This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Andy Ellis, operating partner YL Ventures
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Credit unions facing outages due to ransomware attack on cloud provider
Up to 60 credit unions across the US are facing outages resulting from a ransomware attack on the cloud services provider Ongoing Operations, which is owned by credit union technology firm Trellance. According to The Record, “the attack is having larger downstream effects on other credit union technology providers, including FedComp, a company that offers data processing solutions to credit unions.” According to Emsisoft analyst Brett Callow, Ongoing Operations may be another victim of Citrix Bleed.
(The Record and Twitter/X)
Roblox, Twitch allegedly targeted by ransomware cartel
The ALPHV/BlackCat ransomware gang has posted information on its dark web blog about Tipalti, an accounting software fintech company. According to Cybernews, the gang quickly turned to exposing some of Tipalti’s clients, stating, “Tipalti claimed as a victim, but we’ll extort Roblox and Twitch, two of their affected clients, individually.” According to Tipalti’s own website, some of its other customers include Twitter/X, GoDaddy and Canva.
(Cybernews and Tipalti.com)
UK nuclear site attacked by state-linked attackers
The Guardian reports that threat actors linked to Russia and China breached the UK’s Sellafield nuclear site. Sellafield holds the largest store of plutonium on Earth and serves as a large-scale disposal site for nuclear waste. Sources say authorities do not have an exact date of compromise, but breaches were first detected back in 2015. There is no word on whether malware still remains on the site’s systems, but sources say it’s likely the attackers already accessed its most sensitive data. The Guardian learned that the UK’s Office for Nuclear Regulation, or ONR, placed the site under “special measures” last year for cybersecurity failings. The regulator only learned of the issues after staff at an external site reported they could access Sellafield servers.
EU agreement on Cyber Resilience Act
On December 3rd, the European Parliament and EU Council reached an agreement on the Cyber Resilience Act. The EU Commission first proposed the CRA in September 2022. The law impacts connected devices across sectors, requiring mandatory reporting of security issues and at least five years of security updates. While it still requires a formal approval process, the CRA is now set to become law. Once it is entered into the EU’s Official Journal, manufacturers will need to meet its requirements within 36 months.
Thanks to today’s episode sponsor, Barricade Cyber Solutions

Federal agency breached through ColdFusion vulnerability
On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that an unnamed federal agency was compromised by hackers in June and July using a vulnerability (CVE-2023-26360) in Adobe’s rapid web-application development tool, ColdFusion. The agency was running outdated ColdFusion software and CISA had ordered all federal agencies to patch it by April 5. CISA’s log analysis shows the hackers inserted malware mainly for reconnaissance purposes. However, the hackers did also attempt to exfiltrate data but were unsuccessful because the activity was detected and “quarantined.”
Canadian government agencies have access to phone-hacking tools
Documents obtained by the CBC reveal that 13 Canadian government agencies have access to tools capable of extracting personal data from phones or computers. While it’s not surprising that law enforcement and national security agencies made the list, some others are sure to raise questions. For example, Fisheries and Oceans Canada, Environment and Climate Change Canada, the Canadian Radio-television and Telecommunications Commission and Shared Services Canada are among the users. Additionally, those departments’ use of the tools did not undergo a privacy impact assessment as required by a federal government directive. Some agencies offered vague regulatory justification for their use of the phone-cracking technology, while others indicated it was used only for internal investigations. One agency indicated it is planning to perform the requisite privacy impact assessment, while others said they aren’t required to because their use of the technology was backed by a court order or warrant.
(Techdirt)
US federal agencies miss incident response deadlines
A new report, published Monday by the US Government Accountability Office (GAO), found that just three US federal agencies have reached the advanced level, or tier three, for cyber event logging. Under the logging requirements that followed from 2021 Executive Order 14028, all 23 federal civilian agencies covered by the report were required to reach event logging tier three by August 2023. However, 20 agencies have failed to meet the requirement and 17 have not gone beyond tier zero. The GAO report said that until the agencies make more progress, “the federal government’s ability to fully detect, investigate, and remediate cyber threats will be constrained.” The report identified the key challenges hindering the agencies as a lack of staff, technical challenges, and limited cyber threat intel sharing.
Wyden warns of spying push notifications
US Senator Ron Wyden sent a letter to the Department of Justice asking it to “repeal or modify any policies” that would inhibit public discussion of push notification spying, after his office received an anonymous tip about the practice. The concern is that Google’s and Apple’s servers receive the data they relay as push notifications, which could give a third party insight into how users are utilizing apps. The letter doesn’t go into much detail, but it does state that foreign governments allied to the US have demanded such data from Google and Apple. In a statement, Apple said, “Now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”
(Reuters)
UEFI flaw opens the door to bootkits
Security researchers at Binarly detailed LogoFAIL, a set of vulnerabilities in the image-parsing libraries of UEFI firmware that lets a crafted boot logo image hijack the parser during boot and bypass boot validation such as Secure Boot. The flaws affect image parsers across firmware from AMI, Insyde, Phoenix, Intel, Acer, and Lenovo, allowing malicious image files to load at boot. Because the attack rides on an image rather than modifying the bootloader or firmware executables, it is harder to identify than the BlackLotus bootkit disclosed earlier this year. The researchers plan to release their full technical findings at Black Hat Europe on December 6th.
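Because boot logo images are data rather than signed executables, a practical first check is to baseline the image files on your EFI System Partition and alert when one appears or changes. The script below is an added example written for this page, not Binarly’s code or a LogoFAIL exploit detector: it identifies images by magic bytes (so a renamed file is still caught), hashes them, and diffs against a baseline. The ESP mount point is whatever path you pass in, and it assumes the logo on your platform is stored on the ESP; on many systems the logo lives in firmware flash, which this check does not see.

```python
"""Inventory image files on a mounted EFI System Partition and diff against a baseline.

Added example for this page (not Binarly's code). Assumes the ESP is mounted at
the path passed to inventory(); the demo() sample tree is constructed in a temp dir.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Magic bytes of the raster formats that UEFI boot-logo parsers commonly accept.
# Sniffing content rather than trusting the extension catches a renamed file.
IMAGE_MAGIC = {
    b"BM": "bmp",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}


@dataclass(frozen=True)
class ImageEntry:
    path: str      # path relative to the ESP root, with forward slashes
    fmt: str       # format detected from the magic bytes
    size: int
    sha256: str


def sniff_image(header: bytes) -> Optional[str]:
    """Return the image format for a file header, or None if it is not an image."""
    for magic, fmt in IMAGE_MAGIC.items():
        if header.startswith(magic):
            return fmt
    return None


def iter_images(root: str) -> Iterator[ImageEntry]:
    """Walk the mounted ESP and yield every file whose content is an image."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable entries are out of scope for this check
            fmt = sniff_image(data[:8])
            if fmt is None:
                continue
            yield ImageEntry(
                path=os.path.relpath(path, root).replace(os.sep, "/"),
                fmt=fmt,
                size=len(data),
                sha256=hashlib.sha256(data).hexdigest(),
            )


def inventory(root: str) -> Dict[str, ImageEntry]:
    """Map relative path -> ImageEntry for every image under root."""
    return {entry.path: entry for entry in iter_images(root)}


def diff_inventory(baseline: Dict[str, ImageEntry],
                   current: Dict[str, ImageEntry]) -> List[str]:
    """Report images that appeared, changed, or vanished since the baseline."""
    findings = []
    for path, entry in current.items():
        old = baseline.get(path)
        if old is None:
            findings.append(f"NEW {path} ({entry.fmt}, {entry.size} bytes)")
        elif old.sha256 != entry.sha256:
            findings.append(f"CHANGED {path} ({old.sha256[:12]} -> {entry.sha256[:12]})")
    for path in baseline:
        if path not in current:
            findings.append(f"REMOVED {path}")
    return sorted(findings)


def demo() -> List[str]:
    """Constructed sample ESP: the logo is swapped and a second image is dropped in."""
    root = tempfile.mkdtemp(prefix="esp-")
    try:
        boot = os.path.join(root, "EFI", "BOOT")
        os.makedirs(boot)
        with open(os.path.join(boot, "BOOTX64.EFI"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)          # PE stub, not an image
        with open(os.path.join(boot, "logo.bmp"), "wb") as fh:
            fh.write(b"BM" + b"\x00" * 52)          # minimal BMP-looking header
        baseline = inventory(root)

        # Simulate what someone with write access to the ESP could do.
        with open(os.path.join(boot, "logo.bmp"), "wb") as fh:
            fh.write(b"BM" + b"\xff" * 4096)        # replaced logo, same name
        with open(os.path.join(boot, "splash.dat"), "wb") as fh:
            fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # PNG behind a .dat name
        return diff_inventory(baseline, inventory(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run `inventory("/boot/efi")` once on a known-good system (or after a firmware update), persist the result, and re-run the diff from a scheduled job; any NEW or CHANGED image on the ESP that you did not put there warrants pulling the file and the firmware version before the next reboot.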