Welcome to Cyber Watch series for today, October 6, 2023. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of stories that matter every week.
This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. You can read the full story by clicking on each headline. We encourage you to review these stories and take steps to protect your organization.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially launched the 20th annual Cybersecurity Awareness Month, emphasizing the critical need for cybersecurity resilience in an increasingly interconnected and digital world.
This milestone event, recognized nationally, spotlights the importance of cybersecurity across all sectors. Under the theme “Do Your Part. #BeCyberSmart,” CISA is encouraging individuals, organizations, and government agencies to take proactive measures to enhance their cybersecurity posture.
According to a Security Magazine report, CISA’s Cybersecurity Awareness Month will feature a range of educational resources, events, and initiatives to empower individuals and organizations with the knowledge and tools needed to protect against cyber threats.
The initiative comes at a time when cyberattacks continue to escalate in frequency and sophistication, affecting businesses, governments, and individuals alike. By fostering a culture of cyber resilience, CISA aims to bolster the nation’s collective defenses against cyber threats and promote safer online practices.
The National Security Agency (NSA) has announced plans to establish an AI Security Center, marking a significant step in its ongoing efforts to harness artificial intelligence (AI) for the detection and mitigation of cyber threats. The AI Security Center will serve as a hub for research, development, and innovation in AI-powered cybersecurity technologies.
Cyber Wire reports that the NSA envisions the center as a collaborative space where government agencies, private sector partners, and academic institutions can work together to advance AI-driven security solutions. By leveraging AI’s capabilities, the center aims to enhance the nation’s ability to defend against a wide range of cyber threats, from nation-state actors to cybercriminal organizations.
A recent report by IANS Research and Artico Search reveals a marked deceleration in the growth of cybersecurity spending during the 2022-23 budget cycle. The study, which surveyed 550 Chief Information Security Officers (CISOs), found that cybersecurity budget growth plummeted by 65%, reflecting widespread economic stressors.
Economic uncertainties, inflation pressures, and concerns about a potential future recession led to budget cuts or spending freezes for more than a third of the surveyed CISOs. Notably, technology firms, typically robust investors in security, saw a substantial decline in spending growth, with just a 5% increase on average.
However, amidst these challenges, cybersecurity budgets remained somewhat resilient compared to overall IT budgets. Over the last three years, there has been a gradual increase in the proportion of IT budgets dedicated to security, rising from 8.6% in 2020 to 11.6% in 2023.
According to a report by SC Media, an intriguing finding is that CISOs are prioritizing “people over tools,” with a substantial 38% of security budgets allocated to staffing and compensation expenses. This underscores the recognition of the critical role skilled cybersecurity professionals play in safeguarding organizations against evolving threats.
US Government Agencies Propose New Rules Requiring Federal Contractors to Implement Software Bill of Materials (SBOM)
InfoSecurity Magazine reports that three major US government agencies, including the Department of Defense (DoD), NASA, and the General Services Administration (GSA), have unveiled a set of proposed rules aimed at enhancing the cybersecurity posture of federal contractors. These rules would mandate the development and maintenance of a Software Bill of Materials (SBOM) for all software employed in contract delivery.
The move aligns with President Biden’s executive order from May 2021, emphasizing the need to fortify incident response capabilities. The proposed rules, encompassed within the “Cyber Threat and Incident Reporting and Information Sharing (FAR Case 2021-017),” seek to bolster cybersecurity across federal contracts.
SBOMs are integral inventories encompassing all components of software, encompassing both open-source and proprietary applications, alongside their intricate hierarchical relationships. These SBOMs serve as a pivotal element in mitigating software supply chain risks by enhancing visibility into potential vulnerabilities and expediting the remediation of known flaws.
This initiative underscores the US government’s dedication to fortifying cybersecurity practices within federal contracting, acknowledging that robust incident response begins with comprehensive insight into software components.
According to Cybersecurity News, the FBI has issued a crucial alert highlighting the mounting ransomware threats and urging organizations to take immediate steps to mitigate risks and curb the devastating consequences of these attacks. In July 2023, the FBI observed two alarming ransomware trends, both of which demand heightened attention:
First, threat actors are launching multiple ransomware attacks on the same target in rapid succession. This strategy intensifies the pressure on victims, underscoring the persistence and audacity of cybercriminals.
Second, a concerning development involves the implementation of novel data destruction tactics. These tactics are designed to inflict severe damage, potentially making data recovery a more formidable challenge for affected organizations.
The FBI’s report identifies several ransomware variants, including AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal, which have been deployed in these attacks. Threat actors have been utilizing various combinations of these variants to inflict harm, resulting in data encryption, data exfiltration, and substantial financial losses.
Pathward, previously known as MetaBank, has fallen victim to a massive data breach resulting from a third-party compromise involving the MOVEit Transfer software. This breach has left approximately 800,000 individuals exposed, including the disclosure of sensitive payment card details.
Pathward promptly informed its clients, particularly those holding the H&R Block Emerald Card, about the breach, which was traced back to a service provider utilizing the compromised MOVEit Transfer software.
According to a Cyber News report, it is worth noting that MetaBank, now Pathward, played a pivotal role in issuing millions of COVID-19 stimulus debit cards in collaboration with the US Treasury Department during the pandemic. However, this recent breach is unrelated to that effort.
While Pathward asserts that its own systems remained uncompromised, the breach exposed a trove of sensitive customer information linked to the H&R Block Emerald Card. This information includes financial data, which, when combined with personal details, creates a significant risk of financial fraud.
Such incidents underscore the pressing need for organizations to bolster cybersecurity measures and vigilantly safeguard customer data, especially when third-party systems are involved, to protect individuals from potential harm and financial loss due to cyberattacks.
In September 2023, three tech giants—Apple, Google, and Microsoft—found themselves racing to patch multiple zero-day vulnerabilities, underscoring the relentless challenges of cybersecurity.
Wired News reports that Apple addressed a high-severity flaw in iOS and iPadOS that allowed attackers to execute arbitrary code with kernel privileges. Google, on the other hand, grappled with two zero-days affecting the Android operating system. One enabled remote code execution through malicious apps, while the other involved a Bluetooth-related vulnerability.
Microsoft also confronted its own set of zero-days. The company’s Windows Print Spooler service was plagued by a remote code execution vulnerability, a recurring issue that has been a thorn in Microsoft’s side. Additionally, Microsoft worked to remediate a memory corruption flaw in its Edge browser.
Zero-day vulnerabilities are particularly concerning because they are exploited by threat actors before the developers are aware of them, leaving users exposed to potential harm. These incidents emphasize the need for constant vigilance, rapid response, and timely software updates to protect users and fortify the cybersecurity posture of these tech giants’ products.
Sony has revealed insights into two distinct cyberattacks that recently targeted the company. The first attack was associated with the RansomedVC ransomware group, which claimed to have compromised Sony’s entire system.
However, Sony’s investigation, supported by third-party forensics experts, revealed that unauthorized activity was limited to a single server located in Japan. This server, used for internal testing for the company’s Entertainment, Technology, and Services (ET&S) business, did not contain customer or partner data. Sony promptly took the server offline, ensuring no adverse impact on its operations.
Despite RansomedVC’s claims, the actual extent of the breach seemed less severe than initially feared. According to a recent Security Week report, the cybercriminal group later released an archive file allegedly containing stolen Sony data, although issues prevented its download at the time of reporting.
The second incident involved the Cl0p ransomware group exploiting a zero-day vulnerability within Progress Software’s MOVEit managed file transfer (MFT) software. This allowed unauthorized access to files from numerous organizations relying on the software.
According to InfoSecurity Magazine, Police in Northern Ireland have issued a warning to businesses and organizations in the region regarding the rising threat of QR code phishing, commonly referred to as “quishing.” This crime prevention notice, issued by the Police Service of Northern Ireland (PSNI) Cyber Crime Centre, urges local businesses to update their staff’s cybersecurity training to recognize and counter this emerging threat.
QR phishing, or “quishing”, shares a similar goal with traditional phishing scams – tricking victims into divulging personal information or unknowingly installing malware. However, in this case, the victim receives an unsolicited email containing a QR code, often disguised as legitimate brands like Microsoft Authenticator.
This approach allows phishing emails to evade traditional security filters and increases the likelihood of victims trusting the sender. When the QR code is scanned, it leads recipients to URLs that may host malware or credential-harvesting sign-in pages.
QR phishing is not a new tactic, but its use has surged, particularly during the COVID-19 pandemic when QR codes became prevalent in the healthcare and hospitality sectors. These scams are more convincing to users as they lack the usual spelling and language errors found in traditional phishing emails.
A recent Hacker News report revealed that security researchers have uncovered a fresh cybersecurity threat known as BunnyLoader, marking the latest in a string of malware-as-a-service (MaaS) offerings available on the dark web. BunnyLoader presents a multifaceted danger to individuals and organizations alike. For $250, cybercriminals can purchase a lifetime license to this C/C++-based loader, complete with a range of malicious functionalities.
Among its sinister capabilities, BunnyLoader can download and execute secondary payloads, pilfer browser credentials and system data, run remote commands on compromised machines, record keystrokes, and even monitor users’ clipboards, swapping out cryptocurrency wallet addresses with those controlled by the attacker.
What makes BunnyLoader particularly insidious is its fileless loading feature, designed to thwart antivirus defenses. Moreover, this threat has been in constant development since its appearance in September 2023, with periodic updates aimed at evading sandboxes and antivirus solutions. Critical security vulnerabilities in its command-and-control (C2) panel have also been addressed to enhance its appeal to cybercriminals.
While the initial distribution method remains unclear, once BunnyLoader infiltrates a system, it establishes persistence, conducts various checks to evade detection, and communicates with a remote server to execute its malicious activities.
Experts emphasize that BunnyLoader represents an ever-evolving danger, underlining the persistent challenges faced in the cybersecurity landscape. This discovery comes in the wake of the emergence of other malware strains, further highlighting the need for robust cybersecurity measures in today’s digital world.
That’s all for today. Stay tuned for our next episode. See you next week!