This week’s Cyber Security Headlines – Week in Review, Apr 25-29, is hosted by Rich Stroffolino with our guest, Hadas Cassorla, CISO, M1
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Hackers find 122 vulnerabilities, 27 deemed critical, during first round of DHS bug bounty program
These vulnerabilities were found by more than 450 security researchers working through the Department of Homeland Security's "Hack the DHS" bug bounty program, which started in December 2021. The researchers, who were vetted by the agency before participating, were eligible to receive between $500 and $5,000 per verified vulnerability, depending on severity. DHS has not disclosed which vulnerabilities were found, nor has it shared any information about fixes for them. Under the original plans for the program, the agency would verify reported flaws within 48 hours of notification and fix them within 15 days, or, for more complex bugs, develop a plan to address them.
AWS’s Log4j patches blew holes in its own security
Amazon Web Services has updated its Log4j security patches after it was discovered that the original fixes left customer deployments vulnerable to container escape and privilege escalation. The vulnerabilities introduced by Amazon's Log4j hotpatch, CVE-2021-3100, CVE-2021-3101, CVE-2022-0070 and CVE-2022-0071, are all high-severity bugs rated 8.8 out of 10 on the CVSS scale. "We recommend that customers who run Java applications in containers, and use either the hotpatch or Hotdog, update to the latest versions of the software immediately," the cloud giant said in a security bulletin on Tuesday.
Mandiant finds record zero-days in 2021
According to the security firm's annual report, the number of zero-day vulnerabilities exploited in the wild exploded in 2021, reaching 80, more than double the previous record set in 2019. Most of the zero-days tracked by Mandiant were exploited by APT groups. Since it began tracking in 2012, Mandiant reports that China has exploited more zero-days than any other nation. The growth mirrors a report from Google's Project Zero, which also counted a record number of zero-days in 2021. However, Project Zero attributed much of the rise to better detection and disclosure across the industry rather than solely to an increase in the zero-days actually used.
Elon Musk’s Twitter takeover could be bad for security and privacy
After this week's announcement that Twitter has accepted Elon Musk's $44 billion purchase offer, cybersecurity experts fear that Musk's open source vision for the platform may make it more susceptible to malicious actors. Experts are raising concerns about open source vulnerabilities such as Log4Shell, as well as the potential for "gaming" a published algorithm so that it treats people differently based on their personal characteristics. Privacy advocates are raising additional concerns about Musk potentially implementing real-name policies, overriding the anonymity and pseudonymity that protect the identities of those whose opinions do not align with those in power.
Thanks to our episode sponsor, Feroot
Stormous ransomware targets Coca-Cola
On Tuesday, Coca-Cola admitted that some of its systems were potentially hit by a ransomware variant but said it is still investigating the incident. Meanwhile, the Stormous ransomware group released a statement claiming it has stolen about 161GB of data from Coca-Cola and intends to sell the data if its ransom demands are ignored. Coca-Cola announced last month that it is withdrawing business from the Russian Federation because of Russia's invasion of Ukraine, which some speculate could have precipitated the attack: the Stormous gang has been trying to make money while supporting Russia's political agenda.
Two-thirds of organizations hit with ransomware
According to Sophos' State of Ransomware 2022 report, 66% of organizations surveyed were hit with a ransomware attack last year, up from just 37% in 2020. This comes as the ransoms paid by organizations increased nearly five-fold on the year, to an average of $812,360. 11% of organizations said they paid ransoms over $1 million, up from 4% in 2020, while the share paying less than $10,000 dropped to 21%. Overall, 46% of organizations that had data encrypted paid a ransom, including 26% of those that were also able to restore data from backups. 83% of mid-size organizations had cyber insurance policies; insurers paid out for costs incurred in 98% of incidents, and covered the ransom itself in 40% of cases.
French fiber optic cable attacks accentuate critical infrastructure vulnerabilities
A day after what French telecom companies are calling a large-scale coordinated attack that severed a large number of fiber optic cables carrying French internet traffic, authorities there are investigating the attacks as a criminal act. The Wednesday incident disrupted internet service throughout France, and those responsible seem to have known how to do as much damage as possible. "The cables were cut on both sides to complicate the repairs," an 'operator' told the newspaper Le Parisien. "The urgency is to re-solder everything, this represents tens of thousands of small fiber-optic cables."