Apple Updates Address Three Zero-Days; Some Android Phones and TVs Shipping with Malware Already Installed; EyeMed Will Pay $2.4 in Third Data Breach Settlement

Two of the zero-days were fixed in the recent "rapid security response" update. By combining these vulnerabilities, an attacker is able to execute arbitrary code outside the browser sandbox as a user visits a malicious web page.

Johannes Ullrich

Interesting that we saw two of these come out as Rapid Updates, but the third bundled with a major update (including the previous two). I have been beta-testing 16.5 for a while, so maybe the timing was right. So far, we have only seen one rapid security update in the last build. I guess the question that would make me wonder is the release cadence for these. Given this minor build update, I would assume that it follows a “rapid release” between major/minor build updates. When those updates are ready, any additional security patches will roll into the major/minor builds. Ultimately if you were thinking of relying on Rapid Updates solely for patches, you would be missing critical fixes still.

Moses Frost

Those zero-day fixes are baked into these releases, and unlike the RSR updates, your EMM/MDM should have no issues pushing these to your devices. Note these issues also prompted an update to iOS 15.7.6, which has 12 CVE’s listed, vs iOS 16.5 which addresses about 39.

Lee Neely

Apple products are getting noticed by hackers, and not in a good way. The total now stands at six zero-day vulnerabilities for 2023. Hopefully users were already on the latest operating system version(s) and took advantage of Apple’s RSR service. If not, whenever you see the words ‘actively exploited’ in the security bulletin, immediately elevate its priority in your patch cycle.

Curtis Dukes

While the trend is to include OEM-provided services in addition to the core Android load, these added services are much more than advertising related services, and as these are devices are intended for streaming content, not connecting them to the Internet is really not a mitigation. Review the Trend Micro blog for IOCs to detect malfeasance on your network as well as indications of which devices to avoid.

Lee Neely

The dangers of the Android EcoSystem. This is a criminal organization that is doing this; what would stop a more funded nation-state from doing this same? Would the nation-state be as noisy? One thing is sure: because it is Android, you have a change that you can find it. The one downside of iOS is the closed-source nature of it.

Moses Frost

Certainly a problem, but a problem we’ve collectively known about for close to a decade. Low-cost Android devices have been available for purchase via the Internet for years and come pre-bundled with any number of buggered applications. It’s yet another variation of a supply chain attack. This serves as a reminder that low-cost devices are often available for a reason – in this case to harvest user data.

Curtis Dukes

While Android devices can be used safely by those who choose them, one cannot say that for those buying them unsuspectingly.

William Hugh Murray

Adding up the three settlements over the last 18-months comes to a whopping $7.6 million in fines. In addition, EyeMed Vision must make significant changes to its security program. This and the other two settlements make for an excellent use case for boards as they balance the cost of implementing an effective cybersecurity program. In the end, the court is requiring them to implement such a program; that $7.6 million could have bought a lot of cybersecurity capability.

Curtis Dukes

Reporting data breaches promptly, implementing good cyber hygiene (to prevent breaches in the first place), and monitoring your systems has to be SOP. While this sounds like it’ll increase the cost of doing business, recovery from a breach accompanied by regulatory fines offset that cost substantially. If you’re at a loss on how to get your arms around cyber hygiene or requirements, your relevant ISAC or local CISA office can help you here, often for little to no cost.

Lee Neely

A breach is not necessarily evidence of a deficiency but it is prima facia, enough to land one in court. Across time and adversaries, adequate security should make the cost of attack higher than the value of success. However, the defender might not fully comprehend the value to the attacker and not all attackers are rational. While deciding how much to spend on security is difficult, if it can be done by anyone with available resources, it is essential and one had better do it.

William Hugh Murray

This case will be an interesting one to keep an eye on. Before the EU General Data Protection Regulation (GDPR) was brought into force in 2018, data subjects had little or no recourse to pursue damages resulting from a data breach. Depending on the EU member state they resided in, they had to prove a direct cause and effect between the actual breach and any losses they suffered. The EU GDPR now enables data subjects who have been negatively impacted by a data breach to sue for damages resulting from a data breach caused by the data controller not taking reasonable measures to prevent that data breach, without the burden being placed on the data subject to prove a direct cost to them. The EU GDPR is also one of the first regulations within the EU that supports class action types lawsuits. So while many of the headlines around GDPR focused on the fines companies could face for breaching GDPR, this is another part of the regulation that companies need to be aware of.

Brian Honan

The outcome of this case will likely have an impact on litigation of future data breaches. Today, victims of data breaches are typically offered free credit monitoring services for upwards of a year. It’s something but it doesn’t put coin in one’s pocket. This lawsuit flips that script but has the potential to cause serious financial harm to the company that was breached. It will all come down to the legal definition of ‘non-material’ damage.

Curtis Dukes

The core question is do privacy acts (GDPR, CPRA, etc.) apply when personal data is exfiltrated in a cyberattack? While there is no question of that being a deliberate disclosure of data, is the data steward liable for failure to properly protect the information? While there has to be appropriate notification and actions taken to protect affected users, this could result in an unwillingness to take those actions, which is a step in the wrong direction.

Lee Neely

Increased use of health tracking applications since the pandemic have put the protection of this data on the FTC radar, potentially expanding the definition of HIPAA. Read the rules carefully if you’re bound by the FTC and are incorporating health or biometric information in your applications or processes.

Lee Neely

This notice of proposed rulemaking is both timely and reflects changes in how personal health information is collected and used by data brokers. It reminds one of the adage ‘data is the new currency.’ It has value to enable business operations but consumers also have a right to be informed of its collection, use, and more importantly loss as part of a data breach.

Curtis Dukes

A common use of biometrics is for authentication of device owners, where neither the instant data or the reference ever leave the device. Moreover, the reference is not reversible; knowledge of the reference is not sufficient to dupe the system. Whatever concerns the FTC may have, this use of biometrics is optional, robust, convenient, and reasonably safe from misuse or abuse.

William Hugh Murray

Make sure that you know all the reverent regulatory requirements for data breach notification as well as who you’re sharing data with. In this case the SDK’s used to develop the app included the data-sharing code, making this even tricker than past instances where advertising and use analytics functions were also being used to exfiltrate user data. Note the FTC requirement to ask the third party to delete the shared data: while this would work with a business affiliate, with sharing embedded in the SDK, with a Chinese organization, removal of that data may not be feasible. Make sure you’ve confirmed the processes for data removal with entities you know you’re sharing data with, to include data gathered by use tracking services.

Lee Neely

Vital signs and exercise data, when associated with an individual or location are vulnerable to abuse and misuse. Apps that collect such data should be subject to some regulation or scrutiny, and should be chosen by consumers with some caution.

William Hugh Murray

Remember when you deployed changes that needed to be backed out because they didn’t act in production the way they did in QA, so you went back and reviewed the QA environment to reduce the likelihood of recurrence? Same thing, just a lot bigger user base. If you have folks who are cavalier making changes in production without testing in other environments first, here’s an excellent example of why we do that.

Lee Neely

While one is reluctant to criticize, the three outages are "related" by time and management. Forensic training tends to discourage belief in mere coincidence.

William Hugh Murray

This group uses RDP to compromise a system, then drops in a back door written in Go which installs TeamViewer, AnyDesk, etc for persistence. They evade detection by shutting down EDR services. Initial access is via exposed RDP or phishing. Mitigations include not exposing RDP to the Internet, updating PowerShell to the latest version, configuring UAC to require prompting for execution of PsExec scripts needing admin rights, and reviewing for accounts which have unexpected admin rights as well as unexpected accounts in general. Have your team closely review the IC3 article for more depth.

Lee Neely

While many ransomware groups use some form of *ishing to enable the cyberattack, BianLian targets the RDP protocol. So, to protect oneself it still comes down to secure configuration and proactive patch management. You can brush up on how to configure RDP securely by using guidance found at the Center for Internet Security.

Curtis Dukes

Despite the incident, and associated costs, the company was still able to meet or exceed expected production levels, indicating their BC/DR plan was quite effective. Have you assessed your plan to see what reduced or modified capabilities will affect your customers, short term and long term? Is something in place to preserve those relationships for when you come out the other side? (So you still have customers.)

Lee Neely

We have scant details on the cyberattack, although it’s speculated as being a ransomware event. Given the size of company and gross revenues, the estimated losses seem a bit smallish. I wouldn’t be surprised to find that future updates increase the cost of the cyber incident.

Curtis Dukes