Cyber Intelligence Weekly (Sept 5, 2021): Our Take on Three Things You Need to Know
Welcome to our weekly post where I will be sharing some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
You can also Subscribe to receive Cyber Intelligence Weekly in your inbox each week.
Away we go!
1. Warnings to Business Leaders Ahead of the Long Weekend
After July 4th notched one of the worst holidays from a cyber attack perspective, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) sounded the alarms ahead of the long Labor Day weekend. While they didn’t have any specific intelligence to share, they cited the tendency of threat actors to strike American businesses while we are grilling hotdogs and not staring at computer screens. FBI and CISA reminded American companies of cyber hygiene best practices as well as operational best practices to combat ransomware such as having good offline backups.
Anne Neuberger, the Deputy National Security Advisor, even went so far as to mention the same during a White House press briefing on Friday, noting, “…calling on Americans, organizations to do the steps they need to do to be as safe as possible in advance of what may be an increased threat, as we’ve seen in history — for the reasons I noted — during the holiday weekend.”
While it seemed to be a relatively quiet weekend (‘knocks on wood’), I personally thought this was an excellent concerted effort by the US government to raise awareness and give proper attention to the issue of cybercrime ahead of the long weekend. It certainly caught the attention of several businesses that I work with and their management teams. These trends of large-scale attacks over holiday weekends, which are now being recognized by the masses, are not new to the InfoSec community, especially those who work in incident response. Let’s continue this awareness throughout the upcoming holiday season.
2. Atlassian Confluence Up a River
Atlassian Confluence, the popular workspace collaboration software, reported a critical security advisory for a vulnerability found in its code. US Cyber Command tweeted on Friday ahead of the Labor Day weekend holiday: "Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven't already -- this cannot wait until after the weekend."
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. This vulnerability does not apply to the hosted cloud solution, only to the on-premises version.
This is yet another reason to understand your software inventory and have a strong corresponding vulnerability management program to keep these items patched regularly.
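As an added illustration of the inventory check just mentioned (example code written for this post, not Atlassian's or any vendor's tooling), the function below compares on-premises Confluence version strings from a constructed inventory against the four affected ranges quoted above and reports which hosts still need the CVE-2021-26084 patch; the inventory format (host, product, version, deployment) is an assumption.

```python
# Added example (not from the newsletter): triage a software inventory against
# the affected-version ranges stated in the CVE-2021-26084 advisory.
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges as stated: (lower_inclusive, upper_exclusive).
# A lower bound of None means "every version before the upper bound".
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, (6, 13, 23)),
    ((6, 14, 0), (7, 4, 11)),
    ((7, 5, 0), (7, 11, 6)),
    ((7, 12, 0), (7, 12, 5)),
]

def parse_version(text: str) -> Version:
    """Turn '7.11.5' into (7, 11, 5); pad short versions like '7.13' with zeros."""
    parts = text.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))

def is_affected(version: str, deployment: str = "server") -> bool:
    """True when a Server/Data Center install falls in an affected range.
    The hosted cloud product is not affected regardless of version."""
    if deployment.lower() == "cloud":
        return False
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or v >= lower) and v < upper:
            return True
    return False

def triage_inventory(inventory) -> List[str]:
    """Return hosts from (host, product, version, deployment) rows that are
    still running an affected on-premises Confluence version."""
    return [host for host, product, ver, dep in inventory
            if product == "Confluence" and is_affected(ver, dep)]

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("wiki-01", "Confluence", "7.11.5", "server"),      # in 7.5.0 <= v < 7.11.6
    ("wiki-02", "Confluence", "7.12.5", "datacenter"),  # first fixed 7.12.x
    ("wiki-03", "Confluence", "6.13.22", "server"),     # before 6.13.23
    ("wiki-04", "Confluence", "7.4.11", "server"),      # first fixed 7.4.x
    ("wiki-05", "Confluence", "7.11.5", "cloud"),       # cloud: not affected
    ("jira-01", "Jira", "8.19.0", "server"),            # different product
]

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))  # ['wiki-01', 'wiki-03']
```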
3. What’s Up With That WhatsApp?
The popular chat and communication application, WhatsApp, has been fined €225m by the Irish Data Protection Commission for breaching privacy regulations. It is the largest fine ever from the Irish Data Protection Commission (DPC), and the second highest under EU GDPR rules.
WhatsApp Messenger, or simply WhatsApp, is a cross-platform centralized instant messaging and voice-over-IP service owned by Facebook. It allows users to send text messages and voice messages, make voice and video calls, and share images, documents, user locations, and other content.
The investigation focused on whether WhatsApp had complied with its personal data transparency obligations under the GDPR, particularly regarding the sharing and processing of personal data by and with other Facebook companies (Facebook acquired WhatsApp in 2014). The DPC identified breaches of Articles 12-14 of the GDPR, with respect to both users and non-users of its services, determining that WhatsApp had failed to provide appropriately clear, transparent or sufficient information concerning its processing activities.
Compliance with GDPR is not a simple check-the-box exercise where one can download some quick policies and claim to be fully compliant by default. Organizations must truly understand how they use personal data once collected and ensure their decisions to use that data in certain ways are clearly outlined and accepted by the data owners. In this case, the DPC concluded that WhatsApp did not follow these axioms and must pay the price.