Infosec Monitor: No. 12

No. 12, January 19, 2024 — 2.1 Billion old NPM packages are downloaded each week. The cost of non-compliance could shut you down. And beware of Chinese drones?

Welcome back to another edition of the Infosec Monitor. A weekly newsletter covering what's happened, what's happening, and what's coming in cybersecurity.

In this week's edition of the Infosec Monitor — 2.1 Billion old NPM packages are downloaded each week. The cost of non-compliance could shut you down. And beware of Chinese drones?

News

Let's all download vulnerable code. 2.1 BILLION NPM downloads/week of archived code

New research shows that developers download 2.1 billion deprecated packages weekly from NPM, the popular code repository. Out of the 50,000 most popular packages, 2.1 billion weekly downloads are of outdated versions, usually archived due to vulnerabilities and other flaws. Despite this, developers unknowingly keep downloading these versions because their software still depends on outdated packages on NPM. SC Magazine

Taking employee cybersecurity awareness to the next level

Many companies require their employees to take mandatory cybersecurity awareness training. The training usually involves a boring video or presentation and a short multiple-choice questionnaire. TAG.Global is taking a more comprehensive approach. It requires its employees to complete a fluency assessment test that covers a wide range of topics, such as phishing, device security, detecting fake websites, privacy settings, app security, data protection, and much more. Employees are given two chances to pass the test before taking a cybersecurity course. The exhaustive test aims to "cultivate awareness and foster a robust cybersecurity culture within the Middle East region." Dark Reading

New cybersecurity guidance for the public water sector from the FBI, CISA, and EPA

In response to criticism from the U.S. government's Office of the Inspector General (OIG), federal agencies, including the FBI, CISA, and EPA, have published a cybersecurity best practices guide for the water and sanitation sector. The guide aims to enhance the sector's preparedness and response to cyber threats. The guide outlines roles and responsibilities, incident response planning, and communication strategies. The initiative reflects efforts to strengthen cybersecurity in critical infrastructure sectors, especially in the face of increasing cyber threats from nation-states and ransomware attacks. The Record

Related: The U.S. Department of Energy is investing $30 million in organizations to secure clean energy infrastructure. Security Week

The cost of non-compliance — NYDFS fines firm $8 million. The company shuts down.

Genesis Global Trading, Inc., a cryptocurrency trading company, has ceased operations following an agreement to pay an $8 million penalty and surrender its licenses to New York state regulators. The New York State Department of Financial Services (NYDFS) found that Genesis had multiple compliance failures, leaving the company vulnerable to illicit activities and cybersecurity threats, including money laundering. The closure comes after DFS noted that Genesis' cybersecurity risk assessment, filed in December 2022, was significantly delayed, insufficiently comprehensive, and failed to address the cybersecurity risks to its business operations adequately. The Record

Russian-backed espionage group changing tactics

Google's Threat Analysis Group has reported a notable shift in the tactics of the Russian-linked hacking group Cold River. Traditionally involved in long-running espionage campaigns, particularly against NATO countries, Cold River is now using data-stealing malware, moving beyond its usual phishing strategies. The group, also known as Callisto Group and Star Blizzard, has developed a custom backdoor, SPICA, which it delivers through PDF documents disguised as opinion-editorial pieces. This new approach allows the group to execute commands and steal information from victims' machines. TechCrunch

How much to fix a hacked court? More than $2.6 million

"The Kansas court system needs at least $2.6 million in additional funds to recover from an October cyberattack that prevented the electronic filing of documents and blocked online access to records for weeks." Security Week

Beware Chinese Drones?

The FBI and CISA are warning of significant risks to U.S. critical infrastructure due to the growing use of Chinese-made drones. The concerns stem from Chinese laws that compel companies, including drone manufacturers, to cooperate with state intelligence services, potentially leading to unauthorized data access. The agencies recommend that organizations in critical sectors such as energy, chemical, and communications should opt for drones that adhere to secure-by-design principles and are manufactured in the U.S. SC Magazine


AI & Security

Frequent vulns raise concerns with popular AI framework MLFlow

Protect AI has discovered four critical vulnerabilities in MLFlow, a popular open-source machine learning framework, raising concerns about potential system takeovers and sensitive information loss. These vulnerabilities, including Remote Code Execution and Arbitrary File Overwrite, were identified within a span of 50 days. MLFlow, with a substantial user base that includes major tech companies, faces significant security challenges due to these flaws. CSO Online

MLFlow isn't the only one with flaws... Security Week

The power of AI in cybersecurity

A thoughtful review by Help Net Security on AI and cybersecurity. The dual-use nature of GenAI means that while it can assist security teams in enhancing system testing, it also enables cybercriminals to develop advanced malware and deceptive techniques like deepfakes. Recognizing these challenges, governments like the U.S. and UK are stepping up efforts to manage AI risks in cybersecurity, issuing guidelines and orders for secure AI development and deployment. Help Net Security

Cyber Security Incidents

Chinese hackers exploiting VMware vulnerability targeted defense, government, telecom, and tech sectors for over two years

Chinese hacking group UNC3886 has been exploiting a critical VMware vCenter Server vulnerability as a zero-day since at least late 2021, which VMware patched in October. Mandiant revealed the group used the flaw in a cyber espionage campaign, deploying backdoors and exploiting another VMware Tools vulnerability for privilege escalation and data harvesting. The attackers carefully covered their tracks by removing core dump files. Their targets primarily include organizations in defense, government, telecom, and technology sectors, showcasing their preference for zero-day vulnerabilities in critical platforms. The flaw is still actively being exploited. Bleeping Computer

€10 million demanded by ransomware gang of Spanish council, council refuses to pay

The mayor of Calvià, a Spanish municipality, has confirmed that the city council will not pay the €10 million ransom demanded following a ransomware attack. This decision aligns with Spain's commitment as a signatory of the Counter Ransomware Initiative, which discourages paying ransomware extortion demands. The attack has temporarily suspended administrative services, and the council is collaborating with the Civil Guard's cybercrime department to address the situation. SC Magazine

Over 178K SonicWall firewalls vulnerable to DoS

Security researchers have identified critical vulnerabilities in over 178,000 SonicWall next-generation firewalls, exposing them to DoS and potential RCE attacks. Bleeping Computer

Malware campaign targeting Apache web servers and websites using Laravel

The FBI and CISA have issued an alert about a malware campaign targeting Apache web servers and websites using Laravel, a popular web application framework. The campaign, driven by 'Androxgh0st' malware, aims to steal credentials from high-profile applications like AWS and Microsoft 365. Attackers exploit known vulnerabilities to access and misuse credentials stored in Laravel .env files. Dark Reading

Other noteworthy incidents

CISA has warned about a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core, which are now actively exploited in the wild. The Hacker News

VF Corp (owner of Vans) says 35 million impacted by December breach. TechCrunch

Three English councils in Kent — Canterbury, Dover, and Thanet — have been affected by a cyberattack, leading to the shutdown of multiple online services. The Record

A cybersecurity incident disrupted Kansas State University systems. Bleeping Computer

Nearly 7,000 WordPress sites were compromised, with almost 200,000 still vulnerable to Balada Injector. Dark Reading

Google's first zero-day of the year hits Chrome. The Hacker News

SoftwareProjects leaves a non-password-protected database online with 200GB of data. CSO Online

About

Cybersecurity is at a crossroads, changing more rapidly than we believed was possible just a few years ago. Stay informed on what's going on, what's happened, and what's coming next.

I'm Bryan Smith, the author of the Infosec Monitor. I've spent over a decade pioneering changes in how cybersecurity is managed, from helping create the first cyber risk quantification (CRQ) software to advising on how to approach cybersecurity pragmatically and proactively.

Data & Research

70% of organizations use managed AI services. From Wiz's new report, "State of AI in the Cloud 2024." Wiz

DDoS attacks on the environmental services industry surged by 61,839% in 2023. The Hacker News

63% of cybersecurity professionals believe that working as a cybersecurity professional is more difficult today than two years ago. CSO Online

Cybersecurity Mergers, Acquisitions, and Funding

Software supply chain security startup Kusari raises $8 million. Security Week

Vicarius raised $30 million in Series B for AI innovation in vulnerability remediation. India Times

Snyk acquires Helios for an undisclosed sum. Dark Reading