Cyber Security Headlines – Week in Review – Nov 15-19, 2021

This week’s Cyber Security Headlines – Week in Review, Nov 15-19, is hosted by Sean Kelly with our guest, Richard Rushing, CISO, Motorola Mobility

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion on LinkedIn. Details at CISO

FBI email system reportedly hacked to send fake DHS cyberattack messages

The hack happened on Saturday morning amid several reports of messages sent from the agency’s email infrastructure purporting to be a warning from the Department of Homeland Security (DHS) about a cyberattack. The agency quickly remediated the vulnerability, and warned partners to disregard the fake emails. An updated statement from the FBI stated there was “a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails…While the illegitimate email originated from an FBI operated server, that server…was not part of the FBI’s corporate email service.”

(Newsweek and Shannon Vavra, The Daily Beast via Twitter)

FBI email hacker blames poor coding

Following up on this FBI story, the person who claims responsibility for the hack, whose Twitter handle is Pompompurin, says the spam messages were sent by abusing insecure code in the LEEP portal. Speaking with KrebsOnSecurity, Pompompurin said the hack was done to point out a glaring vulnerability in the FBI’s system, which, in the interest of sharing between agencies, allowed anyone to apply for an account. A one-time password that was supposed to be sent by email was also embedded into the HTML of the page. Pompompurin said they were able to send themselves an email from an FBI-operated server by editing the request sent to their browser and changing the text in the message’s “Subject” and “Text Content” fields.

(Security Boulevard)

Surveillance firm pays $1 million fine after ‘spy van’ scandal

The Office of the Commissioner for Personal Data Protection in Cyprus has collected a $1 million fine from intelligence company WiSpear for gathering mobile data from various individuals arriving at the airport in Larnaca. In 2019, a Chevrolet van packed with at least $3.5 million worth of equipment that could hack Android smartphones and steal data including WhatsApp and Signal messages, was stationed near the airport. The van had been in the area for months when politicians in Cyprus criticized the government for being passive about the activity of the vehicle after seeing its capabilities in action close to the airport in a video from Forbes.

(Bleeping Computer)

DHS launches program to close cyber talent gap

The Cyber Talent Management System was announced by the Department of Homeland Security, designed to help CISA better fill vacancies. This program has been in development for the past seven years and is designed to cut through bureaucratic red tape in the federal hiring process. Typically, federal hiring prioritizes benchmarks like longevity rather than technical skills. Under the program, DHS can hire cyber professionals with salaries up to $332,100 in certain circumstances, to better compete with the private sector. While vacancies at CISA are the initial focus, the program will eventually be used to fill gaps at other DHS agencies next year.

Thanks to our episode sponsor, Vulcan Cyber

Cloudflare stops a giant DDoS attack

The company said it blocked the attack, which peaked at just under 2Tbps, one of the largest DDoS attacks recorded. This attack came from 15,000 bots running a variant of the original Mirai code on exploited IoT devices as well as unpatched GitLab instances. Rapid7 warned two weeks ago that GitLab instances could be used for such an attack, saying that roughly 30,000 internet-facing instances remained unpatched at that time. Cloudflare said it was the largest attack it’s seen, and it comes close to the 2.4 Tbps DDoS attack targeting one of Microsoft’s Azure customers in Europe last month.

Emotet botnet makes comeback with help from TrickBot

The notorious Emotet botnet has made a comeback nearly 10 months after a coordinated law enforcement operation dismantled its command-and-control infrastructure. According to researcher Luca Ebach, the infamous TrickBot malware is being leveraged as an entry point to distribute a new version of Emotet which takes the shape of a DLL file. Europol dubbed Emotet the “world’s most dangerous malware” because of its use by threat actors as a precursor to many critical data theft and ransomware attacks. The first deployment was detected this past Sunday and nine Emotet command-and-control servers are currently online.

(The Hacker News)

Leaked Robinhood customer data now up for sale

Following up on a story we brought you last week, the data of approximately 7 million Robinhood customers, stolen in a data breach that began with the social engineering of a customer service rep, is now being sold by the hacker for at least $10,000. Two days after Robinhood disclosed the attack, and after a failed extortion attempt, a threat actor named ‘pompompurin’ announced on a hacking forum that they were selling the data, including email addresses and full names of millions of customers and more extensive details for a small subset of individuals. Pompompurin is the same threat actor responsible for abusing FBI email servers to send threatening emails over the weekend.

(Bleeping Computer)

2021’s most common passwords revealed

On Wednesday, NordPass published its annual study of password use across 50 countries, the “Most Common Passwords” report, an evaluation of a database containing 4TB of leaked passwords, many of which originated from the US, Canada, Russia, Australia, and Europe. Of the top 10 most common passwords in 2021, 7 of them were variations on 1234567, with the other three being 111111, qwerty, and the word “password”. The researchers also found that a “stunning” number of people like to use their own name as a password. They suggest that many businesses still do not impose the same password security standards as online providers. In addition, ghost and forgotten accounts, hardcoded credentials, and the re-use of username and password combinations are still common problems.