Cyber Security Headlines: Week in Review – Salt Typhoon Saga, Microsoft MFA Bypass, Yahoo Cuts Paranoids
Released on December 13, 2024, by CISO Series
In this episode of Cyber Security Headlines, hosted by Rich Stroffolino of the CISO Series, guest Jimmy Sanders, President of ISSA International, works through the week's most pressing cybersecurity stories. The discussion covers a sophisticated cyber espionage campaign, evolving ransomware tactics, alleged privacy law violations, a brute-force weakness in Microsoft's multi-factor authentication (MFA), and layoffs within Yahoo's well-known security team. Below is a summary of the key points, discussion, and conclusions from the episode.
1. The Salt Typhoon Cyber Espionage Campaign
Key Developments:
- Overview: The episode opens with the Salt Typhoon cyber espionage campaign, the Chinese state-linked intrusion into U.S. telecommunications networks that continued to generate headlines this week.
- T-Mobile's Concerns: Jeff Simon, CSO of T-Mobile, remarked at [00:40] that the Salt Typhoon campaign employed a novel technique, stating, “not something that I've seen in my 15 plus year career in cybersecurity. It's not something that is well published or read about. There's no CVE for it.” The remark underlines how elusive the attack vector was: no public advisory or identifier existed for it.
- CISA's Uncertainty: Jeff Greene of CISA said it was unclear whether the adversaries had been fully evicted from the affected networks, raising concerns about the scope and persistence of the intrusion.
- White House Insights: Anne Neuberger, the White House lead on cyber and emerging technology, said Chinese cyber spies had targeted senior U.S. political figures and stolen their private communications, deepening national security fears.
Discussion Highlights:
- Jimmy's Perspective [03:01]: Jimmy was surprised to hear a CSO concede the novelty of the attack, arguing that experienced security leaders should anticipate and counter such threats proactively. He asserted, “We have to own that. We can't have one silver bullet that breaks through because it didn't have a CVE, and all of a sudden everybody's owned.”
- Evolving Threat Landscape: Rich Stroffolino connected the story to zero-day vulnerabilities, noting the inherent difficulty of defending against an attack technique for which no public record exists. Jimmy stressed that telcos must understand their own networks deeply enough that an adversary cannot move through them undetected.
- National Implications: The conversation underscored the broader national security implications: sophisticated campaigns by state-sponsored actors such as China represent a persistent and escalating threat.
2. Evolution of Black Basta Ransomware Tactics
Key Developments:
- Shift to Social Engineering: The Black Basta ransomware group has moved from relying on botnet-delivered malware to incorporating social engineering. Tactics include email bombing, impersonating IT staff who offer to help, and delivering malicious payloads such as Zbot and DarkGate.
- Enhanced Attack Strategies: The operators talk victims into installing remote access tools (e.g., AnyDesk, TeamViewer) and use that access to deploy malware that harvests credentials, steals VPN configurations, and bypasses MFA protections, giving them a foothold for deeper network infiltration.
Discussion Highlights:
- Jimmy's Analysis [05:33]: He read the change as a response to tactics that no longer work, noting, “Their old tactics stopped working. So they have to... spend more money to do new attacks.” Improved defenses are forcing the group to invest in new techniques.
- Proactive Security Measures: Rich asked whether evolving threats are simply inevitable; Jimmy replied that defenses must keep adapting so that yesterday's successful attacks fail today. He emphasized, “As we build our security network, the attacks that worked on us yesterday also don't work today.”
- Future Outlook: As security infrastructures strengthen, ransomware groups may either escalate their attacks or move to easier targets, which argues for sustained vigilance and adaptability in defense.
3. Texas Attorney General Targets AllState-Linked Data Broker
Key Developments:
- Privacy Law Violations: The Texas Attorney General has accused data broker Arity, owned by Allstate, of sharing consumer information without clear notice or consent. Over the past six weeks, six mobile apps that partner with Arity have been implicated in improperly sharing user data.
- Implications for Insurance Pricing: Arity's data collection, embedded through software development kits (SDKs) in partner apps, feeds insurance pricing recommendations based on driving behavior. While that could in principle yield fairer rates, the lack of transparency raises significant privacy concerns.
Discussion Highlights:
- Jimmy's Critique [07:32]: He criticized the absence of user consent, asserting, “The fact that they did it without informing is the issue.” He also questioned how far government should intervene in private business practices, hinting at the difficulty of regulating data brokers.
- Rich's Observation: Rich noted that consent is typically buried in terms of service, a "solution" that relies on users' laziness and inattention rather than on informed agreement.
- Legal and Ethical Considerations: The dialogue touched on the broader issues of third-party data sharing, user consent, and the ethical responsibilities of companies that handle sensitive consumer data.
4. Microsoft Multi-Factor Authentication (MFA) Bypass – The AuthQuake Method
Key Developments:
- AuthQuake Exploit: Researchers at Oasis Security disclosed AuthQuake, a technique that bypasses Microsoft's MFA by brute-forcing the six-digit one-time code rather than by tricking the user. In their testing an attacker could reach Outlook, OneDrive, Teams, and Azure within about an hour, with no user interaction and no notification to the account owner.
- Attack Mechanism: A six-digit code is one of only a million values. Microsoft's verification counted failed attempts per session rather than per account, and accepted a code for roughly three minutes instead of the 30-second step the TOTP standard intends. An attacker could therefore open many sessions in parallel and submit guesses concurrently, sidestepping the per-session failure limit and giving the guesses enough time to land on a valid code.
- Microsoft's Response: After the report in late June 2024, Microsoft deployed a temporary fix within days and a permanent fix in October 2024.
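To make the two weaknesses concrete, here is an added example (not Oasis Security's or Microsoft's code) that models a TOTP verifier with its failure counter kept per session and an extended acceptance window, then runs a session-hopping brute force against it and against a hardened configuration. The secret, timestamp and limits are made up, the verifier is a toy rather than Microsoft's implementation, and the probability helper assumes uniform guesses.

```python
"""Model of an AuthQuake-style brute force against a six-digit TOTP check.

Added example, not Oasis Security's or Microsoft's code. The verifier is a toy
with two knobs that reproduce the weaknesses the research relied on: a code
accepted for several 30-second steps, and a failed-attempt counter kept per
session instead of per account. Secret, timestamp and limits are made up.
"""
import hashlib
import hmac
import struct

DIGITS = 6
STEP = 30  # RFC 6238 default time step, in seconds


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, now // STEP)


class TotpVerifier:
    """Server-side code check.

    valid_steps:  number of consecutive steps (current and older) whose code is
                  accepted; 1 is strict, 6 is roughly AuthQuake's three minutes.
    max_failures: failed attempts allowed before 'locked' is returned.
    per_account:  False counts failures per session (a new session resets the
                  count); True counts them per account.
    """

    def __init__(self, secret: bytes, valid_steps: int, max_failures: int,
                 per_account: bool) -> None:
        self.secret = secret
        self.valid_steps = valid_steps
        self.max_failures = max_failures
        self.per_account = per_account
        self.failures: dict = {}   # counter key -> failed attempts so far
        self._cache: dict = {}     # time step -> set of currently accepted codes

    def accepted_codes(self, now: int) -> set:
        step = now // STEP
        if step not in self._cache:
            self._cache[step] = {hotp(self.secret, step - i)
                                 for i in range(self.valid_steps)}
        return self._cache[step]

    def verify(self, code: str, now: int, session_id: str) -> str:
        key = "account" if self.per_account else session_id
        if self.failures.get(key, 0) >= self.max_failures:
            return "locked"
        if code in self.accepted_codes(now):
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        return "bad"


def success_probability(attempts: int, valid_codes: int = 1) -> float:
    """Chance that `attempts` uniform guesses hit one of `valid_codes` codes."""
    return 1 - (1 - valid_codes / 10 ** DIGITS) ** attempts


def brute_force(verifier: TotpVerifier, now: int, max_sessions: int) -> dict:
    """Enumerate every code at a frozen `now`, opening a new session whenever
    the current one is locked, until success or the session budget runs out."""
    guess, session = 0, 0
    while guess < 10 ** DIGITS:
        result = verifier.verify(f"{guess:0{DIGITS}d}", now, f"sess-{session}")
        if result == "ok":
            return {"success": True, "attempts": guess + 1, "sessions": session + 1}
        if result == "locked":
            session += 1
            if session >= max_sessions:
                break
            continue            # resubmit the same guess from the fresh session
        guess += 1
    return {"success": False, "attempts": guess, "sessions": session}


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"   # made up; never reuse a real seed
    NOW = 1_733_000_000                   # made-up Unix timestamp
    weak = TotpVerifier(SECRET, valid_steps=6, max_failures=10, per_account=False)
    hard = TotpVerifier(SECRET, valid_steps=2, max_failures=10, per_account=True)
    print("per-session limit, 3-minute window:", brute_force(weak, NOW, 10 ** 6))
    print("per-account limit, 60-second window:", brute_force(hard, NOW, 1000))
    for steps in (1, 6):
        for rate in (10, 100):            # sustained guesses per second
            n = rate * steps * STEP       # guesses that fit in the window
            print(f"{steps} step(s) at {rate}/s: {n} guesses, "
                  f"P(hit) = {success_probability(n, steps):.3f}")
```

Against the weak verifier the attacker always gets in: every tenth guess costs a new session, but nothing stops the enumeration. Against the hardened verifier the account-wide counter trips after ten failures and every further session is refused, so the attempt dies at ten guesses. The probability loop shows why both knobs matter: a longer acceptance window multiplies both the number of guesses that fit and the number of codes that count as correct.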
Discussion Highlights:
- Jimmy's Insights [11:59]: He argued that the issue lies not with MFA itself but with alerting and logging. “That's an alerting problem. That's a logging problem.” He emphasized the need for robust monitoring that surfaces repeated failed attempts against an account.
- Granularity of MFA Solutions: Rich pointed out that MFA implementations vary, with different security levels for SMS codes, push notifications, authenticator apps, and dedicated hardware tokens. Jimmy agreed that not all MFA is created equal and underscored the importance of comprehensive logging within platforms such as Microsoft's ecosystem.
- Snowflake's Security Move: Closing the MFA discussion, Rich noted that Snowflake will block single-factor password sign-ins starting November 2025 and will require MFA for all new accounts, as part of its commitment under CISA's Secure by Design pledge.
- Jimmy's Rebuttal [14:09]: He pushed back on blanket MFA enforcement, arguing it adds user friction without regard to threat level or risk profile. “It's just how you actually log into Snowflake. I hate people making me do two factor.” He favored applying MFA according to specific risk criteria rather than universally.
Takeaway: The episode emphasized that while MFA remains a critical security measure, its effectiveness is contingent upon comprehensive monitoring and adaptive implementation strategies.
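Jimmy's point that this is a logging and alerting problem can be turned into detection logic. The following added example (not from the episode, Oasis Security or Microsoft) runs over constructed sign-in log lines in a made-up format and shows why the count has to be kept per account: viewed per session, the same traffic never exceeds a handful of failures, which is exactly the blind spot the bypass exploited. Field names, thresholds and the sample accounts are all assumptions.

```python
"""Detection for a distributed MFA brute force of the AuthQuake kind.

Added example; not from the episode, Oasis Security or Microsoft. The log
format below is constructed for the demo (real Entra ID sign-in logs use
different field names), but the grouping logic is the point: count MFA
failures per account across all sessions, not per session.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\S+) "
                  r"event=(?P<event>\S+) result=(?P<result>\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line: str):
    """One constructed log line -> dict, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return ev


def detect(lines, window_s: int = 180, max_failures: int = 20,
           min_sessions: int = 3) -> list:
    """Return alerts for accounts whose MFA failures, summed across sessions,
    cross `max_failures` inside a sliding window, and for a success that lands
    right after such a burst (the attacker finally guessed the code)."""
    recent = defaultdict(deque)      # user -> deque of (ts, session) failures
    burst_alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["event"] != "mfa_verify":
            continue
        q = recent[ev["user"]]
        while q and (ev["ts"] - q[0][0]) > timedelta(seconds=window_s):
            q.popleft()
        if ev["result"] == "fail":
            q.append((ev["ts"], ev["session"]))
            sessions = {s for _, s in q}
            if (len(q) >= max_failures and len(sessions) >= min_sessions
                    and ev["user"] not in burst_alerted):
                burst_alerted.add(ev["user"])
                alerts.append({"kind": "mfa_spray", "user": ev["user"],
                               "failures": len(q), "sessions": len(sessions),
                               "at": ev["ts"]})
        elif ev["result"] == "success" and len(q) >= max_failures // 2:
            alerts.append({"kind": "success_after_burst", "user": ev["user"],
                           "failures": len(q), "sessions": len({s for _, s in q}),
                           "at": ev["ts"]})
    return alerts


def per_session_failures(lines) -> dict:
    """The view the bypassed control had: failures keyed by session only."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse(line)
        if ev and ev["event"] == "mfa_verify" and ev["result"] == "fail":
            counts[ev["session"]] += 1
    return dict(counts)


def constructed_log() -> list:
    """Synthetic lines: 'alice' is sprayed from six sessions, five guesses
    each, then a seventh session gets in; 'bob' mistypes twice and succeeds."""
    base = datetime(2024, 6, 20, 10, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=3 * i)).strftime(TS_FMT)
        lines.append(f"{ts} user=alice session=a{i // 5:02d} event=mfa_verify result=fail")
    ts = (base + timedelta(seconds=90)).strftime(TS_FMT)
    lines.append(f"{ts} user=alice session=a06 event=mfa_verify result=success")
    for secs, result in ((10, "fail"), (15, "fail"), (20, "success")):
        ts = (base + timedelta(seconds=secs)).strftime(TS_FMT)
        lines.append(f"{ts} user=bob session=b00 event=mfa_verify result={result}")
    return sorted(lines)             # ISO timestamps sort chronologically


if __name__ == "__main__":
    log = constructed_log()
    print("max failures seen by any single session:",
          max(per_session_failures(log).values()))
    for alert in detect(log):
        print(alert)
```

Run on the sample, no session ever shows more than five failures, so a per-session limit of ten never fires, while the per-account view raises one burst alert at the twentieth failure and a second when the success arrives on the heels of thirty failures. The second alert is the one worth paging on: it marks the moment the guess landed. Thresholds are illustrative and should be tuned to a tenant's real failure rates.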
5. Yahoo’s Cybersecurity Team Layoffs – Outsourcing the "Paranoids"
Key Developments:
- Massive Layoffs: Yahoo's renowned cybersecurity team, nicknamed the "Paranoids," has shrunk by 25% over the past year, and the offensive security team that ran its red team exercises is now being outsourced.
- Leadership Communication: Valerie Labroski, Yahoo's new CTO, framed the cuts as strategic decisions aimed at improving profitability, consistent with CEO Jim Lanzone's earlier statements about cutting costs to boost profits.
Discussion Highlights:
- Jimmy's Shock [16:49]: He was incredulous at the decision to eliminate an internal red team, pointing out the irony of outsourcing the very function that finds weaknesses before outsiders do. “You're going to outsource the people who show you the attacks of your infrastructure before the outside world.”
- Risks of Outsourcing: Rich highlighted the larger attack surface and third-party risk that come with outsourcing critical security functions, suggesting that such moves invite further exposure.
- Accountability Concerns: Jimmy reinforced that accountability cannot be outsourced: “You can't outsource accountability.”
- Implications for Yahoo: Losing a skilled internal team suggests a weaker security posture for Yahoo and raises questions about its commitment to security under financial pressure.
Conclusion: The episode underscored the precarious balance between cost management and maintaining a strong security infrastructure, warning against shortcuts that may lead to increased vulnerabilities.
Final Thoughts and Reflections
As the episode concluded, Rich Stroffolino extended empathy to the laid-off Yahoo security professionals, acknowledging their expertise and the unfortunate timing of dismissals during the holidays. The discussion highlighted concerns over shifting security strategies, the wider attack surface that outsourcing creates, and the nuanced challenges of implementing MFA well.
Notable Quote:
- Jimmy Sanders at [19:31]: “You can do MFA transparently. There is no reason to do MFA. What it causes me to actually have to do something else.”
This encapsulates the tension between enhancing security measures and maintaining user convenience, a recurring theme in today’s cybersecurity landscape.
Stay Informed: For listeners seeking ongoing updates, Jimmy Sanders shared his contact information, directing audiences to ISSA International’s website and LinkedIn profile. The CISO Series also promoted upcoming events and encouraged community engagement to foster a collaborative approach to tackling emerging cybersecurity challenges.
Disclaimer: The views expressed in this summary reflect the opinions of the podcast participants and do not necessarily represent those of ISSA International.
