
CISA & EAC Release Guide to Enhance Election Security Through Public Communication


In a joint effort to enhance election security and public confidence, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Election Assistance Commission (EAC) have released a comprehensive guide titled “Enhancing Election Security Through Public Communications.” This guide on election security is designed for state, local, tribal, and territorial election officials who play a critical role as the primary sources of official election information.

Why Communication is Important in Election Security

Open and transparent communication with the American public is essential to maintaining trust in the electoral process. State and local election officials are on the front lines, engaging with the public and the media on numerous election-related topics. These range from election dates and deadlines to voter registration, candidate filings, voting locations, election worker recruitment, security measures, and the publication of results. The new guide aims to provide these officials with a strong framework and practical tools to develop and implement an effective, year-round communications plan. “The ability for election officials to be transparent about the elections process and communicate quickly and effectively with the American people is crucial for building and maintaining their trust in the security and integrity of our elections process,” stated CISA Senior Advisor Cait Conley. The election security guide offers practical advice on how to tailor communication plans to the specific needs and resources of different jurisdictions. It includes worksheets to help officials develop core components of their communication strategies. This approach recognizes the diverse nature of election administration across the United States, where varying local contexts require customized solutions. EAC Chairman Ben Hovland, Vice Chair Donald Palmer, Commissioner Thomas Hicks, and Commissioner Christy McCormick collectively emphasized the critical role of election officials as trusted sources of information. “This resource supports election officials to successfully deliver accurate communication to voters with the critical information they need before and after Election Day,” they said. Effective and transparent communication not only aids voters in casting their ballots but also helps instill confidence in the security and accuracy of the election results.

How Tailored Communication Enhances Election Security

The release of this guide on election security comes at a crucial time when trust in the electoral process is increasingly under scrutiny. In recent years, the rise of misinformation and cyber threats has posed significant challenges to the integrity of elections worldwide. By equipping election officials with the tools to communicate effectively and transparently, CISA and the EAC are taking proactive steps to safeguard the democratic process. One of the strengths of this guide is its emphasis on tailoring communication strategies to the unique needs of different jurisdictions. This is a pragmatic approach that acknowledges the diverse landscape of election administration in the U.S. It recognizes that a one-size-fits-all solution is not feasible and that local context matters significantly in how information is disseminated and received. Furthermore, the guide’s focus on year-round communication is a noteworthy aspect. Election security is not just a concern during election cycles but is a continuous process that requires ongoing vigilance and engagement with the public. By encouraging a year-round communication plan, the guide promotes sustained efforts to build and maintain public trust. However, while the guide is a step in the right direction, its effectiveness will largely depend on the implementation by election officials at all levels. Adequate training and resources must be provided to ensure that officials can effectively utilize the tools and strategies outlined in the guide. Additionally, there needs to be a concerted effort to address potential barriers to effective communication, such as limited funding or technological challenges in certain jurisdictions.

To Wrap Up

The “Enhancing Election Security Through Public Communications” guide by CISA and the EAC is a timely and necessary resource for election officials across the United States. As election officials begin to implement the strategies outlined in the guide, it is imperative that they receive the support and resources needed to overcome any challenges. Ultimately, the success of this initiative will hinge on the ability of election officials to engage with the public in a clear, accurate, and transparent manner, thereby reinforcing the security and integrity of the election process.

CISA Warns of Phone Scammers Impersonating Its Employees


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a recent impersonation scam in which scammers posed as its representatives and employees. Fraudsters in the campaign may extort money in various ways, such as bank transfers, gift cards or cryptocurrency payments.

CISA Impersonation Scam

The spammers behind the campaign make phone calls to victims in which they claim to be contacting targets on behalf of CISA; they then ask victims to share personal information or money under the guise of protecting their accounts from unauthorized activity. Fraudsters may also direct victims to download additional software or click on links to "verify" their identity. However, CISA confirmed that it would never make such demands. "CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret," CISA warned. Possible red flags to watch out for:
  • Unsolicited phone calls that claim to be from CISA.
  • Callers requesting personal information, such as passwords, social security numbers, or financial information.
  • Callers demanding payment or transfer of money to "protect" your account.
  • Callers creating a sense of urgency or pressuring you to take immediate action.
If you're targeted by a CISA impersonation scam, here's what you should do:
  • Do not pay the caller.
  • Take a record of the numbers used.
  • Hang up the phone immediately while ignoring further calls from suspicious numbers.
  • Report the scam to CISA by calling (844) SAY-CISA (844-729-2472).

FTC Observes Uptick in Impersonation Scams

The CISA impersonation scam is a recent example of the rise in impersonation fraud targeting both businesses and government agencies. According to the latest data from the Federal Trade Commission (FTC), the number of such scams has increased dramatically in recent years, and cost consumers more than $1.1 billion in 2023 alone. The FTC report showed that in 2023, the agency received more than 330,000 reports of fraud posing as a business and almost 160,000 reports of fraud posing as a government. Collectively, these incidents account for almost half of all fraud cases reported directly to the FTC. "The financial injury is breath-taking – and cash-taking," the FTC quipped in its Spotlight. It further added, "Reported losses to impersonation scams topped $1.1 billion in 2023, more than three times what consumers reported in 2020." While fraudsters employ various types of scams, the FTC noted that the below types accounted for nearly half of the reported/observed scams in 2023:
  1. Copycat account security alerts: Scams that pretend to impersonate legitimate services such as Amazon while purporting to be about unauthorized activity or charges to their account.
  2. Phony subscription renewals: Usually email notices that alert targets of auto-renew charges to various online services.
  3. Fake giveaways, discounts, or money to claim: Fake rewards or winnings that claim to originate from legitimate providers such as internet providers or large retailers.
  4. Bogus problems with the law: Scammers try to deceive targets into believing that their identity had been used to commit heinous crimes such as money laundering or the smuggling of drugs.
  5. Made-up package delivery problems: Messages that alert you of fake delivery problems with legitimate delivery services such as the U.S. Postal Service, UPS, or FedEx.
To avoid such scams, the FTC has advised consumers to not click on unexpected links or messages, avoid scenarios where gift cards are offered as an option to fix problems, and scrutinize urgent offers and claims. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

NIST Hires External Contractor to Help Tackle National Vulnerability Database Backlog


The U.S. National Institute of Standards and Technology (NIST) has taken a big step to address the growing backlog of unprocessed Common Vulnerabilities and Exposures (CVEs) in the National Vulnerability Database (NVD). The institute has hired an external contractor to contribute additional processing support in its operations. The contractor hasn't been named, but NIST said it expects that the move will allow it to return to normal processing rates within the next few months.

Clearing the National Vulnerability Database Backlog

NIST is responsible for managing entries in the NVD. After being overwhelmed with the volume of entries amid a growing backlog of CVEs that have accumulated since February, the institute has awarded an external party with a contract to aid in its processing efforts. "We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months," the agency stated. To further alleviate the backlog, the NIST is also working closely with CISA, the Cybersecurity and Infrastructure Security Agency, to improve its overall operations and processes. "We anticipate that this backlog will be cleared by the end of the fiscal year," the NIST stated. In its status update, NIST referenced an earlier statement the agency made that it was exploring various means to address the increasing volume of vulnerabilities through the use of modernized technology and improvements to its processes. "Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance," the institute said. NIST reaffirmed its commitment to maintaining and modernizing the NVD, stating, "NIST is fully committed to preserving and updating this vital national resource, which is crucial for building trust in information technology and fostering innovation."

CISA's 'Vulnrichment' Initiative

In response to the growing NVD backlog at NIST, CISA had launched its own initiative called "Vulnrichment" to help enrich the public CVE records. CISA's Vulnrichment project is designed to complement the work of the originating CNA (Common Vulnerabilities and Exposures Numbering Authority) and reduce the burden on NIST's analysts. CISA said it would use an SSVC decision tree model to categorize vulnerabilities. The agency will consider factors like exploitation status, technical impact, impact on mission-essential functions, public well-being, and whether the exploitation is automatable. CISA welcomes feedback from the IT cybersecurity community on this effort. By providing enriched CVE data, CISA aims to improve the overall quality and usefulness of the NVD for cybersecurity professionals. "For those CVEs that do not already have these fields populated by the originating CNA, CISA will populate the associated ADP container with those values when there is enough supporting evidence to do so," the agency explained. As NIST and CISA work to address the current challenges, they have pledged to keep the community informed of their progress as well as on future modernization plans.

CISA Says 4-Year-Old Apache Flink Vulnerability Still Under Active Exploitation


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a four-year-old security flaw affecting Apache Flink to its Known Exploited Vulnerabilities (KEV) catalog, following evidence of active exploitation. The flaw, tracked as CVE-2020-17519, poses significant risks due to improper access control, allowing unauthorized access to sensitive information.

Researchers Observed Active Exploitation of Apache Flink Vulnerability

CISA describes vulnerabilities such as the Apache Flink Vulnerability which have been added to its Known Exploited Vulnerabilities catalog as "frequent attack vectors for malicious cyber actors" and as posing significant risks to the federal enterprise. The catalog serves as a critical resource for identifying and mitigating vulnerabilities actively in use. CVE-2020-17519 is a critical vulnerability in Apache Flink, an open-source framework for stream-processing and batch-processing. The flaw arises from improper access control in versions 1.11.0, 1.11.1, and 1.11.2 of the framework, potentially enabling remote attackers to access files specific to the local JobManager filesystem through the use of specially crafted directory traversal requests, leading to unauthorized access. While precise details of ongoing campaigns exploiting the Apache Flink Vulnerability remain unclear, the bug has existed for at least four years and has been acknowledged by a project maintainer. The project Apache Flink thread states:
A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process.
The discovery of the vulnerability was credited to "0rich1" from Ant Security FG Lab, with working exploit code of the vulnerability available on the public web. In the same year, researchers from Palo Alto Networks had observed the vulnerability among the most commonly exploited vulnerabilities during the Winter 2020 period using information collected between November 2020 and January 2021.

Mitigation Measures and Binding Directives

The Apache Software Foundation addressed this issue in January 2021 with the release of Flink versions 1.11.3 and 1.12.0 to the master branch of the project. Users running affected versions are strongly urged to upgrade to these versions to secure their systems. CISA has mandated federal agencies to apply necessary patches by June 13, 2024. This directive operates under the Binding Operational Directive (BOD) which requires Federal Civilian Executive Branch (FCEB) agencies to implement fixes for listings in the Known Exploited Vulnerabilities Catalog to protect agency networks against active threats. Although the directive only applies to FCEB agencies, CISA has urged all organizations to reduce their exposure to cyberattacks through applying the mitigations in the catalog as per vendor instructions or to discontinue the use of affected products if mitigations are unavailable. In 2022, a critical vulnerability discovered in Apache Commons Text potentially granted threat actors access to remote servers. While fixes were soon released for both vulnerabilities, these incidents highlight the importance of timely updates and patches for vulnerabilities present in widely deployed open-source projects, frameworks and components.
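For defenders triaging this KEV entry, the following is an added example (not code from the article, CISA, or the Apache Flink project). It flags inventory hosts running the affected releases named above and scans access-log lines for directory-traversal sequences, undoing nested percent-encoding first. The hostnames, request paths and log lines are constructed, and it assumes a reverse proxy in front of the JobManager REST port writes common-log-format entries.

```python
import re
from urllib.parse import unquote

# Affected releases as listed in the article; fixed in 1.11.3 and 1.12.0.
AFFECTED = {(1, 11, 0), (1, 11, 1), (1, 11, 2)}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Common-log-format line as written by a reverse proxy (assumed deployment).
_LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_affected(version):
    """True if the version string names one of the affected Flink releases."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups()) in AFFECTED


def affected_hosts(inventory):
    """Return the sorted hostnames whose Flink version needs upgrading."""
    return sorted(h for h, v in inventory.items() if is_affected(v))


def fully_decode(path, max_rounds=5):
    """Percent-decode until the value stops changing; return (path, rounds).

    Nested encoding (%252f -> %2f -> /) is a common way to slip traversal
    sequences past filters that decode only once.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def scan_access_log(lines):
    """Return one finding per request whose decoded path has a '..' segment."""
    findings = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand
        raw = m["path"].split("?", 1)[0]
        decoded, rounds = fully_decode(raw)
        # Compare whole path segments so 'report..2024.txt' is not flagged.
        if ".." not in re.split(r"[/\\]+", decoded):
            continue
        findings.append({
            "client": m["client"],
            "raw_path": raw,
            "decoded_path": decoded,
            "decode_rounds": rounds,
            # A 2xx answer means the server returned content: check first.
            "severity": "investigate" if m["status"].startswith("2") else "attempt",
        })
    return findings


# Constructed sample data; '/files/' is a placeholder, not a real Flink route.
SAMPLE_INVENTORY = {
    "flink-jm-01.example.internal": "1.11.2",
    "flink-jm-02.example.internal": "1.11.3",
    "flink-jm-03.example.internal": "1.12.0",
    "flink-jm-04.example.internal": "1.11.0",
}
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2024:10:00:01 +0000] "GET /jobs/overview HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jun/2024:10:00:07 +0000] "GET /files/..%252f..%252fconf%252fsecret.txt HTTP/1.1" 200 1834',
    '10.0.0.9 - - [01/Jun/2024:10:00:09 +0000] "GET /files/%2e%2e/%2e%2e/conf/secret.txt HTTP/1.1" 404 0',
    '10.0.0.7 - - [01/Jun/2024:10:00:12 +0000] "GET /files/report..2024.txt HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    print("Upgrade required:", affected_hosts(SAMPLE_INVENTORY))
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A finding with severity "investigate" on a host that also appears in the upgrade list is the combination to review first, since the JobManager answered the request with content.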

Rockwell Automation Urged Customers to Keep ICS Away from the Internet


Rockwell Automation has urged customers to immediately disconnect all industrial control systems facing the public Internet. The company cites increasing malicious activity amid mounting geopolitical tensions worldwide as a reason for this recommendation.

The company advised customers to disconnect devices not specifically meant to face the public internet such as its cloud and edge offerings. Air gapping ICS systems from the public-facing internet can significantly reduce the attack surface of the organizations and protect their critical infrastructure from cyber threats, an advisory from the company suggested.

Rockwell Automation is a major provider of ICS products that has been in business for nearly a decade. Headquartered in Milwaukee, Wisconsin, the industrial automation giant provides services for Architecture and Software segments meant for controlling the customer's industrial processes as well as Industrial Control Product Solution segments such as intelligent motor control, industrial control products, application expertise, and project management capabilities. "Due to heightened geopolitical tensions and increased adversarial cyber activity globally, Rockwell Automation is issuing this notice urging all customers to take immediate action to assess whether they have devices facing the public internet and, if so, to urgently remove that connectivity for devices not specifically designed for public internet connectivity," Rockwell Automation stated.

Rockwell Automation Discourages Remote Connections to ICS

In its latest security advisory, Rockwell Automation stressed that network defenders should never configure ICS devices to allow remote connections from systems outside the local network. It advised organizations that disconnecting these systems from the public-facing internet could significantly reduce their attack surface. This action prevents threat actors from gaining direct access to vulnerable systems that may not yet have been patched against security vulnerabilities, thus protecting internal networks from potential breaches. Rockwell Automation has also cautioned customers to implement necessary mitigation measures against several security vulnerabilities in its ICS devices. These vulnerabilities, identified by their CVE IDs, span across several Rockwell products like Logix Controllers, Studio 5000 Logix Designer, and FactoryTalk platforms. The list of these vulnerabilities is as follows:
  • CVE-2021-22681: Rockwell Automation Logix Controllers (Update A)
  • CVE-2022-1159: Rockwell Automation Studio 5000 Logix Designer
  • CVE-2023-3595: Rockwell Automation Select Communication Modules
  • CVE-2023-46290: Rockwell Automation FactoryTalk Services Platform
  • CVE-2024-21914: Rockwell Automation FactoryTalk View ME
  • CVE-2024-21915: Rockwell Automation FactoryTalk Service Platform
  • CVE-2024-21917: Rockwell Automation FactoryTalk Service Platform

Broader Efforts and Mitigation Actions for ICS Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert advising Rockwell customers to implement the recommended security measures as these products are in use at several critical infrastructure organizations across the country. Earlier in September 2022, the agency along with the NSA had issued recommendations and a "how-to guide" for reducing exposure across ICS and related operational technologies. The urgency of enhancing ICS security is further highlighted by the collaborative efforts of multiple U.S. federal agencies, including the NSA, FBI, and CISA, along with cybersecurity agencies from Canada and the U.K. These agencies have previously issued several public statements about the threats posed by hacktivists targeting critical infrastructure operations through unsecured OT systems. CISA has already recommended defensive measures on industrial control systems such as minimizing network exposure, isolating control system networks, and securing remote access through the implementation of Virtual Private Networks (VPNs). The present administration also issued the 2021 national security memorandum instructing CISA and NIST to develop cybersecurity performance goals for critical infrastructure operators as part of the broader initiatives in recent years to secure critical infrastructure within the United States.

Arrests in $400M SIM-Swap Tied to Heist at FTX?

Three Americans were charged this week with stealing more than $400 million in a November 2022 SIM-swapping attack. The U.S. government did not name the victim organization, but there is every indication that the money was stolen from the now-defunct cryptocurrency exchange FTX, which had just filed for bankruptcy on that same day.

A graphic illustrating the flow of more than $400 million in cryptocurrencies stolen from FTX on Nov. 11-12, 2022. Image: Elliptic.co.

An indictment unsealed this week and first reported on by Ars Technica alleges that Chicago man Robert Powell, a.k.a. “R,” “R$” and “ElSwapo1,” was the ringleader of a SIM-swapping group called the “Powell SIM Swapping Crew.” Colorado resident Emily “Em” Hernandez allegedly helped the group gain access to victim devices in service of SIM-swapping attacks between March 2021 and April 2023. Indiana resident Carter Rohn, a.k.a. “Carti,” and “Punslayer,” allegedly assisted in compromising devices.

In a SIM-swapping attack, the crooks transfer the target’s phone number to a device they control, allowing them to intercept any text messages or phone calls sent to the victim, including one-time passcodes for authentication or password reset links sent via SMS.

The indictment states that the perpetrators in this heist stole the $400 million in cryptocurrencies on Nov. 11, 2022 after they SIM-swapped an AT&T customer by impersonating them at a retail store using a fake ID. However, the document refers to the victim in this case only by the name “Victim 1.”

Wired’s Andy Greenberg recently wrote about FTX’s all-night race to stop a $1 billion crypto heist that occurred on the evening of November 11:

“FTX’s staff had already endured one of the worst days in the company’s short life. What had recently been one of the world’s top cryptocurrency exchanges, valued at $32 billion only 10 months earlier, had just declared bankruptcy. Executives had, after an extended struggle, persuaded the company’s CEO, Sam Bankman-Fried, to hand over the reins to John Ray III, a new chief executive now tasked with shepherding the company through a nightmarish thicket of debts, many of which it seemed to have no means to pay.”

“FTX had, it seemed, hit rock bottom. Until someone—a thief or thieves who have yet to be identified—chose that particular moment to make things far worse. That Friday evening, exhausted FTX staffers began to see mysterious outflows of the company’s cryptocurrency, publicly captured on the Etherscan website that tracks the Ethereum blockchain, representing hundreds of millions of dollars worth of crypto being stolen in real time.”

The indictment says the $400 million was stolen over several hours between November 11 and 12, 2022. Tom Robinson, co-founder of the blockchain intelligence firm Elliptic, said the attackers in the FTX heist began to drain FTX wallets on the evening of Nov. 11, 2022 local time, and continued until the 12th of November.

Robinson said Elliptic is not aware of any other crypto heists of that magnitude occurring on that date.

“We put the value of the cryptoassets stolen at $477 million,” Robinson said. “The FTX administrators have reported overall losses due to “unauthorized third-party transfers” of $413 million – the discrepancy is likely due to subsequent seizure and return of some of the stolen assets. Either way, it’s certainly over $400 million, and we are not aware of any other thefts from crypto exchanges on this scale, on this date.”

The SIM-swappers allegedly responsible for the $400 million crypto theft are all U.S. residents. But there are some indications they had help from organized cybercriminals based in Russia. In October 2023, Elliptic released a report that found the money stolen from FTX had been laundered through exchanges with ties to criminal groups based in Russia.

“A Russia-linked actor seems a stronger possibility,” Elliptic wrote. “Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges. This points to the involvement of a broker or other intermediary with a nexus in Russia.”

Nick Bax, director of analytics at the cryptocurrency wallet recovery firm Unciphered, said the flow of stolen FTX funds looks more like what his team has seen from groups based in Eastern Europe and Russia than anything they’ve witnessed from US-based SIM-swappers.

“I was a bit surprised by this development but it seems to be consistent with reports from CISA [the Cybersecurity and Infrastructure Security Agency] and others that “Scattered Spider” has worked with [ransomware] groups like ALPHV/BlackCat,” Bax said.

CISA’s alert on Scattered Spider says they are a cybercriminal group that targets large companies and their contracted information technology (IT) help desks.

“Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs,” CISA said, referring to the group’s signature “Tactics, Techniques and Procedures.”

Nick Bax, posting on Twitter/X in Nov 2022 about his research on the $400 million FTX heist.

Earlier this week, KrebsOnSecurity published a story noting that a Florida man recently charged with being part of a SIM-swapping conspiracy is thought to be a key member of Scattered Spider, a hacking group also known as 0ktapus. That group has been blamed for a string of cyber intrusions at major U.S. technology companies during the summer of 2022.

Financial claims involving FTX’s bankruptcy proceedings are being handled by the financial and risk consulting giant Kroll. In August 2023, Kroll suffered its own breach after a Kroll employee was SIM-swapped. According to Kroll, the thieves stole user information for multiple cryptocurrency platforms that rely on Kroll services to handle bankruptcy proceedings.

KrebsOnSecurity sought comment for this story from Kroll, the FBI, the prosecuting attorneys, and Sullivan & Cromwell, the law firm handling the FTX bankruptcy. This story will be updated in the event any of them respond.

Attorneys for Mr. Powell said they do not know who Victim 1 is in the indictment, as the government hasn’t shared that information yet. Powell’s next court date is a detention hearing on Feb. 2, 2024.

Update, Feb. 3, 12:19 p.m. ET: The FBI declined a request to comment.
