Transcript
A (0:00)
From the CISO Series, it's Cybersecurity Headlines.
B (0:07)
These are the cybersecurity headlines for Friday, November 22, 2024. I'm Steve Prentice.

MITRE offers updated list of most dangerous software vulnerabilities

MITRE, the not-for-profit organization that oversees federally funded R&D centers with an eye to cybersecurity, has updated its Common Weakness Enumeration Top 25 Most Dangerous Software Weaknesses list, reflecting the newest developments in the cyber threat landscape. At the top of the list this year is cross-site scripting, followed by out-of-bounds write flaws, SQL injection bugs and missing authorization, coming in at number 10. CISA, which worked with a branch of MITRE in putting together the report, is now urging organizations to review the list and prioritize these weaknesses in development and procurement processes. A link to the list is available in the show notes to this episode.

CISOs can now obtain professional liability insurance

New Jersey-based insurer Crum & Forster recently unveiled a policy specifically designed to shield CISOs from personal liability. Representatives from the firm pointed out that, unlike other members of the C-suite, CISOs may not be recognized as corporate officers under a directors and officers liability policy, which normally covers executive liability. The firm says their goal is to help CISOs who are in a no-win situation: "If everything goes right, that's what people expect. If something goes wrong, they're the person that everyone looks at and then they're left holding the bag," the quote continues. "There are potentially significant financial ramifications for them because they are often not covered by traditional insurance policies."

BianLian group refines its game

Warnings have been issued by government agencies in the US and Australia regarding new TTPs being employed by the BianLian ransomware group, that is, Bian Lian. These include shifting exclusively to exfiltration-based extortion and leveraging new approaches for initial access, command and control, and defense evasion. It is thought to be a Russia-based group, with its Chinese-sounding name typical of its practice of misattributing location and languages to throw off its pursuers. Its shift towards exfiltration-based extortion means it still steals data and commands a price for it, but does so via file transfer protocol tools rather than ransomware, leaving the victim's systems intact.

French hospital suffers cyberattack, patient data exposed

The name of the hospital attacked has yet to be released, but the attack has been claimed by an individual with the nickname "nears" as part of a series of attacks through Mediboard, an electronic patient records solution made by Softway Medical Group and used by hospitals across Europe. This recent attack is claimed to have involved the medical records of 750,000 patients, although the threat actor claims to have access to the data of more than 1.5 million people overall. Softway Medical Group has confirmed the attack, but stated that this was not the result of a software vulnerability or misconfiguration on their part, but rather came through the use of stolen credentials used by the hospital. In addition, they stated that the exposed data was not directly managed by them, but rather hosted by the hospital.

Thanks to today's episode's sponsor, ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you take a proactive, default-deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation are fully supported by their US-based support team. To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com. That is T-H-R-E-A-T-L-O-C-K-E-R dot com.

Fortinet VPN design flaw hides successful brute force attacks

According to researchers at Pentera, this flaw is in the Fortinet VPN server's logging mechanism, and it can be tweaked to conceal the successful verification of credentials during a brute force attack without alerting the security system that is supposed to detect compromised logins. The brute force attack itself remains visible, but only failed attempts are logged, not the successful ones, which generates, in their words, "a false sense of security."

Easily exploitable bugs found in Ubuntu server utility after 10 years

Researchers at the Threat Research Unit of Qualys say they refuse to release exploit code for five bugs in Ubuntu Server's needrestart utility. They state that they were able to develop a working exploit but wouldn't release it, describing the findings as "alarming." The five vulnerabilities described by the researchers were actually introduced in April 2014. They reside in the needrestart utility of Ubuntu Server, which is designed to determine if a restart is needed following, for example, a critical library update or another type of upgrade. All five vulnerabilities have CVE numbers, and four of them have a 7.8 CVSS score.

Ultra-private phone available for high-risk individuals

The mobile technology company Cape has announced their development of an Android-based phone that can protect against location tracking, ensure that ads cannot uniquely ID the customer, and protect against SIM swapping, all while requiring solely a phone number but no name or address. The company is "planning on selling the phone to governments and through organizations and other distribution partners, like consultants who work with high-risk people." The quote continues that their technology will adhere to the Communications Assistance for Law Enforcement Act, a regulation that does force the collection of certain types of identifying data.

Japan's government suggests putting your usernames and passwords in your will

Described as digital end-of-life planning, Japan's National Consumer Affairs Center on Wednesday released a collection of suggestions to help avoid the complications and costs associated with passing through the great beyond with passwords still hidden. Helping loved ones deal with a digital legacy can mean ensuring family members can unlock your smartphone or computer, maintaining a list of subscriptions with user IDs and passwords, adding these details to a document intended for the person or persons responsible for managing such affairs and, of course, designating someone to have access to the smartphone and to these accounts.

As usual, we've got a busy Friday of live streams today. It starts at 1pm with Super Cyber Friday, where the topic will be Hacking eCrime Trends, an hour of critical thinking about staying on top of an ever-evolving threat landscape. Then at 3:30pm Eastern, we have our Week in Review show. Jimmy Benoit, VP of Cybersecurity at PBS, will be our guest, providing his expert commentary on the news of the week. To join us for both, head on over to the Events page at CISO Series. I'm Steve Prentice reporting for the CISO Series.
