Commit 12_18_2023: Predatory Sparrow dives again

Welcome to the penultimate Commit of 2023! README senior editor Nathaniel Mott here with the security news of the moment.

Times of Israel: Predatory Sparrow claims Iran gas station hack

The self-proclaimed hacktivist group Predatory Sparrow has reportedly claimed responsibility for a hack that purportedly rendered “a majority of the gas pumps throughout Iran” inoperable. The Times of Israel today reported that Iran has acknowledged the malfunctions but said they were the result of a “software problem.”

Despite claims that it’s merely a pro-Israel hacktivist group, many suspect that Predatory Sparrow is a government-backed effort conducting officially sanctioned operations for which they desire plausible deniability. Either way, there’s no denying that the group is effective, and this probably won’t be the last time we hear about it in the years to come.

TechCrunch: SEC incident reporting rules go into effect

Somebody let ALPHV / BlackCat know the Securities and Exchange Commission’s requirements for companies to disclose cybersecurity incidents are now in effect. The commission officially adopted the new rules in July; TechCrunch said publicly traded companies will finally be required to abide by them starting today.

The rules don’t require companies to disclose all incidents, however, and I suspect many legal teams will be looking for ways to circumvent the requirements in the months ahead. (Assuming they didn’t start back when the rules were adopted.) Let’s see if the new rules prove to be as impactful as people seem to think they will.

The Record: Mr. Cooper details extent of October hack

Mr. Cooper, which The Record described as “one of the largest mortgage loan servicers” in the U.S., has offered additional information about an October breach that left people around the country unable to pay their mortgages. The company said the personal information of some 14.7 million people was compromised as part of the incident.

That information is said to include someone’s “name, address, phone number, Social Security number, date of birth, bank account number.” The victim list includes seemingly anyone who has had anything to do with Mr. Cooper or a “sister brand,” including people who applied for a mortgage or had a mortgage serviced through its partners.

Financial Times: U.K. pulls Chinese equipment from power grid

The Financial Times today reported National Grid “has started removing components supplied by a Chinese state-backed company from Britain’s electricity transmission network over cyber security fears.” The company, Nari Technology, is “a big supplier of components that help manage and improve the performance of electricity grids.”

The move highlights the vast array of responses critical infrastructure operators have to cybersecurity. In this instance, a company is pulling out equipment because it’s worried that it could eventually be used by a political rival. Yet many water treatment facilities throughout the U.S. can’t be bothered to change default passwords on critical equipment.

VulnCheck: Log4Shell ‘overblown and exaggerated’

Last week I said I was disappointed to hear that roughly 30% of software relying on Log4j still uses a version of the library with a known vulnerability, even though the Log4Shell flaws were seemingly all anyone in the security industry could talk about following their disclosure in 2021. But now VulnCheck has argued Log4Shell wasn’t all that bad.

“Log4Shell has an interesting place in security history because it accelerated the conversation around Software Supply Chain Security & SBOM,” the company said. “But the impact of the vulnerability itself was, and still is, overblown and exaggerated.” That seems like a hot take, but I think it’s worth reading through VulnCheck’s argument.