The latest security warnings, and MSP Vendor Disclosure and Bounty programs listed

This is a warning heavy day.

The FBI is warning about SIM card swaps, now an escalating problem. The FBI reports that from January 2018 to December 2020, the FBI Internet Crime Complaint Center received 320 complaints related to SIM swapping scams, with the damages totaling $12 million altogether.

CISA is ordering federal agencies to have the latest Apple patches out by February 25th in response to Apple WebKit remote code execution bugs.

The European Central Bank issued a warning last week to prepare banks for a possible Russian-sponsored cyber-attack related to the rising tensions in Ukraine.

Proofpoint is warning about a “low-skilled attacker using off-the-shelf malware in malicious campaigns aimed at companies in the aviation sector as well as in other sensitive industries.” Tracked as TA2541, this actor is thought to be operating out of Nigeria and uses a known pattern of waves of spear-phishing emails, in English, to download files hosted on cloud storage providers – because those aren’t blocked inside larger companies. The pattern has been consistent for roughly five years.

And in high-profile attack news, over Super Bowl weekend, the San Francisco 49ers were hit by a cyberattack in which the BlackByte ransomware gang claims to have stolen data. The leaked data is a 292MB archive of files that the threat actors say are stolen 2020 invoices from the 49ers’ network.

The FBI revealed that this same group hit at least three organizations in US critical infrastructure in the last three months. And, as is the theme today, the FBI has issued an advisory on their comeback.

China’s rise, too, is highlighted in CrowdStrike’s eighth annual Global Threat Report. China-nexus threat actors are getting better and quicker at weaponizing and deploying exploits for newly discovered common vulnerabilities and exposures (CVEs). In the past 12 months, they leveraged new vulnerabilities at a “significantly elevated” rate compared to 2020.

SentinelLabs released information about ModifiedElephant, responsible for widespread attacks targeting human rights activists and defenders, academics, journalists, and lawyers across India. Rather than focusing on data theft, the APT’s activities are far more sinister. Once inside a victim’s machine, the group conducts surveillance and may plant incriminating files later used to prosecute individuals.

Google reported several pieces of relevant data. Google’s Project Zero released a report covering its work in 2021. It found that vendors took an average of 52 days to fix reported security vulnerabilities. Between 2019 and 2021, Project Zero researchers reported 376 issues to vendors under their 90-day deadline.

Of those 376 issues, more than 93% have been fixed, and over 3% have been marked as “WontFix” by the vendors, according to Project Zero. Microsoft, Apple, and Google account for 65% of the bugs discovered.

Separately, the company also announced that it awarded more than $8.7 million to security researchers in the form of bug bounties for thousands of vulnerabilities reported in Google products.

The figure is up from the $6.7 million Google paid to security researchers in 2020.

Google has also raised the rewards for vulnerabilities in the Linux kernel, Kubernetes container management, and Google Cloud’s Kubernetes Engine.

On the criminals’ side, Chainalysis revealed that victims of ransomware spent nearly $700 million paying off their attackers in 2020. That’s up from $350 million in the previous report.

And in the news for solution providers, Dana Epp, a well-known security researcher in the SMB space and founder of AuthAnvil (now owned by Kaseya), has published a GitHub repository detailing MSP vendors’ Vulnerability Disclosure Programs. It covers vendors in the MSP space who may or may not have published their Vulnerability Disclosure Program (VDP) and Bug Bounty Program (BBP) publicly. The methodology combines an automatic check against web crawl data with a human review.

Why do we care?

Keeping up with this level of risk review is a specific role in any organization now. I ask: who does it at yours, or at your customers’, if you sell any kind of security?

I have three focus areas today.

First, let’s nod to the range of threats – from highly specialized attackers specifically targeting individual human rights activists or lawyers with an intentional, planned, malicious outcome, to automated persistent bulk threats mining for money. This is a long way from a happy open internet.

Second is the overall investment from those motivated to provide technology. Google is the example today – with a significant investment in bug bounties and research, linked to data showing they are also getting some return on that investment in the form of fixes. It’s an active spend to address the problem.

This leads to the third, and it’s the review of that repository. If you’re delivering IT services to the SMB, this is a list you should be aware of – and pressure your vendors to deliver on.