Cybersecurity News: Cyber insurance predictions, British steel supplier cyber attack, Microsoft pins Charlie Hebdo attack

Cyber insurer predicts a rise in critical CVEs

A new Cyber Threat Index from the insurance firm Coalition predicts 2023 will see an average of 1,900 monthly critical CVEs, up 13% on the year. Of these, it forecasts 14% will be high-severity and 8% will be critical-severity. Coalition derived this estimate from underwriting and claims data, internet scans, and its network of honeypots, aggregated over the past ten years. The Index also found that 95% of organizations it scanned in 2022 exposed at least one unencrypted service to the internet. Remote Desktop Protocol remains the protocol most scanned for by attackers.

(CSO Online)

British steel supplier hit by “cyber incident”

The engineering company Vesuvius confirmed that a “cyber incident” “involved unauthorized access to our systems.” The company, which has over 10,000 employees, produces ceramics used by the steel industry. Vesuvius said it began an investigation into the incident and shut down any impacted systems. There is no indication of what specifically was impacted or who orchestrated the attack. This marks the second attack on this sector this year, with Morgan Advanced Materials filing a cyber security incident notice with the London Stock Exchange last month.

(The Record)

Microsoft pins recent attack on Charlie Hebdo

A new report from the company claimed the Iran-based Neptunium threat group carried out the attack on the French satirical magazine last month. This comes after the threat group claimed it obtained personal information on 200,000 Charlie Hebdo subscribers, including names, phone numbers, and home addresses. Microsoft warned that, given recent cartoon content from the magazine based around Iranian Supreme Leader Ali Khamenei, the information could be used for mass doxing.

(Hacker News)

India cracks down on gambling and loan apps

Indian state media reports that the Ministry of Electronics and Information Technology began enforcing an emergency order that will ban 138 gambling apps and 94 loan service apps in the country, many from Chinese publishers. Some apps were banned for violating rules from the Reserve Bank of India, which require lenders to receive user consent before increasing credit limits and to explicitly disclose annual loan rates. Others were banned over concerns about them being used for espionage and propaganda. While India does not specifically say it suspects China in that activity, the origin of the published apps strongly indicates it.

(TechCrunch)

And now a word from our sponsor, US, yes, CISO Series

“Those cyber security headlines are fantastic. It’s the first thing I look at in the am.” That’s a quote from active listener Jared Mendenhall, head of information security at Impossible Foods. Cyber Security Headlines is our fastest growing show on the CISO Series network. It’s grown 20-fold since we launched. And it did so during the pandemic while other shows started to slide. That’s because at only 6-7 minutes every day, Cyber Security Headlines does not need a commute to consume. Listen before you start your day. To learn more about pricing and audience, email us at info@ciso-dev.davidspark.dcgws.com.

Twitter still struggles with CSAM

After purchasing Twitter, CEO Elon Musk said in late November that “removing child exploitation is priority #1” for the platform. To that effect, Twitter’s head of safety, Ella Irwin, said the company moved rapidly to combat child sexual abuse material, or CSAM, reiterating that Twitter 2.0 would handle it differently. Twitter claims it suspended over 700,000 accounts in December and January for violations, with a focus on accounts offering to sell and distribute the material. An investigation by the New York Times found that the material still persists on the platform, including widely circulated CSAM considered the easiest to detect.

It cited recommendation engines suggesting accounts tied to CSAM and an abusive video with over 120,000 views that was left up for over a month. Alex Stamos of the Stanford Internet Observatory said “it is surprising they are not doing the basics.” Twitter uses software from the anti-trafficking organization Thorn to find CSAM, but it has not paid the organization since the Musk takeover. It also stopped working with Thorn to improve the technology.

(NYTimes)

Background check services confirm data breach

The firm PeopleConnect, which operates the background check services TruthFinder and Instant Checkmate, confirmed the incident. Last month, threat actors exposed an April 2019 backup database with information on over 20 million customers across the two services. The exposed information covered customers from 2011 to 2019 and included emails, hashed passwords, names, and phone numbers. PeopleConnect began an investigation, but said it appears likely to be an “inadvertent leak or theft of a particular list.” A third-party audit found no signs of a network breach. Troy Hunt added the leaked list to Have I Been Pwned, and PeopleConnect warned users to be on the lookout for phishing attempts.

(Bleeping Computer)

OpenSSH pre-auth double free vulnerability

Back in July 2022, security researcher Mantas Mikulenas disclosed a bug in OpenSSH that occurs in the unprivileged pre-auth process, resulting in a double free memory corruption in the sshd process. This could theoretically allow arbitrary code execution, but would be quite sophisticated to pull off. Qualys researcher Saeed Abbasi said privilege separation and sandboxing in OpenSSH would make exploitation difficult, while OpenSSH maintainers said they did not believe it was exploitable. The flaw was patched in the latest 9.2 build.

(Hacker News)

Royal ransomware adds Linux support

The ransomware gang joins a growing group of encryptors now able to attack Linux hosts, including Black Basta, LockBit, and Hive. Researcher Will Thomas discovered the Royal Linux variant, which runs from the command line. It offers a number of flags to aid in malicious activity, like the ability to stop all running VMs and a filter to only encrypt VMs. This largely aligns with the larger trend of ransomware targeting ESXi virtual machines. Unsurprisingly, this comes as thousands of ESXi servers reached end-of-life in October. Based on VirusTotal samples, 37% of malware scanners were able to detect the new variant.

(Security Affairs)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.