Cyber Security Headlines – Week in Review – August 2-6, 2021

This week’s Cyber Security Headlines – Week in Review, August 2-6, 2021, is hosted by Rich Stroffolino with our guest, Sandy Dunn, Blue Cross of Idaho

Cyber Security Headlines – Week in Review is live every Friday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.

Remote print server gives anyone Windows admin privileges on a PC

A researcher has created a remote print server that allows any Windows user with limited privileges to gain complete control over a device simply by installing a print driver. This follows on the heels of the zero-day Windows print spooler vulnerability known as PrintNightmare. Microsoft released a security update for it, but researchers figured out ways to bypass the patch. This new method effectively allows anyone, including threat actors, to obtain administrative privileges simply by installing the remote print driver. Once they gain administrative rights on the machine, they can run any command, add users, or install any software, effectively giving them complete control over the system.

(Bleeping Computer)

Iran leak hints at second tier targets as next terror gateway

Following up on a story we brought you in May, a recent report by Sky News exposed a trove of documents appearing to be from a branch of the Islamic Revolutionary Guard Corps (IRGC), Intelligence Group 13. They show a coordinated attempt to collect information on the vulnerabilities of second-tier targets, including those that can capsize merchant vessels, remotely control electrical controllers in building management systems, and tamper with fuel pumps triggering spills or explosions. Michael Langer, a cyberwarfare expert and CPO of Radiflow, says, “Iran is looking to expand the outreach and objects of their cyber-attacks. The mapping of Building Management Systems vulnerabilities may indicate a shift to target more easily exploitable sites.”

(CISOMag)

Pegasus spyware confirmed on journalist phones

French intelligence investigators say Pegasus spyware has been found on the phones of three journalists, including a senior staff member at the country’s international television station France 24. This is significant because it’s the first time an independent authority has corroborated the findings of Forbidden Stories, a Paris-based nonprofit media organisation, and Amnesty International, both of which initially had access to a leaked list of 50,000 numbers believed to belong to people of interest to clients of the Israeli firm NSO Group since 2016, and shared that access with their media partners.

(The Guardian)

Someone is spoofing military ship locations

According to an analysis by the nonprofit SkyTruth and Global Fishing Watch, since August 2020 over 100 warships from at least 14 European countries, Russia, and the US have had their locations faked using the automatic identification system, or AIS. These faked locations were often in disputed waters or inside the territorial waters of another country, and lasted up to days at a time. Researchers were not able to tie the faked signals to any country, organization, or individual, but the signals shared common characteristics indicating they came from the same actor. Part of the problem is that AIS is an unencrypted and unauthenticated system, with some in the security community calling for adding digital signatures to each AIS transmission.

(Wired)

Thanks to our episode sponsor,
PlexTrac

Level up your team’s capabilities with PlexTrac. Regardless of size, resources, or maturity, every team can take steps to improve defenses against imminent threats like ransomware. PlexTrac is the perfect platform to make the most proactive engagements by tracking tactics, visualizing metrics, supporting communication, and measuring remediation. Check out PlexTrac.com/CISOSeries to learn why PlexTrac is the perfect platform for CISOs!

Now we have to worry about pneumatic tubes

The security firm Armis published details on a series of nine security vulnerabilities, collectively called PwnedPiper, impacting the TransLogic Pneumatic Tube Systems currently used in over 3,000 hospitals to move things like lab samples and medicine. An attacker on a hospital’s internal network could use the vulnerabilities to take over the entire tube network. Given the recent rash of ransomware attacks against healthcare organizations, this widely used system could open the door for further threat actors. TransLogic says a software update for all but one of the vulnerabilities has been developed, with a mitigation technique available for the unpatched vulnerability.

(The Record)

Federal agencies are failing to protect sensitive data, Senate report finds

Of eight federal agencies audited for their cybersecurity programs, only the Department of Homeland Security showed improvements in 2020, according to a report from the Senate Homeland Security and Governmental Affairs Committee. Released by the panel yesterday, the report underscores the increased scrutiny of federal cybersecurity by lawmakers in the aftermath of the SolarWinds supply chain attack. It found that seven of the eight agencies reviewed still use legacy systems that no longer have security updates supported by their vendor, which can leave agencies vulnerable to foreign hacking, the report notes.

(Cyberscoop)

Spear phishing attackers increasingly targeting non-C-suite employees

According to a report from Barracuda, an average organization is targeted by over 700 social engineering attacks each year, and 77% of BEC attacks target employees outside of financial and executive roles, including personnel working in sales, project management, human resources, and administration. Unlike regular spam, these non-C-suite spear phishing attacks show that the middle and lower levels of an organization are now becoming easier targets. Findings in the report, entitled “Spear Phishing: Top Threats and Trends Vol. 6,” include that 43% of phishing attacks impersonate Microsoft brands, and that 1 in 5 BEC attacks are aimed at the sales team.

(CISOMag)

Google and Amazon patch DNS-as-a-Service bugs

At Black Hat, security researchers from the cloud security company Wiz demonstrated a vulnerability in hosted DNS service providers that could be used to take over a platform’s nodes and access incoming DNS traffic, opening the door to mapping customers’ internal networks. The researchers found that some providers, including Amazon and Google, did not blacklist their own DNS server hostnames inside their backends, letting the researchers register those hostnames as zones in the backend and point them at infrastructure they controlled. While not all DNS traffic was visible, the approach did expose dynamic DNS updates. Amazon and Google subsequently released updates to resolve the issue, with an unnamed provider currently working on a fix.

(The Record)
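The Wiz finding above comes down to a missing registration-time check: a tenant could create a hosted zone named after the provider’s own nameserver, and longest-suffix zone matching then handed that tenant the queries meant for the provider. The following is an added illustration (not Wiz’s or any provider’s code) of both the matching behaviour and the hardened check; the nameserver names and zone names are constructed placeholders.

```python
# Added example: how a hosted-DNS control plane can refuse zone names that
# collide with its own nameserver hostnames. Names below are constructed.

# Hypothetical provider nameserver hostnames (placeholders, not real ones).
PROVIDER_NAMESERVERS = {
    "ns-101.example-dns.net.",
    "ns-202.example-dns.org.",
}

def normalize(name: str) -> str:
    """Lower-case the name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def labels(name: str) -> list:
    """Split a DNS name into its labels, dropping the empty root label."""
    return [lab for lab in normalize(name).split(".") if lab]

def is_ancestor_or_equal(candidate: str, target: str) -> bool:
    """True if candidate is the same name as target or one of its parents."""
    c, t = labels(candidate), labels(target)
    return 0 < len(c) <= len(t) and t[len(t) - len(c):] == c

def lookup_zone(qname: str, hosted_zones) -> str:
    """Longest-suffix match: the most specific hosted zone containing qname.

    This is the behaviour that made the bug dangerous: if a tenant owns a zone
    named exactly like a provider nameserver, queries for that nameserver's
    hostname land in the tenant's zone.
    """
    best = None
    for zone in hosted_zones:
        if is_ancestor_or_equal(zone, qname):
            if best is None or len(labels(zone)) > len(labels(best)):
                best = normalize(zone)
    return best

def zone_creation_allowed(requested_zone: str, provider_ns=PROVIDER_NAMESERVERS) -> bool:
    """Hardened control-plane check: refuse a zone that equals, or is a parent of,
    any of the provider's own nameserver hostnames. The weak version of this
    function simply returned True for every syntactically valid name."""
    if not labels(requested_zone):
        return False
    return not any(is_ancestor_or_equal(requested_zone, ns) for ns in provider_ns)
```
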

Ransomware operators recruiting insiders to breach corporate networks

No, that headline wasn’t algorithmically generated based on cybersecurity buzzwords. The LockBit 2.0 ransomware operators are actively recruiting insiders to breach networks. This effectively cuts out the middleman for many ransomware-as-a-service schemes, which typically use affiliates to breach networks in exchange for a share of the ransom. Since relaunching in June, LockBit has added new wallpaper to encrypted Windows machines, promising millions for RDP, VPN, and corporate email credentials that would give the group network access, and offering to send willing accomplices a virus to install on a work machine. Bleeping Computer believes these messages are targeted at external IT consultants who work for multiple clients.
(Bleeping Computer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.