
Security News in Review: Bugs, Trains, and Private Banks

Posted by Nuni Snowden on June 5, 2021

BUGS, TRAINS, AND PRIVATE BANKS

This week was a doozy. Several large-scale organizations have experienced some form of cyberattack. Cloud vulnerabilities and malicious apps, masquerading as well-known services, have also taken up space in official app stores. Keep reading for a summary of this week’s top news!

JBS Suffers After a Recent Cyberattack


JBS, a global meat processing company, has suffered a cyberattack that forced it to shutter part of its North American and Australian operations. Although the company hasn’t been forthcoming with details, it “took immediate action, suspending all affected systems, notifying authorities and activating the company’s global network of IT professionals and third-party experts to resolve the situation,” according to a statement provided to Security Magazine. The fallout has been compared to the Colonial Pipeline breach, although JBS states it is unaware of any evidence that customer, supplier, or employee data has been compromised or misused as a result of the incident.

Vulnerability in Lasso Library Has Major Consequences

Lasso is an acronym for Liberty Alliance Single Sign On. It is a C library implementing the Liberty Alliance and SAML (Security Assertion Markup Language) standards for federated identity, single sign-on (SSO), and related protocols. Lasso has a vulnerability, tracked as CVE-2021-28091, that was initially reported to Akamai because it was discovered in the company’s Enterprise Application Access (EAA) product.

Cisco has also confirmed that it uses the Lasso library, and the networking behemoth is working to determine which of its products are affected. Currently, Cisco’s advisory lists Adaptive Security Appliance (ASA), Content Security Management Appliance (SMA), Email Security Appliance (ESA), FXOS software, Web Security Appliance (WSA), and Firepower Threat Defense (FTD) as vulnerable. Of course, other vendors and Linux distributions may be affected as well; read more at SecurityWeek.

Pulse Secure VPN Products Have Been Infected With Malware From 16 Chinese “Families”


Someone has it out for Ivanti Pulse Connect Secure VPN appliances. FireEye Mandiant, collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) and Ivanti, reported details of 16 malware families designed exclusively to infect Pulse products; they are believed to be affiliated with the Chinese government. The potential compromises are vast and spread across the defense, government, high tech, transportation, and financial sectors in the United States and Europe. The researchers said that the espionage activity by UNC2630 and UNC2717 supports important Chinese government priorities. Read more about the CISA and FireEye findings here.

A “Fancy” WordPress Plug-In Leads To Vulnerabilities 

Fancy Product Designer, a WordPress plug-in installed on more than 17,000 websites, has been compromised. The plug-in contains a recently discovered critical file upload vulnerability that WordPress has addressed. Researchers from Wordfence, which develops security solutions to protect WordPress, say they found the vulnerability on Monday.

The Wordfence Intelligence Team contacted the plug-in's developer on that very day and received a response within 24 hours. "As this is a Critical 0-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to completely uninstall Fancy Product Designer, if possible, until a patched version is available," Wordfence says in a statement. Read more about the vulnerability here.

NYC IS UNDER ATTACK

Ok, not really. Or, at least, not physically. Threat actors with suspected ties to China penetrated the New York transit agency’s computer systems in April, an M.T.A. document shows. Transit officials say the intrusion did not and does not pose a risk to riders. However, the breach was the third — and most impactful — cyberattack on the transit network. While no one is certain why the M.T.A. was a target of the campaign, investigators have several theories.

One focuses on China’s push to dominate the multibillion-dollar market for rail cars. Stolen information could reveal the inner workings of a transit system that awards lucrative contracts. Following the breach, the M.T.A. required five percent of its total workforce to change their passwords. The M.T.A. also reset other digital certificates that — similar to passwords — enable access to the authority’s network, and migrated its systems from Pulse Connect Secure to a different virtual private network. The response to the intrusion cost the agency an estimated $370,000. Read more about the M.T.A. attack here.

Here’s Another Argument For MFA

No, not the creative degree: multi-factor authentication. As cybersecurity providers have grown smarter, so have threat actors. Multi-factor authentication, which has become the “gold standard” in online identity protection, has significantly increased the security of online consumer transactions. Even so, a highly targeted attack can spell millions in losses, and it’s no surprise that a malicious scheme has emerged to defeat one variety of two-factor authentication. The hack is called a SIM swap or SIM-jacking, and it exposes a major flaw in any 2FA system that depends on SMS reliably delivering one-time verification codes.


Those responsible for an organization’s security must rethink any secure transactions that rely on a mobile number for 2FA. They must now consider the new threat scenarios that emerge when the customer no longer controls that mobile number. Read more about the old hack with new tricks here.
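The point above, as an added example that is not from the article: a policy check that refuses SMS as the second factor whenever the number’s binding to the customer is in doubt (or the transaction is high-value) and steps up to an enrolled authenticator-app or WebAuthn factor instead. The carrier SIM-change lookup, field names, thresholds and sample scenarios are assumptions constructed for this illustration.

```python
"""SIM-swap-aware second-factor policy (added example, not from the article).
An SMS code only proves that whoever currently holds the phone number got it,
so SMS is refused whenever the number's binding to the customer is in doubt or
the transaction is high-value. Names, thresholds and data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

SIM_CHANGE_COOLDOWN = timedelta(days=7)     # assumed policy window
HIGH_VALUE_THRESHOLD = 1000.0               # assumed: never SMS-only above this
STRONG_FACTOR_ORDER = ("webauthn", "totp")  # prefer the phishing-resistant factor

@dataclass
class Account:
    user_id: str
    phone_number: str
    phone_changed_at: Optional[datetime]      # when the number on file last changed
    strong_factors: List[str] = field(default_factory=list)

@dataclass
class CarrierSignal:
    """Constructed stand-in for a carrier SIM-change / port-out lookup."""
    phone_number: str
    sim_changed_at: Optional[datetime]

def _recent(ts: Optional[datetime], now: datetime) -> bool:
    return ts is not None and now - ts < SIM_CHANGE_COOLDOWN

def choose_second_factor(account: Account, signal: CarrierSignal,
                         amount: float, now: datetime) -> Tuple[str, str]:
    """Return (factor, reason): 'sms', an enrolled strong factor, or 'deny'."""
    indicators = []
    if _recent(signal.sim_changed_at, now):
        indicators.append("recent SIM change or port reported by carrier")
    if _recent(account.phone_changed_at, now):
        indicators.append("number on account changed recently")
    if amount >= HIGH_VALUE_THRESHOLD:
        indicators.append("high-value transaction")
    if not indicators:
        return "sms", "no SIM-swap indicators; SMS code acceptable"
    for factor in STRONG_FACTOR_ORDER:     # step up to a factor SIM swapping cannot obtain
        if factor in account.strong_factors:
            return factor, "; ".join(indicators)
    return "deny", "; ".join(indicators) + "; no strong factor enrolled"

# Constructed scenarios: a clean carrier lookup and one showing a SIM change yesterday.
SAMPLE_NOW = datetime(2021, 6, 5, tzinfo=timezone.utc)
SAMPLE_ACCOUNT = Account("cust-1", "+15555550100", None, ["totp"])
SAMPLE_CLEAN = CarrierSignal("+15555550100", None)
SAMPLE_SWAPPED = CarrierSignal("+15555550100", SAMPLE_NOW - timedelta(days=1))
```

A customer with no enrolled strong factor gets "deny" rather than a fallback to SMS, which is the decision the article is asking security teams to make explicitly.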

Morgan Stanley Has Struck A Deal With Microsoft’s Azure Cloud Computing Platform

Morgan Stanley is shifting some of its core workloads to Microsoft Corp.’s Azure cloud platform in order to accelerate the modernization of its IT environment. It is also working with Azure to roll out new cloud features that executives of the two companies said will benefit its clients and the highly regulated financial services industry. Leadership at Morgan Stanley says the move to the cloud is “absolutely necessary.”

Bank of America Corp. and IBM forged a similar partnership just months before the COVID-19 pandemic struck. Still, Jerry Silva, a research vice president at research firm IDC, doesn’t see banks migrating all of their workloads to the cloud: “But they will create operating environments that span on-premise, private, and public cloud, probably with multiple cloud services providers.” Read more about the partnership here.


Adversaries Are Creating (More) Fake Apps

That sense of security you might feel when browsing an app store is now false. Bitdefender has discovered a new malware campaign in which cybercriminals develop spoofed versions of real apps. Once installed on a mobile device, these apps can steal your personal data and sensitive information. At least five apps were discovered that mimic their real-life counterparts, and they are packed with the highly infectious TeaBot banking trojan. Also known as Anatsa, the malware can in some cases give hackers complete control of an infected device. Read more about the fake apps, and how to spot them, here.

Nobelium Launches Spearphishing Campaign

The threat actors behind the SolarWinds supply chain attack are at it again. Microsoft has observed an ongoing spearphishing campaign launched by Nobelium, also tracked as APT29 or Russia's SVR. Volexity has also been tracking the campaign and attributes it "with moderate confidence" to APT29. This new, wide-scale email campaign leverages the legitimate service Constant Contact to send malicious links that were obscured behind the mailing service’s URL. 

Automated email threat detection systems blocked most of the malicious emails and marked them as spam due to the high volume of emails distributed in this campaign. Still, some automated threat detection systems may have delivered some of the earlier emails to recipients, either because of configuration and policy settings or because detections were not yet in place. To read more about the spearphishing campaign, click here.

Martha’s Vineyard Ferry Has Experienced a Disruption

A ransomware attack has disrupted ferry services in Cape Cod, Martha’s Vineyard, and Nantucket. The region’s Steamship Authority announced that it has “been the target of a ransomware attack that is affecting operations” and said passengers might experience service delays, although no ferries have been canceled. Details are still forthcoming, but the attack has been compared to the JBS and Colonial Pipeline hacks. To learn more about the Martha’s Vineyard ferry attack, click here.
