Each week on the ACDS blog, we explore the biggest news stories of the week to inform and educate security professionals. This week’s round-up features stories about potential vulnerabilities in industrial control systems (ICS), a newly advertised malware-as-a-service threat, and more fallout from the MOVEit hack.
Tech companies and security firms rally against EU vulnerability disclosure rules
Dozens of cyber security experts are urging the European Union (EU) to reconsider the “counterproductive” vulnerability disclosure requirements in its proposed Cyber Resilience Act (CRA), which they say opens the door to misuse by both threat actors and intelligence agencies. It imposes mandatory cyber security requirements and obligations on manufacturers by obliging them to provide ongoing security support and software patches, and to provide sufficient information to consumers about the security of their products. Dozens of cyber security experts from a range of public and private sector organisations said the CRA’s disclosure provisions will create new threats that undermine the security of digital products and the individuals who use them.
Analyst Comments: Essentially, the article describes a compulsory mandate for software providers, requiring them to report promptly (within 24 hours) any vulnerability they become aware of being exploited in the wild to ENISA, the European Union's cybersecurity agency. ENISA will subsequently share this information with national CSIRT teams and financial market regulatory bodies in its member countries.
It is difficult to balance protecting users and keeping vendors accountable against the risk of more leaks and accidental disclosures.
The main concern about the CRA is the 24-hour reporting window, which could fall before a fix is available. This could, in turn, increase the risk of exploitation by malicious actors. Information on actively exploited bugs could also land in the hands of intelligence agencies and be abused for intelligence and surveillance operations. There is also the fear that the new disclosure rules will interfere with existing disclosure procedures.
There are, however, obvious benefits to the act. These include bolstering cybersecurity by introducing mandatory security requirements for manufacturers and retailers of products with digital components. The act also provides consumer protection by ensuring that products with digital components have adequate security features.
BunnyLoader: New Malware-as-a-Service Threat Emerges in the Cybercrime Underground
Cybersecurity experts have discovered yet another malware-as-a-service (MaaS) threat called BunnyLoader that's being advertised for sale on the cybercrime underground. "BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more," Zscaler ThreatLabz researchers Niraj Shivtarkar and Satyam Singh said in an analysis published last week. Among its other capabilities include running remote commands on the infected machine, a keylogger to capture keystrokes, and a clipper functionality to monitor the victim's clipboard and replace content matching cryptocurrency wallet addresses with actor-controlled addresses.
Analyst Comments: BunnyLoader is a feature-rich malware-as-a-service which is making waves across the internet and attracting cybercriminals due to its fileless loader capabilities and host of malicious functions, e.g. clipboard theft. It is reported to be sold on underground forums for $250, making it ‘budget friendly’. New malware-as-a-service threats like BunnyLoader are continuously evolving their tactics to carry out successful campaigns.
Researchers Warn of 100,000 Industrial Control Systems Exposed Online
Approximately 100,000 industrial control systems (ICS), which are crucial components of power grids, traffic management, security systems, and water infrastructure, have been detected on the public internet, leaving them susceptible to unauthorised access. The cybersecurity firm BitSight has brought attention to this issue, which affects various sectors and prominent companies across 96 different countries. The most exposed sectors include Education, Technology, and Government.
Analyst Comments: This research from BitSight found approximately 100,000 industrial control systems exposed on the public internet. Although this number is high, the research shows that it has improved since 2019. Although this is slow progress, it is still progress that should be recognised as a step in the right direction. For secure remote access to Industrial Control Systems (ICS), organisations should implement at least basic security measures such as VPN access, multi-factor authentication (MFA), role-based access control (RBAC), and network segmentation.
Cyberattack on British Telecom Lyca Prevented Customers From Making Calls, Topping Up
Over the weekend, a cyberattack caused disruption in the network of the prominent British telecommunications corporation, Lyca, leading to an inability for customers to purchase additional call minutes. Lyca, which boasts of being the world's largest international mobile virtual network operator with a customer base exceeding 16 million, provides pay-as-you-go SIM cards in 23 countries spanning Europe, Africa, and Asia. In response to customer reports of difficulties in acquiring additional call minutes for both international and domestic calls, the company has initiated an investigation. Lyca Mobile has stated, "The issues impacted all Lyca Mobile markets except for the United States, Australia, Ukraine, and Tunisia."
Analyst Comments: This attack caused severe disruption, preventing customers from making calls, and Lyca also had to hire technical experts to help with the response alongside law enforcement agencies. Although it has not been confirmed whether this was a ransomware attack, telecommunications firms are popular targets for cybercriminals due to the large amount of personal customer information that they hold.
More Than 6,000 Sony Employees Hit in MOVEit Transfer Breach
Sony has admitted that data on more than 6,000 past and present employees has been exposed in a cyberattack. The company experienced the data breach earlier this year as a result of the MOVEit Transfer vulnerability, a flaw in a popular file transfer platform which was exploited by the Russian ransomware gang Cl0p to attack businesses around the world. The notification comes weeks after a second alleged cyberattack against the company by the Ransomed.vc gang. Sony has written to those affected by the breach, explaining the risks of the data loss and what mitigation efforts the company has put in place to minimise the consequences of the incident.
Analyst Comments: A breach like this is bad enough as it is, let alone when it comes only a week after another breach at Sony. Two attacks in such a short period are worrying for the customers and suppliers that work with the organisation, and are likely to have a serious impact on brand trust and reputation. The group responsible for the first attack, Ransomed.vc, announced that it planned to release the stolen data on the dark web because the ransom was not paid. Sony needs to rebuild trust by demonstrating that it is doing what it can to strengthen its cyber security measures and doing its utmost to protect its customers' data.
Data is highly sought after by cybercriminals. Data security management has never been more vital, but how can we best protect it? There are many great tools and technologies for data security management, which you can read about on our blog.
Royal Family Website ‘Targeted in Russian Cyberattack’
The official website of the Royal Family experienced a temporary outage due to a cyberattack, with Russian hackers claiming responsibility. The incident lasted for approximately one and a half hours on Sunday morning, during which no unauthorised access to the website's systems or content occurred. The outage was the result of a distributed denial of service (DDoS) attack, orchestrated by the Russian hacker group known as Killnet.
Analyst Comments: This attack shows that even the Royal Family can be hit with a cyberattack and did not have sufficient measures in place to protect against this type of attack. Although there were no known consequences other than the website being down for 90 minutes, it is a stark reminder that groups like Killnet have the ability to cause disruption to even the most prestigious organisations, and it should be a warning to increase levels of protection.
As always, it is incredibly important to stay informed with the latest cybersecurity news. By keeping an eye on relevant news, leaders can make well-informed decisions, proactively implement security measures, and effectively protect against cyberattacks. A vigilant mindset, adoption of best practices, and utilisation of cutting-edge technologies are essential components to building a secure digital future.