AT&T customers hit with malware
Researchers at Qihoo 360 discovered that EdgeMarc Enterprise Session Border Controllers, which AT&T offers to SME customers in the US, have been infected with new malware that lets attackers use them in DoS attacks or turn them against the internal networks they sit in front of. The researchers observed 5,700 active devices on a C2 server they infiltrated, but detected more than 100,000 devices accessing the same TLS certificate, indicating that many more devices are compromised. The devices were compromised through a command-injection flaw discovered in 2017, which was ultimately exploitable because of a default username and password. It's unclear whether AT&T or EdgeMarc publicly disclosed the vulnerability; a patch was issued in 2018, but it had to be applied manually, so unpatched devices remained exposed. AT&T acknowledged the issue, said it is taking steps to mitigate it, and said there was no evidence that customer data was accessed.
CISA announces advisory panel
The Cybersecurity and Infrastructure Security Agency named the members of its new advisory panel, which will make recommendations across the agency's purview. The 23 members include leaders from social media, cybersecurity, infrastructure, journalism, finance, and energy. The body was formed based on a recommendation in a 2020 report by the Cyberspace Solarium Commission. The panel will first meet on December 10th, and will address subjects like critical infrastructure protection, information sharing, public-private partnerships, and disinformation.
Palo Alto Networks looks at speed of compromise in the cloud
Researchers at the security company set up a cloud honeypot made up of 320 nodes around the world, each with multiple misconfigured instances of common cloud services, things like RDP, SSH, SMB, and Postgres. Accounts were also configured with default or weak passwords. The researchers found that 80% of the instances were compromised within 24 hours, and all had been compromised within a week. Some lasted only minutes before being found and exploited. SSH was the most commonly targeted service, with each SSH honeypot compromised 26 times a day on average. One attacker compromised 96% of Palo Alto's Postgres honeypots within a single 90-second window.
(ZDNet)
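The SSH number above (26 compromises per honeypot per day) is the kind of thing that shows up in an exposed host's auth log as a burst of failed passwords from one source followed by an accepted password. The following script is an added example, not code from Palo Alto Networks or from the ZDNet piece: it parses sshd lines in the syslog format Debian-family systems write to /var/log/auth.log, counts failures per source address, and flags any source that either crosses a threshold or logs in with a password after failing, which is the weak-credential pattern the honeypots were built to attract. The log lines, the IP addresses (from the RFC 5737 documentation ranges), and the threshold of 5 are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not real data). The format is the one sshd
# emits via syslog to /var/log/auth.log on Debian-family systems.
SAMPLE_AUTH_LOG = """\
Dec  2 03:14:07 honeypot sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 41122 ssh2
Dec  2 03:14:09 honeypot sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 41122 ssh2
Dec  2 03:14:12 honeypot sshd[2014]: Failed password for root from 203.0.113.5 port 41130 ssh2
Dec  2 03:14:15 honeypot sshd[2014]: Failed password for root from 203.0.113.5 port 41130 ssh2
Dec  2 03:14:18 honeypot sshd[2017]: Failed password for root from 203.0.113.5 port 41140 ssh2
Dec  2 03:14:21 honeypot sshd[2017]: Accepted password for root from 203.0.113.5 port 41140 ssh2
Dec  2 03:20:44 honeypot sshd[2101]: Failed password for invalid user pi from 198.51.100.7 port 50200 ssh2
Dec  2 03:21:01 honeypot sshd[2103]: Accepted publickey for deploy from 192.0.2.10 port 60001 ssh2
"""

# Matches both "Failed password for invalid user X from IP port N" and
# "Accepted publickey for X from IP port N"; the "invalid user " prefix is optional.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Yield (result, method, user, src) for each sshd auth line; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("src")


def find_brute_force(text, threshold=5):
    """Return {src_ip: {"failures", "users", "success_after_failures"}} for every
    source that reached `threshold` failed logins or that got an Accepted password
    after at least one failure. The threshold is an assumed tuning value."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failures": False})
    for result, method, user, src in parse_auth_log(text):
        entry = stats[src]
        if result == "Failed":
            entry["failures"] += 1
            entry["users"].add(user)
        elif method == "password" and entry["failures"] > 0:
            # A password login that follows failures from the same source is the
            # signature of a guessed weak or default credential.
            entry["success_after_failures"] = True

    flagged = {}
    for src, entry in stats.items():
        if entry["failures"] >= threshold or entry["success_after_failures"]:
            flagged[src] = {
                "failures": entry["failures"],
                "users": sorted(entry["users"]),
                "success_after_failures": entry["success_after_failures"],
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_brute_force(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {info['failures']} failures against {info['users']}, "
              f"password success after failures: {info['success_after_failures']}")
```

On the sample data only 203.0.113.5 is flagged: five failures against admin and root, then an accepted password for root. The single failure from 198.51.100.7 stays below the threshold, and the key-based login from 192.0.2.10 is not counted at all, since publickey authentication is not what a password-guessing campaign produces.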
Twitch to use machine learning to spot banned users
Twitch will use a new machine learning tool called Suspicious User Detection to identify users evading bans on a streamer's channel. The system compares the behaviors and characteristics of unknown viewers against those of the channel's banned users. Users categorized as "likely" ban evaders will not be able to chat, and mods and streamers will see them as flagged. Those ranked as "possible" ban evaders will appear in chat, but mods can opt to block their messages. The feature will be on by default, but streamers can adjust or turn it off.
Thanks to our episode sponsor, Votiro

Microsoft releases standalone version of Teams
The company introduced Microsoft Teams Essentials, which provides the core meeting features of Teams but doesn't include the bundled Office apps that Microsoft 365 plans do. It's priced at $4 per user per month. This appears aimed more at competing with Zoom than directly with Slack, as Microsoft dropped the channels functionality of Teams in favor of a simpler chat interface. Compared to the base Microsoft 365 Business Basic plan, storage on Essentials is limited to 10GB versus 1TB, and it doesn't offer meeting recordings, transcripts, translations, or breakout rooms. Microsoft frames it as designed specifically for small businesses.
Dell offers air-gapped AWS solution for ransomware
Dell launched Dell EMC PowerProtect Cyber Recovery for AWS on the AWS Marketplace. It provides an air-gapped vault that physically and logically isolates a copy of customer data, giving a rapid recovery path in the event of a ransomware attack. After an attack, Dell would provide an untouched duplicate of the customer's data behind a secured interface, protected by multi-factor authentication before any connection to the vaulted data is established. The service is designed to integrate with existing AWS assets and is deployed automatically through the Marketplace.
(ZDNet)
BlackByte hitting Exchange servers
The ransomware group is using the ProxyShell vulnerabilities to target corporate networks. These are the same Exchange vulnerabilities Microsoft patched in April and May of this year. BlackByte uses the exploits to install web shells on compromised servers, which give it persistence on the machine; from there it drops a Cobalt Strike beacon and installs a remote access tool before deploying its ransomware. Researchers at Trustwave released a decryptor for BlackByte ransomware back in August, but researchers have since observed "fresh" variants of it in the wild.
Microsoft integrates third-party loans into Edge
Microsoft has spent the better part of the last ten years successfully rehabilitating its image from the Evil Empire of proprietary software lock-in to something like the lovable uncle of Big Tech. But old habits seemingly die hard. Last month, Microsoft announced it would integrate the third-party Buy Now, Pay Later service Zip into Edge, letting users split any online purchase of between $35 and $1,000 into four installments over six weeks. The feature initially came to Canary and Dev builds of the browser, and Microsoft is starting to roll it out to all users with Edge 96. Users will have to be in the US and signed in to a Microsoft account to use it. Microsoft said it "does not collect a fee for connecting users to loan providers," but a spokesperson declined to say whether it receives other forms of remuneration from Zip. This is the latest e-commerce integration in Edge, which already includes price tracking and discount tools.