15 Bullet Friday – The Best Security News of the Week – 2021.03.26

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Microsoft One-Click Tool Mitigates Exchange Server Attacks (Infosecurity Magazine, Mar 16 2021)
Tool designed for customers without dedicated IT or cybersecurity resources.

2. Exploiting Spectre Over the Internet (Schneier on Security, Mar 18 2021)
“Google has demonstrated exploiting the Spectre CPU attack remotely over the web:

Today, we’re sharing proof-of-concept (PoC) code that confirms the practicality of Spectre exploits against JavaScript engines. We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome, and we expect that other modern browsers are similarly vulnerable to this exploitation vector.”

3. The Peculiar Ransomware Piggybacking Off of China’s Big Hack (Wired, Mar 21 2021)
DearCry is the first attack to use the same Microsoft Exchange vulnerabilities, but its lack of sophistication lessens the threat.

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


*AI, IoT, & Mobile Security*
4. Can We Stop Pretending SMS Is Secure Now? (Krebs on Security, Mar 16 2021)
SMS text messages were already the weakest link securing just about anything online, mainly because there are tens of thousands of people (many of them low-paid mobile store employees) who can be tricked or bribed into swapping control over a mobile phone number to someone else. Now we’re learning about an entire ecosystem of companies that anyone could use to silently intercept text messages intended for other mobile users.

5. A Hacker’s guide to reducing side-channel attack surfaces using deep-learning (Elie Bursztein’s blog, Mar 21 2021)
This talk showcases SCALD, our tool that leverages deep-learning explainability and dynamic execution to automatically find which parts of a crypto-hardware implementation are responsible for leaking the information exploited by side-channel attacks.

6. Chinese APT Targets Telcos in 5G-Related Cyber-Espionage Campaign (Dark Reading, Mar 16 2021)
Telemetry suggests that the threat actor behind Operation Dianxun is Mustang Panda, McAfee says.

*Cloud Security, DevOps, AppSec*
7. New Malware Hidden in Apple IDE Targets macOS Developers (Dark Reading, Mar 19 2021)
XcodeSpy is latest example of growing attacks on software supply chain.

8. Researchers Discover Two Dozen Malicious Chrome Extensions (Dark Reading, Mar 22 2021)
Extensions are being used to serve up unwanted ads, steal data, and divert users to malicious sites, Cato Networks says.

9. Facebook Paid Out $50K for Vulnerabilities Allowing Access to Internal Systems (SecurityWeek, Mar 19 2021)
A researcher says he has earned more than $50,000 from Facebook after discovering vulnerabilities that could have been exploited to gain access to some of the social media giant’s internal systems.

*Identity Mgt & Web Fraud*
10. Details of a Computer Banking Scam (Schneier on Security, Mar 22 2021)
“This is a longish video that describes a profitable computer banking scam that’s run out of call centers in places like India. There’s a lot of fluff about glitterbombs and the like, but the details are interesting. The scammers convince the victims to give them remote access to their computers, and then convince them that they’ve mistyped a dollar amount and have received a large refund that they didn’t deserve. Then they convince the victims to send cash to a drop site, where a money mule retrieves it and forwards it to the scammers.

I found it interesting for several reasons. One, it illustrates the complex business nature of the scam: there are a lot of people doing specialized jobs in order for it to work. Two, it clearly shows the psychological manipulation involved, and how it preys on the unsophisticated and vulnerable. And three, it’s an evolving tactic that gets around banks increasingly flagging and blocking suspicious electronic transfers.”

11. Google Reveals What Personal Data Chrome and Its Apps Collect On You (The Hacker News, Mar 23 2021)
Privacy-focused search engine DuckDuckGo called out rival Google for “spying” on users after the search giant updated its flagship app to spell out the exact kinds of information it collects for personalization and marketing purposes.

“After months of stalling, Google finally revealed how much personal data they collect in Chrome and the Google app. No wonder they wanted to hide it,” the company said in a tweet. “Spying on users has nothing to do with building a great web browser or search engine.”

12. Ransomwared Bank Tells Customers It Lost Their SSNs (VICE, Mar 22 2021)
A data breach that already hit bank employees just got much worse.

*CISO View*
13. Acer Reportedly Hit With $50M Ransomware Attack (Dark Reading, Mar 22 2021)
Reports say a ransomware gang has given Acer until March 28 to pay, or it will double the ransom amount.

14. Why SASE matters and what security pros need to know (SC Media, Mar 22 2021)
Think of SASE as an architecture model, although sometimes it’s referred to as a concept or framework. It combines software-defined wide area networking (SD-WAN) with comprehensive security capabilities to support today’s cloud-based computing environments and the realities of a mobile workforce.

15. Accellion Supply Chain Hack (Schneier on Security, Mar 23 2021)
“A vulnerability in the Accellion file-transfer program is being used by criminal groups to hack networks worldwide.

There’s much in the article about when Accellion knew about the vulnerability, when it alerted its customers, and when it patched its software.

The governor of New Zealand’s central bank, Adrian Orr, says Accellion failed to warn it after first learning in mid-December that the nearly 20-year-old FTA application — using antiquated technology and set for retirement — had been breached.”
