This week was super exciting for me. I got to join two exercises in "analogue" incident response (think fires and chemical leaks, not hacks). It's amazing to see how many things line up with the digital version that I am more familiar with. Especially how much effort goes into communication and documentation.
One unfortunate thing that stood out, though, was how often infosec came up as a blocker. Some folks even brought their personal laptops as backups, because overly restrictive security policies get in the way of actually saving lives.
Yes, shadow IT is everywhere, but often for good reason. It reminded me of a wonderful quote: "make rivers not walls". Try to make the right path easy to follow, instead of saying no all the time. Something to ponder.
Enjoy the read!
Among other things, it:
- Directs leading AI labs to notify the U.S. government of training runs that produce models with potential national security risks. (I'm not sure how they'll validate that but interesting.)
- Instructs NIST to develop frameworks for how to adversarially test AI models.
- Wants to harness AI to automatically find and fix software vulnerabilities, building on an ongoing DARPA competition.
- Requires the Department of Commerce to develop guidance for “content authentication and watermarking”, so that AI-generated content is clearly labeled, especially with the upcoming US elections in mind.
Depending on where you stand, this is quite a heavy-handed move, or way overdue. Personally I'm pretty happy that they are trying to provide at least some guard rails and a legal framework.
The SEC plans to charge SolarWinds CISO Timothy Brown with fraud, for his role in allegedly lying to investors by "overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks."
This, together with the earlier case where Uber CISO Joe Sullivan was sentenced for his handling of Uber's data breach, seems to mark a clear change of the times: CISOs can now be held personally accountable for painting the picture of their security posture a little too bright.
Microsoft's security posture hasn't been getting a lot of great press this year; I suppose this is their plan to counter that. Their "Secure Future Initiative" is a pledge to improve the built-in security of their products and platforms.
From the article: "It will have three pillars, focused on AI-based cyber defenses (ofc), advances in fundamental software engineering, and advocacy for stronger application of international norms to protect civilians from cyber threats."
If you feel like doing a quick pentest every few quarters isn't enough, you are correct. Take a look at the combination of continuous vulnerability assessments and real-time pentesting that GlitchSecure offers. Every finding is verified by highly skilled (and wonderful) humans. (Sponsored)
This is the third Counter Ransomware Initiative (CRI) gathering, bringing together 48 countries, the European Union and Interpol. Some items on the agenda were:
- Set up an initiative to incorporate AI and blockchain analysis into the ransomware fight.
- Set up a new information sharing platform for member countries.
- Create a shared blacklist of crypto wallets used by ransomware groups.
- Commit to assisting other members with incident response if government or lifeline sectors are hit with ransomware.
- Provide a shared statement that member countries will no longer pay ransomware demands.
It sure sounds ambitious, especially that last one. And I'm a bit sceptical. There are a lot of articles on what the gathering -will- do, but since the event had already happened at the time of writing, I went looking for articles on what actually happened and couldn't find much. Except for this White House statement, which is still somewhat vague on the non-payment policy. I'm curious to see if it will actually become law in the member countries.
Impacted companies could be mortgage brokers, motor vehicle dealers, investment firms, insurance companies, and asset management firms. It doesn't apply to cases where consumer information is encrypted as long as the attackers did not access the encryption key.
I'm very curious to see what the impact of the new scoring system will be. Speaking as someone who has been in the triaging trenches, I'm mostly hoping that "Critical" now actually means -critical-, and never "meh".
It's always a fascinating read when articles go into detail on a threat actor. It's not often that we see a native-English-speaking group, for example. They also have a very wide range of attack vectors, including social engineering, cloning voices, and even outright threats of violence.
One thing that surprised me is that they've been seen using corporate data pipelines in Azure Data Factory to extract data while blending in with regular enterprise patterns, and even taking out subscriptions for legitimate Microsoft 365 backup solutions. Not an easy group to detect.
Interesting research on Prolific Puma, a malicious party that has been registering tens of thousands of domains and readying them to provide link-shortening services to cybercriminals, hiding the final landing pages, which are usually scams or phishing pages. They've been operating for at least four years while keeping a sufficiently low profile to go undetected.
The article does a great job of explaining everything; the full report by Infoblox can be found here.
When configuring a CI/CD pipeline you'll usually have to copy over secrets to make it work. It always feels a bit icky, but necessary. That is, until now: you can connect 1Password directly to the workflow instead. There's already a guide for CircleCI, GitHub Actions and Jenkins. (Sponsored)
Breaches and leaks
- Massive ransomware attack hinders services in 70 German municipalities: link.
- Okta hit by third-party data breach exposing employee information: link.
- Boeing confirms cyberattack amid LockBit ransomware claims: link.
- California city warns of data breach after ransomware attack claims: link.
- Stanford University investigating cyberattack after ransomware claims: link.
- Toronto Public Library facing disruptions due to cyberattack: link.
- British Library knocked offline by weekend cyberattack: link.
- California community college Río Hondo dealing with cybersecurity incident: link.
- Dallas County ‘interrupted’ data exfiltration, prevented encryption after attack: link.
- Major Mexican airport confirms experts are working to address cyberattack: link.
- Hackers email stolen student data to parents of Nevada school district: link.
- Connecticut AG demands answers from 23andMe after data breach: link.
Issues and fixes
- Atlassian: "Take immediate action" to patch your Confluence Data Center and Server instances: link.
- Apple patches a raft of vulnerabilities: link.
- Apache ActiveMQ servers vulnerable to RCE attacks exposed online: link.
- Hackers exploit recent F5 BIG-IP flaws in stealthy attacks: link.
- RCE exploit for Wyze Cam v3 publicly released: link.
- Exploit released for critical Cisco IOS XE flaw, many hosts still hacked: link.
- Hackers use Citrix Bleed flaw in attacks on govt networks worldwide: link.
- Microsoft temporarily disables SketchUp support after discovery of 117 vulnerabilities: link.