Weekly CyberTip: Watch out for multi-vector attacks
According to IBM’s X-Force Threat Intelligence Index 2022 report released early this year, while the success rate for the average targeted phishing attack was 17.8%, campaigns that added phone calls were three times more effective, achieving a click rate of 53.2%. Be aware that hackers are always looking for ways to make their attacks more realistic. Always verify that messages are legitimate before taking action, even if you get them across more than one channel.
Popular automotive GPS tracker found to have severe software vulnerabilities
In a July 19 report, researchers from BitSight announced the discovery of six severe vulnerabilities in the popular MV720 GPS tracker. The MV720, manufactured by Chinese firm MiCODUS, is used both in consumer settings and by logistics and fleet management enterprises across 169 countries. The report suggests that a malicious actor could pose a potential danger to personal information, highway safety, national security, and the integrity of supply chains. The exploitation of these flaws could have “disastrous and even life-threatening implications,” according to BitSight.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a companion advisory about five of the flaws as well. BitSight and CISA have tried repeatedly to contact the manufacturers of the tracker to collaborate on fixes, but have not received any reply to date.
BitSight urges users to disable the MV720 GPS tracker until patches are made available. “Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk,” warns the report.
There have been no documented cases of public exploitation of the vulnerabilities; however, the flaws are characterized as “low complexity,” so the risk to these IoT devices is potentially increased now that the flaws have been documented publicly.
OSFI publishes new cyber guideline
Canada’s Office of the Superintendent of Financial Institutions (OSFI) has published its Final Guideline B-13 for cyber management. The new guideline, which sets out “OSFI’s expectations for how federally regulated financial institutions (FRFIs) should manage technology and cyber risks such as data breaches, technology outages and more,” takes effect on January 1, 2024.
The guideline is organized around three key domains of cyber: Governance and Risk Management, Technology Operations and Resilience, and Cybersecurity. The document lays out key components for developing and maintaining a sound risk management framework around these critical operational areas.
The document has been a long time in the making: “Final Guideline B-13 is the product of extensive consultation with industry, starting with the September 2020 publication of a discussion paper and a consultation period from September to December 2020. Following the release of OSFI’s draft Guideline B-13 in November 2021, OSFI further consulted on its proposed guidance regarding technology and cyber risk from November 2021 to February 2022,” according to the press release.
The guideline will affect the 400 federally-regulated financial institutions and 1,200 pension plans under OSFI’s supervision.
CSRB releases Log4J vulnerability analysis report
The recently-formed Cyber Safety Review Board (CSRB) in the United States has issued its first report, an analysis of the Log4j vulnerability disclosed in December 2021. The thoroughly-researched report describes the origins of the bug, the challenges faced by so many organizations in managing the early days after the announcement of the vulnerability, and even how the scope and timing of the discovery may have contributed to the burnout and turnover rates of IT professionals in 2022. Importantly, the report also warns that “the Log4j event is not over. The Board assesses that Log4j is an ‘endemic vulnerability’ and that vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer. Significant risk remains.”
The CSRB’s report was developed in consultation with nearly 80 private organizations and government agencies. It lays out a set of 19 recommendations across four categories of cyber management to help continue the response to Log4j, and to mitigate the disruption caused by any potential similar future threats.
TSA releases revised cyber guidelines for pipeline owners and operators
In a July 21 press release, the Transportation Security Administration (TSA) announced revisions to its cybersecurity directive regarding oil and gas operations in the United States. The new security directive updates and replaces the initial directive issued in May 2021 in the wake of the Colonial Pipeline cyber attack. Clarifying some aspects of the original release, and introducing additional requirements in response to the “evolving threat landscape,” the new directive takes effect on July 27, 2022.