The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software (Krebs on Security, Mar 05 2021)
“At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity.”
2. A Basic Timeline of the Exchange Mass-Hack (Krebs on Security, Mar 08 2021)
“Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Here’s a brief timeline of what we know leading up to last week’s mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program.”
3. Four Microsoft Exchange Zero-Days Exploited by China (Schneier on Security, Mar 04 2021)
Microsoft has issued an emergency Microsoft Exchange patch to fix four zero-day vulnerabilities currently being exploited by China.
Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Deepfake videos of Tom Cruise went viral…to boost awareness. (NBC News, Mar 05 2021)
The creator of a series of deepfake Tom Cruise videos that garnered more than 11 million views on TikTok said he never wanted to trick people.
5. Thousands of Mobile Apps Expose Data via Misconfigured Cloud Containers (SecurityWeek, Mar 05 2021)
Thousands of mobile applications expose user data through insecurely implemented cloud containers, according to a new report from security vendor Zimperium.
6. 10 Google Play Apps Found Containing Banking Malware (Infosecurity Magazine, Mar 09 2021)
Malicious dropper also loaded RAT onto victim devices
*Cloud Security, DevOps, AppSec*
7. Cloud has put security configuration errors in the spotlight (SC Media, Mar 04 2021)
Capital One was hit with an $80 million fine because of a cloud misconfiguration. Today’s columnist, Carolyn Crandall of Attivo Networks, offers insights on how to identify and prevent these errors.
8. Malicious NPM packages target Amazon, Slack with new dependency attacks (BleepingComputer, Mar 08 2021)
Threat actors are targeting Amazon, Zillow, Lyft, and Slack NodeJS apps using the new ‘Dependency Confusion’ vulnerability to steal Linux/Unix password files and open reverse shells back to the attackers.
9. Introducing Cloud Code Secret Manager Integration (Google Cloud Blog, Mar 09 2021)
“Storing secrets like database credentials and passwords in code is never secure. Wouldn’t it be great if your IDE tool could help you write more secure code? That’s why we’re excited to announce the new Cloud Code integration with Secret Manager!
Today, many applications require credentials to connect to a database, API keys to invoke a service, or certificates for authentication. Managing and securing access to these secrets is often complicated by secret sprawl, poor visibility, or lack of integrations. To help you build more secure applications, without the hassle of figuring out complicated ways to store your secrets, we built Secret Manager.”
*Identity Mgt & Web Fraud*
10. Verkada Workers Had Extensive Access to Private Customer Cameras (Bloomberg, Mar 10 2021)
More than 100 employees at security camera startup Verkada Inc. could peer through the cameras of its thousands of customers, including global corporations, schools and police departments, according to three former employees aware of the company’s security protocols.
11. Virginia Passes New Data Protection Law (Infosecurity Magazine, Mar 08 2021)
Virginia Consumer Data Protection Act signed into law
12. Facial Recognition Company Sued by California Activists (SecurityWeek, Mar 11 2021)
Civil liberties activists are suing a company that provides facial recognition services to law enforcement agencies and private companies around the world, contending that Clearview AI illegally stockpiled data on 3 billion people without their knowledge or permission.
13. On Not Fixing Old Vulnerabilities (Schneier on Security, Mar 09 2021)
“How is this even possible?
…26% of companies Positive Technologies tested were vulnerable to WannaCry, which was a threat years ago, and some even vulnerable to Heartbleed. “The most frequent vulnerabilities detected during automated assessment date back to 2013-2017, which indicates a lack of recent software updates,” the report stated.
26%!? One in four networks?”
14. Chinese hackers targeted SolarWinds customers in parallel with Russian op (Ars Technica, Mar 08 2021)
New data suggests that Russia wasn’t the only nation state hacking customers.
15. Warning the World of a Ticking Time Bomb (Krebs on Security, Mar 09 2021)
“Globally, hundreds of thousands of organizations running Exchange email servers from Microsoft just got mass-hacked, including at least 30,000 victims in the United States. Each hacked server has been retrofitted with a “web shell” backdoor that gives the bad guys total, remote control, the ability to read all email, and easy access to the victim’s other computers. Researchers are now racing to identify, alert and help victims, and hopefully prevent further mayhem.”