Check That You Really Are Meeting Data Retention Requirements; Patch Fortinet FortiNAC Now; Follow NSA Recommendations to Reduce BlackLotus Bootkit Risk

The US Securities and Exchange Commission has fined JP Morgan Securities $4 million for deleting data related to Chase Bank. Under the Securities Exchange Act, JP Morgan is required to retain emails for three years; the 47 million messages in question, which were dated from January-April 2018, were deleted in 2019. JP Morgan detected the issue and self-reported to the SEC in 2020. JP Morgan says responsibility for deleting the data lies with a third-party vendor they hired to manage their archived data.

Read more in

Fortinet has released updates to address a deserialization of untrusted data vulnerability in its FortiNAC zero-trust access solution. The flaw could be exploited to execute code remotely. Users are urged to upgrade to FortiNAC versions 9.4.3, 9.2.8, 9.1.10, 7.2.2 or above. Although the vulnerability also affects FortiNAC versions 8.x, there will not be an update for those versions.

Read more in

The US National Security Agency (NSA) has published a mitigation guide for the BlackLotus Unified Extensible Firmware Interface (UEFI) bootkit malware. The NSA says that Microsoft’s efforts to address BlackLotus are insufficient: while “Microsoft issued patches for supported versions of Windows to correct boot loader logic, … patches were not issued to revoke trust in unpatched boot loaders via the Secure Boot Deny List Database (DBX).”

Read more in

In a Form 8-K filing with the US Securities and Exchange Commission, SolarWinds revealed that several current and former employees, including the company’s chief financial officer (CFO) and chief information security officer (CISO) have received notices indicating they may be facing SEC civil enforcement action. In the filing, SolarWinds notes that “the Wells Notices provided to these individuals each state that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws.” The company itself has also received a Wells Notice.

Read more in

A flaw in Microsoft Teams External Tenants feature allows attackers to bypass phishing safeguards and deliver malware to employees. The vulnerability affects Microsoft Teams with default configuration. The issue lies in an insecure direct object reference (IDOR) access control vulnerability. Microsoft has acknowledged that the flaw exists but does not plan to address it right away.

Read more in

A cyberattack affecting systems at Canada’s Suncor Energy has caused problems for customers at Petro-Canada filling stations. The issues are preventing customers from logging in to accounts, earning rewards points, or paying with payment cards. Suncor has not yet provided details about the cyber security incident.

Read more in

On Thursday and Friday of last week (June 22& 23) the US Cybersecurity and Infrastructure Security Agency (CISA) added 11 security issues to its Known exploited Vulnerabilities (KEV) catalog. These include three vulnerabilities affecting multiple Apple products; vulnerabilities in VMware Tools and VMware Aria Operations for Networks; vulnerability in Zyxel Network-Attached Storage (NAS) devices; three vulnerabilities affecting Roundcube Webmail; a vulnerability affecting Mozilla Firefox, Firefox ESR, and Thunderbird; and a vulnerability affecting Microsoft Win32k.

Read more in

A third-party vendor breach has prompted American Airlines and Southwest Airlines to begin notifying pilots that their personal data have been compromised. The third-party vendor, Pilot Credentials, manages pilot recruitment and applications for multiple airlines. The compromised data include government-issued identification numbers, including those for Social Security, driver’s licenses, Airman Certificates, and passports. The breach occurred in late April; Pilot Credentials notified American and Southwest about the incident on May 3. American and Southwest have both moved pilot applications to internal systems.

Read more in

The Internet Systems Consortium (ISC) has released updated versions of BIND to address three vulnerabilities in the domain name system (DNS) software. All three issues are remotely exploitable and could be used to create denial-of-service (DoS) conditions. The vulnerabilities are fixed in BIND versions 9.16.42, 9.18.16, and 9.19.14 and BIND Supported Preview Edition versions 9.16.42-S1 and 9.18.16-S1.

Read more in

Healthcare sector data security breaches reported to the US Department of Health and Human Services Office for Civil Rights (HHS OCR) so far this year affect more than 39 million people. Among the largest reported breaches: Managed Care of North America, which affected 8.86 million people; Pharmerica Corp., which affected 5.8 million people; and egal medical group, which affected 3.38 million people. (Note: Some of the breaches occurred in 2022 but were not reported to HHS OCR until 2023.)

Read more in

The US Health Sector Cybersecurity Coordination Center (HC3) has published an analyst note warning that search engine optimization (SEO) poisoning attacks are increasingly being used against organizations in the US Health Care and Public Health sector. The note’s suggestions for detecting and preventing SEO poisoning attacks include implementing typosquatting detection and using indicators of compromise (IoC) lists.

Read more in

Entities reporting breaches enabled by MOVEit include the New York City Department of Education and third-party service provider PBI Research Services. The PBI breach has affected Genworth Financial, Wilton Reassurance, and the California Public Employees’ Retirement System (CalPERS).

Read more in