InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
A recent study by MITRE and DTEX revealed that despite years of industry efforts against insider threats, there isn’t enough data – or systems advanced enough – to spot all malicious behavior. As companies work to build a corporate culture of cybersecurity, they’ve begun investing in zero-trust architectures to proactively cover all attack surfaces.
While this is a step in the right direction, this security method also has the potential to raise fear and generate negative responses from employees. This is especially a concern amid the Great Resignation; countless employees are leaving their jobs due to issues centered around work culture that no longer meets the demands of the modern employee. If taken as a sign of mistrust and poor faith, zero-trust security could spread resentment and demotivation among employees, potentially accelerating turnover rates and bringing the Great Resignation to its peak.
How can companies effectively navigate zero trust without creating friction among employers and employees? And how do they get there without the luxury of trust-building exercises in the close quarters of an in-office environment?
The thing is, zero trust doesn’t mean seeding mistrust throughout an organization’s networks. Companies shouldn’t have to rely on technologies alone for protection. Security is best applied when it’s a team effort. In other words, successful zero trust relies on a culture of transparency, communication, and consistency across the board. When appropriately understood and applied, these efforts can create a sustainable zero-trust work environment. So, how do we get there?
Many organisations have been considering a network transformation initiative to support the adoption of SaaS, cloud-based applications, and an increasingly remote workforce. Given the connectivity needs of a remote workforce – and knowing a hybrid workforce is here to stay – many IT teams have had to make sudden changes in the way workers connect to corporate systems that could introduce new cyber risks and vulnerabilities.
When developing a security strategy for supporting a hybrid workforce, it is essential to identify risks, as well as any potential blind spots. As CISOs embark on their transformational journeys, identifying these areas of weakness should be the top priority. Keeping business data safe everywhere is crucial to enabling employees to work anywhere. However, enforcing the same policies consistently from the endpoint, network, web, and cloud requires a new approach.
Cloud dominance
For instance, cloud vulnerabilities and misconfigurations continue to be a concern, particularly as the demand for more cloud integration has increased. This has led CISOs to shift how they protect the corporate perimeter, with additional controls and monitoring tools being used to scan any access to the network. Security leaders are beginning to understand that the legacy detection tools traditionally used for data centres do not extend to the cloud, which is why a shift in strategy is required. As a result, identifying and remediating cloud system vulnerabilities and misconfiguration errors is a top priority for the modern CISO when protecting the remote workforce.
Security landscape requires adaptation
Keeping up with the security threat landscape is another area in which CISOs have had to adapt. Hackers have evolved their tactics to evade detection while using techniques that require less effort and reap a higher reward. Their end goal is to obtain money or steal sensitive data, which normally involves ransomware schemes, state-sponsored operations or simply nefarious individuals looking to make a name for themselves in the online underworld. Either way, they are more devious and better equipped than 12 months ago. Cybercrime has become commercialised, with many cybercriminals selling their tools, stolen details and ransomware kits across the dark web, giving others easy access to replicate attacks and cause more disruption.
With the ability to launch cyberattacks more quickly with little effort, we are witnessing CISOs and security teams adopting a proactive mindset to cybersecurity. This approach helps to avoid being overwhelmed by the number of threats, especially those targeting workers who are outside the traditional perimeter and are accessing corporate files remotely.
Those that are not taking a proactive stance are at risk, as even the most sophisticated defence strategies become ineffective if they are not regularly tested and kept current. Now able to mimic human behaviour with artificial intelligence, hackers are outpacing many organisations when it comes to the technology and hacking techniques used against them.
Other security initiatives to leverage
The job is never finished when it comes to the cybersecurity of an organisation. This means staying one step ahead of the next potential threat. Looking ahead now means better preparation for the future. Mitigating third-party risk, embedding security into the development process, and defending against ransomware attacks are just a few things that CISOs should be incorporating as part of the future-proofing cybersecurity strategy for a hybrid workforce.
Key initiatives should include adopting multi-factor authentication, achieving greater response time through automation, and extending Zero Trust to applications. The rapid adoption of cloud services, IoT, application containers, and other technologies is helping drive organisations forward. However, it also means that security teams must work harder to maintain visibility. To do so, they need to continuously see and catalogue every asset in their environments and accurately determine the security status of their devices.
In addition to the initiatives mentioned, secure access service edge (SASE) is a framework that CISOs are beginning to embrace, as it is a convergence of key security capabilities including software-defined wide area networking (SD-WAN), Firewall-as-a-Service (FWaaS), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB) and Zero-Trust Network Access (ZTNA). It supports the organisation’s cloud-based computing environments while providing security professionals the information they need to secure the digital transformation journey as well as the remote workforce.
Organisations are feeling a shift in networking and security with the realities of mobile working, particularly as they rapidly adopt and embrace the cloud. With this, CISOs are seeking further efficiency, visibility, and stronger security for their enterprises. SASE and Zero trust implementations can provide more comprehensive security capabilities to support digital transformations.
The freight logs of two major Chinese shipping ports have been leaking data, a problem which, if left unresolved, could disrupt the supply chain of up to 70,000 tonnes of cargo a day, with potentially serious consequences for international shipping.
The Cybernews® research team identified an open ElasticSearch database, exposed to the public, which contained more than 243GB of data detailing current and historic ship positions. Analyzing the data, the team determined that it is highly likely to belong to the Yangtze river ports of Nanjing and Zhangjiagang.
The discovery is especially timely, given the escalation of the geopolitical situation caused by Russia’s recent decision to invade Ukraine. “This could have gone very badly if bad guys had found it before we did,” said a spokesperson for Cybernews.
ElasticSearch lacks a default authentication and authorization system – meaning the data must be put behind a firewall, or else run the risk of being freely accessed, modified or deleted by threat actors. The push access logs of zjgeport.com found in the database contained user IDs and, most importantly, API keys that could in theory permit universal access, allowing a cybercriminal to write new data about current ship positions.
In layman’s terms, if the gap were left unplugged it could allow threat actors to read, delete or alter any of the entries in the exposed databases – or even create new ones for cargoes or ships that don’t exist. Moreover, conventional criminals could physically hijack a ship and jam its communications, leaving the port that controls and tracks its movements unaware that the vessel had been boarded.
That in turn could jeopardize up to 3,100 vessels that transport more than 250 million tonnes of cargo annually to and from the two ports – not to mention putting at risk the lives of the estimated 40,000 passengers a year that use Nanjing for sea travel.
The Cybernews team said: “Because of the way ElasticSearch architecture is built, anybody with access to the link has full administrator privileges over the data warehouse, and is thus able to edit or delete all of the contents and, most likely, disrupt the normal workflow of these ports.
“Because both of these ports directly connect factories based in China to international waters, it’s more than likely that they carry international cargo, thus creating a butterfly effect likely to affect the whole supply chain worldwide if the open instance is not closed.”
Zhangjiagang’s main cargoes include steel, timber, coal, cement and chemical fertilizers, while Nanjing typically trades in goods such as metal ore, light industrial goods, petroleum and pharmaceutical products. With Russia having incurred global sanctions as a result of its invasion of Ukraine, the fate of China’s economy will be more important than ever as it seeks to fill the vacuum created by its superpower neighbor’s expulsion from the world stage.
Since being alerted to the problem by Cybernews, the owners of the ElasticSearch database have enforced HTTP Authentication as a requirement for access, effectively cutting it off from the public side of the internet.
The flaws can allow remote attackers to manipulate the power of millions of enterprise devices carrying out extreme cyber-physical attacks.
Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical systems.
“If exploited, these vulnerabilities, dubbed TLStorm, allow for complete remote take-over of Smart-UPS devices and the ability to carry out extreme cyber-physical attacks. According to Armis data, almost 8 out of 10 companies are exposed to TLStorm vulnerabilities.” reads the analysis published by Armis.
According to the researchers, APC has over 20 million devices deployed worldwide, and almost 8 out of 10 companies are exposed to TLStorm vulnerabilities.
Two of the TLStorm vulnerabilities reside in the TLS implementation used by Cloud-connected Smart-UPS devices, while the third one is a design flaw in the firmware upgrade process of Smart-UPS devices.
The researchers discovered that the firmware upgrades are not properly signed and validated.
This third flaw could be exploited by an attacker to achieve persistence by planting a malicious update on vulnerable UPS devices.
Below is the list of the flaws discovered by the experts:
CVE-2022-22806 – TLS authentication bypass: A state confusion in the TLS handshake leads to authentication bypass, leading to remote code execution (RCE) using a network firmware upgrade.
CVE-2022-22805 – TLS buffer overflow: A memory corruption bug in packet reassembly (RCE).
CVE-2022-0715 – Unsigned firmware upgrade that can be updated over the network (RCE).
An attacker can trigger one of the above issues to gain remote code execution on vulnerable devices and interfere with the operation of the UPS to cause physical damage.
“The fact that UPS devices regulate high voltage power, combined with their Internet connectivity—makes them a high-value cyber-physical target. In the television series Mr. Robot, bad actors cause an explosion using an APC UPS device.” continues Armis. “However, this is no longer a fictional attack. By exploiting these vulnerabilities in the lab, Armis researchers were able to remotely ignite a Smart-UPS device and make it literally go up in smoke.”
Experts pointed out that vulnerabilities in the firmware upgrade process are often abused by sophisticated APT groups.
Armis reported the flaws to Schneider Electric’s APC on October 31, 2021; the vendor addressed them with the security updates released on Patch Tuesday, March 8, 2022.
“UPS devices, like many other digital infrastructure appliances, are often installed and forgotten. Since these devices are connected to the same internal networks as the core business systems, exploitation attempts can have severe implications.” concludes the report. “It’s important for security professionals to have complete visibility of all assets, along with the ability to monitor their behavior, in order to identify anomalies and/or exploit attempts. However, traditional security solutions do not cover these assets. As a result, they remain ‘unseen’ and therefore expose the organization to significant risk.”
Are you planning a career as a DPO (data protection officer)?
Are you planning a career as a DPO (data protection officer)? Our unique combined GDPR (General Data Protection Regulation) and DPO training course is now available in a low-cost self-paced online format.
Work at your own pace with self-paced online training – a more affordable, flexible and less disruptive way to study. Designed by GDPR experts, this course features pre-recorded video modules supported by a learner guide and interactive exercises and tests.
The course includes essential elements of our GDPR / Data Privacy Roles Learning Path, which provides a unique guide to which training courses and qualifications will help you enhance your GDPR or DPO career.
Researchers disclosed 16 high-severity flaws in different implementations of Unified Extensible Firmware Interface (UEFI) firmware impacting multiple HP enterprise devices.
Researchers from cybersecurity firm Binarly discovered 16 high-severity vulnerabilities in various implementations of Unified Extensible Firmware Interface (UEFI) firmware impacting multiple HP enterprise devices.
An attacker can exploit these vulnerabilities to implant firmware that survives operating system updates and bypasses UEFI Secure Boot, Intel Boot Guard, and virtualization-based security.
Impacted devices include multiple HP enterprise devices, including laptops, desktops, point-of-sale systems, and edge computing nodes.
“By exploiting the vulnerabilities disclosed, attackers can leverage them to perform privileged code execution in firmware, below the operating system, and potentially deliver persistent malicious code that survives operating system re-installations and allows the bypass of endpoint security solutions (EDR/AV), Secure Boot and Virtualization-Based Security isolation.” reads the analysis published by Binarly.
Below is the list of vulnerabilities discovered by the researchers:
“Binarly believes that the lack of a knowledge base of common firmware exploitation techniques and primitives related to UEFI firmware makes these failures repeatable for the entire industry. We are working hard to fill this gap by providing comprehensive technical details in our advisories. This knowledge base is crucial for developing effective mitigations and defense technologies for device security.”, said Alex Matrosov, Founder and CEO at Binarly.
The most severe of the vulnerabilities discovered by the researchers are memory corruption issues affecting the System Management Mode (SMM) of the firmware. An attacker could trigger them to gain arbitrary code execution with the highest privileges.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added recently disclosed Firefox zero-days to its Known Exploited Vulnerabilities Catalog.
The Cybersecurity and Infrastructure Security Agency (CISA) added two critical security vulnerabilities in Mozilla Firefox, tracked as CVE-2022-26485 and CVE-2022-26486, to its Known Exploited Vulnerabilities Catalog. The US agency has ordered federal civilian agencies to address both issues by March 21, 2022.
Yesterday Mozilla released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to address the two zero-day vulnerabilities that are actively exploited in attacks.
The two vulnerabilities are “Use-after-free” issues in XSLT parameter processing and in the WebGPU IPC Framework respectively.
Successful exploitation of the flaws can cause a program crash or execute arbitrary commands on the machine.
Below is the description of both flaws included in the advisory published by Mozilla:
CVE-2022-26485: Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw.
CVE-2022-26486: An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape.
CISA added nine other vulnerabilities to its Known Exploited Vulnerabilities Catalog that are reported in the following table along with the associated due date.
CVE ID | Vulnerability Name | Due Date
CVE-2022-26486 | Mozilla Firefox Use-After-Free Vulnerability | 03/21/22
CVE-2022-26485 | Mozilla Firefox Use-After-Free Vulnerability | 03/21/22
CVE-2021-21973 | VMware vCenter Server, Cloud Foundation Server Side Request Forgery (SSRF) | 03/21/22
CVE-2020-8218 | Pulse Connect Secure Code Injection Vulnerability | 09/07/22
CVE-2019-11581 | Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability |
A Linux kernel flaw, tracked as CVE-2022-0492, can allow an attacker to escape a container to execute arbitrary commands on the container host.
A now-patched high-severity Linux kernel vulnerability, tracked as CVE-2022-0492 (CVSS score: 7.0), can be exploited by an attacker to escape a container to execute arbitrary commands on the container host.
The issue is a privilege escalation flaw affecting the Linux kernel feature called control groups (cgroups), which limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.
“A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.” reads the advisory published for this flaw.
Major Linux distros, including SUSE, Ubuntu, and Red Hat, also published their own advisories.
The flaw resides in the cgroups v1 release_agent functionality which is executed after the termination of any process in the group.
The root cause of the problem is the cgroups implementation in the Linux kernel that did not properly restrict access to the feature. A local attacker could exploit this vulnerability to gain administrative privileges.
The vulnerability was discovered by the security researchers Yiqi Sun and Kevin Wang.
“[…] CVE-2022-0492, a new privilege escalation vulnerability in the kernel. CVE-2022-0492 marks a logical bug in control groups (cgroups), a Linux feature that is a fundamental building block of containers.” reads the analysis published by Palo Alto Networks Unit 42 researcher Yuval Avrahami. “The issue stands out as one of the simplest Linux privilege escalations discovered in recent times: The Linux kernel mistakenly exposed a privileged operation to unprivileged users.”
According to Palo Alto Networks, CVE-2022-0492 is caused by the lack of a check that the process setting the release_agent file has administrative privileges (i.e. the CAP_SYS_ADMIN capability).
Attackers that can write to the release_agent file can force the kernel into invoking a binary of their choosing with elevated privileges and take over the machine. Only processes with “root” privileges can write to the file.
“Because Linux sets the owner of the release_agent file to root, only root can write to it (or processes that can bypass file permission checks via the CAP_DAC_OVERRIDE capability). As such, the vulnerability only allows root processes to escalate privileges.” continues the analysis. “At first glance, a privilege escalation vulnerability that can only be exploited by the root user may seem bizarre. Running as root doesn’t necessarily mean full control over the machine: There’s a gray area between the root user and full privileges that includes capabilities, namespaces, and containers. In these scenarios where a root process doesn’t have full control over the machine, CVE-2022-0492 becomes a serious vulnerability.”
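The "gray area" Unit 42 describes is easiest to see as a decision table. The Python below is an added illustration, not code from the article, Unit 42 or the kernel; it models only the two gates that decide whether a write to release_agent is accepted (the ordinary file-permission check, and the CAP_SYS_ADMIN check the fix added) and evaluates them for a few constructed process descriptions. The container capability set used here mirrors the common runtime default of granting CAP_DAC_OVERRIDE but not CAP_SYS_ADMIN (true of Docker's default set); adjust it for your own runtime.

```python
from dataclasses import dataclass

# Capability names as in capabilities(7); only the two the check cares about.
CAP_DAC_OVERRIDE = "CAP_DAC_OVERRIDE"
CAP_SYS_ADMIN = "CAP_SYS_ADMIN"

# cgroup v1 creates release_agent owned by root (uid 0), mode 0644.
RELEASE_AGENT_OWNER_UID = 0


@dataclass(frozen=True)
class Proc:
    """Constructed description of a process; not real kernel state."""
    label: str
    euid: int        # effective uid as the kernel sees it (0 is root)
    caps: frozenset  # capabilities held relative to the *initial* user namespace;
                     # root only inside a child user namespace has an empty set here


def passes_vfs_write_check(p: Proc) -> bool:
    """Ordinary file-permission gate: the owner may write, and
    CAP_DAC_OVERRIDE bypasses the mode bits for everyone else."""
    return p.euid == RELEASE_AGENT_OWNER_UID or CAP_DAC_OVERRIDE in p.caps


def may_write_release_agent(p: Proc, patched: bool) -> bool:
    """Before the fix the VFS gate was the only check. The fix adds an
    explicit CAP_SYS_ADMIN requirement, evaluated against the initial user
    namespace, so root in a container that lacks CAP_SYS_ADMIN fails it."""
    if not passes_vfs_write_check(p):
        return False
    if patched and CAP_SYS_ADMIN not in p.caps:
        return False
    return True


def exposed_by_cve_2022_0492(p: Proc) -> bool:
    """True for processes in the gray area: allowed to set release_agent on
    an unpatched kernel, refused on a patched one."""
    return (may_write_release_agent(p, patched=False)
            and not may_write_release_agent(p, patched=True))


# Constructed scenarios (labels and capability sets are illustrative).
FULL_CAPS = frozenset({CAP_DAC_OVERRIDE, CAP_SYS_ADMIN})
DEFAULT_CONTAINER_CAPS = frozenset({CAP_DAC_OVERRIDE})

SCENARIOS = [
    Proc("root on the host", euid=0, caps=FULL_CAPS),
    Proc("root in a default container", euid=0, caps=DEFAULT_CONTAINER_CAPS),
    Proc("root in a privileged container", euid=0, caps=FULL_CAPS),
    Proc("unprivileged user on the host", euid=1000, caps=frozenset()),
]


def exposed_labels() -> list:
    """Labels of the constructed scenarios that the missing check exposed."""
    return [p.label for p in SCENARIOS if exposed_by_cve_2022_0492(p)]


if __name__ == "__main__":
    for p in SCENARIOS:
        print(f"{p.label:32s} unpatched={may_write_release_agent(p, False)!s:5s} "
              f"patched={may_write_release_agent(p, True)}")
    print("exposed by CVE-2022-0492:", exposed_labels())
```

Only the second row changes between the two columns: host root and a privileged container already hold CAP_SYS_ADMIN and lose nothing, an unprivileged user never passed the file-permission gate, and root in an ordinary container is exactly the process that was root enough to write the file but not privileged enough to have earned it.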
Users are recommended to apply the security fixes as soon as possible. Containers running AppArmor or SELinux security systems are not impacted.
Mozilla has published Firefox 97.0.2, an “out-of-band” update that closes two bugs that are officially listed as critical.
Mozilla reports that both of these holes are already actively being exploited, making them so-called zero-day bugs, which means, in simple terms, that the crooks got there first:
We have had reports of attacks in the wild abusing [these] flaw[s].
Access to information about the bugs is still restricted to Mozilla insiders, presumably to make it harder for attackers to get at the technical details of how to exploit these security holes.
Assuming that the existing zero-day exploits are not widely known (these days, true zero-days are often jealously guarded by their discoverers because they’re considered both scarce and valuable), temporarily limiting access to the source code changes does provide some protection against copycat attacks.
As we’ve mentioned many times before on Naked Security, finding and exploiting a zero-day hole when you know where to start looking, and what to start looking for, is very much easier than discovering such a bug from scratch.
The bugs are listed as:
CVE-2022-26485. Use-after-free in XSLT parameter processing. This bug has apparently already been exploited for remote code execution (RCE), implying that attackers with no existing privileges or accounts on your computer could trick you into running malware code of their choice simply by luring you to an innocent-looking but booby-trapped website.
CVE-2022-26486. Use-after-free in WebGPU IPC Framework. This bug has apparently already been exploited for what’s known as a sandbox escape. This sort of security hole can typically be abused on its own (for example, to give an attacker access to files that are supposed to be off limits), or in combination with an RCE bug to allow implanted malware to escape from the security confines imposed by your browser, thus making an already bad situation even worse.
Use-after-free bugs occur when one part of a program signals its intention to stop using a chunk of memory that was allocated to it…
…but carries on using it anyway, thus potentially trampling on data that other parts of the program are now relying on.
What to do?
Go to the About Firefox dialog to check your current version.
If you are out of date then Firefox will offer to fetch the update and then present a [Restart Firefox] button; click the button, or exit and restart the browser, to deploy the update.
The version numbers you want are: Firefox 97.0.2 (if you are using the regular release), or Firefox 91.6.1 ESR (if you are using the extended support release), or Firefox 97.3.0 for Android.
If you’re on Android, check for updates via the Play Store.
If you’re a Linux user where Firefox is managed by your distro, check your distro creator.
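For anyone checking more than one desktop machine, the version test above can be scripted. The following is an added example, not part of the Naked Security post: it parses the output of `firefox --version` and compares it against the fixed versions named above (97.0.2 for the regular release, 91.6.1 for ESR). It assumes ESR builds print an `esr` suffix, as in `Mozilla Firefox 91.6.1esr`; Android builds are updated through the Play Store and cannot be queried this way.

```python
import re
import subprocess

# Fixed versions named in the advisory, by release channel.
FIXED_VERSIONS = {"release": (97, 0, 2), "esr": (91, 6, 1)}

# Matches the tail of `firefox --version` output such as
# "Mozilla Firefox 97.0.2" or "Mozilla Firefox 91.6.1esr".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\s*$")


def parse_firefox_version(output: str):
    """Return (channel, (major, minor, patch)) for a --version string.
    An 'esr' suffix marks the extended support release; a missing patch
    component (e.g. '98.0') counts as 0."""
    m = _VERSION_RE.search(output.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {output!r}")
    major, minor, patch, esr = m.groups()
    channel = "esr" if esr else "release"
    return channel, (int(major), int(minor), int(patch or 0))


def is_patched(output: str) -> bool:
    """True if the build is at or above the fixed version for its channel."""
    channel, version = parse_firefox_version(output)
    return version >= FIXED_VERSIONS[channel]


def installed_firefox_version(binary: str = "firefox"):
    """Run `<binary> --version` and return its output, or None if the
    binary is missing or fails (desktop builds only)."""
    try:
        return subprocess.run([binary, "--version"], capture_output=True,
                              text=True, check=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return None


if __name__ == "__main__":
    out = installed_firefox_version()
    if out is None:
        print("firefox binary not found; check the About Firefox dialog instead")
    else:
        channel, version = parse_firefox_version(out)
        state = "patched" if is_patched(out) else "UPDATE NEEDED"
        print(f"{out.strip()} ({channel}) -> {state}")
```

Distro-packaged builds may carry the fix under a different package version, so on Linux treat a "needs update" result as a prompt to check the distro's advisory rather than as a final verdict.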
When CISOs, CIOs, CTOs, security engineers, security analysts and security architects were asked to rank the primary capabilities of a traditional SIEM according to how satisfied they were with those capabilities, an interesting picture emerged. The survey results indicated that every primary capability of traditional SIEM solutions, at best, only somewhat met the majority of users’ needs. Some capabilities were irrelevant to many users. This tepid level of satisfaction is what drove many security teams to undertake the effort to build their own security monitoring tools.
Data Coverage and Data Use
Less than 25% of the respondents believed that their SIEM covered more than 75% of their security-relevant data. Nearly 17% responded that their existing platform covered less than a quarter of their data.
Furthermore, when asked if they believed their current SIEM platform were capable of handling the volume of security data their organization will generate in the future, a third of the respondents said they expected their existing platform to keep falling behind.
These results underscore the risks security teams (and their organizations) are forced to tolerate due to the cost and overhead required to bring high volumes of security-relevant data into traditional SIEM platforms. Without full visibility into all necessary data, security teams will undoubtedly have blind spots that impede their ability to protect their organizations.
OK, so what can they do instead? Well, a cloud-native architecture capable of ingesting, normalizing and analyzing terabytes of data per day cost-effectively is necessary to keep up.
Moving From Static to Dynamic
Security professionals are well aware of the static nature of traditional SIEM platforms. Many believe they pay too much for the capabilities provided and are concerned about what the future holds.
SIEMs were designed over ten years ago when the world was a very different place. The technology hasn’t evolved its approach to keep up with the needs of cloud-scale environments. Adequate security today depends on full visibility into security-relevant data, structured, scalable data lakes, cloud-native workflows and fast detection and response times. Security teams need a modern approach to security monitoring built for the cloud-first world.
Researchers analyzed more than 200,000 network-connected medical infusion pumps and discovered that over 100,000 of them are vulnerable.
Researchers from Palo Alto Networks have analyzed more than 200,000 medical infusion pumps on the networks of hospitals and other healthcare organizations and discovered that 75% are affected by known vulnerabilities that could be exploited by attackers.
“We reviewed crowdsourced data from scans of more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations using IoT Security for Healthcare from Palo Alto Networks.” reads the report published by Palo Alto Networks. “An alarming 75 percent of infusion pumps scanned had known security gaps that put them at heightened risk of being compromised by attackers. These shortcomings included exposure to one or more of some 40 known cybersecurity vulnerabilities and/or alerts that they had one or more of some 70 other types of known security shortcomings for IoT devices.”
One of the most interesting findings that emerged from the report is that 52% of all infusion pumps analyzed by the experts were susceptible to two vulnerabilities publicly disclosed in 2019. These data are disconcerting considering that the average infusion pump has a life of eight to 10 years.
The following table reports the 10 most prevalent issues that emerged from the scan of network-connected medical devices.
Table 1. The top 10 most prevalent vulnerabilities found in the more than 200,000 inf
Experts grouped the issues into several categories, including leakage of sensitive information, unauthorized access and buffer overflow. Palo Alto Networks reported that some issues are related to third-party cross-platform libraries used by the devices, such as network stacks. Two such flaws are the … and CVE-2019-12264 vulnerabilities in the IPnet TCP/IP stack.
Both flaws affect 52% of the analyzed infusion pumps, roughly 104,000 devices.
Palo Alto Networks recommends that healthcare providers adopt a proactive security strategy to prevent attacks. Below are some key capabilities to consider when evaluating IoMT security strategies and technologies for healthcare:
Accurate discovery and inventory
Holistic risk assessment
Apply risk reduction policies
Prevent Threats
“Among the 200,000 infusion pumps we studied, 75% were vulnerable to at least one vulnerability or threw up at least one security alert. While some of these vulnerabilities and alerts may be impractical for attackers to take advantage of unless physically present in an organization, all represent a potential risk to the general security of healthcare organizations and the safety of patients – particularly in situations in which threat actors may be motivated to put extra resources into attacking a target.” concludes the report.
Researchers from JFrog’s Security Research team discovered five vulnerabilities in the popular PJSIP open-source multimedia communication library.
PJSIP is a communication library written in C that implements standards-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. It combines the SIP signaling protocol with a rich multimedia framework and NAT traversal functionality in a high-level API that is portable and suitable for almost any type of system, from desktops and embedded systems to mobile handsets.
PJSIP supports audio, video, presence, and instant messaging; the API supplied by the library can be used by IP telephony applications, including VoIP devices.
Many popular communication applications use the library, including WhatsApp, BlueJeans and Asterisk.
An attacker can exploit the flaws to gain arbitrary code execution on devices running applications using the vulnerable library or to trigger a denial-of-service (DoS) condition.
Guarding intellectual property (IP) has always been a priority for medical device manufacturers as competitors and even nation states are constantly trying to compromise or steal IP. For example, in January 2019, a Chinese national who stole secrets while working for medical device companies including Medtronic and Edwards, was sentenced to over two years in federal prison. Over time, Wenfeng Lu had copied numerous documents belonging to both of his employers that contained technical information and trade secrets, took them home, and placed them on his personal laptop computer. He was arrested as he prepared to board a plane to the PRC.
It has never been easier or more profitable to hack devices for their IP. More and more medical devices have transformed from mechanical devices with limited software into software-packed devices. Companies spend billions of dollars on R&D for years upon years, only to leave vulnerabilities in the software and firmware of the devices, opening the door for hackers to waltz in and steal their IP. Something is horribly wrong with this scenario.
Sometimes the vulnerabilities are created during the development process, and sometimes they come part and parcel from the components received from their supply chain providers. Amplifying the challenge is the shortage of parts and components caused in part by the pandemic. This is driving many manufacturers to seek alternative suppliers who can produce steady supplies. With new suppliers comes the added risk of new, untested components and the potential for many new threats and vulnerabilities.
Organizations that wish to secure their IP from theft and misuse need to do a much better job at securing the devices that they produce.
What’s at stake
Stolen intellectual property enables hackers to re-engineer and sell the same device with a fraction of the investment in R&D. Wenfeng Lu for example had obtained financing and was preparing to open a company in the PRC that would manufacture devices used to treat vascular problems and would use technology he had stolen from his American employers, according to court documents.
The Commission on the Theft of American Intellectual Property estimates that annual costs from IP losses range from $225 billion to $600 billion. IP infringement may significantly affect a company’s revenue and put downward pressure on its prices. If a competitor steals a company’s product trade secrets, it may beat that company to market with a new and innovative product, undercutting the victim’s market share.
Medical device companies face a very competitive environment, increasing the incentive for IP theft. Stealing IP using online hacking techniques has become more widespread and harmful due to low costs, difficult attribution and the ability to remotely hack systems.
The device is the target
While IP does leak from internal sources and insider threats, it is increasingly stolen through cyber-attacks on the device itself. In one recently reported case, a Massachusetts medical device engineering company had the source code for its devices, and the algorithms essential to operating them, taken by attackers. Devices reside at the customer’s location and can often be accessed, probed and reverse engineered at the attacker’s leisure.
New Common Vulnerabilities and Exposures (CVEs) are published constantly, yet risk assessments are often run only sporadically during development and not at all after the product launches. That leaves long windows during which devices are exposed, allowing attackers to lift software and firmware algorithms and disappear without anyone knowing they were there.
Hardening the device
Protecting IP assets is a business-critical task. Protecting the IP on a device requires a holistic approach to device security. Locking down the interfaces, as well as protecting the software code and firmware, is crucial for defending against IP theft. While there is no guarantee of protection, the goal is to increase the level of difficulty to the point where there are many more obstacles, and more time and cost required for hacking the device.
It’s imperative that medical manufacturers defend themselves from IP theft, including targeted cyber-attacks. To protect IP, enterprises need product security systems that automatically and continuously monitor medical device software and firmware, uncovering known and zero-day vulnerabilities.
Protecting the code
The software and firmware running the device are a valuable target for attackers. Adding layers of protection that make the code harder to reach and read is essential to securing IP: finding and fixing errors in the code that could give attackers a way in, encrypting data and storage, and using obfuscation techniques to make reverse engineering more costly.
Manufacturers should run continuous vulnerability assessments of the software deployed on medical devices, checking it against vulnerability databases. They should ensure that the cybersecurity platform they enlist can also detect zero-day vulnerabilities. The monitoring should stretch through the entire lifecycle, from design to end-of-life of the device. The solution should also be able to output a software bill of materials (SBOM) or cyber bill of materials (CBOM) together with remediation options for any threats or vulnerabilities discovered.
Keeping products secure
One of the most effective ways to secure the IP on a device is to remove the easiest way in: known vulnerabilities. Attackers scan targets for known, published vulnerabilities to use as starting points. Vulnerability management therefore requires continuous monitoring of threats and vulnerabilities throughout the product lifecycle. Late discovery, or failure to properly remediate discovered vulnerabilities, can lead to costly recalls and damage to brand and bottom line.
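The SBOM-driven matching that the two sections above call for, as an added example that is not code from the original article or from any vendor platform: it takes a CycloneDX-style component list and a local advisory feed (both constructed here; the EXAMPLE-* identifiers are placeholders, not real CVE numbers) and reports which components fall inside an affected version range. It also flags components whose version the SBOM omits as unassessable instead of silently passing them as clean, which is the failure mode to watch for when consuming supplier-provided SBOMs.

```python
"""Match a CycloneDX-style SBOM against a local vulnerability feed.

Added example, not code from the original article or from any vendor
product. The SBOM fragment, the advisory feed and the EXAMPLE-* identifiers
are constructed for illustration and are not real components or CVEs.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed SBOM in CycloneDX JSON shape (components only). The last entry
# deliberately lacks a version, a common defect in real-world SBOMs.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k"},
    {"type": "library", "name": "zlib", "version": "1.2.11"},
    {"type": "operating-system", "name": "linux", "version": "4.19.0"},
    {"type": "library", "name": "libjpeg", "version": "9d"},
    {"type": "application", "name": "busybox"}
  ]
}
"""

# Constructed advisory feed: a component is affected when
# introduced <= version < fixed; fixed=None means no fix has shipped yet.
ADVISORY_FEED = [
    {"id": "EXAMPLE-0001", "component": "openssl", "introduced": "1.1.1", "fixed": "1.1.1l"},
    {"id": "EXAMPLE-0002", "component": "zlib", "introduced": "1.2.0", "fixed": "1.2.11"},
    {"id": "EXAMPLE-0003", "component": "libjpeg", "introduced": "9a", "fixed": None},
    {"id": "EXAMPLE-0004", "component": "openssl", "introduced": "3.0.0", "fixed": "3.0.2"},
]

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version: str) -> tuple:
    """Turn '1.1.1k' into a comparable tuple: numeric runs compare as
    integers, letter runs compare after any number at the same position.
    Simplification: this suits OpenSSL-style letter suffixes but does not
    implement semver pre-release ordering ('1.0.0-rc1' would sort above
    '1.0.0'); a production matcher must use the feed's own version scheme."""
    key = []
    for tok in _TOKEN.findall(version):
        if tok.isdigit():
            key.append((0, int(tok), ""))
        else:
            key.append((1, 0, tok.lower()))
    return tuple(key)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


@dataclass
class Report:
    findings: Dict[str, List[str]] = field(default_factory=dict)  # "name@ver" -> advisory ids
    unassessable: List[str] = field(default_factory=list)          # components lacking a version


def match_sbom(sbom_json: str, feed: List[dict]) -> Report:
    """Cross-reference every SBOM component against the advisory feed."""
    report = Report()
    for comp in json.loads(sbom_json).get("components", []):
        name = comp.get("name", "").lower()
        version = comp.get("version")
        if not version:
            # No version means no range check is possible; surface it rather
            # than letting the component pass as clean.
            report.unassessable.append(name)
            continue
        hits = [adv["id"] for adv in feed
                if adv["component"] == name
                and is_affected(version, adv["introduced"], adv.get("fixed"))]
        if hits:
            report.findings[f"{name}@{version}"] = hits
    return report


if __name__ == "__main__":
    rep = match_sbom(SBOM_JSON, ADVISORY_FEED)
    for comp, ids in rep.findings.items():
        print(f"AFFECTED  {comp}: {', '.join(ids)}")
    for name in rep.unassessable:
        print(f"UNKNOWN   {name}: SBOM entry has no version; cannot assess")
```

With the constructed inputs, openssl 1.1.1k is inside the EXAMPLE-0001 range and libjpeg 9d has no fixed version, so both are reported; zlib 1.2.11 sits exactly on the fixed boundary and is not flagged, and busybox is listed as unassessable. Running this on every build and again on a schedule after launch, against a feed that is actually refreshed, is the "continuous" part the article asks for.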
Chipmaker giant Nvidia has confirmed a data breach following the recently disclosed security incident; proprietary information was stolen.
Nvidia was recently the victim of a ransomware attack that impacted some of its systems for two days. The security breach is not connected to the ongoing crisis in Ukraine, according to a person familiar with the incident.
The incident also impacted the company’s developer tools and email systems, but business and commercial activities were not affected.
“Our business and commercial activities continue uninterrupted,” Nvidia said in a statement. “We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time.”
The Lapsus$ ransomware gang has claimed responsibility for the attack and announced that it stole 1 TB of data from Nvidia’s network. The gang has leaked around 20 GB of that data online, including credentials for all Nvidia employees.
The company launched an investigation to determine the extent of the intrusion, which confirmed that the attackers had stolen data from the chipmaker.
NVIDIA said employee credentials and proprietary information were stolen during a cyberattack they announced on Friday.
The chipmaker discovered the intrusion on February 23; the attack also impacted its IT resources.
“Access to NVIDIA employee VPN requires the PC to be enrolled in MDM (Mobile Device Management). With this they were able to connect to a [virtual machine] we use. Yes they successfully encrypted the data,” the Lapsus$ gang wrote in a subsequent message on its Telegram channel. “However we have a backup and it’s safe from scum! We are not hacked by a competitors groups or any sorts.”
Lapsus$ claim responsibility for the hack on Nvidia – and also claim that Nvidia successfully hacked back.
Below is the statement shared by NVIDIA with some websites and published by BleepingComputer.
“On February 23, 2022, NVIDIA became aware of a cybersecurity incident which impacted IT resources. Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement.” reads the statement. “We have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Russia-Ukraine conflict. However, we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online. Our team is working to analyze that information. We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident.”
US CISA and the FBI have warned US organizations that data wiping attacks targeting Ukrainian entities could spill over to targets worldwide.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint cybersecurity advisory warning US organizations that data wiping attacks targeting Ukraine could hit targets worldwide.
The advisory warns of the potential effects on organizations worldwide of two destructive malware families, tracked as WhisperGate and HermeticWiper.
The US agencies believe that further disruptive data wiping attacks could target organizations in Ukraine and may unintentionally spill over to organizations in other countries.
This joint Cybersecurity Advisory (CSA) provides information on the two wipers as well as indicators of compromise (IOCs) that could be used by defenders to detect and prevent infections. The advisory also provides recommended guidance and considerations for organizations to address as part of network architecture, security baseline, continuous monitoring, and incident response practices.
“Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries.” reads the advisory. “Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.”
Below is the list of actions recommended to organizations:
• Set antivirus and antimalware programs to conduct regular scans.
• Enable strong spam filters to prevent phishing emails from reaching end users.
• Filter network traffic.
• Update software.
• Require multifactor authentication.
The advisory also includes recommendations for System and Application Hardening and Recovery and Reconstitution Planning along with Incident Response instructions.
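The advisory’s indicators of compromise are meant to be consumed by defenders, and the simplest way to do that is to hash files on disk and compare them against the published list. The following is an added example, not code from the advisory or from CISA/FBI: it walks a directory tree, hashes each file in chunks, and reports any file whose SHA-256 is in an IOC table. The IOC values here are derived from constructed sample files that the script itself creates; a real run would load the hashes from the advisory instead.

```python
"""Scan a directory tree for files whose SHA-256 matches an IOC list.

Added example, not from the CISA/FBI advisory. The IOC table is derived
from constructed sample files created below, not from the advisory's
published hashes; swap in the real list for an actual hunt.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

CHUNK = 1 << 16  # read in 64 KiB pieces so large files do not sit in memory


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, computed incrementally."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, iocs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path relative to root, IOC label) for every file whose hash
    appears in `iocs`, which maps lowercase hex SHA-256 -> label.
    Unreadable files are skipped and reported separately by the caller if
    needed; they are never treated as clean."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:
                continue
            label = iocs.get(digest)
            if label:
                hits.append((os.path.relpath(full, root), label))
    return sorted(hits)


def build_sample_tree() -> Tuple[str, Dict[str, str]]:
    """Create a constructed tree with two 'planted' files and benign noise.
    Returns (root, ioc table); the table is derived from the planted bytes,
    so the hashes are constructed placeholders, not real malware hashes."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    planted = {
        "Windows/Temp/stage1.bin": b"CONSTRUCTED sample A - not real malware",
        "Users/Public/dropper.exe": b"CONSTRUCTED sample B - not real malware",
    }
    benign = {
        "Users/alice/notes.txt": b"quarterly report draft",
        "Program Files/app/app.dll": b"\x00" * 4096,
    }
    for rel, data in {**planted, **benign}.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    iocs = {hashlib.sha256(data).hexdigest(): f"constructed IOC for {rel}"
            for rel, data in planted.items()}
    return root, iocs


if __name__ == "__main__":
    demo_root, demo_iocs = build_sample_tree()
    for rel_path, label in scan_tree(demo_root, demo_iocs):
        print(f"MATCH {rel_path} -> {label}")
```

Hash IOCs are necessary but brittle: a recompiled or padded sample changes its digest, so a clean scan against this list proves only the absence of those exact binaries. Pair it with the advisory’s other indicators and with the hardening and recovery planning the advisory recommends, rather than treating a hash sweep as the whole response.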