We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.
Please note that we’ve included links below to external websites. PCML consultants are not responsible for the content of any external websites.
We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website. We’ve linked to that page on our website at the end of this email.
This update includes Information Security, Environment and Health & Safety – click to jump to the relevant section.
Information Security
If you are an IT professional; these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.
Legislative changes
No new principal legislation and no other relevant legislation relevant to our customers was identified in this quarter.
One new regulation was proposed in the quarter:-
- Cyber Security and Resilience Bill (2024) Proposed in Q3 2024, this Bill aims to update and enhance the UK’s cyber defence capabilities by amending the Network and Information Systems (NIS) Regulations 2018, expanding their scope and addressing supply chain security and critical infrastructure resilience. It will be introduced to parliament in 2025 Cyber Security and Resilience Bill – GOV.UK
Other
Microsoft
SANS Internet Storm Centre published the following summaries of the patch Tuesday releases from :-
Other
- Windows Downgrade Attack: A vulnerability in Windows allowed attackers to downgrade fully patched systems, exposing them to previously fixed vulnerabilities. Microsoft is working on mitigations, but the process is extensive due to the large number of system files affected.
More here - Unpatched Microsoft Office NTLM Flaw: Microsoft disclosed a vulnerability in Office products that could expose NTLM hashes, which could be used in network attacks. While a fix is being developed, users are advised to block NTLM traffic to mitigate the risk.
More here - Zero-Click Vulnerability in IPv6: Microsoft warned of a critical remote code execution (RCE) vulnerability affecting all systems with IPv6 enabled. The flaw, which could allow attackers to remotely exploit devices without user interaction, requires immediate patching.
More here - Outlook Security Enhancements: Microsoft announced changes for Outlook personal accounts, including the deprecation of Basic Authentication (username and password) in favour of modern, token-based authentication methods to enhance security.
More here
Apple
Details of Key apple updates and security fixes can be found on Apple’s security updates page
Other
- Pegasus spyware exploit: Apple patched a zero-click vulnerability in iOS that allowed the NSO Group’s Pegasus spyware to be deployed via PassKit attachments in iMessage without user interaction.
More here - VoiceOver bug exposing passwords: A logic flaw in the iOS 18 VoiceOver feature could reveal saved passwords unintentionally. Apple resolved this issue in the iOS 18.0.1 update.
More here - macOS Sequoia VPN and antivirus compatibility issues: macOS 15 ‘Sequoia’ introduced changes in networking structures that caused VPN and endpoint security tools like ESET and CrowdStrike to malfunction, prompting warnings against immediate upgrades.
More here - iPhone Triangulation spyware attack: Kaspersky revealed that sophisticated attacks targeting iPhones since 2019 exploited undocumented hardware features in Apple chips, bypassing security protections.
More here
Linux, Android, Google
- Google & Android
- Google addresses actively exploited Android kernel flaw: A serious remote code execution (RCE) vulnerability (CVE-2024-36971) in the Android kernel, which had been exploited in the wild, was patched in August 2024. This bug allowed attackers to gain full control of targeted devices through spyware.
More here - Android Pixel zero-day exploit patched: Google released a fix for a privilege escalation flaw (CVE-2024-32896) in Pixel devices, which had been exploited in targeted attacks to bypass security features, preventing certain tools from auto-wiping compromised devices.
More here
- Google addresses actively exploited Android kernel flaw: A serious remote code execution (RCE) vulnerability (CVE-2024-36971) in the Android kernel, which had been exploited in the wild, was patched in August 2024. This bug allowed attackers to gain full control of targeted devices through spyware.
- Linux
- CUPS-based remote code execution vulnerability: A critical flaw in the CUPS printing system (CVE-2024-47176) was reported, allowing remote code execution on systems that have the cups-browsed service enabled, although it is not enabled by default on most systems.
More here - ‘Looney Tunables’ GLIBC vulnerability: A bug in the GNU C Library (glibc) named ‘Looney Tunables’ (CVE-2024-20347) was found to allow attackers to exploit environment variable mismanagement, giving them root access on affected Linux systems.
More here - Linux kernel privilege escalation flaw: A high-severity vulnerability in the Linux kernel’s netfilter framework (CVE-2024-1086) was actively exploited, allowing local attackers to gain root access by exploiting the nf_tables component.
More here
- CUPS-based remote code execution vulnerability: A critical flaw in the CUPS printing system (CVE-2024-47176) was reported, allowing remote code execution on systems that have the cups-browsed service enabled, although it is not enabled by default on most systems.
Roundup of recent posts by the National Cyber Security Centre (NCSC) and partner agencies
Information from the Information Commissioner’s Office and partner agencies
- More sectors added to the online privacy notice generator More here
- ICO seeking to fine NI Police £750K for data breach in August 2023 More here
- New data protection audit framework launched to help organisations improve compliance. The framework helps organisations identify appropriate steps to improve data protection practices and a compliance culture. It provides a starting point to evaluate how personal information is handled and protected More here
Noteworthy cyber incident and breach news reported in the quarter
This information is provided to raise awareness of the causes of incidents and breaches, so preventative action can be taken to prevent similar breaches in your organisations. It may also be helpful to keep your awareness-raising materials up to date and build business cases for information security investment
- CrowdStrike Falcon outage (July 2024): A faulty update to CrowdStrike’s Falcon sensor caused a global IT outage, affecting over 8.5 million devices, including those in the UK, causing widespread disruption to financial and healthcare sectors.
Source: More here and here - RockYou2024 password leak (July 2024): The RockYou2024 breach exposed over 10 billion passwords globally, increasing the risk of brute-force attacks on UK organisations and individuals.
Source: More here - Advanced NHS IT provider fined for 2022 ransomware breach (August 2024): Advanced, an IT provider to the NHS, was fined £6.09M after a 2022 ransomware attack exposed sensitive data affecting 83,000 people and caused disruptions to NHS services.
More here - Rhysida ransomware attack on Port of Seattle (August 2024): Though based in the US, the Rhysida ransomware attack on the Port of Seattle disrupted international shipping operations, posing indirect risks to UK-linked trade infrastructure.
- Blackpool Trust Schools ransomware attack (September 2024): Schools under the Blackpool Trust were hit by a ransomware attack, severely disrupting educational services and necessitating a complete IT infrastructure rebuild.
Source: More here - Fortinet confirms data breach after hacker claims to steal 440GB of files (September 2024) More here
- Transport for London (TfL) cyberattack (September 2024): A cyberattack on TfL compromised personal data of approximately 5,000 Oyster card users, exposing names, addresses, and banking information.
Source: More here - Irish DPC Commences Inquiry into Google’s AI Model (September 2024) The DPC has launched a cross-border statutory inquiry in to Google Ireland Ltd under the Irish Data Protection Act relating to Google’s foundational AI model and whether Google complied with its obligations to perform a Data protection Impact Assessment in accordance with the EU GDPR. More here
Highlights of new and emerging malware, techniques and other vulnerabilities in the quarter
This is not intended to be a comprehensive summary. Readers are strongly recommended to sign up for some of the more regular vulnerability news feeds available from SANS and other providers to stay abreast of emerging vulnerabilities in general and particularly those that may affect systems they use
- EDRKillShifter Malware (August 2024): RansomHub ransomware operators began deploying EDRKillShifter, a new malware used to disable Endpoint Detection and Response (EDR) software via a vulnerable driver, making it easier to execute ransomware attacks on UK organisations.
More here - SinkClose AMD Vulnerability (August 2024): A newly discovered flaw in AMD processors, called SinkClose, allows attackers with kernel-level access to install undetectable malware on systems, posing significant risks to UK organisations relying on AMD-based infrastructure.
More here - Sedexp Linux Malware (August 2024): The sedexp malware, undetected since 2022, was discovered exploiting a previously undocumented technique on Linux systems, allowing attackers to create hidden reverse shells and infiltrate critical infrastructure systems.
More here - INC Ransomware in UK Healthcare (September 2024): Vanilla Tempest, a ransomware group, launched INC ransomware attacks targeting UK healthcare organisations, compromising NHS systems and disrupting patient services
More here - Windows Powershell Phish (September 2024) GitHub users reported receiving novel phishing emails that asked recipients to prove they were not bots by entering keystrokes in response to a CAPTCHA request that caused Windows to download credential-stealing malware. More here
Environment
Legislative changes
No new principal legislation relevant to our customers was identified in this quarter. The Packaging Waste (Data Reporting) (England) (Amendment) Regulations 2024 amended the Packaging Waste Regulations to cover drinks packaging, household packaging and exempted packaging, and to clarify definitions of persons with responsibilities under the regulations.
Health & Safety
Legislative changes
- No new principal legislation and no other relevant legislation relevant to our customers was identified in this quarter. Further commencement regulations were published that bring in to force requirements previously stated in the Building Safety Act 2022.
HSE Bulletins and News
- Annual workplace fatality figures for 2023/24 show that a total of 138 workers were killed at work in Great Britain between April 2023 and March 2024. The worst affected sector was construction and the highest cause of deaths was falls from height. HSE guidance regarding working at height, including obligations and common myths is published here
- Annual mesothelioma data released – The figures show 2,257 people died from the disease in 2022. This is slightly lower than the 2,290 deaths in 2021, and substantially lower than the average of 2,529 deaths per year over the period from 2012 to 2020. HSE guidance on responsibilities in relation to asbestos is published here
- Homeworking guidance
- Guidance on violence at work
- Guidance on managing risks of lone working
- World Mental Health Day was on 10th October. HSE’s Working Minds Campaign information is published here
If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environment, H&S and Business Continuity objectives, then please don’t hesitate to get in touch
Here are some more helpful links which may be of use
