Bear Security – Security News for Week of June 12th, 2021
These are the stories that relate to our careers, clients, and businesses in the cybersecurity world for the Week of June 12th, 2021. Watch this in video form over on YouTube, or you can listen on the go with the Bear Security podcast.
FBI Ran Encrypted Communications App to Catch Criminals in Global Operation
Vice reported on Monday that the FBI has, since 2018, been running a covert operation built around an encrypted messaging system called Anom. Anom shipped on devices distributed by organizations known primarily for serving criminal groups. The app was built with a master key that allowed law enforcement to decrypt and store every message as it was transmitted, without the users' knowledge. According to newly unsealed court documents, the operation netted more than 20 million messages from over 11,800 devices across 90 countries. So far this honeypot has led to 224 arrests, the seizure of 3.7 tons of drugs, and the disruption of 20 threats to kill, though the FBI says messages from US users were not reviewed.
Read the full breakdown of this investigation and what Vice uncovered over on their website.
Microsoft Patch Tuesday Resolves 50 Vulnerabilities, 6 of Which Are Currently Being Exploited
The Register is reporting that Microsoft’s Patch Tuesday for June was another major one. This month’s updates address 50 different flaws, 6 of which are currently being exploited; those 6 include remote code execution and elevation of privilege bugs plus a single information leakage issue. While the critical vulnerabilities in Microsoft Defender and the VP9 codec will update without Administrator intervention, the remaining ones in Remote Desktop Services for Windows 7 and the Windows MSHTML platform will need the monthly roll-ups to be applied.
The Register also noted in the Patch Tuesday story that Adobe has released a patch bundle addressing more than 39 vulnerabilities in its software across macOS and Windows, though none of those are currently known to be exploited in the wild.
Read the full story over on The Register.
Chrome Zero-Day Actively Being Exploited – Update Now!
The Hacker News is reporting that on Wednesday Google published an update to Chrome to address 14 newly discovered security issues, including one zero-day that’s currently being exploited in the wild. Users are urged to update immediately. The critical vulnerability addressed is a heap buffer overflow and type confusion issue in V8, Chrome’s open-source JavaScript engine. Google’s Threat Analysis Group believes the same actor abusing this vulnerability is also abusing the Windows MSHTML platform zero-day that Microsoft patched this Tuesday, and that both zero-days may be getting used against targets in Eastern Europe and the Middle East.
Read the full story over on The Hacker News.
Hackers Breached EA and Stole Source Code
PC Magazine is reporting that Electronic Arts has confirmed that they were breached after Vice reported that hackers were allegedly selling the company’s stolen code on an online forum. A spokesperson for EA told PC Magazine that “No player data was accessed, and we have no reason to believe there is a risk to player privacy”.
Hackers claim to have stolen 780 GB of data including source code for EA’s Frostbite gaming engine, FIFA 21’s matchmaking server, software frameworks for many of EA’s proprietary games, and API keys for the upcoming FIFA 22 game. EA has already begun to bolster its IT security as it continues to investigate the incident along with support from law enforcement.
Read the full story over on PC Magazine and the initial report over on Vice.
New Attack against TLS Known as ALPACA
Researchers announced a new way to exploit TLS communication that they call ALPACA, short for “Application Layer Protocol Confusion – Analyzing and mitigating Cracks in TLS Authentication”. The attack depends on several factors, so the exact benefit to an attacker varies. For example, a malicious actor could, under the right circumstances, redirect traffic from one subdomain to another without breaking session validity, steal cookies, or perform cross-site scripting. In most cases, however, a man-in-the-middle position is needed to intercept and divert the victim’s traffic.
The attack exploits defects in the configuration of TLS services together with the fact that TLS does not bind a session to the source and destination IP address and port, which leaves room for traffic manipulation. The researchers say that the ALPN and SNI extensions to TLS, where available, can provide some protection, provided SNI is configured to terminate connections on a hostname mismatch rather than falling back insecurely to a default server.
Vendors are already responding to the research with efforts to remove vectors for exploitation or add countermeasures in the application layer and/or their implementation of TLS. The researchers plan to formally present findings at Black Hat USA 2021 and USENIX Security Symposium 2021.
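As an added illustration of the strict-SNI mitigation described above (example configuration written for this post, not taken from the article or from the ALPACA researchers), here is how the "no insecure fallback to a default server" advice looks in nginx. The hostnames and certificate paths are placeholders, and the `ssl_reject_handshake` directive assumes nginx 1.19.4 or newer.

```nginx
# Added example (not from the article or the ALPACA paper): strict SNI in nginx.
# Hostnames and certificate paths below are placeholders.

# Catch-all server. A TLS client that sends no SNI, or an SNI name that matches none
# of the server blocks below, has its handshake rejected outright instead of being
# handed the certificate of whichever virtual host happens to be the default.
# Requires nginx >= 1.19.4 for ssl_reject_handshake.
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

# The real service: answers only for the hostname its certificate covers.
server {
    listen 443 ssl http2;
    server_name www.example.com;                      # placeholder hostname

    ssl_certificate     /etc/ssl/example/www.crt;     # placeholder path
    ssl_certificate_key /etc/ssl/example/www.key;     # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Application configuration for www.example.com goes here.
}
```

With this layout a redirected connection that presents a different (or missing) SNI name never completes the handshake, so there is no default certificate for a confused client to accept. ALPN is the other half of the researchers' advice: with `http2` enabled nginx advertises only HTTP protocols in ALPN, but whether a server actually aborts on an unexpected ALPN value is implementation-specific, so check the behaviour of each TLS service that shares a certificate rather than assuming it.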
View the full research paper and more information on the ALPACA Attack website.
ITPro.TV Hacker Free Weekend!
(promotional) Our friends over at ITPro.TV are allowing you to check out their hacker/security-oriented courses for free through Sunday. This includes their CompTIA PenTest+, CEHv10 training, and more. Sign up for a free account today, or get a paid account and use our code, SYNTAX30, to get 30% off for the lifetime of your membership. By being a part of ITPro.TV, you help support our efforts here at Syntax Bearror. Click here to learn more.
Things Not Included in This Week’s Episode
- The National Institute of Standards and Technology (NIST)’s comment period for HIPAA implementation guidance is open through June 15th.
- CircleCityCon is going on this weekend!
- Next week is Wild West Hackin’ Fest!
That’s all for this week’s security news. Come back every Saturday for the next rendition or check it out over on YouTube or on podcast. Stay safe out there friends.