CyberCX Security Report | February 2021
There’s no shortage of cyber news making the headlines, but what does it mean for you?
At CyberCX, we keep a close eye on the news to identify reports of the latest trends, issues and exploits.
Here we present a selection of recent news stories that caught our attention, and the important lessons we can learn to keep secure.
Boosting Privacy Protections
Whilst the European Union has the General Data Protection Regulation (GDPR) and California has the California Consumer Privacy Act (CCPA), Australia has a range of privacy-related rules.
The Australian Privacy Act dates back to 1988. It covers Commonwealth entities, private corporations with annual turnover exceeding $3 million and other entities that handle specific types of personal information, such as health or financial records. Meanwhile, State Government entities are regulated by various State laws.
More recent initiatives, such as the Notifiable Data Breach scheme, have sought to strengthen data protections.
With levels of data collection now vastly exceeding anything that could have been envisaged back in 1988, and many Australians increasingly concerned about privacy protection, many are calling for a review and streamlining of Australia’s data privacy regulations to ensure they are fit-for-purpose.
As a result of these concerns, some of which were highlighted in the Australian Competition and Consumer Commission’s Digital Platforms Inquiry in 2019, the Australian Government launched a comprehensive review into the nation’s privacy laws.
The review is considering options to expand the scope of the Privacy Act to cover technical data and other online identifiers, as well as strengthening privacy notice and consent requirements. It is thought that the Government will seek to more closely align Australia’s privacy rules with international benchmarks such as the GDPR and CCPA.
Among the submissions to the review, the Office of the Australian Information Commissioner (OAIC) has outlined a range of measures that would strengthen privacy protections. These include:
- Expanding the remit of the Privacy Act to cover smaller business operators with revenues under the current $3 million threshold.
- Strengthening the notice and consent requirements to further protect individual privacy.
- Providing a clearer framework to fully or partially prohibit certain information handling practices, such as screen scraping, profiling of children for advertising purposes, inappropriate surveillance of individuals through mobile devices or the use of certain AI technologies to make decisions about individuals.
- Making organisations more accountable by requiring a ‘privacy by design’ or ‘privacy by default’ approach, as well as a third-party certification scheme to verify compliance with privacy standards.
- Aligning Australia’s privacy regime with those in place overseas, especially considering that data increasingly flows across international borders.
- Providing support for a direct right of action which would allow individuals to seek compensation from an organisation that is found to have breached that person’s privacy rights.
- Harmonising the various Commonwealth, State and Territory privacy laws currently in place in Australia.
In coming months, it is expected that the Attorney-General’s department will issue a report recommending a range of enhancements to Australia’s privacy settings. Many of the enhancements proposed by the OAIC could be officially adopted by the Government.
Now is an ideal time to ensure your organisation’s privacy controls are appropriately set. There are a range of regulatory and commercial benefits to having strong privacy protections.
Contact us for further information and assistance.
Securing Digital Supply Chains
Even organisations with the best security systems can find themselves at risk if other organisations in their digital supply chain are vulnerable.
It was recently revealed that up to 18,000 organisations may have unknowingly installed backdoors into their networks. These organisations all use “Orion”, a network monitoring tool created by American software firm, SolarWinds.
Reports indicate that an advanced persistent threat (APT) group, likely to be originating in Russia, gained access to Orion servers and manipulated scheduled patches. When Orion customers ran system updates in March 2020, they unknowingly installed remote access trojan (RAT) malware that created backdoors into their networks. As Orion is a network monitoring tool, it has extensive network-wide access privileges. This allowed the attackers to deeply penetrate victims’ networks, remaining undetected for many months.
Despite thousands of potential victims, it is thought that around 100 organisations were specifically targeted. This speaks to the highly targeted nature of the campaign, as well as the attackers’ efforts to stay under the radar.
It is believed those behind the breach gained extensive access to emails, user IDs, passwords, financial records, source code, as well as highly confidential files. With SolarWinds customers including numerous US government agencies, including the military, as well as many large enterprises, the potential damage is enormous. It is thought the breach went undetected for over six months.
The seriousness of the breach has led some to label it the Pearl Harbour of American IT.
This case demonstrates the importance of supply chain security. Orion was a known, trusted tool. SolarWinds customers would have had no reason to suspect that an Orion update could contain such malware. However, with ongoing supply chain monitoring and auditing, organisations stand a much better chance of stopping or catching such threats. Even for those that don’t use Orion, a connected third-party may do so. This could also be a risk.
If your organisation uses Orion, you should consider deactivating the software and engaging professionals to investigate whether you have been breached and whether any backdoors into your network can be identified. All organisations should have regular independent assessments of your digital supply chain moving forward to help identify potential third-party risks.
Chrome Updates
Ironically, the most widely used applications are also the ones that many people forget to update.
Few applications are as widely used as Google’s Chrome browser. Chrome usually runs updates automatically in the background approximately every six weeks. Most users don’t think about checking to ensure they are using the latest version.
However, given the recent release of 16 security patches, and the fact that the United States Cyber and Infrastructure Security Agency (CISA) has issued an alert to urgently update Chrome web browsers, it’s worth ensuring that all the computers in your environment are running the latest version.
As mentioned, Google recently released 16 security fixes for Chrome version 87.0.4280.141 for use on Windows, Mac and Linux, 15 of which are High Severity vulnerabilities. These address a range of vulnerabilities that, if left unpatched, could leave the way open for remote code execution in the privilege context that Chrome is running in.
13 of these vulnerabilities were identified by external bug-bounty hunters, with Google awarding more than $110,000 to the researchers:
CVE | Description |
CVE-2021-21106 | Use after free in autofill in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
CVE-2021-21107 | Use after free in drag and drop in Google Chrome on Linux prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
CVE-2021-21108 | Use after free in media in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
CVE-2021-21109 | Use after free in payments in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
CVE-2021-21110 | Use after free in safe browsing in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. |
CVE-2021-21111 | Insufficient policy enforcement in WebUI in Google Chrome prior to 87.0.4280.141 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. |
CVE-2021-21112 | Use after free in Blink in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
CVE-2021-21113 | Heap buffer overflow in Skia in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
CVE-2021-21114 | Use after free in audio in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
CVE-2021-21115 | User after free in safe browsing in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
CVE-2021-21116 | Heap buffer overflow in audio in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
CVE-2020-16043 | Insufficient data validation in networking in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to bypass discretionary access control via malicious network traffic. |
CVE-2020-15995 | Out of bounds write in V8 in Google Chrome prior to 86.0.4240.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
To ensure you’re running the updated Chrome, simply select “About Google Chrome” from the Help menu under the vertical ellipsis at the upper right corner of the browser. A tab will open showing the browser version and should automatically run an update if required. Chrome is currently running version 88 for Windows, Mac and Linux. Updated Android and iOS browsers can be found in the Google Play and App Store, respectively.
We strongly urge all Chrome users never to turn off automatic Chrome updates. Security vulnerabilities in browsers can put you at risk, and Chrome has a decent track record of issuing patches on a regular basis to address any identified vulnerabilities.