Friday Five 3/3
Zero day exploits, browser extension economics, and the scourge of robocalls - catch up on all of the week's infosec news with the Friday Five!
1. Microsoft Fixes Exchange Server Zero-Days Exploited in Active Attacks by Kelly Sheridan
Microsoft has released patches for four critical vulnerabilities that were being used to target Microsoft Exchange Server. Gaining access to an Exchange server would allow access to any sensitive communications conducted over email within a company. Officials have attributed the attacks to a state-sponsored group out of China, known as Hafnium. Hafnium has a history of targeting US industries, ranging from law firms to NGOs, in an attempt to steal data. Microsoft has urged customers to patch immediately: now that the information is public, criminal groups and state-sponsored actors will rush to exploit unpatched systems.
2. Is Your Browser Extension a Botnet Backdoor? by Brian Krebs
In a story examining the growing industry of firms making extensions for popular internet search applications, the lopsided economics involved have led to potentially risky code being installed in extensions. As an extension grows in popularity and gains users, the costs of maintaining support and code can be significant. This opens the door to outside, potentially malicious actors buying the extension or paying the original owner to include extra code. Between the willingness to sell because of the lack of financial payoff and the large download base of certain extensions, there's a lot of data that someone can glean and abuse by buying one of these extensions. The story serves as a reminder that users should be cautious about what extensions they install, especially as the purpose and design of an extension can change over time.
3. Robocalls keep spamming Americans, in part because of their cyber tools by Tim Starks
After a brief lull, robocalls have increased again and are now mimicking the attack methods of hackers. This includes combining phone calls with tricks to sidestep two-factor authentication. The news is concerning, as some estimates have found that there are three to four billion robocalls a month and that phone scams cost US consumers billions of dollars annually. These new techniques are part of the increasing sophistication of phone scams; one example is someone claiming to be calling from a vendor's technical support to fix a problem, only to install malware. And though people have gotten better at picking up on suspicious phone calls, if they receive a text from the same source, they are more likely to think the person is legitimate, even when they are not. The story is a reminder to avoid answering unknown calls, and if you receive multiple messages about a problem, to hang up and independently verify with your financial institution or employer whether it is real.
4. Policy Group Calls for Public-Private Cyber-Defense Program by Robert Lemos
In a new report, the New York Cyber Task Force has recommended that the U.S. create a National Cyber Response Network. The network would link government and industry groups to respond to cyberattacks from either hostile nation-states or individual hackers. According to the report, the U.S. is not ready to respond effectively to a cyberattack because of the roadblocks that currently exist between the government and the private sector. If created, the network would be managed by an agency designated by a cabinet-level National Cyber Director. The recent hacks in the news and the large number of persistent threats that exist further underscore the importance of creating a network to improve both the offensive and defensive cyber capabilities of the U.S. government.
5. Google beefs up privacy promises as it prepares to upend its ad model by David Meyer
The article examines Google's phasing out of third-party cookies in its popular search engine. The move is part of a larger trend; Apple's Safari and Mozilla's Firefox have already started blocking third-party cookies. The push to remove third-party cookies has understandably faced a backlash from publishers and ad technology firms, which has triggered an anti-trust investigation against Google in the UK. To assuage concerns this week about what might replace third-party cookies, Google's privacy chief stressed that the replacement technology will keep individuals anonymous. With Google's new Federated Learning of Cohorts, or FLoC, advertisers will also not see a significant drop-off in conversions per dollar spent compared to cookie-based advertising. It will be interesting to see how this all plays out, but it's clear Google's new technology will have implications for the future of users' online privacy.