New Quantum Cybersecurity Preparedness Act Aims to Protect Agencies Against Looming “Q-Day”

On December 21, 2022, President Biden signed the Quantum Computing Cybersecurity Preparedness Act into law. The law aims to protect federal government data against the impending threat of quantum-enabled data breaches ahead of “Q-day”—the time when quantum computers will be able to break through current cryptographic algorithms. Cybersecurity experts believe that Q-day is a mere 5 to 10 years away, thus prompting the launch of this bipartisan Act.

Co-sponsored by senators Rob Portman (R-OH) and Maggie Hassan (D-NH), the law sets various requirements for federal government agencies to prepare their migration towards quantum-secure cryptography. These include the requirement to maintain an up-to-date inventory of current IT systems that are vulnerable to decryption by quantum computers and to design the migration process toward post-quantum cryptography. Federal agencies must complete both requirements within 6 months of the law’s enactment.

The Office of Management and Budget (OMB) will also publish federal guidelines for the IT migration process within a year of the National Institute of Standards and Technology (NIST)’s issuance of its post-quantum cryptography standards. OMB’s guidelines will apply to all federal agencies except for national security systems.

Co-sponsor of the Act, Senator Hassan said: “To strengthen our national security, it is essential that we address potential vulnerabilities in our cybersecurity systems, including new threats presented by quantum computing.”

Read: https://www.infosecurity-magazine.com/news/biden-quantum-cybersecurity-law/

Fortinet and Zoho urge their customers to patch vulnerabilities recently discovered in their enterprise software

A major security flaw has been discovered in FortiADC application delivery controllers that could potentially allow an attacker to carry out malicious code execution across different versions. Known as CVE-2022-39947, the vulnerability impacts the following versions:

• FortiADC version 7.0.0 through 7.0.2
• FortiADC version 6.2.0 through 6.2.3
• FortiADC version 6.1.0 through 6.1.6
• FortiADC version 6.0.0 through 6.0.4
• FortiADC version 5.4.0 through 5.4.5

It is highly advised that users upgrade their systems quickly to the latest 6.2.4 and 7.0.2 releases of FortiADC.

However, Fortinet isn’t the only one stepping up to tackle vulnerabilities in their software – Zoho recently released a patch designed to deter an unexpected SQL injection flaw found in Access Manager Plus, PAM360 and Password Manager Pro. While details of the bug have not been revealed yet, it’s understood that any users could potentially exploit it for access to their victim’s backend database.

Read: https://thehackernews.com/2023/01/fortinet-and-zoho-urge-customers-to.html

Are Meta and Twitter Ushering in a New Age of Insider Threats?

Though most cybersecurity threats are perceived to be from external actors, a pair of stories this month from Meta and Twitter serve as an ominous reminder that sometimes the worst threats come from within. According to reports, employees at both companies have been using internal workarounds or private channels to sell access to private platforms or account verification. According to a tweet from Elon Musk, the new Twitter CEO, Twitter employees may have sold verification statuses to users for up to $15,000 off the record. Meanwhile, at Meta, more than two dozen employees have abused an internal account recovery tool to restore accounts for people who otherwise had no means to do so.

Though some of this may have been a clear case of employees helping out friends and family, such malpractices have formed an incredible black market for threat actors who have been blocked entry to these social media platforms. Employees who enable unauthorized access to these actors for financial compensation highlight the extent to which trust in digital media has collapsed and highlight the need for constant vigilance on the part of companies to get things back on track.

Indeed, companies today are caught between a rock and a hard place: there must be a baseline level of trust in one’s employees to run operations at all, yet in a mature threat model, every employee is also a simultaneous threat. To monitor the situation, companies can invest in a data loss prevention program that sends alerts when data is exfiltrated via email or USB. They can also keep track of privileged programs or locations to check if they are accessed too frequently or at unusual times.

It should, however, serve as a wake-up call to organizations that constant vigilance is their only means to track threats, be they internal or external.

Read: https://www.darkreading.com/vulnerabilities-threats/are-meta-and-twitter-ushering-in-a-new-age-of-insider-threats-

Colombian Bank Hijacked to Drop the Remote Access Trojan, BitRAT

A Colombian cooperative bank has been hijacked by a new malware campaign that is using sensitive stolen information as phishing bait to drop the remote access trojan, BitRAT. The vulnerability in the bank’s infrastructure was discovered by cybersecurity firm Qualys, which found 418,777 records in a database dump believed to be obtained by exploiting SQL injection faults. The leaked sensitive data include Cédula numbers (Colombian national ID), email addresses, phone numbers, customer names, payment records, salary details, and addresses.

Victims were sent messages that tricked them into opening an infected Excel document that contained the exfiltrated bank data. Also embedded in this Excel document is a macro that retrieves and executes BitRAT on the compromised machine. For only $20, BitRAT is a powerful malware suite that steals data, extracts credentials, mines cryptocurrency, and downloads additional software.

Qualys researcher Akshat Pradhan says: “Commercial off the shelf RATs have been evolving their methodology to spread and infect their victims. They have also increased the usage of legitimate infrastructures to host their payloads and defenders need to account for it.“

Read: https://thehackernews.com/2023/01/hackers-using-stolen-bank-information.html

Ukrainian Cyber Police Arrest 40 in End of Year Call Centre Raid

On Dec 29, 2022, the Ukrainian Cyber Police successfully raided a fraudulent call center that had been involved in a large-scale banking fraud. Police arrested the scam’s three main masterminds, plus 37 of their staff.

The scammers were sending calls out to unsuspecting victims by hiding their true caller ID. To victims, the calls seemed to be coming from their bank, the tax office, or even their local police station. From these “spoofed” phone numbers, the scammers would then try to convince victims that their bank accounts had been compromised and that they needed to “secure” their accounts to recover lost or at-risk funds. By combining a mix of threatening, scary, and urgent language, the scammers would often succeed at pulling their victims into their trap.

Once it becomes clear that the victim is worried about the security of their funds, the scammer would then try to glean various pieces of personal and security information from the victim. They would do this by asking them to “confirm” the information that the “bank official” can supposedly already see on their screen. Once completed, the scammers would then ask victims to log into a fake security site, guiding them through any 2FA (two-factor authentication) security processes. After access had finally been granted, the fraudsters could then transfer victims’ money to their own accounts.

According to the Ukrainian police, “For the conspiracy, the participants used bank accounts located in offshore zones and cryptocurrency wallets. In this way, the criminals defrauded [about 18,000 people].” To protect themselves from such frauds in the future, police advise users to never believe anyone who randomly contacts them to “help” with a fraud investigation. You should always rely on something other than the Caller ID that shows up on your phone, as these are becoming easier and easier to fake.

Read: https://nakedsecurity.sophos.com/2023/01/03/inside-a-scammers-lair-ukraine-busts-40-in-fake-bank-call-centre-raid/

 

Elsewhere Online:

Raspberry Robin Obfuscates ‘Deeper, More Personal’ Data Collection In New Infection Campaign
Read: https://thehackernews.com/2023/01/raspberry-robin-worm-evolves-to-attack.html

Section 702 Expiration Imminent: Debate Surrounding Surveillance Powers Heats Up
Read: https://www.politico.com/newsletters/weekly-cybersecurity/2023/01/03/congress-gears-up-for-fight-over-key-surveillance-program-00076042

In a recent FBI report, cybercriminals are using search engine ads to spread malware and phishing scams
Read: https://www.cpomagazine.com/cyber-security/fbi-hackers-are-using-search-engine-ads-for-phishing-and-malware-distribution/

How could the EU’s decision impact US data privacy policies?
Read: https://www.healthcareitnews.com/news/could-eus-decision-against-meta-affect-data-privacy-policies-us

Iranian authorities detained a journalist who published interviews with families of death row inmates
Read: https://www.arabnews.com/node/2227691/middle-east

Truth About Mandatory ‘Safety Device’ Biden Signed Into Law 
Read: https://www.westernjournal.com/truth-mandatory-safety-device-biden-signed-law-power-government-wants/

Previously on #AxisOfEasy