TSA issues cybersecurity regulations
The US Transportation Security Administration announced new regulations meant to improve cyberthreat defenses for aircraft owners and operators. Aviation operators under the TSA’s purview must now develop approved implementation plans describing measures to improve their cybersecurity posture. These plans need to outline how operations can safely proceed even in the event of a compromise of IT or operational technology. The plan must also outline how the operator will prevent unauthorized access to critical systems, implement continuous monitoring, and keep up with system patching. This follows the Biden administration’s release of its National Cybersecurity Strategy. We’ve seen other agencies, like the EPA, already release similar plans to comply with it.
Lazarus Group deploys zero-day
Security researchers at Asec report that the pernicious North Korean threat group targeted an unnamed South Korean finance firm twice last year, in May and October. Both attacks seemingly relied on the same zero-day vulnerability in “a certificate program that was commonly used by public institutions and universities.” This appears to have impacted the most up-to-date version of the software, since the organization updated all of its software after the first attack. Asec disclosed the zero-day to the Korea Internet & Security Agency, but it remains under verification and unpatched.
Ransomware gang uses video ransom note
The MedusaLocker ransomware group posted a demand for a $1 million ransom from the Minneapolis Public Schools district. The group published a 51-minute video showing data allegedly stolen in the attack. It claims it will delete this data if paid, in a typical ransomware-extortion scheme. The school district disclosed the attack on March 1st, saying it suffered an “encryption event” on February 21st. The district says it plans to restore from internal backups and didn’t find evidence of unauthorized access to personal information.
TikTok announced security initiatives for Europe
The popular Chinese-owned social network recently announced security initiatives to allay concerns about how it uses data from its users. In the US, this came wrapped up as Project Texas. Now TikTok has revealed a new set of security measures for Europe called Project Clover. This will see a third-party security company audit its data controls and practices, and will set up “security gateways” that determine which employees can access European user data. The company also announced plans for two new data centers in Ireland, along with a previously announced one in Norway. TikTok will migrate European user data to these data centers, aiming for completion in 2024. This initiative comes as the US and Canada banned the use of TikTok on government devices.
And now a word from our sponsor, Packetlabs
End-of-life DrayTek routers under attack
Researchers at Black Lotus Labs report that the malware campaign they track as Hiatus began hijacking DrayTek Vigor routers, specifically models 2960 and 3900. Despite reaching end-of-life status in December 2021, over 4,000 of these routers remain exposed on the internet. Researchers found at least 100 routers compromised by the attackers so far. It’s not clear how the attackers compromised these devices. DrayTek did patch a remote code injection vulnerability in these models in 2021, so it may be an instance of the routers running old firmware. The researchers say Hiatus appears to target midsize businesses running their own mail servers. They found pharmaceutical companies, IT services firms, and local governments included in the campaign.
The impact of AI-tools on email attacks
The security firm Darktrace reports it has seen an increase in threat actors using artificial intelligence tools to operate sophisticated scams and operations since the general release of OpenAI’s ChatGPT. While the number of email attacks against its clients has remained consistent since then, it saw a decrease in emails attempting to get users to click on malicious links, while the linguistic complexity of malicious messages increased. Darktrace did not see these tools lowering the bar of entry for new threat actors. Rather, it seems to be existing actors shifting tactics to use them.
Coinbase launches wallet service
The popular cryptocurrency exchange introduced a new Wallet-as-a-Service offering, which will support companies creating customized web3 wallets in their own apps. The idea is that companies can integrate web3 wallets without sending users to another site to set up a wallet. The service uses a cryptographic technique called Multi-Party Computation, which effectively splits the wallet’s key between the user and Coinbase, so no single party holds the complete key. It also makes wallet access recovery much simpler for end users, more akin to resetting a typical account password.
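To make concrete what “splitting the key” means, here is an added toy example written for this page. It is not Coinbase’s code and does not describe its actual protocol; it shows the general idea of two-party signing with additive key shares on a Schnorr-style scheme, where a valid signature is produced without either party ever holding the full private key. The party names, the 2039/1019 group parameters, and the function names are all illustrative assumptions, and the parameters are far too small to be secure.

```python
import hashlib
import secrets

# Toy group for illustration only: p = 2q + 1 with q prime, and G = 4
# generates the order-q subgroup. Real wallets use a 256-bit curve such
# as secp256k1; these numbers are chosen so the arithmetic is readable.
P = 2039
Q = 1019
G = 4


def challenge(r: int, pub: int, msg: bytes) -> int:
    """Fiat-Shamir challenge e = H(R || X || m) reduced mod q."""
    h = hashlib.sha256(f"{r}|{pub}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % Q


def keygen_shares(rng=secrets.randbelow):
    """Each party samples its own share x_i. The full key x = x1 + x2 (mod q)
    is never computed; the public key is built from the public partials
    g^x1 and g^x2 (a real DKG would also exchange proofs of knowledge)."""
    x_user = rng(Q - 1) + 1
    x_coinbase = rng(Q - 1) + 1
    pub = (pow(G, x_user, P) * pow(G, x_coinbase, P)) % P  # g^(x1 + x2)
    return x_user, x_coinbase, pub


def partial_sign(x_share: int, k_share: int, r_total: int, pub: int, msg: bytes) -> int:
    """One party's contribution s_i = k_i + e * x_i (mod q), computed from
    its own key share and nonce share only."""
    e = challenge(r_total, pub, msg)
    return (k_share + e * x_share) % Q


def two_party_sign(x_user: int, x_coinbase: int, pub: int, msg: bytes, rng=secrets.randbelow):
    """Both parties pick nonce shares, exchange R_i = g^k_i, then exchange
    their partial signatures. Neither the key nor the nonce is reassembled;
    only the sums of the public values travel between them."""
    k_user = rng(Q - 1) + 1
    k_cb = rng(Q - 1) + 1
    r_total = (pow(G, k_user, P) * pow(G, k_cb, P)) % P  # g^(k1 + k2)
    s_user = partial_sign(x_user, k_user, r_total, pub, msg)
    s_cb = partial_sign(x_coinbase, k_cb, r_total, pub, msg)
    return r_total, (s_user + s_cb) % Q


def lone_party_attempt(x_user: int, pub: int, msg: bytes, rng=secrets.randbelow):
    """What a single share holder can do alone: sign with its own share.
    The result is a signature under g^x1, not under the wallet key g^(x1+x2)."""
    k = rng(Q - 1) + 1
    r = pow(G, k, P)
    e = challenge(r, pub, msg)
    return r, (k + e * x_user) % Q


def verify(pub: int, msg: bytes, sig) -> bool:
    """Plain Schnorr verification: g^s == R * X^e (mod p). The verifier
    cannot tell that the signature came from two parties."""
    r_total, s = sig
    e = challenge(r_total, pub, msg)
    return pow(G, s, P) == (r_total * pow(pub, e, P)) % P


if __name__ == "__main__":
    xu, xc, pub = keygen_shares()
    tx = b"constructed sample: send 1 token to 0xabc"   # constructed input
    sig = two_party_sign(xu, xc, pub, tx)
    print("joint signature verifies:", verify(pub, tx, sig))
    print("user share alone verifies:", verify(pub, tx, lone_party_attempt(xu, pub, tx)))
```

The point the paragraph makes falls out of the arithmetic: the verifier only ever sees g^(x1+x2), and the signing exchange consists of public nonce commitments and partial scalars, so a compromise of either the user’s device or Coinbase’s backend yields one share, not the key. Production two-party schemes add nonce commitments, a proper distributed key generation, and a resharing step (which is what lets a lost user share be replaced without the key ever existing in one place); this toy deliberately omits them.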
Google expands VPN availability
The search giant previously bundled its Google One VPN, but limited access to users on its $9.99 a month and higher tiers. The company announced it will start rolling out VPN access to all paying Google One subscribers over the next few weeks. Google also announced it will roll out a new “dark web report” feature for Google One, which will scan for personal information on dark web sites. Users need to set up a “monitoring profile” on their Google account, and can add and remove information for scanning purposes.