In today’s cybersecurity news…
Snyk mysteriously deploys apparently malicious packages
The security company is facing some damage control after a researcher at SourceCodeRed.com discovered what seemed to be malicious packages targeting Cursor, an AI code editor company. The packages were uploaded to the open-source JavaScript package registry NPM, and their metadata indicated that they were authored by an individual using a Snyk.io email address. Although conspiracy theories are already circulating, The Register points out that “NPM has a reputation for behaving in unpredictable ways when it detects public and private packages with the same name,” while others pointed out that Snyk may simply have been testing, and later reporting, a bug to Cursor.
Baltic sea cable cuts can’t be accident, says EU tech chief
Henna Virkkunen, the European Union’s new digital chief, whose title is the European Commission’s executive vice president for technological sovereignty, security and democracy, has told Bloomberg News that incidents resulting in damage to undersea data and power cables are happening too frequently to be purely accidental. As leaders from the Baltic region prepare to gather for a NATO summit devoted to the topic, she echoes the sentiments of Lithuanian President Gitanas Nauseda, who said “there is a very high probability that those are deliberate actions of hostile countries.” Last week we reported on the tanker Eagle S, whose anchor has been recovered from the seabed by Finnish authorities. This ship and others are believed to be part of a Russian shadow fleet that transports Russian petroleum products despite sanctions and other restrictions.
(Yahoo News, quoting Bloomberg)
CISA warns of second BeyondTrust vulnerability
CISA is “urging federal agencies to patch a second vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) enterprise solutions, based on evidence of active exploitation.” This new flaw, which has a CVE number, is described as a medium-severity command injection issue that was discovered during the investigation into the U.S. Department of the Treasury incident disclosed on December 31 and attributed to the Chinese threat group Silk Typhoon. This second flaw “can be exploited by an attacker with existing administrative privileges to upload a malicious file.” It has now been added to CISA’s KEV catalog, giving federal agencies until February 3 to patch it.
Huge thanks to our sponsor, Dropzone AI

UK mulling public sector ransomware payment ban
This proposed payment ban is part of a Home Office consultation, essentially a survey, launched yesterday, January 14, and running until April 8. The proposed ban is intended to “protect hospitals, schools, railways and other essential public services from the growing ransomware threat” by “making these critical services unattractive targets for ransomware.” The proposal would also offer guidance to ransomware victims on how to respond and would help “block payments to known criminal groups and sanctioned entities.” The proposals “follow guidance issued by the Counter Ransomware Initiative in October 2024, which encourages organizations to consider other options before making ransomware payments to cybercriminals.”
Russia’s largest procurement platform hit by cyberattack
Roseltorg, one of the largest electronic trading operators used by the Russian government to conduct “public procurement, including contracts in the defense and construction industries” for some of its largest companies, announced via Telegram that it had been targeted last Thursday by “an external attempt to destroy data and the entire infrastructure of electronic trading.” A pro-Ukraine hacker group named Yellow Drift has claimed responsibility for the attack, stating they had deleted 550 terabytes of data, including emails and backups.
Draft of second cybersecurity EO on President Biden’s desk
According to Cyberscoop, which obtained a copy of the draft executive order, it ranges from cyber defenses in space to the U.S. federal bureaucracy and its contractors, and “addresses security risks embedded in subjects like cybercrime, artificial intelligence and quantum computers.” The document is a follow-up to one published in the first year of the Biden presidency, and gives agencies 53 deadlines, ranging from 30 days to three years.
Microsoft’s Patch Tuesday fixes 8 zero-days, 159 flaws
Yesterday was Patch Tuesday, and this one saw security updates for 159 flaws, including eight zero-day vulnerabilities, three of them actively exploited. Also fixed are twelve “Critical” vulnerabilities, including information disclosure, elevation of privilege, and remote code execution flaws. The three actively exploited zero-days in yesterday’s updates are sequentially numbered and all relate to a Windows Hyper-V NT Kernel Integration VSP elevation of privilege vulnerability. Among the publicly disclosed zero-days are a Windows Themes spoofing vulnerability and a Microsoft Access remote code execution vulnerability. Other vendors also released updates in this same period, including Adobe, Cisco, Ivanti and many more. A link to a summary from BleepingComputer is available in the show notes for this episode.