Newsletter
10.12.2021 | 5 min read
Beware of shady VPN corporate ownership
This edition of the newsletter is presented by Egress Software, Symmetry Systems and Process Unity.
- The most clicked link from last week’s newsletter was the Aspen Cyber Summit fireside chat with NSA’s Rob Joyce on the nation-state threat landscape.
Monday blues.
For years, security pros (myself included) have urged the use of VPNs as a data and privacy protection utility. Today, this is slowly becoming bad advice and there are new signs that the entire cottage industry of consumer VPN software needs to be killed off as a matter of urgency.
Have a gander at this alarming report from Restore Privacy:
Kape Technologies, a former malware distributor that operates in Israel, has now acquired four different VPN services and a collection of VPN “review” websites that rank Kape’s VPN holdings at the top of their recommendations.
The report goes into the people behind Crossrider, a company that was caught distributing malware and adware, and documents how the company pivoted to purchasing VPN services, then changed its name to Kape Technologies. Kape was then observed buying a collection of VPN “review” websites and changing the rankings.
This is slowly becoming one of those parasite industries that will cause a world of hurt in the long run. Time to kill off the VPN entirely.
_ryan
On to the newsletter…
The Patch Tuesday freight train
I’m swamped with work today, tracking a doozy of a Patch Tuesday across the computing landscape. Some highlights and reminders:
- Apple has already rushed out iOS 15.0.2 with cover for an “actively exploited” zero-day flaw (read my story).
- Adobe has slapped band-aids on “critical” security defects in its Adobe Acrobat and Reader products.
- Microsoft dropped a 71-vuln strong batch for the Windows ecosystem, including patches for vulnerabilities that have already been exploited in the wild. Kaspersky has the skinny on the 0day exploitation.
- The vulnerability counter for documented 0days in 2021 now stands at 73, dominated mostly by security flaws in code from Microsoft, Apple and Google.
As usual, treat these patches with the highest priority and remember to randomly reboot your iPhones.
- Just hours after the release of iOS 15.0.2, security researcher Saar Amar reversed Apple’s patch to document the vulnerability and release proof-of-concept exploit code.
- A Patchy Server: GreyNoise documents in-the-wild exploitation of CVE-2021-41773, a gaping hole in the widely deployed Apache HTTP Server.
Sponsored.
- Egress has built the only Human Layer Security platform that defends against inbound and outbound threats. Using patented contextual machine learning, Egress detects and prevents abnormal human behavior such as targeted phishing attacks, misdirected emails, and data exfiltration. Book a demo.
- Symmetry DataGuard helps you protect what matters most. Start with a sealed, read-only service in your cloud. Point it at your data stores and fine-grained query logs. Get a risk map with at-risk data objects and suggested interventions. Get in touch today for a demo.
- ProcessUnity’s Cybersecurity Program Management (CPM) is a single, comprehensive platform for centrally managing an organization’s cybersecurity program with prepackaged mapped content, automated workflows, assessments and dynamic reporting. The solution enables the CISO to inventory and assess high-value assets; map them to threats, risks, policies and control standards; automate reviews; and capture evidence of compliance — all on a predefined schedule. Request a demo.
Nation-state APT activity
- Google TAG’s Shane Huntley said the company has blocked Russian government phishing emails targeting 14,000 users. Google separately announced plans to provide free security keys for its Advanced Protection Program (APP) to 10,000 high-risk users around the world.
- Microsoft’s new report on global APT activity covers high-end malware from Russia, China, North Korea, Iran and Turkey. No signs of offensive actors in the USA, Israel or Western European nations.
- Redmond has a new report exposing an Iran-linked actor hitting Office 365 tenants with password sprays. Targets are U.S. and Israeli defense technology companies.
- The NSA is warning about the dangers of wildcard TLS certificates and the ALPACA technique.
UEFI bootkits
The Record’s Catalin Cimpanu covers past examples of UEFI bootkits found in the wild:
- FinSpy – a UEFI bootkit component used with the government-grade FinFisher spyware, discovered by security firm Kaspersky.
- Demodex – a UEFI bootkit used by a Chinese cyber-espionage group since July 2020, also disclosed by security firm Kaspersky.
- LoJax – a UEFI bootkit used by Russian state hackers since 2018 in attacks across Europe.
- Hacking Team Vector EDK – a UEFI bootkit part of the now-defunct HackingTeam’s malware arsenal.
- DerStarke and QuarkMatter – UEFI rootkits that were part of the CIA hacking tools leaked in 2016 as part of the Vault7 trove.
- ESPecter – a UEFI bootkit that was detailed for the first time in a report published by security firm ESET.
Software supply chain
- Full video of panel discussion on CISOs navigating coming SBOM requirements, featuring CISA’s Allan Friedman, JupiterOne’s Sounil Yu, and CycloneDX’s Steve Springett.
- A team of former Google software engineers is behind the launch of a supply chain security startup called Chainguard. No word yet on what exactly they do.
- SPDX is emerging as one of the main standards for SBOMs (software bill of materials).
Leftovers.
- Google has created a new cybersecurity team to help respond to attacks against governments and other critical groups, along with a new program to help strengthen the cybersecurity of businesses.
- The Markup provides fantastic reporting on the multi-billion-dollar market for your phone’s location data.
- Cybereason researchers take us inside the destructive PYSA ransomware, a human-operated ransomware operation that uses double-extortion tactics.
Tangentially.