Cyber Security Headlines – November 8, 2021

Feds likely to fall short of deadline for strengthening encryption, multifactor authentication

President Joe Biden’s ambitious May cybersecurity executive order is widely expected to miss a deadline today affecting a much desired improvement: the implementation of multifactor authentication and encryption at all civilian federal agencies. The task of implementing MFA and encryption is complicated because agencies have so many information systems to protect, many have legacy systems that make deployment difficult, and others are struggling with the cost. The executive order requires agencies that don’t meet the deadline to explain why in writing, giving officials a blueprint on the challenges still to overcome.

(Cyberscoop)

Experts spot phishing campaign impersonating security firm Proofpoint

Cybercriminals are impersonating the cybersecurity firm to trick victims into providing Microsoft Office 365 and Google Gmail credentials. The phishing messages use mortgage payments as a lure, with the subject “Re: Payoff Request.” The email claimed to contain a secure file sent via Proofpoint as a link, according to Armorblox, which took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The phishing message was sent from a legitimate individual’s compromised email account, apparently a firefighter in the south of France.

(Security Affairs)

Facebook outage a prime example of insider threat by machine

An opinion piece published by Christopher Burgess in CSO Online suggests that the October 4, 2021 outage at Facebook was a self-inflicted wound caused by its own network engineering team. He points out how Facebook, on its own blog, stated “a command was issued with the intention to assess the availability of global backbone capacity, which unintentionally took down all connections in our backbone network, disconnecting Facebook data centers globally.” Despite having fail-safe processes in place to prevent this type of mistake, “a bug in that audit tool prevented it from properly stopping the command.” Burgess states this is a result of the Peter Principle, in which network leaders in IT and security are promoted despite lacking adequate hands-on experience, paired with an internal architecture that failed the most basic of network tenets: do not allow for a single point of failure.

(CSO Online)

Microsoft: New Windows driver deployment service coming soon

Microsoft said that the new Windows Update for Business deployment service for drivers and firmware will be available in Microsoft Endpoint Manager and Microsoft Graph as a public preview starting with the first half of 2022. Once launched, it will enable enterprise admins to choose the drivers to deliver via Windows Update in their environment out of an assortment of matching options and schedule them for deployment. This prevents the entire Windows driver catalog from being offered to endpoint users, with only those that receive the admins’ approval being delivered instead.

(Bleeping Computer)

Thanks to our episode sponsor, Vulcan Cyber

Cyber risk isn’t easy to quantify, much less mitigate. Use the same approach endorsed by leading security teams at Honeywell, Zoom, and Wells Fargo to tackle cyber risk. Attend the Vulcan Cyber virtual summit on December 9th and learn how the new Vulcan Security Posture Rating will give you the insights you need to reduce risk and secure your business. Go to vulcan.io and click the button at the top of the screen to register for the event.

Operation Cyclone deals blow to Clop ransomware operation

This past Friday, new information came to light regarding a thirty-month international law enforcement operation that targeted the Clop ransomware gang, leading to the arrests of six of its members back in June. The operation involved the search of more than 20 houses, businesses, and vehicles, and the seizure of computers and $185,000 in cash assets. It was assisted by private partners, including Trend Micro, CDI, Kaspersky Lab, Palo Alto Networks, Fortinet, and Group-IB. Though the arrested members are linked to the Clop ransomware gang, Intel 471 has previously suggested they were primarily involved in money laundering. The core members of the Clop operation are likely out of harm’s way in Russia.

(Bleeping Computer)

“Customer complaint” email scam preys on employee fears of getting into trouble at work

A new spin on the act of spearphishing is making the rounds in Europe in the form of an escalation threat letter. Paul Ducklin, writing for Naked Security, describes waves of angry emails addressed directly to employees that appear to come from customers threatening to take their complaints directly to higher management, or from colleagues implying that dismissal is imminent. These pressure employees, especially junior ones, to click on a malware link out of panic. In many cases the “from” fields of these messages are spoofed. One of the takeaways of the article is that first names and nicknames should never be used in email addresses, since their presence in a spearphishing letter makes everything appear more real.

(Naked Security)

BrakTooth Bluetooth bugs: Exploit code, PoC released

BrakTooth is a collection of flaws affecting commercial Bluetooth stacks on more than 1,400 chipsets used in billions of devices – including smartphones, PCs, toys, internet-of-things (IoT) devices and industrial equipment – that rely on Bluetooth Classic (BT) for communication. On Thursday, CISA urged manufacturers, vendors, and developers to patch or employ workarounds. Researchers from the University of Singapore disclosed the initial group of 16 vulnerabilities (now up to 22), collectively dubbed BrakTooth, in a paper published in September. As of September, some of the bugs were patched, while others were in the process of being patched. But, as researchers said in the paper, “it is highly probable that many other products (beyond the 1400 entries observed in Bluetooth listing) are affected by BrakTooth.”

(Threatpost)

1.8 TB of police helicopter surveillance footage leaks online

The transparency activist group Distributed Denial of Secrets, or DDoSecrets, posted a 1.8-terabyte trove of police helicopter footage to its website on Friday. The trove contains aerial helicopter surveillance footage from the Dallas Police Department in Texas and what appears to be Georgia’s State Patrol. DDoSecrets cofounder Emma Best says that her group doesn’t know the identity of the source who shared the data and that no affiliation or motivation for leaking the files was given. The source simply said that the two police departments were storing the data in unsecured cloud infrastructure.

(Wired)