Cybersecurity news
- New macOS zero-day bug lets attackers run commands remotely. Security researchers disclosed a new vulnerability in Apple’s macOS Finder, which makes it possible for attackers to run commands on Macs running any macOS version up to the latest release, Big Sur.
- Epik data breach impacts 15 million users, including non-customers. Epik has confirmed that an “unauthorized intrusion” did in fact occur into its systems. The announcement follows last week’s incident of hacktivist collective Anonymous leaking 180 GB of data stolen from online service provider Epik.
- The Japanese government adopted a draft cybersecurity strategy for the next three years, naming China, Russia and North Korea as cyberattack threats for the first time. The strategy, expected to be endorsed by the Cabinet soon, said the situation in cyberspace contains the “risk of rapidly developing into a critical situation” and that the three states are suspected of being involved in hostile cyber activities.
- Security researcher Bobby Rauch discovered a stored cross-site scripting (XSS) vulnerability in the Apple AirTag product that can be exploited by attackers to lure users to malicious websites. Apple AirTag is a tracking device designed to act as a key finder; it allows users to locate personal objects (e.g. keys, bags, apparel, small electronic devices, vehicles).
- The Electronic Frontier Foundation announced that it intends to stop developing the well-known HTTPS Everywhere browser extension, since HTTPS is now widely used and HTTPS-only modes have appeared in many popular browsers. The extension redirects users to the HTTPS version of a resource, if available, even when they try to access the unsecured version.
- A complete exploit for the remote code execution vulnerability in VMware vCenter tracked as CVE-2021-22005 is now widely available, and threat actors are taking advantage of it. Unlike the version that started to circulate at the end of last week, this variant can be used to open a reverse shell on a vulnerable system, allowing remote attackers to execute code of their choice. The vulnerability does not require authentication and allows attackers to upload a file to the vCenter Server analytics service.
Cybersecurity Blog Posts
- Organizations get hacked because there isn’t an obvious way for security researchers to let them know about security vulnerabilities or data leaks. In a bid to minimize these scenarios, a growing number of major companies are adopting “security.txt,” a proposed new Internet standard that lets organizations describe their vulnerability disclosure practices and preferences in a file served from a well-known location. Brian Krebs explained in his article how a security.txt file can make it easier to respond to active security threats.
- People often discuss the importance of a strong security culture but fail to define what they mean by security culture and what value that culture brings to an organization’s mission. Lance Spitzner answers the question of what the value of security culture is to an organization’s mission in his post.
- Casey Ellis, founder, CTO and chairman of Bugcrowd, discusses a roadmap for lowering risk from cyberattacks most effectively and gives 5 tips for achieving better cybersecurity risk management.
- Data breaches and hacking put internet users at risk of account takeover, if cybercriminals successfully gain access to valid login credentials. David Stewart, Approov CEO, lays out six best practices for orgs to avoid costly account takeovers in 2021.
Research and analytics
- Imperva Research Labs released the findings of new threat intelligence research showing that 46% of all on-premises databases globally are vulnerable to attack. A five-year longitudinal study conducted by Imperva Research Labs comprising nearly 27,000 scanned databases discovered that the average database contains 26 existing vulnerabilities. 56% of the CVEs found were ranked as ‘High’ or ‘Critical’ severity, aligned with NIST guidelines.
- According to the data presented by the Atlas VPN team, cryptocurrency miners were the most common malware family, with 74,490 such threats detected in the first half of 2021. In addition to cryptocurrency miners, WannaCry ransomware threats were seen 61,068 times in the first half of 2021. What is more, malware detection infrastructure identified 39,612 webshell threats in H1 2021.
- A new study performed by experts at the Ecole Polytechnique de Lausanne (EPFL) in Paris and University College London (UCL) questions the growing belief that synthetic data can solve the privacy issues that threaten the progress of machine learning. Their results demonstrate that synthetic data drawn from generative models without explicit privacy protection does not protect outlier records from linkage attacks. Given access to a synthetic dataset, a strategic adversary can infer, with high confidence, the presence of a target record in the original data.
- The Ponemon Institute surveyed 597 health delivery organizations (HDOs), including integrated delivery networks, regional health systems, community hospitals, and more. According to the survey, COVID has reduced HDOs confidence in mitigating the risks of ransomware. 61% of HDOs lack the confidence to combat ransomware, up from 55% before COVID. 67% of HDOs have been victims of ransomware attacks, while 33% have been hit twice or more.
- The 2021 State of the Threat Report by Secureworks comprehensively examined the adversary’s ongoing innovation and evolution of tried-and-true TTPs like ransomware, business email compromise, zero-day threats, espionage, and more. The report revealed +8% rise in ransomware threats as a proportion of IR engagements worked in Q1 and Q2, compared to 2019 and 19% of network intrusions featured Cobalt Strike, by far the most popular OST tool used by threat actors.
- 1Password Research Report revealed the scope and complexity of the secrets management problem. The key findings are: 52% of workers say that digital transformation has made managing secrets more difficult and 80% of IT/DevOps organizations admit to not managing their secrets well.
- The State of Ransomware in Manufacturing and Production 2021 Report by Sophos revealed that 36% of manufacturing and production organizations were hit by ransomware in the last year. 49% of organizations hit by ransomware said the cybercriminals succeeded in encrypting their data in the most significant attack and 19% of those whose data was encrypted paid the ransom to get their data back.
- WatchGuard’s Threat Lab analyzed the latest malware and internet attacks in its Internet Security Report – Q2 2021. Threats get sneakier, with 91.5 percent of malware arriving over encrypted connections.
Major Cyber Incidents
- EventBuilder misconfiguration exposes Microsoft event registrant data. Personal details of registrants to virtual events available through the EventBuilder platform remained accessible over the public internet, open to indexing by various search engines.
- Russian hackers target Iowa grain co-op in $5.9 million ransomware attack. Cybercrime cell BlackMatter threatened to release New Cooperative’s proprietary business data unless it paid up. Hackers leveled a ransomware attack on an Iowa farming co-op and demanded a ransom to unlock the computer networks used to keep food supply chains and feeding schedules on track for millions of chickens, hogs and cattle.
- The personal details of more than 106 million international travelers to Thailand were exposed on the web without a password, Comparitech researchers report. An unsecured database containing international travel records dating back 10 years was left exposed on the web. The database included full names, passport numbers, arrival dates, and more.
- Hackers compromised the DeFi project Vee Finance, which runs on the Avalanche blockchain, and stole $35 million worth of cryptocurrency. In total, 8804.7 ETH ($26 million) and 213.93 BTC ($9 million) were stolen.
- GSS, the Spanish and Latin American division of Covisian, one of Europe’s largest customer care and call center providers, has suffered a debilitating ransomware attack that froze a large part of its IT systems and crippled call centers across its Spanish-speaking customer base.
- A user on a popular hacker forum is selling a database that purportedly contains 3.8 billion user records. The database was allegedly compiled by combining 3.8 billion phone numbers from a previously scraped Clubhouse ‘secret database’ with users’ Facebook profiles. The compilation appears to include names, phone numbers, and other data.
- Threat actors hijacked Bitcoin.org, the authentic website of the Bitcoin project, and altered its parts to push a cryptocurrency giveaway scam that unfortunately some users fell for. Although the hack lasted for less than a day, hackers seem to have walked away with a little over $17,000.