
Sean Kelly
From the CISO Series, it's Cyber Security Headlines. These are the cybersecurity headlines for Wednesday, November 20, 2024. I'm Sean Kelly.

CISA Director Jen Easterly to step down

On Tuesday, the U.S. government's cybersecurity agency confirmed that Director Jen Easterly and Deputy Nitin Natarajan will depart their posts at the agency on January 20. A CISA spokesperson said CISA is fully committed to a seamless transition. Easterly is a decorated intelligence officer and military official. She took control of CISA in 2021, investing heavily in secure by design principles, reducing ransomware risk, creating the Known Exploited Vulnerabilities catalog and the Shields Up campaign. Under Easterly, CISA has established itself as the go-to agency for federal incident response and cyber mitigation. However, the agency has generated controversy in some circles for not providing substantial ROI for its multi-billion-dollar annual budget. Easterly's departure comes at a crucial time as the US government scrambles to stave off nation-state intrusions at major telcos and critical infrastructure installations.

Space tech giant Maxar discloses employee data breach

Hackers using a Hong Kong-based IP address breached US satellite maker Maxar Space Systems. Maxar is a major player in the American aerospace industry, specializing in building communication and earth observation satellites. Maxar discovered unauthorized activity on its systems on October 11, about a week after the threat actor gained initial access. Maxar said the attackers appear to have accessed some employee data, including home addresses, Social Security numbers and other PII, along with employment data. The company is providing identity theft protection to both former and current employees. Maxar has not commented as to whether any confidential technology data was exposed during the incident.

Microsoft launches Zero Day Quest hacking event

On Tuesday at its Ignite annual conference in Chicago, Microsoft unveiled Zero Day Quest, a new hacking event focused on cloud and artificial intelligence products and platforms. Zero Day Quest begins with Microsoft offering up to $4 million in awards to researchers who identify vulnerabilities in high-impact areas, specifically cloud and AI. Throughout the campaign, Microsoft is providing researchers direct access to Microsoft AI engineers and a red team through their submissions. Researchers may qualify for next year's invite-only on-site hacking event in Redmond, Washington. The challenge, kicked off yesterday, is open to everyone and will run through January 19th.

Microsoft's new resiliency initiative aims to avoid another CrowdStrike incident

In other major Microsoft news, the company announced its new Windows Resiliency Initiative, designed to improve Windows security and reliability, ultimately making it easier for customers to recover Windows-based machines. This follows the CrowdStrike sensor update catastrophe that took down millions of Windows PCs and servers back in July. Windows platform improvements will include stronger controls over what apps and drivers are allowed to run, and will allow antivirus processing outside of kernel mode. Microsoft also developed a Quick Machine Recovery feature that enables IT admins to remotely deploy fixes to machines even when they're unable to boot properly. Microsoft plans to roll out a preview of the new features to the Windows 11 Insider Program community in early 2025.

And now we'd like to thank today's episode's sponsor, ThreatLocker.

Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you take a proactive, default-deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation are fully supported by their US-based support team. To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com. That's T-H-R-E-A-T-L-O-C-K-E-R.com.

Ford investigating hacker data theft claims

On Sunday, the notorious hacker IntelBroker and a hacker called EnergyWeaponUser claimed in a post on BreachForums that they stole sensitive data from the Ford Motor Company. The hackers claim that the data includes 44,000 customer records, including names, physical addresses and information on product acquisitions. A data sample made public by the hackers indicates that "customers" may actually refer to dealerships that sell Ford vehicles. So far, the sample data does not appear to be sensitive in nature, but does indicate that it came from an internal database. Ford confirmed that they are actively investigating the data breach allegations.

Akira drops over 30 victims on leak site in one day

Back in April, US government agencies estimated that the Akira ransomware-as-a-service outfit had laid claim to roughly $42 million in proceeds from over 250 critical infrastructure orgs in North America, Europe and Australia. Last week, security researchers observed Akira adding 32 new victims to the leaks section of its Tor-based site between November 13th and 14th. Most of the newly added victims are based in the U.S., the researchers said. The researchers said there is no apparent reason that the threat actor dropped so many victims all at once, and warned that Akira's activity will likely continue to ramp up.

New Helldown ransomware variant expands to VMware and Linux systems

Cybersecurity researchers say that an aggressive ransomware group dubbed Helldown has recently expanded its scope to target ESX and VMware with a new ransomware variant. Researchers first identified the gang back in August, targeting Windows systems of at least 31 organizations with ransomware derived from LockBit 3.0 code. The new Linux variant lacks obfuscation and anti-debugging mechanisms, but lists and kills all active virtual machines before ultimately deploying file encryption. Helldown infiltrates target networks by exploiting security vulnerabilities, favoring an attack chain that exploits bugs in Zyxel firewalls. Helldown pressures victims into paying ransoms by encrypting their data and threatening to publish their stolen data, a tactic known as double extortion.

Ransomware gangs now recruiting pentesters

According to a new report from Cato Networks, ransomware gangs such as Apos, Lynx and Rabbit Hole are posting job listings on the Russian Anonymous Marketplace to recruit pentesters to join their ransomware affiliates. Penetration testing simulates common attacks in order to identify gaps and system vulnerabilities, and gauges the strength of an organization's cyber defenses. These new recruitment efforts are the latest example of the professionalization of Russian cybercriminal groups.

And that does it for today's Cyber Security Headlines. But if you're in the Boston, Massachusetts area, then you need to join us for our CISO Series meetup on November 25th. We'll be meeting at the Venture Cafe starting at 5pm Eastern. You'll get a chance to meet our esteemed producer David Spark, network with fellow listeners, play some fun games, and even win some CISO Series swag. Head on over to our events page at cisoseries.com for more details and to RSVP. We hope to see you there. Thank you for listening to the podcast that brings you more of the top cyber news stories and more cowbell. I'm Sean Kelly. Cyber Security Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines: Detailed Summary of November 20, 2024 Episode
Hosted by Sean Kelly from the CISO Series
1. Leadership Changes at CISA: Jen Easterly and Nitin Natarajan to Depart
In a significant development, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that Director Jen Easterly and Deputy Nitin Natarajan will leave the agency on January 20, 2025. Sean Kelly opens the episode with this leadership transition, relaying the agency's statement:
"CISA is fully committed to a seamless transition." [01:15]
Jen Easterly, a seasoned intelligence officer and military official, has been at the helm of CISA since 2021. During her tenure, she prioritized secure-by-design principles, aimed at reducing ransomware risks, and spearheaded initiatives like the Known Exploited Vulnerabilities (KEV) catalog and the Shields Up campaign. Under her leadership, CISA solidified its reputation as a pivotal agency for federal incident response and cyber mitigation.
However, Easterly's leadership has not been without controversy. Critics have questioned the return on investment (ROI) provided by CISA's multi-billion-dollar annual budget, arguing that the agency has not delivered substantial benefits commensurate with its spending. Kelly remarks:
"Easterly's departure comes at a crucial time as the US Government scrambles to stave off nation-state intrusions at major telcos and critical infrastructure installations." [02:50]
The departure of both Easterly and Natarajan raises concerns about the agency's continuity and its ongoing efforts to defend against sophisticated cyber threats targeting critical sectors.
2. Maxar Space Systems Reveals Employee Data Breach
Maxar Space Systems, a leading American aerospace company specializing in communication and earth observation satellites, disclosed a recent data breach impacting its employee information. The breach, traced back to a Hong Kong-based IP address, was detected on October 11, approximately a week after the initial intrusion.
Sean Kelly provides details on the nature of the breach:
"Attackers appear to have accessed some employee data, including home addresses, Social Security numbers, and other PII along with employment data." [04:30]
Maxar has responded by offering identity theft protection services to both current and former employees. However, the company has not said whether any confidential technology data was exposed during the incident, which for a satellite manufacturer is the more consequential question.
The breach underscores the ongoing vulnerabilities faced by organizations within the aerospace sector and the imperative for robust cybersecurity defenses to protect sensitive employee and operational data.
3. Microsoft Launches Zero Day Quest Hacking Event
At its annual Ignite conference in Chicago, Microsoft introduced Zero Day Quest, a new hacking competition aimed at finding vulnerabilities in its cloud and artificial intelligence (AI) products and platforms. The event extends Microsoft's existing bug bounty programs with a time-boxed, higher-payout challenge in those two areas.
Key features of Zero Day Quest include:
Prize Pool: Up to $4 million in awards for researchers who discover and report vulnerabilities in high-impact areas, specifically cloud and AI technologies.
Support and Resources: Participants receive direct access to Microsoft's AI engineers and a dedicated red team to assist with vulnerability submissions.
Future Opportunities: Successful researchers may be invited to join an exclusive on-site hacking event in Redmond, Washington, scheduled for next year.
Kelly highlights the event's scope and duration:
"The challenge, kicked off yesterday, is open to everyone and will run through January 19th." [06:10]
In addition to Zero Day Quest, Microsoft unveiled its Windows Resiliency Initiative, aimed at preventing a repeat of the July CrowdStrike sensor update failure, which took down millions of Windows PCs and servers. The initiative focuses on:
Enhanced Security Controls: Stronger controls over which applications and drivers are allowed to run.
Antivirus Processing: Allowing antivirus processing to run outside of kernel mode, so that a faulty security product can crash without taking the whole operating system down with it.
Quick Machine Recovery: Enabling IT administrators to remotely deploy fixes to machines, even those unable to boot.
Microsoft plans to release a preview of these features to the Windows 11 Insider Program community in early 2025, signaling a proactive approach to fortifying Windows security and reliability.
4. Ford Motor Company Investigates Data Theft Claims
A recent allegation surfaced on BreachForums, where the hackers IntelBroker and EnergyWeaponUser claimed to have stolen sensitive data from Ford Motor Company. The purported haul is approximately 44,000 customer records, encompassing names, physical addresses, and product acquisition information.
Sean Kelly reports:
"A data sample made public by the hackers indicates that customers may actually refer to dealerships that sell Ford vehicles." [09:20]
The sample data does not appear to be sensitive in nature, but it does appear to come from an internal Ford database. Ford has confirmed that it is actively investigating the claims to determine the extent and impact of any data theft.
5. Ransomware Group Akira Expands Leaksite Victims
As of April, US government agencies estimated that the Akira ransomware-as-a-service (RaaS) group had collected roughly $42 million in proceeds from more than 250 critical infrastructure organizations across North America, Europe, and Australia. Last week, security researchers observed Akira adding 32 new victims to its Tor-based leak site between November 13th and 14th, most of them US-based.
Sean Kelly notes the unexpected surge in victim additions, relaying the researchers' assessment:
"There is no apparent reason that the threat actor dropped so many victims all at once, and [the researchers] warned that Akira's activity will likely continue to ramp up." [11:00]
This pattern indicates a potential escalation in Akira's operational capacity and suggests that organizations within critical infrastructure sectors need to bolster their defenses against sophisticated ransomware threats.
6. Helldown Ransomware Targets VMware and Linux Systems
The Helldown ransomware group has released a new variant that expands its targeting to VMware and Linux systems. First identified in August, Helldown had until now targeted Windows systems across at least 31 organizations with ransomware derived from LockBit 3.0 code.
Key characteristics of the new variant include:
Target Expansion: VMware ESX hosts and Linux environments, in addition to Windows.
Attack Mechanisms: The Linux variant lacks obfuscation and anti-debugging features, but it enumerates and kills every running virtual machine before encrypting files. Killing the VMs first is standard practice for hypervisor-targeting ransomware: a running VM holds locks on its disk files, so stopping it is what makes the guest data encryptable.
Exploitation Tactics: Helldown exploits security vulnerabilities, particularly bugs in Zyxel firewalls, to infiltrate target networks.
Double Extortion Strategy: The group encrypts victim data and threatens to publish stolen information unless ransoms are paid.
Sean Kelly emphasizes the threat posed by Helldown's evolving tactics:
"Helldown pressures victims into paying ransoms by encrypting their data and threatening to publish their stolen data, a tactic known as double extortion." [13:45]
Organizations running VMware and Linux estates should treat this as two defensive problems: the edge devices the group uses for entry (here, Zyxel firewalls) need to be patched and monitored, and the hypervisors themselves need telemetry that can catch a burst of VM shutdowns before encryption starts, since the Linux payload makes no effort to hide what it is doing.
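The "list every VM, kill them all, then encrypt" sequence described for the Linux variant leaves a recognizable trace on the hypervisor itself. The following Python script is an added example, not code from the episode, the researchers, or any vendor: it runs a simple detection over log lines modeled on ESXi's /var/log/shell.log and flags a shell session in which a VM enumeration is followed within a short window by several forced kills. It assumes the attacker uses the stock esxcli commands (`esxcli vm process list` and `esxcli vm process kill --type=force`); the page does not say which commands Helldown's Linux build actually issues, so that mapping is an assumption, and the sample log lines are constructed, not real telemetry.

```python
"""Detect the enumerate-then-force-kill-every-VM pattern on an ESXi host.

Added example; not from the podcast, the researchers, or any vendor.
Assumes the stock esxcli commands are used (an assumption; the episode does
not name the commands Helldown's Linux variant runs). Log lines are
constructed to resemble ESXi /var/log/shell.log entries.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry). Session 2103 enumerates VMs and
# force-kills five of them within seconds, then launches a locker binary.
# Session 3311 is an admin doing a single soft kill and must not alert.
SAMPLE_SHELL_LOG = """\
2024-11-14T02:10:03Z shell[2100]: [root]: esxcli system version get
2024-11-14T02:11:41Z shell[2103]: [root]: esxcli vm process list
2024-11-14T02:11:42Z shell[2103]: [root]: esxcli vm process kill --type=force --world-id=2098654
2024-11-14T02:11:42Z shell[2103]: [root]: esxcli vm process kill --type=force --world-id=2098701
2024-11-14T02:11:43Z shell[2103]: [root]: esxcli vm process kill --type=force --world-id=2098733
2024-11-14T02:11:43Z shell[2103]: [root]: esxcli vm process kill --type=force --world-id=2098790
2024-11-14T02:11:44Z shell[2103]: [root]: esxcli vm process kill -t force -w 2098812
2024-11-14T02:11:45Z shell[2103]: [root]: ./locker /vmfs/volumes
2024-11-14T09:30:12Z shell[3311]: [admin]: esxcli vm process list
2024-11-14T09:31:05Z shell[3311]: [admin]: esxcli vm process kill --type=soft --world-id=2099001
"""

# shell.log shape: "<ISO timestamp> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) shell\[(?P<pid>\d+)\]: "
    r"\[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)
LIST_RE = re.compile(r"\besxcli\s+vm\s+process\s+list\b")
# esxcli requires --type/-t (soft|hard|force) on every kill, so we key off it.
KILL_RE = re.compile(
    r"\besxcli\s+vm\s+process\s+kill\b.*?(?:--type[= ]|-t\s+)(?P<type>\w+)"
)


def parse_shell_log(text):
    """Parse shell.log-style lines into {ts, pid, user, cmd}; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "pid": m["pid"],
            "user": m["user"],
            "cmd": m["cmd"].strip(),
        })
    return events


def detect_mass_vm_kill(events, window=timedelta(seconds=120), min_kills=3):
    """Return one alert per shell session in which 'esxcli vm process list'
    is followed within `window` by at least `min_kills` forced/hard kills.
    A lone soft kill by an admin does not fire."""
    alerts = []
    sessions = defaultdict(list)
    for ev in events:
        sessions[ev["pid"]].append(ev)   # shell PID approximates one session

    for pid, evs in sessions.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if not LIST_RE.search(ev["cmd"]):
                continue
            kills = []
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break
                km = KILL_RE.search(later["cmd"])
                if km and km["type"].lower() in ("force", "hard"):
                    kills.append(later)
            if len(kills) >= min_kills:
                alerts.append({
                    "pid": pid,
                    "user": ev["user"],
                    "list_at": ev["ts"].isoformat(),
                    "first_kill_at": kills[0]["ts"].isoformat(),
                    "kills": len(kills),
                })
                break  # one alert per session is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_vm_kill(parse_shell_log(SAMPLE_SHELL_LOG)):
        print(alert)
```

Two operational caveats for anyone adapting this. shell.log is only written while the ESXi Shell or SSH is enabled, and a payload running as root on the host can truncate it, so the lines have to be forwarded off-host (syslog to a collector) to be useful after the fact. The same shutdown burst is also visible as power-off events in hostd.log, which catches operators who use `vim-cmd vmsvc/power.off` instead of esxcli; the regex above deliberately covers only the esxcli form it assumes.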
7. Ransomware Gangs Recruiting Pentesters
A concerning trend has emerged where ransomware gangs, including Apos, Lynx, and Rabbit Hole, are posting job listings on the Russian Anonymous Marketplace to recruit penetration testers (pentesters). According to a report from Cato Networks, these groups are seeking skilled individuals to join their ransomware affiliates.
Penetration testing involves simulating cyberattacks to identify and address system vulnerabilities, making it a critical component of an organization's cybersecurity strategy. The recruitment of pentesters by ransomware gangs signifies a move towards the professionalization and sophistication of Russian cybercriminal enterprises.
Sean Kelly highlights the implications:
"These new recruitment efforts are the latest example of the professionalization of Russian cybercriminal groups." [15:30]
This development underscores the escalating threat landscape, where advanced skills are being harnessed to enhance the efficacy and impact of ransomware attacks. Organizations must remain vigilant and invest in robust cybersecurity practices to defend against such well-equipped adversaries.
8. Upcoming CISO Series Meetup in Boston
For listeners in the Boston, Massachusetts area, the CISO Series is hosting a meetup on November 25th at the Venture Cafe, starting at 5 PM Eastern. The event offers an opportunity to network with industry professionals, engage with the show's producer David Spark, participate in interactive games, and earn exclusive CISO Series merchandise.
Sean Kelly invites listeners to join:
"You'll get a chance to meet our esteemed producer David Spark, network with fellow listeners, play some fun games, and even win some CISO series swag." [17:20]
Interested attendees can find more details and RSVP on the CISO Series events page at cisoseries.com.
Conclusion
This episode of Cyber Security Headlines provided a comprehensive overview of the latest developments in the information security landscape, from leadership changes within key agencies to emerging threats posed by sophisticated ransomware groups. Sean Kelly effectively captured the critical issues facing organizations today, emphasizing the need for proactive and adaptive cybersecurity strategies in an increasingly complex threat environment.
For a deeper dive into these stories and more, listeners are encouraged to visit cisoseries.com.