Futurum Tech Webcast
Featuring hosts Shelly Kramer and Daniel Newman
The Futurum Tech Webcast is a weekly podcast/webcast covering the latest in tech news, new products and services from leading technology companies, mergers and acquisitions, regulations and policy, and more. From startups to industry leaders, and from emerging tech to the latest in AI and cyber security, our team here at Futurum Research is covering it. The Futurum Research webcast, led by founders and principal analysts Daniel Newman and Shelly Kramer, also features analysts Fred McClimans, Olivier Blanchard, and Ron Westfall, and they can be counted on to have lively discussions on a variety of relevant, timely topics.
You will also find the Futurum Tech Webcast featuring guests from some of the world's most interesting technology companies.
Subscribe now and stay connected to this exciting journey into the world of technology and the future of work.
For inquiries or more information on the show, please email the Futurum Research team at email@example.com. Follow us on Twitter @FuturumResearch or visit us online at www.futurumresearch.com.
As a reminder, the Futurum Tech Webcast is intended as an informational webcast/podcast only. While publicly traded companies and equities are frequently discussed, the analysts on this show are not in any way offering financial or investment advice.
Enterprise Password Manager Passwordstate Hacked in Supply Chain Attack
The News: Passwordstate, an Australian enterprise password management app offered by Click Studios, alerted customers late last week of a breach that the company said occurred between April 20 and April 22. Read the advisory from Click Studios here.
Analyst Take: The compromise of Click Studios’ enterprise password manager Passwordstate involved an automatically delivered in-place upgrade pushed to customers between April 20 and April 22. Hackers inserted a malicious file alongside the regular Passwordstate updates, and it made its way, largely by way of those automatic in-place updates, onto Passwordstate users’ computers. When customers performed the updates over the course of that two-day period, a malicious file was downloaded, which then set off a process that extracted a large amount of information. This included all data stored in Passwordstate (think URLs, usernames and passwords), and also included information about the computer system itself.
Supply Chain Dangers and Why Your Password Management App is Targeted
How does a password management app get breached? It’s not as rare as you might think, and Passwordstate isn’t the first password manager to be breached. While password managers can be an important tool for requiring that users employ different passwords, they also represent a danger because they can be a single point of failure, especially for enterprise users.
What’s the possible damage? Passwordstate’s parent, Click Studios, claims a Fortune 500 customer base of 370,000 security and IT pros, and a smaller customer base of 29,000. Since IT pros manage credentials across the organization for devices and services, it’s impossible to know at this point what the damage is, even though the breach is claimed to have occurred only during a little more than a 24-hour period.
This is an example of risk at the supply chain level. You can have all the best security practices and procedures at the enterprise level, but have a vendor that you rely on for something like password management services and just like that, you’re in trouble. And this is exactly why threat actors target various players in the supply chain.
My colleague Fred McClimans and I covered the Passwordstate breach as part of our Cybersecurity Shorts edition of the Futurum Tech Webcast this last week.
The US/UK Governments Issue Cybersecurity Advisory on Russian Threat Actor Activity
The News: A joint advisory was published on Friday, May 7, 2021 by the Cybersecurity & Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre, the FBI, and the NSA, focused on the Russian Foreign Intelligence Service (SVR) and the tactics, techniques and procedures it uses to target victims. These reports focus on threats posed by APT29, how its methods have evolved, and provide best practices to defend against the threat actor. Read the Joint Advisory here.
Analyst Take: This past Friday was a big day for cybersecurity advisories related to Russian Foreign Intelligence Service (SVR) threat actors. The threat group APT29 has been attributed to Russia’s SVR and has operated since about 2008, largely targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 is also known by the names Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, and CozyDuke.
In the recently issued joint advisory, the US and UK governments outlined tactics and techniques that the Russians are using in their hacking efforts and outlined how they are targeting their victims. In an earlier alert issued the week prior, SVR operations were outlined, along with trends and some recommended best practices for network defenders.
These reports also provide more details on the SolarWinds attack spearheaded by those same Russian SVR threat actors. The SolarWinds attack saw malicious updates from compromised SolarWinds systems breaching hundreds of organizations, and we don’t yet know the full scope of the damage. Last year we also saw that same SVR group targeting vaccine R&D operations, which involved malware tracked as WellMess (https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c) and WellMail.
What caught my eye here and what is highlighted in the report is that threat actors embrace best practices for digital transformation. They are agile and adaptable. Once they are detected, they pivot. For instance, once the WellMess/WellMail breach was detected, APT29 pivoted.
And this pivot was really pretty brilliant. The threat actors began using Sliver, a security testing tool developed by Bishop Fox, an offensive security assessment firm.
Sliver is a legitimate tool used for adversary simulation. This new report focuses on helping threat hunters detect Sliver, but here’s the rub: just because it’s detected doesn’t necessarily mean it’s malicious. Have a headache yet? I do.
My colleague Fred McClimans and I covered this jointly issued report in our Cybersecurity Shorts series on the Futurum Tech Webcast this past week.
Threat Actors Make It Their Job to Know When Servers Are Vulnerable
The newly published warning report said that threat actors are actively scanning the internet for vulnerable servers, including vulnerabilities affecting VMware’s vCenter Server product and Microsoft Exchange servers, which have already been exploited by many.
The government warns that five vulnerabilities need immediate attention, in addition to the newest Microsoft Exchange Server updates made available in mid-April. These five are:
CVE-2018-13379 Fortinet FortiGate VPN
CVE-2019-9670 Synacor Zimbra Collaboration Suite (advisory here)
CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
CVE-2019-19781 Citrix Application Delivery Controller and Gateway
CVE-2020-4006 VMware Workspace ONE Access
A final note: organizations have been slow to apply the available fixes, leaving them massively at risk.
Access the full Joint NCSC-CISA-FBI-NSA Cybersecurity Advisory on Russian SVR activity here: Advisory: Further TTPs Associated with SVR Cyber Actors
The government also released a Fact Sheet: Russian SVR Activities Related to SolarWi
Peloton’s Leaky API is Hubris Personified — at Least When It Comes to User Safety and Data Privacy
The News: Peloton’s leaky API, which exposed private user data, was in the news alongside some other not-so-great news for the fitness brand this last week. The leaky API was first reported by TechCrunch’s Zack Whittaker, and you can read his story here.
Analyst Take: It has most definitely not been a great few weeks for Peloton. With the recall of all Peloton Tread and Tread+ treadmills after the death of a child and some 70+ injuries, after the brand first tried to shake off the concerns of the CPSC and then later admitted it was wrong, Peloton was already in the spotlight. Adding to the Tread disaster is the fact that the Peloton API was leaking private customer data, which made a bad period for the brand’s reputation even worse.
Regarding concerns about the Peloton API, this is an important user data privacy issue. Peloton has a community of some 3 million plus members. When setting themselves up in the Peloton system, members can choose to keep their profiles private or make them public, so that their friends can see their stats, workouts, etc. User profiles also include things like height, weight, age, gender, you know, personal details. Many users, myself included, prefer to have a private profile. That means you still enter that information, but you keep your settings private, not public. Easy, right?
Except when it doesn’t work. The Peloton API vulnerability was disclosed by Jim Masters, a researcher at Pen Test Partners, a security consulting company, and the bug allowed anyone to pull users’ private information directly from Peloton’s servers, even if a profile was set to private.
Pen Test Partners reported that the Peloton APIs required no authentication and that the information was simply available to anyone who went looking. This information included the things I mentioned earlier: user IDs, instructor IDs, group membership, workout stats, gender and age, height, weight, and the city where the user is located.
Pen Test Partners published an article last week stating that they reported the issue to Peloton in January and provided a 90-day deadline to fix the bug. Pretty common operating procedure. Masters got a confirmation from the company that the notice was received. Two weeks later, Pen Test Partners noticed that Peloton had executed what they observed was a partial fix, and said nothing about it. This partial fix meant changing the API so that the data was no longer available to anyone on the internet, but instead to anyone with a Peloton account, regardless of the profile’s privacy setting. What?
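The distinction between the original bug, the partial fix and a real fix is an authorization question, not an authentication one. The following is an added illustration, not Peloton’s code: the profile data, field names and the privacy rule (a private profile’s details are visible only to its owner) are all constructed assumptions.

```python
"""Three versions of a profile lookup, modelled on the Peloton API issue.

Constructed example: PROFILES is sample data, and the owner-only rule for
private profiles is an assumed policy, not Peloton's actual logic.
"""
from dataclasses import dataclass, field


@dataclass
class Profile:
    user_id: str
    is_private: bool
    details: dict = field(default_factory=dict)  # the sensitive fields


# Constructed sample profiles: u1 is private, u2 is public
PROFILES = {
    "u1": Profile("u1", True, {"age": 41, "gender": "F", "weight": 62, "city": "Paris"}),
    "u2": Profile("u2", False, {"age": 29, "gender": "M", "weight": 80, "city": "Austin"}),
}


def get_profile_original(target_id):
    """Original behaviour: no authentication, every field is returned."""
    return PROFILES[target_id].details


def get_profile_partial_fix(target_id, caller_id):
    """'Partial fix': a login is required, but any account can still read
    any private profile, because only authentication was added."""
    if caller_id is None:
        raise PermissionError("login required")
    return PROFILES[target_id].details


def get_profile_fixed(target_id, caller_id):
    """Object-level authorization: the caller must be logged in AND a
    private profile's details are released only to its owner."""
    if caller_id is None:
        raise PermissionError("login required")
    profile = PROFILES[target_id]
    if profile.is_private and caller_id != profile.user_id:
        # Non-owners learn nothing beyond the fact that the profile is private
        return {"user_id": profile.user_id, "private": True}
    return profile.details
```

The test a defender would add to the API's regression suite is the third case: an authenticated user who is not the owner must not be able to read a private profile's details.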
Pen Test Partners tried hard to connect with Peloton about this and were soundly ignored. It was only when Zack Whittaker, writing about the leak for TechCrunch, asked about it that the company decided it was probably a good idea to do something.
Jim Masters published a blog post on this issue, which he updated on May 5th following a conversation with Peloton’s new CISO, who advised that the vulnerabilities were mostly fixed within seven days.
My colleague Fred McClimans and I covered the leaky Peloton API as part of our Cybersecurity Shorts series of the Futurum Tech Webcast. There’s more to the conversation, so check it out.
Cybersecurity Shorts: Google’s 2FA Mandate, Peloton’s Leaky API, and Password Management App Malware
In this episode of the Futurum Cybersecurity Shorts series, I’m again joined by my colleague and fellow analyst, Fred McClimans, for a conversation on cybersecurity issues in six quick vignettes. Today, we covered:
Google’s rollout of mandatory 2FA
The targeting of Passwordstate, an Australian-based enterprise password management app, by hackers
The discovery of over 40 apps, with more than 100 million installs between them, found leaking API keys
Peloton’s leaky API and what that means for user data privacy
The massive DDoS attack targeting Belgian ISP Belnet, and the impact of that attack on government, public, science, and education agencies, including the Belgian Parliament and some law enforcement agencies
Cybersecurity Shorts - In Hacking News: 3.2B Leaked Passwords Contain 1.5M Records and Ties to Government Emails
Syhunt, an application security assessment firm that helps organizations actively guard their mobile and web apps, recently reported findings on the biggest known compilation of password leaks posted by a hacker on an internet forum. The 100GB data set, called COMB21 (a/k/a Compilation of Many Breaches), was published on an online forum on February 2, 2021, and its ties to government emails are, at best, alarming.
Online cybercrime forums are where hackers post passwords, links, and other information related to data breaches, and COMB21 is one gigantic data set. It is the result of data pulled together from a variety of sources and comes from leaks and breaches of a variety of organizations (and government entities) over a fairly significant period of time. The potential impact is significant. For starters, there were some 3.2 billion passwords from 2.18 million unique emails and 26 million email domains in the COMB21 data. This includes some 1.5 million world government emails and 625,000-ish U.S. government passwords. Gets your attention, doesn’t it?
In its coverage of this breach, Syhunt pointed out the danger of deep learning tools being applied to the COMB leak, which increases the risk exponentially. Bottom line: 100 gigs containing 3.2 billion leaked passwords, leading directly to government entities across the world, is about as serious as it gets.
New Cybersecurity Shorts episode: China-linked Hackers use Pulse Connect Secure VPN Flaw to Target Federal Agencies
It was reported last week that at least two groups of hackers linked to China have spent months taking advantage of a flaw in Ivanti’s Pulse Connect Secure VPN suite to break into what was described as a ‘very limited number’ of customers’ systems, which nonetheless included at least five federal civilian agencies and financial institutions in the U.S. and beyond. Hackers were able to break into the devices while they were in use. More from Reuters.
Hackers suspected to be linked to China have exploited vulnerabilities in Ivanti’s Pulse Connect Secure VPN products, targeting multiple government agencies, defense companies, and financial institutions in the U.S. and Europe. Cybersecurity company FireEye (which also discovered and reported the recent SolarWinds hack) reported tracking 12 malware families associated with the exploitation of Pulse Connect Secure VPN devices. All of this malware was used to circumvent authentication on, or gain backdoor access to, the VPN devices.
China-linked Hackers use Pulse Connect Secure VPN Flaw to Target US Defense Industry Researchers
FireEye’s Mandiant reported on April 20th that they believe multiple threat actors are involved in the attack, and that these intrusions targeted government, defense, and financial institutions globally. Each instance of hacker activity was ultimately traced back to the Pulse Connect Secure VPN devices. It’s probably also important to note here that Pulse Connect’s parent, Ivanti, has contracts with the Nuclear Regulatory Commission, the Pentagon, the Bureau of Fiscal Service, and the Coast Guard.
Check Vulnerability and Patch Your Pulse Connect Secure VPN Devices
In acknowledging this attack, CISA issued an advisory on April 20, 2021, noting that Ivanti has developed a checker tool, or ‘Integrity Tool’, that any agency using Pulse Connect Secure products can run to check whether they have been compromised, and strongly encouraging all Pulse Secure customers to use the tool to check for malicious activity.
While the initial press around this hack has worked to minimize the damage, CISA has identified 24 federal civilian agencies that use Ivanti’s Pulse Connect Secure VPN devices and issued a directive last week requiring every agency using these devices to determine how many VPN devices they have, run Ivanti’s ‘Integrity Tool’ to determine whether or not they are at risk, and report back to CISA.
It was announced today that Ivanti has released a security update for the Pulse Connect Secure, addressing a new authentication bypass.
Ivanti urges customers using Pulse Connect Secure 9.0RX and 9.1RX to immediately upgrade to Pulse Connect Secure 9.1R11.4, which fixes the vulnerability.