Here are the top news stories of the week of April 19th to 23rd, 2021, as reported by *Cyber Security Headlines* on CISO Series. I post these stories here because every Thursday at 4pm PT/7pm ET, CISO Series hosts a short 20-minute show summarizing the top cybersecurity news stories for the week. The show is hosted by reporter Steve Prentice, and we welcome a cyber practitioner to offer some color on the week’s stories. Our guest this week is George Finney, CISO, Southern Methodist University.
If you want to get involved you can watch live and participate in the discussion on Crowdcast ([register](https://www.crowdcast.io/e/cyber-security-headlines)), or you can just [subscribe to the Cyber Security Headlines podcast](https://cisoseries.com/subscribe-podcast/) and get it into your feed.
And now, some of the stories we’ll be covering.
## Codecov discloses 2.5-month-long supply chain attack
Codecov, a software company that provides code testing and code statistics solutions, disclosed on Thursday a major security breach after a threat actor managed to breach its platform and add a credentials harvester to one of its tools. The impacted product is named *Bash Uploader* and allows Codecov customers to submit code coverage reports to the company’s platform for analysis. Codecov said the breach occurred “because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.” The breach is already drawing comparisons to SolarWinds due to the potential for follow-on effects at companies who use Codecov as a supplier.
([The Record](https://therecord.media/codecov-discloses-2-5-month-long-supply-chain-attack/) and [Reuters](https://www.reuters.com/technology/us-investigators-probing-breach-san-francisco-code-testing-company-firm-2021-04-16/))
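The Codecov story is about a downloaded helper script that customers run inside their CI pipelines. A defender's counter-measure is to refuse to execute such a script unless its SHA-256 matches a hash pinned in your own repository, so a tampered copy fails closed instead of running. The following is an added example, not Codecov's own code or tooling; it assumes the script has already been fetched to a local file and that the expected hash is a constant checked into the repo. The "uploader" used in the demo is a constructed stand-in, not the real Bash Uploader.

```shell
#!/bin/sh
# Added example (not Codecov's code): run a downloaded helper script only if
# its SHA-256 matches a hash pinned in your own repo. A modified script, as in
# the Codecov incident, then fails the check and is never executed.

# Compute the SHA-256 of a file, portable across sha256sum (GNU) and shasum (BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script FILE EXPECTED_SHA256 -> exit status 0 on match, 1 on mismatch.
verify_script() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "integrity check failed for $1" >&2
  echo "  expected: $2" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# run_pinned FILE EXPECTED_SHA256 [args...] -> execute the script only after it verifies.
run_pinned() {
  f=$1; expected=$2; shift 2
  verify_script "$f" "$expected" || return 1
  bash "$f" "$@"
}

# --- Constructed demo: a harmless stand-in for a vendor-supplied uploader script ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
GOOD="$demo_dir/uploader.sh"
BAD="$demo_dir/uploader-modified.sh"
printf '%s\n' '#!/bin/bash' 'echo "uploading coverage report"' > "$GOOD"

# In real use PINNED_SHA is a literal committed to the repo and updated only
# through a reviewed change; here it is derived from the known-good copy.
PINNED_SHA=$(sha256_of "$GOOD")

# Simulate a tampered download: same script with one extra line appended.
cp "$GOOD" "$BAD"
echo 'echo "extra line added after the hash was pinned"' >> "$BAD"

# Known-good copy runs; the modified copy is rejected before bash ever sees it.
run_pinned "$GOOD" "$PINNED_SHA"
if run_pinned "$BAD" "$PINNED_SHA" 2>/dev/null; then
  echo "BUG: modified script was executed" >&2
else
  echo "modified script rejected as expected"
fi
```

Pinning to a hash means every vendor update requires a deliberate, reviewed change to the pinned constant; that friction is the point, since it is exactly the step a silent modification on the vendor's side cannot bypass.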
## Major BGP leak disrupts thousands of networks globally
A large Border Gateway Protocol (BGP) routing leak that occurred on April 16 disrupted connectivity for thousands of major networks and websites around the world. Although it originated in Vodafone’s autonomous system based in India, it impacted several U.S. companies, including Google. Although this one lasted just 10 minutes, BGP leaks are serious occurrences, as they can lead to users being moved to an internet route with suboptimal performance or hijacked for eavesdropping and traffic analysis.
## WordPress says FLoC is a security concern
The company announced it will treat Google’s third-party cookie alternative, Federated Learning of Cohorts (FLoC), as a security concern, and proposed blocking the technology by default starting with WordPress 5.8, while considering backporting the block to earlier versions. The block could be overridden in code by site admins, and WordPress is considering adding a setting to enable FLoC directly. WordPress said its concern is that enabling FLoC by default would make site owners accept it without fully realizing what FLoC is storing and collecting about users. The update to block FLoC is expected by July 2021, although WordPress is currently taking user feedback on the decision.
## Medtronic partners with Sternum on pacemaker security
The medical device maker announced it will work with the IoT cybersecurity startup Sternum to help prevent its pacemakers from getting hacked through their internet-based software updating systems. Medtronic’s previous solution to the problem was simply to disconnect the pacemakers from the updating system, but the company did not consider that a long-term solution. Sternum claims to offer “autonomous security that operates from within the device that can protect it without the need to update and patch vulnerabilities.” A spokesperson said this would mitigate risks not just to patients, but also prevent pacemakers from being used as an attack vector on a medical system’s overall network.
## Biden administration unveils plan to defend electric sector from cyberattacks
The Department of Energy (DOE) yesterday announced a 100-day plan to help shore up the U.S. electric power system against cyber threats. The plan, rolled out with the private sector and CISA, is meant to help owners and operators develop more comprehensive approaches to detection, mitigation and forensic capabilities. The plan will focus on getting industrial control system (ICS) owners and operators to select and use technologies that help gain real-time awareness of cyber threats and response capabilities, and will also encourage the deployment of technologies that boost visibility into threats in both ICS and operational technology networks.
## Pulse Secure VPN zero-day used to hack defense firms, govt orgs
Pulse Secure has shared mitigation measures for a zero-day authentication bypass vulnerability in the Pulse Connect Secure SSL VPN appliance that is being actively exploited against U.S. Defense Industrial Base (DIB) networks and organizations worldwide. To mitigate the vulnerability, tracked as CVE-2021-22893 (with a maximum 10/10 severity score), Pulse Secure advises customers to upgrade their server software. As a workaround, the vulnerability can be mitigated on some gateways by disabling the Windows File Share Browser and Pulse Secure Collaboration features using the instructions in their security advisory.