More stories

  • Forescout acquires healthcare cybersecurity provider CyberMDX

    On Tuesday, device security firm Forescout Technologies announced that it is acquiring healthcare cybersecurity provider CyberMDX for an undisclosed amount. 


    Forescout provides a broad range of services for IT, IoT, OT and IoMT devices, making the acquisition of CyberMDX key to its expansion into the healthcare market. “Forescout is seeing rapid growth in healthcare, a market the company has always focused attention on from a technology and sales perspective,” said Wael Mohamed, CEO of Forescout. “Cybersecurity for IoMT, much like cybersecurity for OT devices, requires specific expertise and technologies. We are pleased to have the CyberMDX team join Forescout as we continue delivering new capabilities on our market-leading platform and grow our R&D center.”

    The companies added that, thanks to the merger, the two will “have a powerful platform that delivers an easy-to-use, scalable and agentless approach to device visibility, classification, threat detection and incident response focused on IoMT devices to better serve healthcare organizations.”

    Forescout previously acquired industrial control systems firm SecurityMatters for $133 million in an all-cash deal in 2018. Forescout itself was acquired by global private equity investor Advent International in a February 2020 deal worth $1.9 billion. The deal nearly fell through because of the pandemic but was eventually agreed upon at a 12% lower price in July 2020. Forescout claimed it has the largest number of deployments of OT infrastructure protection solutions globally and currently works with hospitals such as the University Health Network in Toronto.

    Mohamed told ZDNet that the challenges healthcare organizations around the globe face as OT and IoMT devices come online prompted the company to work with CyberMDX on delivering expanded, specialized capabilities for deeper visibility and granularity.

    “Forescout experienced great growth in our healthcare business in 2021, and we saw the need for deeper coverage in medical devices. We conducted an extensive evaluation and found a great partner and technology solution in CyberMDX. Bringing these two companies together means that we will be able to deliver the highest quality device visibility and risk assessment coverage for healthcare organizations around the globe. CyberMDX will continue to operate as a standalone company,” Mohamed said. “For Forescout, acquiring CyberMDX enhances our ability to address the growing demands and requirements from biomedical and clinical teams. The combined Forescout-CyberMDX solution delivers high-value cybersecurity automation capabilities that keep healthcare customers continuously compliant with healthcare regulations and best practices. It also enables our customers to make easier purchasing decisions and govern their network with a single solution. For CyberMDX, being acquired by Forescout means joining forces with a large, global leader in cybersecurity to continue its mission of protecting the things that protect human lives.”

    Amir Magner, president and co-founder of CyberMDX, said the move would help the company continue its work of providing healthcare institutions with wider cybersecurity protection. “CyberMDX enables hospitals to provide quality care by securing and protecting the systems and devices they rely on every day to treat patients and save lives,” Magner said. “We are thrilled to join the Forescout team where our innovation can continue to make a profound difference to healthcare organizations around the world.”

  • These hackers are hitting victims with ransomware in an attempt to cover their tracks

    Iranian hackers are targeting a range of organisations around the world in campaigns that use previously unidentified malware to conduct cyber-espionage actions and steal data from victims – and in some cases, the state-backed attackers are also launching ransomware in a dual effort to embarrass victims and cover their tracks. The two separate campaigns have been detailed by cybersecurity researchers at Cybereason, who’ve attributed the activity to an Iranian hacking group they track as Phosphorus – also known as APT35 and Charming Kitten – along with another Iranian-linked cyber operation, dubbed Moses Staff.


    The attacks by Phosphorus take a more ‘traditional’ approach to cyber espionage, in that they are designed to steal information and conduct operations that serve the interests of Tehran. The group is suspected of being behind multiple espionage campaigns against organisations and individuals in the United States, Europe and the Middle East, as well as attempts to interfere with the US presidential elections.

    Now Phosphorus has added a new tool to its arsenal: trojan malware, which researchers have called PowerLess Backdoor, that allows attackers to conduct activity with little chance of being detected. Once installed on a compromised machine, PowerLess allows attackers to download additional payloads and steal information, while a keylogging tool sends all the keystrokes entered by the user directly to the attacker.

    Analysis of PowerLess Backdoor campaigns appears to link the attacks to tools, techniques and motivations associated with Phosphorus campaigns. In addition, analysis of the activity seems to link the Phosphorus threat group to ransomware attacks. One of the IP addresses being used in the campaigns also serves as a command and control server for the recently discovered Memento ransomware, leading researchers to suggest there could be a link between the ransomware attacks and state-backed activity. “A connection between Phosphorus and the Memento ransomware was also found through mutual TTP patterns and attack infrastructure, strengthening the connection between this previously unattributed ransomware and the Phosphorus group,” said the report.

    Cybereason also found a link between a second Iranian hacking operation, named Moses Staff, and additional ransomware attacks, which are deployed with the aid of another newly identified trojan backdoor, dubbed StrifeWater. The trojan is used for the initial phases of the attack, before it removes itself after being replaced with other tools. The way StrifeWater removes itself relatively early in the infection process is the reason it hasn’t been detailed previously.

    Like Phosphorus, the key aim of Moses Staff is to conduct espionage and steal information “to advance Iran’s geopolitical goals”, with victims all over the world, including the US, Israel, Germany, Chile, Turkey, and the United Arab Emirates. But while the whole point of espionage is usually to stay under the radar, Moses Staff attacks actively deploy a form of ransomware after they’ve gathered what they need. “It’s like a scorched earth policy,” Assaf Dahan, head of threat research at the Cybereason Nocturnus Team, told ZDNet.

    The malware attacks in a similar way to ransomware, in that files are encrypted and stolen, but unlike regular ransomware operations, there isn’t a ransom demand – the attacks are launched purely with damage in mind. However, the similarity in design to ransomware could draw victims away from suspecting an espionage campaign as they rush to combat what looks like a standard ransomware attack. But while it looks like ransomware, those behind it haven’t built a backend for accepting a ransom payment, let alone supplying an encryption key.

    “Their main goal is to disrupt business and disseminate fear,” said Dahan, describing how Moses Staff attacks, while state-sponsored, also appear to take cues from hacktivism campaigns, with custom graphics and boasts about hacking victims. “They tried to appear as activists group operating on behalf of Iranian state interest,” he explained, adding: “They have a website and a logo and everything, they say ‘hey, it’s us’ and they’re quite verbose and vocal about their mission.”

    It’s thought that both campaigns remain active, but there are actions that organisations can take in an effort to avoid becoming a victim. Key among these is patching software and systems, because the attacks are known to use publicly available exploits, including the ProxyShell vulnerabilities in Microsoft Exchange, as well as the Log4j vulnerabilities. Applying security updates as soon as possible reduces the window in which attackers can exploit disclosed vulnerabilities. It’s also recommended that information security staff and network administrators are proactive in looking for threats, not only by fully understanding their own network and being able to detect when something might be suspicious, but also by keeping up to date with intelligence on the latest potential threats so they know what to look for. “Be proactive. Don’t just wait for an alert to pop because, by the time it pops, it could be too late,” said Dahan.

  • One in seven ransomware extortion attempts leak key operational tech records

    One in seven ransomware extortion data leaks reveals business-critical operational technology data, researchers say. 

    Ransomware has evolved from barebone encryption and basic demands for payment into something potentially far more severe in recent years. Once, ransomware was used en masse to infect systems and extort blackmail payments from the general public — normally in cryptocurrency such as Bitcoin (BTC) — but now, operators are targeting high-value targets for larger payoffs. In what some cybersecurity experts call “big game hunting,” ransomware groups go for large enterprise firms, utilities, hospitals, and key supply chain players.  While it may take longer to perform the reconnaissance required to enter networks owned by large companies, once entry has been obtained, it is possible that one attack can land them millions of dollars.  Colonial Pipeline is an example of just how debilitating a ransomware attack can be. The fuel supplier’s systems were hijacked by ransomware in 2021 by DarkSide, and while a $4.4 million ransom was paid to restore Colonial Pipeline’s network, the damage was already done — the attack prompted panic buying and fuel shortages across the United States.  However, ransomware attacks against the enterprise now go further. Cisco Secure coined the term “one-two-punch” extortion, in which ransomware operators will steal confidential data before encryption begins and will threaten to leak this information if a victim refuses to pay up.

    Many ransomware operators manage leak sites online that publish stolen data dumps, and according to Mandiant Threat Intelligence, over 2021, thousands of victims found themselves subject to these extortion tactics. In only a 12-month period, over 1,300 organizations from critical services, infrastructure, and the industrial sector were impacted.

    Mandiant collected samples from victims that leverage operational technologies (OT) for their production. After poring through the data dumps leaked on the name-and-shame websites, the researchers found everything from network and engineering diagrams to information on partner vendors and operator panels. Among the samples examined were stolen employee credentials, asset tags, third-party vendor agreements and legal documents, project files, product diagrams, process documents, spreadsheets, visualizations, and in one case, the proprietary source code of a satellite vehicle tracker’s GPS platform.

    “Based on our analysis, one out of every seven leaks from industrial organizations posted in ransomware extortion sites is likely to expose sensitive OT documentation,” the researchers say. “Access to this type of data can enable threat actors to learn about an industrial environment, identify paths of least resistance, and engineer cyber-physical attacks.”

    To make matters worse, leaked OT records may also provide cyberattackers — whether the original group or a copycat team looking to strike the same victim — a picture of a company’s culture, staff, finances, production processes, research, intellectual property, and more.

    “We recommend that organizations in these sectors enforce robust data handling policies for employees and subcontractors to ensure that internal technical documentation is protected,” commented Daniel Kapellmann Zafra, Mandiant senior technical analysis manager. “This is particularly important for critical infrastructure such as rail, which provides services to thousands of passengers every day.”

    “If you find your data has been exposed on a ransomware extortion site, it’s important to assess the value of this leaked data and determine if any additional controls should be put in place to decrease the risk of an adversary using this data in future.”

    Last month, Trellix (McAfee Enterprise/FireEye) released the results of an analysis of ransomware attacks between July and September 2021. The company said that organizations in the finance and retail sectors, alongside utilities, were the most common targets, making up 58% of reported ransomware incidents.

  • Ransomware: Is the party almost over for the cyber crooks?

    Ransomware has become the biggest cybersecurity issue facing businesses, governments and the wider world today. 


    A series of high-profile incidents during the past year – such as the Colonial Pipeline ransomware attack, the Kaseya ransomware attack, a string of attacks against hospitals and healthcare, including the Irish Healthcare Executive, and many others – have caused problems for millions.

    Ransomware is effective because, in many cases, the victim will give in to the extortion by the cyber criminals and pay the ransom, often millions of dollars, to get a decryption key to restore their network. In other cases, the victims don’t pay, opting to restore the network themselves, a process that can take weeks or months – all the while having an impact on their business or services. Such has been the chaos caused that ransomware has even become part of the discussion between world leaders during international summits.

    During the second half of 2021, law enforcement agencies around the world publicised arrests and takedowns related to ransomware groups and the dark web services that allow them to operate, with suspects detained in countries including Ukraine, South Korea and Kuwait. But as welcome as these arrests were for law enforcement agencies, many of the most notorious ransomware crews remained at large. This, in part, is because many of these cyber-criminal operations are run out of Russia – and there’s a consensus among cybersecurity experts that the local authorities are willing to turn a blind eye to criminal hackers who focus their attentions on the West.

    So, it was a surprise when, on January 14, Russia’s Federal Security Service (FSB) announced it had detained suspected members of the REvil ransomware gang operating from several regions of the country and had dismantled the group’s operations.

    REvil was one of the most disruptive ransomware groups of 2021. One of the high-profile campaigns it carried out was an attack against JBS, which resulted in the food producer paying a ransom of over $10 million. The ransomware group was also blamed for an attack against Kaseya, the enterprise IT management software provider. The attack resulted in thousands of businesses around the world being disrupted – and in many cases temporarily closed until services were back online, preventing people from being able to buy goods from their local supermarkets in regions ranging from Sweden to New Zealand.

    But if one of the biggest, most infamous ransomware groups has suddenly found itself seemingly being taken down by law enforcement, does this mean the game is up for ransomware? Certainly, members of underground forums have taken note, with some expressing worries that it’s only a matter of time before law enforcement catches up with them. “In fact, one thing is clear, those who expect that the state would protect them will be greatly disappointed,” said a member of one forum. Some forum members even suggested they might move operations to a different jurisdiction, although this is unlikely to be a realistic option for many.

    However, while REvil is notorious, the group had been on hiatus for several months prior to the FSB’s action – meaning that while arrests of cyber criminals are welcomed, some doubt whether this will have any significant impact on other major ransomware crews. It’s also not clear whether Russia’s sudden interest in pursuing ransomware crime will continue; some industry experts have suggested that Russia’s engagement may be linked to its broader geopolitical agenda.


    According to the White House, one of the suspects arrested as part of the REvil raids was the person behind the Colonial Pipeline ransomware attack, the incident that led to gas shortages on the US east coast. The attack – which saw Colonial paying a $5 million ransom – wasn’t by REvil, but DarkSide, a separate but closely associated ransomware group. This situation illustrates one of the issues that complicates disrupting ransomware – the groups that operate it don’t act like regular companies with clear job titles. Instead, the different groups can overlap and individual cyber criminals can move between different outfits. If one group gets taken down by law enforcement, remaining ransomware developers and other members of the operation can take their skills elsewhere, aiding existing ransomware affiliate schemes or helping to set up a new one.

    Ransomware-as-a-service affiliate schemes allow cyber criminals who want to conduct ransomware attacks, without having to build ransomware themselves, to get in on the action – usually with the developers of the product taking a cut of the profits made from ransoms. Over the years, the people who run the affiliate schemes have come and gone, either after being shut down, taking a temporary hiatus, sometimes returning after a rebrand, or in some cases just retiring from the ransomware business. But for those who want to be part of a ransomware-as-a-service scheme, there are still plenty of options available as new operations continue to appear. So, while arrests and takedowns are effective tools against those developing ransomware, the demand from those lower down the chain, combined with skilled ransomware authors taking their skills to new operations, likely means that new ransomware operations will continue to emerge, even after takedowns.

    It’s unlikely the latest round of arrests will suddenly stop ransomware for good. But they do show ransomware groups and the cyber criminals around them that they aren’t immune from being tracked down and having the assets and ransom payments they obtained seized, particularly as more and more arrests take place. “It’s still lucrative, so plenty of reasons to do it, it’s still not particularly risky relatively, but in terms of imposing costs, the cost of doing business has gone up,” says Ciaran Martin, professor of practice at the University of Oxford’s Blavatnik School of Government – and former director of the UK’s National Cyber Security Centre. “Maybe they’re not the major operators, maybe they’re just bit-part players, but that still has an impact, and I think it still chips away a little better the sense of impunity of ransomware,” he adds.

    As demonstrated by dark web discussions following the arrests, action against ransomware groups can also sow doubt in the minds of those behind cyberattacks. Not only might they be more worried about the idea of law enforcement bashing down their door, but it could plant the idea that individuals in the ransomware ecosystem can’t be trusted – it could be that law enforcement has infiltrated a forum, or a prominent member has suddenly been coerced into helping the authorities with their investigation. “The trust between the various parts of these networks has probably been eroded,” says Martin. And if there’s doubt among dark web ransomware communities, that pushes up another barrier that makes campaigns that little bit more difficult to carry out.

    Cyber criminals being arrested is welcome: it chips away at a major cybersecurity issue facing organisations today and shows that there are potential consequences for carrying out cybercrime – but the issue of ransomware isn’t suddenly going to disappear in 2022. “It’s not over by any means,” says Martin. “Parts of it have got a little bit better, but it’s still the pre-eminent cybersecurity issue of our time.”

  • State-sponsored Iranian hackers attack Turkish government, private organizations

    A state-sponsored Iranian hacking group has pivoted to attacks against high-profile targets in Turkey. 

    This week, cybersecurity researchers from Cisco Talos said that MuddyWater, an advanced persistent threat (APT) group with ties to Iran’s Ministry of Intelligence and Security (MOIS), has been linked to campaigns against private organizations in Turkey alongside the country’s government. Active since at least 2017, MuddyWater, also known as Mercury or Static Kitten, has been tied to attacks against organizations in the US, Israel, Europe, and the Middle East in the past. Earlier this year, US Cyber Command linked the APT to the Iranian government, saying that MuddyWater is one of many groups “conducting Iranian intelligence activities.”

    “MuddyWater is a subordinate element within the MOIS,” US Cyber Command says. “According to the Congressional Research Service, the MOIS ‘conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies.’”

    According to Talos researchers Asheer Malhotra and Vitor Ventura, the latest MuddyWater campaign, dating back to November 2021, is utilizing malicious PDFs and Microsoft Office documents as an initial attack vector. Phishing emails containing these malicious attachments are spoofed to appear to be from the Turkish Health and Interior Ministries. Targets included the Scientific and Technological Research Council of Turkey (Tubitak).

    The malicious documents contained embedded VBA macros designed to trigger a PowerShell script, leading to the execution of a downloader for executing arbitrary code, the creation of a registry key for persistence, and the use of Living Off the Land Binaries (LOLBins) to hijack the machine. Once inside a target system, MuddyWater tends to focus on three aims: conducting cyberespionage for state interests; stealing intellectual property with a high economic value; and deploying ransomware to deliberately disrupt a victim organization’s operations or to “destroy evidence of their intrusions,” according to Talos. However, the researchers were not able to secure the final payload in this campaign due to verification checks on the operator’s command-and-control (C2) server.

    The APT has also adopted canary tokens to keep track of their intrusions. Canary tokens are digital “canaries” that warn that a file has been opened – and while often used by defenders to detect and monitor potential breaches, cyberattackers can also use them to track successful infections.

    “Tracking tokens may also be used as another means of anti-analysis: timing checks,” Talos says. “A reasonable timing check on the duration between the token requests and the request to download a payload can indicate automated analysis. […] Tracking tokens can also be a method to detect the blocking of the payload server. If they keep receiving requests to the token but not to the payload server, that is an indication of their payload server being blocked, and by whom.”

    An advisory issued by Trakya and the Turkey National Cyber Incident Response Center (USOM) warning of an APT-level attack listed IPs and an email address that were also uncovered in the Talos analysis of this campaign.

  • Home Affairs singles out Meta as most reluctant to stop online abuse

    The Department of Home Affairs has called for more oversight of social media algorithms and of online platforms using encryption as a potential mechanism for preventing online abuse. Those calls were made by Home Affairs representatives on Tuesday afternoon when they appeared before the Select Committee on Social Media and Online Safety. The committee is currently undertaking a social media probe into the practices of major technology companies to curb toxic online behaviour. The committee’s probe was approved by the federal government at the end of last year with the intention of building on the proposed social media legislation to “unmask trolls”.

    Home Affairs digital and technology policy head Brendan Dowling on Tuesday said his department has become increasingly concerned about the rollout of encryption on online platforms. In expressing these concerns, Dowling said his department was not anti-encryption and acknowledged the cybersecurity and privacy benefits of the technology, but noted the rollout of encryption on online platforms has not been done with the intention of prioritising the safety of users.

    “I think we’re seeing platforms adopt the idea of safety by design, but that continues to be a concern where safety seems to be an after feature or an afterthought to the design of platforms,” Dowling told the committee. “One of our most real and immediate concerns is that encryption is being rolled out without the associated consideration of safety features. To use an example, there are mechanisms to ensure that you can identify known child abuse material in any encrypted environment.

    “There are technical ways to achieve the identification of that deeply troubling material, but what we’re seeing is platforms are looking to roll out further encryption to deal with privacy issues or security issues without regard to how they’re going to prioritise public safety, child safety, and assistance to law enforcement in those environments so that’s one example of where we see the innovation being ahead of the safety considerations.”

    In Home Affairs’ submission to the committee, the department specifically called out Meta as being “frequently the most reluctant to work with government” when it comes to promoting a safe online environment, adopting a safety-by-design approach, and taking adequate proactive measures to prevent online harms. “Digital platforms continue to be manipulated by malicious actors, and those seeking to do harm are able to exploit their technologies faster than industry can develop new safety features,” Home Affairs wrote in its submission.

    Home Affairs’ remarks are in stark contrast to the ones made by Meta when it appeared before the same committee a fortnight ago, when the company’s ANZ policy director Mia Garlick dismissed the claims made by whistleblower Frances Haugen that the company prioritises profit over safety as being “categorically not true”. “Safety is at the core of our business,” Garlick said at the time.

    The committee’s findings for its social media probe are set to be released later this month.

  • FBI urges athletes to keep personal devices at home, use burners during Beijing Winter Olympics

    In a notice released on Monday, the FBI warned Olympic athletes about bringing their devices to the 2022 Beijing Winter Olympics and March 2022 Paralympics while also raising concerns about the potential for cyberattacks against the event. In a wide-ranging alert, the FBI said entities associated with the games should prepare for “a broad range of cyber activities to disrupt these events” including distributed denial of service (DDoS) attacks, ransomware, malware, social engineering, data theft or leaks, phishing campaigns, disinformation campaigns, or insider threats. The attacks would seek to “block or disrupt the live broadcast of the event, steal or leak sensitive data, or impact public or private digital infrastructure supporting the Olympics.”

    “Additionally, the FBI warns Olympic participants and travelers of potential threats associated with mobile applications developed by untrusted vendors. The download and use of applications, including those required to participate or stay in country, could increase the opportunity for cyber actors to steal personal information or install tracking tools, malicious code, or malware,” the FBI said. “The FBI urges all athletes to keep their personal cell phones at home and use a temporary phone while at the Games. The National Olympic Committees in some Western countries are also advising their athletes to leave personal devices at home or use temporary phones due to cybersecurity concerns at the Games.

    “The FBI to date is not aware of any specific cyber threat against the Olympics, but encourages partners to remain vigilant and maintain best practices in their network and digital environments.”

    The FBI noted that during the 2020 Tokyo Olympics and Paralympics, the NTT Corporation — which provided its services for the Tokyo Olympic & Paralympic Games — revealed there were more than 450 million attempted cyber-related incidents during the event. NTT officials told ZDNet in October that none of the attacks were successful and added that the games went on without a hitch, but the number of attacks was 2.5x the number seen during the 2012 London Summer Olympics.

    NTT’s Andrea MacLean compared the cybersecurity struggle to Harry Potter’s final fight against Voldemort, calling the effort to protect the event “Herculean.””Cybercriminals certainly saw the Games — and its related supply chain — as a high-value target with low downtime tolerance. After all, crime follows opportunity. And with connected stadiums, fan engagement platforms and complete digital replicas of sporting venues and the events themselves becoming the norm, there’s plenty of IT infrastructure and data to target — and via a multitude of components,” MacLean said. MacLean said among the 450 million attacks, NTT saw the Emotet malware, email spoofing and phishing, as well as fake websites made to look like they were associated with the Olympics. The FBI released a similar warning ahead of those Olympic Games as well. There has been significant debate and discussion within the cybersecurity community about the MY2022 smartphone app that the Chinese government is requiring all Olympic athletes to download upon entry into the country. Citizen Lab released a detailed examination of the app, noting that a “simple but devastating flaw” allegedly allows the encryption protecting users’ voice audio and file transfers to be “trivially sidestepped.”According to Citizen Lab, passport details, demographic information, and medical/travel history in health customs forms are also allegedly vulnerable. Server responses can reportedly be spoofed, allowing an attacker to display fake instructions to users, according to the report.The MY2022 app also allegedly allows users to report “politically sensitive” content and includes a censorship keyword list involving topics like Xinjiang and Tibet. Since that report was released, some have said concerns about the app are exaggerated and that it does not actually collect voice data from users. 
In comments to ZDNet, the International Olympic Committee defended the app and downplayed the severity of the issues discovered by Citizen Lab. A spokesperson justified the app’s security holes by saying that due to the COVID-19 pandemic, “special measures” needed to be put in place to “protect the participants of the Olympic and Paralympic Winter Games Beijing 2022 and the Chinese people.” The IOC also defended the app by saying it received approval from the Google Play store and the App Store.

“Therefore, a closed loop management system has been implemented… The ‘My2022’ app supports the function for health monitoring. It is designed to keep Games-related personnel safe within the closed loop environment. The user is in control over what the ‘My2022’ app can access on their device. They can change the settings already while installing the app or at any point afterwards. It is not compulsory to install ‘My 2022’ on cell phones, as accredited personnel can log on to the health monitoring system on the web page instead,” the IOC claimed. “The IOC has conducted independent third-party assessments on the application from two cyber-security testing organizations. These reports confirmed that there are no critical vulnerabilities.”

In spite of the debate over the app, the UK, Australia, and Germany have all urged their citizens to leave all of their personal devices and laptops at home over concerns that they will be hacked or monitored by the Chinese government both during the games and once they go home. The Dutch Olympic Committee has already banned its citizens from bringing their devices to the games.

    Apple, SonicWall, Internet Explorer vulnerabilities added to CISA list

    CISA has updated its Known Exploited Vulnerabilities Catalog with eight vulnerabilities, two of which have remediation dates of February 11. The list includes an Apple IOMobileFrameBuffer Memory Corruption vulnerability, a SonicWall SMA 100 Appliances Stack-Based Buffer Overflow vulnerability, a Microsoft Internet Explorer Use-After-Free vulnerability, a Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management vulnerability and two GNU Bourne-Again Shell (Bash) Arbitrary Code Execution vulnerabilities.
The Apple and SonicWall vulnerabilities have a remediation date of February 11 and the rest have remediation dates of July 28. Apple released patches for the vulnerability — tagged as CVE-2022-22587 — last week, noting that a malicious application may be able to execute arbitrary code with kernel privileges. Apple said it is “aware of a report that this issue may have been actively exploited” and added that it was discovered by a member of Mercedes-Benz Innovation Lab and two other researchers.

Rapid7 said earlier this month that CVE-2021-20038 — the SonicWall vulnerability — has a suggested CVSS score of 9.8 out of 10, explaining in a blog post that by exploiting this issue, “an attack can get complete control of the device or virtual machine that’s running the SMA 100 series appliance.”

“This can allow attackers to install malware to intercept authentication material from authorized users, or reach back into the networks protected by these devices for further attack. Edge-based network control devices are especially attractive targets for attackers, so we expect continued interest in these kinds of devices by researchers and criminal attackers alike,” Rapid7 said.

Vulcan Cyber CEO Yaniv Bar-Dayan said digital business has a cyber debt problem, telling ZDNet that this latest batch of eight CVEs added by CISA “proves the adage that ‘vulnerabilities age like milk.’”

“Three of the eight vulnerabilities were first disclosed in 2014, and the average age of the CVEs added to the CISA database today is more than four years. Our IT security teams are struggling to mitigate decade-old risk, much less the threat du jour,” Bar-Dayan said.

Netenrich’s John Bambenek said he understood the need to quickly patch the iOS vulnerability but questioned some of the other additions. “If the federal government needs another six months to patch an 8-year-old Bash shell vulnerability, then we might as well surrender our IT to North Korea now and save the taxpayers some money,” Bambenek said. “What I fail to understand is why ancient vulnerabilities are put on this list with such long periods of time to remediate.”
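The two figures this story turns on, how many days remain before a CISA remediation deadline and how old the CVEs on the list are, are cheap to compute from the catalog itself, which CISA publishes as a JSON feed (known_exploited_vulnerabilities.json). The Python below is an added example, not code from CISA, ZDNet or anyone quoted above. It parses a constructed snapshot with the feed's field names, keeps only entries matching a local vendor/product inventory, and ranks them by deadline. The due dates match the story; the dateAdded values and the use of CVE-2014-6271 (Shellshock) for one of the two Bash entries are assumptions, since the story names the Bash product but not its CVE IDs.

```python
import json
import re
from datetime import date

# Constructed snapshot in the shape of CISA's known_exploited_vulnerabilities.json
# feed (a top-level "vulnerabilities" list with the same per-entry field names).
# The due dates are the ones reported in the story. The dateAdded values and the
# choice of CVE-2014-6271 (Shellshock) as one of the two Bash entries are
# assumptions: the story gives the Bash product but not its CVE IDs.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2022-22587", "vendorProject": "Apple",
         "product": "iOS, iPadOS, and macOS",
         "vulnerabilityName": "Apple IOMobileFrameBuffer Memory Corruption Vulnerability",
         "dateAdded": "2022-01-28", "dueDate": "2022-02-11",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-20038", "vendorProject": "SonicWall",
         "product": "SMA 100 Appliances",
         "vulnerabilityName": "SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability",
         "dateAdded": "2022-01-28", "dueDate": "2022-02-11",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2014-6271", "vendorProject": "GNU",
         "product": "Bourne-Again Shell (Bash)",
         "vulnerabilityName": "GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability",
         "dateAdded": "2022-01-28", "dueDate": "2022-07-28",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def cve_year(cve_id):
    """Year component of a CVE ID; rejects anything that is not a well-formed ID."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"malformed CVE ID: {cve_id!r}")
    return int(m.group(1))


def triage(kev_json, today_iso, inventory):
    """Filter the catalog to vendors/products present in `inventory` (a set of
    lowercase substrings) and annotate each hit with its age in years (taken from
    the CVE ID), days until the CISA due date and an overdue flag, most urgent first."""
    today = date.fromisoformat(today_iso)
    rows = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        haystack = f"{v['vendorProject']} {v['product']}".lower()
        if not any(needle in haystack for needle in inventory):
            continue
        days_left = (date.fromisoformat(v["dueDate"]) - today).days
        rows.append({
            "cve": v["cveID"],
            "vendor": v["vendorProject"],
            "age_years": today.year - cve_year(v["cveID"]),
            "days_left": days_left,
            "overdue": days_left < 0,
        })
    # Soonest (or most overdue) deadline first; ties broken by oldest CVE first.
    rows.sort(key=lambda r: (r["days_left"], -r["age_years"]))
    return rows


def average_age(kev_json, today_iso):
    """Mean age in years of every catalog entry, the kind of figure Bar-Dayan quotes."""
    year = date.fromisoformat(today_iso).year
    ages = [year - cve_year(v["cveID"]) for v in json.loads(kev_json)["vulnerabilities"]]
    return sum(ages) / len(ages)


if __name__ == "__main__":
    for row in triage(SAMPLE_KEV_JSON, "2022-02-01", {"apple", "sonicwall", "bash"}):
        flag = "OVERDUE" if row["overdue"] else f"{row['days_left']:>4}d left"
        print(f"{row['cve']:<16}{row['vendor']:<12}{row['age_years']:>2}y old  {flag}")
    print(f"average age: {average_age(SAMPLE_KEV_JSON, '2022-02-01'):.1f} years")
```

Against the real feed the only change is reading the JSON from disk instead of the embedded sample; the inventory matching is a substring filter on vendor and product, which is deliberately loose so that a product string like "iOS, iPadOS, and macOS" still matches an inventory entry of "apple". Age is derived from the CVE ID year, the same yardstick the "8-year-old Bash" remark uses, not from dateAdded, which would make every entry in this batch zero days old.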