We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.
Please note that we’ve included links below to external websites. PCML consultants are not responsible for the content of any external websites.
We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website. We’ve linked to that page on our website at the end of this email.
Due to the volume of information to share relating to the recent quarter, we are splitting this issue of our newsletter into two parts:
- Part 1 – Legislative changes covering Information Security, Environment, Health & Safety and Quality
- Part 2 – Security threat and vulnerability intelligence, support for awareness raising and other information security news
Information Security
Security threat and vulnerability intelligence
This update covers the period from 1st January to 31st March 2024, but we have included any relevant information for the period to 26th April 2024.
If you are an IT professional, these articles may be of direct use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.
Microsoft
SANS Internet Storm Centre published the following summaries of Q1’s Patch Tuesday releases:
- January
- February
- March
- Copilot for Security, subscription AI security service released
- EU Cloud Users May Store Personal Data in Europe
- GitHub AI Code-Scanning Autofix Tool available
- MS corporate email breach – see under Noteworthy cyber incident and breach news below
- See also Highlights of new and emerging malware, techniques and other vulnerabilities in the quarter, below
Apple
Details of key Apple updates and security fixes can be found on Apple’s security updates page
- See also Highlights of new and emerging malware, techniques and other vulnerabilities in the quarter, below
- It is an old marketing myth that Apple devices are somehow immune to malware – as highlighted in this Malwarebytes article on the extent of malware it detects on Apple Mac devices.
- See also information about the malware spread via Calendly in the new and emerging malware techniques below
- iMessage to be protected by post-quantum encryption
Linux, Android, Google
- Linux xz-utils backdoor – A malicious backdoor was found in the data compression library xz (versions 5.6.0 & 5.6.1). It arose from a supply-chain attack years in the making. Luckily it was found by chance very soon after release and before it made its way into most distros, but it may have found its way into some distros of Fedora Linux 40 and the Fedora Rawhide developer distribution. It was given the highest (10/10) CVSS severity score. Users should check which version of xz they have and take appropriate steps to apply an unaffected version
- AWS Fixes Service Takeover Vulnerability
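As a practical follow-up to the xz-utils item above, here is a small POSIX shell check, added as an example for this newsletter rather than taken from any of the linked sources, that reports whether an installed xz is one of the two affected releases named in that item (5.6.0 and 5.6.1). It assumes the first line of `xz --version` has the usual form `xz (XZ Utils) 5.x.y`; it only matches those two upstream version numbers, so a distro build that carries a different version string needs checking against your vendor’s advisory.

```shell
#!/bin/sh
# Added example: check an installed xz against the two backdoored releases
# (5.6.0 and 5.6.1) mentioned in the newsletter item above.

# Returns 0 (true) when the given version string is 5.6.0 or 5.6.1, else 1.
xz_version_affected() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads `xz --version` output on stdin and prints the version from the first
# line, e.g. "xz (XZ Utils) 5.4.6" -> "5.4.6". Prints nothing if the line
# does not have that shape (assumed format; check your build if it differs).
parse_xz_version() {
  sed -n '1s/.*) \([0-9][0-9.]*\).*/\1/p'
}

# Looks up xz on PATH and reports its status. Returns 2 when an affected
# release is installed, 0 otherwise (including when xz is not present).
check_installed_xz() {
  if command -v xz >/dev/null 2>&1; then
    ver=$(xz --version 2>/dev/null | parse_xz_version)
    if xz_version_affected "$ver"; then
      echo "xz $ver is an affected release: update or roll back now"
      return 2
    fi
    echo "xz ${ver:-unknown} is not one of the affected releases"
    return 0
  fi
  echo "xz not found on PATH"
  return 0
}

check_installed_xz || printf 'ACTION NEEDED: see your distribution advisory\n'
```

Run it on each Linux host (or push it out via your configuration management tool) and treat a non-zero exit status as a finding to follow up.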
Roundup of recent posts by the National Cyber Security Centre (NCSC) and partner agencies
We missed a number of posts from Q4 2023, so this update summarises the NCSC’s last six months’ worth of blog posts that may be of use or interest. We have attempted to categorise them by topic.
Information from the Information Commissioner’s Office and partner agencies
- ICO consultation series on generative AI and data protection
- 2024-25 Children’s Code priorities focus on: default privacy and geolocation settings; profiling children for targeted adverts; using children’s information in recommender systems; and use of information of children under 13 years old
- Guidance for organisations considering using biometric data (see also under Other infosec news below regarding action taken against Serco Leisure in this respect)
- Following research on how fertility apps use data, the ICO urged all app developers to prioritise privacy
- New guidance on data protection breach fines published
- Warning to organisations to make sure advertising cookies are compliant
- Platforms told to respect information rights when moderating online content
- Call for people who spent time in care to share experiences of accessing their records relating to that time
- The 2024 Data Protection Practitioner’s Conference will be held digitally on 8th October 2024
Noteworthy cyber incident and breach news in the quarter
This information is provided to raise awareness of the causes of incidents and breaches, so that preventative action can be taken against similar breaches in your organisation. It may also help you keep your awareness-raising materials up to date and build business cases for information security investment
- See also information about the LockBit takedown in Other infosec news, below
- Southern Water – Black Basta ransomware attack resulted in breach of customer and employee personal data affecting 5-10% of the company’s database
- UK Communication Workers Union breach
- iCabbi exposed personal details of almost 300,000 UK and Ireland taxi users
- Leicester Council suffered a ransomware attack in March with breach of personal data and loss of control of some council systems
- More than one million Neighbourhood Watch members’ details exposed due to bug
- CVS veterinary group announced a possible breach of personal information in April
- French health insurance data compromised – tens of millions affected by the country’s largest ever breach
- Canterbury, Dover and Thanet Councils’ IT systems disrupted by cyber attack in January
- Belgian brewery Duvel’s facility shut down for days by breach in March
- OWASP server misconfiguration exposed some members’ CVs
- World-Check database, used by businesses to verify the trustworthiness of users, stolen
- Data from old AT&T breach, affecting 70 million, dumped on dark web
- French Government agencies hit by unprecedented cyber attacks
- Orange España mobile outage due to a weak password
- Microsoft officials’ email breached by state-sponsored actors – MS subsequently revealed that an old test account that had admin privileges, and did not have MFA, was compromised
- American Express breach
- Swedish data centre ransomware leads to IT outages in Sweden
- Schneider Electric – TBs of corporate data breached by Cactus ransomware
- Mishandled GitHub token exposes Mercedes source code
- AnyDesk forces password resets after data leak
- Fujitsu data breach
- Cisco Duo SMS MFA logs stolen from telephony provider
- Roku mandates 2FA following data breach
Highlights of new and emerging malware, techniques and other vulnerabilities in the quarter
This is not intended to be a comprehensive summary. We strongly recommend that readers sign up for some of the more regular vulnerability news feeds available from SANS and other providers to stay abreast of emerging vulnerabilities in general, and particularly those that may affect systems they use
- Saflok keycard lock vulnerability fix – while reported as ‘hotel keycards’, these cards are also used in door and lift access control systems
- Information about the emerging DragonForce ransomware
- ‘Thread hijacking’ credential-theft phishing – this isn’t necessarily a new technique, but it is interesting. It happens when the recipient gets CC’d into a conversation that includes someone the recipient already knows. The conversation is designed to prey on the recipient’s curiosity and includes malicious attachments that ultimately ask them to log in to their M365 account, stealing their credentials
- Critical vulnerability found in Chirp door locks – easy to exploit to unlock doors
- AI used to create fake software packages containing malware – devs are downloading them
- Apple
- Ivanti
- Active exploitation of two zero-day vulnerabilities in Ivanti Connect Secure VPN – CISA subsequently ordered US Federal Agencies to disconnect Ivanti VPNs – and MITRE says its NERVE R&D operation was penetrated via the flaws
- Fixes for more critical flaws
- And more fixes for critical flaws
- And more fixes for critical flaws (Avalanche Mobile Device Management System)
- Microsoft
- Privilege escalation vulnerability in Microsoft SharePoint Server is being actively exploited – patches have been available for several months
- Windows Server update causes Domain Controller crashes
- Old print spooler bug recycled into malware by Russians
- Researchers claim that Windows Defender can be exploited to delete databases
- GitHub
- Critical security releases issued in January
- More critical security releases in January
- Warning from researchers to lock down GitHub services that are being actively used to launch cyber-attacks
- Warning about attack resulting in millions of repositories containing obfuscated malicious code
- Palo Alto critical RCE vulnerability in GlobalProtect
- Atlassian – critical Confluence vulnerability actively exploited
- VMware
- JetBrains
- Multiple vulnerabilities in Canon printers
- Fake LastPass app removed from App Store
- Fortinet
- Ubiquiti urges users to secure home routers attacked by Russia – you might want to pass this on to your remote/home workers
- Cisco – vulnerability fixes
- QNAP – vulnerability fixes
- Kubernetes
- ChatGPT plugin vulnerabilities
- Ray AI framework vulnerability
- Nvidia ChatRTX vulnerability
- D-Link NAS vulnerability
Other infosec news
- March was a bad month for UK retailers, with Sainsbury’s, Tesco, McDonald’s (globally) and Greggs all suffering outages within a few days of each other. McDonald’s blamed a third-party provider, and Sainsbury’s and Greggs blamed issues with payment systems (presumably also provided by third parties)
- The ICO took action against outsourcing giant Serco’s Serco Leisure, and community leisure trusts, to stop them using biometrics (facial recognition and/or fingerprint scanning) to monitor worker attendance
- Capita announced a >£100 million loss for 2023, part of which was blamed on the cyber attack it suffered in that year
- The remnants of the BlackCat ransomware group (aka ALPHV) may have finally collapsed after successfully extracting a ransom from a US healthcare provider
- US and UK authorities took down LockBit’s websites, and the Japanese Police, supported by Europol, have made a tool available via NoMoreRansom.org to recover files encrypted by the LockBit 3.0 Black ransomware
- CISA and the FBI have published a Secure by Design alert, which urges software manufacturers to eliminate SQL injection vulnerabilities from their products
- GPT-4 can be used to exploit vulnerabilities by reading security advisories
- US legislature drafting nationwide Data Privacy Act
- The FTC is sending refunds totalling $5.6 to US Ring customers, following revelations last year that security controls in Ring products were deemed inadequate to prevent criminals using them to spy on users