Cyber Security Headlines – Week in Review – Nov 8-12, 2021

This week’s Cyber Security Headlines – Week in Review, Nov 8-12, is hosted by Rich Stroffolino with our guest, John Overbaugh, CISO, Alpine Software Group

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion.

Feds likely to fall short of deadline for strengthening encryption, multifactor authentication

President Joe Biden’s ambitious May cybersecurity executive order is widely expected to miss a deadline today affecting a much desired improvement: the implementation of multifactor authentication and encryption at all civilian federal agencies. The task of implementing MFA and encryption is complicated because agencies have so many information systems to protect, many have legacy systems that make deployment difficult, and others are struggling with the cost. The executive order requires agencies that don’t meet the deadline to explain why in writing, giving officials a blueprint on the challenges still to overcome.

(Cyberscoop)

Facebook outage a prime example of insider threat by machine

An opinion piece published by Christopher Burgess in CSO Online suggests that the October 4, 2021 outage at Facebook was a self-inflicted wound caused by its own network engineering team. He points out how Facebook, on its own blog, stated “a command was issued with the intention to assess the availability of global backbone capacity, which unintentionally took down all connections in our backbone network, disconnecting Facebook data centers globally.” Despite having fail-safe processes in place to prevent this type of mistake, “a bug in that audit tool prevented it from properly stopping the command.” Burgess states this is a result of the Peter Principle, in which network leaders in IT and security are promoted despite lacking adequate hands-on experience, paired with an internal architecture that failed the most basic of network tenets: do not allow for a single point of failure.(CSO Online)

US infrastructure bill includes cybersecurity provisions

Late last week the US House passed the bipartisan Infrastructure Investment and Jobs Act, approved by the Senate back in August and now awaiting the President’s signature. There are a lot of programs within the bill, but the biggest for this show is a $1.9 billion boost in government cybersecurity spending. This includes a $1 billion grant program from FEMA to help state, local, tribal and territorial governments modernize systems to protect sensitive data, information, and public critical infrastructure over the next four years. The bill also includes $65 billion for broadband expansion. 

(CSO Online)

Drone loses battle against power station

According to a joint security bulletin from DHS, the FBI, and the National Counterterrorism Center, in July 2020 a DJI Mavic 2 drone approached a Pennsylvania power substation in what was an attempt to “disrupt operations by creating a short circuit” using a thick copper wire connected to the drone. This is the first known incident of using an unmanned aircraft system to “specifically target” US energy infrastructure. The drone crashed on a roof before reaching its target but the operator has not been found. The operator removed several sensors and cameras from the drone in order to avoid detection, meaning it had to be flown by line of sight, likely causing the crash. 

(Wired)

Thanks to our episode sponsor, Vulcan Cyber

The fact that CISA felt the need to release the massive “Known Exploited Vulnerabilities Catalog” recently says everything we need to know about the state of our collective cyber debt. Attend the Vulcan Cyber virtual summit on December 9th and learn how your peers are working to take on cyber risk and mitigate known vulnerabilities at scale. Go to vulcan.io and click the button at the top of the screen to register for the event.

Robinhood breach impacts millions of customers

Robinhood Markets, Inc. disclosed that it suffered a data breach on November 3, affecting  approximately 7 million customers. A threat actor tricked a customer service representative into providing access to internal support systems from where the attacker then accessed email addresses of five million users and full names of approximately two million more. For 310 users, details including name, dates of birth, and zip codes were exposed while extensive details for approximately 10 more customers were also disclosed. The attacker then attempted to blackmail the company demanding payment. In an apparent attempt to help its customers avoid falling victim to a social engineering scam such as the one that worked on its own employee, Robinhood is directing concerned customers to its website Help Center stating, “we’ll never include a link to access your account in a security alert.”

(Security Affairs)

Hacking campaign now targeting Docker servers

In an ongoing campaign which began last month, poorly configured Docker servers are being actively targeted by the TeamTNT hacking group. According to a report from TrendMicro, the campaign uses exposed Docker REST APIs to install Monero cryptominers, scan for other vulnerable Internet-exposed Docker instances, and perform container-to-host escapes to access the main network. The container image used is based on the AlpineOS system and configured to allow root-level permissions on the underlying host. TrendMicro has seen over 150,000 pulls of malicious Docker Hub account images during the campaign.

(Bleeping Computer)

Trend Micro details long running hacker-for-hire group

According to a new 46-page report from the security company, Void Balaur has advertised its services and offered on-demand intrusions since the mid-2010s, targeting IT companies, telecoms, and activists, journalists, and religious leaders. The group has only been observed advertising on Russian-language sites, and was initially believed to be a subgroup of the Russian-back APT28 due to target overlaps. Initially the group began offering the ability to break into specified email or social media accounts, before shifting to advertising the sale of private data from individuals in Russia in 2019. In 2020 the group began targeting presidential candidates in the Belarus elections, before targeting politicians and government officials in Ukraine, Slovakia, Russia, Kazakhstan, Armenia, Norway, France, and Italy in 2021. 

(The Record)

BazarBackdoor now abuses Windows 10 app feature in social engineering ‘call me back’ attack

On Thursday, researchers from Sophos Labs said the attack was noticed after the cybersecurity firm’s own employees were targeted with spam emails sent by a “Sophos Main Manager Assistant,” one non-existent “Adam Williams,” which demanded to know why a researcher hadn’t responded to a customer’s complaint. To make resolution easier, the email helpfully contained a link to a PDF complaint report. The fake PDF triggers the Microsoft’s Edge browser on Windows 10, to invoke a tool used by the Windows Store application, called AppInstaller.exe, to download and run whatever’s on the other end of that link.”

(ZDNet)