Cyber Security Headlines – September 29, 2021

Microsoft 365 MFA outage locks users out of their accounts

Microsoft is investigating an ongoing Multi-Factor Authentication (MFA) issue preventing some customers from logging into their Microsoft 365 accounts. According to Microsoft, only customers using on-premises MFA servers and either Network Policy Server (NPS) or Active Directory Federation Services (ADFS) are impacted by the issue, with Cloud Authentication not affected. Microsoft said, “We’ve identified 503 errors from specific processing components and we’re reviewing these errors to identify the source. In parallel, we continue to investigate the underlying root cause so further actions can be taken to ensure the issue does not reoccur.”

(Bleeping Computer)

Exploit released for VMware vulnerability after CISA warning

Following up on a story we brought to you this past Thursday, a working exploit for a vulnerability in VMware vCenter, tagged as CVE-2021-22005, has been released and is reportedly in active use by threat actors. Last week, VMware warned of the critical vulnerability, an arbitrary file upload flaw in the analytics service of vCenter Server, which could allow a malicious actor with network access to execute code on vCenter Servers. CISA followed up with its own warning about the vuln on Friday. VMware reiterated that it has released patches and mitigation guidance to address multiple vulnerabilities affecting VMware vCenter Server 6.5, 6.7 and 7.0. VMware has also issued a public security advisory.

(ZDNet)

Crypto developer pleads guilty to North Korean plot

On Monday, 38-year-old Virgil Griffith, a US citizen and former Ethereum developer, pleaded guilty to helping North Korea escape US sanctions by providing technical advice on cryptocurrency. Griffith conspired to violate the International Emergency Economic Powers Act (IEEPA), which carries a maximum term of 20 years in prison. According to the Department of Justice (DoJ), Griffith began developing and funding cryptocurrency infrastructure in the hermit nation as far back as 2018. In April 2019, Griffith and several unnamed co-conspirators allegedly gave a presentation in Pyongyang, in which he explained how cryptocurrency could be used to evade sanctions and how smart contracts could be used in weapons negotiations with the US. US attorney Audrey Strauss said, “In the process, Griffith jeopardized the national security of the United States by undermining the sanctions that both Congress and the President have enacted to place maximum pressure on the threat posed by North Korea’s treacherous regime.”

(Infosecurity Magazine)

FinFisher malware hijacks Windows Boot Manager

FinFisher, a surveillance solution commercially developed by Gamma Group, can now infect Windows devices using a Unified Extensible Firmware Interface (UEFI) bootkit that it injects into the Windows Boot Manager. UEFI firmware allows for highly persistent bootkit malware because it is installed within SPI flash storage soldered to a computer’s motherboard, making it impossible to remove via hard drive replacement or even OS re-installation. Researchers at Kaspersky, who identified FinFisher’s capability, stated that UEFI infections are very rare and that the spyware’s developers used four layers of obfuscation and anti-analysis measures designed to make FinFisher one of the “hardest-to-detect spywares to date.” While FinFisher’s developer says it’s sold exclusively to government agencies and law enforcement worldwide, cybersecurity firms have also detected it being delivered via spearphishing campaigns and ISPs.

(Bleeping Computer)

Thanks to our episode sponsor, VMware

PREPARE FOR THE POST-PANDEMIC THREAT LANDSCAPE. At VMworld 2021, you’ll gain fresh insight and actionable knowledge to help keep your focus on building resilient, cyber-vigilant teams that can proactively detect, prevent, mitigate, and remediate these attacks. The Security Track has 150+ breakout sessions with hands-on labs, demos, and interactive experiences. Join thousands of your peers by registering now at vmware.com/vmworld

Hackers target thousands of mailboxes in spear phishing campaign

Security researchers from Armorblox uncovered an ongoing credential phishing campaign exploiting the brand of Zix, a provider of email encryption and data loss prevention services. Researchers stated that attackers targeted organizations across multiple sectors by sending emails entitled “Secure Zix message,” which contained malicious links directing victims to download an HTML file. Zix stated the campaign targeted more than 75,000 mailboxes by evading security detections across Office 365, Google Workspace, Exchange, and Cisco ESA. To combat such attacks, security experts from Zix recommended that organizations train their workforce to identify social engineering and other phishing tactics, adhere to password management best practices, deploy multi-factor authentication across all accounts and augment native email security with additional controls.

(CISO MAG)

Ukraine takes down call centers behind cryptocurrency investor scams

The Security Service of Ukraine (SSU) has taken down a network of call centers in Lviv used by a ring of scammers to defraud cryptocurrency investors worldwide. Fraudsters behind these illegal call centers used VoIP (Voice over Internet Protocol) phone numbers to hide their locations while scamming thousands of foreign investors. Law enforcement officers searched six call centers, seizing computer equipment, headsets, mobile devices and routers, forged accounting records with victims’ bank details, and other documents. The SSU said, “The operators offered foreigners to invest money in stocks and cryptocurrency. The victims transferred money to offenders’ bank cards and crypto wallets with further conversion into non-observed sector of economy.”

(Bleeping Computer)

NSA and CISA share guidelines for securing VPNs

On Tuesday, the National Security Agency and the Department of Homeland Security’s cyber wing published guidelines for securing VPNs, cautioning that foreign government-backed hackers are actively exploiting vulnerabilities in virtual private network devices. NSA warned that unfortified VPNs are at risk of attacks from advanced persistent threat groups that exploit publicly exposed security flaws in the Common Vulnerabilities and Exposures (CVE) database. The latest recommendations include selecting VPNs from reputable vendors, patching known vulnerabilities and running only features that are “strictly necessary.” The guidance comes as NSA and CISA focus on defenses against threats to federal agency employees who have shifted to working from home as a result of the COVID-19 pandemic.

(Cyberscoop)

Delaware develops cybersecurity education program for senior citizens

According to the FBI 2020 Internet Crime report, people over the age of 60 reported being victims of cybercrime more than any other age group, with losses totaling over $965 million in 2020 nationwide. Now Delaware, the state which dubbed October “Cyber Security Awareness Month,” has introduced an educational cybersecurity program for senior citizens through its Department of Technology & Information. The program will cover the benefits of multi-factor authentication, identifying spam calls and phishing emails, and protecting social media and email accounts.

(Security Magazine)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.