We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.
Please note that we’ve included links below to external websites. PCML consultants are not responsible for the content of any external websites. We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website.
This update includes Information Security, Environment, Health & Safety and Other – Russia Sanctions.
Information Security
If you are an IT professional, these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.
Legislative changes
The Investigatory Powers (Communications Data) (Relevant Public Authorities and Designated Senior Officers) Regulations 2022 have amended the Investigatory Powers Act 2016. They change the powers of relevant services to acquire communications data, amending their authority to internally authorise acquisition of communications data for serious crime purposes so that it is limited to urgent situations as defined in the Act.
The Computer Misuse Act 1990 is under review. You just have time to have your say – Review of the Computer Misuse Act 1990 – GOV.UK (www.gov.uk)
The Data Protection and Digital Information (No. 2) Bill is currently at the second reading stage in Parliament – Data Protection and Digital Information (No. 2) Bill – Parliamentary Bills – UK Parliament. Key points include:
A list of activities that would be considered ‘legitimate interest’
Records of processing would only be required for organisations carrying out processing activities likely to result in high risk to rights and freedoms of data subjects
Increase in fines for nuisance calls and texts to 4% of global turnover or 17.5 million GBP
Framework for use of digital verification services
Other updates
Microsoft – Highlights of the last quarter’s Microsoft Patch Tuesdays: March fixed 74 security flaws, two of which are being actively exploited, including a severe weakness in Outlook that can be exploited without user interaction; February fixed three actively exploited zero-day vulnerabilities; January fixed 100 security flaws, including a zero-day vulnerability in Windows, printer flaws and a SharePoint Server issue.
‘Acropalypse bug’ affects Windows devices too. It is confirmed to affect the Windows 11 Snipping Tool and the Windows 10 Snip & Sketch tool. It was already known to affect Google’s Markup screen editing tool for Pixel and allows partial recovery of cropped or redacted images, including screenshots, because the edited image was written over the original file without truncating it and the leftover data survives after the end of the new image. Microsoft released an update to fix the issue last week.
Microsoft fixes Acropalypse privacy bug in Windows 11 Snipping Tool (bleepingcomputer.com)
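A practical check for images you have already published: a clean PNG ends at its IEND chunk, so any bytes after it are leftover data that recovery tools can work with. The script below is an added example (not part of the newsletter or of Microsoft’s fix); it builds two small constructed PNGs, reproduces the faulty in-place save, and reports the number of trailing bytes so you can scan a folder of screenshots before sharing them.

```python
"""Check PNG files for data left after the IEND chunk.

Added example, not from the newsletter or from Microsoft. The Acropalypse bug
came from an editor that wrote the cropped PNG over the original file without
truncating it, so the tail of the original image stayed on disk after the new
IEND chunk. The sample images below are constructed in-memory test data.
"""
import struct
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Build a minimal valid 8-bit RGB PNG with a varying pattern (constructed data)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = []
    for y in range(height):
        # filter byte 0 (None) followed by width*3 sample bytes
        rows.append(b"\x00" + bytes((x * 37 + y * 11) & 0xFF for x in range(width * 3)))
    idat = zlib.compress(b"".join(rows))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def trailing_bytes(data: bytes) -> int:
    """Return the number of bytes after the IEND chunk, or -1 if not a well-formed PNG.

    Any value > 0 means the file carries data a PNG decoder ignores, which is
    exactly what the Acropalypse recovery tools feed on.
    """
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            return -1                    # truncated chunk
        if ctype == b"IEND":
            return len(data) - end
        pos = end
    return -1                            # no IEND chunk at all


def simulate_faulty_save(original: bytes, cropped: bytes) -> bytes:
    """Reproduce the bug: the new file is written in place without truncation."""
    if len(cropped) >= len(original):
        return cropped
    return cropped + original[len(cropped):]


def scan_directory(root: str) -> dict:
    """Map each *.png under root to its trailing byte count (-1 = not a clean PNG)."""
    return {str(p): trailing_bytes(p.read_bytes()) for p in Path(root).rglob("*.png")}


if __name__ == "__main__":
    full = make_png(128, 96)
    crop = make_png(16, 16)
    leaked = simulate_faulty_save(full, crop)
    print("clean crop:", trailing_bytes(crop), "bytes after IEND")
    print("faulty save:", trailing_bytes(leaked), "bytes after IEND")
```

Point `scan_directory` at a screenshots folder and treat anything reporting more than zero trailing bytes as potentially leaking the uncropped original; re-saving the file through a tool that truncates on write (or re-encoding it) removes the tail.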
The public preview of Microsoft 365 Defender’s automated attack disruption capabilities has been expanded to include business email compromise (BEC) – Microsoft expands attack disruption to BEC, ransomware • The Register. Defender for individuals is now force-installed when users install or update Microsoft 365 apps – Microsoft Defender app now force-installed for Microsoft 365 users (bleepingcomputer.com)
Bye-bye Windows 8.1. Support for the venerable operating system ended on 10th January 2023… Windows 8.1 support ended on January 10, 2023 – Microsoft Support. Organisations still using systems running 8.1, e.g. where legacy software won’t run on later operating systems, should take appropriate action to secure those systems. **Remember – organisations holding Cyber Essentials are required either to remove unsupported software from in-scope devices, or to de-scope devices running that software into a defined subset that prevents traffic to and from the internet**.
A network configuration issue in January caused an outage affecting multiple M365 services. Microsoft said the issues were resolved after they rolled back a network change – Microsoft says services have recovered after major outage that affected Teams and Outlook users | ZDNET
Apple
A new class of privilege escalation bug was found in iOS and macOS – A New Kind of Bug Spells Trouble for iOS and macOS Security | WIRED
Update for actively-exploited iOS zero-day vulnerability released – Apple fixes new WebKit zero-day exploited to hack iPhones, Macs (bleepingcomputer.com)
Roundup of recent posts by the National Cyber Security Centre (NCSC) and partner agencies
‘AI’ chat risks – This blog post discusses the risks around the use of ChatGPT and other Large Language Models (LLMs), including those hosted on-prem. Issues can include…
serving up incorrect answers
bias and gullibility
potential for manipulation by users to produce toxic content
regurgitation of information shared with them to other users
potential for malicious actors to use them to craft more convincing phishing emails across multiple languages (i.e. fewer easy-to-spot grammatical and spelling errors)
The NCSC recommends not to include sensitive information in queries to public LLMs and not to submit queries to public LLMs that might cause issues were they made public (similar precautions that you might take when using internet search engines). Link – ChatGPT and LLMs: what’s the risk – NCSC.GOV.UK
See also under noteworthy breaches below.
Supply chain mapping – Guidance for organisations to help with assessing risks associated with their supply chain. How to assess and gain confidence in your supply chain… – NCSC.GOV.UK outlines five practical stages and Mapping your supply chain – NCSC.GOV.UK is aimed at larger organisations to help map their supply chain dependencies, so that risks in the supply chain can be better understood and managed
MSP Cloud security – Guidance on using Managed Service Providers (MSPs) to administer your cloud services… Using MSPs to administer your cloud services – NCSC.GOV.UK
Supplier personnel management – Updated guidance for organisations on assessing a supplier’s approach to managing the security of its personnel who might be in a position to access your organisation’s information, such as support staff. The updates are linked from this blog post: Personnel security in the cloud – NCSC.GOV.UK
Phishing – Don’t just tell your staff not to click ‘bad links’- implement modern technical controls… Telling users to ‘avoid clicking bad links’ still isn’t… – NCSC.GOV.UK
Vulnerability disclosure toolkit – The NCSC’s Vulnerability Disclosure Toolkit – NCSC.GOV.UK for organisations to securely receive information about, and address, vulnerabilities discovered in their systems
Cyber Essentials 2023 – The 2023 changes to Cyber Essentials come into force for organisations seeking certification or recertification from 24th April 2023. The revised technical guidance is here… Cyber Essentials Requirements for IT Infrastructure v3.1 April 2023 (published January 2023) (ncsc.gov.uk). The key changes from the last version can be found on the IASME blog page here… What are the changes to Cyber Essentials this year? – IASME
ESXiArgs ransomware recovery kit – CISA released a recovery script for organisations affected by ESXiArgs ransomware… CISA Releases ESXiArgs Ransomware Recovery Script | CISA. By way of reminder, the NCSC has a page on understanding and dealing with ransomware here: A guide to ransomware – NCSC.GOV.UK
Decider tool – CISA and partners including MITRE have released a free tool (Decider) to help map threat actor behaviour to the MITRE ATT&CK framework: GitHub – cisagov/decider: A web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviours to the MITRE ATT&CK® framework.
Untitled Goose Tool (I did not make this up; apparently it’s a reference to the ‘Untitled Goose Game’) – CISA has released this open source tool to help network managers understand their Azure, Azure AD and M365 environments. It can help detect malicious activity and misconfiguration in those environments. New CISA tool detects hacking activity in Microsoft cloud services (bleepingcomputer.com)
Noteworthy cyber incidents
This is just a flavour of some recent cyber incidents that stood out as attacks on ‘big name’ organisations, or where there were very significant impacts, since our last update. More detailed reports of incidents and emerging vulnerabilities can be obtained from the information sources at the end of this newsletter.
LastPass – LastPass admitted in August 2022 that it had been the victim of a cyber attack. At the time it said that only proprietary technical information had been compromised and that the breach had been contained. It took until December 2022 before the full extent of the hack was revealed: sensitive customer data had been accessed, along with backups of customer vaults containing both encrypted and unencrypted fields. While the breach does not appear to have exposed the passwords stored inside vaults or customers’ master passwords, the stolen data could allow malicious actors to spear-phish users and trick them into revealing those passwords. More concerning is that long-standing customers’ vaults may be vulnerable to offline cracking, because the recommended number of PBKDF2 iterations used to derive the vault encryption key from the master password has risen substantially since the service was introduced, but older accounts were not automatically upgraded to the current setting.
Earlier this month, LastPass issued technical guidance to users on how to upgrade their account settings to reduce the likelihood of malicious actors successfully cracking their vaults. LastPass users have also been emailed and presented with multiple pop-ups at login pointing them to the guidance. The latest blog post from LastPass, including recommended actions for customers and business administrators, is published here… Security Incident March 2023 Update & Actions – LastPass
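To make the ‘upgrade your iteration count’ advice concrete, the script below is an added example (not LastPass code) that derives a vault key with PBKDF2-HMAC-SHA256, using the lower-cased account name as the salt (the construction LastPass describes in its public documentation; treated here as an assumption), times one guess at an old and a current iteration count, and turns that into a rough offline-cracking estimate. The credentials and attacker speed-up factor are constructed planning numbers, not measurements of any real attacker.

```python
"""What 'upgrading the iteration count' means for a password-manager vault.

Added example, not LastPass code. Derives a vault key with PBKDF2-HMAC-SHA256
using the account name as salt (assumption: the scheme LastPass documents),
measures the cost of one guess at two iteration counts, and estimates how long
an offline attacker would need to work through a candidate list.
"""
import hashlib
import time

# OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256; use it as the floor.
RECOMMENDED_ITERATIONS = 600_000


def derive_vault_key(master_password: str, account_email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, 32-byte output; the salt is the lower-cased account name."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               account_email.lower().encode(), iterations, dklen=32)


def classify_iterations(iterations: int) -> str:
    """'upgrade' when the account sits below the current recommendation."""
    return "ok" if iterations >= RECOMMENDED_ITERATIONS else "upgrade"


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure one PBKDF2 evaluation on this machine (single core, stdlib only)."""
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        derive_vault_key("benchmark-only", "bench@example.com", iterations)
        best = min(best, time.perf_counter() - t0)
    return best


def crack_time_seconds(sec_per_guess: float, candidates: int, parallel_factor: float) -> float:
    """Time to exhaust a candidate list given an attacker speed-up over this core.

    parallel_factor is how many times faster than this single core the attacker
    runs (GPU rigs reach into the thousands). A planning number, not a benchmark.
    """
    return sec_per_guess * candidates / parallel_factor


if __name__ == "__main__":
    # 5,000 was a common legacy setting; 600,000 is the current recommendation.
    for it in (5_000, RECOMMENDED_ITERATIONS):
        spg = seconds_per_guess(it)
        days = crack_time_seconds(spg, candidates=10**9, parallel_factor=5_000) / 86_400
        print(f"{it:>8} iterations: {classify_iterations(it):8} {spg * 1000:8.2f} ms/guess "
              f"-> ~{days:,.1f} days for 1e9 guesses at 5000x this core")
```

The iteration count is a linear multiplier on the attacker’s cost, so the ratio between the two lines of output is the whole point: an account still on a legacy count gives an attacker holding the stolen vault backup a head start of two orders of magnitude, which is why changing the master password and raising the count are both recommended rather than either alone.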
Royal Mail – In January 2023, Royal Mail was hit by a cyber attack engineered by the LockBit ransomware group, which demanded a £65 million ransom payment that Royal Mail refused to pay. Disruption caused by the attack and recovery from it forced Royal Mail to suspend international parcel and letter deliveries through Post Office branches for almost six weeks. A breach of employee data has also been reported. LockBit ransomware – what you need to know | Tripwire
Dropbox – Suffered a successful phishing attack that allowed malicious actors to access and steal 130 of its code repositories. The code and data around it included personal information of staff, customers, vendors and sales leads. The attack impersonated CircleCI. The same attack was used successfully against a number of other GitHub users last autumn and highlighted concerns around supply chain attacks, particularly on software and SaaS providers. Dropbox discloses breach after hacker stole 130 GitHub repositories (bleepingcomputer.com) Note – GitHub has started rolling out mandatory MFA for developers: GitHub makes 2FA mandatory next week for active developers (bleepingcomputer.com)
Ferrari – Got one? Criminals may have your personal data then… Ferrari in a spin as crims steal customer data • The Register
GoDaddy discloses multi-year breach – Malicious actors were able to redirect visitors to GoDaddy’s customers’ sites to malicious sites. GoDaddy: Hackers stole source code, installed malware in multi-year breach (bleepingcomputer.com)
T-Mobile suffered a significant breach in the US – T-Mobile announces another data breach, impacting 37 million accounts – The Verge
OpenAI took ChatGPT offline on Monday 20th March. When it returned, the chat history function had been turned off. Some users had reported that they could see the titles of other users’ conversations with the AI. A subsequent announcement indicated that some users’ payment information may also have been exposed during the incident. The company says the payment information leak may have affected around 1.2 percent of ChatGPT Plus subscribers who used the service between 4AM and 1PM US Eastern Time (8am to 5pm GMT) on March 20th. ChatGPT’s history bug may have also exposed payment info, says OpenAI – The Verge
This blog post highlights the best and worst practices to help you with your incident responses – Best and worst data breach responses highlight the do’s and don’ts of IR | CSO Online
New and emerging malware and techniques
Malicious OneNote file attachments – There has been an increase in the use of Microsoft OneNote file attachments to spread malware on Windows. This appears to be a reaction to Microsoft blocking macros in Office documents downloaded from the internet in 2022; the malicious actors have switched to OneNote files with embedded scripts or executables instead. This article recommends blocking OneNote attachments (.one files)… How to prevent Microsoft OneNote files from infecting Windows with malware (bleepingcomputer.com)
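An extension block is a good first step, but attackers rename files, and the dangerous part of a OneNote lure is the embedded file object, not the notebook itself. The script below is an added example (not from the BleepingComputer article) that goes a step further: it checks the file signature so a renamed .one file is still caught, then walks the embedded file objects and triages each payload. The two GUIDs are taken from Microsoft’s [MS-ONESTORE] file format documentation as I recall it (the .one header GUID and the FileDataStoreObject header GUID) and the 36-byte object header layout is likewise an assumption to verify against the specification before relying on this in production. The sample attachment bytes are constructed.

```python
"""Inspect e-mail attachments for OneNote content and embedded payloads.

Added example, not from the article. Assumptions, from [MS-ONESTORE] as I recall
it: a .one file starts with guidFileType {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3};
each embedded file sits in a FileDataStoreObject whose header is the GUID
{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, an 8-byte length, 4 unused bytes and
8 reserved bytes, followed by the file data. The sample bytes are constructed.
"""
import re
import uuid
from pathlib import PurePosixPath

# .bytes_le gives the on-disk byte order (E4 52 5C 7B 8C D8 A7 4D ...)
ONE_FILE_GUID = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FILE_DATA_STORE_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_HEADER_LEN = 36            # 16 GUID + 8 length + 4 unused + 8 reserved (assumption)

BLOCKED_EXTENSIONS = {".one", ".onepkg"}


def attachment_verdict(filename: str, data: bytes) -> str:
    """Return 'block-extension', 'block-signature' or 'allow' for one attachment."""
    ext = PurePosixPath(filename.lower()).suffix
    if ext in BLOCKED_EXTENSIONS:
        return "block-extension"
    if data.startswith(ONE_FILE_GUID):
        return "block-signature"  # OneNote content hiding behind another extension
    return "allow"


def classify_payload(payload: bytes) -> str:
    """Rough triage of an embedded file's content."""
    if payload.startswith(b"MZ"):
        return "pe-executable"
    head = payload[:1024].lower()
    if re.search(rb"wscript|cscript|powershell|cmd\.exe|createobject|mshta", head):
        return "script"
    return "other"


def embedded_files(data: bytes) -> list:
    """Locate every FileDataStoreObject and return (offset, length, kind) tuples."""
    found = []
    pos = 0
    while (i := data.find(FILE_DATA_STORE_GUID, pos)) >= 0:
        length = int.from_bytes(data[i + 16:i + 24], "little")
        payload = data[i + FDSO_HEADER_LEN:i + FDSO_HEADER_LEN + length]
        found.append((i, length, classify_payload(payload)))
        pos = i + 16
    return found


def _fdso(payload: bytes) -> bytes:
    """Wrap a payload in a FileDataStoreObject header (for the constructed sample)."""
    return (FILE_DATA_STORE_GUID + len(payload).to_bytes(8, "little")
            + b"\x00" * 4 + b"\x00" * 8 + payload)


# Constructed sample: a OneNote file carrying a fake PE and a fake VBScript.
SAMPLE_ONE = (ONE_FILE_GUID + b"\x00" * 48
              + _fdso(b"MZ\x90\x00" + b"\x00" * 28)
              + b"\x00" * 16
              + _fdso(b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "calc.exe"'))


def triage(filename: str, data: bytes) -> dict:
    """Combine the verdict with the embedded-file listing for one attachment."""
    verdict = attachment_verdict(filename, data)
    embedded = embedded_files(data) if verdict != "allow" else []
    return {"file": filename, "verdict": verdict,
            "embedded": [kind for _, _, kind in embedded]}


if __name__ == "__main__":
    for name, blob in [("invoice.one", SAMPLE_ONE),
                       ("invoice.pdf", SAMPLE_ONE),   # renamed to dodge an extension filter
                       ("invoice.pdf", b"%PDF-1.7\n")]:
        print(triage(name, blob))
```

Drop this into whatever inspects attachments at your mail gateway or in your sandbox pipeline; the embedded-file kinds are what you would want in the alert, since a notebook carrying a PE or a script is the lure pattern these campaigns use.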
LockFile: A ransomware strain that exploits vulnerabilities in Microsoft Exchange servers.
HiveRAT: A remote access Trojan (RAT) that can be used for espionage and data theft.
Dtrack: A remote access Trojan (RAT) that has been used in cyber espionage campaigns against Indian financial institutions.
Teabot: A banking Trojan that targets Android devices and can steal banking credentials and other sensitive data.
HelloKitty: A ransomware strain that has been used in several recent attacks against hospitals and healthcare organizations.
Zeppelin: A ransomware strain that uses advanced encryption techniques to make file recovery difficult.
Jupyter: A backdoor Trojan that can steal data, install additional malware, and carry out other malicious activities.
Cobalt Strike: A commercial adversary-simulation tool whose cracked copies are widely used by threat actors, including in advanced persistent threat (APT) and ransomware intrusions.
Prometheus: A malware strain that can bypass antivirus software and other security measures.
Xanthe: A Linux cryptomining malware that spreads via exposed Docker API endpoints.
Other information security news
GitHub has made ‘secret scanning’ available on all public repositories, to allow users to scan for sensitive data inadvertently added to their repositories, including authentication tokens, API keys and passwords – GitHub’s secret scanning alerts now available for all public repos (bleepingcomputer.com)
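GitHub’s scanning tells you after the secret has already been pushed, and a token that has reached a public repository must be rotated regardless of how quickly it is removed. The script below is an added example (not GitHub’s code or pattern set) of the complementary control: a local scan over file contents that can run as a pre-commit hook, covering a few well-known token formats plus a generic credential assignment and skipping obvious placeholders. The sample file is constructed and every value in it is fake.

```python
"""Local secret scan over file contents, in the spirit of GitHub's secret scanning.

Added example, not GitHub's code or their pattern set. Run it as a pre-commit
hook so a key never reaches the repository in the first place. The sample text
is constructed; none of the values is a live credential.
"""
import re
import subprocess
import sys
from pathlib import Path

PATTERNS = [
    ("github-pat",        re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key",       re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    # generic 'password = "..."' style assignment with a value of 8+ characters
    ("generic-password",  re.compile(r"(?i)(?:password|passwd|pwd|secret)\w*\s*[=:]\s*['\"]([^'\"]{8,})['\"]")),
]
# Values that are obviously placeholders; skip them to keep the noise down.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}


def redact(value: str) -> str:
    """Keep a short prefix so the finding is recognisable without re-leaking it."""
    return value[:4] + "*" * max(0, len(value) - 4)


def scan_text(text: str, path: str = "<stdin>") -> list:
    """Return one finding per (line, pattern): path, line, kind, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if value.strip().lower() in PLACEHOLDERS:
                continue
            findings.append({"path": path, "line": lineno, "kind": kind,
                             "value": redact(value)})
    return findings


def scan_staged() -> list:
    """Scan the files staged for commit (the pre-commit hook use case)."""
    names = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                           capture_output=True, text=True, check=True).stdout.split()
    findings = []
    for name in names:
        p = Path(name)
        if p.is_file():
            findings.extend(scan_text(p.read_text(errors="replace"), name))
    return findings


# Constructed sample; every value here is fake.
SAMPLE = "\n".join([
    "# settings.env (constructed sample; every value here is fake)",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    'github_token = "ghp_' + "a" * 36 + '"',
    'password = "changeme"',
    'db_password = "s3cr3t-Pr0d-P@ss!"',
    "-----BEGIN RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    hits = scan_staged() if "--staged" in sys.argv else scan_text(SAMPLE, "settings.env")
    for h in hits:
        print(f"{h['path']}:{h['line']}: {h['kind']} {h['value']}")
    sys.exit(1 if hits else 0)
```

Wire `python secret_scan.py --staged` into `.git/hooks/pre-commit` (or a pre-commit framework); a non-zero exit blocks the commit. The generic pattern is deliberately loose and the placeholder list short, so expect to tune both for your code base rather than treat every hit as a true positive.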
Who’s going to ban TikTok next? This report explains some of the concerns – TikTok “a loaded gun” says NSA (malwarebytes.com)
Twitter has decided to restrict SMS-based two-factor authentication to its paying subscribers. Authenticator apps and security keys remain available to everyone, so affected users should switch to one of those rather than let MFA lapse – Why is Twitter turning millions of accounts into defenceless targets? | ZDNET
Atlassian warned of critical flaw in Jira Service Management Server and Data Centre – Atlassian’s Jira Service Management Found Vulnerable to Critical Vulnerability (thehackernews.com)
Environment
Legislative changes
The Finance Act 2023 – Changes include the introduction of Vehicle Excise Duty (VED, the duty commonly referred to as ‘road tax’) on many Zero Emission Vehicles and Alternative Fuelled Vehicles (AFVs) from 1st April 2025. Zero Emission Vehicles are currently exempt from VED; the changes bring them into line with traditional internal combustion engine (ICE) vehicles. Zero Emission cars first registered after 1st April 2017 will be charged the lowest rate of VED (Band B); Zero Emission vans will move to the standard annual light goods vehicle rate; Zero Emission motorcycles and tricycles will move to the annual rate for the smallest engine size; other AFVs and hybrids will lose their £10 annual discount.
At the same time, the Expensive Car Supplement exemption for Zero Emissions cars will end. The act also included the annual adjustments to taxable benefits for cars with a CO2 emissions figure, which incentivises the use of ‘greener’ vehicles for business.
The Merchant Shipping (Control of Harmful Anti-Fouling Systems on Ships) Order 2022 gave effect to the International Convention on the Control of Harmful Anti-Fouling Systems on Ships, 2001 (“the Convention”).
Further provisions of the Environment Act 2021 came into effect. Introduction of this legislation has been previously discussed here; introduction of its provisions has been staggered.
Health & Safety
Legislative changes
Three new regulations have come into effect that support aspects of the Building Safety Act 2022, which we have previously reported here. They are:
The Building Safety (Registration of Higher-Risk Buildings and Review of Decisions) (England) Regulations 2023 – enacts some of the requirements regarding the register of higher-risk buildings, held by the building safety regulator
The Higher-Risk Buildings (Descriptions and Supplementary Provisions) Regulations 2023 – gives clarification as to what types of buildings are classified as Higher Risk Buildings
The Building Safety (Leaseholder Protections) (England) (Amendment) Regulations 2023 – clarifies definitions of relevant landlords and persons associated with them
The Merchant Shipping (High Speed Craft) Regulations 2022 and The Merchant Shipping (Additional Safety Measures for Bulk Carriers) Regulations 2022 brought elements of the International Convention for the Safety of Life at Sea, 1974 into UK law
The Welsh government is consulting on changes to require installation of Carbon Monoxide (CO) alarms in all residential buildings in Wales –
Other
Roundup of recent posts by the Health and Safety Executive (HSE)
2022 H&S Statistics Summary:
1.8 million working people suffering from a work-related illness, of which
914,000 workers suffering work-related stress, depression or anxiety
477,000 workers suffering from a work-related musculoskeletal disorder
123,000 workers suffering from COVID-19 which they believe may have been from exposure to coronavirus at work
2,544 mesothelioma deaths due to past asbestos exposures (2020)
123 workers killed in work-related accidents
565,000 working people sustained an injury at work according to the Labour Force Survey
61,713 injuries to employees reported under RIDDOR
36.8 million working days lost due to work-related illness and workplace injury
£18.8 billion estimated cost of injuries and ill health from current working conditions (2019/20)
Full Report – Health and safety statistics (hse.gov.uk)
Other:
Guidance on violence at work has been refreshed – Violence and aggression at work – HSE
Musculoskeletal disorders (MSDs) ebulletin – Musculoskeletal disorders in the workplace – HSE and Expanded homeworking guidance – Managing home workers’ health and safety – Overview – HSE
Managing stress at work ebulletin – Stress at work – HSE
Refreshed workplace temperature guidance – Temperature (hse.gov.uk)
New principles and guidance for workers with long-term health conditions, and disabled workers – Overview – Principles to support disabled workers and workers with long-term health conditions – HSE
Campaign to raise awareness among younger construction workers of the risk of asbestos in buildings – Asbestos & You – Work Right to keep Britain safe. Many will have joined the industry since asbestos was outlawed, but it is still present in many buildings built or refurbished prior to the year 2000.
‘Be Ready’ campaign launched to make relevant people and organisations aware of the changes introduced by the Building Safety Act 2022 following the Grenfell disaster, which affect higher-risk buildings, including registration of residential or part-residential buildings taller than 18m or with at least seven storeys… New regulator takes major step forward in ‘landmark moment for building safety’ | HSE Media Centre
Report on the consultation for a Building Inspector Competence Framework has been published. BICoF consultation report HSE This supports the work around Higher-Risk buildings mentioned above
Other – Russia Sanctions
Legislative changes
Multiple further amendments have been made to The Russia (Sanctions) (EU Exit) Regulations 2019. The Regulations are summarised on the PCML InfoSec Legislation site for subscribers; however, sanctions continue to change as the Ukraine conflict continues. Most recently, the Regulations have been amended to extend the requirement to apply sanctions to the British Overseas Territories, except Bermuda and Gibraltar, which have already implemented their own sanctions.
Similar amendments were also made to The Republic of Belarus (Sanctions) (Overseas Territories) Order 2020 via The Republic of Belarus (Sanctions) (Overseas Territories) (Amendment) Order 2022. Organisations trading with people or entities directly or indirectly associated with Russia and its allies, including Belarus, should take appropriate steps to ensure that the business conducted with those people or entities, and any payments made to or received from them, do not contravene the sanctions regulations.
Key business sectors affected include, but are not limited to: financial services, mining and minerals, oil and gas, precious metals, IT services, IT hardware, software, aircraft, shipping, military goods and dual-use goods (broadly, any civilian items that could also be used for military or military support purposes, or incorporated into military systems).
A linked list of changes can be found at this UK Government page… UK sanctions relating to Russia – GOV.UK (www.gov.uk)
If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environment, H&S and Business Continuity objectives, then please don’t hesitate to get in touch.