This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Allan Cockriel, Group CISO, Shell
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Merck and its insurers settle $1.4 billion NotPetya case
Following up on a story that had the potential to set precedent in the world of cyber insurance, the pharmacy multinational Merck and Co. has settled with its insurers in an eleventh-hour agreement. Merck had originally filed a $1.4 billion insurance claim for a 2017 NotPetya attack that its insurers refused to pay out on, with the insurers claiming the attack was an act of war and thus excluded by the insurance. A judge found in favor of Merck and the insurers appealed. This settlement, whose terms have not been disclosed, occurred shortly before oral arguments were to begin in a New Jersey Supreme Court review of the case.
Google accounts hacked: No passwords required
Simply changing your password is no longer enough thanks to this Google exploit. An analysis from security firm CloudSEK discovered this new malware, which exploits third-party cookies to gain persistent access to Google accounts, even if the password is reset. The attackers retrieve session cookies, which are designed to keep users logged in without repeatedly authenticating, effectively bypassing two-factor authentication. In a statement to The Independent, Google said, “We recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads”, and that they have “taken action to secure any compromised accounts detected.”
GitHub abuse on the rise
A new report from Recorded Future documented how threat actors use GitHub as part of a “living-off-trusted-sites” strategy. This can allow them to blend in with otherwise legitimate traffic to get around network defenses. Threat actors generally don’t run full-fledged C2 servers on GitHub, but do commonly use it as a dead drop resolver, essentially using a repository to point to a C2 URL. Threat actors also use the service for payload delivery, but rarely as a data exfiltration target due to file size restrictions. GitHub isn’t the only legitimate service hosting threat actor activity. We’ve recently covered attacks using Dropbox, Google Drive, and Discord as infrastructure as well.
loanDepot joins growing list of US mortgage lenders attacked
“loanDepot is experiencing a cyber incident.” That is the bulk of information the lending giant offered on their official company website on Monday. loanDepot confirmed the cyberattack in a filing with federal regulators, describing the incident as involving the “encryption of data” although the company would not confirm a ransomware attack. As a result, the company shut down certain systems but said, “Recurring automatic payments are processing as expected, but there may be a temporary delay in your payment history.” loanDepot is the fifth-largest retail mortgage lender in the U.S. and joins a list of other mortgage lenders including Mr. Cooper and Fidelity National Financial to be breached in recent months.
Thanks to today’s episode sponsor, Vanta

Over 6,000 companies partner with Vanta to automate compliance, strengthen security posture, streamline security reviews, and reduce third-party risk. To see Vanta’s platform firsthand and access resources plus a special offer, go to vanta.com/ciso and watch their 3-minute product demo.
Bosch warns of nutrunner vulnerabilities
This is not the name of a piece of malware; it is a cordless, handheld pneumatic torque wrench used in automotive and other industries for safety-critical tightening operations. Researchers at Nozomi found security holes in Bosch Rexroth’s NXA015S-36V-B nutrunner, which communicates via a wireless network to send data and receive instructions. The researchers found over two dozen vulnerabilities, which could make the device inoperable, slow down assembly lines, or even change tightening program configurations, specifically the torque value, resulting in loose bolts or excessively tightened bolts. A total of 25 CVE identifiers have been assigned to the nutrunner flaws, including 11 that have a ‘high severity’ rating.
Bitcoin price spikes after SEC Twitter account hijack
The US Securities and Exchange Commission’s (SEC) X account was hacked Tuesday. A tweet from the hijacked account stated, “Today the SEC grants approval to Bitcoin ETFs for listing on registered national security exchanges.” The tweet also included an image of SEC Chairperson Gary Gensler with a quote promoting the alleged approval. The news quickly spread through the media, causing Bitcoin prices to shoot up. However, the price jump quickly receded once the SEC revealed that the fake news was the result of its account being compromised. The SEC has not confirmed whether 2FA was enabled on the account. The incident comes amidst a massive wave of X account breaches spreading crypto scams.
(Bleeping Computer and The Register)
New details and developments with high profile X account hacks
The security firm Mandiant published details of its investigation into its recent X account takeover. It said all indications point to a brute-force password attack. Mandiant noted it had not enabled 2FA on the account, which would have prevented the incident. In related news, the House Financial Services Committee sent a letter to SEC Chairman Gary Gensler calling on the commission to brief it on its X account hack. Like Mandiant, the SEC also didn’t enable 2FA. The committee referenced the SEC’s new cyber disclosure rules, saying it expects it “to hold itself to the same requirements.”
(Security Affairs, The Record)
Google Cloud upends egress fees
For as long as people have moved to the cloud, they’ve also complained about how hard it is to leave it. AWS, Azure, and Google Cloud all maintained hefty egress fees that often made cloud migrations difficult if not fiscally impossible. Now Google Cloud plans to upend this model, announcing it is eliminating fees for leaving to another service. Google VP Amit Zavery said switching fees account for only 2% of a total migration cost. Still, it made the move ahead of antitrust investigations in both the US and UK around cloud provider business practices.