This week’s Cyber Security Headlines – Week in Review, Aug 30-Sep 3, 2021, is hosted by Rich Stroffolino with our guest, Marnie Wilking, Global Head of Security & Technology Risk Management, Wayfair

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion.

“Worst cloud vulnerability you can imagine” discovered in Microsoft Azure

[Extended story] Cloud security vendor Wiz announced that it had found a vulnerability in Microsoft Azure’s managed database service, Cosmos DB, which granted read/write access to every database on the service to any attacker who found and exploited the bug. Although Wiz only found the vulnerability—which it named “Chaos DB”—two weeks ago, the company says that the vulnerability has been lurking in the system for “at least several months, possibly years.” Although all the details have not been released, it appears to involve a misconfiguration in the open-source Jupyter Notebook feature Microsoft offers in Cosmos DB, which was intended for running machine learning algorithms on data stored in Cosmos DB.

Microsoft rapidly fixed the configuration mistake that would have made it easy for any Cosmos user to get into other customers’ databases, then notified some users Thursday to change their keys. However, the Wiz researchers are now urging all users to change their digital access keys, not just the 3,300 notified last week. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency used stronger language in a bulletin Friday, making clear it was speaking not just to those notified. “CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate key,” the agency said. Experts at Wiz, founded by four veterans of Azure’s in-house security team, agreed. One of the founders went on record describing the bug discovery as “terrifying.”

(Ars Technica and Reuters)

FBI, CISA warn ransomware attacks surge over holiday weekends

The FBI and Cybersecurity and Infrastructure Security Agency are warning companies of the increased risk of ransomware attacks over Labor Day weekend.

The FBI and CISA said there are surges in ransomware attacks on holidays and weekends when offices are traditionally closed, according to an Aug. 31 CISA report. The federal agencies observed ransomware attacks consistently on holiday weekends, such as the Fourth of July, Mother’s Day weekend and Memorial Day weekend. The FBI and CISA said there is no indication that a ransomware attack will occur over the weekend, but wanted organizations to be aware of the increased threat level.

Examples: Colonial Pipeline (Mother’s Day weekend), JBS (Memorial Day weekend), Kaseya (July 4th weekend)

(BeckersHealth IT)

Intermittent encryption hopes to make ransomware worse

Security researchers with Sophos identified a new ransomware called LockFile, which employs a novel intermittent encryption technique. LockFile encrypts every 16 bytes of a file, which helps the ransomware evade security detections, and uses memory-mapped input/output to encrypt files, which lets the attackers target cached documents in the compromised system’s memory. LockFile also leaves no ransomware binary behind for analysis and clean-up. The LockFile operators have been using the recently disclosed ProxyShell and PetitPotam vulnerabilities to compromise Microsoft Exchange servers.
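As an added illustration, not Sophos’s analysis code or anything from LockFile, the Python below shows why partially encrypted files slip past whole-file checks (the header chunk still looks valid and readable text remains) and how a chunk-level scan exposes the alternating pattern. The sample document, the keystream and the alternate-chunk layout are constructed stand-ins, and the detector assumes text-like files.

```python
import hashlib

CHUNK = 16
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}  # printable ASCII + tab/CR/LF

# Constructed sample document (ASCII only), padded to exactly 32 chunks.
SAMPLE_TEXT = (b"Quarterly report: revenue grew 4% while costs fell.\n" * 10)[:512]

def is_text_chunk(chunk: bytes) -> bool:
    """Text-like if at most one byte is non-printable (assumes ASCII-style content)."""
    return sum(b in TEXT_BYTES for b in chunk) >= len(chunk) - 1

def chunk_map(data: bytes) -> str:
    """One letter per 16-byte chunk: 'P' text-like, 'E' opaque (likely encrypted)."""
    return "".join("P" if is_text_chunk(data[i:i + CHUNK]) else "E"
                   for i in range(0, len(data), CHUNK))

def classify(data: bytes) -> dict:
    """Verdict from the chunk map. Fully plain and fully encrypted files have no
    P<->E transitions; a file that flips back and forth many times is the
    signature of intermittent encryption even though readable text remains."""
    cmap = chunk_map(data)
    transitions = sum(1 for a, b in zip(cmap, cmap[1:]) if a != b)
    if "E" not in cmap:
        verdict = "plain"
    elif "P" not in cmap:
        verdict = "encrypted"
    elif transitions >= 4:
        verdict = "intermittent"
    else:
        verdict = "mixed"
    return {"verdict": verdict, "transitions": transitions, "chunk_map": cmap}

def keystream(n: int) -> bytes:
    """Constructed deterministic keystream (a stand-in, not LockFile's cipher)."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(b"constructed-key" + ctr.to_bytes(4, "big")).digest()
    return bytes(out[:n])

def simulate_intermittent(plain: bytes) -> bytes:
    """Constructed model of partial encryption: XOR every other 16-byte chunk,
    leaving chunk 0 (where a file's magic bytes live) untouched."""
    ks = keystream(len(plain))
    out = bytearray(plain)
    for i in range(CHUNK, len(plain), 2 * CHUNK):
        for j in range(i, min(i + CHUNK, len(plain))):
            out[j] ^= ks[j]
    return bytes(out)

if __name__ == "__main__":
    sample = simulate_intermittent(SAMPLE_TEXT)
    print(classify(SAMPLE_TEXT)["verdict"], classify(sample))
```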

(CISO Mag)

Zoom-call gaffes led to someone getting axed, 1 in 4 bosses say

Nearly 1 in 4 executives have fired a staffer for slipping up during a video or audio conference, and most have levied some sort of disciplinary action for gaffes made in virtual meetings, a survey of 200 managers at large companies found. The survey, commissioned by Vyopta Inc., which helps companies manage their workplace collaboration and communication systems, identified the top four career-ending mistakes as joining a call late, having a bad Internet connection, accidentally sharing sensitive information, and of course, not knowing when to mute yourself.

(Bloomberg)

Thanks to our episode sponsor, Semperis

One thing we’ve learned from attacks like SolarWinds: Cybercriminals can lurk in your Active Directory environment for weeks or months before dropping malware. How do you root them out? First, you need to uncover security gaps in Active Directory that can lead to a breach. Download Purple Knight, a free security assessment tool from Semperis that scans your environment for pre-attack and post-attack indicators of exposure and compromise. Check it out at Purple-Knight.com.

The cost of ransomware to schools

Education has been one of the sectors increasingly targeted by ransomware, as large campus networks offer attackers multiple vectors to infiltrate. Comparitech published a report looking into the scale of these attacks and how much they cost the education sector over the last year. In 2020, 77 ransomware attacks impacted over 1,740 schools and colleges, potentially reaching up to 1.36 million students. The cost of downtime alone from the attacks was estimated at $6.62 billion. The report also found that the number of individual attacks decreased 20% in 2020, but the overall number of impacted schools was up 39%, as each individual attack targeted larger school systems. Texas and California saw the largest number of ransomware attacks, although Nevada saw the most students impacted, with over 328,000.

(Comparitech)

SEC fines three companies over hacked employee email accounts

The US Securities and Exchange Commission fined three brokerage firms on Monday for neglecting to secure employee accounts, in incidents that led to the exposure of their customers’ data.

Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS) all settled with the SEC in three separate lawsuits [PDF: Cetera, Cambridge, KMS], the agency announced this week.

According to court documents, the three companies were hacked multiple times between 2017 and 2020, hid the intrusions, and failed to properly notify customers.

(The Record)