BREAKING NEWS, UPDATES and INSIGHTS
Cybersecurity changes faster than you can read about it.
This page covers and comments on around 10 of the monthly 7000+ news items.
Updated April 24th, 2024.
| April 2024 | Headline | News |
| #043 | ChatGPT-4 Excels at CVE Exploits | Coverage of Generative AI (e.g. ChatGPT variants) is made with caution here. However, when ChatGPT-4 was fed the CVE* database, its success at creating exploits that crack these vulnerabilities was at a staggering 87% as opposed to 7% without the data. Previous versions of ChatGPT and others scored 0%. *CVEs (Common Vulnerability and Exposure) can be found in CISA’s catalog of KEVs (Known Exploited Vulnerabilities). The article covered by Tech Radar goes into the sobering details discovered by the University of Illinois. |
Note that news on Critical Infrastructure incidents is also tracked on the Critical Infrastucture page.
In Depth
Some stories need a closer, sometimes controversial look.
 |
How and why the Securities and Exchange Commission is bringing discipline and accountability globally, helping everyone in cybersecurity. |
 |
NIST’s Cybersecurity Framework “brings organization to cybersecurity implementation.” We explain why we have a very different view from others. |
 |
The now infamous breach of the MGM hotel and casino chain has become a poster child of how not to implement holistic cybersecurity. But what was the real unreported reason behind the attack? |
| April 2024 | Headline | News |
| #042 | VMware Ransomware | According to an FBI advisory, the Akira ransomware group has breached over 250 organizations and has gained approximately $42 million in ransom payments since March 2023. Full story covered in many places including Spiceworks. These attacks exploited vulnerabilities in VMware ESXI virtual machines. |
| #041 | Water, water Everywhere | According to a CNN Report, an attack the water systems in Mulshoe, Texas cause water to overflow from their water tower. While that caused local issues, what’s more interesting from a wider perspective is that the linked report generated by security company Mandiant goes into great details of the Russian linked APT44 group and how they go about such threats. |
| #040 | Ransom-war Plague? | Last month’s report on Change Healthcare (#29) below looks like its going to cost its parent company United Healthcare upward of $1bn! Unsurprisingly despite paying millions in ransoms the threat actor is revealing its stolen information. In Tarrant County, Tx, 300 residents had all of their personal info: SS, DLs etc. put on the dark web in a ransomware attack. There are now well over 1000 articles on the ransomware plague each month. Perhaps it should better be termed RANSOMWAR. |
| #039 | It’s that easy | In a Forbes article, Jay Chaudhry, CEO and Chair of Zscaler, describes how easy it is for threat actors to use Generative AI and their Large Language Models to ask for vulnerabilities of specific organizations and then to write code to exploit them including it seems Advance Persistent Threats. We are living in the beginnings of the Skynet world of Terminator movies but unfortunately there’s no travelling backwards in time to remove the AI. He goes on to cover how Zscaler’s strategy and products use AI, firewall and VPN replacement, hide data and provide Zero Trust SD-WANs. This is not an endorsement of any Zscaler product but the article makes a very interesting/sobering read. |
| #038 | Critical Infrastructure Protection: Water Systems | One of the most targeted critical infrastructure sectors has become water systems with many reports and warnings regarding threat actors from government and other resources. A new bill to establish a Water Risk and Resilience Organization has been introduced in the U.S to strengthen and enforce cybersecurity. Further details are in this Statescoop article. |
| #037 | Who is protecting the protectors? | The problem when leading security software companies (such as Palo Alto Networks self-reporting a critical vulnerability updated 4/13) are (a) what are the development processes that were not in place that resulted in the vulnerability? (b) How can others learn from the mistakes when users are not safe until the problem is fixed (fixes are under-development*), (c) How can others learn from the mistakes even when the problem is fixed, the likelihood of the cause is either too risky or just bad business to reveal? (d) As soon as the problem is fixed will all systems be updated (probably ok in this instance but mostly not) (e) and lastly, if you can’t trust the market leaders then who can you trust? *Update 4/15: Palo Alto says it has fixed the problem and updates will be rolled out shortly. |
| #036 | Ransomware hits home – if you still have one | The Jackson County, Missouri ransomware attack has caused chaos for people buying and selling homes after the ransomware attack disabled the systems and caused offices to close for days. What makes it is a big deal is that with the offices closed, house sales can’t register or be closed, offers expire and loans can’t be enacted, people have moved out and new owners can’t move in. i.e. chaos. |
| #035 | CISA Initiative will have big impact | An initiative by CISA this week will bring regulatory focus on cybersecurity to several hundred thousand business organizations. It follows rules brought by the SEC to publicly traded and regulated companies last December. This process, known as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements was initially introduced in 2022. This CISA update will require compliance to incident reporting and will likely, when complete, require companies to show that they have been taking documented, prudent, preventative steps. This document completes its comment phase June 3rd of 2024 and publication will follow. We will no doubt comment to CISA after carefully reading the draft document as we did with previous initiatives. Click here for the link that introduces the work that will apply to more than 20x the number of companies as the SEC. The impact on companies will hopefully be profound since it will become a legal requirement for businesses that continue to be oblivious of the cyberwar to finally take it seriously |
| #034 | The Big Picture | Sometimes we lose track of the big picture. In the first few days of April a fascinating presentation by a key member of the US Government catalogued that big picture. It covered the global economic, population decline impact, climate change and even water and crop shortage forces that make state-sponsored cybersecurity attacking the soft underbelly of first-world economies. It’s such a compelling and chilling reminder that there is a war going on and we are the targets. As it’s become a necessary part of those economies, it’s going to persist. It’s why every small business and large organization must strengthen its weak links and be vigilant permanently. |
| March 2024 | Headline | News |
| #033 | AT&T Breached again | Now the hackers are repeating themselves. “Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders,” Bleeping Computer and others reported on the latest AT&T breach. With so many credential breaches it’s easy to see why we are becoming immune to them. |
| #032 | How can they get it so wrong? | As an indication of the influence of form over function or hype over reality, this article from SDXCentral is an example what happens when market leader influence can get in the way of enterprise choice. I seriously doubt that Forrester said anything like what was reported. According to the article, the SSE market is the market of today and Zero Trust is of the past. and SASE is the way of the future. Since Zero Trust is at the heart of all such Gartner inspired derivatives, that SASE was superseded by SSE because supplier and market influence and none of it has any industry technical definition then it’s not difficult to see how journalists get confused. What began as I believe a good intention by Gartner to create an integration between networking and security has descended into a confusing mess for the enterprise. (End of rant). |
| #031 | Water, Water Everywhere | The latest missive from the U.S. Environmental Protection Agency (EPA) is more than hinting that water may be everywhere but there might not “be a drop to drink” unless action is taken to combat cybersecurity threats. The story in Cyberscoop, explains that there are 150,000 water utilities in the U.S. The staggering number is difficult to comprehend until you understand that there are 90,000 dams in the U.S. “Disabling cyberattacks are striking water and wastewater systems throughout the United States. These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.” The EPA is setting up a water sector cybersecurity task force to outline some of the biggest challenges the sector faces and develop strategies to defend against the threats. |
| #030 | One small step | Good Grief. Having spent the best part of a year and a half on a requirement for software companies to self-attest their secure development, CISA just published the work. If you do not conform then you can’t sell to the U.S. government. A very nice idea! However, it gives me no comfort to say that I think they missed critical elements including: (1) use of memory safe languages, (1) use of self-attested third party software elements, (3) requirement for Software Bill of Materials and (4) implementation of secure APIs. I personally submitted all of these to CISA but received no response and wrote an article that covered all the elements. What a missed opportunity. Oh, and if the software you sell was developed before September 2022 and hasn’t had a “major version update” then you don’t have to comply no matter how vulnerable it might be. In addition, also exempt are open source code publicly available. (what could possibly go wrong with that?) Good Grief! |
| #029 | Change Needed | The much-reported breach at Change Healthcare by Blackcat resulted in a staggering $22m ransomware payment. The outage in the billing and prescription arm of United Healthcare that processes 15bn transactions a year touches 1 in 3 patient records. First discovered on Feb 21, Change reports it will not be back online till the middle of this month. This is another Blackcat (RaaS) exploit, though the actual attack was claimed to be performed by “Nochy” – but maybe it’s all a scam? More on this from Cybersecurity Dive. |
| #028 | $12.5bn | Or to put it another way, that’s about $40 per person in the U.S. alone was lost in 2023 to cybercrime. There have been a plethora of reports looking back at last year but this one is an important reality check. According to the FBI as reported by tech.co news, 880,000+ complaints were made – a 22% increase on the previous year. Ransomware jumped 74% to $59m – and that was just what was reported! Investment frauds were the largest proportion followed by business email compromise. |
| #027 | Catch 22 | While it’s probably embarrassing that the US Department of Homeland Security (actually, even worse it was CISA) were breached, it does highlight a general problem. It’s not just that that “if they have been breached what hope is there for the rest of us?” The real issue is that the organization being breached does not want to disclose how it was breached since it reveals possibly systemic weaknesses that others may exploit. This makes it really difficult for others to learn from mistakes. Even disclosures to the SEC likely will not go into such detail publicly. The catch-22 is therefore: “we want you to learn from our experience – but we can’t tell you how!” Update: compounding this was the fact that CISA was using an Ivanti VPN (supposedly) secure gateway rather than ZTNA products and that CISA’s own “self-attestation” initiative can’t have been in place with Ivanti. Apparently the Zero Day vulnerability was breached by an APT(Advanced Persistent Threat) attack and even then the fix was not immediately implemented. Oh dear! (I don’t think I have an egg on the face emoji?) |
| #026 | White House Review | While it is not surprising that the White House is pleased with the progress it is making in cybersecurity, the “one year later” progress report is a useful reminder of the initiatives in play (69 of them apparently). Here’s the update from director Harry Coker. |
| #025 | The first cut is the deepest | Last year, this column covered the report: Escalating Global Risk Environment for Submarine Cables by the Insikt division of intelligence company Recorded Future, showing the vulnerability of the global economy to attacks on the 529+ submarine cables that transmit 99% of intercontinental communications. Today, 9 months later, CNN reported that several cables in the Red Sea have been cut impacting 25% of Internet traffic between Asia and Europe. A statement from HGC Communications says it has already mitigated the problem. However, other than a blame game, there is no public statement of who was responsible, or how the cuts had been made or whether it was deliberate or accidental! |
| #024 | Cloud | Following the re-emergence of Lockbit there are indicators of increasing threats aimed out cloud services, the U.K.’s National Cyber Security Centre warned this week. It underlines the importance of understanding the many methodologies required for protection when services and workloads are delegated to multiple clouds providers, application and security suppliers. |
| #023 | CSF 2.0 In-depth | It seems that the points raised in the previous entry covering CSF 2.0 are worthy of in-depth analysis on our Hot Topics Page. |
| February 2024 | Headline | News |
| #022 | CSF 2.0 Published | In January, this column made remarks in entry #004 about the draft of NIST’s Cybersecurity Framework 2.0, published mid 2023. The final version of CSF 2.0 is now published. I just don’t know what actions that could be taken from it. I don’t know if anyone from CISA provided oversight. Oh dear! |
| #021 | White House Ports Security | The White House Announced an Initiative to Bolster Cybersecurity of U.S. Ports. Supporting $5.4 trillion dollars of trade, the investment of $20bn will require the protection of systems, including cranes, 80% of which are of Chinese manufacture. Penalties for non-compliance are yet to be established. |
| #020 | DNS (=Dangerous Narrow Shave?) | A Group of German researchers discovered a very long-standing vulnerability (codenamed “KeyTrap”) in secure DNS, that if it had been exploited could have disabled the entire Internet. Fortunately, this has been responsibility mitigated. Full details are in Feb 20’s Security Now show notes (See page 12). |
| #019 | LockBit Lockdown (or was it?) | When one of the biggest threats of the last 18 months gets disabled by a coalition of 11 countries led by the US and UK, then it’s a big deal. All that’s left of Lockbit is a notice saying the site has been seized! But wait, just a few days later, there are still Lockbit sightings explained either by employees who took the work home with them, a remnant of a persistent threat attack or the use of a Lockbit type tool kit. We shall see. Feb 26th update: Well, that didn’t last for long, Lockbit has brazenly re-emerged – as noted in CybersecurityDive. (Cute graphic) |
| #018 | Weaponizing AI | Just as my daily use of Co-Pilot becomes an accelerator of my work, it gives some comfort that OpenAI (one of Microsoft’s Co-Piot’s AI engines) is shutting down accounts used to generate phishing and malware attacks (article). Dark Reading‘s “proceed with caution” seems prudent but is tempered by the level of sophistication being used by Korean threat actors as they make it difficult to spot phishing attacks from the genuine article and use AI to scale up their activities. This month, Google have announced their own AI Cyber Defense Initiative covered by Silicon Angle. |
| #017 | Clientless and Clueless | Next up in Microsoft’s 2024 woes is the news from Proofpoint that 200 Azure accounts have been compromised. Once the threat actors gain access to an Azure environment they carry out a host of malicious activity, according to Proofpoint, including manipulating MFA, data theft, follow-on phishing attacks and financial fraud. It seems that once you give up your envirnoment to a clientless reliance to Cloud providers such as Microsoft you are in the headlights of attacks. It makes you wonder if relying on unverifiable Microsoft security methodologies and relying on clientless IT, is a viable strategy. More on this from Cybersecurity Dive. |
| #016 | Mixed Bag | After a monster January in terms of important cybersecurity news, February is relatively quiet. However, the stories regarding Critical Infrastructure are hopefully raising awareness. Sentinel One and others are carrying stories regarding CISA, FBI and NSA warning of Volt Typhoon attacks on US, Canadian, UK, Australian Targets. Also, LastPass is back in the news after Apple somehow enabled duplicate postings of the once vaunted security app in their app store. |
| #015 | Big security staff shortages – big cybersecurity layoffs | This doesn’t seem to make sense. Report after report follows massive shortages of cybersecurity staff. At the same time SC Media Magazine is reporting on 110 cybersecurity firms laying off significant numbers of staff since the beginning of last year. Tech Crunch’s end-of-year summary called 2023 “the year of the Layoff.” Most of the tech layoffs are put down to overstaffing during the Covid years – but is there another reason? It may be an indicator that companies are still in denial about cybersecurity and would rather put their head in the sand rather then their hands in their pockets to pay for cybersecurity staff or solutions. |
| #014 | Zero Trust Brings a New Way of thinking | My latest article on Zero Trust in this month’s ISE Magazine takes a different twist on the topic which I hope you find interesting. |
| #013 | SEC creating board level impact | As now widely known, the SEC requires reporting of significant cybersecurity incidents within four days. What’s less well known is that it requires “most” public companies to disclose, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance. This, according to a posting by Blackberry, applies to foreign companies seeking funding and listing in the U.S. This is a great step forward since it focuses the executive team on preventative measures and processes. |
| January 2024 | Headline | News |
| #012 | Too many articles | January had so many big stories and articles on cybersecurity. This page deliberately does not cover every Bitcoin, healthcare, ransomware story. However, this month I’ve posted a list of 130 or so articles that were considered and almost made it that may be of interest. |
| #011 | One to watch | Newly discovered malware covered by Bleeping Computer known as NSPX30 is spread by corrupted versions of update mechanisms of the very widely used WPS Office software. (This is not Microsoft Office). Automatic updating is encouraged as an important defense in cybersecurity. It begs the question of when the exploit is fixed how is the update effected if the update mechanism itself is compromised? |
| #010 | Hey, we’re here too! | Not to be upstaged by Microsoft, HP Enterprise also had their email hacked by the same Midnight Blizzard Advanced Persistent Threat attack. Although first noticed on December 12th, it took till the end of January to make it public. So much for the SEC’s 4-day reporting rule. It also makes you wonder if the compromised emails contained details of the then pending HPE purchase of Juniper. I guess the SEC can track suspicious purchases of Juniper stocks. |
| #009 | Microsoft Sprayed | In the second recent instance of Password Spraying, Microsoft CEO’s email was compromised. Covered by various sources such as Hacker News it’s concerning that executives in one of the leading security companies ignored best practices and makes you question the organizations own attitude. The article calls it a sophisticated attack but it isn’t sophisticated. Password Spraying is where an attacker scans accounts looking for weak passwords to access accounts. It beggars belief that Microsoft executives would have elevated privilege to access mission critical secure applications, that they are using non-MFA access and worse still that they are using passwords that are so weak that they can be guessed. I hope I’m wrong about this but it’s another instance of lack of holistic cybersecurity. Oh dear! Now, according to Security Dive Microsoft has announced that it is to review its security practices. (Embarrassment complete!) |
| #008 | CISA | Despite being stuck with a slightly odd name, the US Cybersecurity and Infrastructure Security Agency (CISA) continues to do excellent work. In addition to doing groundbreaking work on self-attestation for software development it tracks new threats and promote updates to avoid Zero Day threats that cause damage, publishes the Common Vulnerabilities and Exposures (CVE) List and issues emergency directives. This week it published directives for Ivanti Endpoint Manager Mobile following new directives on Citrix and NetScaler products. It also issued guidance of the danger to critical infrastructure systems from unmanned Chinese drones. |
| #007 | Fight, Fly or Freeze? | According to Malwarebytes (the Malware detection company) in their recent survey of 1000 users, everyone is scared of the Internet but little is being done in terms of basic protection. You can’t fly to escape the Internet, people do not fight with only 35% using anti-virus software, 27% using VPNs, 24% and less in 8 other categories, so the answer is freeze and hope it all goes away. Bear in mind that many of those interviewed may be working from home using non-corporate devices. |
| #006 | FBI and SEC increase pressure on reporting | Some updates on the SEC and FBI activities. There has been several iterations of the news that the FBI will rarely grant extensions to the four-day disclosure deadline in the SEC’s rule that came into effect in December. At the same time the enforcement re the Solar Winds exploits raises the bar should a company not take cybersecurity precautions seriously. At the same time, SEC Chair Gary Gensler was acknowledging the seriousness of the SEC hack of their Xtwit (my name for this marketing disaster) account that falsely claimed that they had approved a spot bitcoin exchange but claiming that none of their other accounts were impacted. (They received my headless chicken of the month award.) |
| #005 | Don’t Drop It! | Publicly reported on CNN, CBS, with more analysis from TechTarget, a Beijing Forensic Institute says it has “cracked” Apple’s Air Drop encryption. This is in response to protestors sharing information/”propaganda” to obtain the identify the ID of the sender, etc. Interestingly, about a year ago Apple restricted Airdrop to 10 minute sessions to avoid unsolicited information being sent to nearby iPhone users. The questions are: (1) It appears that an unfixed known vulnerability exposed senders ID and key information that led to decryption – this is just supposition. (2) Did they just get sender information and was the claimed encryption just a scare tactic? (3) Did they find a way of using stored keys to effect encryption, was it a real brute-force decryption and has the exploit been known for some time by others and in use elsewhere in the world. This is scary as it comes hot on the heels of the item below regarding Apple vulnerabilities. |
| #004 | Cybersecurity Framework? | Given the plethora “Top 3 tips to ensure your cybersecurity in 2024,” I remembered the NIST Cybersecurity Framework 2.0 issued last August which started with 5 or six categories and then sensibly broke these down into 106 individual subcategories. At least someone got across the complexity of it all. It was only when I started rereading the details that I realized that it’s not really a “Framework” at all. It is a list actions you have taken, or the outcome actions you are taking all in vague terms such as “Systems, hardware, software, and services are managed throughout their life cycle” or “Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded,” and “Cyber threat intelligence is received from information sharing forums and sources.” It goes on in this fashion. Yes it’s good as a reminder not to miss important links in the chain, but there is nothing about the actions to take or how to take them. “A” for effort and getting across the scope of the topic but really “no pass.” Oh, and Zero Trust, Microsegmentation, Critical Infrastructure, Phishing and IoT don’t get a mention. Just a very strange document. |
| #003 | Advance Persistent Threat Problems (2) | Kaspersky, has reported an attack that circumvents/bypasses Apple’s iPhone hardware security by writing to undocumented locations. This is a Zero Touch attack (i.e. no user action is required) that has been reported as NISTs CVE-2023-38606 with extensive commentary by Steve Gibson in the show notes of January 2nd’s Security Now podcast. It seems that only an Apple insider would have knowledge of these undocumented locations since the vulnerability is not externally discoverable. The result being that an attacker can control all aspects of the device and the user is not aware of the incursion. While the origins of the information is not known it has been patched by Apple for those who upgrade their phones. The explanation and the reason for this backdoor remains unanswered. It does beg the question of who instigated the back door, when did first happen, who knew about it and are their similar back doors in other manufacturers devices? |
| #002 | Advance Persistent Threat Problems (1) | This category is the hardest to defend because of its diversity. The latest malware to pry open the door is JinxLoader used as an element of Hacking as a Service. Advance Persistent Threat is the collection of elements that begins with intrusion via phishing or identity theft and then loads malware, Elevates Privilege and explores weaknesses inside a network or system, then uses Lateral Movement to deploy malware at those vulnerable places and then instigates attacks in due course. JinxLoader is the vehicle that hackers can but to begin the process. Further Coverage in this month’s Hacker News article. More coverage on addressing APTs is planned. |
| #001 | My aspirations for 2024 |
|
Last Year on Breaking News