This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Jon Oltsik, distinguished analyst and fellow, Enterprise Strategy Group.
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Ford says cars with WiFi vulnerability still safe to drive
The Ford Motor Company is alerting customers to a buffer overflow vulnerability in the SYNC3 infotainment system built into many Ford and Lincoln vehicles, but says driving safety is not affected. The flaw, tracked as CVE-2023-29468, is in the WL18xx MCP driver for the WiFi subsystem of the infotainment system and lets an attacker within WiFi range (that is, physically near the vehicle) trigger a buffer overflow with a specially crafted frame. It affects a range of 2021 and 2022 model-year vehicles. Ford says it will make a software patch available soon, which customers will be able to load onto a USB stick and install in their vehicles themselves.
LockBit struggles to publish leaked data
Analyst1 Chief Security Strategist Jon DiMaggio published a report showing that the ransomware group is suffering “critical operational problems” that are impairing its ability to run its criminal enterprise. He points to a recently announced infrastructure update that appears intended to cover up the fact that LockBit still “cannot consistently host and publish large amounts of victim data through its admin panel.” The group has also apparently failed to publish the data of several victims who refused to pay, and missed a promised window for shipping an updated version of its ransomware. DiMaggio reports that several affiliates have left LockBit for competitors as a result.
67% of government agencies claim confidence in adopting zero trust
According to a new report from Swimlane, quoted in Security Magazine, “67% of government agencies are confident or very confident they are prepared to meet the zero trust requirements laid out by the U.S. government’s Memorandum M-22-09.” Almost two-thirds of the agencies that responded told Swimlane’s researchers they are choosing low-code security automation as their primary tool for meeting the Memorandum’s guidelines. Also from the report: an equal share, 64%, of federal agencies say it takes longer to fill a security position now than it did two years ago, and one-third believe they will “never have a fully staffed security team with the proper skills.”
Experts ask FTC to modernize health breach notification rules
The window for public comment on the Federal Trade Commission’s proposed changes to its health breach notification rule closed Tuesday. A number of consumer protection and privacy organizations urged adoption of the changes, citing the inadequacy of current health privacy regulations. Numerous apps collect health data and share it with third parties for marketing and other purposes, the agency said in a press release, and many of these practices are not covered by the narrowly defined Health Insurance Portability and Accountability Act. The changes the FTC has proposed include revising several definitions to “clarify that the health breach notification rule can be applied to health apps and similar technologies not covered by HIPAA; clarifying that a ‘breach of security’ under the rule includes the unauthorized acquisition of identifiable health information triggered by a data security breach or an unauthorized disclosure; and expanding requirements for what consumers whose data has been breached should be told.”
Thanks to today’s episode sponsor, Veza

China claims it will disclose US “global reconnaissance system”
The Chinese state newspaper The Global Times reported that Chinese authorities will disclose evidence of US military intelligence agencies targeting civilian infrastructure, in particular seismological data. The claim comes from a joint investigation by China’s National Computer Virus Emergency Response Center and the security firm Qihoo 360. Officials claim the activity disrupted seismographic monitoring capabilities, but it is unclear whether that implies the use of malware. As the Record’s Alexander Martin points out, while there is overwhelming evidence that China engages in cyber espionage as part of its statecraft, it does not publicly avow its agencies’ activity, unlike the US.
The attackers are coming from inside the app
According to an analysis of over 400 malware families by Recorded Future’s Insikt Group, attackers increasingly blend into legitimately used services as a way to breach networks. At least 25% of the malware families did so in some capacity over the last two years. Cloud storage was the most commonly abused category of service, followed by messaging apps, email services, and social media. Telegram was the most commonly abused single app, followed by Discord. Infostealers were the type of malware most often deployed this way.
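The abuse pattern Insikt Group describes can be turned into a simple egress detection: traffic to Telegram, Discord or a cloud storage API is normal when it comes from that service’s own client, and suspicious when it comes from some other process or hits a bot or webhook endpoint. The script below is an added example written for this write-up, not code from Recorded Future or the report; the service-to-process pairings, the proxy log format and the log lines are all constructed for illustration.

```python
"""Flag outbound traffic to legitimate services that malware commonly abuses for C2 or exfiltration."""
import re
from dataclasses import dataclass

# Services named in the report as abused, paired with the client process that is expected
# to talk to them. The process names are assumptions for this example, not report data.
ABUSED_SERVICES = {
    "api.telegram.org": {"telegram.exe"},
    "discord.com": {"discord.exe"},
    "cdn.discordapp.com": {"discord.exe"},
    "content.dropboxapi.com": {"dropbox.exe"},
}

# Paths that belong to bot/webhook APIs rather than ordinary interactive use.
BOT_PATHS = (
    re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/"),  # Telegram Bot API: /bot<id>:<token>/<method>
    re.compile(r"^/api/webhooks/\d+/"),        # Discord webhook
)

# Constructed proxy-log layout (not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) method=(?P<method>\S+) "
    r"dst=(?P<dst>\S+) path=(?P<path>\S+) bytes_out=(?P<bytes_out>\d+)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    proc: str
    dst: str
    reasons: tuple


def analyze(lines, large_upload=1_000_000):
    """Return one Finding per log line that looks like abuse of a watched service."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        dst, proc, path = m["dst"], m["proc"].lower(), m["path"]
        expected = ABUSED_SERVICES.get(dst)
        if expected is None:
            continue  # destination is not on the watch list
        reasons = []
        if proc not in expected:
            reasons.append("unexpected_process")
        if any(p.match(path) for p in BOT_PATHS):
            reasons.append("bot_or_webhook_endpoint")
        # A large upload on its own is what the legitimate client does too, so it only
        # strengthens a finding that already has a primary indicator.
        if m["method"] == "POST" and int(m["bytes_out"]) >= large_upload:
            reasons.append("large_upload")
        if "unexpected_process" in reasons or "bot_or_webhook_endpoint" in reasons:
            findings.append(Finding(m["ts"], m["host"], proc, dst, tuple(reasons)))
    return findings


# Constructed sample log: one benign Discord client session, a webhook POST from svchost.exe,
# a Telegram Bot API upload from an "updater", unrelated browsing, and a normal Dropbox sync.
SAMPLE_LOG = """\
2023-08-15T10:01:02Z host=ws-17 proc=Discord.exe method=GET dst=discord.com path=/api/v9/users/@me bytes_out=310
2023-08-15T10:03:44Z host=ws-17 proc=svchost.exe method=POST dst=discord.com path=/api/webhooks/1122334455/abcdefXYZ bytes_out=4096
2023-08-15T10:05:10Z host=ws-22 proc=updater.exe method=POST dst=api.telegram.org path=/bot6172937:AAHk3xyz_w/sendDocument bytes_out=2500000
2023-08-15T10:06:00Z host=ws-22 proc=chrome.exe method=GET dst=www.example.com path=/ bytes_out=120
2023-08-15T10:07:30Z host=ws-09 proc=Dropbox.exe method=POST dst=content.dropboxapi.com path=/2/files/upload bytes_out=8000000
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f)
```

Running it reports the svchost.exe webhook POST and the updater.exe Bot API upload and stays quiet on the Discord client, the browser and the Dropbox sync. In production the process allow-list would come from your own endpoint telemetry rather than a hard-coded dictionary, and the watch list would be extended to whichever cloud storage and social media hosts your environment sees.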
Clorox takes servers offline following ‘unauthorized activity’
On Monday, cleaning product giant Clorox reported in its annual 10-K filing to the Securities and Exchange Commission (SEC) that it had fallen victim to a cyberattack. The incident forced the company to take some systems offline and implement workarounds to keep serving customers. Clorox has hired a cybersecurity firm to help with recovery and with an investigation that is “in its early stages.” Clorox also noted it has seen a rise in cyberattacks since shifting to a remote work model.
LinkedIn accounts hacked in widespread hijacking campaign
On Tuesday, a wave of LinkedIn user reports surfaced indicating that accounts had been locked or hijacked by attackers, and that users were having difficulty getting help from LinkedIn support. Cyberint researchers said the attackers are using leaked credentials or brute force to take over poorly protected LinkedIn accounts and then swapping the associated email address for one at the “rambler.ru” service. Cyberint also said the threat actors were pressuring some users to pay a ransom to regain control of their accounts. Targeted accounts protected by strong passwords and/or two-factor authentication were temporarily locked by LinkedIn as a precaution; the owners were then prompted to verify ownership and update their passwords before being allowed to sign in again.
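The sequence Cyberint describes, a burst of failed logins, a success, then the recovery email being swapped to a rambler.ru address, is exactly what an identity team can correlate from its own authentication and profile-change logs. The script below is an added example for this write-up, not code from LinkedIn or Cyberint; the event format, the thresholds and windows, and the sample events are all constructed assumptions. It also separates the two outcomes the story mentions: a takeover that got through, and a burst that never produced a successful login, which is the case for a lock-and-verify response.

```python
"""Correlate login failures, a subsequent success and an email change into an account-takeover verdict."""
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT_EMAIL_DOMAINS = {"rambler.ru"}    # domain named in the Cyberint report
FAIL_THRESHOLD = 10                        # assumed tuning value
FAIL_WINDOW = timedelta(minutes=30)        # assumed: failures counted within this window
CHANGE_WINDOW = timedelta(hours=1)         # assumed: email change this soon after a suspect login


def parse(line):
    """Constructed event format: '<iso-timestamp> <account> <EVENT> k=v ...'."""
    ts, account, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return datetime.fromisoformat(ts), account, event, fields


def triage(lines):
    """Return {account: verdict} for every account showing takeover-campaign behaviour."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e[0])
    recent_fails = defaultdict(list)   # account -> timestamps of failures inside FAIL_WINDOW
    suspect_ok = {}                    # account -> time of a success that followed a failure burst
    verdicts = {}
    for ts, acct, event, f in events:
        recent_fails[acct] = [t for t in recent_fails[acct] if ts - t <= FAIL_WINDOW]
        if event == "LOGIN_FAIL":
            recent_fails[acct].append(ts)
        elif event == "LOGIN_OK":
            if len(recent_fails[acct]) >= FAIL_THRESHOLD:
                suspect_ok[acct] = ts
                verdicts[acct] = "success_after_failure_burst"
        elif event == "EMAIL_CHANGE":
            domain = f["new"].rsplit("@", 1)[-1].lower()
            if domain not in SUSPECT_EMAIL_DOMAINS:
                continue
            if acct in suspect_ok and ts - suspect_ok[acct] <= CHANGE_WINDOW:
                verdicts[acct] = "takeover_confirmed"
            else:
                verdicts.setdefault(acct, "email_changed_to_suspect_domain")
    # Bursts that never produced a success are candidates for a precautionary lock + re-verify.
    for acct, times in recent_fails.items():
        if len(times) >= FAIL_THRESHOLD and acct not in suspect_ok:
            verdicts.setdefault(acct, "brute_force_blocked")
    return verdicts


def _burst(acct, start, n, ips):
    """Constructed helper: n failed logins, 20 s apart, rotating through the given source IPs."""
    return [
        f"{(start + timedelta(seconds=20 * i)).isoformat()} {acct} LOGIN_FAIL ip={ips[i % len(ips)]}"
        for i in range(n)
    ]


# Constructed sample: alice is taken over, bob's burst never succeeds, carol is normal,
# dave changes his email to the suspect domain with no preceding burst.
_base = datetime(2023, 8, 15, 9, 0)
SAMPLE_EVENTS = (
    _burst("alice", _base, 12, ["203.0.113.5", "198.51.100.7", "192.0.2.9"])
    + [f"{(_base + timedelta(minutes=5)).isoformat()} alice LOGIN_OK ip=203.0.113.5",
       f"{(_base + timedelta(minutes=9)).isoformat()} alice EMAIL_CHANGE new=alice9912@rambler.ru"]
    + _burst("bob", _base, 15, ["203.0.113.5"])
    + [f"{(_base + timedelta(minutes=1)).isoformat()} carol LOGIN_OK ip=192.0.2.44",
       f"{(_base + timedelta(minutes=2)).isoformat()} carol EMAIL_CHANGE new=carol@example.org",
       f"{(_base + timedelta(minutes=3)).isoformat()} dave LOGIN_FAIL ip=192.0.2.50",
       f"{(_base + timedelta(minutes=4)).isoformat()} dave LOGIN_OK ip=192.0.2.50",
       f"{(_base + timedelta(minutes=6)).isoformat()} dave EMAIL_CHANGE new=dave@rambler.ru"]
)

if __name__ == "__main__":
    for acct, verdict in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{acct}: {verdict}")
```

The "takeover_confirmed" verdict is the one that justifies an immediate forced logout and email-change rollback; "brute_force_blocked" is the lock-and-verify case; the bare "email_changed_to_suspect_domain" verdict is lower confidence and is better routed to a review queue than acted on automatically.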