By the CyberWire staff
At a glance.
- New Lazarus Group activity discovered.
- Chinese operators intrude into infrastructure.
- Cyber action connected with the war between Hamas and Israel.
- Cyber action in Russia’s hybrid war against Ukraine.
- Apache Struts vulnerability exploited in the wild.
- USPS impersonation.
- 5Ghoul: a chip risk.
- Autofill risk.
- MrAnon infostealer and a malicious booking app.
- BatLoader and FakeBat.
- Holiday fraud services for sale in the C2C market.
- BazarCall phishes with Google Forms.
- New threat actor discovered: "GambleForce."
- Malicious ads associated with Zoom.
New Lazarus Group activity discovered.
Cisco Talos says North Korea’s Lazarus Group is conducting a new campaign dubbed “Operation Blacksmith,” targeting companies in the manufacturing, agricultural, and physical security sectors. The threat actor is “employing at least three new DLang-based malware families, two of which are remote access trojans (RATs), where one of these uses Telegram Bots and channels as a medium of Command and Control (C2) communications.” The researchers observed overlaps with previous activity by the Lazarus sub-group “Andariel,” noting that “Andariel is typically tasked with initial access, reconnaissance and establishing long-term access for espionage in support of the North Korean government’s national interests.”
Chinese operators intrude into infrastructure.
In what appears to be a staging and battlespace preparation effort, China's People's Liberation Army cyber operators have intruded into infrastructure in several countries, with, the Washington Post reports, special attention to the United States. The incursions, US officials say, are "part of a broader effort to develop ways to sow panic and chaos or snarl logistics in the event of a U.S.-China conflict in the Pacific." The staging forms part of the ongoing Volt Typhoon campaign; the latest US disclosures build on February's annual assessment by the Office of the Director of National Intelligence. The Post quotes CISA Executive Director Brandon Wales as saying, “It is very clear that Chinese attempts to compromise critical infrastructure are in part to pre-position themselves to be able to disrupt or destroy that critical infrastructure in the event of a conflict, to either prevent the United States from being able to project power into Asia or to cause societal chaos inside the United States — to affect our decision-making around a crisis. That is a significant change from Chinese cyber activity from seven to 10 years ago that was focused primarily on political and economic espionage.”
Volt Typhoon has been found actively exploiting vulnerabilities in SOHO (small office/home office) routers produced by Cisco, Netgear and Fortinet. The routers are at their end-of-life, outdated and no longer supported. Lumen's Black Lotus Labs has found and disrupted Volt Typhoon activity exploiting these devices in the KV-botnet that was used earlier this year to attack infrastructure in Guam. Black Lotus Labs believes the activity suggests battlespace preparation and staging for further infrastructure attacks against US targets. The researchers also recommend, SecurityWeek reports, replacing vulnerable devices.
Sandman APT linked to a Chinese threat actor.
Researchers from SentinelOne, Microsoft, and PwC have published research outlining links between the Sandman APT and the suspected Chinese threat actor STORM-0866/Red Dev 40. The links include “victimology overlaps, cohabitation, and sharing C2 infrastructure control and management practices.”
The researchers conclude, “The findings we present are yet another showcase of the complex nature of the China-based threat landscape. As exemplified by Sandman and STORM-0866/Red Dev 40, this landscape is marked by substantial cooperation and coordination among its constituent threat groups, along with the possibility of third-party vendors supplying the operational teams with tooling. This makes accurate clustering challenging. Therefore, while acknowledging the association of Sandman with the suspected China-based adversaries using KEYPLUG, we continue to track Sandman as a distinct cluster until further conclusive information suggesting otherwise becomes available.”
Cyber action connected with the war between Hamas and Israel.
The US FBI has characterized the exploitation of widely used PLCs, most notoriously by Iran's CyberAv3ngers at the Aliquippa Municipal Water Authority in Pennsylvania, as a "significant escalation" in cyberattacks linked to Iran, the Pittsburgh Post-Gazette reports. The attack on the water systems was apparently a simple defacement attack delivered in support of Hamas (the PLCs exploited were made in Israel), but “It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved."
SentinelOne reported this week on the activity of the Gaza Cybergang, a Hamas-linked threat group that's been active since before the present war. The activity "cluster" has several distinct subgroups: Gaza Cybergang Group 1 (the Molerats), Gaza Cybergang Group 2 (also known as Arid Viper, the Desert Falcons, APT-C-23), and Gaza Cybergang Group 3 (the group behind Operation Parliament). These subgroups show signs of consolidation, especially with respect to their malware supply chain. The Gaza Cybergang has long targeted Palestinian rivals to Hamas, notably the Palestinian Authority, and the ongoing war with Israel hasn't changed that. "These activities are likely aligned with the tensions between the Hamas and Fatah factions, whose reconciliation attempts had been stagnating before and after the outbreak of the Israel–Hamas war. At the time of writing, our visibility into Gaza Cybergang’s activities after the onset of the conflict does not point to significant changes in their intensity or characteristics."
While the Gaza Cybergang, the threat group most closely associated with Hamas, retains its long-standing preoccupation with intra-Palestinian targeting, Iranian groups have been active against Israel. ESET describes the techniques one of them, OilRig (also tracked as APT34, Lyceum, Crambus, and Siamesekitten), has used against Israel since the most recent wave of attacks began in 2022. During that campaign OilRig employed four new downloaders: SampleCheck5000 (SC5k v1-v3), ODAgent, OilCheck, and OilBooster. All of them are relatively noisy and unsophisticated, but often effective nonetheless. The attacks used legitimate cloud services for command-and-control. OilRig is a cyberespionage operation, interested principally in collection as opposed to theft or sabotage.
Israeli law prohibits private companies from attacking international cyber systems, but according to the Jerusalem Post one Israeli company, CyTaka, believes it's found a way to hit back at Israel's enemies in cyberspace without running afoul of the law: engage international partners. "Their efforts target disinformation distribution, psychological warfare, and offensive cyberoperations that fund terrorist organizations." The CyTaka-organized operators are empowered to undertake targeted cyber counterattacks. "By identifying and neutralizing hacker networks," the Jerusalem Post writes, "economic losses from attacks can be mitigated."
Kyivstar sustains disruptive cyberattack.
Kyivstar, Ukraine's largest mobile service provider and ISP, has said that it's gradually restoring service in the aftermath of what Reuters calls "the biggest cyberattack of the war." Cell service has been affected, as have online financial services and various sections of Internet-connected infrastructure, like air raid sirens and public street lighting. Investigation continues, but the Russian hacktivist auxiliary KillNet (now under new management after Killmilk's retirement) was quick to claim credit for the operation. The Wall Street Journal notes that most informed observers regard KillNet's claim with skepticism.
Ukraine's SBU says that a Russian "pseudo-hacker group" has claimed responsibility for the cyberattack that took down the mobile telecommunications and Internet service provider Kyivstar earlier this week. The SBU doesn't identify the group, but says that it works for Russia's GRU, affording Moscow's military intelligence service a degree of plausible deniability. The Kyiv Independent reports that the self-identified Russian group, Solntsepek, said in a Telegram channel that "We attacked Kyivstar because the company provides communications to the Armed Forces of Ukraine, as well as government agencies and law enforcement agencies of Ukraine." The group claimed that it "destroyed" ten thousand computers, more than four thousand servers, and all cloud storage and backup systems associated with Kyivstar. That's clearly exaggerated, but the disruption was nonetheless widespread and extensive. Ars Technica notes that Solntsepek has been associated with the GRU's Sandworm activity.
Thus the initial claims of responsibility by KillNet lack credibility. Dan Black, Principal Analyst, Mandiant Intelligence - Google Cloud, sent us his team's assessment of KillNet's claims. They think it's empty gasconade. "Mandiant has noted the claim of responsibility from KillNet. We regard this claim skeptically. Previous KillNet operations have not demonstrated capabilities that would allow them to conduct this level of operation. In addition this claim of responsibility does not match that pattern and was released hours after the operation and does not release any 'proof,' raising the possibility that it is simply an opportunistic claim, rather than a legitimate one."
Approximately 24 million customers' mobile service was affected, as were more than a million customers' home Internet connectivity. Although Kyivstar says their data weren't compromised, the company did say that two customer databases had been "damaged," and were now "locked." One noteworthy effect of the attack was a minor but telling impact on infrastructure: streetlights in Lviv had to be turned off manually. Their remote controls ride on Kyivstar's network.
Developing Telecoms has reported that Kyivstar had substantially restored broadband Internet service, but, as Reuters observed some hours earlier, full recovery is probably still a matter of weeks away.
Ukraine's GUR claims to have successfully attacked Russia's tax service.
Ukraine's military intelligence service, the GUR, claims to have conducted a disabling cyberattack against Russia's tax service. Interfax quotes the GUR: "During the special operation, military intelligence officers managed to penetrate into one of the well-protected key central servers of the Federal Tax Service (FTS of the Russian Federation), and then into more than 2,300 of its regional servers throughout Russia, as well as on the territory of the temporarily occupied Crimea. As a result of the cyberattack, all servers received malicious software." An IT company that provides support to financial services was also hit.
"During the special operation," the GUR writes on its public website, "military intelligence officers managed to break into one of the well-protected key central servers of the federal taxation service (fts of the russian federation), and then into more than 2,300 of its regional servers throughout russia, as well as on the territory of temporarily occupied Crimea." (The lowercasing of "russia" and acronyms associated with the Russian government has become a standard gesture of contempt in Ukrainian official communications.) The GUR claims four days of disruption so far and predicts that it will take at least a month for the FTS to restore service.
According to RIA Novosti, the FTS says the whole thing never happened, and that all services are up and running normally. Some services, like the FTS's main, informational site, are indeed still accessible, but as Meduza points out the FTS has also quietly warned, in a Telegram channel, that users may experience some difficulties.
GRU phishing campaign delivers Headlace malware.
IBM's X-Force reports that an apparent GRU operation, ITG05, is using Israel-Hamas-war-themed phishbait in a campaign that spreads the Headlace backdoor. "X-Force tracks ITG05 as a likely Russian state-sponsored group consisting of multiple activity clusters, sharing overlaps with industry-identified threat actor groups APT28, UAC-028, Fancy Bear and Forest Blizzard," the IBM advisory explains. Discovered in September by CERT-UA, Headlace has three components: a .CMD dropper, a .VBS launcher, and a .BAT backdoor.
The researchers have identified targets in thirteen different countries. The phishbait and the geographical targeting suggest to X-Force that ITG05 is interested in humanitarian aid organizations based for the most part in Europe. The attacks are tightly geolocated, designed to be opened only in the targeted countries. "It is unclear precisely how many entities were impacted by the campaign, but our analysis indicates that organizations in the following countries were targeted: Hungary, Türkiye, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia and Romania. Of note, all but one of the 13 nations featured in the geolocations perimeters for downloading Headlace are United Nations Human Rights Council members." The Human Rights Council is of interest to Russia because of the threat (as Russia's government perceives it) of that organization taking action to expose, condemn, or otherwise oppose Russian activity against the population of Ukraine. X-Force expects campaigns of this kind to continue.
SVR exploits JetBrains TeamCity vulnerability.
The US Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) have issued a Joint Cybersecurity Advisory warning that Russia's SVR is engaged in widespread exploitation of CVE-2023-42793. The Russian foreign intelligence service (whose cyber operations have been tracked as APT29, the Dukes, CozyBear, NOBELIUM, and Midnight Blizzard) has been "targeting servers hosting JetBrains TeamCity software since September 2023."
TeamCity is used by developers to manage and automate compilation, building, testing, and releasing software. Successful exploitation could provide the SVR with access to developers' source code, signing certificates, and the compilation and deployment processes themselves. It would represent a software supply chain threat. The SVR has engaged in this sort of attack before, most notably in 2020, when it accessed and compromised SolarWinds and its customers. So far SVR's exploitation of TeamCity hasn't had comparably wide-reaching effects. The Joint Advisory says, "The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments." The victimology shows no clear pattern beyond simple vulnerability: the attackers chose targets opportunistically. If an organization was exposed to CVE-2023-42793, that was enough for the SVR's targeteers.
The Joint Advisory includes the description of attack techniques, indicators of compromise, and recommended mitigations one would expect, but it also includes a long review of the SVR's history of offensive cyber operations, beginning in 2013. "The authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations."
Researchers at Fortinet worked with some of Cozy Bear's victims and offer a detailed analysis of the attackers' initial entrance through the authentication bypass vulnerability, and their post-exploitation behavior, in particular the use they made of GraphicalProton malware to maintain persistence. GraphicalProton has been associated with other SVR operations.
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
Apache Struts vulnerability exploited in the wild.
Sonatype describes a newly discovered remote code execution vulnerability in Apache’s Struts2 Framework (CVE-2023-50164). Sonatype explains, “At its core, this vulnerability allows attackers to exploit a flaw in Apache Struts's file upload system. It lets them manipulate the file upload parameters and perform path traversal. This exploitation can result in arbitrary code execution on the server, leading to various outcomes like unauthorized data access, system compromise, or even complete control over the affected systems, including placing malicious files within systems.” Gridinsoft notes, “The vulnerability affects the following versions of Apache Struts 2.3.37 (End of Life), 2.5.0 to 2.5.32 and Struts 6.0.0 to 6.3.0. Apache released patches in Struts versions 2.5.33 and 6.3.0.2 or later to address this issue. The developer does not offer any workarounds to mitigate the issue, so applying the patch update as soon as possible is crucial.”
USPS impersonation.
Researchers at Uptycs are tracking a smishing campaign that’s impersonating the US Postal Service in order to steal victims’ personal and financial information. The text messages inform recipients that a USPS delivery requires their attention, and direct them to click on a link in order to resolve the issue. The link leads to a fake USPS website that asks the user to enter their name, address, and billing information. The researchers have tied this campaign to over a thousand active phishing sites. Uptycs believes the scammers are based in China, and are targeting users around the world.
5Ghoul: a chip risk.
Researchers from the Singapore University of Technology and Design discovered a series of vulnerabilities affecting the firmware implementation of 5G mobile network modems by Qualcomm and MediaTek, BleepingComputer reports. The flaws, collectively dubbed “5Ghoul,” can be exploited to cause service disruptions or network downgrades. The researchers note, “We found over 710 smartphone models that are currently in the market to be affected. We emphasize that the actual number of affected models might be more, as firmware code is often shared across different modem versions.”
Autofill risk.
BleepingComputer describes “AutoSpill,” a new attack that can steal credentials during an Android device’s autofill operation. The attack was discovered by researchers from the International Institute of Information Technology (IIIT) at Hyderabad, who found that most Android password managers are vulnerable to the technique. BleepingComputer explains, “[T]he AutoSpill issue stems from Android’s failure to enforce or to clearly define the responsibility for the secure handling of the auto-filled data, which can result in leaking it or being captured by the host app.”
MrAnon infostealer and a malicious booking app.
Researchers at Fortinet are tracking a phishing campaign that’s using phony hotel booking notifications to deliver the MrAnon information stealer: “The downloader URL was mostly queried in Germany, which suggests it was the primary target of the attack. The number of queries for this URL rose significantly in November 2023, implying the campaign was more active and aggressive during that month.” The researchers note that MrAnon can steal “victims' credentials, system information, browser sessions, and cryptocurrency extensions.”
BatLoader and FakeBat.
Researchers at eSentire are tracking two competing Russophone malware-as-a-service groups called “BatLoader” and “FakeBat.” FakeBat appears to be a former BatLoader customer that launched its own operation, possibly copying BatLoader’s services. The researchers state, “The operators have created Google Ads and websites that mimic legitimate software sites to lure employees to download what they believe is business software. In actuality, they are downloading a very stealthy and capable malware loader. The BatLoader and FakeBat operations specialize in infecting corporate employees with whatever malware their customer chooses. BatLoader attacks have led to companies being infected with the Royal Ransomware, Gozi Banking Trojan, credential stealers, and remote access trojans.”
Holiday fraud services for sale in the C2C market.
ZeroFox describes a new criminal marketplace called “OLVX” that’s offering “phish kits, remote desktop connections, cPanel credentials/access, webshells, SPAM sending systems, stolen data, webmail access, and leads/combo lists.” The researchers note, “While some marketplaces specialize in illegal/illicit products such as drugs, counterfeit products, and hacked gift cards, OLVX focuses less on end-user products and more on tools and services to aid cybercriminals in their activities to obtain data, many of which can be deployed by threat actors looking to capitalize on the busy 2023 holiday retail season.”
BazarCall phishes with Google Forms.
Abnormal Security describes a BazarCall phishing attack that abuses Google Forms to lend itself legitimacy. BazarCall phishing involves sending a user an email informing them of an upcoming subscription charge, and providing a phony customer support number for them to call if they want to dispute the charge. If a user calls the number, a scammer will attempt to trick them into installing malware.
In this case, the attacker creates a phony invoice in Google Forms and uses the response receipt option to send a copy of the form to an email address of their choice: “Then, they enter the target’s email address in the ‘Your email’ field and click Submit. Because the attacker enabled the response receipt option, the target will receive a copy of the completed form, which the attacker has designed to look like a payment confirmation for Norton Antivirus software.” Since the email is sent from a legitimate Google Forms address, it’s more likely to bypass security filters.
New threat actor discovered: "GambleForce."
Security firm Group-IB announced its discovery of "GambleForce," which it describes as a new threat actor working against targets in Australia, China, India, Indonesia, the Philippines, South Korea, Thailand, and Brazil. The group's name derives from its initial attention to the gambling sector, but GambleForce quickly branched out to government, retail, and travel websites. Job-seeking sites also figured among the targets. "In almost all known attacks, GambleForce abused public-facing applications of victims by exploiting SQL injections." Among the attack software the group used were dirsearch, redis-rogue-getshell, Tinyproxy, CobaltStrike, and sqlmap, all publicly available open-source tools. GambleForce seems to have been indiscriminate in its theft of accessible data, but the researchers haven't been able to determine what the threat group is doing with those data. Group-IB says it's taken down GambleForce's command-and-control server and notified the victims it's been able to identify.
Malicious ads associated with Zoom.
Researchers at Malwarebytes are tracking an increase in malvertising themed around Zoom, noting that “these campaigns are likely targeting victims who are into cryptocurrencies as well as corporate users, in order to gain access to company networks.” One of the campaigns is delivering a new loader dubbed “HiroshimaNukes” that delivers information-stealing malware. The researchers add, “Threat actors have been alternating between different keywords for software downloads such as ‘Advanced IP Scanner’ or ‘WinSCP’ normally geared towards IT administrators.”
Patch news.
This week saw Patch Tuesday. Microsoft, Dell, FortiGuard, Adobe, SAP, Apache, Google, Atlassian, and Apple all released security updates. CISA issued two sets of ICS Advisories, one for two issues, the other for seventeen.
Crime and punishment.
Reports late last week that servers used by ALPHV/BlackCat had been taken down by law enforcement remain unconfirmed. Computing notes that the gang's dump site remains down, and that it's been down for five days. SC Magazine was unable to obtain confirmation from law enforcement agencies, and vx-underground tweeted that "ALPHV informed us they are experiencing hardware failure on their server," but that they've heard that before, too. In vx-underground's opinion, ALPHV probably is experiencing server problems, but, again, vx-underground can't confirm that. "We have NOT heard rumors of them being arrested, we also have NOT heard rumors of their servers being seized. The only mentions of these rumors are from other people asking us about these rumors. We cannot comment the legitimacy of these claims because we have no way to substantiate them." And for now, at least, the gang remains active and its members at large.
The US Department of Justice has indicted four individuals alleged to have been involved in "pig-butchering" scams, long-running, highly targeted social engineering efforts that prospect victims to metaphorically fatten them up for financial slaughter. In this case the scams took in some $80 million in cryptocurrency investment fraud. "Lu Zhang, 36, of Alhambra, California; Justin Walker, 31, of Cypress, California; Joseph Wong, 32, Rosemead, California; and Hailong Zhu, 40, Naperville, Illinois, are charged with conspiracy to commit money laundering, concealment money laundering, and international money laundering." Zhang and Walker have been detained and made their first appearance in court.
France's National Police have arrested a Russian national on charges connected with the Hive ransomware operation.
HackRead reports that the Spanish National Police have arrested a Venezuelan national in connection with the activities of the Kelvin Security cybercriminal gang, responsible, by the police account, for at least three-hundred consequential cyberattacks.
The traditional mnemonic device for the common motives of spies and other insider threats is MICE, standing for money, ideology, compromise, and ego. In two recent US cases, the Discord Leaks for which Airman Teixeira is alleged to be responsible and the spying for Cuba of which former career US diplomat Manuel Rocha is accused, the motive seems to have been the big "E." Both men, of course, should be considered innocent until proven guilty.
Courts and torts.
After obtaining a court order, Microsoft took down servers belonging to a major cybercrime-as-a-service provider, Vietnam-based Storm-1152. Redmond called Storm-1152 "a gateway service to cybercrime," which is an accurate representation. The gang and groups like it lower the barriers to entry into the cyber underworld, and Microsoft's action dealt this operation a severe blow. "Storm-1152 plays a significant role in the highly specialized cybercrime-as-a-service ecosystem," Microsoft explained. "Cybercriminals need fraudulent accounts to support their largely automated criminal activities. With companies able to quickly identify and shut down fraudulent accounts, criminals require a greater quantity of accounts to circumvent mitigation efforts. Instead of spending time trying to create thousands of fraudulent accounts, cybercriminals can simply purchase them from Storm-1152 and other groups. This allows criminals to focus their efforts on their ultimate goals of phishing, spamming, ransomware, and other types of fraud and abuse. Storm-1152 and groups like them enable scores of cybercriminals to carry out their malicious activities more efficiently and effectively."
Policies, procurements, and agency equities.
Iran International reports that the Iranian Parliament has ratified an information security agreement with Russia. "Comprising nine articles, the bill focuses on combating cyber threats, fortifying information security measures, and fostering collaboration between Iran and Russia. A notable clause in the legislation addresses the exchange of information and cooperation in prosecuting criminal offenses between the two nations."
The US Securities and Exchange Commission’s (SEC’s) cybersecurity disclosure rules take effect on Monday. The rules require publicly traded companies to disclose cybersecurity incidents within four business days after the company determines an incident to be material. The FBI has issued guidance for victims of cyber incidents who want to submit a request to delay SEC-mandated public disclosures in cases where national security or public safety are concerned. The Wall Street Journal sees determining materiality as likely to be the most problematic challenge publicly traded companies will encounter as they seek to comply with the new disclosure rules.
The US Federal Communications Commission (FCC) on Wednesday voted to expand breach notification requirements for telecoms, GovInfoSecurity reports. The new rules cover all personally identifiable information held by telecoms, and “expand[s] the definition of ‘breach’ to include inadvertent access, use, or disclosure of customer information, except in those cases where such information is inadvertently acquired by an employee or agent of a carrier or TRS provider, and such information is not used improperly or further disclosed.”
The US Senate on Wednesday confirmed Harry Coker, Jr. as National Cyber Director in the White House Office of the National Cyber Director, where he will serve as the principal advisor to the President on cybersecurity policy and strategy. He will be the second person to hold the office since its creation in 2021. Coker is a retired senior executive at the Central Intelligence Agency and a career Naval officer. He most recently served as Executive Director of the National Security Agency. The first National Cyber Director was Chris Inglis, who held the post from 2021 until February of this year.
Fortunes of commerce.
Bitsight and Google have published a joint report looking at “how organizations perform across cybersecurity controls in the Minimum Viable Secure Product (MVSP) framework—a minimum security baseline for enterprise-ready products and services.” The report found that “while every industry in 2023 has a high pass rate for 10 of the 16 MVSP controls studied, many organizations are still failing on controls critical to protecting themselves against cyber incidents.” Across all industries, organizations struggle with self-assessment, dependency patching, vulnerability prevention, and time to fix vulnerabilities.
BlackBerry has canceled its plan to separate its IoT and cybersecurity business units into two separate companies, the Register reports. The company will instead reorganize the two units as two fully standalone divisions. BlackBerry stated, "The Company will no longer pursue a subsidiary initial public offering of its IoT business unit. The process will include the separation and streamlining of BlackBerry’s centralized corporate functions into business-unit specific teams, with a view to each division operating independently and on a profitable and cashflow-positive basis going forward."
Mergers and acquisitions.
Reston, Virginia-based language and intelligence firm Acclaim Technical Services (ATS) has acquired Chantilly, Virginia-based network engineering and security provider Alder Technology.