MITRE’s danger list, CISO liability insurance, BianLian changes tack
Subscribe to Cyber Security Headlines podcast
In today’s cybersecurity news…
MITRE offers updated list of most dangerous software vulnerabilities
MITRE, the not-for-profit organization that operates federally funded R&D centers, including ones focused on cybersecurity, has updated its “Common Weakness Enumeration Top 25 Most Dangerous Software Weaknesses” list to reflect the newest developments in the cyber threat landscape. Cross-site scripting takes the top spot, followed by out-of-bounds write flaws and SQL injection bugs; missing authorization comes in at number 10. CISA, which worked with a branch of MITRE in putting together the report, is now urging organizations to “review the list and prioritize these weaknesses in development and procurement processes.”
(Security Week and MITRE)
CISOs can now obtain professional liability insurance
New Jersey-based insurer Crum & Forster recently unveiled a policy specifically designed to shield CISOs from personal liability. Representatives from the firm pointed out that unlike other members of the C-Suite, CISOs “may not be recognized as corporate officers under a directors and officers liability policy, which normally covers executive liability.” The firm says their goal is to help CISOs who “are in a no-win situation…if everything goes right, that’s what people expect. If something goes wrong, they’re the person that everybody looks at and they’re left holding the bag. Then, there are potentially significant financial ramifications for them because they’re often not covered by traditional insurance policies.”
(Cyberscoop)
BianLian group refines its game
Government agencies in the U.S. and Australia are warning about new TTPs employed by the BianLian ransomware group, including “shifting exclusively to exfiltration-based extortion and leveraging new approaches for initial access, command and control, and defense evasion.” The group is thought to be Russia-based; its Chinese-sounding name fits its practice of misattributing its location and languages to throw off pursuers. The shift to exfiltration-based extortion means BianLian still steals data and demands payment, but it moves the data out with File Transfer Protocol tools rather than deploying ransomware, leaving the victims’ systems intact.
French hospital suffers cyberattack, patient data exposed
The name of the hospital has yet to be released, but the attack has been claimed by an individual using the nickname “nears” as part of a series of attacks against MediBoard, an Electronic Patient Record solution made by Softway Medical Group and used by hospitals across Europe. The threat actor claims this attack involved the medical records of 750,000 patients, and that they have access to data on more than 1.5 million people overall. Softway Medical Group has confirmed the attack, but stated “this was not the result of a software vulnerability or misconfiguration on their part, but rather through the use of stolen credentials used by the hospital.” It added that the exposed data was not directly managed by Softway, but hosted by the hospital.
Huge thanks to our sponsor, ThreatLocker
Fortinet VPN design flaw hides successful brute-force attacks
According to researchers at Pentera, the flaw lies in how Fortinet’s VPN server logs logins: the server records a successful login only once the VPN session is fully established, which is a separate step from checking the credentials. An attacker can therefore confirm that a username and password are valid and stop before completing the login, so the success is never written to the log and never reaches the tooling that is supposed to detect compromised credentials. The brute-force attempts themselves remain visible, but only as failed logins; the successful guess is missing, which Pentera says creates a “false sense of security.”
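Because the successful guess never reaches the log, detection has to key on what the research says does remain visible: the failed attempts. The following is an added example (not Pentera’s research code and not Fortinet’s software) of a failure-based detector run over constructed log lines. The key=value layout, source addresses, usernames and timestamps are all made up for the example and are not Fortinet’s real log schema; it contrasts a naive success-only detector with a sliding-window failure counter.

```python
"""Detect a VPN brute-force run from the failures alone.

Added example; not Pentera's research code and not Fortinet's software.
The log lines and their key=value layout are constructed for this example
and are NOT Fortinet's real log schema.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample. 203.0.113.7 guesses against two accounts and then goes
# quiet: in the scenario the ninth guess was correct, but as the research
# describes, that success never produced a log entry. 198.51.100.5 is a
# legitimate user who mistyped once and then logged in normally.
SAMPLE_LOGS = """\
time=2024-11-20T08:00:00 src=198.51.100.5 user=carol action=login-fail
time=2024-11-20T08:00:01 src=203.0.113.7 user=alice action=login-fail
time=2024-11-20T08:00:02 src=203.0.113.7 user=alice action=login-fail
time=2024-11-20T08:00:03 src=203.0.113.7 user=alice action=login-fail
time=2024-11-20T08:00:04 src=203.0.113.7 user=alice action=login-fail
time=2024-11-20T08:00:05 src=203.0.113.7 user=bob action=login-fail
time=2024-11-20T08:00:06 src=203.0.113.7 user=bob action=login-fail
time=2024-11-20T08:00:07 src=203.0.113.7 user=bob action=login-fail
time=2024-11-20T08:00:08 src=203.0.113.7 user=bob action=login-fail
time=2024-11-20T08:00:30 src=198.51.100.5 user=carol action=login-ok
"""

LINE_RE = re.compile(r"time=(\S+)\s+src=(\S+)\s+user=(\S+)\s+action=(\S+)")


def parse(text):
    """Parse the constructed key=value lines into (timestamp, src, user, action)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, action = m.groups()
            events.append((datetime.fromisoformat(ts), src, user, action))
    return events


def successes_only(events):
    """The naive detector: alert on logged successful logins only. It sees
    carol's source, because the attacker's success was never logged."""
    return sorted({src for _, src, _, action in events if action == "login-ok"})


def detect_bruteforce(events, window_s=60, threshold=5):
    """Flag any source with >= threshold failures inside a sliding window of
    window_s seconds, regardless of whether a success was ever logged."""
    fails = defaultdict(list)
    for ts, src, user, action in events:
        if action == "login-fail":
            fails[src].append((ts, user))
    logged_ok = {src for _, src, _, action in events if action == "login-ok"}

    alerts = {}
    for src, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = {
                    "failures": len(attempts),
                    "users": sorted({u for _, u in attempts}),
                    # the account tried last before the burst went quiet is the
                    # first one to check for a compromised password
                    "last_user": attempts[-1][1],
                    "logged_success": src in logged_ok,
                }
                break
    return alerts


if __name__ == "__main__":
    evts = parse(SAMPLE_LOGS)
    print("sources with a logged success:", successes_only(evts))
    for src, info in detect_bruteforce(evts).items():
        print(f"brute-force from {src}: {info}")
```

The window and threshold values are assumptions; tune `window_s` and `threshold` to the portal’s normal failure rate. The practical point is the `logged_success` field: a burst of failures that stops abruptly with no logged success should be treated as a candidate compromise of the last account tried, not as a failed attack.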
Easily exploitable bugs found in Ubuntu Server utility after 10 years
Researchers at Qualys’ Threat Research Unit say they will not release exploit code for five bugs in Ubuntu Server’s needrestart utility. They state they were “able to develop a working exploit but wouldn’t release it, describing the findings as alarming.” The five vulnerabilities were introduced in April 2014 and reside in the needrestart utility of Ubuntu Server, which determines whether a restart is needed after, for example, a critical library update or an upgrade. All five vulnerabilities have CVE numbers, and four of them carry a CVSS score of 7.8.
(The Register)
Ultra private phone available for high-risk individuals
The mobile technology company Cape has announced an Android-based phone that protects against location tracking, prevents advertisers from uniquely identifying the customer, and protects against SIM swapping, while requiring only a phone number and no name or address. The company is “planning on selling the phone to governments and through organizations and other distribution partners, like consultants who work with high-risk people…the technology will adhere to Communications Assistance for Law Enforcement Act (CALEA) requirements,” a regulation that requires the collection of certain types of identifying data.
(Cyberscoop)
Japan’s government suggests putting your usernames and passwords in your will
Described as “digital end of life planning,” Japan’s National Consumer Affairs Center on Wednesday released a set of suggestions to help avoid the complications and costs that arise when someone dies with their passwords still hidden. Helping loved ones deal with a digital legacy can include: ensuring family members can unlock your smartphone or computer; maintaining a list of subscriptions with user IDs and passwords; adding these details to a document intended for the person or persons responsible for managing such affairs; and designating a person to have access to the smartphone and other accounts.
(The Register)