EU gets closer to US data-sharing agreement
The US and EU used to have the Privacy Shield agreement to allow companies to move data back and forth between the two regions while maintaining the privacy protections of the citizens of the two regions. But legal challenges to the agreement have meant that companies have each had to negotiate their own Standard Contractual Clauses. However, the EU published a draft approval this week to re-establish a framework for all companies. In October, the US began implementing new safeguards on how its intelligence agencies can access such data. EU citizens will be able to appeal data handling to an arbitration panel, and the US has agreed to limit intelligence agency data collection.
Microsoft signed malicious drivers
A coordinated disclosure from Microsoft, Mandiant, Sophos, and SentinelOne revealed that malicious actors used drivers certified by Microsoft’s Windows Hardware Developer Program to perform kernel-mode operations like terminating security software, deleting protected files, and acting as rootkits to hide other processes. Microsoft noted the attackers already needed to gain admin access on the systems to exploit the drivers. The disclosure notes the toolkits used in the drivers appear consistent with “bring your own vulnerable driver” attacks. Microsoft revoked several hardware developer accounts in early October for submitting the drivers. Sophos attributed the attack with “high confidence” to the Cuba ransomware operation, with SentinelOne saying it saw one case of Hive ransomware operators using the attack.
InfraGard data for sale on dark web
Security researcher Brian Krebs reported that the user database for the US FBI’s InfraGard program appeared for sale on a cybercrime forum on December 10th. The program was designed to build information-sharing partnerships between the FBI and private firms, including operators of critical infrastructure. Krebs contacted the seller, who said they obtained access by creating a new InfraGard account posing as the CEO of a major US financial corporation. The seller said they used a fake email address but listed the actual CEO’s phone number in the application. The impersonated CEO said the FBI never contacted them by phone to verify the application. The dataset mostly reveals emails and phone numbers, but also allows for direct messaging other InfraGard members, opening the door to potential social engineering.
Senate introduces Digital Asset Anti-Money Laundering Act
Senators Elizabeth Warren and Roger Marshall introduced the bipartisan bill, which seeks to give new legal authority to limit the use of cryptocurrency for money laundering. If signed into law, the bill would bring know-your-customer, or KYC, rules to wallet providers and miners. It would also prohibit financial institutions from making transactions with digital asset mixers that can be used to hide the origin of funds. The act would also require institutions to report some transactions from wallets that aren’t hosted on an exchange or another third party.
Thanks to today’s episode sponsor, Fortra
US crackdown on Chinese semiconductors continues
This news comes in two pieces, both from the Financial Times. Its sources say the US Commerce Department will place the Chinese chipmaker Yangtze Memory Technologies, or YMTC, on its entity list. This would bar US firms from selling technology to YMTC without a license. On October 7th, the US placed YMTC on an “unverified list.” This designation covers entities on which the US was unable to conduct end-user checks to make sure US-based technology wasn’t being diverted for military use.
We’re also seeing the impact of existing US sanctions. The Financial Times’ sources also say the chip designer Arm determined that it cannot sell its latest Neoverse V series designs to Alibaba. It concluded internally that the UK and US would not approve licenses to export its technology. The chips fall under the Wassenaar multilateral agreement. This requires a license to export dual-use technology that could be diverted for military use.
Royal ransomware uses novel encryption
The Royal ransomware gang made a name for itself with sophisticated tactics and a rapidly expanding scope. A new report on the group from the Cybereason Security Research & Global SOC Team outlines one item in its toolkit, partial encryption. While not new, Royal expanded on the tactic with flexible-percentage encryption that appears designed for specific targets. It uses multiple threads to further speed up encryption, and uses a variety of tactics to stop and start encryption. The US Department of Health and Human Services warned last week of Royal targeting healthcare providers. But the report found the group operating fairly agnostically across regions and industries. The researchers note that Royal doesn’t use affiliates and may have extensive membership drawn from the defunct Conti group.
Automated attacks create a flood of malicious packages
A new report from Checkmarx and Illustria outlines a new automated attack campaign targeting users of npm, NuGet, and PyPI. The attack appears to automatically generate malicious packages, which disguise phishing links as offers for free resources. The report marks the scale of the attack as unique, with over 144,000 packages created by the same threat actor. The scale makes it difficult for security teams to identify and take down each offender. This kind of spam tactic against the open source software supply chain means malicious packages can stay available for longer, increasing the chances of clickthrough.
CISA warns of Veeam vulnerabilities
The US Cybersecurity and Infrastructure Security Agency added two flaws impacting Veeam’s popular Backup & Replication software to its Known Exploited Vulnerabilities list. These vulnerabilities received critical ratings, as they are exploitable by a remote unauthenticated attacker for arbitrary code execution. Positive Technologies disclosed the vulnerabilities, and both received patches in March. CISA did not state whether threat actors actively targeted either vulnerability. But the firm CloudSEK reported earlier this year that a tool using the vulnerabilities was being advertised as a “fully weaponized tool for remote code execution.”