Cyber Security Headlines – September 6, 2021

Cyber Command urges patching of massively exploited Confluence bug

US Cyber Command issued a rare alert on Friday “urging U.S. organizations to patch the massively exploited Atlassian Confluence critical vulnerability immediately.” They were emphatic that the patch should not wait until after the weekend. As BleepingComputer reported last week, “multiple threat actors had begun scanning for the RCE vulnerability to install crypto miners after a PoC exploit was publicly released six days after Atlassian’s patches were issued.” The CYBERCOM warning also tied into National Security Advisor Anne Neuberger’s message regarding extra vigilance over the holiday weekend.

(Bleeping Computer)

DDoS hits New Zealand – back up again in 30 minutes

New Zealand’s third-largest internet operator, Vocus, went dark for 30 minutes on Friday, triggering a widespread internet outage. According to Reuters, “the company said its systems blocked a denial of service (DDoS) attack on one user but in doing so caused some Vocus customers in the country’s largest cities – Auckland, Wellington, and Christchurch – to suffer outages.” The company quickly restored operations and apologized for the inconvenience it had caused customers, noting that many New Zealand residents work from home and were directly impacted by the outage.

(Security Affairs)

Salesforce email service used for phishing campaign

Cybercriminals are using the mass email service provided by Salesforce to trick people into supplying their credit card numbers and other personal information. According to email security service provider Perception Point, the threat actors are taking the innovative route of impersonating the Israel Postal Service while targeting multiple Israeli organizations. They pointed out that most email security services are unable to detect attacks using Salesforce’s legitimate platform because they “blindly trust that Salesforce is a safe source,” even to the point of whitelisting the service’s IP addresses to streamline the email process.

(ESecurityPlanet.com)

Chinese hackers behind July 2021 SolarWinds zero-day attacks

As reported by The Record, “in mid-July this year, Texas-based software provider SolarWinds released an emergency security update to patch a zero-day in its Serv-U file transferring technology that was being exploited in the wild.” In a subsequent blog post released on Thursday, Microsoft revealed that the zero-day was the work of a new threat actor being tracked as DEV-0322, which Microsoft described as “a group operating out of China, based on observed victimology, tactics, and procedures.” Microsoft said the group targeted SolarWinds Serv-U servers “by connecting to the open SSH port and sending a malformed pre-auth connection request,” which allowed it to run malicious code on the targeted system and take over vulnerable devices.

(The Record)

Thanks to our episode sponsor, Semperis

Do you know your Active Directory security vulnerabilities? Cybercriminals love to exploit Active Directory: It has dozens of security gaps because of misconfigurations and new sophisticated hacking tools. But hang on, help is on the way: Download Purple Knight, a free Active Directory security assessment tool from Semperis that scans your environment for 70-plus indicators of exposure and compromise. Check it out at Purple-Knight.com.

Scam artists are recruiting English speakers for business email campaigns

A BEC scam will usually start with a phishing email, tailored and customized to the victim and using a spoofed email address. But to appear convincing to executives, CEOs and other employees based in North America, the bad guys need native English speakers. So they are advertising in online forums, offering a partnership – you write the words, I’ll do the tech work. According to Intel471, not only is it becoming more common to search for writers to improve the language of the emails, these threat actors also need mules to launder the proceeds through a technique called tumbling.

(Intel 471.com and ZDNet)

Google locks Afghan government accounts as Taliban seek emails

In the weeks since the Taliban’s takeover of Afghanistan, reports are showing “how biometric and Afghan payroll databases might be exploited by the new rulers to hunt their enemies.” Google representatives, speaking on Friday, “stopped short of confirming that Afghan government accounts were being locked down, saying that the company was monitoring the situation in Afghanistan and taking temporary actions to secure relevant accounts.” But in an incident late last month a Google employee said that the Taliban had asked him to preserve the data held on the servers of the ministry he used to work for. The employee said he did not comply and has since gone into hiding. Reuters is not identifying the man or his former ministry out of concern for his safety.

(Reuters)

Eight US states to begin accepting digital driving licenses

Arizona and Georgia will be the first states to allow their residents to use a new system in which driver’s licenses and other state IDs are stored on iPhones and the Apple Watch. They will be followed by Connecticut, Iowa, Kentucky, Maryland, Oklahoma and Utah. Apple said it has “introduced new security features that mean users do not need to unlock or physically hand over their phones to police or security officials.” The company stated: “Only after authorizing with Face ID or Touch ID is the requested identity information released from their device, which ensures that just the required information is shared and only the person who added the driver’s license or state ID to the device can present it. Users do not need to unlock, show or hand over their device to present their ID.”

(InfoSecurity Magazine)
Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.