This week’s Cyber Security Headlines – Week in Review, July 31-August 4, is hosted by Rich Stroffolino with guest, Jeff Hudesman, CISO, Pinwheel
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
CISA, Australia warn of IDOR vulnerabilities after major breaches
These warnings relate to a specific class of vulnerabilities that allows attackers to read, change or delete data by acting under the identity of users who are allowed to access that information. CISA and the Australian Cyber Security Centre stated in an advisory released last week that these insecure direct object reference (IDOR) vulnerabilities involve attackers issuing requests to websites or APIs that do not require authentication, or that do not properly check the authentication or authorization of the user submitting the request. In the last few years, multiple security incidents have involved IDOR vulnerabilities, including a situation affecting a payment plugin for WordPress sites, U.S. electronics giant Eaton, Microsoft Teams, AT&T, and First American Financial.
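To make the advisory's point concrete, here is an added example (not code from the advisory or from any of the affected products): a minimal in-memory "records" API in which a handler trusts the client-supplied record id without checking who is asking, beside the hardened version that authenticates the caller and verifies the object belongs to them before reading or deleting it. The record ids, owners and session tokens are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Record:
    owner: str
    body: str


# Constructed sample data: two users, each owning one record, plus their
# session tokens (stand-ins for whatever the real API uses to identify callers).
RECORDS = {
    101: Record(owner="alice", body="alice's invoice"),
    102: Record(owner="bob", body="bob's invoice"),
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Unauthorized(Exception):
    """Caller is not logged in."""


class Forbidden(Exception):
    """Caller is logged in but may not touch this object."""


def get_record_vulnerable(record_id: int, session_token: Optional[str]) -> str:
    """IDOR: the id from the request is looked up directly; the session is
    never consulted, so any caller can read any record by guessing an id."""
    return RECORDS[record_id].body


def _authorize(record_id: int, session_token: Optional[str]) -> Record:
    """Shared check: authenticate first, then confirm ownership of the object."""
    user = SESSIONS.get(session_token or "")
    if user is None:
        raise Unauthorized("login required")
    rec = RECORDS.get(record_id)
    # Same response for "does not exist" and "not yours" so that a caller
    # cannot enumerate valid ids by observing which error comes back.
    if rec is None or rec.owner != user:
        raise Forbidden("no such record")
    return rec


def get_record_fixed(record_id: int, session_token: Optional[str]) -> str:
    """Read a record only after the ownership check passes."""
    return _authorize(record_id, session_token).body


def delete_record_fixed(record_id: int, session_token: Optional[str]) -> bool:
    """Delete a record only after the ownership check passes."""
    _authorize(record_id, session_token)
    del RECORDS[record_id]
    return record_id not in RECORDS
```

In a real service the ownership check belongs in one shared place (as `_authorize` is here) so that every read, update and delete route goes through it; a single route that skips it is exactly the gap the advisory describes.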
Israel’s largest oil refinery website goes offline amid cyber attack claims
The website of Israel’s largest oil refinery operator, BAZAN Group, was inaccessible to most parts of the world on Sunday as threat actors claim to have hacked the group’s cyber systems. The website remained accessible from within Israel, possibly after imposition of a geo-block by BAZAN in an attempt to thwart an ongoing cyber attack. In a Telegram channel, Iranian hacktivist group Cyber Avengers has claimed responsibility and leaked what appear to be screenshots of BAZAN’s SCADA systems. The group states that it breached the petrochemicals giant via an exploit targeting a Check Point firewall at the company.
UK spy agencies want to relax ‘burdensome’ laws on AI data use
UK intelligence agencies including GCHQ, MI6 and MI5 propose weakening safeguards that limit training of AI models with bulk personal datasets (BPDs). These datasets often contain sensitive info about large groups of people, most of whom are unlikely to be of intelligence and security interest. The agencies argue the surveillance laws place a “burdensome” limit on their ability to train AI models which are needed to help analyse the vast and growing quantities of data they hold. Privacy experts have expressed alarm at the move, which would unwind some of the legal protection introduced in 2016 after disclosures by Edward Snowden about intrusive state surveillance. A leading privacy and surveillance expert, Ian Brown, wrote, “‘data scientists’ disappointment they don’t get to play with all their wonderful new toys isn’t a good justification for weakening fundamental rights protection.”
Thanks to today’s episode sponsor, Opal

No link found between cyber insurance and paying ransoms
This finding comes from an independent study published by the UK's National Cyber Security Centre and the Research Institute for Sociotechnical Cyber Security. The conventional wisdom goes that threat actors could specifically target organizations known to carry cyber insurance to ensure an easier payout. The researchers found no evidence of that, but did see that threat actors used information about cyber insurance exfiltrated during an attack as leverage in negotiations. The study concluded that the low cost and low risk of ransomware played a much larger role in its continuing rise than any change in cyber insurance coverage.
West worried about China’s legacy chip focus
The US and European chip sanctions against China in recent years have generally focused on cutting-edge technology, including export bans on the most advanced fabrication machines, which use extreme ultraviolet lithography. As a result, China began pouring funding into manufacturing so-called legacy chips built on older process technology. Bloomberg's sources say this new focus has sparked fresh concern among US and European policymakers, with the US wanting to prevent these chips from becoming a point of leverage for China. The industry trade group SEMI forecasts China will lead all nations in building 26 new chip fabs through 2026.
New malware finds its way into air-gapped systems
Researchers at Kaspersky documented new malware attributed to the China-linked Zirconium threat group, targeting air-gapped systems at industrial sites across Eastern Europe. The first attacks appeared in April 2022, and the tooling has been under continued development since then. The attack arrives via removable drives and first establishes persistence. The attackers paired a legitimate McAfee executable with a malicious DLL payload, which is loaded onto the air-gapped system once the drive is attached. Files are eventually exfiltrated from another connected machine using Dropbox.
Fortinet VPN bug tops CISA’s list of most exploited vulnerabilities in 2022
The lesson from a joint advisory published Thursday by the cybersecurity agencies of the Five Eyes countries is this: "Patch your internet-facing systems." The most exploited vulnerability of last year was actually disclosed back in 2018; it affects Fortinet's SSL VPNs and is tracked as CVE-2018-13379. Next on the list is the chain of vulnerabilities affecting Microsoft Exchange servers, popularly known as ProxyShell. This is followed by the Atlassian bug, the issues affecting VMware products, F5's BIG-IP products, Log4Shell, the Zoho vulnerability, and Microsoft's Support Diagnostic Tool in Windows.
Piles of unpatched IoT, OT devices attract ICS cyberattacks
New research from Nozomi Networks looked at public IoT/OT cyber incidents over the past six months and found that various threat actors, including ransomware and DDoS attackers, have unleashed a barrage of cyberattacks against ICS systems. The report notes that manufacturing, water treatment, food and agriculture, and the chemical sector were most frequently targeted in early 2023. Nozomi measured an average of 813 unique cyberattacks daily on its honeypots in the first six months of this year, hitting a peak of 1,342 on May 1. Melissa Bischoping, endpoint security researcher with Tanium, suggests three key reasons why patching of these devices lags: the need for stability and uptime of these systems, the cost of upgrading ICS systems, and incompatibility between new upgrades and older systems.