US Proposes Rules to Bar Transfer of Americans' Data to China, Russia, Other Sanctioned Countries

Ransomware forces Casio to delay earnings report, Buffalo cop indicted for Genesis Market role, Ransomware hackers leak Nidec data, Breach of Transak affects 92K users, Google ad might hide crypto wallet drainer, Roundcube client used to deliver malware, DDoS attacks pelt Japan firms, much more

Image by Gerd Altmann from Pixabay

Sponsor message

In today's digital landscape, protecting your software supply chain from rising threats is essential. This free whitepaper offers five key strategies for enhancing container security, one of the main attack surfaces in dynamic software development practices. Learn about using SBOMs for transparency, shifting vulnerability detection left, and automating policy enforcement, all for a superior developer experience and securing third-party code. 

Interested in reaching the elite audience of cybersecurity decision-makers, public policy professionals, and journalists who read Metacurity? Send an email to info [at] Metacurity.com with the subject line "Sponsorship."


The Biden administration issued a notice for proposed rulemaking for regulating certain data transfers to adversarial countries such as China and Russia, creating specific requirements for how sensitive personal and federal information can be shared.

The proposed regulations follow the release of a February executive order designed to block foreign adversaries from exploiting easily obtained American financial, biometric, precise geolocation, health, genomic, and other data to carry out cyberattacks or spy on Americans.

Under the proposed rules, data transfers to companies and individuals in six countries — China, Russia, Iran, North Korea, Venezuela, and Cuba — will be prohibited when specific pre-set volume thresholds are exceeded, according to a detailed fact sheet released by the administration and comments from senior administration officials.

US companies will be restricted from transferring more than 100 Americans’ genomic data to the targeted countries over any 12-month period. Data transfers for more than 1,000 Americans’ geolocation data and biometric identifiers, more than 10,000 Americans’ health and financial data, and more than 100,000 personal identifiers will also be barred.

Personal identifiers include names linked to device IDs, Social Security numbers, and driver’s license numbers.

Data belonging to even a single active-duty military or federal personnel will be prohibited from being transferred, as will data broker sales where the seller has reason to believe the information they are peddling will make its way to any of the six countries.

A senior administration official said that US-based data brokers of all sizes and types are primary targets for the rule. Both third-party data brokers and companies selling data they have collected will be entirely prohibited from data transactions tied to the six designated countries.

The official said that data broker sales to those countries seriously threaten national security. “Countries of concern can buy the data on the open market,” the official said. “Once acquired … that data can be used for various nefarious activities.”

The official said these activities include executing cyberattacks, creating disinformation campaigns, building profiles used to track national security leaders, surveilling and mapping government facilities, threatening dissidents and journalists, and understanding the “patterns of life” of average Americans. 

Restrictions would also apply to various other business relationships with entities and individuals in the six countries, including investments in American companies, hiring subcontractors, and data processing or storage. 

Companies making such transactions must comply with a new Cybersecurity and Infrastructure Security Agency (CISA) regulatory regime, which draws from existing National Institute of Standards and Technology (NIST) cybersecurity and privacy frameworks. Those frameworks include physical access control, data minimization, and encryption standards. 

Firms which violate the proposed regulations would be subject to civil penalties and criminal prosecution. (Suzanne Smalley / The Record)

Related: Justice Department, Justice Department, Justice Department, CyberScoop, The Register, PCMag, Cybernews, The Cyber Express, Reuters

Japanese watchmaker Casio Computer said it will delay the release of its second-quarter earnings to mid-November from November 6 due to the impact of a ransomware attack on its accounting process.

Casio announced earlier this month that its servers had been damaged by a ransomware attack that potentially leaked some personal information of its employees and business partners. (Kantaro Komiya / Reuters)

Related: The Record, Cyber Daily

An FBI probe into the shuttered Genesis Market cybercrime site has led to the indictment of Michael Ciszek, a police detective in Buffalo, New York.

A federal grand jury handed down a three-count indictment charging Ciszek with possession of unauthorized access devices in the form of stolen credit card data. He also faces two counts of making false statements to federal investigators. Each charge carries a maximum penalty of 10 years in prison; the unauthorized access device charge carries a maximum fine of $250,000.

In the indictment and a previous complaint, authorities accused Ciszek of using the moniker "DrMonster" on Genesis Market over four months in 2020 to buy 11 data packages that included 194 stolen account credentials.

Investigators said they additionally tied Ciszek to a Bitcoin wallet address hosted by CashApp, which was used to buy stolen data on UniCC, a dark net carding site devoted to the buying, selling, and using stolen payment card data.

Investigators said Ciszek accessed his CashApp account—opened using his driver's license to confirm his identity—on March 16, 2020, from an IP address used later that day to access the Genesis account of the user DrMonster. Funds from the CashApp account appeared in DrMonster's Genesis account three days later.

The indictment also accused Ciszek of recording a video around that time "explaining to others how he anonymized his identity on the internet when purchasing stolen credit cards," as well as how he used UniCC. "In the video, the defendant stated, among other things, 'And then I usually get my credit cards from UniCC, which is an amazing place if you guys don't have it,'" it said.

The indictment against Ciszek reflects ongoing probes into Genesis Market by multiple law enforcement agencies. The FBI began investigating in 2018, shortly after the market launched. Authorities said Russia-based administrators ran the site.

An international law enforcement effort involving 17 countries, dubbed "Operation Cookie Monster" and spearheaded by the FBI and Dutch National Police in April 2023, seized Genesis Market and arrested over 170 suspected users worldwide, with additional arrests following. (Matthew Schwartz / Data Breach Today)

Related: Justice Department, District Court Indictment, District Court Criminal Complaint, WKBW, WGRZ, BankInfoSecurity

Screenshot of Ciszek operating as Dr Monstah in Oracle VirtualBox. Source: Criminal complaint.

Japanese tech giant Nidec Corporation says that hackers behind a ransomware attack it suffered earlier this year stole data and leaked it on the dark web.

The attack did not encrypt files; the incident is considered fully remediated. However, Nidec employees, contractors, and associates should be aware that the leaked data could be used in more targeted phishing attacks.

The cyberattack targeted Nidec Precision's Vietnam-based division, which specializes in manufacturing optical, electronic, and mechanical equipment for the photography industry.

The hackers obtained valid VPN account credentials of a Nidec employee and accessed a server that contained confidential information. The company closed the entry point and implemented additional security measures, and Nidec employees are undergoing training to minimize such risks.

The investigation also revealed that the attackers stole 50,694 files,

The 8BASE ransomware gang claimed an attack on Nidec on June 18, alleging that the data had been stolen from the systems of the Japanese firm on June 3, 2024. 8BASE claimed to be holding much of what Nidec confirmed via its investigation, plus personal data and “a huge amount of confidential information.”

On August 8, the Everest ransomware group, known for receiving stolen data from other cybercriminals to perform new extortion attempts on victims, published data allegedly stolen from Nidec.

The company states in the latest announcement that the threat actors first made contact on August 5, suggesting that the communication came from the Everest ransomware gang. (Bill Toulas / Bleeping Computer)

Related: Nidec, SC Media, Tech Radar, iZooLogic, Cyber Daily

Crypto on-ramp firm Transak has disclosed a recent data breach that affected over 92,000 users.

The company identified that a malicious actor gained access to an employee’s laptop through a phishing attack, exposing them to “specific user information stored within the vendor’s dashboard.”

The attacker compromised the employee credentials and could log in to the system of a third-party Know Your Customer vendor used for document scanning and verification services. Sensitive information such as names, dates of birth, passports, driver’s licenses, and selfies of 92,554 users, or 1.14% of Transak’s user base, was compromised.

Transak is contacting affected users. “If we do not email you, then you have not been affected,” said the company, adding that data protection authorities in the United Kingdom and regulators across the European Union and the United States have also been notified. (Ana Paula Pereira / Cointelegraph)

Related: CoinDesk, The Record, crypto.news, CryptoSlate, Cryptonews, The Block, CoinMarketCap, Cybernews, CoinGape

Scam Sniffer said that its team found that a Google Search for “soneium” produced a sponsored link to a malicious website that included a wallet drainer.

Soneium is an Ethereum layer-2 blockchain from Sony Block Solutions Labs, a joint venture between the tech conglomerate Sony and blockchain firm Startale Labs that went live on its testnet in August.

“Searched for Soneium on Google, clicked a phishing ad,” it added. “Phishing always happens when you’re not paying attention, even if you mistakenly spell ‘soneium’ as ‘someium.’”

Scam Sniffer shared the claimed phishing link. The link used a domain suffix different from Soneium’s website and appeared as a simple and unfinished landing page for a British-based radiology service.

Scam Sniffer told Cointelegraph the website’s creators used specific techniques to hide the malicious page from Google.

“It’s hard to see it unless you are targeted, and that’s why Google couldn’t know [about] it,” the firm said. (Jesse Coghlan / Cointelegraph)

Related: CCN, Protos, CoinMarketCap, Cryptonews, Binance

Researchers at Positive Technologies report that threat actors have been exploiting a vulnerability in the Roundcube Webmail client to target government organizations in the Commonwealth of Independent States (CIS) region, the successor of the former Soviet Union.

Roundcube Webmail is an open-source, PHP-based webmail solution supporting plugins to extend functionality. It is popular with commercial and government entities.

The attack was discovered in September, but the researchers determined that the threat actor activity had started in June.

The threat actor exploited a medium-severity stored XSS (cross-site scripting) vulnerability identified as CVE-2024-37383. This vulnerability allows malicious JavaScript code to be executed on the Roundcube page when opening a specially crafted email.

The issue is triggered by improper processing of SVG elements in the email, which bypasses syntax checks and allows malicious code to be executed on the user's page.

The attacks used emails without visible content and only a .DOC attachment. However, the threat actor embedded a hidden payload within the code that the client processes but does not show in the message body based on specific tags, “<animate>” in this case. The attackers use the ManageSieve plugin to exfiltrate messages from the mail server. (Bill Toulas / Bleeping Computer)
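The report describes a message with no visible body text whose only active content is an SVG element that the client processes but never displays. The scanner below is an added example for defenders, not code from Roundcube, Positive Technologies or Bleeping Computer: it walks an HTML mail body with the standard library's HTMLParser, records any SVG elements (including `<animate>`), flags the "SVG markup but nothing to read" combination the report describes, and re-emits the body with every SVG subtree removed. The tag list, the heuristic and the three sample messages are constructed for the example.

```python
from html.parser import HTMLParser

# SVG elements this example refuses to pass through to a renderer (assumed list,
# chosen to cover the <animate> element named in the report and its siblings).
SVG_TAGS = {"svg", "animate", "set", "animatetransform", "animatemotion"}


class MailScanner(HTMLParser):
    """Records SVG elements in an HTML mail body and rebuilds the body without them."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.svg_tags = []      # SVG tags seen, in document order
        self.visible_text = []  # text a reader would actually see
        self.clean = []         # sanitized output fragments
        self._svg_depth = 0     # > 0 while inside an <svg> subtree
        self._hidden = 0        # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in SVG_TAGS:
            self.svg_tags.append(tag)
        if tag == "svg":
            self._svg_depth += 1
        if tag in ("script", "style"):
            self._hidden += 1
        if self._svg_depth or tag in SVG_TAGS:
            return  # drop the element (and its subtree) from the output
        self.clean.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # self-closing form such as <animate .../> or <br/>
        if tag in SVG_TAGS:
            self.svg_tags.append(tag)
            return
        if not self._svg_depth:
            self.clean.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1
        if tag == "svg" and self._svg_depth:
            self._svg_depth -= 1
            return
        if self._svg_depth or tag in SVG_TAGS:
            return
        self.clean.append(f"</{tag}>")

    def handle_data(self, data):
        if self._svg_depth:
            return
        if not self._hidden and data.strip():
            self.visible_text.append(data.strip())
        self.clean.append(data)

    # Entity and character references are passed through unchanged outside SVG;
    # comments and doctype declarations are intentionally not re-emitted.
    def handle_entityref(self, name):
        if not self._svg_depth:
            self.clean.append(f"&{name};")

    def handle_charref(self, name):
        if not self._svg_depth:
            self.clean.append(f"&#{name};")


def scan_mail(html):
    """Return a verdict and a sanitized copy of one HTML mail body."""
    scanner = MailScanner()
    scanner.feed(html)
    scanner.close()
    # The pattern from the report: SVG markup in a message with nothing visible to read.
    suspicious = bool(scanner.svg_tags) and not scanner.visible_text
    return {
        "svg_tags": scanner.svg_tags,
        "has_visible_text": bool(scanner.visible_text),
        "suspicious": suspicious,
        "sanitized": "".join(scanner.clean),
    }


# Constructed sample messages (not real captures).
SAMPLE_MAILS = {
    "benign": "<html><body><p>Quarterly figures attached.</p></body></html>",
    "hidden_svg": '<html><body><svg><animate attributeName="x" values="0;1"/></svg></body></html>',
    "svg_with_text": '<html><body><p>See logo</p><svg width="10"><circle r="1"/></svg></body></html>',
}

if __name__ == "__main__":
    for name, body in SAMPLE_MAILS.items():
        verdict = scan_mail(body)
        print(f"{name:14} suspicious={verdict['suspicious']} svg={verdict['svg_tags']}")
```

The heuristic is deliberately narrow: a message that carries SVG alongside readable text (the `svg_with_text` sample) is sanitized but not flagged, so a mail gateway could quarantine only the first pattern while still stripping SVG from everything it forwards to a webmail renderer.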

Related: Positive Technologies, Security Week, Security Affairs, CIO News

Source: Bleeping Computer.

Cisco confirmed that it took its public DevHub portal offline after a threat actor leaked "non-public" data, but it continues to state that there is no evidence that its systems were breached.

"We have determined that the data in question is on a public-facing DevHub environment—a Cisco resource center that enables us to support our community by making available software code, scripts, etc., for customers to use as needed," reads an updated statement from Cisco.

"At this stage in our investigation, we have determined that a small number of files that were not authorized for public download may have been published."

Cisco says there are no indications that personal information or financial data was stolen but is continuing to investigate what data may have been accessed.

This statement comes after a threat actor, IntelBroker, claimed to have breached Cisco and attempted to sell data and source code stolen from the company. (Lawrence Abrams / Bleeping Computer)

Related: Cisco, Dark Reading, Security Week

Researchers at Netscout report that two Russian hacking groups leveled distributed denial-of-service (DDoS) attacks at Japanese logistics and shipbuilding firms and government and political organizations, which experts believe are attempts to pressure the Japanese government. 

The attacks came after lawmakers boosted the nation's defense budget and its military conducted exercises with regional allies.

The two pro-Russian cyber threat groups, NoName057(16) and the Russian Cyber Army Team, started attacking Japanese targets on Oct. 14, with more than half of the attacks targeting logistics, shipbuilding, and manufacturing firms, according to network-monitoring firm Netscout. The groups, especially NoName057(16), have made a name for themselves by attacking Ukrainian and European targets following Russia's invasion of Ukraine.

Netscout says the groups targeted Japanese industry and government agencies in the latest spate of attacks after the Ministry of Foreign Affairs of the Russian Federation expressed concern over the ramp-up of Japan's military.

More than half of the attacks targeted the logistics and manufacturing sector, while nearly a third targeted Japan's government agencies and political organizations. (Robert Lemos / Dark Reading)

Related: Netscout, BankInfoSecurity

Source: Netscout.

A $2 million contract that the US Immigration and Customs Enforcement signed with Israeli commercial spyware vendor Paragon Solutions has been paused and placed under compliance review, marking the first test of the Biden administration’s executive order restricting the government’s use of spyware.

The one-year contract between Paragon’s US subsidiary in Chantilly, Virginia, and ICE’s Homeland Security Investigations (HSI) Division 3 was signed on September 27.

A few days later, on October 8, HSI issued a stop-work order for the award “to review and verify compliance with Executive Order 14093,” a Department of Homeland Security spokesperson said.

The executive order signed by President Joe Biden in March 2023 aims to restrict the US government’s use of commercial spyware technology while promoting its “responsible use” that aligns with the protection of human rights.

DHS did not confirm whether the contract, which says it covers a “fully configured proprietary solution including license, hardware, warranty, maintenance, and training,” includes the deployment of Paragon’s flagship product, Graphite, a powerful spyware tool that reportedly extracts data primarily from cloud backups. (Vas Panagiotopoulos / Wired)

Ireland’s media and internet watchdog, Coimisiún na Meán, has adopted and published an Online Safety Code that will apply to video-sharing platforms headquartered in the country starting next month, including ByteDance’s TikTok, Google-owned YouTube, and Meta’s Instagram and Facebook Reels.

Under the Code, in-scope platforms are required to have terms and conditions that ban uploads or sharing of a range of harmful content types — including cyberbullying, promoting self-harm or suicide, and promoting eating or feeding disorders, in addition to banning content that incites hatred or violence, terrorism, child sex abuse material (CSAM), and racism and xenophobia.

The Code aims to address content types that are not directly in scope of the European Union’s Digital Services Act (DSA).

Notably, the Code mandates that video sites that permit pornographic content or gratuitous violence in their T&Cs must apply “appropriate” age assurance (or age verification) in a bid to ensure minors do not access inappropriate content. (Natasha Lomas / TechCrunch)

Related: Irish Independent, HotAir, Irish Examiner, TheJournal.ie, Kilkenny Live, Coimisiún na Meán, The Independent, Coimisiún na Meán, Gript, Business Plus, Irish Legal News, gov.ie, Silicon Republic, Head Topics, Business Post, Irish Examiner, RTÉ

Civil liberties organization Institute for Justice has filed a federal lawsuit in Virginia arguing that widespread surveillance enabled by Flock, a company that sells networks of automated license plate readers, is unconstitutional under the Fourth Amendment.

Two Virginia residents, Lee Schmidt and Crystal Arrington, are listed as plaintiffs in the case. Schmidt, a Navy veteran, alleges in the lawsuit that the cops can easily infer where he is going based on Flock data. 

Flock cameras, which are called automated license plate readers (ALPRs), have become popular all over the United States. More than 5,000 communities around the country have the cameras, which use AI to passively and constantly check which cars are driving by them. (Jason Koebler / 404 Media)

Related: IJ.org, Techdirt, San Francisco Chronicle, Daily Press

Meta announced that it is expanding tests of facial recognition as an anti-scam measure to combat celebrity scam ads and more broadly.

Some of the tests aim to bolster its existing anti-scam measures, such as the automated scans (using machine learning classifiers) run as part of its ad review system, to make it harder for fraudsters to fly under its radar and dupe Facebook and Instagram users to click on bogus ads.

The tests appear to use facial recognition as a backstop for checking ads flagged as suspect by existing Meta systems when they contain the image of a public figure at risk of so-called “celeb bait.”

Meta also announced that it’s trialing facial recognition applied to video selfies to enable faster account unlocking for people who have been locked out of their Facebook/Instagram accounts after they’ve been taken over by scammers (such as if a person was tricked into handing over their passwords). (Natasha Lomas / TechCrunch)

Related: Meta, International Business Times, RTÉ, Reuters, The Economic Times, Neowin, Engadget, Bizcommunity, News.ng, Proactiveinvestors UK, Moneycontrol, SiliconANGLE, Yahoo Finance, Time, Social Media Today, PCMag, Business Standard, The Independent, CGTN, 9News, CNET, The Straits Times, ABC, Digital Trends, Tech in Asia

Global identity verification platform Authologic announced it had raised $8.2 million in a Series A venture funding round.

OpenOcean led the round, with participation from YCombinator, Peak Capital, and SMOK VC. (Cate Lawrence / Tech.eu)

Related: Finextra, Silicon Canals

Cybersecurity company Sophos is acquiring cybersecurity company Secureworks for about $859 million.

Sophos “expects to integrate solutions from both companies into a broader and stronger security portfolio benefiting small, mid- and enterprise customers.” (Joe Warminsky / The Record)

Related: Sophos News, Secureworks, Forbes, SiliconANGLE, CRN, iTnews, HealthcareInfoSecurity.com, CyberScoop, Channel Futures, ITPro, SecurityWeek, The Cyber Express

Best Thing of the Day: Time to Take an SEC Cybersecurity Exam

The US Securities and Exchange Commission (SEC) announced that its 2025 examination agenda will concentrate on both long-standing and emerging risks, including cybersecurity; examiners will look at how registered entities, including investment advisers, broker-dealers, and clearing agencies, manage cybersecurity risks.

Worst Thing of the Day: Hello World, Goodbye Columbus!

Despite having three months to deal with a massive ransomware attack, the City of Columbus, OH, has only restored 74% of its systems, is delaying the release of a report on the incident, and will not make its director of technology available to the press.

Bonus Worst Thing of the Day: It's Always the Russians

A Russia-aligned propaganda network called Storm-1516, notorious for creating deepfake whistleblower videos, appears to be behind a coordinated effort to promote wild and baseless claims that Minnesota governor and vice presidential candidate Tim Walz sexually assaulted one of his former students.
