This week’s Cyber Security Headlines – Week in Review, Mar 7 – 11, is hosted by Rich Stroffolino with our guest, Anshu Gupta, Investor, Silicon Valley CISO Investments
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
‘Most advanced’ China-linked backdoor ever raises alarms for cyber-espionage investigators
A backdoor in use as recently as November 2021 is the “most advanced piece of malware” ever seen from China-linked spies, according to researchers at Symantec. Dubbed Daxin, the malware forms part of “a long-running espionage campaign against select governments and other critical infrastructure targets,” most of them being of strategic interest to China. The malware “appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions,” the researchers said. Dick O’Brien, principal editor for the Symantec Threat Intelligence Team, told CyberScoop that for China-linked malware, this is “on another level.”
Hackers allegedly leak Samsung data, source code
Less than a week after releasing a 20GB document archive from 1TB of data stolen from Nvidia, the Lapsus$ data extortion group on Friday leaked a huge collection of confidential data they claim to be from Samsung Electronics. The leak apparently contains “confidential Samsung source code” for every Trusted Applet (TA) installed in Samsung’s TrustZone environment used for sensitive operations (e.g. hardware cryptography, binary encryption, access control), as well as algorithms for biometric unlock operations, bootloader source code for all recent Samsung devices, confidential source code from Qualcomm, source code for Samsung’s activation servers, and full source code for technology used for authorizing and authenticating Samsung accounts, including APIs and services. This is according to Bleeping Computer, who also state that if these details are accurate, Samsung has suffered a major data breach that could cause huge damage to the company.
Russia says it’s okay to download a car
Faced with many technology companies no longer providing software and services in the country, Russian officials are drafting rules that would establish a “unilateral” software licensing mechanism, effectively renewing expired software licenses without consent of the owners of the IP. This would only apply if the copyright holder resides in a country with sanctions against Russia, and there are no viable Russian alternatives. The Civil Code of the Russian Federation already allows for this practice under specific circumstances, provided that patent holders are notified and a reasonable fee is paid. The proposed amendment to the Civil Code would forgo payment while sanctions are in place. Russia says copyright infringement is still illegal and prosecuted in the country.
DDoS attacks use new record-breaking amplification vector
Reflection/amplification itself is not new: the attacker sends small requests with a spoofed source address to an internet-exposed service, and the service sends its much larger replies to the spoofed address, i.e. the victim. What is new is the vector and the ratio. In mid-February threat actors were observed hitting victims across numerous industries by abusing an unauthenticated test facility in Mitel's TP-240 VoIP interface driver, reachable over UDP (port 10074) on affected MiCollab and MiVoice Business Express systems, where a single request packet can make the device emit on the order of 4.29 billion response packets toward the victim, a record-breaking amplification ratio of almost 4.3 billion to 1. Customers using vulnerable devices should follow Mitel's remediation instructions: apply the fix, enforce firewall rules so the initiator packets never reach the test port from the internet, or disable the abused command outright.
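As an added example (not code from the article, from Mitel, or from the researchers who disclosed the vector), here is how a defender might hunt their own flow records for a device being abused as a reflector. The idea is the one in the paragraph above: spoofed requests appear to come *from* the victim, so the tell-tale sign is a remote address that sends the service a handful of packets and receives an enormous number back. The flow records and their field layout (src,dst,proto,sport,dport,packets,bytes) are constructed for illustration; UDP/10074 is the port the disclosure identified for the TP-240 test facility. The example also handles the case where no inbound request flow was captured at all, which is common when the single trigger packet is lost or sampled away.

```python
"""Hunt flow records for reflection/amplification abuse of a local service.

Added example; the flow lines below are constructed, and the CSV-like field
layout is an assumption rather than any particular exporter's format.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import inf

TP240_PORT = 10074  # UDP port of the TP-240 test facility named in the disclosure

# Constructed sample flows seen at the network edge of reflector 192.0.2.10:
#  - 203.0.113.7  : one spoofed request, then a flood of replies to it
#  - 198.51.100.4 : a legitimate, proportionate exchange with the test port
#  - 203.0.113.99 : reply flood with no captured request flow at all
#  - 198.51.100.9 : unrelated TCP/443 traffic that must be ignored
SAMPLE_FLOWS = """\
203.0.113.7,192.0.2.10,udp,41234,10074,1,62
192.0.2.10,203.0.113.7,udp,10074,41234,2500000,72500000
198.51.100.4,192.0.2.10,udp,50000,10074,3,180
192.0.2.10,198.51.100.4,udp,10074,50000,3,210
192.0.2.10,203.0.113.99,udp,10074,5555,800000,23200000
198.51.100.9,192.0.2.10,tcp,55001,443,40,4800
192.0.2.10,198.51.100.9,tcp,443,55001,60,51200
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    bytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the assumed 7-field comma layout; blank lines and '#' comments are skipped."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, sport, dport, pkts, nbytes = (f.strip() for f in line.split(","))
        flows.append(Flow(src, dst, proto.lower(), int(sport), int(dport), int(pkts), int(nbytes)))
    return flows


def amplification_by_peer(flows, reflector_ip, service_port, proto="udp"):
    """Per remote peer: (req_pkts, req_bytes, resp_pkts, resp_bytes) for one service on the reflector.

    A spoofed request is recorded with the victim as source, so requests *to* the
    service port and responses *from* it are both keyed on the remote address.
    """
    stats = defaultdict(lambda: [0, 0, 0, 0])
    for f in flows:
        if f.proto != proto:
            continue
        if f.dst == reflector_ip and f.dport == service_port:
            stats[f.src][0] += f.packets
            stats[f.src][1] += f.bytes
        elif f.src == reflector_ip and f.sport == service_port:
            stats[f.dst][2] += f.packets
            stats[f.dst][3] += f.bytes
    return {peer: tuple(v) for peer, v in stats.items()}


def ratio(resp: int, req: int) -> float:
    """Amplification factor; infinite when replies were sent but no request was seen."""
    return inf if req == 0 else resp / req


def find_reflection_abuse(flows, reflector_ip, service_port, min_packet_ratio=100.0, proto="udp"):
    """Flag peers receiving far more packets from the service than they sent to it.

    The TP-240 vector is a *packet* amplifier (one request, billions of replies),
    so the packet ratio is the primary signal; the byte ratio is reported alongside.
    """
    findings = []
    for peer, (req_p, req_b, resp_p, resp_b) in amplification_by_peer(
        flows, reflector_ip, service_port, proto
    ).items():
        if resp_p == 0:
            continue  # nothing was reflected at this peer
        pkt_ratio = ratio(resp_p, req_p)
        if pkt_ratio >= min_packet_ratio:
            findings.append({
                "victim": peer,
                "request_packets": req_p,
                "response_packets": resp_p,
                "packet_ratio": pkt_ratio,
                "byte_ratio": ratio(resp_b, req_b),
            })
    # Worst offenders first; an infinite ratio (no request captured) sorts to the top.
    findings.sort(key=lambda d: -d["packet_ratio"])
    return findings


if __name__ == "__main__":
    for hit in find_reflection_abuse(parse_flows(SAMPLE_FLOWS), "192.0.2.10", TP240_PORT):
        print(f"{hit['victim']:>15}  pkts {hit['request_packets']} -> {hit['response_packets']}"
              f"  x{hit['packet_ratio']:.0f}")
```

Run against real exporter data this would flag the reflector's own address as the problem, not the victim's: the "victim" column is where the replies went, and the action is to patch or firewall the local device, since the remote addresses are spoofed and tell you nothing about the attacker.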
There are many misconceptions about security automation, so Torq is debunking a security automation myth each day this week.

False. You should automate routine, repetitive tasks that are not subject to much conditional variance. But workflows that can’t be reliably managed by automation tools, such as assessing the financial consequences of a breach or determining whether a security incident should trigger an application rollback, should remain the domain of humans. To learn more about the realities of automation, head to torq.io.
The 2022 Weak Password Report from Specops takes a look at both the human side and the tech side of why passwords are the weakest link in an organization’s network. The report analyzed 800 million breached passwords and highlighted that 93% of the passwords used in brute force attacks include 8 or more characters and 68% of passwords used in attacks include at least two character types. More than half of organizations do not use password management tools, while nearly half of organizations do not have user verification in place for calls to the IT service desk. Interestingly, the Cincinnati Reds top the list of most popular baseball teams found in compromised password lists. The report recommends that organizations block weak and compromised passwords, enforce password length requirements, verify user identities at the service desk and audit their environment for password-related vulnerabilities.
Qakbot Botnet sprouts fangs, injects malware into email threads
The Qakbot botnet is sinking its fangs into email threads and injecting malicious modules to pump up the core botnet’s powers. On Thursday, Sophos published a report describing how it spreads through “email thread hijacking” – an attack in which malware operators malspam replies to ongoing email threads. Qakbot also devours system information, including configured user accounts and permissions, installed software, running services, and more, after which the botnet downloads the malicious modules.
Big Cloud suspends sales in Russia – sort of
This week AWS, which has no data centers in Russia, implemented a policy change preventing customers in Russia and Belarus from signing up for new accounts. TechCrunch reports that Microsoft and IBM have taken action to suspend sales to Russia, while Google states it is “not accepting new Google Cloud customers in Russia at this time.” But Cloudflare, which is not a pure cloud infrastructure vendor but helps provide secure internet access via hundreds of data centers around the world, says it feels it is important to keep the internet running in the country in spite of calls to shut down service there, stating, “Russia needs more Internet access, not less.”
Google rolling out air raid alerts to Android users in Ukraine
The new feature was announced via an update to a March 1 blog post regarding the actions taken by Google following the Russian invasion of Ukraine. Kent Walker, Google’s President of Global Affairs, stated, the airstrike warning system rolling out to Ukrainians’ Android phones “is supplemental to the country’s existing air raid alert systems” and uses air raid alert info provided by the Ukrainian government.