Friday Five: 10/27 Edition
Catch up on all the week's InfoSec news with this roundup!
Researchers with Cisco said Thursday that Bad Rabbit, a strain of ransomware that hit hundreds of targets in Russia and Ukraine earlier this week, did indeed use the leaked NSA exploit EternalRomance. This isn’t particularly a surprise; many experts compared the ransomware to NotPetya, a strain of ransomware that also exploited EternalRomance, responsible for taking down multiple businesses in June. The news does contradict statements made by many researchers who said earlier this week the ransomware didn't use EternalRomance or EternalBlue. Cisco researchers said Thursday that Bad Rabbit uses a "different implementation of the EternalRomance exploit" to overwrite a kernel's session security context to launch remote services.
Engineers behind SecureDrop, open source software that helps facilitate communication between journalists and sources, were forced to fix a bug last week that could have left users at risk. The software is used by a number of media outlets, namely the New York Times, the Washington Post, and The Intercept. SecureDrop developers said the vulnerability, which could have rendered systems unable to verify key packages, would have been difficult to exploit. Because of its severity – it also could have opened the door to remote code execution against targets – sites like the New York Times and The Intercept said this week they were in the process of updating how SecureDrop is configured.
Nice scoop here from Lorenzo, who reports that a security researcher uncovered a nasty bug in Equifax's site last year that could have let an attacker search for the personal information of millions of Americans. The vulnerability was reported to the company and apparently separate from the Apache Struts vulnerability that ultimately wound up leaking the information of 145M Americans earlier this year. The researcher, who told Franceschi-Bicchierai he wished to remain anonymous, said the bug was essentially a basic "forced browsing" bug. "All you had to do was put in a search term and get millions of results, just instantly—in cleartext, through a web app," the researcher said.
Password breaches happen to us all eventually, even major CEOs. According to a new study carried out by security firm F-Secure, thirty percent of CEOs had their passwords exposed by a breach. The staff at DarkReading say researchers at the firm analyzed company email addresses for CEOs representing more than 200 of the biggest companies across 10 countries and found that 81% of the leaders had some form of information - email addresses, phone numbers, birthdates - leaked. The biggest breach culprits? LinkedIn and Dropbox.