Top 15 exploited security vulnerabilities in 2021
An advisory co-authored by cyber authorities in the US, Australia, Canada, New Zealand, and the UK details the top 15 Common Vulnerabilities and Exposures (CVEs) exploited by malicious cyber actors last year. The list features two Log4Shell Remote Code Execution (RCE) bugs, a series of ProxyShell and ProxyLogon RCE, privilege escalation and security bypass flaws, and four ZeroLogon issues. The vulnerabilities all affect widely used technologies, including Java, Microsoft Exchange Server and NetLogon, Pulse Connect Secure, and Fortinet products. Security experts warn that these issues are becoming more difficult to detect in hybrid infrastructure models, because such models require organizations to adopt separate security tools for on-prem and cloud deployments.
India gives orgs 6 hours to report cyber incidents
India’s Computer Emergency Response Team (CERT-In) has issued a new directive that requires service providers, corporations, and government entities to report cyber incidents within 6 hours of detection. The mandate also requires virtual asset, exchange, and wallet providers to maintain records on KYC and financial transactions for a period of five years. Additionally, service providers will be required to maintain 180 days’ worth of system logs and will need to assist India’s CERT with cyber incident remediation activities. Meanwhile, cloud and VPN providers will now need to register validated names, emails, and IP addresses of their subscribers.
The White House wants more powers to crack down on rogue drones
The White House has laid out its plans to give authorities more power to respond to nefarious drone activity that poses risks to public safety, privacy and homeland security. The plan proposes to expand the use of technologies that can identify and neutralize rogue drones, for example RF jammers, for federal agencies including the Departments of Justice, Defense, State, and Homeland Security as well as the CIA and NASA. In addition, state and local authorities as well as critical infrastructure owners and operators would have expanded authority to use anti-drone technology. Currently, non-federal entities need to seek assistance from authorized entities, like DHS, to respond to drone threats.
(ZDNet)
Child neglect screening algorithm raises concerns
Concerns are being raised in Allegheny County, Pennsylvania over the controversial use of a tool that leverages a trove of personal and government data to help social workers identify and protect children at risk of neglect and abuse. A study of the tool’s algorithm in its early years by Carnegie Mellon University found a pattern of disproportionately flagging Black children for investigation compared with white children, and also found that about a third of the time, social workers disagreed with the algorithm’s risk scoring. Additionally, for more than two years, a technical glitch in the tool caused it to produce inaccurate risk scores, but that problem has since been fixed. County officials said that social workers can override the tool, but critics are concerned about relying on potentially flawed AI to make decisions that profoundly affect real families. Such algorithms are used in a number of other states, while Illinois dropped the use of the technology due to the aforementioned concerns.
(AP News)
Thanks to our episode sponsor, Censys

Last week’s ransomware roundup
While ransomware is starting to become white noise in cyber news, last week was a busy one, reminding us that ransomware remains a prominent threat.
- The Quantum ransomware gang, first discovered in August 2021, was seen carrying out speedy attacks that escalate quickly, leaving defenders little time to react.
- A new ransomware gang called Black Basta has quickly accumulated victims, including the American Dental Association and Deutsche Windtechnik, while flying under the radar until last week.
- Austin Peay State University suffered a ransomware attack and used the unusual tactic of blasting the news on Twitter that students and faculty should shut down their computers.
- New ransomware called Onyx was discovered, and it purposely destroys files larger than 2MB, making it pointless to pay a ransom.
- Onleihe, an app that serves users electronic content from their local libraries, suffered a breach at the hands of a vendor, resulting in the theft and deletion of files encrypted with copy protection. The LockBit ransomware gang has released 100% of the stolen data, which likely indicates that Onleihe is attempting to restore its data without paying a ransom.
- Researchers issued a report which found that the ransom payment accounts for only roughly 15% of the total cost of ransomware attacks, which also includes costs associated with incident response, system restoration, legal fees, monitoring, and business disruption.
We can only hope for better news this week on the ransomware front.
(Bleeping Computer and Bleeping Computer)
Amazon uses Alexa voice data for targeted ads
A report released last week from researchers at the University of Washington, UC Davis, UC Irvine, and Northeastern University concludes that Amazon and third parties collect data from your Echo smart speakers and share it with as many as 41 advertising partners, contending that Amazon does this in a manner inconsistent with its privacy policies. An Amazon spokesperson stated, “Many of the conclusions in this research are based on inaccurate inferences or speculation by the authors, and do not accurately reflect how Alexa works.” Alexa customers can opt out of interest-based ads from Amazon on its Advertising Preferences page.
Texas school district employee “expelled” for crypto mining
An employee of Galveston Independent School District has resigned after getting busted secretly mining cryptocurrency on school premises. Pings picked up by the district’s firewall aroused the suspicion of the IT department, which discovered crypto mining machines operating at six different school campuses without authorization. District officials confirmed that no student or staff data has been compromised and that no action has been taken against the individual, whose identity has not been released. However, as part of the ongoing investigation, findings could still be shared with the district attorney’s office.