Feds Dig Into Third Supply Chain Hack of the Year With Pulse Connect Secure VPN's Flaws

Experian fixes flaw exposing Americans' credit scores, Microsoft finds 25 flaws affecting IoT and industrial gear, IRS wants to hack into crypto wallet, Hackers exploited SonicWall zero-day, more

Don’t miss out on our special offers and content exclusive to our premium subscribers. Subscribe today!

For at least the third time since the beginning of the year, the U.S. government is investigating a supply chain hack, this time the breach of Pulse Connect Secure’s VPN product, which is used by more than a dozen federal agencies that run Pulse Secure on their networks.

After an emergency cybersecurity directive last week which demanded that agencies scan their systems for related compromises and report back, evidence of potential breaches in at least five federal civilian agencies showed up, according to Matt Hartman, a senior official with the U.S. Cybersecurity Infrastructure Security Agency. Pulse Connect Secure said it expects to issue a patch for this problem on Monday. (Christopher Bing, Joseph Menn / Reuters)

Related: iTnews - SecurityCPO MagazineThe Register - Security

Experian just fixed a flaw with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address. The flaw was discovered by Bill Demirkapi, an independent security researcher who’s currently a sophomore at the Rochester Institute of Technology.

Demirkapi fears that despite the fix, Experian won’t conduct a more thorough examination of similar leaky APIs used by its other vendors. (Brian Krebs / Krebs on Security)

Related: ThreatpostDark Reading: Vulnerabilities / Threats, Reddit - cybersecurityDataBreachToday.com

Microsoft’s Section 52, the Azure Defender for IoT security research group, has discovered 25 vulnerabilities called BadAlloc, impacting a broad spectrum of smart IoT devices and industrial equipment.

“The vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations,” according to the team. According to CISA, only 15 of the 25 impacted organizations have released security updates to patch the BadAlloc vulnerabilities. (Catalin Cimpanu / The Record)

Related: AndroidHeadlines.comTech InsiderSecurityWeekTechNet BlogsMicrosoft Security Response CenterDark Reading

Give a gift subscription

According to a document posted on the agency’s website, the IRS is looking for contractors to come up with solutions to hack into crypto wallets that could be of interest in investigations.

"The explicit outcome of this contract is to tame the cybersecurity research into measured, repeatable, consistent digital forensics processes that can be trained and followed in a digital forensics laboratory," the document says.  (Lorenzo Franceschi-Bicchierai / Motherboard)

Related: The Mac ObserverSlashdot

FireEye researchers say that a hacking group they call UNC2447 exploited a SonicWall zero-day software flaw before a fix was available to deploy a previously unreported ransomware strain.

The researchers dubbed the malware used FiveHands, which bears similarities to another hacking tool, dubbed HelloKitty, used in a previous exploit against CD Projekt Red. (Tim Starks / Cyberscoop)

Related: CISO MAGNew York TimesSC MagazineThreat Research Blog

Taiwanese hardware vendor QNAP urged customers to immediately update their network-attached storage (NAS) devices to prevent the AgeLocker ransomware gang from getting a foothold on their systems and encrypting their files.

This advisory comes after last week QNAP warned of similar attacks against its NAS systems from the Qlocker and eCh0raix ransomware strains. (Catalin Cimpanu / The Record)

Related: The Register - SecurityBleeping Computer, QNAP

The National Security Agency sent a warning to defense contractors to reexamine the security of the connections between their operational technology and information technology in light of recent alleged Russian hacking.

“To prevent dangerous results from OT exploitation, OT operators and IT system administrators should ensure only the most imperative IT-OT connections are allowed, and that these are hardened to the greatest extent possible,” the NSA’s alert says. (Shannon Vavra / Cyberscoop)

Related: National Security Agency News

After just a few months in existence, the highly disruptive Babuk ransomware operators briefly posted a short message about their intention to quit the extortion business after having achieved their goal.

In a message titled "Hello World 2" on their leak site, the operators said they had achieved their goal and decided to shut down the operation but indicated they would also leave the source code for Babuk file-encrypting malware publicly available once they terminated the “project.” (Ionut Ilascu / Bleeping Computer)

Related: The Register - SecuritySC Magazine

Share Metacurity

Scammers target the gig workers of Shipt, Target's delivery platform, who have been hoping to steal their earnings by stealing their credentials.

These gig workers have reported that scammers have targeted them using phishing schemes that include spoofing Shipt's corporate phone numbers and asking for passwords over the phone. (Lauren Kaori Gurley / Motherboard)

Related: The Verge

The U.S. Justice Department announced that Eric Meiggs, a 23-year-old Massachusetts man, pleaded guilty to participating in a plan to steal social media account names and hundreds of thousands of dollars worth of bitcoin.

According to the DOJ, Meiggs and a team of associates used SIM swapping to steal more than $530,000 in cryptocurrency from 10 people. (Jeff Stone / Cyberscoop)

Related: DataBreachToday.com, Department of Justice, Newsweek

Cloud-based threat detection and response start-up Vectra AI raised $130 million in a new venture funding round.

The round was led by Blackstone Growth and was joined by Vectra AI’s existing investors. (Ingrid Lunden / TechCrunch)

Related: VentureBeat, Security Week, Vectra

Follow Us on Twitter

Chicago’s Inspector General Joe Ferguson’s office investigated Chicago’s contact tracing program, which an organization runs under contract with the city, and found the Chicago Department of Public Health “did not consistently remove terminated users’ access” to a system of tracking COVID-19 patients within seven days, which is a standard.

Fifty of the contract workers the city had hired to conduct contact tracing had been fired or resigned since last year. Yet, only eleven of those workers had their ability to access the track of COVID-19 patients removed from them. (Brett Chase / Chicago Sun-Times)

Related: WITF.org6ABCPhilly VoiceDataBreachToday.com

The Dutch Data Protection Authority has fined the eastern city of Enschede for tracking people using mobile phone Wi-Fi signals in a system used to measure crowds.

The watchdog said that Enschede used sensors to register Wi-Fi signals from phones to establish how busy it was in the city center.  The city’s municipality said it is appealing the ruling and 600,000-euro ($730,000) fine. (Associated Press)

Related: Malwarebytes LabsTech XploreYahoo! NewsThe IndependentCTVNews.caDataBreaches.net

Australian software security company Click Studios told customers not to post emails sent by the company about its data breach, which allowed malicious hackers to push a malicious update to its flagship enterprise password manager Passwordstate to steal customer passwords.

In an advisory posted to its website, Click Studios said that customers are “requested not to post Click Studios correspondence on Social Media.” (Zack Whittaker / TechCrunch)

Related: SC Magazine, ClickStudios

Photo by Hush Naidoo on Unsplash