Cybersecurity News Week in Review: Cloudflare’s power outage, Washington breaches, Wiki-Slack attack

This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Shawn Bowen, CISO, World Kinect Corporation

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

Power outage darkens Cloudflare dashboard and APIs

As of this recording, Cloudflare continues to struggle with an outage that has affected its customers’ ability to use Alerts, Dashboard functionality, Zero Trust, WARP, Cloudflared, Waiting Room, Gateway, Stream, Magic WAN, API Shield, Pages, and Workers. Customers are instead seeing Code 10000 authentication errors and internal server errors. Cloudflare confirms the outage does not affect cached file delivery via the Cloudflare CDN or Cloudflare Edge security features. According to numerous media sources, the company revealed that the ongoing issues are due to power outages at multiple data centers.

(Bleeping Computer)

MOVEit breach hits US government

According to documents obtained through a Freedom of Information Act request, Bloomberg reports that the MOVEit breach over the summer let the Clop threat group access government emails, covering roughly 632,000 federal employees at the Departments of Justice and Defense. The government had already disclosed that some agencies were compromised in that breach, but this is the first indication of its scope. The breach occurred on May 28th and 29th; the compromised data was of “low sensitivity” and not classified.

(Bloomberg)

DC Board of Elections breach may include entire voter roll

This was revealed in a statement released Friday by the District of Columbia Board of Elections. The breach was first disclosed earlier in October when voter data was discovered being offered for sale on an online forum. Further investigation reveals that the breached database contained a copy of the full voter roll, and it is unknown whether the PII has been accessed. The board has brought in Mandiant to investigate and describes this as an ongoing and active investigation.

(Cyberscoop)

Executive order outlines generative AI rules in the US

President Biden signed the order, which outlines eight goals for the emerging tech. NIST will develop standards to “red team” AI models before a public release. Homeland Security and the Department of Energy will investigate threats to infrastructure posed by these new models, and developers must share safety test data. Agencies must also produce reports on potential job displacement from AI models, establish best practices, and build out cybersecurity programs for AI. The order also creates a National AI Research Resource to provide technical assistance to researchers, students, and small businesses. A White House official said the order will not see any already released models recalled. 

(The Verge)

Thanks to today’s episode sponsor, Hunters

There’s nothing worse than relying on a legacy SIEM that your security team has out-grown, especially when it impacts your ability to detect real incidents. Hunters’ SOC Platform offers built-in, always up-to-date detection rules and automatic correlation that allow SOC analysts to focus on higher-value tasks that impact your organization. It’s time to move to a platform that reduces risk, complexity & cost for the SOC. Visit hunters.security to learn how you can replace your SIEM today.

SEC sues SolarWinds for 2020 breach

The US Securities and Exchange Commission filed a lawsuit against the company and its executives, including CISO Tim Brown. The lawsuit alleges executives failed to notify investors of specific risks and security practices, instead presenting only theoreticals and generalities. SEC Division of Enforcement head Gurbir Grewal also said SolarWinds and Brown ignored repeated red flags of cyber risks for years. The suit claims Brown knew as far back as 2018 that remote attacks accessing SolarWinds would be hard to detect due to “inappropriate” access and privilege controls. SolarWinds CEO Sudhakar Ramakrishna said the SEC action was “misguided and [an] improper enforcement action.”

(Bleeping Computer)

Wiki-Slack attack is wack

Security researchers at eSentire documented this new attack method. It sees an attacker editing the first page of a Wikipedia entry of interest to a potential victim. The edit adds a legitimate footnote that contains a formatting error, which causes a link to appear in the Slack preview snippet. In effect, the formatting error creates a link where there would otherwise be a line break. The researchers found this occurring unintentionally in over 1,000 Wikipedia entries, and say a malicious actor could deliberately create this behavior on highly trafficked pages to point to a malicious link.
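A defender-side check for the behavior described above, added here as an example (it is not eSentire's tooling or code). It assumes the preview renderer drops the footnote marker together with the line break that follows it, so the sentence-ending period touches the first word of the next line and forms a domain-like token; the sample text and the TLD allowlist are constructed. The check compares the links an auto-linker would find in the source text with those it would find in the flattened preview, and reports only the ones that exist because a line break was lost.

```python
import re

# Constructed sample, not taken from any real Wikipedia article: a two-line
# extract whose first line ends with a footnote marker.
SOURCE_TEXT = (
    "The observatory was decommissioned in 1987 and converted into a visitor centre.[4]\n"
    "Info boards inside describe the telescope's history."
)

# Small constructed allowlist of top-level domains that an auto-linker is
# assumed (an assumption of this example) to recognise in bare "host.tld" tokens.
LINKABLE_TLDS = {"com", "net", "org", "info", "io", "co", "uk", "museum"}

# A bare domain-like token: dotted labels, no scheme, no whitespace.
DOMAIN_TOKEN = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)
FOOTNOTE = re.compile(r"\[\d+\]")


def flatten_like_preview(text: str) -> str:
    """Model the preview behaviour described in the story (assumed here):
    footnote markers and line breaks disappear, so the period ending one line
    is joined directly to the first word of the next."""
    return FOOTNOTE.sub("", text).replace("\n", "")


def linkable_tokens(text: str) -> list[str]:
    """Tokens an auto-linker would turn into links: dotted tokens whose last
    label is a known TLD."""
    found = []
    for m in DOMAIN_TOKEN.finditer(text):
        token = m.group(0)
        if token.rsplit(".", 1)[-1].lower() in LINKABLE_TLDS:
            found.append(token)
    return found


def phantom_links(source: str) -> list[str]:
    """Links present in the flattened preview but absent from the source text.
    These exist only because a line break was lost, which is the signal to
    review when auditing a page edit or a rendered preview."""
    before = {t.lower() for t in linkable_tokens(source)}
    after = linkable_tokens(flatten_like_preview(source))
    return [t for t in after if t.lower() not in before]


if __name__ == "__main__":
    for link in phantom_links(SOURCE_TEXT):
        print("link created by a lost line break:", link)
```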

(Security Affairs)

New CVSS v4.0 standard released

The Forum of Incident Response and Security Teams (FIRST) has officially released v4.0 of its Common Vulnerability Scoring System (CVSS) standard, which assesses the severity of software vulnerabilities. According to FIRST, the updated standard offers more granular base metrics, removes scoring ambiguity, and simplifies threat metrics, while enabling assessment of environment-specific security requirements and compensating controls. In addition, several supplemental vulnerability metrics were added, including Automatable (wormable), Recovery (resilience), Value Density, Response Effort and Provider Urgency. One other key enhancement is the added applicability to Operational Technology (OT), Industrial Control Systems (ICS) and IoT devices.

(Bleeping Computer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.