White House Order Mandating Software Breach Notifications Could Come Next Week

CISA warns of two new Microsoft Exchange web shells, Google fails to mention that Western governments were behind eleven flaws it discovered, Security hole that allowed SMS rerouting plugged, more


A draft Biden administration executive order that could be released as early as next week would require many software vendors to notify their federal government customers when the companies have a cybersecurity breach. The disclosure requirement is intended to override non-disclosure agreements, which vendors have said limited information sharing, and allow officials to view more intrusions.

The order would require organizations to preserve more digital records and work with the FBI and the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, known as CISA, when responding to incidents.

The order would also include requiring multi-factor authentication and encryption of data inside federal agencies. It would impose additional rules on programs deemed critical, such as requiring a “software bill of materials” that spells out the supply chain. (Joseph Menn, Christopher Bing, Nandita Bose / Reuters)

Related: Dark Reading: Attacks/Breaches, Reuters, iTnews - Security, Silicon Angle

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) updated its guidance for dealing with the Microsoft Exchange server attacks to include two new Malware Analysis Reports (MARs).

Each of the reports identifies a web shell seen on compromised Microsoft Exchange servers. CISA also updated seven existing MARs to include YARA rules developed by CISA to help organizations detect the malware seen so far in these attacks. (Dark Reading)

Related: Tech Insider, TechTarget, Microsoft Security, CISA, Security Affairs

The OpenSSL project issued an advisory for two high-severity vulnerabilities, CVE-2021-3449 and CVE-2021-3450, hiding in OpenSSL products.

The first flaw can cause the server to crash if, during the course of renegotiation, the client sends a malicious ClientHello message. The second flaw is a Certificate Authority (CA) certificate validation bypass vulnerability that can cause OpenSSL instances to skip the check that non-CA certificates are not the issuers of other certificates. (Ax Sharma / Bleeping Computer)

Related: The Register - Security, Reddit-hacking, Security Affairs, Exploit One, Ars Technica

Paul Nakasone, the head of the U.S. National Security Agency and U.S. Cyber Command, said during a hearing by the Senate Committee on Armed Services that U.S. intel agencies have blind spots for detecting attacks on U.S. infrastructure.

Nakasone’s statement is consistent with the government's push to require private sector organizations to share more information with government agencies. Most recently, DHS’s Cybersecurity and Infrastructure Security Agency has been floated as the government arm that would serve as the repository for this information. (Adam Janofsky / The Record)

Related: Fifth Domain | Cyber, CBSNews.com, CNN.com, SecurityWeek, Breaking Defense, InsideDefense.com, The SIGNAL Blog, Defense Daily Network, The Mainichi, Cyberscoop, Nextgov, The Hill: Cybersecurity

Aerialink, a communications company that helps route text messages, said that all major U.S. carriers, including T-Mobile, AT&T, and Verizon, had made changes to how their text messages are routed to fix a security flaw that allowed outside companies to reroute text messages for nominal costs.

"Be aware that Verizon, T-Mobile, and AT&T have reclaimed overwritten text-enabled wireless numbers industry-wide. As a result, any Verizon, T-Mobile, or AT&T wireless numbers which had been text-enabled as BYON [bring your own number] no longer route messaging traffic through the Aerialink Gateway," the Aerialink statement read. (Joseph Cox / Motherboard)

Related: Aerialink

An “expert” hacking group that Google’s Project Zero and Threat Analysis Group teams discovered exploiting 11 powerful vulnerabilities to compromise devices running iOS, Android, and Windows turns out to be Western government operatives actively conducting a counterterrorism operation.

Google’s omission of this key detail in their public reports of the vulnerabilities has caused one security expert to criticize the report as a “dark hole.” (Patrick Howell O’Neill / Technology Review)

Related: Security Conversations

Researchers at Crowdstrike say that a previously unknown threat actor has targeted three victims in the transportation, consumer products, and manufacturing sectors with the Hades ransomware.

Hades ransomware has been linked to the Evil Corp cybercrime gang, which uses it to evade sanctions imposed by the Treasury Department's Office of Foreign Assets Control (OFAC). (Sergiu Gatlan / Bleeping Computer)

Related: DataBreachToday.com, Crowdstrike

Breach notification service HaveIBeenPwned reports that Carding Mafia, a forum for stealing and trading credit cards, has exposed almost 300,000 user accounts following a hack.

The breach, which happened last week, allegedly exposed the email addresses, IP addresses, usernames, and hashed passwords of 297,744 users. (Lorenzo Franceschi-Bicchierai / Motherboard)

Related: HaveIBeenPwned

Malicious hackers posted the personal and vehicle details of millions of Dutch car owners for sale on a well-known cybercrime forum following a data breach of RDC, a Dutch company that provides garage and maintenance services to Dutch car owners. The reported price of the data package is $35,000.

The stolen data include company and individual names, home addresses, email addresses, telephone numbers, and dates of birth, as well as vehicle registration numbers, car makes and models, and license plates. (Catalin Cimpanu / The Record)

Correction: An earlier version of this newsletter attributed the discovery of the threat actor deploying the Hades ransomware to Accenture. The item has been corrected to say Crowdstrike made the discovery.