This week’s Cyber Security Headlines – Week in Review, March 29-April 2, 2021, is hosted by Steve Prentice (@stevenprentice) with our guest, James Dolph, CISO, Guidewire Software

“Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.”

Senators offer to let NSA hunt cyber actors inside the US

A bipartisan group of senators offered to help expand the National Security Agency’s authority, allowing the spy agency to hunt domestically for signals intelligence against foreign adversaries that U.S. officials have said are behind a string of recent attacks, like the SolarWinds and Microsoft Exchange Server hacks. Gen. Paul Nakasone, who leads both the NSA and U.S. Cyber Command, told senators that the U.S. was unable to keep up with the threat in large part because laws prevent NSA and Cyber Command from adequately observing adversaries operating on U.S. networks. “They’re no longer just launching their attacks from different parts of the world. They understand that they come into the United States, use our infrastructure, and there’s a blind spot for us not being able to see them.”

(DefenseOne)

FatFace hides ransomware attack, bargains down and gets tech support from pirates

UK fashion retailer FatFace, which made headlines last week by appearing to ask its customers to keep its cyberattack “strictly private and confidential”, has reportedly paid a $2 million ransom. Conti, the gang behind the attack, initially demanded an $8 million ransom based on its assessment of what FatFace’s insurance would cover, but the company talked them down after explaining revenues had tumbled due to the Coronavirus lockdown. In accepting the payment, Conti offered advice to FatFace’s IT team about how to harden its defenses against future attacks.

(Graham Cluley)

New York launches blockchain based Covid passports

New Yorkers will now be able to pull up a code on their cell phone to prove they’ve been vaccinated against COVID-19 or recently tested negative for the virus that causes it. The first-in-the-nation certification, called the Excelsior Pass, will be useful first at large-scale venues like Madison Square Garden, as well as at dozens of event, arts and entertainment venues statewide, and even weddings and catered events. The data will come from the state’s vaccine registry and also will be linked to testing data from a number of pre-approved testing companies. It is built on IBM’s digital health pass platform and is provided via blockchain technology, so neither IBM nor any business will have access to private medical information.

(USA Today)

Emails from DHS officials obtained in SolarWinds hack

The Associated Press’ sources say that, as part of the SolarWinds Orion supply chain attack, threat actors obtained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security, Chad Wolf, and to members of the department’s cybersecurity staff. The intelligence value of the emails is unknown. Officials say that following disclosure of the attack, DHS officials switched to clean phones and used the messaging app Signal to communicate. One official speaking to AP said the agency’s response was hampered by outdated technology and that it struggled for weeks to identify how many servers it had running SolarWinds software.

(AP News)

Thanks to our episode sponsor, Remediant

Remediant is a fast-growing Gartner Cool Vendor focused on the concept of precision Privileged Access Management, and one that a Fortune 100 company calls “the world’s best protection against major incidents.”

Remediant uniquely deploys & inventories thousands of privileged accounts in hours, locks down lateral movement & ransomware spread by removing standing privilege with a single action, and administers privileges just-in-time with MFA.

To learn more, visit remediant.com

Ziggy ransomware gang announces shutdown: returns keys and offers refund

Voicing concerns about recent law enforcement activity and guilt for encrypting their victims, the gang has released all victims’ decryption keys and has now offered to refund the money they extorted. In an interview with Bleeping Computer, the ransomware admin said they created the ransomware to generate money as they live in a “third-world country.” Threat analyst Brett Callow suggests that the recent arrests of individuals associated with the Emotet and Netwalker operations could be causing some actors to get cold feet. The admin at Ziggy has posted contact information for victims to receive their ransoms back in bitcoin.

(CISOMag)

Whistleblower: Ubiquiti breach “catastrophic”

On January 11 of this year, Ubiquiti, a vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders and security cameras, disclosed that a breach involving a third-party cloud provider had exposed customer account credentials. Now, according to Krebs on Security, a source who participated in the response to that breach alleges Ubiquiti massively downplayed a “catastrophic” incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication. According to the whistleblower, “the breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.” The full story is available at Krebsonsecurity.com.

(KrebsOnSecurity)

MobiKwik suffers major breach: KYC data of 3.5 million users exposed

Popular Indian mobile payments service MobiKwik came under fire on Monday after 8.2 terabytes (TB) of data belonging to millions of its users began circulating on the dark web in the aftermath of a major data breach that came to light earlier this month. What is significant about this breach is the fact that the leak shows that MobiKwik does not delete card information from its servers even after a user has removed them, in what’s likely a breach of government regulations. MobiKwik officials vehemently denied the breach, blaming a “media-crazed so-called security researcher,” but numerous independent users have confirmed the breach, specifically by finding their personal details on the leak site.

(The Hacker News)

Gibberish tweet from US nuclear-agency was from unattended child

An unintelligible tweet of random keyboard letters posted on the Twitter account of the US Strategic Command on March 28 was sent by the young child of the agency’s Twitter manager. According to a document released following a Freedom of Information Act request, the manager had been working from home and had left the Twitter account open and unattended temporarily, at which point “his very young child and started playing with the keys and unknowingly, posted the tweet.” The agency is responsible for safeguarding America’s nuclear weapons.

(BBC News)

PayPal launches crypto checkout service

PayPal Holdings Inc. announced yesterday that it has started allowing U.S. consumers to use their cryptocurrency holdings to pay at millions of its online merchants globally, a move that could significantly boost use of digital assets in everyday commerce. Customers who hold bitcoin, ether, bitcoin cash and litecoin in PayPal digital wallets will now be able to convert their holdings into fiat currencies at checkout to make purchases, the company said. The company will charge no transaction fee to check out with crypto, but only one type of coin can be used for each purchase.

(Reuters)

Scam iOS app steals Bitcoin

iPhone user Phillipe Christodoulou claims that a scam iOS app imitating the Trezor wallet stole 17.1 Bitcoins from his wallet, the equivalent of roughly $600,000. The app featured the Trezor logo and numerous five-star reviews. Apple says it got through the App Store review process using a “bait-and-switch” technique: when submitted it was categorized as a “cryptography” app for storing passwords, not involved in cryptocurrency, although it did already use the Trezor name and logo. Once approved, it changed itself into a cryptocurrency wallet. Trezor, a hardware cryptocurrency wallet company, does not itself have a smartphone app, and says it has been warning Apple and Google about fake apps “for years.” Apple said it removed the fake app and banned its developer.

(MacRumors)