SolarWinds Developments ☀, Pfizer-BioNTech Vaccine Details Leaked 💉, WhatsApp's Rocky Week 💬

CyberLite Jan 18, 2021

Welcome to the first issue of CyberLite. You can get the most impactful news in cybersecurity delivered to you each week by subscribing here.


News

SolarWinds Hack Update

Quick Recap: Attackers gained access to SolarWinds’ network and were able to insert malicious code into the company’s Orion IT monitoring platform. About 18,000 SolarWinds customers received this compromised version of Orion, which gave the attackers a backdoor to their systems. These customers in the U.S. included the Treasury, Commerce, and Homeland Security Departments. With the attack being traced to Russian state-backed hackers, it certainly isn’t a good look for the US.

What’s new this week?

  • Timeline: SolarWinds have uncovered evidence that attackers started to access their network in September 2019, waiting until February 2020 to start deploying their malicious code into Orion. They continued doing this until June, which is the last time there’s evidence of them being active on the SolarWinds network. But it took until 12th December for the attack to be detected.
  • How was this possible? The malware used to target Orion and insert the malicious code into it has been named Sunspot. Investigators are looking at whether a development tool called TeamCity, created by JetBrains, was exploited to insert the code. TeamCity is used by software teams to automate the testing, building and deployment of apps, a practice known as CI/CD. If the tool was configured incorrectly, or if SolarWinds weren’t using an up-to-date version, it could have given the attackers a way to insert code without the developers being aware.
  • Warning to others: Tools like TeamCity are used all across the software industry. SolarWinds are urging other software providers to be mindful of how they manage the building and deployment of their software to ensure they aren’t attacked in the same way.

Stuff you should know

  • Supply Chain Attack: The SolarWinds hack is an example of a supply chain attack. This occurs when someone infiltrates your system through an outside partner or provider that you’ve given access to your systems.

People Aren’t Happy With WhatsApp

WhatsApp has had its back up against the wall this week after widespread backlash against its new privacy policy. The company issued explicit clarifications around the policy after it was reported that the new policy allowed for all WhatsApp data to be shared with Facebook. It has also pushed back the policy change from February to May to "help everyone understand our principles and the facts."

So what’s changed in the new privacy policy?

  • Facebook have just started offering secure hosting services to businesses to help them manage their messages on WhatsApp. If a business is using these services then any messages you send them will be shared with Facebook.
  • Businesses can display their goods on WhatsApp using Facebook Shops, and WhatsApp users’ shopping activity can be used to personalize ads on Facebook and Instagram.

However, it is worth noting that even before these updates WhatsApp has always shared certain data with Facebook. This data includes most notably your phone number, transaction data, mobile device information and IP address. But neither Facebook nor WhatsApp has any access to users’ messages, calls or a history of who you have messaged or called.

Big Picture: The changes are very minor and certainly don’t come close to an all-encompassing data sharing agreement between Facebook and WhatsApp. However, due to WhatsApp’s poor handling of a very minor change, and the fact that users are increasingly conscious of their privacy, the whole debacle has cost them users and damaged their reputation. The privacy-focused messaging platform Signal added more than 30 million new users last week (although an endorsement from Elon Musk certainly helped).

Trump Bans Eight New Chinese Apps

On his way out the door, Donald Trump has signed an executive order banning Chinese apps including Alipay and WeChat Pay. The executive order said that the apps “threaten national security, foreign policy, and economy of the United States”, because “Chinese connected software applications can access and capture vast swaths of information from users, including sensitive personally identifiable information and private information.”

The ban has 45 days to come into effect, so we’ll see if the Biden administration follows through on enforcing this.

Pfizer-BioNTech Vaccine Data Leaked

In December the European Medicines Agency (EMA) experienced a cyberattack, with the attackers accessing documentation about the Pfizer-BioNTech vaccine that was under regulatory review at the time. This documentation has been leaked online by the attackers. Their intentions are unknown, but it is possible that the aim is to spread misinformation about the vaccine approval processes and create confusion.

Ubiquiti Data Breach

Ubiquiti, who sell internet connected devices such as routers, security cameras and access control systems (key fobs and locks), have experienced a data breach. They’re a big player in this space and have shipped more than 85 million devices. They became aware that an incident at one of their cloud providers may have exposed customer account information. Credentials for remotely managing Ubiquiti devices may have been exposed, which in some cases could grant bad actors physical access to buildings that use Ubiquiti’s access control products.


Rapid Fire

Some shorter stories…

  • Ring adds end-to-end encryption to its smart doorbells and cameras. However, less than 50% of their products will support this, with only more recent releases receiving the update. Link.
  • The world’s largest dark web marketplace, DarkMarket, has been shut down. Records were found of 320,000 transactions worth around £140m. The site sold lots of illegal goods, from drugs to stolen credit cards. Link.
  • Apple has removed a macOS feature called “ContentFilterExclusionList” that allowed some of its own apps, like Maps, to bypass firewalls and VPNs. Link.
  • Facebook uncovered four malicious Chrome extensions that were collecting users’ profile data. The extensions were disguised as legitimate messaging and keyboard extensions. Facebook is taking legal action. Link.
  • Researchers have found a way to find users’ locations in Telegram. By faking their own location and finding the distance to the user from three distinct points they were able to calculate a user’s exact location. Link.
  • A hacker took control of people’s internet connected chastity cages… then demanded a ransom to unlock them. Definitely a reasonable case study that not everything needs to be connected to the internet. Link.

New Vulnerabilities

The most interesting new vulnerabilities disclosed this week.

  • The “Orbit Fox” WordPress plugin has a bug which allows a whole site to be taken over. WordPress is one of the most popular and simple ways to set up a website or a blog. There’s been a seemingly never-ending stream of vulnerable WordPress plugins over the last few months, so be very careful with what plugins you use. Link.
  • Adobe patched seven critical vulnerabilities, most notably a bug in Photoshop that could enable arbitrary code execution, allowing an attacker to execute their own malicious code. Link.
  • Critical Vulnerability in Microsoft Defender: Microsoft released patches for 10 critical bugs, the most serious being a vulnerability in Microsoft Defender. They have evidence that the vulnerability is being actively exploited by hackers. Microsoft no longer provides a great deal of detail when disclosing vulnerabilities. But we know this vulnerability enabled attackers to infect systems with their own malicious executable code and it is believed that it could have been used as part of the SolarWinds attack. Link.

Anything Else?

Other news, ideas and insights from around the web that you might enjoy.

Privacy policies have never exactly made for light reading… Researchers in America have developed a browser plug-in to automatically analyze privacy policies for you and then highlight anything you should be aware of. Link.

The fallout from de-platforming Trump and shutting down Parler isn’t going anywhere. The tech community will certainly be talking about it for many weeks to come. Here’s a discussion I really enjoyed on the All-In podcast that incorporates lots of different viewpoints. Link.

The Register on the impact of SolarWinds for cyber security. Link.

Infosecurity magazine’s top trends in cyber security for 2021. Link.


❤ Liked what you read?

Nothing helps me out more than sharing CyberLite with a friend who might enjoy it. If you do please tag me so I can say thanks!

If you’re that friend… Sign up here to receive CyberLite every week!


🎁 Wrapping Up

If you’ve got questions, comments or just fancy a chat then shoot me an email or send me a message on LinkedIn/Twitter. I’d love to hear from you!

Thanks for reading, I’ll catch you next week!

Oli

Oliver Kitchin

Cybersecurity consultant. Passionate about people, technology and the great outdoors. He/Him.
