Below are the top headlines we’ve been reporting this whole week on Cyber Security Headlines.
If you’d like to hear and participate in a discussion about them, the CISO Series does a live 20-minute show every Friday at 12:30pm PT/3:30pm ET. Each week we welcome a different cyber practitioner to offer some color to the week’s stories. Our guest this week is John Overbaugh, VP, security, CareCentrix.
If you want to get involved you can watch live and participate in the discussion on [LinkedIn Live](https://www.linkedin.com/video/event/urn:li:ugcPost:6863874461758750720/)
(register), or you can just [subscribe to the Cyber Security Headlines podcast](https://cisoseries.com/subscribe-podcast/) and get it into your feed.
Here are some of the stories we’ll be covering:
# Feds likely to fall short of deadline for strengthening encryption, multifactor authentication
President Joe Biden’s ambitious May cybersecurity executive order is widely expected to miss a deadline today affecting a much desired improvement: the implementation of multifactor authentication and encryption at all civilian federal agencies. The task of implementing MFA and encryption is complicated because agencies have so many information systems to protect, many have legacy systems that make deployment difficult, and others are struggling with the cost. The executive order requires agencies that don’t meet the deadline to explain why in writing, giving officials a blueprint on the challenges still to overcome.
# Facebook outage a prime example of insider threat by machine
An opinion piece published by Christopher Burgess in CSO Online suggests that the October 4, 2021 outage at Facebook was a self-inflicted wound caused by its own network engineering team. He points out how Facebook, on its own blog, stated “a command was issued with the intention to assess the availability of global backbone capacity, which unintentionally took down all connections in our backbone network, disconnecting Facebook data centers globally.” Despite having fail-safe processes in place to prevent this type of mistake, “a bug in that audit tool prevented it from properly stopping the command.” Burgess states this is a result of the Peter Principle, in which network leaders in IT and security are promoted despite lacking adequate hands-on experience, paired with an internal architecture that failed the most basic of network tenets: do not allow for a single point of failure.
# US infrastructure bill includes cybersecurity provisions
Late last week the US House passed the bipartisan Infrastructure Investment and Jobs Act, approved by the Senate back in August and now awaiting the President’s signature. There are a lot of programs within the bill, but the biggest for this show is a $1.9 billion boost in government cybersecurity spending. This includes a $1 billion grant program from FEMA to help state, local, tribal and territorial governments modernize systems to protect sensitive data, information, and public critical infrastructure over the next four years. The bill also includes $65 billion for broadband expansion.
# Drone loses battle against power station
According to a joint security bulletin from DHS, the FBI, and the National Counterterrorism Center, in July 2020 a DJI Mavic 2 drone approached a Pennsylvania power substation in what was an attempt to “disrupt operations by creating a short circuit” using a thick copper wire connected to the drone. This is the first known incident of using an unmanned aircraft system to “specifically target” US energy infrastructure. The drone crashed on a roof before reaching its target but the operator has not been found. The operator removed several sensors and cameras from the drone in order to avoid detection, meaning it had to be flown by line of sight, likely causing the crash.
# Robinhood breach impacts millions of customers
Robinhood Markets, Inc. disclosed that it suffered a data breach on November 3, affecting approximately 7 million customers. A threat actor tricked a customer service representative into providing access to internal support systems, from which the attacker then accessed email addresses of five million users and full names of approximately two million more. For 310 users, names, dates of birth, and zip codes were exposed, while more extensive account details for approximately 10 more customers were also disclosed. The attacker then attempted to blackmail the company, demanding payment. In an apparent attempt to help its customers avoid falling victim to a social engineering scam such as the one that worked on its own employee, Robinhood is directing concerned customers to its website Help Center, stating, “we’ll never include a link to access your account in a security alert.”
# Hacking campaign now targeting Docker servers
In an ongoing campaign which began last month, poorly configured Docker servers are being actively targeted by the TeamTNT hacking group. According to a report from TrendMicro, the campaign uses exposed Docker REST APIs to install Monero cryptominers, scan for other vulnerable Internet-exposed Docker instances, and perform container-to-host escapes to access the main network. The container image used is based on the AlpineOS system and configured to allow root-level permissions on the underlying host. TrendMicro has seen over 150,000 pulls of malicious Docker Hub account images during the campaign.
Docker containers represent the worst of third-party software composition. Pulling a Docker container off the Internet is like sipping from a soda you found on the beach. Unless you know what makes up your third-party components, you are always at risk. That doesn’t mean containerization is bad – unlike soda – it just means you have to be purposeful about how you approach using it.
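The two conditions the campaign relies on, an unauthenticated Docker REST API reachable over TCP and containers that hold root-level access to the host, are both visible in a host's own configuration. The following audit script is an added example written for this summary; it is not code from Trend Micro's report or from the CISO Series. It reads records in the shape of `docker inspect` output and a `daemon.json` file and flags the weak settings. The container records and both daemon configurations are constructed samples (the `/miner-like` and `/web` names, image tags, paths and addresses are invented for illustration); the field names `HostConfig.Privileged`, `PidMode`, `NetworkMode`, `Binds`, `CapAdd`, `Config.User` and the daemon keys `hosts` and `tlsverify` are the real Docker Engine names.

```python
from typing import Dict, List

# Constructed sample records in the shape of `docker inspect` output
# (only the fields the audit looks at). Names and values are invented.
SAMPLE_CONTAINERS = [
    {
        "Name": "/miner-like",
        "Config": {"Image": "alpine:3.14", "User": ""},
        "HostConfig": {
            "Privileged": True,
            "PidMode": "host",
            "NetworkMode": "host",
            "Binds": ["/:/host", "/var/run/docker.sock:/var/run/docker.sock"],
            "CapAdd": ["CAP_SYS_ADMIN"],
        },
    },
    {
        "Name": "/web",
        "Config": {"Image": "nginx:1.21", "User": "101"},
        "HostConfig": {
            "Privileged": False,
            "PidMode": "",
            "NetworkMode": "bridge",
            "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
            "CapAdd": None,
        },
    },
]

# Constructed daemon.json contents: the weak setting beside the corrected one.
# Port 2375 is the conventional plaintext API port, 2376 the TLS port.
WEAK_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

# Host paths that, bind-mounted into a container, amount to host access.
SENSITIVE_HOST_PATHS = {"/", "/var/run/docker.sock", "/etc", "/root", "/proc", "/sys"}
# Capabilities that let a process escape or tamper with the host kernel.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def audit_container(record: dict) -> List[str]:
    """Return one finding per root-level-access setting in an inspect record."""
    findings: List[str] = []
    host = record.get("HostConfig") or {}
    cfg = record.get("Config") or {}
    if host.get("Privileged"):
        findings.append("privileged: all host devices and capabilities")
    if host.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    if host.get("NetworkMode") == "host":
        findings.append("shares host network namespace")
    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]          # "src:dst[:opts]"
        if src in SENSITIVE_HOST_PATHS:
            findings.append(f"sensitive host path mounted: {src}")
    # Docker accepts both "SYS_ADMIN" and "CAP_SYS_ADMIN"; normalise before comparing.
    caps = {c.upper().removeprefix("CAP_") for c in (host.get("CapAdd") or [])}
    if caps & DANGEROUS_CAPS:
        findings.append(f"dangerous capabilities added: {sorted(caps & DANGEROUS_CAPS)}")
    if (cfg.get("User") or "") in ("", "0", "root"):
        findings.append("runs as root inside the container")
    return findings


def audit_daemon(daemon_json: dict) -> List[str]:
    """Flag a REST API listener that is reachable over TCP without client TLS."""
    findings: List[str] = []
    for h in daemon_json.get("hosts") or []:
        if not h.startswith("tcp://"):
            continue                      # unix sockets are local-only
        addr = h[len("tcp://"):]
        if not daemon_json.get("tlsverify"):
            findings.append(f"REST API on {addr} without TLS client verification")
        if addr.startswith(("0.0.0.0", "[::]")):
            findings.append(f"REST API bound to all interfaces: {addr}")
    return findings


def audit_all(containers: List[dict], daemon_json: dict) -> Dict[str, List[str]]:
    """Map each container name (and 'daemon') to its findings; empty lists mean clean."""
    report = {c.get("Name", "?"): audit_container(c) for c in containers}
    report["daemon"] = audit_daemon(daemon_json)
    return report


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CONTAINERS, WEAK_DAEMON).items():
        print(name, "->", findings or "clean")
    print("hardened daemon ->", audit_daemon(HARDENED_DAEMON) or "clean")
```

On a live host the same functions can be fed `docker inspect $(docker ps -q)` parsed with `json.loads` and the contents of `/etc/docker/daemon.json`; the `/web` record shows the shape a clean result takes, while the `/miner-like` record trips every check the campaign description implies.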
# Trend Micro details long running hacker-for-hire group
According to a new 46-page report from the security company, Void Balaur has advertised its services and offered on-demand intrusions since the mid-2010s, targeting IT companies, telecoms, activists, journalists, and religious leaders. The group has only been observed advertising on Russian-language sites, and was initially believed to be a subgroup of the Russian-backed APT28 due to target overlaps. Initially the group offered the ability to break into specified email or social media accounts, before shifting in 2019 to advertising the sale of private data on individuals in Russia. In 2020 the group began targeting presidential candidates in the Belarus elections, before targeting politicians and government officials in Ukraine, Slovakia, Russia, Kazakhstan, Armenia, Norway, France, and Italy in 2021.
# BazarBackdoor now abuses Windows 10 app feature in social engineering ‘call me back’ attack
On Thursday, researchers from Sophos Labs said the attack was noticed after the cybersecurity firm’s own employees were targeted with spam emails sent by a “Sophos Main Manager Assistant,” one non-existent “Adam Williams,” which demanded to know why a researcher hadn’t responded to a customer’s complaint. To make resolution easier, the email helpfully contained a link to a PDF complaint report. The fake PDF link triggers Microsoft’s Edge browser on Windows 10 to invoke a tool used by the Windows Store application, called AppInstaller.exe, to download and run whatever’s on the other end of that link.