In today’s cybersecurity news…
White House prioritizes secure internet routing, using memory safe languages
Speaking at a Recorded Future event on Wednesday in Washington, D.C., National Cyber Director Harry Coker said that “the White House is focused on securing two foundational aspects of the tech landscape: how information packets are routed across the internet and computer programming languages that can be susceptible to memory-related errors.” Specifically, he pointed out how the White House is looking at “next steps to secure Border Gateway Protocol, including the adoption of security mechanisms known as Resource Public Key Infrastructure (RPKI), which it plans to have in place in more than 60% of the federal government’s advertised IP space by the end of the year.” Coker also spoke of “shifting from languages, like C or C++ to memory-safe ones like Go or Rust.” He identified this as a key priority of the Biden administration and a way to avoid known bugs. This correlates to a Microsoft report from July 2019 that found that more than 70% of the vulnerabilities that are assigned a CVE in any given year are related to memory safety.
(Cyberscoop and Microsoft)
Federal Trade Commission and CISA warn of hurricane-related data scams
As they have done with previous hurricane situations, the two agencies released guidance this week “warning residents across several states to be wary of scams targeting both people who need assistance and people trying to provide it.” They specifically mentioned “fraudulent charities soliciting donations for disaster victims that often imitate the names of charities linked to the disaster,” adding there will also be scammers impersonating government officials, offering disaster relief in exchange for money or personal data, including phony offers being made to purchase flood-damaged homes at too-good-to-be-true prices. Stephen Kowski, field CTO at SlashNext Email Security, told Recorded Future News that “he lives in the Tampa Bay area and his family has been receiving phone calls to their personal devices with attempted voice phishing scams.”
Mozilla warns of Firefox zero day: patch now
This critical security flaw has apparently already been exploited in the wild and is being described as a use-after-free bug in the Animation timeline component. An advisory published Wednesday said, “an attacker was able to achieve code execution in the content process by exploiting the vulnerability.” Users are being advised to update to the latest version of Firefox to stay protected against active threats.
Internet Archive suffers data breach
The breach occurred on September 28 and, according to Troy Hunt of Have I Been Pwned, it exposed 31,081,179 unique records, including email addresses, screen names and bcrypt password hashes. The breach of the organization best known for its Wayback Machine was then followed by a website defacement “via JavaScript library” and then a DDoS attack this past Tuesday, October 8. A hacktivist group called BlackMeta has claimed to have had some involvement in the DDoS attacks on the Internet Archive, the first one having occurred in May of this year. BlackMeta’s social media account has claimed several attacks on companies linked to the U.S. or “supporting Israel,” but proof of who is behind the breach is still unknown.
CISA adds critical Fortinet flaw to its KEV
On Wednesday, the agency added a critical security flaw that impacts Fortinet products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, which has a CVSS score of 9.8, “relates to cases of remote code execution that affects FortiOS, FortiPAM, FortiProxy, and FortiWeb.” According to an advisory about the flaw published in February, “it may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.” As is the case with KEV additions, Federal Civilian Executive Branch agencies are mandated to apply the vendor-provided mitigations quickly, in this case by October 30.
Mamba 2FA bypass service targets Microsoft 365
Mamba 2FA is a phishing-as-a-service platform that has already been seen targeting Microsoft 365 accounts in adversary-in-the-middle attacks using spoofed login pages. Offered for $250 per month, the platform also offers a mechanism to “capture the victim’s authentication tokens and bypass multi-factor authentication (MFA) protections on their accounts.” The platform has been specifically designed to target users of Microsoft 365 services, including corporate and consumer accounts, and provides phishing templates for various Microsoft 365 services, including OneDrive, SharePoint Online, generic Microsoft sign-in pages, and fake voicemail notifications that redirect to a Microsoft login page.
Casio suffers cyberattack that caused system failure
A year after Casio suffered an attack on its education web application ClassPad.net, the Japanese manufacturer of watches and many other digital tools for consumers has announced an “intrusion” onto its network that occurred last Saturday, October 5. The company describes it as “a system failure that resulted in some services being unavailable to customers,” although no answers have yet been given to media inquiries as to which customer systems were knocked offline by the system failure, whether it was a ransomware attack, if data had been stolen or if the hackers had identified themselves. This is a developing story.