Cyber Security Headlines – Week in Review, March 15-19, 2021, is hosted by Steve Prentice (@stevenprentice) with our guest, Jesse Whaley , CISO, Amtrak

Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.”  (https://www.crowdcast.io/e/cyber-security-headlines)

DearCry ransomware using ProxyLogon exploits

Microsoft security researcher Phillip Misner has confirmed that DearCry, also known as DoejoCrypt, is being installed in human-operated attacks using the new Microsoft Exchange exploits. McAfee’s Head of Cyber Investigations has confirmed that they are seeing victims in United States, Luxembourg, Indonesia, Ireland, India, and Germany. DearCry creates a Windows service named ‘msupdate’ which is later removed when the encryption process is finished. Tens of thousands of Microsoft Exchange servers have been patched over the last three days, but Palo Alto Networks states that there are still approximately 80,000 older servers that cannot directly apply the recent security updates. All organizations are strongly advised to apply the patches as soon as possible and to create offline backups of their Exchange servers.

(Bleeping Computer)

Security agencies leak sensitive data by failing to sanitize PDF files

In a research paper published this month, the French National Institute for Research in Computer Science and Automation (INRIA) said security agencies are doing a poor job at sanitizing PDF documents they publish on their official websites and are leaking troves of sensitive information that could be collected and weaponized in malware attacks. INRIA collected and analyzed almost 40,000 PDF files published on the websites of 75 security agencies from 47 countries, and were able to recover sensitive data from 76% of the files they analyzed, including the author’s name and email address, device details and file path information. The research also revealed that 19 of these security agencies had not updated their software for over two years.

(Recorded Future

Cyber criminals impacted by OVH data center fire

A fire in the Strasbourg data centers of OVHcloud disrupted a number of organizations, including cyber criminals. The analysts at Kaspersky Lab found that 36% of the 140 known C2 servers tracked at OVH were taken offline by the fire. This included servers used by several APT, like Charming Kitten, APT39, Bahamut and OceanLotus. Overall sites hosted on the .fr top level domain were the most impacted, with 1.9% of all .fr domains in the world temporarily taken offline as a result of the fire. 

(InfoSecurity Magazine)

Thanks to our episode sponsor, Trend Micro

The conversation between you and your board of directors is not always a walk in the park. With more cloud projects coming your way, it’s time to change the conversation to speak their language and start paving the way for a secure future. For more, go to http://trendmicro.com/CISO

Hackers steal NFTs

If you haven’t been following the crypto art world, NFTs, or non-fungible tokens, have taken off as a way to sell unique pieces of digital art. So of course now that they have value, someone figured out how to steal them. The NFT marketplace Nifty Gateway confirmed some users had digital artwork stolen from accounts, although maintained there was no evidence that its platform was breached. The company suggested that users without two-factor authentication were hit with credential stuffing attacks using previously leaked login info. Some users also reported having credit cards stored with Nifty Gateway used to make other NFT art purchases. Nifty Gateway recommends users enable two-factor authentication.

(The Verge)

Telcos targeted by Chinese attackers

Researchers at McAfee report that a hacking group known as Mustang Panda and RedDelta, known to operate out of China, has targeted at least 23 telcos across Southeast Asia, Europe and the United States since August 2020. Initial vectors for attacks are still unknown, but the campaign appears to direct employees at the telcos to a malicious phishing domain, where the Cobalt Strike backdoor is installed. It’s believed the attackers are attempting to steal sensitive information around 5G technology. The phishing site appears as a Huawei career site, but the researchers were clear that Huawei was not associated with the campaign. 

(ZDNet)

Telemarketers fined for a billion robocalls

The US Federal Communications Commission issued a record $225 million fine against two Texas-based telemarketers, Rising Eagle and JSquared Telecom, for being responsible for roughly 1 billion robocalls to falsely sell short-term health insurance plans. The FCC also said the companies were tied to scams involving IRS imposter calls, calls that pretend to be from Apple, false COVID-hardship programs, and fictional refunds from Amazon. The FCC also announced the formation of a “Robocall Response Team” to better coordinate efforts to reduce robocalls. 

(CNBC)

Dropbox Password manager comes to free users

The company will open its Dropbox Password manager to free Dropbox Basic accounts in April, although this will be limited to 50 passwords. Free users will be able to sync passwords across three devices, with access through browser extensions, desktop and mobile apps. The service was first introduced to paid accounts last year, and allows for unlimited syncing and storage of passwords. 

(The Verge)

Detecting deepfakes by analyzing light reflections in the eyes

A new AI tool developed by computer scientists from the University at Buffalo looks at analyzing the corneas, which have a mirror-like surface that generates reflective patterns when illuminated by light. The tool was 94% effective at detecting deepfake images in portrait photography mode, including from the This Person Does Not Exist repository of generated images. The developers acknowledge that there are still limitations such as the need to be able to see both eyes straight on. The technique cannot work whet the face in the picture isn’t looking at the camera.

(TheNextWeb.com)

China slaps LinkedIn with 30-day suspension over lax censorship

China says LinkedIn—the sole social network allowed to operate in the country—hasn’t been censoring its posts strenuously enough. Its internet regulator is punishing the Microsoft-owned platform for failing to control objectionable posts circulating in the period around an annual meeting of China’s lawmakers, according to three people briefed on the matter, which hasn’t been made public. It’s unclear exactly which material got LinkedIn into trouble. As punishment, Chinese officials are requiring LinkedIn to perform a “self-evaluation” and to offer a report to the internet regulator and to suspend new-user sign-ups inside China for 30 days.

(New York Times)