Newsletters

It is hard to care about hacktivism when the news from Israel and Gaza is so bleak, but there has been a flurry of activity from both camps since the conflict erupted.

Cyber attacks reported so far include the DDoSing of both Israeli and Palestinian websites and the leaking of stolen documents and credentials from Israeli-related sites. While these actions generally made little difference to events on the ground, some attacks attempted to disrupt Israel's response to Hamas rocket attacks.

Per Wednesday's edition of Risky Business News:

Microsoft has deprecated VBScript, a powerful scripting language that has been part of the Windows operating system since 1998.

VBScript has been made a "Feature on Demand" (FoD), and Microsoft plans to remove it completely in a future version of Windows.

As a FoD, Microsoft says VBscript will be preinstalled on Windows OS images but not enabled by default.

The number of human-operated ransomware attacks has more than doubled over the past year, Microsoft said in its yearly Digital Defense Report.

The term "human-operated ransomware" refers to certain intrusions where the ransomware is deployed manually rather than using automated scripts.

During these intrusions, one or more members of the ransomware group manually connect to a breached network and run commands in a terminal to make sure scripts execute with the proper parameters, data is exfiltrated without errors, and files are encrypted correctly.

A group of more than 50 tech experts and organizations have signed an open letter asking EU officials to rethink Article 11 of the upcoming EU Cyber Resilience Act.

The article introduces a mandatory requirement for all software vendors to disclose vulnerabilities to the ENISA, the EU's cybersecurity agency, within 24 hours of becoming aware of in-the-wild exploitation. ENISA will then relay this information to national CSIRT teams and stock market watchdogs across its member states.

The open letter's signatories argue that the CRA's Article 11—in its current form, at least—greatly expands the number of organizations that will have first-hand and real-time immediate knowledge of actively exploited vulnerabilities, which, in turn, increases the risks to product vendors, their customers, and the general public.

The US National Security Agency (NSA) is creating a new Artificial Intelligence Security Center to develop secure AI for use in defence and national security. The Center will also work to maintain the US's AI advantage by protecting against intellectual property (IP) theft.

The Director of NSA and US Cyber Command, General Paul Nakasone, announced the creation of the new centre in a speech at the National Press Club in Washington DC.

In his speech Nakasone pithily described AI security as "about protecting AI systems from learning, doing and revealing the wrong thing", before listing some goals of the new centre:

Ransomware groups are exploiting recently disclosed vulnerabilities in TeamCity and WS_FTP servers to breach corporate networks and ransom organizations.

The attacks are exploiting CVE-2023-42793 and CVE-2023-40044.

The first is an authentication bypass and RCE vulnerability that can allow threat actors to take full control of JetBrains TeamCity CI/CD servers. Once on the development pipeline, threat actors can pivot to other resources on a company's internal or cloud network, from where ransomware gangs can do extensive damage.

A critical vulnerability impacting more than 3.5 million Exim email servers has remained unpatched for more than 15 months in one of the most egregious instances of vulnerability disclosure snafus in recent history.

Tracked as CVE-2023-42115, the vulnerability is a no-authentication remote code execution with a severity rating of 9.8/10.

It is one of six vulnerabilities that were disclosed by Trend Micro's Zero-Day Initiative (ZDI) to the Exim project in June 2022.

Cybersecurity agencies from Japan and the US have issued a joint security  advisory about a Chinese APT group that is hacking the overseas subsidiaries of US and Japanese companies and then pivoting to their corporate headquarters.

Known as BlackTech (Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda), the group targets internet-facing routers as their entry point into victim networks.

To maintain access, the group hot-patches the router firmware with a modified version that bypasses security features and contains a built-in SSH backdoor to maintain future access.

Teenage hackers have breached systems at Caesars Entertainment and MGM Resorts International, two large US resort, entertainment and gaming companies. These incidents showcase how hacking groups comprising young people using Lapsus$-style techniques are becoming one of the greatest cyber security threats to organisations.

Both hacks had significant impact.

Caesars Entertainment reportedly paid a ransom of USD$15m after the group stole personal information from its loyalty program database, including driver licence and social security numbers. The organisation’s SEC filing uses a form of words that we suspect will become standard when paying a data extortion ransom:

The US Cybersecurity and Infrastructure Security Agency released on Monday the first version of the Hardware Bill of Materials (HBOM), a framework meant to mitigate supply chain risks for hardware/physical products.

The framework is inspired and is meant to be a complement to SBOM, a similar framework that CISA has been pushing to software vendors since the Log4Shell incident in late 2021.

Under the new HBOM framework, hardware vendors are expected to produce an HBOM file that will contain information on all physical components used in a product.