Weekly Breakdown of Security News and Global Cyber Insights
This week’s CyberScan roundup delves into the most pressing cybersecurity issues and developments shaping the global landscape. Australia’s Big Four banks are in the spotlight, battling relentless cyber attacks from individuals, criminal syndicates, and nation-state actors.
Chris Sheehan of the National Australia Bank highlighted the severity, stating, “Every bank is being attacked all the time,” with sophisticated crime groups responsible for 90 percent of scams targeting Australians. Despite implementing robust cybersecurity measures, the financial sector continues to grapple with significant breaches, underscoring the critical need for vigilance.
Meanwhile, Google has launched a lucrative bug bounty program for the KVM hypervisor, kvmCTF, which pays substantial rewards for zero-day vulnerabilities found through collaborative testing and remediation. The program reflects Google’s interest in hardening a component that underpins both its cloud and Android platforms.
This initiative underscores the increasing importance of proactive measures in cybersecurity, as companies seek to fortify their defences against emerging threats.
In Europe, the defence and aerospace industry is calling for higher security standards in cloud services. Giorgio Mosca from Leonardo and ASD emphasised the need for harmonisation and certainty to maintain competitiveness. The current proposal for a European cybersecurity certification scheme for cloud services is seen as inadequate, prompting industry leaders to urge the new European Commission to take decisive action.
Additionally, the Biden administration’s efforts to implement stricter cybersecurity regulations face an 'uphill battle' following a Supreme Court decision that limits federal agencies’ regulatory authority. This ruling complicates the administration’s plans amidst a backdrop of increasing cyber threats and underscores the ongoing challenges in achieving robust cybersecurity frameworks globally.
Australian Banks Battling Constant Cyber Threats
Australia’s Big Four banks are engaged in a relentless battle against cyber attacks from individuals, criminal syndicates, and nation-state actors. Chris Sheehan, head of the National Australia Bank’s Group Investigations and Fraud business unit, highlighted the severity of the situation, stating, “Every bank is being attacked all the time.”
Sheehan described the threat landscape as dominated by “sophisticated, ruthless, and resilient transnational organised crime groups,” which are responsible for 90 percent of scams targeting Australians. The attackers range from government-backed nation-state operators to individuals attempting to hack systems from their homes.
NAB’s CEO Ross McEwan revealed that the bank faced 50 million attacks per month in late 2022, a figure that has likely increased with the advent of generative AI technologies. In response, NAB has implemented several initiatives to enhance cyber security, such as a bug bounty program, a crackdown on malicious insiders, and a ban on clickable links in customer SMSs.
These measures have yielded positive results, with scam losses decreasing over the past two quarters. Sheehan emphasised the importance of customer vigilance, advising that any pressure to make a payment under threat of penalty is a major red flag.
The financial services sector at large is grappling with a surge in cyber attacks. According to the Office of the Australian Information Commissioner (OAIC), financial services operators reported 49 data breaches in the second half of 2023, with 33 attributed to malicious or criminal attacks.
Notable breaches include the compromise of information at law firm HWL Ebsworth, affecting all Big Four banks, and data breaches at Judo Bank, Latitude, and Suncorp. Regulatory bodies are intensifying their efforts, with APRA introducing new resilience requirements and conducting war games to test bank defences. Despite these measures, Sheehan’s advice remains crucial: “Don’t hit send on the payment.”
Google Launches Lucrative Bug Bounty Program for KVM Hypervisor
Google has introduced a new bug bounty program with significant rewards. The program, kvmCTF, is a vulnerability reward initiative for the Kernel-based Virtual Machine (KVM) hypervisor, first announced in October 2023. KVM is a virtualisation module within the Linux kernel that allows the kernel to function as a hypervisor, running and managing multiple virtual machines (VMs) on a single physical host. Each VM runs its own operating system, which can differ from the host OS.
With over 15 years of open-source development, KVM is a crucial component of both Android and Google Cloud, according to the company.
"We designed kvmCTF as a collaborative way to help identify & remediate vulnerabilities and further harden this fundamental security boundary", Google stated in a blog post.
The bug bounty program will focus on zero-day vulnerabilities, with no payouts for n-day flaws. The rewards will vary based on the severity of the vulnerability: full VM escape earns $250,000, arbitrary memory write $100,000, arbitrary memory read $50,000, relative memory write $50,000, denial of service $20,000, and relative memory read $10,000.
European Defence Industry Calls for High Security Standards in Cloud Services
Brussels – The European defence and aerospace industry is pushing for the establishment of high common security standards for cloud services. According to Giorgio Mosca from Leonardo and ASD, harmonisation and certainty are essential for competitiveness. The new European Commission is expected to address certification systems to meet these demands.
The current proposal for a European cybersecurity certification scheme for cloud services (EUCS), prepared by the European Union Agency for Cybersecurity (ENISA) together with the European Cybersecurity Certification Group (ECCG), is considered inadequate by industry leaders. The AeroSpace and Defence Industries Association of Europe (ASD) is urging European decision-makers to revise the implementing act that would adopt the scheme under the EU Cybersecurity Act.
They emphasise the need for higher security standards to make investments more attractive and ensure the security of supply chains and communication channels within the EU. Giorgio Mosca highlighted the risks associated with the current situation, including increased vulnerability to cyber-attacks and potential disruptions due to data being outside the EU.
He criticised the slow progress on the EUCS and called for the reintroduction of high+ criteria for strategic sectors. Mosca urged the new Commission to take decisive action, emphasising that higher security standards, even if optional, are crucial for industry clarity and competitiveness. He called for the European Cybersecurity Certification Group to consider the new legislature's proposals before making a final decision.
Supreme Court Ruling Threatens Biden's Cybersecurity Efforts
The Biden administration’s push for stronger cybersecurity rules faces an 'uphill battle' following a landmark Supreme Court decision. The ruling, which overturns the Chevron doctrine, threatens to undermine the administration's regulatory foundation by limiting federal agencies' ability to interpret ambiguous laws. This setback comes at a time when the administration has been aggressively pursuing tighter cybersecurity regulations to counteract a series of damaging supply chain hacks, breaches, and ransomware attacks.
Harley Geiger, an attorney at Venable and counsel at the Center for Cybersecurity Policy and Law, warns that existing cybersecurity regulations may now be more vulnerable to court challenges.
"Congress has actually legislated relatively little when it comes to cybersecurity," Geiger noted, highlighting the administration's reliance on reinterpreting older statutes to enforce new cybersecurity standards. The recent ruling emboldens opponents of stringent regulations to file lawsuits testing the limits of agencies' regulatory authorities, potentially jeopardising rules that have been put in place to protect critical infrastructure and national security.
Administration officials are now evaluating how to proceed, with White House spokesperson Karine Jean-Pierre stating that the “administration is doing everything we can to continue to deploy the extraordinary expertise of the federal workers to keep Americans safe and ensure our communities thrive and prosper.”
This ruling could also impact efforts by agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Trade Commission (FTC) to implement new regulations. As Geiger pointed out, agencies may need to revise pending regulations to address ambiguous statutory interpretations, adding further complexity to an already challenging regulatory landscape.
Government Agencies Warn of Memory Safety Risks in Open Source Software
Government agencies from the US, Australia, and Canada are raising concerns about memory safety issues in open source software (OSS). Many OSS projects rely heavily on code written in memory-unsafe languages, creating vulnerabilities that attackers can exploit. The joint guidance from CISA, the FBI, the Australian Cyber Security Centre (ACSC), and the Canadian Centre for Cyber Security (CCCS) highlights the importance of addressing these memory safety concerns to protect both organisations and users.
An analysis of 172 projects identified by the Open Source Security Foundation (OpenSSF) found that more than half (52%) contain code written in memory-unsafe languages, and that such code accounts for 55% of the total lines of code across all the projects. Notably, the largest projects, such as the Linux kernel and Chromium, are predominantly written in these languages.
The guidance also points out that even projects entirely written in memory-safe languages often depend on components that are not. "Mistakes, which inevitably occur, can result in memory-safety vulnerabilities such as buffer overflows and use-after-free," the guidance states. To mitigate these risks, the agencies recommend transitioning critical projects to memory-safe languages like Rust, which can offer performance comparable to traditional memory-unsafe languages.
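To make the buffer-overflow class the guidance names concrete, the following C fragment is an added illustration, not code from the agencies' guidance or from any of the projects surveyed. It places a fixed-size name buffer directly in front of a privilege flag (a constructed layout), copies a constructed 13-byte name into it with an unbounded hand-rolled strcpy, and shows the flag flipping; the bounded copy beside it truncates, terminates and reports the truncation instead. The `noinline` attribute is a GCC/Clang extension used only to keep the compiler from reasoning the call away.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { NAME_LEN = 12 };

/* Constructed example layout: a fixed-size name buffer sits directly in front
 * of a privilege flag, as it might in a real session or account record. */
struct session {
    char    name[NAME_LEN]; /* display name, expected to be NUL-terminated */
    uint8_t is_admin;       /* 0 = ordinary user, 1 = administrator */
    uint8_t reserved[3];
};

/* The mistake: a hand-rolled strcpy that has no idea how big dst is. Every
 * byte of src past the twelfth lands on whatever follows name[] in memory.
 * noinline keeps the compiler from optimising the demonstration away. */
__attribute__((noinline))
static void copy_name_unsafe(char *dst, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
}

/* The fix: the destination size travels with the pointer, the copy is bounded,
 * the result is always terminated, and truncation is reported rather than
 * silently hidden. Returns 0 on success, 1 if truncated, -1 on a zero-size dst. */
static int copy_name_safe(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst_size == 0)
        return -1;
    n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1); /* n bytes plus the terminator */
    return 0;
}

/* Sets a name with the unbounded copy and returns the privilege flag observed
 * afterwards. A name of NAME_LEN + 1 bytes reaches the flag. */
int privilege_after_unsafe_copy(const char *name)
{
    struct session s;
    memset(&s, 0, sizeof s);
    copy_name_unsafe(s.name, name);
    return s.is_admin;
}

/* Same operation with the bounded copy: the flag cannot be reached. */
int privilege_after_safe_copy(const char *name)
{
    struct session s;
    memset(&s, 0, sizeof s);
    copy_name_safe(s.name, sizeof s.name, name);
    return s.is_admin;
}

/* Returns 1 when the bounded copy had to truncate the name, 0 otherwise. */
int name_was_truncated(const char *name)
{
    char buf[NAME_LEN];
    return copy_name_safe(buf, sizeof buf, name) == 1;
}

int main(void)
{
    /* Constructed input: twelve filler bytes fill name[], the thirteenth (0x01)
     * is positioned to land on is_admin. */
    const char *crafted = "AAAAAAAAAAAA\x01";

    printf("unsafe copy: is_admin = %d\n", privilege_after_unsafe_copy(crafted));
    printf("safe copy:   is_admin = %d, truncated = %d\n",
           privilege_after_safe_copy(crafted), name_was_truncated(crafted));
    printf("safe copy:   \"alice\" truncated = %d\n", name_was_truncated("alice"));
    return 0;
}
```

The unsafe path is undefined behaviour by the letter of the C standard, which is exactly the point: nothing in the language stops the write, so the outcome depends on layout and compiler. The bounded path makes the size part of the interface and turns the same input into a reported truncation, which is the kind of failure a caller can handle.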