Here is our latest roundup of news about digital security in our connected world. Click here to see the whole series.
IoT
- by August 2023, which surprised customers and industry specialists. A year to transition seems like a generous runway, but why the change now, and are they doing the right thing? Learn more in this blog post. Additionally, Google IoT Core customers searching for alternatives should consider for Connected Devices.
Vulnerabilities
- for its npm software packages to protect its open-source registry. The move comes after vulnerabilities like Log4Shell raised concerns that there is no guarantee that open source packages on npm are built from the same source code that’s published. Code signing builds will authenticate where the software came from, adding another layer of digital trust.
Malware
- , which comes from the same threat actors as the SolarWinds attack that would enable authentication as anyone. MagicWeb is an evolution of malware FoggyWeb, except that MagicWeb is a backdoored version of “Microsoft.IdentityServer.Diagnostics.dll” which hackers replaced, allowing them to perform a variety of functions, including forcing applications to accept a non-valid client certificate as valid.
- At the Black Hat conference, including Shlayer, NetSupport RAT and SHARPEXT malware, attributed to North Korean attackers. However, researchers expected there to be even more malware, given the 20,000 attendees including cybersecurity researchers and security employees present at the conference.
Data breaches
- in an attempt to steal source code. that the attack came through a compromised developer account but claims that no customer data or passwords were compromised, but the threat actors did steal portions of their source code.
- and attackers may have had access to total control of the facility. The incident highlights how vulnerable the water sector is to data breaches, and the potential damage that could be caused in that sector. In this environment, the .
- . The attacker gained access to Cisco’s network through an employee’s personal Google account, because they had saved passwords stored in the browser. The employee did have MFA enabled, but the attacker was able to use voice phishing attacks to get the victim to accept a push notification, granting the threat actor access. The threat was removed but continued to try to regain access for weeks after the incident, although unsuccessful.
- CapitalOne will pay to customers as part of a data breach settlement. The data breach occurred in March 2019 and affected over 100 million customers. The plaintiffs claimed that CapitalOne was aware of security vulnerabilities but failed to take steps to protect customers.
- The same in early August also targeted and over 100 other organizations. The attackers breached Twilio by using SMShing to trick some employees into handing over corporate login credentials. The attackers seemed to target companies using Okta for a single sign-on.
Government standards
- into law in early August. The legislation will provide billions in incentives to CHIP manufacturers and will fund public research to help boost the United States’ competitive edge and solve supply chain issues. “The United States must lead the world in the production of these advanced chips. This law will do exactly that,” Biden said. As CHIP manufacturers move operations to the United States, they should partner with a trusted, compliant leader in digital trust capable of helping them inject trust into their silicon and manage such trust at any stage in the product lifecycle.
- The (H.R. 3962), which would set federal standards to allow notaries in all states to perform remote online notarization transactions. The bill also allows a notary public to remotely notarize electronic records involving an individual located outside of the United States. It uses e-signatures as defined in the U.S. e-Sign Act. The legislation will now be considered by the Senate, where companion legislation (S.1625) has been introduced.
Ransomware
- In mid-August, from the Quantum group. Quantum demanded over $600k in ransom, claiming they had stolen over 1TB of data.
- , causing the hospital to postpone surgeries and refer patients elsewhere. The attack blocked hospital staff from accessing the business software, storage systems and patient information. The threat group hasn’t been confirmed, but they demanded $10 million for a decryption key so the hospital can resume normal operations.
Quantum
- , named Qian Shi. Qian Shi has 10 qubits of power and will offer service available to the public for use without needing their own quantum hardware or systems, so that the public can access quantum computing even on their smartphones.
- urging leaders to prepare for quantum computing risks now, and not to wait until quantum computing is commercially available. “Do not wait until the quantum computers are in use by our adversaries to act," the CISA warned.