Hello! It's been another busy week, full of cybersecurity incidents and other developments. Let's dive in!
Uber has apparently suffered what The Register has described as what "looks like a substantial cybersecurity breach." The company has not shared many details but it appears a hacker broke into the HackerOne account of an Uber employee and may have gained access to all of Uber's HackerOne reports.
The US Department of Justice (DoJ) announced an indictment on Wednesday against three Iranian hackers who used ransomware to extort a battered women's shelter and a power company. And that's just the beginning. The DoJ said the trio launched ransomware attacks at "hundreds" of victims in England, Australia, Iran, Russia and the United States, saying they extorted money "largely" for their own accounts. One of the biggest targets was Boston Children's Hospital in the summer of 2021. Fortunately, an unspecified intelligence partner tipped off the FBI, and the agency worked with Children’s to block what would have been “one of the most despicable cyberattacks I’ve seen,” Wray said at a Boston College cybersecurity conference in June.
The European Union introduced legislation on Thursday that requires companies that make digital devices and software to fulfill basic cybersecurity requirements. Lawmakers are hoping the new legislation will reduce hacking risks in a broad range of products. In addition, manufacturers that do business in the EU must provide security patches and updates for the product’s lifetime or five years after going to market, whichever is shorter. The fine for breaking the rules would be as much as 15 million euros, equivalent to $15 million, or 2.5% of global revenue.
With cybercrime rampant worldwide, the United States is doing what it can to help other countries by participating in joint law-enforcement operations and examining how cybersecurity rules can be more closely aligned. The US is also "harmonizing" breach reporting requirements between states and federal agencies due to the increasing nature of crimes with an "international dimension".
Twitter's former head of security has continued to speak with the US Senate Judiciary Committee. On Tuesday, Peiter “Mudge” Zatko told the committee that his former employer was unable to track how employees accessed internal data, blinding them to foreign spies. Zatko told lawmakers there was “a lack of fundamental tools and access controls” putting the company at least 10 years behind industry norms. Mudge cited one example where there were “thousands of failed attempts to access internal systems per week” and nobody could explain where they were coming from or what they were trying to access.
Networking giant Cisco has had its files stolen after a breach earlier in the year. However, the company contends, as it has since the incident was first reported, there is no impact to its business. Cisco disclosed in August a security breach was detected on May 24 after a ransomware group named Yanluowang claimed to have obtained gigabytes of information and publishing a list of files allegedly stolen from the company.
Tesla owners could not have been happy to learn that attackers are now able to unlock and start a Tesla Model Y in just seconds. Researcher Josep Pi Rodriguez, principal security consultant for IOActive, this week revealed a vulnerability involving an NFC relay attack. The attack requires two thieves working in tandem, one of whom needs to be near the car and the other near the car owner, who has an NFC keycard or mobile phone with a Tesla virtual key in their pocket or purse. The vulnerability is the result of a software update eliminating the need for Tesla owners to place their NFC key card in the console between the front seats to shift into D and drive off. As Slashgear puts it, the update came with a flaw: The car could accept new keys within two minutes after unlocking, and the new keys could unlock and start the vehicle without requiring further authentication.
That's a wrap for this week's news. See you next week!
Top Global Security News
The Register (September 16, 2022) Uber reels from 'security incident' in which cloud systems seemingly hijacked
Uber is tonight reeling from what looks like a substantial cybersecurity breach.
The food delivery and ride sharing disruptor has admitted that something is up, saying it is investigating the matter with the Feds. No other details were shared.
Judging from screenshots leaked onto Twitter, though, an intruder has compromised Uber's AWS cloud account and its resources at the administrative level; gained admin control over the corporate Slack workspace as well as its Google G Suite account that has over 1PB of storage in use; has control over Uber's VMware vSphere deployment and virtual machines; access to internal finance data, such as corporate expenses; and more.
Wall Street Journal (September 15, 2022) EU Proposes Strict Cybersecurity Rules for Digital-Product Makers
Companies that make digital devices and software will need to prove they fulfill basic cybersecurity requirements under a new European proposal intended to reduce hacking risks in a range of products, from home appliances and wearable devices to software and computers.
The draft legislation introduced Thursday also requires manufacturers that do business in the European Union to provide security patches and updates for the product’s lifetime or five years after going to market, whichever is shorter. Companies that break the rules would face fines of up to 15 million euros, equivalent to $15 million, or 2.5% of global revenue.
“It’s important when you buy a product that the product doesn’t have known vulnerabilities. That’s not the case today,” Thierry Breton, EU commissioner for the internal market, told reporters on Thursday. The legislation is a breakthrough, he said, because Europe is the first continent to propose required cybersecurity assessments for software.
READ MORE (subscription required)
Security Week (September 14, 2022) US Indicts Iranians Who Hacked Power Company, Women's Shelter
The US Department of Justice announced an indictment Wednesday against three Iranian hackers who used ransomware to extort a battered women's shelter and a power company.
Authorities said the trio launched ransomware attacks at "hundreds" of victims, including inside Britain, Australia, Iran, Russia and the United States, saying they extorted money "largely" for their own accounts, and not for the Iranian government.
But a separate US Treasury announcement of sanctions said the three were part of a larger hacking group tied to Iran's powerful Islamic Revolutionary Guard Corps (IRGC), and the US State Department has offered a $10 million reward for information on them.
Wall Street Journal (September 13, 2022) U.S. Broadens International Efforts to Pursue Hackers
The U.S. is helping other countries fight cybercrime with measures that include joint law-enforcement operations and examining how cybersecurity rules can be more closely aligned.
Efforts in the U.S. around harmonizing breach reporting requirements between states and federal agencies have a growing international dimension, said Rob Silvers, undersecretary for strategy, policy and plans at the Department of Homeland Security.
Mr. Silvers chairs the recently launched Cyber Incident Reporting Council, a DHS body designed to harmonize reporting. Multinational companies will likely have to report cyberattacks to several national authorities requiring similar information, he said.
“There’s no reason we shouldn’t be able to find some opportunities to lessen the burden and streamline ways to do it,” he said, speaking at the Billington CyberSecurity Summit last week.
READ MORE (subscription required)
Cyberscoop (September 13, 2022) Twitter couldn't detect foreign agents on its own, whistleblower testifies
Twitter’s inability to track how employees accessed internal data blinded them to foreign spies, the company’s former head of security, Peiter “Mudge” Zatko, testified at a hearing in front of the Senate Judiciary Committee on Tuesday.
Zatko called the issue “a lack of fundamental tools and access controls” that put the company at least 10 years behind industry norms. Mudge recounted that at one point later in his tenure, for instance, there were “thousands of failed attempts to access internal systems per week” and nobody could explain where they were coming from or what they were trying to access.
A whistleblower complaint filed by Zatko in July included allegations of two incidents involving foreign spies. In one instance, Twitter knowingly allowed a non-engineering employee who was a state agent for India to retain access to internal dealings with the Indian government. In a second, the FBI alerted Twitter’s security team to the presence of a Chinese state agent in the ranks of its security team. The details of the incident were revealed to the public for the first time at the hearing and had not been available in the redacted whistleblower report.
The Verge (September 12, 2022) New attack can unlock and start a Tesla Model Y in seconds, say researchers
Tesla prides itself on its cybersecurity protections, particularly the elaborate challenge system that protects its cars from conventional methods for attacking the remote unlock system. But now, one researcher has discovered a sophisticated relay attack that would allow someone with physical access to a Tesla Model Y to unlock and steal it in a matter of seconds.
The vulnerability — discovered by Josep Pi Rodriguez, principal security consultant for IOActive — involves what’s called an NFC relay attack and requires two thieves working in tandem. One thief needs to be near the car and the other near the car owner, who has an NFC keycard or mobile phone with a Tesla virtual key in their pocket or purse.
Near-field communication keycards allow Tesla owners to unlock their vehicles and start the engine by tapping the card against an NFC reader embedded in the driver’s side body of the car. Owners can also use a key fob or a virtual key on their mobile phone to unlock their car, but the car manual advises them to always carry the NFC keycard as a backup in case they lose the key fob or phone or their phone’s battery dies.
Security Week (September 12, 2022) Ransomware Group Leaks Files Stolen From Cisco
A cybercrime group has leaked files stolen earlier this year from Cisco, but the networking giant stands by its initial assessment of the incident and says there is no impact to its business.
Cisco admitted on August 10 that it had detected a security breach on May 24. The admission was prompted by a ransomware group named Yanluowang claiming to have obtained gigabytes of information and publishing a list of files allegedly stolen from Cisco.
The hackers have now published the actual files stolen from Cisco and the company has confirmed that they originated from its systems.
Other Top Security News
Hive ransomware claims cyberattack on Bell Canada subsidiary - Bleeping Computer
FBI: Millions in Losses resulted from attacks against Healthcare payment processors - Security Affairs
Texas hospital still bringing systems back online after Sept 1 ransomware attack - The Record
North Korean cyberespionage actor Lazarus targets energy providers with new malware - TechRepublic
Passengers Exposed to Hacking via Vulnerabilities in Airplane Wi-Fi Devices - Security Week
High Severity Vulnerabilities Found in HP Enterprise Devices - Infosecurity
Hackers steal Steam accounts in new Browser-in-the-Browser attacks - Bleeping Computer
The Future of the Web: The good, the bad and the very weird - ZDNet
Cybersecurity Report: Average data breach in the US costs 9.4 million - MSSP Alert
Phishing page embeds keylogger to steal passwords as you type - Bleeping Computer