the near future: the latest about the next few months.
The ‘New Normal’ is Here to Stay for Some Time: New Survey Reveals Organizations’ Security Priorities for 2021 and Beyond (Check Point Software) As 2020 draws to a close, we are approaching a milestone on the pathway through the Covid-19 pandemic. While cases and deaths continue to rise globally
Turning the Tide: Trend Micro Security Predictions for 2021 (Trend Micro) The seismic events of 2020 have created long-lasting changes in work environments across the globe, and opened up new attack avenues for cybercriminals. Cybersecurity will help enterprises and ordinary users adapt safely to these new conditions.
User Education, Cloud Security and XDR Are Critical for Cybersecurity in 2021 (PR Newswire) Trend Micro Incorporated (TYO: 4704; TSE: 4704), the leader in cloud security, predicts that home networks, remote working software and cloud...
Identity Fraud Report 2020: COVID is Changing the Face of the Fraud Economy as Amateur Attacks Surge (Onfido) Unsophisticated fraud attacks increased 23% year-over-year, suggesting more first-time fraudsters
6 new ways threat actors will attack in 2021 (CSO Online) Cyber criminals will leverage improved capabilities and vulnerabilities introduced during the COVID crisis to improve the efficiency of their attacks.
Cyber Attacks, Threats, and Vulnerabilities
U.S. National Security Agency warns of Russian hacking against VMware products (Reuters) A new cybersecurity alert from the U.S. National Security Agency warns that Russian "state-sponsored" hackers are actively exploiting a software vulnerability in multiple products made by cloud computing company VMware Inc.
NSA Warns of Russian Hackers, Urges Patching of Defense Systems (Bloomberg) The U.S. National Security Agency warned that Russia’s hackers are exploiting a flaw in products made by the software company VMware Inc.
The NSA Warns That Russia Is Attacking Remote Work Platforms (Wired) A vulnerability in VMware has prompted a warning that companies—and government agencies—need to patch as soon as possible.
NSA Warns: Patched VMware Bug Under Active Attack (Threatpost) Feds are warning that adversaries are exploiting a weeks-old bug in VMware’s Workspace One Access and VMware Identity Manager products.
Russian state-sponsored hackers exploit VMware vulnerability (SearchSecurity) According to a National Security Agency advisory, Russian state-sponsored malicious cyber actors exploited a well-known VMware vulnerability in the vendor's virtual workspaces. While the vulnerability was disclosed and patched by VMware, the NSA said threat actors are exploiting unpatched systems.
Microsoft O365 Fails to Block Spoofed Emails Sent from Microsoft.com (IRONSCALES) The 200 million Microsoft Office 365 (O365) users worldwide are now being targeted by a new global spear-phishing attack spoofing Microsoft.com.
Wormable, Zero-Click Vulnerability in Microsoft Teams (SecurityWeek) Microsoft has quietly patched a wormable, zero-click vulnerability in the widely deployed Microsoft Teams application.
Cross-platform browser data leak flaw could be applied to attack reconnaissance (The Daily Swig) Medium risk vulnerability patched by Mozilla – but not Google or Microsoft
Amnesia-33 vulnerabilities affect 158 vendors, millions of devices (SC Media) Manufacturers affected by the 33 vulnerabilities in open-source TCP/IP stacks often buried deep in the supply chain may not immediately know their devices are at risk.
Research: Millions of smart devices vulnerable to hacking (KOB 4) Researchers at a cybersecurity firm say they have identified vulnerabilities in software widely used by millions of connected devices - flaws that could be exploited by hackers to penetrate business and home computer networks and disrupt them.
AMNESIA:33 – Forescout Research Labs Finds 33 New Vulnerabilities in Open Source TCP/IP Stacks (Forescout) What Is AMNESIA:33? AMNESIA:33 is a set of 33 vulnerabilities impacting four open source TCP/IP stacks (uIP, PicoTCP, FNET, and Nut/Net), which collectively serve as the foundational connectivity components of millions of devices around the world. The details of these vulnerabilities are described in our technical report and will be presented at Black Hat Europe […]
AMNESIA 33: How TCP/IP Stacks Breed Critical Vulnerabilities in IoT, OT and IT Devices (Forescout) Forescout Research Labs has launched Project Memoria, an initiative that aims at providing the community with the largest study on the security of TCP/IP stacks.
The Unseen Risk Facing the Enterprise of Things (Forescout) Over the last several years, we’ve seen an escalation in attacks leveraging connected devices. The world is just beginning to understand, though, that traditional IT devices represent only the tip of the iceberg when it comes to cyber risk. The proliferation of agentless IoT, OT and other connected devices will create a potentially far greater […]
Digital Defense, Inc. Discloses Zero-Day Vulnerabilities in D-Link VPN Routers (Digital Defense) Work From Home Use of Popular VPN Routers Increases Immediacy of Critical Patch
Hacker opens 2,732 PickPoint package lockers across Moscow (ZDNet) PickPoint says this is the world's first targeted cyberattack against a post-gateway network.
UAE Says It’s Weathering ‘Cyber Pandemic’, Facing Hack Attacks in Wake of Israel Normalization Deal (Sputnik) In August, the United Arab Emirates and Bahrain became the third and fourth Arab League member states to normalize ties with the State of Israel, with Washington...
Foxconn says internet connection back to normal after ransomware attacks (Reuters) Apple supplier Foxconn said on Tuesday the internet connection in its facility in Americas has gradually returned to normal after it was attacked by ransomware.
Foxconn electronics giant hit by ransomware, $34 million ransom (BleepingComputer) Foxconn electronics giant suffered a ransomware attack at a Mexican facility over the Thanksgiving weekend, where attackers stole unencrypted files before encrypting devices.
Foxconn Ransomware Attack Reportedly Damages Servers, Backups (CRN) A ransomware attack against Taiwanese electronics manufacturer Foxconn resulted in stolen files, encrypted files and deleted servers at the company’s Mexican facility, according to BleepingComputer.
Update to Recent Schneider Electric M221 PLC Vulnerabilities (Claroty) Schneider Electric disclosed today another vulnerability uncovered by Claroty researchers in its Modicon M221 PLC and EcoStruxure Machine Expert Basic.
Computer Network Incident Update (GBMC) On the morning of Sunday, December 6, 2020, GBMC HealthCare detected a ransomware incident that impacted information technology systems. Although many of our systems are down, GBMC HealthCare has robust processes in place to maintain safe and effective patient care. We are collectively responding in accordance with our well-planned process and policies for this type of event.
Ransomware operators have adopted a dastardly new strategy (TechRadar) Victims of ransomware attacks are being harassed over the phone
Understanding BEC Scams: Supplier Invoicing Fraud (Proofpoint) BEC supplier invoicing scams are sophisticated and complex schemes to steal money by either presenting a fraudulent invoice as legitimate or by re-routing the payment to a bank account controlled by the attacker.
Don’t get hooked by GDPR compliance phishing scams (ITProPortal) A fresh spate of GDPR compliance scams highlights how cybercriminals are consistently developing their tactics to take advantage of human error and capitalise on fear and confusion.
Hackers Allegedly Steal 81,000 Facebook Accounts, Selling Them for as Low as 10 Cents Each (Tech Times) Around 81,000 Facebook accounts were allegedly stolen by hackers and the information sold for as low as just $0.10/account!
Baltimore County schools shut down after a cyberattack. The same could happen in Philly. | Opinion (Philadelphia Inquirer) What if colleges with advanced cybersecurity expertise were to step up to protect Philadelphia and other schools from cyberattacks?
Investigation in cyber attack stretches into second week, as students return to class (WAFF) As the investigation into the possible ransomware attack continues, HCS administrators are still asking students to keep their laptops off and stay away from school platforms.
Steelcase cyberattack serves as warning for manufacturers, experts say (MiBiz) As details on a recent cybersecurity attack against Grand Rapids-based office furniture giant Steelcase Inc. begin to surface, local manufacturers of all industries and sizes may want to take notice.
Long Beach Computer Network Shut Down After Cyber Attack Found (Long Beach, NY Patch) The city's IT workers found unusual activity and shut down the city's systems to prevent the attack. So far, it seems no data was stolen.
Saint John network will continue to be offline until 2021 after cyberattack (CBC) The holiday break means Saint John's network, including online payments, won't be back until at least January of next year after a ransomware attack caused the city to shut down its systems.
Vulnerability Summary for the Week of November 30, 2020 (CISA) The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Security Patches, Mitigations, and Software Updates
Tripwire Patch Priority Index for November 2020 - VERT (The State of Security) Tripwire's November 2020 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Adobe, and Oracle.
Cyber Trends
COVID is Changing the Face of the Fraud Economy as Amateur Attacks Surge (Onfido) Rate of identity fraud increased 41% over the previous year. Unsophisticated fraud attacks increased 23% year-over-year, suggesting more first-time fraudsters. INTERPOL contributes to benchmark report; links ID fraud to “organized crime, money laundering and terrorism.”
Security vs. User Experience (87% Say User Experience Is What Counts) (Menlo Security) Cloud-delivered security prevents organizations from having to make a security vs. experience decision to support a hybrid IT model.
SMB employees are scared they’ll be blamed for data breaches at work (ITProPortal) Staff more likely to keep quiet than flag a potential threat.
Synopsys Study Shows Open Source Security Top-of-Mind but Patching Too Slow (PR Newswire) Synopsys, Inc. (Nasdaq: SNPS) today released the report, DevSecOps Practices and Open Source Management in 2020. Produced by the Synopsys...
DevSecOps Practices and Open Source Management in 2020 (Synopsys) As software relies more and more on open source components, organizations must be proactive in managing the associated security, license, and operational risks.
Verizon Report Finds Cyber Espionage Attacks Aimed Mostly at Endpoints (Security Boulevard) Verizon has published a 2020 Cyber Espionage Report that finds the bulk of these types of attacks are aimed at endpoints such as desktops and laptops.
Firms reel from social engineering attacks (Gulf Business) Call to realign IT security budgets to match BEC-dominated threat landscape
Marketplace
Dragos Announces Record-Setting $110M Investment in Industrial Cybersecurity with Series C Funding (BusinessWire) ICS/OT cybersecurity firm Dragos has secured $110 million in Series C funding from investors representing some of the world’s largest corporations
Cybersecurity Firm Dragos Raises $110 Million as Industrial Facilities Face New Threats (Wall Street Journal) Cybersecurity firm Dragos has raised $110 million in new funding.
Salt Security Raises $30 Million in Series B Funding, Cementing Leadership Position in API Security (BusinessWire) Salt Security announces that it has raised $30 million in Series B funding led by Sequoia Capital.
Beyond Identity Raises $75 Million to Take Customers Beyond Passwordless to the Identity Platform of the Future | Beyond Identity (Beyond Identity) Funds Will be Used to Advance “Passwordless” Into the Era of Continuous Authentication and Meet Exploding Demand for the Company’s Advanced Passwordless Identity Platform
Here's the 11-slide pitch deck a startup that analyzes consumers' digital behavior to fight fraud used to raise a $7 million Series A (Business Insider) Neuro-ID analyzes behavioral data like how users tap, type, and scroll, to fight fraud and help financial services companies boost conversion.
Skyflow Raises $17.5 Million Series A for Data Privacy API (BusinessWire) Skyflow today announced a $17.5 million Series A to drive growth of its data privacy vault. The round, led by Canvas Ventures, brings the total amount
Northrop Grumman to Sell Federal IT and Mission Support Business to Veritas Capital for $3.4 Billion (Northrop Grumman Newsroom) Northrop Grumman Corporation (NYSE: NOC) and Veritas Capital, today announced that Peraton, an affiliate of Veritas, has signed a definitive agreement to acquire Northrop Grumman’s federal IT and mission support...
Raytheon Technologies Board of Directors Authorizes $5 Billion Share Repurchase Program (PR Newswire) Raytheon Technologies' (NYSE: RTX) Board of Directors authorized today the repurchase of up to $5 billion of the company's outstanding common...
Cisco reveals San Jose layoffs months after announcing $1B in cost cuts (Silicon Valley Business Journal) The networking giant announced plans for $1 billion in cost cuts in August. The hammer has apparently dropped on details of how many employees are affected.
Is Huawei leaving its US customers high and dry? (Light Reading) Some companies have suggested that Huawei is no longer supporting its existing US customers amid government actions against the Chinese vendor. But others say that's not true.
Cybersecurity & Privacy Group Of The Year: DiCello Levitt (Law360) DiCello Levitt Gutzler LLC helped consumers impacted by Equifax's massive data breach secure a deal that requires the credit reporting giant to shell out more than $1 billion and scored a ruling that kept alive multidistrict litigation over a cyberattack at hotel chain Marriott, earning it a spot among Law360's 2020 Cybersecurity & Privacy Practice Groups of the Year.
Sumo Logic Expands Board of Directors with Addition of Industry Go-To-Market Veteran Tracey Newell (StreetInsider) Sumo Logic (Nasdaq: SUMO), the pioneer in...
Allegion Announces Tim Eckersley as Leader of Allegion International (BusinessWire) Allegion plc (NYSE: ALLE), a leading global security products and solutions provider, today announced the appointment of Tim Eckersley as senior vice
SlashNext Appoints Veteran Technology Sales Executive Robert Amaral as CRO (iCrowdNewswire)
Products, Services, and Solutions
Belgium Federal Public Service of Foreign Affairs Transforms Global ICT Environment With Orange Business Services (BusinessWire) The Belgian Federal Public Service of Foreign Affairs (FPS FA) has signed a new agreement with Orange Business Services to transform its global commun
BlackBerry Spark Suite and Android 11 – Security, Privacy and Productivity (BlackBerry) BlackBerry Spark® Suite® is proud to be recognized as an Android™ Enterprise Recommended solution. BlackBerry and Android customers benefit from a partnership that provides a versatile and secure platform for enterprise mobility.
IBM Works With Port of Los Angeles to Help Secure Maritime Supply Chain (PR Newswire) IBM (NYSE: IBM) Security announced a new agreement with the Port of Los Angeles to design and operate a Port Cyber Resilience Center (CRC)....
StackHawk Brings Application Security to Developers with New Free Plan (PR Newswire) StackHawk announced today that it has introduced a free Developer Plan for its dynamic application security testing platform. The all-new free...
BICS selects Infradata and BroadForward to deliver Next Generation STP (PR Newswire) Infradata, a leading provider of state-of-the-art cyber security and cloud networking solutions and services, announced today they have...
Checkmarx Delivers Containerized AppSec Solution to DoD’s Platform One to Secure DevOps Initiatives (Checkmarx) Checkmarx, the global leader in software security solutions for DevOps, today announced that it has been accepted into the U.S. Department of Defense’s (DoD) “Iron Bank” repository and is now available through the U.S. Air Force Platform One application portal.
DT ASIA PTE LTD and Versasec Announce Strategic Partnership (Versasec) Versasec, a leader in credentials management systems (CMS), today announced it partnered with reseller DT ASIA PTE LTD, an IT security solutions provider, to assist with the growing demand for Versasec's award-winning security identity and access management solutions in the Asia-Pacific (APAC) region.
Stealthbits Helps Educators Thwart Hackers and Reduce Ransomware (PR Newswire) Stealthbits Technologies, Inc., a cybersecurity software leader that protects sensitive data and credentials from attackers, is giving...
Axis Security Delivers One Secure Access Solution for All Users and Applications (PR Newswire) Axis Security, the leader in Zero Trust Network Access, has expanded the capabilities of its Application Access Cloud to simply and securely...
ZeroNorth and ShiftLeft Integrate to Empower Developers to Improve Application Security at the Speed of DevOps (ZeroNorth) New integration helps make application security transparent and friction free for developers so they can deliver secure applications without disrupting DevOps workflows Boston, December 8, 2020 – ZeroNorth, the only company to unite security, DevOps and the business for the good of software, today announced support for ShiftLeft’s NextGen Static Analysis (NG SAST), a modern …
Technologies, Techniques, and Standards
Google Launches XS-Leaks Vulnerability Knowledge Base (SecurityWeek) Google this week announced the launch of a knowledge base with information on a class of vulnerabilities referred to as cross-site leaks, or XS-Leaks
How Can Manufacturers Stop Damaging Cyber Attacks? (IndustryWeek) Privileged access security might be the route to addressing manufacturing's current cyber attack trend.
Interview: Forcepoint explains how to better respond to data risk (ITBrief) What is the current state of play in terms of data risk from both a broad business perspective and specialist SOCs/security teams?
Banks need to hire chief risk officers to deal with cybercrimes: Deloitte (Business Standard) The banking industry needs to upgrade its IT infrastructure and appoint experienced chief risk officers to effectively deal with incidence of cybercrimes, says a report by Deloitte India
In Battle Against Hackers, Companies Try to Deceive the Deceivers (Wall Street Journal) The idea is to convince the attackers they have been successful, so that they will then reveal their methods.
Why Companies Should Stop Scaring Employees About Cybersecurity (Wall Street Journal) If they want workers to be more vigilant, fear doesn’t work. Fortunately, there are alternatives.
Academia
Malwarebytes Finds Schools and Students Vastly Underprepared for Pandemic Cybersecurity (Malwarebytes Press Center) Malwarebytes announces the results of their latest report, “Lessons learned: How education coped in the shift to distance learning,” detailing the state of cybersecurity in education during the COVID-19 pandemic.
Hume Center, Diplomacy Lab to support future student opportunities with the U.S. Department of State (VT News) The Ted and Karyn Hume Center for National Security and Technology collaborates with Virginia Tech's Diplomacy Lab to fund mentorship and increase the amount of students able to present National Security related research to State Department officials in a post-COVID-19 setting.
Legislation, Policy, and Regulation
UPDATE 1-Finland approves law to ban telecoms gear on security grounds (Reuters) Finland's parliament on Monday approved a law that would allow authorities to ban the use of telecom network equipment when they have "serious grounds for suspecting that the use of the device endangers national security or national defense".
Home of Nokia Passes 5G Security Law Banning Suspect Gear (Bloomberg) The home of 5G network-maker Nokia Oyj is introducing a telecommunications law which may be used to exclude China’s Huawei Technologies Co. and ZTE Corp. from its networks.
US expands list of ‘Communist Chinese military companies' (Janes.com) The US Department of Defense (DoD) has identified four additional Chinese corporations that it claims have links to China’s military. The companies’ inclusion on the...
Techno-nationalism isn't going to solve our cyber vulnerability problem (Help Net Security) Techno-nationalism is fueled by a complex web of justified economic, political and national security concerns, according to Darktrace.
House poised to pass defense bill under threat of Trump’s veto (Washington Post) The House is poised to pass the annual defense authorization bill Tuesday, throwing down the first of two gauntlets before President Trump, who has threatened repeatedly to scuttle the $741 billion legislation.
Congress prepares to move on NDAA, which is loaded with cyber provisions (CyberScoop) Congress this week is slated to pass what just might be the most significant cybersecurity legislation ever.
The Cybersecurity 202: Securing the electric grid should be priority for Biden's first 100 days, expert says (Washington Post) The Energy Department announced this month the creation of a subcommittee dedicated to finding a new approach to tackle the growing threats to America's electrical grid. One of its first tasks: Coming up with a plan for President-elect Joe Biden's first 100 days.
The NDAA’s National Cyber Director: Justifications, Authorities and Lingering Questions (Lawfare) We may soon have a national cyber director. What problems is this office meant to address, what authorities will it have and what questions will remain?
Krebs: U.S. Needs To Do More On Vaccine Disinformation (KURV) Chris Krebs believes the United States needs to do much more to counter coronavirus vaccine disinformation.
The Expanded Private Right of Action under the CPRA (JD Supra) On November 3, 2020, Californians voted to pass Proposition 24, expanding and modifying the California Consumer Privacy Act (“CCPA”), which came into...
Litigation, Investigation, and Law Enforcement
Leading Mexican journalist targeted by Israeli NSO's spyware, global investigation reveals (Haaretz) Despite repeated scandals, the global cyber-surveillance industry continues to supply Mexico with more and more invasive technologies. Multiple journalists have been targeted by these tools, including by NSO's Pegasus
'It's a free-for-all': how hi-tech spyware ends up in the hands of Mexico's cartels (the Guardian) Mexico has become a major importer of spying kit but officials are accused of colluding with criminal groups – and innocent individuals are often targeted
Florida police raid house of fired data scientist who alleged state manipulated covid-19 stats (Washington Post) Florida police officers with guns drawn raided the home of an ousted health department data scientist Monday morning, searching for the former agency employee’s most powerful tools: her computer, her phone and other hardware that supports the coronavirus website she set up after accusing the state of manipulating its official numbers.
11th Circ. Won't Let Reality Winner Out Of Jail For Pandemic (Law360) The Eleventh Circuit on Monday denied Reality Leigh Winner's bid for home release due to COVID-19, finding a Georgia federal court did not abuse its discretion when it decided not to reduce the former defense contractor's sentence for leaking a report on Russian interference in U.S. elections.
Italy Says Two Arrested for Defense Data Theft (SecurityWeek) Two people have been arrested for stealing defense data from the Italian aerospace and electronics group Leonardo, the interior ministry said Dec. 5, 2020.
Russian Sentenced to French Prison for Bitcoin Laundering (SecurityWeek) Russian bitcoin expert Alexander Vinnik was sentenced in Paris to five years in prison for money laundering and ordered to pay 100,000 in fines in a case of suspected cryptocurrency fraud.
DOJ Crypto Framework Signals Escalating Enforcement (Law360) The U.S. Department of Justice’s recently released cryptocurrency enforcement framework provides a thorough overview of relevant law and regulations, ongoing challenges, and future strategies, but above all it puts the industry on notice that enforcement activity in this space will increase, says Daniel Stabile at Shutts & Bowen.
U.S. Diplomats and Spies Likely Targeted by Radio Frequency Energy, Long-Withheld Report Determines (Foreign Policy) A scientific study that was long kept under wraps by the State Department finally provides some—though not all—of the answers to mysterious health problems of…
Students Sue Snapchat For Faulty Violence Threat Response (Law360) A pair of college students on the receiving end of a string of violent threats sent via Snapchat filed suit in Pennsylvania state court on Friday alleging that the popular messaging app was defectively designed to protect users who engage in harassing behavior.
South Korea investigates Netflix for customer data breach (Telecompaper) Netflix Korea is facing a government investigation...