Senate Committee Seeks Answers From Twitter as Former Security Chief Gets Ready to Testify
Apple issues a fix for eighth zero-day of the year, NFC relay attack can allow thieves to steal Tesla cars, FBI warns of medical device flaws, Greek government rocked by spyware scandals, much more
My latest CSO column looks at how U.S. government officials speaking at last week’s Billington Cybersecurity Summit portray “offensive cybersecurity” measures as tools of reinforcing defensive cybersecurity protections.
Hours before testimony from former Twitter security chief turned whistleblower Peiter Zatko, the leaders of the Senate Judiciary Committee sent a detailed list of questions to Twitter, stating that Zatko’s allegations of lax security at the social media company, if true, “demonstrate an unacceptable disregard for data security that threatens national security and the privacy of Twitter’s users.”
“The disclosure paints a disturbing picture of a company that has fallen short of basic security standards in the technology industry, failed to adequately mitigate attempts by foreign governments to gain access to sensitive user information, and willfully misled government regulators,” wrote the Judiciary Committee Chair Dick Durbin of Illinois and the panel’s top Republican, Chuck Grassley of Iowa.
The committee invited Twitter Chief Executive Officer Parag Agrawal to testify at the hearing to be held today, but he didn’t accept, according to the letter. Separately, Twitter rejected Elon Musk’s latest argument to terminate his $44 billion agreement to purchase Twitter, namely that the previously unrevealed $7 million settlement paid to former security chief and whistleblower Peiter Zatko gives Musk the ability to walk away from the deal. (Emily Birnbaum / Bloomberg and Sabela Ojea / Wall Street Journal)
Related: NBC News, CNBC News, The Guardian, Financial Times, CNET, Washington Post, Judiciary.Senate.gov, CNN, Watcher Guru, Business Insider, Reuters: World News, CNBC Technology, NBC News Top Stories, Forbes, Tech-Economic Times, The Independent, AP Top News, Big News Network, Chinanews.net
Apple released security updates to address the eighth zero-day vulnerability used in attacks against iPhones and Macs since the start of the year. This flaw may have been exploited in the wild, although Apple released no details about the exploitation.
The bug (CVE-2022-32917) may allow maliciously crafted applications to execute arbitrary code with kernel privileges. Apple also backported patches for another zero-day (CVE-2022-32894) to Macs running macOS Big Sur 11.7, after releasing additional security updates on August 31 to address the same bug in iOS versions running on older iPhones and iPads. Although the zero-day was most likely used only in highly targeted attacks, users should install the latest security updates as soon as possible. (Sergiu Gatlan / Bleeping Computer)
Related: Decipher, Cyber Security Intelligence, Security News | Tech Times, MacRumors, Ars Technica, Reddit - cybersecurity, iTech Post : Latest News, The Hacker News, Security Week, Apple Insider, Apple
Ryan Naraine @ryanaraine: It's Patch Day in the land of Apple (Includes in-the-wild 0day) https://t.co/KO3zTUe7Dl
A researcher at IOActive, Josep Pi Rodriguez, discovered a sophisticated relay attack that would allow someone with physical access to a Tesla Model Y to unlock and steal it in a matter of seconds.
The vulnerability involves an NFC (near field communication) relay attack and requires two thieves working in tandem. One thief must be near the car and the other near the car owner, who has an NFC keycard or a mobile phone with a Tesla virtual key in their pocket or purse.
Using Rodriguez’s technique, an attacker can steal a Tesla Model Y as long as they can position themselves within about two inches of the owner’s NFC card or mobile phone with a Tesla virtual key on it, for example, while in someone’s pocket or purse as they walk down the street, stand in line at Starbucks, or sit at a restaurant. Then, the keycard’s response is transmitted back to the car, allowing a second accomplice located there to unlock the vehicle and steal it.
However, once the thieves shut off the engine, they won’t be able to restart the car with that original NFC keycard. They could still strip the vehicle for parts. (Tesla did not respond to a request for comment.) (Kim Zetter / The Verge)
In a white notice from the FBI’s Internet Crime Complaint Center (IC3), the law enforcement agency warned that hundreds of vulnerabilities in widely used medical devices are leaving a door open for cyberattacks.
The Bureau specifically cited vulnerabilities found in insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps, noting that malicious hackers could take over the devices, change readings, administer drug overdoses, or “otherwise endanger patient health.” In addition, the FBI noted that medical device hardware is often used for more than 30 years at some healthcare facilities, giving cybercriminals and state actors ample time to discover and exploit bugs.
The alert follows Baxter International’s announcement of four vulnerabilities affecting their infusion pumps and WiFi batteries last week. CISA released its own advisory about the issues, the second one they released last week related to medical devices. (Jonathan Greig / The Record)
A burgeoning scandal over spyware has rocked the government of Prime Minister Kyriakos Mitsotakis in Greece, with half of the voters saying he should resign for deploying spyware on an opponent’s phone.
As more revelations of government use of spyware emerged, with more possibly to come, one of Mitsotakis’ top aides and his intelligence chief both resigned. But Mitsotakis is confident that he and his center-right New Democracy party may emerge relatively unscathed. (Nektaria Samouli / Politico)
Assemblea Nacional Catalana @assemblea: ⬛️⬜️‼️ If Europe wants to be a world leader in democracy, and be able to lecture others, it cannot tolerate these massive violations of the fundamental rights of its populations. #CatalanGate #Pegasus https://t.co/lPr4RQTrnE
Researchers at Proofpoint say that Iranian hackers associated with threat group TA453 are using a clever new phishing technique relying on multiple personas to create email threads with various responses to trick potential victims into thinking bogus messages are legitimate.
The hackers’ activities overlap with those of other groups tracked as Charming Kitten, Phosphorus, and APT42. Proofpoint noticed a recent uptick in these phishing emails in late June, when the attackers, posing as a researcher in one email, referenced another researcher who then replied to the thread. (AJ Vicens / Cyberscoop)
Google announced that its proposed $5.4 billion bid to buy cybersecurity firm Mandiant is now complete.
Moving forward, Mandiant will operate under the auspices of Google Cloud, though the Mandiant brand will continue. “We will retain the Mandiant brand and continue Mandiant’s mission to make every organization secure from cyber threats and confident in their readiness,” Google Cloud CEO Thomas Kurian wrote in a blog post. (Paul Sawers / TechCrunch)
Related: Mandiant, PR Newswire, Google, Reddit cybersecurity, Channel Futures, Security Affairs, My TechDecisions, Dark Reading, CRN, DataBreachToday.com, Security Week, Business Standard, Silicon Angle, Tech-Economic Times
Researchers at Group-IB say that hackers are launching new attacks to steal Steam credentials using a browser-in-the-browser phishing technique that is rising in popularity among threat actors.
That technique involves creating fake browser windows within the active window, made to look like the sign-in pop-up of a targeted login service. These phishing attacks aim to sell access to the stolen accounts, with some prominent Steam accounts valued between $100,000 and $300,000. Users should be wary of direct messages received on Steam, Discord, or other game-related platforms and avoid following links sent by users they do not know. (Bill Toulas / Bleeping Computer)
CrowdStrike’s Falcon OverWatch threat hunters say that the enterprises they monitor faced 77,000 hands-on, interactive intrusion attempts, or approximately one potential intrusion every seven minutes, between July 1, 2021, and June 30, 2022, a 50% year-over-year increase.
Breakout time, or the time an adversary takes to move laterally from an initially compromised host to another host within the victim’s environment, fell to one hour and 24 minutes compared to one hour and 38 minutes during the year-earlier period, demonstrating that adversaries continue to sharpen their tradecraft. (Apurva Venkat / CSO Online)
Researchers at Arctic Wolf Labs say that the Lorenz ransomware gang now exploits a critical vulnerability in Mitel MiVoice VoIP appliances to breach enterprises, using their phone systems as the initial access point into their corporate networks.
Lorenz exploited CVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, to obtain a reverse shell and subsequently used Chisel as a tunneling tool to pivot into the environment, according to Arctic Wolf. (Sergiu Gatlan / Bleeping Computer)
Related: Arctic Wolf
The Flipper Zero pen testing tool, an open source, multi-device tool that can reverse engineer access to radio protocols, hardware, and systems such as TVs and garage doors, gained 38,000 backers on Kickstarter, who donated $4.8 million when it launched in 2020.
Flipper Zero also turned to PayPal to sell its product to a broader audience. However, PayPal put a hold on $1.3 million of Flipper Zero’s funds, citing an “unusually large” increase in its sales activity and asking for shipment tracking numbers, which the company provided. PayPal then demanded extensive information, including beneficiaries’ information, proof of ID, proof of address, bank statements for the company, proof of goods purchase, and proof of fulfillment for 10 random orders, all of which Flipper Zero provided.
After Flipper Zero responded to PayPal’s requests for even more information, PayPal completely blocked the company’s account without further explanation. The company has now gone public with its frustrations in an attempt to force PayPal’s hand after months of inaction. (Chris Stokel-Walker / Daily Dot)
In notification letters sent to impacted individuals, moving and storage giant U-Haul International (U-Haul) disclosed a data breach after a customer contract search tool was hacked to access customers' names and driver's license information.
An incident investigation, begun on July 12 after the breach was discovered, found on August 1 that attackers had accessed some customers' rental contracts between November 5, 2021, and April 5, 2022. The attacker accessed the U-Haul rental contract search portal after compromising two "unique passwords." U-Haul says it is providing affected customers one year of complimentary identity theft protection services through Equifax to help them detect if and when their personal information is misused. (Sergiu Gatlan / Bleeping Computer)
According to China's National Computer Virus Emergency Response Center (CVERC), 41 types of cyber weapons were used by the NSA-affiliated Tailored Access Operations (TAO) Office in the recently exposed cyber attacks against China's Northwestern Polytechnical University.
Among them, the sniffing and stealing cyber weapon "Suctionchar" is one of the most direct culprits in the theft of a large amount of sensitive data, the CVERC said. According to the report released by the CVERC in collaboration with cybersecurity company Beijing Qi'an Pangu Laboratory Technology Co., Ltd., Suctionchar can steal accounts and passwords for various remote management and file transfer services on target servers and can work effectively with other cyber weapons deployed by the NSA. (Xinhua)
Metacurity is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
According to an interior ministry report submitted to Rep. Lee Hae-sik of the main opposition Democratic Party in South Korea, the government has seen nearly 560,000 outside hacking attempts against its critical computer systems over the past six years, with a combined 43 percent originating from China and the United States.
A total of 40.9 percent of the hacking attempts detected were aimed at information leakage, followed by information gathering at 16.5 percent, according to the report. (Yonhap News)
Cloud and data security provider Fortanix closed a $90 million Series C venture funding round.
Goldman Sachs Growth Equity led the round with participation from Giantleap Capital, Foundation Capital, Intel Capital, Neotribe Ventures, and In-Q-Tel. (Kyle Wiggers / TechCrunch)
San Francisco-based, cybersecurity-focused venture capital firm Ballistic Ventures launched BallisticX, a new platform for portfolio companies.
BallisticX includes the appointment of an advisory board of cybersecurity leaders, including former New York Times journalist Nicole Perlroth, and services to help early-stage startup founders and their teams advance their businesses and cybersecurity. (FinSMEs)
Related: Ballistic Ventures
Cyber defense solution provider Celerium acquired Dark Cubed, a provider of automated network defense to small- and medium-sized businesses and U.S. Department of Defense contractors.
With the acquisition, Celerium will shift its overall focus from enabling cyber threat sharing to powering active cyber defense. (FinSMEs)
Related: PR Newswire