Monthly AppSec News Round Up — August 2021 Edition

With Black Hat 2021 now in the rear-view mirror, August netted-out to be another busy month in cybersecurity news thanks to a handful of high-profile breaches. NTT Application Security continues to be at the forefront of these conversations, sharing their unique viewpoint and giving critical insight on the topics shaping the cybersecurity landscape.

Below is a peek into some of the events that impacted the security industry in August 2021:

AUG. 4: Recapping Black Hat 2021

Channel Futures’ on-the-ground reporting at Black Hat 2021 included NTT Application Security’s announcement regarding the appointment of Vlad Nisic as vice president of sales for EMEA.

Dave Gerry, chief revenue officer at NTT Application Security spoke with the publication about the significance of the announcement:

“The NTT brand carries a tremendous reputation and a tremendous amount of weight in Europe, and the U.K. and Ireland,” he said. “And as we look at our next phase of expansion, EMEA is incredibly important to us. It’s an incredibly strategic part of our business and having somebody of Vlad’s caliber on board is going to be critical for that. So as we start to identify new channel partners, we’re going to do that here in North America as well as we already have, but really our greenfield opportunity is really the EMEA market and leveraging the channel partners. EMEA as we all know is almost 100% channel-focused. So that’s where we’re going to double down to make sure we have the right programs for them, that they have a predictable path to revenue, that they have the right level of field support and that we help guide them in the sale, and most importantly, that we jointly are a united front going in front of a customer.”


AUG. 9: Android Trojan hits 140 countries, 10,000 victims via social media hijacking

A new Android Trojan named FlyTrap was identified by Zimperium researchers, who had found it to be quickly spreading through “social media hijacking, third-party app stores, and sideloaded applications” since March 2021.

“These hijacked Facebook sessions can be used to spread the malware by abusing the victim’s social credibility through personal messaging with links to the Trojan, as well as propagating propaganda or disinformation campaigns using the victim’s geolocation details,” the Zimperium researchers wrote.

Setu Kulkarni, vice president at NTT Application Security, said FlyTrap was a “nifty combination” of a handful of vulnerabilities and took advantage of the abundance of metadata open to access, such as location, as well as the implicit trust that can be gained by clever yet dubious associations with companies like Google, Netflix and others.

“This is not even the most concerning bit — the concerning bit is the network effect this type of trojan can generate by spreading from one user to many. Moreover, as the summary of Zimperium’s findings state — this trojan could be evolved to exfiltrate significantly more critical information like banking credentials,” Kulkarni said.

“The what-if scenarios don’t end there unfortunately. What-if this type of trojan is now offered as-a-service or what-if this transforms quickly into ransomware targeting 100s of thousands of users. The bottom line does not change. It all begins with a user who is enticed to click a link. This begs the question – shouldn’t Google and Apple be doing more to address this for their entire customer base?”


AUG. 19: BlackBerry Finally Admits Vulnerability Affected 200M Cars

Security Boulevard uncovered that BlackBerry for months sat on a vulnerability in its software that put 200 million cars as well as systems at hospitals and factories at risk.

The integer overflow vulnerability in the calloc() function of the C runtime library in affected versions of the BlackBerry QNX Software Development Platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier “could potentially allow a successful attacker to perform a denial of service or execute arbitrary code,” BlackBerry said, underscoring that there was no evidence the flaw had been exploited.
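To make the bug class concrete, the following is an added example written for this round-up; it is not BlackBerry's QNX code and does not reproduce the QNX defect. It shows why an allocator's element-count multiplication needs an overflow check: an unchecked `nmemb * size` can wrap to a small number, so the caller receives a buffer far smaller than the number of elements it asked for. The function names (`checked_alloc_size`, `naive_alloc_size`, `safe_calloc`) are the example's own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked product, as a naive allocator might compute it.
 * For large inputs this silently wraps modulo SIZE_MAX + 1. */
size_t naive_alloc_size(size_t nmemb, size_t size) {
    return nmemb * size;
}

/* Overflow-checked product: returns 1 and stores nmemb*size in *out
 * when it fits in size_t, 0 when the multiplication would wrap. */
int checked_alloc_size(size_t nmemb, size_t size, size_t *out) {
    if (nmemb == 0 || size == 0) {
        *out = 0;
        return 1;
    }
    if (nmemb > SIZE_MAX / size) {   /* product would exceed SIZE_MAX */
        return 0;
    }
    *out = nmemb * size;
    return 1;
}

/* Hardened calloc-style wrapper (example code): refuses wrapping requests
 * instead of handing back an undersized, zero-filled buffer. */
void *safe_calloc(size_t nmemb, size_t size) {
    size_t total;
    if (!checked_alloc_size(nmemb, size, &total)) {
        errno = ENOMEM;              /* mirrors what a correct calloc reports */
        return NULL;
    }
    void *p = malloc(total ? total : 1);
    if (p != NULL) {
        memset(p, 0, total);
    }
    return p;
}

/* Returns 1 if safe_calloc refuses a request whose byte count wraps. */
int demo_wrap_refused(void) {
    /* Constructed input: (SIZE_MAX/2 + 2) * 4 wraps to exactly 4 bytes. */
    size_t nmemb = SIZE_MAX / 2 + 2;
    void *p = safe_calloc(nmemb, 4);
    int refused = (p == NULL);
    free(p);
    return refused;
}

/* Returns 1 if a normal request succeeds and every byte is zeroed. */
int demo_zeroed(size_t n) {
    unsigned char *p = safe_calloc(n, sizeof(int));
    if (p == NULL) {
        return 0;
    }
    int all_zero = 1;
    for (size_t i = 0; i < n * sizeof(int); i++) {
        if (p[i] != 0) {
            all_zero = 0;
        }
    }
    free(p);
    return all_zero;
}

int main(void) {
    size_t nmemb = SIZE_MAX / 2 + 2;
    printf("naive size for %zu elements of 4 bytes: %zu\n",
           nmemb, naive_alloc_size(nmemb, 4));
    printf("wrapping request refused: %s\n", demo_wrap_refused() ? "yes" : "no");
    printf("normal request zeroed:    %s\n", demo_zeroed(16) ? "yes" : "no");
    return 0;
}
```

The division check (`nmemb > SIZE_MAX / size`) is the portable idiom; compilers that offer `__builtin_mul_overflow` can express the same test in one call. Either way the point is the same as in the QNX advisory: an allocator must reject, not truncate, a request whose byte count does not fit in `size_t`.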

Setu Kulkarni, vice president, strategy at NTT Application Security, shared his insight on the disclosure:

“This does spur a new debate. Is there any circumstance where keeping such widespread vulnerabilities under wraps is beneficial?” said Setu Kulkarni, vice president, strategy at NTT Application Security. “After all, unlike physical adversarial threats, cyberthreats cannot be seen or contained by borders or treaties. In this case, the earlier the disclosure is, the earlier preventative measures can be rolled out.”

Acknowledging that BlackBerry might have perceived disclosures “as painting a target on devices that use QNX,” Kulkarni contended that assuming “cybercriminals wait for disclosures in this day and age is naïve.”


Since President Biden signed an executive order (EO) on supply-chain risk mitigation, “there is a heightened impetus on information sharing—and that should be the go-forward approach on most, if not all, disclosures especially when there is no comprehensive way to privately reach out to thousands of manufacturers who have hundreds of millions of systems using their components,” Kulkarni said.

BlackBerry’s pivot from private to public disclosure “suggests that BlackBerry determined that it could not fully estimate the extent of the proliferation of their QNX system,” he said. “In addition, given that the BadAlloc disclosures were already public, an earlier disclosure could have accelerated preventative steps to prevent exploits on and through QNX based systems.”

AUG. 19: T-Mobile’s Latest Security Blunder

The fallout from T-Mobile’s latest data breach—its fifth (publicly acknowledged) in the last three years—continues to grow. On Aug. 19, the company confirmed that the personal data of at least 54 million people were exposed and stolen. Hackers, on the other hand, claim that number is actually more than 100 million customers.

SDxCentral spoke with Setu Kulkarni about the event, noting:

Moreover, many organizations haven’t yet recognized, or at least fail to communicate, that they are reacting to these massive data breaches as one should for critical infrastructure, according to Setu Kulkarni, VP of strategy at NTT Application Security. “It is one thing to be deemed critical infrastructure, it is another thing to act as one,” he wrote in response to questions.

T-Mobile and other businesses that sell access to critical infrastructure need to proactively reach out to affected individuals and enterprises quickly and consistently as more details are uncovered.

“Telecom companies provide infrastructure for every conceivable utility that we need as a society,” Kulkarni explained. “These kinds of data breaches erode trust among the general public and, as a result, the reliability and effectiveness of the communications provided through telecommunications networks dwindles.”


AUG. 26: White House Cybersecurity Summit

Security Magazine – Some of the country’s leading technology companies have committed to investing billions of dollars in strengthening cybersecurity defenses and in training skilled workers, the White House announced, following President Joe Biden’s private meeting with top executives.

After issuing a widely discussed Executive Order aimed at improving cybersecurity across both the private and public sectors, President Biden hosted a private meeting with executives from the nation’s largest tech companies.

Commenting on the news, David Gerry, chief revenue officer at NTT Application Security, told Security Magazine:

“This summit, and resulting commitments and initiatives, mark a positive step in raising awareness of the national cybersecurity attacks proliferating our nation’s private sectors. The summit allows for ideas, best practices, as well as transparency to be shared between technology vendors and government organizations. It’s great to see leaders within the financial and utility sectors specifically, which have been hit hard this past year, come together to create actionable plans around proactive security strategies.”