Olympus suffers second cyberattack in 2021
Japanese tech manufacturer Olympus confirmed Tuesday that it is investigating a cyberattack on its IT systems in the US, Canada and Latin America. Olympus said it detected the incident on Sunday and has suspended the affected systems, limiting the impact to the Americas. The company stated, “We are working with appropriate third parties on this situation and will continue to take all necessary measures to serve our customers and business partners in a secure way.” The latest incident follows a ransomware attack on Olympus on September 11, which prompted a statement nearly identical to the one it issued on Tuesday.
Microsoft’s Patch Tuesday squashes four zero-day vulns
As part of October’s Patch Tuesday, Microsoft released fixes for 71 security flaws, including four zero-day bugs, three of which were publicly disclosed before the patch. The fourth, CVE-2021-40449, is an elevation-of-privilege flaw in the Win32k kernel driver that is being actively exploited in a cluster of activity dubbed MysterySnail. Kaspersky noted that the exploit and its malware payload were “detected in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities.” Microsoft’s October update also addresses three critical vulnerabilities; affected products include Microsoft Office, Exchange Server, MSHTML, Visual Studio, and the Edge browser.
White House directs federal agencies to step up EDR
In a memo released Friday, Office of Management and Budget (OMB) Director Shalanda Young notified federal agencies that they would need to assess the state of their endpoint detection and response controls and coordinate with CISA to help standardize cyber threat response capabilities. The EDR directive is part of a broader effort by the Biden administration to make the federal government more proactive and less reactive to potential cyber attacks. The memo said federal agencies will have 120 days to assess the status of their current EDR capabilities, and then coordinate with CISA to fill any identified gaps.
Bug report leads to mass revocation of SSH keys
Four major code-hosting services, Microsoft’s Azure DevOps, GitHub, GitLab, and Bitbucket, initiated mass revocations of SSH keys on Monday after the discovery of a vulnerability in the GitKraken Git client. The revocations came at the request of Axosoft, which develops GitKraken and which also identified the security flaw. Axosoft explained that versions 7.6.x, 7.7.x, and 8.0.0 of its GitKraken app used a library named “keypair,” older versions of which generated RSA keys with insufficient entropy, meaning that keys produced on different machines could collide and an attacker could generate a duplicate of another user’s SSH key. To fix the issue, Axosoft has replaced the keypair library in GitKraken and released version 8.0.1. Users are advised to generate new SSH keys using a different Git client or the updated GitKraken app, and to revoke the keys generated by the affected versions. Additionally, GitHub asked developers of other software applications to check for the vulnerable keypair library in their apps and update their code accordingly.
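The mechanism behind the revocations, as an added illustration (this is not GitKraken’s or the keypair library’s code, and the exact keypair bug is not reproduced here): an RSA key generator whose randomness comes from a tiny seed space produces the same key on different machines, which is exactly what makes a leaked or collided key usable by someone else. The example also shows the check an operator wants, computing the SHA256 fingerprint that `ssh-keygen -lf` prints and grouping authorized keys by it to find duplicates. Key sizes are deliberately tiny so the demo runs instantly; the function names, the 8-bit “entropy pool,” and the user comments are all constructed for this example.

```python
"""Added example (not GitKraken/keypair code): duplicate SSH keys from a
low-entropy RNG, and fingerprint-based duplicate detection."""
import base64
import hashlib
import random
import secrets
import struct

KEY_BITS = 128  # toy size for speed; real SSH RSA keys are 2048 bits or more


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin test; witnesses come from the supplied RNG."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(cand, rng):
            return cand


def generate_rsa(rng, bits=KEY_BITS):
    """Return (e, n). Every random choice flows from `rng`: a predictable
    rng yields a predictable key, which is the failure mode discussed above."""
    e = 65537
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        if p != q and ((p - 1) * (q - 1)) % e != 0:
            return e, p * q


def weak_key_source(seed_bits=8):
    """Vulnerable pattern (hypothetical): the generator is seeded from a pool of
    only 2**seed_bits values, so independent installs frequently share a seed."""
    return random.Random(secrets.randbelow(1 << seed_bits))


def strong_key_source():
    """Correct pattern: draw directly from the OS CSPRNG."""
    return secrets.SystemRandom()


def ssh_rsa_line(e, n, comment):
    """Encode (e, n) as an OpenSSH authorized_keys line (RFC 4253 wire format)."""
    def mpint(x):
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")  # leading 0x00 if the top bit is set
        return struct.pack(">I", len(b)) + b
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def fingerprint(line):
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf` (unpadded base64)."""
    blob = base64.b64decode(line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def find_duplicates(lines):
    """Map fingerprint -> list of key comments for every key that appears more than once."""
    seen = {}
    for line in lines:
        seen.setdefault(fingerprint(line), []).append(line.split(maxsplit=2)[2])
    return {fp: owners for fp, owners in seen.items() if len(owners) > 1}


if __name__ == "__main__":
    # Constructed scenario: 40 "installs" each generate a key from the weak source.
    weak = [ssh_rsa_line(*generate_rsa(weak_key_source(5)), f"user{i}@laptop") for i in range(40)]
    strong = [ssh_rsa_line(*generate_rsa(strong_key_source()), f"user{i}@laptop") for i in range(40)]
    print("weak source, duplicate keys:", find_duplicates(weak))
    print("strong source, duplicate keys:", find_duplicates(strong))
```

Running the script shows several shared fingerprints among the weak-source keys and none among the strong-source keys. Against a real authorized_keys file or a key inventory exported from GitHub, GitLab, or Bitbucket, `find_duplicates` over the real lines is the same check: any fingerprint owned by two accounts is a key that must be revoked on both.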
Thanks to our episode sponsor, Bitsight
Study reveals Android phones constantly snoop on their users
Researchers in the UK unveiled a host of privacy issues that arise from using Android smartphones. Their study covered Samsung, Xiaomi, Realme, and Huawei handsets alongside the LineageOS and /e/OS forks, which aim to offer long-term support and a de-Googled experience. The study found that sensitive user data such as persistent identifiers, app usage details, and telemetry is not only shared with the device vendors but also sent to various third parties, such as Microsoft, LinkedIn, Facebook, and yes, even Google. There is no opt-out, which pushes privacy-conscious users away from vendor Android builds toward forks such as /e/OS. A spokesperson for Google disagreed with the research, saying the behavior is normal for modern smartphones and is explained in the Google Play Services Help Center.
Microsoft Azure fends off monumental DDoS attack
Microsoft has reported that it successfully defended a European Azure cloud customer against a 2.4 terabits per second (Tbps) DDoS attack. The attack, which occurred in late August, is the biggest DDoS attack on an Azure customer to date, more than doubling the previous high of 1 Tbps recorded last year. The traffic came from over 70,000 sources in the US and multiple countries in the Asia-Pacific region. The attack vector was UDP reflection, in which spoofed requests are bounced off open UDP services so their responses land on the victim; it lasted over 10 minutes in very short-lived bursts. Microsoft credited Azure’s DDoS protection platform, which it says can absorb DDoS attacks of up to tens of terabits per second.
Biden signs school cybersecurity act into law
Cybersecurity experts hailed the K-12 Cybersecurity Act this week after President Biden signed it into law on Friday. The law, one of the rare bills to clear both the House and Senate, directs CISA to study the threats facing the nation’s schools and to provide cybersecurity recommendations and toolkits. Schools have recently faced a barrage of ransomware attacks and other incidents that leak sensitive data on students and staff, a problem that has worsened since the shift to remote learning during the COVID-19 pandemic. Michael Webb, CTO at Identity Automation, said that while the bill will raise security awareness and give schools guidance for defending against cyber threats, “Most districts lack the capability of managing digital identities, which is the cornerstone of a strong cybersecurity posture today.”
Beers from BrewDog now pair well with data leaks
Pen Test Partners found that BrewDog exposed the details of more than 200,000 shareholders and many more customers for over 18 months. Every mobile app user was issued the same hard-coded API token, rendering request authorization useless and allowing any user to access any other user’s shareholder info, bar discount, purchase history and a trove of PII including date of birth, email address, gender, phone number, and delivery address. Michael Isbitski, Technical Evangelist at Salt Security, explained that BrewDog failed to use dynamic, expiring authorization tokens and instead hard-coded static tokens, which grant access to BrewDog’s back-end APIs, into the application source code. Using the static tokens, attackers could make direct calls to the APIs to extract data. Isbitski added, “Such poorly coded APIs and mobile front end often pass security audits and application scans since the mere presence of an authorization header can give the illusion of proper access control.” He recommends testing API access controls thoroughly, ensuring tokens are dynamic and expire after sufficient time intervals.
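The flaw and the fix side by side, as an added example (this is not BrewDog’s code; the endpoint names, the record data, and the token format are constructed for illustration). The vulnerable handler checks only that the caller holds the token baked into every copy of the app, so it authorizes the app, not the user, and anyone who changes the user ID in the request reads someone else’s record. The hardened handler issues a per-user, signed, expiring token and, separately, checks that the requested record belongs to the token’s subject; a rotating token alone would not close the hole.

```python
"""Added example (not BrewDog's code): a static app-wide API token versus
per-user signed, expiring tokens plus an object-level ownership check."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample records standing in for shareholder data.
SHAREHOLDERS = {
    "u1001": {"name": "Alice", "dob": "1984-02-11", "bar_discount": "15%"},
    "u1002": {"name": "Bob", "dob": "1991-09-30", "bar_discount": "10%"},
}

# --- Vulnerable pattern: one static token shipped inside the app binary ---
STATIC_APP_TOKEN = "app-build-2021-token"  # hypothetical; recoverable by anyone who unpacks the app


def get_shareholder_static(headers, user_id):
    """Authorizes the *app*, not the *user*: any holder of the shared token can
    fetch any record simply by changing user_id (broken object-level authorization)."""
    if headers.get("Authorization") != "Bearer " + STATIC_APP_TOKEN:
        return 401, None
    record = SHAREHOLDERS.get(user_id)
    return (200, record) if record else (404, None)


# --- Hardened pattern: per-user, signed, expiring token + ownership check ---
SERVER_SECRET = secrets.token_bytes(32)  # lives only on the server, never in the app
TOKEN_TTL = 900                          # seconds until a token expires


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id, now=None, ttl=TOKEN_TTL):
    """Mint 'payload.signature': the user id and expiry, bound under an HMAC
    so the client cannot alter either field."""
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"sub": user_id, "exp": int(now + ttl)}).encode())
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(sig)


def verify_token(token, now=None):
    """Return the subject if the signature checks out and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time comparison
            return None
        claims = json.loads(_unb64(payload))
        sub, exp = claims.get("sub"), claims.get("exp", 0)
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(sub, str) or exp <= now:
        return None
    return sub


def get_shareholder_hardened(headers, user_id, now=None):
    """Authenticates the user from the token, then enforces that the requested
    record is the caller's own before returning it."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    subject = verify_token(auth[len("Bearer "):], now)
    if subject is None:
        return 401, None
    if subject != user_id:  # object-level authorization: not your record, no data
        return 403, None
    record = SHAREHOLDERS.get(user_id)
    return (200, record) if record else (404, None)


if __name__ == "__main__":
    shared = {"Authorization": "Bearer " + STATIC_APP_TOKEN}
    print("static token, Alice's app asks for Bob:", get_shareholder_static(shared, "u1002"))
    alice = {"Authorization": "Bearer " + issue_token("u1001")}
    print("hardened, Alice asks for Alice:", get_shareholder_hardened(alice, "u1001"))
    print("hardened, Alice asks for Bob:", get_shareholder_hardened(alice, "u1002"))
```

The HMAC token here is only to keep the example self-contained; in a real service use an established session store or a vetted JWT library with the same two properties, a short expiry and a subject the server sets, not the client. The part that scanners miss is the `subject != user_id` comparison: a request with a valid Authorization header still has to be checked against the object it asks for.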