Friday Five 12/2
$31M in digital coin stolen, an insider extortion attack, and a new cybersecurity resource for healthcare workers - catch up on the infosec news of the week with the Friday Five!
1. Mozilla fixes critical bug in cross-platform cryptography library by Sergiu Gatlan
If you're like me, you didn't realize how bad this flaw, fixed in NSS by Mozilla this week, was until you saw Tavis Ormandy's tweet on Wednesday. The bug, a major memory corruption flaw, sits deep in Mozilla's Network Security Services (NSS) set of cryptography libraries. If exploited correctly the vulnerability could have led to "program crashes and arbitrary code execution to bypassing security software code if code execution is achieved," Bleeping Computer wrote this week. While Mozilla ships NSS in Firefox, this vulnerability doesn't affect the browser, according to the write-up. Still, any vendor that distributes NSS in its products will want to make sure it's updated soon.
2. Nine WiFi routers used by millions were vulnerable to 226 flaws by Bill Toulas
Replacing your home router anytime soon? If you've done it before, you know it can require a fair bit of research ahead of time. Here's some new, concerning research via IoT Inspector and CHIP Magazine on routers commonly used by small firms and home users. If you're looking for a good list of routers not to buy, here's a good starting place. The team looked at nine popular routers and found 226 security issues, think: outdated functionality, outdated Linux kernels, weak password use ("admin"), hardcoded credentials in plaintext and so on. There are also some handy tips for the uninitiated on how to best fortify your router after you get it: apply the available updates, change the default password, and disable remote access, UPnP (Universal Plug and Play), and WPS (WiFi Protected Setup) if you're not actively using them.
3. Former Ubiquiti employee charged with stealing data, extorting employer by Tonya Riley
Quite the story here and in many ways the news of the week, mostly because of what it says about the constantly changing face of the insider threat. CyberScoop recaps news, disclosed by the Department of Justice this week, that an employee at Ubiquiti, which makes routers and switches, managed to steal data from the company and extort it for nearly $2 million. While the indictment doesn't mention the company's name, the breadcrumbs lead back to Ubiquiti, which told customers to change their passwords in January 2021. According to the DOJ, Nickolas Sharp, a developer at the company, used his privileged access to download confidential data and anonymously asked the company for $1.9 million in Bitcoin to return it and to fix the vulnerability used to access it. Compounding matters further, it appears Sharp is also guilty of pretending to be a whistleblower. An anonymous source claiming to work at Ubiquiti contacted reporter Brian Krebs and accused the company of covering up the incident, something that drove its stock further down. Based on the DOJ's description, Sharp fits the bill.
4. Really stupid “smart contract” bug let hackers steal $31 million in digital coin by Dan Goodin
As most things involving blockchain and cryptocurrency tend to be, this is a confusing one. Still, the number is eye-popping: $31 million of tokens apparently stolen from a blockchain startup, MonoX. In the attack, a hacker exploited a bug in software used to draft smart contracts. It was, as Ars Technica's Dan Goodin writes, an accounting error built into the company's software that allowed the attacker to artificially inflate the price of its MONO token. After doing so, the attacker was able to cash out all the other deposited tokens. The company started off its recap of the attack on its Medium blog in a sobering tone: "The past 24 hours have been difficult, and we're simply at a loss for words. No apologies and no amount of words can describe how the team has been feeling since the attack transpired."
5. HHS launches website for healthcare cybersecurity resources by Jackie Drees
If you're in charge of defending an organization in the healthcare space, you'll want to visit a new website rolled out by the U.S. Department of Health and Human Services (HHS) this week, designed to promote cybersecurity best practices across the industry. The website came about as a response to the HHS 405(d) Aligning Health Care Industry Security Approaches Program, launched in part under the Cybersecurity Act of 2015. The website, which offers tips on protecting patients and organizations, news and awareness resources, and ways to get involved with the 405(d) Task Group, can be accessed at the following link.