Thycotic CISO Terence Jackson shares his thoughts on the challenges CISOs face in these difficult times.

• On the biggest security threats: "The most significant security threat that we are still seeing is phishing."
• On the evolving role of the CISO: "The CISO has to be multifaceted and to operate as the advisor, guardian, risk manager, and privacy guru."
• Click here to upgrade to premium and read the full interview!

Serious vulnerabilities in SD-WAN products made by Cisco, Citrix, VMware, and HP's Silver Peak can be used by an attacker to redirect traffic or shut down a network, warned researchers from Realmode Labs. The bugs can be exploited to carry out remote code execution (RCE) attacks. The vendors issued patches for the bugs after being informed about the issues by the researchers.

More:

• Cisco's SD-WAN vManager network management system has four bugs: two directory traversal issues, a shell injection bug, and a privilege escalation bug.
• Citrix's SD-WAN Center has two authentication bypass flaws and two shell injection bugs.
• VMware's SD-WAN (VeloCloud) Orchestrator has backdoor, path traversal, SQL injection, and file inclusion bugs.
• Silver Peak's Unity Orchestrator has authentication bypass, file delete path traversal, and arbitrary SQL query execution bugs.

CYBER BREACH MONDAY

Every Monday, I summarize the most important breaches, so you stay up-to-date on the latest cybersecurity incidents. In today's issue:

Albert Einstein Hospital (Sao Palolo, Brazil): 16 million breach victims; Health information of Brazilian COVID-19 patients was leaked by a hospital employee who uploaded an unsecured spreadsheet on GitHub.

AspenPointe (Colo.): 295,617 breach victims; network server hacking/IT incident.

A county in Pennsylvania paid a $500K ransom to get the decryption key from the DoppelPaymer ransomware gang. Delaware County had to take its network offline after discovering the ransomware infection. The county's Bureau of Elections and Emergency Services Department were not impacted by the attack. 

More:

• The attackers were able to access police reports as well as payroll and purchasing databases.
• The DoppelPaymer gang is one of a growing number of ransomware groups that engage in double extortion: holding both data and encrypted systems for ransom. 
• Other ransomware groups adopting the double-extortion strategy include REvil (Sodinokibi), Clop, Mespinoza, Nefilim, Nemty, Netwalker, RagnarLocker, Sekhmet, and Snatch.

The Supreme Court on Monday is hearing oral arguments about the scope of the Computer Fraud and Abuse Act (CFAA), a case that could have implications for cybersecurity research. The case, Van Buren v. United States, focuses on whether individuals who misuse their authorized access to a computer could be held liable under CFAA.

More:

• In an amicus brief, the Electronic Frontier Foundation and other groups argued that a broad interpretation of the law could discourage researchers from searching for and disclosing security flaws.
• The plaintiff, Nathan Van Buren, a Georgia police officer, was convicted of searching a license plate database for personal purposes in addition to law enforcement purposes.
• The case is expected to turn on an interpretation of the CFAA's vague language, which sanctions any person who "exceeds authorized access" on a computer.

Drupal has released emergency patches for two critical code execution (RCE) bugs in the Drupal core because of known exploits in the wild. The bugs are in the open-source PEAR Archive_Tar library, which Drupal uses to handle TAR files in PHP.

More:

• The bugs are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.
• Drupal stressed that these flaws are different from critical RCE bugs it patched last year.
• A week ago, Drupal fixed another RCE bug in Drupal core.

Trend Micro researchers have uncovered a backdoor in the macOS that could be related to the Vietnamese-based Ocean Lotus group. The researchers noted that the new variant of the malware includes new behavior and domain names. Ocean Lotus (aka, APT32) targets organizations in the media, research, and construction industries.

More:

• The malware is an app bundled in a ZIP archive, which disguises itself as a Word document.
• Ocean Lotus was recently discovered to be using fake websites and Facebook groups to deploy malware.
• The group carries out cyberespionage for the Vietnamese government.

Advantech has been hit by a ransomware attack that disrupted its network and leaked confidential corporate documents. The Conti ransomware group is demanding a hefty $14M ransom from Advantech to provide the decryption key and stop leaking stolen data.

More:

• Taiwan-based Advantech is a provider of Internet of Things systems and embedded platforms for industrial customers and has a workforce of more than 8,000.
• The company said that the attackers stole low-value documents from some of its servers but its important operating systems are functioning normally.
• The Conti group began publishing some of the stolen data on its website on Nov. 26 and threatened to publish more if the ransom is not paid.

Small and medium-sized businesses (SMBs) that disclose data breaches proactively suffer 40% less financial harm than those that don't, according to research from Kaspersky Lab. Firms that fail to provide timely public information about a data breach increase the financial and reputational consequences of that breach, Kaspersky found.

More from Kaspersky:

• 28% of enterprises suffer less financial damage by proactively disclosing breaches than those that don't.
• Financial losses were 32% lower for enterprises that detected a breach quickly, compared to those that took a week or longer.
• SMBs reduced losses by 17% through early breach detection.
• Kaspersky surveyed 5,266 IT decision-makers in 31 countries for the report.

QUICK HITS:

• During this holiday season, find out how SimpliSafe is protecting over 3 million homes with less markup and more security.*
• The Consumer Financial Protection Board is developing rules to cover consumer privacy, data breach liability, and information sharing regarding consumers' financial data.
• A Canadian soldier is seeking C$60K ($46K) in damages after colleagues and superiors shared his confidential medical information without permission. 
• Suspected North Korean hackers have been targeting U.K. drugmaker AstraZeneca, which is one of the firms developing a COVID-19 vaccine.
• A report claims that the CIA and the German spy agency used a second Swiss encryption company to spy on governments.
• Revtown’s changing the denim game by applying the best parts of workout clothes—comfort, flexibility & durability—to jeans.*

* This is sponsored content.