CISA issues emergency directive to roll out a Windows Server patch
The directive was issued on September 18th with a four-day deadline. The patch fixes a vulnerability discovered by security researchers at Secura BV (CVE-2020-1472, dubbed Zerologon), which subverts the cryptography in Microsoft's Netlogon protocol and allows an attacker to instantly become a domain admin. The exploit could easily be triggered by an insider or by anyone with access to an on-premises network port. This is CISA's fourth emergency directive in 2020.
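The cryptographic weakness behind this bug can be shown in a few lines. The following is an added illustration, not Secura's or Microsoft's code: Netlogon computes an 8-byte credential from an 8-byte challenge with AES in CFB8 mode using a fixed all-zero IV. To stay on the standard library this example substitutes an HMAC-SHA256-based stand-in for the AES block function (an assumption, labelled in the code); the property demonstrated only needs the first output byte of the block function to be uniform over keys, which holds for AES too.

```python
import hashlib
import hmac

BLOCK = 16          # AES block size in bytes
CHALLENGE_LEN = 8   # Netlogon challenges and credentials are 8 bytes


def prf_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES-128 block encryption (assumption made for this example).

    Netlogon uses AES; HMAC-SHA256 truncated to 16 bytes is substituted so the
    example runs on the standard library alone. The weakness shown below does not
    depend on the block cipher, only on its first output byte being uniformly
    distributed over the key space, which holds for AES and for this PRF.
    """
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode: one block-cipher call per plaintext byte.

    Each step encrypts the 16-byte shift register, XORs the first output byte
    with the next plaintext byte, and shifts the resulting ciphertext byte into
    the register. Netlogon's ComputeNetlogonCredential uses AES-CFB8 this way.
    """
    if len(iv) != BLOCK:
        raise ValueError("IV must be one block")
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = prf_block(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def credential_is_all_zero(session_key: bytes, iv: bytes) -> bool:
    """Does a client challenge of eight zero bytes produce an all-zero credential?

    With the fixed zero IV Netlogon used, the shift register starts as all zeros.
    Whenever the first byte of E_k(0^16) is 0, the ciphertext byte is 0, the
    register stays all zeros, and every following byte is 0 as well. An attacker
    who sends a zero challenge and a zero credential therefore authenticates with
    probability 1/256 per attempt without knowing the key; a few hundred retries
    are enough.
    """
    zero = bytes(CHALLENGE_LEN)
    return cfb8_encrypt(session_key, iv, zero) == zero


def first_output_byte_is_zero(session_key: bytes) -> bool:
    """The single condition the all-zero outcome reduces to under a zero IV."""
    return prf_block(session_key, bytes(BLOCK))[0] == 0


def count_weak_keys(iv: bytes, trials: int) -> int:
    """Sweep deterministic keys and count those yielding an all-zero credential.

    Expect roughly trials/256 with a zero IV, and essentially none with a
    non-zero IV, where the register changes after every byte and all eight
    bytes would have to hit zero independently (probability 256^-8).
    """
    return sum(credential_is_all_zero(i.to_bytes(BLOCK, "big"), iv)
               for i in range(trials))


if __name__ == "__main__":
    print("weak keys over 4096, zero IV:    ", count_weak_keys(bytes(BLOCK), 4096))
    print("weak keys over 4096, non-zero IV:", count_weak_keys(b"\x01" * BLOCK, 4096))
```

The sweep with a zero IV lands near 16 of 4096 keys; the same sweep with a non-zero IV finds none, which is why a fixed zero IV combined with attacker-chosen plaintext is the fatal combination rather than CFB8 itself.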
93% of organizations suffer data breaches through outbound email
The findings come from Egress's 2020 Outbound Email Data Breach Report, which looks at security incidents over the past 12 months. 70% of respondents believed remote work had increased the risk to sensitive data in outbound email, and 94% reported increased email traffic since the start of the COVID-19 lockdowns. Spear-phishing, sending email to the wrong recipient, and attaching the wrong files were the main ways data leaked. Organizations averaged 180 incidents per year in which sensitive data was put at risk.
Facebook threatens withdrawal from EU
This comes from a sworn affidavit filed by Facebook Ireland's head of data protection, Yvonne Cunnane, in response to a preliminary order issued by the Irish Data Protection Commission earlier this month. The order required Facebook to stop sending Irish user data to the US. Facebook had previously relied on Standard Contractual Clauses as the legal basis for transferring EU user data; the order, however, opened an investigation into that practice. According to the affidavit, if the order is upheld, “it is not clear to [Facebook] how, in those circumstances, it could continue to provide the Facebook and Instagram services in the EU.”
Amazon releases Sidewalk technical details
Sidewalk is Amazon's low-bandwidth, long-range wireless protocol, meant to extend the distance over which IoT devices can connect. Echo devices and select Ring products will be able to serve as Sidewalk bridges, with Tile named as the first third-party Sidewalk-compatible vendor. On the technical end, bridges talk to endpoints over BLE or over a long-range, low-power wide-area network in the 900 MHz band. Amazon says traffic is encrypted at three layers: between application servers and endpoints, on the network layer itself, and from bridges to the network. Devices have to pass a security certification before they are allowed to use Sidewalk. Sidewalk data use is capped at 500 MB per month, and the bandwidth between a Sidewalk bridge and Amazon's cloud will not exceed 80 Kbps. You can also turn it off. The company also says the protocol has gone through extensive penetration testing, and that it ran a successful proof-of-concept trial with the Red Cross for tracking blood-collection supplies.
Thanks to this week’s sponsor, Trusona
Microsoft leaks Bing server data
The leak was discovered by security researcher Ata Hakcil, who found an unsecured Bing server hosting 6.5 TB of log files containing 13 billion records. The server was exposed from September 10 to September 16; Hakcil notified the Microsoft Security Response Center, which secured the server and acknowledged the error. No names or other directly identifying personal information was exposed, but the logs did include search queries, details about users' devices and systems, geo-location data, and various tokens, hashes, and coupon codes.
A new study looks at cyber incident responses from electric utilities
The study was commissioned by the U.S. Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) and is based on information from eight electric utilities. It found that incident response and recovery plans varied significantly between the utilities, and set out to establish best practices. The most effective plans used baselines and thresholds to detect and declare incidents, clearly defined which roles within the utility are empowered to act once an incident is detected, and established a process for feeding lessons learned from cyber incidents back into future incident response plans.
Firefox exploit allows websites to be force-launched
The vulnerability affects Firefox for Android and requires no user interaction. With attacker and victim on the same Wi-Fi network, the attack abuses the Simple Service Discovery Protocol (SSDP) engine Firefox uses to find cast-capable devices; SSDP discovery is sent as UDP multicast to a fixed address, so any host on the local network can answer. The attacker's device answers as a "ready to cast" device, but its reply points at an Android intent Uniform Resource Identifier instead of the usual XML device description, and Firefox opens the URL the intent specifies. Firefox for Android version 79 and newer have patched the vulnerability.
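As an added illustration of the exchange described above and of the check a discovery client should apply to it (this is not Mozilla's code): two constructed replies to an SSDP M-SEARCH, one benign and one from a rogue responder whose LOCATION header carries a hypothetical Android intent URI, and a validator that only accepts http(s) device descriptions. The host, port, UUIDs and intent URI are made up for the example.

```python
from urllib.parse import urlsplit

# Standard SSDP discovery group and port. M-SEARCH requests are multicast here,
# and any host on the same LAN segment may answer, which is the attacker's
# entire foothold in this bug.
SSDP_MULTICAST = ("239.255.255.250", 1900)

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample replies to an M-SEARCH (not captured from real devices).
BENIGN_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "ST: upnp:rootdevice\r\n"
    "LOCATION: http://192.168.1.50:8060/device-desc.xml\r\n"
    "USN: uuid:0a1b2c3d-0000-4000-8000-000000000001::upnp:rootdevice\r\n"
    "\r\n"
)

# The rogue responder answers the same search, but LOCATION is an Android
# intent URI (hypothetical) rather than a link to an XML device description.
ROGUE_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "ST: upnp:rootdevice\r\n"
    "LOCATION: intent://example.invalid/#Intent;scheme=https;end\r\n"
    "USN: uuid:0a1b2c3d-0000-4000-8000-000000000002::upnp:rootdevice\r\n"
    "\r\n"
)


def parse_ssdp_headers(message: str) -> dict:
    """Parse an SSDP M-SEARCH reply (HTTP-style headers over UDP) into a dict
    keyed by lowercase header name. Anything other than a 200 reply yields {}."""
    lines = message.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if line == "":
            break  # an empty line terminates the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def device_description_url(message: str):
    """Return the LOCATION a client may fetch, or None if the reply must be dropped.

    A discovery client should only ever dereference an http(s) URL that has a
    host component. Handing any other scheme (intent, javascript, file, ...) to
    the platform's URL handler instead of an XML parser is exactly how an
    unauthenticated multicast reply turns into a forced page load.
    """
    location = parse_ssdp_headers(message).get("location")
    if not location:
        return None
    parts = urlsplit(location)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return location


if __name__ == "__main__":
    for reply in (BENIGN_REPLY, ROGUE_REPLY):
        raw = parse_ssdp_headers(reply).get("location")
        print(repr(raw), "->", device_description_url(reply))
```

Scheme checking is the minimum; a stricter client would additionally require the LOCATION host to be an address on the local network and fetch the description with a non-browser HTTP client, so that nothing in an SSDP reply can ever reach the platform's intent dispatcher.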
Rampant Kitten malware targets 2FA and Telegram messages
Researchers discovered two new malware strains from the threat group. The first, targeting Windows, is delivered through a malicious Word document that reaches out to a website impersonating a non-profit and installs a second stage that lifts Telegram messages and steals information from the KeePass password manager. The researchers also found a malicious Android app tied to the group that forwards SMS messages and is designed to steal SMS-delivered 2FA codes, specifically Google's account-verification codes. The attackers then use the stolen information in phishing attacks against Google accounts.