Hey everybody, and welcome to Byte Sized News—your weekly cybersecurity news roundup.
The SolarWinds / FireEye hack has sent shockwaves through the entire cybersecurity industry, as you’ll see with plenty of followup news this week. Additionally, many big, yet unorthodox players have stepped into the InfoSec news spotlight this week. Who thought ordering a sub sandwich could leave you vulnerable to a cyberattack?
As always, this series isn’t intended to provide readers with details on every story and topic but rather to fill busy professionals in on the most compelling developments in the field.
If you’re a cybersecurity practitioner who just happened to cut off all communications with the industry this past week, this first article from CSO Online will help fill you in on what you missed.
The recent breach of major cybersecurity company FireEye by nation-state hackers, (believed to be the Russian group Cozy Bear) was a part of a much larger hack that was brought to life by malicious updates to the popular network monitoring product SolarWinds.
This breach just goes to show the massive impact that software in the supply chain can have on an organization’s security posture, and, unfortunately, how unprepared most companies are for something like this. This breach gave the Russian hacking group access to computer systems belonging to multiple US government departments, including the Departments of Treasury and Commerce. This breach was the culmination of a long campaign that began back in March.
What makes this attack even more devastating is how interconnected SolarWinds is with the majority of powerhouse companies in the United States. SolarWinds claims to work with 425 of the US Fortune 500, the top ten telecommunications companies, the top five US accounting firms, all branches of the US military, the Pentagon, the State Department, and hundreds of universities and colleges worldwide.
In a followup article to our previous one, Reuters walks through the Russian group’s efforts to spy on the US Departments of Treasury and Commerce.
Cozy Bear, the Russian hacker group suspected of the SolarWinds and FireEye breach last week, has supposedly used that same attack vector to breach and spy on multiple branches of the US government. Additionally, the hacks uncovered for these departments appear to be just the tip of the iceberg. This attack is so serious that it has led to a National Security Council meeting at the White House scheduled for this Saturday.
While not much has been commented on publicly, US officials have confirmed a breach at one of their agencies and stated that they’ve asked the Cybersecurity and Infrastructure Security Agency and FBI to investigate. Additionally, National Security Council spokesman John Ullyot states that they are “taking all necessary steps to identify and remedy any possible issues related to this situation.”
While the US has not publicly identified those responsible for the attack, it is widely believed that Russia is the culprit.
According to an article from InfoSecurity Magazine, millions of users have been put at risk of compromise from malware hidden in multiple browser extensions.
Avast stated in their discovery that the end goal for these attacks was to monetize traffic by driving users to websites with advertisements that made the attackers money. However, through redirects, users could also end up on spoofed phishing websites. It is currently unknown whether the extensions were built with malware included originally or whether the malware was injected in a later update patch. Another idea is that the extensions were created by someone, then eventually sold off to another individual who injected them with malware.
“The extensions’ backdoors are well hidden and the extensions only start to exhibit malicious behavior days after installation, which made it hard for any security software to discover,” said Jan Rubin, malware researcher at Avast.
While Avast discovered the threat back in November, the vendor was candid in admitting that the attack could have been active for years.
Our next story is an unlikely headline coming from Threatpost about the world’s most popular sandwich chain — Subway.
Count Subway sandwich enthusiasts as the latest group of victims of cybercrime. Researchers at Sophos have discovered a phishing campaign that was aimed at Subway loyalty-card members in the UK and Ireland. This phishing campaign was designed as an attempt to trick these loyalty members into downloading malware, but according to Sophos, it “wasn’t particularly impressive.”
“As far as phishes go, this one isn’t terribly sophisticated or believable, and the scam itself requires several clicks, each one more sophisticated than the last,” the report said.
Subway spokesperson Shani Shaker Kekati told Threatpost that the company has “no evidence guest accounts have been hacked,” adding, “however, the system which manages our email campaigns has been compromised, leading to a phishing campaign that involved first name and email. The system does not hold any bank or credit-card details. Crisis protocol was initiated and compromised systems locked down.”
While this may be enough information for many to celebrate with a Cold Cut Combo footlong from Subway, don’t be too hasty. A first name and email address is often all it takes for a customer to trust a phishing email, so there may be users who fell for the campaign.
Our last headline from the week from Cyberscoop is an expensive one for Twitter.
Regulators in Ireland have fined Twitter for failing to report a data breach promptly and not adequately documenting the incident, marking the first time the regulator has penalized a “big tech” company for violations of Europe’s data protection law.
The almost $550,000 (450,000 euro) penalty stemmed from a bug that allowed thousands of people’s private tweets to be made public between late 2014 and early 2019, when Twitter reported the problem to European authorities. Twitter states that the only information it had access to was which specific users were affected by the breach from September 2017 onward, a user number totaling around 89,000. The bug only affected users on Twitter’s Android application.
Ireland’s Data Protection Commission issued the fine on Tuesday on behalf of the European Union, under the EU’s General Data Protection Regulation (GDPR). Twitter’s European headquarters is located in Ireland—along with Google, Facebook, and several other tech giants—meaning that Ireland usually takes the lead on this sort of thing.
The DPC later called the fine an “effective, proportionate, and dissuasive measure.” The fine is due in large part to the gap in time from when Twitter knew about the bug and when it finally reported on it. Twitter apparently discovered the bug in December of 2018 but did not notify the commission until January of 2019. In addition to the delay, the fine also took into account Twitter’s failure to comply with rules of full documentation.