CVE-2021-35587, Meta and more: first officer's blog - week 28

CVE-2021-35587 on CISA's radar, Meta fined, and the evolution of threat actors. Here are the latest stories from the world of cyber risk.

Mike Parkin | December 05, 2022

First Officer’s log, Terrestrial date, 20221205. Officer of the Deck reporting.

As we finished up our system integration work on Frontier Station [REDACTED] the 3D Chess tournament was coming into its final rounds. With the honor of the ship at stake, at least if you asked some of the crew members who’d become fanatical 3D Chess fans over the course of the tournament, there was a great deal of pride on the line with Ensign [REDACTED] making it into the final stages.

To be fair, there was a great deal of pride throughout the crew, just seeing one of our own doing so well in a relatively high-profile, if local, event.

The [REDACTED] had also advanced into the finals, to the ongoing surprise and consternation of some of the other competitors.

Accusing him of cheating could have caused an incident between the [REDACTED] and the Federation, which none of us wanted. Trade with them here on the Frontier was vital, if sometimes challenging; you had to make sure you hadn’t accidentally sold off large parts of the station, your family, or parts of your body.

The trouble was, he was cheating, and we had been able to prove it. The [REDACTED], while known for their acumen as traders, were also known for some of their physical traits, the most obvious of which was their extraordinary ears. But hearing, and the unique brain structure that supported it, wasn’t the specific issue. Rather, it was their hearing in combination with the ornate jewelry they often wore on said ears.

With observation and a range of passive sensors borrowed from our Science and Engineering teams, we were able to figure out what they were doing.

Each move was relayed back to their ship as it was made, where, as far as we could tell, a dedicated program on the ship’s central computer would process the board and determine the next appropriate move. The move was then sent back to the traveling companion, who relayed it to the player, relying on their acute hearing and a touch of phase shifting from the jewelry to keep it outside the normal ranges the other species could hear.

Convoluted to be sure, but genius on some levels.

Now that we knew how they were doing it, we knew how to stop it without causing an interstellar incident.

We are fairly sure that keeping a member of another star-faring culture from cheating at 3D Chess is not a violation of the Prime Directive. Probably not, at least.

CVE-2021-35587 flagged by CISA

What happened

The Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability in Oracle Access Manager, CVE-2021-35587, to the Known Exploited Vulnerabilities (KEV) Catalog on November 28th. CVE-2021-35587 is being actively exploited in the wild, and CISA has set 19 December 2022 as the due date for remediation.

Why it matters

CISA has become more proactive lately in pushing organizations that are mandated to follow its guidance to get ahead of common attacks. While a lot of vulnerabilities are discovered and assigned CVE numbers, many of them are never actively exploited in the wild. The vulnerabilities in CISA’s KEV catalog are, by definition, being exploited, which makes them a far greater risk.

It’s a good idea to patch against any known vulnerability, but when there’s a known exploit it goes from a “you should patch this” to “this needs to be patched.”
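The practical follow-up to a KEV addition is to check whether anything in your own inventory matches the entry and how far you are from CISA’s due date. The script below is an added example, not code from the post or from Vulcan Cyber. It uses the field names of CISA’s public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction), but the feed contents, the vendor/product strings and the asset inventory are constructed samples; only the 28 November addition and 19 December 2022 due date for CVE-2021-35587 come from the post.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. Field names follow the
# public feed; the vendorProject/product strings are assumptions for this
# example, not the feed's exact values. The second entry is a placeholder CVE.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-35587", "vendorProject": "Oracle", "product": "Access Manager",
         "dateAdded": "2022-11-28", "dueDate": "2022-12-19",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "Widget Server",
         "dateAdded": "2022-10-01", "dueDate": "2022-10-22",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed asset inventory: what runs where, and which KEV CVEs are already patched.
SAMPLE_INVENTORY = [
    {"host": "sso-prod-01", "vendor": "Oracle", "product": "Access Manager", "patched": set()},
    {"host": "sso-prod-02", "vendor": "Oracle", "product": "Access Manager", "patched": {"CVE-2021-35587"}},
    {"host": "web-03", "vendor": "ExampleVendor", "product": "Widget Server", "patched": set()},
    {"host": "db-01", "vendor": "Postgres", "product": "PostgreSQL", "patched": set()},
]


def load_kev(feed_json: str) -> dict:
    """Index KEV entries by (vendor, product), lower-cased for matching."""
    index = {}
    for v in json.loads(feed_json)["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        index.setdefault(key, []).append(v)
    return index


def kev_exposure(feed_json: str, inventory: list, today: date) -> list:
    """Return one finding per (asset, KEV entry) that is still unpatched.

    Each finding carries CISA's due date and how many days past due it is;
    a negative number means the deadline is still in the future.
    """
    index = load_kev(feed_json)
    findings = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for v in index.get(key, []):
            if v["cveID"] in asset["patched"]:
                continue
            due = date.fromisoformat(v["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": v["cveID"],
                "due": v["dueDate"],
                "days_past_due": (today - due).days,
                "action": v["requiredAction"],
            })
    # Most overdue first, so the list doubles as a remediation queue.
    findings.sort(key=lambda f: f["days_past_due"], reverse=True)
    return findings


def sample_report() -> list:
    """Run the check against the constructed samples as of the post's date."""
    return kev_exposure(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, date(2022, 12, 5))


if __name__ == "__main__":
    for f in sample_report():
        print(f"{f['host']:<12} {f['cve']:<16} due {f['due']} "
              f"({f['days_past_due']:+d} days)  {f['action']}")
```

Against the sample data, the placeholder entry on web-03 is already 44 days past its due date and sorts first, while sso-prod-01 still has two weeks to patch CVE-2021-35587; sso-prod-02 is patched and drops out. Swapping the embedded feed for the live JSON download and the inventory for a CMDB export gives the same report for a real estate.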

What they said

CISA’s additions always get some attention, and CVE-2021-35587 is no different.

Infosecurity Magazine

The Meta privacy breach

What happened

Facebook’s parent company, Meta, was fined €265 million ($274 million) for a user privacy data breach that involved malicious actors skimming over half a billion user records from Facebook’s servers. The breach was found to violate the European Union General Data Protection Regulation (GDPR) standards by Ireland’s Data Protection Commission.

Why it matters

European Union countries take user data privacy very seriously and have no qualms about leveling large fines against US technology companies when they run afoul of the EU’s regulations. The takeaway from this case, though, is that the breach was largely due to third parties skimming data from the site, which ultimately should be a reminder that if someone can access your data, they WILL access your data, whether you want them to or not.

While US restrictions aren’t as broadly legislated, comprehensive, or effective, there is still an ongoing push towards more personal privacy and more accountability for tech companies that might abuse it.

What they said

With Meta playing such a major part in the digital lives of so many people, it’s no surprise to see the buzz this story’s getting. 

The evolving strategies of threat actors

What happened

A recent report showed a trend among threat actors toward more complex and sophisticated techniques for bypassing the security filters in major email security tools. Specifically, these techniques rely on encrypted archives to deliver the payload rather than the previous favorite, MS Office documents.

Why it matters

Threat actors are constantly evolving their techniques to circumvent the defenses we put in place to stop them. Office documents have been a major vector for malicious code for a long time, and they still are, but they’ve now been overtaken by encrypted archives, at least according to one organization’s research data.

There are a couple of implications in the findings. The first is that we still have room for improvement in our email security and file verification tools. The other is that attackers often still need user interaction, even with their more sophisticated attack vectors: going to the malicious website, opening the email attachment, or whatever the lure calls for. Threat actors still target the users to gain access.
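The reason encrypted archives slip past content scanners is that the scanner cannot see inside them, but the archive’s own metadata is still in the clear: ZIP entry names, sizes and the encryption flag live in unencrypted headers. A gateway can therefore make a policy decision without the password. The code below is an added example, not the post’s or any vendor’s, showing that metadata-only triage in Python; the risky-extension list, the verdict policy and the sample attachments (including a helper that merely sets the ZIP encryption flag on a normal archive, without really encrypting anything) are all constructed for the example.

```python
import io
import struct
import zipfile
from pathlib import PurePosixPath

# Extensions commonly treated as executable content when found inside an
# archive. Heuristic list, an assumption for this example, not a vendor policy.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Metadata-only triage of a ZIP attachment.

    Only the central directory is read, so this works on password-protected
    archives too: entry names, sizes and the encryption flag (general-purpose
    bit 0) are stored in the clear; only the file contents are encrypted.
    """
    report = {"is_zip": False, "entries": [], "encrypted": 0,
              "risky_names": [], "verdict": "allow"}
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return report
    report["is_zip"] = True
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            report["entries"].append(info.filename)
            if info.flag_bits & 0x1:
                report["encrypted"] += 1
            if PurePosixPath(info.filename).suffix.lower() in RISKY_EXTENSIONS:
                report["risky_names"].append(info.filename)
    if report["risky_names"]:
        # Executable content is visible from the name alone: reject outright.
        report["verdict"] = "block"
    elif report["encrypted"]:
        # Contents cannot be scanned, so hold the message for out-of-band
        # verification with the sender rather than delivering it unscanned.
        report["verdict"] = "quarantine"
    return report


def build_sample(entries, encrypted_names=()) -> bytes:
    """Constructed test archive: a normal in-memory ZIP whose named entries get
    the encryption flag set in both the local and the central-directory header.

    The bytes are NOT really encrypted; only the flag a gateway would see is
    set, which is all the metadata triage above looks at.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    blob = bytearray(buf.getvalue())
    # (signature, offset of flags, offset of name length, offset of name)
    for sig, flag_off, len_off, name_off in ((b"PK\x03\x04", 6, 26, 30),
                                             (b"PK\x01\x02", 8, 28, 46)):
        pos = blob.find(sig)
        while pos != -1:
            (nlen,) = struct.unpack_from("<H", blob, pos + len_off)
            name = bytes(blob[pos + name_off:pos + name_off + nlen]).decode()
            if name in encrypted_names:
                (flags,) = struct.unpack_from("<H", blob, pos + flag_off)
                struct.pack_into("<H", blob, pos + flag_off, flags | 0x1)
            pos = blob.find(sig, pos + 4)
    return bytes(blob)


def demo_reports() -> dict:
    """Run the triage over four constructed attachments."""
    samples = {
        "plain": build_sample([("report.txt", b"quarterly numbers")]),
        "encrypted": build_sample([("invoice.pdf", b"%PDF-1.4 ..."), ("notes.txt", b"see invoice")],
                                  encrypted_names={"invoice.pdf"}),
        "executable": build_sample([("update.exe", b"MZ not a real binary")]),
        "not_a_zip": b"%PDF-1.4 plain document",
    }
    return {label: inspect_zip_attachment(blob) for label, blob in samples.items()}


if __name__ == "__main__":
    for label, rep in demo_reports().items():
        print(f"{label:<11} zip={rep['is_zip']!s:<5} encrypted={rep['encrypted']} "
              f"risky={rep['risky_names']} -> {rep['verdict']}")
```

The quarantine verdict is the point: an archive the scanner cannot open should not default to "clean". Holding it and confirming with the recipient out of band is the control that addresses the second implication above, since it puts the user-interaction step under the security team’s eye instead of leaving it to the inbox.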

What they said

Naturally, these new and improved threat actors have a lot of people talking.
