Congress wants CVE stability, China wants your LinkedIn details, and Adobe wants you to patch Creative Cloud
Also: Belarus barely brushes botnet builder's bankroll
Here’s a bit more of the recent news in security:
Exciting new LinkedIn use case: Chinese spying
Be careful the next time you get an invite to connect on LinkedIn: you might be pitched on something more than a job opportunity.
Reuters reports that Chinese agents have been contacting thousands of users on LinkedIn via fake accounts, trying to find high-value targets who can then be recruited to hand over sensitive information to Beijing.
The report cites counter-intelligence boss William Evanina in claiming that the People’s Republic has been running rampant on the business networking site looking to lure users into giving them valuable intel and, he claims, LinkedIn is doing little to stop it.
Evanina is now calling on LinkedIn to take on a Twitter-esque mass culling of fake accounts.
Satori suspect traced to Toronto
A 20-year-old Toronto resident has been charged by a US District Court in Anchorage, Alaska with two counts of using malware to damage computers between August and November 2017.
In December 2017, Check Point’s researchers traced the Satori botnet to an amateur who named himself ‘Nexus Zeta’, who regularly visited a web forum for wannabe black hat hackers.
In early 2018, a Pastebin post by rival hackers supposedly revealed Nexus Zeta’s real identity, naming the same Kenneth Schuchman who has been charged by the US court.
I'll be BEC
An analysis of more than 3,000 business email compromise (BEC) attacks reveals that crooks are almost as interested in tricking recipients into visiting dodgy websites as initiating wire transfers.
Although the number one objective of the cyber criminals behind BEC attacks was to generate a wire transfer (46.9 per cent), fooling a recipient into clicking on a malicious link was the primary goal in two in five such scams (40.1 per cent), according to Barracuda Networks.
One in eight (12 per cent) of attacks try to establish rapport with the target by starting a conversation. A similar 12 per cent go straight for the jugular by asking for personal information as an opening gambit.
Three in five (60 per cent) of the attacks did not include malicious links, but are a simple plain text email intended to fool the recipient to commit a wire transfer or send sensitive information.
Around half (43 per cent) of such email scams pose as messages from company chief executives. The term ‘CEO fraud’ to describe BEC is therefore borne out by a review of real scam messages sent to 50 randomly-selected companies, the basis of Barracuda’s research.
Creative Cloud cleanup commences
If you’re running Adobe’s Creative Cloud suite, you’ll want to make sure you have the most recent release.
That’s because earlier this week Adobe posted a security update for the bundle to address a potentially serious security vulnerability.
CVE-2018-12829 is a privilege escalation vulnerability that, while not particularly serious on its own, could be used in combination with other attack methods to give an attacker control over the target machine.
Adobe says you can get that patch by opening the Preferences>General screen in Creative Cloud and getting the latest version.
Belarus takes it easy on botnet crook
It’s often said that crime doesn’t pay. In some countries, it seems that the criminal justice system doesn’t charge much either.
Earlier this month, Sergey Yarets of Belarus was released a free man after posting a $5,500 payment to the government. This despite Yarets having been found to be Ar3s, the controller of the massive Andromeda botnet.
Even though he was found to have been running the massive botnet for years, authorities in Belarus decided that the cash fine and the eight-plus months already served in custody were enough, and he was released.
While the government has said that the lenient punishment was in large part because most of those affected were not Belarusian citizens, Recorded Future’s Alexandr Solad thinks there’s a bit more going on.
“This case is another example of a double standard toward prosecuting cybercriminals in post-Soviet countries, where they treat their own cybercriminals differently, allowing them to avoid fair punishment and then using them in the interests of the state, neutralizing the efforts of the international community to combat cybercrimes,” Solad noted.
Huawei sounds alarms over reset bugs
A security hole in Huawei phones could allow some attackers an easy way to compromise Android handsets.
The Chinese phonemaker has put out an advisory explaining how a security bypass function can be used to jailbreak the Mate 10 Pro phone with ease.
The flaw, CVE-2018-7936, is exposed when the handset is being restored to its defaults using the Factory Reset Protection tool. If the phone is connected to a PC, the attacker can send instructions that will disable the boot wizard and allow full access to the OS with the ability to install third-party software.
Huawei recommends Mate 10 Pro owners update their firmware to version BLA-L29 184.108.40.206(C432) to get the fix.
Congress moves to stabilize funding for CVEs
It may come as a surprise to know that the trusted CVE program is in fact a US government operation. MITRE, the non-profit that runs the system, gets cash to operate from federal contracts. This means that the stability of CVE and its ability to operate depend on the specifics of the contract in force at the time.
Now, the House Energy and Commerce Committee wants to fix that by permanently tying the CVE program to the DHS’ annual budget. The plan is to give the program its own line in the Program, Project, or Activity section of the budget. This would put the CVE database on par with other cybersecurity programs like CERT or EINSTEIN.
The committee has written a letter [PDF] to DHS secretary Kirstjen Nielsen requesting approval of the plan to put CVE into the budget.
“Since the CVE program’s inception in 1999, it has become a critical piece of cyber infrastructure and as such, deserves a dedicated funding stream,” the committee writes.
“Funding this key cybersecurity program through piecemeal, short-term contracts does it a disservice.” ®