SANS NewsBites

Learn from Capital One Breach: Proactively Scan Cloud Configurations; Just Stop Using WordPress Plugins or Move to Managed Hosting; Flagstar Bank Should Have Learned Lessons from 2021 Incident

June 21, 2022  |  Volume XXIV - Issue #49

Top of the News


2022-06-20

Guilty Verdict in 2019 Capital One Breach

Former Amazon software engineer Paige Thompson has been found guilty of wire fraud and computer intrusion in connection with the 2019 Capital One breach. The incident resulted in the theft of payment card application data belonging to 100 million individuals. Thompson scanned for misconfigured AWS accounts and stole data from at least 30 organizations.

Editor's Note

The key quote is “According to the US Attorney's office, Thompson used a tool to scan AWS accounts in search of misconfigurations.” If Capital One, and the other 29 vulnerable AWS users Thompson found with vulnerabilities, had run that tool first, damage would have been avoided. Even better would be cloud service providers routinely scanning and notifying their customers of vulnerable configurations. Amazon, Google and Microsoft seem very good at targeting advertising (for free) to *potential* cloud service customers – seems like a no-brainer for them to be able to do targeted alerts (for free) to existing customers.

John Pescatore

2022-06-17

WordPress Ninja Forms Vulnerability Fixed

A critical code injection vulnerability in the Ninja Forms WordPress plug-in can be exploited to execute arbitrary code or delete arbitrary files. The plug-in has more than one million active installations. The flaw has been fixed in Ninja Forms versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.

Editor's Note

Do not patch this plugin. Uninstall it, and while you are at it either uninstall as many of these plugins as you can or move your WordPress site to a hosted/managed solution.

Johannes Ullrich

(This is me, not repeating my usual caution about WordPress plugins.)

William Hugh Murray

2022-06-20

Flagstar Bank Discloses Data Breach

Michigan-based Flagstar Bank has disclosed that a cyberattack against its network led to the compromise of personal information belonging to 1.5 million of its customers. Flagstar’s corporate network was breached in December 2021; the bank learned that customer data were exposed on June 2, 2022. Flagstar experienced a previous cyberattack; it was the victim of ransomware in January 2021.

Editor's Note

This is a very good cautionary tale to use with your management: in January 2021, Flagstar had a vulnerable Accellion server get exploited in a ransomware attack, customer information was exposed and Flagstar “…engaged a team of third-party forensic experts to investigate and determine the full scope of this incident.” Any expert engagement should have included recommendations to deal with overall security gaps, not just the Accellion issue. If that was acted on, Flagstar should have at least been much faster to detect this latest compromise – they state the attackers had 4-6 months on target (Date(s) Breach Occurred: 12/03-04/2021, Date Breach Discovered: 06/02/2022) – that is a bad metric for a small business, unacceptable for a bank as large as Flagstar that had over $500M in profits in 2021. Cost to avoid the second breach would have been a small fraction of that profit and likely would have been less than the direct costs Flagstar will see from this latest incident.

John Pescatore

The Rest of the Week's News


2022-06-17

Proposed Legislation in US Senate Would Ban Sale of Health and Location Data

A bill introduced in the US Senate would prohibit data miners from selling location and health data. The Health and Location Data Protection Act would also require the Federal Trade Commission (FTC) to establish rules for implementing the law within 180 days of the bill’s passage.

Editor's Note

The real news here is that the sale of health and location data is a business in the first place. There are many legitimate reasons why applications collect health and location data, but selling the data shouldn't be one of them.

Johannes Ullrich

Even politically neutral national data privacy legislation almost never gets passed by US legislators. The broader data privacy legislation that has been proposed should cover Personal Health Information, vs. have individual data types of privacy-sensitive information have different laws.

John Pescatore

2022-06-20

International Effort Disrupts Russian Botnet

The US Department of Justice (DoJ) and law enforcement agencies in the Netherlands, Germany, and the UK have dismantled the infrastructure of a Russian botnet. The botnet, known as RSOCKS, comprised millions of devices around the world, including Internet of Things (IoT) devices, Android devices, and other computers. The botnet was operating as a proxy service, but was offering IP addresses from devices it had compromised rather than legitimately obtained IP addresses.


2022-06-20

Rapid7 Report: Types of Data Most Often Targeted by Ransomware Operators

According to a report from Rapid7, ransomware operators seem to prefer certain types of data over others. The report also finds that financial sector organizations are more likely to experience ransomware attacks than organizations in other sectors. Ransomware operators target sensitive customer data, employees’ personally identifiable information (PII), and human resources data.

Editor's Note

Since protecting all data to the same level is either ineffective or inefficient, this information can be useful.

William Hugh Murray

2022-06-20

BRATA Malware Gains New Features

The BRATA banking trojan has recently added several new features to its capabilities. Analysts from Italian security company Cleafy have detected changes in the ways BRATA, which is an acronym for Brazilian Remote Access Tool Android, conducts its attacks. According to Cleafy, “the [malware’s] modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern.” BRATA threat actors have begun to launch more narrowly targeted attacks, focusing on one financial institution at a time. It also uses new methods of obtaining permissions to access location data, and to send and receive SMS.


2022-06-17

Vulnerability in Cisco Small Business Routers

Cisco will not release updates to address a flaw affecting several models of its small business routers because the devices “have entered the end-of-life process.” The vulnerability could be exploited to allow remote code execution or to create denial-of-service conditions. According to a Cisco security advisory, the “vulnerability is due to insufficient user input validation of incoming HTTP packets.” Users are urged to migrate to newer routers.

Editor's Note

One can usually replace these routers for less than the cost of the time to repair, were a patch even available.

William Hugh Murray

2022-06-17

Siemens Fixes Flaws in SINEC Network Management System

Researchers from Claroty’s Team82 found more than a dozen vulnerabilities in the Siemens SINEC network management system (NMS). The flaws leave vulnerable systems open to denial-of-service attacks, credential leaks, and remote code execution. Siemens released an update that addresses the vulnerabilities in October 2021.

Internet Storm Center Tech Corner

Critical Vulnerability in Splunk Enterprise Deployment Server Functionality

https://isc.sans.edu/forums/diary/Critical+vulnerability+in+Splunk+Enterprises+deployment+server+functionality/28760/


Malspam Pushes Matanbuchus Malware Leads to Cobalt Strike

https://isc.sans.edu/forums/diary/Malspam+pushes+Matanbuchus+malware+leads+to+Cobalt+Strike/28752/


Odd TCP Fast Open Packets

https://isc.sans.edu/forums/diary/Odd+TCP+Fast+Open+Packets+Anybody+understands+why/28766/


DFSCoerce NTLM Relay Attack

https://github.com/Wh04m1001/DFSCoerce

https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429


Windows Emergency Update Fixes Microsoft 365 Issues on ARM Devices

https://www.bleepingcomputer.com/news/microsoft/windows-emergency-update-fixes-microsoft-365-issues-on-arm-devices/


Safari Vulnerability Analysis

https://googleprojectzero.blogspot.com/2022/06/an-autopsy-on-zombie-in-wild-0-day.html


Internet Explorer Remnants Still an Issue

https://www.darkreading.com/vulnerabilities-threats/internet-explorer-will-likely-remain-an-attacker-target-for-some-time


Proofpoint Discovers Potentially Dangerous Office 365 Functionality

https://www.proofpoint.com/us/blog/cloud-security/proofpoint-discovers-potentially-dangerous-microsoft-office-365-functionality