EU Lawmakers Pass Sweeping New Cybersecurity Rules
Hackers gained unauthorized access to DEA portal, Ukrainian man sentenced to four years for stealing login credentials, Human rights group wants war crimes prosecution for Russian hacking, more
Check out my latest CSO column that looks at the Five Eye’s warning to MSPs and what prompted them to issue an advisory.
EU countries and lawmakers agreed to stricter cybersecurity rules for virtually all organizations, including large energy, transport, and financial firms, digital providers, and medical device makers, by enacting legislation known as the NIS 2 Directive.
The new law covers all medium and large firms across virtually all sectors, as well as government bodies. Under the law, organizations must assess their cybersecurity risk, notify authorities, and take technical and organizational measures to counter the risks, with fines of up to 2% of global revenue for non-compliance.
EU countries and the EU cybersecurity agency ENISA could also assess the risks of critical supply chains under the rules. (Foo Yun Chee / Reuters)
Présidence française du Conseil de l’UE 🇫🇷🇪🇺 @Europe2022FR‼DEAL‼ Provisional agreement with @Europarl_EN on the revision of the NIS Directive on the security of network and information systems #NIS2. #EU2022FR ⤵ https://t.co/yGIO7kfkVA
The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases, including those used by the DEA and FBI.
The alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets. Screenshots shared with Brian Krebs indicate the hackers could use the DEA’s EPIC database to look up various records, including those for motor vehicles, boats, firearms, aircraft, and even drones.
The EPIC system does not use two-factor authentication. Krebs obtained the information through a suspected administrator of Doxbin, a hub for people posting private information online. (Brian Krebs / Krebs on Security)
Glib Oleksandr Ivanov-Tolpintsev from Ukraine was sentenced in the U.S. District Court for the Middle District of Florida to four years in prison for stealing thousands of login credentials per week and selling them on a dark web marketplace.
Ivanov-Tolpintsev claimed to some of his co-conspirators that he could crack credentials for over 2,000 systems each week in brute-force attacks using a botnet under his control. He was arrested by Polish authorities in Korczowa, Poland, two years ago, on October 3, 2020, and was extradited to the United States. On February 22, 2022, he pleaded guilty to the charges brought against him. (Sergiu Gatlan / Bleeping Computer)
In late March, a group of human rights lawyers and investigators in the Human Rights Center at UC Berkeley's School of Law sent a formal request to the Office of the Prosecutor for the International Criminal Court (ICC) in The Hague, urging the court to consider war crime prosecutions of Russian hackers for their cyberattacks in Ukraine.
The team points to Sandworm, a notorious group of hackers within Russia's GRU military intelligence agency, and to two of Sandworm's most egregious acts of cyberwarfare: blackouts in Western Ukraine in December 2015 and Kyiv a year later. They also acknowledge that charges against Sandworm would represent the first case of “cyberwar crimes” ever brought by the ICC, but that precedent would help not only to seek justice for those harmed by Sandworm's cyberattacks but also to deter future, potentially worse cyberattacks affecting critical civilian infrastructure around the world. (Andy Greenberg / Wired)
The company said the goal of the test was to resemble the kind of real-world hacking attempts that security teams must battle. (Jonathan Greig / The Record)
Researchers at SEC Consult analyzed Konica Minolta printers and discovered that an attacker who has physical access to the targeted device’s touchscreen terminal could escape the sandbox and gain root access to the underlying operating system.
The analysis uncovered three vulnerabilities, and Konica Minolta released a firmware and operating system patch at the start of 2020. For most devices, however, service technicians must apply the firmware update manually, and that work has been delayed for hundreds of thousands of devices by the COVID-19 lockdowns. (Eduard Kovacs / Security Week)
Related: SEC Consult
At the White House Open Source Security Summit, Google announced it would create a new “Open Source Maintenance Crew” to improve the security of critical open source projects. Google also introduced the Google Cloud Dataset from Open Source Insights, designed to help developers better understand the structure and security of the software they use.
The company further said it would be improving the OSS-Fuzz service for open source developers, which has helped researchers spot more than 2,300 vulnerabilities in over 500 projects over the last year. The announcements came after Google executives joined 80 other leaders from several other companies in a meeting led by the Open Source Security Foundation (OpenSSF) and the Linux Foundation about the progress made on open source software security initiatives. OpenSSF general manager Brian Behlendorf said the organization had secured about $30 million in pledges from Amazon, Ericsson, VMware, Intel, Microsoft, and Google to help fund a range of efforts to secure open source projects. (Jonathan Greig / The Record)
Eric Geller @ericgeller33 tech giants, big banks, and nonprofits are meeting today & tmrw to discuss an ambitious @theopenssf plan to secure open-source software ecosystem, from coding education to crisis response teams. I got the exclusive on the report and meeting: https://t.co/5hwrGreaBP
Republican Maryland Governor Larry Hogan signed a trio of cybersecurity preparedness bills into law following a string of costly, high-profile ransomware and other cyberattacks that temporarily crippled Maryland governmental bodies.
The cyber measures make permanent some aspects of an executive order Hogan signed in 2019 while providing additional resources and rules to aid county and state governments, school systems, and local health departments against digital attacks. They also will fund a new Cyber Preparedness Unit within the Maryland Department of Emergency Management, equipping it with a budget of about $455,000 and a staff of five people to work with local governments. In addition, $6.1 million will go toward software and filling 40 new positions within the Department of Information Technology. (Sam Janesch / The Baltimore Sun)
Related: Associated Press
Application security provider StackHawk raised $20.7 million in a Series B venture funding round.
Sapphire Ventures and Costanoa Ventures led the round with participation from Foundry Group and other high-value investors. (Tim Keary / Venture Beat)
Solidus Labs, a New York-based risk monitoring firm for crypto assets, raised $45 million in a Series B venture funding round.
Liberty City Ventures led the round with participation from Evolution Equity Partners and Declaration Partners. Angel investors include Brian Brooks, former U.S. Acting Comptroller of the Currency, and Christopher Giancarlo, former Commodity Futures Trading Commission chairman. (Anushree Dave / The Block)
Critical infrastructure security company Xage Security raised an additional $6 million top-up to the $30 million Series B funding it secured in January 2022.
The new financing comes from SCF Partners and Overture Venture Capital. (Kevin Townsend / Security Week)
Related: GlobeNewswire
Software supply chain security start-up Socket raised $4.6 million in a seed funding round.
The funding came from over a dozen angel investors and security leaders, including ex-GitHub CEO Nat Friedman, Keybase co-founder Max Krohn, Unusual Ventures, Village Global, and South Park Commons. (Zack Whittaker / TechCrunch)
African mobile identity verification startup Identitypass raised $2.8 million in a venture funding seed round.
Marc Ventures led the seed funding round for Identitypass, which is also backed by Y Combinator, Soma Capital, True Capital Fund and Sherwani Capital LP, and other funds. (Tage Kene-Okafor / TechCrunch)
Identity security company CyberArk has launched a $30 million investment fund to “empower the next generation of disruptors solving complex security challenges with innovative technology.”
CyberArk Ventures said it had completed initial investments in three cybersecurity start-ups: Dig Security, which provides real-time threat detection solutions for data assets hosted in public clouds; Enso Security, an Application Security Posture Management platform; and Zero Networks, a provider of identity-based microsegmentation. (FinSMEs)