Significant upcoming legislation promises to tighten the screws on cyber incident response in Australia, mirroring CIRCIA in the US.

Source: Bonaventura via Alamy Stock Photo

Australian companies may soon have to disclose to the government any ransom payments they surrender to ransomware attackers.

It wasn't so long ago that Australia's government was considering an outright ban on ransom payments across the country. That idea didn't survive, but a slightly softer rule was floated in a national cybersecurity strategy document published last November. In just a single sentence buried deep in that document, the government signaled its intention that "To stay ahead of the threat, we will co-design with industry options to legislate a no-fault, no-liability ransomware reporting obligation for businesses."

That obligation seems to be part of the country's upcoming Cyber Security Act, which is expected to be brought before parliament during its next sitting in just a couple of weeks' time.

Following an interview with Clare O'Neil — who, until Monday, was Australia's Minister for Home Affairs — the Australian Broadcasting Corporation (ABC) reported that businesses making more than $3 million AUD ($1.96 million US) in annual revenue will be forced to report their ransom payments. However, the fines for noncompliance are purportedly just $15,000.

Dark Reading has contacted Australia's Department of Home Affairs to confirm reports about the new rule.

"The goal with such laws is to allow governments to have insight into funds going to bad actors, in order to be able to track those payments and hopefully bring criminals to justice," explains Beth Burgin Waller, chair of the Cybersecurity & Data Privacy practice at Woods Rogers Vandeventer Black (WRVB).

In Australia's case, "The proposed bill appears to mirror what we are seeing in the United States from CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act of 2022), which requires that covered entities report ransom payments within 24 hours of making a ransom payment to CISA," she explains. "The Australian proposed law is broader, though, in the sense that it appears to be for any business making a ransom payment, whereas it appears CIRCIA covers only 'covered entities,' which the current proposed CIRCIA regulations broadly define."

**Will Forcing Ransom Disclosure Work?**

Australia has been rocked by some major cyberattacks in recent years. In 2022, a breach of millions of consumer records struck the telecommunications company Optus. Shortly thereafter, a case of similar scope hit the health insurance provider Medibank. Last year, a cyber disruption downed four core ports around the country for a weekend. And there have been more.

The toll to Australia's economy has been significant. As former minister O'Neil noted in a forward to the 2023–2030 Australian Cyber Security Strategy, a cyber incident is reported to the government every six minutes. (Of course, that doesn't include all the incidents that don't get reported.) Ransomware, meanwhile, is responsible for $3 billion worth of damage to Aussie organizations annually, and cyberattack costs are rising 14% per annum.

Any hard and fast rules that help curb the problem inevitably affect different organizations differently. On one hand there are larger companies, which can handle the costs involved and stand to benefit the most from clearer regulations.

"With laws like this popping up locally across the globe, it creates a patchwork quilt of compliance for multi-national organizations with perhaps a headquarters in the United States but significant operations in Australia," Waller says.

Smaller organizations, meanwhile, have fewer resources to dedicate to cybersecurity, and less money to pay fines when they fall short. According to ABC, the Australian Chamber of Commerce and Industry (ACCI) trade organization supports parts of the upcoming Cyber Security Act, but proposes that the minimum revenue threshold for businesses affected by the reporting rule should be $10 million.

**Incentive for Stronger Cyber Defenses**

The hope, regardless, is that any potential negative side effects will be outweighed by greater visibility for law enforcement, and more effective incentives for companies to better themselves.

"Mandatory disclosures may prompt a reassessment of corporate practices regarding negotiations with cybercriminals," says Anne Cutler, cybersecurity evangelist at Keeper Security. "With the knowledge they must disclose any ransom payments, business leaders may be persuaded to invest more heavily in preventive measures and robust incident response plans to avoid the financial and reputational scrutiny that comes with public disclosure."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Australian Companies Will Soon Need to Report Ransom Payments

DEV#POPPER is back, looking to deliver a comprehensive, updated infostealer to coding job seekers by way of a savvy social engineering gambit.

Source: sakkmesterke via Alamy Stock Photo

The North Korea-based DEV#POPPER campaign is back, with an updated malware and social engineering arsenal that it's using to target software developers worldwide for data theft.

That's according to research from the Securonix Threat Research team, which found in an analysis today that the known threat group is casting a wider net than ever before, having added Linux and macOS variants to its malware toolbox in addition to its existing Windows binary.

The campaign, which focused primarily on South Korea before, has spread out globally, and is also active in Europe, the Middle East, and North America.

It's unclear as to the level of specific targeting the campaign is using, but there are overlaps with other efforts by North Korean actors to use fake recruiting in state-sponsored attacks.

"I would imagine that the ultimate goal for the attackers is conducting a successful operation against an individual on a corporate or company-owned endpoint," says Tim Peck, senior threat researcher at Securonix. "Based on the malware used, its primary purpose is theft. Typically, with financially motivated attacks, we see either ransomware or cryptominers being used."

**Targeting Developers With Social Engineering**

To lure in their victims, DEV#POPPER threat actors pose as interviewers looking to hire software developers for nonexistent positions. When someone applies, they send off a .ZIP file to the target that purports to be an npm package to be used for testing the applicant's coding skills.

"The use of practical-style interviews makes for an easy medium for the attackers to run malicious code on the interviewee's system," Peck notes. "Given the practical nature of developer interviews, it would not be uncommon to be asked to compile or execute code, as opposed to most other types of interviews. In such a use case, it would generally not raise suspicions for the interviewee."

When the interviewee extracts and executes the contents of the package, a well-hidden line of JavaScript code executes, which kicks off the infection chain, the researchers explained in their analysis of the campaign. "The .ZIP file contains dozens of legitimate files, making identifying potential foul play difficult to spot if it's missed by any installed antivirus."

Antivirus, by way, may indeed miss it: the malicious file, which is obfuscated in multiple ways, has just a 3/64 vendor detection rate on VirusTotal as of the Securonix blog post being published today.

The level of savvy scamming is notable: "In this particular attack, the lengths that the threat actors go through to pull off their social engineering scheme is quite bold," says Peck. "If you think about it, the amount of work needed to host fake job interviews goes way beyond traditional compromise actions such as blasting out phishing emails, for example."

**DEV#POPPER's Cyberattack Routine & Updated Malware**

The malware strategy is not just now multiplatform, but is also more sophisticated than its predecessor, according to Securonix.

After deobfuscating the script, the researchers were able to detect the campaign's command-and-control address (C2), as well as a number of malicious functions. The latter includes a fresh main function, dubbed "M," which orchestrates data extraction and code execution on different operating systems.

"It begins by identifying the platform, constructs paths and variables, and then calls appropriate extraction functions based on the detected OS," according to the analysis.

Other functions are in charge of sending the stolen data to the C2, collecting system and geolocation information, and assigning unique identifiers to each infected host (which allows the server to track which data came from which machine). Another function downloads next-stage payloads, while another new addition performs directory traversal, which includes filters to exclude certain files and directories from extraction (in order to appear more legitimate).

Securonix researchers noted that after the script was executed on a compromised host, the attackers then fetched a series of additional payloads culminating in an updated version of a Python script that DEV#POPPER has used before. This performs the actual theft of various sensitive files, plus keylogging and surveillance; one new capability is the ability to steal browser cookies, credit-card information entered into websites, and data for any installed browser extensions.

"The risk of running this kind of information-stealer malware on a business endpoint could be catastrophic," Peck says. "Considering the information stolen, the threat actors would almost immediately have access to all of the user's active browser sessions, cookies, and passwords. Additionally, they would have remote access to the endpoint allowing them to embed themselves deeper or attempt to move laterally into other systems that the user might have access to."

While it's difficult for businesses to protect against this type of attack, given that they might not be aware that a target is job-hunting, awareness training is always an option on the defensive side.

"First, if you're employed and actively interviewing, never conduct the interview on a company-owned appliance," Peck warns. "Second, though job interviews are oftentimes stressful situations, maintain a security-focused mindset. Social engineering attacks can be difficult to spot, however if the request seems odd or out of the norm, don't be afraid to back out of a request for fear of rejection or making a situation awkward."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

North Koreans Target Devs Worldwide With Spyware, Job Offers

PRESS RELEASE

BRATISLAVA — July 31, 2024 — ESET, a global leader in cybersecurity, today announced the introduction of the cloud version of ESET Secure Authentication, the multifactor authentication module of the ESET PROTECT Platform. With the new offering, ESET customers can consolidate their security stack and have endpoint protection and multifactor authentication (MFA) provided natively from one vendor with a single pane of glass experience, offering unparalleled flexibility and ease of use, utilizing a wide range of authentication methods in one effective and affordable solution for companies of all sizes.

“We understand how poor password hygiene can lead to devastating data breaches,” said Michal Jankech, Vice President of SMB and MSP segment at ESET. “With the cloud version of ESET Secure Authentication, ESET aimed to provide a solution that is flexible, scalable, easy to deploy, and above all, effective and affordable for companies of all sizes, boosting business data protection while reducing total cost of ownership, in an effort to deliver superior business value to our customers.” 

In today’s cybersecurity landscape, one of the most common ways hackers can gain access to a company’s data is through weak or stolen passwords gathered via automated bots, phishing, or targeted attacks. To protect against such threats, in addition to just protecting normal users’ logins to critical services, businesses can implement an advanced MFA solution to prevent unauthorized administrative access. ESET Secure Authentication provides an easy way for businesses of all sizes to implement MFA across commonly utilized systems such as VPNs, Remote Desktop Protocol, Outlook Web Access, and operating system logins. It supports technologies such as mobile apps with push notifications, hardware tokens, FIDO keys, and other custom methods.

The cloud version of ESET Secure Authentication will be available through the ESET PROTECT Elite subscription tier, and as a standalone solution without any change in pricing. The solution will be immediately available for new customers, and available to all North America customers later in Q4 2024. 

 About ESET

ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of known and emerging cyberthreats — securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. An ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and X.

You May Also Like

ESET Reveals Latest Cloud-Native Authentication Solution

PRESS RELEASE

SEATTLE -- July 31, 2024 – Protect AI, a leader in AI security, today announced the acquisition of SydeLabs, which specializes in the automated attack simulation (red teaming) of generative AI (GenAI) systems. This strategic acquisition enhances Protect AI's platform ability to test and improve LLM security and extends the company’s lead as the only provider of end-to-end AI security solutions.

SydeLabs: A Leader in AI Red Teaming

Generative AI and LLM adoption are revolutionizing industries. LLMs are being integrated into critical end user applications such as customer service, finance and healthcare. However the complexity and scale of the technology has exacerbated security concerns that traditional application security processes simply can not keep up with or address effectively. 

SydeLabs was founded less than a year ago by former product and engineering leads from Google and MPL, and has quickly established itself as a pioneer in the field of AI security. Based in Bangalore, India, SydeLabs has developed SydeBox, a cutting-edge product designed to provide comprehensive vulnerability assessments for GenAI systems. The talented team from SydeLabs will join Protect AI where they will continue to add local talent in Bangalore to complement our Seattle and Berlin based teams.

“Protect AI is continuously looking to add products to our AI security posture management platform that help our customers build a safer AI-powered world,” said Ian Swanson, CEO of Protect AI. “The acquisition of SydeLabs extends the Protect AI platform with unmatched red teaming capabilities and immediately provides our customers with the ability to stress test, benchmark and harden their large language models against security risks.” 

SydeBox will be integrated into the Protect AI Platform and rebranded as Protect AI Recon. Recon identifies potential vulnerabilities in LLMs, ensuring enterprises can deploy AI applications with confidence. Key features of Recon include no-code integration, model-agnostic scanning, and detailed threat profiling across multiple categories. Recon uses both an attack library and LLM agent based solution for red teaming and evaluating the security and safety of GenAI systems. Protect AI Recon aligns perfectly with the growing demand for robust AI security solutions, driven by formal guidance from NIST, MITRE, OWASP and CISA, as well as mandates like the Executive Order on AI Safety and Security and the EU AI Act.

“The combination of SydeLabs’ SydeBox and Protect AI’s platform provides customers a comprehensive defense-in-depth solution for building, managing, testing, deploying and monitoring LLMs,” said Ruchir Patwa, co-founder of SydeLabs. “We couldn’t be more excited about joining the Protect AI mission and the prospect of what we can achieve in terms of helping companies of all sizes adopt and deploy more secure LLMs and AI applications.”

The new Recon product will enable Protect AI to meet growing customer demand for robust AI security solutions. Customers will benefit from detailed threat profiling across jailbreaks, prompt injection attacks, input manipulations and other attack vectors, which are crucial for maintaining the integrity and security of AI systems. Recon covers six of the OWASP Top 10 for LLM applications.

“Recon, formally SydeBox, has enabled us to identify and fix security blindspots before deploying our GenAI solutions to ensure we are building the most secure and safe LLM powered applications, and that products we serve our customers are free from any security or safety loopholes,” Said Kiran Darisi, CTO and cofounder, AtomicWork.

This acquisition and new product, Recon, further enhances Protect AI’s position as the leader in the AI security market and AI Security Posture Management (AI-SPM) solutions, differentiating it from competitors and solidifying its market presence. More specifically when used alongside Layer, Protect AI’s LLM observability and monitoring solution, Recon enables organizations to harden the implementation of LLMs against the spectrum of emerging security concerns associated with GenAI usage. Partners and stakeholders will also gain from the enhanced security capabilities, ensuring that the entire AI ecosystem is better protected against potential threats.

About SydeLabs

SydeLabs is a pioneering AI security company specializing in automated red teaming for GenAI systems. Founded by former leaders from Google and MPL, SydeLabs has developed SydeBox, a leading product designed to identify and mitigate vulnerabilities in LLMs. SydeLabs’ products have been adopted by enterprises to make GenAI models and applications safe and secure, giving them the confidence to deploy these systems to production. The company is headquartered in Bangalore. 

About Protect AI

Protect AI empowers organizations to secure their AI applications with comprehensive AI Security Posture Management (AI-SPM) capabilities, enabling them to see, know, and manage their ML environments effectively. The Protect AI Platform offers end-to-end visibility, remediation, control, and governance, safeguarding AI/ML systems from security threats and risks. Founded by AI leaders from Amazon and Oracle, Protect AI is backed by top investors, including Acrew Capital, boldstart ventures, Evolution Equity Partners, Knollwood Capital, Pelion Ventures, 01 Advisors, StepStone Group, Samsung, and Salesforce Ventures. The company is headquartered in Seattle, with offices in Berlin and Bangalore. For more information, visit our website and follow us on LinkedIn and Twitter.

Protect AI Acquires SydeLabs to Red Team Large Language Models

PRESS RELEASE

NEW YORK, July 31, 2024 /PRNewswire/ -- Trustmi today released The State of Business Payment Security in the U.S. report. The results detail the findings of 516 finance professionals, including CFOs, treasurers, and accounts payable professionals, about the state of their business payment security processes. According to the survey, 22% of respondents have already been targeted by AI-driven deepfake and executive impersonation attacks. With the rise of generative AI, attackers are deploying increasingly sophisticated cyberattacks that pose new challenges for finance and cybersecurity teams.

While AI-driven attacks are gaining momentum, companies continue to contend with existing threats. Fifty percent said they experienced business payment fraud resulting from human error and 42% reported fraud from business email compromise (BEC) attacks. Other fraud sources include social engineering schemes (almost 20%) and employee collusion (nearly 16%).

According to Trustmi's research, a lack of visibility over payment processes persists. Nearly 58% of respondents had a fraud prevention solution, yet they lacked visibility into payment fraud activity. This includes insights into how much money they lost due to payment fraud in the past 12 months.

According to the research:

*   Less than one-third (28%) knew with certainty that their organization had experienced business payment fraud.
    
*   Nearly 22% of respondents did not know if their organization had experienced business payment fraud.
    
*   48% did not know how many times their organization had been targeted with payment fraud attempts in the past 12 months.
    
*   51% did not know how much money their organization had lost due to payment fraud.
    

"Finance teams face unprecedented challenges when it comes to payment fraud, battling emerging AI-powered threats while trying to identify and stop losses stemming from avoidable human error," said Shai Gabay, Trustmi co-founder and CEO. "To overcome these issues, businesses need AI-powered, end-to-end fraud prevention technology capable of automating their B2B payment processes while providing the visibility required to prevent fraud from all attack vectors and loss from needless human errors."

The survey found that many businesses lack automated business payment processes. Only 32% currently operate automated payment processes. Most (41%) automate some aspects of their workflow, while nearly 27% still rely on manual operations. This lack of automation creates even greater challenges for businesses with payment processes that involve multiple technology solutions. According to the research, 54% reported that their payment processes involve up to five technology solutions, with 12% using up to 10 solutions and 7% relying on 15 or more solutions within their payment technology stack.

Trustmi helps companies protect their bottom line by eliminating losses from cyberattacks, internal collusion, and human error and ensuring payments go to the right place. Trustmi enables finance and security teams to secure payment processes and manage vendors by connecting payment data and activity across an organization's siloed systems more effectively and efficiently. Trustmi's platform is a flexible solution that layers seamlessly onto existing systems to secure payments across the entire flow, boosting efficiency and reducing manual work. The easy-to-use interface allows full control so businesses can run their payment process without changing or interrupting their workflows.

Access The State of Business Payment Security in the U.S. report here.

About Trustmi  
Trustmi is the only end-to-end payment security solution that helps businesses protect their bottom line by eliminating losses from cyberattacks, internal collusion, and human error. Trustmi's flexible and modular solution offers businesses complete control to use only the tools they need for securing their payment processes and managing their vendors. Founded in 2021 by Shai Gabay and Eli Ben Nun, Trustmi is headquartered in Tel Aviv with an office in New York City. For more information, visit https://www.trustmi.ai/.

You May Also Like

AI-Driven Executive Impersonations Emerge As Significant Threat to Business Payment Processes

Malicious actors could potentially exploit this vulnerability if they gain physical access to a user's device.

Source: Anatolii Babii via Alamy Stock Photo

Apple released updates for a variety of its products to patch recent vulnerabilities found in Siri, the Apple iOS digital assistant.

The vulnerabilities could allow an attacker to steal information through a locked device because when a device is locked, there are still voice commands that the digital assistant can process and may allow access to contacts and other sensitive data.

In its latest round of fixes, Apple restricted these options to prevent malicious actors from exploiting the vulnerability, even if they have physical access to a device.

In addition to the iPhone, the company patched a similar vulnerability in Apple Watch, iOS, iPadOS, and the macOS Ventura.

Users should update to the latest software version of iOS and iPadOS, iOS 17.6, or iPadOS 17.6, to mitigate these bugs by going to settings, general, and then software update.

**About the Author(s)**

Siri Bug Enables Data Theft on Locked Apple Devices

The sustained cyberattack, likely made worse by a mitigation snafu, disrupted several Azure cloud services for nearly eight hours on July 30.

Source: DD Images via Shutterstock

Microsoft blamed an implementation error for amplifying the impact of a distributed denial-of-service (DDoS) attack yesterday, which ended up disrupting the company's Azure cloud services for nearly eight hours.

The attack affected several Azure offerings, including Azure App Services, Azure IoT Central, Application Insights, Log Search Alerts, and Azure Policy. The disruption, which began at around 7:45 a.m. ET and lasted until 3:43 p.m. ET, also impacted the main Azure portal and a subset of Microsoft 365 and Microsoft Purview data-protection services.

**DDoS Cyber-Defense Error Under Investigation**

In an event summary yesterday, Microsoft described the DDoS attack as causing an "unexpected usage spike \[that\] resulted in Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components performing below acceptable thresholds." The spike caused intermittent service errors, timeouts, and sudden latency increases.

More concerningly in some ways, "while the initial trigger event was a DDoS attack, which activated our DDoS protection mechanisms, initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating it."

Microsoft has not specifically identified the mistake that exacerbated the DDoS attack. But according to its description of the events of July 30, the initial network configuration changes the company made to support DDoS mitigation efforts may have led to some unexpected "side effects." The company implemented an updated approach that it first rolled out in thbe Asia-Pacific region and Europe, and then deployed in the Americas after validating the approach worked.

"Our team will be completing an internal retrospective to understand the incident in more detail," Microsoft said. "We will publish a Preliminary Post Incident Review (PIR) within approximately 72 hours, to share more details on what happened and how we responded."

**Inadvertent Errors in DDoS Mitigation**

Rody Quinlan, staff research engineer at Tenable, says there are several ways an organization can mess up a DDoS mitigation effort.

"Organizations can inadvertently amplify cyberattacks through various implementation errors, such as misconfigured rate limiting, inefficient load balancing, firewall misconfigurations, overly aggressive security rules, inadequate resource scaling, incorrect traffic filtering, and dependence on single points of failure," he says. "These errors can lead to blocked legitimate traffic, overloaded servers, bottlenecked firewalls, and critical services being taken offline."

And while Microsoft's initial response might have contributed to its Azure service problems this week, the incident is another reminder of how effective DDoS attacks remain for adversaries looking to disrupt and degrade a target's online presence.

A Cloudflare report earlier this year identified a 117% increase year-over-year in network-layer DDoS attacks. Part of the reason for that is a specific increase in DDoS attacks that targeted retail, shipping, and public relations websites on and around Black Friday and the holiday shopping season in general. However, many of the attacks have also been by groups looking to send out a specific message or convey a particular political stance. Cloudflare, for example, said it has observed a massive increase in DDoS attacks that target Taiwanese, Israeli, and Palestinian sites amid geopolitical tensions in those areas, and attacks on environmental sciences websites.

**DDoS Attacks Adopt "Smash & Grab" Tactics**

"Trends in DDoS are often cyclical, but currently we’re seeing attacks grow larger in size, and shorter in duration," says Donny Chong, director at DDoS security vendor Nexusguard. "Our most recent data suggests that attack sizes increased by an average of 183% last year, with an average size of 0.80Gbps," he says. At the same time, between 2022 and 2023, the average duration of DDoS attacks dropped to just over 101 minutes. Currently, 81% of DDoS attacks last less than 90 minutes, Chong says.

"Part of this decrease in attack duration is due to attackers becoming more and more efficient when inflicting disruption on business," likely because they are using artificial intelligence (AI) to automate some attacks. But the shorter attack durations are also likely due to mitigation technologies, Chong says. "\[Attackers\] are finding it increasingly difficult to sustain prolonged disruptions. So, rather than a prolonged siege, it's now more a case of ‘smash and grab,'" he says.

Quinlan says the key to mitigating DDoS disruption is having a real-time traffic analysis capability, scalable cloud infrastructure, redundant systems, and intelligent load balancing to prevent overload. "Proper rate limiting, throttling, and WAFs \[Web application firewalls\] filtering malicious traffic, and regular software and hardware vulnerability remediation is crucial to protect systems," Quinlan says. "An effective incident-response plan and collaboration with Internet service providers and security providers enhance detection and mitigation capabilities."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft: Azure DDoS Attack Amplified by Cyber-Defense Error

Two US senators accuse carmakers of deceptive language and shifty practices in sharing and resale of driver data.

Source: CC7 via Shutterstock

Two US senators have called on the US Federal Trade Commission (FTC) to hold automakers accountable for sharing driver data without consent, highlighting the growing data privacy challenges — and deceptive verbiage from terms of service — associated with modern smart cars.

In a letter to the FTC (PDF) last week, Sens. Ron Wyden (D-Ore.) and Edward Markey (D-Mass.) used the data-sharing practices of General Motors, Honda, and Hyundai as symptomatic of an industrywide problem that needs immediate investigation.

**Data Sharing Without Consent**

All three vendors collected and sold driver information such as acceleration and braking data to Verisk, a data analytics company that used the information to prepare driver behavior reports that it then resold to insurance companies. By their own account, none of the automakers obtained informed consent from customers before sharing their information. Instead, they deliberately obscured their data-sharing relationship with Verisk in lengthy disclosures and made deceptive claims about how they would use driver data, the senators charged.

"The FTC should hold accountable the automakers, which shared their customers' data with data brokers without obtaining informed consent, as well as the data brokers, which resold data that had not been obtained in a lawful manner," their letter noted. "Given the high number of consumers impacted, and the outrageous manipulation of consumers using dark patterns, the FTC should also hold senior company officials responsible for their flagrant abuse of their customers' privacy."

The letter highlights just one aspect of what many say is a rapidly growing set of security and privacy issues around modern, highly connected software-defined vehicles. While such vehicles offer increased automation, autonomous capabilities, and highly customizable user experiences, they also collect an enormous amount of data that can be hard to protect and secure.

"Your vehicle knows your name, your home address, your debit/credit card info, how fast you drive, how hard you brake, what you ask its voice assistant, the locations you frequent and at what times," says Riley Keehn, lead regulatory and government affairs consultant for SBD Automotive, an automotive research and consulting firm. "Certain occupant detection and automated driving cameras and sensors can even see you and your surroundings."

The onboard storage of this sheer volume of personal and identifying information (PII) and sensitive data types make drivers and their vehicles the direct targets of cyberattacks. These attacks can happen via hardwired systems like the OBD-II port or even the headlights, connections to the vehicle via shared and insecure Wi-Fi networks, through electric vehicle charging stations, compromised aftermarket components, and other means, Keehn says.

Some of these risks can be addressed via security-by-design approaches and the implementation of industry best practices and regulations, such as UN R155 on Cybersecurity Management Systems (CSMS) and UN R156 on Software Update Management Systems (SUMS), ISO/SAE 21434:2021 on Cybersecurity Engineering for Road Vehicles, and other international and regional requirements, she notes.

**A Complete Lack of Consumer Privacy Protections?**

But where things can get messy is what happens to personal data after a vehicle collects it. "The US still lacks a comprehensive, general data privacy regulation comparable to the EU's GDPR, China's PIPL/DSL/CSL framework, and other global regulations that have adopted the GDPR's model and stringency," Keehn says.

The US largely relies on sector-specific regulations, such as HIPAA in healthcare, to address unique data privacy and security requirements. Individual states have filled that gap with their own data privacy laws, creating a patchwork of inconsistent rules, often exempting certain sectors and technologies. While some states may have clear requirements for how an original equipment manufacturer (OEM) must handle the storage, collection, sharing, and sale of data, other states may have different requirements or none at all, she says.

"This inconsistency and lack of national guidance in the US creates a host of risks at the business level and can foster an OEM culture where security stops with the vehicle," Keehn adds.

**Can the FTC Really Drive Change?**

David Brumley, CEO of software security firm ForAllSecure, says car companies should be required to ask for informed consent from drivers to share their information for advertising or for any other purpose not specific to delivering a required feature. 

"Over-the-air software updates? Probably being served from Amazon or Google. Maps? Probably from a third-party. Accurate position? It's not just GPS; often it's assisted with other metadata — like Swift Navigation — to increase accuracy," Brumley notes.

A car vendor might require some data, like location information, for instance, to provide services such as roadside assistance, traffic warnings, and autonomous driving. So there needs to be separate consent requirement for sharing such data and for sharing data for pure profit reasons, he says. "Second, we need a law that says companies must not limit functionality when someone opts out," he adds. "Someone shouldn't be able to force your consent so you can keep driving to work."

Brumley says it's unrealistic, however, to expect the FTC to drive much change. "They don't exercise their regulatory powers in other domains, and instead rely on free-market" dynamics, which won't help here, he says. "Where we may get a bump is EU regulations, which tend to be stricter.  We also need consumers to speak up that it impacts their buying decisions."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Smart Cars Share Driver Data, Prompting Calls for Federal Scrutiny

The security vulnerabilities, CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396, could lay open proprietary and sensitive research to data thieves.

Source: Yuri Arcurs via Alamy Stock Photo

Researchers have discovered three cross-site scripting (XSS) vulnerabilities in Research Electronic Data Capture (REDCap), a Web application developed by Vanderbilt University and used for building and managing online surveys and databases for scientific and academic researchers.

The vulnerabilities are tracked as CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396, and they "could allow attackers to execute malicious JavaScript code in victims' browsers, potentially compromising sensitive data," according to an advisory from Trustwave's SpiderLabs.

Researchers there identified the vulnerabilities in multiple locations within version 13.1.9 in REDCap, which is popular in universities and scientific institutions for managing studies that contain private, sensitive information. The vulnerable locations in the platform include calendar events, public surveys, and project dashboards.

"Our researchers developed proof-of-concept exploits for each vulnerable location," the researchers wrote. "In each case, they were able to inject a simple JavaScript payload that, when triggered, executes an alert displaying the document domain."

The vulnerabilities could allow threat actors to steal sensitive information, impersonate the victim's actions, manipulate the REDCap application, and even gain access to protected data.

It's recommended that users update to REDCap version 14.2.1 or later, where Vanderbilt University has addressed these bugs, to mitigate these flaws. 

**About the Author(s)**

Dangerous XSS Bugs in RedCAP Threaten Academic &amp; Scientific Research

If paying a ransom is prohibited, organizations won't do it — eliminating the incentive for cybercriminals. Problem solved, it seems. Or is it?

Ilia Sotnikov, Security Strategist & Vice President of User Experience, Netwrix

July 31, 2024

4 Min Read

Source: Olekcii Mach via Alamy Stock Photo

COMMENTARY

Ransomware and other malware attacks are among the top three types of security incidents that organizations experience, according to Netwrix's "2024 Hybrid Security Trends Report." In a bid to curb this menace, for several years now there have been discussions around a radical approach: making ransomware payments illegal. The rationale is straightforward. If paying a ransom is prohibited, organizations won't do it — thus eliminating the incentive for cybercriminals to launch ransomware attacks. Problem solved. Or is it?

**All Ransoms Are Not Equal**

We must first recognize that there are multiple types of extortion. Ransomware is generally different from physical extortion cases like kidnappings, hostage situations, and threats of violence against individuals or public spaces. However, a ransomware attack, for example, on a hospital, literally endangers patients' lives. 

In scenarios where human lives are directly at stake, the ethical and legal considerations surrounding ransom payments are more complex than a simple ban allows for. Given the adaptability and resourcefulness of ransomware attackers, it is highly likely that they will push the boundaries of such a ban and test the limits of enforcement. As a result, a blanket ban on all ransom payments could force decision-makers into impossible moral dilemmas.

**The Law of Unintended Consequences**

Let's suppose for a moment that ransom payments have been legally prohibited, and a ransomware attack has just crippled your business. You need to get back online quickly or your business may go under. While the law forbids you from paying the ransom, enforcement agencies cannot stop what they don't know about. Almost certainly, some companies would quietly pay the ransom and simply not report the incident. This hesitancy to report attacks affects visibility into the actual scope of the problem and hinders law enforcement from acting accordingly. If the challenge is unknown, it cannot be addressed. 

In addition, there would be a disproportionate impact on small and medium-sized businesses. While large organizations might possess the resources to endure a ransomware attack without caving in to ransom demands, small businesses could face existential threats. A blanket ban on ransom payments could leave them in a precarious position of having to choose between resorting to illegal payments or risking going out of business.

**Case in Point: Cyber Insurance **

No legislative action or policy change occurs in isolation; it inevitably has ripple effects and unintended consequences. Cyber insurance provides a prime example in the arena of ransomware. By securing a cyber-insurance policy, businesses aim to protect themselves from the financial fallout of a ransomware attack, as the insurance provider would cover the ransom payment. 

Indeed, this is how it worked just several years ago. However, cybercriminals quickly recognized that insured organizations are more likely to pay ransoms, since their insurance company covers these expenses. It is reasonable to assume that threat actors started conducting reconnaissance on the cyber-insurance coverage of potential victims to tailor their attacks and maximize their profits. This is how cyber insurance might have contributed to the growth of the ransomware epidemic. 

Currently, one can hardly find an insurance company ready to reimburse the ransom payment.

**A Better Model: Follow the Banking Industry**

Bank robberies were once a prevalent threat, but they have significantly declined in recent decades. This reduction was not achieved by banning bank tellers from handing over cash. Instead, banks have adopted a multifaceted approach to mitigate the risk. To deter potential robbers, they use measures such as reduced cash handling, time-lock safes, enhanced security cameras, and alarm systems. Dye packs, decoy money, and GPS trackers reduce the risk of financial loss in cases where cash is ultimately handed over. What's more, appropriate security measures are a must to obtain and keep the license to operate. 

A similar approach may prove equally effective for other high-risk industries. Governments can establish cybersecurity benchmarks and recommend risk mitigation strategies, just as they have for the public sector and critical infrastructure. Such standards offer essential guidance for organizations that lack the strategic leadership necessary to develop an effective ransomware defense strategy independently. 

Finally, law enforcement agencies take their share of the responsibility and increase international collaboration to dismantle ransomware networks. The benefits of this approach are already paying off, as evidenced by the recent takedown of the LockBit ransomware gang. Agencies from more than half a dozen countries issued a detailed joint cybersecurity advisory that outlined LockBit's tactics and tools. They also seized some of the group's attack assets, significantly hindering their ability to initiate attacks.

**Conclusion**

Frustration is understandable as ransomware attacks continue around the globe, but simply denying victim organizations the option of paying the ransom is neither realistic nor practical. There will always be exceptions to the law, and unanticipated repercussions could make the cure worse than the disease. Instead, an effective response will require organizations to take greater responsibility for cybersecurity and government agencies to engage in good old-fashioned police work. This strategy may not be as straightforward as a ban on ransom payments, but the war against ransomware is winnable through a comprehensive, nuanced approach.

**About the Author(s)**

Security Strategist & Vice President of User Experience, Netwrix

An accomplished expert in cybersecurity and IT management, Ilia Sotnikov is security strategist and vice president of user experience at Netwrix, a vendor of information security and governance software. Netwrix is based in Frisco, Texas. 

Ilia has more than 20 years of experience in cybersecurity as well as IT management experience during his time at Netwrix, Quest Software, and Dell. In his current role, Ilia is responsible for technical enablement, UX design, and product vision across the entire product portfolio. Ilia’s main areas of expertise are data security and risk management.

Source

DARKReading