This week, cloud security gets an upgrade, large companies take responsibility for past mistakes, and threat actors come up with admittedly innovative ways to steal your data. Keep reading to learn more about this week’s top cybersecurity news.
There’s A New Cloud Security Framework In Town -- This new framework has backing from IBM, Microsoft, and Google. It’s called the Cloud Security Notification Framework (CSNF), and it aims to create an open, standard way of delivering security notifications. This matters because the old way is cumbersome and tedious: currently, each of the big cloud platforms has its own methodology for passing security information to logging and security platforms, leaving it to the vendors to find proprietary ways to translate that into a format that works for their tool. If it sounds confusing, that’s because it is. CSNF is relatively new, but it already has big customers like FedEx, Pfizer, and Goldman Sachs.
Many Companies Moved To Cloud-Native Infrastructure In 2020; Security Incidents And Malware Followed -- Many companies have chosen to switch their infrastructure to the cloud in the past year, but with the switch comes an increased chance of compromised data. About 60% of companies say they are more worried about their security now than they have been in the past, according to a report by Snyk. They’re right to be concerned; the same report found: “Companies that had high cloud adoption tended to encounter more incidents of specific [threats] compared with companies that had not moved as many business and development processes to the cloud...high cloud adoption firms tended to see more incidents of misconfiguration (50%), known unpatched vulnerabilities (45%), failed audits (21%), and secrets leaks (18%).” Organizations with low cloud adoption tended to have higher incidences of malware (14%). This is because attackers have now begun to focus more on cloud technologies.
Dell Security Flaw From 2009 Comes Back With A 2020 Vengeance -- Security researchers recently discovered five high-severity flaws in Dell’s firmware update driver -- and these flaws have been traced back to 2009. “This flaw could allow attackers to escalate privileges from a non-administrator user to kernel mode privileges,” writes Kasif Dekel, the security researcher who found the vulnerability. Such a privilege could allow attackers to bypass security software or assault the network of an organization that deploys Dell PCs. However, a remedy is already available for people who own Dell desktops, laptops, and tablets.
A Python Developer Tool Turns Into A Malware Accessory -- A group of researchers from the University of Piraeus have discovered that PyInstaller, a tool intended to convert Python code into standalone applications, can produce malware payloads that slip past many of the most widely used antivirus programs and get their malicious code up and running before being flagged and terminated. Therefore, rather than spend the time and money required to obfuscate their code and create an untraceable malware packer from scratch, threat actors would be able to take advantage of the most popular Python application builder to create packers that are not caught in scans.
The issue lies in how PyInstaller turns Python code into executables. Because Python is a scripting language, PyInstaller does not compile the code to native machine code. Rather, it bundles all the libraries and other components the Python code requires into .pyc files and compressed archives. When the bundled application is launched, a bootloader is spun up and those dependencies are unpacked into a temporary folder and called as needed. The .pyc files, as it turns out, are extremely difficult for most modern antimalware tools to effectively scan.
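Because the bundled archive and its .pyc payloads are opaque to many scanners, a useful defensive triage step is to recognise a PyInstaller-built executable and list what it bundles before it ever runs. The following is an added example, not code from the Piraeus paper or from the PyInstaller project; it assumes the CArchive trailer ("cookie") and table-of-contents layout that PyInstaller 2.1 and later append to a onefile executable, and it builds its own constructed sample binary to parse.

```python
import struct

# Trailer ("cookie") that PyInstaller's archive writer appends to a onefile executable.
PYINST_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"       # magic, package length, TOC offset, TOC length, python version, pylib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88 bytes
ENTRY_FMT = "!iIIIBc"           # entry length, data offset, compressed len, uncompressed len, zlib flag, type code
ENTRY_LEN = struct.calcsize(ENTRY_FMT)     # 18 bytes, followed by the NUL-padded entry name

def parse_pyinstaller(blob: bytes):
    """Return None if blob carries no PyInstaller archive, else a triage summary of what it bundles."""
    pos = blob.rfind(PYINST_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(blob):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(COOKIE_FMT, blob[pos:pos + COOKIE_LEN])
    start = pos + COOKIE_LEN - pkg_len      # the archive begins pkg_len bytes before the end of the cookie
    if start < 0:
        return None
    toc, entries, i = blob[start + toc_off:start + toc_off + toc_len], [], 0
    while i + ENTRY_LEN <= len(toc):
        elen, _, clen, ulen, zflag, tcode = struct.unpack(ENTRY_FMT, toc[i:i + ENTRY_LEN])
        if elen < ENTRY_LEN:
            break                           # corrupt TOC: stop rather than loop forever
        name = toc[i + ENTRY_LEN:i + elen].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"type": tcode.decode(), "name": name, "compressed": clen, "size": ulen, "zlib": bool(zflag)})
        i += elen
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)   # 308 -> 3.8, 37 -> 3.7
    return {"python": f"{major}.{minor}", "pylib": pylib.rstrip(b"\0").decode(), "entries": entries,
            "scripts": [e["name"] for e in entries if e["type"] == "s"],   # 's' entries run at start-up
            "has_pyz": any(e["type"] == "z" for e in entries)}            # 'z' = PYZ archive of .pyc modules

def build_constructed_sample() -> bytes:
    """Constructed stand-in for a onefile binary: fake stub, two archive entries, TOC and cookie."""
    stub = b"MZ" + b"\0" * 62               # placeholder for the bootloader, not a real PE image
    items = [(b"s", b"main", b"fake script bytes"), (b"z", b"PYZ-00.pyz", b"PYZ\0fake modules")]
    data, toc = b"", b""
    for tcode, name, body in items:
        elen = -(-(ENTRY_LEN + len(name) + 1) // 16) * 16   # PyInstaller pads each entry to 16 bytes
        toc += struct.pack(ENTRY_FMT, elen, len(data), len(body), len(body), 0, tcode)
        toc += name.ljust(elen - ENTRY_LEN, b"\0")
        data += body
    pkg_len = len(data) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len, len(data), len(toc), 308, b"python38.dll")
    return stub + data + toc + cookie

if __name__ == "__main__":
    print(parse_pyinstaller(build_constructed_sample()))
```

On a real sample, the names of the 's' entries and the bundled Python version are the first things worth recording in a triage note, since the entry-point script is what the bootloader executes from the temporary folder.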
The State Has Gotten Involved In The Scripps Health Ransomware Attack -- The California Department of Public Health (CDPH) has confirmed that it is monitoring the ransomware attack that has severely impacted Scripps Health facilities throughout San Diego County. Due to the attack, the hospital has been using “appropriate emergency protocols” such as diverting patients to other hospitals and securing their networks. While the CDPH has the authority to involuntarily suspend the licenses of facilities it deems unsafe, the fact that a hospital is operating under emergency protocols does not, in and of itself, warrant such action. Still, it is unclear when or if the situation at Scripps Health will stabilize.
A Banking Trojan Evolves -- A trojan that originated in Brazil has migrated to European targets, and switched its tactics as it moved. ESET researchers have named the Trojan Ousaban, and it has evolved from using pornography as a distribution model to phishing emails. The malware is written in Delphi, a coding language commonly used for South American Trojans, and contains an MSI Microsoft Windows installer package. If executed, the MSI extracts a JavaScript downloader that fetches a .ZIP archive containing a legitimate application that loads the Trojan through DLL side-loading.
Timeline of a Hafnium Attack -- If you’re interested in the Hafnium Attack, i.e., the attacks on Microsoft Exchange servers around the world by the Chinese state-sponsored threat group Hafnium that are believed to have affected over 21,000 organizations, there’s a timeline presented at Security Boulevard. The impact of these attacks is growing as the four zero-day vulnerabilities get picked up by new threat actors. By chaining these four zero-days, the attackers are able to scan the internet for exposed Exchange Servers and gain access to them through Outlook Web Access (OWA). Again, this post by Security Boulevard has all the details.
These Are The Vulnerabilities That You Need To Patch Now -- Russian threat actors are using new techniques. A joint advisory by the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the National Security Agency (NSA), and the UK National Cyber Security Centre warns organizations about updated tactics used by Russia's foreign intelligence service, the SVR -- a group also known to cybersecurity researchers as APT29, Cozy Bear, and The Dukes. The advisory warns that Russian cyber attackers have updated their techniques and procedures in an effort to infiltrate networks and avoid detection, especially as some organizations have adjusted their defenses after previous alerts about cyber threats.