Cyber Security Headlines: Week in Review – December 27, 2024

Host: Rich Stroffolino
Guest: Steve Zaluski, CyberSecurity Advisor and CISO in Residence
Episode: Week in Review: Microsoft deactivation flaw, BeyondTrust on KEV, LLM generated malware

1. General Dynamics Phishing Attack

Summary:
The episode opens with a discussion on a recent phishing attack targeting General Dynamics employees. The aerospace and defense giant reported that threat actors successfully compromised dozens of employee benefits accounts through a sophisticated phishing campaign. This incident affected 37 individuals, leading to unauthorized access to Personally Identifiable Information (PII) and government ID numbers. Additionally, attackers altered bank account information, posing significant risks.

Key Insights:
Steve Zaluski expresses deep frustration over the recurring human vulnerabilities exploited in such attacks, especially within organizations like defense contractors that prioritize security training and infrastructure.

Notable Quote:

“I'm frustrated. It's just incredibly frustrating, right... we continuously see humans make mistakes.” — Steve Zaluski [03:03]

Discussion Points:

• The persistent challenge of human error in cybersecurity despite robust training and systems.
• The balance between implementing stringent security measures and maintaining user convenience.
• The necessity of ongoing efforts to influence and change human behavior to enhance security postures.

2. Japan Airlines Cyber Attack

Summary:
Japan Airlines experienced a cyber attack that disrupted its systems, leading to flight delays. The outage, which occurred at 7:24 am local time, was attributed to a malfunctioning router. The airline promptly restored its systems, assuring that no customer data was compromised. This incident follows a similar outage by American Airlines on Christmas Eve, albeit with different causes.

Key Insights:
Steve highlights the vulnerability of critical infrastructure like airlines to Distributed Denial of Service (DDoS) attacks, emphasizing how even short-term outages can have cascading effects on operations and public safety.

Notable Quote:

“...these types of DDoS attacks... have to go into hold mode. All the major airports have got slotting so you can have these huge disruptions.” — Steve Zaluski [10:15]

Discussion Points:

• The increasing trend of using DDoS attacks to disrupt essential services.
• The potential for such attacks to undermine public trust and operational integrity.
• The importance of resilience strategies in mitigating the impact of service outages.

3. TechCrunch's List of Badly Handled Data Breaches of 2024

Summary:
TechCrunch released its annual compilation of the most poorly managed data breaches of the year. Notable mentions include:

• 23andMe: Blamed customers for inadequate account security during a credential stuffing attack.
• Change Healthcare: Delayed confirmation of a breach that compromised a majority of America's health data due to insufficient multi-factor authentication (MFA).
• Snowflake: Suffered a breach attributed to the lack of mandated MFA use.
• City of Columbus, Ohio: Sued a security researcher for reporting a ransomware attack truthfully.

Key Insights:
Steve critiques the recurring theme of identity and access management (IAM) failures, particularly the over-reliance on customer diligence rather than enforcing robust security measures like MFA.

Notable Quote:

“Half of those incidences were identity and access management where the humans were phished and their credentials were compromised.” — Steve Zaluski [12:40]

Discussion Points:

• The critical role of MFA and its underutilization across various organizations.
• The tendency of companies to shift blame onto consumers instead of addressing internal security shortcomings.
• The necessity for organizations to prioritize security, especially when handling sensitive data.

4. Microsoft 365 Product Deactivation Errors

Summary:
Microsoft 365 users have reported encountering product deactivation errors, particularly when transitioning between licensing groups such as moving from Office 365 to Microsoft 365. Affected users can resolve the issue by reactivating their accounts or signing out and back into their applications. Microsoft is implementing a server-side fix to address the problem.

Key Insights:
Steve draws parallels between such user-facing issues and phishing tactics, warning that simplifying resolutions like “click the Reactivate button” could inadvertently train users to follow dangerous cues similar to those exploited in phishing attacks.

Notable Quote:

“As long as we continue to enable and support that type of behavior, we're basically giving it to the bad guys.” — Steve Zaluski [19:30]

Discussion Points:

• The potential security risks of user-friendly prompts that resemble phishing lures.
• The importance of robust product testing to prevent such vulnerabilities from reaching end-users.
• The broader implications of software design choices on user security behavior.

5. BeyondTrust Vulnerability Added to CISA's KEV Catalog

Summary:
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in BeyondTrust's privileged remote access and remote support products to its Known Exploited Vulnerabilities (KEV) catalog. This flaw allows unauthenticated attackers to inject commands executed as a site user, carrying a CVSS score of 9.8. Federal agencies were given a deadline of December 27th to implement fixes.

Key Insights:
Steve expresses aggravation over vulnerabilities in trusted security products, emphasizing the increased burden on IT and security teams to respond swiftly to such critical flaws despite their best efforts in securing their environments.

Notable Quote:

“I'm implementing PAM tools, doing everything right for my teams to be able to try to prevent the bad guys. And then the underlying software... has problems exploitable.” — Steve Zaluski [22:06]

Discussion Points:

• The challenges posed by vulnerabilities in security tools themselves and the cascading effects on organizational security.
• The heightened responsibility and pressure on security teams to remediate critical flaws promptly.
• The need for higher standards and more rigorous testing in security product development.

6. LLM-Generated Malware Variants

Summary:
Palo Alto Networks' Unit 42 released a report on the utilization of Large Language Models (LLMs) to generate malware variants. By iteratively modifying existing malware through techniques like variable renaming and junk code insertion, threat actors can create numerous variants that evade traditional detection systems. Palo Alto responded by generating tens of thousands of these variants to enhance their detection algorithms, achieving a 10% improvement in detection rates.

Key Insights:
Steve discusses the escalating arms race between threat actors and defenders, where the rapid weaponization of AI-driven technologies by malicious actors outpaces defensive capabilities. This dynamic poses significant challenges for cybersecurity professionals striving to keep systems secure.

Notable Quote:

“The protectors are the mice. I'd like to be the cat for a change.” — Steve Zaluski [25:00]

Discussion Points:

• The dual-use nature of AI technologies in both enhancing and undermining cybersecurity.
• The reactive nature of defenses in contrast to the proactive weaponization by adversaries.
• The potential for more aggressive and innovative defensive tools leveraging AI to counteract evolving threats.

Closing Remarks

The episode concludes with reflections on the discussed topics and a commendation for Steve Zaluski’s insightful contributions. Emphasis is placed on the ongoing challenges in cybersecurity, the necessity for continuous adaptation, and the hopeful pursuit of more effective defensive strategies.

Final Quote:

“We are acknowledging the limitations of our ability for defense and we've got to continue to think outside the box to figure out how we can someday be the cat.” — Steve Zaluski [28:14]

Additional Resources:

• CISO Series Website: CISOseries.com
• ThreatLocker: Zero Trust Endpoint Protection Platform
• Defense in Depth Podcast: Featuring Steve Zaluski

This comprehensive review encapsulates the critical cybersecurity events of the past week, offering expert analysis and highlighting the persistent challenges faced by organizations in safeguarding their digital assets.