This week’s Cyber Security Headlines – Week in Review, March 8-12, 2021, is hosted by Steve Prentice (@stevenprentice) with our guest, Dan Walsh, CISO, VillageMD
Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion (https://www.crowdcast.io/e/cyber-security-headlines).
Cloud hosting data centers burn down
A fire at the Strasbourg site of OVHcloud (headquartered in Roubaix, France), described in coverage as the largest hosting provider in Europe and the third-largest in the world, destroyed one data center (SBG2) and part of a second (SBG1). The company is advising customers to enact their disaster recovery plans. Those affected include the cyber threat intelligence company Bad Packets, the free chess server Lichess.org, the video game Rust, the telecom company AFR-IX, the encryption utility VeraCrypt and the news outlet eeNews Europe, among others.
Hog ransomware only decrypts victims who join its Discord server
This new strain of ransomware encrypts victims’ files, appends a “.hog” extension, and then launches a decryptor program from the Windows Startup folder that prompts the user to enter their Discord user token. That token lets the decryptor authenticate to Discord’s API as the victim and check whether they have joined the attacker’s Discord server; only then does it decrypt. Discord is a chat and digital distribution service that threat actors increasingly use to distribute malware and to harvest stolen data.
REvil ransomware gang uses extended voice calls to pressure victims
The group recently posted a notice on a hacker forum offering its network of affiliates new ways to pressure victims: calling the victims’ business partners and the news media. This extends the double-extortion tactic, since the threat is no longer limited to the victim itself but reaches those who might feel indirectly threatened by a compromised supplier, or who would at least view the victim negatively. According to Bleeping Computer, this is yet one more innovation in the business of ransomware.
New Microsoft tool checks Exchange Servers for ProxyLogon hacks
Microsoft has released a PowerShell script that admins can use to check whether the recently disclosed ProxyLogon vulnerabilities have been used to compromise a Microsoft Exchange server. As we reported last week, Microsoft released emergency security updates to fix four zero-day vulnerabilities used in attacks against Microsoft Exchange, together named ProxyLogon, which allow threat actors to achieve remote code execution on publicly exposed on-premises Exchange servers through Outlook on the web. The attacks have been attributed to a China state-sponsored hacking group that Microsoft calls HAFNIUM. The script, Test-ProxyLogon.ps1, was released on Saturday in the GitHub repository maintained by Microsoft’s Exchange support engineers (CSS-Exchange).
Thanks to our episode sponsor, Trend Micro
Report finds sensitive data abounds on GitHub
This report comes from the security firm GitGuardian, which analyzed all public commits made on GitHub since 2017 and found a 20% year-over-year increase in leaked sensitive data (API keys, private keys, certificates, usernames and passwords) in 2020. Overall, 15% of leaks on GitHub occur in public repositories owned by organizations, with 80% in developers’ personal repositories. Google keys were the most commonly leaked, representing 27.6% of detections, followed by development tool and data storage credentials at around 15% each. (GitGuardian)
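The leak categories the report counts (Google API keys, private keys, passwords in source) are exactly what a pre-commit check can catch before a commit reaches a public repository. The scanner below is an added example written for this page, not GitGuardian's tooling: it scans only the lines a diff adds, and its patterns are assumptions (the Google key shape is the widely documented `AIza` prefix plus 35 characters; the AWS access key ID and password patterns are generic). The diff it runs over is constructed for the example.

```python
"""Scan the added lines of a git diff for commonly leaked secret types.

Added example for this page, not GitGuardian's scanner. Patterns are
assumptions: a documented key prefix plus a generic password assignment.
"""
import re
from typing import Dict, List

# Each tuple: finding kind, compiled pattern. Order matters only for output.
PATTERNS = [
    # Google API keys start with AIza followed by 35 base64url-ish characters.
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")),
    # PEM private key header; the body that follows is the real leak.
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    # AWS access key IDs: AKIA plus 16 upper-case alphanumerics.
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # Generic "password = '...'" assignment with a quoted value of 6+ chars.
    ("password_assignment", re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]")),
]

# Constructed sample diff: one file gains a hardcoded key and password, a
# second file adds a private key. The removed line (reading the key from the
# environment) is the correct pattern and is not scanned.
SAMPLE_DIFF = """diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-API_KEY = os.environ["GOOGLE_API_KEY"]
+API_KEY = "AIzaSyA1234567890abcdefghijklmnopqrstuv"
+DB_PASSWORD = "hunter2hunter2"
+# TODO remove before merge
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAconstructedsamplenotarealkey
+-----END RSA PRIVATE KEY-----
"""


def redact(value: str) -> str:
    """Keep just enough of a match to triage it without re-leaking the secret in scan output."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-2:]


def find_secrets(text: str) -> List[Dict[str, object]]:
    """Return one finding per pattern match, with 1-based line numbers."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                findings.append({"line": lineno, "kind": kind, "value": redact(match.group(0))})
    return findings


def scan_diff_additions(diff: str) -> List[Dict[str, object]]:
    """Scan only '+' lines, the way a pre-commit or CI hook would, tagging each hit with its file."""
    findings: List[Dict[str, object]] = []
    current_file = None
    for line in diff.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if not line.startswith("+"):
            continue  # context and removed lines are not being committed
        for finding in find_secrets(line[1:]):
            finding["file"] = current_file
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_diff_additions(SAMPLE_DIFF):
        print(f"{f['file']}: {f['kind']} {f['value']}")
```

In a real hook the diff would come from `git diff --cached`; the point of scanning additions only is that a secret already in history needs rotation rather than a new commit, and a scanner that flags every removed line would never let a cleanup commit through.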
China’s economic plan looks to end US tech dependency
China made its new five-year economic plan public, framing technology development as a matter of national security where earlier plans treated it as a matter of economic development. Under the plan, China will increase spending on tech R&D by 7% annually across the public and private sectors, a higher annual increase than the one allotted to its military budget. The China Development Bank is preparing $60 billion in loans for over 1,000 tech firms and has raised $30 billion for a new semiconductor investment fund. China aims to produce 70% of the core components needed by domestic chipmakers by 2025.
PayPal acquires crypto security company
The company announced the acquisition of the startup Curv, which uses multi-party computation (MPC) to secure cryptocurrency and other digital assets without ever assembling a complete private key in one place, combining the underlying mathematics with a cloud-hosted service to prevent unauthorized access. PayPal began offering customers the ability to buy and sell select cryptocurrencies in November, and plans to use Curv’s technology to secure its own digital assets, especially for cross-border transactions. Terms of the deal were not disclosed, but Decrypt’s sources say it was worth around $200 million.
Hackers access surveillance cameras at Tesla, Cloudflare, banks, more
Hackers gained access to live surveillance feeds from cameras installed at Tesla, Equinox, healthcare clinics, jails and banks, including the Bank of Utah. Besides images captured from the cameras, the hackers also shared screenshots showing root shell access to the camera systems used by Cloudflare and at Tesla HQ. Under the name OperationPanopticon, the hackers gained access to 150,000 cameras belonging to Verkada, a surveillance vendor that works with all of these organizations, after finding hardcoded credentials for a Verkada super-admin account in DevOps infrastructure exposed on the internet. This is being treated as a major breach for Verkada and as a demonstration of how easy security cameras can be to compromise.
CISA urges organizations to get serious about Exchange Server exploitation
The US Cybersecurity and Infrastructure Security Agency (CISA) is urging “ALL organizations across ALL sectors” to address the Microsoft Exchange Server vulnerabilities. CISA has provided a set of guidelines designed to walk IT security staff and organizations’ leaders through the process of fixing them. Exploitation is ongoing, attackers may already have established persistence on victims’ systems, and an effective response involves more than simply patching: servers that were exposed before the patch also have to be checked for signs of prior compromise.
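The “more than patching” step in the CISA item, and the log check that Microsoft’s Test-ProxyLogon.ps1 automates in the earlier item, come down to reading the Exchange HttpProxy logs for the CVE-2021-26855 server-side request forgery indicator. The code below is an added example for this page, not Microsoft’s script: it re-implements in Python the heuristic Microsoft published alongside the script, an unauthenticated request (empty AuthenticatedUser) whose AnchorMailbox matches `ServerInfo~*/*`. The sample log is constructed and keeps only a subset of the columns a real HttpProxy log carries; the on-disk log path is the documented default and is assumed for the directory scan.

```python
"""Check Exchange HttpProxy logs for the CVE-2021-26855 (ProxyLogon SSRF) indicator.

Added example, not Microsoft's Test-ProxyLogon.ps1. It re-implements the
published heuristic: AuthenticatedUser empty and AnchorMailbox like
'ServerInfo~*/*'. The sample log below is constructed for this example.
"""
import csv
from pathlib import Path
from typing import Dict, List

# Documented default log location on an Exchange 2013/2016/2019 server (assumed).
HTTPPROXY_LOG_DIR = Path(r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy")

# Constructed sample in the layout of a real HttpProxy CSV log: '#' comment
# lines, a '#Fields:' line naming the columns, then one CSV row per request.
# Real logs have many more columns; only those the check needs are kept here.
SAMPLE_LOG = r"""#Software: Microsoft Exchange Server
#Version: 15.01.2106.002
#Log-type: HttpProxy Logs
#Date: 2021-03-06T00:00:00.000Z
#Fields: DateTime,RequestId,Protocol,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-06T01:02:03.000Z,a1,Owa,/owa/auth/logon.aspx,,,203.0.113.10,200
2021-03-06T01:02:07.000Z,a2,Ecp,/ecp/y.js,,ServerInfo~a]@exchange.example.test:444/autodiscover/autodiscover.xml?#,203.0.113.10,200
2021-03-06T01:03:00.000Z,a3,Owa,/owa/,CORP\jdoe,Sid~S-1-5-21-1-2-3-1001,198.51.100.7,200
2021-03-06T01:04:00.000Z,a4,Autodiscover,/autodiscover/autodiscover.xml,CORP\jdoe,Smtp~jdoe@example.test,198.51.100.7,200
"""


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse the CSV-with-'#Fields:'-header format into one dict per request."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):
            continue  # other header lines carry no request data
        if not fields:
            raise ValueError("log row appears before the #Fields: header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def is_proxylogon_ssrf(row: Dict[str, str]) -> bool:
    """Published heuristic: no authenticated user, and an AnchorMailbox of the
    form ServerInfo~<host>/<path> (PowerShell's -like 'ServerInfo~*/*', case-insensitive)."""
    anchor = row.get("AnchorMailbox", "")
    prefix = "ServerInfo~"
    unauthenticated = row.get("AuthenticatedUser", "") == ""
    return unauthenticated and anchor.lower().startswith(prefix.lower()) and "/" in anchor[len(prefix):]


def find_proxylogon_hits(text: str) -> List[Dict[str, str]]:
    """All rows of one log file that match the indicator."""
    return [row for row in parse_httpproxy_log(text) if is_proxylogon_ssrf(row)]


def scan_log_directory(log_dir: Path = HTTPPROXY_LOG_DIR) -> List[Dict[str, str]]:
    """Run the check over every *.log file under the HttpProxy directory."""
    hits: List[Dict[str, str]] = []
    for path in sorted(log_dir.rglob("*.log")):
        hits.extend(find_proxylogon_hits(path.read_text(encoding="utf-8", errors="replace")))
    return hits


if __name__ == "__main__":
    for hit in find_proxylogon_hits(SAMPLE_LOG):
        print(f"{hit['DateTime']} {hit['ClientIpAddress']} {hit['AnchorMailbox']}")
```

A hit means the server was reached by an SSRF probe, not necessarily that a web shell was dropped; the next steps are the rest of the published checks (the other three CVEs' indicators, new .aspx files under the Exchange web directories) and treating the host as compromised until those come back clean.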