Friday Five: Vulnerability Disclosure, Malicious QR Codes, Social Media Giants Challenged, & More
Between malicious QR codes, ransomware, and new legislation that would require increased vulnerability disclosures, organizations have a lot to pay attention to in this week's headlines. Catch up on it all in this week’s Friday Five!
NEW BILL WOULD REQUIRE ALL FEDERAL CONTRACTORS TO DEVELOP VULNERABILITY DISCLOSURE POLICIES BY CHRIS RIOTTA
Rep. Nancy Mace (R-S.C.) introduced the Federal Cybersecurity Vulnerability Reduction Act, which aims to make federal contractors adopt vulnerability disclosure policies in line with NIST guidelines. The bill directs the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Institute of Standards and Technology (NIST) to recommend updates to contract requirements, and it directs the Defense Department to create uniform vulnerability disclosure policies within six months. Mace emphasizes the bill's role in proactive cybersecurity, enabling contractors to counteract threats before they are exploited. The legislation builds on previous federal guidance, closes a gap in the security of contractors who perform government functions, and supports coordinated vulnerability disclosure as directed by the National Cybersecurity Strategy.
QR CODES USED TO PHISH FOR MICROSOFT CREDENTIALS BY PIETER ARNTZ
Researchers have uncovered a phishing campaign that uses QR codes to target Microsoft credentials. QR codes, the two-dimensional barcodes that store arbitrary data and gained wide adoption during the pandemic, are easy to abuse because a malicious code looks no different from a benign one: the destination cannot be read by eye. Researchers tracked roughly 1,000 malicious emails in a large-scale campaign active since May 2023; a major US energy company was the most prominent target, receiving 29% of the malicious QR code emails. The links embedded in the QR codes redirected victims to phishing sites, typically for credential theft or malware installation, often mimicking Microsoft security notices. Campaign volume has surged over 2,400% since discovery. Recommendations include treating QR codes with caution, verifying their source, and scanning with the smartphone's own camera app so the destination URL can be inspected.
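The defensive side of the QR-code story is a triage problem: once a mail gateway or analyst has decoded the barcode, the resulting URL must be judged. The following Python is an added example (not code from the original article or the researchers) that scores a decoded URL against the patterns the summary describes: lookalike "Microsoft" hosts, brand words on untrusted domains, IP-literal hosts, plain-HTTP links, and open-redirect bounces carrying a second URL in the query string. The allowlist of trusted sign-in domains, the brand tokens and the sample URLs are all constructed assumptions; QR image decoding itself is out of scope and the input is the string a decoder returned.

```python
"""Triage of URLs decoded from QR codes in inbound mail (added example, constructed inputs)."""
import ipaddress
from urllib.parse import parse_qs, urlparse

# Assumed allowlist of legitimate Microsoft sign-in domains (hypothetical; adjust to your tenant).
TRUSTED_SUFFIXES = ("microsoft.com", "microsoftonline.com", "live.com", "office.com")
# Brand words whose presence on an *untrusted* host or path is the classic lookalike pattern.
BRAND_TOKENS = ("microsoft", "office365", "o365", "outlook", "sharepoint")


def _is_trusted_host(host: str) -> bool:
    """True when host is exactly a trusted domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_url(url: str) -> list[str]:
    """Return reason codes for a decoded QR URL; an empty list means no finding."""
    findings = []
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        findings.append("non-https")
    if not host:
        findings.append("no-host")
        return findings
    if _is_ip_literal(host):
        findings.append("ip-literal-host")
    if not _is_trusted_host(host):
        if any(tok in host for tok in BRAND_TOKENS):
            findings.append("brand-lookalike-host")
        if any(tok in parsed.path.lower() for tok in BRAND_TOKENS):
            findings.append("brand-in-path")
    # A second URL inside the query string is the open-redirect / tracking-bounce pattern.
    for values in parse_qs(parsed.query).values():
        if any(v.lower().startswith(("http://", "https://")) for v in values):
            findings.append("embedded-redirect")
            break
    return findings


# Constructed sample of decoded QR destinations, as a gateway might hand them to an analyst.
SAMPLE_DECODED_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://microsoft-security-notice.example/verify",
    "http://198.51.100.7/office365/login",
    "https://bounce.example/go?u=https://evil.example/outlook",
]


def triage_batch(urls: list[str]) -> dict[str, list[str]]:
    """Map each URL to its findings; callers typically quarantine anything non-empty."""
    return {u: triage_qr_url(u) for u in urls}


if __name__ == "__main__":
    for url, reasons in triage_batch(SAMPLE_DECODED_URLS).items():
        print(f"{'ALLOW' if not reasons else 'HOLD ':5} {url}  {reasons}")
```

Only the first sample URL passes clean; the others are held with one or more reason codes. In practice the suffix allowlist is the part worth maintaining carefully, since a legitimate tenant-specific sign-in host that is missing from it will be held as a lookalike.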
TWO DOZEN ARRESTED, HUNDREDS OF MALICIOUS IPS TAKEN DOWN IN AFRICAN CYBERCRIME OPERATION BY AJ VICENS
Interpol's Africa Cyber Surge II operation, supported by organizations including Group-IB, Trend Micro, Kaspersky, and Coinbase, led to 14 arrests across Africa and took down numerous malicious IP addresses and malware hosting servers, according to a recent statement. Launched in April 2023, the operation aimed to identify cybercriminals and compromised infrastructure. Private sector contributions revealed thousands of malicious servers, victim IP addresses, phishing links, scam IPs, and more. The cybercrimes involved, including fraud and art scams, caused over $40 million in financial losses. The operation spanned 25 countries, with Interpol's Cybercrime Directorate and Afripol coordinating efforts to combat cybercrime and strengthen law enforcement across the African Union.
AKIRA RANSOMWARE TARGETS CISCO VPNS TO BREACH ORGANIZATIONS BY BILL TOULAS
Akira ransomware is targeting Cisco VPN products, which are widely adopted across many industries, to infiltrate corporate networks. Operating since March 2023, the group has added a Linux encryptor for VMware ESXi VMs. A report suggests an unknown vulnerability in Cisco VPN software might enable authentication bypass, and that Akira logs in with compromised VPN accounts, so it does not need to plant additional backdoors. Leaked data and the use of RustDesk for remote access provide further evidence of Akira's reliance on Cisco VPN access. Once inside, Akira also manipulates SQL databases, disables firewalls, enables RDP, and more. Avast's decryptor is only effective against older Akira versions.
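Two of the post-access actions named above, disabling the host firewall and enabling RDP, leave command lines that endpoint telemetry can catch, and seeing both on one host within a short window is a much stronger signal than either alone. The Python below is an added example (not code from the original article or from any vendor's detection content) that matches constructed Sysmon/4688-style command-line events against two signatures and correlates them per host. The event format, the rule names, the 30-minute window and the sample events are all assumptions.

```python
"""Host-prep correlation over constructed process command-line events (added example)."""
import re
from datetime import datetime, timedelta

# Signatures for the two hardening changes the write-up names (assumed telemetry: command lines
# from Sysmon Event ID 1 or Windows 4688). Names are hypothetical rule identifiers.
RULES = {
    "rdp-enabled-via-registry": re.compile(
        r"fDenyTSConnections\b.*?(/d|-Value)\s*0\b", re.IGNORECASE),
    "firewall-disabled-netsh": re.compile(
        r"advfirewall\s+set\s+\w+\s+state\s+off", re.IGNORECASE),
    "firewall-disabled-powershell": re.compile(
        r"Set-NetFirewallProfile\b.*-Enabled\s+\$?False", re.IGNORECASE),
}

BASE = datetime(2023, 8, 25, 10, 0, 0)

# Constructed sample events: (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    (BASE, "ws-01", "admin",
     r'cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
     r"/v fDenyTSConnections /t REG_DWORD /d 0 /f"),
    (BASE + timedelta(minutes=5), "ws-01", "admin",
     "netsh advfirewall set allprofiles state off"),
    (BASE + timedelta(minutes=7), "srv-db", "svc_sql", 'sqlcmd -S . -Q "SELECT 1"'),
    (BASE + timedelta(hours=4), "ws-07", "helpdesk",
     "netsh advfirewall set domainprofile state off"),
    (BASE + timedelta(hours=5), "ws-01", "admin", "notepad.exe"),
]


def match_rules(cmdline: str) -> list[str]:
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def host_summary(events) -> dict[str, list[str]]:
    """Per host, the sorted set of distinct rules that fired at any time."""
    hits = {}
    for _ts, host, _user, cmd in events:
        for rule in match_rules(cmd):
            hits.setdefault(host, set()).add(rule)
    return {h: sorted(r) for h, r in hits.items()}


def correlate(events, window: timedelta = timedelta(minutes=30)) -> list[str]:
    """Hosts where at least two *different* rules fired within one window.

    A lone firewall change is routine admin noise; firewall off plus RDP on
    within minutes on the same host is the pattern worth paging on.
    """
    per_host = {}
    for ts, host, _user, cmd in sorted(events, key=lambda e: e[0]):
        for rule in match_rules(cmd):
            per_host.setdefault(host, []).append((ts, rule))
    flagged = []
    for host, hits in per_host.items():
        for i, (start, _rule) in enumerate(hits):
            distinct = {r for t, r in hits[i:] if t - start <= window}
            if len(distinct) >= 2:
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("per-host rule hits:", host_summary(SAMPLE_EVENTS))
    print("hosts with correlated prep activity:", correlate(SAMPLE_EVENTS))
```

On the sample, ws-07 shows a single firewall change and stays below the correlation bar, while ws-01 fires both signatures five minutes apart and is flagged. Tuning the window is the main knob: too wide and routine GPO-driven changes on a busy host will pair up, too narrow and a slow-moving operator slips through.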
TWELVE NATIONS URGE SOCIAL MEDIA GIANTS TO TACKLE ILLEGAL DATA SCRAPING BY EILEEN YU
Twelve nations, including Australia, Canada, the UK, Hong Kong, and Switzerland, have issued a joint warning against data scraping technologies that harvest personal data from online platforms, citing privacy concerns. Data scraping gathers large volumes of personal data from the internet for purposes that include resale, identity fraud, and cyber attacks. The Office of the Australian Information Commissioner (OAIC) has observed an increase in data scraping reports and points to the Clearview AI case as an example. The statement emphasizes that data protection laws apply even to personal data that is publicly accessible. The nations expect platforms such as YouTube, TikTok, and Facebook to comply with their outlined principles, which include limiting the number of profile visits an account can make, detecting scrapers, and implementing security controls.
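The principles the joint statement lists, limiting account visits and detecting scrapers, come down to counting what an account does over a sliding window. The Python below is an added example (not code from the article or from any platform) that computes, per account, the largest number of distinct profiles viewed in any ten-minute window over a constructed access log, and flags accounts over a threshold. The log format, the account names, the window and the threshold are all assumptions; a real deployment would read the same tuples from the platform's request logs.

```python
"""Sliding-window scraper detection over a constructed profile-access log (added example)."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2023, 8, 25, 9, 0, 0)


def _build_sample_log():
    """Constructed sample: one automated account and two ordinary users."""
    log = []
    # bot_42 walks 120 different profiles, one per second: scraping behaviour.
    for i in range(120):
        log.append((BASE + timedelta(seconds=i), "bot_42", f"profile/{i}"))
    # alice looks at five profiles over eight minutes: ordinary browsing.
    for i in range(5):
        log.append((BASE + timedelta(minutes=2 * i), "alice", f"profile/{1000 + i}"))
    # bob reloads the same profile 200 times: chatty, but only one distinct profile.
    for i in range(200):
        log.append((BASE + timedelta(seconds=3 * i), "bob", "profile/7"))
    return sorted(log, key=lambda r: r[0])


# Each record is (timestamp, account, requested_profile).
SAMPLE_LOG = _build_sample_log()


def peak_distinct_profiles(log, window: timedelta = timedelta(minutes=10)) -> dict[str, int]:
    """Per account, the largest number of distinct profiles viewed inside any one window.

    Distinct profiles, not raw requests, is the metric: a user refreshing one
    page is not harvesting, an account touching hundreds of pages is.
    """
    windows = defaultdict(deque)   # account -> deque of (ts, profile) inside the window
    counts = defaultdict(Counter)  # account -> profile -> hits inside the window
    peak = defaultdict(int)
    for ts, account, profile in sorted(log, key=lambda r: r[0]):
        dq, ctr = windows[account], counts[account]
        dq.append((ts, profile))
        ctr[profile] += 1
        # Evict records older than the window, keeping the distinct count exact.
        while dq and ts - dq[0][0] > window:
            old_ts, old_profile = dq.popleft()
            ctr[old_profile] -= 1
            if ctr[old_profile] == 0:
                del ctr[old_profile]
        peak[account] = max(peak[account], len(ctr))
    return dict(peak)


def detect_scrapers(log, max_profiles: int = 50,
                    window: timedelta = timedelta(minutes=10)) -> list[str]:
    """Accounts whose peak distinct-profile count exceeds the limit (the 'limit account
    visits' principle turned into a detection)."""
    peaks = peak_distinct_profiles(log, window)
    return sorted(a for a, n in peaks.items() if n > max_profiles)


if __name__ == "__main__":
    print("peak distinct profiles per account:", peak_distinct_profiles(SAMPLE_LOG))
    print("accounts over limit:", detect_scrapers(SAMPLE_LOG))
```

The same per-account window state can be consulted inline to enforce the limit (refuse the request once the count is reached) rather than only to report afterwards; the eviction loop keeps memory bounded by the window length regardless of how long an account stays active.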