A call for formal ban on ransomware payments
The security company Emsisoft published a blog post calling for a legally mandated ban on ransomware payments. It cited that in 2023 the US saw over 300 ransomware attacks against hospitals, schools, and government bodies, at an average cost of $1.5 million per incident to mitigate. These figures don’t account for the MOVEit breaches or attacks on private third parties. Some critics say that while a ban may be warranted in the long term, one enacted immediately would prove impossible to enforce and could do more harm to organizations that lack resilience and IT maturity.
FTC asks for ideas to fight voice cloning
The Federal Trade Commission opened a call for submissions on how to fight fraud carried out with voice-cloning text-to-speech technology. It hopes the challenge will draw ideas from across disciplines to better monitor and stop abuse of this tech. It will accept submissions until January 12th, with the winner receiving $25,000. Submissions must include ideas on how to prevent malicious parties from accessing voice cloning software, improve real-time detection of cloned voices, and provide a way to detect cloned voices in recorded clips. The FTC warned about the potential for this type of abuse back in March, but to date has not taken any enforcement action on it.
Cyberattack impacts French township
The attack hit a midsize township in Brittany. The township’s mayor confirmed to local media that it took down all of the township’s IT services, although the passport and national ID card networks are compartmentalized and were not impacted. Community service infrastructure remains open but with degraded service. There is no word yet from authorities about the nature of the attack or who was behind it.
China slow on approving data export
Back in September 2022, a data transfer law came into force in China requiring government approval of cross-border data transfers by companies with over 1 million registered users. The Financial Times’ sources say only about 25% of applications have been approved, with thousands of requests still pending at the Cyberspace Administration of China even after the legally mandated 57-working-day review window has passed. The agency initially published approval figures but stopped doing so in May 2023.
Huge thanks to our sponsor, NetSPI

Qualcomm warns of voice call vulnerability
The chipmaking giant marked New Year’s Day with a security bulletin detailing the vulnerability, a buffer overflow triggered during a Voice-over-LTE call when the device processes a non-standard Session Description Protocol, or SDP, body. A threat actor could potentially use a maliciously crafted SDP body to execute arbitrary code. While listed as a critical vulnerability, Qualcomm contextualized it by noting that an attacker would also need control over the LTE network used for the call. The company disclosed the bug to OEMs in July, and a patch will roll out in the January Android security bulletin.
(SC Media)
FBI adding cyber agents at embassies
To better address international cybercrime, the US FBI will station more cyber-focused agents at embassies. Initially this means a 40% increase in the total number of deployed cyber assistant legal attachés, with the new posts in New Delhi, Rome, and Brasilia. The FBI began deploying these cyber-focused roles in 2011, but until now their number had remained fairly stable. The expansion fits the US’s new cybercrime policy, which focuses more on disrupting criminal groups than on investigating crimes after the fact.
CISA warns about ParseExcel flaw
The US Cybersecurity and Infrastructure Security Agency added a new vulnerability to its Known Exploited Vulnerabilities catalog, this one in the open-source Perl library Spreadsheet::ParseExcel. We previously covered active exploitation of this flaw against Barracuda ESG appliances in late December by China-linked threat actors. The flaw allows remote code execution on any system that uses the library to parse a maliciously crafted Excel file, because the library evaluated number-format strings read from the file; it is not a bug in Excel itself, so anything that parses untrusted spreadsheets with the library is exposed, not just Barracuda appliances. CISA gave civilian agencies until January 23rd to patch. Upgrading the library to version 0.66 resolves the issue, so hopefully that can be rolled out within the window.
LastPass updates password requirement
Since 2018, the password manager LastPass has recommended 12-character master passwords, although users could ignore the default. In April 2023 the service began requiring a 12-character minimum for new users and for anyone resetting their password. Now it is rolling out a hard 12-character minimum for master passwords on all accounts. The company will also start checking new and updated master passwords against credentials previously leaked on the dark web and will notify users of a match before allowing the change. This comes after the password manager suffered two breaches in 2022 that resulted in stolen vaults, later tied to significant cryptocurrency thefts.
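As an added illustration (this is not LastPass’s code, and the company has not published how its checks are implemented), the following Python sketches how a service can enforce both rules: a length floor, and a leaked-credential check done k-anonymity style, so that only the first five hex characters of the password’s SHA-1 hash ever leave the client. The leaked-password corpus is a constructed two-entry stand-in, and the function names and the shape of the range query are assumptions.

```python
import hashlib

MIN_MASTER_PASSWORD_LENGTH = 12  # the floor LastPass now enforces

# Constructed stand-in for a breached-password corpus, stored as uppercase
# SHA-1 hex digests (the form in which Pwned Passwords publishes its data).
# A real deployment would query a breach-corpus service instead.
_CONSTRUCTED_LEAKED = ["password12345", "correcthorsebatterystaple"]
LEAKED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
               for p in _CONSTRUCTED_LEAKED}


def range_lookup(prefix: str) -> set[str]:
    """Server side of a k-anonymity range query (assumed API shape).

    Given the first five hex characters of a SHA-1, return the 35-character
    suffixes of every leaked hash sharing that prefix. The server never
    learns the full hash, let alone the password.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}


def is_leaked(password: str) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def validate_master_password(password: str) -> tuple[bool, str]:
    """Apply both rules in order: length first, then the leak check.

    Returns (accepted, reason). Checking length first avoids sending even a
    hash prefix for a password that will be rejected anyway.
    """
    if len(password) < MIN_MASTER_PASSWORD_LENGTH:
        return False, f"shorter than {MIN_MASTER_PASSWORD_LENGTH} characters"
    if is_leaked(password):
        return False, "found in a known credential leak"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["hunter2", "password12345",
                      "correcthorsebatterystaple", "orbit-walnut-candle-7"]:
        ok, reason = validate_master_password(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'rejected'} ({reason})")
```

The order of the checks matters: a 13-character password such as "password12345" clears the length floor but is still rejected by the leak check, which is exactly the case the length rule alone misses.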