ELTENI’S CYBER SCOOP

Latest News

In this newsletter, we highlight compliance issues with the SEC’s rule on material incident disclosure, the Department of Justice’s continued efforts to combat the exploitation of widespread vulnerabilities, and the increasing sophistication of deepfake cyber incidents.

REGULATORY CORNER

Companies are not complying with the new SEC cybersecurity incident rule on disclosure

The U.S. Securities and Exchange Commission (SEC) implemented new cybersecurity disclosure rules in 2023, aimed at enhancing transparency for investors regarding the cybersecurity risks and incidents that could affect their investments. These rules mandate that companies disclose significant cyber incidents and certain aspects of their cybersecurity governance and management processes within four business days of determining the incident’s materiality. This requirement covers both unauthorized and accidental cybersecurity incidents that could materially impact investors.

Since these rules came into effect on December 18, several prominent companies, including Microsoft, Hewlett Packard, UnitedHealth Group, Prudential Financial, VF Corp, and Loan Depot, have reported cybersecurity incidents. However, it has been noted that none of these disclosures fully comply with the new SEC rules.

Notes

It is probable that additional guidance and iterations of the SEC rule on disclosure will be forthcoming. Furthermore, it wouldn’t be surprising if penalties were enforced to compel all organizations to adopt a more proactive approach to readiness and compliance with the disclosure rule. As such incidents continue to emerge, investors will likely become more informed on the matter and exert pressure on organizations to strengthen their processes and gain a better understanding of the materiality of their digital/cyber assets in the overall value of their organization. This entails not only achieving compliance but also ensuring transparency to effectively safeguard their investments.

Companies not complying with the SEC Cybersecurity Incident Disclosure Rule | Forbes

ENFORCEMENT NEWS

DOJ, FBI disrupt Russian intelligence botnet

US authorities have successfully dismantled a network comprising hundreds of compromised small office and home office routers that were utilized by Russian military intelligence for conducting global cyber espionage campaigns. This announcement was made jointly by the Federal Bureau of Investigation (FBI) and the Department of Justice.

Speaking at the Munich Cyber Security Conference, FBI Director Christopher Wray detailed the operation’s objective, which was to expel the Russian GRU from a vast network of compromised routers and subsequently secure it against further infiltration. This action effectively cut off the GRU’s access to a botnet it had been leveraging to orchestrate cyber operations against numerous countries worldwide, including the United States and its European allies.

Notes

These devices often serve as the first line of defense against external threats, which makes them prime targets for attackers seeking to exploit vulnerabilities. This incident therefore reinforces the importance of a proactive cybersecurity posture. First, harden devices, particularly public-facing or perimeter devices, by removing any unused features and settings that could be abused, reducing the risk of unauthorized access and compromise. Second, run automated and continuous vulnerability scanning to identify and address security flaws before malicious actors can exploit them. Third, patch and update regularly; this is essential for mitigating the risks associated with known vulnerabilities. Software vendors frequently release patches and updates to address newly discovered vulnerabilities and improve overall security posture, and failing to apply them promptly leaves devices susceptible to exploitation, unauthorized access or compromise.

It is important to recognize that compromised devices can be used not only for intrusion but also for other nefarious activities. For example, compromised devices can be enlisted into botnets to launch distributed denial-of-service (DDoS) attacks, spread malware, or participate in other illicit activities without the owner’s knowledge. Organizations can effectively mitigate these risks by prioritizing device hardening, continuous vulnerability analysis, and timely patching and updates, thereby safeguarding their digital assets from exploitation.

Joint Cybersecurity Advisory

CYBER NEWS

Finance worker pays out $25 million after video call with deepfake ‘Chief Financial Officer’ | CNN

Deepfake technology, which leverages artificial intelligence and machine learning to manipulate or generate visual and audio content with a high degree of realism, was used by scammers over a video call to mimic the voice of a company’s Chief Financial Officer. During this call, a finance employee was tricked into wiring 200 million HKD ($25.6 million USD) to the perpetrators. The scammers were also able to mimic other colleagues in the firm, lending the request credibility and allaying suspicion. With the increasing sophistication of these attacks, it is more important than ever to have proper training and internal controls in place to thwart them.

Browser-Based Phishing Attacks Jump 198% second half of 2023 | TechNewsWorld

Browser-based phishing attacks are surging, with a reported 198% increase in such incidents, alongside a rise of more than 200% in “evasive” attack types that can evade traditional security controls and exploit browser vulnerabilities. This trend underscores a growing preference among cybercriminals for browser-based strategies over traditional email-directed attacks. The shift is likely because a fake website only needs to appear legitimate or contain a malicious link to initiate an attack once it is clicked on. In 2023 alone, over half a million browser-based attacks were documented, largely because companies often fail to recognize these “imposter” sites. The effectiveness of evasive attacks in circumventing the endpoint security tools designed to detect and block such threats has notably improved the success rates of cybercriminals’ phishing endeavors.

This alarming trend amplifies the urgency for enhanced security awareness training, tailored specifically to the roles and responsibilities of employees. A general lack of knowledge regarding phishing and other types of security threats leaves employees vulnerable, making it easier for attackers to exploit them, thereby jeopardizing the security of both the individual and the organization.

Hijacked subdomains exploited for massive spam campaign | Bleeping Computer

A massive ad fraud campaign named “SubdoMailing” was identified in which 8,000 legitimate internet domains and 13,000 subdomains were used to send up to five million emails per day, generating revenue through scams and phishing. The strategy is referred to as “domain hijacking”: attackers take control of dormant and unsecured domain names belonging to legitimate organizations and use them in spam and phishing campaigns. Because these names remain associated with the legitimate organizations, and are therefore still covered by valid SPF and DKIM records (which are meant to authenticate legitimate sending domains and reject illegitimate ones), the attackers’ mail can subvert spam filters. Some brands that fell victim to this domain hijacking campaign include MSN, VMware, McAfee, The Economist, Cornell University, CBS, NYC.gov, PwC, Pearson, Better Business Bureau, UNICEF, ACLU, Symantec, Java, net, Marvel and eBay. This highlights the need for vigilance when managing and securing public-facing assets and information.
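A defensive check for the dormant-domain problem described above, added here as an example and not taken from the article or the newsletter: it walks an organisation’s CNAME targets and SPF delegations (include, a, mx, exists, redirect) and flags every reference whose registrable domain the organisation or an active vendor no longer controls, since such a name is what an attacker would register to inherit the trust of the SPF record. The ZONE records and the CONTROLLED allow-list are constructed, there are no live DNS lookups, and the two-label registrable() rule is a simplification of the Public Suffix List.

```python
import re
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str]  # (record type, record data)

# Constructed sample records (not real DNS data): one organisation's zone plus
# a vendor's SPF record, keyed by owner name.
ZONE: Dict[str, List[Record]] = {
    "example.org": [("TXT", "v=spf1 include:_spf.mailvendor.test include:spf.old-partner.test ~all")],
    "www.example.org": [("CNAME", "example.org")],
    "promo.example.org": [("CNAME", "pages.retired-agency.test")],
    "_spf.mailvendor.test": [("TXT", "v=spf1 ip4:192.0.2.0/24 include:relay.gone-vendor.test -all")],
}

# Constructed allow-list of registrable domains still held by the organisation
# or an active vendor. A reference outside this set is a dormant-domain candidate.
CONTROLLED: Set[str] = {"example.org", "mailvendor.test"}

# SPF terms that delegate trust to another domain (ip4/ip6/all carry no domain).
SPF_DOMAIN_TERM = re.compile(r"^[+\-~?]?(?:include|a|mx|exists):([^/]+)$|^redirect=([^/]+)$", re.I)


def registrable(name: str) -> str:
    """Last two labels of a name. Simplification: a real audit consults the Public Suffix List."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def spf_domains(txt: str) -> List[str]:
    """Domains an SPF record delegates to, in the order they appear."""
    matches = (SPF_DOMAIN_TERM.match(term) for term in txt.split()[1:])
    return [(m.group(1) or m.group(2)).lower() for m in matches if m]


def dangling_references(zone, controlled, start, seen=None) -> List[Tuple[str, str, str]]:
    """Return (owner, type, target) for each CNAME target or SPF delegation reachable
    from `start` whose registrable domain is not controlled. Follows references that
    resolve inside `zone`, so a vendor's stale include is attributed to the vendor record."""
    seen = set() if seen is None else seen
    if start in seen:
        return []
    seen.add(start)
    findings = []
    for rtype, rdata in zone.get(start, []):
        if rtype == "CNAME":
            targets = [rdata.lower()]
        elif rtype == "TXT" and rdata.lower().startswith("v=spf1"):
            targets = spf_domains(rdata)
        else:
            continue
        for target in targets:
            if registrable(target) not in controlled:
                findings.append((start, rtype, target))
            else:
                findings += dangling_references(zone, controlled, target, seen)
    return findings


def audit_zone(zone, controlled) -> List[Tuple[str, str, str]]:
    """Audit every owner once, sharing the visited set so nothing is reported twice."""
    seen: Set[str] = set()
    return [f for owner in zone for f in dangling_references(zone, controlled, owner, seen)]
```

Each finding names the record that should be removed or re-pointed before the referenced domain lapses; in the constructed data the stale vendor include is surfaced even though it sits one hop away from the organisation’s own SPF record.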

DECODE THE TERMS

DNS (Domain Name System) – The system that translates human-friendly domain names (e.g., example.com) into IP addresses (e.g., 192.0.2.1), which computers use to communicate with each other on the internet. It lets people navigate the internet and reach websites by name, which can align with a brand or business, instead of by a string of numbers that is not as easily recognized or memorized.

Domain Registrar – A domain registrar is a company or organization accredited by the Internet Corporation for Assigned Names and Numbers (ICANN) or a national country code top-level domain (ccTLD) authority to register domain names. When individuals or businesses wish to establish an online presence, they must register their chosen domain name through a domain registrar to ensure they have the exclusive rights to use that name for their website’s address on the Internet.

CNAME – A Canonical Name Record (CNAME) is like a nickname for a domain. It is an alias listed in the Domain Name System (DNS) that points to another, canonical domain name. For example, you might use a CNAME record to point “www.example.com” to “example.com”, ensuring that both addresses go to the same location.

Email Spoofing – Forging the sender address of an email so that it appears to come from a legitimate source, such as your bank or a friend, when it actually comes from someone else (typically a scammer). This technique is commonly used in spam and phishing campaigns.

Deepfake Attacks – Leverage advanced machine learning and artificial intelligence to create convincing audio or video recordings that appear to show real people saying or doing things they never actually said or did. This deceptive media content can be used to manipulate or harm individuals and organizations. For example, a deepfake video might be created to make it appear as if a public figure is making controversial statements or engaging in illegal activities, causing potential damage to their reputation.

Browser-Based Phishing Attacks – Deceptive websites or messages used to lure you into giving away your personal information. For example, a pop-up appears while accessing a website that looks legitimate, like your bank’s website or a popular online store. It then tricks an individual into entering their sensitive information such as usernames, passwords, credit card information, etc.