From a cyberattack on Barnes & Noble to Zoom rolling out end-to-end encryption, Threatpost editors break down the top security stories of the week.
The Threatpost editors break down the top security stories of the week ended Oct. 16, including:
- Patch Tuesday insanity, with Microsoft and Adobe releasing fixes for severe vulnerabilities – including a critical, potentially wormable remote code execution bug known as the “Ping of Death”
- Barnes and Noble being hacked – and why some readers are unhappy with how the book purveyor announced the cyberattack
- DDoS extortion email threats hitting various companies across the globe – including Travelex
- Zoom finally rolling out end-to-end encryption on the video conferencing platform – and why this is different than the collaboration giant’s earlier “full encryption” claims
Below find a lightly edited transcript of the podcast.
Lindsey O’Donnell-Welch: Welcome back to the Threatpost news wrap podcast. This is Lindsey O’Donnell Welch with Threatpost and I am joined by Tara Seals, withThreatpost to break down the top news from the week ended October 16. Tara, how was your week?
Tara Seals: Oh, pretty good, Lindsey. It was super busy as things in cybersecurity usually are. But this week was a little busier than most with Patch Tuesday and everything.
LO: Yeah, we had a ton of news coming out of Patch Tuesday, whether it was Adobe Flash flaws that were being patched or Microsoft’s Patch Tuesday security updates. And I know there was a fair amount that came out from the Microsoft standpoint, which you covered, Tara, what were you finding there?
TS: So it was an interesting Patch Tuesday, because it had fewer than 100 CVEs this month, which that was the first time in seven months that has happened. So that was sort of exciting I think for IT administrators everywhere, not to have to worry so much about so many. But there are also a couple of notable bugs; well, first of all, there were six bugs that were listed that had been previously disclosed in some way, shape or form, but didn’t have patches. And so those obviously are of concern. And there’s already a few proof-of-concept exploits for those that are laying around. And they [Microsoft] don’t always have previously disclosed bugs that they have to fix. So that was pretty notable that they had six of them.
And then there were a couple of critical bags that really stood out to most of the researchers that I talked to. One of which they’re calling the “ping of death,” which I think is kind of hilarious, but it’s accurate. It’s basically a bug in Outlook, Microsoft Outlook, and it can be triggered, essentially, just by sending an email to someone. And because the attack vector is the Preview Pane, which is the default view – Outlook users everywhere will be familiar with us, when you receive an email, it just pops up in this Preview Pane that you can see – and so this particular bug, in order to be exploited, somebody can just send an email, it pops up in the Preview Pane, and then [the exploit] becomes triggered. And it allows attackers to execute remote code. So obviously, it’s concerning. And it’s also extremely exploitable and trivial to to carry out.
LO: Right. Well, it definitely seemed like there were a ton of Microsoft bugs to come out this week. But as you mentioned, less than what we usually see. And that was the same with Adobe. I mean, I think in previous months, Adobe has had way more than the one flaw that it patched this week. So not sure what’s the reasoning behind that. But as you said, it’s always less of a headache for system admins to have to deal with.
TS: Yeah, for sure. Well, and I think especially given the fact that we’ve had so much Zerologon news, that horrible bug that security teams are rushing to patch even as everybody from nation-state actors to financially motivated people in their basement are looking to exploit it. So, you know, I think it’s it’s probably good to not add too much insult to injury this month.
LO: Right. Companies have so much on their plates already in terms of like ongoing hacks and cyberattacks. For instance, you just on Thursday covered a newly announced Barnes and Noble hack, which as someone who shopped at Barnes and Noble a lot I love to read that was not great to read about.
TS: Yeah, that story’s a little bit crazy. So we also got the email notice. And it came in the wee hours of the morning. I think my husband’s arrived at like, 1:30 or something in the morning, Thursday morning, so they kind of sent this out under cover of darkness, which I’m sure they want to minimize the publicity around it, but that’s not going to happen because it’s Barnes and Noble.
So the issue is that, what was really interesting about this, is that nobody knows, they haven’t confirmed yet, what kind of cyberattack. Only that there was one. But over the weekend, the Nook e-book reader – which my mom has one of those and they’re kind of awesome – but the syncing feature for that went down and there was this outage that continued and it just kind of trended on a low level, nobody really knew what was going on. And that stretched across the week. And then they come out Thursday, well Wednesday night into Thursday morning, saying that there had been a cyberattack.
So people started putting two and two together, thinking, “hmm, perhaps this might be a ransomware attack.” Again, unconfirmed, but I’m sure we’ll get more details. Sme of the systems that were impacted by this contained a lot of personal shopper information. Fortunately, not financial data, but definitely things like purchase histories, the lists of books that people have bought in the past, along with their email, telephone numbers and other personal information like that, that basically it would be a dream for a phisher to mount some scam emails that are personalized and very convincing.
LO: Right? Yeah, I was gonna ask, I mean, if an attacker has the fact that someone reads, you know, say, Stephen King novels and their email address, what kind of phishing lures could potentially be strung together from this? I’m sure that there’s plenty of different avenues that cyber criminals could could go there.
TS: Oh, definitely. I mean, can you imagine, especially, you know, around Halloween and the Stephen King reference, I mean, you could basically say, “Hey, I know that you just bought Doctor Sleep. So you might be interested, here’s some other recommendations.” And they could use some Barnes and Noble graphics and make it very convincing and look like, “because you read this, you might like this, click here to order” and then they can harvest all the information.
LO: Right, they didn’t yet confirm that the data was actually stolen but I’m sure that this could definitely be serious if it had been.
TS: Well, right. And that brings up another issue around this incident, the fact that they don’t know if the data is stolen, what kind of IT staff do they have working over there? It’s a [almost] Fortune 500 company. It’s mystifying to me, the amount of information they don’t appear to actually know. And also, the financial data was all encrypted, which is good. So the credit cards, payment cards are all tokenized. And they said they could not really be lifted. But the personal information, I mean, what was it, just left out there in plain text in the database somewhere? I actually emailed them to ask about some of these details. So hopefully, they’ll get back to me, and I’ll be able to do a follow-up story. Because it really is concerning that the IT staff a), doesn’t appear to know what happened. And b), they were not protecting customer data in the way that most people would assume that they would be.
LO: I know that other readers had kind of taken to Twitter, as you had mentioned in your article, to air their complaints about, as you said, the late night email notice – it does seem a little skeevy.
TS: Yeah. It was a little bit like, “oh nothing to see here. Maybe you’ll miss this because it came in at 1:30 in the morning.”
LO: Yeah, exactly.
TS: And also it was kind of funny, because some of the people on Twitter too, are saying, what are cybercriminals going do with my reading list? So I think it’s really important to stress to people that, you know, they can do quite a lot with a reading list as seen in our Stephen King example. It’s important to keep in mind for sure.
LO: Right, right. It’s just another piece of information that can be used for a lure for spear phishing, or phishing attacks. So that’s definitely important to note.
Well looking at some of the other big stories from this week, one that really stuck out to me that I wrote about was a new research article on how companies have continued to receive these extortion emails that are threatening to launch a DDoS attack on their network unless they pay up. So this is part of this overarching DDoS extortion campaign that’s been going on since August. But I guess the campaign started in mid-August and has ramped up at the end of September and the start of October. So it’s really been on the increase as of recently. And what was the kind of the big news there is that Travelex, the British Foreign Exchange company, was reportedly one of their recent high-profile threat recipients of this type of campaign.
TS: Yeah, for sure. Well, and I mean, I think it’s really interesting too, that this is just another sort of – I mean, I don’t want to say ransomware because it’s not ransomware – but, you know, the extortion attempts, the ransom attempts, obviously it’s worked from the encryption malware standpoint. So now they’re shifting to trying different tactics to extort companies, you know, with their data. And I think that’s really, really fascinating. Just another way to make systems inaccessible, right?
LO: I think the key difference is that ransomware attacks have already happened. Whereas in this case, organizations, the attackers are going to organizations and saying, if you don’t pay up, we’re going to launch this attack in the future. So it makes you wonder if this is a little less serious, or maybe impactful in that organizations have that opportunity to harden their security. However, I did talk to researchers with Radware. And they were telling me that these threats aren’t hoaxes. And the actors have followed up with attacks. So that makes it all the more critical to make sure that companies have the right security measures in place.
There were also a couple of interesting things that stuck out to me about this campaign. And first of all, the first one was that attackers were claiming that if victims don’t pay up, I think it was, you know, the equivalent of $230,000 in Bitcoin, then they would have the ability to launch an attack, that would peak at 2 terabytes per second. And that’s a massive claim. I mean, just to give some context there, I believe the largest volumetric, DDoS attack on record, as of February, at least, was on an Amazon Web Services client. And that reached the levels of 2.3 terabytes per second. So I mean, that’s that’s a pretty massive claim. And another thing to know is that there’s no evidence that the claims that the cyber criminals are making about this level of volumetric attack are true. Researchers with Radware told me they hadn’t observed the two terabyte per second attack threatened in the letter in the report, however, orgs have seen attacks ranging up to 300 gigabytes per second, that combined multiple attack vectors, so the threat is there, but it might not be at the same level that they are claiming they can reach.
TS: That’s fascinating, actually, because you don’t know. Do you want to test those waters? Are you gonna call the bluff? And even if it’s not even that large of an attack, if it still takes out your systems, who cares [how big it is]? I wonder if part of that claim and boasting has anything to do with the fact that they’re trying to pose as these advanced threat groups, these APTs that are known to be extremely well-resourced. You know, they’re masquerading as groups like Fancy Bear and Lazarus. So maybe they’re trying to claim that they have the same types of capabilities that those groups have.
LO: I think they are trying to pretend to be these APT groups, and really try to kind of play into the emotions there of different companies in different sectors. For instance, I think it was depending on the vertical, they would have a preference of different APT. So you know, when they were targeting financial orgs, they were purporting to be Lazarus group. So I think they’re really trying to play into that fear factor there.
And another method that they use as well is that they threatened to up their ransom by 10 bitcoins for each day that it’s not paid. And they don’t have any other way for the victims to reach out to them, other than the Bitcoin address to send the payments too so there’s no, there’s no way to respond to them or try to negotiate. I mean, the threats just there. I think that there is kind of a level of fear there that companies will probably have when they get these types of threats. And I mean, these attacks, DDoS attacks can be pretty damaging for companies. I remember, I think it was in 2016 the DDoS attack of DYN that disrupted the internet. And you know, I’ll never forget trying to get onto Netflix that morning and being frustrated that I was down. So I think these do have kind of a real world effect.
TS: Oh, yeah, for sure that attack was absolutely insane. And, yeah, let’s hope that this doesn’t snowball into something that becomes as endemic as ransomware attempts. It’s pretty frightening for businesses today, I think.
LO: Yeah. And I mean, this has also been going on, I was kind of doing some research into DDoS extortion attacks, and I mean, this has been going on for many, many years, too. It’s not that new, even back in 2015, the FBI was saying it saw an increase in the number of companies being targeted by these types of scammers who are threatening to launch these attacks if they don’t pay a ransom. So I think that what this shows is that attackers are still upping their game and changing up their tactics and innovating to find new ways to target companies. And I think it’s working as we saw with Travelex, which, by the way, which has had some bad juju with security this past year.
TS: Yeah, that’s the last thing they need for sure. Okay, well, Lindsey, the other thing that you covered this week that really stood out to me – when I saw it I was like, aha, finally – was Zoom finally debuting their end to end encryption service. What,s that all about? How’s the rollout going to progress?
LO: Yeah, so I believe it was yet or Wednesday when Zoom announced is rolling out a technical preview for its end to end encryption into its platform. So what that means is, it’s going to have four phases of the rollout. And the first one will be mainly to solicit feedback from users during the first 30 days, so they can kind of roll it out and flush out any any issues and try to stomp out any, any problems there. And what’s interesting here, too, is that kind of the background here with Zoom and end to end encryption. It’s faced plenty of issues around its encryption policies, including the fact that there was a lot of backlash around Zoom, telling users that it offered full encryption as a marketing term. That received a lot of backlash from kind of privacy and security experts who said that there’s a distinction between encryption and end to end encryption. And then there was another incident in May when Zoom announced it would actually offer end to end encryption but only to paid users, which as you can imagine, also garnered plenty of controversy from privacy advocates who were saying that security measures should be free to all, so it definitely has had its fair share of issues around encryption leading up to this.
TS: Yeah. And that’s kind of interesting, because I went to a roundtable discussion that had the CISO for Zoom on there, a couple weeks ago, and I actually asked him what the plans were for this and whether or not his company is still wrestling with some of the backlash effects from not only the encryption debacle, but also just all the other problems. And, he dodged the question, which was somewhat understandable. I mean, they didn’t want to open the kimono, so to speak, on their plans before they were ready to pull the trigger, which I totally get. But, you know, he did say that they’ve had some growing pains, and they absolutely were not prepared for the spike in usage around the pandemic. And so yeah, that’s kind of it’s kind of interesting. I mean, this is like watching growing pains in action. But hopefully this rollout will go well. And I know a lot of people that use Zoom for business, especially I’ve got some medical-professional people in my circle, doctors and whatnot, that use it all the time. And I always I always kind of cringe like, are you sure you want to use Zoom, but maybe with this, everything will be a little bit more secure. And people can rest a little easier when they use that service.
LO: Yeah, you have to give Zoom some credit here for actually going ahead and rolling this out. And I will say, despite all the security issues that they’ve had – and they have had plenty since the pandemic started – I think they have been doing a good job of kind of stepping up to the plate and trying to address these different issues. And, they acquired Keybase, to kind of bolster their encryption there and are now kind of rolling this out. So I think there is two things to note that I thought was important for Zoom users to think about, first of all, this isn’t on by default, so users will need to turn the feature on manually. And then the second thing is that there is an enabling the feature might disable certain other features in Zoom. And I just thought that was kind of interesting to note, but some of the other features that might be disabled are the ability to join before the host and cloud recording and streaming and live transcription, breakout rooms, etc, etc. So just kind of two small tidbits there to keep in mind for Zoom users.
TS: Yeah, it’s kind of interesting how taking things offline from Zoom servers, taking the communication sort of away from flowing through the Zoom servers, impacts technically, from a technology perspective, all these other types of bells and whistles, so people will have to make a value judgment, I guess, or a risk assessment and figure out what they like more. You know: private chats or encryption.
LO: Well, yeah, so that rolls out next week. So we will be keeping an eye on the the launch there. And hopefully that rollout goes well. But, Tara, I think we, we have reached the end of the news wrap here. So thanks for coming on to talk about the biggest cybersecurity news stories of the week.
TS: Yeah, for sure. Thanks for having me, Lindsay, as always, and I hope you have a good weekend and catch you next week.
LO: You as well and that to all of our listeners. Thanks for tuning in to the Threatpost news wrap. If you liked what you heard today, feel free to leave a comment or question about anything that we covered today on our Twitter page, which is @threatpost. Thank you so much, and have a great weekend.