Cyber News Roundup for May 23, 2024

This week is packed with cyber news from around the globe. We’ve got you covered with headlines surrounding the FCC’s proposal to enhance BGP security, a major ransomware breach in Australia’s healthcare sector, challenges faced by CISOs due to IBM’s exit from cybersecurity software, CISA’s warnings on vulnerabilities in Google Chrome and D-Link routers, and a proposal for a dedicated military cyber service. Additionally, we delve into design flaws in Foxit PDF reader, a new vulnerability in NextGen Healthcare’s Mirth Connect, and a significant SEC fine for the NY Stock Exchange owner. We’re here to keep you informed on these crucial developments.

 

1. The FCC wants to beef up BGP

FCC Chairwoman Jessica Rosenworcel proposes requiring ISPs to submit confidential reports on securing the Border Gateway Protocol (BGP), a critical internet routing system. The proposal aims to protect against national security threats by bad actors exploiting BGP vulnerabilities. The FCC’s interest in BGP security heightened in 2022 due to threats from Russian hackers. BGP hijacks can lead to data theft, extortion, espionage, and disrupted transactions. The proposal includes implementing origin validation and RPKI to ensure route legitimacy. Major ISPs would need to develop and report BGP security plans and submit public quarterly progress updates. The FCC will vote on this proposal in June. Experts say enhancing BGP security is crucial for national security, communication, and commerce. (networkworld)

 

2. Australian government warns of large-scale ransomware data breach in healthcare

The incident which has also been disclosed by the affected prescription company MediSecure is said to have impacted “the personal and health information of individuals,” and originated from a third-party vendors. This is a developing ransomware story, and more information may be forthcoming as the investigation continues. (The Record)

 

3. CISOs contend with IBM’s unexpected exit from cybersecurity software

Following up on a story we covered last week, the marriage between IBM and Palo Alto Networks is giving CISOs a headache due to the complications involved in IBM’s agreement to sell the QRadar SaaS portfolio to its new partner. An article in Dark Reading points out that “customers must now determine if they want to follow the newly announced chosen path, which calls for the migration of the QRadar legacy and SaaS suites to Palo Alto’s Cortex XSIAM, or evaluate other options.” Omdia managing principal analyst Eric Parizo says this sudden change of course is “frankly not in line with the customer-centric ethos IBM is known for.” (Dark Reading)

 

4. CISA warns of vulnerabilities affecting Google Chrome and D-Link routers

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three vulnerabilities to its ‘Known Exploited Vulnerabilities’ catalog: one affecting Google Chrome (CVE-2024-4761) and two impacting D-Link routers (CVE-2014-100005 and CVE-2021-40655). These vulnerabilities are actively exploited, prompting CISA to warn federal agencies and companies to apply security updates or mitigations. U.S. federal agencies must address these vulnerabilities by June 6th. The Chrome flaw involves an out-of-bounds write in the V8 engine, while the D-Link flaws allow remote control of outdated routers. (Bleepingcomputer)

 

5. Military cyber service proposal picks up steam

A group of bipartisan lawmakers on the House Armed Services Committee plan to push an amendment into the fiscal 2025 defense authorization bill calling on the Pentagon to study the establishment of a dedicated military cyber service. This will come in the markup stage of the bill, where all sorts of amendments get added. A similar amendment in a Senate bill was dropped late last year. This amendment would task the National Academy to study the issue. The 2023 National Defense Authorization Act mandated Cyber Command to look at “the prospect of a new force generation model,” but in the past has rejected the idea of creating a wholly new service for cyber defense. Even if this amendment passes, any report conclusions likely wouldn’t influence policy until 2027. (The Record)

 

6. Foxit PDF reader shows the power of design

Check Point researchers detailed a design flaw in the PDF reader, which makes trusting documents and allowing execution of additional commands the defaults in security pop-ups. As a result, most users click through to open their documents. A report found multiple threat actors taking advantage of this design choice, to install a wide variety of remote access trojans, documenting it being used to exfiltrate device screenshots or deploy cryptominers. Adobe’s Acrobat Reader uses different defaults. To quote design executive Irene Au, “Good design is like a refrigerator—when it works, no one notices, but when it doesn’t, it sure stinks.” (The Hacker News)

 

7. CISA adds a healthcare interface engine to its Known Exploited Vulnerabilities (KEV) catalog

The US cybersecurity agency CISA added a vulnerability in NextGen Healthcare’s Mirth Connect to its Known Exploited Vulnerabilities (KEV) catalog. Mirth Connect, an interface engine for healthcare information management, has a data deserialization flaw (CVE-2023-43208) allowing remote code execution. Discovered by Horizon3.ai in October 2023, the vulnerability was patched in version 4.4.1. Horizon3.ai warned the flaw is easily exploitable, posing significant risks to healthcare data. Over 1,200 internet-exposed instances were noted, with 440 still vulnerable by mid-January 2024. CISA instructed agencies to address the issue by June 10. Microsoft linked the flaw to ransomware attacks by the China-based Storm-1175 group. (SecurityWeek)

 

8. The EPA issues a cybersecurity alert for drinking water systems

The US Environmental Protection Agency (EPA) issued an alert on Monday to enhance the cybersecurity of drinking water systems. Inspections since September 2023 revealed over 70% non-compliance with the Safe Drinking Water Act, with critical cyber vulnerabilities such as default passwords. The EPA recommends reducing internet exposure, conducting regular assessments, changing default passwords, inventorying IT and OT assets, developing incident response plans, backing up systems, addressing vulnerabilities, and conducting awareness training. The agency plans to increase inspections and enforce compliance through civil and criminal actions. Recent cyberattacks on water systems by state-sponsored actors from Iran, Russia, and China have prompted these measures. Security experts advise robust IoT device management and consider outsourcing security for resource-limited utilities. (Security Week)

 

9. Rockwell Automation issues ICS warning

The company warned customers to immediately disconnect all industrial control systems not specifically designed to operate online, citing heightened geopolitical tension and adversarial cyber activity. Rockwell also reiterated that customers take available mitigation measures against known security issues with ICS devices. CISA also boosted this warning in an official alert. None of these alerts list specific threat actors targeting them. But the coordinated nature of the warnings means it wouldn’t be surprising to learn details about specific attacks at some point. (Bleeping Computer)

 

10. Researchers publish multiple QNAP NAS flaws

At the start of 2024, researchers at WatchTowr submitted fifteen flaws in QNAP’s QTS operating system used on its NAS devices. These flaws cover a range of problems, from buffer overflows and memory corruption to cross-site scripting and authentication bypasses. After QNAP only patched four the researchers published details on all flaws, including proof of concept code on a remote execution flaw. This opens the door to executing code using a maliciously crafted message for sharing media. After releasing the information, QNAP issued an emergency update to patch that flaw and four others, saying that “coordination issues” resulted in a delay. It promised to fix all issues listed within 45 days. (Bleeping Computer)

 

11. Researchers discover critical vulnerabilities in Honeywell’s ControlEdge Unit Operations Controller

Cybersecurity firm Claroty discovered critical vulnerabilities in Honeywell’s ControlEdge Unit Operations Controller (UOC), including one which allows arbitrary code execution via an undocumented function. Another flaw involves path traversal, enabling file reading. These vulnerabilities could let attackers gain full control of controllers. Claroty reported these issues, leading Honeywell to release patches and advisories. Additionally, CISA published an advisory covering 16 vulnerabilities in Honeywell’s systems, primarily discovered by Armis, which could expose sensitive information or allow privilege escalation. (SecurityWeek)

 

12. The DoD releases their Cybersecurity Reciprocity Playbook

The U.S. Department of Defense (DoD) Chief Information Officer announced the release of the DoD Cybersecurity Reciprocity Playbook, providing guidance on implementing cybersecurity reciprocity within DoD systems. The playbook outlines benefits, risks, and example use cases, emphasizing the re-use of security authorization packages to save time and resources. It highlights the importance of cooperation and trust among Authorizing Officials (AOs) for efficient system authorization. The playbook aims to enhance cybersecurity posture by promoting interagency collaboration and standardized security practices. (Industrial Cyber)

 

13. NY Stock Exchange owner fined $10 million by SEC

The SEC is putting its foot down that nobody or company is above the law. The Intercontinental Exchange (ICE), which owns nine of the world’s largest financial exchanges including the NY Stock Exchange, failed to report a 2021 cyber incident. The SEC claims the financial giant knew a hacker had inserted malicious code into the corporate network but did not notify any of the subsidiary companies for days. This lack of reporting violated federal regulations and the company’s own procedures, resulting in this $10 million fine. It should be noted that ICE reported a net revenue of $2.3 billion in the first quarter of 2024. ICE told The Record that the settlement “involves an unsuccessful attempt to access our network more than three years ago and had zero impact on market operations.”  (The Record), (Bleeping Computer)

 

14. US agency pledges $50 million to automate hospital security

Hospitals may be getting some relief in the form of funding to better protect against an attack. The US government’s Advanced Research Projects Agency for Health (ARPA-H) has pledged over $50 million to boost hospital cybersecurity through a new program called Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE). This initiative aims to automate the process of securing hospital IT environments by developing software tools that scan for vulnerabilities and automatically deploy patches, all with minimal disruption to patient services. The agency is inviting teams to apply for funding by submitting proposals on four technical areas: creating a vulnerability mitigation software platform, developing high-fidelity digital twins of hospital equipment, auto-detecting vulnerabilities, and auto-developing custom defenses. (The Register), (Security Week), (ARPA-H), (UPGRADE | ARPA-H)

 

15. LastPass to start encrypting URLs

Rolling out next month, password management platform LastPass announced they will now be encrypting URLs stored in user vaults for better protection against potential breaches. The company is calling this a significant step in their commitment to implementing zero-knowledge architecture in the product. LastPass says they were not able to offer this extra layer of security before due to restrictions in processing power in 2008 when the system was created. The first phase of the encryption is set to begin in June, and according to the company the process should happen automatically without users noticing any changes. (Bleeping Computer)