Endpoint Security , Incident & Breach Response , Internet of Things Security
Breach Roundup: US FCC Authorizes IoT Cybersecurity Label
Also: Catching Up With Spain's Most Dangerous Hacker
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, the FCC OK'd cybersecurity labeling, DarkGate exploited Google ad tech, Fortinet patched a bug, cyberattacks hit the French government and employment agencies, Google restricted its Gemini AI chatbot and paid out bug bounties, Microsoft had Patch Tuesday, MarineMax was attacked, and Alcasec moved on.
US FCC Authorizes IoT Cybersecurity Label
The U.S. Federal Communications Commission voted unanimously Thursday to authorize a voluntary cybersecurity labeling program for internet of things devices. The program, which will initially focus on wireless consumer products such as smart speakers and doorbells, will allow qualifying products to display the U.S. Cyber Trust Mark and a QR code linking to a product registry. Qualifying products will undergo a two-step process that starts with testing by an accredited lab, which may be a manufacturer's in-house lab or a third-party lab. The agency said it decided not to allow outright self-attestation but that testing by in-house labs "will mitigate the additional process associated with certification."
The agency adopted guidelines developed by the National Institute of Standards and Technology as the baseline against which to measure products. The guidelines are "based on product-focused cybersecurity capabilities (also referred to by NIST as 'Outcomes') rather than specific requirements, which NIST asserts provide the flexibility needed due to the diverse marketplace of IoT products, and we agree," the FCC said.
The second step is applying to "cybersecurity labeling administrators" designated by the FCC as being responsible for reviewing and approving - or denying - applications.
The agency may expand the program by requiring disclosure of elements such as whether software or firmware for a product is developed or deployed by a company located in a country that presents national security concerns and whether customer data collected by the product will be sent to servers located in such a country.
DarkGate Malware Operators Exploit Google Ad Tech
The DarkGate malware-as-a-service operation has been using fake software installers and open redirects in a phishing campaign that uses a now-patched Windows zero-day to infect computers, said Trend Micro.
The operation - recently spotted ramping up advertising on Russian-language criminal forums - in mid-January started using a Microsoft Windows SmartScreen bypass tracked as CVE-2024-21412. Hackers used PDFs containing open redirects built with Google DoubleClick Digital Marketing tools to goad victims into downloading malicious files. The threat actor "deployed an open redirect from the doubleclick.net domain" to a malicious server, so the link a victim saw began with a trusted Google host.
"We have seen an increase in the abuse of the Google Ads ecosystem to deliver malicious software in the past," Trend Micro said. Windows tags downloaded files with a "Mark of the Web" so that SmartScreen warns users against opening content that could be malicious, but the threat actors were able to bypass that protection using the now-patched CVE-2024-21412 flaw.
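The lure described above relies on a legitimate domain whose redirect endpoint forwards the browser to an attacker-controlled host. The following Python script is an added example, not code from Trend Micro or from the original article: it scans a batch of links for that pattern by pulling fully qualified URLs out of each link's query string, fragment or path and flagging any whose registrable domain differs from the outer host. The sample links are constructed for the demonstration and are not the actual DarkGate lures, the redirector list is an assumption for the demo, and the eTLD+1 logic is deliberately crude (use a public-suffix-list library in production).

```python
"""Flag links whose redirector hands the browser off to a different domain.

Added example, not the page's or Trend Micro's code. SAMPLE_LINKS below are
constructed for illustration and are not the real DarkGate URLs.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption for the demo: ad/click-tracking domains whose redirect endpoints
# are commonly abused. Extend with whatever your telemetry shows.
KNOWN_REDIRECTORS = {"doubleclick.net", "googleadservices.com"}

# A fully qualified http(s) URL embedded inside some other text.
_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for a demo; use a PSL library in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def embedded_urls(url: str) -> list[str]:
    """Return fully qualified URLs carried inside the query, fragment or path of `url`.

    Each query pair is inspected as key and value separately: DoubleClick-style
    click URLs put the destination straight after '?', so it lands in the key.
    unquote() is applied once more to catch double-encoded destinations.
    """
    parts = urlsplit(url)
    found: list[str] = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        for blob in (key, value):
            found += _URL_RE.findall(unquote(blob))
    for blob in (parts.fragment, parts.path):
        found += _URL_RE.findall(unquote(blob))
    return found


def analyze(url: str) -> dict:
    """Classify one link: which host the user sees, and where it really sends them."""
    outer = urlsplit(url)
    outer_host = outer.hostname or ""
    outer_dom = _registrable(outer_host)
    external = [
        target
        for target in embedded_urls(url)
        if _registrable(urlsplit(target).hostname or "") != outer_dom
    ]
    return {
        "url": url,
        "redirector": outer_host,
        "external_targets": external,
        # A hand-off to a different registrable domain is the open-redirect signature.
        "suspicious": bool(external),
        "known_redirector": outer_dom in KNOWN_REDIRECTORS,
    }


def scan_links(urls: list[str]) -> list[dict]:
    """Return the analyses of only those links that redirect off-domain."""
    return [result for result in (analyze(u) for u in urls) if result["suspicious"]]


# Constructed sample links (not real campaign URLs):
SAMPLE_LINKS = [
    # Click-tracker redirect whose destination is a third-party "invoice" host.
    "https://ad.doubleclick.net/ddm/clk/123456789;987654321?https://files.invoice-portal.test/Statement_Feb.pdf",
    # Relative post-login redirect: stays on the same site, benign.
    "https://www.example.com/login?next=/account",
    # Absolute redirect back to the same registrable domain, benign.
    "https://accounts.example.com/logout?continue=https%3A%2F%2Fwww.example.com%2F",
    # Percent-encoded hand-off to an installer on an unrelated host.
    "https://mail.example.org/redirect?u=https%3A%2F%2Fupdate-installer.test%2Fsetup.msi",
]

if __name__ == "__main__":
    for hit in scan_links(SAMPLE_LINKS):
        tag = "known redirector" if hit["known_redirector"] else "unlisted host"
        print(f"[{tag}] {hit['redirector']} -> {', '.join(hit['external_targets'])}")
```

Run against links extracted from inbound PDFs or email bodies, the check surfaces exactly the shape the campaign used: a trusted first hop that lands somewhere else. Treat the `known_redirector` flag as a prioritization hint rather than a verdict, since the unlisted case in the sample is just as dangerous.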
The DarkGate payload itself is a remote access Trojan with a range of features, "including process injection, the download and execution of files, information stealing, shell command execution, keylogging abilities, and more. It also employs multiple evasion techniques."
Critical Fortinet Bug Needs Patching
Sunnyvale, California-based security appliance maker Fortinet has released a patch for a critical bug. The company told FortiClient Enterprise Management Server customers on Tuesday that unauthenticated attackers could bypass authentication and remotely execute code. The flaw, tracked as CVE-2023-48788, is an SQL injection vulnerability in the EMS DAS component, the Data Access Server that turns client requests into queries against the EMS database.
The company didn't say whether hackers have exploited the vulnerability in the wild. It credits a Fortinet developer and the U.K. National Cyber Security Centre with reporting the flaw.
French Government Targeted in Suspected Russian Cyberattack
Pro-Russian, self-declared hacktivist group Anonymous Sudan took responsibility for a distributed denial-of-service attack late Sunday night against French government ministries. Prime Minister Gabriel Attal's office said the attacks landed with "unprecedented intensity" but that by Monday afternoon most services had been restored.
Anonymous Sudan is putatively based in that impoverished East African country, which is currently involved in a mounting civil war. In reality, it almost certainly is a Russian information operation (see: Expensive Proxies Underpin Anonymous Sudan DDoS Attacks).
France has signaled strong support for Ukraine, and President Emmanuel Macron in February signed a decade-long security pact with Kyiv - a move the National Assembly backed in a Tuesday vote. The French government in February accused Russia of running a disinformation campaign targeting Kyiv's Western allies, including France.
Google Limits Gemini AI's Election-Related Responses
Google announced restrictions on its Gemini AI chatbot in countries with upcoming elections, including the United States, India, South Africa and the United Kingdom. The move aims to curb the potential dissemination of misinformation ahead of crucial votes. Users who now ask the Gemini chatbot about election-related topics receive a response that declines to answer and directs them to Google Search instead.
The move reflects widespread concerns over AI-generated disinformation and its potential impact on democratic processes (see: AI Disinformation Likely a Daily Threat This Election Year).
Microsoft March Patch Tuesday Tackles 60 Vulnerabilities
Microsoft's March Patch Tuesday fixed 60 vulnerabilities, including 18 remote code execution flaws. The Redmond giant classified two of them, both in Windows Hyper-V, as critical.
A patch for CVE-2024-21400, an elevation of privilege flaw in Azure Kubernetes Service Confidential Containers, closes a path by which attackers could gain elevated privileges and steal credentials.
CVE-2024-26199, an elevation of privilege vulnerability in Microsoft Office, allows any authenticated user to gain SYSTEM privileges.
Microsoft also addressed a security feature bypass vulnerability in Microsoft Defender and a remote code execution vulnerability in Skype for Consumer.
Google Paid $10 Million in Bug Bounties in 2023
Google disbursed $10 million in bug bounties in 2023 to security researchers worldwide, marking a reduction from the $12 million paid out in 2022. More than 600 white hat hackers from 68 countries obtained rewards, and the highest single payment was $113,337.
Google allocated more than $3.4 million in rewards for discovering significant vulnerabilities within Android. The tech giant also introduced wearables, such as Wear OS, into its bug bounty program to encourage research in new technology for user safety.
French Employment Agencies Hit by Data Breach
Prominent French employment agencies France Travail and Cap Emploi confirmed a security breach in their information systems that resulted in the leak of personal data, including names, Social Security numbers, email addresses and telephone numbers. The incident affected approximately 43 million individuals.
While the cybercriminals reportedly did not access passwords and banking details, authorities cautioned that they might use the data they stole in phishing and other attacks.
MarineMax Reports Cyberattack to SEC
If the two best days in the life of a boat owner are the day they buy a boat and the day they sell it, one of the worst days is probably the day a major boat retailer reports to a U.S. federal regulator that it "experienced a 'cybersecurity incident.'" Florida-based MarineMax said the incident began Sunday and involved unauthorized access to parts of the company's information environment. Despite disruptions, the attack hasn't materially affected operations, and it is unclear if the incident is a ransomware attack. MarineMax said it didn't store sensitive data in the affected IT system.
A yacht with a Horizon E90 motor and a "4 stateroom layout with en-suite heads in each" is currently for sale on the MarineMax website for $7.5 million.
Catching Up With Alcasec, Spain's Most Dangerous Hacker
José Luis Huertas, Spain's most famous teenage hacker - now 20 and awaiting sentencing for a 2022 incident - said he's going into cyber defense as the head of his own firm. Once described by Spanish national police as the country's most powerful and untraceable hacker, Huertas told online newspaper El Confidencial that a two-month stay in the Alcalá Meco high-security prison altered his perspective. "It changed my mind; it was pretty rough," he said in Spanish.
Spanish prosecutors seek a three-year prison sentence for Huertas, aka Alcasec, for penetrating a centralized file transfer system that links the judiciary with executive branch agencies, including the tax administration agency. He was held in prison following his spring arrest last year (see: Spanish Police Arrest 'Dangerous' Teenage Hacker). A judge released him in May after he assisted police with the investigation and disgorged 13 bitcoins he obtained by selling illicit data.
"Everybody will think that I'm doing this just because of the court case, as a strategy to show that I've changed," he told El Confidencial. "It's not just that; I'm doing it for my future," he said.
Funded with 100,000 euros from an investing firm controlled by the family of a friend, the startup will be named Havenio and is close to signing five contracts, Huertas said. Huertas once boasted during a YouTube podcast interview - in which he wore a balaclava - of having access to personal data of 90% of the Spanish population. None of Havenio's services will flow from any of the databases "to which I might have had access in the past," Huertas said.
Before his arrest, Huertas served time in a semi-open juvenile detention center after authorities determined he was part of a gang that had hacked into the city administrations of Granada and Madrid to steal 53,000 euros. He gained fame as a teenager for hacking stunts such as creating more than 150,000 free HBO accounts and distributing them on Instagram and manipulating the Burger King ordering system to offer free food.
Other Coverage From Last Week
- Feds Launch Investigation into Change Healthcare Attack
- Hackers Hiding Keylogger, RAT Malware in SVG Image Files
- Canada Sentences LockBit Hacker Mikhail Vasiliev to 4 Years
With reporting from Information Security Media Group's David Perera in Washington, D.C.; Akshaya Asokan in Southern England, Prajeet Nair in Bengaluru, India and Mihir Bagwe in Mumbai, India.