This week’s Cyber Security Headlines – Week in Review, November 28-December 2, is hosted by Rich Stroffolino with our guest, Terrance Cooley, CISO, Air Force JADC2 R&D Center.
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Businesses hope to cut cyber turnover by encouraging volunteer work
Companies are encouraging their cyber employees to volunteer at nonprofits, a nudge that managers say can help businesses retain in-demand technical experts despite high turnover in security roles. The CyberPeace Institute, a Geneva-based group that helps nonprofits, humanitarian and healthcare organizations address cybersecurity, set up a program last year to enlist professionals from the corporate world to explain things like email phishing to nonprofits that might lack the budget to hire their own experts. Cyber volunteerism can also bolster the team as a whole, said Clar Rosso, chief executive of (ISC)2. Stepping away from day-to-day work and looking at a different organization as an outsider can give employees a fresh perspective on their own job, she said. “There’s a case that allowing employees to go and volunteer in other organizations is actually going to strengthen the security posture of your own organization,” she said.
Hackers use trending TikTok ‘Invisible Challenge’ to spread malware
Threat actors are capitalizing on a popular TikTok challenge to trick users into downloading information-stealing malware, according to new research from Checkmarx. The scheme is based on a trend called Invisible Challenge, which involves applying a filter known as Invisible Body that leaves behind only a silhouette of the person’s body. This has led to demand for an “unfilter” that would allow viewers to see the person within the silhouette. Attackers are now posting TikTok videos with links to rogue software dubbed “unfilter” that purports to remove the applied silhouette. This software deploys WASP stealer malware hidden inside malicious Python packages, and is designed to steal users’ passwords, Discord accounts, cryptocurrency wallets, and other sensitive information.
Sirius XM unlocks smart cars thanks to code flaw
Sirius XM’s Connected Vehicle Services has fixed an authorization flaw that would have allowed an attacker to remotely unlock doors and start engines on connected cars knowing only the vehicle identification number (VIN). Yuga Labs’ Sam Curry detailed the exploit in a series of tweets and confirmed that the patch issued by SiriusXM has since fixed the security issue. Security researchers at Yuga Labs found the issues while exploring attack surfaces in the SiriusXM “smart vehicle” platform used in models made by Hyundai, Toyota, Honda, Fiat Chrysler, Nissan, Acura, and Infiniti, which allowed them to “remotely unlock, start, locate, flash, and honk” those vehicles. (The Register and Bleeping Computer)
Thanks to today’s episode sponsor, Automox
Project Zero warns of “patch gap”
Researchers at Google’s Project Zero security team warned of a “patch gap” problem across the Android ecosystem. The team says that while Android security fixes often arrive in a timely fashion, downstream vendors lag in delivering those fixes to devices. A recent post points to actively exploited vulnerabilities in the ARM Mali GPU driver. These were patched upstream in August 2022, but the fixes were not pushed out to impacted devices. Project Zero noted that Samsung, Xiaomi, Oppo, and even Google’s Pixel team lagged in shipping patches for this exploit. Researchers then looked at five recent ARM vulnerabilities, which were discovered between June and July 2022 and patched by ARM within a month, but did not see the CVEs for those vulnerabilities mentioned in any downstream security bulletins since. The Pixel security team said the ARM fixes were scheduled to be delivered “in the coming weeks.”
Businesses found to increase cybersecurity spend without clear strategy
According to a recent Fastly research study, most businesses surveyed were willing to spend more than their current cybersecurity budget. While 71% of businesses were confident in their current budgets, 73% wanted them to increase. In the US, 85% of IT leaders felt their current budget was inadequate and 79% wanted it to increase. Increasing the budget may not be the solution, however: many businesses surveyed felt they experienced information overload and were blindly putting faith in the latest technology. Fastly also found that 39% of current cybersecurity tools were not fully deployed and active, and that only 42% of those that are fully operational overlap in function.
Intruders gain access to user data in LastPass incident
Following up on a story we brought you in August, intruders broke into a third-party cloud storage service that LastPass shares with affiliate company GoTo and gained access to “certain elements” of customers’ information, the companies have confirmed. LastPass did not define what it meant by “certain elements,” saying it was unsure what data was looked at. The statement confirmed that the attackers used information stolen in the August attack to carry out the current intrusion. It did maintain, however, that services were unaffected and that customers’ passwords remained “safely encrypted” – without ruling out that some of the data was stolen.
Ransomware group may have stolen customer bank details from British water company
In yet another follow-up story, South Staffordshire Water, which supplies water to more than 1.7 million people in England, has said that an attempted ransomware attack in August may have enabled cybercriminals to steal customer bank details. At the time of the incident the company stressed that the water supply was not affected, although its corporate network was experiencing disruptions. The company said in an update on Wednesday that customers who paid by direct debit may have had their bank details stolen. Water suppliers are required to report cybersecurity incidents to the Water Services Regulation Authority (Ofwat) under the U.K.’s Network and Information Systems (NIS) Regulations. However, the reporting obligation only applies to incidents which ultimately impact water supply, which the ransomware attack did not. The government announced yesterday that it would update the legislation so that service providers would need to notify regulators “of a wider range of incidents.”