This week’s Cyber Security Headlines – Week in Review, February 8-12, 2021 is hosted by Steve Prentice (@stevenprentice) with our guest, Johna Till Johnson (@JohnaTillJohnso), CEO, Nemertes Research.

Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.

New phishing attack uses Morse code to hide malicious URLs

A novel phishing approach uses a fake invoice email complete with an HTML spreadsheet attachment that includes the victim company’s name in the file name for greater credibility. The malicious script, written in Morse code, is located within the HTML code of the spreadsheet along with a decodeMorse() function that converts it back into JavaScript. This then generates a realistic-looking Microsoft session time-out screen, complete with the victim company’s logo, retrieved from logo.clearbit. Once a user enters their password, the form submits it to a remote site where the attackers can collect the login credentials. According to Bleeping Computer, this is the first recorded instance of the use of Morse code in this fashion.

(Bleeping Computer)
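
One way a mail gateway or triage script could flag the pattern described above, as an added example that is not code from the original report. The token threshold, the hex second stage and both sample attachments are assumptions constructed for illustration.

```javascript
// Added example: triage an HTML attachment for Morse-encoded script content.
const CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. " +
  "--.- .-. ... - ..- ...- .-- -..- -.-- --.. " +
  "----- .---- ..--- ...-- ....- ..... -.... --... ---.. ----.").split(" ");
const CHARS = "abcdefghijklmnopqrstuvwxyz0123456789";
const TABLE = new Map(CODES.map((code, i) => [code, CHARS[i]]));

// Eight or more space-separated dot/dash tokens: long enough to skip "..." in prose.
const MORSE_RUN = /(?:[.-]{1,6} ){7,}[.-]{1,6}/g;

function decodeRun(run) {
  return run.split(" ").map((t) => TABLE.get(t) ?? "?").join("");
}

// Assumption: the decoded text may itself be hex for the real script bytes.
function tryHex(text) {
  if (!/^(?:[0-9a-f]{2})+$/.test(text)) return null;
  return text.match(/../g).map((h) => String.fromCharCode(parseInt(h, 16))).join("");
}

function triageHtml(html) {
  const runs = (html.match(MORSE_RUN) || []).map((run) => {
    const decoded = decodeRun(run);
    return { tokens: run.split(" ").length, decoded, hex: tryHex(decoded) };
  });
  const decoderCall = /decodeMorse\s*\(/i.test(html); // helper name from the report
  const scriptLike = runs.some((r) => /<script|https?:/i.test(r.hex ?? r.decoded));
  return { runs, decoderCall, suspicious: runs.length > 0 && (decoderCall || scriptLike) };
}

// Constructed samples: the Morse run in the first decodes to the hex of "<script>".
const flagged = '<html><script>var m = "...-- -.-. --... ...-- -.... ...-- --... ' +
  '..--- -.... ----. --... ----- --... ....- ...-- ."; run(decodeMorse(m));</script></html>';
const benign = "<html><p>Invoice attached... SOS is ... --- ... in Morse.</p></html>";

console.log(triageHtml(flagged));
console.log(triageHtml(benign));
```

An HTML attachment that carries a long Morse run next to a decoder call has little legitimate use, so a hit is a good candidate for quarantine and analyst review.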

Florida water treatment plant hacked to distribute harmful chemicals/Used TeamViewer

Pinellas County, Florida Sheriff Bob Gualtieri said Monday that someone gained remote access to the Oldsmar, Florida water treatment plant at 8 AM on February 5th, attempting to increase sodium hydroxide, otherwise known as lye, to a dangerous level. A plant operator first thought a supervisor had accessed the system from home. After the intruder raised the lye level, a monitoring operator immediately reduced it, with the remote access system now disabled. The Sheriff noted other fail-safes and alarm systems would have also prevented the dangerous adjustment had the operator not noticed.

(AP News)

Office 365 will help admins find impersonation attack targets

In addition to the nation state warning we mentioned on yesterday’s podcast, Microsoft is also going to make it easier for Defender for Office 365 customers to identify impersonation-based phishing attacks including intentionally misspelled email addresses and domain names. Security admins will be able to use new filters dubbed Impersonated user and Impersonated domain together with the Threat Explorer and real-time detections to detect organization users and domains targeted in impersonation attacks. The new information will be available for security team admins via the Impersonation insight pages as well as on a newly added Email Entity page and will be more widely available to end users by the end of February.

(Bleeping Computer)

Mount Sinai study finds Apple Watch can predict COVID-19 diagnosis up to a week before testing

The study, published in the peer-reviewed Journal of Medical Internet Research, found that wearable hardware like the Apple Watch can effectively predict a positive COVID-19 diagnosis up to a week before current PCR-based nasal swab tests. The researchers focused on heart rate variability (HRV), which is a key indicator of strain on a person’s nervous system, and combined this with patients’ self-reported symptoms. The study is ongoing and will expand to examine what else wearables like the Apple Watch can tell about other impacts of COVID-19, including the relationships between sleep and physical activity and the disease.

(TechCrunch)

Thanks to our episode sponsor, Altitude Networks

Activists complain of weakened voting security standard

The US federal agency overseeing election administration has quietly tweaked a key element of proposed security standards for voting systems, removing language that would ban any voting machines that had wireless modems or chips. This has raised concern among voting-integrity experts and computer security specialists who suggest the mere presence of such wireless hardware poses risks. The election administration officials state that their rules require manufacturers to disable wireless functions present in any machines, although the wireless hardware can remain.

(Associated Press)

Google pays $6.7 million in bug bounties

2020 marked the third consecutive year that Google increased its bug bounty payouts, up 3% to $6.7 million on the year. These bounties went to 662 security researchers across 62 countries. Chrome’s Vulnerabilities Rewards Program handed out the most bounties, getting over 300 bug submissions and paying out $2.1 million. Android bugs paid out $1.74 million, including the first-ever Android 11 developer preview bonus, while Google Play bugs accounted for $270,000.

(ZDNet)

SIM swapping gang targeting celebrities arrested

Eight men were arrested by the UK National Crime Agency in the past week across England and Scotland as part of a coordinated crackdown against the group. This group targeted well-known sports stars, musicians, and influencers, tricking mobile operators into changing the victim’s phone number to a new SIM they controlled, then resetting passwords and bypassing two-factor authentication on accounts. Europol said the gang stole more than $100 million worth of cryptocurrency using this method.

(ZDNet)

Researcher demonstrates the vulnerability of open source to supply chain attacks

Security researcher Alex Birsan was able to breach 35 major companies’ internal systems using a novel software supply chain attack on open source repositories. Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber were among the companies shown to be vulnerable. Birsan uploaded malware to several open source repositories including PyPI, npm, and RubyGems, which was then pulled downstream by the companies. Birsan noticed that a manifest file for an internal npm package had private packages listed. The researcher uploaded identically named packages that contained malware to the public npm repository, with the public package always taking priority. Birsan disclosed that the packages he added to GitHub were for security research and has been paid over $130,000 in bug bounties for the research.

(Bleeping Computer)
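
A defensive check for the name-collision problem described above, as an added example that is not from the original report or from Birsan's research: it audits an npm lockfile and reports internal package names that were resolved from anywhere other than the private registry. The package names, the `@acme` scope, the registry host and the lockfile contents are hypothetical, constructed for illustration.

```javascript
// Added example: audit an npm lockfile for dependency-confusion exposure.
// All policy values (names, scope, registry host) are hypothetical.
const policy = {
  internalNames: ["acme-billing-core", "acme-auth-utils"], // unscoped private names
  internalScopes: ["@acme"],
  privateRegistryHost: "npm.internal.example",
};

// Constructed sample in the package-lock.json v3 layout ("packages" map).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "storefront", version: "1.0.0" },
    "node_modules/lodash":
      { version: "4.17.21", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
    "node_modules/@acme/ui":
      { version: "2.3.0", resolved: "https://npm.internal.example/@acme/ui/-/ui-2.3.0.tgz" },
    "node_modules/acme-auth-utils":
      { version: "1.4.2", resolved: "https://npm.internal.example/acme-auth-utils/-/acme-auth-utils-1.4.2.tgz" },
    "node_modules/lodash/node_modules/acme-billing-core":
      { version: "99.0.0", resolved: "https://registry.npmjs.org/acme-billing-core/-/acme-billing-core-99.0.0.tgz" },
  },
};

function isInternal(name, p) {
  return p.internalNames.includes(name) ||
    p.internalScopes.some((scope) => name.startsWith(scope + "/"));
}

function auditLockfile(lock, p) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project or workspace entry
    const name = path.slice(idx + "node_modules/".length);
    if (!isInternal(name, p)) continue;
    let host = null;
    try { host = new URL(entry.resolved).hostname; } catch { /* missing or non-URL */ }
    if (host !== p.privateRegistryHost) {
      // An internal name was fetched from somewhere other than the private registry.
      findings.push({ name, version: entry.version, issue: "wrong-registry", host });
    } else if (!name.startsWith("@")) {
      // Resolved correctly today, but an unscoped name can be claimed publicly.
      findings.push({ name, version: entry.version, issue: "unscoped-internal-name", host });
    }
  }
  return findings;
}

console.log(auditLockfile(sampleLock, policy));
```

Run in CI against the committed lockfile, a `wrong-registry` finding should fail the build, while `unscoped-internal-name` marks packages worth moving under a scope that is bound to the private registry.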

FDA appoints its first acting director of medical device cybersecurity

The U.S. Food and Drug Administration has appointed Kevin Fu to fill this role through its Center for Devices and Radiological Health. Mr. Fu has been an associate professor of electrical engineering and computer science at the University of Michigan since 2013, and has been an adviser to a range of government agencies including the National Institute of Standards and Technology. His key priorities are medical device safety, imparting security training to manufacturers of both IoT and medical devices, and ensuring software security experts start to be included in the process of building cybersecurity into the design of medical devices, which they currently are not.

(CISOMag)

Virginia on the brink of passing brawny data privacy act

Once the governor signs a proposed bill, hefty data privacy legislation will finally arrive on the East Coast of the US. Similar to privacy laws in California, the proposed law will allow Virginians to opt out of data targeting and data sale. And similar to the European Union’s General Data Protection Regulation (GDPR), state residents will also be able to obtain the data that companies collect about them and have it corrected or deleted. Privacy advocates aren’t 100% pleased with the bill, given that it lacks provisions for suing companies. As well, the bill underscores an increasing patchwork of data privacy laws in the absence of Federal action from Congress.

(Washington Post)