Here is our latest roundup of news about digital security in our connected world. Click here to see the whole series.

Malware

• Several U.S. government agencies, including the FBI and National Security Agency, discovered malware that could gain full access to industrial control systems (ICS). The agencies issued a joint statement, claiming that the malware was discovered before an attack could occur. Nation-state actors developed the custom-made malware to target ICS and supervisory control and data acquisition (SCADA) devices.

Vulnerabilities

• Oracle patched a bug in Java that allowed bad actors to digitally sign files, allowing them to pass on digitally signed malware and malicious files as if they were legitimate.
• Microsoft released more than 100 security fixes in their April 2022 patch to fix several vulnerabilities, including two zero-day vulnerabilities.
• Security researchers discovered a vulnerability in the platform VirusTotal, a scanning service that looks for malware in suspicious files and URLs. Hackers could have gained remote code execution on any unpatched third-party sandboxing machines. However, the flaw is now patched.
• The European Union Agency for Cybersecurity (ENISA) published a roadmap for a coordinated vulnerability disclosure policy in the EU. The policy would provide frameworks for researchers to report vulnerabilities and for vendors to deploy patches quickly. EU Member States will need to establish their own national policies and guidelines for coordinated vulnerability disclosure.

TLS/SSL

• Starting April 25, 2022, Cloudflare automatically started issuing backup certificates for all of their domains to prevent outages.

Data breaches

• A recent survey found that about half of businesses from over a dozen countries have experienced a data breach in the last two years. The study found that data breaches are increasing, and with an increasing threat landscape comes increased costs and resources spent in remediation.
• Samsung was hit with a breach that included stolen code for operation of Galaxy smartphones. Samsung says no customer data was breached, but 190GB of code were stolen. This example is a reminder for businesses to build sufficient defenses and have plans in place in the event of data loss.
• Mailchimp was hacked in April, and the hackers were phishing for cryptocurrency. The hackers targeted users of Trezor hardware cryptocurrency wallet and stole data of over 100 customers to send targeted phishing emails. Mailchimp disabled the breached employee accounts as soon as suspicious activity was detected, but not before the hackers were able to obtain customer data.

Government standards

• The U.S. White House, along with 60 global partners, issued a declaration on the future of the internet. The declaration included a warning about rising digital risks and misinformation. About 60 other countries endorsed the declaration, as well as the European Commission.
• The U.S. Food and Drug Administration released draft guidance last month on cybersecurity for medical devices to replace previous guidance, last issued in 2018. The FDA explained that increasing connectivity requires adequate security to protect both patients and healthcare networks. The FDA recommends that manufacturers consider the larger network security and environment where the device will be used. The FDA is accepting comments until July 7, 2022, on the updated language.

Quantum computing

• China announced a photon-based quantum computer that is a million times faster at solving a particular problem than what Google reported achieving with a superconducting quantum computer in 2019. China has reportedly invested nearly $10 billion in R&D for quantum, which make put it ahead of the U.S. in the race to quantum. However, the U.S. Senate passed a bill in 2021 to invest $29 billion in quantum by 2026.
• IBM announced IBM z16 that allows for real-time AI insights at scale and is the first quantum-safe system in the industry.
• A team of researchers from Griffith University’s Center for Quantum Dynamics demonstrated that teleportation can be used to avoid data loss in communication at a quantum level. This would not only reduce data loss but also enable the transmission of data securely, without access by a third party.

Internet of Things

• None of the subway cameras were functioning during the New York subway shooting in early April, although officials had warned about a vulnerability in the cameras years before. This delayed the police’s search for the gunman.
• The U.S. PATCH act was put forward recently, which would make it easier for medical device manufacturers to patch devices. It would also require manufacturers to follow security best practices for the design, development and maintenance of these devices.

CA/B Forum

• The S/MIME Certificate Working Group of the CA/Browser Forum has released a final discussion draft of a new Baseline Requirements for S/MIME Certificates used for secure email, with a view to going to formal ballot later in 2022. This would be the first standard aimed to create consistency across all issuers of publicly-trusted S/MIME certificates and includes provisions for the Enterprise Registration Authorities which are commonly used to register users for corporate email environments.