New US law: Cyberattacks to be reported within 72 hours
Plus: Criminals use contact forms to spread BazarBackdoor, ServiceNow leaks, and more
In brief A US bill that would require critical infrastructure operators to report cyberattacks within 72 hours is headed to President Joe Biden's desk to be signed into law.
The House passed the reporting requirements as part of a larger omnibus spending bill late Wednesday night, and the Senate approved the final legislation the following day. It matches a provision in an earlier bill that unanimously cleared the Senate earlier this month.
Specifically, the law would require critical infrastructure owners and operators to report a "substantial" cybersecurity incident to CISA within 72 hours and within 24 hours of making a ransomware payment. The provision also gives CISA the authority to subpoena anyone that fails to report cyberattacks or ransomware payments.
The new reporting requirements will better prepare the US against possible cyber threats from Russia in retaliation for sanctions and support for Ukraine, Senators Gary Peters (D-MI) and Rob Portman (R-OH) said in a statement.
CISA director Jen Easterly applauded lawmakers' actions, and said the new legislation will give her agency better data and visibility to help it protect critical infrastructure.
"This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims," Easterly said.
BazarBackdoor changes contact info
Criminals have found a new way to spread the infamous BazarBackdoor malware. Instead of relying on phishing emails, they exploit websites' contact forms, according to email security provider Abnormal Security.
This malware family has ties to the TrickBot Gang, aka Wizard Spider, which the IBM X-Force threat-hunting team credits with developing the Trickbot trojan. The gang uses both Trickbot and BazarLoader malware to stage Conti ransomware and other extortion attacks.
Abnormal discovered a series of phishing campaigns targeting its customers between December 2021 and January 2022. "At first glance, the overall volume of messages seemed low; however, as we continued researching these attacks, it became clear that the volume was artificially deflated because email was not the initial communication method used," the email security firm said.
Instead, the attackers used businesses' website contact forms to avoid email security tools. After the attacker submitted the contact form, they waited for a follow-up email from someone at the company. This helped establish a trusted identity because the email system saw the company initiating the conversation.
The criminals kept the conversation going via email to convince the victim to download a malicious file containing the malware. Abnormal noted that this involved "some level of social engineering to find a download method not blocked by the victim's security protocols, without arousing their suspicion."
They found success with a couple of file-sharing services: TransferNow and WeTransfer.
After dropping the BazarLoader malware, Abnormal said the trails went cold. But the threat researchers offered some "educated guesses" as to what the criminals want.
"BazarLoader is usually the first stage in a more sophisticated, multi-stage malware attack, often used to deploy Conti ransomware or Cobalt Strike, for example," they warned.
Leaky ServiceNow instances
AppOmni has discovered a common ServiceNow Access Control List (ACL) misconfiguration that could allow an unauthenticated user to extract data from records.
- Data stolen from Nvidia, blueprints leak threatened
- Time for people to patch backup plugin for WordPress
- Linux tops Google's Project Zero charts for fastest bug fixes
- Linux distros patch 'Dirty Pipe' make-me-root kernel bug
The issue is a result of customer-managed ServiceNow ACL configurations combined with over-provisioning of guest users and is common across SaaS platforms, according to the SaaS security vendor. Further analysis of the ServiceNow instances by the security shop showed that nearly 70 percent of systems leaked sensitive information including personal identifiable information.
Organizations can take steps to evaluate and remediate their instances, and AppOmni outlines these on its website:
- Review ACLs that are absent of conditional and script based access evaluation, which have either no role, or the public role, assigned to them.
- Review User Criteria (UC) and the resources to which those criteria are granting access. In particular, focus on any UC in which the 'Guest' user is assigned to or contains the 'public' role. This includes the 'Any User' and 'Guest' built-in UCs.
- Review resources that can be directly assigned the 'public' role to grant access, or indirectly made accessible to the public through another mechanism (such as publishing a report).
- Review System Properties that may dictate access to records through a provided role or list of roles.
Palo Alto Networks shifts left
Palo Alto Networks has rolled out a new supply chain security system that the cybersecurity vendor claims can identify vulnerabilities and misconfigurations across the lifecycle of cloud native applications.
It's called Prisma Cloud Supply Chain Security, and it scans for any issues in code – such as version control system and CI pipeline misconfigs – across open-source packages, infrastructure-as-code (IaC) files and delivery pipelines, according to the security shop.
Other features include auto-discovery with code assets extracted and modeled via existing Cloud Code Security scanners. The product also provides graph visualization to help users see asset dependencies and potential weaknesses across the attack surface.
After it finds security flaws, it can fix vulnerable dependencies or misconfigured IaC resources as well as open-source code packages, according to the vendor. It also allows users to extend policy-as-code to VCS and CI/CD configurations, which Palo Alto Networks said helps prevent code-tampering attacks.
Google goes to Washington
Fresh off its $5.4bn Mandiant buy, Google Cloud unveiled three new security initiatives including one that the ad giant said will help US government agencies modernize their approach to cyberthreat management.
In a white paper, Google outlined how public-sector agencies can meet the White House cybersecurity analytics requirements of OMB M-21-31 and Executive Order 14028 using three of its products: security analytics platform Chronicle; security orchestration, automation, and response (SOAR) platform Siemplify; and its security and risk management product Security Command Center.
For its second rollout, Google has donated Community Security Analytics to security researchers. This is an open-source analytics repository that the cloud provider said will help SecOps teams analyze their Google Cloud logs to find threats.
To kick things off, Google partnered with customers, the MITRE Engenuity's Center for Threat-Informed Defense and the Fishtech Group and produced a sample set of analytics mapped to MITRE ATT&CK's adversary tactics, techniques, and procedures.
Finally, the cloud provider developed a blueprint to capture network data in Google Cloud. It uses Packet Mirroring, transforms packets into Zeek logs, and stores the logs in Cloud Logging, Google says. Once they're in Cloud Logging, Google's Chronicle – or any security information and event management (SIEM) tool of choice – can ingest and analyze the logs.
This new telemetry and monitoring capability is available on the Google Cloud Architecture Center. ®