Friday Five: Threats to Critical Infrastructure, New Actively Exploited Bugs, & More
As cyber attacks and data breaches are on the rise, federal agencies are warning of several new and persisting threats. Learn all you need to know in this week's Friday Five.
CISA ROADMAP SEEKS TO PROTECT CRITICAL INFRASTRUCTURE FROM AI BY MATT BRACKEN
The Cybersecurity and Infrastructure Security Agency (CISA) unveiled a strategy focused on safeguarding critical infrastructure from AI-related threats. The roadmap addresses the challenges posed by both AI and older software systems that lack "secure by design" principles. CISA plans to use AI-enabled software to enhance cyber defenses for critical infrastructure, partner with government and industry entities, and launch JCDC.AI, a website to coordinate AI-related threat responses. The agency will assess and assist secure-by-design AI adoption, provide guidance, formalize red-teaming recommendations for generative AI, share findings, and contribute to DHS's overall U.S. strategy for AI and cybersecurity. CISA also aims to expand internal AI expertise through education and recruitment efforts.
CISA, FBI WARN OF SOCIAL ENGINEERING-BASED RANSOMWARE BY ALEXANDRA KELLEY
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory warning about Scattered Spider, a ransomware group targeting large U.S. corporations. The group employs social engineering tactics, such as phishing schemes, push bombing, and subscriber identity module attacks, to breach network defenses. Scattered Spider gains access by contacting IT helpdesk services with deceptive questions. Once inside, the group utilizes malware to monitor and extract data, often using legitimate software tools in a tactic known as "living off the land." Incidents also show the use of BlackCat/ALPHV ransomware. The advisory emphasizes not paying ransoms, as it incentivizes further attacks and re-victimization.
CISA WARNS OF ACTIVELY EXPLOITED WINDOWS, SOPHOS, AND ORACLE BUGS BY BILL TOULAS
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to its Known Exploited Vulnerabilities catalog:
- CVE-2023-36584: "Mark of the Web" (MotW) security feature bypass on Microsoft Windows. Microsoft addressed this in the October 2023 security updates.
- CVE-2023-1671: Command injection vulnerability in Sophos Web Appliance, allowing remote code execution (RCE). Sophos fixed this on April 4, 2023. It has a severity score of 9.8.
- CVE-2020-2551: Unspecified vulnerability in Oracle Fusion Middleware, allowing an unauthenticated attacker to compromise the WebLogic server via IIOP.
CISA urges federal agencies to apply security updates for these vulnerabilities by December 7. The Sophos Web Appliance reached end-of-life in July, and users are advised to migrate to Sophos Firewall for optimal security.
DEVELOPERS CAN’T SEEM TO STOP EXPOSING CREDENTIALS IN PUBLICLY ACCESSIBLE CODE BY DAN GOODIN
A recent report by security researchers reveals that almost 4,000 unique secrets were found in 450,000 Python projects submitted to PyPI, the official code repository for the Python programming language. These secrets, including cryptographic keys and passwords, were exposed in various types of files published on PyPI, potentially providing unauthorized access to resources like Microsoft Active Directory servers, OAuth servers, SSH servers, and third-party services for customer communications and cryptocurrencies. Despite numerous warnings and security measures available, many developers still inadvertently embed sensitive credentials directly into source code, making them vulnerable to exploitation by attackers.
THE NSA SEEMS PRETTY STRESSED ABOUT THE THREAT OF CHINESE HACKERS IN US CRITICAL INFRASTRUCTURE BY LILY HAY NEWMAN
At the Cyberwarcon security conference, officials from the United States National Security Agency (NSA) warned about the threat of Chinese government-backed hackers embedding in US critical infrastructure. They highlighted the sophisticated and pervasive nature of the threat posed by a Beijing-sponsored group known as Volt Typhoon, which has been targeting critical infrastructure networks, including power grids. The hackers are adept at manipulating and misusing legitimate tools, employing 'living off the land' tactics in a similar fashion to Scattered Spider, making their activity difficult to detect. The NSA urged network defenders to be vigilant, manage system logs for anomalous activity, and implement best practices to secure critical infrastructure.