Happy Holidays! I hope you’re all set for a relaxing and enjoyable end to 2023.
This week
The SEC’s new 4-day reporting requirements came into force
- The SEC’s new data breach disclosure rules came into effect this week. Publicly traded US companies must report cyber security incidents on Form 8-K reports within four business days, in the same way that a significant disruption to operations — think fire, flood — would be reported. The rules cover incidents at third parties, meaning notification clauses will be needed in outsourcing and service contracts.
- Pushback from companies has led to an exception to the deadline: disclosure of a vulnerability or incident can be delayed if the US attorney general determines that it “would pose a substantial risk to national security or public safety.”
- Smaller companies, such as those with less than $100 million in annual revenues or a float (shares traded on the open market) of less than $250 million, get a 180-day disclosure extension. (That seems a significant jump, but I understand it aligns with other reporting requirements.)
- What is material? That is the question worth spending some time establishing, if you’re regulated by the SEC. The SEC’s guidance doesn’t distinguish between cyber and non-cyber incidents:
“Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if it would have significantly altered the total mix of information made available to investors.” — Broad definition of materiality from US securities law.
- In November, ALPHV tried to turn the rules into leverage with a ‘triple extortion’ attack: encrypting data, threatening to leak it, and writing to the SEC about the lack of disclosure. The cybercriminals had jumped the gun, as the rules hadn’t yet taken effect. I don’t buy it as a viable tactic, though, because increasing regulator and law enforcement involvement increases pressure not to pay the ransom, and drastically reducing the share price may make it more difficult to raise or release the funds demanded. (Interestingly, while companies that suffer data breaches underperform markets by around -4.2%, they generally were already underperforming by -1.7% (vol. 3, iss. 20). Poor governance and risk management typically lead to poor company performance.)
Interesting reads
- Stolen Device Protection is coming to iOS 17.3, and this interview with an iPhone thief explains why you should turn it on when it’s released in the second half of January 2024.
- Group-IB explains how it goes about infiltrating ransomware gangs to gather threat intelligence about the cybercriminals.
Interesting stats
4/5 Apache Struts 2 downloads are of versions susceptible to the recent critical remote code execution vulnerability (CVE-2023-50164), according to Sonatype.
443 e-commerce sites were notified by Europol over the presence of card skimming JavaScript on their checkout pages.
Other newsy bits / in brief
- Israel-linked group Predatory Sparrow claimed responsibility for disrupting the “majority of gas pumps” in Iran. Iranian state TV reported that the incident had disrupted 70% of the country’s fuel stations. Analysts are suggesting the attacks are part of retaliation for Iran’s support of Hamas. The group is notable for how it approaches attacks, warning emergency services and leaving some stations unaffected for the same reason. However, the group claimed it has “access and capability to completely disrupt their operation.”
- Authorities seized ransomware gang ALPHV’s dark web site and created a decryption tool, and then, hours later, the cybercriminals ‘unseized’ the site and said they were lifting rules prohibiting affiliates from targeting critical infrastructure. The back-and-forth, or “tug of Tor”, continued because both parties knew the private key required to make changes to the dark web site (a key which cannot be changed).
- Rhysida ransomware group has dumped 1.67TB of Insomniac Games files after the game developer refused to pay the $2 million ransom. The data from the Sony-owned studio behind popular PlayStation titles like Ratchet & Clank and Spider-Man includes assets and roadmaps of unreleased games, internal communications and personal information, including passport scans and compensation information. Ubisoft is also investigating claims of a “data security incident”, which may have exposed 900GB of data.
- The British teenager arrested for being part of the Lapsus$ group has been sentenced to an indefinite hospital order. Arion Kurtaj suffers from acute autism, and broke into Rockstar Games (using a hotel TV, Amazon Firestick and his mobile) while on bail for compromising Nvidia and BT. The court determined Kurtaj was not fit to stand trial (vol. 6, iss. 35) and ordered the jury to consider whether he had committed the acts rather than assigning guilt. Sentencing relied, in part, on a mental health assessment which said he “continued to express the intent to return to cyber-crime as soon as possible” and had been violent during his custody.
- Porsche is withdrawing its best-selling Macan crossover SUV because it is unable to meet upcoming EU cyber security regulations. H/T Simon, who has “been saying for ages that cyber security will help save the planet”.
- The Terrapin attacker-in-the-middle vulnerability allows an attacker to downgrade the SSH protocol, compromising the integrity and even the confidentiality of communications.
- AI image dataset removed following discovery that it contains child sexual abuse material. Large-scale Artificial Intelligence Open Network, or LAION, is a non-profit organisation creating tools for machine learning. Popular AI image generation tools like Stable Diffusion use the LAION-5B data set. Researchers at the Stanford Internet Observatory found 3,226 suspected instances of child sexual abuse material in the dataset. The finding highlights the dangers of indiscriminate internet scraping to build training data for generative artificial intelligence and machine learning purposes.
- Ivanti (formerly MobileIron) has released security updates to address 13 critical vulnerabilities in the firm’s Avalanche mobile device management (MDM) system, which allow unauthenticated attackers to gain remote code execution through low-complexity attacks.
- Waiting nine days to patch a critical Citrix vulnerability allowed attackers to make off with usernames, passwords and other sensitive data of 36 million Comcast/Xfinity customers.
- US mortgage lender Mr Cooper says that almost 14.7 million people were affected by a breach seven weeks ago. While the company says it has seen no evidence of identity theft, affected customers will receive two years’ credit monitoring. Costs relating to the breach incurred this quarter have been revised from “$5 to $10 million” to “$25 million”.
- First American Financial Corporation has taken systems offline following a cyber-attack. It’s the second attack on a leading title insurance provider in as many months, with ALPHV claiming responsibility for an attack against Fidelity National Financial last month (vol. 6, iss. 48).
- Qakbot is back, three months after the FBI takedown. Multiple sources say a new campaign and version of the malware started to be distributed on the 11th of December.
- APT33 (aka Peach Sandstorm, HOLMIUM, Refined Kitten) is targeting defence contractors globally with new FalseFont malware. Microsoft says that the cyber-espionage campaign, linked to Iran, revolves around this new backdoor malware that supports remote access, file execution and file transfer from affected systems.
- Android malware is disabling fingerprint unlock so it can steal device PINs.
- UK Payment Systems Regulator (PSR) set out new rules that could see romance and investment scam victims repaid up to £415,000 ($525,000). The proposed changes would come into effect in October 2024 and, contentiously, raise the bar on what is considered “gross negligence” from customers, citing alert fatigue as a factor to consider rather than relying on arguments that customers fundamentally authorised transactions.
- Interpol’s Operation HAECHI IV has resulted in the arrest of 3,500 suspected ‘low tier’ cybercriminals and seizure of $300 million in illicit proceeds between July and December 2023.
- Investments, mergers & acquisitions: Cyber training company SimSpace has closed a $45 million funding round to expand its virtualised “training ranges” used by the US Department of Defense and large financial institutions. Anti-ransomware outfit Halcyon has announced a $40 million Series B funding round, led by Bain Capital Ventures.
And finally
- Pit yourself against GCHQ’s Christmas Challenge to see how you fare against the puzzles set by the contemporaries of the Government Code and Cypher School. (Technically, it’s aimed at schools, so it should be a doddle for all of you!)
- Iron Maiden opening act, or cyber attack? Test your knowledge of heavy metal and newsworthy cyber security incidents in this quiz (h/t Z). I got 93%, mainly confusing bands for potential threat actors or campaigns (and reaffirming that we should celebrate people who defend, not fetishise adversaries!)