immersive experience that has something for everyone, from novice application coders to experienced security practitioners! Join for FREE on November 16th. Sign up at cloudsec.com

BlackMatter goes dark

The operators of the BlackMatter ransomware organization announced they are shutting down operations, citing increased pressure from authorities. The group published a notice of the shutdown on its ransomware-as-a-service portal on October 1, 2021, saying its infrastructure would be shut down within 48 hours. Researchers at Microsoft had previously tied BlackMatter to the FIN7 cybercrime group. It was also reported last month that Emsisoft created a decryptor tool for BlackMatter's ransomware strain, likely eating into its profits.

(The Record)

Azure OpenAI Service brings GPT-3 to businesses

OpenAI's GPT-3 language model has been available for a few years. Initially API access was limited to select testers, before the company slowly rolled out access to an API as a service. Now Microsoft is leveraging its partnership with OpenAI to offer Azure OpenAI Service. This bundles the same language model access, but includes things required by large corporate customers, including "access management, private networking, data handling protections [and] scaling capacity." Microsoft said the service will be extended to customers on an invitation-only basis. The company will vet individual use cases for GPT-3 and provide "filtering and monitoring tools to help prevent inappropriate outputs or unintended uses of the service."

(The Verge)

Git commit -m “New CEO”

GitHub CEO Nat Friedman will step down from that role on November 15th, becoming Chairman Emeritus of the Microsoft subsidiary. Friedman had been in the role since 2018 when Microsoft acquired GitHub, bringing developer and open source bona fides to reassure users the platform would stay independent and platform-neutral. Current chief product officer Thomas Dohmke was named the new CEO. Dohmke was previously the co-founder and CEO of HockeyApp, before it was acquired by Microsoft in 2015.

(TechCrunch)

Nobody noticed Australian police could use spyware to surveil phones

Our final story today comes courtesy of the cybersecurity subreddit, where a post linked to a 2015 Supreme Court of Victoria ruling in Australia. A warrant had authorized the use of surveillance devices against a suspect in the case. Using this justification, the police covertly installed software onto the suspect's phone, using it to activate the microphone on the device. In an appeal of that action, the judge ruled that the phone qualified as a listening device under the Surveillance Devices Act of 2004, and that police were within their bounds to install the software, as the "use" of it as a listening device was authorized by the warrant, even if it was not the property of the investigators.

(Reddit)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.