This week’s Cyber Security Headlines – Week in Review, March 1-5, 2021, is hosted by Steve Prentice (@stevenprentice) with our guest, John Overbaugh (@johnoverbaugh), vp, security, CareCentrix

Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.”  (https://www.crowdcast.io/e/cyber-security-headlines)

Former SolarWinds CEO blames intern for ‘solarwinds123’ password leak

On Friday, top executives at SolarWinds blamed a company intern for a critical lapse in password security that apparently went undiagnosed for years. The password in question, “solarwinds123,” was discovered in 2019 on the public internet by an independent security researcher who warned the company that the leak had exposed a SolarWinds file server. SolarWinds representatives told lawmakers Friday that as soon as the password issue was reported, it was corrected within days. Neither the current nor former SolarWinds CEOs could explain to lawmakers why the company’s technology allowed for such passwords in the first place. As hearings continue, this remains a developing story.

(CNN)

Go malware sees 2000% increase, adopted by APTs and e-crime groups

A study by cybersecurity firm Intezer confirms a general trend in the malware ecosystem which reveals malware authors have slowly moved away from C and C++ to Go, a programming language developed and launched by Google in 2007. Also referred to as Golang, it is used by nation-state hacking groups (also known as APTs), cybercrime operators, and even security teams alike, who often used it to create penetration-testing toolkits. The reasons for its popularity include easy cross-platform compilation, it is difficult for security researchers to reverse engineer, and GO was created by Google to be a better programming language for cloud applications.

(ZDNet)

Hackers give websites great SEO before installing malware

According to security researchers at Sophos, malware operators are increasingly using SEO tricks and social engineering to push websites infected with malware up Google’s search rankings. The ultimate goal is to deploy the infection framework for the Gootkit Remote Access Trojan, which researchers estimate requires the operation of hundreds of servers to effectively pull off. Websites hit with this “Gootloader” technique are manipulated to answer specific search queries. Infected message boards have also been seen to subtly tweak content to seemingly answer specific search queries and get them to click through. Once the trojan is installed, it’s used to further deploy Kronos, Cobalt Strike, and REvil ransomware.

(ZDNet)

China reportedly behind massive power outage in Mumbai 

According to a new white paper from the security intelligence firm Recorded Future, a group of China-based threat actors dubbed “RedEcho” injected 10 Indian power sector organisations and a pair of Indian seaport operators with malware. This was the probable cause of a massive power outage in Mumbai back in October. It seems that the outage was only caused by a small subset of malware, with most never activated by the operators. The malware appears to have been injected in May 2020 during a border standoff between India and China.

(The Register)

Thanks to our episode sponsor, TrustMAPP

Maturity Assessment, Profile, and Plan
Learn the MAPP methodology for managing security as a business.
While the information security industry has undergone convulsive change, it is coalescing around maturity-based management of key business processes. The MAPP approach provides practical implementation of the maturity model.
This paper describes a three-step maturity-centric approach—Maturity Assessment, a Profile, and a Plan (MAPP). An information security MAPP empowers the CISO to evaluate, track, report, and strategize the organization’s security priorities.

Tom Cruise deepfake videos rattle security experts

Three mysterious deepfake videos of Tom Cruise that have gone viral on TikTok are the handiwork of Chris Ume, a video visual effects specialist from Belgium. The videos have drawn attention from experts and nonexperts alike for being among the most convincing examples of the genre of fake videos yet produced. Deepfakes are created using artificial intelligence that use a technique that trains two neural networks in tandem to either create or identify facial imagery. While some technologists and security experts fear deepfakes will become a potent weapon for political disinformation, Chris Ume downplays such concerns. Consumers just need to become more skeptical of what they see, he argues.

(Fortune)

Malicious NPM packages target Amazon, Slack with new dependency attacks

Threat actors are targeting Amazon, Zillow, Lyft, and Slack NodeJS apps using a new ‘Dependency Confusion’ vulnerability to steal Linux/Unix password files and open reverse shells back to the attackers. This flaw works by creating packages that use the same names as a company’s internal repositories or components. When hosted on public repositories, including npm, and RubyGems, dependency managers would use the packages on the public repo rather than the company’s internal packages when building the application. This “dependency confusion” would allow an attacker to inject their own malicious code into an internal application in a supply-chain attack. We first reported this story last month in terms of malicious code being stored on public repositories, but this new report from Bleeping Computer shows that the packages are now being deployed.

(Bleeping Computer)

U.S. unprepared for AI competition with China, commission finds

A comprehensive report released this week by the National Security Commission on Artificial Intelligence states that White House leadership and a substantial investment will be needed to ensure US superiority in artificial intelligence by 2025. Commission Chair and former Google chief executive Eric Schmidt said he believes China is catching the U.S. up on AI. Initiatives proposed by the commission include the creation of a Technology Competitiveness Council within the White House to be chaired by the vice president, a Steering Committee on Emerging Technology within the Defense Department to coordinate and advance implementation of technology, and the creation of an accredited, degree-granting digital services academy to help build a pipeline of civil service tech talent.

(NextGov)

Virginia’s Consumer Data Protection Act signed into law

Virginia governor Ralph Northam signed the act into law, set to take effect Jan. 1, 2023. Companies with data on 100,000 Virginia consumers or that make at least 50% of income on the sale of data on 25,000 Virginians are required to let consumers receive copies, amend, or delete personal data, as well as letting consumers opt-out of using data for marketing purposes. The law follows California’s CCPA as the second consumer data protection law among US states, with Utah expected to pass an identical law later this week. 

(Virginia Business)

Exchange Server zero-days exploited in the wild

Microsoft warned that a group it calls Hafnium is exploiting four previously undisclosed security flaws in Exchange Server in order to steal information from US-based organizations like infectious disease researchers, defense contractors and law firms. The vulnerabilities can be exploited to access email accounts and address books. Microsoft said limited successful attacks have been executed and patches are available now, a week ahead of the usual patch Tuesday. 

(TechCrunch)