The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- Skeletons in the closet. SEC asks companies impacted by SolarWinds hack to disclose all breaches since October 2019.
- 2021 OWASP Top 10. OWASP release an updated list of the Top 10 most dangerous vulnerabilities.
- An Apple a day. Two more zero-day vulnerabilities patched by Apple.
- 503 Yandex unavailable. Russia’s largest search engine provider hit with DDoS attack.
- And, it’s Patch Tuesday! Microsoft, Apple, Google, and Adobe all release critical updates to install.
1. SEC asks companies impacted by SolarWinds hack to disclose all breaches since October 2019
The US Securities and Exchange Commission (SEC) has reportedly sent letters to hundreds of companies suspected of being affected by the SolarWinds supply chain attack. The SEC is requesting that companies that used the compromised SolarWinds software disclose information about any other data breach or ransomware attack they may have suffered since October 2019.
Given that many companies are often hesitant to publicly disclose cyber incidents, the SEC investigation could reveal details of numerous unreported breaches. According to an SEC official, the investigation aims to uncover other SolarWinds-related incidents.
While the SEC has said it will not penalise companies that disclose information related to the SolarWinds hack voluntarily, it has not offered the same assurance for other cyber breaches.
SO WHAT? This development in the SEC investigation comes amid increasing pressure in the US for companies to disclose cyber breaches when they occur. Organisations should plan for how they would manage communications about a breach, and ideally practise it ahead of time through crisis simulations.
2. Top 10 most dangerous vulnerabilities in 2021
Broken access control vulnerabilities are now ranked as the most dangerous vulnerabilities affecting web applications. The Open Web Application Security Project (OWASP) Top 10 is a list of the most critical web application security risks and is compiled from data collected from bug bounty programmes and penetration testing firms.
Injection vulnerabilities, which previously held the top spot for 10 years, have been merged with cross-site scripting issues and are now recorded as the third most dangerous security risk. This fall is likely due to web applications becoming more complex and relying more on APIs, which bring new security challenges.
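An added example, not from the briefing or from OWASP, of what the top-ranked category looks like in code: a hypothetical invoice lookup that authenticates the caller but never checks which invoices they may see, beside a hardened version that enforces object-level authorisation. The user roles, invoice store and ids are constructed for the illustration.

```python
# Illustration of OWASP 2021 A01 (Broken Access Control): an endpoint that
# trusts a client-supplied object id versus one that checks ownership or
# an explicitly permitted role before returning the object. All data is
# constructed sample data; "customer" and "finance" are assumed roles.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "finance" (assumed roles)


# Constructed sample store: invoice_id -> owning user and amount
INVOICES = {
    101: {"owner": 1, "total": 250.0},
    102: {"owner": 2, "total": 80.0},
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorised."""


def get_invoice_vulnerable(user: User, invoice_id: int) -> dict:
    # The caller is logged in, but any invoice id they supply is returned:
    # a classic insecure direct object reference (IDOR).
    return INVOICES[invoice_id]


def get_invoice_hardened(user: User, invoice_id: int) -> dict:
    # Deny by default: fetch the object, then require that the caller owns
    # it or holds a role that is explicitly allowed to read every invoice.
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        # Same failure as a denial, so callers cannot enumerate valid ids.
        raise Forbidden()
    if user.role != "finance" and invoice["owner"] != user.user_id:
        raise Forbidden()
    return invoice


def can_read(user: User, invoice_id: int) -> bool:
    """Convenience wrapper: True if the hardened check would allow access."""
    try:
        get_invoice_hardened(user, invoice_id)
        return True
    except Forbidden:
        return False
```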
SO WHAT? A comprehensive penetration test that covers the OWASP Top 10 will help provide organisations with assurance that they are protected from the most common and dangerous web application vulnerabilities. Find out more about S-RM’s penetration testing services.
3. Apple patches two zero-day vulnerabilities
Apple has released an update to patch two zero-day vulnerabilities that allow attackers to execute commands on a device.
One of the vulnerabilities (CVE-2021-30860), a flaw reachable through iMessage, can be used to compromise a device without any user interaction and is known to have been used to deploy the now-notorious Pegasus spyware to vulnerable devices. The other (CVE-2021-30858) allows attackers to execute commands on a device when the user visits a maliciously crafted web page.
These are just the latest of many zero-day vulnerabilities that have targeted Apple products this year.
SO WHAT? Apple users should ensure their products are updated and running the latest available software.
4. Russian search engine giant defeats DDoS attack
Yandex, the Russian internet company, was the victim of the largest attempted Distributed Denial-of-Service (DDoS) attack ever recorded, peaking at 21.8 million requests per second (RPS) on 5 September. The incident, which started in early August, was successfully repelled by Yandex.
The attack is believed to have been launched by the Meris botnet. Meris, which has previously targeted financial institutions and other entities in the UK, New Zealand and the US, is known to demand a ransom from its victims in return for not launching a DDoS attack against them.
SO WHAT? Ensure your organisation has suitable protection against a DDoS attack, particularly if you have a low tolerance for service downtime. If a threat actor threatens you with a DDoS attack, consider proactively engaging a cyber security specialist.
5. It’s Patch Tuesday, and several zero-day vulnerabilities need patching
Microsoft, Adobe, and Google all urged users to update their products.
Microsoft has released patches for over 60 vulnerabilities. Four of these have been marked as critical. However, users have started to report significant problems with printing to network printers after installing the security updates.
SO WHAT? Patch Tuesday should be an important part of the patch management lifecycle for any company. However, updates can sometimes have unintended consequences, and it may be advisable to test them first on a smaller set of devices before rolling them out across the entire organisation.