This Month in Cybersecurity - December Edition

Final Patch Tuesday of 2023 - Microsoft and Adobe

Both Microsoft and Adobe have released the notes for their final patches of 2023. Microsoft's release addresses vulnerabilities in Office and its components, Win32k, the Windows Kernel, and the Microsoft Bluetooth Driver, among other products. The fixes cover flaws that allowed denial of service (DoS), spoofing, elevation of privilege (EoP), information disclosure, and remote code execution. Of the 38 vulnerabilities Microsoft corrected in this release, 4 are rated Critical.

Adobe's load was considerably larger: the company patched 212 vulnerabilities across its product suites, 13 of them rated Critical. Adobe Experience Manager accounted for the lion's share, with 185 of the 212.

None of these vulnerabilities were known to be exploited in the wild at the time of release, but as always, we recommend updating every device, application, and network component to the latest security build.


SEC Clarifies New Incident Disclosure Rules Coming into Effect

In July, the SEC adopted new rules on the disclosure of cybersecurity incidents by public companies. The rules require a company to disclose a cybersecurity incident on Form 8-K within four business days of determining that the incident is material (the clock runs from the materiality determination, not from discovery). Companies must also describe their cybersecurity risk management, strategy, and governance in their annual reports. The SEC's stated goal is to provide investors with "timely, consistent, and comparable information".

Industry professionals raised the concern that the information the SEC is requiring victims to publish could be useful to threat actors, for example in calibrating ransom demands. Erik Gerding, director of the SEC's Division of Corporation Finance, has clarified that the final rules require less detail than initially proposed: a company need not disclose the technical specifics of the incident or of its remediation, and disclosure may be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.

The FBI has published guidance on how a company requests such a delay, which the Bureau evaluates on behalf of the Justice Department. The SEC has said it will assist companies with the new rules, including on how to judge what is "material" for their organization.


Guidance on Incorporating SBOMs Issued by NSA

The National Security Agency (NSA) has published guidance on how organizations can incorporate software bills of materials (SBOMs) into their processes to mitigate supply chain risk. Executive Order 14028 on improving the nation's cybersecurity, issued in May 2021, mandated SBOMs to give users transparency into the components their software is built from.

In the guidance, the NSA states that software consumers should use the available government resources to verify that the software they acquire is secure, with the SBOM telling them which components that software actually contains. The agency also urges software suppliers to mature their SBOM exchange practices, placing responsibility on providers to make their products secure by design.

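Consuming an SBOM is where the guidance's advice becomes concrete. The following Python script is an added example, not code from the NSA guidance or from any vendor: it parses a constructed CycloneDX 1.5 SBOM, flags components a consumer could not act on (no package URL, no SHA-256 hash), and matches the rest against a constructed advisory list by package URL and version. The component names, versions and the EXAMPLE-2023-* advisory IDs are hypothetical.

```python
"""Consume a CycloneDX SBOM and surface supply-chain findings.

Added example (not the NSA's guidance text or any vendor tool). The SBOM
and the advisory list are constructed for illustration; component names,
versions and the advisory IDs are hypothetical.
"""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.5 document for a hypothetical application.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "acme-portal", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.4.2",
     "purl": "pkg:pypi/libfoo@1.4.2",
     "hashes": [{"alg": "SHA-256",
                 "content": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}]},
    {"type": "library", "name": "libbar", "version": "0.9.0"},
    {"type": "library", "name": "libbaz", "version": "3.1.0",
     "purl": "pkg:npm/libbaz@3.1.0",
     "hashes": [{"alg": "SHA-256",
                 "content": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae"}]}
  ]
}"""

# Constructed advisory feed: (package-URL prefix, first fixed version, advisory ID).
ADVISORIES: List[Tuple[str, str, str]] = [
    ("pkg:pypi/libfoo", "1.4.5", "EXAMPLE-2023-0001"),
    ("pkg:npm/libbaz", "3.0.0", "EXAMPLE-2023-0002"),  # already fixed in 3.1.0
]


def load_sbom(text: str) -> dict:
    """Parse and sanity-check the document before trusting anything in it."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a CycloneDX SBOM: {doc.get('bomFormat')!r}")
    if "components" not in doc:
        raise ValueError("SBOM lists no components")
    return doc


def version_tuple(v: str) -> Tuple[int, ...]:
    """Dotted version to ints; a non-numeric suffix such as '2rc1' keeps only the digits."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, fixed_in: str) -> bool:
    """True when the component is older than the first fixed release."""
    return version_tuple(version) < version_tuple(fixed_in)


def check_component(comp: dict) -> List[str]:
    """Fields a consumer needs before the entry is actionable at all."""
    issues = []
    if not comp.get("purl"):
        issues.append("missing purl")
    if not comp.get("version"):
        issues.append("missing version")
    sha256 = [h for h in comp.get("hashes", []) if h.get("alg") == "SHA-256"]
    if not sha256 or not all(len(h.get("content", "")) == 64 for h in sha256):
        issues.append("missing SHA-256 hash")
    return issues


def match_advisories(comp: dict, advisories=ADVISORIES) -> List[str]:
    """Advisories whose package-URL prefix matches and whose fix postdates this version."""
    base = comp.get("purl", "").split("@", 1)[0]
    hits = []
    for prefix, fixed_in, adv_id in advisories:
        if base == prefix and is_affected(comp.get("version", "0"), fixed_in):
            hits.append(f"vulnerable: {adv_id}, fixed in {fixed_in}")
    return hits


def audit_sbom(text: str, advisories=ADVISORIES) -> Dict[str, List[str]]:
    """Map each component name to its findings (empty list when clean)."""
    doc = load_sbom(text)
    report: Dict[str, List[str]] = {}
    for comp in doc["components"]:
        report[comp["name"]] = check_component(comp) + match_advisories(comp, advisories)
    return report


if __name__ == "__main__":
    for name, findings in audit_sbom(SBOM_JSON).items():
        print(f"{name}: {'; '.join(findings) or 'ok'}")
```

The two consumer-side checks are deliberately separate: a component without a package URL or hash cannot be matched to any advisory feed or verified against the artifact actually installed, so it is a finding on its own, before any vulnerability data is consulted. In practice the advisory list would come from a vulnerability feed rather than a constant, and the version comparison should follow the ecosystem's own rules (PEP 440, semver) rather than this dotted-integer approximation.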

Defensible Strategies

Learn from those who have been attacked

7 Million Exposed in Customer Data Breach at Delta Dental

Delta Dental of California, a large dental insurer, has sent notification letters to affected individuals informing them that their personal information was compromised. The company determined on November 27 that client personal information had been included in a breach that occurred in late May. The breach was part of the MOVEit incident, in which a zero-day vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer file-transfer product was exploited.

The MOVEit incident has affected more than 2,600 organizations, among them many Upstate New York entities: healthcare organizations, SUNY schools, private colleges and universities, and others alongside Delta Dental. Reports put the Delta Dental breach at more than 6.9 million individuals, and the total across all affected organizations at more than 62 million.

Incidents such as MOVEit are glaring examples of why companies should prioritize third-party risk management: the vulnerable software was the vendor's, but the exposed data was the customers'. If you or your organization have questions, or would like a deeper look at your risk management plans, please reach out to Cyber Defense!


Hospitality Industry Targeted by Resurfacing Malware, Qakbot

The hospitality industry is being targeted by a phishing campaign delivering a new version of a previously dismantled malware. Qakbot, also known as Qbot or Pinkslipbot, was the target of a coordinated law-enforcement effort, Operation Duck Hunt, in which authorities gained access to its infrastructure and pushed an uninstaller to infected PCs, rendering the botnet inoperative.

The campaign, which is ongoing, was first observed by Microsoft, which noticed a wave of phishing emails purporting to come from an IRS employee, starting on December 11, 2023. Microsoft describes it as a low-volume campaign: the email carries a PDF, the PDF contains a URL, and the URL downloads a Windows Installer (MSI) package onto the target's computer. Once the installer has run, Qakbot can harvest sensitive information and deliver additional malware, including ransomware.
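
The delivery chain above (email, PDF, link, MSI) can be checked statically before anyone clicks. The Python script below is an added example, not Microsoft's or any product's detection logic: it pulls every /URI link action out of a PDF, including ones inside Flate-compressed object streams that a plain grep would miss, and flags targets that download an installer directly. Both PDFs are constructed in the script, and the hostnames and file names in them are hypothetical.

```python
"""Static triage of PDF link targets, the lure format used in PDF phishing.

Added example (not Microsoft's analysis code or any tool from the page).
The two PDFs below are constructed by hand; the hostnames and file names
in them are hypothetical.
"""
import os
import re
import zlib
from typing import Dict, List
from urllib.parse import urlparse

# /URI (literal string) inside a link annotation's action dictionary.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
# Stream bodies; compressed ones hide the annotation from a plain grep.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# File types a legitimate "view your notice" link should never hand you.
DROPPER_EXTS = {".msi", ".exe", ".js", ".vbs", ".lnk", ".iso", ".img", ".zip"}

BENIGN_URL = "https://www.example.com/help"
LURE_URL = "https://irs-refund-portal.example/forms/W-9_Request.msi"

# Constructed, uncompressed PDF with one link annotation per URL.
LURE_PDF = f"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620]
   /A << /S /URI /URI ({LURE_URL}) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 560 300 580]
   /A << /S /URI /URI ({BENIGN_URL}) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
""".encode("latin-1")

# Same annotation, but inside a FlateDecode object stream (PDF 1.5+).
_HIDDEN_OBJ = f"<< /Type /Annot /Subtype /Link /A << /S /URI /URI ({LURE_URL}) >> >>".encode("latin-1")
_HIDDEN_BODY = zlib.compress(_HIDDEN_OBJ)
HIDDEN_PDF = (
    b"%PDF-1.5\n6 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_HIDDEN_BODY)).encode() + b" >> stream\n" + _HIDDEN_BODY
    + b"\nendstream endobj\n%%EOF\n"
)


def _unescape(raw: bytes) -> str:
    """Undo PDF literal-string escapes such as \\( \\) \\\\ and decode as Latin-1."""
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw).decode("latin-1")


def extract_pdf_uris(pdf: bytes) -> List[str]:
    """Return every /URI target, scanning raw objects and inflatable streams."""
    blobs = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            blobs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed, or not a complete stream
    found: List[str] = []
    for blob in blobs:
        for m in URI_RE.finditer(blob):
            uri = _unescape(m.group(1))
            if uri not in found:
                found.append(uri)
    return found


def triage_url(url: str) -> List[str]:
    """Reasons a link target looks like a dropper rather than a document."""
    reasons = []
    parsed = urlparse(url)
    ext = os.path.splitext(parsed.path)[1].lower()
    if ext in DROPPER_EXTS:
        reasons.append(f"link downloads a {ext} file directly")
    if parsed.scheme not in ("https", "http"):
        reasons.append(f"non-web scheme {parsed.scheme!r}")
    return reasons


def triage_pdf(pdf: bytes) -> List[Dict[str, object]]:
    """Findings for each suspicious link in the PDF; benign links are omitted."""
    findings = []
    for url in extract_pdf_uris(pdf):
        reasons = triage_url(url)
        if reasons:
            findings.append({"url": url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for sample_name, sample in (("plain", LURE_PDF), ("flate", HIDDEN_PDF)):
        for finding in triage_pdf(sample):
            print(sample_name, finding["url"], "->", "; ".join(finding["reasons"]))
```

Run it on a real attachment with `triage_pdf(open(path, "rb").read())`; a link to a .msi from a document that claims to be a tax notice is a finding regardless of what the hostname says. The scanner is deliberately shallow: it does not follow object references, parse cross-reference streams, or handle filters other than FlateDecode, so a clean result is not a clean bill of health, only the absence of the most common lure shape.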

Phishing campaigns are not new, but this lure (an IRS notice wrapped in a PDF that links to an installer) is a reminder that users and defenders need ongoing training on what these attempts look like. If you would like help, please reach out to us for Phishing and Internet Security Training!

NOTICE

New York has adopted the Second Amendment to the DFS Cybersecurity Regulation (23 NYCRR Part 500), which may significantly affect your operations. Many of these changes first appeared in the proposed versions of the amendment.

For a comprehensive overview, we have prepared a detailed web page on which Jim walks through the amendments section by section: https://cyberd.us/dfs-reg-500-2nd-amendment

Cyber Defense is happy to help you navigate these changes and bring your company into compliance, so please do not hesitate to contact us as soon as possible!