This week’s Cyber Security Headlines – Week in Review, May 3-7, 2021, is hosted by Steve Prentice (@stevenprentice) with our guest, Mitch Parker (@mitchparkerciso), CISO, Indiana University Health.

Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.

Experian API leaks most Americans’ credit scores

A researcher is claiming that the credit scores of almost every American were exposed through an API tool used by the Experian credit bureau, which he said was left open on a lender site without even basic security protections. Bill Demirkapi, a sophomore at Rochester Institute of Technology, identified that the tool, called the Experian Connect API, allows lenders to automate FICO-score queries. Demirkapi said he was able to build a command-line tool that automated lookups, which still worked after all zeros were entered in the date-of-birth field; he named it “Bill’s Cool Credit Score Lookup Utility.” Experian, for its part, refuted concerns from the security community that the issue could be systemic.

(Threatpost)

SAP admits to ‘thousands’ of illegal software exports to Iran

SAP has reached a settlement with US investigators to close a prosecution relating to the violation of economic sanctions and the illegal export of software to Iran. The cloud software vendor admitted to violating existing sanctions and an embargo placed on the country by the United States. From 2010 to 2017, SAP and overseas partners exported US-origin software — including upgrades and security fixes — to users in Iran over 20,000 times. SAP’s Cloud Business Group (CBG) units allowed over 2,300 users in Iran to access US-based cloud services. SAP voluntarily admitted to the accusations, leading to a settlement worth $8 million to avoid further action and prosecution.

(ZDNet)

Basecamp sees mass employee exodus after CEO bans political discussions

The company, which employs around 60 people, has seen one-third of its staff accept buyouts to leave, many citing new company policies under which they are no longer allowed to openly share their “societal and political discussions” at work. The departures are significant since they include Basecamp’s head of design, head of marketing and head of customer support, as well as much of its iOS team. Some Basecamp employees state the exodus has more to do with internal conversations about the company itself and its commitment to DEI – diversity, equity and inclusion – issues.

(TechCrunch)

A look at the Project Signal ransomware campaign

Security researchers at Flashpoint identified the ransomware campaign, seemingly organized by Iran’s Islamic Revolutionary Guard Corps using the contracting company ENP. The project began in the late summer of 2020, with malicious actors researching three to four websites per day as potential targets. Project Signal appears linked to the ransomware campaign Pay2Key that targeted a number of Israeli firms in November 2020, which used similar tactics. The researchers noted that Iran has a history of blending its operations with non-state-sponsored malicious cyber activity to give itself plausible deniability.

(CISO Mag)

Thanks to our episode sponsor, Boxcryptor

We think CISOs also have a right to sleep peacefully at night. Therefore, we recommend encrypting your sensitive business data for an extra layer of protection. Now in its 10th year, Boxcryptor offers strong end-to-end encryption for more than 30 cloud providers, NAS, file servers, and local data to organizations of all sizes. Start your free trial now at Boxcryptor.com.

Dozens of apps leaking AWS keys

A new report from the BeVigil search engine, which checks an app’s security ratings and other security issues before installation, found over 40 apps that had hardcoded private Amazon Web Services keys embedded within them. These apps had been collectively downloaded over 100 million times. Adobe Photoshop Fix, Adobe Comp, Hootsuite, and IBM’s Weather Channel were among the apps listed. Analysis found that some of the exposed AWS keys had access to multiple AWS services, including credentials for 88 S3 buckets, ultimately providing access to 5.5TB of data, including source code, application backups, user reports, test artifacts, configuration and credential files. BeVigil owner CloudSEK said they contacted AWS and the impacted apps independently to disclose their findings.

(The Hacker News)
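The BeVigil finding above is a class of defect that can be caught before an app ships. The following is an added example, not BeVigil’s or CloudSEK’s tooling, of a small pre-release scanner that walks an unpacked app bundle looking for AWS access key IDs (the documented 20-character format: an AKIA or ASIA prefix plus 16 uppercase letters or digits) and flags whether a 40-character secret-key-shaped string sits within a few lines of each one. It assumes the bundle has already been unpacked into a directory of text and resource files; the sample files embedded below are constructed for the demonstration, and the credential values in them are AWS’s published documentation placeholders, not live keys.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# AWS access key IDs: AKIA (long-term IAM user key) or ASIA (temporary STS key)
# followed by 16 uppercase alphanumerics, 20 characters total.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 characters of [A-Za-z0-9/+]. Many other 40-char
# strings (SHA-1 hashes, random tokens) look the same, so a candidate is only
# reported when it sits close to an access key ID and is not pure hex.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")
HEX_RE = re.compile(r"^[0-9a-fA-F]{40}$")


@dataclass(frozen=True)
class Finding:
    source: str        # file path (or label) the key ID was found in
    line_no: int       # 1-based line number of the key ID
    key_id: str        # key ID with the middle redacted, safe to put in a report
    secret_nearby: bool  # a secret-shaped string was found within the window


def redact(key_id: str) -> str:
    """Keep the prefix and last 4 characters so a finding is traceable without
    copying the full credential into logs or tickets."""
    return key_id[:4] + "*" * (len(key_id) - 8) + key_id[-4:]


def secret_candidates(text: str) -> list[str]:
    """40-char base64-like runs that are not plain hex digests."""
    return [c for c in SECRET_RE.findall(text) if not HEX_RE.match(c)]


def scan_text(source: str, text: str, window: int = 3) -> list[Finding]:
    """Scan one file's contents; the window is the number of lines on each
    side of a key ID that are searched for an accompanying secret."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            lo, hi = max(0, i - window), min(len(lines), i + window + 1)
            context = "\n".join(lines[lo:hi])
            findings.append(Finding(source, i + 1, redact(m.group(1)),
                                    bool(secret_candidates(context))))
    return findings


def scan_sources(sources: dict[str, str]) -> list[Finding]:
    """Scan an in-memory mapping of path -> contents."""
    findings = []
    for path, text in sources.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Scan every file under an unpacked bundle directory. Bytes are decoded
    leniently so strings inside compiled resources are still searched."""
    sources = {str(p): p.read_bytes().decode("utf-8", errors="ignore")
               for p in root.rglob("*") if p.is_file()}
    return scan_sources(sources)


# Constructed sample bundle. The credentials are AWS's own documentation
# example values (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
SAMPLE_BUNDLE = {
    "res/values/strings.xml": (
        '<string name="api_base">https://api.example.invalid</string>\n'
        '<string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>\n'
        '<string name="aws_secret">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n'
    ),
    "assets/config.json": '{"region": "us-east-1", "bucket": "app-backups"}\n',
    # A SHA-1 hex digest is 40 characters but is not a credential.
    "lib/notes.txt": "built from sha1 da39a3ee5e6b4b0d3255bfef95601890afd80709\n",
}


def scan_sample() -> list[Finding]:
    return scan_sources(SAMPLE_BUNDLE)


if __name__ == "__main__":
    for f in scan_sample():
        flag = "secret nearby" if f.secret_nearby else "key ID only"
        print(f"{f.source}:{f.line_no}: {f.key_id} ({flag})")
```

Run against a real unpacked bundle with `scan_tree(Path("unpacked_app"))`. A hit with `secret_nearby` set is the case in the story: the pair is usable as-is by anyone who downloads the app, so the key should be revoked in IAM and the app re-released with the credential moved behind a backend or a short-lived token exchange. A key ID alone is still worth rotating, since the matching secret may simply be stored in another file.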

A new set of vulnerabilities may affect 60 percent of the world’s public email servers

The Qualys Research Team has discovered 21 vulnerabilities in the Exim mail server, some of which can be chained together to obtain full remote unauthenticated code execution and gain root privileges. Qualys has named this group of vulnerabilities “21 Nails”. Bharat Jogi, Senior Manager, Vulnerability and Threat Research at Qualys, said in a statement that “the 21 vulnerabilities we found are critical as attackers can remotely exploit them to gain complete root privileges on an Exim system, allowing compromises such as a remote attacker gaining full root privileges on the target server and executing commands to install programs, modify data, create new accounts, and change sensitive settings on the mail servers. It’s imperative that users apply patches immediately.”

(Cyberscoop)

Hundreds of millions of Dell computers potentially vulnerable to attack

Laptops, notebooks, and tablets made by Dell are at risk of compromise from a set of five high-severity flaws that had gone undetected since at least 2009. The flaws allow an attacker who already has some level of initial access on a system to escalate privileges and gain kernel-level access on it. Security researchers from SentinelOne discovered the bugs in Dell’s DBUtil, a driver that is installed and loaded during the BIOS update process on Dell Windows machines. Dell was notified of the issue in December 2020 and has issued an update for it. In an advisory and FAQ today, the hardware maker offers measures that organizations can take to identify whether they have been impacted and steps they can take to address the issue.

(Dark Reading)

Phishing for workplace credentials

Some workers in the US received emails from an organization called Workplace Unite, offering $500 for workplace login credentials and $25 a month for as long as those credentials remained active, and claiming that providing payroll information would give them visibility into their peers. Motherboard reports these emails make HTTP requests to sites linked to the startup Argyle, which claims to act as a “gateway to access employment records,” with access to 40 million records. Linked domains for Workplace Unite were taken offline after being tweeted out by security researchers, although it’s unclear what its exact relationship with Argyle is.

(Vice)

Microsoft open-sources Counterfit

Counterfit is a tool that lets developers test the security of ML and AI systems; it was originally written as a set of attack scripts targeting specific AI models. In its current form, Counterfit offers an automated system to benchmark a variety of systems at scale for security, and it is used as part of Microsoft’s AI red team operations. It offers customizable or randomized parameters and logs attacks against models to help document potential failure modes of an AI system. A recent Microsoft survey found that 89% of organizations didn’t feel they had the right resources to secure AI systems.

(VentureBeat)

BazarBackdoor phishing campaign goes fileless and linkless

This campaign encourages people to type or copy links, or to call phone numbers, rather than clicking on a link. According to Ironscales CEO Eyal Benishti, “They know that companies are better protected against malware and have better threat intel capabilities, but that the human link is still a weak link. They know that most current technical controls and filters have a blind spot to social engineering.”

(SC Magazine)