Cyber Security Headlines Week in Review: Water cyber-regs rescinded, Cisco zero-day attacks, Signal debunks zero-day

This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Andrew Wilder, CISO, Community Veterinary Partners

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

EPA rescinds cyber regulations for water sector

The US Environmental Protection Agency has sent a letter to state drinking water authorities saying it will withdraw the requirement, announced in a memorandum issued in March, that cybersecurity be assessed as part of sanitary surveys of water utilities. According to Cyberscoop, the EPA stated on Thursday that “litigation from Republican states and trade associations…raised questions about the long-term legal viability of the initiative to regulate the cybersecurity of water utilities.” Despite the withdrawal, the EPA emphasized its commitment to encouraging cybersecurity in the water sector, and organizations such as the American Water Works Association and the National Rural Water Association, which were involved in the lawsuit, have “renewed their call for a collaborative approach to cybersecurity measures in the water sector.”

(Cyberscoop)

Zero-day attacks affect over 10,000 Cisco devices

Researchers have found attackers actively exploiting a recently disclosed critical zero-day bug (CVE-2023-20198) on at least 10,000 Cisco IOS XE devices, including enterprise switches, routers, access points, and wireless controllers. The maximum-severity vulnerability affects devices that have the web user interface (Web UI) enabled and exposed through the HTTP or HTTPS server feature. Researchers at VulnCheck say that privileged access on an IOS XE device could allow attackers to monitor network traffic, pivot into protected networks, and perform man-in-the-middle attacks. With no patch yet available, administrators should immediately disable the web interface, remove management interfaces from the internet, and check for suspicious user accounts.

(Bleeping Computer)
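The three interim steps above can be checked against a saved copy of a device's running configuration. The script below is an added example, not Cisco's or VulnCheck's tooling: it parses a `show running-config` excerpt, reports whether the Web UI is reachable (either `ip http server` or `ip http secure-server` present), lists privilege-15 local accounts that are not on an operator-supplied allow-list, and emits the CLI commands that turn the HTTP servers off. The configuration text, hostname, and the `webui_tmp` account name are constructed for the example and do not come from a real device or from the reporting.

```python
"""Audit an IOS XE running-config excerpt for the Web UI exposure discussed above.

Added example (not Cisco tooling). Assumes a plain-text `show running-config`
capture; the sample below is constructed for illustration.
"""

import re

# Constructed sample: Web UI enabled over HTTP and HTTPS, plus a privilege-15
# account ("webui_tmp") that the operator does not recognise.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username admin privilege 15 secret 9 $9$example1
username webui_tmp privilege 15 secret 9 $9$example2
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
end
"""

# Same device after the two server lines have been removed.
HARDENED_CONFIG = SAMPLE_CONFIG.replace("ip http server\nip http secure-server\n", "")

# IOS XE only prints these lines when the feature is on; "no ip http server"
# starts with "no" and therefore does not match.
HTTP_SERVER_RE = re.compile(r"^ip http (?:secure-)?server\s*$", re.MULTILINE)
# Captures the account name and its privilege level from a "username" line.
USER_RE = re.compile(r"^username (\S+) .*\bprivilege (\d+)", re.MULTILINE)

# Commands that remove both HTTP servers and save the change.
REMEDIATION = [
    "configure terminal",
    "no ip http server",
    "no ip http secure-server",
    "end",
    "write memory",
]


def webui_enabled(config):
    """True when the HTTP or HTTPS server is configured, i.e. the Web UI is reachable."""
    return HTTP_SERVER_RE.search(config) is not None


def privileged_users(config):
    """Names of local accounts configured with privilege 15."""
    return [name for name, level in USER_RE.findall(config) if int(level) == 15]


def unexpected_users(config, allowed):
    """Privilege-15 accounts that are not on the operator's allow-list."""
    known = set(allowed)
    return [name for name in privileged_users(config) if name not in known]


def assess(config, allowed):
    """Human-readable findings for the two checks the advisory guidance calls for."""
    findings = []
    if webui_enabled(config):
        findings.append("web UI reachable: ip http server / ip http secure-server enabled")
    for name in unexpected_users(config, allowed):
        findings.append("unexpected privilege-15 account: " + name)
    return findings


def remediation(config):
    """CLI commands to apply, or an empty list if the Web UI is already off."""
    return list(REMEDIATION) if webui_enabled(config) else []


if __name__ == "__main__":
    for line in assess(SAMPLE_CONFIG, allowed=["admin"]):
        print("FINDING:", line)
    for cmd in remediation(SAMPLE_CONFIG):
        print("APPLY:  ", cmd)
```

Run it against a real capture by reading the file into `assess()` with your own allow-list. Removing both server lines also disables legitimate HTTPS management, which is the intent of the interim guidance; if HTTPS management has to stay, the management interface must at least be unreachable from the internet, as the item above says.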

Signal debunks zero-day report

Over the weekend, posts on Mastodon and LinkedIn claimed that a zero-day exploit in the encrypted messaging app could allow access to a targeted mobile device. In response on X, Signal said “we have no evidence that suggests this vulnerability is real.” It added that it had received no word of this vulnerability through its official reporting channels or from the US government, and asked researchers to send any legitimate information on a vulnerability to its reporting email. Zero-day flaws in messaging apps remain highly valued commodities: TechCrunch reported earlier this month that flaws in WhatsApp can cost up to $8 million.

(The Hacker News)

ServiceNow data exposure issue identified

Security researcher Aaron Costello released a report identifying a data exposure issue in the popular digital business platform ServiceNow. Costello estimates that roughly 70% of instances contain a misconfiguration in a component of the platform’s Simple List feature. The issue could expose information held in Simple List tables, such as names, emails, and internal documents. The issue is not new: it has apparently been present since Simple List was introduced in 2015. Another researcher looking into the exposure, Daniel Miessler, has seen no sign that threat actors have yet exploited it in the wild.

UK fines Equifax for 2017 data breach

Britain’s Financial Conduct Authority watchdog agency fined the UK arm of Equifax just over £11 million, about $13.6 million for “allowing hackers to access personal information of millions of people in 2017.” This case is separate from litigation and settlements that Equifax agreed to in the US in 2019. Instead, it focused on the fact that “Equifax Ltd, the firm’s U.K. business, exposed data because it outsourced processing to servers run by its U.S. parent, Equifax Inc.” Equifax Ltd was not aware that U.K. consumer data had been accessed “until 6 weeks after Equifax Inc had discovered the hack.” This case is also separate from one brought by Britain’s Information Commissioner’s Office in 2018 that fined Equifax Ltd £500,000 for violating data protection rules related to the 2017 incident.

(The Record)

Thanks to today’s episode sponsor, Vanta

“Growing a business? That likely means more tools, third-party vendors, and data sharing — AKA, way more risk.
Vanta’s market-leading trust management platform brings GRC and security efforts together. Integrate information from multiple systems and reduce risks to your business and your brand — all without the need for additional staffing. And by automating up to 90% of the work for SOC 2, ISO 27001, and more, you’ll be able to focus on strategy and security, not maintaining compliance. Join 5,000 fast-growing companies that leverage Vanta to manage risk and prove security in real-time. Our listeners get $1,000 off Vanta. Go to vanta.com/ciso to claim this discount.

CIA leaves information channel open to hijacking

In late September, the US Central Intelligence Agency added a Telegram link to its profile on X, intended as a way for potential informants to contact the agency with information. However, security researcher Kevin McSheehan noticed that X had truncated the visible URL on the CIA profile so that it pointed to an unregistered Telegram username. McSheehan registered the username himself and used it to redirect visitors to a page warning them not to share any sensitive information there. BBC News did not receive a response from the agency, but the agency fixed the issue within an hour of being contacted.

(BBC)

UAE, US partner to bolster financial services cybersecurity

During the Gitex Global Conference in Dubai, Dr. Mohamad Al Kuwaiti, head of cybersecurity for the UAE government, met with Todd Conklin, deputy assistant secretary of the Treasury, and agreed to cooperate in multiple areas. These areas included sharing cybersecurity incident and threat info, staff training and study visits, and conducting cross-border cybersecurity exercises. This effort is part of the US Treasury’s collaborative approach to improving cybersecurity for the international financial system through public-private partnerships and developing relationships with international partners. 

(Dark Reading)

State-backed attackers exploit WinRAR zero-day

Security researchers at Google found evidence that state-sponsored threat actors linked to China and Russia have been exploiting a vulnerability in the Windows archive utility WinRAR. Group-IB previously discovered the vulnerability and found signs of exploitation going back to April. Its developer, RARLAB, issued a patch on August 2nd. Google researchers say many users have not yet applied the update, opening the door to attacks from these APTs, including Sandworm and Fancy Bear.

(TechCrunch)

Ex-Navy IT manager jailed for selling people’s data on the dark web

A 32-year-old former chief petty officer in the US Navy’s Seventh Fleet, Marquis Hooper, of Selma, California, opened an account in 2018 with a company that maintains a PII database covering millions of people, including for the US government. Hooper claimed he was required to do this in order to perform background checks. Using this access, Hooper and his wife stole the PII of 9,000 individuals and allegedly made $160,000 in bitcoin through its sale. He was sentenced to five years and five months earlier this week, and his wife is scheduled to be sentenced on November 20.

(Graham Cluley on Fortra)  

How Iran’s Crambus (OilRig) APT spied on a Middle Eastern government for 8 months

An article in Dark Reading released yesterday, based on a report from Symantec, reveals how the Iran state-aligned group successfully spied on the government of an unnamed Middle Eastern country using new tools largely unknown to the cybersecurity community. The report describes how, on February 1, the group deployed a previously unknown PowerShell script, followed by four custom malware tools as well as two popular open-source hacking tools: Mimikatz for credential dumping, and Plink (PuTTY’s command-line SSH client) for remote access. The group, which Symantec tracks as Crambus and which is also known as APT34, Helix Kitten, and OilRig (a separate group from MuddyWater, despite the original headline), was at one time thought to have disappeared after suffering a leak of its own tooling in 2019, but as Dick O’Brien, principal intelligence analyst for Symantec, says, “they’re definitely back.”

(DarkReading)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.