Cisco Talos: Cyber Security Week in Review (March 8)

Top headlines this week

• Chinese tech company Huawei is suing the U.S. government. The company alleges that the federal government violated the Constitution when it banned government agencies from buying Huawei software. The two sides have been locked in a war of words over the past year as U.S. officials raise allegations of spying and security concerns against Huawei.
• Cisco disclosed 23 vulnerabilities affecting the NX-OS software that could put some switches at risk. The most critical vulnerability, which received a CVSS score of 8.6, lies in the Lightweight Directory Access Protocol (LDAP) in Cisco FXOS and NX-OS. An attacker could exploit this bug to gain the ability to restart the device, resulting in a denial of service. Snort rules 49334 - 49336 and 49350 can protect you from these vulnerabilities.
• The National Security Agency released its reverse-engineering tool, Ghidra, to the public. At the RSA security conference, the agency made the software open source. While there are many reverse-engineering tools on the market, the NSA has spent years refining Ghidra and it’s largely believed one of the most sophisticated decompilers available. 

From Talos

• Information security and operational security teams need to work together to protect IoT. That was the main takeaway from Cisco’s keynote at the RSA conference earlier this week. Matt Watchinski, the vice president of Cisco Talos, and Liz Centoni, the head of Cisco’s internet-of-things business group, said that IoT devices have become so entrenched in our society that it’s become more important now than ever to secure them. You can watch a replay of the address here. 
• There are three vulnerabilities in Pixar Renderman that could allow an attacker to elevate their privileges to root. Renderman is a rendering application used in animation and film production produced by Pixar, a well-known film studio. When installing the application, a helper tool is installed and launched as root. This service continues to listen even after installation is complete. These vulnerabilities lie in the `Dispatch` function of this helper tool.

Malware roundup

• A new, layered malware has popped up on the popular Pirate Bay torrenting website. Known as PirateMatryoshka, the trojan disguises itself as a legitimate torrent. Once downloaded, it has numerous layers to it and acts as a downloader to several other malicious programs. 
• A relatively unknown threat group known as “Whitefly” is allegedly behind an attack on Singapore’s health care database. Security researchers say the group was behind the exposure of 1.5 million patients’ records in July, most likely using DLL load-order attacks.
• “Scarlett Widow,” a hacking group believed to be based out of Nigeria, recently started a new wave of attacks. The actor has sent several malicious to K-12 schools and non-profits, including the Boy Scouts of America. So far the group is believed to have information on 30,000 individuals from 13,000 organizations across 13 different countries. 

The rest of the news

• More than 300 million private messages in China were exposed on the internet. It is widely believed that the messages, which were transmitted on secure messaging apps, had been collected by the Chinese government. The database made personal identities searchable by anyone who found the IP address. 
• U.S. Cyber Command carried out an offensive operation against a U.S. Russian troll farm last year. The attack targeted hacking groups known for spreading misinformation, specifically trying to shut them down on the day of the 2018 midterm elections in the U.S. 
• A new Senate report says Equifax neglected proper cybersecurity practices for years. The credit reporting agency was the victim of a massive cyber attack in 2017 that led to the exposure of 145 million Americans’ personal information. The report states that the attack could have been avoided had the company followed “widely agreed upon” cybersecurity practices.