The Federal Communications Commission (FCC) has given regional US voice service providers Akabis, Cloud4, Global UC, Horizon Technology Group, Morse Communications, Sharon Telephone Company, and SW Arkansas Telecommunications and Technology 14 days to prove they have taken action to mitigate robocalls on their networks before they are pulled from the Robocall Mitigation Database, which would prevent their traffic from being carried by intermediate and terminating providers. 

Without being able to hand off their call traffic to other networks, traffic provided by those seven companies would never reach the called party. “This is a new era,” said FCC Chairwoman Jessica Rosenworcel in a recent press release. “If a provider doesn’t meet its obligations under the law, it now faces expulsions from America’s phone networks. Fines alone aren’t enough. Providers that don’t follow our rules and make it easy to scam consumers will now face swift consequences.” 

Biden commissions an AI Bill of Rights

With AI becoming more and more a part of America’s daily life – via Alexa, Siri, or any number of digital services – President Joe Biden’s administration has put forth a blueprint for an AI Bill of Rights aimed at protecting the public from harmful bias or discrimination. Noting that current systems have proven unsafe or biased, the White House Office of Science and Technology Policy intends the AI Bill of Rights to guide AI implementation based on five core pillars of safety. Critics argue, however, that because it is not law, the document would be largely ineffective.

ZINC attacks with weaponized open source software

Last week, Microsoft Security Threat Intelligence reported in a post that it had “detected a wide range of social engineering campaigns using weaponized legitimate open-source software.” The compromised software includes PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording. The report goes on to say the organization identified the bad actor as ZINC, also known as Lazarus, the North Korean-sponsored cybercriminal group behind the 2014 Sony hack. ZINC seems to be targeting employees in organizations across multiple industries including media, defense and aerospace, and IT services in the US, UK, India, and Russia. For more, see Ars Technica. 

Microsoft Exchange attack mitigation not enough

According to CSO, two zero-day exploits that affect Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 are being actively abused to trigger remote code execution, despite the mitigation advice put forward by Microsoft. The company advised users to deploy a blocking rule with a PowerShell script, but researchers pointed out that the blocking rule as it was written could be easily bypassed. Microsoft also provided instructions on how to disable remote PowerShell access for users and offered detection and threat hunting guidance for the current attacks. 

CISA issues directive to improve vulnerability detection

This week, the Cybersecurity and Infrastructure Security Agency (CISA) issued the Improving Asset Visibility and Vulnerability Detection on Federal Networks directive, which requires federal civilian agencies to regularly report software vulnerabilities. “Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets,” said CISA Director Jen Easterly. “Knowing what’s on your network is the first step for any organization to reduce risk.” See the full news release for more. 

This week’s must-read on the Avast blog 

While BeReal's stated intention is good, there are some major potential privacy issues with it. Here’s what Jeff Williams, Avast Global Head of Security, found when he took a closer look at the social network.