White House Issues Cybersecurity Guidelines for Agencies, Contractors
CISA releases its first strategic plan, Asian victims forced to run cyber scams, China begins mass DNA collection in Tibet, Google and Meta hit with $72 million privacy fines in S. Korea, much more
Don’t miss Metacurity’s special report on Peiter Zatko’s testimony before the Senate Judiciary Committee that we published yesterday.
The White House published guidelines for how federal agencies and government contractors must comply with President Biden’s May 2021 cybersecurity executive order that stipulated federal systems and vendors must meet common cybersecurity standards.
In an eight-page memo, the Office of Management and Budget spells out how the NIST Secure Software Development Framework (SSDF), SP 800- 218,3, and the NIST Software Supply Chain Security Guidance4 include a set of practices that create the foundation for developing secure software. The EO further directs the Office of Management and Budget (OMB) to require agencies to comply with these guidelines. (Tim Starks and Aaron Schaffer / Washington Post)
Related: OMB, White House
The Cybersecurity and Infrastructure Security Agency laid out its first strategic plan showing how it plans to improve cooperation with the private sector and local governments and share more useful information about threats to critical infrastructure.
It lays out a broad approach to confronting cyberattacks and physical disruptions threatening everything from power plants and hospitals to police departments and election systems. (Eric Geller / Politico)
Related: CISA
Jen🛡Easterly @CISAJen
🙏Grateful to our first Director @C_C_Krebs for setting a strong foundation for our success w/the 2019 Strategic Intent (https://t.co/xOpPVc7jqE). Excited to work w/our amazing team & our partners across the nation & the 🌎as we continue to build America’s Cyber Defense Agency.Tens of thousands of people from across Asia have been taken captive and coerced into defrauding people in America and worldwide out of millions of dollars through cyberscams.
If they resist, they face beatings, food deprivation, or electric shocks, and some commit suicide to escape their never-ending situations. Typically, they are forced to ingratiate themselves into online friendships or romantic relationships and then manipulate their targets into depositing larger and larger sums in investment platforms controlled by the fraudsters in a scam known as pig butchering. (Cezary Podkul, with Cindy Liu / ProPublica)
Related: The Crime Report
Since June 2016, China’s police have conducted a mass DNA collection program in the Tibet Autonomous Region, targeting men, women, and children, including Buddhist monks, for DNA collection outside of any ongoing criminal investigation.
Authorities have justified this mass DNA collection as a tool to fight crime, find missing people, and ensure social stability. However, they are free to use their databases for whatever purpose. (Emile Durks / The Citizen Lab)
Related: The Economist, The Intercept, Axios
Microsoft released the Windows 11 KB5017328 cumulative update with security updates and improvements, including USB printing and Bluetooth headsets fixes.
KB5017328 is a mandatory cumulative update containing the September 2022 Patch Tuesday security updates for vulnerabilities discovered in previous months. The update includes approximately 25 improvements and fixes. (Lawrence Abrams / Bleeping Computer)
Related: Sophos News, Dark Reading, The State of Security, Rapid7, Security Week, US-CERT Current Activity, My TechDecisions, Help Net Security
South Korean authorities hit Google and Meta with a fine of around $72 million (100 billion KRW) after finding they violated the country’s privacy law.
The country’s privacy watchdog said that Google and Meta did not receive legitimate consent in collecting information from users who visit their websites and use other websites and apps for customized advertisements. Meta was also found to have violated personal information protection rules. (Kate Park / TechCrunch)
Related: Financial Times, AP Top News, Tech Xplore, South China Morning Post, UPI.com, Silicon Republic, Tech-Economic Times
Researchers on Broadcom’s Symantec Threat Hunter Team say that hackers associated with the Chinese military are leveraging a wide range of legitimate software packages to load their malware payloads and target government leaders across Asia.
The attacks use a technique known as Dynamic-link library (DLL) side-loading that takes advantage of how Microsoft Windows applications handle DLL files and involves malware that places a malicious DLL file in a Windows’ WinSxS directory so that the operating system loads it instead of the legitimate file. The campaign targets a range of government and state-owned organizations in several Asian countries, including the offices of multiple prime ministers or heads of government.
Symantec links the group behind the attacks to previous incidents involving the Korplug/PlugX malware and to attacks by several known groups, including Blackfly/Grayfly (APT41) and Mustang Panda, as well as a long-running campaign involving Korplug/Plug X targeting the Roman Catholic Church. (Jonathan Greig / The Record)
Related: Dark Reading, Broadcom
The legislature of Argentina’s capital city of Buenos Aires was hit by a ransomware attack, compromising its internal operating systems and shuttering its WiFi system.
No ransomware group has taken credit for the incident, but several gangs have targeted governments across Central and South America over the past year. (Jonathan Greig / The Record)
Related: InfoBae
Security researchers at Sansec say that hackers injected malware in multiple extensions from FishPig, a vendor of Magento-WordPress integrations that count over 200,000 downloads.
The intruders took control of FishPig's server infrastructure and added malicious code to the vendor's software to gain access to websites using the products, in what is described as a supply-chain attack FishPig Magento Security Suite and FishPig WordPress Multisite, along with likely other extensions of the vendor. FishPig said that they are investigating the impact of the intrusion. The company has published a security advisory recommending an upgrade of all FishPig modules. (Bill Toulas / Bleeping Computer)
Related: Ars Technica, Sansec, FishPig
Wordfence researcher Ram Gall said that a zero-day flaw in the latest version of a WordPress premium plugin, WPGateway, is being actively exploited in the wild, potentially allowing malicious actors to take over affected sites completely.
The flaw CVE-2022-3180 is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence noted. Wordfence said it blocked over 4.6 million attacks attempting to take advantage of the vulnerability against more than 280,000 sites in the past 30 days. (Ravie Lakshmanan / The Hacker News)
Related: Bleeping Computer, Wordfence
A referendum in Kansas last month illustrates how easily a bad actor can leverage text messages when voters saw a lie about how to vote pop up on their phones regarding a significant vote on abortion rights in their state.
There is no company or regulatory agency that monitors the contents of all of the billions of text messages that are sent every day. Even though American phone carriers employ some anti-spam measures, they’re limited. CTIA senior vice president Nick Ludlum said in an emailed statement that by design, “Wireless carriers do not pre-screen the content of their customers’ text messages.” (Kevin Collier / NBC News)
Airline carrier Philippine Airlines (PAL) became a cyberattack victim after criminals targeted its information technology (IT) service provider, Accelya, and exposed the personal data of Mabuhay Miles members.
PAL said that the data breach only involved "limited information" of customers who became Mabuhay Miles members from 2015-2017 and said that the incident did not affect PAL's internal IT systems. (CNN Philippines Staff / CNN)
Related: Simple Flying, Travel Mole
According to the cybercrime unit in Uttar Pradesh, India, Chinese scammers have reportedly stolen a whopping $529 million from Indian residents using instant lending apps, lures of part-time jobs, and bogus cryptocurrency trading schemes.
According to local media reports, the scammers promoted their fraud through bulk TXT messages that the police tracked to the Middle Kingdom, with some operators located in Nepal and working under the direction of Chinese threat actors. Fake websites and crypto apps were set up to lure in investors. (Laura Dobberstein / The Register)
Related: Times of India, Business Standard, Newsday Express
Retired General Keith Alexander, the former head of US Cyber Command and as director of the National Security Agency under Presidents George W. Bush and Barack Obama, has been accused in a securities lawsuit of allegedly misleading investors through a pump-and-dump scheme that enriched him with at least $5 million.
Investors in IronNet, a cybersecurity company, co-founded by Alexander after he left the Obama administration in 2014, claim that the former general gave false promises of government contracts and inflated revenue numbers while selling off his shares in the company. The plaintiffs in the US District Court in Alexandria, Virginia, allege that IronNet made lofty promises as a cover for company insiders to quickly unload stock on clueless retail investors. (Lee Fang / The Intercept)
Period tracking app Flo released an “Anonymous Mode” that lets people use the app without linking their data to their name, email address or IP address as a direct response to privacy concerns stemming from the overturn of Roe v. Wade in June.
“The world is not designed for privacy,” said Roman Bugaev, chief technology officer at Flo, said. “We need to rethink all of the internet with this in mind.” (Nicole Wetsman and Corin Faife / The Verge)
Related: Engadget
The Rust Foundation, which supports the development of the popular open-source Rust programming language, announced it’s establishing a dedicated security team, which is underwritten by the Open Source Security Foundation’s Alpha-Omega Initiative.
The first initiative for the new team will be to undertake a security audit and threat modeling exercises to identify how security can be economically maintained in the future. The team will also help advocate for security practices across the Rust landscape, including Cargo and Crates.io, and will be a resource for the maintainer community. (Duncan Riley / Silicon Angle)
Related: Rust Foundation
The merger of security companies Avast and NortonLifeLock, announced over a year ago, has been completed.
The combined company will operate as NortonLifeLock (Nasdaq: NLOK) until the new name is revealed, at which time the company will use a new ticker symbol while still trading on the Nasdaq exchange. (Greg Barr / Phoenix Business Journal)
Related: Avast, Databreachtoday
Cloud security orchestration and remediation platform Opus Security emerged from stealth mode with $10 million from a seed venture funding round.
YL Ventures, with participation from Tiger Global and angel investors, including George Kurtz, co-founder, CEO and President of CrowdStrike; Udi Mokady, co-founder, Chairman and CEO of CyberArk; Dan Plastina, former Head of AWS Security Services; Oliver Friedrichs, co-founder and former CEO of Phantom Cyber, acquired by Splunk; and Alon Cohen, co-founder and former CTO of Siemplify, acquired by Google Cloud, among others. (Kyle Wiggers / TechCrunch)
Related: Techstartups, Fintech Global, Dark Reading, Silicon Angle, Venture Beat, Business Wire
Cloud data security company Theom has emerged from stealth mode with an oversubscribed $16.4 million seed funding round.
Ridge Ventures led the round along with M12, Microsoft's Venture Fund. (Eduard Kovacs / Security Week)
Related: PR Newswire, FinSMEs, Fintech Global
Create your profile
Only paid subscribers can comment on this post
Check your email
For your security, we need to re-authenticate you.
Click the link we sent to , or click here to sign in.