Weekly Cyber Threat Report, July 19-July 23

From the good news:

This week, we’ve learned about a number of security initiatives from Google, IBM, GitHub, and US government, China’s video content ban, and more.

• The US House on Tuesday approved five bipartisan measures designed to strengthen cybersecurity following recent major cyberattacks. The cyber-related package included measures to fund cybersecurity at the state and local level, bolster reporting requirements and test critical infrastructure.
• IBM has added new tools to its FlashSystem family that should help organizations recover from ransomware and other cyberattacks. The new component is called IBM Safeguarded Copy and creates recoverable copies of data stored on flash storage arrays in “immutable snapshots.”
• Google Cloud has expanded its security offerings. Autonomic Security Operations for the managed security services market provides access to products, integrations, blueprints, technical content and an accelerator program to help customers emulate a best-in-class Security Operations Center. New Cloud IDS is a cloud-native, managed Intrusion Detection System that is integrated with Palo Alto Networks technology. And new Adaptive Protection is an ML-based security solution that automatically protects against distributed denial of service attacks (DDoS).
• The DHS’s Transportation Security Administration (TSA) has issued a new security directive jointly developed with CISA. The directive specifically mentions ransomware attacks and lists protection actions. It also orders pipeline operators to “develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review” and requires that all pipeline operators need to create contingency plans and ways they could recover from an attack.
• Google has released Chrome 92 with fixes for several high severity security issues and new privacy features. A new feature in Chrome for iOS now lets users lock incognito tabs with Touch ID, FaceID, and a passcode.
• The Cyberspace Administration of China (CAC) on Wednesday banned children under 16 from appearing in online live-streaming and video platforms. The action was taken in response to soft pornographic images of children appearing on platforms, such as Tencent QQ, Kuaishou, Taobao, Sina Weibo, and Xiaohongshu, the CAC said.
• GitHub has announced a number of security upgrades for Golang modules. One area of improvement is GitHub’s Advisory Database, an open-source repository of vulnerability information that already contains over 150 Go advisories.

From the bad news:

This week has brought news about Pegasus spyware abuse by various governments, exploited Pulse Secure devices, a data breach at Saudi Aramco, and other important stories you can’t miss.

• Researchers from non-profit Forbidden Stories jointly with Amnesty International claimed that spyware Pegasus developed by an Israeli software company NSO Group is systemically abused by various governments to surveil thousands of heads of state, activists, journalists, and lawyers around the world in violation of human rights. Among the leaked names of targets was Emmanuel Macron. NSO denied the allegations.
• The UK National Lottery Community Fund experienced a data breach exposing the sensitive personal data of grant holders and applicants. The data is from between September 2013 and December 2019 and includes names, physical addresses, email addresses, landline and mobile numbers, dates of birth, bank account details, and more.
• WizCase researchers said more than 1,000 GB of data and over 1.6 million files from dozens of US municipalities were exposed online in dozens of misconfigured Amazon S3 buckets managed by mapsonline.net, which is owned by a Massachusetts company called PeopleGIS.
• A new “Peril in a Pandemic” report by CyRC shows over 60% of Android apps have security flaws, and the average number per app is a staggering 39. The bugs are found in various app types, including such sensitive as bank and payment apps.
• CISA found over a dozen malware samples on exploited Pulse Secure devices that was mostly undetected by antivirus products. Attackers exploited multiple vulnerabilities to gain initial entry and place webshells for backdoor access.
• Ermetic introduced new identity governance capabilities of the Ermetic Cloud Security platform to help automatically identify and manage issues with security policies for multi-cloud environments. The feature automatically identifies and alerts about resources that are affected by policy violations, such as unauthorized or suspicious activity.
• CISA & FBI said between December 2011 to 2013 Chinese hackers infiltrated networks of 13 US pipeline companies using used spear-phishing. Their end goal was to develop cyber capabilities for more sophisticated attacks against US pipeline infrastructure.
• Attackers have stolen over a terabyte of data from Saudi Aramco, one of the largest public petroleum and gas companies, and are selling it on the darknet. ZeroX is believed to be bhind this breach.
• A French security researcher reported a new NTLM relay attack he dubbed PetitPotam that allows to take over a domain controller and thus an entire Windows domain. The PoC is available on GitHub.