From a cyberattack on Barnes & Noble to Zoom rolling out end-to-end encryption, Threatpost editors break down the top security stories of the week.
The Threatpost editors break down the top security stories of the week ended Oct. 16, including:
- Patch Tuesday madness, with Microsoft and Adobe releasing fixes for severe vulnerabilities – including a critical, potentially wormable remote code execution bug dubbed the “Ping of Death”
- Barnes and Noble being hacked – and why some readers are unhappy with how the book purveyor announced the cyberattack
- DDoS extortion email threats hitting various companies around the world – including Travelex
- Zoom finally rolling out end-to-end encryption on the video conferencing platform – and why this is different than the collaboration giant’s earlier “full encryption” claims
Download the podcast here or listen below.
Below find a lightly edited transcript of the podcast.
Lindsey O’Donnell-Welch: Welcome back to the Threatpost news wrap podcast. This is Lindsey O’Donnell-Welch with Threatpost and I am joined by Tara Seals, with Threatpost, to break down the top news from the week ended Oct. 16. Tara, how was your week?
Tara Seals: Oh, really good, Lindsey. It was super busy as things in cybersecurity usually are. But this week was a little busier than most with Patch Tuesday and everything.
LO: Yeah, we had a ton of news coming out of Patch Tuesday, whether it was Adobe Flash flaws that were being patched or Microsoft’s Patch Tuesday security updates. And I know there was a good amount that came out from the Microsoft standpoint, which you covered, Tara, what were you finding there?
TS: So it was an interesting Patch Tuesday, because it had fewer than 100 CVEs this month, which was the first time in seven months that has happened. So that was kind of exciting I think for IT administrators everywhere, not to have to worry so much about so many. But there were also a couple of notable bugs. Well, first of all, there were six bugs that were listed that had been previously disclosed in some way, shape or form, but did not have patches. And so those obviously are of concern. And there’s already a handful of proof-of-concept exploits for those that are lying around. And they [Microsoft] don’t usually have previously disclosed bugs that they have to fix. So that was really noteworthy that they had six of them.
And then there were a couple of critical bugs that really stood out to most of the researchers that I talked to. One of which they are calling the “ping of death,” which I think is kind of hilarious, but it’s accurate. It’s basically a bug in Outlook, Microsoft Outlook, and it can be triggered, basically, just by sending an email to someone. And because the attack vector is the Preview Pane, which is the default view – Outlook users everywhere will be familiar with this, when you receive an email, it just pops up in this Preview Pane that you can see – and so this particular bug, in order to be exploited, somebody can just send an email, it pops up in the Preview Pane, and then [the exploit] becomes triggered. And it allows attackers to execute remote code. So obviously, it is concerning. And it’s also very exploitable and trivial to carry out.
LO: Right. Well, it definitely seemed like there were a ton of Microsoft bugs to come out this week. But as you mentioned, less than what we usually see. And that was the same with Adobe. I mean, I think in previous months, Adobe has had way more than the one flaw that it patched this week. So not sure what the reasoning is behind that. But as you said, it’s definitely less of a headache for system admins to have to deal with.
TS: Yeah, for sure. Well, and I think especially given the fact that we’ve had so much Zerologon news, that terrible bug that security teams are rushing to patch even as everyone from nation-state actors to financially motivated people in their basement are looking to exploit it. So, you know, I think it’s probably good to not add too much insult to injury this month.
LO: Right. Companies have so much on their plates already in terms of like ongoing hacks and cyberattacks. For instance, you just on Thursday covered a newly announced Barnes and Noble hack, which as someone who shopped at Barnes and Noble a lot, I like to read, that was not great to read about.
TS: Yeah, that story’s a little bit crazy. So we also got the email notice. And it came in the wee hours of the morning. I think my husband’s arrived at like, 1:30 or something in the morning, Thursday morning, so they kind of sent this out under cover of darkness, which I’m sure they want to minimize the publicity around it, but that is not going to happen because it is Barnes and Noble.
So the thing is that, what was really interesting about this, is that nobody knows, they haven’t confirmed yet, what kind of cyberattack. Only that there was one. But over the weekend, the Nook e-book reader – which my mom has one of those and they’re kind of great – but the syncing feature for that went down and there was this outage that continued and it just kind of trended on a low level, nobody really knew what was going on. And that stretched across the week. And then they come out Thursday, well Wednesday night into Thursday morning, saying that there had been a cyberattack.
So people started putting two and two together, thinking, “hmm, maybe this might be a ransomware attack.” Again, unconfirmed, but I’m sure we’ll get more details. Some of the systems that were impacted by this contained a lot of personal customer information. Luckily, not financial information, but certainly things like purchase histories, the lists of books that people have bought in the past, along with their email, phone numbers and other personal information like that, that basically it would be a dream for a phisher to mount some scam emails that are tailored and really convincing.
LO: Right? Yeah, I was gonna ask, I mean, if an attacker has the fact that someone reads, you know, say, Stephen King novels and their email address, what kind of phishing lures could potentially be strung together from this? I’m sure that there’s a lot of different avenues that cyber criminals could go there.
TS: Oh, definitely. I mean, can you imagine, especially, you know, around Halloween and the Stephen King reference, I mean, you could basically say, “Hey, I know that you just purchased Doctor Sleep. So you might be interested, here’s some other recommendations.” And they could use some Barnes and Noble graphics and make it pretty convincing and look like, “because you read this, you may like this, click here to order” and then they can harvest all the data.
LO: Right, they did not yet confirm that the data was actually stolen but I’m sure that this could definitely be significant if it were.
TS: Well, right. And that brings up another issue around this incident, the fact that they do not know if the data is stolen, what kind of IT staff do they have working over there? It is a [almost] Fortune 500 company. It’s mystifying to me, the amount of information they don’t appear to actually know. And also, the financial information was all encrypted, which is good. So the credit cards, payment cards are all tokenized. And they said they could not really be lifted. But the personal information, I mean, what was it, just left out there in plain text in the database somewhere? I actually emailed them to ask about some of these details. So hopefully, they’ll get back to me, and I’ll be able to do a follow-up story. Because it really is concerning that the IT staff a), doesn’t seem to know what happened. And b), they were not protecting customer information in the way that most people would assume that they would be.
LO: I know that other readers had kind of taken to Twitter, as you had pointed out in your article, to air their grievances about, as you said, the late night email notice – it does seem to be a little skeevy.
TS: Yeah. It was a little bit like, “oh nothing to see here. Maybe you’ll miss this because it came in at 1:30 in the morning.”
LO: Yeah, exactly.
TS: And also it was kind of funny, because some of the folks on Twitter too, are saying, what are cybercriminals going to do with my reading list? So I think it’s really important to stress to folks that, you know, they can do quite a lot with a reading list as seen in our Stephen King example. It’s important to keep in mind for sure.
LO: Right, right. It is just another piece of data that can be used for a lure for spear phishing, or phishing attacks. So that’s definitely important to note.
Well looking at some of the other big stories from this week, one that really stuck out to me that I wrote about was a new research report on how organizations have continued to receive these extortion emails that are threatening to launch a DDoS attack on their network unless they pay up. So this is part of this overarching DDoS extortion campaign that’s been going on since August. But I guess the campaign started in mid-August and has ramped up at the end of September and the start of October. So it’s really been on the rise as of lately. And what was kind of the big news there is that Travelex, the British foreign exchange company, was reportedly one of the latest high-profile threat recipients of this type of campaign.
TS: Yeah, for sure. Well, and I mean, I think it’s really interesting too, that this is just another type of – I mean, I don’t want to say ransomware because it is not ransomware – but, you know, the extortion attempts, the ransom attempts, obviously it has worked from the encryption malware standpoint. So now they’re shifting to trying different ways to extort companies, you know, with their data. And I think that is really, really interesting. Just another way to make systems inaccessible, right?
LO: I think the key difference is that ransomware attacks have already happened. Whereas in this case, companies, the attackers are going to companies and saying, if you don’t pay up, we’re going to launch this attack in the future. So it makes you wonder if this is a little less serious, or maybe impactful in that companies have that chance to harden their security. On the other hand, I did talk to researchers with Radware. And they were telling me that these threats are not hoaxes. And the actors have followed up with attacks. So that makes it all the more important to make sure that companies have the right security measures in place.
There were also a couple of interesting things that stuck out to me about this campaign. And first of all, the first one was that attackers were claiming that if victims don’t pay up, I think it was, you know, the equivalent of $230,000 in Bitcoin, then they would have the ability to launch an attack, that would peak at 2 terabytes per second. And that’s a huge claim. I mean, just to give some context there, I think the largest volumetric DDoS attack on record, as of February, at least, was on an Amazon Web Services customer. And that reached the levels of 2.3 terabytes per second. So I mean, that’s a pretty big claim. And another thing to note is that there is no proof that the claims that the cyber criminals are making about this level of volumetric attack are accurate. Researchers with Radware told me they hadn’t seen the two terabyte per second attack threatened in the letter in the report, however, orgs have seen attacks ranging up to 300 gigabytes per second, that combined multiple attack vectors, so the threat is there, but it might not be at the same level that they are saying they can reach.
TS: That’s interesting, really, because you never know. Do you want to test those waters? Are you gonna call the bluff? And even if it is not even that big of an attack, if it still takes out your systems, who cares [how big it is]? I wonder if part of that claim and boasting has anything to do with the fact that they are trying to pose as these advanced threat groups, these APTs that are known to be really well-resourced. You know, they’re masquerading as groups like Fancy Bear and Lazarus. So maybe they’re trying to claim that they have the same kinds of capabilities that those groups have.
LO: I think they are trying to pretend to be these APT groups, and really try to kind of play into the emotions there of different companies in different sectors. For instance, I believe it was depending on the vertical, they would have a choice of different APT. So you know, when they were targeting financial orgs, they were purporting to be Lazarus group. So I think they’re really trying to play into that fear factor there.
And another tactic that they use as well is that they threatened to up their ransom by 10 bitcoins for every day that it is not paid. And they do not have any other way for the victims to reach out to them, other than the Bitcoin address to send the payments to, so there is no, there’s no way to respond to them or try to negotiate. I mean, the threat’s just there. I think that there is kind of a level of fear there that companies will probably have when they get these kinds of threats. And I mean, these attacks, DDoS attacks can be pretty damaging for companies. I remember, I think it was in 2016 the DDoS attack on Dyn that disrupted the internet. And you know, I’ll never forget trying to get on to Netflix that morning and being disappointed that I was down. So I think these do have kind of a real world impact.
TS: Oh, yeah, for sure that attack was absolutely insane. And, yeah, let’s hope that this does not snowball into something that gets as endemic as ransomware attempts. It is pretty scary for companies right now, I think.
LO: Yeah. And I mean, this has also been going on, I was kind of doing some research into DDoS extortion attacks, and I mean, this has been going on for many, many years, too. It’s not that new, even back in 2015, the FBI was saying it saw an increase in the number of companies being targeted by these kinds of scammers who are threatening to launch these attacks if they do not pay a ransom. So I think that what this shows is that attackers are still upping their game and switching up their tactics and innovating to find new ways to target companies. And I think it is working as we saw with Travelex, which, by the way, which has had some bad juju with security this past year.
TS: Yeah, that’s the last thing they need for sure. Okay, well, Lindsey, the other thing that you covered this week that really stood out to me – when I saw it I was like, aha, finally – was Zoom finally debuting their end-to-end encryption service. What’s that all about? How’s the rollout going to progress?
LO: Yeah, so I think it was Wednesday when Zoom announced it is rolling out a technical preview for its end-to-end encryption into its platform. So what that means is, it is going to have four phases of the rollout. And the first one will be mainly to solicit feedback from users during the first 30 days, so they can kind of roll it out and flush out any issues and try to stomp out any problems there. And what’s interesting here, too, is kind of the background here with Zoom and end-to-end encryption. It has faced a lot of issues around its encryption policies, including the fact that there was a lot of backlash around Zoom telling users that it offered full encryption as a marketing term. That got a lot of backlash from kind of privacy and security experts who said that there is a difference between encryption and end-to-end encryption. And then there was another incident in May when Zoom announced it would actually offer end-to-end encryption but only to paid users, which as you can imagine, also garnered lots of controversy from privacy advocates who were saying that security measures should be free to all, so it definitely has had its fair share of issues around encryption leading up to this.
TS: Yeah. And that’s kind of interesting, because I went to a roundtable discussion that had the CISO for Zoom on there, a couple weeks ago, and I actually asked him what the plans were for this and whether his company is still wrestling with some of the backlash effects from not only the encryption debacle, but also just all the other issues. And, he dodged the question, which was pretty understandable. I mean, they did not want to open up the kimono, so to speak, on their plans before they were ready to pull the trigger, which I totally get. But, you know, he did say that they’ve had some growing pains, and they definitely were not prepared for the spike in usage around the pandemic. And so yeah, that is kind of, it’s kind of interesting. I mean, this is like watching growing pains in action. But hopefully this rollout will go well. And I know a lot of people that use Zoom for business, especially I’ve got some medical-professional people in my circle, doctors and whatnot, that use it all the time. And I always kind of cringe like, are you sure you want to use Zoom, but maybe with this, everything will be a little bit more secure. And people can rest a little easier when they use that service.
LO: Yeah, you have to give Zoom some credit here for actually going ahead and rolling this out. And I will say, even with all the security issues that they’ve had – and they have had a lot since the pandemic began – I think they have been doing a good job of kind of stepping up to the plate and trying to address these various issues. And, they acquired Keybase, to kind of bolster their encryption there and are now kind of rolling this out. So I think there are two things to note that I thought were important for Zoom users to think about, first of all, this isn’t on by default, so users will need to turn the feature on manually. And then the second thing is that enabling the feature may disable certain other features in Zoom. And I just thought that was kind of interesting to note, but some of the other features that might be disabled are the ability to join before the host and cloud recording and streaming and live transcription, breakout rooms, and so on, and so on. So just kind of two little tidbits there to keep in mind for Zoom users.
TS: Yeah, it’s kind of interesting how taking things offline from Zoom servers, taking the conversation kind of away from flowing through the Zoom servers, impacts technically, from a technology viewpoint, all these other kinds of bells and whistles, so people will have to make a value judgment, I guess, or a risk assessment and figure out what they like more. You know: private chats or encryption.
LO: Well, yeah, so that rolls out next week. So we will be keeping an eye on the launch there. And hopefully that rollout goes well. But, Tara, I think we have reached the end of the news wrap here. So thanks for coming on to talk about the biggest cybersecurity news stories of the week.
TS: Yeah, for sure. Thanks for having me, Lindsey, as always, and I hope you have a good weekend and catch you next week.
LO: You as well and that to all of our listeners. Thanks for tuning in to the Threatpost news wrap. If you liked what you heard today, feel free to leave a comment or question about anything that we covered today on our Twitter page, which is @threatpost. Thank you so much, and have a great weekend.
For more Threatpost podcast episodes – including exclusive interviews and behind-the-scenes coverage of breaking news, check out Threatpost’s Podcast page.