
Cybersecurity and Infosec News Headlines Update on February 27, 2022

Bitfinex Arrest

The arrests of Ilya “Dutch” Lichtenstein and his wife, Heather Morgan, for allegedly laundering $4.5B in BTC stolen in the 2016 Bitfinex hack make for a fascinating and at times wacky story of the FBI’s excellent investigative capabilities. Only 94K BTC of the 120K BTC stolen were seized.

Below are select documents which describe the hunt and the eventual arrest:

21-Month Sentence for Cyberattacks Against School, IT Firm

A UK court has sentenced a former IT tech to 21 months in jail for launching cyberattacks against a school and an IT firm. Adam Georgeson had worked for the school, but was fired after they learned of prior fraud convictions. He launched the attack against the school while employed at an IT firm. After he lost his job at that firm, he launched an attack against its network.

Note

  • Good reminder for security teams and IT teams: background checks should be a regular part of hiring anyone who will be given privileged system access. Not a popular topic, but critical. While you’re working with human resources/employment, make sure that when the decision is made to terminate an employee turning off all internal and remote access is part of the process.
  • The employee had two prior convictions for fraud which, when discovered, resulted in his termination. It is better to do background checks up front, even though they may slow the onboarding processes, rather than having to deal with a disgruntled employee who may have privileged access. For those already doing background checks, how many of you are revisiting them at some interval? I have seen good people make bad choices; I’ve seen employers help that employee retain their job and recover from those decisions.
  • A privileged, insider threat is one of the toughest to detect and respond to. I am familiar with only a few organizations that have dedicated insider threat programs and teams. As usual, consider your threat model and maturity level without focusing on only a single type of threat.

Read more in

Google’s Project Zero 2021 Metrics

Google’s Project Zero says that vendors took an average of 52 days to fix reported vulnerabilities. Three years ago, the average time to fix was 80 days. The companies with the shortest average time to fixes were Linux, Mozilla, and Google.

Note

  • Great to see that vendors are responding faster to vulnerabilities, and great to see open-source software leading the pack. Looks like “bullying” by Google with its hard 90-day disclosure timeline works. But as an end user, you will still have to apply these patches to mitigate vulnerabilities.
  • The good news is time to fix has been trending down across the board. However, at Google’s level of data collection, you can’t see the reason for the length of time to fix. In the old days of much longer software life cycles, easy to find/quick to fix bugs happened early and hard to find/long time to fix bugs were expected later in the life cycle. When time to fix is low because input validation errors (and other OWASP top 10 vulnerabilities) are still being built into software, that is not really a good thing.
  • This is a great improvement. One wonders what the trend for vulnerabilities introduced via third-party or local coding flaws looks like. As suppliers get a handle on remediation and we’ve got mad skills testing and deploying updates, emphasis on secure coding and assessing included components needs to increase to reduce the likelihood of flaw inclusion in the first place.
  • This is a great report that is easy to read and understand; highly recommend taking a couple of minutes to read it. I love the transparency and look for more vendors to share this type of data.

Read more in

Adobe Releases Emergency Patches for Commerce and Magento

Adobe has released emergency updates for Adobe Commerce and Magento Open Source to fix a critical flaw that is being actively exploited. The improper input validation vulnerability could be exploited without authentication to allow arbitrary code execution.

Note

  • Patching may already be too late by the time you read this. Treat any unpatched systems as compromised. This vulnerability was discovered and reported to Adobe after it already had been exploited. Exploitation is pretty straightforward. Web application firewalls will likely not protect you. Magento is the gift that keeps on giving for attackers. Also noteworthy that the patch arrived as an actual “patch” file, and needs to be applied manually. If you can: Take Magento out back and put it out of its misery while replacing it with something… anything… else.
  • This corrects an improper input validation flaw (CVE-2022-24086) with a CVSS base score of 9.8. Note that this is for the 2.4.3-p1 or 2.3.7-p2 and earlier versions of Adobe Commerce or Magento Open Source. If you’re on Magento 1.x, you still need to update to Magento version 2 to get the fix.

Read more in

CISA Adds 15 More Flaws to Known Exploited Vulnerability Database

The US Cybersecurity and Infrastructure Security Agency (CISA) has added 15 more vulnerabilities to its Known Exploited Vulnerability database. The new entries include vulnerabilities in products from Apple, Microsoft, Apache, and Oracle. One of the flaws – a Windows SAM local privilege elevation vulnerability – has a remediation due date of February 24, 2022; the other 14 vulnerabilities need to be remediated by August 10, 2022.

Note

  • Each addition to the database includes a remediation date. Some of these flaws date back to 2017; they are included because they are still being exploited. Don’t forget to capture the due dates as you’re digesting the new flaws.
  • Kudos to CISA for developing the Known Exploited Vulnerability Database. All companies should ensure that they have the Known Exploited Vulnerability Database included as part of their vulnerability management program.
  • One hopes that actual remediation will be measured in days, rather than weeks to months.
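The notes above stress capturing each KEV entry’s remediation due date. The script below is an added example (not from the original digest or from CISA) that cross-references a list of CVEs found in your environment against a constructed sample in the shape of CISA’s KEV JSON feed and ranks the matches by days remaining; the CVE IDs are placeholders, while the due dates are the two mentioned in the item.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed; the CVE IDs are
# placeholders, not the real entries from the February 2022 batch.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-00001", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Windows SAM local privilege elevation (placeholder ID)",
     "dateAdded": "2022-02-10", "dueDate": "2022-02-24"},
    {"cveID": "CVE-2017-00002", "vendorProject": "Apache", "product": "HTTP Server",
     "vulnerabilityName": "2017 flaw still exploited (placeholder ID)",
     "dateAdded": "2022-02-10", "dueDate": "2022-08-10"},
    {"cveID": "CVE-2021-00003", "vendorProject": "Apple", "product": "iOS",
     "vulnerabilityName": "Apple flaw (placeholder ID)",
     "dateAdded": "2022-02-10", "dueDate": "2022-08-10"},
]})

def load_kev(raw):
    """Index KEV entries by CVE ID, keeping the parsed due date alongside."""
    entries = {}
    for v in json.loads(raw)["vulnerabilities"]:
        entries[v["cveID"]] = dict(v, due=date.fromisoformat(v["dueDate"]))
    return entries

def triage(kev, findings, today_iso):
    """Cross-reference scanner findings (CVE IDs) with KEV and rank by due date.
    Non-KEV findings stay on the normal patch cadence and are not returned."""
    today = date.fromisoformat(today_iso)
    rows = []
    for cve in sorted(set(findings)):
        entry = kev.get(cve)
        if entry is None:
            continue
        days_left = (entry["due"] - today).days
        if days_left < 0:
            status = "OVERDUE"
        elif days_left <= 14:
            status = "due-soon"
        else:
            status = "scheduled"
        rows.append({"cve": cve, "product": entry["vendorProject"] + " " + entry["product"],
                     "due": entry["dueDate"], "days_left": days_left, "status": status})
    return sorted(rows, key=lambda r: r["days_left"])

if __name__ == "__main__":
    # Constructed finding list: two KEV entries plus one CVE not in the catalog.
    for row in triage(load_kev(SAMPLE_KEV), ["CVE-2021-00001", "CVE-2017-00002", "CVE-2019-99999"], "2022-02-27"):
        print(row)
```

Swap SAMPLE_KEV for the live catalog download and the findings list for your scanner export to get the same overdue/due-soon ranking for real assets.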

Read more in

Missouri Journalist Won’t be Charged with Hacking

The journalist who found and responsibly disclosed a vulnerability in a state government website will not face hacking charges. Josh Renaud viewed the site’s publicly available HTML code and found that it exposed sensitive information of school employees.

Note

  • Viewing the source of a web page and discovering a flaw cannot be characterized as hacking nor committing an illegal act. The journalist is to be commended for responsibly reporting what they found. And while nobody likes being told they have a flaw in their code (particularly me), I would rather learn via a disclosure process than by reading an incident response or data loss report.

Read more in

Spanish Police Arrest Alleged SIM Swappers

Spanish police have arrested eight people in connection with a SIM-swapping scheme. The suspects allegedly impersonated bank officials to gather customer information, which they used to obtain duplicate SIM cards from phone stores and then steal funds from targeted accounts.

Note

  • And this is why SMS as a validator is dangerous. In this scenario, your coverage drops when the duplicate SIM is activated but depending on timing, you don’t notice the interruption, and by then it’s all over. Beyond ensuring all the security for your mobile carrier is in place to prevent unauthorized porting/etc., configure SMS or phone calls for account validation only as a last resort.
  • The carriers have made SIM swapping harder, but as this item points out it is still possible. While SMS messaging does not reduce risk to zero, it is far better than staying at reusable passwords. As Microsoft’s report pointed out, 99.9% of successful phishing attacks would have failed if just SMS messaging was in use. Use authenticator apps and biometrics wherever possible but don’t stay with reusable passwords if those are not options.

Read more in

Moxa MXview Vulnerabilities

Researchers at Claroty have found five vulnerabilities in the Moxa MXview web-based network management system. Several of the flaws could be chained together to allow remote unauthenticated users to execute code. Users are urged to upgrade to MXview version 3.2.4 or later.

Note

  • The fixes were made last September and the ICS Advisory (ICSA-21-278-03) was released October 5, 2021. The primary mitigation is to update to version 3.2.4; additionally, use strong passwords rotated regularly and restrict access to the system, particularly port 8883 to known authorized systems. Make sure that you’re properly segmenting these systems away from business systems.

Read more in

State Dept. Orders Staff to Destroy IT Equipment at Embassy in Ukraine

The US State Department has ordered staff at the US embassy in Kyiv, Ukraine, to destroy IT equipment there. The State Department is temporarily relocating its Ukrainian embassy from Kyiv to Lviv. Many embassy staff members have been withdrawn from Ukraine altogether.

Note

  • Should the escalating tensions in that region turn into an outright conflict there will be a cyber dimension to that conflict. That cyber dimension won’t be restricted by borders or regions so I recommend you check your supply chain to see how dependent you are on any providers based in Ukraine and how you can continue your operations in the event they become unavailable. I also recommend you heighten your cybersecurity preparedness to prevent your organisation from becoming a collateral victim by following the guidelines issued by the UK government’s NCSC at www.ncsc.gov.uk: UK organisations encouraged to take action in response to current situation in and around Ukraine.
  • When abandoning, exchanging, or otherwise surrendering equipment, making sure it is fully purged of data is a critical step. Don’t forget copiers, printers, phones, and anything else that has data storage. Additionally, destruction of equipment may be necessary to prevent an adversary from obtaining unwanted technical advantages or insight.

Read more in

Colorado’s New Election Security Rules

Colorado’s Secretary of State has announced new, temporary rules for voting systems security. “The rules include measures restricting physical and electronic access to the voting system and outline the enforcement mechanisms necessary to ensure election security compliance.” The rules address password and user account security; acceptable use policy; hard drive imaging; trusted build procedures; seal requirements; access to secure areas and voting systems; and access to election management systems.

Note

  • Two Colorado counties have had serious violations of maintaining the integrity of election systems and data. These violations pointed out that politically motivated insider malicious behavior is a bigger threat than external hacking. The temporary rules seem like they should have been in place before and, as a part of an overall review, would likely become permanent.
  • Much publicity has focused on validating those wishing to cast a ballot; these measures will increase the integrity and security of the systems used to count and process ballots once cast. These measures are appropriate for any system processing sensitive data where integrity is a core requirement. While password complexity is called for, it’s time to phase out passwords in favor of replay and phishing resistant authenticators.
  • As practitioners, we often forget that for the security of systems of public trust, there are two important qualities: actual security and the perception of security. Here’s hoping this commendable move by Colorado brings both!

Read more in
