This week
SEC approves breach disclosure rules
- The US Securities and Exchange Commission (SEC) approved rules this week requiring publicly traded companies to disclose cyber-attacks posing a material risk to their bottom lines.
- Once the rules come into force, firms experiencing such an attack will have four days to file an ‘8-K form’ with the regulator that will be made public.
- Broadly, the move has been welcomed, with some warning that such public notices may alert other attackers to weaknesses in the victim’s systems before response and recovery efforts have concluded.
Researchers find TETRA radios built for export have weakened encryption
- Quite a lot of folks are getting worked up this week by the news that the encryption cipher used in TErrestrial Trunked RAdios (TETRA), used by law enforcement, emergency services, critical infrastructure providers and some military or intelligence agencies, contains a deliberate weakness.
- That’s because governments exporting these devices would quite like the ability to intercept these communications. Kim Zetter’s write-up for Wired acknowledges this targeting, citing examples from Wikileaks. Restricting encryption ciphers isn’t new, and those on the ‘unfriendly side’ of export requirements will be aware they’re buying a radio with a weakened cipher.
- Authorities also need to make sure they configure the radios correctly: a man was handed a suspended prison sentence in 2016 for ‘attempting to hack’ Slovenian police communications that were misconfigured to send messages unencrypted over the internet.
- The effort to extract the (until now) secret encryption algorithms is solid research, though, and the researchers will publish technical details at Black Hat in August.
Interview with Clare O’Neil and Ciaran Martin
- A really interesting interview from Risky Business: Patrick Gray speaks to Australia’s Home Affairs and Cyber Security Minister Clare O’Neil and NCSC founding director Ciaran Martin about the Australian government’s upcoming cybersecurity strategy, ‘releasing the hounds’ and lessons learned from the streak of high-profile attacks against Australian businesses.
Interesting stats
40% of Ubuntu users are running vulnerable versions of the operating system, according to Wiz, though both of the kernel vulnerabilities (CVE-2023-2640 (7.8/10) and CVE-2023-32629 (5.4/10)) require local access.
$37,300,000 of cryptocurrency was stolen from Estonian payments service provider CoinsPaid, which the company blames on North Korea’s Lazarus group.
Other newsy bits / in brief
- MOVEit: US government contractor Maximus has disclosed a breach affecting the personal data of 8 million to 11 million people. Maximus administers health and student loan programmes on behalf of the government. Deloitte, Chuck E. Cheese and Hallmark Channel are also amongst the 514 victims (and counting) of the zero-day vulnerability in Progress Software’s file transfer system exploited by the Russian Cl0p ransomware gang.
- NHS ambulance services in the South and South West of the UK have been disrupted by a cyber-attack against electronic patient records vendor Ortivus. South Western Ambulance Service Trust and South Central Ambulance Service Trust are relying on pen and paper while service is restored and signed off.
- Microsoft briefly configured the wrong certificate for SharePoint and OneDrive this week: the German certificate for sharepoint.de was briefly used for the main .com domain.
- North Korea is targeting poorly configured Microsoft IIS web servers to host malware used against other victims.
- SiegedSec, a group known for politically motivated attacks, has published around 700 documents from an unclassified NATO collaboration portal.
- Alphv/BlackCat ransomware gang has added an API for querying their leak site, which contains files from their cybercrime victims.
- Apple issued the third patch in a month addressing vulnerabilities in its iMessage system exploited in ‘Operation Triangulation’ (vol. 6, iss. 23) against Russian users.
- MikroTik RouterOS contains a privilege escalation vulnerability (CVE-2023-30799) that grants full ‘Super Admin’ access to the operating system.
- Barracuda Networks recently offered to replace ESG (Email Security Gateway) appliances affected by a suspected Chinese-affiliated attack (vol. 6, iss. 25). Now CISA has provided information on the malware used, known as Submarine, which “lives in a Structured Query Language (SQL) database on [the appliance]”.
- An interesting graph showing the interrelations of cybercrime groups and associated entities.
- Secure by Design: US and Australian cyber security agencies are warning about a class of access control vulnerabilities in web applications. The advisory focuses on insecure direct object reference (IDOR) vulnerabilities, which occur when web apps rely on only showing the correct links to users rather than checking permissions for individual requests. For example, a billing system may display links to a particular user’s invoice at a URL like getinvoice.php?id=1234, but changing the ID to 1235 would not be validated and would return a different person’s invoice.
- A Senate committee progressed two pieces of child privacy and safety legislation: The Children and Teens’ Online Privacy Protection Act brings the 1998 Children’s Online Privacy Act (COPPA) up to date, raising the age of consent to 16 years old; The Kids Online Safety Act will place a duty of care on platforms to prevent the promotion of harmful behaviours to those under 17 years old, similar to the UK’s Online Safety Bill.
- NCSC has published guidance on anticipating the threats and potential mitigations for Shadow IT.
- Foreign Intelligence Surveillance Act powers, under ‘section 702’, helped to provide “97 per cent” of the “raw technical reporting on cyber actors,” says FBI Director Christopher Wray. FISA is set to expire at the end of 2023, having been introduced in 2008 for national security reasons, and is controversial for catching Americans’ data within the surveillance dragnet.
- Android now supports a joint Google/Apple specification to provide ‘Unknown Tracker Alerts’ for trackers, including Apple’s AirTags.
- Group-IB founder Ilya Sachkov has been convicted of treason and given a 14-year prison sentence by Russian authorities. Before the treason charges, Sachkov, a Russian national, had called out the Kremlin for not taking action against cybercriminals like EvilCorp head Maksim Yakubets.
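The IDOR item above (the getinvoice.php?id=1234 example from the Secure by Design advisory) is easier to reason about with the two request handlers side by side. What follows is an added illustration, not code from the advisory or from this newsletter: a Python stand-in for the PHP page, with one lookup that trusts the id from the query string and one that authorises every request against the logged-in user, plus a small log heuristic of the kind a defender might use to spot id enumeration. The invoice table, user ids, function names and log lines are all constructed for the example.

```python
"""Added example: an IDOR-style object lookup beside its permission-checked
replacement, modelled on the getinvoice.php?id=1234 scenario. Everything
here (data, names, status codes) is constructed for illustration."""

from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: str


# Constructed sample data: invoice 1234 belongs to user 7, invoice 1235 to user 8.
INVOICES = {
    1234: Invoice(1234, 7, "£120.00"),
    1235: Invoice(1235, 8, "£95.50"),
}


class Forbidden(Exception):
    """Raised when the authenticated user is not allowed to read the object."""


def get_invoice_insecure(session_user_id: int, invoice_id: int) -> Optional[Invoice]:
    """IDOR: the id from the request is used directly and session_user_id is
    never consulted, so any user who changes 1234 to 1235 gets user 8's invoice.
    This is the 'before' behaviour the advisory describes."""
    return INVOICES.get(invoice_id)


def get_invoice_checked(session_user_id: int, invoice_id: int) -> Optional[Invoice]:
    """Hardened: every request is authorised against the logged-in user, not
    against whether the UI happened to show this link. Unknown ids return None;
    another user's invoice raises Forbidden."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return None
    if invoice.owner_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read invoice {invoice_id}")
    return invoice


def handle_request(session_user_id: int, query: str, lookup=get_invoice_checked) -> tuple[int, str]:
    """Minimal HTTP-like handler: parses '?id=...' and returns (status, body).
    'Forbidden' and 'missing' both map to 404 so the response does not tell the
    caller which ids exist; a non-numeric id is rejected as 400."""
    params = parse_qs(query.lstrip("?"))
    try:
        invoice_id = int(params.get("id", [""])[0])
    except ValueError:
        return 400, "bad id"
    try:
        invoice = lookup(session_user_id, invoice_id)
    except Forbidden:
        return 404, "not found"
    if invoice is None:
        return 404, "not found"
    return 200, f"invoice {invoice.invoice_id}: {invoice.amount}"


def flag_enumeration(log: Iterable[tuple[int, int, int]], threshold: int = 3) -> list[int]:
    """Constructed detection heuristic: a user who collects `threshold` or more
    404s on distinct invoice ids is probably walking the id space. `log` is an
    iterable of (user_id, invoice_id, status) tuples as the handler would emit."""
    denied: dict[int, set[int]] = {}
    for user_id, invoice_id, status in log:
        if status == 404:
            denied.setdefault(user_id, set()).add(invoice_id)
    return sorted(user for user, ids in denied.items() if len(ids) >= threshold)


if __name__ == "__main__":
    # User 7 asks for user 8's invoice: the insecure lookup hands it over.
    print(handle_request(7, "?id=1235", lookup=get_invoice_insecure))
    # The checked lookup refuses without confirming the invoice exists.
    print(handle_request(7, "?id=1235"))
    print(handle_request(7, "?id=1234"))
    # Constructed access log: user 7 probing 1235..1237, user 8 behaving normally.
    sample_log = [(7, 1234, 200), (7, 1235, 404), (7, 1236, 404), (7, 1237, 404),
                  (8, 1235, 200), (8, 1234, 404)]
    print(flag_enumeration(sample_log))
```

The design point is that the check lives in the request handler, keyed on the session's user, rather than in whichever page rendered the link; collapsing "forbidden" and "does not exist" into the same response keeps the endpoint from confirming which ids are valid, and the log heuristic gives a defender a cheap signal that someone is testing that boundary.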
Investments, mergers & acquisitions
A few significant deals this week…
- Thales is acquiring Imperva from private equity firm Thoma Bravo in a deal worth $3.6 billion. Thoma Bravo took the network and application security outfit private four years ago for $2.1 billion.
- Protect AI has raised a $35 million Series A (double their seed round) to build tools to secure artificial intelligence and machine learning systems.
- Crowdstrike is rumoured to be close to acquiring cloud security posture firm Bionic.AI for between $200 million and $300 million.
And finally
- A Florida man faces fresh charges for attempting (and inducing others) to destroy evidence, and another violation of the Espionage Act. There is plenty of sass from El Reg on the latest federal prosecutors’ case against former President Donald Trump. Surprisingly, it’s also a case study in disaster recovery planning: “By some extraordinary coincidence… a Mar-a-Lago employee drained the resort’s swimming pool and somehow flooded ‘a room where computer servers containing surveillance video logs were kept.’”