Cyber Security Headlines – September 6, 2021

Cyber Command urges patching of massively exploited Confluence bug

US Cyber Command issued a rare alert on Friday urging US organizations to patch the massively exploited Atlassian Confluence critical vulnerability immediately, stating, “Please patch immediately if you haven’t already— this cannot wait until after the weekend.” As BleepingComputer reported last week, multiple threat actors had begun scanning for the RCE vulnerability to install crypto miners after a PoC exploit was publicly released six days after Atlassian’s patches were issued. The CYBERCOM warning also tied into National Security Advisor Anne Neuberger’s message regarding extra vigilance over the holiday weekend.

(Bleeping Computer)

DDoS hits New Zealand – back up again in 30 minutes

New Zealand’s third-largest internet operator, Vocus, went dark for 30 minutes on Friday, triggering a widespread internet outage. According to Reuters, “the company said its systems blocked a denial of service (DDoS) attack on one user but in doing so caused some Vocus customers in the country’s largest cities – Auckland, Wellington, and Christchurch – to suffer outages.” The company quickly restored operations and apologized for the inconvenience caused to customers, noting that many New Zealand residents work from home and were directly impacted by the outage.

(Security Affairs)

Salesforce email service used for phishing campaign

Cybercriminals are using Salesforce’s mass email service to dupe people into handing over credit card numbers, credentials and other personal information in a novel phishing campaign. According to email security service provider Perception Point, the bad actors are sending phishing emails via the Salesforce email service by impersonating the Israel Postal Service in a campaign that has targeted multiple Israeli organizations. Most email security services are unable to detect attacks using Salesforce’s legitimate platform because they “blindly trust that Salesforce is a safe source,” even to the point of whitelisting the service’s IP addresses to streamline the email process, they wrote.


Chinese hackers behind July 2021 SolarWinds zero-day attacks

In mid-July this year, Texas-based software provider SolarWinds released an emergency security update to patch a zero-day in its Serv-U file transfer technology that was being exploited in the wild. In a blog post on Thursday, Microsoft revealed that the zero-day was the work of a new threat actor being tracked as DEV-0322, which Microsoft described as “a group operating out of China, based on observed victimology, tactics, and procedures.” Microsoft said the group targeted SolarWinds Serv-U servers “by connecting to the open SSH port and sending a malformed pre-auth connection request,” which allowed it to run malicious code on the targeted system and take over vulnerable devices.

(The Record)

WhatsApp fined €225M over GDPR issues

The Irish Data Protection Commission levied the fine due to a lack of transparency on how WhatsApp shares data on European Union users with Facebook companies. WhatsApp considers the fine disproportionate because it has already complied with transparency requirements, and reiterates it is “committed to providing a secure and private service.” The Irish agency initially proposed a €50 million fine for WhatsApp ($59.3 million) for violating GDPR, but under pressure from other European agencies, such as the German one, it decided to increase the fine.

(CISO Mag)

Scam artists are recruiting English speakers for business email campaigns

A BEC scam will usually start with a phishing email, tailored and customized to the victim and using a spoofed email address. But to appear convincing to executives, CEOs and other employees based in North America, the bad guys need native English speakers. So they are advertising in online forums, offering a partnership – you write the words, I’ll do the tech work. According to Intel471, not only is it becoming more common to search for writers to improve the language of the emails, these threat actors also need mules to launder the proceeds through a technique called tumbling.

(Intel and ZDNet)

Google locks Afghan government accounts as Taliban seek emails

In the weeks since the Taliban’s swift takeover of Afghanistan from a U.S.-backed government, reports have highlighted how biometric and Afghan payroll databases might be exploited by the new rulers to hunt their enemies. In a statement on Friday, Alphabet Inc’s Google stopped short of confirming that Afghan government accounts were being locked down, saying that the company was monitoring the situation in Afghanistan and “taking temporary actions to secure relevant accounts.” But in an incident late last month a Google employee said that the Taliban had asked him to preserve the data held on the servers of the ministry he used to work for. The employee said he did not comply and has since gone into hiding. Reuters is not identifying the man or his former ministry out of concern for his safety. 


Eight US states to begin accepting digital driving licenses

Arizona and Georgia will be the first states to allow their residents to use this system, in which driver’s licenses and other state IDs are stored on iPhones and the Apple Watch. They will be followed by Connecticut, Iowa, Kentucky, Maryland, Oklahoma and Utah. Apple said it has introduced new security features that mean users do not need to unlock or physically hand over their phones to police or security officials. The company stated: “Only after authorizing with Face ID or Touch ID is the requested identity information released from their device, which ensures that just the required information is shared and only the person who added the driver’s license or state ID to the device can present it. Users do not need to unlock, show or hand over their device to present their ID.”

(InfoSecurity Magazine)