Cyber Security Headlines: Polonium targets Israel, CISO-Board relationships, UK Supply chain

Polonium APT targets Israel with a new custom backdoor dubbed PapaCreep

The APT group has been employing custom backdoors in attacks aimed at Israeli entities since at least September 2021. Focusing only on Israeli targets, it has launched attacks against organizations in engineering, information technology, law, communications, branding and marketing, media, insurance, and social services. Microsoft MSTIC researchers believe that the attackers were coordinated with other actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap and TTPs. This circumstance is confirmed by revelations that emerged in the last couple of years that the Iranian government is using cyber mercenaries for its operations. MSTIC has observed POLONIUM active on or targeting multiple organizations that were previously compromised by Iran-linked MuddyWater APT (aka MERCURY).

(Security Affairs)

RSA Conference reveals CISO-Board relationships 

The RSA Conference Executive Security Action Forum (ESAF) released a research report on Wednesday, that describes how CISOs are communicating risk, accountability, security maturity and metrics to boards, and the challenges that this can sometimes entail. Among the findings:

• CISOs and boards are generally well  aware of the legal ramifications of a data breach, and the need to document their efforts to adequately managed cyber risk

• There is debate among the CISO community about the types of metrics used in board reports, specifically whether narratives or numbers are better.

• CISOs who have evaluated building a capability to quantify cyber risk in dollar values found that the resources and talent, including actuaries, would be prohibitive for most security teams.  

• Security teams use risk scoring systems internally to prioritize their efforts but do not find it useful to share those numbers with the board.

We have  link to the full report in the show notes to this episode, at


UK government urges action to enhance supply chain security

The UK government has warned organizations to take steps to strengthen their supply chain security. The National Cyber Security Centre (NCSC) has issued guidance in response to an increase in supply chain attacks such as the SolarWinds incident in 2020. Aimed at medium-to-large organizations, the document sets out practical steps to better assess cybersecurity across increasingly complex supply chains. This includes a description of typical supplier relationships and ways that organizations are exposed to vulnerabilities and cyber-attacks via the supply chain, and the expected outcomes and key steps needed to assess suppliers’ approaches to security.


Digital license plates legalized in California

California has ended a pilot program and fully legalized digital license plates for private and commercial vehicles. The E Ink digital license plates known as the Rplate, are manufactured by California-based company Reviver. It can reportedly function in extreme temperatures, has some customization features, and is managed via Bluetooth using a smartphone app. Rplates are also equipped with an LTE antenna, which can be used to push updates, change the plate if the vehicle is reported stolen or lost, and notify vehicle owners if their car may have been stolen.

(The Register)

Thanks to this week’s episode sponsor, Noname Security

Prevent API attacks in real-time with automated AI and ML-based detection from Noname Security. Monitor API traffic for data leakage, data tampering, data policy violations, suspicious behavior, and API security attacks. Integrate with your existing IT workflow management system like Jira, ServiceNow, or Slack for seamless remediation. Learn more at

Signal will remove support for SMS text messages on Android

Signal says it will start to phase out SMS and MMS message support from its Android app to streamline the user experience and prioritize security and privacy. While this announcement may surprise those who don’t know Signal can also be used to manage this type of text message, the Signal for Android app could be configured as the default SMS/MMS app since its beginning as TextSecure, an app that used the Axolotl Ratchet protocol. The company stated, in a blog published yesterday, “We have now reached the point where SMS support no longer makes sense.”

(Bleeping Computer)

Australian Insurer Medibank hit by targeted cyberattack

Medibank, a private health insurer in Australia with 3.7 million customers, has confirmed today it is the latest business down under to fall victim to a digital break-in. In a brief statement, the company confirmed it had yanked the ahm and international student policy systems offline, “and we are in the process of methodically and safety restarting systems.” Medibank – which provides insurance coverage for accident, hospital time, optical health, dental work, and more – didn’t explain how the criminals gained access to its network, how long they were there or anything else related.

(The Register)

NHS vendor Advanced confirms patient data loss, but remains tight lipped

Following up on a story we brought you in August, the IT service provider for the U.K.’s National Health Service (NHS), named Advanced, has confirmed that attackers stole data from its systems during the August ransomware attack, but refuses to say if patient data was compromised. The attack downed a number of the NHS services, including its Adastra patient management system, which helps non-emergency call handlers dispatch ambulances and helps doctors access patient records, and Carenotes, which is used by mental health trusts for patient information. In an update dated October 12, Advanced said the malware used in the attack was LockBit 3.0.


Meta’s VR headset harvests personal data right off your face

Meta’s latest VR headset, the Quest Pro, includes a set of five inward-facing cameras that watch a person’s face to track eye movements and facial expressions, allowing their avatar to reflect their expressions, more realistically. Researcher Luke Stark, an assistant professor at Western University, in Canada, stated in an interview with Wired, that he suspects that the default “off” setting for face tracking won’t last long and that, “It’s been clear for some years that animated avatars are acting as privacy loss leaders,” he said. Eye-tracking and facial-expression privacy notices that the company published this week state that although raw images get deleted, insights gleaned from those images may be processed and stored on Meta servers.