Foreign-Backed Hackers Breached Port of Houston's Computer Networks

Apple fixes zero-day flaw used to hack iPhones and Macs, Microsoft flaw that exposes plaintext credentials discovered, Apps still tracking users on iPhones using fingerprinting, much more

A Coast Guard analysis showed that suspected foreign government-backed hackers last month breached a computer network as part of a broader espionage operation at the Port of Houston. Early detection of the incident stopped the bad actors from disrupting shipping operations.

CISA head Jen Easterly told the Senate Homeland Security and Governmental Affairs Committee during a hearing that she believed a foreign government-backed hacking group was responsible. The intrusion was part of a campaign to exploit Zoho’s ManageEngine ADSelfService Plus that CISA warned about last week. Although the campaign aligns with activity by Chinese APT actors, no security researchers have attributed it to them. (Sean Lyngaas / CNN)

Related: TribLIVE, Slashdot, Associated Press Technology, The Independent, The Hill, The Record

Apple released security updates to fix a zero-day vulnerability (tracked as CVE-2021-30869) exploited in the wild by attackers to hack into iPhones and Macs running older iOS and macOS versions.

The flaw was found in the XNU operating system kernel by Erye Hernandez and Clément Lecigne of Google Threat Analysis Group, and Ian Beer of Google Project Zero. Apple also backported security updates for two previously patched zero-days, one of them reported by The Citizen Lab and used to deploy NSO Pegasus spyware on hacked devices. (Sergiu Gatlan / Bleeping Computer)

Related: Bleeping Computer, iPhone Hacks, MacRumors, BGR, Macworld, AppleInsider, Tom's Guide, Ubergizmo, Security Week, The Mac Security Blog, US-CERT Current Activity, ZDNet Security, Dark Reading, Security Affairs, MSPoweruser
Reddit - cybersecurity, Reddit - cybersecurity, BGR, Security Week

Security researcher Amit Serper of Guardicore discovered a severe flaw in Microsoft's autodiscover that allows attackers who purchase domains named "autodiscover" such as autodiscover.com, or autodiscover.co.uk to intercept the clear-text account credentials of users who are having network difficulty or whose admins incorrectly configured DNS.

In the four months or so that Guardicore purchased these domains and tested them, it collected 96,671 unique sets of email usernames and passwords in cleartext. The flaw has not been patched and Microsoft and the only mitigation strategy available is to refuse DNS requests for Autodiscover domains. (Jim Salter / Ars Technica)

Related: The Hacker News, Malwarebytes Labs, The Hacker News, Security Intelligence, SearchSecurity, Naked Security, Dark Reading, Security Affairs, Guardicore, Microsoft

National Cyber Director Chris Inglis and CISA chief Jen Easterly told the Senate Homeland Security and Governmental Affairs Committee they support legislation moving through Congress that require critical infrastructure owners and operators, federal contractors, and agencies to report attacks to CISA within 24 hours of detection.

“The earlier that CISA, the federal lead for asset response, receives information about a cyber incident, the faster we can conduct urgent analysis and share information to protect other potential victims,” CISA Director Jen Easterly told the panel. (Tim Starks / Cyberscoop)

Related: Federal News Network, Business Insider, Bloomberg, IT Pro, The Record by Recorded Future, FCW, The Hill: Cybersecurity

Researchers at privacy software makers Lockdown discovered that despite Apple’s introduction of an “Ask App Not to Track” feature in April that is supposed to stop apps from tracking what users do on other apps and the internet, some apps continue to track this activity anyway. They engage in this tracking in various forms, including via “fingerprinting,” which Apple says has long been against its rules.

Fingerprinting takes technical information from a user’s iPhone, such as the volume, battery level, and IP address, and creates a unique profile that can identify a user. Lockdown tested three different gaming apps and discovered that even though they asked the apps not to track, they sent ultra-specific characteristics of the test iPhone to an ad company called Vungle. (Geoffrey A. Fowler and Tatum Hunter / The WashingtonPost)

Related: 9to5Mac, Input, Lockdown

Follow Us on Twitter

According to French security agencies, the phones of five French cabinet ministers bore traces of NSO’s powerful Pegasus spyware underscoring the degree to which the espionage malware has penetrated the top reaches of a powerful democracy.

The cabinet ministers’ phone numbers appeared on a list of more than 50,000 phone numbers that a consortium of 17 media organizations, including The Washington Post, used to investigate potential misuse of the spyware as part of the Pegasus Project. (Michael Birnbaum / The Washington Post)

Related: The Guardian, The Wire

A security researcher who uses the pseudonym of Illusion of Chaos published details on a Russian blogging platform Habr and released proof-of-concept code on GitHub about three iOS zero day vulnerabilities, claiming that Apple has failed to patch the issues, which they first reported to the company earlier this year.

One of the zero days is a vulnerability in the Gamed daemon that can grant access to user data such as AppleID emails, names, auth token, and grant file system access. PoC. One is a vulnerability in the nehelper daemon that can be used from within an app to learn what other apps are installed on a device. The third is a flaw in the nehelper daemon that can also be used from within an app to gain access to a device’s WiFi information. (Catalin Cimpanu / The Record)

Related: Habr

According to a letter by Senator Ron Wyden (D-OR) sent to Federal Chief Information Officer Clare Martorana, the NSA, CIA, and other agencies in the U.S. Intelligence Community (IC) use ad blockers because malicious ads can sometimes hack their devices or harvest sensitive information on them.

"The IC has implemented network-based ad-blocking technologies and uses information from several layers, including Domain Name System information, to block unwanted and malicious advertising content," the CIO recently told Wyden's office, according to the letter. (Joseph Cox / Motherboard)

Twitter avatar for @NSA_CSDirectorRob Joyce @NSA_CSDirector
NSA cybersecurity best practices do indeed recommend utilizing ad blocking. Read more from NSA on blocking unnecessary advertising here:
media.defense.gov/2019/Jul/16/20…

Joseph Cox @josephfcox

New: the online advertising ecosystem is so bad—with risk of hackers and harvesting data on people—that U.S. intelligence community has deployed network-based ad blockers, according to letter sent by Congress. Shows just how malicious online advertising is https://t.co/WgXFM4Uxla

Cisco patched three critical vulnerabilities affecting components in its IOS XE internetworking operating system powering routers and wireless controllers, or products running with a specific configuration, including a vulnerability that could be exploited remotely by an unauthenticated attacker to run arbitrary code with root privileges.

That flaw is in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers. It affects Catalyst 9800 Series Wireless Controllers and Embedded Wireless Controller on Catalyst Access Points. (Ionut Ilascu / Bleeping Computer)

Related: The Hacker News

In a rare finding of cybercrime against Russian targets, researchers at Malwarebytes report that Russian organizations, including a major defense contractor, were targeted in a suspected cyber-espionage operation that is abusing a recently disclosed vulnerability in the old Internet Explorer MHTML.

That flaw can be exploited to use Office files to run malicious code on unpatched Windows systems and install malware. The researchers identified one of the targets as JSC GREC Makeyev, a known developer of liquid and solid fuel for Russia’s ballistic missiles and space rocket program. (Catalin Cimpanu / The Record)

Related: Malwarebytes

Lawyers representing an El Cajon, CA cancer patient filed legal action this week in San Diego against UC San Diego Health over a data breach last winter that potentially exposed sensitive information from nearly a half-million patients.

The suit alleges negligence, breach of contract, and violation of California consumer privacy and medical confidentiality laws. It seeks class-action status and unspecified damages for all individuals whose personal and medical information may have been compromised. (Mike Freeman / San Diego Union-Tribune)

Related: Law360

Internet of things (IoT) security and observability startup Sternum announced that it raised $27 million in a Series B financing round.

Spark Capital led the round with participation from Square Peg Capital, the Hinrich Foundation, Btov, and others. (Kyle Wiggers / Venture Beat)

Related: Business Wire, FinSMEs

Security risk management software company Panorays raised $42 million in a Series B funding round.

Greenfield Partners led the round with participation from Aleph and Oak HC/FT, as well as new investors BlueRed Partners, Greenspring Associates, and Moneta VC. (Kyle Wiggers / Venture Beat)

Related: Globe News Wire, Dark Reading, Silicon Angle, Pitch Book

Portugal’s Jscrambler, which makes products to protect against web data exfiltration, raised $15 million in a Series A funding round.

The round was led by Ace Capital Partners and backed by existing investors Sonae IM and Portugal Ventures. (Carly Page / TechCrunch)

Related: Business Wire, Private Equity Wire, Help Net Security

Photo by Jerome Monta on Unsplash