Here is our latest roundup of news about digital security in our connected world.
Vulnerabilities
- GitHub will start using code signing for npm software packages to protect its open-source registry. The move comes after vulnerabilities like Log4Shell raised concerns that there is no guarantee an open-source package on npm was built from the same source code that is published. Signing builds will authenticate where the software came from, adding another layer of digital trust.
Malware
- Microsoft discovered new malware, MagicWeb, attributed to the same threat actors behind the SolarWinds attack, that enables authentication as anyone. MagicWeb is an evolution of the FoggyWeb malware: it is a backdoored version of “Microsoft.IdentityServer.Diagnostics.dll” that the attackers swapped in for the legitimate file, allowing them to perform a variety of functions, including forcing applications to accept an invalid client certificate as valid.
- At the Black Hat conference, several active malware families were found on the Black Hat network, including Shlayer, NetSupport RAT and SHARPEXT malware, attributed to North Korean attackers. However, researchers expected even more malware, given the 20,000 attendees, including cybersecurity researchers and security employees, present at the conference.
Data breaches
- LastPass was hacked in August in an attempt to steal source code. LastPass confirmed that the attack came through a compromised developer account and claims that no customer data or passwords were compromised, although the threat actors did steal portions of its source code.
- A U.K. water plant that serves 200,000 customers was breached, and the attackers may have had full control of the facility. The incident highlights how vulnerable the water sector is to data breaches and the potential damage that could be caused in that sector. In this environment, the U.S. Environmental Protection Agency (EPA) will develop a plan to improve the cyber protections of water facilities.
- Cisco announced that it was hacked earlier this year. The attacker gained access to Cisco’s network through an employee’s personal Google account, because the employee had saved passwords in the browser. The employee did have MFA enabled, but the attacker used voice phishing to get the victim to accept a push notification, granting the threat actor access. The attacker was removed from the network but continued trying to regain access for weeks after the incident, without success.
- Capital One will pay $190 million to customers as part of a data breach settlement. The data breach occurred in March 2019 and affected over 100 million customers. The plaintiffs claimed that Capital One was aware of security vulnerabilities but failed to take steps to protect customers.
- The same hackers who breached Twilio in early August also targeted Cloudflare and over 100 other organizations. The attackers breached Twilio by using smishing (SMS phishing) to trick some employees into handing over corporate login credentials. The attackers appeared to target companies using Okta for single sign-on.
Government standards
- U.S. President Joe Biden signed the CHIPS and Science Act into law in early August. The legislation will provide billions in incentives to chip manufacturers and will fund public research to help boost the United States’ competitive edge and solve supply chain issues. “The United States must lead the world in the production of these advanced chips. This law will do exactly that,” Biden said. As chip manufacturers move operations to the United States, they should partner with a trusted, compliant leader in digital trust capable of helping them inject trust into their silicon and manage that trust at any stage of the product lifecycle.
- The U.S. House of Representatives has passed a new bill, the SECURE Notarization Act (H.R. 3962), which would set federal standards allowing notaries in all states to perform remote online notarization transactions. The bill also allows a notary public to remotely notarize electronic records involving an individual located outside the United States. It uses e-signatures as defined in the U.S. e-Sign Act. The legislation will now be considered by the Senate, where companion legislation (S.1625) has been introduced.