Tuesday Morning Threat Report: Aug 1, 2023

Mark Maguire, published in System Weakness, Aug 1, 2023

Where the news is always bad, but the analysis is always good.

Image by Markus Spiske

Good morning all and happy Tuesday!

Microsoft is accused of negligence by a Senator, Norway’s government is hacked, and a cyberattack takes out the U.K.’s ambulance record system. Let’s dive in!

Top Stories:

This week’s biggest headlines. Analysis section below.

Senator Accuses Microsoft Of Negligence: U.S. Senator Ron Wyden wrote an open letter to the U.S. Department of Justice demanding action against Microsoft for failing to prevent a Chinese espionage campaign against the U.S. government.

Norwegian Government Hacked: A vulnerability in the cybersecurity tool Ivanti Endpoint Manager was exploited against twelve Norwegian ministries. At this time, the extent of the damage from the hack is unclear.

Deloitte Hacked: Cl0p hacked Deloitte with its MOVEit attack, meaning all of the Big 4 have now been hacked from the same vulnerability. Deloitte disputes Cl0p’s claims that any client data was lost in the attack.

Another One: A new generative AI, dubbed “FraudGPT,” has been rolled out for sale on dark web forums. The tool’s release comes on the heels of the commercial success of WormGPT. Like WormGPT, FraudGPT also assists hackers with scamming and social engineering.

iPhone Zero-Day: Apple has issued a security patch to remediate numerous zero-day vulnerabilities. The fixed bugs include a patch for the vulnerability at the center of “Operation Triangulation,” a spyware campaign Russia alleges the U.S. orchestrated.

Thoma Cashes Out: Thoma Bravo is a private equity company that specializes in cybersecurity. This week, Thoma sold Imperva, an application security company it acquired in 2018 for $2.1 billion, for $3.6 billion.

TSA Updates Regulations For Pipelines: The U.S. Transportation Security Administration (TSA) has issued new requirements for pipeline operators. Pipeline operators are now required to exercise the plans they have developed for responding to a hack.

SEC Strengthens Cybersecurity Reporting: The U.S. Securities and Exchange Commission adopted new rules regarding cybersecurity reporting on Wednesday, July 26th. The rules generally require firms to report hacks within four days of their detection.

My Takeaways

Analysis based on this week’s news and my experience in the industry. More headlines below in the Lower Echelon.

Laissez-UNfaire: Most people who follow economic regulation are familiar with the “laissez-faire” school of thought, a term coined by Jean-Baptiste Colbert. Laissez-faire is a French phrase that roughly translates to “let it be.” A cornerstone of laissez-faire policy is that markets are competitive, and for that reason they will self-regulate. Because of this self-regulation, the government should not impose additional regulation, as it will interfere with productivity.

Laissez-faire certainly has its place, and I recognize that over-regulation often kills business. That being said, my experiences in cybersecurity incline me to think cybersecurity regulation is generally a good thing. Numerous projects I have worked on have been a result of cybersecurity regulation passed in recent years. In these projects, advanced weapons manufacturers and government organizations did not have even the most basic cybersecurity controls prior to the project’s completion. When I asked the company what prompted them to prioritize security, the response was always the same: compliance with upcoming regulation.

I have seen a similar but distinct phenomenon at startups. Frequently, startups have a fixed investment and are burning through it as they try to launch their product. The risk of the company running out of money is at the forefront of management’s mind. In these scenarios, companies will frequently do the minimum cybersecurity required to ensure their product launches before the cash runs dry. For that reason, the higher we set the bar with common-sense regulation, the more customer privacy and data will benefit.

Fundamentally, I like cybersecurity regulation for the same reason I like the FDA. I take comfort in the fact that when I eat a hotdog, there are minimum sanitary requirements the company had to meet (just please don’t tell me what was ground up to produce it). Left to laissez-faire, I am sure the companies I worked for would eventually have been hacked and failed as businesses, and, as the result of a competitive market, a company that values cybersecurity would have replaced them. However, when large, unregulated companies are hacked, we are all the victims. It’s our data and privacy that is lost. Personal experience has shown me that many companies are doing the minimum security required. It’s healthy to be skeptical of over-regulation, but in this scenario, raising the bar is a good thing.

The Lower Echelon:

Interesting cybersecurity news that didn’t quite make the cut to be a top story.

Police And Military Encryption Backdoor?: A backdoor has been uncovered in the encryption that police and military radios use. A group of security researchers found that a laptop can crack the encryption in under a minute.

U.K.’s Ambulance Record System Attacked: Ortivus, the software many U.K. ambulances rely on for record keeping, has been taken offline by a cyberattack. While the system is offline, ambulances have been struggling to communicate records to hospitals.

Atlassian Patches Confluence: Software development tools company Atlassian has issued patches for critical vulnerabilities in numerous products, including Confluence. The vulnerabilities could result in Remote Code Execution (RCE).

OneTrust Raises $150M: OneTrust, an internet privacy and security company, has raised $150 million at a valuation of $4.5 billion. OneTrust helps customers remain compliant with internet regulation, particularly with “cookies” and tracking.

Cl0p Takes Another Victim: Government contractor Maximus was hacked by Cl0p’s MOVEit attack. Maximus provides services for the U.S. government, including assistance with Medicare, Medicaid, and student loans.

Common Router OS Vulnerable: MikroTik’s RouterOS is a common Operating System (OS) for Wi-Fi routers. A vulnerability uncovered in a version of RouterOS with nearly a million downloads has forced MikroTik to issue a patch.

Lazarus Steals Another $100M: North Korea-based hacking organization “Lazarus Group” is being blamed for two more hacks. Raids on cryptocurrency companies CoinsPaid and Alphapo resulted in $100 million in stolen currency, and analysis points to Lazarus as the culprit.

OSS Bank Hacks: Researchers at Checkmarx have discovered Open-Source Software (OSS) attacks that are targeting banks. The attacks involve planting malicious packages in common software and then waiting for the right victim to download that software.


Thanks for reading! See everyone next week!

About the author: Mark is a cybersecurity architect and consultant for leading cybersecurity consultancy Aujas.
