Microsoft sees a rise in business email compromise attacks on schools
The company said it saw a spike in email scams soliciting gift cards from K-12 school teachers. These emails pose as friends or colleagues asking the teacher to purchase the gift cards, using a combination of publicly available school and teacher information and free email services to generate the messages. According to Microsoft, the same threat actors attempted similar schemes using COVID-19 related lures last year. Security researchers say they have seen the rise in attacks for over a year, with universities also increasingly targeted.
Facebook takes a proactive content stance after Myanmar coup
According to an internal message from Rafael Frankel, Facebook’s director of public policy in the Asia-Pacific region, the company outlined new steps to crack down on users trying to spread misinformation and foment further violence. The company has labeled Myanmar a “Temporary High-Risk Location” for two weeks, under which Facebook will remove content that incites violence. Washington DC received a similar designation in the wake of the January 6th Capitol riots. The company pledged to protect posts critical of the military coup, and to track accounts hacked or taken over by the military.
SolarWinds CEO says its email systems were compromised for months
SolarWinds is still untangling how threat actors were able to compromise its supply chain. The latest update comes from new CEO Sudhakar Ramakrishna, who disclosed in an interview that a few compromised email accounts were used as a beachhead to compromise the company’s broader Office 365 environment. This initial compromise dates back to December 2019. He further said the company is investigating whether this was the attackers’ initial entry into its network or whether it occurred earlier. He also confirmed that, when SolarWinds learned of the larger supply chain attack in December, it was investigating a single report of a hacker exploiting the separate flaw used in the attack on the National Finance Center, which we reported on yesterday.
Three more SolarWinds vulnerabilities found
Security researchers at Trustwave reported three previously unknown Orion vulnerabilities, which were originally reported to SolarWinds in December, with patches issued this week. The most serious was a remote code execution flaw that required only remote access, allowing attackers to use an improperly installed Microsoft Message Queuing service to send commands for a server to execute. The other two required local access: one allowed read/write access to SolarWinds Serv-U FTP, while the other preyed on insecurely stored credentials for the Orion local database.
Thanks to our episode sponsor HID Global
Sudo flaw impacts macOS too
Security researcher Matthew Hickey disclosed that a 10-year-old vulnerability recently found in the Sudo utility could also impact macOS with very minor modifications. Last week researchers at Qualys found the bug could allow low-privileged users to gain root access, but only tested it on Linux systems. Other security researchers verified that macOS was also vulnerable to the exploit, even after applying the latest security updates from Apple, issued February 1st.
A look at Huawei’s “new” HarmonyOS
When the US banned exports to Huawei in 2019, the company quickly trumpeted its in-house HarmonyOS as a replacement for phones and other smart devices. The company recently released version 2 of HarmonyOS, but after obtaining the SDK, Ars Technica found it to be seemingly identical to Android 10, with the app info screen still listing “Android Services Library” and other Android apps. The “remote” SDK obtained by Ars was actually a remote stream from a physical phone in China, and obtaining access required the reporter to submit a photo of a passport and a credit card and pass a two-day background check. All that for a look at an extremely minor fork of Android.
Application Guard for Office released
Microsoft released Application Guard for Office, a new defensive sandbox that prevents untrusted Office documents from accessing trusted resources on a user’s device. Application Guard is available in Word, Excel, and PowerPoint for Microsoft 365, on Windows 10 Enterprise. The feature ships as part of the next cumulative security update for Windows, and is enabled and managed through group policy. Untrusted documents won’t be allowed to access disk storage and other system resources; if a document tries to do so, Office displays a warning and closes it. Admins can allow files to access system resources on a case-by-case basis.
Bad patching leads to more zero-days
“Patch all the things” is a pretty common security credo. But new research from Google’s Project Zero team finds that the devil is in the details. The team found that one in four of the zero-day exploits it tracked throughout 2020 could have been avoided “if a more thorough investigation and patching effort were explored.” Many patches Project Zero looked at didn’t identify the root cause of the problem, often just patching the proof-of-concept code provided by security researchers, leaving attackers able to change just a line or two of code to create a new exploit.
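As an added illustration (constructed here, not from Project Zero’s research), a C sketch of the failure mode described above: a check written to block only the published proof of concept beside one that fixes the underlying bounds error, with a sweep a patch reviewer can run to count how many inputs each still lets through. The field size, PoC length and function names are all invented.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed scenario: a parser copies a tag value into a 16-byte field. */
#define FIELD_MAX 16
/* The (constructed) public proof of concept sent a 40-byte value. */
#define POC_LEN 40

typedef bool (*accept_fn)(const char *);

/* Symptom-only patch: blocks the exact PoC input and nothing else. */
static bool accept_symptom_patch(const char *in) {
    return strlen(in) != POC_LEN;
}

/* Root-cause patch: blocks every value that cannot fit with its terminator. */
static bool accept_root_cause_patch(const char *in) {
    return strlen(in) < FIELD_MAX;
}

/* True if the patched parser would still write past FIELD_MAX for a value
 * of length n, i.e. the check accepts it although it does not fit.
 * The copy itself is not performed; only the decision is modelled. */
static bool still_overflows(accept_fn accept, size_t n) {
    char value[128];
    memset(value, 'A', n);
    value[n] = '\0';
    return accept(value) && n >= FIELD_MAX;
}

/* Regression sweep over every length up to max_len, as a reviewer would
 * run it: counts how many lengths still overflow under the given check. */
static int count_overflowing_lengths(accept_fn accept, size_t max_len) {
    int count = 0;
    for (size_t n = 0; n <= max_len; n++)
        if (still_overflows(accept, n)) count++;
    return count;
}

int main(void) {
    printf("PoC blocked by symptom patch: %s\n",
           still_overflows(accept_symptom_patch, POC_LEN) ? "no" : "yes");
    printf("PoC plus one byte still overflows under symptom patch: %s\n",
           still_overflows(accept_symptom_patch, POC_LEN + 1) ? "yes" : "no");
    printf("lengths 0..64 still overflowing: symptom=%d root-cause=%d\n",
           count_overflowing_lengths(accept_symptom_patch, 64),
           count_overflowing_lengths(accept_root_cause_patch, 64));
    return 0;
}
```

The symptom patch passes the original PoC but fails for every other oversized length, which is exactly the one-line variant the paragraph warns about.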