A
From the CISO Series, it's Cybersecurity Headlines. Cloudflare says it lost 55% of logs pushed to customers for three and a half hours. Cyber-unsafe employees increasingly put their orgs at risk. And FBI and CISA urge Americans to use encrypted apps rather than calling. These are some of the stories that my colleagues and I have selected from this week's cybersecurity headlines. And now we're ready for some insight, opinion and expertise from our guest, Edward Fry, head of security at Luminary Cloud. Edward, happy Friday. Welcome to the show. And how's your week in cybersecurity been?
B
It's been pretty good, you know, prepping for some work for next week. It'll be really busy next week, but it was a great week this week.
A
It's good to hear and we'll knock on wood for that. We're almost out. Our sponsor for today is Vanta. Leading companies use Vanta's Questionnaire Automation. You can join us on YouTube live by going to cisoseries.com, hitting the events drop-down and looking for the Cybersecurity Headlines Week in Review image. Just click on it to join us and be sure to contribute your comments. I'm seeing the comments rolling in already, so good, for a lively chat. All right, let's throw out a disclaimer. Edward's opinions are his own and not of his employer. And with that, we have just 20 minutes, so let's dive right in. Our first story today: Cloudflare says it lost 55% of logs pushed to customers for three and a half hours. This is about a bug that appeared on November 14th in the Internet security company's log collection service that allows its customers to monitor the traffic on their websites and filter it based on certain criteria. They're also used to investigate security incidents like DDoS attacks, traffic patterns, and to perform site optimizations. This is a big service accounting for over 50 trillion customer event logs every day, of which around four and a half are sent to customers. The incident was caused by a misconfiguration of a log forwarder component in Cloudflare's pipeline. Then a pause created a massive spike, so the system tried to resolve it. So, Edward, not a topic we cover all the time on this show, but an interesting look at how a service might affect the cyber risk profile of its customers. So what's your take on this one?
B
So this one's a little bit interesting to me and one, it's a critical service for a lot of customers in order to protect their service or provide web filtering, and that sort of thing. So as you mentioned, those logs could be critical for investigation. What's kind of lucky here is that it was only about three and a half hours' worth of logs. But one thing about that is we had a very similar event just one month prior that lasted two weeks, where Microsoft lost logs for a long time. And we've had another thing where a change was implemented and the whole world basically went on pause. So some of the things that I think here are: what are we doing when we're pushing changes that could impact our customers and that sort of thing, how are we testing those changes and what do we do with the failure state? You know, are we testing the failure state when something goes wrong?
A
And I guess the question, when I read down through these stories and now hear about the mitigations that have been put in place, is, you know, in your opinion, should these things be thought of before, or are there just some unforeseen things that pop up and then we just have to triage?
B
Well, so some of these things I think are unforeseen, but in this particular instance in this article, they had some fallback procedures where they had a configuration where they would fall back and just ship all of the logs. The problem was they didn't test that failure state. So once it went into failure, then that failure state was overwhelmed, which caused a secondary outage, which then made it so that those logs didn't get to those customers.
A
All right, we'll give Cloudflare a little grace there. All right, onto our second story. Cyber-unsafe employees increasingly put their orgs at risk. A new study from CyberArk surveyed more than 14,000 employees across a variety of industries and shows that 80% of respondents access workplace applications from personal devices that lack key security controls. A third of respondents are able to alter sensitive data without admin-level privileges, and roughly 30% approve large financial transactions on their own. Nearly half of respondents admitted to reusing the same login credentials for multiple work applications, and about a third use the same credentials for both work and personal applications. And the final statistic here, 65% admitted to bypassing security policies for personal ease. You know, because those things kind of get in our way. We want to smoothly ride down the freeway without our seatbelts on. So, you know, Edward, a lot of stats here, obviously a lot of them alarming. We should keep in mind these are from CyberArk, so they're trying to protect people's privileges through their own products. But, you know, what's your read on the entirety of the story?
B
So my thoughts on this are, if a system needs to be secure, you can't just have a written policy saying, don't do this. For example, if you store money in the bank, you don't put it into a drawer in the cabinet and say, don't touch it. You put it into a vault and you lock it. So if you have this sort of policy where you don't want people to access things from their personal computer or personal web device, a browser or something like that, you implement a control like CyberArk, which is what they're trying to promote, and then you lock it down so that you can't access those services without using those protections in place, making it so that it's not possible to bypass the security controls.
A
Preventative is always better. Do you think there's merit to training in this industry? We're talking about how humans are the weakest link and beating the drum with training. How effective do you think that is in a situation like this, affecting these types of statistics?
B
Well, I would also argue, you know, there is the argument that humans are the weakest link, but they're also your strongest asset. So I think some training is something you can implement. But ultimately, if you have a policy that says you can't access this with your personal device, it would be much better to just prevent somebody from accessing it with their personal device. For example, multifactor authentication, device authentication, VPNs. All of those things.
A
Yep, all the things. And there's a lot there to unpack in that story. And thanks for your insights there, Edward. Moving on to the third story. FBI and CISA urge Americans to use encrypted apps rather than calling one another. So let's be less interpersonal than we already are. More fallout from the Salt Typhoon attack on the US telecom companies. Officials from both agencies are now recommending that Americans start using encrypted messaging apps to communicate. Jeff Greene, executive assistant director for CISA, along with a senior FBI official who asked not to be named, said they plan to use the same message as they do inside their respective organizations, which is: encryption is your friend. Very simple and to the point, whether it's on messaging or encrypted voice communications. So this one is definitely an interesting one from the week. Edward, broad implications for sure. Is this really the way we should be going, and what's kind of your take on the effectiveness of this direction that we're being urged to go?
B
I think there's some aspects of this that are very interesting. For secure communications, if I want to protect that communication with a friend or a critical communication with my business partners or that sort of thing, I will use an encrypted method. But I think just in general this is a hard ask right now for, say, me to communicate with my mom or my friends who are on different platforms. And I've got two or three different communication platforms that I could use. You know, there's WhatsApp, there's Signal, there's Slack for business and that sort of thing. But there's not a lot of interop, and iPhone to iPhone and Android to Android, they've kind of started to move that way. But we really need to get the iPhone to Android type of communication and get those companies to cooperate, because just saying use one of these commercial applications or one of these open source applications becomes a problem. And then I think there's also some aspects of it where using some of those encrypted tools has had headline-reaching events where somebody got in trouble with, say, the FTC for using such a tool.
A
Yeah, it's going to be tough for me to say, sorry mom, you know, I need to message you on Slack today because, you know, I'm worried about our voice call being recorded. Not that we're talking about all that top secret stuff, but we're talking about nation-state actors here and trying to prevent a pretty drastic way that will shift. And I love your point on when we can get Apple to cooperate with Google. That will be a great day for all of us. Indeed.
B
Absolutely.
A
Let's all be friends. So, all right, let's move on. Before we do, we would like to put a word in for today's sponsor, Vanta. As third-party breaches continue to rise, companies are increasingly vigilant, which means more time spent on manual security reviews. With Vanta Questionnaire Automation, security and compliance teams can complete security reviews up to five times faster, giving you time back to focus on running your security and compliance programs. Over 8,000 global companies like ZoomInfo, SmartRecruiters and Noibu use Vanta to save time on security reviews. Visit vanta.com to learn more about Questionnaire Automation. That's V-A-N-T-A dot com. All right, let's move on to our next story, and I love the lively chat, by the way. I will send my regards along to Rich Stroffolino, who, as you notice, is not me; I'm filling in today. But CCL, thanks for keeping the comments coming. We'll get them up on screen here soon. Our fourth story: phishing tool Rockstar 2FA targets M365 creds. So researchers at Trustwave are warning of a phishing-as-a-service toolkit named Rockstar2FA, which apparently targets M365 accounts and bypasses multifactor authentication via adversary-in-the-middle attacks. The attacks involve theft of a victim's password and session cookie through the creation of a proxy server between the target user and the website the user is visiting, which is a phishing page itself. So we have been beating the drum lately. Many of the stories we cover involve lack of MFA on accounts. And here we have a story, Edward, of sort of bypassing the control we rely on a little too much. So what's your take on this one?
B
This one's tough because, you know, as a security practitioner, implementing multifactor authentication was supposed to be part of the, you know, end-all to prevent that sort of credential harvesting and what have you. But now you've got an adversary in the middle that's proxying the connections. How do we solve this? Right? What are the steps that I could do as a practitioner to prevent this when I don't control the middle, and, you know, is TLS 1.3 supposed to solve this, or, you know, what can we do to help prevent this?
A
I agree. This one hurt me too. I'm of the same mindset, you know, where we're trying, we're just getting to the point of wide adoption of MFA. And here's a workaround to that. And it seems like the game that never ends for security practitioners, for sure. All right, let's move on to our fifth story. Hydra market leader sentenced to life. Russia, of all countries, continues its crackdown on cybercriminals. On Monday, authorities sentenced Hydra market leader Stanislav Moiseyev to life in prison for running the world's largest dark web market platform for drugs and money laundering. Fifteen other accomplices also received sentences. Russian law enforcement also arrested ransomware gang leader Wazawaka, sounds like a quote from Fozzie Bear, on Friday for his role in several hacking groups. All of this is rare for a country that typically tolerates cybercriminals as long as they're not targeting Russian targets. So a lot in this one, and definitely it raised my eyebrows. So I'll let you just riff on this one, Edward, a lot here.
B
So this is something that I find kind of interesting, because as you said, they don't typically crack down on the cybercriminals so long as they're not acting against the state. So the question it kind of raises in my mind is, is it that they weren't cooperating with the state and weren't acting on their behalf or refused to do that, or that they actually also tried to go after their local state infrastructure and that sort of thing. So I find that interesting, that a life in prison sentence is pretty big, pretty rare.
A
It seems rare and harsh. And then, you know, coming from Russia as well, I mean, you know, not known for their crackdown on cybercriminals. We've had a number of stories recently. I mean, what's kind of your take on that? You know, is this like a political play in your mind, or are they just really changing their stance for the good of the whole?
B
That's a great question. I really don't have a good answer. But I think that it is a new and interesting trend that we'll see coming in the, you know, next few months and over the next year or so.
A
Awesome. Yeah, we'll get our popcorn for that one and keep following for sure. So interesting to see how that turns out. So we'll move on to our next story, which is Chinese group linked to another long-term intrusion. Researchers at Symantec report that a Chinese-linked threat actor carried out a long-term attack against an unnamed US organization, operating since at least April 11th of this year. The attacks used DLL side-loading, showing similarities to the larger Crimson Palace espionage campaign. Sophos discovered that one back in September. The threat actors used their access for credential theft and targeted access around Exchange servers. So Edward, this is another example of, you know, growing Chinese threat actors, and, you know, we see the difficulty of getting Salt Typhoon out of the telecoms, and they've been in this network that didn't name the company in this case, but it seems like they have a habit of hanging around and being tough to kick out. So what's your thought on the threat that China's bringing to the table here?
B
Well, so first I wanted to talk more about how long they were in the network. It says in the article that they were detected around April and it lasted from April to August. So my question there was, was the attack actually detected way back in April and then the teams left the threat actors on the network to find out what was going on, or was this forensically detected later and they found that those threat actors were there from April to August? So that's one question I had. The second one is, you know, the points around endpoint protection and how some of that detection came from another system on the network, using WMI-type side loading from a trusted system to another trusted system. Where is that endpoint protection for those systems and servers to look for that sort of thing? And then, is it a hacking group? Is it state sponsored? Who's the company? There's a lot of vagueness in there, so I'm not quite sure where to go with that.
A
Yeah, yeah, I agree with that. CCL said: how do we discourage someone whose job it is to hack orgs in another country? It feels like, as you said, there's middle ground for your networks. Here we have threat actors that we seemingly have very little control over. What's your take on that, Edward?
B
Our country has threat actors like that. There's a whole team that's very well known, as in other state-sponsored ones. You join the army, you go into this unit and your whole job is to go hack other countries and other networks and that sort of thing. But the real thing is, from a corporate perspective or from a state perspective, you have to realize that those actors are out there, and so you have to implement those controls to try and prevent that. So you're not really, in my mind, trying to stop that other organization. That's their job, to try and get into you. Your job is to prevent them from getting into you.
A
Spot on. Yeah, spot on. If we distract ourselves with where all the threats could possibly come from, it takes the eye off the ball of, hey, let's just get down to having the foundational controls in place that you mentioned. Excellent. So we're going to move on to our last story of the day. We couldn't get through without having a Gen AI discussion, so let's talk about it. Gen AI boosting financial fraud. A new alert from the FBI's Internet Crime Complaint Center details how threat actors use generative AI tools for fraud on a larger scale and with more believability. This includes using tools like ChatGPT to assist with language translation for romance or other investment scams, enabling faster and more elaborate lures. Image generation tools allow for believable social media profile photos and other supporting evidence in financial fraud schemes. Deepfakes are increasingly using short audio-only voice clips, bypassing visual verification checks in video calls. So definitely some different ways that threat actors are figuring out how to use these tools. Edward, sounds like an obvious next step is to use these for phishing scams. You know, what's your take here?
B
I think this is only going to get worse. You know, some of the recommendations within the article are limit your public exposure. Well, here we are on a public podcast with our voices nice and clear. It's all out there.
A
Yep, it's all out there.
B
You know, we've got pictures, that sort of thing. I think this is getting better. Better for the hackers and that sort of thing. It's going to be harder for us, and it's going to be harder for us to train our employees and our friends and colleagues and family on how to prevent this. One of the recommendations was set up your secret passcodes: hey, if I've got an emergency, I'm going to use this phrase or this term in order to authenticate that it's really me. But how do you do that across an organization of 500 or 5,000 or 500,000 people? That becomes even more difficult.
A
Yeah. Many of the hallmarks we've been touting, right, for how to identify a phishing scam are getting resolved now with the Gen AI usage. So it's becoming harder for people to distinguish, for sure, between what's legitimate and an adversary.
B
Yeah. And the spelling mistakes and all of those things are starting to go away. The functions that people are using, the words are becoming more... And if you have a writing sample for somebody, then you know how they talk or you know how they write their email. So you can tailor it much more closely to that. I think it's going to be a difficult challenge.
A
Agree to agree. That brought us to the end of the show. It went really, really fast. Edward, thank you for your insights. For you, were there any thumbs-up or eye-roller stories, you know, which one stood out to you that we covered in today's rundown?
B
I think that the one that really stands out to me is the Cloudflare one. We've had a number of pushes that have caused outages recently. We need to get better about how we deploy changes to our environments.
A
So we just want to say thank you to our guest, Edward Fry, head of security at Luminary Cloud. Also thank you to our sponsor, Vanta. Leading companies are using Vanta's Questionnaire Automation. And thank you to the audience. CCL was absolutely on top of his game today. Sorry I couldn't reference all your comments, but I'm reading them and enjoying them. So I appreciate your takes and others who have dropped notes into the chat as well. Encourage your friends to join too. We want to keep making this more lively, and so don't forget to join us next Friday at 1pm Eastern for another live stream event, which is Super Cyber Friday. We'll be talking about hacking technical debt, an hour of critical thinking about strategically modernizing your infrastructure. Later on Friday, we'll be having this very show, Week in Review, starting at 3:30pm, and you can register for both by going to the events page at cisoseries.com. In the meantime, you still get your daily news fix via Cybersecurity Headlines, which drops about 6am Eastern every day. So with that, I'd like to wish you all an awesome weekend and thanks for joining us. We'll see you next time.
B
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories.
A
Behind the headlines.
Podcast Summary: Cyber Security Headlines – Week in Review
Released on December 7, 2024, "Cyber Security Headlines" hosted by CISO Series delivers daily insights from the evolving world of information security. In this week's episode titled "Week in Review: Cloudflare’s lost logs, cyber-unsafe employees, FBI encryption request," the host and guest Edward Fry, Head of Security at Luminary Cloud, delve into critical cybersecurity incidents, emerging threats, and industry insights.
Incident Overview:
Cloudflare experienced a significant issue on November 14th, where it lost 55% of the logs pushed to customers over a span of three and a half hours. This disruption impacted their log collection service, essential for monitoring website traffic, filtering criteria, investigating DDoS attacks, analyzing traffic patterns, and performing site optimizations. The root cause was a misconfiguration of a log forwarder component combined with a pipeline pause that led to a system spike and subsequent failure.
Discussion & Insights:
Edward Fry highlighted the critical nature of such services for customers' cyber risk profiles. He remarked, “If we have this sort of policy where you don't want people to access this with their personal device, it would be much better to just prevent somebody from accessing it with their personal device” (04:59). Moreover, Fry emphasized the importance of robust testing for failure states, noting, “the problem was they didn't test that failure state” (03:21).
Key Takeaway:
Cloudflare's incident underscores the necessity for comprehensive testing of system changes and fallback procedures to mitigate similar risks in the future.
Study Findings:
A CyberArk survey of over 14,000 employees revealed alarming statistics:
Discussion & Insights:
Edward Fry stressed that policies alone are insufficient. He compared security measures to storing money in a vault rather than a drawer: “if you store money in the bank, you don't put it into a drawer in the cabinet and say, don't touch it” (05:46). Fry advocated for implementing strict controls such as multifactor authentication and device authentication to prevent policy bypassing. Additionally, he acknowledged the role of training but emphasized that technical controls are paramount: “humans are the weakest link, but they're also your strongest asset” (06:01).
Key Takeaway:
Organizations must enforce stringent security controls to complement policies and reduce dependency on employee behavior for maintaining security.
Advisory Overview:
In response to the Salt Typhoon attack on US telecom companies, the FBI and CISA recommend Americans utilize encrypted messaging applications instead of traditional phone calls. Officials like Jeff Greene of CISA advocated for encryption with the simple message, “encryption is your friend” (07:30).
Discussion & Insights:
Edward Fry expressed concerns about the practicality of this directive, especially regarding interoperability between different platforms. He noted, “there's not a lot of Interop between iPhone to iPhone and Android to Android” (07:30). Fry highlighted the challenge of achieving seamless communication across various encrypted platforms and the potential regulatory issues associated with using commercial or open-source encrypted tools.
Key Takeaway:
While encryption enhances security, achieving widespread adoption and interoperability remains a significant challenge for effective implementation.
Threat Overview:
Researchers from Trustwave identified Rockstar2FA, a phishing-as-a-service toolkit targeting Microsoft 365 accounts. This tool bypasses multi-factor authentication (MFA) through adversary-in-the-middle attacks, stealing passwords and session cookies by creating proxy servers between users and phishing sites.
Discussion & Insights:
Edward Fry expressed frustration over the continuous evolution of phishing methods that undermine security measures like MFA: “it seems like the game that never ends for security practitioners” (11:36). He questioned the effectiveness of current technologies like TLS 1.3 in countering such sophisticated attacks and emphasized the need for innovative solutions to stay ahead of adversaries.
Key Takeaway:
As phishing tactics become more advanced, relying solely on MFA is insufficient. Organizations must explore additional security layers and adaptive defenses to counteract evolving threats.
Incident Overview:
In a rare move, Russian authorities sentenced Stanislav Moiseyev, leader of the Hydra dark web market, to life in prison for operating the platform that facilitated drug sales and money laundering. Fifteen accomplices were also sentenced, and the ransomware gang leader Wazawaka was arrested.
Discussion & Insights:
Edward Fry found the severity of the sentencing surprising, noting Russia's typical tolerance of cybercriminals unless they target Russian interests: “it raises in my mind, is it that they weren't cooperating with the state or refused to... act on their behalf” (12:37). He speculated whether this crackdown signals a shift in Russia's approach to cybercrime, though he admitted uncertainty: “I really don't have a good answer... it's a new and interesting trend” (13:36).
Key Takeaway:
Russia's stringent actions against cybercriminals may indicate a forthcoming shift in their cybercrime policies, though the motivations behind this crackdown remain unclear.
Attack Overview:
Symantec researchers reported a prolonged intrusion by a Chinese-linked threat actor targeting an unnamed US organization from April to August. The attack employed DLL side-loading techniques similar to the Crimson Palace espionage campaign, focusing on credential theft and access to Exchange servers.
Discussion & Insights:
Edward Fry raised questions about the detection timeline and the efficacy of endpoint protections: “Was the attack actually detected way back in April... or detected later?” (14:52). He emphasized the importance of robust endpoint security and questioned the clarity surrounding the threat actor's nature and motives: “Is it a state-sponsored... who's the company?” (16:12).
Key Takeaway:
The prolonged and sophisticated nature of state-linked intrusions highlights the need for continuous monitoring and enhanced endpoint security to detect and mitigate such threats effectively.
FBI Alert Overview:
The FBI's Internet Crime Complaint Center alerted that threat actors are leveraging generative AI tools to conduct more believable and widespread financial fraud. Techniques include using ChatGPT for language translations in scams, image generation for fake social media profiles, and deepfakes for audio verification evasion.
Discussion & Insights:
Edward Fry anticipated an escalation in AI-driven fraud: “This is only going to get worse” (18:19). He pointed out the challenges in securing public-facing communications and the difficulty in scaling verification protocols across large organizations: “how do you do that across an organization of 500 or 5,000...” (18:35). Fry highlighted the diminishing effectiveness of traditional phishing indicators as AI tools produce more sophisticated and human-like deceptive content.
Key Takeaway:
The integration of generative AI into financial fraud schemes necessitates innovative detection methods and comprehensive employee training to identify and counteract increasingly sophisticated scams.
In this episode of "Cyber Security Headlines," the host and Edward Fry provided a thorough analysis of significant cybersecurity events and trends. From infrastructure vulnerabilities and insider threats to state-sponsored cyber activities and the burgeoning role of AI in fraud, the discussions underscored the complexity and dynamic nature of today's cybersecurity landscape. Edward emphasized the importance of proactive measures, robust security controls, and continuous adaptation to counter evolving threats effectively.
Notable Quote Highlights:
For more detailed discussions and future episodes, visit CISOseries.com.