Cyber Security Headlines Week in Review: DHS reviews Lapsus$, AI generated malware, unsupported applications warning

This week’s Cyber Security Headlines – Week in Review, December 5-9, is hosted by Rich Stroffolino with our guest, Ken Athanasiou, CISO, VF Corporation

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

DHS Cyber Safety Review Board to review Lapsus$ attacks

The Department of Homeland Security Cyber Safety Review Board has announced that it will review cyberattacks linked to the extortion gang Lapsus$, a global extortion-focused hacker group that has reportedly employed techniques to bypass a range of commonly used security controls and has successfully infiltrated a number of companies across industries and geographic areas. The review aims to develop a set of actionable recommendations for how organizations can improve their resilience to these types of attacks. The final report will be transmitted to President Biden through Secretary of Homeland Security Alejandro N. Mayorkas and CISA Director Jen Easterly.

(Security Affairs)

Are we in the age of AI generated malware?

We covered yesterday that Stack Overflow temporarily banned the submission of code created with generative AI, specifically OpenAI’s ChatGPT. Given that the system can write code, computer security researcher Brendan Dolan-Gavitt looked into whether it could create malicious code. He asked ChatGPT to solve a capture-the-flag challenge, and the output contained code exploiting a buffer overflow vulnerability. The challenge represented a basic student exercise, and Dolan-Gavitt noted that the output contained a basic error in its handling of character inputs. He cautioned that in its current form ChatGPT’s capabilities remain limited, but that another model in the next few years would likely be quite capable.

(CyberScoop)

Watchdog reveals UK agency use of unsupported applications

The UK’s National Audit Office (NAO) has revealed that nearly one third (30%) of applications used by the Department for Environment, Food and Rural Affairs (Defra) are unsupported. The issue, which is commonly referred to as “tech debt”, means that apps can no longer receive security or software updates. Defra provides critical services related to disease prevention, flood protection and air quality and a major cyber incident could have severe consequences. The NAO concluded that while Defra is taking steps to address urgent system risks and vulnerabilities, it lacks an adequate digital transformation plan. The government has provided Defra with £366m ($445m) to make IT investments over the next three years.

(Infosecurity Magazine)

Chinese threat group stole COVID-19 relief funds

According to information from the Secret Service, the Chinese-linked APT41 stole at least $20 million in COVID relief benefits. These came in the form of Small Business Administration loans and unemployment insurance funds across more than a dozen states. The Secret Service also said it maintains over 1,000 ongoing investigations into criminal actors defrauding public benefits programs. It’s unclear how many of these investigations link back to foreign threat groups, but NBC News’ sources say other investigations point to state-backed actors. Security researchers say APT41, aka Wicked Panda, generally focuses on gathering personally identifiable information for cyber espionage.

(NBC News)

Thanks to today’s episode sponsor, PlexTrac

PlexTrac
The best pentesting teams trust PlexTrac. PlexTrac can improve efficiency and effectiveness at every phase of your proactive assessments. By centralizing the data from all your automation tools, cataloging important reusable content for easy access, and promoting communication and visibility at every phase of an assessment, PlexTrac cuts reporting time in half and adds value between reports. 

Check out PlexTrac.com/CISOSeries to learn why PlexTrac is the premier pentest reporting and collaboration platform.

TikTok national-security deal delayed

The Wall Street Journal’s sources say the deal had looked set for the end of 2022, but now say the review will likely drag on. Concerns now center on how TikTok could share information related to its vaunted content-recommendation algorithm and the overall level of trust the US would need to place in the company. The Committee on Foreign Investment in the U.S. sent no additional conditions on the deal to TikTok, so a path forward remains unclear. Both sides still agree that Oracle will store TikTok’s US user data. Any deal would also need approval by the Chinese government. Sources say TikTok owner ByteDance has not yet consulted China about any potential US deal.

(WSJ)

Pentagon awards cloud deal to four major providers

The Pentagon said Wednesday that Amazon, Google, Microsoft and Oracle received a cloud-computing contract that could total as much as $9 billion through 2028. The approach aligns with the US Defense Department’s strategy of relying on multiple remote technology infrastructure providers to improve resiliency. Back in 2019, the Pentagon awarded a cloud deal to Microsoft, but after a series of challenges (including from AWS and Oracle), the agency expanded its requests for bids to include the four tech giants.

(CNBC)

FFT and Ransomware account for bulk of cyber insurance claims

According to figures from Corvus, fraudulent funds transfer (FFT) and ransomware caused the most financial damage in 2022, accounting for more than 50% of insurance claims. FFT accounted for an all-time high of 36% of all claims this year. There were fewer ransomware claims in H1 2022 compared to H2 2021, but the rate of data exfiltration increased by 25% over the same period. The prevalence of FFT highlights the growing effectiveness of business email compromise (BEC) scams, with FFT representing 70% of all BEC-related claims. The average FFT claim was significantly lower than the average ransomware claim because such incidents typically don’t include the costs of data restoration, system recovery, business interruption or breach response efforts.

(Infosecurity Magazine)

Firewalls of several major vendors bypassed with generic attack method

Researchers at IoT cybersecurity firm Claroty have identified a generic method for bypassing the web application firewalls (WAFs) of several major vendors. They found the method while analyzing Cambium Networks’ wireless device management platform, in which they discovered an SQL injection vulnerability that could be used to obtain sensitive information such as session cookies, tokens, SSH keys and password hashes. Analysis revealed that the WAF could be bypassed by abusing the JSON data sharing format, which is supported by all major SQL engines and is enabled by default. Firewalls affected by this bypass include products from AWS, Palo Alto Networks, Cloudflare, F5, and Imperva.

(SecurityWeek)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.