This week’s updates show why it is crucial for business owners to patch vulnerabilities in their applications, and why it is equally essential for end-users to have the latest versions of these applications and software installed. Here are the weekly cyber headlines.

Cisco Releases Nine Security Patches

Cisco recently released patches for a critical vulnerability with a CVSS score of 9.6, affecting the Unified Contact Center Domain Manager (Unified CCDM) and Unified Contact Center Management Portal (Unified CCMP). Tracked as CVE-2022-20658, the vulnerability could be used to gain administrator privileges by submitting crafted HTTP requests to vulnerable systems. This was possible because there was no server-side validation of user permissions.

By exploiting the flaw, adversaries could create Administrator accounts to access and modify user resources in all Unified platforms associated with the vulnerable Cisco Unified CCMP. An adversary who had Advanced User credentials could easily exploit the vulnerability. As part of its ransomware protection measures, Cisco addressed this flaw in the Unified CCDM and Unified CCMP versions 11.6.1 ES17, 12.0.1 ES5, and 12.5.1 ES5. Version 12.6.1 of the software is not affected by the vulnerability. In its statement, Cisco mentions that it has no reason to believe that the vulnerability was exploited in any attack.
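The class of flaw described above, a privileged action carried out without a server-side permission check, is illustrated in the added example below. It is not Cisco's code: the handler names, the session store, and the role policy are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: server-side session store mapping tokens to roles.
SESSIONS = {"tok-adv": "advanced_user", "tok-admin": "administrator"}
# Assumed policy: roles each caller role may assign when creating an account.
GRANTABLE = {
    "administrator": {"administrator", "advanced_user", "basic_user"},
    "advanced_user": {"basic_user"},
}

class Forbidden(Exception):
    """Raised when the caller lacks permission for the requested action."""

@dataclass
class Request:
    token: str   # session token presented by the client
    body: dict   # client-controlled request body

def create_account_vulnerable(req: Request, accounts: dict) -> str:
    # Only checks that the caller is logged in; the requested role is taken
    # from the request body without checking what the caller may grant.
    if req.token not in SESSIONS:
        raise Forbidden("not authenticated")
    accounts[req.body["username"]] = req.body["role"]
    return req.body["role"]

def create_account_hardened(req: Request, accounts: dict) -> str:
    # Resolve the caller's role from server-side state, never from the request.
    caller_role = SESSIONS.get(req.token)
    if caller_role is None:
        raise Forbidden("not authenticated")
    requested = req.body.get("role")
    # Deny by default: unknown caller roles may grant nothing.
    if requested not in GRANTABLE.get(caller_role, set()):
        raise Forbidden(f"{caller_role} may not create {requested!r} accounts")
    accounts[req.body["username"]] = requested
    return requested

def demo() -> dict:
    # An Advanced User asks for an Administrator account (constructed request).
    crafted = Request("tok-adv", {"username": "new-admin", "role": "administrator"})
    vuln_accounts, hard_accounts, blocked = {}, {}, False
    create_account_vulnerable(crafted, vuln_accounts)
    try:
        create_account_hardened(crafted, hard_accounts)
    except Forbidden:
        blocked = True
    return {"vulnerable": vuln_accounts, "hardened": hard_accounts, "blocked": blocked}

if __name__ == "__main__":
    print(demo())
```
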

On Wednesday, the tech organization also announced the release of patches for eight medium-severity vulnerabilities in Secure Network Analytics, Tetration, Prime Access Registrar Appliance, Evolved Programmable Network Manager (EPNM), Prime Infrastructure (PI), several IP Phone models, Security Manager, Enterprise Chat and Email (ECE), and Adaptive Security Device Manager (ASDM).

Senate Introduces Two Cybersecurity Bills Amid Frequent Attacks on Federal Systems

The Senate Governmental Affairs and Homeland Security Committee, chaired by Gary Peters, has recently introduced two cyber-related bills to train feds on managing cybersecurity risks and to provide new federal resources to state and local governments to ensure ransomware protection. The first is called the Supply Chain Security Training Act. It is designed to be a training program for federal employees within the General Services Administration. Such employees will be trained to identify and mitigate supply chain risks and perform various supply chain risk management activities so that they can handle the risks that might arise throughout the acquisition lifecycle.

The second bill is called the State and Local Government Cybersecurity Act. In essence, it amends the 2002 Homeland Security Act to allow the federal government to provide technical assistance to state and local entities to conduct cybersecurity exercises. The bill will also make it easier for federal officials to collaborate with state, local, tribal, and territorial entities to establish information-sharing programs and vulnerability disclosure programs and to improve the election security infrastructure. These bills are proposed at a time when local and state governments are frequently targeted by ransomware attacks. Both bills now head to the House and have yet to pass through the concerned committees. They bring new hope to the federal employees struggling to fight cyberattacks every day.

Adversaries Use YouTube Shorts to Trend Stolen TikTok Content

YouTube Shorts was launched around September 2020 to give TikTok content creators a similar platform via Google’s YouTube, now that TikTok is out of the picture. However, scammers have targeted viewers of these YouTube Shorts videos with stolen content to run rackets promoting fake, overpriced, and ineffective goods and websites like dating applications, diet pills, marked-up goods, etc. Still in its Beta version, YouTube Shorts has become one of the favorite platforms for adversaries to use viral videos to make viewers click on various links and sites (they usually get paid for clicks).

Cybersecurity researcher Narang evaluated 50 YouTube channels posting over 38,000 stolen TikTok videos, which have gathered a total of over 3.2 billion views as of December 2021. These channels have more than 3 million subscribers, and these figures are rising by the day. Narang estimates that adversaries can earn up to $100 for every viewer who purchases products from affiliate programs. He adds that these fraud attempts fool viewers and put legitimate content creators at an unfair disadvantage.

Federal Communications Commission to Launch Strict Data Breach Reporting Rules

Given the frequent attacks on US telecom companies, the Federal Communications Commission (FCC) has proposed stricter data breach reporting rules. It plans to amend the existing data breach notification requirements to compel organizations to give a more detailed analysis of the nature of the breach and the threats it poses to customers, which are usually disclosed long after the attack has occurred. The changes are meant to give customers the transparency in information disclosure they deserve, especially when it’s their personal information at stake, not just at the moment but also for many years to come.

FCC Chairwoman Jessica Rosenworcel, while talking about the new rules, says that removing the clause providing telecom organizations with a seven-business-day waiting period to notify customers of a breach is a good start. This new rule demands that enterprises inform customers of breaches as soon as they happen unless told otherwise by law enforcement. The new rules also mandate that organizations notify customers of all instances in which they inadvertently left customers’ personal information available unencrypted online. With the new cybersecurity rules, telecom enterprises will also have to inform the FCC of breaches along with the Secret Service and FBI.

Claroty Acquires Medigate

Popular healthcare IoT security business Medigate has recently been acquired by the cyber-physical systems (CPS) security organization Claroty. Claroty announced the acquisition via a statement on 10th January, where it mentioned that this new merger would allow it to better protect the Extended IoT (XIoT). With this acquisition, Claroty envisions providing unparalleled threat detection and visibility solutions to all connected organizations.

Brooklyn-based Medigate is renowned for creating the world’s first security platform for healthcare IoT. Medigate CEO Langer says that this merger with Claroty has created a one-of-its-kind cybersecurity organization that shall provide email security solutions across the industrial and healthcare sectors and enterprise environments comprising XIoT. Claroty CEO Vardi has similar things to say of the merger and says that Medigate’s cyber capabilities will enhance Claroty’s efforts at reaching its vision for the future: creating a cyber and physical world that safely connects to support lives.

Apple Fixes Vulnerability Affecting HomeKit Devices

Apple recently released patches for an iOS and iPadOS vulnerability that could be exploited to launch DoS attacks on the HomeKit smart home framework. Apple calls this vulnerability affecting iOS and iPadOS 15.2.1 devices a resource exhaustion issue. This vulnerability could be exploited while processing a malicious HomeKit accessory name. However, Apple has now added improved validations to address the bug. Tracked as CVE-2022-22588, this doorLock vulnerability affected HomeKit, the API connecting home and iOS devices.

All an adversary needed to do was change the name of a HomeKit device to something exceeding 500,000 characters, and the connected iPads and iPhones would crash immediately. If a HomeKit device name is backed up on iCloud, it will push the user to an endless loop of crash and reboot, which can be fixed only by restoring the factory settings.

Apple tried several cybersecurity measures to fix this issue, such as setting an upper limit on the length of the device name, but this doesn’t stop adversaries from using an earlier version to target victims with phishing emails. Surprisingly, the issue was first reported in August last year, and Apple had been unable to fix it since then.