Cyber Pulse: Edition 129 | 15 September 2020

Here is our cyber security news round-up of the week:

Zoom to improve security with 2FA

Video conferencing platform Zoom this week announced that all user accounts can now benefit from improved protection, courtesy of support for Two-Factor Authentication (2FA). With 2FA enabled on their accounts, users should be protected from security breaches, including those that originate from the Zoom platform itself, the company claims. For 2FA, Zoom supports authentication apps that use a Time-Based One-Time Password (TOTP) protocol (such as Google Authenticator, Microsoft Authenticator and FreeOTP), but can also deliver authentication codes via SMS or phone calls.

2FA, Zoom says, should: deliver improved security to all organisations using its platform by reducing the risk of identity theft and breaches; ensure compliance when the security of sensitive data and customer information is involved; and reduce costs associated with the use of a Single Sign On (SSO) service. The new layer of security can prevent bad actors from compromising accounts by simply guessing passwords, and should also make password management an easier task, the video conferencing platform says. The company says:

“Zoom offers a range of authentication methods such as SAML, OAuth, and/or password-based authentication, which can be individually enabled or disabled for an account."

Major industrial control system (ICS) vendor release security advisories

A major industrial control system (ICS) vendor released security advisory in response to the recently disclosed vulnerabilities affecting the CodeMeter licensing and DRM solution made by Germany-based Wibu-Systems. CodeMeter provides license management capabilities and it’s designed to protect software against piracy and reverse engineering. It’s used for a wide range of applications, including various types of industrial products. Industrial cybersecurity firm Claroty reported earlier this week that CodeMeter is affected by six critical and high-severity vulnerabilities that can be exploited to launch attacks against industrial systems, including to deliver malware and exploits, and shut down devices or processes. The company’s researchers showed how an attacker can launch attacks by setting up a malicious website and luring targeted users to it, or by creating their own CodeMeter API and client and sending commands to devices running CodeMeter.

macOS malware variant in the wild

Researchers have discovered a new Shlayer macOS malware variant which obfuscates itself to sneak past security tools and compromise a target machine. Dubbed ‘ZShlayer’, the variant does not conform to the original Shlayer signatures, meaning that it can go unnoticed by some malware scanners. Notably, ZShlayer heavily obfuscates Zsh scripts to disguise itself. Earlier versions of the original Shlayer malware came as shell script executables on a removable .DMG disk image. This new variant comes using a standard Apple application bundle inside the .DMG.

A blog post from Phil Stokes, threat researcher at SentinelOne, who discovered the strain, reads: “Although bypassing Apple’s Notarization checks is obviously a headline grabber, this new variant of Shlayer utilizes heavily obfuscated Zsh scripts and is in fact far more prolific in the wild.”

Stokes discovered the variant while threat hunting on Virus Total, he said. The post explains in more detail how the Zsh eventually unpacks into Shlayer malware. Shlayer, malware which poses as an Adobe Flash software update before infecting Apple operating systems, was first discovered back in February 2019. The attack represents what’s thought to be the first time that malicious code has gained Apple’s notarization stamp of approval. Apple responded promptly to reports of malfeasance by revoking the developer code-signing certificate abused in the Shlayer-slinging campaign.

NIST Cyber Security Framework continues its global adoption

Cyber threats have evolved to become increasingly complex and catastrophic as the years go on. The National Institute of Standards and Technology (NIST), in the United States, saw a need to develop a framework of cybersecurity standards that could be applied to critical infrastructure, such as power plants, hospitals and telecommunication. That need was fulfilled by the invention of the NIST Cybersecurity Framework.

As global adoption continues, Steven Cockcroft MSc MBCS MCQI CQP explains the origins and rise in popularity of the NIST Cyber Security Framework, its relevance and implications for organisations and individuals alike.

“The world now sees a need for everyone to be on the same page when it comes to developing and enforcing policies, managing risk and continually improving cybersecurity arrangements throughout their networks and organisations. It would appear governments, regulators and organisations, globally, are turning to the NIST Cybersecurity Framework to enable that.” Says Steve.

According to the NIST, there are eight use cases that organisations can target to leverage the implementation of the cybersecurity framework. These use cases are areas in which the framework can be applied to integrate seamlessly with already existing cybersecurity policies and procedures. They include:

• integrating enterprise and cybersecurity risk management;
• evaluating organisational cybersecurity;
• reporting cybersecurity risks;
• managing cybersecurity requirements;
• maintaining a comprehensive understanding of cybersecurity risk;
• integrating and aligning cybersecurity and acquisition processes;
• managing the cybersecurity programme;
• informing the tailoring process.

Gaming manufacturer suffers data leak

Gaming hardware manufacturer Razer suffered a data leak, an unsecured database managed by the company containing gamers’ info was exposed online. This discovery made by the security researcher Bob Diachenko of an unsecured database that exposed the information of approximately 100,000 individuals who purchased items from Razer’s online store. Razer is the world leader in high-performance gaming hardware, software and systems. The unsecured database was discovered on August 19, it contained customers’ info, including a name, email address, phone number, order numbers, order details, and billing and shipping addresses.

“The exact number of affected customers is yet to be assessed, as originally it was part of a large log chunk stored on a company’s Elasticsearch cluster misconfigured for public access since August 18th, 2020 and indexed by public search engines,” Diachenko wrote in a post on LinkedIn.

Exposed data could be abused by threat actors to carry out spear-phishing attacks against the gamer and obtain other info, including financial data. People that have ever purchased products from Razer’s online store must be vigilant about any unsolicited message from the gaming firm. The NCSC issued security advice this week for online gaming for families and individuals.

Cloud and datacentre services firm Equinix investigates Ransomware attack

Cloud and datacentre services firm Equinix is investigating a ransomware cyberattack that has left an undisclosed number of its internal systems offline, but has moved to reassure its customers that the incident is not affecting its customers or service levels. Currently, there is no indication of what strain of ransomware has been used or precisely what systems were affected. In a brief statement posted to its website, Equinix said its teams took “immediate and decisive” action to address the incident, including notifying law enforcement.

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter below.

Click here to find out about QA's extensive cyber-security courses.