SEC Cyber Disclosure Rules Leave Companies Confused, One Year Later, Deloitte Denies Hack Claims Amid Brain Cipher Ransomware Allegations, Microsoft and SAP Issuing Patches for Some Critical Vulnerabilities.
This is Cyber Security Today. I’m your host, Jim Love.
SEC Cyber Disclosure Rules Leave Companies Confused, One Year Later
One year after the Securities and Exchange Commission (SEC) introduced stricter disclosure rules for cybersecurity incidents, many companies are still struggling to comply, leaving investors in the dark about critical details.
A recent report by BreachRx reveals that only 16.9% of public companies filing 8-K reports on cyber incidents have provided specific details on the material impact of those incidents on their business. Furthermore, 52% of these filings relied on generic boilerplate language, with just under half offering any information on how the organization was responding to the issue.
The rules, enacted in December 2023, require public companies to disclose “material” cyber incidents within four business days and to include details of their overall cybersecurity strategies in annual reports. However, ambiguity around what constitutes “material” has left companies grappling with compliance. Many have interpreted the term narrowly, focusing solely on financial impacts while excluding breaches affecting customer data.
The SEC intended for the rules to promote greater transparency and avoid vague statements, but industry practices have fallen short. “The SEC was very clear… they wanted more transparency,” said BreachRx CEO Andy Lunsford. “It’s pretty clear that’s not what the industry has done.”
Corporate lawyers have reportedly discouraged detailed disclosures due to concerns about litigation risks. As a result, some companies have adopted minimal reporting practices, prompting criticism from cybersecurity advocates. Notable exceptions like Microsoft have filed more comprehensive disclosures, setting a potential standard for the industry.
Looking ahead, the SEC’s enforcement of these rules remains uncertain, especially with a change in leadership on the horizon. While current chair Gary Gensler has prioritized cybersecurity, incoming chair Paul Atkins may take a different approach, raising questions about the long-term impact of the rules.
For now, the lack of clarity and inconsistent compliance highlights the ongoing challenge of balancing corporate transparency with legal and operational concerns.
+++
Deloitte Denies Hack Claims Amid Brain Cipher Ransomware Allegations
Deloitte has denied allegations from the Brain Cipher ransomware group claiming the theft of over one terabyte of data. The group added Deloitte UK to its Tor leak site, alleging they had exfiltrated a trove of compressed data. Deloitte has clarified that the incident pertains to a single client’s system external to its network.
In a statement, a Deloitte spokesperson emphasized, “Our investigation indicates that the allegations relate to a single client’s system which sits outside of the Deloitte network. No Deloitte systems have been impacted.” The company continues to investigate the matter.
The Brain Cipher ransomware group has threatened to release the data in five days if a ransom is not paid. The group, active since at least April 2024, has a track record of high-profile cyberattacks, including a June breach of an Indonesian data center that disrupted 210 critical government services, causing widespread delays. Despite initially demanding an $8 million ransom, the group later released a decryptor for free.
Cybersecurity researchers, including those at Group-IB, suggest connections between Brain Cipher and other ransomware groups such as EstateRansomware and SenSayQ. Shared stylistic elements in ransom notes and overlapping technologies on their Tor sites support this hypothesis.
This isn’t the first time Deloitte has faced hacking allegations. In September, the IntelBroker threat actor claimed to have stolen sensitive data from the firm, but Deloitte refuted the claims, stating no sensitive data was compromised. Additionally, in 2017, the company suffered a significant breach in which a hacker gained access to admin credentials, exposing confidential client emails and other sensitive information and leading to a reputational hit.
The ongoing Brain Cipher allegations place Deloitte’s cybersecurity measures under scrutiny once again, though the company firmly maintains that its network remains unaffected.
+++
Microsoft and SAP Issuing Patches for Some Critical Vulnerabilities
Microsoft December 2024 Patch Tuesday Fixes Exploited Zero-Day and 71 Flaws
Microsoft’s December 2024 Patch Tuesday addressed 71 security vulnerabilities, including one actively exploited zero-day (CVE-2024-49138). Among the fixes, 16 critical flaws involve remote code execution, posing significant risks to affected systems. The zero-day vulnerability, discovered by CrowdStrike, allows attackers to gain SYSTEM privileges on Windows devices. While details on how it was exploited remain scarce, Microsoft has released a fix to mitigate the risk.
The updates also include patches for 27 elevation of privilege vulnerabilities, seven information disclosure flaws, and five denial-of-service issues. Notably, two Edge vulnerabilities were resolved earlier in the month. Given the severity of these flaws, users and organizations are urged to apply the patches immediately to protect against potential exploits.
In addition to these security updates, Microsoft released non-security updates for Windows 10 and 11, which address performance and functionality improvements. As cyber threats continue to evolve, timely updates are essential to maintaining secure and resilient systems.
SAP Fixes Critical SSRF Vulnerability in NetWeaver’s Adobe Document Services
SAP has released patches for 16 vulnerabilities as part of its December 2024 Security Patch Day, including a critical Server-Side Request Forgery (SSRF) flaw in NetWeaver’s Adobe Document Services. The vulnerability, tracked as CVE-2024-47578 with a CVSS score of 9.1, could allow attackers with administrative privileges to exploit the system by sending crafted requests through a vulnerable web application. Successful exploitation might enable attackers to read or modify files and potentially disable the entire system.
The flaw affects ADSSSAP version 7.50 and poses a significant threat to internal systems typically protected by firewalls. Alongside CVE-2024-47578, SAP addressed two related vulnerabilities (CVE-2024-47579 and CVE-2024-47580) that could lead to unauthorized file access and information disclosure. Other notable fixes include a Cross-Site Scripting (XSS) vulnerability (CVE-2024-47590, CVSS 8.8) in Web Dispatcher and an Information Disclosure issue (CVE-2024-54198, CVSS 8.5) in SAP NetWeaver Application Server ABAP.
SAP has reported no active exploitation of these vulnerabilities in the wild. Organizations using affected systems are strongly advised to apply the patches promptly to mitigate potential risks.
Lots goin’ on…
That’s our show for today.
You can find links to reports and other details in our show notes at technewsday.com. We welcome your comments, tips and the occasional bit of constructive criticism at editorial@technewsday.ca.
I’m your host, Jim Love, thanks for listening.