The Week That Was - 2021
Introduction: There is a lot of cyber news chatter out on the internet. A bite-size cyber news summary for busy CIOs/CISOs and executives has always been a challenge. We are introducing a weekly newsletter and blog titled “The Week That Was” to solve this specific problem. Each issue will be a numbered, bite-size news summary with any specific “CALL TO ACTION” that may be needed.
The Week That Was - Week 3, 2021
1. SolarWinds Hack Update
Quick Recap: Attackers gained access to SolarWinds’ network and were able to insert malicious code into their Orion IT monitoring platform. About 18,000 SolarWinds customers received this backdoored version of Orion, which gave the attackers a backdoor into their systems. This impacted customers globally. Those affected included the U.S. Treasury, Commerce, and Homeland Security Departments. The investigation has pointed to the Cozy Bear campaign, which is attributed to Russian state-backed hackers.
What’s new: Security firm Malwarebytes has also reportedly been breached by the same group behind the SolarWinds attack.
Timeline: September 2019: SolarWinds network breached. February 2020: malicious code injected into Orion. June 2020: last evidence of the attacker being active on the SolarWinds network. 12th December 2020: attack detected.
How? Attackers compromised SolarWinds and were able to leverage its CI/CD tooling to insert malware (dubbed “Sunspot”) during the build process. This is particularly clever because it easily bypasses any automated security checks applied before the build, viz., source code review, secure coding assessment tools and so on: the code that reviewers see is clean, and the tampering only appears in the built artifact. At this point it is unclear whether a misconfiguration in the CI/CD tools or a vulnerability in them led to this.
Learnings: These kinds of supply chain attacks are nearly impossible to prevent. Third-party software is everywhere, and more often than not, consumers of that software have no control over the development process, little understanding of its inner workings, and no access to source code. On the other hand, such attacks are relatively easier to detect once the implant starts acting on the victim network. A good defense-in-depth program with a key focus on telemetry collection, early detection and faster IR will go a long way.
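As an added illustration of the build-time injection described above (not code from the newsletter, SolarWinds or the attackers): a toy model in which the reviewed source passes a source-level check, yet an independent rebuild from that same source does not match the shipped artifact. File names, contents and the “injected segment” are all constructed stand-ins.

```python
import hashlib

# Constructed sample "source tree": the code that reviewers audit.
# Nothing here is Orion code; it is a toy stand-in.
SOURCE_TREE = {
    "monitor.c": b"int poll_hosts(void) { return 0; }\n",
    "main.c":    b"int main(void) { return poll_hosts(); }\n",
}

# Constructed stand-in for a segment inserted by a tampered build step.
INJECTED_SEGMENT = b"/* build-time inserted segment (constructed) */\n"


def review_source(tree):
    """Source-level review: passes unless the segment is present in the tree.
    Returns True when the source looks clean (which it does here)."""
    return not any(INJECTED_SEGMENT in data for data in tree.values())


def reproducible_build(tree):
    """Deterministic toy 'compiler': concatenates files in sorted order,
    so anyone with the same source gets a byte-identical artifact."""
    return b"".join(tree[name] for name in sorted(tree))


def compromised_build(tree):
    """Models a tampered CI/CD step: the output no longer equals what the
    reviewed source produces, even though the source itself is unchanged."""
    return reproducible_build(tree) + INJECTED_SEGMENT


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_shipped_artifact(shipped, tree):
    """Defender check: rebuild independently from the reviewed source and
    compare digests with the artifact the vendor shipped."""
    expected = sha256_hex(reproducible_build(tree))
    actual = sha256_hex(shipped)
    return {"match": expected == actual, "expected": expected, "actual": actual}


if __name__ == "__main__":
    shipped = compromised_build(SOURCE_TREE)
    print("source review passed:", review_source(SOURCE_TREE))            # True
    print("artifact matches rebuild:",
          verify_shipped_artifact(shipped, SOURCE_TREE)["match"])          # False
```

The point is the second line of output: only comparing the shipped artifact against an independent, reproducible rebuild surfaces tampering that source review by construction cannot see.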
2. WhatsApp Privacy Policy Change and the Resulting Backlash
WhatsApp had a rough week after widespread backlash against its new privacy policy. It issued explicit clarifications around the policy after it was reported that the new policy allowed all WhatsApp data to be shared with Facebook. It has also pushed back the policy change from February to May to “help everyone understand our principles and the facts.”
So what’s changed in the new privacy policy?
Facebook has just started offering secure hosting services to businesses to help them manage their messages on WhatsApp. If a business is using these services, then any messages you send to it will be shared with Facebook.
Businesses can display their goods on WhatsApp using Facebook Shops, and WhatsApp users’ shopping activity can be used to personalize ads on Facebook and Instagram.
WhatsApp has always shared data with Facebook such as phone number, transaction data, IMEI and IP address. The shared data does not include users’ messages, call history or any conversation data. After the announcement, users fled to alternative chat apps like Telegram and Signal.
3. Trump Bans Eight New Chinese Apps, Including Alipay and WeChat Pay
4. Pfizer-BioNTech Vaccine Data Leaked
In December the European Medicines Agency (EMA) experienced a cyberattack in which the attackers accessed documentation about the Pfizer-BioNTech vaccine that was under regulatory review at the time. This documentation has now been leaked online by the attackers. Their intention is unclear as of now; it is widely assumed that the data could be used to spread misinformation.
5. Ubiquiti Data Breach
Ubiquiti, which sells internet-connected devices such as routers, security cameras and access control systems (key fobs and locks), has been breached. Ubiquiti became aware of an incident at one of its cloud providers that may have exposed customer account information. Credentials for remotely managing Ubiquiti devices may have been exposed, which in some cases could grant bad actors physical access to buildings that use Ubiquiti access control products.
Response: Ubiquiti has informed its customers that they should change their passwords and enable two-factor authentication for access to their devices.
6. New Vulnerabilities
The most interesting new vulnerabilities disclosed this week.
The “Orbit Fox” WordPress plugin has a bug which allows a whole site to be taken over. WordPress is one of the most popular and simplest ways to set up a website or a blog. There has been a seemingly never-ending stream of vulnerable WordPress plugins over the last few months, so be very careful about which plugins you use. Link.
Adobe patched seven critical vulnerabilities, most notably a bug in Photoshop that could enable arbitrary code execution, allowing an attacker to run their own malicious code. Link.
Critical Vulnerability in Microsoft Defender: Microsoft released patches for 10 critical bugs, the most serious being a vulnerability in Microsoft Defender. Microsoft has evidence that the vulnerability is being actively exploited. Microsoft no longer provides much detail when disclosing vulnerabilities, but we know this vulnerability enabled attackers to infect systems with their own malicious executable code, and it is believed that it could have been used as part of the SolarWinds attack. Link.
7. Misc
The world’s largest dark web marketplace, DarkMarket, has been shut down. Records were found of 320,000 transactions worth around £140m. The site sold a wide range of illegal goods, from drugs to stolen credit cards. Link.
Apple has removed a macOS feature called “ContentFilterExclusionList” that allowed some of its own apps, such as Maps, to bypass firewalls and VPNs. Link.
Facebook uncovered four malicious Chrome extensions that were collecting users’ profile data. The extensions were disguised as legitimate messaging and keyboard extensions. Facebook is taking legal action. Link.
Researchers have found a way to determine users’ locations in Telegram. By faking their own location and obtaining the distance to the target user from three distinct points, they were able to calculate a user’s exact location. Link.
Ring adds end-to-end encryption to its smart doorbells and cameras. However, fewer than 50% of its products will support this, with only more recent releases receiving the update. Link.