Raindrops keep falling on the Privacy and Security Weekly Update for January 19th 2021


Tom Jones sings the Burt Bacharach classic, as a tip off to our first story as we move from sunspot, Sunburst, Teardrop onto “Raindrop”.

From there we go X-rated before hurtling into the Good and the Ugly.

Finally we end in outer space were one institute is even starting to realize that Cybersecurity has its place in space too!

This is the best Privacy and Security update yet, so put on your rain macs, buckle up and away we go!!!

Global:Fourth malware strain discovered in SolarWinds incident

Symantec said it identified Raindrop, the fourth malware strain used in the SolarWinds breach, after Sunspot, Sunburst, and Teardrop.

Symantec has uncovered an additional piece of malware used in the SolarWinds attacks which was used against a select number of victims that were of interest to the attackers.

Raindrop (Backdoor.Raindrop) is a loader which delivers a payload of Cobalt Strike.

Raindrop is very similar to the already documented Teardrop tool, but there are some key differences between the two. While Teardrop was delivered by the initial Sunburst backdoor (Backdoor.Sunburst), Raindrop appears to have been used for spreading across the victim’s network. Symantec has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst.

The discovery of Raindrop is a significant step in the investigation of the SolarWinds attacks as it provides further insights into post-compromise activity at organizations of interest to the attackers. While Teardrop was used on computers that had been infected by the original Sunburst Trojan, Raindrop appeared elsewhere on the network, being used by the attackers to move laterally and deploy payloads on other computers."

So what’s the upshot for you? This is one of the biggest hacks in history and it just keeps unravelling further. This is the fourth installment in a story that is still being written, but that undoubtedly will touch everyone across the world as it unfolds globally.

Global:X-Rated Social Media App Exposes Users in Massive Data Breach

A cloud misconfiguration at a now-defunct social media app has exposed hundreds of thousands of files, including explicit photos of users that they thought had been deleted.

A research team discovered the AWS S3 bucket on October 13 last year, tracing it back to Fleek and owner Squid Inc.

Fleek was marketed as an ‘x-rated’ alternative to Snapchat’s “Campus Stories”, with similar photo-sharing functions but almost no censorship or moderation of content.

Fleek was a hit with US college students, it promised to automatically delete photos after a short period, encouraging users to post salacious pics of themselves engaged in sexually explicit and illegal activities. When fleek ceased operating in 2019, it failed to secure a huge amount of undeleted, sensitive data collected from users since it launched in 2016.

While the app closed down in 2019, the person or company paying for the storage of the exposed data could still face legal action or fines from the US government.

So what’s the upshot for you? From now on, never share anything you’d be embarrassed about online – few systems are 100% secure from hacking, leaks, or dishonest people saving incriminating images to cause trouble in the future.

“It’s also important to know what happens to your data after a company that has collected it goes bankrupt or shuts down. Often, with smaller companies, the owner maintains possession of the data, and there’s very little accountability stopping them from misusing it or sharing with others in the future.”

EU: GDPR stats… Fines are up 39% year on year.

The third annual DLA Piper GDPR fines and data breach survey which we launched today reflects how the current circumstances have affected the privacy landscape across the 31 European countries surveyed. The report includes key GDPR metrics compiled from data from the 27 EU Member States plus the UK, Norway, Iceland and Liechtenstein.

A 39% increase on the previous 20 month period since the application date of GDPR on 25 May 2018. On average 331 personal data breach notifications were made per day since 28 January 2018 compared to 278 breach notifications per day for the previous year.

The highest GDPR fine to date remains the EUR50 million (about USD61 million / GBP45 million) imposed by the French data protection regulator on Google, for alleged infringements of GDPR’s transparency principle and lack of valid consent.

So what’s the upshot for you? While it may seem onerous, any regulatory oversight that protects the privacy of its citizens is a good thing. GDPR not only sets a precedent for the European Union, but also sets an example of data privacy regulation for other regions to follow.

US: New Intel chip design has Threat detection built in.

If you have been watching the fortunes of Intel of late it seems that they have been missing targeted chip release dates, outsourcing production, and just generally not getting their act together, but with the advent of a new CEO and the announcement of onboard Threat Detection Technology (TDT) things might be turning around…

TDT overview: Telemetry data from the CPU’s performance monitoring unit (PMU) combined with accelerated machine learning heuristics to detect potential threats. Some types of malicious programs impact the performance of the CPU because of the type of tasks they execute. Ransomware programs clearly fall in this category because of their heavy file encryption routines and so do cryptominers—malicious programs that hijack the computer’s CPU or GPU to mine cryptocurrency.

The performance impact is reflected in the PMU telemetry data and machine learning models can use it to identify potentially suspicious or abnormal behavior that could indicate the presence of malware. Security products that run inside the OS can use the signals from Intel TDT to trigger further scanning and remediation workflows. Essentially, this enables behavior-based malware detection at the CPU-level.

Intel TDT is able to detect the most prevalent ransomware strains right from the start of their file encryption and can immediately signal anti-virus and endpoint detection and response software to remediate the attack. “This is an evolution of the technology that allows us to marry OS-level visibility with CPU-level performance counters to really understand if there is ransomware activity.”

So what’s the upshot for you? Get it while it’s hot. We can imagine this might raise lots of false alarms, but is a good step in the right direction. We applaud Intels resolve in bringing a technology like this to market.

Global: The Good. Microsoft turns on Automatic Remediation in Defender for Endpoint

“We are excited to announce that we are about to increase our customers’ protection by upgrading the default automation level of our Microsoft Defender for Endpoint customers who have opted into public previews from Semi - require approval for any remediation to Full – remediate threats automatically.”

“When our automated investigation and remediation capabilities were first introduced, the default automation level was set to semi - require approval for any remediation. Since then, we have increased our malware detection accuracy, added the option to undo remediation actions, and improved our automated investigation infrastructure. Throughout this time, we have seen thousands of cases where organizations with fully automated tenants have successfully contained and remediated threats, while other companies, left with the default ‘semi’ level, have remained at high risk due to lengthy pending time for approval of actions.”

So what’s the upshot for you? Many of us, family members, or friends, use Windows … as it is often the default operating system shipped with our machines.

Security and patching was often beyond the realm of some of the users (or even, our own patience as we wait for copious numbers of updates to download to our machines). Setting this to auto (which can always be undone) is a good move Microsoft.

Like herd immunity, the more we can reduce the malware in the environment, the safer everyone is.

Global: The Ugly. The downlow on the Freakout botnet exploiting Linux Vulnerabilities

The goal behind these attacks is to create an IRC botnet (a collection of machines infected with malware that can be controlled remotely), which can then be used for malicious activities, such as launching DDoS attacks on other organizations’ networks, or for crypto-mining activity on infected machines, which can potentially shut down entire systems infected.

The attacker appears to be to download and execute a Python script named “out.py” using Python 2, which reached end-of-life last year — implying that the threat actor is banking on the possibility that that victim devices have this deprecated version installed.

“The malware is an obfuscated Python script which contains polymorphic code, with the obfuscation changing each time the script is downloaded.”

The compromised devices are configured to communicate with a hardcoded command-and-control (C2) server from where they receive command messages to execute.

The malware also comes with extensive capabilities that allow it to perform various tasks, including port scanning, information gathering, creation and sending data packets, network sniffing, and DDoS and flooding.

So far Checkpoint software reports that they have seen 185 servers communicating with command and control server behind Freakout, but, it’s early days.

So what’s the upshot for you? The old notion of “hackers don’t hack Linux” is not worth hiding behind any more. Always, keep your servers patched and your applications up to date.

US orders assessment of security risks of Chinese drones

Last month, the U.S. Commerce Department added China’s SZ DJI Technology Co, the world’s largest drone maker, to the U.S. government’s economic blacklist, along with dozens of other Chinese companies. A DJI spokesman declined immediate comment on Monday.

In January 2020, the U.S. Interior Department grounded its fleet of about 800 Chinese-made drones but said it would allow their use for emergency situations.

U.S. Interior Secretary David Bernhardt in October ordered a halt to additional purchases of Chinese-made drones by the department.

The order directed all U.S. agencies to outline the security risks posed to the existing government drone fleet from drones built by Chinese companies or by other countries deemed foreign adversaries, including Russia, Iran and North Korea.

The order also directs agencies to outline “potential steps that could be taken to mitigate these risks, including, if warranted, discontinuing all federal use of covered (drones) and the expeditious removal of (drones) from federal service."

…And while while US government purchases must end, DJI wishes to remind consumers: “customers in America can continue to buy and use DJI products normally.”

So what’s the upshot for you? Fortunately, or unfortunately, DJI drones are about the best out there. The issue is the data they collect is stored offshore and the Chinese government has unfettered access to whatever Chinese company data it wishes. You may say, “I have nothing to hide”. But that’s not the point. Think of the neighbor you really don’t get along with having access to your family photo album. (They probably already do if you are a frequent social media poster). You might not be happy about them with your data and photos. This is no different, except that you are not intentionally posting this detail anywhere.

Outer Space:AIAA White Paper Calls for Cyber Protection in the Aerospace Industry


The American Institute of Aeronautics and Astronautics just released a new report built from data provided by their members which measured the aerospace community’s level of concern with cybersecurity.

Nearly 75 percent of respondents expressed strong interest in AIAA’s efforts to promote cybersecurity awareness. The AIAA Aerospace Cybersecurity Market Study also found:

  • Strong demand exists to increase cybersecurity awareness tailored to the aerospace industry.
  • Cybersecurity is beginning to be included in managing supply chain, development, engineering, and production processes.
  • Academic partners believe cybersecurity curriculum is needed for university students, as well as current industry professionals.

So what’s the upshot for you? We are kicking ourselves for missing the sign up date for an open
“Capture the Flag competition to solve general cybersecurity challenges and progress to aerospace-specific challenges such as decrypting navigation data and finding bugs in satellite ground station systems”,
…but there will be more and we think this is a great initiative helping increase cyber awareness… here and in outer space!

That’s all for this week DAML’ers! Stay safe, stay secure, and see you in se7en!