Friday Five 1/28
The Linux PolicyKit bug, $770 million lost in social media scams, and more - catch up on the infosec news of the week with the Friday Five!
1. SEC's Gensler signals enhancement of cybersecurity, breach disclosure rules for financial sector by Tim Starks
Early warning here via CyberScoop on a potential tweak to how the U.S. Securities and Exchange Commission may handle cybersecurity compliance going forward. Tim Starks recaps a speech given by SEC Chairman Gary Gensler at the Northwestern Pritzker School of Law's annual Securities Regulation Institute conference, in which Gensler said he has asked staff to look into updating Reg SCI (Regulation Systems Compliance and Integrity). The update would strengthen the SEC's expectations around backing up data and mitigating risk. The move, like those recently undertaken by the TSA for railways and airlines, would expand breach disclosure requirements for the sector and help the industry better handle the risk that service providers sometimes introduce.
2. Safari Flaws Exposed Webcams, Online Accounts, and More by Lily Hay Newman
In case you missed it, there was a slew of Apple patches this week, but this story, via WIRED, digs into a group of bugs that were fixed a few weeks ago. The vulnerabilities, if exploited, could have exposed Safari tabs and other settings, which in turn could have let an attacker snoop through a user's online accounts, turn on their microphone or take over their webcam. The issues relied on the trust granted to shared iCloud documents, circumvented protections in place on iCloud and Safari, and could have let an attacker behave as if they were already in your browser. For those interested in going deeper, the researcher behind the hack, Ryan Pickren, does a great job summarizing the exploit chain in a lengthy blog post on his personal website.
3. Unpacking the rise of BlackCat ransomware: High victim count, high payouts, customized features by AJ Vicens
More news from CyberScoop here, this story on ransomware, specifically BlackCat, a strain that has flown under the radar a bit over the last few months. Despite only being around since mid-November, the ransomware, written in Rust, already has the seventh-highest victim count among the ransomware groups tracked by Palo Alto Networks' Unit 42. The ransomware is "highly customizable, which facilitates the ability to pivot and individualize attacks," the article reads. The ransomware also boasts some high payouts, reportedly: "Ransoms are also an interesting feature of BlackCat's rise, the researchers note: Affiliates using the malware have been observed asking for as much as $14 million in bitcoin or monero, nearly three times the average ransom demand of $5.3 million asked for in the first half of 2021."
4. Experts Urge Firms to Patch Trivial-to-Exploit Flaw in Linux PolicyKit by Robert Lemos
A heads up here, in case you missed it, via DarkReading on a nasty-sounding vulnerability in polkit, software that's installed in most Linux distributions, including the big ones (Fedora, Ubuntu, Debian and CentOS), that could let any unprivileged local user become root. Discovered by Qualys researchers, the vulnerability, which technically lives in polkit's set-user-ID pkexec tool, sounds fairly easy to reproduce: Bojan Zdrnja, a pen tester from Croatia, successfully recreated it and called the exploit "100% reliable" in a SANS Internet Storm Center blog on Tuesday. While pretty much all distributions have issued patches, if you can't patch, Zdrnja's blog has some tips on how to prevent the vulnerability from being exploited by removing the SUID bit from the pkexec tool.
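The interim mitigation mentioned above, as an added example written for this post (it is not from the DarkReading article, from Qualys, or from Zdrnja's ISC post): a POSIX shell script that locates pkexec, reports whether it is still set-user-ID root, and on request strips the bit. The candidate paths under /usr/bin and /usr/local/bin and the function names are assumptions; the script takes an explicit path so it can be pointed at any binary. Keep in mind that without the set-user-ID bit pkexec can no longer elevate privileges for non-root callers, so anything on the host that relies on pkexec breaks until the distribution's patched package is installed (which restores the bit on a fixed binary, which is what you want).

```shell
#!/bin/sh
# Added example, not the article's or polkit's own tooling. Checks and
# optionally removes the set-user-ID bit on pkexec as a stopgap until the
# patched polkit package is installed.

# Return 0 if the file at $1 carries the set-user-ID bit (POSIX `test -u`).
pkexec_is_suid() {
    [ -u "$1" ]
}

# Strip the set-user-ID bit from $1 and confirm it is gone.
# Caveat: pkexec without this bit cannot elevate unprivileged callers.
strip_suid() {
    chmod u-s "$1" || return 1
    ! [ -u "$1" ]
}

# Print the path of pkexec on this host, or nothing if it is not installed.
# The two fixed locations are assumptions; PATH lookup is the fallback.
find_pkexec() {
    for p in /usr/bin/pkexec /usr/local/bin/pkexec; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    command -v pkexec 2>/dev/null
}

# Usage: pkexec_suid_check check|fix [path]
#   check: exit 0 if the binary is not set-user-ID, 1 if it is, 2 if not found
#   fix:   remove the bit; exit 0 on success
pkexec_suid_check() {
    mode=$1
    target=${2:-$(find_pkexec)}
    if [ -z "$target" ] || [ ! -f "$target" ]; then
        echo "pkexec not found" >&2
        return 2
    fi
    if ! pkexec_is_suid "$target"; then
        echo "$target: set-user-ID bit not set (already hardened or not exposed)"
        return 0
    fi
    case $mode in
        check)
            echo "$target: set-user-ID root; if polkit is unpatched, this host is exposed"
            return 1 ;;
        fix)
            strip_suid "$target" && echo "$target: set-user-ID bit removed" ;;
        *)
            echo "usage: pkexec_suid_check check|fix [path]" >&2
            return 2 ;;
    esac
}

# Run only when invoked with arguments, e.g. `sh pkexec_suid.sh check`
# or `sudo sh pkexec_suid.sh fix`.
if [ "$#" -gt 0 ]; then
    pkexec_suid_check "$@"
fi
```

Run `check` from your inventory tooling to find hosts where pkexec is still set-user-ID, and use `fix` (as root) only where the vendor patch cannot be applied promptly; once the patched package lands, the check reporting the bit as set again is expected, since the fixed binary needs it to do its job.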
5. FTC: U.S. consumers lost $770 million in social media scams in 2021, up 18x from 2017 by Sarah Perez
Social media scams are up in a big way over the last couple of years, according to new statistics released by the FTC this week. The sum lost to social media scams in 2021 ($770 million) is 18 times the 2017 figure of $42 million, the FTC said Thursday. The number isn't too far-fetched when you consider how sophisticated and targeted these attacks have grown over the last few years, combined with the rise of bots, some with robust, believable-looking profiles, on both Facebook and Twitter. While cryptocurrency scams and romance scams accounted for the most money lost, the most frequently reported scams involved consumers getting ripped off after trying to purchase something that looked legitimate on social media: they saw an ad on Facebook or Instagram, got caught up in the moment, bought it, and never received it.