Friday Five 12/11
New federal cyber initiatives, phishing campaigns, and anti-trust lawsuits - catch up on all of the week's infosec news with the Friday Five!
1. A look inside Congress' biggest cyber bill ever by Tim Starks
The annual defense policy bill contains numerous provisions that would reshape cybersecurity at the federal level. Notably, the bill would strengthen the capabilities of the Cybersecurity and Infrastructure Security Agency (CISA) and establish a National Cyber Director in the White House. These changes are drawn from recommendations by the Cyberspace Solarium Commission, an intergovernmental body whose purpose is to develop a strategic approach to defense against cyberattacks. The bill is expected to pass both the House and Senate; however, the president is threatening to veto the legislation over certain legal protections for tech companies (Section 230). The vote to override a veto is expected to be close. The bill is full of proposals that, if it becomes law, will bolster the federal government’s cybersecurity apparatus.
2. Phishing Campaign Targets 200M Microsoft 365 Accounts by Kelly Sheridan
200 million Microsoft 365 users are being targeted by a large phishing campaign. The campaign’s targets span a wide range of industries including healthcare, manufacturing, financial services, insurance, and many others. The attackers are creating emails that appear to come from Microsoft Outlook and contain urgent language in an attempt to trick users into entering their Microsoft login credentials on a fake authentication page. Researchers stress the importance of configuring defenses for Domain-based Message Authentication, Reporting, and Compliance (DMARC). Though in many ways the campaign uses traditional phishing tactics, its impersonation of the exact name and domain of a specific sender is technically more complex, and the persistent targeting of Microsoft 365 continues to be a concern.
3. COVID data manager investigated, raided for using publicly available password by Katie Cox
Over the past week, there have been continuing developments in the story of Rebekah Jones, a data scientist who is part of an investigation into unauthorized access of a state emergency-responder system in Florida. As part of the investigation, it has been discovered that the emergency-response team in Florida shares one username and password across the entire department. To make matters worse, the login does not change when users resign or are fired, and the account credentials are part of a logistics manual that is publicly searchable and accessible on Florida’s DOH website. This is extremely concerning from a cybersecurity perspective, as it leaves the agency open to exploitation. Because DOH coordinates public health responses including “triage, treatment, and transportation,” access to its emergency alert system in the wrong hands could lead to disastrous consequences.
4. NSA: Russian-linked hackers are exploiting new VMWare product vulnerabilities to steal data by Derek B. Johnson
The NSA issued an advisory this week warning of a command injection vulnerability in VMware products that can be used to access privileges and steal data. The vulnerability is present in Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. After gaining access, attackers can set up web shells, create fake authentications, and gain access to sensitive data. In response, the NSA recommends patching, using strong passwords, and making sure the interface is not connected to the internet. The advisory is the latest example of the NSA's effort to increase public notification of security vulnerabilities to the private sector.
5. US antitrust siege of tech widens with lawsuits vs Facebook by Marcy Gordon and Michael R. Sisak
On Wednesday this week, regulators filed landmark antitrust lawsuits against Facebook. The Federal Trade Commission and 48 states are accusing Facebook of using its power in the market to hurt competition and by proxy hurt consumers. To remediate these concerns, the lawsuits seek to reverse some of Facebook’s acquisitions by spinning off Instagram and WhatsApp. In a rare show of consensus, lawmakers of both parties are pushing for stronger oversight, a significant shift from the previous policy of largely leaving tech companies to self-regulate in the name of innovation. While antitrust cases are often hard to win, the unified support behind this lawsuit makes the case a lot stronger, and if successful, could mark a large shift in the government’s future role in regulating tech.