Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.
Israel carries out cyberattack on Iran nuclear facility
Israel appears to have confirmed claims that it was behind yesterday’s cyber-attack on Iran’s main nuclear facility, the Natanz uranium enrichment site, which Tehran’s nuclear energy chief described as an act of terrorism. Israel imposed none of the censorship restrictions it has often applied after similar incidents, and the apparent attack was widely covered by Israeli media; public radio took the unusual step of saying that the Mossad intelligence agency had played a central role. Natanz was the target of the Stuxnet worm, discovered in 2010 and attributed to the CIA and Mossad, which destroyed centrifuges and set Iran’s nuclear program back by several years. The incident is part of an ongoing series of strikes and counterstrikes between Israel and Iran.
US pins SolarWinds attack on Russia’s Cozy Bear, boots 10 diplomats
US and UK intelligence agencies have formally pinned the sprawling SolarWinds attack on Russia’s foreign intelligence service, the SVR. In a joint advisory posted on Thursday, the NSA, CISA and FBI urged organizations to patch five publicly known vulnerabilities that the SVR’s Cozy Bear advanced persistent threat group, also tracked as APT29 and The Dukes, is actively exploiting: CVE-2018-13379 (Fortinet FortiGate SSL VPN), CVE-2019-9670 (Synacor Zimbra Collaboration Suite), CVE-2019-11510 (Pulse Secure Pulse Connect Secure VPN), CVE-2019-19781 (Citrix ADC and Gateway) and CVE-2020-4006 (VMware Workspace ONE Access). None of these is new; fixes have been available for months or years, so the practical check is whether your internet-facing VPN, mail and identity appliances are actually running a fixed build. President Biden also issued new sanctions, including the expulsion of 10 diplomats, and blamed Russia for trying to undermine free elections in the US. The Kremlin threatened to retaliate for what it called “illegal” sanctions.
Personal data of 1.3 million Clubhouse users reportedly leaked online
The data was posted to a popular hacker forum, according to a Saturday report from CyberNews. The leaked data from the invite-only chat app includes names, social media profiles and other profile details. Although this kind of data seems innocuous compared with home addresses or Social Security numbers, researchers stress that it is exactly what phishing and social engineering campaigns need. Clubhouse responded that its systems were not breached and that the data was already publicly accessible through its API; in other words, it was scraped rather than exfiltrated, which is cold comfort to the users whose profiles are now bundled for download.
Zoom exploit shown at Pwn2Own
Security researchers Daan Keuper and Thijs Alkemade of Computest demonstrated a remote code execution exploit against the popular teleconferencing client at the annual hacking contest. Details are being withheld while Zoom patches the flaw, but it affected the Windows and Mac versions of the Zoom Chat client and not the browser-based client. Zoom confirmed that Zoom Meetings and Zoom Video Webinars were not affected. The researchers won a $200,000 prize for the exploit.
Thanks to our episode sponsor, Sonatype
Cyberattacks are the number-one threat to the global financial system, Fed chair says
In an interview that aired on CBS’s “60 Minutes” on Sunday, Federal Reserve Chairman Jerome Powell said cyberattacks are now the foremost risk to the global financial system, ahead of the lending and liquidity risks that led to the 2008 financial crisis. He cited the example of a large firm losing the ability to track the payments it is disbursing, which would hamstring the flow of money from one financial institution to another and could shut down sectors or even broad swaths of the financial system. The comments were made in the context of his predictions of a rebounding post-pandemic economy, balanced against the prospect of further economic hardship from another resurgence of COVID-19.
7 new social engineering tactics threat actors are using now
CSO Online has published a list of seven social engineering techniques on the rise in 2021, compiled from interviews with industry experts. They are: 1. malicious QR codes; 2. abuse of the browser’s “allow this site to send you notifications” prompt to push spam and malware links; 3. requests to collaborate on projects, often including booby-trapped Visual Studio files; 4. supply chain partner impersonation, including vendor email compromise (VEC), which trades on the same trust in vendors that the SolarWinds compromise exploited; 5. deepfakes of a face or voice; 6. fraudulent SMS text messages (smishing); and 7. typosquatting or lookalike domains.
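Tactic 7 is the one most amenable to an automated screen. The following is an added example written for this page, not tooling from CSO Online or the experts it interviewed: it flags hostnames that resemble a short allowlist of trusted brands by folding confusable characters, checking for a brand used as someone else’s subdomain, and applying an edit-distance threshold. The allowlist, the homoglyph table, the thresholds and the sample hostnames are all assumptions for illustration; a production version would use the Public Suffix List for the registrable domain and Unicode’s full confusables table.

```python
"""Lookalike-domain (typosquat) screen: an added illustrative example.

Not tooling from CSO Online or its interviewees. Allowlist, homoglyph table,
thresholds and samples are assumptions for illustration.
"""

TRUSTED = ["paypal.com", "microsoft.com", "solarwinds.com"]  # assumed allowlist

# Confusables, multi-character entries first (assumption: a short table; the
# real source is Unicode confusables.txt).
HOMOGLYPHS = [
    ("vv", "w"), ("rn", "m"),
    ("0", "o"), ("1", "l"), ("|", "l"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),  # Cyrillic a, e, o
    ("\u0440", "p"), ("\u0441", "c"), ("\u0456", "i"),  # Cyrillic p, c, i
]


def normalise(label: str) -> str:
    """Fold confusable characters back to their ASCII lookalikes."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (no Public Suffix List)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str):
    """Return (trusted_domain, reason) when host looks like a squat, else None."""
    host = host.lower().strip(".")
    # Brand used as a subdomain of someone else's domain: login.paypal.com.evil.net
    for t in TRUSTED:
        if host != t and not host.endswith("." + t) and t in host:
            return (t, "brand in subdomain")
    reg = registrable(host)
    if reg in TRUSTED:
        return None
    name, _, tld = reg.partition(".")
    norm = normalise(name)
    for t in TRUSTED:
        tname, _, ttld = t.partition(".")
        if norm == tname:
            # Same label after folding: either a confusable swap or the wrong TLD.
            return (t, "wrong tld" if tld != ttld else "homoglyph")
        if tname in name and len(name) > len(tname):
            return (t, "brand embedded")
        if levenshtein(norm, tname) <= (1 if len(tname) < 8 else 2):
            return (t, "edit distance")
    return None


# Constructed sample hostnames, not observed in any real campaign.
SAMPLES = [
    "paypal.com", "paypa1.com", "\u0440aypal.com", "paypal.net",
    "microsft.com", "solarwinds-support.com", "login.paypal.com.evil.net",
    "google.com",
]


def demo() -> dict:
    """Classify every sample; trusted and unrelated hosts come back as None."""
    return {h: classify(h) for h in SAMPLES}


if __name__ == "__main__":
    for host, verdict in demo().items():
        print(f"{host!r}: {verdict}")
```

Run it over the hostnames in your outbound DNS or proxy logs rather than the sample list; the edit-distance check is the noisiest of the four and is worth keeping tight (one edit for short brands) or you will drown in legitimate near-neighbours.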
FBI patches Exchange server backdoors
In March, Microsoft released out-of-band patches for four Exchange Server vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, the chain known as ProxyLogon) that were being actively exploited by an advanced persistent threat group Microsoft tracks as Hafnium. The attackers were exploiting the vulnerabilities to install web shells that gave them persistent access to the targeted networks. The patches close the vulnerabilities but do not remove web shells already planted, so a server patched after compromise can still be under attacker control. On Tuesday the US Department of Justice announced that it had obtained a court order from the Southern District of Texas authorizing the FBI to copy and remove web shells from hundreds of Exchange servers. The FBI did so by accessing each web shell and issuing a command through it that deleted the shell. The operation removed only the web shells: it did not patch the servers, and it did not remove any other malware an attacker might have installed through the shell, so owners still need to apply the updates and hunt for follow-on activity themselves.
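The practical lesson of this story is that patching and cleanup are separate steps. As an added example for this page (not the FBI’s removal tooling and not Microsoft’s own scanning scripts), the following sweeps a web root for small .aspx/.asp files whose content feeds request data into an eval or process-execution sink, which is the shape of the minimal shells dropped in the Hafnium campaign. The indicator patterns, the size threshold and the sample directory tree are assumptions; the sample “shell” is a constructed file that mimics the widely reported one-line China Chopper style page and is not taken from any real server.

```python
"""Heuristic sweep for ASPX web shells left on a patched Exchange server.

Added illustrative example for this page; not FBI or Microsoft tooling.
Patterns, size threshold and the sample tree are assumptions.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Indicators (assumption): request data flowing into eval/exec-style sinks.
SHELL_PATTERNS = [
    re.compile(r"eval\s*\(\s*Request", re.IGNORECASE),
    re.compile(r"Request\s*\.\s*Item\s*\[", re.IGNORECASE),
    re.compile(r"Process\.Start|ProcessStartInfo", re.IGNORECASE),
    re.compile(r"Runspace|PowerShell\.Create", re.IGNORECASE),
    re.compile(r"\bunsafe\b"),
]
# Real OWA/ECP pages are large; a tiny .aspx with any indicator is suspicious.
SMALL_FILE_BYTES = 2048


@dataclass
class Finding:
    path: str
    size: int
    hits: List[str]


def score_file(path: str) -> Optional[Finding]:
    """Flag a file that matches an indicator and is either tiny or matches several."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return None
    hits = [p.pattern for p in SHELL_PATTERNS if p.search(text)]
    size = os.path.getsize(path)
    if hits and (size <= SMALL_FILE_BYTES or len(hits) >= 2):
        return Finding(path, size, hits)
    return None


def scan_tree(root: str, exts=(".aspx", ".asp", ".ashx")) -> List[Finding]:
    """Walk root and return findings for every script file that scores."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                f = score_file(os.path.join(dirpath, name))
                if f is not None:
                    findings.append(f)
    return sorted(findings, key=lambda f: f.path)


# Constructed sample tree (not real Exchange files). The "shell" mimics the
# one-line China Chopper style ASPX reported in this campaign.
BENIGN_PAGE = '<%@ Page Language="C#" %>\n<html><body>' + "<p>sign in</p>" * 300 + "</body></html>\n"
SHELL_PAGE = '<%@ Page Language="Jscript"%><%eval(Request.Item["x"],"unsafe");%>\n'


def build_sample_tree() -> str:
    """Create a temporary directory laid out like the OWA auth folder (assumed path)."""
    root = tempfile.mkdtemp(prefix="exchange_webroot_")
    auth = os.path.join(root, "FrontEnd", "HttpProxy", "owa", "auth")
    os.makedirs(auth)
    with open(os.path.join(auth, "logon.aspx"), "w", encoding="utf-8") as fh:
        fh.write(BENIGN_PAGE)
    with open(os.path.join(auth, "help.aspx"), "w", encoding="utf-8") as fh:
        fh.write(SHELL_PAGE)
    return root


def demo() -> List[str]:
    """Names of the files flagged in the sample tree."""
    return [os.path.basename(f.path) for f in scan_tree(build_sample_tree())]


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.path} ({f.size} bytes): {', '.join(f.hits)}")
```

Treat hits as triage leads, not verdicts: legitimate pages can match a single pattern, and a shell hidden in a larger file or obfuscated past these regexes will not match at all. Pair a content sweep like this with file creation times against your last known-good deployment, and with Microsoft’s supported checks (the Microsoft Safety Scanner and the Exchange On-premises Mitigation Tool) before deciding a patched server is clean.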
IcedID looks to fill the Emotet malware void
The IcedID malware, also known as BokBot, has been seen in the wild since 2017, originally as a banking trojan. Like Emotet and TrickBot, IcedID now operates as a malware-as-a-service loader. Since the Emotet takedown, security researchers have seen a surge in IcedID activity; Check Point ranked it the second most prevalent malware of March 2021, behind Dridex. Its delivery has diversified along with its volume: Microsoft has warned about IcedID malspam campaigns, and researchers have also seen it arrive through abuse of public website contact forms, fake software installers and COVID-19-themed phishing. Researchers increasingly see IcedID serving as the initial foothold for REvil ransomware operators as well.
April Patch Tuesday patches 114 bugs including NSA’s two at 9.8 severity
Yesterday Microsoft fixed 114 vulnerabilities in its monthly security release, more than half of which could be exploited for remote code execution. Among them are four new Exchange Server vulnerabilities (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483). Because of their severity, Microsoft has joined the U.S. National Security Agency (NSA), which reported two of them, in urging immediate deployment of the fixes: the two NSA-reported bugs carry a CVSS score of 9.8 because they allow pre-authentication code execution with no user interaction. Trend Micro’s Zero Day Initiative (ZDI) believes these bugs may be wormable between Exchange servers. These are separate from the March ProxyLogon fixes, so a server patched last month still needs this update.