US government launches IoT security labeling program
The Biden administration has launched its long-awaited “U.S. Cyber Trust Mark” program, which aims to protect Americans from security risks associated with Internet of Things (IoT) devices. The criteria for the voluntary, Energy Star-influenced labeling system were established by the National Institute of Standards and Technology (NIST). So far, the standard calls for strong and unique default passwords, protections for data at rest and in transit, regular security updates, and built-in incident detection capabilities. The Cyber Trust Mark will take the form of a distinct shield logo that appears on products meeting the established cybersecurity criteria. The full list of standards is planned for completion by the end of 2023 and for launch in 2024.
Renewable technologies could pose risk to US electric grid
At a congressional hearing on Tuesday, former Assistant Secretary of Defense Paul Stockton warned that the inverters underpinning solar and wind energy storage systems present potential hacking risks. Inverters convert the direct current (DC) electricity generated by solar panels into the alternating current (AC) used by the electric grid. Stockton said inverters are a major point of weakness because the equipment is digitally native and because China is a major manufacturer of many of those devices. While inverters currently account for only roughly 14% of total electricity generation, the threat vector is expected to expand in the coming years. Stockton said securing inverters presents “an opportunity to transition to a stronger resilience strategy to defend the grid.”
US blacklists two spyware firms run by Israeli former general
On Tuesday, the US Commerce Department added two Europe-based hacking firms, Intellexa and Cytrox, to its blacklist. According to the Commerce Department, both firms are controlled by Tal Dilian, a former Israeli general. Both companies are at the center of a political scandal in Greece, where government officials have been accused of using their hacking tools against journalists and political opponents. American companies are largely prohibited from doing business with the blacklisted firms, in order to prevent their operations from leveraging US technologies. Dilian was forced to retire from the Israeli forces in 2003 on suspicion of involvement in funds mismanagement.
(NY Times)
Cybersecurity firm Sophos impersonated by new ransomware scheme
On Monday, researchers discovered a ransomware-as-a-service operation called SophosEncrypt that leverages the name of the well-known cybersecurity vendor. The ransomware replaces the Windows desktop wallpaper with one boldly displaying the ‘Sophos’ brand. The ransomware was initially thought to be part of a red team exercise by Sophos, but the firm’s X-Ops team tweeted that they did not create the encryptor and that they are investigating the matter. SophosEncrypt’s Command and Control (C2) servers have been linked to Cobalt Strike servers used in previous attacks. Recent submissions from infected victims indicate that SophosEncrypt is active, and researchers are analyzing the malware for weaknesses that could help decrypt victim files for free.
VirusTotal data leak affects 5K+ users
VirusTotal, the Google-owned online service used to detect malicious files and URLs, has experienced a data leak exposing the data of 5,600 of its users. The leaked data includes names and email addresses of employees from US and German intelligence agencies, official bodies of the Netherlands, Taiwan, and Great Britain, as well as BMW and Mercedes-Benz. While passwords remain concealed, the leaked information gives threat actors exactly what they need to launch spear-phishing attacks against the affected individuals. Google acknowledged the data leak and indicated it was caused unintentionally by a Google employee.
New critical Citrix flaw exploited as zero-day
On Tuesday, Citrix issued fixes for a critical-severity (9.8 out of 10) vulnerability (CVE-2023-3519) in NetScaler ADC and NetScaler Gateway that is being exploited in the wild, along with fixes for two other bugs. If a vulnerable appliance is configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication virtual server (the so-called AAA server), an attacker can exploit the flaw to execute code remotely without authentication. There is speculation that the bug is linked to the Citrix ADC zero-day that was advertised on a hacker forum earlier this month.
Google Cloud Build could lead to supply chain attacks
Researchers have disclosed a design flaw in the Google Cloud Build service that could allow attackers to escalate privileges and gain unauthorized access to Google Artifact Registry code repositories. Dubbed Bad.Build, the flaw could allow threat actors to impersonate the service account of the Cloud Build managed continuous integration and delivery (CI/CD) service in order to run API calls and inject builds with malicious code. The flaw was reported through Google’s Vulnerability Rewards program, and Google says it fixed the issue last month. However, the researchers claim the fix limits privilege escalation but does not fully resolve the risk of supply chain attacks. Customers should apply least privilege to the default Google Cloud Build service account and monitor its activity.
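One way to act on that least-privilege recommendation, as an added example that is not code from the researchers or from Google: a small audit over an exported project IAM policy that flags any role on the default Cloud Build service account outside an allowlist, and lists the principals who can submit builds (and therefore run code as that account). The policy JSON is constructed in the shape of a `gcloud projects get-iam-policy --format=json` export; the allowlist and the set of build-submitting roles are assumptions to adjust per project.

```python
import json
import re

# Constructed sample policy (project number and members are made up), trimmed to
# the "bindings" field that the audit reads.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/cloudbuild.builds.editor",
         "members": ["group:all-devs@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:alice@example.com"]},
    ]
})

# The default Cloud Build service account is named PROJECT_NUMBER@cloudbuild.gserviceaccount.com.
CLOUD_BUILD_SA = re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")

# Roles we accept on the build account; anything else is reported as over-privileged.
# Assumption: an illustrative allowlist, not a vendor recommendation.
ALLOWED_BUILD_SA_ROLES = {"roles/cloudbuild.builds.builder", "roles/logging.logWriter"}

# Roles that let a principal submit builds, i.e. execute steps under the build account.
# Assumption: illustrative set; extend with custom roles used in your project.
BUILD_SUBMIT_ROLES = {"roles/cloudbuild.builds.editor", "roles/editor", "roles/owner"}


def audit_cloud_build_policy(policy_json: str) -> dict:
    """Return over-broad roles on the build SA and non-SA principals able to submit builds."""
    policy = json.loads(policy_json)
    broad_roles, build_submitters = [], []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            is_build_sa = bool(CLOUD_BUILD_SA.match(member))
            if is_build_sa and role not in ALLOWED_BUILD_SA_ROLES:
                broad_roles.append((member, role))
            if role in BUILD_SUBMIT_ROLES and not is_build_sa:
                build_submitters.append((member, role))
    return {"broad_roles": sorted(broad_roles), "build_submitters": sorted(build_submitters)}


if __name__ == "__main__":
    for category, findings in audit_cloud_build_policy(SAMPLE_POLICY).items():
        print(category, *findings, sep="\n  ")
```

Feed it a real export and treat every reported build submitter as a principal whose compromise is equivalent to compromising the build account itself.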
Hacker gets infected by their own infostealer
Since 2020, a hacker known as “La_Citrix” has built a reputation by using an infostealer to steal credentials from organizations and selling them on Russian-language Dark Web forums. However, La_Citrix apparently slipped up, accidentally infected his own computer with the malware, and then sold off his own data, along with a cache of other stolen data, to security researchers at Hudson Rock. Hudson Rock’s Dark Web monitoring API detected the stolen data, which featured a single individual appearing to be an employee at nearly 300 different companies. Researchers found that La_Citrix used his personal computer to orchestrate all of the hacking incidents, using credentials saved in his web browsers. The team at Hudson Rock was quickly able to ascertain the threat actor’s identity, address, and phone number and has turned that information over to law enforcement.