October 2024 – Newsletter Update

We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.

Please note that we’ve included links below to external websites. PCML consultants are not responsible for the content of any external websites.

We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website. We’ve linked to that page on our website at the end of this email.

This update includes Information Security, Environment and Health & Safety – click to jump to the relevant section.

Information Security

If you are an IT professional; these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.

Legislative changes

No new principal legislation and no other relevant legislation relevant to our customers was identified in this quarter.

One new regulation was proposed in the quarter:-

  • Cyber Security and Resilience Bill (2024) Proposed in Q3 2024, this Bill aims to update and enhance the UK’s cyber defence capabilities by amending the Network and Information Systems (NIS) Regulations 2018, expanding their scope and addressing supply chain security and critical infrastructure resilience. It will be introduced to parliament in 2025 Cyber Security and Resilience Bill – GOV.UK

Other

Microsoft

SANS Internet Storm Centre published the following summaries of the patch Tuesday releases from :-

Other

  • Windows Downgrade Attack: A vulnerability in Windows allowed attackers to downgrade fully patched systems, exposing them to previously fixed vulnerabilities. Microsoft is working on mitigations, but the process is extensive due to the large number of system files affected.
    More here
  • Unpatched Microsoft Office NTLM Flaw: Microsoft disclosed a vulnerability in Office products that could expose NTLM hashes, which could be used in network attacks. While a fix is being developed, users are advised to block NTLM traffic to mitigate the risk.
    More here
  • Zero-Click Vulnerability in IPv6: Microsoft warned of a critical remote code execution (RCE) vulnerability affecting all systems with IPv6 enabled. The flaw, which could allow attackers to remotely exploit devices without user interaction, requires immediate patching.
    More here
  • Outlook Security Enhancements: Microsoft announced changes for Outlook personal accounts, including the deprecation of Basic Authentication (username and password) in favour of modern, token-based authentication methods to enhance security.
    More here

Apple

Details of Key apple updates and security fixes can be found on Apple’s security updates page

Other

  • Pegasus spyware exploit: Apple patched a zero-click vulnerability in iOS that allowed the NSO Group’s Pegasus spyware to be deployed via PassKit attachments in iMessage without user interaction.
    More here
  • VoiceOver bug exposing passwords: A logic flaw in the iOS 18 VoiceOver feature could reveal saved passwords unintentionally. Apple resolved this issue in the iOS 18.0.1 update.
    More here
  • macOS Sequoia VPN and antivirus compatibility issues: macOS 15 ‘Sequoia’ introduced changes in networking structures that caused VPN and endpoint security tools like ESET and CrowdStrike to malfunction, prompting warnings against immediate upgrades.
    More here
  • iPhone Triangulation spyware attack: Kaspersky revealed that sophisticated attacks targeting iPhones since 2019 exploited undocumented hardware features in Apple chips, bypassing security protections.
    More here

Linux, Android, Google

  • Google & Android
    • Google addresses actively exploited Android kernel flaw: A serious remote code execution (RCE) vulnerability (CVE-2024-36971) in the Android kernel, which had been exploited in the wild, was patched in August 2024. This bug allowed attackers to gain full control of targeted devices through spyware.
      More here
    • Android Pixel zero-day exploit patched: Google released a fix for a privilege escalation flaw (CVE-2024-32896) in Pixel devices, which had been exploited in targeted attacks to bypass security features, preventing certain tools from auto-wiping compromised devices.
      More here
  • Linux
    • CUPS-based remote code execution vulnerability: A critical flaw in the CUPS printing system (CVE-2024-47176) was reported, allowing remote code execution on systems that have the cups-browsed service enabled, although it is not enabled by default on most systems.
      More here
    • ‘Looney Tunables’ GLIBC vulnerability: A bug in the GNU C Library (glibc) named ‘Looney Tunables’ (CVE-2024-20347) was found to allow attackers to exploit environment variable mismanagement, giving them root access on affected Linux systems.
      More here
    • Linux kernel privilege escalation flaw: A high-severity vulnerability in the Linux kernel’s netfilter framework (CVE-2024-1086) was actively exploited, allowing local attackers to gain root access by exploiting the nf_tables component.
      More here

Roundup of recent posts by the National Cyber Security Centre (NCSC) and partner agencies

Categories Posts (Click to view)
Awareness Raising Engaging with Boards to improve the management of cyber security risk
Awareness Raising How to talk to board members about cyber
Awareness Raising If you have knowledge, let others light their candles in it.
Governance/Guidance/General Information Cyber Essentials ‘Pathways’: From experiment to proof of concept
Governance/Guidance/General Information Cyber security tips for barristers, solicitors and legal professionals
Governance/Guidance/General Information Introducing Active Cyber Defence 2.0
Governance/Guidance/General Information Navigating the different cyber services from the NCSC
Governance/Guidance/General Information New legislation will help counter the cyber threat to our essential services
Governance/Guidance/General Information Post-quantum cryptography: what comes next?
Governance/Guidance/General Information SBOMs and the importance of inventory
Incident Management Guidance on effective communications in a cyber incident
Technical/Configuration Advice Digital twins: secure design and development
Technical/Configuration Advice Not all types of MFA are created equal…
Technical/Configuration Advice ‘PDNS for Schools’ to provide cyber resilience for more institutions

Information from the Information Commissioner’s Office and partner agencies

  • More sectors added to the online privacy notice generator More here
  • ICO seeking to fine NI Police £750K for data breach in August 2023 More here
  • New data protection audit framework launched to help organisations improve compliance. The framework helps organisations identify appropriate steps to improve data protection practices and a compliance culture. It provides a starting point to evaluate how personal information is handled and protected More here

Noteworthy cyber incident and breach news reported in the quarter

This information is provided to raise awareness of the causes of incidents and breaches, so preventative action can be taken to prevent similar breaches in your organisations. It may also be helpful to keep your awareness-raising materials up to date and build business cases for information security investment

  • CrowdStrike Falcon outage (July 2024): A faulty update to CrowdStrike’s Falcon sensor caused a global IT outage, affecting over 8.5 million devices, including those in the UK, causing widespread disruption to financial and healthcare sectors.
    Source: More here and here
  • RockYou2024 password leak (July 2024): The RockYou2024 breach exposed over 10 billion passwords globally, increasing the risk of brute-force attacks on UK organisations and individuals.
    Source: More here
  • Advanced NHS IT provider fined for 2022 ransomware breach (August 2024): Advanced, an IT provider to the NHS, was fined £6.09M after a 2022 ransomware attack exposed sensitive data affecting 83,000 people and caused disruptions to NHS services.
    More here
  • Rhysida ransomware attack on Port of Seattle (August 2024): Though based in the US, the Rhysida ransomware attack on the Port of Seattle disrupted international shipping operations, posing indirect risks to UK-linked trade infrastructure.
  • Blackpool Trust Schools ransomware attack (September 2024): Schools under the Blackpool Trust were hit by a ransomware attack, severely disrupting educational services and necessitating a complete IT infrastructure rebuild.
    Source: More here
  • Fortinet confirms data breach after hacker claims to steal 440GB of files (September 2024) More here
  • Transport for London (TfL) cyberattack (September 2024): A cyberattack on TfL compromised personal data of approximately 5,000 Oyster card users, exposing names, addresses, and banking information.
    Source: More here
  • Irish DPC Commences Inquiry into Google’s AI Model (September 2024) The DPC has launched a cross-border statutory inquiry in to Google Ireland Ltd under the Irish Data Protection Act relating to Google’s foundational AI model and whether Google complied with its obligations to perform a Data protection Impact Assessment in accordance with the EU GDPR. More here

Highlights of new and emerging malware, techniques and other vulnerabilities in the quarter

This is not intended to be a comprehensive summary. Readers are strongly recommended to sign up for some of the more regular vulnerability news feeds available from SANS and other providers to stay abreast of emerging vulnerabilities in general and particularly those that may affect systems they use

  • EDRKillShifter Malware (August 2024): RansomHub ransomware operators began deploying EDRKillShifter, a new malware used to disable Endpoint Detection and Response (EDR) software via a vulnerable driver, making it easier to execute ransomware attacks on UK organisations.
    More here
  • SinkClose AMD Vulnerability (August 2024): A newly discovered flaw in AMD processors, called SinkClose, allows attackers with kernel-level access to install undetectable malware on systems, posing significant risks to UK organisations relying on AMD-based infrastructure.
    More here
  • Sedexp Linux Malware (August 2024): The sedexp malware, undetected since 2022, was discovered exploiting a previously undocumented technique on Linux systems, allowing attackers to create hidden reverse shells and infiltrate critical infrastructure systems.
    More here
  • INC Ransomware in UK Healthcare (September 2024): Vanilla Tempest, a ransomware group, launched INC ransomware attacks targeting UK healthcare organisations, compromising NHS systems and disrupting patient services
    More here
  • Windows Powershell Phish (September 2024) GitHub users reported receiving novel phishing emails that asked recipients to prove they were not bots by entering keystrokes in response to a CAPTCHA request that caused Windows to download credential-stealing malware. More here

Environment

Legislative changes

No new principal legislation relevant to our customers was identified in this quarter.  The Packaging Waste (Data Reporting) (England) (Amendment) Regulations 2024 amended the Packaging Waste Regulations to cover drinks packaging, household packaging and exempted packaging, and to clarify definitions of persons with responsibilities under the regulations.

Health & Safety

Legislative changes

  • No new principal legislation and no other relevant legislation relevant to our customers was identified in this quarter. Further commencement regulations were published that bring in to force requirements previously stated in the Building Safety Act 2022.

HSE Bulletins and News

If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environment, H&S and Business Continuity objectives, then please don’t hesitate to get in touch

Here are some more helpful links which may be of use