News Wrap: Barnes & Noble Hack, DDoS Extortion Threats and More

  • From a cyberattack on Barnes & Noble to Zoom rolling out end-to-end encryption, Threatpost editors break down the top security stories of the week.

    The Threatpost editors break down the top security stories of the week ended Oct. 16, including:

    • Patch Tuesday madness, with Microsoft and Adobe releasing fixes for critical vulnerabilities – including a critical, likely wormable remote code execution bug known as the “Ping of Death”
    • Barnes & Noble getting hacked – and why some readers are not happy with how the book purveyor announced the cyberattack
    • DDoS extortion email threats hitting many companies across the world – including Travelex
    • Zoom finally rolling out end-to-end encryption on the video conferencing platform – and why this is different than the collaboration giant’s previous “full encryption” claims

    Download the podcast here or listen below.

    Below find a lightly edited transcript of the podcast.

    Lindsey O’Donnell-Welch: Welcome back to the Threatpost news wrap podcast. This is Lindsey O’Donnell-Welch with Threatpost and I am joined by Tara Seals, with Threatpost, to break down the biggest news from the week ended October 16. Tara, how was your week?

    Tara Seals: Oh, pretty good, Lindsey. It was super busy, as things in cybersecurity usually are. But this week was a little busier than most with Patch Tuesday and everything.

    LO: Yeah, we had a ton of news coming out of Patch Tuesday, whether it was Adobe Flash flaws that were being patched or Microsoft’s Patch Tuesday security updates. And I know there was a fair amount that came out from the Microsoft perspective, which you covered, Tara. What were you finding there?

    TS: So it was an interesting Patch Tuesday, because it had fewer than 100 CVEs this month, which was the first time in seven months that has happened. So that was kind of nice, I think, for IT administrators everywhere, not to have to worry so much about so many. But there are also a couple of notable bugs. Well, first of all, there were six bugs that were listed that had been previously disclosed in some way, shape or form, but did not have patches. And so those obviously are of concern. And there is already a handful of proof-of-concept exploits for those that are lying around. And they [Microsoft] don’t always have previously disclosed bugs that they have to deal with. So that was pretty notable that they had six of them.

    And then there were a couple of critical bugs that really stood out to most of the researchers that I talked to. One of which they’re calling the “ping of death,” which I think is kind of hilarious, but it’s true. It’s basically a bug in Outlook, Microsoft Outlook, and it can be triggered, basically, just by sending an email to someone. And because the attack vector is the Preview Pane, which is the default view – Outlook users everywhere will be familiar with this, when you receive an email, it just pops up in this Preview Pane that you can see – and so this particular bug, in order to be exploited, someone can just send an email, it pops up in the Preview Pane, and then [the exploit] gets triggered. And it allows attackers to execute remote code. So obviously, it’s concerning. And it’s also highly exploitable and trivial to carry out.

    LO: Right. Well, it definitely seemed like there were a ton of Microsoft bugs to come out this week. But as you mentioned, less than what we typically see. And that was the same with Adobe. I mean, I think in previous months, Adobe has had way more than the one flaw that it patched this week. So not sure what’s the reasoning behind that. But as you said, it’s always less of a headache for system admins to have to deal with.

    TS: Yeah, for sure. Well, and I think especially given the fact that we’ve had so much Zerologon news, that terrible bug that security teams are rushing to patch even as everyone from nation-state actors to financially motivated people in their basement are looking to exploit it. So, you know, I think it’s probably good to not add too much insult to injury this month.

    LO: Right. Companies have so much on their plates already in terms of, like, ongoing hacks and cyberattacks. For instance, you just on Thursday covered a newly announced Barnes and Noble hack, which, as someone who shopped at Barnes and Noble a lot, I love to read, that was not great to read about.

    TS: Yeah, that story’s a little bit crazy. So we also received the email notice. And it came in the wee hours of the morning. I think my husband’s arrived at, like, 1:30 or something in the morning, Thursday morning, so they kind of sent this out under cover of darkness, which I’m sure they want to minimize the publicity around it, but that is not going to happen because it’s Barnes and Noble.

    So the thing is that, what was really interesting about this, is that nobody knows, they haven’t confirmed yet, what kind of cyberattack. Only that there was one. But over the weekend, the Nook e-book reader – which my mom has one of those and they are kind of great – but the syncing feature for that went down and there was this outage that continued and it just kind of trended on a low level, nobody really knew what was going on. And that stretched across the week. And then they come out Thursday, well, Wednesday night into Thursday morning, saying that there had been a cyberattack.

    So people started putting two and two together, thinking, “hmm, maybe this might be a ransomware attack.” Again, unconfirmed, but I’m sure we’ll get more details. Some of the systems that were impacted by this contained a lot of personal customer information. Fortunately, not financial data, but certainly things like purchase histories, the lists of books that people have bought in the past, along with their email, phone numbers and other personal information like that, that basically it would be a dream for a phisher to mount some scam emails that are tailored and very convincing.

    LO: Right? Yeah, I was gonna ask, I mean, if an attacker has the fact that someone reads, you know, say, Stephen King novels and their email address, what kind of phishing lures could potentially be strung together from this? I’m sure that there’s plenty of different avenues that cyber criminals could go there.

    TS: Oh, definitely. I mean, can you imagine, especially, you know, around Halloween and the Stephen King reference, I mean, you could basically say, “Hey, I know that you just bought Doctor Sleep. So you might be interested, here’s some other recommendations.” And they could use some Barnes and Noble graphics and make it very convincing and look like, “because you read this, you might like this, click here to order” and then they can harvest all the information.

    LO: Right, they did not yet confirm that the data was actually stolen, but I’m sure that this could definitely be serious if it had been.

    TS: Well, right. And that brings up another issue around this incident, the fact that they don’t know if the data is stolen: what kind of IT staff do they have working over there? It’s an [almost] Fortune 500 company. It is mystifying to me, the amount of information they don’t appear to actually know. And also, the financial information was all encrypted, which is good. So the credit cards, payment cards are all tokenized. And they said they could not really be lifted. But the personal information, I mean, what was it, just left out there in plain text in the database somewhere? I actually emailed them to ask about some of these details. So hopefully, they’ll get back to me, and I’ll be able to do a follow-up story. Because it really is concerning that the IT staff a), does not appear to know what happened. And b), they were not protecting customer information in the way that most people would expect that they would be.

    LO: I know that other readers had kind of taken to Twitter, as you had mentioned in your article, to air their concerns about, as you said, the late-night email notice – it does seem a little skeevy.

    TS: Yeah. It was a little bit like, “oh, nothing to see here. Maybe you’ll miss this because it came in at 1:30 in the morning.”

    LO: Yeah, exactly.

    TS: And also it was kind of funny, because some of the people on Twitter also are saying, what are cybercriminals going to do with my reading list? So I think it’s really important to stress to people that, you know, they can do quite a lot with a reading list, as seen in our Stephen King example. It’s important to keep in mind for sure.

    LO: Right, right. It’s just another piece of information that can be used for a lure for spear phishing, or phishing attacks. So that is definitely important to note.

    Well, looking at some of the other big stories from this week, one that really stuck out to me that I wrote about was a new research article on how companies have continued to receive these extortion emails that are threatening to launch a DDoS attack on their network unless they pay up. So this is part of this overarching DDoS extortion campaign that’s been going on since August. But I guess the campaign started in mid-August and has ramped up at the end of September and the start of October. So it’s definitely been on the rise as of recently. And what was kind of the big news there is that Travelex, the British foreign exchange company, was reportedly one of their recent high-profile threat recipients of this kind of campaign.

    TS: Yeah, for sure. Well, and I mean, I think it’s really interesting too, that this is just another kind of – I mean, I don’t want to say ransomware because it’s not ransomware – but, you know, the extortion attempts, the ransom attempts, obviously it’s worked from the encryption malware standpoint. So now they are shifting to trying different ways to extort companies, you know, with their data. And I think that is really, really interesting. Just another way to make systems inaccessible, right?

    LO: I think the key difference is that ransomware attacks have already occurred. Whereas in this case, companies, the attackers are going to companies and saying, if you don’t pay up, we’re going to launch this attack in the future. So it makes you wonder if this is a little less serious, or maybe impactful, in that companies have that opportunity to harden their security. However, I did talk to researchers with Radware. And they were telling me that these threats are not hoaxes. And the actors have followed up with attacks. So that makes it all the more important to make sure that companies have the right security measures in place.

    There were also a couple of interesting things that stuck out to me about this campaign. And first of all, the first one was that attackers were claiming that if victims don’t pay up, I think it was, you know, the equivalent of $230,000 in Bitcoin, then they would have the ability to launch an attack that would peak at 2 terabytes per second. And that is a big claim. I mean, just to give some context there, I think the largest volumetric DDoS attack on record, as of February, at least, was on an Amazon Web Services customer. And that reached the levels of 2.3 terabytes per second. So I mean, that’s a pretty big claim. And another thing to note is that there’s no evidence that the claims that the cyber criminals are making about this level of volumetric attack are real. Researchers with Radware told me they hadn’t seen the two terabyte per second attack threatened in the letter in the report; however, orgs have seen attacks ranging up to 300 gigabytes per second that combined multiple attack vectors, so the threat is there, but it may not be at the same level that they are claiming they can reach.

    TS: That’s interesting, really, because you don’t know. Do you want to test these waters? Are you gonna call the bluff? And even if it’s not even that big of an attack, if it still takes out your systems, who cares [how big it is]? I wonder if part of that claim and boasting has anything to do with the fact that they are trying to pose as these advanced threat groups, these APTs that are known to be really well-resourced. You know, they’re masquerading as groups like Fancy Bear and Lazarus. So maybe they are trying to claim that they have the same kinds of capabilities that those groups have.

    LO: I think they are trying to pretend to be these APT groups, and really try to kind of play into the fears there of different companies in different sectors. For instance, I think it was based on the vertical, they would have a selection of different APTs. So you know, when they were targeting financial orgs, they were purporting to be Lazarus Group. So I think they are really trying to play into that fear factor there.

    And another tactic that they use as well is that they threatened to up their ransom by 10 bitcoins for every day that it’s not paid. And they don’t have any other way for the victims to reach out to them, other than the Bitcoin address to send the payments to, so there is no way to respond to them or try to negotiate. I mean, the threat’s just there. I think that there is kind of a level of fear there that companies will probably have when they get these kinds of threats. And I mean, these attacks, DDoS attacks, can be pretty damaging for companies. I remember, I think it was in 2016, the DDoS attack on Dyn that disrupted the internet. And you know, I’ll never forget trying to get onto Netflix that morning and being frustrated that it was down. So I think these do have kind of a real-world impact.

    TS: Oh, yeah, for sure, that attack was absolutely crazy. And, yeah, let’s hope that this doesn’t snowball into something that becomes as endemic as ransomware attempts. It is pretty scary for companies today, I think.

    LO: Yeah. And I mean, this has also been going on, I was kind of doing some research into DDoS extortion attacks, and I mean, this has been going on for many, many years, as well. It’s not that new; even back in 2015, the FBI was saying it saw an increase in the number of companies being targeted by these kinds of scammers who are threatening to launch these attacks if they don’t pay a ransom. So I think that what this shows is that attackers are still upping their game and switching up their tactics and innovating to find new ways to target companies. And I think it’s working, as we saw with Travelex, which, by the way, has had some bad juju with security this past year.

    TS: Yeah, that’s the last thing they need for sure. Ok, well, Lindsey, the other thing that you covered this week that really stood out to me – when I saw it I was like, aha, finally – was Zoom finally debuting their end-to-end encryption service. What’s that all about? How’s the rollout going to proceed?

    LO: Yeah, so I think it was Wednesday when Zoom announced it’s rolling out a technical preview for its end-to-end encryption into its platform. So what that means is, it’s going to have four phases of the rollout. And the first one will be mainly to solicit feedback from users during the first 30 days, so they can kind of roll it out and flush out any issues and try to stomp out any problems there. And what’s interesting here, too, is kind of the background here with Zoom and end-to-end encryption. It has faced a lot of issues around its encryption practices, including the fact that there was a lot of backlash around Zoom telling users that it offered full encryption as a marketing term. That received a lot of backlash from kind of privacy and security experts who said that there is a difference between encryption and end-to-end encryption. And then there was another incident in May when Zoom announced it would actually offer end-to-end encryption but only to paid users, which, as you can imagine, also garnered a lot of controversy from privacy advocates who were saying that security measures should be free to all, so it definitely has had its fair share of issues around encryption leading up to this.

    TS: Yeah. And that’s kind of interesting, because I went to a roundtable discussion that had the CISO for Zoom on there, a couple months ago, and I actually asked him what the plans were for this and whether or not his company is still wrestling with some of the backlash effects from not only the encryption debacle, but also just all the other issues. And he dodged the question, which was somewhat understandable. I mean, they didn’t want to open up the kimono, so to speak, on their plans before they were ready to pull the trigger, which I totally get. But, you know, he did say that they’ve had some growing pains, and they definitely were not prepared for the spike in usage around the pandemic. And so, yeah, that’s kind of interesting. I mean, this is like watching growing pains in action. But hopefully this rollout will go well. And I know a lot of people that use Zoom for business, especially I have got some medical-professional people in my circle, doctors and whatnot, that use it all the time. And I always kind of cringe, like, are you sure you want to use Zoom, but maybe with this, everything will be a little bit more secure. And people can rest a little easier when they use that service.

    LO: Yeah, you have to give Zoom some credit here for actually going ahead and rolling this out. And I will say, despite all the security issues that they’ve had – and they have had plenty since the pandemic started – I think they have been doing a good job of kind of stepping up to the plate and trying to address these different issues. And they acquired Keybase, to kind of bolster their encryption there, and are now kind of rolling this out. So I think there are two things to note that I thought were important for Zoom users to think about. First of all, this isn’t on by default, so users will need to turn the feature on manually. And then the second thing is that enabling the feature may disable certain other features in Zoom. And I just thought that was kind of interesting to note, but some of the other features that might be disabled are the ability to join before the host, and cloud recording and streaming and live transcription, breakout rooms, etc., etc. So just kind of two little tidbits there to keep in mind for Zoom users.

    TS: Yeah, it is kind of interesting how taking things offline from Zoom servers, taking the communication kind of away from flowing through the Zoom servers, impacts, technically, from a technology perspective, all these other kinds of bells and whistles, so people will have to make a value judgment, I guess, or a risk assessment, and figure out what they like more. You know: private chats or encryption.

    LO: Well, yeah, so that rolls out next week. So we will be keeping an eye on the launch there. And hopefully that rollout goes well. But, Tara, I think we have reached the end of the news wrap here. So thanks for coming on to talk about the biggest cybersecurity news stories of the week.

    TS: Yeah, for sure. Thanks for having me, Lindsey, as always, and I hope you have a good weekend, and catch you next week.

    LO: You as well, and that to all of our listeners. Thanks for tuning in to the Threatpost news wrap. If you liked what you heard today, feel free to leave a comment or question about anything that we covered today on our Twitter page, which is @threatpost. Thank you so much, and have a great weekend.

    For more Threatpost podcast episodes – including exclusive interviews and behind-the-scenes coverage of breaking news – check out Threatpost’s Podcast page.