FedRAMP-Certified Cloud Providers (Low, Moderate, High Impact Levels)

FedRAMP authorizations are categorized by impact level – Low, Moderate, or High – corresponding to the sensitivity of data a cloud service handles. The vast majority (~80%) of FedRAMP authorizations are at the Moderate impact level, covering systems where a security breach could cause “serious adverse effects” (e.g. significant operational damage or financial loss). High impact authorizations are reserved for the government’s most sensitive unclassified data (e.g. law enforcement, emergency services, financial or health records) where a compromise could be “severe or catastrophic”. Low impact (including the “LI-SaaS” tailored baseline for simple SaaS apps) is used for low-risk services (e.g. no sensitive PII beyond login info) and has fewer controls, offering a lightweight path for basic cloud tools.

Hundreds of cloud services now meet these bars. As of 2023, over 300 cloud offerings have achieved FedRAMP authorization . This roster includes all major cloud infrastructure players – Amazon Web Services, Microsoft Azure, and Google Cloud – which each maintain FedRAMP High authorizations for their U.S. government cloud environments. These platforms enable agencies to run highly sensitive workloads in the cloud with confidence in security and continuous monitoring. In the SaaS arena, dozens of well-known enterprise services have Moderate or High ATOs (Authority to Operate). For example, Box, a cloud content management provider, is FedRAMP Moderate authorized and even pursuing a High authorization to serve more sensitive federal needs. Collaboration and productivity tools like Zoom for Government have been FedRAMP Moderate authorized since 2019, and business applications from ServiceNow to Salesforce offer FedRAMP-authorized government editions. Industry-focused cloud solutions (e.g. for healthcare or finance) are also in the mix, as FedRAMP High covers domains like health IT systems and financial systems under its umbrella. Notably, FedRAMP isn’t only for tech giants – over 30% of FedRAMP-authorized providers are small businesses, underscoring that even smaller cloud innovators can meet these rigorous standards.

Business Impact of FedRAMP Certification: Case Studies and ROI

Achieving FedRAMP compliance is a resource-intensive journey – but it can yield significant financial and strategic benefits. Many cloud companies view FedRAMP as a “ticket” to enter or expand in the government market, and the numbers bear this out. A 2024 survey of 300 companies found that 57% pursued FedRAMP primarily to access federal or state government markets (only slightly behind the 62% who cited improved security posture as the top driver). By meeting FedRAMP’s stringent requirements, vendors become eligible for “$60+ billion” in federal cloud spending opportunities that would otherwise be off-limits. This often translates to new revenue streams and contract wins. In fact, among companies that achieved an ATO, 67% reported meeting or exceeding their revenue targets thanks to FedRAMP compliance .

Real-world cases illustrate this growth trajectory. For instance, Palantir Technologies saw a tangible market impact after securing FedRAMP High authorization for its platform. The company’s FedRAMP announcement instilled confidence in federal customers and even investors – Palantir’s stock price jumped 65% in the month following the news, contributing to a 300%+ year-to-date increase . This surge reflected expectations of lucrative new federal deals and validation of Palantir’s security robustness. Smaller firms have also leveraged FedRAMP to solidify and expand business. Aidin, a healthcare SaaS provider, noted that without FedRAMP compliance it “would have lost an existing [federal] contract” – a cornerstone customer – and “lost the opportunity to expand within the government agency.” By investing in FedRAMP (with help from a consultant), Aidin achieved a “FedRAMP In Process” status that saved its anchor client and positioned it to grow its federal business . In addition to winning deals, companies consistently cite credibility gains: FedRAMP’s rigorous review boosts customer trust. One FedRAMP-authorized SaaS CEO likened it to an elite security badge that reassures even commercial clients that the company meets top-tier standards for data protection . Internally, the process can also improve discipline – small cloud providers report that FedRAMP drove stronger security practices across all their products, not just the government offering .

FedRAMP vs. CMMC 2.0 vs. NIST 800-171: How Do They Compare?

Executives often ask how FedRAMP stacks up against other federal cybersecurity frameworks like CMMC 2.0 (Cybersecurity Maturity Model Certification) and NIST SP 800-171. All three are grounded in NIST security guidelines, but they differ in scope, rigor, and business context:

• Scope & Audience: FedRAMP applies to cloud service providers (CSPs) offering solutions to any federal agency (civilian or DoD) . It is essentially a vendor risk management program for cloud, ensuring agencies only use pre-vetted secure cloud services. In contrast, NIST 800-171 and CMMC 2.0 apply to federal contractors (especially Defense Industrial Base companies) that handle sensitive federal data. NIST 800-171 is a set of security requirements to protect Controlled Unclassified Information (CUI) on non-federal systems, and CMMC 2.0 is the DoD’s program to enforce those (and additional) requirements in the defense supply chain . In short: FedRAMP = cloud providers for gov; CMMC/NIST 800-171 = defense contractors handling CUI. They are complementary, not interchangeable – a cloud SaaS selling to DoD might need FedRAMP for the service and CMMC compliance for its organization if it handles CUI internally.

• Framework Rigor: FedRAMP is built on the comprehensive NIST SP 800-53 control catalog, with hundreds of controls at Moderate and High baselines . By comparison, NIST 800-171 has 110 controls that are effectively a tailored subset of 800-53 aimed at CUI protection . In fact, 800-171’s requirements are only “about 35%” of the controls in a FedRAMP Moderate baseline . CMMC 2.0 Level 2 maps directly to those 110 NIST 800-171 controls, while Level 3 will add a further enhanced set (drawn from NIST 800-172 for advanced threats) . FedRAMP High goes beyond, covering more controls across 17 families (comparable to highly sensitive systems). Thus, FedRAMP’s security bar (especially at Moderate/High) is broader in scope than CMMC Level 2/800-171 – which means achieving FedRAMP compliance can substantially cover an organization’s 800-171/CMMC obligations, but not vice versa .

• Certification Process: FedRAMP has a formalized authorization process: a cloud provider must undergo a third-party assessment by an accredited 3PAO auditor and then secure an ATO from either the FedRAMP Joint Authorization Board or a federal agency sponsor . This process emphasizes documentation (e.g. a detailed System Security Plan) and continuous monitoring once authorized. CMMC 2.0, on the other hand, will require certification audits by C3PAOs for contractors (Level 2 and above) starting as soon as 2025 . Unlike FedRAMP, CMMC has maturity levels (Level 1 basic, Level 2 advanced, Level 3 expert) and is focused on organizational cybersecurity maturity rather than a specific cloud system. NIST 800-171 historically relied on self-attestation or supplier declarations of compliance, but with CMMC coming, contractors handling CUI will move to third-party certification. In summary, FedRAMP and CMMC both demand independent audits, but FedRAMP is per cloud service authorization, while CMMC is organizational certification for DoD suppliers.

• Compliance Costs: All three frameworks carry compliance costs, but scale differs. FedRAMP is known for substantial upfront investment in engineering, documentation, and audit. Estimates for initial FedRAMP ATO costs range from $250K up to $750K (not including continuous monitoring overhead) . This figure can climb higher (into the millions) for large, complex systems – GAO found cost estimates “ranged from tens of thousands to millions” among various providers . CMMC 2.0 was explicitly designed to be more accessible for smaller firms, with Level 1 being relatively low effort (only 17 controls) and self-assessable. CMMC Level 2 (the roughly 110 controls matching 800-171) will involve more effort but still far less than a full FedRAMP Moderate program. Projected CMMC certification costs vary widely by company size and gaps – roughly $20K–$100K+ for many small/mid firms – but could reach a couple hundred thousand for larger enterprises needing Level 2 certification . (One analysis pegs Level 2 compliance in the $63K–$200K+ range in total) . In short, FedRAMP’s cost is often an order of magnitude higher due to its depth and ongoing requirements, whereas CMMC costs scale with the organization but are generally lower per company. NIST 800-171 implementation costs will mirror CMMC prep costs – often focusing on closing technical gaps and implementing controls – but without the added expense of formal certification audits (until CMMC kicks in for a given contract).

• Business Implications: The business value of each framework corresponds to market access. FedRAMP’s value proposition is clear for cloud vendors: no FedRAMP, no sale into most federal agencies. Many RFPs now require FedRAMP authorization up-front, effectively filtering out non-compliant providers. Thus, FedRAMP can be a competitive differentiator – even a smaller SaaS with a FedRAMP Moderate authorization competes on a level playing field with larger firms when federal agencies insist on it . Moreover, FedRAMP’s rigorous vetting signals strong security to other industries (e.g. state governments via StateRAMP, or even commercial clients), potentially opening doors in regulated sectors like healthcare and finance that prize robust cloud security . CMMC 2.0’s business impact is concentrated in the defense realm: certification will become “no bid” gating criteria – contractors must certify at the required level or be ineligible for DoD contracts . In essence, CMMC compliance will protect existing Defense revenue and enable continued participation in the DoD supply chain. For many suppliers, this is defensive: avoiding loss of contracts due to non-compliance . NIST 800-171 compliance (outside of CMMC) has been more of a contractual duty to avoid breach of contract and potential penalties . It hasn’t historically been a public “certification” to market, but it underpins trust in handling government data. From a strategic view, achieving FedRAMP can actually streamline meeting CMMC/800-171 requirements too – nearly half of companies in one survey said FedRAMP helped improve compliance with other frameworks like ISO 27001, SOC 2, and CMMC .

Strategic Insights: Trends in Government Cloud and Compliance

Government Cloud Adoption is Accelerating: Federal agencies are rapidly embracing cloud solutions as part of IT modernization. FedRAMP’s growth metrics reflect this trend – between 2019 and 2023, the number of FedRAMP authorizations across major agencies jumped about 60% . There are simply far more cloud services in use now, supporting everything from basic infrastructure to mission-critical applications . Notably, even Defense and intelligence communities (with DoD’s IL4/IL5 and IC’s C2S cloud programs) reciprocally recognize FedRAMP baselines, meaning a FedRAMP Moderate or High service can often be leveraged across civilian and military environments with minimal duplication . For cloud providers, this expanding market means FedRAMP authorization can lead to multiple agency customers reusing that ATO – a “sell once, deploy many” benefit. Agencies, for their part, are under mandates (Cloud Smart policy) to use secure cloud and prefer authorized solutions, which drives demand for FedRAMP-compliant offerings. An emerging insight is that being in the FedRAMP Marketplace is increasingly critical for visibility – agencies consult this official list of approved services when planning procurements.

Compliance as a Market Enabler (and Barrier): FedRAMP and related requirements are creating a clearer dividing line in the industry. On one hand, companies that invest in compliance are reaping rewards: 73% of firms that haven’t pursued FedRAMP report that they are still keeping the option open, likely due to fear of missing out on deals . On the other hand, firms that do achieve authorization report broader benefits than just sales. According to a 2024 Coalfire study, the top cited benefit of FedRAMP authorization was improving the company’s overall security program (72% of respondents) – even above the revenue gains – and a majority also said it accelerated compliance with other standards . This suggests FedRAMP can be a driver of internal maturity, which is a strategic upside for executives concerned about resilience and brand trust. Still, challenges persist: 81% of organizations said finding qualified FedRAMP talent is a major challenge (in fact, skill shortage was cited as a bigger barrier than budget) . This has led to an ecosystem of FedRAMP advisors, accelerators, and automation tools to help companies through the process. Boards should be aware that attracting and retaining cloud security talent (with FedRAMP experience) can be as important as the technology itself in meeting compliance on time.

“Do Once, Use Many” – Beyond FedRAMP: A strategic insight for companies is to leverage overlap and reciprocity among frameworks. Because FedRAMP draws from NIST 800-53 and has rigorous continuous monitoring, it often covers substantial ground for other cybersecurity frameworks. Achieving FedRAMP can thus give a head start in meeting CMMC, SOC 2, ISO 27001, GDPR and others . The reverse is also true: investments in NIST 800-171 (CMMC) controls can partially satisfy FedRAMP requirements since there is about 35% overlap . Executives should encourage their compliance and engineering teams to map control requirements across these standards to reduce duplicate work. Notably, recent policy updates aim to improve reciprocity. The FedRAMP Authorization Act (2022) encourages mutual recognition of security assessments, and there have been discussions about CMMC accepting FedRAMP-certified cloud services as automatically compliant for the cloud portion of a contractor’s environment . Staying attuned to these developments can save costs and time – for example, using a FedRAMP-authorized cloud for handling CUI may simplify a contractor’s CMMC compliance (the cloud provider already covers many controls).

FedRAMP Enhances Market Positioning: In an era of heightened cyber threats, many enterprise and government buyers prefer vendors who can demonstrate strong security credentials. FedRAMP has become a respected credential not just in government but in the broader market. A Harvard governance article even advises corporate directors to ask management “Is the cloud provider we’re considering FedRAMP-approved?” as a litmus test of security due diligence . The logic: if a vendor’s cloud platform is FedRAMP authorized, it means an objective 3rd party vetted its controls to a high standard, reducing risk. Tech executives can thus leverage FedRAMP status in sales discussions outside federal circles as proof of a hardened security environment. Additionally, being early to comply can preempt future regulations – FedRAMP’s model is inspiring analogous programs (e.g. StateRAMP for states, and discussions of similar frameworks for critical infrastructure clouds). Organizations that treat compliance as a strategic investment – building it into product development and cloud architecture – will be better positioned as trusted partners. On the flip side, non-compliance can be a deal-breaker: we’ve seen agencies report using non-FedRAMP cloud services in the past, but OMB is clamping down on that exception . The window for operating in federal spaces without proper certifications is closing fast.

Key Takeaways and Recommendations

• FedRAMP is a Must-Have for Federal Cloud Business: For any cloud service targeting government clients, FedRAMP authorization is effectively a prerequisite. Federal procurement officers often require FedRAMP in RFPs, which means providers without it are filtered out. Achieving FedRAMP not only opens doors to ~$60B in federal cloud spend , it also “levels the playing field” for smaller companies to compete in government deals . Board members should view FedRAMP as a strategic investment to access and grow in the public sector market.

• FedRAMP Drives Security and Revenue Upside: The compliance journey can strengthen a company’s overall security posture and credibility. Over 60% of companies sought FedRAMP to improve cybersecurity – not just to check a box . This rigor pays off: 67% of FedRAMP-compliant firms met or exceeded their revenue targets, and 63% saw improved security across the business as a result . Case studies show FedRAMP can help retain key customers and win new contracts (e.g. Aidin preserving a federal client ) and even boost investor confidence in tech companies aiming for government sectors (Palantir’s market value jump being a vivid example ). Executives should track and communicate these ROI metrics when evaluating the FedRAMP business case.

• Plan for Compliance Challenges – Talent and Cost: Executives must be prepared to dedicate resources – both people and budget – to succeed in FedRAMP or CMMC initiatives. FedRAMP can entail an initial spend in the high six or low seven figures , plus ongoing compliance staffing. Perhaps more critical is the talent gap: 81% of organizations say finding personnel with FedRAMP expertise is a top challenge . Companies should consider engaging experienced 3PAOs or consultants and investing in training to navigate the complexity. For CMMC 2.0, costs will scale with the organization (ranging from around $20K for very small Level 1 efforts up to hundreds of thousands for Level 2 in larger enterprises) . Early gap assessments and incremental upgrades can spread out the cost and avoid last-minute scrambles that disrupt operations .

• Align Frameworks and Leverage Overlap: Treat FedRAMP, CMMC, and NIST 800-171 not as isolated checklists but as complementary parts of a unified security governance strategy. Map controls across these frameworks to maximize reciprocity. For example, if you’ve built a robust FedRAMP Moderate environment, highlight that ~65% of its controls exceed NIST 800-171 – a strong selling point when pursuing defense contracts . Conversely, if you’re a defense contractor implementing CMMC Level 2, use that foundation to springboard into FedRAMP for any cloud services you may develop. This integrated approach reduces duplication and showcases a company-wide commitment to high standards. Consider also how FedRAMP authorization can satisfy state and local requirements (via StateRAMP reciprocity) or even bolster international compliance (many GDPR and ISO 27001 controls align with NIST 800-53, which FedRAMP covers) .

• Stay Ahead of Policy and Market Trends: Finally, board members should ensure their organizations remain proactive as the government compliance landscape evolves. OMB is working on FedRAMP process improvements to lower costs and speed authorizations – engage with these initiatives (through industry groups or public comments) to shape a more efficient future state. Keep an eye on the rollout of CMMC requirements in 2025 and beyond, updating risk registers for any contracts that will require certification. Embrace the “trust stamp” effect of FedRAMP in marketing and partnerships – include it in annual reports and sales pitches to capitalize on the brand value of being a FedRAMP-authorized provider. In an environment where cyber resilience is paramount, leveraging FedRAMP as part of your cloud governance strategy not only ensures compliance but can actively enhance your company’s reputation and competitive edge .

Cybersecurity governance is no longer just a technical matter—it is a critical strategic, legal, and operational issue that board members must actively oversee. Organizations of all sizes must ensure compliance with evolving security regulations and risk management standards. To fulfill their governance responsibilities, board members should prioritize structured discussions, documentation, and policy approvals related to cybersecurity.

Key Elements of Cybersecurity Governance

1. Cyber Risks Discussed and Documented

Regular, structured board discussions on cyber risks should be prioritized. These discussions must go beyond passive reporting to include thorough analysis, prioritization, and documented action plans. Meeting minutes should reference specific risks and the steps taken to mitigate them, ensuring accountability and providing a clear audit trail.

📌 Resource: National Association of Corporate Directors (NACD) Cyber-Risk Oversight Handbook

2. Approval of Risk Management and Compliance Policies

The board must formally approve cybersecurity risk management and compliance policies. These policies define the organization’s response to cyber threats, covering risk mitigation, incident response, data protection, and regulatory adherence. Annual reviews—or updates in response to significant cybersecurity developments—ensure alignment with industry standards and legal expectations.

📌 Resource: NIST Cybersecurity Framework (CSF)

3. Documenting Cyber Requests and Actions

Any cybersecurity-related requests—whether for new tools, training programs, or budget increases—should be documented in meeting minutes or other official records. This level of transparency allows the board to track progress and measure the organization’s commitment to strengthening its cybersecurity posture.

📌 Resource: CISA Cybersecurity Resources for Boards

4. Incident Response and Disclosure

Boards should review and approve incident response plans, ensuring they align with legal and regulatory disclosure requirements. If a security incident occurs, board minutes should document response steps, lessons learned, and follow-up actions to mitigate future risks.

📌 Resource: SEC Cybersecurity Disclosure Rules

5. Annual Review of SOC 2 Reports

SOC 2 reports provide critical insights into an organization’s security, privacy, and compliance posture. Companies that handle sensitive data—particularly in SaaS and technology sectors—should undergo annual reviews of these reports as part of the board’s oversight role.

📌 Resource: AICPA Guide to SOC 2 Compliance

6. Referencing Policies and Audit Results in Meeting Minutes

To maintain a strong cybersecurity governance framework, board minutes should regularly reference cybersecurity policies, audit outcomes, and updates to risk management practices. This demonstrates a proactive governance approach and helps integrate cybersecurity into the organization’s broader risk management strategy.

📌 Resource: ISO 27001 Compliance Framework

Conclusion

Board members play a vital role in cybersecurity governance. By fostering structured discussions, documentation, and policy approvals, they ensure accountability and compliance while reinforcing a strong security culture. A proactive approach to cybersecurity oversight will help safeguard the organization against evolving threats and regulatory risks.

For executives, founders, and business leaders, having a vulnerability management program is one of the often misunderstood requirements of audited frameworks like SOC2, ISO 270001, and NIST.

In this board brief, I’ll explain in the simplest terms for a non-technical audience what it is, how it’s measured during an audit, and what you can do right now to comply with this requirement.

There are many things that sound like they could be related to the words  “vulnerability management”, but the ones the frameworks focus on are very specific. 

Vuln Management is part of the secure software development lifecycle, which includes all the various things software developers have to do on an ongoing basis to ensure the applications they work on are secure from the most common types of threats. 

All software is built using libraries and packages. These are basically other people's code that make your software work, and most are open source. They can be tightly intertwined with your code or in the underlying OS that your application uses. 

As hackers and researchers identify security issues in packages, the maintainers, the people who write the code for them, update their libraries to fix the vulnerabilities that have been identified.

But not every update to a package fixes a vulnerability, most add features and can change how the package works. Updating to a new package that isn’t backward compatible could break something in your application. That’s why this can get very frustrating and time-consuming. 

But this is one of the most important things developers can do to secure their applications. This is literally how attacks on software happen: a well-established vulnerability is exploited to compromise your software.

Ok so, how do you pass your audit? 

During an audit, this is measured by examining the length of time a package that has been identified as vulnerable and then fixed or updated. 

Vulnerable packages are scored by how sensitive they are and auditors will look to make sure highly sensitive critical packages are updated within 30 days, or sooner for example. Less sensitive packages could be 60 or even 90-day timelines, or until they become severely critical. 

How do you actually get this done?

Detecting and triaging the vulnerabilities is thankfully very easy. 

Github’s Dependabot and Snyk’s free plan both cover everything you need to detect vulnerable packages. Did I mention they’re both free? 

Tools like those will continuously monitor and generate the list of vuln packages. They will even rank them in terms of importance. 

Now, this is the hard part. Developers will have to test to ensure that upgrading the packages doesn’t break their application. This is real work; it’s not just changing the version number of a package in a requirements file. Upgrading certain packages might require upgrading others or changing things in how your application uses that package. 

So how do you do this? You need to make vuln management a part of your normal software development process. Upgrading packages regularly. 

Some of the worst offenders I’ve seen are companies that leverage outsourced developers or development companies who write code and then forget about it. Upgrading packages from last quarter's version is significantly easier than upgrading a package from 3 years ago.

👋 What did you think of this post? I’d love to hear your feedback!

Table of Contents

1. Snowflake Data Leak Puts at Least 165 Clients at Risk 

2. Whistleblower Speaks About Negligence at Microsoft Prior to SolarWinds Attack

3. Apple Intelligence: What to Expect and Security Implications 

4. NSO Group Declares Government Officials and Military Leaders “Legitimate Targets”  

5. EU Considers Bill That Would Mandate the Mass Scanning of Digital Messages 

6. Ilya Sutskever Founds Safe Superintelligence Following Dramatic Exit From OpenAI

7. Active Directory Defense Startup Achieves Unicorn Status 

Snowflake Data Leak Puts at Least 165 Clients at Risk 

What happened: 

• Incident response firm Mandiant reports that hackers may have stolen a “significant volume of data” from cloud storage industry giant Snowflake and its customers.

What to know: 

• At least 165 victims have been identified, including TicketMaster and LendingTree.

• The threat isn’t over; TechCrunch confirms that hundreds of Snowflake customer credentials are still circulating online. 

• Snowflake defends its own security in official statement, blaming customers for putting their own credentials at risk by forgoing multifactor authentication. 

• Snowflake reports it is working on a plan to obligate customer use of MFA and other security features; however, they have yet to provide a timeline or specific plan of action.    

Business impact: 

• Companies utilizing Snowflake, partnering with, or relying on any vendors that utilize Snowflake should take immediate action to determine if they’ve been affected; especially important to confirm that MFA is being broadly enforced.

• Snowflake’s denial of wrongdoing and criticism of clients’ security practices sets a new precedent; service providers will not take responsibility for data leaks that leverage customer account access—companies have to take access to SAAS applications as entirely their own risk.

What to do: 

• Check with vendors and partners to see if they use or are connected to parties that use Snowflake. 

• Encourage employees to uphold rigorous use of MFA, especially if your company is a Snowflake customer, on everything, not just “high risk” applications.

For more information, check out this article.

Whistleblower Speaks about Negligence at Microsoft Prior to SolarWinds Attack

What happened: 

• Andrew Harris, former Microsoft employee, provides insight about his experience at the company prior to the devastating SolarWinds cyberattack, revealing that he flagged the potential for “SAML attacks” years before they occurred 

What to know: 

• Despite Harris’ warnings about the potential severity of the bug, Microsoft repeatedly brushed off his concerns. 

• Harris states their deprioritization of the security risk was undergirded by a mindset of profit-over-security, as Microsoft viewed getting a piece of an upcoming cloud computing deal with the USFG as a business imperative. 

• In 2019, Harris’ worst fears came true, as Russian hackers took advantage of the SAML weakness to perpetrate the SolarWinds cyberattack, one of the worst in US history, in which over 18,000 accounts were breached, including various divisions of the US government, most alarmingly the National Nuclear Security Administration  

Business impact: 

• Scale of SolarWinds cyberattack was such that even parties that weren’t directly affiliated with SolarWinds were affected by the hack; consequently, the full impact and extent of the intrusion is still being explored to this day

• Prioritization of profit over customers points to a troubling trend in Microsoft’s internal culture, despite its supposed policy of putting security “above all else”  

What to do:

• Companies should consider the impact of Microsoft products in their own cyber ecosystems, examine the extent to which another breach in Microsoft’s security would affect them, and review ways to mitigate this risk  

For more information, check out this article.

Apple Intelligence: What to Expect and Security Implications 

What happened: 

• Apple has finally released details about their new AI project, “Apple Intelligence,” which aims to integrate generative AI into Apple smartphones, creating a “semi-autonomous,” personalized AI assistant    

What to know: 

• The AI will be trained using your phone’s (e.g., your) personal data; however, Apple promises to keep as much of the AI training process and subsequent computations as possible on the device itself to minimize security anxieties 

• What can’t be done directly with your phone’s hardware will be sent to and processed by Apple’s “Private Cloud Compute System,” which Apple promises will be as secure as possible 

• For more computationally taxing queries, users will have the option to voluntarily run their inputs through ChatGPT, although Apple makes no promises about OpenAI’s own data privacy procedures

Business impact: 

• Apple Intelligence feature poised to boost iPhones sales, foreshadowing possible Apple boom   

• Could benefit certain businesses through faster schedule optimization and workflow acceleration 

• Company data could be processed through this system without company approval due to the fact that individuals get to make the decision about when to use ChatGPT on their phone (which won’t be handled by Apple’s Private Cloud) 

• The widespread introduction of this technology could necessitate increased mobile device security for companies to minimize security risks.

What to do:

• Individuals privy to and handling sensitive company information should be especially conscientious about what their own Apple Intelligence is trained on and has access to  

• Companies should explore the implementation of Mobile Device Management (MDM) software and related technologies to increase the security of employees’ personal devices. 

For more information, check out these articles.

NSO Group Declares Government Officials and Military Leaders “Legitimate Targets” 

What happened: 

• In a statement from court documents related to NSO Group’s ongoing legal battle against WhatsApp (which accuses them of unjustly infecting over 1,400 devices with spyware), NSO Group, Pegasus spyware manufacturer, states all government officials and military leaders are legitimate targets for their products by nature of their jobs   

What to know: 

• This statement stands as a significant revelation of the expected use cases of their technologies, which, according to their mission statement, are only to be used “to prevent acts of terrorism, large-scale drug trafficking, pedophile networks, and other serious criminal acts”

• Their most recent comment, though, makes no mention of the company’s mission statement, and insinuates a broader intended use for the technology

• NSO Group is no stranger to ethical scrutiny, as their technology was rumored to have been used to track journalist Jamal Khashoggi in the weeks leading up to his assassination, and has even been blacklisted by the Biden administration, which cited concerns that the company has acted “contrary to the foreign policy and national security interests of the US”

Business impact: 

• The result of WhatsApp’s lawsuit against NSO Group will determine to what extent NSO Group, and other commercial surveillance companies, will be held accountable for malicious uses and impacts of their technologies 

• How the trial ends will also define the efficacy of legal action against malware developers, and inform companies exploited by malware developers on how to proceed legally     

For more information, check out this article.

EU Considers Bill that Would Mandate the Mass Scanning of Digital Messages 

What happened: 

• On 6/20, the EU was scheduled to assume a position on a bill that would mandate the mass scanning of all digital messages in the EU; however, the vote was canceled on short notice, and a new vote has yet to be announced as of the writing of this article   

What to know: 

• The bill’s stated goal is to automatically scan digital messages in order to flag content that may contain “child sexual abuse material”

• Critics claim that it is a fundamental violation of the right to individual privacy within personal correspondence 

Business impact: 

• Subjects all EU digital correspondence to surveillance  

• Potentially massive security risks due to the undermining of end-to-end encryption (even encrypted messages will be scanned)  

What to do:

• Track updates on this legislation if your company is impacted by European business 

• Consider how the passing of such a bill may impact your company and data security 

For more information, check out this article. 

Share The InfoSec Board Brief

Ilya Sutskever Founds Safe Superintelligence Following Dramatic Exit From OpenAI

What happened: 

• After drawn out tensions and an eventual falling out with OpenAI leadership in May about how to deal with AI safety, Ilya Sutskever has announced the launch of his own company, Safe Superintelligence, which will, as the name implies, focus exclusively on the development and regulation of safe superintelligent AI  

What to know: 

• Safe Superintelligence is being designed from the bottom up as a for profit entity, and is currently recruiting talent 

Business impact: 

• How OpenAI will fare after losing one of its key scientific minds remains to be seen, but one thing is certain: the trajectory of the company has been altered by Ilya’s exit, with speculation that OpenAI will take a less cautious approach to development in the future

For more information, check out this article. 

Active Directory Defense Startup Achieves Unicorn Status 

What happened: 

• Semperis valuation surpasses $1 billion after successfully raising $125 million from JP Morgan and Hercules Capital

What to know: 

• Semperis’ offers extensive hybrid AD threat detection services, which automatically monitor and repel entry attempts to on premise AD and Entra ID, while providing a cohesive, real-time view of AD and Entra ID security  

• Semperis’ unique specialization in Active Directory makes it stand out within the cybersecurity industry, and despite not even having an IPO yet it has already received significant accolades and praise from big names such as Deloitte   

• Semperis to devote its new funding to R&D and Business Development 

• According to CEO, IPO is on the horizon 

Business impact: 

• Semperis’ runaway success highlights the importance of and a growing need for AD defense going into the future 

What to do:

• Companies should investigate ways to protect their AD systems if they aren’t already, and ensure that the measures they’re taking are as rigorous and up to date as they can be   

For more information, check out this article.

Table of Contents

1. Deep Secrets Exposed in Massive Psychotherapy Records Hack

2. Deepfake Menace: Global Election Security Under Threat

3. MITRE Hacked via Ivanti Zero-Day Vulnerabilities

4. Microsoft’s Security Crisis: A Battle Against Cyber Threats

5. Paris Olympics Gears Up for Cyber Attacks

6. Cybercrime's Destructive Alliance: Western Hackers and Russian Partners

7. CISA Investigates Breach at Sisense, Urges Customer Action

8. Nationwide Smart Lock Vulnerability

9. North Koreans Secretly Animated Amazon and HBO Max Shows

10. Musk Sparks Controversy with Sydney Attack Images on X

11. Kaiser Warns Millions of Data Exposure

12. GitHub Comments Used to Spread Malware via Microsoft Repo URLs

    Share The InfoSec Board Brief

Deep Secrets Exposed in Massive Psychotherapy Records Hack

What happened:

• Julius Kivimäki, renowned in global hacking communities for over a decade, was accused of hacking and attempting to extort ransom from Vastaamo, a Finnish national chain of psychotherapy clinics.

• Sensitive patient data was leaked online, including intimate details confessed to therapists.

What to know:

• It’s one of the largest data breaches in Finland’s history: “everyone knows someone who knows someone” whose therapy records were leaked.

• The breach triggered widespread distress among victims and prompted government intervention.

• Vastaamo's lax security measures like disabling network’s firewall or using no password on the system admin account facilitated the exposure of sensitive patient information at least twice.

• Kivimäki has a history of convictions for prominent data breaches and harassment since his early teens, including stealing passwords, and credit card information.

• Investigators pieced together evidence from digital traces and financial transactions to track down Kivimäki.

• Kivimäki consistently asserted his innocence, but the trial's outcome remains pending.

Business Impact:

• For businesses, especially those handling sensitive data, leaking customer data can severely damage reputation and erode customer trust.

• Businesses in the therapy industry or adjacent could be negatively affected by the appearance of lack of privacy in digital therapy services.

What to do:

• Therapy and tele-health services should prioritize implementing and regularly updating security protocols to mitigate the risk of data breaches.

For more information, check out this article.

Deepfake Menace: Global Election Security Under Threat

What happened:

• The rise of deepfake technology has raised concerns about the ability to manipulate elections worldwide.

What to know:

• Elections globally face the threat of AI-driven disinformation, including deepfake videos and manipulated content, influencing voter perceptions.

• Creating deepfakes is now faster, easier, and cheaper, requiring only days and a few thousand dollars to train and edit an effective AI.

• Once trained, AI models can generate videos using a politician's voice and images in minutes.

• Lack of clear regulations and guidelines exacerbates the risk of deepfake misuse.

• Major tech companies are developing tools to detect and label synthetic media, but voluntary commitments may not sufficiently address the issue.

• While most AI-related activity in elections involves "shallow" manipulations such as creating content or emails, requests for unethical deepfake videos persist.

• The EU has introduced comprehensive regulations on AI use, but implementation may take years, leaving elections vulnerable in the interim.

Business Impact:

• The true threat to democracy lies not solely in short-term deepfakes but also in the lasting erosion of trust in the electoral process. 

• Companies handling AI technologies face increasing scrutiny, with potential legal ramifications for misuse.

What to do:

• Regulatory bodies should consider the development and implementation of robust AI regulations to safeguard electoral processes.

• Voters need to remain vigilant against AI-driven disinformation.

For more information, check out this article.

MITRE Hacked via Ivanti Zero-Day Vulnerabilities

What happened:

• MITRE Corporation, overseeing federally funded research, breached by nation-state hackers through two zero-day vulnerabilities in the Ivanti Connect Secure (VPN) product.

What to know:

• MITRE discovered the breach in its unclassified network, impacting collaborative research and development activities supporting various government agencies.

• There’s no indication that MITRE’s core enterprise network or partners’ systems were affected by this incident.

• Hackers moved laterally within MITRE's infrastructure using compromised administrator accounts, employing sophisticated backdoors and webshells.

• Actions advised by the government and Ivanti were insufficient to mitigate the vulnerability.

• MITRE provided recommendations for organizations based on their experience and will investigate the attack technical details in upcoming updates.

Business Impact:

• Organizations using Ivanti VPN and other products face heightened security risks and may have their data compromised.

What to do:

• Companies utilizing Ivanti products should promptly upgrade, replace, and harden their systems to mitigate vulnerabilities.

For more information, check out this article.

Microsoft’s Security Crisis: A Battle Against Cyber Threats

What happened:

• Microsoft faces a series of corporate and government high-profile hacks, including breaches by nation-state actors.

• Amid mounting criticism, the company pledges its most ambitious security overhaul in two decades.

What to know:

• Microsoft vows to address cloud vulnerabilities faster and enhance authentication protocols.

• The company also plans to rely more on AI and automation and change to more secure programming languages, which can be challenging given Microsoft’s size and the complexity of its product portfolio.

• Microsoft is accelerating efforts to eliminate outdated accounts and applications.

• Critics doubt Microsoft's incentive for lasting changes, citing its dominant market position and lucrative cybersecurity revenue.

• Legislation has been proposed to mandate cybersecurity standards for collaboration software, targeting Microsoft's alleged anticompetitive practices.

Business Impact:

• Microsoft's cybersecurity reputation is at stake, affecting customer trust and regulatory scrutiny.

• Microsoft faces the pressure to balance security improvements with product development amid heightened competition and market demands.

What to do:

• Federal agencies and companies should reassess their security protocols to combat evolving threats, and they might consider switching to an alternative vendor if Microsoft's security measures fail to improve.

For more information, check out this article.

Paris Olympics Gears Up for Cyber Attacks

What happened:

• The 2024 Paris Olympics anticipates facing billions of cyberattacks against the Games’ computer networks.

• To prepare, organizers have been conducting “war games” and offering bug bounties to ethical hackers.

What to know:

• Hacking groups now have sophisticated operations capable of disabling digital ticketing systems, credential scanners, and even event timing systems.

• The 2018 Pyeongchang Winter Olympics experienced a significant cyberattack, causing disruptions to Wi-Fi networks, ticket app, and broadcasting systems. Fans couldn’t enter the stadium and news couldn’t be transmitted.

• 2024 Paris Olympics organizers expect to face 3600-5400 “security events”.

• Russia is a major focus of concern due to past incidents of cyber interference in sports events, including state-sponsored hacking targeting anti-doping organizations.

Business Impact:

• Organizers promoting or working with the Olympics should be aware of potential cyberattacks and invest in robust cybersecurity measures.

What to do:

• Paris Olympics organizers are actively preparing for cyber threats through staff training, war games and collaboration with technology partners.

For more information, check out this article.

Cybercrime's Destructive Alliance: Western Hackers and Russian Partners

What happened:

• Ransomware attacks, where hackers encrypt critical files and demand payment for their release, have plagued hospitals, tech firms, and Las Vegas casinos.

• A group of young hackers from the U.S., U.K., and Canada, known as Scattered Spider, has joined forces with Russia's most notorious ransomware gang, raising concerns of escalating cyber threats.

What to know:

• MGM Resorts suffered a $100 million ransomware attack, disrupting operations across major Las Vegas casinos.

• Western hackers leverage their English and social engineering skills, like impersonating an employee, to infiltrate Western companies' networks, while the Russian group offers "ransomware as a service" to its affiliates.

• Despite law enforcement efforts, collaboration between Western hackers and Russian groups persists, posing significant challenges for cybersecurity.

Business Impact:

• The alliance between Western hackers and Russian ransomware groups amplifies the corporate threat landscape.

What to do:

• Companies must enhance cybersecurity measures to defend against ransomware attacks, including training employees to recognize social engineering tactics and implementing robust network security protocols.

For more information, check out this article.

CISA Investigates Breach at Sisense, Urges Customer Action

What happened:

• CISA is investigating a breach at Sisense, a business intelligence company known for its dashboard and analytics services.

• Customers were urged to reset all credentials used within Sisense, such as Microsoft Active Directory credentials, GIT credentials, web access tokens, and any single sign-on (SSO) secrets or tokens.

What to know:

• The breach involves unauthorized access to Sisense's self-hosted Gitlab code repository, containing credentials to Sisense S3 buckets.

• Attackers accessed the buckets and exfiltrated terabytes of customer data, including access tokens, email passwords and even SSL certificates.

• The incident raises concerns about Sisense security protocols, including data encryption at rest.

Business Impact:

• Sisense's breach casts doubt on its security practices and damages its reputation.

• Businesses using Sisense may have had their data compromised.

What to do:

• Sisense customers should follow detailed instructions provided by the company to reset passwords and credentials.

For more information, check out this article.

Nationwide Smart Locks Vulnerability

What happened:

• The U.S. government warns of hard-coded credentials in Chirp Systems' smart locks, potentially compromising 50,000 dwellings nationwide.

• Despite being alerted to the vulnerability in March 2021, Chirp Systems remains unresponsive.

What to know:

• Chirp Systems offers smart mobile access to properties, allowing users to use its app for building entry.

• The company stores hardcoded credentials within its source code, posing a security risk if compromised.

• Attackers within Bluetooth range can use the credentials to manipulate device settings, although it doesn't impact the device's locking/unlocking functionality.

• Chirp's parent company, RealPage, faces lawsuits for alleged rent inflation collusion, using “a mysterious algorithm to help landlords push the highest possible rents on tenants.”

Business Impact:

• Businesses utilizing Chirp Systems' smart locks for property management are exposed to security risks, potentially leading to unauthorized access to their premises.

• RealPage's reputation may suffer further due to ongoing legal issues and its association with Chirp Systems.

What to do:

• Chirp Systems customers should be cautious and consider alternative security measures for their properties.

For more information, check out this article.

North Koreans Secretly Animated Amazon and HBO Max Shows

What happened:

• A misconfigured North Korean cloud server containing thousands of animation files was discovered, revealing North Korean’s involvement in international projects like season 3 of the Amazon show "Invincible", HBO Max shows and Japanese anime series.

What to know:

• Existing sanctions forbid US companies from working with North Korean entities, but the findings suggest North Korea utilizes skilled IT workers to fund its regime.

• North Korea's limited internet access (1,024 IP addresses and 30 websites) is tightly controlled, but skilled IT workers are still active.

• The server, accessed without a login, contained animation files, editing comments, and instructions in Chinese translated to Korean.

• The involvement of North Korean animators in these projects raises concerns about potential sanctions violations and the use of front companies in China to conceal their activity.

Business Impact:

• Skybound Entertainment, YouNeek Studios, and other involved companies face scrutiny and reputational challenges, although they may not have knowingly violated sanctions.

What to do:

• Companies involved in animation projects should conduct thorough due diligence to ensure compliance with sanctions regulations.

• Increased scrutiny and verification measures may be necessary for remote IT workers to prevent potential security breaches and sanctions violations.

For more information, check out this article.

Musk Sparks Controversy with Sydney Attack Images on X

What happened:

• Australian government criticizes Elon Musk and X for allegedly failing to promptly remove graphic content and misinformation during recent violent attacks in Sydney.

• Five government ministers signal potential tougher laws, including a mandatory code of conduct for social media companies operating in Australia.

What to know:

• Calls for stricter regulations surged after two knife attacks in Sydney, leading to the posting of graphic content and rapid misinformation spread.

• X contests the authority of Australia's eSafety commissioner to dictate global content visibility for its users, intending to challenge the orders in court.

• Musk's previous clashes with national authorities include defying orders from Brazil’s Supreme Court.

• Meta Platforms Inc. takes a contrasting stance, recognizing social responsibility and compliance with laws.

Business Impact:

• Musk's resistance and X's stance may lead to potential legal actions against the social media platform in Australia.

What to do:

• Social media companies should prioritize timely removal of inappropriate content and misinformation to address public concerns.

• Governments may introduce tougher legislation to regulate social media platforms and combat misinformation effectively.

For more information, check out this article.

Kaiser Warns Millions of Data Exposure

What happened:

• Kaiser Permanente, the Oakland-based health care conglomerate, revealed that its customers’ personal information may have been transmitted to Google, Microsoft Bing, and Twitter.

What to know:

• Any of the 13.4 million individuals, including current and former members and patients, may have been affected.

• While passwords, Social Security numbers, and credit card details were not exposed, other data such as names, IP addresses, and medical concerns might have been disclosed.

• The incident marks the largest health-related breach of the year.

• Kaiser has removed the technology responsible for the breach from its platforms, which is believed to be tracking software.

Business Impact:

• Kaiser faces reputational damage and potential regulatory scrutiny following the breach.

• Tracking software on organizations' websites may lead to potential violations of privacy laws.

What to do:

• Kaiser users should remain vigilant for any signs of misuse of their personal information.

• Companies should prioritize data protection measures and review their websites for tracking software.

For more information, check out this article.

GitHub Comments Used to Spread Malware via Microsoft Repo URLs

What happened:

• Malicious files were disguised as legitimate Microsoft files in GitHub comments, enticing users to download them.

What to know:

• Malicious URLs appearing to belong to Microsoft repos were crafted using GitHub's file upload feature in comments, creating convincing lures.

• GitHub automatically generates download links after files are added to unsaved comments, enabling threat actors to attach malware discreetly to any repository.

• Even after comments are deleted, the files remain accessible through generated URLs on GitHub's CDN.

• Disabling comments temporarily is the only way to safeguard a GitHub account from such abuse, which can disrupt bug reporting.

• GitHub has removed the malware linked to Microsoft's repositories.

Business Impact:

• Individuals and organizations may fall victim to malware distributed through seemingly trustworthy URLs.

• Companies hosting repositories on GitHub risk damage if users unknowingly download malicious files from URLs that resemble their repositories.

What to do:

• GitHub users and organizations should remain vigilant and report any suspicious activity or files.

• Implement additional security measures to mitigate the risk of malware distribution through comments and attachments.

• GitHub should address this vulnerability promptly to prevent further exploitation.

For more information, check out this article.

1. Doxing Turns Violent: Executives at Risk

2. Safe AI for US Government: Mitre Unveils Testing Lab

3. US Plans Defense Against Satellite Cyberattacks

4. Millions of AT&T Customers' Data Exposed on Dark Web

5. Red Hat Warns of Backdoor Threat in XZ Tools for Linux Distributions

6. Apple Users Targeted in 'MFA Bombing' Phishing Attacks

7. CISA Purposes Mandated Reporting of Cyber Incidents and Ransom Payments

Share The InfoSec Board Brief

Doxing Turns Violent: Executives at Risk

What happened:

• Domestic violent extremists (DVEs) in the US are increasingly doxing senior leaders from public and private sectors, exposing their personal information without consent.

What to know:

• Those being doxed face a higher risk of physical threats like harassment, stalking, protests, physical attacks and cyber threats.

• There was a notable surge in doxing in 2023, particularly against corporate leaders.

• Factors driving DVE doxing include geopolitical events, US presidential elections, and private sector engagement in social justice issues.

Business Impact:

• Doxing exposes both corporate executives and their companies to significant financial, reputational, and physical harm.

What to do:

• Executives should boost their cyber hygiene, use threat monitoring services, and minimize digital footprints.

• Regular audits of online presence, removal of personal information from public platforms, and preparation for potential doxing incidents recommended.

• In case of doxing, document the incidents, assess risks, mitigate leaks, and engage with law enforcement if necessary.

For more information, check out this article.

Safe AI for US Gov: Mitre Unveils Testing Lab

What happened:

• Mitre, a government-backed nonprofit, opened a lab to assess AI systems used by federal agencies for security flaws and risks, focusing on data leaks and explainability of AI decisions.

What to know:

• The facility is called the AI Assurance and Discovery Lab, located in McLean, Virginia, and can host up to 50 people onsite and 4,000 remotely.

• Concerns exist over the adoption of AI systems without fully understanding potential vulnerabilities.

• The lab will conduct hacking tests and assess AI for biases to understand the risks better.

Business Impact:

• Mitre enhances its role in overseeing national security and cybersecurity research.

• For companies involved in AI development: Highlight the importance of rigorous testing and risk mitigation in AI systems.

What to do:

• Mitre will continue its assessments of AI systems and collaborate with federal agencies to address any identified vulnerabilities.

• Companies engaged in AI development should prioritize thorough testing and addressing potential biases to ensure system reliability and security.

For more information, check out this article.

US Plans Defense Against Satellite Cyberattacks

What happened:

• The Biden administration and Congress are intensifying measures to counter cyberattacks targeting satellites and space infrastructure.

What to know:

• Cyberattacks on satellites can lead to control loss, device shutdowns, communication disruptions, or even force the satellites to overheat and explode.

• A widespread attack can disrupt multiple services such as stock trading, GPS navigation, text messaging, weather forecasting, and so on.

• Cyberattacks in space are a low-cost, low-effort way to disrupt critical systems globally, with unpredictable consequences due to a lack of regulations.

• Satellites' reliance on vulnerable networks makes them susceptible to attacks across various systems.

• Past incidents involving Russian hackers targeting satellite provider Viasat, causing major disruptions to Ukrainian military communications.

• US bolsters space security with Space Force's cyber focus, CISA collaboration, and proposed legislations.

Business Impact:

• Increased government focus on space security may lead to regulatory changes impacting companies involved in space-related industries.

What to do:

• Government agencies are planning to fortify cybersecurity resources and support for critical infrastructures reliant on space-based capabilities.

• Companies in the satellite sector should prioritize cybersecurity measures and stay informed.

For more information, check out this article.

Millions of AT&T Customers' Data Exposed on Dark Web

What happened:

• A data breach at AT&T has exposed information from over 7.6 million current customers and 65 million former customers.

• Leaked data includes sensitive details like full name, date of birth, passcodes, social security numbers, and more.

What to know:

• AT&T has reset security passcodes for affected active customers and is notifying them via email or letter.

• TechCrunch notified AT&T in 2021 about vulnerabilities in its encrypted passcodes, which are typically 4-digit numerical PINs and simple to decrypt.

• Customers are advised to set up fraud alerts from credit bureaus.

• The leaked data does not appear to contain financial information or call history.

• AT&T claimed that there hasn’t been evidence of unauthorized access to its systems.

• AT&T previously announced two data leaks in 2021 and 2023.

Business Impact:

• AT&T's reputation may be affected, leading to customer trust issues and loss of business.

• Businesses partnering with AT&T or using their services may have their data compromised and should take actions to secure it.

What to do:

• AT&T is collaborating with cybersecurity experts to analyze the breach.

• Affected customers should set up fraud alerts and monitor their accounts for any suspicious activity.

• Companies should review and enhance their data security measures, especially if they handle sensitive customer information.

For more information, check out this article.

Red Hat Warns of Backdoor Threat in XZ Tools for Linux Distributions

What happened:

• Red Hat issued a warning advising users to cease using Fedora 41 and Fedora Rawhide versions due to a backdoor discovered in the latest XZ Utils compression tools, which allows potential unauthorized access to systems running affected Linux distributions.

What to know:

• The compromised XZ versions 5.6.0 and 5.6.1 contain malicious code injected by contributor Jia Tan, potentially enabling remote code execution or unauthorized access.

• The malicious code is obfuscated and can only be found in complete download packages, not in Git distributions, complicating detection.

• Debian, Kali Linux, openSUSE, and Arch Linux have issued security advisories and rolled back affected versions in their distributions.

• Linux administrators are urged to downgrade to an uncompromised XZ version (i.e., 5.4.6 Stable).

Business Impact:

• Companies relying on systems running Fedora development and experimental versions should be mindful of potential breaches and must take immediate action to safeguard their systems.

What to do:

• Users should downgrade to uncompromised XZ versions and monitor their systems for any signs of malicious activity.

For more information, check out this article.

Apple Users Targeted in 'MFA Bombing' Phishing Attacks

What happened:

• Apple users have reported sophisticated phishing attacks involving overwhelming system prompts for password reset approvals.

What to know:

• Victims experience a barrage of system notifications demanding password reset approvals, hindering device functionality until users choose “Allow” or “Don’t Allow”.

• Clicking "Allow" displays a six-digit PIN necessary for changing the account password. Phishers will impersonate Apple support callers, attempting to extract these verification codes, change password and seize control of the Apple ID.

• Clicking "Don't Allow" triggers even more notifications that persist for days.

Business Impact:

• Apple's security reputation may suffer, leading to a loss of customer trust.

What to do:

• Apple users should remain vigilant and avoid clicking "Allow" on unsolicited password reset prompts, as this could enable attackers to compromise their accounts.

• Users should also consider changing account phone numbers and utilizing email aliases to reduce exposure to potential attacks.

For more information, check out this article.

CISA Purposes Mandated Reporting of Cyber Incidents and Ransom Payments

What happened:

• The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) proposed a comprehensive cyber incident reporting structure across 16 critical sectors.

• Covered organizations are required to report cyber incidents under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), within 18 months of the final rule.

What to know:

• The proposed rule includes sector-based criteria, such as the Healthcare and Public Health sector, encompassing entities like manufacturers of Class II or III medical devices.

• If a facility or function within an organization is considered a covered entity, then the entire organization will be a covered entity.

• A cyber incident at any part (sector-defined or not) within a covered entity triggers reporting for the entire entity.

• CISA considered various alternatives to the proposed rule, weighing costs and benefits, and explained the reasons why each alternative was rejected in the rule document.

Business Impact:

• If implemented, the rule could enhance cybersecurity resilience across critical sectors but may increase compliance costs for affected organizations.

What to do:

• Organizations falling under the proposed rule should closely monitor developments and prepare to comply with reporting requirements.

For more information, check out this article.

1. Automobile Makers Are Selling Consumer Driving Behavior To Insurers

2. The TikTok Threat

3. Nevada AG Seeks Ban On Meta's End-To-End Encryption For Minors

4. Telco Manager Pleads Guilty in SIM Swap Conspiracy

5. State AGs Demand Action from Meta Over Account Hacking

6. Healthcare Hack Will Burden US With Hundreds of Millions in Costs

7. Lawmakers Propose a New Federal Office to Regulate Workplace Surveillance Technology

8. McKinsey to Boards of Directors: You’re the Final Line of Cybersecurity Defense

Share The InfoSec Board Brief

Automobile Makers Are Selling Consumer Driving Behavior To Insurers

What happened:

• Automakers like General Motors (GM) are gathering extensive data on driving habits such as speed, braking, and acceleration patterns through connected car technologies.

• This data is being sold to insurance providers without drivers' knowledge.

What to know:

• Lexis Nexis, a data broker, received detailed driving data from GM vehicles, including trip details and driving behaviors.

• Many drivers have experienced spiking insurance premiums based on data collected without their explicit consent. 

• They were enrolled in driver feedback programs, which tracked driving habits without their full awareness, leading to privacy concerns.

• The practice of sharing driving data extends beyond GM, involving other automakers like Kia, Subaru, and Mitsubishi.

Business Impact:

• Brands involved in intrusive data collection practices can face growing consumer outrage and potential backlash.

• There are also potential legal implications regarding data privacy and the need for transparent consent mechanisms for data collection.

What to do:

• Companies should reassess their data collection practices, ensuring transparent disclosure and explicit consent from consumers. Review your consumer facing marketing materials for deceptive language about how data is used.

• Insurance providers should consider the ethical implications of using data obtained without full consumer awareness and consent.

For more information, check out this article.

The TikTok Threat

What happened:

• Despite widespread concerns and legislative actions targeting TikTok, U.S. intelligence has no evidence of TikTok coordinating with Beijing, labeling the national security threat as only hypothetical for now.

What to know:

• The bill to force ByteDance to sell TikTok passed a full vote in the House on March 13.

• Allegations against TikTok suggest it could be used by the Chinese government for manipulation, data collection, and espionage.

Business Impact:

• Continued uncertainty about TikTok's security and privacy could prompt regulatory or legislative actions, potentially resulting in bans or forced sales.

• Businesses utilizing TikTok for marketing or engagement strategies may face challenges due to ongoing scrutiny and regulatory concerns.

What to do:

• Companies relying on TikTok for marketing or engagement should monitor developments closely and be prepared to adapt to potential regulatory changes.

For more information, check out this article.

Share The InfoSec Board Brief

Nevada Attorney General Seeks Ban On Meta's End-To-End Encryption For Minors

What happened:

• Nevada's Attorney General (AG) has filed a motion to block Meta from providing end-to-end encryption to users under eighteen in the state.

• The AG cites concerns about child predators targeting minors online and argues that encrypted communication would hinder law enforcement investigations.

What to know:

• End-to-end encryption ensures that communication is encrypted on the sender's device and decrypted only on the recipient's device, preventing intermediaries from accessing its contents.

• Meta has offered optional end-to-end encryption since 2016 and recently made it default on Messenger.

• Despite Meta's claims that law enforcement can access messages from criminals and minors’ devices, the AG aggressively pushes for encryption restrictions.

• Identifying minors based on IP addresses and self-disclosure is challenging and risks compromising adults' privacy if wrongly identified.

• Meta opposes the injunction, arguing encryption is essential for user privacy and protection against online threats.

Business Impact:

• Granting the AG's request could set a precedent affecting privacy and security standards for minors on various messaging platforms, including Apple iMessages and WhatsApp, across multiple states.

What to do:

• Businesses involved in providing communication platforms should review their encryption policies and compliance with state regulations to mitigate legal risks.

For more information, check out this article.

Telco Manager Pleads Guilty in SIM Swap Conspiracy

What happened:

• Jonathan Katz, a former manager at a telecommunications company in New Jersey, admitted to performing unauthorized SIM swaps for payment, enabling an accomplice to hack customer accounts.

• The swaps occurred between May 10 and 20, 2021.

What to know:

• SIM swapping involves transferring a target's phone number to a physical SIM card or eSIM controlled by attackers to bypass two-factor authentication.

• Katz received $1,000 in Bitcoin per swap, totaling $5,000, and a share of profits from illicit access to victims' accounts.

• Court documents revealed victims across multiple states, whose accounts were compromised, including email, social media, and cryptocurrency wallets.

• Katz faces up to five years in prison and a significant fine.

• Telecom service providers have now enacted measures to prevent unauthorized number porting events without the owner's involvement or authorization.

Business Impact:

• Customers may lose trust in telecom providers if such similar insider threats occur, potentially leading to reputational damage and loss of business.

What to do:

• Telecom companies should review and enhance security measures to prevent similar insider abuses, safeguarding customer trust and data integrity.

• Users should remain vigilant by monitoring their accounts for suspicious activity and promptly reporting any unauthorized access.

For more information, check out this article.

Subscribe now

State AGs Demand Action from Meta Over Account Hacking

What happened:

• A coalition of 41 state attorney generals penned a letter to Meta's top attorney, expressing concerns over the surge in complaints about Facebook and Instagram accounts being stolen.

What to know:

• Reports indicate instances of fraudulent charges to stored credit cards, unauthorized use of personal information and advertisements, disruptions in communication, and more.

• The spike in complaints poses a significant drain on governmental resources, as many stolen accounts are linked to financial crimes.

• Meta faces criticism for allegedly failing to assist hacked users promptly, leaving them unable to salvage their accounts or their businesses.

• Complaints have surged over recent years, with a tenfold increase in New York alone.

• The surge in complaints coincided with Meta's layoffs of approximately 11,000 employees in November 2022.

Business Impact:

• Businesses using Meta face the risk of losing their account along with all the resources invested.

What to do:

• Meta is urged to take immediate action to address the surge in hacking complaints and provide timely assistance to affected users.

• Users experiencing hacking incidents should follow reporting procedures provided by Meta and seek legal recourse if necessary to protect their accounts and businesses.

• Secure your personal and business accounts with strong passwords and two-factor authentication.

For more information, check out this article.

Healthcare Hack Will Burden US With Hundreds of Millions in Costs

What happened:

• The Feb 21st cyberattack on Change Healthcare, an UnitedHealth subsidiary, has disrupted medical payments, causing financial strain on providers.

• Insurance executives and US health officials believe the situation is improving, with approximately 95% of claims being processed compared to pre-hack levels.

What to know:

• The cyberattack halted billions of dollars in medical payments and left many providers struggling financially.

• Insurance companies, doctors, hospitals, and pharmacies have been working to resolve the fallout, but there's no clear timeline for when backlogs will be cleared.

• UnitedHealth has advanced over $2 billion to medical providers affected by the hack, but the total amount of disrupted claims remains uncertain.

• Smaller medical providers relying on Change may face credit profile impacts, while larger companies have more financial flexibility.

• UnitedHealth has restored its payments platform as of March 15.

Business Impact:

• Companies in the healthcare industry should be mindful of and have backup plans for potential financial strains and disruptions caused by cyberattacks on payment systems.

What to do:

• Healthcare companies should continue efforts to restore disrupted services and processes.

• Implement robust cybersecurity measures to mitigate the risk of future cyberattacks and protect critical systems and data.

For more information, check out this article.

Lawmakers propose a new federal office to regulate workplace surveillance technology

What happened:

• Two House Democrats, Chris Deluzio and Suzanne Bonamici, introduced the Stop Spying Bosses Act to increase transparency and protect workers' rights regarding workplace surveillance technologies.

• The bill aims to regulate the surveillance, monitoring, and collection of certain worker data by employers, requiring disclosure and prohibiting specific surveillance activities.

What to know:

• The Department of Labor would establish a "privacy and technology division" to oversee workplace surveillance technologies under the proposed legislation.

• Similar legislation was previously introduced in the Senate in February 2023 by Senators Bob Casey, Cory Booker, and Brian Schatz.

• The proposed rules would mandate timely and conspicuous disclosure of data collection activities to workers, prohibit certain surveillance practices, and empower workers in AI-based decision-making processes.

Business Impact:

• Companies should prepare for increased transparency requirements and restrictions on surveillance activities in the workplace.

• This will also effect BYOD (bring your own device) policies.

What to do:

• Employers should stay informed about developments in workplace surveillance regulation to adapt policies and procedures accordingly.

For more information, check out this article.

McKinsey to Boards of Directors: You’re the Final Line of Cybersecurity Defense

What happened:

• In a new McKinsey article, they urged boards of directors are positioned to provide oversight, guidance, and risk prioritization in addressing cybersecurity challenges of the organizations in the industrial sector.

What to know:

• Cybercrimes are escalating and is projected to have an annual impact of $10.5 trillion by 2025.

• The cyber attack surface is expanding with the integration of digital operational technology (OT), cloud and edge computing, Internet of Things (IoT) & Industrial IoT, and AI.

• Attackers are evolving, pooling skills, and leveraging AI for novel attack techniques.

• Hacker-for-hire markets are thriving, with freelancers offering tailored attacks for personal profit.

• Time to exploit vulnerabilities has decreased from several months to only days.

• Despite the growing volume of cyberattacks, security professionals are improving defense capabilities.

Business Impact:

• Boards of directors play a crucial role in ensuring cybersecurity initiatives are planned, funded, and embedded in organizational strategies and digital transformations.

• Boards have the role of providing strategic cyber planning versus the day to day tasks of putting out fires.

• Boards should play a role in risk prioritization and managing the trade-offs, as this also relates to budget and resources.

• Organizations across all sectors face heightened cybersecurity risks and must prioritize building resilience against evolving threats.

What to do:

• Organizations should strengthen their cyber defense capabilities through human capital investment, integration of cyber governance, secure third-party and supply chain management, proactive response and recovery planning, embedded security architecture & engineering and AI.

• A board member doesn’t have to be a cyber expert to help add value or to ensure accountability.

• Boards of directors should provide oversight, guidance, and risk prioritization, and hold executives and cyber teams accountable for achieving security goals.

For more information, check out this article.

1. New York Sues Citibank Over Poor Data Security

2. Surveillance Apps PhoneSpector and Highster Shut Down After Legal Settlement

3. AnyDesk suffers cyberattack, source code and signing keys stolen

4. Clorox’s Cyberattack Costs Exceed $49 Million

5. CISA Issues Urgent Removal Order for Insecure Ivanti Products

6. Company Tracked Visits to 600 Planned Parenthood Locations for Anti-Abortion Ads

7. FCC Implements Stricter Rules for Telcos Regarding Data Breach Reporting

8. Staying Ahead of Threat Actors in the Age of AI

9. US military notifies 20,000 of data breach after cloud email leak

10. Atlassian vulnerability exploited in Government Accountability Office breach affecting 6,600 individuals.

11. Cyberattack Hits German Battery Maker Varta, Halts Production

12. Hackers Gained Access to Prudential’s Computer Systems

13. Nation-State Hackers Use AI to Boost Cyber Operations

14. Pig Butchering Scam Exposed: How Scammers Are Duping Victims for Millions

15. Microsoft Rolls Out Expanded Logging Six Months After Chinese Breach

16. Avast Ordered to Stop Selling Browsing Data from its Privacy Apps

New York Sues Citibank Over Poor Data Security

What happened: 

• New York Attorney General Letitia James has filed a lawsuit against Citibank for alleged failures in protecting customers from hackers and fraudsters who have stolen millions, as well as their refusal to reimburse victims.

What to know:

• The lawsuit cites specific examples of individuals losing significant sums after falling victim to cybercriminals.

• Threat actors primarily used social engineering tactics to trick victims into granting access to their accounts and executing unauthorized transfers without exploiting software vulnerabilities or system access.

• The attorney general believes Citibank should have more efficient fraud detection systems, such as identifying unrecognized device locations, suspicious password or username changes, and suspicious transfers.

• Citibank was accused of being slow in responding to fraud reports from customers.

• Citibank allegedly exploits a legal loophole to deny reimbursement claims under the Electronic Fund Transfer Act (EFTA), arguing that they are not obligated to reimburse customers who follow fraudsters' instructions without any indication of deception.

Business Impact: 

• Companies should consider the risks associated with benefiting from fraudulent activity against their customers or through their platforms.

What to do:

• Provide training to employees on recognizing and defending against social engineering techniques against your clients.

For more information, check out this article.

Surveillance Apps PhoneSpector and Highster Shut Down After Legal Settlement

What happened:

• PhoneSpector and Highster, two secret phone surveillance services, have shut down after their owner settled New York state accusations of promoting illegal spyware.

• The settlement in February 2023 required the companies to pay $410,000 in penalties and modify the apps to alert device owners that their phones were being monitored.

What to know:

• These apps, often referred to as stalkerware or spouseware, allowed covert surveillance of smartphones by individuals with knowledge of the device passcode, usually spouse or domestic partner. They continuously collected and uploaded messages, photos, and real-time location data to a dashboard accessible by the abuser.

• PhoneSpector's website stopped functioning after the settlement and was redirected to an Indonesian lottery website. Highster's website also stopped loading months later.

• The domains, servers, and infrastructure used by PhoneSpector and Highster are no longer online. Their customer service lines have also been disconnected.

• It remains uncertain whether the companies have paid the $410,000 penalty as agreed in the settlement. 

• Several other stalkerware apps, including Retina-X and SpyFone, have ceased operations in recent years following regulatory actions.

Business Impact: 

• Businesses developing stalkerware and individuals using them should reconsider the ethical implications of such practices.

What to do:

• Users of PhoneSpector and Highster may need to consider the legality and ethics of using such apps for monitoring purposes.

• Regularly check your devices for potential spyware.

For more information, check out this article.

AnyDesk Suffers Cyberattack- Source Code and Signing Keys Stolen

What happened:

• AnyDesk, a remote access solution, experienced a recent cyberattack where hackers gained access to the company's production systems and stole source code and private code signing certificates.

What to know:

• AnyDesk allows users to access computers remotely over the internet.

• AnyDesk serves 170,000 customers, including notable organizations like 7-Eleven, Comcast, Samsung, MIT, NVIDIA, SIEMENS, and the United Nations.

• The attack was detected after indications of an incident on their servers, leading to a security audit that confirmed the compromise.

• The cybersecurity firm CrowdStrike assisted in responding to the incident, and AnyDesk revoked security-related certificates and replaced systems as necessary.

• While they assured customers that AnyDesk was safe to use, they recommended using the latest version with the new code signing certificate.

• AnyDesk stated that no authentication tokens were stolen as they exist only on the end user's device, not the AnyDesk system. Still, they decided to revoke all passwords to their web portal as a precaution.

Business Impact: 

• If your company uses AnyDesk, they assert that your authentication tokens and password remain unaffected. However, it's essential to remain vigilant and monitor for any signs of potential incidents.

What to do:

• If you use AnyDesk, switch to the new version, as the old code signing certificate will be revoked.

• Update your AnyDesk passwords and any other accounts if you're using the same passwords.

For more information, check out this article.

Clorox’s Cyberattack Costs Exceed $49 Million

What happened:

• Clorox suffered a cyberattack in August 2023, resulting in system shutdowns, order processing delays, and product shortages. The attack incurred $49 million in costs by the end of 2023.

What to know:

• Costs included losses from disruptions and expenses related to third-party experts engaged for investigation and remediation.

• Clorox anticipates additional costs of approximately $50-$60 million ($38-$46 million after tax) in FY24.

• The company has not recognized insurance proceeds, and timing may differ from expense recognition.

• Specific details of the attack, including data theft, remain undisclosed.

• Security researcher Dominic Alvieri stated that the cyberattack was attributed to the BlackCat (a.k.a Alphv) ransomware group, but this has yet to be confirmed. 

Business Impact:

• Clorox's customers may experience potential data breaches, and Clorox’s share price is down 2.4% over the past 12 months.

What to do:

• Invest in robust security protocols and incident response plans to minimize impacts.

For more information, check out this article.

CISA Issues Urgent Removal Order for Insecure Ivanti Products

What happened:

• The US government’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an unprecedented directive on Jan 31, 2024 requiring federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products with only 48 hours notice.

What to Know:

• This move is in response to at least three actively exploited Ivanti security vulnerabilities.

• Ivanti is an IT software company that develops software solutions for IT Security, IT Service Management, IT Asset Management, Unified Endpoint Management, Identity Management, and supply chain management.

• Federal Civilian Executive Branch (FCEB) agencies were urged to conduct threat hunting on affected systems and monitor authentication or identity management services.

• Within the 48-hour timeframe, network administrators must isolate the systems from enterprise resources and continue auditing privilege-level access accounts.

• CISA outlines steps to bring Ivanti products back into service, including exporting device configuration settings, performing a factory reset following Ivanti's instructions, and upgrading to a fully patched software version.

• Volexity identified exploitations of these Ivanti’s vulnerabilities, warning of Chinese nation-state hackers leveraging them to breach US organizations.

• Cybercriminal groups have also taken advantage of these vulnerabilities to deploy malicious software.

Business Impact:

• Organizations relying on Ivanti’s products face potential security risks and should take immediate action to comply with CISA's directive.

What to Do:

• Federal agencies must follow CISA’s directive to bring the product back into service.

• Organizations should also be vigilant for any signs of compromise.

For more information, check out this article.

Company Tracked Visits to 600 Planned Parenthood Locations for Anti-Abortion Ads

What happened:

• Near Intelligence allegedly tracked visits to 600 Planned Parenthood locations across 48 states, fueling a significant anti-abortion ad campaign.

What to Know:

• Near Intelligence, a location data provider, allegedly gathered and sold information on visitors to Planned Parenthood locations without their consent.

• This data was utilized for a national anti-abortion ad campaign between 2019 and 2022, targeting individuals who had visited these locations.

• The company claims to have information on 1.6 billion people across 44 countries

• Near Intelligence filed for bankruptcy in December, raising concerns about the fate of the collected data, which could be sold off as part of its assets.

• Senator Ron Wyden has called on the Federal Trade Commission (FTC) to block Near Intelligence’s data sales and the Securities and Exchange Commission (SEC) to investigate the company’s misleading filings.

Business Impact:

• Businesses investing in, partnering with, or using Near Intelligence's services should be mindful of the legal and ethical implications associated with the data collected and sold by the company.

What to Do:

• This case highlights the need for stronger privacy regulations and compliance measures

• Companies should review data collection practices to ensure compliance.

• Businesses should ensure accurate representation of data practices in filings.

• Individuals should be mindful of sharing location data and consider privacy tools.

For more information, check out this article.

FCC Implements Stricter Rules for Telcos Regarding Data Breach Reporting

What happened: 

• The FCC has enforced new rules mandating telecom companies in the US to report any security breaches to the agency, FBI, and Secret Service within seven days. The mandatory waiting period before informing consumers has also been eliminated.

What to know:

• Telecom companies must now inform customers of data breaches without undue delay, with a maximum of 30 days following confirmation of a breach.

• The scope of data exposure types requiring customer notification has been expanded to include personally identifiable information (PII) such as names, government ID numbers, authentication data, email addresses/passwords, and biometric data.

• An exception to customer notifications exists if the carrier determines that no harm is reasonably likely to occur.

• The FCC's definition of a breach now includes "inadvertent access, use, or disclosure of customer information," broadening the scope of incidents requiring reporting.

Business impact:

• Telcos now have more compliance requirements related to breach disclosure.

• Businesses that are telcos’ customers will now be promptly informed of any breaches, allowing them to take immediate steps to remediate potential harms.

What to do:

• Telecom companies should review and update breach notification protocols to align with the FCC's new requirements.

• Ensure that all relevant personnel are aware of the updated regulations and receive appropriate training.

• Monitor developments from regulatory agencies like CISA to stay informed about potential changes in breach reporting standards.

For more information, check out this article.

Staying Ahead of Threat Actors in the Age of AI

What happened:

• Microsoft and OpenAI collaborated to publish research on how cybercriminals are using advanced technology like AI for attacks, such as attempted misuse of large language models (LLMs) and fraud.

What to know:

• The use of LLM technology by threat actors has shown them utilizing AI for reconnaissance, coding assistance for improving malware, and social engineering.

• While there haven't been big AI-powered attacks yet, Microsoft and OpenAI are watching closely.

• Microsoft outlined principles to mitigate risks associated with the use of AI tools by threat actors, including identification and action against malicious use, collaboration with stakeholders, and transparency in reporting actions taken.

Business Impact:

• Businesses should recognize the evolving landscape of cyber threats enhanced by AI and prioritize implementing robust cybersecurity measures.

• Understanding potential misuse of AI by threat actors is crucial for devising effective defense strategies and safeguarding against emerging threats.

What to do:

• Utilize resources provided by Microsoft and OpenAI to stay informed about emerging threats and best practices for mitigating risks associated with AI-enabled attacks.

• Implement comprehensive AI safety and security standards aligned with industry best practices and regulatory requirements.

• Foster collaboration with other stakeholders to exchange information and enhance collective responses to ecosystem-wide risks posed by AI-enabled threats.

For more information, check out this article.

US Military Notifies 20,000 of Data Breach After Cloud Email Leak

What happened:

• The U.S. Department of Defense (DOD) is informing thousands of individuals about their personal information being exposed in an email data leak from last year.

• The breach occurred between February 3 and February 20, 2023, due to an unsecured U.S. government cloud email server hosted on Microsoft's cloud platform.

What to know:

• Around 20,600 individuals are receiving breach notification letters.

• The exposed emails included sensitive military information, such as personnel data and security clearance questionnaires.

• The server was accessible without a password, allowing anyone with the public IP address to view the emails.

• The breach was initially discovered by security researcher Anurag Sen, who alerted TechCrunch to report it to the U.S. government.

• The affected server was identified and removed from public access on February 20, 2023, and the vendor addressed the issues that resulted in the exposure. 

Business Impact:

• Businesses engaged with the department should verify whether their sensitive data was compromised in the breach and take necessary measures to mitigate potential risks.

What to do:

• Organizations should regularly audit their cloud configurations and security protocols to ensure data protection.

• Promptly report any security vulnerabilities or breaches to the relevant authorities and take immediate action to address them.

For more information, check out this article.

Atlassian Vulnerability Exploited in Government Accountability Office Breach Affecting 6,600 Individuals.

What happened:

• A breach of the Government Accountability Office (GAO) occurred through a contractor, CGI Federal, resulting in the compromise of data of approximately 6,600 current and former GAO employees from 2007 to 2017, along with some companies engaged with GAO.

• The breach was attributed to a vulnerability in the Atlassian Confluence workforce collaboration tool, which malicious hackers actively exploited.

What to know:

• The GAO conducts investigations into taxpayer spending for Congress and federal agencies.

• The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory in October 2023 about the vulnerability affecting certain versions of Atlassian Confluence Data Center and Server, warning of active exploitation.

• CGI Federal took immediate remediation actions following the CISA advisory and is cooperating with authorities and clients to address the impact of the breach.

• Atlassian alerted its customers of the vulnerability on October 4 and emphasized the importance of taking immediate action to safeguard data.

Business Impact:

• Companies involved with the GAO and/or using Atlassian should assess if their data was compromised and take appropriate measures to enhance their cybersecurity posture.

For more information, check out this article.

Cyberattack Hits German Battery Maker Varta, Halts Production

What happened:

• Varta AG experienced a cyberattack on February 12, leading to the suspension of production in five of its facilities.

• The company's information technology systems were temporarily shut down and disconnected from the internet.

What to know:

• VARTA AG is a German-based company specializing in battery manufacturing for automotive, industrial, and consumer markets, with subsidiaries in over 75 countries worldwide.

• The extent of the damage caused by the cyberattack is still under evaluation.

• Varta has activated its emergency plan to manage the situation and has formed a task force to expedite the restoration of operations.

• Varta shares went down 3.6% at the close of European trading the following day.

Business Impact:

• Companies doing business with Varta should be aware of the potential risks associated with cyberattacks.

• Interruptions in production due to cyber incidents can lead to financial losses and damage to reputation.

What to do:

• Companies with ties to Varta should assess their own cybersecurity measures and consider implementing additional safeguards to mitigate the risk of similar incidents.

Hackers Gained Access to Prudential’s Computer Systems

What happened:

• Hackers accessed Prudential Financial Inc.'s information technology systems.

• A small percentage of user accounts linked to employees and contractors were compromised.

What to know:

• No evidence of customer or client data theft has been found so far.

• The unauthorized access occurred starting from February 4, with Prudential detecting the breach the following day.

• The company is cooperating with law enforcement and regulatory authorities to address the breach.

• Prudential is investigating the incident's extent and potential impact on additional information or systems.

Business Impact:

• Companies that are Prudential’s customers or partners may have had their data leaked.

What to do:

• Companies associated with Prudential should check if their data has been compromised and monitor the situation closely for any updates.

• Companies should enhance their cybersecurity protocols and remain vigilant against potential cyber threats.

Nation-State Hackers Use AI to Boost Cyber Operations

What happened:

• Russian, North Korean, Iranian, and Chinese-backed adversaries are incorporating large-language models (LLMs) into their cyberattacks.

• These hackers are leveraging AI, such as OpenAI's ChatGPT, to enhance their operations, including phishing emails and vulnerability research.

What to know:

• The use of LLMs by state-sponsored cyber-espionage groups signals a significant evolution in their tactics.

• OpenAI has terminated accounts associated with state-sponsored hackers to mitigate the threat.

• Although no major breaches utilizing LLM technology have occurred yet, security experts warn of its potential for more sophisticated cyberattacks.

Business Impact:

• The increasing sophistication of cyber threats, particularly from nation-state actors poses significant risks to companies and governments.

What to do:

• Monitor developments in AI technology and its potential applications in cyber operations.

• Strengthen cybersecurity defenses to mitigate the risk of AI-enhanced attacks.

Pig Butchering Scam Exposed: How Scammers Are Duping Victims for Millions

What happened:

• Scammers are employing a sophisticated scheme known as "Pig Butchering," targeting victims worldwide through social media and dating apps, stealing hundreds of millions of dollars.

• They establish trust with victims through prolonged conversations, feigning interest, and offering investment opportunities in cryptocurrencies and other financial instruments.

What to know:

• "Pig butchering" refers to scammers luring victims with romantic or investment promises to swindle them of large sums of money, either in fiat currency or cryptocurrency.

• The scam has resulted in losses exceeding $429 million, per the FBI's 2021 Internet Crime Report.

• Victims are lured into the scam through various platforms such as WhatsApp, Telegram, TikTok, X (formerly Twitter), Instagram, Tinder, Bumble, and Hinge.

• Scammers use fake profiles, stolen images, and AI-generated photos to create convincing personas to gain victims' trust.

• The scheme involves "herders" who initiate contact and "pig butchers" who conduct prolonged conversations to persuade victims to invest.

Business Impact:

• Companies should be aware of the potential for employees to become victims of financial scams through social media and dating apps.

What to do:

• Victims of the scam should report suspicious activity to the appropriate authorities and cease communication with potential scammers.

• Platforms hosting these scams should implement stricter moderation and reporting mechanisms to prevent scammers from targeting unsuspecting users.

For more information, check out this article.

Microsoft Rolls Out Expanded Logging Six Months After Chinese Breach

What happened:

• After Chinese state hackers used a stolen Microsoft signing key to breach US government officials' email accounts in June 2023, Microsoft faced criticism for not offering robust logging features by default.

What to know:

• Microsoft's decision to charge a premium for security features, including logging, drew scrutiny following the Chinese hacking operation. The company removed this fee after that.

• Federal officials announced progress in making expanded logs available to federal agencies, with plans to extend access to all agencies this month.

• Microsoft is increasing the default log retention period from 90 to 180 days and making more detailed logs available.

Business Impact:

• The delayed rollout of expanded logging features may have hindered federal agencies' ability to detect and respond to security threats effectively.

What to do:

• Federal agencies should leverage the expanded logging capabilities to enhance their cybersecurity posture and better detect and respond to potential threats.

• Technology vendors, including Microsoft, should prioritize security features by default and address concerns about cybersecurity readiness to mitigate risks to the government and other users.

Avast Ordered to Stop Selling Browsing Data from its Privacy Apps

What happened:

• Avast collected users' browser information from 2014 to 2020 and sold it to over 100 companies through Jumpshot.

• The Federal Trade Commission (FTC) ordered Avast to pay $16.5 million and cease selling browsing data.

What to know:

• Avast acquired then-antivirus competitor Jumpshot in early 2014, rebranding it as an analytics seller, offering insights into the online habits of over 100 million consumers.

• Avast's apps claimed to increase privacy but collected identifiable data, including job searches and map directions.

• FTC found the data wasn't sufficiently anonymous, including unique device identifiers and specific browsing activities.

• The connection between Avast and Jumpshot was revealed in January 2020, showing data purchases by major companies like Home Depot, Google, Microsoft, Pepsi, and McKinsey.

• Avast is required to implement a comprehensive privacy program and obtain express consent for future data gathering.

Business Impact:

• Businesses using Avast’s applications or have employees using Avast may have their data tracked.

What to do:

• Companies may consider switching to alternative security providers with more stringent privacy policies.

• Companies should review their data collection and sharing practices to ensure compliance with privacy regulations.

Hi! We’re back after a short break with the essential cybersecurity and privacy news for executives.

Table of Contents

1. Microsoft network breached by Russia-state hackers

2. Cyber scams and their surprising connection to human trafficking and Myanmar's civil war

3. Nearly 25 million new unique login credentials stolen from various websites

4. Kaspersky Research Created a Lightweight Method to Detect Potential iOS Malware

5. SentinelOne Uncovers the Evolution of Undetected macOS InfoStealers | KeySteal, Atomic, and CherryPie

6. Facebook Users are Monitored by Thousands of Companies

7. Inside the $1 billion Walmart Gift Card Laundering Scheme

8. Critical GitLab vulnerability exposes 2FA-less users to account takeovers

9. GenAI could make KYC effectively useless

10. FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data

Share The InfoSec Board Brief

1. Microsoft network breached by Russia-state hackers

What happened: 

• In late November 2023, Russian state-backed hackers called Midnight Blizzard attacked Microsoft's network.

• Microsoft only discovered the breach on January 12, 2024.

What to know:

• The hackers breached a device within Microsoft’s network with a weak password and no two-factor authentication.

• They tried various previously compromised or commonly used passwords until they succeeded.

• After gaining access through this account, they assessed a small number of Microsoft corporate email accounts, including those of senior executives and employees in cybersecurity, legal, and other functions.

• Microsoft hasn't shared details about the number of compromised email accounts or the accessed data, but it didn’t seem to affect customer environments, production systems, source codes, or AI systems.

Business Impact: 

• Microsoft business customers should be aware of the potential information leak through these compromised emails.

What to do:

• Microsoft enhances security and applies current standards to legacy systems and internal processes. Organizations should consider reviewing and strengthening their own cybersecurity practices to mitigate similar threats.

For more information, check out this article.

Share

2. Cyber scams and their surprising connection to human trafficking and Myanmar's civil war.

What happened:

• Rebel groups called the Three Brotherhood Alliance launched "Operation 1027" in Myanmar's northern Shan state, capturing military outposts and towns.

• These rebels aimed to overthrow the military government and eliminate telecom fraud and scam centers along the China-Myanmar border.

What to know:

• Southeast Asia has seen a rise in abducting people for internet scams, known as "pig butchering" scams.

• Criminal groups lure tech-savvy workers with fake tech jobs, forcing them into scam operations.

• China's political ties and economic interests in Myanmar have led it to crack down on these scam centers.

• China's involvement in Myanmar's civil war has created a complex situation where it may be playing both sides to ensure stability.

• The cyberscam industry is growing, possibly using AI, and targeting a wider range of victims.

Business Impact:

• Companies operating in Myanmar or with employees and customers there can face disruptions and risks due to the growth of conflict and cybercrime.

What to do:

• A comprehensive approach is needed to combat transnational crimes like fraud, cybercrime, human trafficking, money laundering, and corruption.

• As crime moves online, its ties to real-world conflicts persist.

For more information, check out this article.

3. Nearly 25 million new unique login credentials stolen from various websites

What happened:

• Troy Hunt, creator of "Have I Been Pwned," reported a huge password dump on the dark web containing nearly 71 million unique login credentials, with 25 million of which had never been leaked before.

What to know:

• The stolen data is collected in text files and images; each line consists of a login URL, its login name, and an associated stolen password.

• Many passwords in the dataset are weak and duplicated, making them more vulnerable to simple password dictionary attacks.

• The authenticity of the dataset was confirmed by contacting affected individuals.

What to do:

• Change passwords for affected accounts. Encourage employees to do the same.

• Use strong, unique passwords, activate two-factor authentication, and use passkeys for extra security. Encourage employees to do the same with personal accounts.

• Regularly check for breached credentials and take necessary steps to secure accounts and data. Consider using software to do that for your organization.

• If cryptocurrency is owned, consider transferring it to a different wallet not associated with that email address.

For more information, check out this article.

5. Kaspersky Research Created a Lightweight Method to Detect Potential iOS Malware

What happened:

• A lightweight method for detecting potential iOS malware like Pegasus is to analyze the "Shutdown.log" file stored in sysdiag archives on iOS devices. 

What to know:

• Pegasus is a spyware for eavesdropping on mobile phones and harvesting their data.

• Traditional methods for detecting iPhone infections are time-consuming or require expertise.

• Shutdown.log is a text-based log file created on mobile iOS devices that records reboot events and multiple environment characteristics. 

• Anomalies detected include excessive reboot delays (more than 4) and the presence of Pegasus malware indicators.

• Retrieving the Shutdown.log file is relatively straightforward from sysdiag archives, which are collections of system logs for debugging and troubleshooting.

Impact:

• This discovery can help businesses identify iPhone malware more efficiently, improving their device and data security.

• This method relies on the user rebooting the phone as often as possible.

For more information, check out this article.

5. SentinelOne Uncovers the Evolution of Undetected macOS InfoStealers | KeySteal, Atomic, and CherryPie

What Happened:

• Despite Apple's updates to macOS's XProtect signature database, infostealer families like KeySteal, Atomic InfoStealer, and CherryPie are still active and continue to evolve.

What to Know:

• Information stealer (or Infostealer) is a type of malware that gathers information like usernames and passwords from a system.

• Infostealers targeting macOS have been on the rise, with variants like Atomic Stealer, macOS MetaStealer, and RealStealer.

• Three active infostealers that are currently avoiding static signature detection.

  • KeySteal, initially noted in 2021, has undergone significant technical changes and steals Keychain information.

  • Atomic InfoStealer has multiple variants, avoids detection, and includes anti-analysis logic.

  • CherryPie, also known as Gary Stealer, is detected by Apple but not on VirusTotal in some cases and has cross-platform Windows/macOS capabilities.

Business Impact: 

• MacOS is vulnerable to attacks by various undetected infostealers, leading to data theft, privacy breaches, and potential damage to an organization's reputation.

• Relying solely on signature-based detection is not enough. 

• Companies using macOS need to take security more seriously and allocate a security budget to implement more comprehensive security measures on MACs, such as installing tools like Endpoint Detection & Response (EDR).

What to Do:

• Be vigilant about the persistent risk of undetected macOS InfoStealer and strengthen macOS security.

• Prioritize proactive threat detection, improve detection rules, and stay informed about evolving tactics.

For more information, check out this article.

6. Facebook Users are Monitored by Thousands of Companies

What happened: 

• Consumer Reports, a non-profit consumer watchdog, conducted a study with 709 volunteers, revealing that 186,892 companies shared data about them with Facebook.

What to know: 

• The study exposed massive surveillance and server-to-server tracking, including the Meta tracking pixels on websites. 

• On average, each participant in the study had their data sent to Facebook by 2,230 companies. Some panelists' had over 7,000 companies providing their data to Facebook.

• Data collection includes "events" and "custom audiences," tracking user interactions on websites and apps.

• Users can access the list of companies that sent their data to Facebook and choose to disconnect future sharing via this link.

Business Impact: 

• The scale of data collection and sharing raises concerns about user privacy and transparency in data practices.

• Users may stop using businesses that collect and sell their data.

• Increased demand for privacy could impact marketing data brokers.

• Facebook might also crack down on businesses, which could jeopardize your pixel tracking.

What to do: 

• Businesses using Meta pixel or data brokers should review data-sharing practices.

• Ensure user data privacy and compliance with regulations.

For more information, check out this article.

Share

7. Inside the $1 billion Walmart Gift Card Laundering Scheme

What happened:

• Scammers have duped consumers out of more than $1 billion by exploiting Walmart’s lax security. The company has resisted taking responsibility while breaking promises to regulators and skimping on training.

What to Know:

• Scammers used tactics like posing as IRS agents or creating fake online romances to trick victims into buying gift cards, then quickly transferring balances to other cards.

• Walmart had a financial incentive to avoid banning card-for-card purchases, as it earns millions in profit from gift card usage, commissions on other brands of cards purchased, and money transfer fees.

• Walmart continued to expand in financial services, acquiring One in 2022.

• Despite claims of anti-fraud efforts, Walmart's training and security measures fell short, leading to legal action.

• Technology like analytics and AI only capture a small fraction of fraud, and gift card theft remains an ongoing issue.

What to Do:

• Exercise caution

• Be aware of common scam tactics and report suspicious activities.

For more information, check out this article.

8. Critical GitLab vulnerability exposes 2FA-less users to account takeovers

What Happened:

• GitLab disclosed a critical vulnerability with a severity score of 10 in May 2023, which allowed users to issue password resets through a secondary email address.

• Multiple GitLab versions are affected and require patching.

• A second critical vulnerability allowed attackers to execute slash commands in Slack or Mattermost.

What to Know:

• Attackers can send password reset emails to unverified addresses.

• Users without two-factor authentication (2FA) are at risk of account takeover.

• All authentication methods are impacted, including some single sign-on (SSO) configurations.

• Administrators can disable password authentication for self-managed customers.

Business Impact:

• There is a significant risk of account takeover for GitLab users if your company is using GitLab or relies on vendors who use GitLab with sensitive data.

• Organizations using GitLab for DevOps may have valuable intellectual property and source code at stake.

• Depending on their function, organizations with custom apps and integrations that use slash commands could also leak sensitive data.

What to Do:

• Apply the latest security patches promptly.

• Enable two-factor authentication (2FA) for all accounts and ensure vendors using Gitlab are checked.

• Regularly monitor logs for signs of exploitation.

• GitLab has added new tests to validate the password reset logic to prevent similar vulnerabilities. 

For more information, check out this article.

9. GenAI could make KYC effectively useless

What happened:

• Recent viral posts on social media platforms showed how to use generative AI to manipulate ID images and pass KYC (Know Your Customer) tests.

What to know:

• KYC (Know Your Customer) is a process used by financial institutions and banks to verify the identity of their customers. It often involves ID images and cross-checked selfies to confirm a person's identity.

  • Generative AI (GenAI) tools like Stable Diffusion can be used to create synthetic renderings of a person against various backdrops, including ones that appear to hold an ID document.

  • Android apps running on desktop emulators and web apps can be tricked into accepting deepfaked images instead of live camera feeds.

  • Some platforms implement "liveness" checks but can still be bypassed.

  • Deepfaked images and videos may soon reach the point where they can fool human reviewers.

Business Impact: 

• KYC could become useless as a security measure. Attackers can create convincing deepfake ID images, potentially undermining the security of platforms that rely on KYC.

What to do: 

• Businesses must enhance security beyond KYC in response to the deepfake threat.

For more information, check out this article.

Share

10. FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data

What happened:

• X-Mode Social and its successor Outlogic are prohibited from selling sensitive location data due to the Federal Trade Commission (FTC) settlement.

• Allegations included selling location data linked to sensitive places without proper safeguards.

What to know:

• X-Mode & Outlogic collected location data associated with mobile advertising IDs and sold it to various clients in different industries.

• The company did not have policies to remove sensitive locations from the raw data it sold until May 2023, potentially exposing consumers to privacy violations and risks.

• Users were not fully informed about how their location data would be used.

• The company didn’t employ necessary technical safeguards and oversight to honor users’ opt-out requests.

• X-Mode provided information for marketing purposes about consumers who had visited certain medical facilities and pharmacies, violating the FTC Act's prohibition against unfair and deceptive practices.

Business Impact: 

• Businesses using location data should be aware of the FTC settlement, which restricts X-Mode & Outlogic from sharing certain sensitive location data and requires them to take various measures to protect consumer data. 

What to do: 

• If your company collects location data, you must create a program for sensitive location data, data deletion, supplier assessment, and privacy measures.

• Simplify consent withdrawal and data deletion for consumers.

• If there’s sensitive location data, ensure compliance with privacy regulations and standards to avoid potential legal issues.

For more information, check out this article.

1. WormGPT and FraudGPT Claim to Create Content Cybercriminals Can Use For Phishing Campaigns

2. Cybersecurity Executive Slams Microsoft’s Negligent Approach to Security

3. Teenage Hackers Make Millions Through SIM Swapping

4. AI Incident Database Collects and Analyzes AI Incidents

5. Canon Printers Pose Network Threat

6. Pentagon Investigates Second Breach in 3 Months

7. Chinese Advanced Persistent Threats Continue to Infiltrate US Infrastructure

8. Obscure Cloud Service Company Tied to Malicious Users

9. Hackers Access 16 Years Worth of Colorado Public School Data

10. Cyberattacks on Ukraine Play Huge Role in War

11. Vulnerabilities Abound in Chinese Input Keyboard

12. Secure Channel OSDP is Rendered Useless

1. WormGPT and FraudGPT Claim to Create Content Cybercriminals Can Use For Phishing Campaigns

What Happened:

Cybercriminals have created unique versions of language models like ChatGPT that help them create copy for their phishing and malware scams.

What to Know:

• Criminals on dark-web forums are posting about two large language models (LLMs) they’ve created, called WormGPT and FraudGPT, and are marketing them for illegal activities.

• It is unknown how legitimate these claims are with some experts thinking these claims themselves are an attempt at a scam.

• LLMs like OpenAI and ChatGPT have safety measures that stop misuse - these shady LLMs strip away these guardrails.

• The FBI and Europol have issued warnings that cybercriminals are using generative AI in their work that could help with fraud, impersonation, and other social engineering. For example, operators of pig butchering and romance scams often use generated text in their messages.

What to Do:

• Businesses should be hyper-vigilant and should consider conducting in-depth training with employees about the possibility of these advanced-level phishing campaigns.

• Implement AI detection tools that can detect and mitigate AI-generated content. With these tools, you’ll be able to identify and block suspicious activities

For more information, check out this article.

2. Cybersecurity Executive Slams Microsoft’s Negligent Approach to Security

What Happened:

Amit Yoran, CEO of cybersecurity firm Tenable, criticized Microsoft as “grossly irresponsible, if not blatantly negligent” for consistently failing to proactively and professionally address vulnerabilities in their products.

What to Know:

• Yoran’s company recently identified a critical vulnerability in a Microsoft Azure product that allowed them to, among other things, access a bank’s authentication secrets. It has been four months since the disclosure to Microsoft, and the vulnerability has still not been patched.

• Microsoft announced that no one else accessed the secrets besides the researchers at Tenable.

• Microsoft is under increased scrutiny after hackers based in China abused one of Microsoft’s products to steal the email messages of senior U.S. officials. The Cyber Security Review Board is currently investigating Microsoft’s role in the breach.

• Microsoft is also under fire for the so-called SolarWinds attack in which Russian state-sponsored hackers compromised computer networks in the federal government and private sector.

What to Do:

• Keep up to date with possible updates to Microsoft’s software. Since the company is so ingrained in online business infrastructure, you’ll likely be impacted by any updates or changes the company makes in response to this backlash.

Business Impact:

• Shares of Microsoft were down 1% on Friday morning in New York

For more information, check out this article and this one, too.

3. Teenage Hackers Make Millions Through SIM Swapping

What Happened:

Michael Terpin, a prominent crypto investor and marketer, fell victim to a SIM swap by teenage hackers looking for access to his cryptocurrency.

What to Know:

• “SIM Swapping” is when a criminal hijacks a user’s mobile number by getting their phone service providers to transfer the numbers to phones the attackers control. This can give a hacker a way into someone’s email, social media, and online storage accounts.

• The first attempt of a SIM Swap on Terpin was successful only in that hackers were able to get about $30,000 from friends of Terpin after impersonating him via messages. Following this, T-Mobile and AT&T informed Terpin that he would get a heightened level of security on their accounts and that no SIM swap could be made without a PIN. A second attempt was much more successful, and Terpin responded by suing AT&T for $224 million. The fall-out from this ended up being the most significant take on record for a SIM swap and was conducted entirely by teenagers.

• Last year the FBI received over 2000 SIM swapping complaints with losses totaling $71.6 million.

• Community, a group of teenage SIM swappers in the US, the UK, and Ireland, ultimately ended up being responsible for the theft form Terpin.

What to Do:

• Security experts recommend that users use a form of two-factor authentication that requires a code sent to an app rather than one text to a phone number to prevent SIM swapping. This way, even if a hacker has access to your phone messages, they won’t be able to complete two-factor authorization for entities like emails and banking.

• Consider asking your phone provider to increase the level of security on your accounts.

• Reduce the amount of sensitive information you’re putting through messaging apps like Telegram and email apps like Gmail.

For more information, check out this article.

4. AI Incident Database Collects and Analyzes AI Incidents

What Happened:

The AI Incident Database is an open-source, constantly evolving database for AI incidents.

What to Know:

• This repository of problems will be used by future researchers and developers to mitigate or avoid repeated bad outcomes.

• It is designed to provide information, structure, and perspectives on AI incidents.

Business Impact:

• This tool will be incredibly helpful for anyone in the AI industry and will work to promote a more ethical, responsible AI industry.

What to Do:

• If you experience an AI incident, you can submit it directly to the AI Incident Database.

• Read through submitted incidents to learn more about faulty AI and AI mishaps.

Check out the AI Incident Database here.

5. Canon Printers Pose Network Threat

What Happened:

Canon is warning that sensitive Wi-Fi settings don’t get wiped during resets so customers need to manually delete them before selling, discarding, or getting them repaired.

What to Know:

• Manual wiping of settings needs to occur whenever your printer will be in the hand of a third party.

• Malicious actors could use settings saved on this hardware to gain unauthorized access to a network that hosts or hosted a Canon printer.

What to Do:

• Make sure you manually wipe your settings before sending your Canon printer off to any third party. If you don’t use a Canon printer, check to see if these same precautions are necessary for your brand.

• If your business utilizes a printer connected to the network over Wi-Fi, a malicious actor could theoretically gain access to your network through the printer. Make sure to take necessary precautions before getting printers repaired or replaced.

For more information, check out this article.

6. Pentagon Investigates Second Breach in 3 Months

What Happened:

The compromise was made across several Air Force Facilities by a US Air Force engineer.

What to Know:

• The government was told that an Arnold Air Force Base (in Tennessee) employee had taken government radio technologies home. The equipment was worth around $90,000.

• It was found the employee had unauthorized administrator access to radio communications technology used by the Air Education and Training Command. The compromise affected 17 Department of Defense installations.

• There is evidence the suspect had possible access to communications of the FBI and various Tennessee state agencies.

• This comes just three months after another major breach of Pentagon security where Massachusetts Air National Guard member Jack Teixeira leaked classified documents related to the war in Ukraine on Discord.

For more information, check out this article.

7. Chinese Advanced Persistent Threats Continue to Infiltrate US Infrastructure

What Happened:

Chinese APTs (Advanced Persistent Threats), believed to be associated with the Chinese government, are actively infiltrating sensitive infrastructure in the US with the intention of establishing permanent presences.

What to Know:

• Three distinct reports highlight this threat:

  • Security firm Kaspersky reported on an advanced spying toolkit used by a group (Zirconium) to create a continuous data exfiltration channel within industrial infrastructure.

  • The New York Times reported on another Chinese Group (Volt Typhoon) that aimed to insert disruptive malware deep within critical infrastructure, possibly for use during potential conflicts.

  • Microsoft disclosed a breach involving its Azure and Exchange cloud services by a Chinese APT where hackers accessed inactive signing keys and forged tokens for authentication

• These Chinese efforts are all difficult to detect due to their sophistication and the dormant nature of their malware, which can remain hidden for long periods.

• Chinese reports label this propaganda.

What to Do:

• Keep up to date as more information comes to light. The US government is investigating the extent of the code’s presence in networks, as its scope is still not fully understood.

For more information, check out this article.

8. Obscure Cloud Service Companies Tied to Malicious Users

What Happened:

Cloudzy, an obscure cloud service company, has been providing state-sponsored hackers with internet services to spy on and extort their victims

What to Know:

• Researchers from cybersecurity firm Halcyon said Cloudzy had been leasing server space and reselling it to at least 17 different state-sponsored hacking groups from China, Russia, Iran, North Korea, India, Pakistan, and Vietnam.

• Cloudzy CEO says only 2% of his firm’s clients are malicious. Halcyon estimates that half of Cloudsy’s business was malicious.

• The bigger picture is that this is an example of how hackers and ransomware gangs use small firms operating at the fringes of cyberspace to enable big hacks.

For more information, check out this article.

9. Hackers Access 16 Years Worth of Colorado Public School Data

What Happened:

16 years of student information was accessed by a ransomware gang over the course of eight days this past June. Additional victims were certain cohorts of higher education students, recipients of General Education Development certificates, and teacher’s licenses.

What to Know:

• No ransomware gang has taken public credit and it is unknown whether a ransom was paid.

• Impacted records include names, SSNs, student ID numbers, and other records ranging from bank statements and bills to copies of government IDs parents use as proof of address.

What to Do:

• If you’ve gone to school in Colorado, check out the original article to see if you may have been included on the list of people who’s data was breached.

For more information and to see the list of affected people, check out this article.

10. Cyberattacks on Ukraine Play Huge Role in War

What Happened:

Victor Zhora, deputy chairman of the State Service of Special Communications and Information Protection of Ukraine, is working to catalog cyberwar crime evidence against Russian hackers targeting Ukraine.

What to Know:

• Cyberattacks have played a huge role in the war in Ukraine. Russian hackers have targeted satellite systems and used digital assaults to execute disinformation and psychological warfare campaigns; have carried out widespread hacking campaigns to conduct cyber-espionage, surveil Ukrainians, and spread propaganda; and have conducted other digital assaults.

• Each day, Ukraine faces up to 10 cyberattacks. Since the beginning of the invasion, they’ve registered around 3000 major cyber incidents.

• Ukraine considers the first strike in cyberwar to have been made on January 14 when around 70 governmental websites were attacked by Russia-affiliated actors.

• Global IT providers have offered software, hardware, cloud infrastructures, consultancy, and threat intelligence to Ukraine.

For more information, check out this article.

11. Vulnerabilities Abound in Chinese Input Keyboard

What Happened:

There has been a lot of effort analyzing, documenting, and responsibly disclosing vulnerabilities concerning the insecure transmission of sensitive data in Chinese-developed apps. A specific study showed how Tencent’s Sogou Input Method, the most popular Chinese input method in China, has vulnerabilities decipherable by a network eavesdropper, revealing what users are typing as they type.

What to Know:

• This ecosystem remains problematic as these apps fail to adopt practices to secure the sensitive data which they transmits.

• Sogou Input Method, an app with around 450 million users, failed to properly secure the transmission of sensitive data.

What to Do:

• Reconsider using this type of input keyboard.

• Don’t ever use messaging or input apps that don’t implement any type of well-known encryption.

To see the complete study, click here.

11. Secure Channel OSDP is Rendered Useless

What Happened:

Secure Channel is a next-gen protocol that was designed to prevent the hacking of access control systems used at secure facilities on US military bases and buildings belonging to federal, state, and local governments and private organizations. Recently, researchers discovered a suit of vulnerabilities.

What to Know:

• Open Supervised Device Protocol (OSDP) was developed as a security standard after an attack demonstrated at the Black Hat security conference in 2008 on a device called Gecko. Gecko exploited weaknesses that allowed attackers to create spoof cards for unauthorized entry. To address these vulnerabilities, the industry introduced OSDP with a Secure Channel that encrypted communication.

• Recent research shows that OSDP is still very vulnerable. Vulnerabilities include the inability to enforce encryption, weak key management, and a flawed key exchange process.

• Despite efforts to improve security, OSDP remains compromised with vulnerabilities that can lead to unauthorized access of buildings and data breaches.

For more information, check out this article.

1. 700,000 TikTok Accounts in Turkey Compromised

2. Ongoing Repercussions from MOVEit Hack Bring Up Software Supply Chain Concerns

3. “Fourth Amendment is Not For Sale Act” Works to Protect Data From Law Enforcement

4. Stalkerware App Made Millions by Forging Identities

5. VirusTotal Apologizes for Human Error-Driven Data Exposure

6. Typo Leads to Continuing Military Data Leak

7. Dutch Patient Data at Risk for Data Leakage

8. Amazon Van Surveillance Camera Footage Ending Up On Reddit

9. IT Firm JumpCloud Experiences Security Breach by Unnamed Nation-State

10. Biden-Harris Administration Proposes “U.S. Cyber Trust Mark'“

1. 700,000 TikTok Accounts in Turkey Compromised

What Happened:

Weeks before the presidential election in Turkey, around 700,000 TikTok accounts in Turkey had their private information and control compromised

What To Know:

• The vulnerability came from TikTok’s “grey routing” of SMS messages through insecure channels during an account verification step

• Grey routing of a message is when a message bypasses international messaging laws and fees and travels through illegal channels before reaching its destination. Companies do this to keep down costs and avoid guardrails.

• Prior to the breach, TikTok was warned by the U.K.’s National Cyber Security Centre that this practice posed cybersecurity threats

• This is the largest company-confirmed compromise of TikTok

• This comes at a time when TikTok and parent company ByteDance have been facing increased scrutiny for shaky security practices

Business Impact:

Companies utilizing grey routing should be wary of the cybersecurity threats inherent to this practice and consider alternate modes of account verification

What to Do:

• In response, TikTok introduced passkeys so users could log into their accounts without using an SMS code. Users of TikTok should consider opting out of SMS verifications for their accounts

For more information, check out this article.

2. Ongoing Repercussions from MOVEit Hack Bring Up Software Supply Chain Concerns

What Happened:

The CIOp extortion group responsible for the MOVEit hack continues to post the names of hundreds of companies, state and local governments, universities, and other organizations on its dark web leak site with an extortion threat to leak data of named victims if payment demands are not made.

What to Know:

• The breach initially occurred in May and there are no signs of a slow down in reported incidents.

• With about 369 organizations confirmed to be affected by the breach, this is the most widespread file transfer hack ever recorded. Most of the victims are direct Progress Software customers or entities that purchased or used its file transfer service.

• There are at least 73,000 entities that tech-solution company Exiger is “moderately confident” could inadvertently have exposed their data to theft in the hack due to relationships with third-party providers

What to Do:

• Reconsider the avenue through which you transfer files for your business and double check for safety and security of data transfer

• Users of Progress Software are especially vulnerable and should consult a cybersecurity expert to see if they are victims of a data leak

• Consider software supply chain vulnerabilities that your business may face

• Many of the victims don’t use MOVEit Transfer, but they send their data to third-party providers who do. Consider who your third-, fourth-, or fifth-party providers may be and understand how they handle the data you may be sending them.

  For more information, check out this article.

3. “Fourth Amendment is Not For Sale Act” Works to Protect Data From Law Enforcement

What Happened:

The House Judiciary Committee advanced the “Fourth Amendment is Not for Sale Act,” legislation that will prevent data brokers from selling consumer data to government agencies.

What to Know:

• Proponents of the legislation argue that purchases of data by government agencies breach the Fourth Amendment. Such purchases allow law enforcement to bypass the judicial system’s requirement for a warrant

• Without this ruling, information like location and internet records can be purchased directly from data brokers. This allows law enforcement to evade the warrant process required to get the same information from phone companies directly

• With bipartisan support, this ruling suggests both sides agree that law enforcement’s access to digital data needs to be regulated

What to Do:

• Keep an eye out as this continues to move forward. Eventually, the bill might be included in a bigger surveillance reform package

For more information, check out this article.

4. Stalkerware App Made Millions by Forging Identities

What Happened:

TheTruthSpy, a collection of Android “stalkerware” surveillance apps, has compromised hundreds of thousands of phones.

What to Know:

• Vietnam-based startup 1Byte is behind the development of TheTruthSpy. To go under the radar, 1Byte devised a network of fake identities with forged American passports to cash out customer payments into bank accounts that at the surface level looked like accounts owned by Americans but that 1Byte actually owned. That way, the fake sellers would take the fall if the operation was discovered by authorities. Through an intricate system of fake identities, 1Byte made millions.

• TheTruthSpy’s database contains a record of close to 400,000 victims

• 1Byte faced constant difficulty in finding a way to process payments and eventually built its own checkout website called Affiligate which quickly began handling the majority of customer payments for TheTruthSpy and other cloned apps. It was designed to look and feel like a legitimate software reseller marketplace to outsiders while acting as a payment processor for 1Byte’s stalkerware products. However, Affiligate still needed to rely on an outside company for credit card payments and eventually use Stripe to process them at scale.

• 1Byte’s forgeries were impressive: passports, driver licenses, and proof of U.S. residency were forged; email addresses were used to establish merchant accounts; burner phone numbers were acquired. A deeper dive shows that some of the home addresses 1Byte listed for its employees don’t exist; some SSNs belong to deceased persons; and forged government documents contain typos

• 1Byte hosted the phone data in Texas web hosting data centers

• Stalkerware developers and companies are notoriously susceptible to hacks

What to Do:

• TechCrunch created a free tool that allows anyone to check if their phone has been compromised: https://techcrunch.com/pages/thetruthspy-investigation/. Consider checking your devices

  For more information, check out this article.

5. VirusTotal Apologizes for Human Error-Driven Data Exposure

What Happened:

VirusTotal issued an apology for the recent customer data exposure incident. The incident was due to human error and not related to a cyberattack.

What to Know:

• An employee accidentally uploaded a file containing information about customers (including names of companies, associated VirusTotal group names, and email addresses of group admin) to the VirusTotal platform. It was removed within one hour of its posting.

• The file was only accessible to partners and cybersecurity analysts who hold premium accounts. No anonymous user or malicious entity would have had access to the premium platform and thus would have been able to leak the data.

Business Impact:

• Businesses should take this as a reminder to regularly schedule training sessions with employees in order to mitigate opportunities for human error driven data spills

What to Do:

• Consider implementing internal processes and technical controls to improve security of customer data

• Restrict employee access to customer data to those employee for whom it is essential to their role

To view the apology, click here.

6. Typo Leads to Continuing Military Data Leak

What Happened:

Millions of US military emails have been misdirected to Mali through a “typo leak.”

What to Know:

• The suffix to all US military email addresses is .MIL; however, it is commonly misspelled as the country identifier for Mali, .ML, and as a result emails are sent to that domain instead of the military domain. The problem was first identified about a decade ago.

• Highly sensitive information like diplomatic documents, tax returns, passwords, and travel details of top officers have been breached. Additional email contents include things like medical data, crew lists for ships, photos of bases, naval inspection reports, bullying investigations, and financial records. None of the information was marked classified.

• Mali’s government is closely allied with Russia

  For more information, check out this article.

  ---

7. Dutch Patient Data at Risk for Data Leakage

What Happened:

Dutch family doctor medical records are stored on servers owned by a commercial software company without some patients’ knowledge.

What to Know:

• Canadian-owned software company Calculus allows doctors to share encrypted patient information with other doctors in the region which can help facilitate treatment for certain patients. The problem is that some doctors are claiming that all patient files are being copied, not just those necessary

• There is a risk of a massive data leak because Calculus is storing too much data in one place

8. Amazon Van Surveillance Camera Footage Ending Up On Reddit

What Happened:

Anonymous reddit users have been posting video footage from in-van cameras that Amazon uses to monitor drivers to the subreddit r/AmazonDSPDrivers.

What to Know:

• Amazon delivery service partners (DSP) are small-business contractors responsible for Amazon’s door-to-door deliveries. They select routes, dispatch drivers, and monitor their actions on the road with cameras

• Amazon drivers have to sign a “biometric consent” form that allows them to be monitored while on the job

• It isn’t clear who exactly is posting these videos or how they have access, but they seem to be DSP employees who have access to the camera stream

• The cameras Amazon use are AI-enabled to monitor drivers’ speed, location, and actions on the road

Business Impact:

Employees are becoming ever-more concerned with data breaches at the hands of their parent companies and may become less willing to work for companies that violate their privacy.

What to Do:

• If you’re a business owner, make sure your employees are aware of their privacy rights and of company data protection policies.

• To prevent similar leakages to DSP, consider scheduling regular training sessions with employees about the importance of protected company data

For more information, check out this article.

9. IT Firm JumpCloud Experiences Security Breach by Unnamed Nation-State

What Happened:

Cloud-based IT management service JumpCloud experienced a security breach beginning on June 22nd and discovered on June 27th.

What to Know:

• The breach was done by hackers working for a nation-state and started as a spear-phishing campaign

• A spear-phishing campaign aims malicious emails at specific individuals or organizations in order to steal sensitive information or infect a device with malware

• JumpCloud implemented its incidence response plan, rotated account credentials, and rebuilt systems

• The attack was targeted and limited to specific customers

What to Do:

• Have an incident response plan in place in the event of a breach and consider working with an incident response partner to analyze systems and logs for suspicious activity

• Post-investigation, JumpCloud created a list of malicious IP addresses and hashes to block and avoid at all costs in order to add protection to your Endpoint Detection and Response and perimeter security solutions. If you utilize these workflows, access the list and further secure your business environment here.

• Consider increased training sessions for employees centered on phishing attacks

To learn more, check out this article.

10. Biden-Harris Administration Proposes “U.S. Cyber Trust Mark“

What Happened:

The U.S. Cyber Trust Mark program will raise the bar for cybersecurity across common devices and help Americans more easily choose smart devices that are safer and less vulnerable to cyberattacks.

What to Know:

• Under the new program consumers would see a new “U.S. Cyber Trust Mark” applied to products that meet established cybersecurity criteria. Criteria include things like requirements for unique and strong default passwords, data protection, software updates, and incident detection capabilities

• The program is voluntary and has received support from companies like Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech, and Samsung

Business Impact:

• If passed, this will likely increase the standard to which smart technology is held and will make it easier for consumers to compare and rank product-security across brands before purchase. In response, it’s likely that businesses supplying these products will need to increase security process transparency and maintain high levels of security in order to meet what may become an industry norm of receiving this U.S. Cyber Trust Mark on their products

• This would make it much easier for consumers to seek and feel confident about products that meet at least a baseline level of security

• This would be beneficial for businesses selling smart devices as it helps customers to differentiate between trustworthy products on the market

What to Do:

• As a next step the FCC is expected to seek public comment, Keep up to date on the program as opinions are shared and as development continues

For more information, check out this White House briefing.

1. Microsoft Forces Changes to Web Links in Outlook and Teams

2. Federal Trade Commission Accuses Meta of Data Privacy Settlement Breach

3. Numerous Public Salesforce Sites Exposing Private Information

4. DHS Pursues Legislation to Codify the Cyber Safety Review Board

5. Home-Care Provider That Violated Breach Notification Rules Owes Millions in Settlement

6. Videos, Photos, and Employee Interviews Reveal Security Vulnerabilities at TikTok Data Centers in Virginia 

7. Lead Singer of Smashing Pumpkins Paid Ransom to Hacker to Prevent Leak of New Album

8. Hacked Facebook Pages are Impersonating Major Tech Companies, Purchasing Ads and Distributing Suspicious Download Links

9. FCC Proposes to Integrate Satellite and Cellular Communications

10. U.S. Emerging Technology Standards

11. Merck’s Victory Serves As A Major Win For Cyber Security Insurance Policy Holders

1. Microsoft Forces Changes to Web Links Work in Outlook and Teams

What Happened:

Microsoft has announced that a new change will coerce Outlook and Teams users to use its Edge browser for all web links. When a link is clicked, default browser choices will be ignored, and the user will be forced into Edge.

What To Know:

• The change will take effect on June 15th, and will affect both Windows and Mac users.

• Microsoft is hoping that this will make Edge the go-to browser.

• This will likely cause issues for IT teams and employees who may be confused about why Edge is opening links.

• Some websites may not be optimized for Edge and, therefore, not load properly.

What to Do:

Make sure your IT & Security teams are aware of this change and plan for any user support issues that might come up.

Business Impact:

This new change is part of Microsoft’s larger plan to increase the use of Edge across its services. It is being marketed as a larger effort to increase the security of its users. They’re trying to position the Edge browser as being designed to be more secure than other browsers.

For more information, check out this article. 

2. Federal Trade Commission Accuses Meta of Data Privacy Settlement Breach

What’s Happening: 

• The Federal Trade Commission is accusing Meta of failing to comply with its $5 billion data privacy settlement from 2020. The main concern is that Facebook is giving app developers access to private user information, especially that of users under 18.

What to Know:

• Meta is being accused of:

1. Misleading parents about their ability to control who their children communicate with on the Facebook Messenger app

2. Misrepresenting the access it provided to app developers in violation of two previous FTC orders

• The FTC is looking to stop the launch of any new Meta projects without confirmation that the privacy program is in compliance 

• The FTC is proposing a ban on Meta profiting from the data it collects from users under 18 and wants to add additional protective measures to facial recognition technology.

What Happens Next: 

• Meta has 30 days to respond to allegations 

• If Meta acts in favor of the FTC, Meta would only be able to collect data for security purposes and would be prohibited from profiting off of the information even after users turn 18.

Business Impact: 

• Since the FTC is looking to halt the launch of any new products or services by Meta, this could disrupt Meta’s business operations and could thus have implications for businesses associated with Meta and its platforms. 

• Serves as a reminder for businesses to prioritize user privacy and implement robust privacy programs with the knowledge that failure to do so can result in significant penalties. Businesses operating in the digital space should monitor developments and ensure compliance with evolving privacy regulations.

For more information, check out this article.

3. Numerous Public Salesforce Sites Exposing Private Information

What’s Happening: 

A huge number of organizations have unknowingly been leaking private and sensitive information from their Salesforce Community websites due to a misconfiguration within the Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in.

What to Know: 

• The mistake occurs when Salesforce administrators grant guest user access to internal resources.

• Sites granted guest access to sensitive data like names, Social Security numbers, addresses, phone numbers, and bank account numbers.

• The misconfigurations were often the result of rapid site deployment during the pandemic, which bypassed normal security review processes.

What To Do:

• If your business utilizes a Salesforce Community website, make it a priority to identify if any of the pages are misconfigured to make sure you’re not leaking private information.

• If your business utilizes a website created rapidly in response to the pandemic, take the time now to double-check safety protocols and conduct a formal security review process.

For more information, check out this article. 

4. DHS Pursues Legislation to Codify the Cyber Safety Review Board

What’s Happening: 

• The Department of Homeland Security is collaborating with Congress and the White House to develop legislation that would establish the Cyber Safety Review Board as a formal entity with authorized funding and subpoena power. 

• The CSRB would be responsible for investigating significant cybersecurity incidents and making recommendations.

What to Know: 

• If the legislative proposal is approved, it would give the foundation for more resources and subpoena power.

• If passed, the CSRB would become a formal entity for examining significant cybersecurity incidents and grant the board subpoena power. Legal framework and additional resources would be added to the CSRB, enhancing its ability to continue working towards cybersecurity at a large scale. 

Impact on Businesses If Legislation is Passed:

• Business owners may face increased accountability for their cybersecurity practices and incident responses as the CSRB evaluates major cybersecurity incidents and makes recommendations to remediate them.

• It may introduce new compliance requirements for businesses.

• Since the CSRB’s work involves gathering information about cybersecurity incidents there may be increased information sharing between businesses and the board. Sensitive information related to cybersecurity incidents may be requested to facilitate investigations. 

What to do: 

• Executives should stay current on the changing status of the CSRB. If legislation is passed, companies may need to stay updated with the board’s findings and recommendations to align their security measures with evolving standards

For more information, check out this article. 

5. Home-Care Provider That Violated Breach Notification Rules Owes Millions in Settlement

What’s Happening: 

• Home-care service provider SuperCare reached a multi-million dollar settlement with over 318,000 patients impacted by a 2021 systems hack.

What to Know:

• Hackers accessed personal data for a large group of patients and even accessed social security and driver’s license numbers for others.

• The breach notice wasn’t issued until eight months following the incident.

• SuperCare was claimed to have an inadequate security program that was responsible for the attack and that violated the Federal Trade Commission and The Health Insurance Portability and Accountability Act regulations in the process.

How to Prevent an Attack Like This: 

• To prevent a similar attack, businesses can conduct penetration testing and risk assessments to adjust and strengthen their existing cyber security protocols.

• Update soft authentication for a multi-factor authentication tool 

• Implement a cloud-based identity and access management system

• Update end-user cybersecurity awareness training

Business Impact: 

• Executives responsible for confidential client information should make enhancements to cybersecurity so they don’t find themselves with an inadequate security program like SuperCare.

For more information, check out this article.

6. Videos, Photos, and Employee Interviews Reveal Security Vulnerabilities at TikTok Data Centers in Virginia 

What’s Happening:

• As a result of TikTok trying to quickly grow data storage capacity, corners have been cut along the way.

• Evidence suggests that TikTok data operations are still intertwined with ByteDance’s business in China.

What to Know: 

• Security vulnerabilities include unmarked flash drives plugged into servers and unescorted visitors to boxes of hard drives left unattended in hallways

• TikTok has proposed a project in which it would remove private U.S. data from the Virginia servers and isolate them in Texas-based data centers. Additionally, TikTok plans to delete private posts, DMs, and other U.S. user data from the servers before the end of 2023.

What to do: 

• Don’t allow security to take a backseat within your organization.

• If your business utilizes a data center, conduct research about the efficacy of the center and ask direct questions to determine the security vulnerabilities that may be present.

Business Takeaway: 

• Executives should ensure that security protocols are up-to-date and that employees are undergoing the training necessary to prevent data breaches and vulnerabilities being seen at TikTok.

For more information, check out this article.

7. Lead Singer of Smashing Pumpkins Paid Ransom to Hacker to Prevent Leak of New Album

What’s Happening:

• Billy Corgan, the lead singer of the band Smashing Pumpkins, paid ransom to a hacker to prevent nine new songs from being leaked.

What to Know: 

• The FBI got involved in helping trace the hacker.

• The money came from Corgan’s personal finances.

• Corgan claims that the hacker has other leaks in their possession from other notable musicians.

What to Do:

• Re-evaluate safety protocols for online databases and implement heightened security to protect data and online files.

• Do not transfer files through mediums that can be easily breached: choose platforms or tools that offer end-to-end encryption, access controls, and user authentications to ensure file transmission.

• Use encryption methods to protect files during transmission to ensure data will be unreadable to unauthorized individuals.

• Utilize a secure file transfer protocol to employ encryption and provide stronger authentication mechanisms.

• Enforce strong password policies for file transfers.

• Implement data loss prevention solutions to detect and prevent unauthorized transfer of sensitive data.

Business Impact:

• Businesses for whom transferring data and files with third parties is inherent to operation should re-evaluate modes of transmission and storage and stay up to date on the newest cybersecurity measures.

For more information, check out this article. 

8. Hacked Facebook Pages are Impersonating Major Tech Companies, Purchasing Ads and Distributing Suspicious Download Links

What’s Happening: 

• Hacked and verified Facebook pages are posing as Meta, among other major tech companies, and using the Meta platform to purchase ads and spread harmful download links.

• These hacked pages exploit the trust associated with verified accounts to deceive advertisers.

What to Know: 

• Threats are mostly malware-related

What to do: 

• Executives should remind employees not to use personal social media accounts on company hardware in an effort to reduce opportunities for this type of attack.

• For businesses utilizing Facebook ads, be wary of verified accounts impersonating Meta that ask you to download new tools relating to their ad services.

• Check the history of name changes for verified accounts before clicking links from what appears to be a verified account.

Business Impact: 

• Businesses that use Facebook and Meta as an advertising platform should realize people are becoming increasingly wary of the authenticity and legitimacy of verified accounts and ads on the platform. 

• Businesses that fall victim to these fraudulent ads may incur financial losses that waste advertising budgets.

• Fraudulent ads may not reach the intended target audience and will undermine the effectiveness of advertising campaigns.

• Businesses may need to reevaluate security measures regarding advertising and explore other avenues for future advertisements other than social media.

For more information, check out this article.

9. FCC Proposes to Integrate Satellite and Cellular Communications

What’s Happening:

• The FCC has proposed to integrate satellite and cellular communications in such a way that would allow smartphones to communicate through either a cell tower or a satellite

• Recent technological innovations have finally made it cost-effective to merge these technologies

• About a dozen companies have announced interest in getting involved

What to Know:

• Up to this point, cell towers and satellites have been in separate regulatory environments

• People would be able to pay extra to access “satcom” to use when no cell service is available

• This merging could lead to eventual global access to seamless communication

• Sat-coms have a history of being internationally coordinated, and new regulations and international discussions would be needed to determine regulations for this new technology

What to do: 

• Businesses should stay updated on developments and monitor industry news

• Evaluate specific business needs and determine how satellite and cellular integration can address challenges or open up new opportunities

• Consider initiating pilot projects or proof-of-concept trials to test this integration in a controlled environment

Business Impact: 

• This has the potential to change how people engage in every single online activity 

• Partnerships between satellite operators, smartphone manufacturers, cellcom carriers, and new entrepreneurs emerging in this space will become much more common, so businesses in this environment should begin to consider how the introduction of this new technology could impact operations 

• With the potential to provide businesses with enhanced connectivity options, businesses could greatly benefit from improved connectivity in remote or underserved areas. Further, businesses could extend their reach on a global scale 

• Businesses can leverage merged networks to enhance connectivity, improve data collection and enable real-time monitoring and control

• In the event of natural disasters or network outages, satellite connectivity can serve as an alternative option ensuring uninterrupted business communications

For more information, check out this article. 

10. U.S. Emerging Technology Standards

What’s Happening: 

• The U.S. government released a standards strategy for critical and emerging technology (CET) spaces that will strengthen national economic and national security

What to Know:

• The U.S. wants to ensure that CET are developed and deployed in ways that benefit the U.S. while influencing international standards

• Competitors are seeking to influence international standards development to advance military-industrial policies and autocratic objectives by tilting what should be a neutral playing field to their own advantage

What to Do:

• Stay up to date with standards relating to quantum information technologies in order to protect your business from potential cybersecurity threats relating to quantum technologies

• Stay up to date with national cybersecurity and privacy standards as well 

Business Impact: 

• Part of the strategy is to educate and empower the domestic workforce: taking part in engagement opportunities can help you stay up to date on CET standards that can help you keep data protected

• Businesses that operate globally could potentially encounter challenges due to different standards across countries

To access the full strategy, see here. 

11. Merck’s Victory Serves As A Major Win For Cyber Security Insurance Policy Holders

What’s Happening:

A New Jersey appellate court has upheld a ruling in favor of Merck, a pharmaceutical company, in a legal battle with its insurance carrier, Ace American Insurance. The court found that Ace American Insurance must help cover the losses suffered by Merck during the 2017 global Notpetya cyberattack. The court determined that the cyberattack was not “hostile or warlike” as required by the exclusion clauses of Merck’s insurance policy, and therefore, coverage could not be excluded.

What to know: 

• Merck suffered significant losses during the NotPetya cyberattack, including production disruptions, manufacturing outages, third-party cyber firm fees, and the cost of replacing impacted systems. More than 40,000 machines in the network were infected, and losses to production disruptions totaled an estimated $1.4 billion. 

• The insurance policy held by Merck had an exclusion clause for “Acts of War,” but the company argued that the exclusion did not apply as a nation-state attack did not cause the cyberattack.

What to do: 

• Policyholders can take note of this case as a win for seeking insurance coverage for cyberattack-related losses. 

• Business owners should review existing insurance policies and fully understand the scope and interpretation of exclusion clauses. 

Business Impact:

• The court’s decision sets a precedent and provides clarity for policyholders seeking coverage for losses resulting from cyberattacks. 

• Reinforces the need for insurance companies to interpret exclusion clauses and resolve ambiguities

• Serves as a reminder for businesses to review insurance policies and discuss cyber coverage 

For more information, check out this article. 

The cybersecurity media often goes too broad or dives too deep into a topic to be useful for business leaders. My goal is for this monthly briefing to become a reliable companion as you navigate corporate information security.

Subscribe now to lock in a free subscription.

Subscribe now