September 3, 2021

Top cybersecurity stories for the week of 8-30-21 to 9-3-21


Below are the top headlines we’ve been reporting this whole week on Cyber Security Headlines.

If you’d like to hear and participate in a discussion about them, the CISO Series does a live 20-minute show every Friday at 12:30pm PT/3:30pm ET. Each week we welcome a different cyber practitioner to offer some color to the week’s stories. Our guest this week is Marnie Wilking, Global Head of Security & Technology Risk Management, Wayfair.

If you want to get involved you can watch live and participate in the discussion on Crowdcast ([register](https://www.crowdcast.io/e/cyber-security-headlines)), or you can just [subscribe to the Cyber Security Headlines podcast](https://cisoseries.com/subscribe-podcast/) and get it into your feed.

Here are some of the stories we’ll be covering.

## “Worst cloud vulnerability you can imagine” discovered in Microsoft Azure

[Extended story] Cloud security vendor Wiz announced that it had found a vulnerability in Microsoft Azure’s managed database service, Cosmos DB, which granted read/write access to every database on the service to any attacker who found and exploited the bug. Although Wiz only found the vulnerability, which it named “ChaosDB”, two weeks ago, the company says it had been lurking in the system for “at least several months, possibly years.” Not all the details have been released, but it appears to involve a misconfiguration in the Jupyter Notebook feature that Cosmos DB bundles for exploring, and running machine learning code against, data stored in the service (Jupyter itself is an independent open-source project, not Microsoft’s).

Microsoft rapidly fixed the configuration mistake that would have made it easy for any Cosmos DB user to get into other customers’ databases, then notified some users on Thursday to change their keys. However, the Wiz researchers are now urging all users to change their access keys, not just the roughly 3,300 notified last week: the flaw had been exploitable for months, and the exposed secret, the account’s primary key, is a long-lived credential that only the customer can rotate. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency used stronger language in a bulletin on Friday, making clear it was speaking not just to those notified. “CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate key,” the agency said. One practical caveat: every Cosmos DB account has a primary and a secondary read-write key (plus read-only counterparts), so regenerating only one of them leaves the other usable; the downtime-free sequence is to regenerate the secondary key, repoint applications to it, then regenerate the primary. Experts at Wiz, founded by four veterans of Azure’s in-house security team, agreed. One of the founders went on record describing the discovery as “terrifying.”

([Ars Technica](https://arstechnica.com/information-technology/2021/08/worst-cloud-vulnerability-you-can-imagine-discovered-in-microsoft-azure/) and [Reuters](https://mobile-reuters-com.cdn.ampproject.org/c/s/mobile.reuters.com/article/amp/idUSKBN2FT0K8))

## Cyber Fellowship program to train attorneys on cyber threats

The US Department of Justice announced the new program, which is run by the Criminal Division’s Computer Crime and Intellectual Property Section. It will train federal attorneys across the department’s cyber-focused components, going into detail on cybersecurity-related cases such as the operations of state-sponsored threat actors and cybercrime organizations. The goal is to create a “new generation of prosecutors and attorneys equipped to handle emerging national security threats.” Candidates will need to obtain a Top Secret security clearance and commit to the three-year program.

([Security Affairs](https://securityaffairs.co/wordpress/121646/security/us-doj-cyber-fellowship-program.html?utm_source=feedly&utm_medium=rss&utm_campaign=us-doj-cyber-fellowship-program))

## Intermittent encryption hopes to make ransomware worse

Security researchers at Sophos analyzed a new ransomware family called LockFile, which employs a novel intermittent encryption technique: rather than encrypting whole files, it encrypts every other 16-byte block and leaves the alternating blocks in the clear. The partially encrypted file is statistically much closer to the original than a fully encrypted one would be, so detection that relies on chi-squared or entropy analysis of file contents to spot encryption does not trigger. LockFile also uses memory-mapped input/output: it maps each file into memory and encrypts the cached copy there, leaving the operating system to flush the changes to disk, so the ransomware process itself performs few observable file writes. After encrypting, it deletes its own binary, leaving nothing behind for analysis and cleanup. The LockFile operators have been using the recently disclosed ProxyShell vulnerabilities to compromise Microsoft Exchange servers and the PetitPotam NTLM relay attack to take over Windows domain controllers.

([CISO Mag](https://cisomag.eccouncil.org/new-ransomware-lockfile-targets-victims-with-intermittent-encryption-technique/))
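Sophos’s point that intermittent encryption defeats content-statistics detection can be seen directly. The following Python example is added here and is not code from the page, from Sophos or from LockFile itself: it applies a toy XOR keystream (a stand-in for the real cipher, chosen only because it produces uniformly distributed bytes) to alternate 16-byte blocks of a constructed text sample, then compares the chi-squared statistic of that file with a fully encrypted copy and the untouched original, and runs a naive “looks uniformly random” detector over all three. The key, sample text and detector threshold are all constructed for the example.

```python
"""Intermittent (every-other-16-byte) encryption versus full-file encryption,
measured with the chi-squared statistic that content-based ransomware
detectors use to spot encrypted data.

Added example, not code from the page, Sophos or LockFile. The cipher is a
toy keystream (SHA-256 in counter mode, XORed in) standing in for the real
one; only its property of producing uniformly distributed bytes matters."""
import hashlib

BLOCK = 16                      # LockFile encrypts alternating 16-byte blocks
KEY = b"constructed-demo-key"   # constructed for the example

# Constructed sample document: ordinary English text, a few KB long.
SAMPLE = (
    b"Mortgage application 2021-0417: applicant requests a 30-year fixed "
    b"rate loan; income verified, appraisal scheduled for next week.\n"
) * 40


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || 64-bit counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_full(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the keystream (the same call decrypts)."""
    ks = keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_intermittent(data: bytes, key: bytes, block: int = BLOCK) -> bytes:
    """XOR only blocks 0, 2, 4, ... of `block` bytes; blocks 1, 3, 5, ... are
    left as plaintext. Same keystream as encrypt_full, so the same call decrypts."""
    ks = keystream(key, len(data))
    out = bytearray(data)
    for start in range(0, len(data), 2 * block):
        for i in range(start, min(start + block, len(data))):
            out[i] ^= ks[i]
    return bytes(out)


def chi_squared(data: bytes) -> float:
    """Chi-squared of the byte histogram against a uniform distribution.
    Uniform random bytes score about 255 (the degrees of freedom); natural
    text scores in the tens of thousands for a few KB."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


# Naive detector: flag content whose score is within 4x of what truly random
# bytes produce (255 expected). The factor is a constructed choice.
THRESHOLD = 4 * 255


def classify(data: bytes, threshold: float = THRESHOLD) -> str:
    return "encrypted" if chi_squared(data) < threshold else "plaintext"


def run_demo(sample: bytes = SAMPLE, key: bytes = KEY) -> dict:
    """Return chi-squared scores and detector verdicts for the three variants."""
    variants = {
        "plaintext": sample,
        "full": encrypt_full(sample, key),
        "intermittent": encrypt_intermittent(sample, key),
    }
    return {
        "chi2": {name: chi_squared(d) for name, d in variants.items()},
        "verdict": {name: classify(d) for name, d in variants.items()},
    }


if __name__ == "__main__":
    result = run_demo()
    for name in result["chi2"]:
        print(f"{name:13s} chi2={result['chi2'][name]:10.1f}  {result['verdict'][name]}")
```

The fully encrypted copy scores near 255 and is flagged; the intermittently encrypted copy, with half its bytes still English text, scores thousands of times higher and lands on the plaintext side of the threshold even though every file it touches is unreadable. A detector that wants to catch this has to look at per-block statistics, write patterns or process behaviour rather than the whole-file distribution.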

## CISA adds single-factor authentication to the list of bad practices

Single-factor authentication, meaning logging in with a single factor such as a username and password alone, was added to CISA’s short list of “exceptionally risky” cybersecurity practices that could expose critical infrastructure, government and private sector entities to cyberattack. The list now has three entries: use of unsupported (or end-of-life) software; use of known, fixed or default passwords and credentials; and use of single-factor authentication for remote or administrative access to systems. It will soon get longer, as CISA is considering adding weak cryptographic functions, flat network topologies, mingling of IT and OT networks, lack of least privilege, use of previously compromised systems without sanitization, transmission of unauthenticated traffic over uncontrolled networks, and poor physical controls.

([The Hacker News](https://thehackernews.com/2021/08/cisa-adds-single-factor-authentication.html))

## Zoom-call gaffes led to someone getting axed, 1 in 4 bosses say

Nearly 1 in 4 executives have fired a staffer for slipping up during a video or audio conference, and most have taken some sort of disciplinary action for gaffes made in virtual meetings, according to a survey of 200 managers at large companies. The survey, commissioned by Vyopta Inc., which helps companies manage their workplace collaboration and communication systems, identified the top four career-ending mistakes as joining a call late, having a bad Internet connection, accidentally sharing sensitive information and, of course, not knowing when to mute yourself.

([Bloomberg](https://www.bloomberg.com/news/articles/2021-08-31/zoom-call-gaffes-led-to-someone-getting-axed-1-in-4-bosses-say))

## Fired employee deletes customer data on the way out

A former New York credit union employee pleaded guilty to accessing the financial institution’s systems without authorization. Angry over her recent firing, the employee said she deleted over 21GB of data as an act of revenge, destroying mortgage loan applications and other sensitive information. She had worked part-time and remotely, and the credit union’s IT department did not disable her remote access credentials until more than two days after she was let go. Logged in for about forty minutes, she deleted roughly 20,000 files and around 3,500 directories. Although the institution was able to restore most of the deleted files from backups, it estimated the recovery cost at $10,000.

([Bleeping Computer](https://www.bleepingcomputer.com/news/security/fired-ny-credit-union-employee-nukes-21gb-of-data-in-revenge/))
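The failure here is an offboarding gap: the account outlived the employment by more than two days. The following Python example is added here and is not code from the page, from Bleeping Computer or from the credit union. It reconciles a constructed HR termination feed against constructed VPN authentication log lines and a constructed directory snapshot, reporting every successful login that happened after an employee’s termination time (with the lag) and every terminated account that is still enabled. The log format, field names, usernames and addresses are assumptions made for illustration.

```python
"""Offboarding reconciliation: find credentials still usable after termination.

Added example, not code from the page or the credit union. The log format,
field names and every record below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

UTC = timezone.utc

# Constructed HR feed: username -> termination timestamp (UTC).
TERMINATIONS = {
    "jdoe": datetime(2021, 5, 19, 17, 0, tzinfo=UTC),
    "asmith": datetime(2021, 5, 20, 12, 0, tzinfo=UTC),
}

# Constructed directory snapshot taken when the check runs: enabled accounts.
ENABLED_ACCOUNTS = {"jdoe", "bwong", "clee"}

# Constructed time at which the check runs.
CHECK_TIME = datetime(2021, 5, 22, 9, 0, tzinfo=UTC)

# Constructed VPN gateway log, one event per line (assumed key=value format).
AUTH_LOG = """\
2021-05-19T09:02:11Z vpn-gw01 auth user=jdoe result=success src=203.0.113.7
2021-05-19T17:05:40Z vpn-gw01 auth user=jdoe result=failure src=203.0.113.7
2021-05-20T08:30:00Z vpn-gw01 auth user=asmith result=success src=203.0.113.9
2021-05-21T19:10:03Z vpn-gw01 auth user=jdoe result=success src=198.51.100.23
2021-05-21T19:52:18Z vpn-gw01 logout user=jdoe src=198.51.100.23
2021-05-22T07:15:27Z vpn-gw01 auth user=bwong result=success src=203.0.113.12
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"result=(?P<result>\w+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    user: str
    when: datetime
    src: str
    lag: timedelta  # how long after termination the login still succeeded


def parse_auth_events(log: str):
    """Yield (timestamp, user, result, src) for every 'auth' record."""
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # logout and other record types are not authentications
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["user"], m["result"], m["src"]


def post_termination_logins(log: str, terminations: dict,
                            grace: timedelta = timedelta(0)) -> list:
    """Successful logins by terminated users after termination (+ grace),
    oldest first. Failed attempts are ignored: they show the account was
    targeted, not that it was usable."""
    findings = []
    for ts, user, result, src in parse_auth_events(log):
        term = terminations.get(user)
        if term is None or result != "success":
            continue
        if ts > term + grace:
            findings.append(Finding(user, ts, src, ts - term))
    return sorted(findings, key=lambda f: f.when)


def still_enabled(enabled_accounts: set, terminations: dict,
                  now: datetime) -> set:
    """Users terminated on or before `now` whose accounts remain enabled."""
    return {u for u, t in terminations.items()
            if t <= now and u in enabled_accounts}


if __name__ == "__main__":
    for f in post_termination_logins(AUTH_LOG, TERMINATIONS):
        print(f"{f.user}: login {f.lag} after termination from {f.src} "
              f"at {f.when.isoformat()}")
    for u in sorted(still_enabled(ENABLED_ACCOUNTS, TERMINATIONS, CHECK_TIME)):
        print(f"{u}: terminated but account still enabled")
```

On the constructed data the check reports one post-termination login (jdoe, just over two days after termination, from a new source address) and one terminated account still enabled. Run daily against the real HR and identity-provider feeds, the first list measures how long deprovisioning actually takes and the second catches the accounts it missed; a `grace` of a few hours can absorb a legitimate handover window without hiding multi-day gaps.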

## The Cost of Ransomware to Schools

Education has become one of the sectors most targeted by ransomware; large campus networks with many possible entry points make schools tempting targets. Comparitech published a report looking at the scale of these attacks and what they cost the education sector over the last year. In 2020, 77 ransomware attacks hit over 1,740 schools and colleges, potentially reaching up to 1.36 million students. The cost of downtime alone was estimated at $6.62 billion. The report also found that the number of individual attacks fell 20% in 2020 while the number of schools affected rose 39%, as each attack hit larger school systems. Texas and California saw the most attacks, although Nevada had the most students affected, with over 328,000.

([Comparitech](https://www.comparitech.com/blog/information-security/school-ransomware-attacks/))

## FBI, CISA warn ransomware attacks surge over holiday weekends: 6 things to know this Labor Day weekend

The FBI and Cybersecurity and Infrastructure Security Agency are warning companies of the increased risk of ransomware attacks over Labor Day weekend.

The FBI and CISA said in an Aug. 31 advisory that ransomware attacks surge on holidays and weekends, when offices are traditionally closed. The agencies have observed major ransomware attacks fall consistently on holiday weekends, such as the Fourth of July, Mother’s Day weekend and Memorial Day weekend. They said they had no specific threat reporting indicating that an attack will occur over Labor Day weekend, but wanted organizations to be aware of the increased threat level.

* Colonial Pipeline: Mother’s Day weekend
* JBS: Memorial Day weekend
* Kaseya: Fourth of July weekend

([Becker’s Health IT](https://www.beckershospitalreview.com/cybersecurity/fbi-cisa-warns-ransomware-attacks-surge-over-holiday-weekends-6-things-to-know-this-labor-day-weekend.html))

## SEC fines three companies over hacked employee email accounts

The US Securities and Exchange Commission on Monday fined three brokerage firms for neglecting to secure employee email accounts, failures that led to the exposure of their customers’ data.

Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS) all settled with the SEC in three separate administrative proceedings [PDF: [Cetera](https://www.sec.gov/litigation/admin/2021/34-92800.pdf), [Cambridge](https://www.sec.gov/litigation/admin/2021/34-92806.pdf), [KMS](https://www.sec.gov/litigation/admin/2021/34-92807.pdf)], the agency announced this week.

According to the SEC’s orders, attackers took over employee email accounts at each of the three firms on multiple occasions between 2017 and 2020, exposing customers’ personal information. The firms were faulted for lacking written policies and procedures adequate to safeguard that information, and Cetera additionally for sending customers breach notifications worded to suggest they had been issued much sooner after discovery than they actually were.

([The Record](https://therecord.media/sec-fines-three-companies-over-hacked-employee-email-accounts/))
