This week
Trojan Source
This was a ‘huh, well yeah, I guess that is a thing’ moment: great research from Ross Anderson et al. on how compilers treat Unicode characters, especially the bidirectional control characters used to mix left-to-right and right-to-left scripts. The upshot is that text that looks like a code comment to a human reader may be interpreted, and compiled, as code in the final application.
Apparently, basic versions of this technique are already being used to help disguise malware from email gateways, and I think we are a long way from “you can’t trust anything written” but it’s certainly a novel class of vulnerability that I’m sure has raised a few eyebrows within the intelligence communities.
trojansource.codes, lightbluetouchpaper.org, krebsonsecurity.com
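The mitigation the research points to is simply refusing to accept invisible bidirectional control characters in source. The following is an added example, not code from the newsletter or the Trojan Source authors: a small scanner that reports every such character with its line and column, suitable as a pre-commit or CI check, run here over a constructed sample.

```python
"""Flag Unicode bidirectional control characters in source text.

Added example (not from the newsletter or the Trojan Source authors).
A file containing any of these characters should fail review, because
the rendered order of the text no longer matches what the compiler sees.
"""
import unicodedata

# Bidi embedding, override and isolate controls, with their terminators.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
}


def find_bidi_controls(source):
    """Return (line, column, Unicode name) for every bidi control found."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((line_no, col, unicodedata.name(ch)))
    return findings


def is_clean(source):
    """True when the text contains no bidi control characters."""
    return not find_bidi_controls(source)


# Constructed sample: line 3 hides a RIGHT-TO-LEFT OVERRIDE inside what
# renders as an ordinary trailing comment.
SAMPLE = (
    "def check_access(level):\n"
    "    if level > 3:\n"
    "        return True  # \u202eok\n"
)

if __name__ == "__main__":
    for line_no, col, name in find_bidi_controls(SAMPLE):
        print(f"line {line_no}, column {col}: {name}")
```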
Interesting stats
$9M-$12M expected reduction in revenue for bandwidth.com following the recent DDoS attack therecord.media
77% of rootkits are used for cyber espionage, with 44% of attacks being targeted at government agencies, according to Positive Technologies zdnet.com
57% of penalties issued by the Information Commissioner’s Office (ICO) since January 2020, totalling £5.1M, remain unpaid, as many firms use appeals to delay the process or go into liquidation theregister.com
Other newsy bits
Meta shutters Facebook’s facial recognition features
Meta (the new name for Facebook’s parent company) has announced that it is disabling facial recognition features that saw it settle a case brought under Illinois’ Biometric Information Privacy Act last year for $650 million.
Citing ‘complex social issues’ around facial recognition technology, the social network will delete the ‘faceprints’ it had generated of 1 billion users, though it will continue to work on technology that may have ‘positive use cases’, such as for the visually impaired or fraud prevention.
cyberscoop.com, therecord.media
Thoughtful things
The ‘increasingly sophisticated threat’
… may more likely be our biases towards future uncertainty and complexity, according to the former head of MI5 Lord Evans. @ciaranmartinoxf
Security ‘sludge’ vs usability
I’ve never been a fan of ‘EXTERNAL EMAIL’ banners and labels on emails. They detract and desensitise the user to the threat, rather than increasing awareness in the long term. (Not to mention the environmental impact of storing all those extra characters in every reply and user’s inbox.) A good example here from a presentation by Richard Thaler.
“Cognitive detritus… often seems the default design in infosec.” — Kelly Shortridge
Beg bounties
A play on bug bounties and chuckle-worthy concept.
“I’ve identified a vulnerability in your web application. Waiting for your positive response.”
In brief
Attacks, incidents & breaches
- National Bank of Pakistan suffers a ‘destructive’ cyber-attack, preventing computers from booting, as the government issues a statement to calm fears of a run on all banks therecord.media
- UK Labour Party supplier seemingly suffers ransomware attack as party supporters receive notifications saying the data held by the third-party has been ‘rendered inaccessible’ theguardian.com
- Toronto’s transit system disrupted by ransomware attack cyberscoop.com
- Kaspersky has Amazon SES token compromised, used to send spear-phishing emails appearing to come from the company bleepingcomputer.com
- More popular npm packages (co and rc) have been compromised with similar code to those last week (and the week before). They really need to enforce MFA on developer accounts therecord.media
Threat intel
- Groove ransomware gang was a hoax… or was it? krebsonsecurity.com
- FBI warns of ransomware attempts targeting ‘sensitive financial events’ such as mergers and acquisitions ic3.gov (PDF)
- BlackMatter ransomware group allegedly ‘shutting down’ … or rebranding due to law enforcement pressure … affiliates move victims to LockBit techcrunch.com, bleepingcomputer.com
- ProxyShell vulnerability being used to compromise Exchange servers and deploy Babuk ransomware bleepingcomputer.com
- Be on the lookout for delivery phishing and smishing lures this holiday season krebsonsecurity.com
- BlackBerry report on ‘Zebra2104’ initial access broker (IAB) supplying ransomware and APT groups zdnet.com
Vulnerabilities
- GitLab vulnerability patched in April is still present in over 50% of deployments and is being actively exploited bleepingcomputer.com
Security engineering
- Google has begun auto-enrolling 150 million accounts in multi-factor authentication arstechnica.com
- Microsoft announces ‘Defender for Business’ endpoint detection and response tool aimed at organisations with fewer than 300 users, included with Business Premium plans, or as a $3/user/month add-on (this may make a huge difference to SMBs below the ‘security poverty’ line) theregister.com, microsoft.com
Internet of Things
- MITRE highlights ‘Most Important Hardware Weaknesses’ in new list bleepingcomputer.com
Privacy
- More on China’s Personal Information Protection Law (PIPL) wired.com
Public policy
- CISA orders US government agencies to patch 300 known, and exploited, vulnerabilities within the next six months cyberscoop.com
- US puts Pegasus spyware company NSO Group on export blacklist ft.com, arstechnica.com
- The US is also offering a $10 million reward for information leading to the identification or arrest of Darkside ransomware group members therecord.media
Mergers, acquisitions and investments
- CrowdStrike to acquire SecureCircle in an all-cash deal that will boost data loss prevention capabilities of the firm’s Falcon endpoint agent zdnet.com
- IBM acquires Extended Detection & Response (XDR) outfit ReaQta to expand QRadar capabilities and provide “continuous monitoring and rapid response as part of a zero-trust approach” zdnet.com
And finally
“When God closes one door, he opens another”
H/T: @sshell_