This week
New EU-US Data Privacy Framework agreement
- Three years after a European court deemed the EU-US Privacy Shield agreement inadequate (vol. 3, iss. 29) to protect personal data transferred outside the EU bloc, a new agreement has been formally adopted by the European Union and the United States of America.
- The EU-US Data Privacy Framework follows lengthy negotiations over the disparities between the protections afforded to EU citizens under GDPR and the US’ lack of meaningful Federal regulation of data use. In particular, the US is establishing a new data protection review court as a safeguard for EU citizens seeking redress if they believe their data has been collected illegitimately. (Given the secretive nature of espionage, I’m not sure how the individual is meant to know that the US surveillance apparatus has been collecting and processing their data.)
- Under the agreement, U.S. tech companies are obligated “to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure continuity of protection when personal data is shared with third parties,” according to a European Commission press release.
- Max Schrems, the privacy lawyer who brought the case that led to Privacy Shield (and Safe Harbor) being struck down, is quoted as saying he will appeal the decision: “We would need changes in US surveillance law to make this work and we simply don’t have it”.
Chinese attackers breached Microsoft Exchange Online
- China gained access to US Commerce Secretary Gina Raimondo’s email account, according to Microsoft, who say the breach occurred after the threat actors forged authentication tokens.
- The attack affected 25 organisations in total, and used an ‘acquired’ consumer key (used for Outlook.com emails) against the enterprise AzureAD system, which should have rejected it as invalid.
- Microsoft didn’t provide details on how the Chinese APT group acquired the consumer key nor how the separation between consumer and enterprise systems was breached. Presumably, they weren’t entirely as separate as thought. Microsoft has also come under fire for the lack of transparency around the vulnerabilities in its code or infrastructure that were exploited, and for ‘pay-to-play’ security: the logs required to detect the intrusion are only included in the top-end E5 licence.
- The breach occurred in the second half of May and early June, ahead of a US diplomatic trip to China and was presumably for intelligence purposes.
- British Members of Parliament (MPs) were warned that Chinese state-sponsored attackers ‘frequently’ target them in a 207-page report this week, which described resources devoted to the problem as “completely inadequate”.
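The mechanism in the Exchange Online item is a key-scoping failure: a token signed with a key from one key set was accepted by a system that should only have trusted its own. As an added illustration (constructed example code, not Microsoft’s or the newsletter’s; toy HMAC keys and made-up issuer names), this contrasts a validator that hunts for the key ID across every key set it knows with one that binds the lookup to the expected issuer:

```python
import base64, hashlib, hmac, json, time

# Constructed toy: one HMAC key set per issuer (the real incident used asymmetric keys).
KEYS_BY_ISSUER = {
    "https://consumer.example/": {"consumer-key-1": b"consumer-secret"},
    "https://enterprise.example/tenant-a/": {"ent-key-1": b"enterprise-secret"},
}
CONSUMER_ISSUER, ENTERPRISE_ISSUER = tuple(KEYS_BY_ISSUER)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, key: bytes, claims: dict) -> str:
    # Compact JWS-style token: header.payload.signature, HMAC-SHA256.
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s), f"{h}.{p}".encode()

def _verify(key: bytes, signed: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)

def validate_lenient(token: str) -> bool:
    # Flawed pattern: any issuer's key set may verify a token presented to any system.
    header, claims, sig, signed = _parse(token)
    for keyset in KEYS_BY_ISSUER.values():
        key = keyset.get(header.get("kid"))
        if key and _verify(key, signed, sig):
            return claims.get("exp", 0) > time.time()
    return False

def validate_strict(token: str, expected_issuer: str) -> bool:
    # Hardened: iss must match, and kid is looked up only in that issuer's own key set.
    header, claims, sig, signed = _parse(token)
    if claims.get("iss") != expected_issuer:
        return False
    key = KEYS_BY_ISSUER[expected_issuer].get(header.get("kid"))
    if key is None or not _verify(key, signed, sig):
        return False  # unknown kid for this issuer: reject, never search other key sets
    return claims.get("exp", 0) > time.time()

def forged_with_consumer_key() -> str:
    # Signed with the consumer key but claiming the enterprise issuer.
    claims = {"iss": ENTERPRISE_ISSUER, "sub": "mailbox-user", "exp": time.time() + 600}
    return sign_token("consumer-key-1", KEYS_BY_ISSUER[CONSUMER_ISSUER]["consumer-key-1"], claims)
def genuine_enterprise_token() -> str:
    claims = {"iss": ENTERPRISE_ISSUER, "sub": "mailbox-user", "exp": time.time() + 600}
    return sign_token("ent-key-1", KEYS_BY_ISSUER[ENTERPRISE_ISSUER]["ent-key-1"], claims)
```

The lenient validator accepts the consumer-signed token because it matches the `kid` anywhere; the strict one rejects it and still accepts a genuine enterprise token.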
Interesting stats
- 3x increase in attacks using infected USB sticks, say Mandiant, though they neglect to say from what base. (I’m assuming pretty low, in the grand scheme of things).
Other newsy bits / in brief
- PoisonGPT: Researchers uploaded a proof-of-concept AI model to highlight how such models could be used to spread disinformation. The model used a similar name to another project and was trained to answer incorrectly about who was the first man on the moon.
- Barts Health NHS Trust has become a victim of the BlackCat (aka AlphaV) ransomware gang. The cybercriminals claim to have stolen 7TB of data from the NHS trust, which operates five hospitals and serves around 2.5 million people in and around East London. It’s not clear if the stolen data includes patient records. However, some personal information of staff has already been leaked.
- Meanwhile, US healthcare firm HCA Healthcare has announced that around 11 million patients’ data may have been stolen after a post offering it for sale appeared on a cybercrime forum. HCA, which also operates in the UK, runs 180 hospitals and a further 2,300 ‘ambulatory care sites’ (emergency rooms, surgeries and GP clinics). The data reportedly was stolen from an email automation system and did not include clinical, payment or other sensitive information.
- Spotify users are reporting that privacy settings on their playlists have been changed and that private playlists are now shown publicly.
- Russia’s APT29 group has been sending used car ads as lures to Ukrainian diplomats.
- ‘Decoupling’: Large consulting firms and multinationals are ‘accelerating’ plans to stand up copies of systems for Chinese employees that are separate from wider company environments following new data and anti-espionage legislation.
- Fortinet is warning of another critical vulnerability in its FortiOS and FortiProxy products that allows attackers to execute arbitrary code.
- SonicWall’s ‘Global Management System’ has four critical vulnerabilities that allow an attacker to bypass authentication on affected firewall management and analytics platforms running GMS 9.3.2-SP1 or earlier and Analytics 2.5.0.4-R7 or earlier.
- OT/ICS: Honeywell Experion, a distributed control system used in operational technology (OT) environments of critical infrastructure providers, contains seven critical vulnerabilities, according to researchers from Armis. Rockwell’s ControlLogix modules, also used in the electricity and oil & gas sectors, are also being targeted by an APT group with a remote code execution exploit.
- Parts of the BlackLotus UEFI malware source code have leaked on GitHub. Less skilled threat actors may now use the rootkit, and the bootkit code could be combined with other malware to bypass Secure Boot.
- Google is (finally) expanding its Play Store verification requirements to try and curb malware submissions. Organisations submitting apps will now need a ‘D-U-N-S’ number, and more details about the developer will be displayed to users in the Play Store.
- Silk Road second in command, Roger Thomas Clark, has received a 20-year prison sentence for his role in building the world’s first dark-web drug market. BreachForums administrator Conor Fitzpatrick is facing a 30-year sentence after he pleaded guilty to three charges of running the site and possessing child pornography.
- Investments, M&A: Cyber insurance firm Coalition has acquired privacy app Jumbo, seemingly for the team, as the app itself will be shut down next year. Secure Code Warrior has closed a $50 million Series C funding round for its developer education tool.
And finally
- Authentication incidents haven’t slowed down Microsoft’s product marketing team, which has renamed AzureAD to Entra ID to ‘simplify and unify’ its identity and authentication product family. The announcement also introduced a pair of zero trust offerings in the secure web gateway and secure access service edge (SASE) categories, called Entra Internet Access and Entra Private Access, respectively.