Below are some of the stories we’ve been reporting this week on Cyber Security Headlines.

If you’d like to watch and participate in a discussion about them, the CISO Series does a live 20-minute show every Friday at 12:30pm PT/3:30pm ET. Each week we welcome a different cyber practitioner to offer some color on the week's stories. Our guest this week is Trina Ford, CISO, iHeartMedia.

To get involved you can watch live and participate in the discussion on YouTube Live at https://www.youtube.com/watch?v=QYNmo8zKd5w, or you can subscribe to the Cyber Security Headlines podcast and get it in your feed.

Here are the stories we plan to cover, time permitting:

Express VPN discovered to be leaking DNS requests
This leak, which has been happening since May 2022, is due to a bug in the split tunneling feature of Express VPN. Split tunneling lets users send some traffic through the VPN tunnel while the rest goes directly to the internet, so they keep local network access and encrypted remote access at the same time. The bug caused affected users’ DNS requests to go to their internet service provider’s resolvers instead of Express VPN’s own DNS infrastructure, which defeats one of the main reasons for using a VPN: the ISP could still see which domains a user looked up even though the traffic itself was tunneled. Express VPN says the issue only affected roughly 1% of its Windows users.
(Bleeping Computer)

CISA releases repository security framework
The recent wave of software supply chain attacks clearly shows that hardening the open-source ecosystem remains a tough nut to crack. That’s why it’s big news that CISA partnered with the Open Source Security Foundation’s Securing Software Repositories Working Group to release a framework. The Principles for Package Repository Security lays out four security maturity levels (0 through 3) for package repositories across the categories of command-line tooling, authorization, authentication, and general capabilities. Level 0 means very little maturity, while level 3 requires things like MFA for all maintainers. The framework’s authors say all package management systems should work toward at least level 1 right now.
(The Hacker News)

Researchers exploit ransomware encryption flaw
A group of researchers from the Korea Internet & Security Agency, or KISA, disclosed a flaw in the encryption scheme used by the Rhysida ransomware group. Rhysida launched operations in mid-2023, targeting healthcare organizations, and uses intermittent encryption (encrypting only portions of each file to speed up the attack). The researchers found the ransomware’s random number generator was seeded with a 32-bit value derived from the system’s current time. Because that leaves only a small, predictable set of candidate seeds to search, they were able to regenerate a valid key and decrypt data. KISA released an automated decryption tool for Windows as well as full technical documentation.
(Bleeping Computer)
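
A toy version of that recovery, added here as an example and not the Rhysida code or KISA’s tool: the key is taken straight from a PRNG seeded with a 32-bit clock value, so a decryptor only has to walk the seeds around the file’s timestamp and test each candidate against a known file header. The 32-byte key, the repeating-key XOR cipher, the "%PDF-1.7" header and the timestamp are all assumptions for illustration; Python’s Mersenne Twister stands in for whatever generator the ransomware used.

```python
"""Toy model of a time-seeded ransomware key (added example; not the Rhysida
code or KISA's decryptor). It shows why a 32-bit seed taken from the clock
is recoverable: the whole seed space is 2**32 values, and the file's own
timestamps narrow it to a few thousand candidates.
Assumptions (not from the article): a 32-byte key is read straight from a
PRNG seeded with the epoch time, the cipher is repeating-key XOR, and every
victim file starts with a known header such as "%PDF-1.7".
"""
import random

KEY_LEN = 32  # assumed key size


def derive_key(seed: int, length: int = KEY_LEN) -> bytes:
    """Key = first `length` bytes of a PRNG seeded with a 32-bit value.
    Python's Mersenne Twister stands in for the ransomware's generator;
    the weakness being shown is the seed size, not the generator."""
    rng = random.Random(seed & 0xFFFFFFFF)
    return rng.getrandbits(8 * length).to_bytes(length, "big")


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def ransomware_encrypt(plaintext: bytes, clock_epoch: int) -> bytes:
    """Victim side: the only secret is the clock value used as the seed."""
    return xor_stream(plaintext, derive_key(clock_epoch))


def recover_key(ciphertext: bytes, known_prefix: bytes,
                t_center: int, window: int):
    """Recovery side: walk every seed in [t_center - window, t_center + window]
    (t_center would come from the encrypted file's mtime or the ransom note)
    and keep the first one whose key turns the ciphertext head back into the
    expected header. A longer known prefix lowers the chance of a false match.
    Returns (seed, key) or None."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(t_center - window, t_center + window + 1):
        key = derive_key(seed)
        if xor_stream(head, key) == known_prefix:
            return seed, key
    return None


def decrypt_with_known_prefix(ciphertext: bytes, known_prefix: bytes,
                              t_center: int, window: int):
    """Full recovery: brute-force the seed, then decrypt the whole file."""
    found = recover_key(ciphertext, known_prefix, t_center, window)
    if found is None:
        return None
    _, key = found
    return xor_stream(ciphertext, key)


if __name__ == "__main__":
    # Constructed sample: a PDF-like file encrypted at a made-up clock value.
    plaintext = b"%PDF-1.7\n% constructed sample document body\n"
    encrypted_at = 1_700_000_000
    ciphertext = ransomware_encrypt(plaintext, encrypted_at)

    # The defender only knows the file was touched within an hour of a guess.
    seed, _ = recover_key(ciphertext, b"%PDF-1.7", encrypted_at + 900, 3600)
    print("recovered seed:", seed, "matches:", seed == encrypted_at)
    recovered = decrypt_with_known_prefix(ciphertext, b"%PDF-1.7",
                                          encrypted_at + 900, 3600)
    print("plaintext recovered:", recovered == plaintext)
```

Even without a timestamp hint, the full seed space is 2^32, about 4.3 billion key derivations, which is feasible offline; narrowing by file modification time as the code does cuts it to a few thousand. The same search would work against any scheme whose only entropy is a clock-derived seed, whatever cipher sits on top of it.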

New Jersey law enforcement sues data brokers
Last week 118 class action lawsuits were filed against data brokers who allegedly failed to respond to requests from roughly 20,000 New Jersey law enforcement personnel asking for their personal information to be removed from the internet. New Jersey law prohibits the disclosure of home addresses and unpublished telephone numbers of current and retired police officers, prosecutors, and judges, along with their family members, and requires that such information be removed within 10 days of a takedown request. The law, known as Daniel’s Law, was passed after a New Jersey federal judge’s 20-year-old son was shot to death at her home in 2020 by a disgruntled attorney. The suits seek $1,000 for each violation plus punitive damages and attorneys’ fees, which could cost individual data brokers at least $20 million and hit the industry with at least $2.3 billion in fines.
(The Record)

QNAP vulnerability disclosures send mixed messages
QNAP, the Taiwanese network-attached storage (NAS) vendor, has found itself at odds with security researchers after releasing fixes for two new command injection vulnerabilities. QNAP assigned both vulns a severity score of just 5.8 out of 10. For the first bug (CVE-2023-50358), QNAP indicated that exploitation would require a high-complexity attack that would have a low impact if successful. Palo Alto Networks Unit 42 concluded just the opposite, stating that the RCE bugs exhibit a combination of low attack complexity and critical impact to IoT devices. The German Federal Office for Information Security (BSI) doubled down on Unit 42’s position on Tuesday, warning that successful exploits could lead to “major damage.” In the case of the second flaw (CVE-2023-47218), which was identified by security firm Rapid7, QNAP and Rapid7 had agreed on a coordinated disclosure date of February 7. However, on January 25 QNAP told Rapid7 it had already pushed out patches. Further, QNAP’s vuln disclosure focused heavily on listing affected devices and versions, while Rapid7 provided a detailed technical breakdown showing how the vulnerability can be exploited.
(The Register)

Threat actors using LLMs to improve cyberattacks
Microsoft and OpenAI released a report detailing these efforts, with threat actors seen using ChatGPT and other LLM services to improve scripts, perform research on victims, and refine social engineering approaches. The report found interest in the tools across a wide spectrum of threat groups, with use observed by state-affiliated groups from Russia, North Korea, Iran, and China. While the groups continue to experiment with the tools, Microsoft said it hasn’t seen any “significant attacks” using them yet. Microsoft also warned about future AI use cases, specifically attacks using AI voice impersonation.
(The Verge)

23andMe blames users for data breach
In the ongoing saga of last October’s data breach, which affected nearly seven million people and has spawned a class action lawsuit on behalf of members of specific genetic heritage groups, the company now says its members are actually to blame. According to The Guardian, 23andMe sent a letter to the customers taking legal action stating that “the information that was potentially accessed cannot be used for any harm,” and then placed the blame on users themselves, who “negligently recycled and failed to update their passwords.” Experts such as Barbara Prainsack, a professor of comparative policy at the University of Vienna and a 23andMe customer, noted that the company had a long time to establish data breach protocols, adding, “this is almost a textbook case of how things should not be done.” She added that blaming consumers for their own relatively minor security lapses is “morally and politically very dumb.” It should be noted that 23andMe, which New York Magazine writer Lisa Miller calls “The Google of Spit,” now requires two-factor authentication for all users.
(The Guardian and New York Magazine)

US puts bounty on ALPHV/Blackcat associates
The U.S. Department of State yesterday announced reward offers of up to $10 million for information leading to the identification or location of leaders of the group behind the ALPHV/Blackcat ransomware variant, as well as rewards of up to $5 million for information leading to the arrest or conviction of anyone participating in, conspiring to participate in, or attempting to participate in a ransomware attack using ALPHV/Blackcat. This follows the December takedown of the group’s operations. The announcement says that “over 1,000 victim entities globally have been compromised by ALPHV/Blackcat actors.”
(Department of State press release and Department of State Reward Notice)

Submitted by /u/CISO_Series_Producer