US considers limiting CISA director’s term

Bipartisan House lawmakers introduced legislation this week proposing to limit the term of the Department of Homeland Security’s CISA director to five years. If passed into law, the proposed CISA Cybersecurity Leadership Act would also reaffirm that the role of CISA director requires Senate approval after presidential nomination. Representative Andrew Garbarino, who is a ranking member on Homeland Security’s cybersecurity subcommittee, stated, “This bipartisan bill will remove any uncertainty from the CISA Director role so that the Director can focus squarely on strengthening our cyber posture.”

(Infosecurity Magazine)

‘Azurescape’ Kubernetes attack allows cross-container cloud compromise

Researchers have uncovered a critical security vulnerability allowing attackers to perform cross-account container takeover in Microsoft’s public cloud, dubbed “Azurescape.” The issue exists in Azure Container Instances (ACI), which is Microsoft’s container-as-a-service (CaaS) offering. Researchers from Palo Alto Networks’ Unit 42 team explained, “A malicious Azure user could have exploited these issues to execute code on other users’ containers, steal customer secrets and images deployed to the platform, and possibly abuse ACI’s infrastructure for cryptomining.” Microsoft has rolled out a patch to ACI, but users are advised to revoke any privileged credentials deployed to the platform before August 31, and to review access logs for any irregularities.

(Threatpost)

Hackers leak VPN account passwords from 87,000 FortiGate devices

Network security solutions provider Fortinet confirmed that a malicious actor had disclosed VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices. In a statement issued on Wednesday, Fortinet said, “These credentials were obtained from systems that remained unpatched against CVE-2018-13379 at the time of the actor’s scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable.” The threat actor leaked the credentials for free on a new Russian-speaking forum called RAMP as well as on Groove ransomware’s data leak site, with Advanced Intel noting that the listings allow raw access to top companies spanning 74 countries.

(Bleeping Computer)

Canadian-US national sentenced to prison for cybercrime schemes

Ghaleb Alaumary, a 36-year-old Canadian and U.S. dual-national residing in Mississauga, Ontario, has been sentenced to 11 years in prison for laundering illicit funds from cybercrime schemes. In one scheme, Alaumary crafted emails to a Canadian university, purporting to come from a construction company demanding payment for a major building project, resulting in the university wiring $11.8 million CAD (roughly $9.4 million USD) to a bank account controlled by Alaumary and his co-conspirators. Another scheme involved Alaumary’s co-conspirators making several trips to Texas to steal hundreds of thousands of dollars by impersonating wealthy bank customers, while yet another scam involved recruiting individuals to withdraw stolen funds from ATMs. In addition to his prison sentence, Alaumary was ordered to pay more than $30 million in restitution.

(SecurityWeek)

Thanks to our episode sponsor, Semperis

One thing we’ve learned from attacks like SolarWinds: Cybercriminals can lurk in your Active Directory environment for weeks or months before dropping malware. How do you root them out? First, you need to uncover security gaps in Active Directory that can lead to a breach. Download Purple Knight, a free security assessment tool from Semperis that scans your environment for pre-attack and post-attack indicators of exposure and compromise. Check it out at Purple-Knight.com.

Stress and burnout affecting majority of cybersecurity professionals

According to CIISec’s 2020/21 State of the Profession report, 51% of cybersecurity professionals are kept up at night by job stress and work challenges. More than two-thirds (69%) believe that risks to their organization’s data have increased due to staff working from home. 80% of respondents said that staff have become more anxious or stressed during the pandemic, which is concerning due to numerous studies demonstrating that people are more vulnerable to being duped by cyber-criminals while feeling stressed or burnt out. The study also showed 65% of respondents feel that the pandemic made security reviews, audits, and overseeing processes more difficult, while two-thirds (66%) agreed that the forced cancellation of education events and training has widened the skills gap in the sector. Some encouraging results from the survey show 59% of cybersecurity pros think the industry has improved at defending systems and data and 62% said the sector had improved its response to security incidents and breaches.

(Infosecurity Magazine)

CISA warns of actively exploited Zoho ManageEngine ADSelfService vulnerability

Earlier this week, CISA issued a bulletin warning of a zero-day flaw affecting Zoho ManageEngine ADSelfService Plus deployments that is being actively exploited in the wild. ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps. The flaw, tracked as CVE-2021-40539, concerns a REST API authentication bypass that could lead to arbitrary remote code execution (RCE). ADSelfService Plus builds up to 6113 are impacted. In an independent advisory, Zoho cautioned that the issue is critical and that it’s “noticing indications of this vulnerability being exploited.”

(The Hacker News)

New botnet breaks DDoS speed record

A new distributed denial-of-service (DDoS) botnet, named Mēris (Latvian for ‘plague’), has continued to pick up steam over the summer, hammering the Russian internet giant Yandex for the past month. On September 5, the Mēris botnet attack broke the DDoS rate record, peaking at an unprecedented rate of 21.8 million requests per second. The botnet gets its power from tens of thousands of compromised devices, the majority of which researchers believe to be powerful networking equipment. Yandex researchers have seen indications that the number of compromised devices may be close to 250,000.

(Bleeping Computer)

ProtonMail under fire over police data handover

Encrypted-email company ProtonMail, which sells itself on letting users take control of their personal data, is now facing criticism after handing over user details to the authorities. The company was legally obliged to collect data from an account said to be linked to a “climate activist” who was arrested by French police. ProtonMail’s website stated encrypted emails cannot be shared with third parties. ProtonMail has removed this statement from its website and said it would be updated to clarify its obligations “in cases of criminal prosecution – and we apologise if this was not clear.”

(BBC)